From 4604f19b3570a55c74dfb4b7b3271aa74696c82c Mon Sep 17 00:00:00 2001 From: Darold Gilles Date: Mon, 11 Mar 2019 16:54:06 +0100 Subject: [PATCH] Update documentation and copyrights. --- COPYING | 2 +- README | 405 ++++++++++++++++++++++++++++--------------- debian/copyright | 2 +- doc/README | 331 ++++++++++++++++++++--------------- doc/SquidClamav.pod | 316 +++++++++++++++++++-------------- doc/squidclamav.1 | 365 ++++++++++++++++++++++---------------- etc/squidclamav.conf | 2 +- src/squidclamav.c | 2 +- 8 files changed, 874 insertions(+), 551 deletions(-) diff --git a/COPYING b/COPYING index 53995f0..6c75c2f 100644 --- a/COPYING +++ b/COPYING @@ -1,4 +1,4 @@ -Copyright (c) 2005-2016 Gilles Darold - All rights reserved. +Copyright (c) 2005-2019 Gilles Darold - All rights reserved. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by diff --git a/README b/README index becf270..59a1471 100644 --- a/README +++ b/README @@ -1,16 +1,16 @@ NAME - SquidClamav v6 - HTTP Antivirus for Squid based on ClamAv and the ICAP + SquidClamav - HTTP Antivirus for Squid based on ClamAv and the ICAP protocol DESCRIPTION - SquidClamav v6 is an antivirus for the Squid proxy based on the ICAP + SquidClamav is an antivirus for the Squid proxy based on the ICAP protocol and the awards-winning ClamAv anti-virus toolkit. Using it will help you securing your home or enterprise network web traffic. SquidClamav is the most efficient antivirus tool for HTTP traffic available for free, it is written in C as a c-icap service and can handle several thousands of connections at once. - SquidClamav v6 only scan the HTTP stream sent by Squid through the ICAP + SquidClamav only scan the HTTP stream sent by Squid through the ICAP server. It doesn't make HTTP requests itself so this is a gain of performance and ensures that the data scanned is the same as the user has requested. 
@@ -23,7 +23,7 @@ DESCRIPTION libclamav to scan files is speediest and more simple than the srv_clamav module provided with the c-icap server. - SquidClamav v6 is faster than any other HTTP antivirus and can handle + SquidClamav is faster than any other HTTP antivirus and can handle several thousands of simultaneous users at once, this is what we need. The other unique feature of SquidClamav is that you can have Clamd @@ -42,15 +42,10 @@ DESCRIPTION USAGE Generic Program Information - SquidClamav v6 has been completely rewritten to be used through the - Squid v3.x ICAP feature allowing "on stream" scanning. It is now built - as a c-icap server service but keeps all features from v5 and is fully - compatible with the old SquidClamav configuration file. The squidclamav - configuration file is unchanged minus some obsolete directives. - - This also means that SquidClamav can no more be run into an interactive - console for testing your URL. All debug information will now go to the - c-icap logfile. + SquidClamav is compatible with all Squid v3.x versions that support the + ICAP feature allowing "on stream" scanning. squidclamav is built as a + c-icap server service and can be controlled through a configuration + file. Installing Squid Setting SquidClamav as Squid Icap service @@ -125,8 +120,7 @@ USAGE section. Here the bypass is set to 1, that means that in case of squidclamav - problems squid will simply ignore the error and continue. This is - the equivalent of the bridge mode in version 5.x of suidclamav. + problems squid will simply ignore the error and continue. Squid 3.0.x configuration For squid 3.0.x you must replace 'bypass=1' by '1' or 'bypass=0' by 
@@ -152,8 +146,7 @@ USAGE section. Here the bypass is set to 1, that means that in case of squidclamav - problems squid will simply ignore the error and continue. This is - the equivalent of the bridge mode in version 5.x of suidclamav. + problems squid will simply ignore the error and continue. What do that configuration directives do? They enable Squid's ICAP client and tell Squid to send the logged username and client's IP @@ -170,9 +163,17 @@ USAGE like me, just set the bypass argument to 0 and Squid will return an error message in case of a failure. + Chained Url Checker + You can chained SquidClamav call to an Url checked like squidguard by + setting the 'url_rewrite_program' squid.conf directive: + + url_rewrite_program /usr/bin/squidGuard + url_rewrite_children 15 + url_rewrite_access allow all + C-icap server installation/configuration If you don't have package solutions or encounter problems when - installing SquidClamav I recommand you to install the c-icap server from + installing SquidClamav I recommend you to install the c-icap server from source as following. You can download it from SourceForge at http://c-icap.sourceforge.net/. Choose version c-icap-0.3.2 or later versions, then run: @@ -204,7 +205,7 @@ USAGE where c-icap server is writing pid and socket file. You may also want to change the user/group owning c-icap's processes. By - default the owner is the user/group who runs the program. I recommand + default the owner is the user/group who runs the program. I recommend you to change them to the same user/group running your Squid cache. For example: 
@@ -294,16 +295,21 @@ CONFIGURATION Global configuration Log file and debug - In version 6.x the directives 'logfile', 'debug' and 'stat' are obsolete - as logging and debug are now handled by the c-icap server. You can - control them using the following c-icap.conf directives: + Logging and debug are handled by the c-icap server. You can control them + using the following c-icap.conf directives: ServerLog /usr/local/c-icap/var/log/server.log DebugLevel 0 Debug information is disable by default, do not enable it on production - systems as it costs a lot of performance. The debug level can be set - from 1 up to 3 for SquidClamav but can be up to 10 for c-icap. + systems as it costs a lot of performances. The debug level can be set + from 1 up to 3 for SquidClamav but can be up to 10 for c-icap. By + setting + + DebugLevel 3 + + you will trace everything done by SquidClamav, this is useful for + debugging purpose. Clamd daemon SquidClamav needs to know where to contact clamd, the ClamAV daemon, for @@ -323,7 +329,7 @@ CONFIGURATION Clamd failover If you have multiple ClamAv servers, SquidClamav is able to do failover - between them. You just have to set 'clamd_ip' to a list of IP adresses + between them. You just have to set 'clamd_ip' to a list of IP addresses separated by a comma. Do not insert space characters in this list or it will break all. For example: 
@@ -391,60 +397,102 @@ CONFIGURATION By default it is disabled as you can also log this information with the cgi-script or send an email. - Chained Url Checker - The squidguard directive is preserved for backward compatibility but you - must remove it from your configuration file as it could result in many - squidclamav crashes. + Maximun file size scanned + The maxsize directive allows to disable virus scan completely for files + bigger than the value in bytes. Default is 0, no size limit as you may + want to control download size into squid.conf or clamd. - Please use the 'url_rewrite_program' squid.conf directive instead to - call squidGuard. + maxsize 2M - url_rewrite_program /usr/bin/squidGuard - url_rewrite_children 15 - url_rewrite_access allow all + If you want to abort virus scan after a certain amount of data you must + take a look at the clamd configuration directive 'StreamMaxLength' that + will close a stream when the given size is reached. - If you still want to use it, SquidClamav allows you to chain the - SquidGuard program to check the URL requested against blocklists using - the 'squidguard' directive. You just have to give the path to the - program. + DNS lookup of client IP address + Directive dnslookup allow you to enable / disable DNS lookup of all + client IP address. Default is enabled: - squidguard /usr/local/squidGuard/bin/squidGuard + dnslookup 1 - The chained program is called before the virus scan and any other - SquidClamav operations. The call to this program can be disabled with - the 'whitelist', 'trustuser' and 'trustclient' directives. See - SquidClamav Patterns for more information. + to preserve backward compatibility. You should deactivate this feature + if you don't use trustclient with hostname in the regexp or if you don't + have a DNS on your network. Disabling it will also speed up squidclamav. 
- To log every chained program redirection enable the 'logredir' - configuration directive as following: + Safebrowsing + ClamAV 0.95 introduced support for Google Safe Browsing database. The + database is packed inside a CVD file and distributed through our mirror + network as safebrowsing.cvd. This feature is disabled by default on all + clamav installations. - logredir 1 + In order to enable this feature, you must first add "SafeBrowsing Yes" + to freshclam.conf. There is no option in clamd.conf. If the engine finds + Google Safe Browsing files in the database directory, ClamAV will enable + safe browsing. To turn it off you need to update freshclam.conf and + remove the safebrowsing files from the database directory before + restarting clamd. + + Then to enable this feature into SquidClamav you have to enable the + following configuration directive. + + safebrowsing + Enable / Disable Clamav Safe Browsing feature. You mus have enabled + the corresponding behavior in clamd by enabling SafeBrowsing into + freshclam.conf Enabling it will first make a safe browsing request + to clamd and then the virus scan request. - By default it is disabled as you can also log this information with - squidguard. + Control virus scan + There is two scan mode to fully control squidclamav behavior. The first + and historical mode is "ScanAllExcept" that scans everything by default. + This mode can be controlled by directives: abort, abortcontent, + whitelist, trustuser and trustclient. - Maxsize - This directive allows to disable virus scan completely for files bigger - than the value in bytes. Default is 0, no size limit as you may want to - control download size into squid.conf or clamd. + scan_mode ScanAllExcept - maxsize 2000000 + The second mode since squidclamav version 7 is "ScanNothingExcept" that + will scan nothing but the content controlled by the scan, scancontent, + blacklist, untrustuser and untrusted client. 
- If you want to abort virus scan after a certain amount of data you must - take a look at the clamd configuration directive 'StreamMaxLength' that - will close a stream when the given size is reached. + scan_mode ScanNothingExcept + + Any other value for the scan_mode directive will force the + "ScanAllExcept" mode. This guarantee the backward compatibility with + older squidclamav version. - Controlling SquidClamav behaviour - As in SquidClamav v5.x, v6.0 will scan all downloaded files by default. - You have five directives to control the way things must work. + abort + The 'abort' directive will let you disable virus scanning at URL + level (not chained program). When the URL matches the regex pattern, + SquidClamav falls back to Squid immediately after the call to the + chained program, if one is defined there. - All these directives used extended regex pattern matching and are case - insensitive. + For example: - Control both chained program and virus scan - There are 3 configuration directives that allow you to disable virus - scan and call to chained redirector like SquidGuard. Those pattern - matchings are searched as soon as a Squid entry is received. + abort \.squid-cache\.org + abort .*\.(png|gif|jpg)$ + + The first regexp will exclude any file hosted on domain + squid-cache.org from virus scanning, the last one will exclude all + PNG, GIF and JPEG image from scanning. + + Only used in "ScanAllExcept" mode. + + abortcontent + The 'abortcontent' directive allows you to exclude any file from + virus scanning, whose Content-Type matches the regex pattern. This + directive costs more time because SquidClamav needs to download the + HTTP header for a file with a HEAD request. Note that some sites do + not answer to HEAD requests so the content type will not be able to + be retrieved so they will be scanned. 
+ + Example: + + abortcontent ^image\/.*$ + abortcontent ^video\/x-flv$ + + The first directive will complete the "abort .*\.(png|gif|jpg)$" + previous directive to match dynamic image or with parameters at end. + The second will allow your users to view streamed video instantly. + + Only used in "ScanAllExcept" mode. whitelist The 'whitelist' configuration directive allows you to disable @@ -457,6 +505,23 @@ CONFIGURATION will deliver any files from hosts on clamav.net domain directly. + You can also use a file containing all regex that might be + whitelisted and provide the file name to the whitelist directive. + Suppose that you have a file named + /usr/local/c-icap/etc/sc_whitelist with the following content: + + \.clamav\.net + \.darold\.net + + then you just have to set whitelist in squidclamav.conf as follow: + + whitelist /usr/local/c-icap/etc/sc_whitelist + + the file must contain only one regex per line and no extra + character. + + Only used in "ScanAllExcept" mode. + trustuser The 'trustuser' directive allows you to disable chained program and virus scan when an ident matches the search pattern. On regex found @@ -470,6 +535,8 @@ CONFIGURATION will let user logged as administrator to not be bored by chained program and virus scan. + Only used in "ScanAllExcept" mode. + trustclient The 'trustclient' directive allows you to disable chained program and virus scan if the client source IP address or DNS name match the 
@@ -486,57 +553,24 @@ CONFIGURATION scan for a single computer and the second will do for en entire class C network. - dnslookup - Enable / disable DNS lookup of client IP address. Default is enabled - '1' to preserve backward compatibility but you must deactivate this - feature if you don't use trustclient with hostname in the regexp or - if you don't have a DNS on your network. Disabling it will also - speed up squidclamav. - - Safebrowsing - ClamAV 0.95 introduced support for Google Safe Browsing database. The - database is packed inside a CVD file and distributed through our mirror - network as safebrowsing.cvd. This feature is disabled by default on all - clamav installations. - - In order to enable this feature, you must first add “SafeBrowsing - Yes” to freshclam.conf. There is no option in clamd.conf. If the - engine finds Google Safe Browsing files in the database directory, - ClamAV will enable safe browsing. To turn it off you need to update - freshclam.conf and remove the safebrowsing files from the database - directory before restarting clamd. + Only used in "ScanAllExcept" mode. - Then to enable this feature into SquidClamav you have to enable the - following configuration directive. - - safebrowsing - Enable / Disable Clamav Safe Browsing feature. You mus have enabled - the corresponding behavior in clamd by enabling SafeBrowsing into - freshclam.conf Enabling it will first make a safe browsing request - to clamd and then the virus scan request. - - Control virus scan - There are 3 configuration directives that allow you to disable virus - scan for downloaded files. - - abort - The 'abort' directive will let you disable virus scanning at URL - level (not chained program). When the URL matches the regex pattern, - SquidClamav falls back to Squid immediately after the call to the - chained program, if one is defined there. + scan + The 'scan' directive will let you enable virus scanning at URL + level. 
For example: - abort \.squid-cache\.org - abort .*\.(png|gif|jpg)$ + scan .*\.(doc|docx|pdf|xls)$ - The first regexp will exclude any file hosted on domain - squid-cache.org from virus scanning, the last one will exclude all - PNG, GIF and JPEG image from scanning. + The regexp will force virus scanning for extensions .doc, .docx, + .pdf and .xls. - abortcontent - The 'abortcontent' directive allows you to exclude any file from - virus scanning, whose Content-Type matches the regex pattern. This + Only used in "ScanNothingExcept" mode. + + scancontent + The 'scancontent' directive allows you to force virus scanning for + some files whose Content-Type matches the regex pattern. This directive costs more time because SquidClamav needs to download the HTTP header for a file with a HEAD request. Note that some sites do not answer to HEAD requests so the content type will not be able to 
@@ -544,34 +578,134 @@ CONFIGURATION Example: - abortcontent ^image\/.*$ - abortcontent ^video\/x-flv$ + scancontent ^application\/.*$ - The first directive will complete the "abort .*\.(png|gif|jpg)$" - previous directive to match dynamic image or with parameters at end. - The second will allow your users to view streamed video instantly. + Only used in "ScanNothingExcept" mode. + + blacklist + The 'blacklist' configuration directive allows you to force virus + scan at URL level. + + For example: + + whitelist \.badsite\.com + + will force scanning any files from hosts on badsite.com domain. + + You can also use a file containing all regex that might be + blacklisted and provide the file name to the blacklist directive. + Suppose that you have a file named + /usr/local/c-icap/etc/sc_blacklist with the following content: + + \.badsite\.com + \.getyourvirus\.org + + then you just have to set blacklist in squidclamav.conf as follow: + + blacklist /usr/local/c-icap/etc/sc_blacklist - maxsize - As said above, the 'maxsize' directive allows you not to scan a file - when the content-length of the file is bigger than the defined - value. By default there's no size limit. + the file must contain only one regex per line and no extra + character. + + Only used in "ScanNothingExcept" mode. + + untrustuser + The 'untrustuser' directive allows you to force virus scan when an + ident matches the search pattern. Of course you must have Squid + authentication helper enabled. + + For example: + + untrustuser fakeuser + + Only used in "ScanNothingExcept" mode. + + untrustclient + The 'untrustclient' directive allows you to force virus scan if the + client source IP address or DNS name match the search pattern. The + source IP can be a single IP address or an address range following + the given regex pattern. 
+ + For example: - multipart - Send the Content-Type header to Clamav for multipart content types - so multipart bodies can be broken up by their boundary and each part - can be scanned. + untrustclient ^192\.168\.1\.1$ + untrustclient ^192\.168\.1\..*$ + untrustclient ^mypc\.domain\.dom$ + + The first and the last entry will force virus scan for a single + computer and the second will do for en entire class C network. + + Only used in "ScanNothingExcept" mode. + + Libarchive support + Allow squidclamav to uncompress archives and filter according to + user-defined rules before passing them to clamav. See directives bellow + for more details. + + enable_libarchive + Enable/disable use of libarchive by SquidClamav. Disabled by + default. Note that if libarchive is not available on your server + enabling this feature will have no effect. When libarchive headers + are not present the code to support libarchive in squidclamav is not + compiled. + + ban_archive_entry + Block matching archive entries. For example: zip files containing + threats such as ransomeware that are not yet detected by clamav or + other antivirus software (typically 5KB zip files containing a cab + file or a vbe script). Here is the value set in the configuration + file if enabled: + + ban_archive_entry ^.*\.(ade|adp|app|asd|asf|asx|bas|bat|cab|chm|cmd|com|cpl|crt|dll|exe|fxp|hlp|hta|hto|inf|ini|ins|isp|jse?|lib|lnk|mdb|mde|msc|msi|msp|mst|ocx|pcd|pif|prg|reg|scr|sct|sh|shb|shs|sys|url|vb|vbe|vbs|vcs|vxd|wmd|wms|wmz|wsc|wsf|wsh)$ + + ban_max_entries + Maximum number of entries in an archive in order to block it if + there's at least one match. Archives with more than ban_max_entries + will not be blocked even if there are matches. A value of 0 (or + commented) will ignore the number of entries in an archive. + Suggested value: 1. + + ban_max_matched_entries + Maximum number of matched entries in an archive in order to block + it. 
Archives with more than ban_max_matched_entries matches will not + be blocked. A value of 0 (or commented) will ban an archive when + there's at least one entry match. Suggested value: 1. + + banmaxsize + Maximum size of an archive that may be opened. Any file bigger that + this value will not be scanned. Suggested value: 2M. + + recoverpath + Path where banned archives are stored (libarchive). Hard-coded file + format: + + banned_USERNAME_CLIENTIP_UNIXTIME_RAND(99).FILEEXTENSION + + USERNAME and CLIENTIP are available when enabling + icap_send_client_ip and icap_send_client_username in squid.conf. + Check clwarn.cgi example to see how you can retrieve the file name + and serve it via http. + + recovervirus + Enable if virus files should also be copied to recoverpath. + Hard-coded file format: + + virus_USERNAME_CLIENTIP_UNIXTIME_RAND(99).FILEEXTENSION + + Otherwise only archives containing ban_archive_entry matches will be + copied. Testing SquidClamav - As SquidClamav v6.0 is now a c-icap service, it can no more be run at - console in interactive mode. To check what is going wrong, you must edit + As SquidClamav is a c-icap service, it can not be run at console as an + interactive program. To check what is going wrong, you must edit c-icap.conf file, set DebugLevel to 3 and enable ServerLog. Then check for lines with squidclamav string in the log file which is defined with ServerLog in squidclamav's config. Performance - With SquidClamav v6.x the way to tune your service is to tune c-icap - server and clamd daemon. On heavy http access, putting the clamd daemon - on a dedicated server with multiple CPU will really help. + With SquidClamav the way to tune your service is to tune c-icap server + and clamd daemon. On heavy http access, putting the clamd daemon on a + dedicated server with multiple CPU will really help. If you experience Squid "ICAP protocol error" (with bypass enabled) please consider increasing the following c-icp parameters: StartServers, 
@@ -599,20 +733,15 @@ ACKNOWLEDGEMENT software. Special thanks to Christos Tsantilas for his implementation of the - c-icap server. Lots of SquidClamav v6 source code has been learned or + c-icap server. Lots of SquidClamav source code has been learned or simply cut and pasted from the source code of his clamav service. - I must also thank all the great contributors: - - - Leonardo Humberto Liporati from www.ig.com.br - - Dale Laushman from The Uptime Group - - Rainer schoepf from Proteosys.com - - Yann Ormanns - - and all others who help me to build a useful and reliable product. + I must also thank all the great contributors and all others who help to + build a useful and reliable product. They are all cited in ChangeLog + file. LICENSE - Copyright (c) 2005-2016 Gilles Darold - All rights reserved. + Copyright (c) 2005-2019 Gilles Darold - All rights reserved. Some code is Copyright (C) 2004-2008 Christos Tsantilas diff --git a/debian/copyright b/debian/copyright index acd01f9..13b7486 100644 --- a/debian/copyright +++ b/debian/copyright @@ -3,7 +3,7 @@ Upstream-Name: c-icap-modules Source: http://c-icap.sourceforge.net/ Files: * -Copyright: 2005-2016 Gilles Darold - All rights reserved. +Copyright: 2005-2019 Gilles Darold - All rights reserved. 2004-2008 Christos Tsantilas License: GPL-2+ diff --git a/doc/README b/doc/README index 0af57d7..59a1471 100644 --- a/doc/README +++ b/doc/README 
@@ -1,16 +1,16 @@ NAME - SquidClamav v6 - HTTP Antivirus for Squid based on ClamAv and the ICAP + SquidClamav - HTTP Antivirus for Squid based on ClamAv and the ICAP protocol DESCRIPTION - SquidClamav v6 is an antivirus for the Squid proxy based on the ICAP + SquidClamav is an antivirus for the Squid proxy based on the ICAP protocol and the awards-winning ClamAv anti-virus toolkit. Using it will help you securing your home or enterprise network web traffic. SquidClamav is the most efficient antivirus tool for HTTP traffic available for free, it is written in C as a c-icap service and can handle several thousands of connections at once. - SquidClamav v6 only scan the HTTP stream sent by Squid through the ICAP + SquidClamav only scan the HTTP stream sent by Squid through the ICAP server. It doesn't make HTTP requests itself so this is a gain of performance and ensures that the data scanned is the same as the user has requested. @@ -23,7 +23,7 @@ DESCRIPTION libclamav to scan files is speediest and more simple than the srv_clamav module provided with the c-icap server. - SquidClamav v6 is faster than any other HTTP antivirus and can handle + SquidClamav is faster than any other HTTP antivirus and can handle several thousands of simultaneous users at once, this is what we need. The other unique feature of SquidClamav is that you can have Clamd 
@@ -42,15 +42,10 @@ DESCRIPTION USAGE Generic Program Information - SquidClamav v6 has been completely rewritten to be used through the - Squid v3.x ICAP feature allowing "on stream" scanning. It is now built - as a c-icap server service but keeps all features from v5 and is fully - compatible with the old SquidClamav configuration file. The squidclamav - configuration file is unchanged minus some obsolete directives. - - This also means that SquidClamav can no more be run into an interactive - console for testing your URL. All debug information will now go to the - c-icap logfile. + SquidClamav is compatible with all Squid v3.x versions that support the + ICAP feature allowing "on stream" scanning. squidclamav is built as a + c-icap server service and can be controlled through a configuration + file. Installing Squid Setting SquidClamav as Squid Icap service @@ -125,8 +120,7 @@ USAGE section. Here the bypass is set to 1, that means that in case of squidclamav - problems squid will simply ignore the error and continue. This is - the equivalent of the bridge mode in version 5.x of suidclamav. + problems squid will simply ignore the error and continue. Squid 3.0.x configuration For squid 3.0.x you must replace 'bypass=1' by '1' or 'bypass=0' by @@ -152,8 +146,7 @@ USAGE section. Here the bypass is set to 1, that means that in case of squidclamav - problems squid will simply ignore the error and continue. This is - the equivalent of the bridge mode in version 5.x of suidclamav. + problems squid will simply ignore the error and continue. What do that configuration directives do? They enable Squid's ICAP client and tell Squid to send the logged username and client's IP 
@@ -170,9 +163,17 @@ USAGE like me, just set the bypass argument to 0 and Squid will return an error message in case of a failure. + Chained Url Checker + You can chained SquidClamav call to an Url checked like squidguard by + setting the 'url_rewrite_program' squid.conf directive: + + url_rewrite_program /usr/bin/squidGuard + url_rewrite_children 15 + url_rewrite_access allow all + C-icap server installation/configuration If you don't have package solutions or encounter problems when - installing SquidClamav I recommand you to install the c-icap server from + installing SquidClamav I recommend you to install the c-icap server from source as following. You can download it from SourceForge at http://c-icap.sourceforge.net/. Choose version c-icap-0.3.2 or later versions, then run: @@ -204,7 +205,7 @@ USAGE where c-icap server is writing pid and socket file. You may also want to change the user/group owning c-icap's processes. By - default the owner is the user/group who runs the program. I recommand + default the owner is the user/group who runs the program. I recommend you to change them to the same user/group running your Squid cache. For example: 
@@ -294,16 +295,21 @@ CONFIGURATION Global configuration Log file and debug - In version 6.x the directives 'logfile', 'debug' and 'stat' are obsolete - as logging and debug are now handled by the c-icap server. You can - control them using the following c-icap.conf directives: + Logging and debug are handled by the c-icap server. You can control them + using the following c-icap.conf directives: ServerLog /usr/local/c-icap/var/log/server.log DebugLevel 0 Debug information is disable by default, do not enable it on production - systems as it costs a lot of performance. The debug level can be set - from 1 up to 3 for SquidClamav but can be up to 10 for c-icap. + systems as it costs a lot of performances. The debug level can be set + from 1 up to 3 for SquidClamav but can be up to 10 for c-icap. By + setting + + DebugLevel 3 + + you will trace everything done by SquidClamav, this is useful for + debugging purpose. Clamd daemon SquidClamav needs to know where to contact clamd, the ClamAV daemon, for @@ -323,7 +329,7 @@ CONFIGURATION Clamd failover If you have multiple ClamAv servers, SquidClamav is able to do failover - between them. You just have to set 'clamd_ip' to a list of IP adresses + between them. You just have to set 'clamd_ip' to a list of IP addresses separated by a comma. Do not insert space characters in this list or it will break all. For example: 
@@ -391,60 +397,102 @@ CONFIGURATION By default it is disabled as you can also log this information with the cgi-script or send an email. - Chained Url Checker - The squidguard directive is preserved for backward compatibility but you - must remove it from your configuration file as it could result in many - squidclamav crashes. + Maximun file size scanned + The maxsize directive allows to disable virus scan completely for files + bigger than the value in bytes. Default is 0, no size limit as you may + want to control download size into squid.conf or clamd. - Please use the 'url_rewrite_program' squid.conf directive instead to - call squidGuard. + maxsize 2M - url_rewrite_program /usr/bin/squidGuard - url_rewrite_children 15 - url_rewrite_access allow all + If you want to abort virus scan after a certain amount of data you must + take a look at the clamd configuration directive 'StreamMaxLength' that + will close a stream when the given size is reached. - If you still want to use it, SquidClamav allows you to chain the - SquidGuard program to check the URL requested against blocklists using - the 'squidguard' directive. You just have to give the path to the - program. + DNS lookup of client IP address + Directive dnslookup allow you to enable / disable DNS lookup of all + client IP address. Default is enabled: - squidguard /usr/local/squidGuard/bin/squidGuard + dnslookup 1 - The chained program is called before the virus scan and any other - SquidClamav operations. The call to this program can be disabled with - the 'whitelist', 'trustuser' and 'trustclient' directives. See - SquidClamav Patterns for more information. + to preserve backward compatibility. You should deactivate this feature + if you don't use trustclient with hostname in the regexp or if you don't + have a DNS on your network. Disabling it will also speed up squidclamav. 
- To log every chained program redirection enable the 'logredir' - configuration directive as following: + Safebrowsing + ClamAV 0.95 introduced support for Google Safe Browsing database. The + database is packed inside a CVD file and distributed through our mirror + network as safebrowsing.cvd. This feature is disabled by default on all + clamav installations. - logredir 1 + In order to enable this feature, you must first add "SafeBrowsing Yes" + to freshclam.conf. There is no option in clamd.conf. If the engine finds + Google Safe Browsing files in the database directory, ClamAV will enable + safe browsing. To turn it off you need to update freshclam.conf and + remove the safebrowsing files from the database directory before + restarting clamd. - By default it is disabled as you can also log this information with - squidguard. + Then to enable this feature into SquidClamav you have to enable the + following configuration directive. - Maxsize - This directive allows to disable virus scan completely for files bigger - than the value in bytes. Default is 0, no size limit as you may want to - control download size into squid.conf or clamd. + safebrowsing + Enable / Disable Clamav Safe Browsing feature. You mus have enabled + the corresponding behavior in clamd by enabling SafeBrowsing into + freshclam.conf Enabling it will first make a safe browsing request + to clamd and then the virus scan request. - maxsize 2000000 + Control virus scan + There is two scan mode to fully control squidclamav behavior. The first + and historical mode is "ScanAllExcept" that scans everything by default. + This mode can be controlled by directives: abort, abortcontent, + whitelist, trustuser and trustclient. - If you want to abort virus scan after a certain amount of data you must - take a look at the clamd configuration directive 'StreamMaxLength' that - will close a stream when the given size is reached. 
+ scan_mode ScanAllExcept + + The second mode since squidclamav version 7 is "ScanNothingExcept" that + will scan nothing but the content controlled by the scan, scancontent, + blacklist, untrustuser and untrusted client. + + scan_mode ScanNothingExcept + + Any other value for the scan_mode directive will force the + "ScanAllExcept" mode. This guarantee the backward compatibility with + older squidclamav version. + + abort + The 'abort' directive will let you disable virus scanning at URL + level (not chained program). When the URL matches the regex pattern, + SquidClamav falls back to Squid immediately after the call to the + chained program, if one is defined there. + + For example: + + abort \.squid-cache\.org + abort .*\.(png|gif|jpg)$ + + The first regexp will exclude any file hosted on domain + squid-cache.org from virus scanning, the last one will exclude all + PNG, GIF and JPEG image from scanning. + + Only used in "ScanAllExcept" mode. + + abortcontent + The 'abortcontent' directive allows you to exclude any file from + virus scanning, whose Content-Type matches the regex pattern. This + directive costs more time because SquidClamav needs to download the + HTTP header for a file with a HEAD request. Note that some sites do + not answer to HEAD requests so the content type will not be able to + be retrieved so they will be scanned. - Controlling SquidClamav behaviour - As in SquidClamav v5.x, v6.0 will scan all downloaded files by default. - You have five directives to control the way things must work. + Example: - All these directives used extended regex pattern matching and are case - insensitive. + abortcontent ^image\/.*$ + abortcontent ^video\/x-flv$ + + The first directive will complete the "abort .*\.(png|gif|jpg)$" + previous directive to match dynamic image or with parameters at end. + The second will allow your users to view streamed video instantly. 
- Control both chained program and virus scan - There are 3 configuration directives that allow you to disable virus - scan and call to chained redirector like SquidGuard. Those pattern - matchings are searched as soon as a Squid entry is received. + Only used in "ScanAllExcept" mode. whitelist The 'whitelist' configuration directive allows you to disable @@ -457,7 +505,7 @@ CONFIGURATION will deliver any files from hosts on clamav.net domain directly. - You can alse use a file containing all regex that might be + You can also use a file containing all regex that might be whitelisted and provide the file name to the whitelist directive. Suppose that you have a file named /usr/local/c-icap/etc/sc_whitelist with the following content: @@ -472,6 +520,8 @@ CONFIGURATION the file must contain only one regex per line and no extra character. + Only used in "ScanAllExcept" mode. + trustuser The 'trustuser' directive allows you to disable chained program and virus scan when an ident matches the search pattern. On regex found @@ -485,6 +535,8 @@ CONFIGURATION will let user logged as administrator to not be bored by chained program and virus scan. + Only used in "ScanAllExcept" mode. + trustclient The 'trustclient' directive allows you to disable chained program and virus scan if the client source IP address or DNS name match the 
@@ -501,57 +553,24 @@ CONFIGURATION scan for a single computer and the second will do for en entire class C network. - dnslookup - Enable / disable DNS lookup of client IP address. Default is enabled - '1' to preserve backward compatibility but you must deactivate this - feature if you don't use trustclient with hostname in the regexp or - if you don't have a DNS on your network. Disabling it will also - speed up squidclamav. + Only used in "ScanAllExcept" mode. - Safebrowsing - ClamAV 0.95 introduced support for Google Safe Browsing database. The - database is packed inside a CVD file and distributed through our mirror - network as safebrowsing.cvd. This feature is disabled by default on all - clamav installations. - - In order to enable this feature, you must first add "SafeBrowsing Yes" - to freshclam.conf. There is no option in clamd.conf. If the engine finds - Google Safe Browsing files in the database directory, ClamAV will enable - safe browsing. To turn it off you need to update freshclam.conf and - remove the safebrowsing files from the database directory before - restarting clamd. - - Then to enable this feature into SquidClamav you have to enable the - following configuration directive. - - safebrowsing - Enable / Disable Clamav Safe Browsing feature. You mus have enabled - the corresponding behavior in clamd by enabling SafeBrowsing into - freshclam.conf Enabling it will first make a safe browsing request - to clamd and then the virus scan request. - - Control virus scan - There are 3 configuration directives that allow you to disable virus - scan for downloaded files. - - abort - The 'abort' directive will let you disable virus scanning at URL - level (not chained program). When the URL matches the regex pattern, - SquidClamav falls back to Squid immediately after the call to the - chained program, if one is defined there. + scan + The 'scan' directive will let you enable virus scanning at URL + level. 
For example: - abort \.squid-cache\.org - abort .*\.(png|gif|jpg)$ + scan .*\.(doc|docx|pdf|xls)$ - The first regexp will exclude any file hosted on domain - squid-cache.org from virus scanning, the last one will exclude all - PNG, GIF and JPEG image from scanning. + The regexp will force virus scanning for extensions .doc, .docx, + .pdf and .xls. - abortcontent - The 'abortcontent' directive allows you to exclude any file from - virus scanning, whose Content-Type matches the regex pattern. This + Only used in "ScanNothingExcept" mode. + + scancontent + The 'scancontent' directive allows you to force virus scanning for + some files whose Content-Type matches the regex pattern. This directive costs more time because SquidClamav needs to download the HTTP header for a file with a HEAD request. Note that some sites do not answer to HEAD requests so the content type will not be able to 
@@ -559,17 +578,64 @@ CONFIGURATION Example: - abortcontent ^image\/.*$ - abortcontent ^video\/x-flv$ + scancontent ^application\/.*$ - The first directive will complete the "abort .*\.(png|gif|jpg)$" - previous directive to match dynamic image or with parameters at end. - The second will allow your users to view streamed video instantly. + Only used in "ScanNothingExcept" mode. + + blacklist + The 'blacklist' configuration directive allows you to force virus + scan at URL level. + + For example: + + whitelist \.badsite\.com + + will force scanning any files from hosts on badsite.com domain. + + You can also use a file containing all regex that might be + blacklisted and provide the file name to the blacklist directive. + Suppose that you have a file named + /usr/local/c-icap/etc/sc_blacklist with the following content: + + \.badsite\.com + \.getyourvirus\.org + + then you just have to set blacklist in squidclamav.conf as follow: - maxsize - As said above, the 'maxsize' directive allows you not to scan a file - when the content-length of the file is bigger than the defined - value. By default there's no size limit. + blacklist /usr/local/c-icap/etc/sc_blacklist + + the file must contain only one regex per line and no extra + character. + + Only used in "ScanNothingExcept" mode. + + untrustuser + The 'untrustuser' directive allows you to force virus scan when an + ident matches the search pattern. Of course you must have Squid + authentication helper enabled. + + For example: + + untrustuser fakeuser + + Only used in "ScanNothingExcept" mode. + + untrustclient + The 'untrustclient' directive allows you to force virus scan if the + client source IP address or DNS name match the search pattern. The + source IP can be a single IP address or an address range following + the given regex pattern. 
+ + For example: + + untrustclient ^192\.168\.1\.1$ + untrustclient ^192\.168\.1\..*$ + untrustclient ^mypc\.domain\.dom$ + + The first and the last entry will force virus scan for a single + computer and the second will do for en entire class C network. + + Only used in "ScanNothingExcept" mode. Libarchive support Allow squidclamav to uncompress archives and filter according to @@ -630,16 +696,16 @@ CONFIGURATION copied. Testing SquidClamav - As SquidClamav v6.0 is now a c-icap service, it can no more be run at - console in interactive mode. To check what is going wrong, you must edit + As SquidClamav is a c-icap service, it can not be run at console as an + interactive program. To check what is going wrong, you must edit c-icap.conf file, set DebugLevel to 3 and enable ServerLog. Then check for lines with squidclamav string in the log file which is defined with ServerLog in squidclamav's config. Performance - With SquidClamav v6.x the way to tune your service is to tune c-icap - server and clamd daemon. On heavy http access, putting the clamd daemon - on a dedicated server with multiple CPU will really help. + With SquidClamav the way to tune your service is to tune c-icap server + and clamd daemon. On heavy http access, putting the clamd daemon on a + dedicated server with multiple CPU will really help. If you experience Squid "ICAP protocol error" (with bypass enabled) please consider increasing the following c-icp parameters: StartServers, 
@@ -667,20 +733,15 @@ ACKNOWLEDGEMENT software. Special thanks to Christos Tsantilas for his implementation of the - c-icap server. Lots of SquidClamav v6 source code has been learned or + c-icap server. Lots of SquidClamav source code has been learned or simply cut and pasted from the source code of his clamav service. - I must also thank all the great contributors: - - - Leonardo Humberto Liporati from www.ig.com.br - - Dale Laushman from The Uptime Group - - Rainer schoepf from Proteosys.com - - Yann Ormanns - - and all others who help me to build a useful and reliable product. + I must also thank all the great contributors and all others who help to + build a useful and reliable product. They are all cited in ChangeLog + file. LICENSE - Copyright (c) 2005-2016 Gilles Darold - All rights reserved. + Copyright (c) 2005-2019 Gilles Darold - All rights reserved. Some code is Copyright (C) 2004-2008 Christos Tsantilas diff --git a/doc/SquidClamav.pod b/doc/SquidClamav.pod index 49928bd..1e2cf3e 100644 --- a/doc/SquidClamav.pod +++ b/doc/SquidClamav.pod 
@@ -1,16 +1,16 @@ =head1 NAME -SquidClamav v6 - HTTP Antivirus for Squid based on ClamAv and the ICAP protocol +SquidClamav - HTTP Antivirus for Squid based on ClamAv and the ICAP protocol =head1 DESCRIPTION -SquidClamav v6 is an antivirus for the Squid proxy based on the ICAP protocol +SquidClamav is an antivirus for the Squid proxy based on the ICAP protocol and the awards-winning ClamAv anti-virus toolkit. Using it will help you securing your home or enterprise network web traffic. SquidClamav is the most efficient antivirus tool for HTTP traffic available for free, it is written in C as a c-icap service and can handle several thousands of connections at once. -SquidClamav v6 only scan the HTTP stream sent by Squid through the ICAP server. +SquidClamav only scan the HTTP stream sent by Squid through the ICAP server. It doesn't make HTTP requests itself so this is a gain of performance and ensures that the data scanned is the same as the user has requested. @@ -22,7 +22,7 @@ survival of SquidClamav, I think that using clamd instead of libclamav to scan files is speediest and more simple than the srv_clamav module provided with the c-icap server. -SquidClamav v6 is faster than any other HTTP antivirus and can handle several +SquidClamav is faster than any other HTTP antivirus and can handle several thousands of simultaneous users at once, this is what we need. The other unique feature of SquidClamav is that you can have Clamd failover by 
@@ -42,14 +42,9 @@ This will be redirected by squidclamav just like if a virus was found. =head2 Generic Program Information -SquidClamav v6 has been completely rewritten to be used through the Squid v3.x -ICAP feature allowing "on stream" scanning. It is now built as a c-icap server -service but keeps all features from v5 and is fully compatible with the old -SquidClamav configuration file. The squidclamav configuration file is unchanged -minus some obsolete directives. - -This also means that SquidClamav can no more be run into an interactive console -for testing your URL. All debug information will now go to the c-icap logfile. +SquidClamav is compatible with all Squid v3.x versions that support the +ICAP feature allowing "on stream" scanning. squidclamav is built as a +c-icap server service and can be controlled through a configuration file. =head2 Installing Squid @@ -128,8 +123,7 @@ If you don't know where to put them in squid.conf, just search for 'icap_.*' and add those configuration lines at the end of the icap section. Here the bypass is set to 1, that means that in case of squidclamav problems -squid will simply ignore the error and continue. This is the equivalent of the -bridge mode in version 5.x of suidclamav. +squid will simply ignore the error and continue. =item Squid 3.0.x configuration @@ -156,8 +150,7 @@ If you don't know where to put them in squid.conf, just search for 'icap_.*' and add those configuration lines at the end of the icap section. Here the bypass is set to 1, that means that in case of squidclamav problems -squid will simply ignore the error and continue. This is the equivalent of the -bridge mode in version 5.x of suidclamav. +squid will simply ignore the error and continue. =back 
@@ -174,10 +167,19 @@ about that, they want to surf and don't care about your problems :-) If you don't think like me, just set the bypass argument to 0 and Squid will return an error message in case of a failure. +=head3 Chained Url Checker + +You can chained SquidClamav call to an Url checked like squidguard by setting +the 'url_rewrite_program' squid.conf directive: + + url_rewrite_program /usr/bin/squidGuard + url_rewrite_children 15 + url_rewrite_access allow all + =head3 C-icap server installation/configuration If you don't have package solutions or encounter problems when installing SquidClamav -I recommand you to install the c-icap server from source as following. You can +I recommend you to install the c-icap server from source as following. You can download it from SourceForge at http://c-icap.sourceforge.net/. Choose version c-icap-0.3.2 or later versions, then run: @@ -206,7 +208,7 @@ Following your installation you may need to create the /var/run/c-icap/ where c-icap server is writing pid and socket file. You may also want to change the user/group owning c-icap's processes. By default -the owner is the user/group who runs the program. I recommand you to change them +the owner is the user/group who runs the program. I recommend you to change them to the same user/group running your Squid cache. For example: User proxy 
@@ -295,16 +297,21 @@ a single space character. Comments are lines starting with a '#' character. =head3 Log file and debug -In version 6.x the directives 'logfile', 'debug' and 'stat' are obsolete as -logging and debug are now handled by the c-icap server. You can control them + +Logging and debug are handled by the c-icap server. You can control them using the following c-icap.conf directives: ServerLog /usr/local/c-icap/var/log/server.log DebugLevel 0 Debug information is disable by default, do not enable it on production -systems as it costs a lot of performance. The debug level can be set -from 1 up to 3 for SquidClamav but can be up to 10 for c-icap. +systems as it costs a lot of performances. The debug level can be set +from 1 up to 3 for SquidClamav but can be up to 10 for c-icap. By setting + + DebugLevel 3 + +you will trace everything done by SquidClamav, this is useful for debugging +purpose. =head3 Clamd daemon @@ -325,7 +332,7 @@ SquidClamav will always use the clamd_local directive. =head3 Clamd failover If you have multiple ClamAv servers, SquidClamav is able to do failover between -them. You just have to set 'clamd_ip' to a list of IP adresses separated by a +them. You just have to set 'clamd_ip' to a list of IP addresses separated by a comma. Do not insert space characters in this list or it will break all. For example: clamd_ip 192.168.1.5,192.168.1.13,192.168.1.9 
@@ -394,65 +401,111 @@ By default it is disabled as you can also log this information with the cgi-script or send an email. -=head3 Chained Url Checker +=head4 Maximun file size scanned -The squidguard directive is preserved for backward compatibility but you -must remove it from your configuration file as it could result in many -squidclamav crashes. +The maxsize directive allows to disable virus scan completely for files +bigger than the value in bytes. Default is 0, no size limit as you may +want to control download size into squid.conf or clamd. -Please use the 'url_rewrite_program' squid.conf directive instead to call -squidGuard. + maxsize 2M - url_rewrite_program /usr/bin/squidGuard - url_rewrite_children 15 - url_rewrite_access allow all +If you want to abort virus scan after a certain amount of data you must +take a look at the clamd configuration directive 'StreamMaxLength' that +will close a stream when the given size is reached. -If you still want to use it, SquidClamav allows you to chain the SquidGuard -program to check the URL requested against blocklists using the 'squidguard' -directive. You just have to give the path to the program. +=head4 DNS lookup of client IP address - squidguard /usr/local/squidGuard/bin/squidGuard +Directive dnslookup allow you to enable / disable DNS lookup of all client +IP address. Default is enabled: -The chained program is called before the virus scan and any other SquidClamav -operations. The call to this program can be disabled with the 'whitelist', -'trustuser' and 'trustclient' directives. See SquidClamav Patterns for more -information. + dnslookup 1 -To log every chained program redirection enable the 'logredir' configuration -directive as following: +to preserve backward compatibility. You should deactivate this feature if +you don't use trustclient with hostname in the regexp or if you don't have +a DNS on your network. Disabling it will also speed up squidclamav. 
- logredir 1 +=head3 Safebrowsing -By default it is disabled as you can also log this information with squidguard. +ClamAV 0.95 introduced support for Google Safe Browsing database. The database +is packed inside a CVD file and distributed through our mirror network as +safebrowsing.cvd. This feature is disabled by default on all clamav installations. -=head3 Maxsize +In order to enable this feature, you must first add "SafeBrowsing Yes" to freshclam.conf. +There is no option in clamd.conf. If the engine finds Google Safe Browsing files in the +database directory, ClamAV will enable safe browsing. To turn it off you need to update +freshclam.conf and remove the safebrowsing files from the database directory before +restarting clamd. -This directive allows to disable virus scan completely for files bigger than the -value in bytes. Default is 0, no size limit as you may want to control download -size into squid.conf or clamd. +Then to enable this feature into SquidClamav you have to enable the following +configuration directive. + +=over 4 + +=item safebrowsing + +Enable / Disable Clamav Safe Browsing feature. You mus have enabled the +corresponding behavior in clamd by enabling SafeBrowsing into freshclam.conf +Enabling it will first make a safe browsing request to clamd and then the +virus scan request. - maxsize 2000000 +=back -If you want to abort virus scan after a certain amount of data you must take a -look at the clamd configuration directive 'StreamMaxLength' that will close a -stream when the given size is reached. +=head3 Control virus scan -=head2 Controlling SquidClamav behaviour +There is two scan mode to fully control squidclamav behavior. The first +and historical mode is "ScanAllExcept" that scans everything by default. +This mode can be controlled by directives: abort, abortcontent, whitelist, +trustuser and trustclient. -As in SquidClamav v5.x, v6.0 will scan all downloaded files by default. 
-You have five directives to control the way things must work. + scan_mode ScanAllExcept -All these directives used extended regex pattern matching and are case -insensitive. +The second mode since squidclamav version 7 is "ScanNothingExcept" that +will scan nothing but the content controlled by the scan, scancontent, +blacklist, untrustuser and untrusted client. -=head3 Control both chained program and virus scan + scan_mode ScanNothingExcept -There are 3 configuration directives that allow you to disable virus scan and -call to chained redirector like SquidGuard. Those pattern matchings are searched -as soon as a Squid entry is received. +Any other value for the scan_mode directive will force the "ScanAllExcept" +mode. This guarantee the backward compatibility with older squidclamav +version. =over 4 +=item abort + +The 'abort' directive will let you disable virus scanning at URL level (not +chained program). When the URL matches the regex pattern, SquidClamav falls back to +Squid immediately after the call to the chained program, if one is defined there. + +For example: + + abort \.squid-cache\.org + abort .*\.(png|gif|jpg)$ + +The first regexp will exclude any file hosted on domain squid-cache.org from virus scanning, +the last one will exclude all PNG, GIF and JPEG image from scanning. + +Only used in "ScanAllExcept" mode. + +=item abortcontent + +The 'abortcontent' directive allows you to exclude any file from virus scanning, +whose Content-Type matches the regex pattern. This directive costs more time +because SquidClamav needs to download the HTTP header for a file with a HEAD +request. Note that some sites do not answer to HEAD requests so the content type +will not be able to be retrieved so they will be scanned. + +Example: + + abortcontent ^image\/.*$ + abortcontent ^video\/x-flv$ + +The first directive will complete the "abort .*\.(png|gif|jpg)$" previous +directive to match dynamic image or with parameters at end. 
The second will +allow your users to view streamed video instantly. + +Only used in "ScanAllExcept" mode. + =item whitelist The 'whitelist' configuration directive allows you to disable chained program @@ -465,7 +518,7 @@ For example: will deliver any files from hosts on clamav.net domain directly. -You can alse use a file containing all regex that might be whitelisted and +You can also use a file containing all regex that might be whitelisted and provide the file name to the whitelist directive. Suppose that you have a file named /usr/local/c-icap/etc/sc_whitelist with the following content: @@ -478,6 +531,8 @@ then you just have to set whitelist in squidclamav.conf as follow: the file must contain only one regex per line and no extra character. +Only used in "ScanAllExcept" mode. + =item trustuser The 'trustuser' directive allows you to disable chained program and virus scan @@ -491,6 +546,8 @@ For example: will let user logged as administrator to not be bored by chained program and virus scan. +Only used in "ScanAllExcept" mode. + =item trustclient The 'trustclient' directive allows you to disable chained program and virus scan 
@@ -506,84 +563,89 @@ For example: The first and the last entry will disable chained program and virus scan for a single computer and the second will do for en entire class C network. -=item dnslookup +Only used in "ScanAllExcept" mode. -Enable / disable DNS lookup of client IP address. Default is enabled '1' to -preserve backward compatibility but you must deactivate this feature if you -don't use trustclient with hostname in the regexp or if you don't have a DNS -on your network. Disabling it will also speed up squidclamav. +=item scan -=back +The 'scan' directive will let you enable virus scanning at URL level. -=head3 Safebrowsing +For example: -ClamAV 0.95 introduced support for Google Safe Browsing database. The database -is packed inside a CVD file and distributed through our mirror network as -safebrowsing.cvd. This feature is disabled by default on all clamav installations. + scan .*\.(doc|docx|pdf|xls)$ -In order to enable this feature, you must first add "SafeBrowsing Yes" to freshclam.conf. -There is no option in clamd.conf. If the engine finds Google Safe Browsing files in the -database directory, ClamAV will enable safe browsing. To turn it off you need to update -freshclam.conf and remove the safebrowsing files from the database directory before -restarting clamd. +The regexp will force virus scanning for extensions .doc, .docx, .pdf and .xls. -Then to enable this feature into SquidClamav you have to enable the following -configuration directive. +Only used in "ScanNothingExcept" mode. -=over 4 +=item scancontent -=item safebrowsing +The 'scancontent' directive allows you to force virus scanning for some files +whose Content-Type matches the regex pattern. This directive costs more time +because SquidClamav needs to download the HTTP header for a file with a HEAD +request. Note that some sites do not answer to HEAD requests so the content type +will not be able to be retrieved so they will be scanned. -Enable / Disable Clamav Safe Browsing feature. 
You mus have enabled the -corresponding behavior in clamd by enabling SafeBrowsing into freshclam.conf -Enabling it will first make a safe browsing request to clamd and then the -virus scan request. +Example: -=back + scancontent ^application\/.*$ -=head3 Control virus scan +Only used in "ScanNothingExcept" mode. -There are 3 configuration directives that allow you to disable virus scan for -downloaded files. +=item blacklist -=over 4 +The 'blacklist' configuration directive allows you to force virus scan at URL +level. -=item abort +For example: -The 'abort' directive will let you disable virus scanning at URL level (not -chained program). When the URL matches the regex pattern, SquidClamav falls back to -Squid immediately after the call to the chained program, if one is defined there. + whitelist \.badsite\.com -For example: +will force scanning any files from hosts on badsite.com domain. - abort \.squid-cache\.org - abort .*\.(png|gif|jpg)$ +You can also use a file containing all regex that might be blacklisted and +provide the file name to the blacklist directive. Suppose that you have a +file named /usr/local/c-icap/etc/sc_blacklist with the following content: -The first regexp will exclude any file hosted on domain squid-cache.org from virus scanning, -the last one will exclude all PNG, GIF and JPEG image from scanning. + \.badsite\.com + \.getyourvirus\.org -=item abortcontent +then you just have to set blacklist in squidclamav.conf as follow: -The 'abortcontent' directive allows you to exclude any file from virus scanning, -whose Content-Type matches the regex pattern. This directive costs more time -because SquidClamav needs to download the HTTP header for a file with a HEAD -request. Note that some sites do not answer to HEAD requests so the content type -will not be able to be retrieved so they will be scanned. + blacklist /usr/local/c-icap/etc/sc_blacklist -Example: +the file must contain only one regex per line and no extra character. 
- abortcontent ^image\/.*$ - abortcontent ^video\/x-flv$ +Only used in "ScanNothingExcept" mode. -The first directive will complete the "abort .*\.(png|gif|jpg)$" previous -directive to match dynamic image or with parameters at end. The second will -allow your users to view streamed video instantly. +=item untrustuser + +The 'untrustuser' directive allows you to force virus scan when an ident +matches the search pattern. Of course you must have Squid authentication +helper enabled. + +For example: + + untrustuser fakeuser -=item maxsize +Only used in "ScanNothingExcept" mode. -As said above, the 'maxsize' directive allows you not to scan a file when the -content-length of the file is bigger than the defined value. By default there's -no size limit. +=item untrustclient + +The 'untrustclient' directive allows you to force virus scan if the client +source IP address or DNS name match the search pattern. The source IP +can be a single IP address or an address range following the given regex +pattern. + +For example: + + untrustclient ^192\.168\.1\.1$ + untrustclient ^192\.168\.1\..*$ + untrustclient ^mypc\.domain\.dom$ + +The first and the last entry will force virus scan for a single computer +and the second will do for en entire class C network. + +Only used in "ScanNothingExcept" mode. =back 
@@ -652,14 +714,15 @@ Otherwise only archives containing ban_archive_entry matches will be copied. =head2 Testing SquidClamav -As SquidClamav v6.0 is now a c-icap service, it can no more be run at console -in interactive mode. To check what is going wrong, you must edit c-icap.conf +As SquidClamav is a c-icap service, it can not be run at console as an +interactive program. To check what is going wrong, you must edit c-icap.conf file, set DebugLevel to 3 and enable ServerLog. Then check for lines with -squidclamav string in the log file which is defined with ServerLog in squidclamav's config. +squidclamav string in the log file which is defined with ServerLog in +squidclamav's config. =head2 Performance -With SquidClamav v6.x the way to tune your service is to tune c-icap server and +With SquidClamav the way to tune your service is to tune c-icap server and clamd daemon. On heavy http access, putting the clamd daemon on a dedicated server with multiple CPU will really help. @@ -692,21 +755,16 @@ Thanks to Squid-cache.org, Clamav.net and c-icap.sf.net for their great software. Special thanks to Christos Tsantilas for his implementation of the -c-icap server. Lots of SquidClamav v6 source code has been learned +c-icap server. Lots of SquidClamav source code has been learned or simply cut and pasted from the source code of his clamav service. -I must also thank all the great contributors: - - - Leonardo Humberto Liporati from www.ig.com.br - - Dale Laushman from The Uptime Group - - Rainer schoepf from Proteosys.com - - Yann Ormanns - -and all others who help me to build a useful and reliable product. +I must also thank all the great contributors and all others who help +to build a useful and reliable product. They are all cited in ChangeLog +file. =head1 LICENSE -Copyright (c) 2005-2016 Gilles Darold - All rights reserved. +Copyright (c) 2005-2019 Gilles Darold - All rights reserved. Some code is Copyright (C) 2004-2008 Christos Tsantilas 
diff --git a/doc/squidclamav.1 b/doc/squidclamav.1 index 99bce69..147dd3f 100644 --- a/doc/squidclamav.1 +++ b/doc/squidclamav.1 @@ -129,22 +129,22 @@ .\" ======================================================================== .\" .IX Title "SQUIDCLAMAV 1" -.TH SQUIDCLAMAV 1 "2019-03-03" "perl v5.26.1" "User Contributed Perl Documentation" +.TH SQUIDCLAMAV 1 "2019-03-11" "perl v5.26.1" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -SquidClamav v6 \- HTTP Antivirus for Squid based on ClamAv and the ICAP protocol +SquidClamav \- HTTP Antivirus for Squid based on ClamAv and the ICAP protocol .SH "DESCRIPTION" .IX Header "DESCRIPTION" -SquidClamav v6 is an antivirus for the Squid proxy based on the \s-1ICAP\s0 protocol +SquidClamav is an antivirus for the Squid proxy based on the \s-1ICAP\s0 protocol and the awards-winning ClamAv anti-virus toolkit. Using it will help you securing your home or enterprise network web traffic. SquidClamav is the most efficient antivirus tool for \s-1HTTP\s0 traffic available for free, it is written in C as a c\-icap service and can handle several thousands of connections at once. .PP -SquidClamav v6 only scan the \s-1HTTP\s0 stream sent by Squid through the \s-1ICAP\s0 server. +SquidClamav only scan the \s-1HTTP\s0 stream sent by Squid through the \s-1ICAP\s0 server. It doesn't make \s-1HTTP\s0 requests itself so this is a gain of performance and ensures that the data scanned is the same as the user has requested. .PP 
@@ -156,7 +156,7 @@ survival of SquidClamav, I think that using clamd instead of libclamav to scan files is speediest and more simple than the srv_clamav module provided with the c\-icap server. .PP -SquidClamav v6 is faster than any other \s-1HTTP\s0 antivirus and can handle several +SquidClamav is faster than any other \s-1HTTP\s0 antivirus and can handle several thousands of simultaneous users at once, this is what we need. .PP The other unique feature of SquidClamav is that you can have Clamd failover by @@ -176,14 +176,9 @@ This will be redirected by squidclamav just like if a virus was found. .IX Header "USAGE" .SS "Generic Program Information" .IX Subsection "Generic Program Information" -SquidClamav v6 has been completely rewritten to be used through the Squid v3.x -\&\s-1ICAP\s0 feature allowing \*(L"on stream\*(R" scanning. It is now built as a c\-icap server -service but keeps all features from v5 and is fully compatible with the old -SquidClamav configuration file. The squidclamav configuration file is unchanged -minus some obsolete directives. -.PP -This also means that SquidClamav can no more be run into an interactive console -for testing your \s-1URL.\s0 All debug information will now go to the c\-icap logfile. +SquidClamav is compatible with all Squid v3.x versions that support the +\&\s-1ICAP\s0 feature allowing \*(L"on stream\*(R" scanning. squidclamav is built as a +c\-icap server service and can be controlled through a configuration file. .SS "Installing Squid" .IX Subsection "Installing Squid" .SS "Setting SquidClamav as Squid Icap service" 
@@ -266,8 +261,7 @@ If you don't know where to put them in squid.conf, just search for 'icap_.*' and add those configuration lines at the end of the icap section. .Sp Here the bypass is set to 1, that means that in case of squidclamav problems -squid will simply ignore the error and continue. This is the equivalent of the -bridge mode in version 5.x of suidclamav. +squid will simply ignore the error and continue. .IP "Squid 3.0.x configuration" 4 .IX Item "Squid 3.0.x configuration" For squid 3.0.x you must replace 'bypass=1' by '1' or 'bypass=0' by '0' and @@ -294,8 +288,7 @@ If you don't know where to put them in squid.conf, just search for 'icap_.*' and add those configuration lines at the end of the icap section. .Sp Here the bypass is set to 1, that means that in case of squidclamav problems -squid will simply ignore the error and continue. This is the equivalent of the -bridge mode in version 5.x of suidclamav. +squid will simply ignore the error and continue. .PP What do that configuration directives do? They enable Squid's \s-1ICAP\s0 client and tell Squid to send the logged username and client's \s-1IP\s0 address to the \s-1ICAP\s0 server. 
@@ -310,11 +303,23 @@ about that, they want to surf and don't care about your problems :\-) If you don't think like me, just set the bypass argument to 0 and Squid will return an error message in case of a failure. .PP +\fIChained Url Checker\fR +.IX Subsection "Chained Url Checker" +.PP +You can chained SquidClamav call to an Url checked like squidguard by setting +the 'url_rewrite_program' squid.conf directive: +.PP +.Vb 3 +\& url_rewrite_program /usr/bin/squidGuard +\& url_rewrite_children 15 +\& url_rewrite_access allow all +.Ve +.PP \fIC\-icap server installation/configuration\fR .IX Subsection "C-icap server installation/configuration" .PP If you don't have package solutions or encounter problems when installing SquidClamav -I recommand you to install the c\-icap server from source as following. You can +I recommend you to install the c\-icap server from source as following. You can download it from SourceForge at http://c\-icap.sourceforge.net/. Choose version c\-icap\-0.3.2 or later versions, then run: .PP @@ -349,7 +354,7 @@ Following your installation you may need to create the /var/run/c\-icap/ where c\-icap server is writing pid and socket file. .PP You may also want to change the user/group owning c\-icap's processes. By default -the owner is the user/group who runs the program. I recommand you to change them +the owner is the user/group who runs the program. I recommend you to change them to the same user/group running your Squid cache. For example: .PP .Vb 2 @@ -455,8 +460,7 @@ a single space character. Comments are lines starting with a '#' character. \fILog file and debug\fR .IX Subsection "Log file and debug" .PP -In version 6.x the directives 'logfile', 'debug' and 'stat' are obsolete as -logging and debug are now handled by the c\-icap server. You can control them +Logging and debug are handled by the c\-icap server. You can control them using the following c\-icap.conf directives: .PP .Vb 2 
@@ -465,8 +469,15 @@ using the following c\-icap.conf directives: .Ve .PP Debug information is disable by default, do not enable it on production -systems as it costs a lot of performance. The debug level can be set -from 1 up to 3 for SquidClamav but can be up to 10 for c\-icap. +systems as it costs a lot of performances. The debug level can be set +from 1 up to 3 for SquidClamav but can be up to 10 for c\-icap. By setting +.PP +.Vb 1 +\& DebugLevel 3 +.Ve +.PP +you will trace everything done by SquidClamav, this is useful for debugging +purpose. .PP \fIClamd daemon\fR .IX Subsection "Clamd daemon" @@ -491,7 +502,7 @@ SquidClamav will always use the clamd_local directive. .IX Subsection "Clamd failover" .PP If you have multiple ClamAv servers, SquidClamav is able to do failover between -them. You just have to set 'clamd_ip' to a list of \s-1IP\s0 adresses separated by a +them. You just have to set 'clamd_ip' to a list of \s-1IP\s0 addresses separated by a comma. Do not insert space characters in this list or it will break all. For example: .PP .Vb 3 
@@ -577,72 +588,117 @@ To log every redirection enable the 'logredir' configuration directive: By default it is disabled as you can also log this information with the cgi-script or send an email. .PP -\fIChained Url Checker\fR -.IX Subsection "Chained Url Checker" -.PP -The squidguard directive is preserved for backward compatibility but you -must remove it from your configuration file as it could result in many -squidclamav crashes. +Maximun file size scanned +.IX Subsection "Maximun file size scanned" .PP -Please use the 'url_rewrite_program' squid.conf directive instead to call -squidGuard. +The maxsize directive allows to disable virus scan completely for files +bigger than the value in bytes. Default is 0, no size limit as you may +want to control download size into squid.conf or clamd. .PP -.Vb 3 -\& url_rewrite_program /usr/bin/squidGuard -\& url_rewrite_children 15 -\& url_rewrite_access allow all +.Vb 1 +\& maxsize 2M .Ve .PP -If you still want to use it, SquidClamav allows you to chain the SquidGuard -program to check the \s-1URL\s0 requested against blocklists using the 'squidguard' -directive. You just have to give the path to the program. +If you want to abort virus scan after a certain amount of data you must +take a look at the clamd configuration directive 'StreamMaxLength' that +will close a stream when the given size is reached. +.PP +\s-1DNS\s0 lookup of client \s-1IP\s0 address +.IX Subsection "DNS lookup of client IP address" +.PP +Directive dnslookup allow you to enable / disable \s-1DNS\s0 lookup of all client +\&\s-1IP\s0 address. Default is enabled: .PP .Vb 1 -\& squidguard /usr/local/squidGuard/bin/squidGuard +\& dnslookup 1 .Ve .PP -The chained program is called before the virus scan and any other SquidClamav -operations. The call to this program can be disabled with the 'whitelist', -\&'trustuser' and 'trustclient' directives. See SquidClamav Patterns for more -information. +to preserve backward compatibility. 
You should deactivate this feature if +you don't use trustclient with hostname in the regexp or if you don't have +a \s-1DNS\s0 on your network. Disabling it will also speed up squidclamav. .PP -To log every chained program redirection enable the 'logredir' configuration -directive as following: +\fISafebrowsing\fR +.IX Subsection "Safebrowsing" .PP -.Vb 1 -\& logredir 1 -.Ve +ClamAV 0.95 introduced support for Google Safe Browsing database. The database +is packed inside a \s-1CVD\s0 file and distributed through our mirror network as +safebrowsing.cvd. This feature is disabled by default on all clamav installations. .PP -By default it is disabled as you can also log this information with squidguard. +In order to enable this feature, you must first add \*(L"SafeBrowsing Yes\*(R" to freshclam.conf. +There is no option in clamd.conf. If the engine finds Google Safe Browsing files in the +database directory, ClamAV will enable safe browsing. To turn it off you need to update +freshclam.conf and remove the safebrowsing files from the database directory before +restarting clamd. .PP -\fIMaxsize\fR -.IX Subsection "Maxsize" +Then to enable this feature into SquidClamav you have to enable the following +configuration directive. +.IP "safebrowsing" 4 +.IX Item "safebrowsing" +Enable / Disable Clamav Safe Browsing feature. You mus have enabled the +corresponding behavior in clamd by enabling SafeBrowsing into freshclam.conf +Enabling it will first make a safe browsing request to clamd and then the +virus scan request. +.PP +\fIControl virus scan\fR +.IX Subsection "Control virus scan" .PP -This directive allows to disable virus scan completely for files bigger than the -value in bytes. Default is 0, no size limit as you may want to control download -size into squid.conf or clamd. +There is two scan mode to fully control squidclamav behavior. The first +and historical mode is \*(L"ScanAllExcept\*(R" that scans everything by default. 
+This mode can be controlled by directives: abort, abortcontent, whitelist, +trustuser and trustclient. .PP .Vb 1 -\& maxsize 2000000 +\& scan_mode ScanAllExcept .Ve .PP -If you want to abort virus scan after a certain amount of data you must take a -look at the clamd configuration directive 'StreamMaxLength' that will close a -stream when the given size is reached. -.SS "Controlling SquidClamav behaviour" -.IX Subsection "Controlling SquidClamav behaviour" -As in SquidClamav v5.x, v6.0 will scan all downloaded files by default. -You have five directives to control the way things must work. -.PP -All these directives used extended regex pattern matching and are case -insensitive. +The second mode since squidclamav version 7 is \*(L"ScanNothingExcept\*(R" that +will scan nothing but the content controlled by the scan, scancontent, +blacklist, untrustuser and untrusted client. .PP -\fIControl both chained program and virus scan\fR -.IX Subsection "Control both chained program and virus scan" +.Vb 1 +\& scan_mode ScanNothingExcept +.Ve .PP -There are 3 configuration directives that allow you to disable virus scan and -call to chained redirector like SquidGuard. Those pattern matchings are searched -as soon as a Squid entry is received. +Any other value for the scan_mode directive will force the \*(L"ScanAllExcept\*(R" +mode. This guarantee the backward compatibility with older squidclamav +version. +.IP "abort" 4 +.IX Item "abort" +The 'abort' directive will let you disable virus scanning at \s-1URL\s0 level (not +chained program). When the \s-1URL\s0 matches the regex pattern, SquidClamav falls back to +Squid immediately after the call to the chained program, if one is defined there. +.Sp +For example: +.Sp +.Vb 2 +\& abort \e.squid\-cache\e.org +\& abort .*\e.(png|gif|jpg)$ +.Ve +.Sp +The first regexp will exclude any file hosted on domain squid\-cache.org from virus scanning, +the last one will exclude all \s-1PNG, GIF\s0 and \s-1JPEG\s0 image from scanning. 
+.Sp +Only used in \*(L"ScanAllExcept\*(R" mode. +.IP "abortcontent" 4 +.IX Item "abortcontent" +The 'abortcontent' directive allows you to exclude any file from virus scanning, +whose Content-Type matches the regex pattern. This directive costs more time +because SquidClamav needs to download the \s-1HTTP\s0 header for a file with a \s-1HEAD\s0 +request. Note that some sites do not answer to \s-1HEAD\s0 requests so the content type +will not be able to be retrieved so they will be scanned. +.Sp +Example: +.Sp +.Vb 2 +\& abortcontent ^image\e/.*$ +\& abortcontent ^video\e/x\-flv$ +.Ve +.Sp +The first directive will complete the \*(L"abort .*\e.(png|gif|jpg)$\*(R" previous +directive to match dynamic image or with parameters at end. The second will +allow your users to view streamed video instantly. +.Sp +Only used in \*(L"ScanAllExcept\*(R" mode. .IP "whitelist" 4 .IX Item "whitelist" The 'whitelist' configuration directive allows you to disable chained program @@ -657,7 +713,7 @@ For example: .Sp will deliver any files from hosts on clamav.net domain directly. .Sp -You can alse use a file containing all regex that might be whitelisted and +You can also use a file containing all regex that might be whitelisted and provide the file name to the whitelist directive. Suppose that you have a file named /usr/local/c\-icap/etc/sc_whitelist with the following content: .Sp @@ -673,6 +729,8 @@ then you just have to set whitelist in squidclamav.conf as follow: .Ve .Sp the file must contain only one regex per line and no extra character. +.Sp +Only used in \*(L"ScanAllExcept\*(R" mode. .IP "trustuser" 4 .IX Item "trustuser" The 'trustuser' directive allows you to disable chained program and virus scan 
@@ -687,6 +745,8 @@ For example: .Sp will let user logged as administrator to not be bored by chained program and virus scan. +.Sp +Only used in \*(L"ScanAllExcept\*(R" mode. .IP "trustclient" 4 .IX Item "trustclient" The 'trustclient' directive allows you to disable chained program and virus scan 
@@ -703,58 +763,24 @@ For example: .Sp The first and the last entry will disable chained program and virus scan for a single computer and the second will do for en entire class C network. -.IP "dnslookup" 4 -.IX Item "dnslookup" -Enable / disable \s-1DNS\s0 lookup of client \s-1IP\s0 address. Default is enabled '1' to -preserve backward compatibility but you must deactivate this feature if you -don't use trustclient with hostname in the regexp or if you don't have a \s-1DNS\s0 -on your network. Disabling it will also speed up squidclamav. -.PP -\fISafebrowsing\fR -.IX Subsection "Safebrowsing" -.PP -ClamAV 0.95 introduced support for Google Safe Browsing database. The database -is packed inside a \s-1CVD\s0 file and distributed through our mirror network as -safebrowsing.cvd. This feature is disabled by default on all clamav installations. -.PP -In order to enable this feature, you must first add \*(L"SafeBrowsing Yes\*(R" to freshclam.conf. -There is no option in clamd.conf. If the engine finds Google Safe Browsing files in the -database directory, ClamAV will enable safe browsing. To turn it off you need to update -freshclam.conf and remove the safebrowsing files from the database directory before -restarting clamd. -.PP -Then to enable this feature into SquidClamav you have to enable the following -configuration directive. -.IP "safebrowsing" 4 -.IX Item "safebrowsing" -Enable / Disable Clamav Safe Browsing feature. You mus have enabled the -corresponding behavior in clamd by enabling SafeBrowsing into freshclam.conf -Enabling it will first make a safe browsing request to clamd and then the -virus scan request. -.PP -\fIControl virus scan\fR -.IX Subsection "Control virus scan" -.PP -There are 3 configuration directives that allow you to disable virus scan for -downloaded files. -.IP "abort" 4 -.IX Item "abort" -The 'abort' directive will let you disable virus scanning at \s-1URL\s0 level (not -chained program). 
When the \s-1URL\s0 matches the regex pattern, SquidClamav falls back to -Squid immediately after the call to the chained program, if one is defined there. +.Sp +Only used in \*(L"ScanAllExcept\*(R" mode. +.IP "scan" 4 +.IX Item "scan" +The 'scan' directive will let you enable virus scanning at \s-1URL\s0 level. .Sp For example: .Sp -.Vb 2 -\& abort \e.squid\-cache\e.org -\& abort .*\e.(png|gif|jpg)$ +.Vb 1 +\& scan .*\e.(doc|docx|pdf|xls)$ .Ve .Sp -The first regexp will exclude any file hosted on domain squid\-cache.org from virus scanning, -the last one will exclude all \s-1PNG, GIF\s0 and \s-1JPEG\s0 image from scanning. -.IP "abortcontent" 4 -.IX Item "abortcontent" -The 'abortcontent' directive allows you to exclude any file from virus scanning, +The regexp will force virus scanning for extensions .doc, .docx, .pdf and .xls. +.Sp +Only used in \*(L"ScanNothingExcept\*(R" mode. +.IP "scancontent" 4 +.IX Item "scancontent" +The 'scancontent' directive allows you to force virus scanning for some files whose Content-Type matches the regex pattern. This directive costs more time because SquidClamav needs to download the \s-1HTTP\s0 header for a file with a \s-1HEAD\s0 request. Note that some sites do not answer to \s-1HEAD\s0 requests so the content type 
@@ -762,19 +788,74 @@ will not be able to be retrieved so they will be scanned. .Sp Example: .Sp +.Vb 1 +\& scancontent ^application\e/.*$ +.Ve +.Sp +Only used in \*(L"ScanNothingExcept\*(R" mode. +.IP "blacklist" 4 +.IX Item "blacklist" +The 'blacklist' configuration directive allows you to force virus scan at \s-1URL\s0 +level. +.Sp +For example: +.Sp +.Vb 1 +\& whitelist \e.badsite\e.com +.Ve +.Sp +will force scanning any files from hosts on badsite.com domain. +.Sp +You can also use a file containing all regex that might be blacklisted and +provide the file name to the blacklist directive. Suppose that you have a +file named /usr/local/c\-icap/etc/sc_blacklist with the following content: +.Sp .Vb 2 -\& abortcontent ^image\e/.*$ -\& abortcontent ^video\e/x\-flv$ +\& \e.badsite\e.com +\& \e.getyourvirus\e.org .Ve .Sp -The first directive will complete the \*(L"abort .*\e.(png|gif|jpg)$\*(R" previous -directive to match dynamic image or with parameters at end. The second will -allow your users to view streamed video instantly. -.IP "maxsize" 4 -.IX Item "maxsize" -As said above, the 'maxsize' directive allows you not to scan a file when the -content-length of the file is bigger than the defined value. By default there's -no size limit. +then you just have to set blacklist in squidclamav.conf as follow: +.Sp +.Vb 1 +\& blacklist /usr/local/c\-icap/etc/sc_blacklist +.Ve +.Sp +the file must contain only one regex per line and no extra character. +.Sp +Only used in \*(L"ScanNothingExcept\*(R" mode. +.IP "untrustuser" 4 +.IX Item "untrustuser" +The 'untrustuser' directive allows you to force virus scan when an ident +matches the search pattern. Of course you must have Squid authentication +helper enabled. +.Sp +For example: +.Sp +.Vb 1 +\& untrustuser fakeuser +.Ve +.Sp +Only used in \*(L"ScanNothingExcept\*(R" mode. 
+.IP "untrustclient" 4 +.IX Item "untrustclient" +The 'untrustclient' directive allows you to force virus scan if the client +source \s-1IP\s0 address or \s-1DNS\s0 name match the search pattern. The source \s-1IP\s0 +can be a single \s-1IP\s0 address or an address range following the given regex +pattern. +.Sp +For example: +.Sp +.Vb 3 +\& untrustclient ^192\e.168\e.1\e.1$ +\& untrustclient ^192\e.168\e.1\e..*$ +\& untrustclient ^mypc\e.domain\e.dom$ +.Ve +.Sp +The first and the last entry will force virus scan for a single computer +and the second will do for en entire class C network. +.Sp +Only used in \*(L"ScanNothingExcept\*(R" mode. .PP \fILibarchive support\fR .IX Subsection "Libarchive support" @@ -836,13 +917,14 @@ format: Otherwise only archives containing ban_archive_entry matches will be copied. .SS "Testing SquidClamav" .IX Subsection "Testing SquidClamav" -As SquidClamav v6.0 is now a c\-icap service, it can no more be run at console -in interactive mode. To check what is going wrong, you must edit c\-icap.conf +As SquidClamav is a c\-icap service, it can not be run at console as an +interactive program. To check what is going wrong, you must edit c\-icap.conf file, set DebugLevel to 3 and enable ServerLog. Then check for lines with -squidclamav string in the log file which is defined with ServerLog in squidclamav's config. +squidclamav string in the log file which is defined with ServerLog in +squidclamav's config. .SS "Performance" .IX Subsection "Performance" -With SquidClamav v6.x the way to tune your service is to tune c\-icap server and +With SquidClamav the way to tune your service is to tune c\-icap server and clamd daemon. On heavy http access, putting the clamd daemon on a dedicated server with multiple \s-1CPU\s0 will really help. .PP 
@@ -870,22 +952,15 @@ Thanks to Squid\-cache.org, Clamav.net and c\-icap.sf.net for their great software. .PP Special thanks to Christos Tsantilas for his implementation of the -c\-icap server. Lots of SquidClamav v6 source code has been learned +c\-icap server. Lots of SquidClamav source code has been learned or simply cut and pasted from the source code of his clamav service. .PP -I must also thank all the great contributors: -.PP -.Vb 4 -\& \- Leonardo Humberto Liporati from www.ig.com.br -\& \- Dale Laushman from The Uptime Group -\& \- Rainer schoepf from Proteosys.com -\& \- Yann Ormanns -.Ve -.PP -and all others who help me to build a useful and reliable product. +I must also thank all the great contributors and all others who help +to build a useful and reliable product. They are all cited in ChangeLog +file. .SH "LICENSE" .IX Header "LICENSE" -Copyright (c) 2005\-2016 Gilles Darold \- All rights reserved. +Copyright (c) 2005\-2019 Gilles Darold \- All rights reserved. .PP Some code is Copyright (C) 2004\-2008 Christos Tsantilas .PP diff --git a/etc/squidclamav.conf b/etc/squidclamav.conf index 00fbaa4..8b28a84 100644 --- a/etc/squidclamav.conf +++ b/etc/squidclamav.conf @@ -57,7 +57,7 @@ multipart 0 # SquidClamav can be run in two mode. The first and default one is the # "ScanAllExcept" mode that will scan everything by default and can be -# controlled by the abort, abortcontent, whitelisti, trustuser and +# controlled by the abort, abortcontent, whitelist, trustuser and # trustclient directives. The second mode is "ScanNothingExcept" that # will scan nothing but the content controlled by the scan, scancontent, # blacklist, untrustuser and untrustclient directives. diff --git a/src/squidclamav.c b/src/squidclamav.c index bbedfb5..925dca6 100644 --- a/src/squidclamav.c +++ b/src/squidclamav.c 
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2005-2016 Gilles Darold + * Copyright (C) 2005-2019 Gilles Darold * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by
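Review bot: the reworded "Testing SquidClamav" paragraph in the doc/SquidClamav.pod hunk at @@ -652 still ends with "the log file which is defined with ServerLog in squidclamav's config", but the sentence just before it says ServerLog is set in c-icap.conf; ServerLog is a c-icap.conf directive, so the re-wrapped line should read "... defined with ServerLog in c-icap.conf". The identical sentence is re-wrapped the same way in the doc/squidclamav.1 hunk at @@ -836, so fix both; while there, "it can not be run" reads better as "it cannot be run".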
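Review bot: the new "Chained Url Checker" paragraph in the doc/squidclamav.1 hunk at @@ -310 has a grammar slip: "You can chained SquidClamav call to an Url checked like squidguard" should read "You can chain SquidClamav with a URL checker such as squidGuard". Moving the section next to the squid.conf material is fine, since url_rewrite_program is a squid.conf directive rather than a squidclamav.conf one, but the heading should use the same "URL" spelling (\s-1URL\s0) the rest of the man page uses.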
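Review bot: the re-wrap in the doc/squidclamav.1 hunk at @@ -465 changes "it costs a lot of performance" to "it costs a lot of performances", which is a regression; keep the singular. The added closing sentence "this is useful for debugging purpose" should be "purposes", and since the paragraph discusses DebugLevel for both c-icap (up to 10) and SquidClamav (1 to 3), say explicitly that the "DebugLevel 3" shown is the c-icap.conf setting that makes SquidClamav emit its full trace.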
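Review bot: in the doc/squidclamav.1 hunk at @@ -577 the new "Maximun file size scanned" subsection says maxsize takes "the value in bytes", yet the example changes from "maxsize 2000000" to "\& maxsize 2M"; either document the accepted size suffixes or keep the example in bytes, and "Maximun" (in both the heading and the .IX line) should be "Maximum". Other fixes needed in the same hunk: "Directive dnslookup allow you to enable / disable DNS lookup of all client IP address" should be "allows ... of all client IP addresses", and the fragment "to preserve backward compatibility" is left dangling after the .Ve of the "dnslookup 1" block, separated from the "Default is enabled" sentence it belongs to; "You mus have enabled" in the moved safebrowsing item should be "You must have enabled"; "There is two scan mode" should be "There are two scan modes"; "This guarantee the backward compatibility" should be "This guarantees backward compatibility"; and "blacklist, untrustuser and untrusted client" should name the directive as untrustclient, matching the etc/squidclamav.conf comment in this same patch. Finally, the abort examples ("\& abort \e.squid\-cache\e.org") are unanchored and the text says they are applied when "the URL matches the regex pattern", so the paragraph should state what the pattern is matched against and recommend anchoring host patterns, otherwise the same string appearing anywhere in the path or query of a URL on another host also exempts that response from scanning.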
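Review bot: in the doc/squidclamav.1 hunk at @@ -703 the new "scancontent" item reuses the "abortcontent" wording verbatim, including the trailing context lines "Note that some sites do not answer to HEAD requests so the content type will not be able to be retrieved so they will be scanned". That consequence was written for ScanAllExcept mode; for a directive that is "Only used in ScanNothingExcept mode" the text should say explicitly what happens when the HEAD request fails (whether the file is scanned anyway or delivered unscanned), because the mode's default is the opposite of what the carried-over sentence implies.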
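Review bot: the example under the new "blacklist" item in the doc/squidclamav.1 hunk at @@ -762 uses the wrong directive: "\& whitelist \e.badsite\e.com" should be "\& blacklist \e.badsite\e.com". As written it is a whitelist entry, which the same page says is only used in ScanAllExcept mode, so a reader copying it into a ScanNothingExcept configuration would never force scanning of that host. In the "untrustclient" item further down, "the second will do for en entire class C network" should be "an entire"; the same slip is visible in the unchanged "trustclient" context lines above it and could be fixed in the same commit.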