SquidClamav is a ClamAV antivirus redirector for Squid. It will help us filter out malicious software from web traffic.
We already covered the installation procedure of the Clam AntiVirus in a previous document, so we won't dwell on this topic now and proceed directly to the installation of SquidClamav. We will assume that ClamAV resides on the same machine as Squid, though you may wish to create a separate antivirus server, possibly serving both the cache and the mail server.
SquidClamav relies on the cURL library to download the files to scan, so we need to add the following packages first:
Then we can download, extract and compile the SquidClamav tarball:
$ tar -zxvf squidclamav-x.x.tar.gz
[...]
$ cd squidclamav-x.x
$ env LDFLAGS=-L/usr/local/lib/ CPPFLAGS=-I/usr/local/include/ ./configure
[...]
$ make
[...]
$ su
Password:
# make install
[...]
# cp etc/squidclamav.conf /etc/
# touch /var/log/squidclamav.log
# chown _squid /var/log/squidclamav.log
The configuration file is /etc/squidclamav.conf; one of the strong points of SquidClamav is its ability to natively co-operate with SquidGuard (or any other redirector, specified in the squidguard directive), by calling it before any further processing of the HTTP request.
By default, SquidClamav will scan all downloaded files, but you can save system resources and improve performance by specifying a series of domains, users and clients (using the whitelist, trustuser and trustclient directives respectively) for which you want to skip both virus scanning and the call to the chained redirector. E.g.:
# Disable redirector and virus scanning for files from kernel-panic.it
whitelist .*\.kernel-panic\.it
# Disable redirector and virus scanning for requests from a specific user
trustuser administrator
# Disable redirector and virus scanning for requests from specific clients
trustclient ^172\.16\.0\..*$
trustclient ^mypc\.lan\.kernel-panic\.it$
SquidClamav also allows you to disable virus scanning (but not the call to the chained redirector) based on regular expressions matching the URL string (abort directive) or the Content-Type of the response (abortcontent directive); both directives are case-insensitive. E.g.:
# Disable virus scanning for .png, .gif and .jpg images and documents from
# squid-cache.org
abort \.squid-cache\.org
abort .*\.(png|gif|jpg)$
# Disable virus scanning for images and flash videos
abortcontent ^image\/.*$
abortcontent ^video\/x-flv$
Below is a sample configuration file:
# IP address and port of the Squid proxy
squid_ip 127.0.0.1
squid_port 3128
# Path to the log file
logfile /var/log/squidclamav.log
# URL where to redirect a request when a virus is found. SquidClamav will
# append the original URL, virus name, source IP and user to this URL
redirect http://www.kernel-panic.it/viruswarn.php
# Disable virus scanning if the requested file hits squid cache
trust_cache 1
# Timeout when downloading files
timeout 60
# Set this to '1' for more verbose logging
debug 0
# Set this to '1' to force virus scan of URLs whose content-type can't be
# determined by libcurl
force 1
# Set this to '1' to show time statistics of URL processing
stat 0
# Don't follow more than 10 redirects
maxredir 10
# Uncomment to disable virus scanning for files bigger than the specified
# size (in bytes)
# maxsize 2000000
# Uncomment to make cURL pretend to be Internet Explorer
#useragent Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
# IP address and port of the clamd daemon; you can specify up to 5
# (comma-separated) IPs for failover
clamd_ip 127.0.0.1
clamd_port 3310
# Uncomment if you're using the unix socket to communicate with clamd
#clamd_local /tmp/clamd
# Check rules
abort ^.*\.(ico|gif|png|jpg)$
abortcontent ^image\/.*$
abort ^.*\.(css|xml|xsl|js|html|jsp)$
abortcontent ^text\/.*$
abortcontent ^application\/x-javascript$
abortcontent ^video\/mp4$
abortcontent ^video\/x-flv$
abort ^.*\.(pdf|swf)$
whitelist .*\.kernel-panic\.it
# Call another redirector (usually squidGuard) before the antivirus scanner
squidguard /usr/local/bin/squidGuard
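To make the precedence of the whitelist/trustuser/trustclient, abort/abortcontent and redirect directives concrete, here is an added Python model of that decision logic (example code written for this page, not SquidClamav's own C source). It assumes the classic Squid url_rewrite_program input line format "URL client_ip/fqdn user method", matches whitelist patterns against the full request URL, and takes the response Content-Type as a value supplied by the caller; the configuration excerpt is constructed from the directives shown above.

```python
import re

# Constructed squidclamav.conf excerpt using the directives described above.
SAMPLE_CONF = r"""
whitelist .*\.kernel-panic\.it
trustuser administrator
trustclient ^172\.16\.0\..*$
abort .*\.(png|gif|jpg)$
abortcontent ^image\/.*$
redirect http://www.kernel-panic.it/viruswarn.php
"""

LIST_DIRECTIVES = ("whitelist", "trustuser", "trustclient", "abort", "abortcontent")

def parse_conf(text):
    """Compile the pattern directives; keep scalar directives (e.g. redirect) as strings."""
    rules = {k: [] for k in LIST_DIRECTIVES}
    scalars = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if key in rules:
            # abort/abortcontent are case-insensitive; the trust directives are not
            flags = re.IGNORECASE if key.startswith("abort") else 0
            rules[key].append(re.compile(value.strip(), flags))
        else:
            scalars[key] = value.strip()
    return rules, scalars

def parse_squid_line(line):
    """Split one redirector request line (assumed format: 'URL client_ip/fqdn user method')."""
    url, client, user, method = line.split()[:4]
    return url, client.split("/")[0], user, method

def decide(rules, url, client, user, content_type=None):
    """Return (call_redirector, scan): trusted requests skip both, abort rules skip only the scan."""
    if (any(r.search(url) for r in rules["whitelist"])
            or any(r.search(user) for r in rules["trustuser"])
            or any(r.search(client) for r in rules["trustclient"])):
        return False, False
    if any(r.search(url) for r in rules["abort"]):
        return True, False
    if content_type and any(r.search(content_type) for r in rules["abortcontent"]):
        return True, False
    return True, True

def redirect_url(base, url, source, user, virus):
    """Warning URL with the original URL, source, user and clamd verdict appended (spaces become '+')."""
    return f"{base}?url={url}&source={source}&user={user}&virus={virus.replace(' ', '+')}"
```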
Now we only have to modify the value of the url_rewrite_program parameter in Squid's configuration file:
url_rewrite_program /usr/local/bin/squidclamav
and reload Squid.
# squid -k reconfigure
Note: to scan a file, SquidClamav needs to download it first; so make sure your Squid ACLs allow localhost to access the web:
http_access allow localhost
You can check that everything is working fine by trying to download the Eicar anti-virus test file. In the log file, you should get something like:
[...]
Fri May 15 19:26:49 2009 [29028] DEBUG received from Clamd: stream: Eicar-Test-Signature FOUND
Fri May 15 19:26:49 2009 [29028] LOG Redirecting URL to: http://www.kernel-panic.it/viruswarn.php?url=http://www.eicar.org/download/eicar.com.txt&source=192.168.1.14/-&user=-&virus=stream:+Eicar-Test-Signature+FOUND
Fri May 15 19:26:49 2009 [29028] DEBUG End reading clamd scan result.
Fri May 15 19:26:49 2009 [29028] DEBUG Virus found send redirection to Squid.