SquidClamav is a ClamAV antivirus redirector for Squid. It will help us filter out malicious software from web traffic.
We already covered the installation procedure of the Clam AntiVirus in a previous document, so we won't dwell on this topic now and proceed directly to the installation of SquidClamav. We will assume that ClamAV resides on the same machine as Squid, though you may wish to create a separate antivirus server, possibly serving both the cache and the mail server.
SquidClamav relies on the cURL library to download the files to scan, so we need to add the following packages first:
Then we can download, extract and compile the SquidClamav tarball:
$ tar -zxvf squidclamav-x.x.tar.gz
[...]
$ cd squidclamav-x.x
$ env LDFLAGS=-L/usr/local/lib/ CPPFLAGS=-I/usr/local/include/ ./configure
[...]
$ make
[...]
$ su
Password:
# make install
[...]
# cp squidclamav.conf.dist /etc/squidclamav.conf
# touch /var/log/squidclamav.log
# chown _squid /var/log/squidclamav.log
The configuration file is /etc/squidclamav.conf. SquidClamav can be configured to scan or ignore requests based on regular expressions. The regex and regexi keywords allow you to specify the files you want to scan (the former is case-sensitive while the latter is not). E.g.:
# Check against the ClamAV antivirus all files with case insensitive
# extension .exe, .com or .zip
regexi ^.*\.exe$
regexi ^.*\.com$
regexi ^.*\.zip$
The abort and aborti keywords, instead, tell SquidClamav to skip checking files matching specific patterns. You may also use the whitelist keyword to ignore a given URL or domain. E.g.:
# Don't virus scan .gif, .png and .jpg images and .html and .htm documents
aborti ^.*\.gif$
aborti ^.*\.png$
aborti ^.*\.jpg$
abort ^.*\.html$
abort ^.*\.htm$
# Don't virus scan trusted web sites
whitelist www.kernel-panic.it
The content keyword allows virus scanning based on the request content type. E.g.:
# Scan all files with a media type of "application"
content ^.*application\/.*$
Below is a sample configuration file:
# IP address and port of the Squid proxy
squid_ip 127.0.0.1
squid_port 3128

# Path to the log file
logfile /var/log/squidclamav.log

# URL where to redirect a request when a virus is found. SquidClamav will
# append the original URL and the virus name to this URL.
redirect http://www.kernel-panic.it/viruswarn.php

# Disable virus scanning if the requested file hits squid cache
trust_cache 1

# Timeout when downloading files
timeout 60

# Set this to '1' for more verbose logging
debug 0

# Set this to '1' to force virus scan of URLs whose content-type can't be
# determined by libcurl
force 1

# Set this to '1' to show time statistics of URL processing
stat 0

# Don't follow more than 10 redirects
maxredir 10

# Uncomment to make cURL pretend to be Internet Explorer
#useragent Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

# IP address and port of the clamd daemon
clamd_ip 127.0.0.1
clamd_port 3310

# Uncomment if you're using the unix socket to communicate with clamd
#clamd_local /tmp/clamd

# Check rules
aborti ^.*\/cgi-bin\/.*$
aborti ^.*\.pdf$
aborti ^.*\.html$
aborti ^.*\.css$
aborti ^.*\.xml$
abortcontenti ^.*application\/json.*$
regexi ^.*\.exe
regexi ^.*\.zip
regexi ^.*\.gz
content ^.*application\/.*$
whitelist www.kernel-panic.it

# Call another redirector (usually squidGuard) before the antivirus scanner
squidguard /usr/local/bin/squidGuard
As you can see, the squidguard parameter allows you to chain SquidClamav with another redirector, typically squidGuard; the chained program is called before the antivirus scanner.
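To see how the rule keywords above combine on a single request, here is an added Python example (not part of the original page, and not SquidClamav's own code) that parses the rules section of the sample file and reports whether a given URL and content type would be skipped, scanned, or left to the force setting. The precedence among whitelist, abort and regex/content rules is an assumption of this example rather than SquidClamav's documented order, and the function names parse_rules and decide are likewise made up here.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the "Check rules" section of the page's squidclamav.conf.
SAMPLE_RULES = r"""
aborti ^.*\/cgi-bin\/.*$
aborti ^.*\.pdf$
aborti ^.*\.html$
abortcontenti ^.*application\/json.*$
regexi ^.*\.exe
regexi ^.*\.zip
content ^.*application\/.*$
whitelist www.kernel-panic.it
"""

def parse_rules(text):
    """Parse rule lines into (kind, compiled regex or domain) tuples;
    a trailing 'i' on a keyword selects a case-insensitive regex."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        keyword, _, pattern = line.partition(" ")
        keyword, pattern = keyword.lower(), pattern.strip()
        if keyword == "whitelist":
            rules.append(("whitelist", pattern.lower()))
            continue
        base = keyword[:-1] if keyword.endswith("i") else keyword
        if base in ("regex", "abort", "content", "abortcontent"):
            rules.append((base, re.compile(pattern, re.I if base != keyword else 0)))
    return rules

def _hit(kind, pat, url, ctype):
    # abort/regex patterns are tried on the URL, *content ones on the media type
    target = ctype if kind.endswith("content") else url
    return bool(target) and pat.search(target) is not None

def decide(url, ctype, rules, force=1):
    """Return 'skip', 'scan' or 'none'. Assumed precedence (verify against your
    SquidClamav version): whitelist, abort*, regex/content, then force (no ctype)."""
    host = (urlparse(url).hostname or "").lower()
    # Match the whitelist on the host name, not as a substring of the whole URL
    if any(k == "whitelist" and (host == v or host.endswith("." + v)) for k, v in rules):
        return "skip"
    for kind, verdict in (("abort", "skip"), ("abortcontent", "skip"),
                          ("regex", "scan"), ("content", "scan")):
        if any(k == kind and _hit(k, p, url, ctype) for k, p in rules):
            return verdict
    return "scan" if force and not ctype else "none"
```

Running decide() over a few URLs before rolling out a rule change shows which downloads an aborti line quietly exempts from scanning.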
Now we only have to modify the value of the url_rewrite_program parameter in Squid's configuration file:
url_rewrite_program /usr/local/bin/squidclamav
and reload Squid.
# squid -k reconfigure
Note: to scan a file, SquidClamav needs to download it first; so make sure your Squid ACLs allow localhost to access the web:
http_access allow localhost
You can check that everything is working fine by trying to download the EICAR anti-virus test file. In the log file, you should get something like:
[...]
Fri May 15 19:26:49 2009 [29028] DEBUG received from Clamd: stream: Eicar-Test-Signature FOUND
Fri May 15 19:26:49 2009 [29028] LOG Redirecting URL to: http://www.kernel-panic.it/viruswarn.php?url=http://www.eicar.org/download/eicar.com.txt&source=192.168.1.14/-&user=-&virus=stream:+Eicar-Test-Signature+FOUND
Fri May 15 19:26:49 2009 [29028] DEBUG End reading clamd scan result.
Fri May 15 19:26:49 2009 [29028] DEBUG Virus found send redirection to Squid.