Setup Squid with Clamav antivirus
Sunday, 24 September 2006
If you want to protect a LAN from viruses downloaded from the Internet, an interesting solution is to use the Squid proxy with the ClamAV antivirus. This setup was tested successfully on FreeBSD 6.1 (it should work on 5.4 too).

We will use a special daemon, c-icap, which listens on port 1344 and invokes ClamAV on behalf of the web cache.

c-icap can be found here: http://sourceforge.net/projects/c-icap

A patch for squid can also be found in the c-icap project section on sourceforge (squid must be patched to work with c-icap).

One thing to mention: using c-icap scales better than using the redirect function of squid.

Step 1
--------
Download the latest version of c-icap from sourceforge.net (you can also find a version of c-icap on our site, in the Downloads section).


Step 2
--------
Unpack, configure and compile it.

tar xfz c_icap-030606rc1.tar.gz
cd c_icap-030606rc1
./configure --enable-static --with-clamav --prefix=/usr/local/c_icap
make install

The config files will be in /usr/local/c_icap/etc

Open c-icap.conf with your favorite editor and add the following settings:

acl localsquid_respmod src 127.0.0.1 type respmod
acl localsquid src 127.0.0.1
acl externalnet src 0.0.0.0/0.0.0.0
icap_access allow localsquid_respmod
icap_access allow localsquid
icap_access deny externalnet

Also check the other settings and make any changes that suit your needs.

I've made a c-icap FreeBSD 6.1 (i386) package for you, see Downloads section of this website.


Step 3
--------
After making the config changes, run c-icap to test it.

/usr/local/c_icap/bin/c-icap

Having no messages is good. Now we need to make sure that the daemon is running and listening on port 1344.

ps ax | grep c-icap

We can also verify that with the "netstat" command.


Step 4
--------
Download squid with c-icap support from sourceforge.net.
Unpack, configure and compile it.

tar xfz squid-icap-2.5.STABLE12-20051102.tgz
cd squid-icap-2.5.STABLE12-20051102
./configure --enable-icap-support --prefix=/usr/local
make install

If this step fails for you, you can cvsup /usr/ports/www to get the latest version of squid, which has the c-icap patch included, then configure and compile it with icap support.

./configure --bindir=/usr/local/sbin --sysconfdir=/usr/local/etc/squid --datadir=/usr/local/etc/squid --libexecdir=/usr/local/libexec/squid --localstatedir=/usr/local/squid --enable-removal-policies=lru,heap --enable-auth=basic,ntlm,digest --enable-basic-auth-helpers=NCSA,PAM,MSNT,SMB,winbind,YP --enable-digest-auth-helpers=password --enable-external-acl-helpers=ip_user,unix_group,wbinfo_group,winbind_group --enable-ntlm-auth-helpers=SMB,winbind --enable-storeio=ufs,diskd,null --enable-underscores --enable-err-languages=English --enable-default-err-language=Spanish --with-large-files --enable-large-cache-files --enable-delay-pools --enable-ipf-transparent --disable-ident-lookups --enable-snmp --enable-removal-policies --prefix=/usr/local i386-portbld-freebsd6.1 --enable-pf-transparent --enable-icap-support


It will be installed into /usr/local/squid

We need to create the proxy cache and log directories.

cd /usr/local/squid/var
chown nobody cache/ logs/
chgrp nobody cache/ logs/

Run the following command to precreate the squid cache tree:

/usr/local/squid/sbin/squid -z

By default the cache is configured as:
cache_dir ufs /usr/local/squid/var/cache 100 16 256

Now let's configure it. The config file is in /usr/local/squid/etc/squid.conf

First of all, allow access to the proxy from your network.

acl mynetwork src 192.168.2.0/24
http_access allow mynetwork


At this point we have a working proxy, but without c-icap support.

Open /usr/local/squid/etc/squid.conf in your favorite editor.

Find each of the following keywords and set its value as below:

icap_enable          on
icap_preview_enable  on
icap_preview_size    128
icap_send_client_ip  on
icap_service         service_avi_req reqmod_precache 0 icap://localhost:1344/srv_clamav
icap_service         service_avi respmod_precache 1 icap://localhost:1344/srv_clamav
icap_class           class_antivirus service_avi service_avi_req
icap_access          class_antivirus allow all


Let's restart squid with updated configuration:

/usr/local/squid/sbin/squid -k reconfigure
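
To confirm that c-icap really answers for srv_clamav on port 1344, you can send it an ICAP OPTIONS request and compare the advertised methods with the two icap_service lines above. This is an added example, not part of the original article or of the c-icap project; the function names and the sample reply are constructed for illustration, and the header names follow RFC 3507.

```python
import socket

# Constructed sample reply in RFC 3507 layout; not captured from a real c-icap.
SAMPLE_REPLY = (b"ICAP/1.0 200 OK\r\nMethods: RESPMOD, REQMOD\r\n"
                b"Service: constructed-sample\r\nISTag: \"sample-1\"\r\n"
                b"Preview: 1024\r\nAllow: 204\r\nEncapsulated: null-body=0\r\n\r\n")

def build_options(host, port, service):
    """ICAP OPTIONS request for icap://host:port/service."""
    return (f"OPTIONS icap://{host}:{port}/{service} ICAP/1.0\r\n"
            f"Host: {host}\r\n\r\n").encode("ascii")

def parse_options(raw):
    """Return (status_code, headers); header names are lower-cased."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status_line, *lines = head.split("\r\n")
    parts = status_line.split()
    if len(parts) < 2 or not parts[0].startswith("ICAP/") or not parts[1].isdigit():
        raise ValueError(f"not an ICAP status line: {status_line!r}")
    headers = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers

def check_service(raw, wanted=("REQMOD", "RESPMOD")):
    """Problems that would break the two icap_service lines in squid.conf."""
    code, headers = parse_options(raw)
    problems = []
    if code != 200:
        problems.append(f"OPTIONS returned {code}, expected 200")
    offered = {m.strip().upper() for m in headers.get("methods", "").split(",")}
    problems += [f"{m} not advertised" for m in wanted if m not in offered]
    return problems

def probe(host="localhost", port=1344, service="srv_clamav", timeout=5.0):
    """Send OPTIONS to a running c-icap and return the raw reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_options(host, port, service))
        data = b""
        while b"\r\n\r\n" not in data:
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
    return data

if __name__ == "__main__":
    # Offline run on the constructed sample; on the proxy host use check_service(probe()).
    print(check_service(SAMPLE_REPLY) or "srv_clamav answers OPTIONS with both methods")
```

On the proxy host, check_service(probe()) should return an empty list; a connection error means the daemon is not listening on port 1344.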


Last Updated ( Sunday, 24 September 2006 )