BSD Applications Setup Squid with Clamav antivirus | Setup Squid with Clamav antivirus |
|
|
|
If you want to protect a lan network from viruses downloaded from
Internet, an interesting solution is to use Squid proxy with Clamav
antivirus. This setup was tested succesfuly on FreeBSD 6.1 (it shoud
work in 5.4 too). We will use a special daemon, c-icap that is listening on port 1344 and is invoking clamav from web cache. c-icap can be found here: http://sourceforge.net/projects/c-icap Also a patch for squid can be found at c-icap project section on sourceforge (squid must be patched) to work with c-icap. One thing to mention: using c-icap scales better than using redirect function of squid. Step 1 -------- Download latest version of c-icap from sourceforge.net. (you can find on our site a version of c-icap, at Downloads section). Step 2 -------- Unpack, configure it and compile it. tar xfz c_icap-030606rc1.tar.gz Configs will be in /usr/local/c_icap/etc Open c-icap.conf with your favorite editor and add following settings: acl localsquid_respmod src 127.0.0.1 type respmod Also check other settings and make necessary changes that suites your needs. I've made a c-icap FreeBSD 6.1 (i386) package for you, see Downloads section of this website.
/usr/local/c_icap/bin/c-icap Having no messages is good. Now we need to make sure that daemon is running and listening on port 1344. ps ax | grep c-icap Also we can verify that with "netstat" command.
If this step fails for you, you can cvsup /usr/ports/www, to have the last version of squid, that have c-icap patch included, configure it and compiled with icap support. ./configure --bindir=/usr/local/sbin
--sysconfdir=/usr/local/etc/squid --datadir=/usr/local/etc/squid
--libexecdir=/usr/local/libexec/squid --localstatedir=/usr/local/squid
--enable-removal-policies=lru,heap --enable-auth=basic,ntlm,digest
--enable-basic-auth-helpers=NCSA,PAM,MSNT,SMB,winbind,YP
--enable-digest-auth-helpers=password
--enable-external-acl-helpers=ip_user,unix_group,wbinfo_group,winbind_group
--enable-ntlm-auth-helpers=SMB,winbind --enable-storeio=ufs,diskd,null
--enable-underscores --enable-err-languages=English
--enable-default-err-language=Spanish --with-large-files
--enable-large-cache-files --enable-delay-pools
--enable-ipf-transparent --disable-ident-lookups --enable-snmp
--enable-removal-policies --prefix=/usr/local i386-portbld-freebsd6.1
--enable-pf-transparent --enable-icap-support
We need to create proxy cache and log directories. cd /usr/local/squid/var Run following command to precreate squid cache tree: /usr/local/squid/sbin/squid -z By default the cache is configure as: Now let's configure it. The config file is in /usr/local/squid/etc/squid.conf First of all allow access to proxy from your network. acl mynetwork src 192.168.2.0/24
Open /usr/local/squid/etc/squid.conf in your favorite editor Find each of following keywords and replace the value as below: icap_enable on
/usr/local/squid/sbin/squid -k reconfigure
|
