o5gmmob8 (Guru)
Joined: 17 Oct 2003, Posts: 465
Posted: Wed Aug 22, 2012 2:38 am, Post subject: test squid + clamav
Hi all,
Is there a good way to test that squid and clamav are working and preventing viruses from being downloaded?
I went to Wikipedia and found EICAR or something, and was able to download it in both text and zip file forms. That would indicate to me that antivirus is not working.
Walter
Odward (n00b)
Joined: 21 Mar 2012, Posts: 65
Posted: Wed Aug 22, 2012 6:32 am
Mine blocks the EICAR test files from here.
Although not the HTTPS versions, since I don't have secure connections via proxy.
Did you setup the c-icap server and tell squid about it? Was squid installed with the icap-client USE flag?
I have app-antivirus/clamav, net-proxy/squid, net-proxy/squidclamav and net-proxy/c-icap installed,
and net-proxy/squidguard, although this isn't necessary if you just want to block viruses.
If all of that is ok, you will probably need to check your config files.
/etc/squid/squid.conf
/etc/squidclamav.conf
/etc/c-icap/c-icap.conf
You can look at /var/log/clamav/clamd.log but it only says much if it actually finds a virus.
You can also
Code:
    tail -f /var/log/c-icap/server.log
then open some websites, that file should have all sorts of activity to indicate it is scanning.
If you're still at a loss, I just set all this up a few days ago for my home, so just ask and I can probably
help with the config files.
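Added example (not part of the original posts, and not code from squid, c-icap or squidclamav): a small Python script that does the EICAR check Odward describes in a repeatable way. It requests the plain-HTTP test file through the proxy, refuses to follow redirects so that squidclamav's redirect to the virus-found page shows up as a 3xx, and sends Cache-Control: no-cache so a copy Squid cached before scanning worked is not served back. The proxy address 127.0.0.1:3128 and the test-file URL are assumptions; change them to match your network. As noted above, HTTPS downloads are not scanned unless Squid is bumping TLS, so test over HTTP.

```python
"""Fetch the EICAR test file through a Squid proxy and decide whether the
squid -> c-icap -> squidclamav -> clamd chain stopped it.

Added example for this thread, not code from the original posts or from the
squid/c-icap/squidclamav projects.  Assumed values: the proxy listens on
127.0.0.1:3128 and the test file lives at TEST_URL; adjust both for your setup.
"""
import urllib.error
import urllib.request

# Assumption: Squid on its default port, plain HTTP (HTTPS is not scanned
# unless Squid bumps TLS, as noted in the thread).
PROXY_URL = "http://127.0.0.1:3128"
TEST_URL = "http://www.eicar.org/download/eicar.com.txt"  # assumed location

# A refusal or a redirect (squidclamav's 'redirect' directive sends the client
# to the virus-found page) both mean the download was stopped.
BLOCK_STATUSES = {301, 302, 303, 307, 308, 403}


def eicar_bytes():
    """The 68-byte EICAR test string, assembled from two halves so that an
    on-access scanner does not quarantine this script itself."""
    head = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-"
    tail = b"STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
    return head + tail


def classify_response(status, body):
    """'blocked' if the proxy refused or redirected, 'passed' if the signature
    itself reached us (nothing scanned it), 'unclear' for anything else."""
    if status in BLOCK_STATUSES:
        return "blocked"
    if eicar_bytes() in body:
        return "passed"
    return "unclear"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects: a 3xx from the proxy is itself the evidence."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_via_proxy(url, proxy=PROXY_URL, timeout=15):
    """Return (status, body) for url as seen through the proxy.
    Cache-Control: no-cache makes Squid refetch, so a copy cached before
    scanning worked cannot produce a false 'passed'."""
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler({"http": proxy}), _NoRedirect())
    req = urllib.request.Request(
        url, headers={"Cache-Control": "no-cache", "Pragma": "no-cache"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.getcode(), resp.read()
    except urllib.error.HTTPError as err:
        # 3xx/4xx arrive here because redirects are not followed
        return err.code, err.read()


if __name__ == "__main__":
    status, body = fetch_via_proxy(TEST_URL)
    verdict = classify_response(status, body)
    print(f"HTTP {status}: {verdict}")
    if verdict == "passed":
        print("The unmodified EICAR signature reached the client: nothing scanned it.")
```

Run it once with scanning known to be broken and once after fixing it; only a "passed" verdict proves the chain is not scanning, while "unclear" (for example a 200 whose body is the virus-found HTML) means you should look at what Squid returned rather than trust either answer.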
o5gmmob8 (Guru)
Posted: Wed Aug 22, 2012 1:05 pm
Hi Odward,
Thanks for your reply.
Yes, I setup the c-icap server and squid is aware of it. Yes, squid was built with the icap-client USE flag.
Yes, I also have squidguard and adzapper, although it appears adzapper has not been used recently. (It appeared that both squidguard and adzapper were being used for a little while after I had set up clamav, squidguard, and c-icap, but recently I am getting ads again.)
I am using syslog for managing most of my log files and as a result, it is intertwined with other logs. I'll poke around my logs to see if I can find anything interesting. I will try that eicar site again.
Thanks,
Walter
o5gmmob8 (Guru)
Posted: Fri Aug 24, 2012 4:08 am
Hi Odward,
After making my logs a bit more verbose, this is what I got:
Code:
    Aug 24 00:02:59 Dell-server squid[19439]: WARNING: Squid got an invalid ICAP OPTIONS response from service icap://127.0.0.1:1344/squidclamav; error: unsupported status code of OPTIONS response
    Aug 24 00:02:59 Dell-server squid[19439]: optional ICAP service is down after an options fetch failure: icap://127.0.0.1:1344/squidclamav [down,!valid]
    Aug 24 00:03:00 Dell-server c-icap: : 127.0.0.1 127.0.0.1 OPTIONS squidclamav 500
    Aug 24 00:03:00 Dell-server squid[19439]: WARNING: Squid got an invalid ICAP OPTIONS response from service icap://127.0.0.1:1344/squidclamav; error: unsupported status code of OPTIONS response
    Aug 24 00:03:00 Dell-server squid[19439]: optional ICAP service is down after an options fetch failure: icap://127.0.0.1:1344/squidclamav [down,!valid]
I tried this setup using documentation from one of the links below. This is my relevant squid.conf (or was my squid.conf); I have updated it below this one.
Code:
    #http://wiki.squid-cache.org/Features/ICAP
    #http://monklinux.blogspot.com/2012/03/installing-squid-proxy-with-reporting.html
    #http://c-icap.sourceforge.net/install.html
    #http://squid-web-proxy-cache.1019090.n4.nabble.com/Icap-clam-Av-td1593135.html
    icap_enable on
    icap_preview_enable on
    icap_preview_size 128
    icap_send_client_ip on
    icap_service service_avi_req reqmod_precache 0 icap://localhost:1344/srv_clamav
    icap_service service_avi respmod_precache 1 icap://localhost:1344/srv_clamav
    adaptation_service_set class_antivirus service_avi service_avi_req
    adaptation_access class_antivirus allow all
Code:
    # use i-cap to enable ClamAV to scan content for viruses
    #http://wiki.squid-cache.org/Features/ICAP
    #http://monklinux.blogspot.com/2012/03/installing-squid-proxy-with-reporting.html
    #http://c-icap.sourceforge.net/install.html
    #http://squid-web-proxy-cache.1019090.n4.nabble.com/Icap-clam-Av-td1593135.html
    #http://squidclamav.darold.net/installv6.html
    icap_enable on
    icap_send_client_ip on
    icap_send_client_username on
    icap_client_username_encode off
    icap_client_username_header X-Authenticated-User
    icap_preview_enable on
    icap_preview_size 1024
    icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
    adaptation_access service_req allow all
    icap_service service_resp respmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
    adaptation_access service_resp allow all
According to another post, I am using the wrong URL. What are you using?
Walter
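Added example, not from the original posts or from the Squid or c-icap projects: the log lines above are Squid failing its ICAP OPTIONS probe, so the fastest way to debug them is to send the same OPTIONS request by hand and look at the raw answer. This Python script builds the request as RFC 3507 describes it, parses the status line and headers, and applies the rule Squid applies: only a 200 counts, anything else produces the "unsupported status code of OPTIONS response" warning. The target 127.0.0.1:1344 and the service name squidclamav are assumptions taken from the thread; the two sample responses are constructed, and the live probe is only attempted when the script is run directly.

```python
"""Send one ICAP OPTIONS request, the same thing Squid does when it decides
whether a service is up, and interpret the answer.

Added example for this thread, not code from Squid or c-icap.  Assumed target:
c-icap on 127.0.0.1:1344 with a service called 'squidclamav'.
"""
import socket

# Constructed sample answers: what a healthy service looks like, and the bare
# 500 that c-icap logged in this thread.  Header values are made up.
SAMPLE_OK = (b"ICAP/1.0 200 OK\r\n"
             b"Methods: RESPMOD, REQMOD\r\n"
             b"Service: C-ICAP server - squidclamav (constructed)\r\n"
             b"ISTag: \"constructed\"\r\n"
             b"Preview: 1024\r\n"
             b"Transfer-Preview: *\r\n"
             b"Options-TTL: 3600\r\n"
             b"Allow: 204\r\n"
             b"Encapsulated: null-body=0\r\n\r\n")
SAMPLE_500 = b"ICAP/1.0 500 Server error\r\nEncapsulated: null-body=0\r\n\r\n"


def build_options_request(host, port, service):
    """OPTIONS request per RFC 3507; no body, hence Encapsulated: null-body=0."""
    return (f"OPTIONS icap://{host}:{port}/{service} ICAP/1.0\r\n"
            f"Host: {host}:{port}\r\n"
            "User-Agent: icap-options-probe (added example)\r\n"
            "Encapsulated: null-body=0\r\n"
            "\r\n").encode("ascii")


def parse_icap_response(raw):
    """Parse status line and headers of an ICAP response into a dict with
    status (int), reason, methods (list), preview (int or None), headers."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("ICAP/"):
        raise ValueError(f"not an ICAP status line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    methods = [m.strip() for m in headers.get("methods", "").split(",") if m.strip()]
    preview = int(headers["preview"]) if headers.get("preview", "").isdigit() else None
    return {"status": int(parts[1]), "reason": parts[2] if len(parts) > 2 else "",
            "methods": methods, "preview": preview, "headers": headers}


def squid_would_accept(parsed):
    """Squid treats only a 200 OPTIONS answer as valid (anything else yields the
    'unsupported status code' warning seen in the thread), and a service that
    advertises no Methods cannot be used for REQMOD/RESPMOD either."""
    return parsed["status"] == 200 and bool(parsed["methods"])


def probe(host="127.0.0.1", port=1344, service="squidclamav", timeout=5.0):
    """Connect, send OPTIONS, read until the header block (or the socket) ends."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_options_request(host, port, service))
        buf = b""
        while b"\r\n\r\n" not in buf:
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
    return parse_icap_response(buf)


if __name__ == "__main__":
    for label, raw in (("constructed 200", SAMPLE_OK), ("constructed 500", SAMPLE_500)):
        verdict = "usable" if squid_would_accept(parse_icap_response(raw)) else "down"
        print(f"{label} -> {verdict}")
    try:
        live = probe()
        state = "usable by Squid" if squid_would_accept(live) else "Squid will mark it down"
        print(f"live: ICAP {live['status']} {live['reason']}, methods={live['methods']}, {state}")
    except OSError as err:
        print(f"live probe failed: {err}")
```

A 500 with no Methods header, as in the log above, usually means c-icap found the service but the module failed to initialise, so the next place to look is c-icap's own log at a higher DebugLevel; a 404 would instead point at the service name in the icap:// URL not matching any Service line in c-icap.conf.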
Odward (n00b)
Posted: Fri Aug 24, 2012 5:14 am
Quote:
    icap_enable on
    icap_send_client_ip on
    icap_send_client_username on
    icap_client_username_encode off
    icap_client_username_header X-Authenticated-User
    icap_preview_enable on
    icap_preview_size 1024
    icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
    adaptation_access service_req allow all
    icap_service service_resp respmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
    adaptation_access service_resp allow all
That entry of yours is exactly what I'm using.
In /etc/c-icap/c-icap.conf
Do you have
Code:
    Service squidclamav squidclamav.so
If you had that configured from your initial settings it might have been similar to
Code:
    Service srv_clamav srv_clamav.so
and assuming we're both using the same stable versions from portage, the squidclamav.so should be the correct version.
***Edit - Just an FYI of sorts

In c-icap.conf - "Service squidclamav squidclamav.so" - the squidclamav is arbitrary in that you could rename the service to whatever you want. If you used a custom name, the squid.conf file would have to use the same name at the end of the icap:url, because that's how it knows what service it is trying to contact. The squidclamav.so is the important part because that is the shared object file used by the service. I'm assuming a previous version used srv_clamav.so but that file doesn't exist on my system.

And just in case - in c-icap.conf you should have ServicesDir followed by the /path/to your squidclamav.so; in my case it's
Code:
    ServicesDir /usr/lib64/c_icap
Alternately for "Service" you could use
Code:
    Service squidclamav /usr/lib64/c_icap/squidclamav.so
Or the correct path if it's different on your system.

And, if this wasn't all for naught, don't forget to restart your c-icap with the new config :D
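Added example, not from the original posts or from Squid or c-icap: the rule Odward spells out (the name at the end of Squid's icap:// URL must be a Service name in c-icap.conf, and the port must be the one c-icap listens on) is easy to check mechanically. This Python script parses the icap_service lines of a squid.conf and the Port, ServicesDir and Service lines of a c-icap.conf and reports every service Squid asks for that c-icap does not define. The embedded samples are constructed from the two squid.conf versions and the c-icap.conf line quoted in this thread; pass your own two files as arguments to check a real system.

```python
"""Cross-check the ICAP service names Squid asks for against the ones
c-icap actually defines.

Added example for this thread, not code from any of the projects involved.
It only parses text, so it works on the embedded samples or on real
/etc/squid/squid.conf and /etc/c-icap/c-icap.conf files given as arguments.
"""
import sys
from urllib.parse import urlparse

ICAP_DEFAULT_PORT = 1344

# Constructed samples modelled on the two squid.conf snippets and the
# c-icap.conf line quoted in this thread.
SAMPLE_SQUID_OLD = """\
icap_service service_avi_req reqmod_precache 0 icap://localhost:1344/srv_clamav
icap_service service_avi respmod_precache 1 icap://localhost:1344/srv_clamav
"""
SAMPLE_SQUID_NEW = """\
icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
icap_service service_resp respmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
"""
SAMPLE_CICAP = """\
Port 1344
ServicesDir /usr/lib64/c_icap
Service squidclamav squidclamav.so
"""


def _tokens(text):
    """Yield the whitespace-split tokens of each non-empty line, comments removed."""
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if parts:
            yield parts


def parse_squid_icap_services(squid_conf):
    """Map Squid's icap_service id -> (host, port, c-icap service name).
    Syntax: icap_service <id> <vectoring point> [options] icap://host[:port]/<service>"""
    services = {}
    for parts in _tokens(squid_conf):
        if parts[0] != "icap_service" or len(parts) < 3:
            continue
        uri = urlparse(parts[-1])          # the URI is always the last token
        if uri.scheme != "icap":
            continue
        services[parts[1]] = (uri.hostname, uri.port or ICAP_DEFAULT_PORT,
                              uri.path.lstrip("/"))
    return services


def parse_cicap_conf(cicap_conf):
    """Return the listen port, ServicesDir and the Service name -> module map."""
    conf = {"port": ICAP_DEFAULT_PORT, "services_dir": None, "services": {}}
    for parts in _tokens(cicap_conf):
        key = parts[0].lower()
        if key == "port" and len(parts) >= 2:
            conf["port"] = int(parts[1])
        elif key == "servicesdir" and len(parts) >= 2:
            conf["services_dir"] = parts[1]
        elif key == "service" and len(parts) >= 3:
            conf["services"][parts[1]] = parts[2]
    return conf


def check_icap_wiring(squid_conf, cicap_conf):
    """List every mismatch that would make Squid's OPTIONS fetch fail."""
    problems = []
    cicap = parse_cicap_conf(cicap_conf)
    squid = parse_squid_icap_services(squid_conf)
    if not squid:
        problems.append("squid.conf defines no icap_service lines")
    for sid, (host, port, name) in squid.items():
        if name not in cicap["services"]:   # Service names are matched exactly
            problems.append(
                f"{sid}: Squid asks for service '{name}' but c-icap.conf "
                f"defines {sorted(cicap['services']) or 'none'}")
        if port != cicap["port"]:
            problems.append(
                f"{sid}: Squid connects to {host}:{port} but c-icap listens "
                f"on port {cicap['port']}")
    return problems


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
            pairs = [("your configs", f1.read(), f2.read())]
    else:
        pairs = [("old squid.conf", SAMPLE_SQUID_OLD, SAMPLE_CICAP),
                 ("new squid.conf", SAMPLE_SQUID_NEW, SAMPLE_CICAP)]
    for label, squid_conf, cicap_conf in pairs:
        issues = check_icap_wiring(squid_conf, cicap_conf)
        print(f"{label}: " + ("; ".join(issues) if issues else "names and port agree"))
```

Run against the samples, the old squid.conf is flagged twice (both services point at srv_clamav, which the c-icap.conf does not define) and the new one is clean, which is exactly the mismatch this post describes. The script does not check that the module file exists under ServicesDir; do that with ls on the path it prints.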
o5gmmob8 (Guru)
Posted: Fri Aug 24, 2012 2:09 pm
Hi,
I forgot about c-icap.conf. I had edited it to some point to match the URL, but it was set to clamav. I changed it to squidclamav to match squid, restarted and I believe I am still having the same problem.
I will take a look again later, it seems squid is banning it because it is repeatedly not working (so the logs are not as verbose as I like until it tries to use it again).
Walter
o5gmmob8 (Guru)
Posted: Sat Aug 25, 2012 4:22 am
Hi Odward,
I set the DebugLevel to 10 in c-icap.conf. I now see that squidclamav is not initializing, but I don't appear to see anything else that stands out as helpful / useful.
It would be helpful if I can see there is a configuration flaw in my squidclamav.conf or if there is a library mismatch.
Code:
    maxsize 5000000
    redirect http://router/squid-clamav/virus-found.html
    squidguard /usr/bin/squidGuard
    clamd_local /var/run/clamav/clamd.sock
    timeout 1
    logredir 1
    dnslookup 1
    trustcache 0
I am rebuilding a bunch of libraries with the hope that maybe a library was out of sync after an update.
Walter
Odward (n00b)
Posted: Sun Aug 26, 2012 3:46 am
I have 'dnslookup 0' because the config file says if that is enabled (1) you must use "trustclient with hostname in the regexp" and you must have a DNS server on your network. I don't have a real DNS server, and you don't appear to be using trustclient unless you omitted that from your config post.

Also the trustcache, which might need to be trust_cache, according to http://squidclamav.darold.net/config.html is "obsolete/unused" in version 6.x. This last part may not concern you, but just in case.

The last thing I can think of offhand, from my limited experience, would be to ask if you changed the default User / Group of c-icap yet. I had mine working first, but afterwards I ceased having it run as root and I believe I had to be sure clamd and c-icap were both members of the same group so c-icap could use the clamd socket (by default my clamd.sock was only available to owner/group). I also think I had to add that group to the database used by squidGuard so it could read the blacklisted / whitelisted sites, since it is apparently called by the c-icap server via squidclamav.conf and ignores the url_rewrite directives in squid.conf entirely. If I comment out "squidguard ..." in squidclamav.conf I still get AV scans but I lose ad filtering, even with url_rewrite rules in place and working in squid.conf before I even installed squidclamav. So for me, so far, that "squidguard /usr/bin/squidGuard" is required to retain ad filtering (even though the squidclamav.conf says the url_rewrites in squid.conf are the preferred method!).
o5gmmob8 (Guru)
Posted: Sun Aug 26, 2012 12:44 pm
Hi Odward,
Thanks for your reply. I commented out trustcache 0, as when squidclamav was starting it would complain about that but still start. I don't see any errors yet, but I also can download that EICAR file (perhaps because it is in my cache).
I'll let this run for a while to see if squid is using squidclamav or if it is still blocking it.
Thanks,
Walter
o5gmmob8 (Guru)
Posted: Mon Sep 10, 2012 2:49 am
Hi Odward,
Thanks for your help. I decided to take a look at it this evening and found that apparently having the line:
Code:
    squidguard /usr/bin/squidGuard
was causing squidGuard to never initialize. I commented it out and it now works. I believe I am using adzapper and squidGuard along with squidClamav for anti-virus checking now. I think before, it was trying to do squidGuard twice.
Anyways, it looks like it is working. Maybe this will help someone else.
The only downside now is, my Internet appears to be a little sluggish now.
Walter