Squid+ClamAV

From wiki.habital.lv

How to configure the Squid proxy server to scan traffic with the ClamAV antivirus.

For Squid and ClamAV to work together, the following software is required:

  • libecap
  • squid
  • clamav
  • c-icap
  • c-icap-modules
  • squidclamav

Configuring c-icap

File "c-icap.conf":

PidFile /var/run/c-icap/c-icap.pid
CommandsSocket /var/run/c-icap/c-icap.ctl
Timeout 300
MaxKeepAliveRequests 100
KeepAliveTimeout 600  
StartServers 3
MaxServers 10
MinSpareThreads     10
MaxSpareThreads     20
ThreadsPerChild     10
MaxRequestsPerChild  0
Port 1344 
User squid
Group squid
ServerAdmin admin@your.domain
ServerName proxy.your.domain
TmpDir /var/tmp
MaxMemObject 131072
DebugLevel 0
Pipelining on
SupportBuggyClients off
ModulesDir /usr/lib64/c_icap
ServicesDir /usr/lib64/c_icap
TemplateDir /usr/share/c_icap/templates/
TemplateDefaultLanguage en
LoadMagicFile /etc/c-icap/c-icap.magic
RemoteProxyUsers off
RemoteProxyUserHeader X-Authenticated-User
RemoteProxyUserHeaderEncoded on
LogFormat myFormat "%tl, %a %im %iu %is %I %O %Ib %Ob %{10}bph" 
ServerLog /var/log/c-icap/server.log
AccessLog /var/log/c-icap/access.log
Service squidclamav squidclamav.so
Service echo srv_echo.so

Configuring clamav

File clamd.conf:

LogFile /var/log/clamav/clamd.log
LogSyslog yes
PidFile /var/run/clamav/clamd.pid
TemporaryDirectory /var/tmp
DatabaseDirectory /var/lib/clamav
LocalSocket /var/run/clamav/clamd.socket
FixStaleSocket yes
TCPSocket 3310
TCPAddr 127.0.0.1
ExcludePath ^/proc/
ExcludePath ^/sys/
User clamav
AllowSupplementaryGroups yes

File clamav-milter.conf:

MilterSocket /var/run/clamav/clamav-milter.socket
User clamav
AllowSupplementaryGroups yes
PidFile /var/run/clamav/clamav-milter.pid
TemporaryDirectory /var/tmp
ClamdSocket unix:/var/run/clamav/clamd.socket
LogFile /var/log/clamav/clamav-milter.log
LogSyslog yes

Configuring squidclamav

File squidclamav.conf:

maxsize 5000000
redirect http://127.0.0.1/cgi-bin/clwarn.cgi
clamd_ip 127.0.0.1
clamd_port 3310
timeout 1
logredir 0
dnslookup 1
safebrowsing 0

Configuring squid for clamav

File squid.conf:

#
# ClamAV
#
# acl icap_whitelist_domain dstdomain "/etc/squid/icap_whitelist.txt"

icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_encode off
icap_client_username_header X-Authenticated-User
icap_preview_enable on
icap_preview_size 1024

# bypass=1: if the ICAP service is unavailable, Squid forwards the traffic unscanned
icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
# adaptation_access service_req deny icap_whitelist_domain
adaptation_access service_req allow all

icap_service service_resp respmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
# adaptation_access service_resp deny icap_whitelist_domain
adaptation_access service_resp allow all
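
The four files above only work as a chain if the ports and service names agree. The following Python check is an added example, not part of the original page or of any of these projects: it cross-checks the relevant lines and reports fail-open ICAP services. The function names and the embedded excerpts are constructed for illustration, and 1344 is assumed as the port when none is given.

```python
import re

# Constructed excerpts: only the lines of the four files above that tie the chain together.
SQUID = """icap_enable on
icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
icap_service service_resp respmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
"""
C_ICAP = "Port 1344\nService squidclamav squidclamav.so\nService echo srv_echo.so\n"
SQUIDCLAMAV = "clamd_ip 127.0.0.1\nclamd_port 3310\n"
CLAMD = "TCPSocket 3310\nTCPAddr 127.0.0.1\n"


def directives(text):
    """Parse 'Name arg arg ...' lines into {lowercased name: [args, ...]}, skipping comments."""
    out = {}
    for line in text.splitlines():
        parts = line.split()
        if parts and not parts[0].startswith("#"):
            out.setdefault(parts[0].lower(), []).append(parts[1:])
    return out


def check_chain(squid, c_icap, squidclamav, clamd):
    """Return a list of findings for the Squid -> c-icap -> squidclamav -> clamd chain."""
    sq, ci, sc, cd = (directives(t) for t in (squid, c_icap, squidclamav, clamd))
    findings = []
    if sq.get("icap_enable", [["off"]])[-1] != ["on"]:
        findings.append("squid: icap_enable is not on")
    icap_port = ci.get("port", [["1344"]])[-1][0].rsplit(":", 1)[-1]
    loaded = {args[0] for args in ci.get("service", []) if args}
    for args in filter(None, sq.get("icap_service", [])):
        name = args[0]
        url = next((a for a in args if a.startswith("icap://")), "")
        m = re.match(r"icap://[^:/]+(?::(\d+))?/([^?]*)", url)
        if not m:
            findings.append(f"squid: {name} has no usable icap:// URL")
            continue
        port, service = m.group(1) or "1344", m.group(2)
        if port != icap_port:
            findings.append(f"squid: {name} uses port {port}, c-icap listens on {icap_port}")
        if service not in loaded:
            findings.append(f"squid: {name} calls '{service}', not a Service in c-icap.conf")
        if {"bypass=1", "bypass=on"} & set(args):
            findings.append(f"squid: {name} is fail-open (bypass=1): unscanned if ICAP is down")
    want, have = sc.get("clamd_port"), cd.get("tcpsocket")
    if want and (not have or want[-1] != have[-1]):
        findings.append(f"squidclamav: clamd_port {want[-1][0]} does not match clamd TCPSocket")
    return findings


if __name__ == "__main__":
    for finding in check_chain(SQUID, C_ICAP, SQUIDCLAMAV, CLAMD):
        print(finding)
```

Run against the configuration on this page, it reports only the two bypass=1 services; to check a live host, pass the contents of the real files to check_chain instead of the excerpts.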