Squidclamav & SquidGuard
This post will guide you through setting up an anti-virus and URL-filtering proxy.
OS: Slackware 13.37
Software: squidclamav 6.5, squidGuard 1.5-beta, c-icap 0.1.7
Required software components
- squidclamav – anti-virus
- squidGuard – URL filtering
- c-icap – ICAP server that hosts the squidclamav service
- clamav – virus scanning
Installation
- c-icap
./configure --prefix=/usr/local/c-icap --enable-large-files
make
make install
mkdir -p /usr/local/c-icap/var/run
mkdir /usr/local/c-icap/var/log
chown -R nobody:nobody /usr/local/c-icap/var
- squidclamav
- modify the source for the config file path, in src/squidclamav.h:
#define CONFIG_FILE "/usr/local/squidclamav/etc/squidclamav.conf"
./configure --prefix=/usr/local/squidclamav --with-c-icap=/usr/local/c-icap/
make
make install
- squidclamav.so is installed to /usr/local/c-icap/lib/c_icap/squidclamav.so
- squidGuard
./configure --prefix=/usr/local/squidGuard --with-squiduser=nobody
make
make install
Configuration
- based on /usr/local/c-icap/etc/c-icap.conf, you may take the following options as reference:
PidFile /usr/local/c-icap/var/run/c-icap.pid
CommandsSocket /usr/local/c-icap/var/run/c-icap.ctl
User nobody
Group nobody
ServerAdmin you@your.address
ServerName YourServerName
#Service echo srv_echo.so #(uncomment)
- in /usr/local/squidclamav/etc/squidclamav.conf, you may take the following options as reference:
clamd_local /usr/local/clamav/var/run/clamd.socket
logredir 1
dnslookup 0
- in /usr/local/squid/etc/squid.conf, add:
acl POST method POST
icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_encode off
icap_client_username_header X-Authenticated-User
icap_preview_enable on
icap_preview_size 1024
icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
adaptation_access service_req deny POST
adaptation_access service_req allow all
icap_service service_resp respmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
adaptation_access service_resp deny POST
adaptation_access service_resp allow all
url_rewrite_program /usr/local/squidGuard/bin/squidGuard
It seems some sites have problems with POST requests when squidGuard is configured; the setup above skips all POST requests.
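One thing to keep in mind about the squid.conf above: bypass=1 on both icap_service lines tells Squid to treat the ICAP service as optional, so if c-icap is down or misbehaving, traffic keeps flowing unscanned instead of failing. That makes an external liveness check worth having. The script below is an added example, not code from the original post or from the c-icap or squidclamav projects. It sends an ICAP OPTIONS request to the service URL used in squid.conf (host, port and service name taken from the lines above) and treats the reply as healthy only if it is 200 OK and advertises both REQMOD and RESPMOD, since the reqmod_precache and respmod_precache lines depend on both. The sample response embedded in the script is constructed for offline parsing; the live check needs a running c-icap.

```python
import socket

ICAP_HOST = "127.0.0.1"      # address and port from the icap_service lines in squid.conf
ICAP_PORT = 1344
ICAP_SERVICE = "squidclamav"

def build_options_request(host=ICAP_HOST, port=ICAP_PORT, service=ICAP_SERVICE):
    """Minimal RFC 3507 OPTIONS request for one ICAP service (CRLF lines, blank line ends the head)."""
    return (f"OPTIONS icap://{host}:{port}/{service} ICAP/1.0\r\n"
            f"Host: {host}\r\n"
            "User-Agent: icap-options-check (example)\r\n"
            "\r\n").encode("ascii")

def parse_icap_response(raw):
    """Split an ICAP response head into (status code, reason, lower-cased header dict)."""
    head = raw.partition(b"\r\n\r\n")[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    version, code, reason = lines[0].split(" ", 2)
    if version != "ICAP/1.0":
        raise ValueError(f"not an ICAP/1.0 status line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(code), reason, headers

def service_is_healthy(status, headers):
    """Healthy = 200 OK and both REQMOD and RESPMOD advertised, which is what the
    reqmod_precache and respmod_precache lines in squid.conf rely on."""
    methods = {m.strip().upper() for m in headers.get("methods", "").split(",") if m.strip()}
    return status == 200 and {"REQMOD", "RESPMOD"} <= methods

def check_icap_service(host=ICAP_HOST, port=ICAP_PORT, service=ICAP_SERVICE, timeout=5.0):
    """Send OPTIONS to a running c-icap and return (healthy, status, headers). Needs the network."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        sock.sendall(build_options_request(host, port, service))
        raw = b""
        while b"\r\n\r\n" not in raw:       # read until the end of the response head
            chunk = sock.recv(4096)
            if not chunk:
                break
            raw += chunk
    status, _, headers = parse_icap_response(raw)
    return service_is_healthy(status, headers), status, headers

# Constructed response in the shape c-icap returns for OPTIONS; the header values are made up.
SAMPLE_OPTIONS_RESPONSE = (b"ICAP/1.0 200 OK\r\n"
                           b"Methods: RESPMOD, REQMOD\r\n"
                           b"Service: C-ICAP/0.1.7 server - SquidClamav (sample)\r\n"
                           b"ISTag: CI0001-SAMPLE\r\n"
                           b"Preview: 1024\r\n"
                           b"Allow: 204\r\n"
                           b"Encapsulated: null-body=0\r\n"
                           b"\r\n")

if __name__ == "__main__":
    status, reason, headers = parse_icap_response(SAMPLE_OPTIONS_RESPONSE)
    print("sample response:", status, reason, "healthy =", service_is_healthy(status, headers))
    try:
        print("live c-icap:", check_icap_service())
    except OSError as exc:  # with bypass=1, Squid would keep serving unscanned traffic at this point
        print("live check failed:", exc)
```

Run it from the proxy host (or wherever 127.0.0.1:1344 is reachable) on a schedule; a non-200 reply or a refused connection is the moment Squid has silently switched to passing traffic without scanning.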
Blacklists for squidGuard
The squidGuard site lists some blacklist providers; you can download their lists and install them on your site to deny access to sites by category.
- /usr/local/squidGuard/squidGuard.conf
- general options, defining the blacklist DB and the log path:
dbhome /usr/local/squidGuard/db
logdir /usr/local/squidGuard/log
- define the blacklist DB of a category:
dest phishing {
    domainlist blacklists/phishing/domains
    urllist blacklists/phishing/urls
    log banned.log # optional to log blocked access in this category
}
- you may define your own whitelist:
dest whitelist {
    domainlist whitelist/domains
    urllist whitelist/urls
}
- the ACL block:
acl {
    default {
        pass whitelist !phishing all
        redirect http://yousite.com/block.html
    }
}
- putting it all together, a complete sample of squidGuard.conf:
dbhome /usr/local/squidGuard/db
logdir /usr/local/squidGuard/log
dest whitelist {
    domainlist whitelist/domains
    urllist whitelist/urls
}
dest ownbl {
    domainlist bl/domains
    urllist bl/urls
}
dest ads {
    domainlist blacklists/ads/domains
    urllist blacklists/ads/urls
    log banned.log # optional to log blocked access in this category
}
dest adv {
    domainlist blacklists/adv/domains
    urllist blacklists/adv/urls
    log banned.log # optional to log blocked access in this category
}
dest phishing {
    domainlist blacklists/phishing/domains
    urllist blacklists/phishing/urls
    log banned.log # optional to log blocked access in this category
}
dest spyware {
    domainlist blacklists/spyware/domains
    urllist blacklists/spyware/urls
    log banned.log # optional to log blocked access in this category
}
acl {
    default {
        pass whitelist !ownbl !ads !adv !phishing !spyware all
        redirect http://yourcompany.com/block.html
    }
}
- Whitelist – you can define whitelisted URLs in /usr/local/squidGuard/db/whitelist/urls:
facebook.com
q-station.net
- Install a 3rd-party blacklist – basically, download the tar archive from the provider and untar it into /usr/local/squidGuard/db; after untarring, the directory structure should look like this:
ls -lR /usr/local/squidGuard/db
/usr/local/squidGuard/db:
drwxr-xr-x  2 nobody nobody 4096 Mar 1 22:00 bl/
drwxr-xr-x 99 nobody nobody 4096 Mar 2 05:26 blacklists/
drwxr-xr-x  2 nobody nobody 4096 Mar 1 21:35 whitelist/

/usr/local/squidGuard/db/bl:
-rw-r--r-- 1 nobody nobody 0 Mar 1 22:00 domains
-rw-r--r-- 1 nobody nobody 0 Mar 1 22:00 urls

/usr/local/squidGuard/db/blacklists:
drwxr-xr-x 2 nobody nobody 4096 Mar 2 05:26 ads/
drwxr-xr-x 2 nobody nobody 4096 Mar 2 05:26 adult/
drwxr-xr-x 2 nobody nobody 4096 Mar 2 05:26 adv/
drwxr-xr-x 2 nobody nobody 4096 Mar 2 05:26 aggressive/
drwxr-xr-x 2 nobody nobody 4096 Mar 2 05:26 agressif/
drwxr-xr-x 2 nobody nobody 4096 Mar 2 05:26 alcohol/
drwxr-xr-x 2 nobody nobody 4096 Mar 2 05:26 anonvpn/
:
:
/usr/local/squidGuard/db/blacklists/ads:
total 240
-rw-r--r-- 1 nobody nobody 59204 Mar 2 05:26 domains
-rw-r--r-- 1 nobody nobody  8349 Mar 2 05:26 urls

/usr/local/squidGuard/db/blacklists/adult:
total 18592
-rw-r--r-- 1 nobody nobody 17186368 Mar 2 05:26 domains
-rw-r--r-- 1 nobody nobody  1851077 Mar 2 05:26 urls

/usr/local/squidGuard/db/blacklists/adv:
total 924
-rw-r--r-- 1 nobody nobody 214657 Mar 2 05:26 domains
-rw-r--r-- 1 nobody nobody  43991 Mar 2 05:26 urls
:
:
/usr/local/squidGuard/db/whitelist:
total 20
-rw-r--r-- 1 nobody nobody  0 Mar 1 21:34 domains
-rw-r--r-- 1 nobody nobody 24 Mar 1 21:34 urls
- Compile the blacklists and make sure the squid user can read them:
/usr/local/squidGuard/bin/squidGuard -C all
chown -R nobody:nobody /usr/local/squidGuard
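Two things go wrong most often with the squidGuard setup described above: a dest block that points at a list file that is missing or unreadable by the squid user (squidGuard then falls back to its emergency mode and passes every request), and a pass line that does not block what you think it blocks. The script below is an added example, not code from the original post or from the squidGuard project. It parses the subset of squidGuard.conf used on this page (dbhome, dest blocks with domainlist/urllist, the default acl's pass and redirect lines), reports dest files that are missing or unreadable under dbhome, and then re-implements squidGuard's matching in simplified form to show which decision a few URLs would get: a domainlist entry matches the host and all of its subdomains, a urllist entry matches host/path on whole path components, and the pass list is evaluated left to right with the first match deciding. The configuration, the list files and the hostnames under .example are constructed for the example; whitelist/domains is deliberately left out so the file check has something to report. Run the file check as the user squidGuard runs as (nobody in this setup), since it tests readability for the current user.

```python
import os
import tempfile
from urllib.parse import urlsplit

# Constructed squidGuard.conf (page layout) and list files; {dbhome} is filled in at run time.
SAMPLE_CONF = """\
dbhome {dbhome}
dest whitelist {{
    domainlist whitelist/domains
    urllist whitelist/urls
}}
dest phishing {{
    domainlist blacklists/phishing/domains
    urllist blacklists/phishing/urls
}}
acl {{
    default {{
        pass whitelist !phishing all
        redirect http://yoursite.example/block.html
    }}
}}
"""
SAMPLE_LISTS = {  # whitelist/domains is deliberately absent; .example hosts are placeholders
    "whitelist/urls": "facebook.com\nq-station.net\n",
    "blacklists/phishing/domains": "phish.example\n",
    "blacklists/phishing/urls": "shared-host.example/login\n",
}

def parse_squidguard_conf(text):
    """Parse dbhome, the dest blocks and the default acl's pass/redirect lines."""
    conf = {"dbhome": "", "dests": {}, "pass": [], "redirect": ""}
    stack, dest = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # "# ..." comments are ignored
        if line.endswith("{"):  # block start: "dest name {", "acl {", "default {"
            header = line[:-1].strip()
            stack.append(header)
            if header.startswith("dest "):
                dest = header.split()[1]
                conf["dests"][dest] = {}
        elif line == "}":
            stack.pop()
        elif line:
            key, value = (line.split(None, 1) + [""])[:2]
            if not stack and key == "dbhome":
                conf["dbhome"] = value
            elif stack and stack[-1].startswith("dest "):
                conf["dests"][dest][key] = value
            elif stack == ["acl", "default"] and key in ("pass", "redirect"):
                conf[key] = value.split() if key == "pass" else value
    return conf

def check_dest_files(conf):
    """Return {dest: [list files missing or unreadable under dbhome]}; empty means all good."""
    return {name: bad for name, d in conf["dests"].items()
            if (bad := [d[k] for k in ("domainlist", "urllist")
                        if k in d and not os.access(os.path.join(conf["dbhome"], d[k]), os.R_OK)])}

def load_list(path):
    if not os.path.isfile(path):   # a missing list reads as empty
        return set()
    with open(path) as fh:
        return {ln.strip().lower() for ln in fh} - {""}

def matches_dest(conf, name, url):
    """Simplified squidGuard match: domainlist covers host and subdomains, urllist host/path by component."""
    d = conf["dests"][name]
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    domains = load_list(os.path.join(conf["dbhome"], d.get("domainlist", "")))
    if any(host == dom or host.endswith("." + dom) for dom in domains):
        return True
    urls = load_list(os.path.join(conf["dbhome"], d.get("urllist", "")))
    segs = [s for s in parts.path.split("/") if s]
    keys = [host + "/" + "/".join(segs[:n]) for n in range(len(segs), 0, -1)] + [host]
    return any(k in urls for k in keys)

def evaluate(conf, url):
    """Walk the default acl's pass list left to right; the first match decides."""
    for token in conf["pass"]:
        if token == "all":
            return "pass"
        name = token.lstrip("!")
        if name in conf["dests"] and matches_dest(conf, name, url):
            return "redirect" if token.startswith("!") else "pass"
    return "redirect"  # squidGuard blocks when the list is exhausted without "all"

def demo():
    """Write the fixture into a temporary dbhome; return (file check, {url: decision})."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLE_LISTS.items():
            os.makedirs(os.path.join(root, os.path.dirname(rel)), exist_ok=True)
            with open(os.path.join(root, rel), "w") as fh:
                fh.write(body)
        conf = parse_squidguard_conf(SAMPLE_CONF.format(dbhome=root))
        urls = ["http://facebook.com/home", "http://www.phish.example/x",
                "http://shared-host.example/login/index.php",
                "http://shared-host.example/about", "http://phish.example.evil.example/"]
        return check_dest_files(conf), {u: evaluate(conf, u) for u in urls}
```

demo() reports whitelist/domains as missing and shows that the bare domain in whitelist/urls only covers facebook.com itself and paths under it; if you also want the subdomains (www.facebook.com and so on) allowed, put the entry in whitelist/domains instead, which is what the domainlist semantics are for. The look-alike host phish.example.evil.example is not caught by the phish.example domain entry, which is the correct suffix-by-label behaviour rather than a bug.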
Running everything
/usr/local/c-icap/bin/c-icap                # start the ICAP service so virus scanning is active
/usr/local/squid/bin/squid -k reconfigure   # reconfigure squid to activate squidGuard
Post installation
- log rotation
- /etc/logrotate.d/c-icap
/usr/local/c-icap/var/log/*log {
    rotate 12
    weekly
    compress
    delaycompress
    postrotate
        kill -HUP `cat /usr/local/c-icap/var/run/c-icap.pid`
    endscript
}
- /etc/logrotate.d/squidGuard
/usr/local/squidGuard/log/banned.log /usr/local/squidGuard/log/squidGuard.log {
    weekly
    rotate 5
    copytruncate
    compress
    notifempty
    missingok
}
Maintenance
- Updating squidclamav.conf – you can safely restart c-icap to make it pick up the changes, or reload the configuration through the ICAP control interface:
echo -n "squidclamav:cfgreload" > /usr/local/c-icap/var/run/c-icap.ctl
- Updating blacklists – when you download new blacklists, compile them with
/usr/local/squidGuard/bin/squidGuard -C all
- then make sure squidGuard can read the DB:
chown -R nobody:nobody /usr/local/squidGuard/db
- and make the new blacklist DB effective with
/usr/local/squid/sbin/squid -k reconfigure