Squid Log Clam AV Files Stopped Working and Redirect now blank
-
Hello Fellow Netgate community,
Can you please help? I recently noticed that the Virus logs that track the Viruses that Clam AV catches for my HTTPS proxy are no longer working inside of Squid as of a couple weeks ago.
I am running SSL intercept; this has worked before, please see attached:
Reference for how to install the Squid certificate: I had to generate it on the command line and load it into pfSense.
This works for version 22.05 better when you load the certificate.
Check it out Ref: https://forum.it-monkey.net/index.php?topic=23.0
This site had the best walk through with setting this up outside of the advanced options.
(Image: how redirect used to work)
Now it will only redirect to a blank page, and the test signature is no longer a 100 percent catch.
The logs stopped working. I cleaned them and they have all restored except the virus logs.
(Virus Catching functional)
(Logs no longer saving for Clam AV; virus table for tracking is empty on clear)
I had to clear the logs as it would no longer save them; something got corrupted.
(I have cleared all log files locally and they have restored)
(I have also cleared all log files locally for C-iap)
The virus table will not restore.
The red stopped page no longer is functional.
(system will not catch test file)
Again when it does catch a virus it shows an errored page that the certificate is unknown.
-
@jonathanlee
Ref also
https://forum.netgate.com/topic/138455/squid-clamav-antivirus-not-working-properly/11?_=1669772030240
-
@jonathanlee
You saw:
which means, to me, that the part that feeds the data to be tested can't contact the scan daemon, clamd.
Because it isn't running?
Because the socket 'rights' are not ok?
Because something else?
Check the 'clamd' log file.
When it starts and fails to create the socket, it should log this.
The proxy can't pipe the received info through the scanner. Result: info isn't scanned any more.
Btw: I'm also not using these packages on pfSense.
I do use "clamav" (clamd) on my mail server, as mails are stored in clear in the mail box folders, and after receiving a mail, they are parsed/scanned for common BS.
-
@jonathanlee
Probably.
Remember: I'm not using these pfSense packages.
Under /var/log/ - files are subsequent sub folder.
Or differently, as you've shown an example above: /var/squid/log/....
Btw: you use squid clam proxy etc: you should have a console (SSH) open at all times (I'm not kidding) with these log files.
These 'pfSense addons' you use interact with most incoming traffic: you better know what is going on in real time. That's why there are log files, as they tell you what's going on.
I would tail them all .....
-
@gertjan Thanks for your help. Here is the 29th error, Can't save PID, after it ran again and worked.
-
-
Adapted
-
-
I wonder if the port is required in the rules; that is why I added the firewall ACL for 127.0.0.1:. to the firewall. I feel this is a bit risky, however, and would only like the one port. I am going to change it to 1344 again; I had that listed for use as it is part of the remote cache load from other content acceleration systems. What port does clamd use for accessing the loopback? Squid already uses 1344; if you look at the config options, it is used with I-CAP.
-
Error
squidclamav_check_preview_handler: Wed Nov 30 15:56:36 2022, 92197/1098002432, ERROR clientip is null, you must set 'icap_send_client_ip on' into squid.conf
It goes on and on...
I have also just added
adaptation_send_client_ip {$icap_send_client_ip}
to line 234 of
ref https://forum.netgate.com/topic/129331/adaptation_send_client_ip-vs-icap_send_client_ip?_=1669853066007
It seems to already be enabled also, any ideas?
Keep in mind it all worked until a week or so ago; now it will not even see the test virus anymore.
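
Added example, not part of any post above and not pfSense or squidclamav code: because the quoted error "goes on and on", this tallies the distinct ERROR lines in a log that uses the layout of that line, and prints the last `*_send_client_ip` directive found in a squid.conf. The function names and both file arguments are assumptions (pass the paths your install uses), and apart from the one log line quoted in the thread the sample data is constructed.

```shell
#!/bin/sh
# Added example. Log layout follows the error line quoted in the thread:
#   <handler>: <timestamp>, <pid>/<tid>, <LEVEL> <message>

# Print "count|handler|first seen|last seen|message" per distinct ERROR, busiest first.
summarize_errors() {
    awk '
    {
        c = index($0, ": ");   if (c == 0) next
        handler = substr($0, 1, c - 1)
        rest = substr($0, c + 2)
        a = index(rest, ", "); if (a == 0) next
        stamp = substr(rest, 1, a - 1)
        rest = substr(rest, a + 2)
        b = index(rest, ", "); if (b == 0) next
        msg = substr(rest, b + 2)          # the message may itself contain commas
        if (msg !~ /^ERROR /) next
        key = handler SUBSEP msg
        if (!(key in n)) { first[key] = stamp; h[key] = handler; m[key] = msg }
        n[key]++; last[key] = stamp
    }
    END {
        for (k in n)
            printf "%d|%s|%s|%s|%s\n", n[k], h[k], first[k], last[k], m[k]
    }' "$1" | sort -t "|" -k1,1nr
}

# Print the last *_send_client_ip line in the given squid.conf, or "unset".
client_ip_setting() {
    v=$(grep -E '^[[:space:]]*(icap|adaptation)_send_client_ip[[:space:]]' "$1" | tail -n 1)
    printf '%s\n' "${v:-unset}"
}

# Constructed sample data: the first log line is the one quoted in the thread,
# the remaining lines and the config fragment are made up for this example.
demo_log=$(mktemp); demo_conf=$(mktemp)
trap 'rm -f "$demo_log" "$demo_conf"' EXIT
cat > "$demo_log" <<'EOF'
squidclamav_check_preview_handler: Wed Nov 30 15:56:36 2022, 92197/1098002432, ERROR clientip is null, you must set 'icap_send_client_ip on' into squid.conf
squidclamav_check_preview_handler: Wed Nov 30 15:56:41 2022, 92197/1098002432, ERROR clientip is null, you must set 'icap_send_client_ip on' into squid.conf
example_handler: Wed Nov 30 15:57:02 2022, 92197/1098002432, DEBUG constructed sample line
example_handler: Wed Nov 30 15:57:10 2022, 92197/1098002432, ERROR constructed sample failure
EOF
printf '%s\n' '# constructed squid.conf fragment' 'adaptation_send_client_ip on' > "$demo_conf"

summarize_errors "$demo_log"
client_ip_setting "$demo_conf"
```

If the directive prints as set while the "clientip is null" count keeps rising, the file checked is probably not the configuration the running Squid loaded.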