Internet -havp-squid-client

gfengyoung

Hi all
I config my box follow the wiki guider
http://doc.pfsense.org/index.php/HAVP_Package_for_HTTP_Anti-Virus_Scanning

havp is as Parent for Squid
havp's av scan is set on squid cache
and the other setting are at default

squid sets is in default
and in  custom options field is

never_direct allow all;cache_peer 127.0.0.1 parent 3129 0 name=havp no-query no-digest no-netdb-exchange default;

it is auto append after save havp setting

and I DO the first method, it seems not work, when i open http://www.eicar.org/anti_virus_test_file.htm ,click the virus test, there is no warm window appear

could somebody tell me why?
waiting on line….

ColdFusion

Are you using squid in transparent and also Squidguard??

gfengyoung

I am using squid in transparent, no Squidguard.
pfsense version is 1.2.2 installed on hdd with liveCD.

ColdFusion

I have squid/havp/squidguard and my config works this way.
Try putting Havp in Transparent and Squid transparent unchecked.

Havp…
Transparent checked
upstream proxy...lan IP:squid port.....example 192.168.1.1:3128
Havp proxy port 3121
enable x-forward...checked

In squid:
x forward unchecked
disable Via unchecked
transparent unchecked

gfengyoung

The wiki said havp should enable forwarded ip, not x-forwarded ?
maybe the wiki is wrong?
The pf box is at my office, I will try the way later!
Thank you ,ColdFusion!

gfengyoung

havp log

08/08/2009 22:13:44 === Starting HAVP Version: 0.88
08/08/2009 22:13:44 === Mandatory locking disabled! KEEPBACK settings not used!
08/08/2009 22:13:44 Running as user: havp, group: havp
08/08/2009 22:13:44 Use parent proxy: 192.168.100.1:3128
08/08/2009 22:13:44 Use transparent proxy mode
08/08/2009 22:13:44 --- Initializing Clamd Socket Scanner
08/08/2009 22:14:44 Clamd: Could not connect to scanner! Scanner down?
08/08/2009 22:14:44 ERROR: Clamd Socket Scanner failed EICAR virus test! (Could not connect to scanner socket)
08/08/2009 22:16:43 === Starting HAVP Version: 0.88
08/08/2009 22:16:43 === Mandatory locking disabled! KEEPBACK settings not used!
08/08/2009 22:16:43 Running as user: havp, group: havp
08/08/2009 22:16:43 Use parent proxy: 192.168.100.1:3128
08/08/2009 22:16:43 Use transparent proxy mode
08/08/2009 22:16:43 --- Initializing Clamd Socket Scanner
08/08/2009 22:17:43 === Starting HAVP Version: 0.88
08/08/2009 22:17:43 === Mandatory locking disabled! KEEPBACK settings not used!
08/08/2009 22:17:43 Running as user: havp, group: havp
08/08/2009 22:17:43 Use parent proxy: 192.168.100.1:3128
08/08/2009 22:17:43 Use transparent proxy mode
08/08/2009 22:17:43 --- Initializing Clamd Socket Scanner
08/08/2009 22:18:43 Clamd: Could not connect to scanner! Scanner down?
08/08/2009 22:18:43 ERROR: Clamd Socket Scanner failed EICAR virus test! (Could not connect to scanner socket)
08/08/2009 22:22:05 === Starting HAVP Version: 0.88
08/08/2009 22:22:05 === Mandatory locking disabled! KEEPBACK settings not used!
08/08/2009 22:22:05 Running as user: havp, group: havp
08/08/2009 22:22:05 Use parent proxy: 192.168.100.1:3128
08/08/2009 22:22:05 Use transparent proxy mode
08/08/2009 22:22:05 --- Initializing Clamd Socket Scanner
08/08/2009 22:23:05 Clamd: Could not connect to scanner! Scanner down?
08/08/2009 22:23:05 ERROR: Clamd Socket Scanner failed EICAR virus test! (Could not connect to scanner socket)

I DON'T KNOW WHY?

dvserg

Pls show 'pkg_info' cmd result

gfengyoung

HI all,
I have found the reason why the warning window not appear when I click the virus test link, because of the browser, I have 3 browser opera 9.64, iceweasel 3.0.3 and epiphany2.22.3 on my debian 5 .
when I use  epiphany to test the virus link, no warn window. but opera and iceweasel said find virus,and the havp warn window show, and the wiki about havp and squid seems right.
I DON'T KNOW WHAT IS THE PROBLEM  WIHT EPIPHANY ?

Alan87i

When I try the below quoted settings I get the following error banner

Mar 17 16:37:19 php: : New alert found: There were error(s) loading the rules: /tmp/rules.debug:502: cannot define table snort2c: Device busy /tmp/rules.debug:648: cannot define table virusprot: Device busy pfctl: Syntax error in config file: pf rules not loaded The line in question reads [502]: table <snort2c>persist
and
Mar 17 16:38:02 havp[18168]: All childs busy, spawning new (now: 14) - SERVERNUMBER might be too low
Mar 17 16:38:01 havp[18168]: All childs busy, spawning new (now: 12) - SERVERNUMBER might be too low
It's a 3 Ghz box with 1 Gb ram
Any ideas what is causing it?

@ColdFusion:

I have squid/havp/squidguard and my config works this way.
Try putting Havp in Transparent and Squid transparent unchecked.

Havp…
Transparent checked
upstream proxy...lan IP:squid port.....example 192.168.1.1:3128
Havp proxy port 3121
enable x-forward...checked

In squid:
x forward unchecked
disable Via unchecked
transparent unchecked</snort2c>

Alan87i

I searched all over and found 1 post in Russian on setting the min max servers in the havp.inc file. Mine looks a bit different and I want to ask for some advice on where and how to modify these settings before I screw it all up.

# HAVP config file
# This file generated automaticly with HAVP configurator (part of pfSense)
# (C)2008 Serg Dvoriancev
# email: dv_serg@mail.ru
# ============================================================
";
    $conf[] = "USER           " . HVDEF_USER;
    $conf[] = "GROUP          " . HVDEF_GROUP;
    $conf[] = "DAEMON         true";
    $conf[] = "PIDFILE        " . HVDEF_PID_FILE;
    $conf[] = "\n# For small home use, 8 should be minimum.";
    $conf[] = "# For 500 users corporate use, start at 40.";
    $conf[] = "SERVERNUMBER   " . HVDEF_HAVP_MINSRV;
    $conf[] = "MAXSERVERS     " . HVDEF_HAVP_MAXSRV;
    # log
    $conf[] = "\n# log ";
    $conf[] = "ACCESSLOG      " . HVDEF_HAVP_ACCESSLOG;
    $conf[] = "ERRORLOG       " . HVDEF_HAVP_ERRORLOG;
    # syslog
    $conf[] = "\n# syslog";
    $conf[] = "USESYSLOG      {$havp_config[F_SYSLOG]}";
    $conf[] = "SYSLOGNAME     havp";
    $conf[] = "SYSLOGFACILITY daemon";
    $conf[] = "SYSLOGLEVEL    " . (HV_DEBUG === 'true' ? "debug" : "info");     # err | warning | info | debug

$conf[] = "SERVERNUMBER  " . HVDEF_HAVP_MINSRV;
    $conf[] = "MAXSERVERS    " . HVDEF_HAVP_MAXSRV;
where exactly and what would be a good number to start with. I have up too 15 users on the lan.
Thanks
Allan

Alan87i

Is from the system logs It's full of these errors and for some reason the system slowly keeps chewing up more memory . At restart it's using 20% of the 1 gig of memory and through the day it climes to 60 to 80%.
Any help is much appreciated.

Mar 19 08:50:46 miniupnpd[1566]: HTTP Connection closed inexpectedly
Mar 19 08:50:46 dnsmasq[14710]: reading /var/dhcpd/var/db/dhcpd.leases
Mar 19 08:48:36 last message repeated 11 times
Mar 19 08:48:16 havp[34994]: (192.168.0.25) Could not read server header (192.168.0.136/au.download.windowsupdate.com:80)
Mar 19 08:46:52 havp[35002]: (192.168.0.6) Could not send body to browser
Mar 19 08:46:48 havp[34984]: (192.168.0.6) Could not send body to browser
Mar 19 05:53:08 havp[34990]: (192.168.0.102) Could not send body to browser
Mar 19 05:53:08 havp[34971]: (192.168.0.102) Could not send body to browser
Mar 19 05:52:20 havp[34988]: (192.168.0.102) Could not send body to browser
Mar 19 05:50:22 havp[35002]: (192.168.0.101) Could not send body to browser
Mar 19 05:49:31 havp[34998]: (192.168.0.102) Could not send body to browser
Mar 19 05:49:27 havp[34986]: (192.168.0.102) Could not send body to browser
Mar 19 05:43:03 havp[34974]: (192.168.0.25) Could not read server header (192.168.0.102/sugg.search.yahoo.com:80)
Mar 19 05:43:02 havp[34992]: (192.168.0.25) Could not read server header (192.168.0.102/sugg.search.yahoo.com:80)
Mar 19 05:43:01 havp[34974]: (192.168.0.25) Could not read server header (192.168.0.102/sugg.search.yahoo.com:80)
Mar 19 05:43:00 havp[34992]: (192.168.0.25) Could not read server header (192.168.0.102/sugg.search.yahoo.com:80)
Mar 19 05:39:52 havp[34984]: 192.168.0.101 GET 200 http://www.eicar.org/download/eicar.com 447+68 VIRUS Clamd: Eicar-Test-Signature
Mar 19 05:36:43 havp[35001]: (192.168.0.102) Could not read browser header
Mar 19 05:34:51 miniupnpd[1566]: HTTP Connection closed inexpectedly
Mar 19 05:34:51 dnsmasq[14710]: reading /var/dhcpd/var/db/dhcpd.leases
Mar 19 05:34:36 havp[34967]: All childs busy, spawning new (now: 32) - SERVERNUMBER might be too low

qsnj.ca

@ColdFusion:

I have squid/havp/squidguard and my config works this way.
Try putting Havp in Transparent and Squid transparent unchecked.

Havp…
Transparent checked
upstream proxy...lan IP:squid port.....example 192.168.1.1:3128
Havp proxy port 3121
enable x-forward...checked

In squid:
x forward unchecked
disable Via unchecked
transparent unchecked

I have my configuration set up exactly like this, but it doesn't work…the IP address in the logs (and in the denied page), is the router's LAN address, and NOT the client PC.  What am I doing wrong?  Is there a bug?  Can someone shed some light on this?  Thanks!