Internet -havp-squid-client



  • Hi all,
    I configured my box following the wiki guide:
    http://doc.pfsense.org/index.php/HAVP_Package_for_HTTP_Anti-Virus_Scanning

    HAVP is set as parent for Squid.
    HAVP's AV scan is set on the Squid cache,
    and the other settings are at default.

    Squid's settings are at default,
    and the custom options field contains:

    never_direct allow all;cache_peer 127.0.0.1 parent 3129 0 name=havp no-query no-digest no-netdb-exchange default;
    

    It is automatically appended after saving the HAVP settings.

    I did the first method, and it seems not to work: when I open http://www.eicar.org/anti_virus_test_file.htm and click the virus test, no warning window appears.

    Could somebody tell me why?
    Waiting online…



  • Are you using squid in transparent and also Squidguard??



  • I am using squid in transparent, no Squidguard.
    pfsense version is 1.2.2 installed on hdd with liveCD.



  • I have squid/havp/squidguard and my config works this way.
    Try putting Havp in Transparent and Squid transparent unchecked.

    Havp…
    Transparent checked
    upstream proxy...lan IP:squid port.....example 192.168.1.1:3128
    Havp proxy port 3121
    enable x-forward...checked

    In squid:
    x forward unchecked
    disable Via unchecked
    transparent unchecked



  • The wiki said havp should enable forwarded ip, not x-forwarded?
    Maybe the wiki is wrong?
    The pf box is at my office, I will try the way later!
    Thank you, ColdFusion!



  • havp log

    
    08/08/2009 22:13:44 === Starting HAVP Version: 0.88
    08/08/2009 22:13:44 === Mandatory locking disabled! KEEPBACK settings not used!
    08/08/2009 22:13:44 Running as user: havp, group: havp
    08/08/2009 22:13:44 Use parent proxy: 192.168.100.1:3128
    08/08/2009 22:13:44 Use transparent proxy mode
    08/08/2009 22:13:44 --- Initializing Clamd Socket Scanner
    08/08/2009 22:14:44 Clamd: Could not connect to scanner! Scanner down?
    08/08/2009 22:14:44 ERROR: Clamd Socket Scanner failed EICAR virus test! (Could not connect to scanner socket)
    08/08/2009 22:16:43 === Starting HAVP Version: 0.88
    08/08/2009 22:16:43 === Mandatory locking disabled! KEEPBACK settings not used!
    08/08/2009 22:16:43 Running as user: havp, group: havp
    08/08/2009 22:16:43 Use parent proxy: 192.168.100.1:3128
    08/08/2009 22:16:43 Use transparent proxy mode
    08/08/2009 22:16:43 --- Initializing Clamd Socket Scanner
    08/08/2009 22:17:43 === Starting HAVP Version: 0.88
    08/08/2009 22:17:43 === Mandatory locking disabled! KEEPBACK settings not used!
    08/08/2009 22:17:43 Running as user: havp, group: havp
    08/08/2009 22:17:43 Use parent proxy: 192.168.100.1:3128
    08/08/2009 22:17:43 Use transparent proxy mode
    08/08/2009 22:17:43 --- Initializing Clamd Socket Scanner
    08/08/2009 22:18:43 Clamd: Could not connect to scanner! Scanner down?
    08/08/2009 22:18:43 ERROR: Clamd Socket Scanner failed EICAR virus test! (Could not connect to scanner socket)
    08/08/2009 22:22:05 === Starting HAVP Version: 0.88
    08/08/2009 22:22:05 === Mandatory locking disabled! KEEPBACK settings not used!
    08/08/2009 22:22:05 Running as user: havp, group: havp
    08/08/2009 22:22:05 Use parent proxy: 192.168.100.1:3128
    08/08/2009 22:22:05 Use transparent proxy mode
    08/08/2009 22:22:05 --- Initializing Clamd Socket Scanner
    08/08/2009 22:23:05 Clamd: Could not connect to scanner! Scanner down?
    08/08/2009 22:23:05 ERROR: Clamd Socket Scanner failed EICAR virus test! (Could not connect to scanner socket)
    
    

    I DON'T KNOW WHY?



  • Pls show 'pkg_info' cmd result



  • Hi all,
    I have found the reason why the warning window does not appear when I click the virus test link: it is because of the browser. I have 3 browsers, Opera 9.64, Iceweasel 3.0.3 and Epiphany 2.22.3, on my Debian 5.
    When I use Epiphany to test the virus link, there is no warning window, but Opera and Iceweasel said a virus was found and the HAVP warning window showed, so the wiki about HAVP and Squid seems right.
    I DON'T KNOW WHAT THE PROBLEM WITH EPIPHANY IS?



  • When I try the below quoted settings I get the following error banner

    Mar 17 16:37:19 php: : New alert found: There were error(s) loading the rules: /tmp/rules.debug:502: cannot define table snort2c: Device busy /tmp/rules.debug:648: cannot define table virusprot: Device busy pfctl: Syntax error in config file: pf rules not loaded The line in question reads [502]: table <snort2c>persist
    and
    Mar 17 16:38:02 havp[18168]: All childs busy, spawning new (now: 14) - SERVERNUMBER might be too low
    Mar 17 16:38:01 havp[18168]: All childs busy, spawning new (now: 12) - SERVERNUMBER might be too low
    It's a 3 Ghz box with 1 Gb ram
    Any ideas what is causing it?

    @ColdFusion:

    I have squid/havp/squidguard and my config works this way.
    Try putting Havp in Transparent and Squid transparent unchecked.

    Havp…
    Transparent checked
    upstream proxy...lan IP:squid port.....example 192.168.1.1:3128
    Havp proxy port 3121
    enable x-forward...checked

    In squid:
    x forward unchecked
    disable Via unchecked
    transparent unchecked



  • I searched all over and found 1 post in Russian on setting the min max servers in the havp.inc file. Mine looks a bit different and I want to ask for some advice on where and how to modify these settings before I screw it all up.

    # HAVP config file
    # This file generated automaticly with HAVP configurator (part of pfSense)
    # (C)2008 Serg Dvoriancev
    # email: dv_serg@mail.ru
    # ============================================================
    ";
        $conf[] = "USER           " . HVDEF_USER;
        $conf[] = "GROUP          " . HVDEF_GROUP;
        $conf[] = "DAEMON         true";
        $conf[] = "PIDFILE        " . HVDEF_PID_FILE;
        $conf[] = "\n# For small home use, 8 should be minimum.";
        $conf[] = "# For 500 users corporate use, start at 40.";
        $conf[] = "SERVERNUMBER   " . HVDEF_HAVP_MINSRV;
        $conf[] = "MAXSERVERS     " . HVDEF_HAVP_MAXSRV;
        # log
        $conf[] = "\n# log ";
        $conf[] = "ACCESSLOG      " . HVDEF_HAVP_ACCESSLOG;
        $conf[] = "ERRORLOG       " . HVDEF_HAVP_ERRORLOG;
        # syslog
        $conf[] = "\n# syslog";
        $conf[] = "USESYSLOG      {$havp_config[F_SYSLOG]}";
        $conf[] = "SYSLOGNAME     havp";
        $conf[] = "SYSLOGFACILITY daemon";
        $conf[] = "SYSLOGLEVEL    " . (HV_DEBUG === 'true' ? "debug" : "info");     # err | warning | info | debug
    

    $conf[] = "SERVERNUMBER  " . HVDEF_HAVP_MINSRV;
        $conf[] = "MAXSERVERS    " . HVDEF_HAVP_MAXSRV;
    Where exactly, and what would be a good number to start with? I have up to 15 users on the LAN.
    Thanks
    Allan



  • This is from the system logs. It's full of these errors, and for some reason the system slowly keeps chewing up more memory. At restart it's using 20% of the 1 gig of memory, and through the day it climbs to 60 to 80%.
    Any help is much appreciated.

    Mar 19 08:50:46 miniupnpd[1566]: HTTP Connection closed inexpectedly
    Mar 19 08:50:46 dnsmasq[14710]: reading /var/dhcpd/var/db/dhcpd.leases
    Mar 19 08:48:36 last message repeated 11 times
    Mar 19 08:48:16 havp[34994]: (192.168.0.25) Could not read server header (192.168.0.136/au.download.windowsupdate.com:80)
    Mar 19 08:46:52 havp[35002]: (192.168.0.6) Could not send body to browser
    Mar 19 08:46:48 havp[34984]: (192.168.0.6) Could not send body to browser
    Mar 19 05:53:08 havp[34990]: (192.168.0.102) Could not send body to browser
    Mar 19 05:53:08 havp[34971]: (192.168.0.102) Could not send body to browser
    Mar 19 05:52:20 havp[34988]: (192.168.0.102) Could not send body to browser
    Mar 19 05:50:22 havp[35002]: (192.168.0.101) Could not send body to browser
    Mar 19 05:49:31 havp[34998]: (192.168.0.102) Could not send body to browser
    Mar 19 05:49:27 havp[34986]: (192.168.0.102) Could not send body to browser
    Mar 19 05:43:03 havp[34974]: (192.168.0.25) Could not read server header (192.168.0.102/sugg.search.yahoo.com:80)
    Mar 19 05:43:02 havp[34992]: (192.168.0.25) Could not read server header (192.168.0.102/sugg.search.yahoo.com:80)
    Mar 19 05:43:01 havp[34974]: (192.168.0.25) Could not read server header (192.168.0.102/sugg.search.yahoo.com:80)
    Mar 19 05:43:00 havp[34992]: (192.168.0.25) Could not read server header (192.168.0.102/sugg.search.yahoo.com:80)
    Mar 19 05:39:52 havp[34984]: 192.168.0.101 GET 200 http://www.eicar.org/download/eicar.com 447+68 VIRUS Clamd: Eicar-Test-Signature
    Mar 19 05:36:43 havp[35001]: (192.168.0.102) Could not read browser header
    Mar 19 05:34:51 miniupnpd[1566]: HTTP Connection closed inexpectedly
    Mar 19 05:34:51 dnsmasq[14710]: reading /var/dhcpd/var/db/dhcpd.leases
    Mar 19 05:34:36 havp[34967]: All childs busy, spawning new (now: 32) - SERVERNUMBER might be too low
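
A small triage script for the HAVP log lines posted in this thread, added here as an example (it is not part of any post and is not pfSense or HAVP code). It counts failed scanner self-tests, the highest child count reported by "All childs busy" messages, virus detections, and per-client "Could not ..." errors; the function name `triage` and the report field names are assumptions.

```python
import re
from collections import Counter

# Sample lines copied from the log excerpts quoted in this thread.
SAMPLE = """\
Mar 19 08:50:46 miniupnpd[1566]: HTTP Connection closed inexpectedly
Mar 19 08:46:48 havp[34984]: (192.168.0.6) Could not send body to browser
Mar 19 05:53:08 havp[34990]: (192.168.0.102) Could not send body to browser
Mar 19 05:43:03 havp[34974]: (192.168.0.25) Could not read server header (192.168.0.102/sugg.search.yahoo.com:80)
Mar 19 05:39:52 havp[34984]: 192.168.0.101 GET 200 http://www.eicar.org/download/eicar.com 447+68 VIRUS Clamd: Eicar-Test-Signature
Mar 19 05:36:43 havp[35001]: (192.168.0.102) Could not read browser header
Mar 19 05:34:36 havp[34967]: All childs busy, spawning new (now: 32) - SERVERNUMBER might be too low
Mar 17 16:38:02 havp[18168]: All childs busy, spawning new (now: 14) - SERVERNUMBER might be too low
08/08/2009 22:14:44 Clamd: Could not connect to scanner! Scanner down?
08/08/2009 22:14:44 ERROR: Clamd Socket Scanner failed EICAR virus test! (Could not connect to scanner socket)
"""

# Both prefixes seen in the thread: syslog ("Mar 19 05:34:36 havp[34967]: ")
# and HAVP's own log ("08/08/2009 22:14:44 ").
PREFIX = re.compile(
    r"^(?:\w{3}\s+\d+ [\d:]{8} havp\[\d+\]: |\d{2}/\d{2}/\d{4} [\d:]{8} )(.*)$")
BUSY = re.compile(r"All childs busy, spawning new \(now: (\d+)\)")
VIRUS = re.compile(r"^(\S+) \S+ \d{3} (\S+) \S+ VIRUS (.+)$")
CLIENT_ERR = re.compile(r"^\((\d+\.\d+\.\d+\.\d+)\) Could not ")

def triage(text):
    """Summarise HAVP log text into the conditions raised in this thread."""
    report = {"selftest_failures": 0, "peak_children": 0,
              "detections": [], "client_errors": Counter()}
    for line in text.splitlines():
        prefix = PREFIX.match(line)
        if not prefix:
            continue  # other daemons (miniupnpd, dnsmasq) and blank lines
        msg = prefix.group(1)
        busy, virus, err = BUSY.search(msg), VIRUS.match(msg), CLIENT_ERR.match(msg)
        if "failed EICAR virus test" in msg:
            report["selftest_failures"] += 1   # HAVP could not reach clamd
        elif busy:
            report["peak_children"] = max(report["peak_children"], int(busy.group(1)))
        elif virus:
            report["detections"].append(virus.groups())  # (client, url, signature)
        elif err:
            report["client_errors"][err.group(1)] += 1
    return report

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

A non-zero `selftest_failures` means the proxy chain should not be trusted to scan until clamd is reachable again, and `peak_children` shows how far HAVP grew past its configured SERVERNUMBER.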



  • @ColdFusion:

    I have squid/havp/squidguard and my config works this way.
    Try putting Havp in Transparent and Squid transparent unchecked.

    Havp…
    Transparent checked
    upstream proxy...lan IP:squid port.....example 192.168.1.1:3128
    Havp proxy port 3121
    enable x-forward...checked

    In squid:
    x forward unchecked
    disable Via unchecked
    transparent unchecked

    I have my configuration set up exactly like this, but it doesn't work…the IP address in the logs (and in the denied page), is the router's LAN address, and NOT the client PC.  What am I doing wrong?  Is there a bug?  Can someone shed some light on this?  Thanks!

