Netgate Discussion Forum

    HAVP without Squid. Does not block anything

      MediocreFred

      I have pfSense v1.2.3 running with WAN, LAN and OPT interfaces. I have snort v2.8.6.1 installed and running fine. I am now trying to get HAVP installed without Squid.

      HAVP installed with no errors. I have updated the ClamAV databases and have configured HAVP as follows:

      HTTP Proxy page
          Enable - checked
          Proxy Mode - Transparent
          Proxy Interface(s) - LAN, OPT
          Proxy Port - 3125
          Block file if error scanning - checked
          Enable RAM disk - checked
          Scan max file size - 2500 K
          Scan Images - checked
          Scan media stream - checked
          Log and Syslog - checked

      The General page shows both the HTTP Antivirus proxy as well as the Antivirus Server as running. I can restart the Proxy just fine.

      Here is what is in the System Log when I restart the proxy service:

      
      ```
      Feb 18 07:50:54 havp[20650]: Process ID: 20650
      Feb 18 07:50:54 havp[20649]: --- All scanners initialized
      Feb 18 07:50:54 havp[20649]: Clamd Socket Scanner passed EICAR virus test (Eicar-Test-Signature)
      Feb 18 07:50:54 havp[20649]: --- Initializing Clamd Socket Scanner
      Feb 18 07:50:54 havp[20649]: Use transparent proxy mode
      Feb 18 07:50:54 havp[20649]: Running as user: havp, group: havp
      Feb 18 07:50:54 havp[20649]: === Mandatory locking disabled! KEEPBACK settings not used!
      Feb 18 07:50:54 havp[20649]: === Starting HAVP Version: 0.91
      ```
      
      

      My understanding of the Transparent mode is "all 'http' requests on interface(s) will be translated to the HAVP proxy server without any client(s) additional configuration necessary". So, I should be able to browse as usual from my computers on the LAN without configuring any special proxy settings on my browsers. Is this true?

      Now, when I launch a browser on my PC and browse to the EICAR test page, I am able to download the EICAR com and zip files just fine (The AV on my PC catches them after they are downloaded and deletes them). HAVP doesn't see them and nothing gets logged in the pfsense System Logs.

      What am I doing wrong? Please help me get HAVP working without Squid. Also, I would really like to not have to configure proxy settings on my PCs - mainly because I run many applications that don't have proxy settings and so, don't play nice with proxy servers.

      Thanks,
      MediocreFred.

        dvserg

        What is in this section of /tmp/rules.debug?

        ```
        # havp proxy ifaces redirect
        ```
        
        

        SquidGuardDoc EN  RU Tutorial
        Localization ru_PFSense

          MediocreFred

          Thanks for the quick response. Here's the relevant section from /tmp/rules.debug:

          
          ```
          # havp proxy ifaces redirect
          rdr on em1 proto tcp from any to !(em1) port 80 -> lo0 port 3125
          rdr on em1 proto tcp from any to (em1) port 3125 -> lo0 port 3125
          rdr on em3 proto tcp from any to !(em3) port 80 -> lo0 port 3125
          rdr on em3 proto tcp from any to (em3) port 3125 -> lo0 port 3125
          ```
          
          

          There is also this related section:

          
          ```
          # havp proxy ifaces rules
          pass in quick on em1 proto tcp from any to !(em1) port 80 flags S/SA keep state
          pass in quick on em3 proto tcp from any to !(em3) port 80 flags S/SA keep state
          ```
          
          

          @dvserg:

          What is in this section of /tmp/rules.debug?

          ```
          # havp proxy ifaces redirect
          ```
          
          
            dvserg

            Hm.. all right.
            If your interfaces are not bridged, it must work.

            The file /var/log/havp/access.log contains the last client requests. Please check what is in this file.

              MediocreFred

              The access.log file is empty. I tried loading a few pages in my browser including the eicar page and initiated a download of the eicar after clearing my browser cache. Went back and looked at the access.log. Still Nothing.

              Please let me know where to look next.

              Thanks.

              @dvserg:

              Hm.. all right.
              If your interfaces are not bridged, it must work.

              The file /var/log/havp/access.log contains the last client requests. Please check what is in this file.

                dvserg

                Please set up proxy settings in your browser and test how this works.

                  MediocreFred

                  I have tried everything I can think of -
                  1. Uninstalled and reinstalled havp from the UI.
                  2. Used pkg_delete to delete havp, clamav and arj.
                  3. Reinstalled havp using pkg_add using the following -
                     ```
                     pkg_add -r havp http://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-7-stable/Latest/havp.tbz
                     ```
                     This appears to install newer versions of havp, clamav and arj; however, I don't see any way to configure this using the PFSense UI. No idea what is involved in configuring this manually.
                  4. Reinstalled the havp from the pfsense package manager.
                  5. Changed the Proxy mode to "Standard". Set the port to "8080". On my PC, I set the proxy settings in Internet Explorer to the IP address of pfsense and port 8080. Can't access the internet at all with this proxy setting.
                  
                  However, nothing gets logged in either /var/log/havp/access.log or /var/log/havp/havp.log
                  
                  What am I doing wrong? I would really like to get this working.
                  
                  Thanks.
                    Gloom

                    Oddly I have always been able to download those files on my setup and nothing ever gets logged to the files in /var/log/havp but I know it does some good as I find quite a few of this type of message on the syslog server.

                    havp[49826]: 172.31.225.226 GET 301 http://www.themoscowtimes.com/news/article/police-upgrade-web-site-ahead-of-reforms/431422.html 901+28129 VIRUS Clamd: Exploit.JS.CVE-2006-1359

                    PLEASE DO NOT CHECK THAT URL UNLESS YOUR ANTI-VIRUS IS UP TO DATE.

                    Never underestimate the power of human stupidity
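
A syslog line like the one quoted in the post above is what shows HAVP is really in the traffic path, so it is worth parsing rather than eyeballing. The Python sketch below is an added example, not code from the thread or from HAVP: it assumes the field layout visible in that one line, assumes clean requests end in `OK`, and runs on constructed sample lines with documentation addresses.

```python
import re
from collections import defaultdict

# Constructed sample lines; layout copied from the havp line quoted above.
# Hosts and addresses are documentation values, "OK" for clean hits is assumed.
SAMPLE = """\
Feb 18 07:50:54 havp[20649]: --- All scanners initialized
Feb 18 08:01:12 havp[49826]: 192.0.2.10 GET 200 http://files.example.test/a.zip 310+1024 OK
Feb 18 08:01:15 havp[49826]: 192.0.2.10 GET 301 http://bad.example.test/x.html 901+28129 VIRUS Clamd: Exploit.JS.CVE-2006-1359
Feb 18 08:02:40 havp[49826]: 192.0.2.23 GET 200 http://bad.example.test/eicar.com 280+68 VIRUS Clamd: Eicar-Test-Signature
"""

# client, method, status, URL, two counters, verdict, optional "scanner: signature"
REQUEST = re.compile(
    r"havp\[\d+\]:\s+"
    r"(?P<client>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<method>[A-Z]+)\s+(?P<status>\d{3})\s+"
    r"(?P<url>\S+)\s+(?P<sizes>\d+\+\d+)\s+"
    r"(?P<verdict>[A-Z]+)"
    r"(?:\s+(?P<scanner>[^:\s]+):\s+(?P<signature>.+?))?\s*$"
)

def parse_line(line):
    """Return the request fields of one HAVP syslog line, or None for other lines."""
    m = REQUEST.search(line)
    return m.groupdict() if m else None

def detections_by_client(lines):
    """Map client IP -> list of (url, scanner, signature) for VIRUS verdicts."""
    hits = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        if rec["verdict"] == "VIRUS":
            hits[rec["client"]].append((rec["url"], rec["scanner"], rec["signature"]))
    return dict(hits)

def triage(lines):
    """Tell 'proxy sees no traffic' apart from 'traffic seen, nothing flagged'."""
    records = [r for r in map(parse_line, lines) if r]
    if not records:
        return "no-requests"  # only startup messages: clients are not reaching HAVP
    if any(r["verdict"] == "VIRUS" for r in records):
        return "detections"
    return "clean"

if __name__ == "__main__":
    lines = SAMPLE.splitlines()
    print(triage(lines))
    for client, hits in detections_by_client(lines).items():
        for url, scanner, sig in hits:
            # Defang the URL before it lands in a ticket or chat window.
            print(client, scanner, sig, url.replace("http", "hxxp", 1))
```

A `no-requests` result on a log that only holds startup messages matches the symptom in this thread: the scanner is healthy but the redirect is not delivering client traffic to it.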

                      mshundal

                      hi, just following up if this was resolved…

                      I just reinstalled pfsense (on a new box) and have run into the same exact situation.

                      any hints or pointers are much appreciated.

                        mshundal

                        just blew the box away and installed 2.0 RC1 and seeing the same behavior in this.

                          mshundal

                          weird but rebooting the system after seems to make it work - maybe i just needed to 'rehash' from ssh…
