Squid3 Transparent Proxy with antivirus



  • I installed Squid3 and configured it as a transparent proxy with antivirus enabled using c-icap.

    When I tried to browse the web on a device, pages wouldn't load.

    I looked at services status and clamd was stopped. I started that and then got an error when trying to browse the web (which I failed to write down/screenshot).

    I disabled antivirus in Squid and then I was able to browse the web ok and squid is logging properly.

    When I tried to re-enable antivirus in squid I got the following error:

    Squidclamav warns redirect points to sample config domain (http://proxy.domain.dom/squid_clwarn.php)
    Change redirect info on 'squidclamav.conf' field to pfsense gui or an external host.
    c-icap Squidclamav service definition is no present.
    Add 'Service squid_clamav squidclamav.so'(without quotes) to 'c-icap.conf' field in order to get it working.
    Remove ldap configuration'Manager:Apassword@ldap.chtsanti.net?o=chtsanti?mermberUid?(&(objectClass=posixGroup)(cn=%s))' from 'c-icap.conf' field.
    

    Before I start manually changing config files, is this ok to do? Do I need to do anything else to configure properly?

    Edit: I went ahead and made the changes as specified and was able to save with antivirus enabled without error. But now when I browse I get the following error:



  • go to services->proxy filter (use squid dev) -> squidguard common acl and under target rules, put each to "allow" (tab and 3 x down arrow clicks, then tab again)

    save and reboot squid 3 (or the whole pfsense box)



  • the c-icap antivirus should work too (it is for me)

    the havp Antivirus HTTP proxy Service is broken.



  • @messerchmidt:

    go to services->proxy filter (use squid dev) -> squidguard common acl and under target rules, put each to "allow" (tab and 3 x down arrow clicks, then tab again)

    save and reboot squid 3 (or the whole pfsense box)

    I don't have Services->Proxy Filter. Only Proxy Server and Reverse Proxy. Is Proxy Filter Squidguard? I have only installed Squid3 so far.



  • Try to update clam antivirus manually through shell



  • @exograpix:

    Try to update clam antivirus manually through shell

    Can you provide instructions or a link for upgrading clamav through the shell? I'm afraid I don't know how to do that.



  • https://forum.pfsense.org/index.php?topic=77264.0

    You aren't alone. This thread provides some background but also specifically on how to update with freshclam.



  • Hello,

    Basically the icap service listens on IPv6 instead of IPv4.
    Open the file /usr/local/pkg/squid.inc and edit the following lines from

    
    icap_service service_avi_req reqmod_precache icap://[::1]:1344/squid_clamav bypass=off
    adaptation_access service_avi_req allow all
    icap_service service_avi_resp respmod_precache icap://[::1]:1344/squid_clamav bypass=on
    adaptation_access service_avi_resp allow all
    
    

    to

    
    icap_service service_avi_req reqmod_precache icap://localhost:1344/squid_clamav bypass=off
    adaptation_access service_avi_req allow all
    icap_service service_avi_resp respmod_precache icap://localhost:1344/squid_clamav bypass=on
    adaptation_access service_avi_resp allow all
    
    

    Restart squid and icap and it should work :)



  • Still won't go, I get this when I try to enable it under proxy server -> antivirus

    The following input errors were detected:

    Squidclamav warns redirect points to sample config domain (http://proxy.domain.dom/squid_clwarn.php)
    Change redirect info on 'squidclamav.conf' field to pfsense gui or an external host.
    c-icap Squidclamav service definition is no present.
    Add 'Service squid_clamav squidclamav.so'(without quotes) to 'c-icap.conf' field in order to get it working.
    Remove ldap configuration'Manager:Apassword@ldap.chtsanti.net?o=chtsanti?mermberUid?(&(objectClass=posixGroup)(cn=%s))' from 'c-icap.conf' field.



  • Well, that's the basic config to add, I guessed you should already have done this.
    As it is said, modify your config files (in GUI this time):

    Add this to the last line of c-icap.conf
    Service squid_clamav squidclamav.so

    in Squidclamav.conf change the redirection line to something like
    redirect http://myinternalurl.when.virus.detected

    and remove the stated ldap line in c-icap.conf (even if it's commented out, remove it!)

    Regards,
    Ozy.
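
A pre-save check for the two GUI fields edited in the reply above, as an added example that is not part of the thread or of the pfSense package's own validation. The function names and the rule that only uncommented lines count as active are assumptions; the three conditions come from the error text quoted in the thread, and the sample field contents are constructed.

```python
from urllib.parse import urlsplit

SAMPLE_REDIRECT_HOST = "proxy.domain.dom"  # sample domain named in the GUI error
SAMPLE_LDAP_HOST = "ldap.chtsanti.net"     # host in the ldap line the GUI rejects
SERVICE_DIRECTIVE = ["Service", "squid_clamav", "squidclamav.so"]


def active_directives(text):
    """Yield (line_number, tokens) for lines that are neither blank nor '#' comments."""
    for number, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if stripped and not stripped.startswith("#"):
            yield number, stripped.split()


def lint_antivirus_fields(cicap_conf, squidclamav_conf):
    """Return a list of problems mirroring the three GUI errors in the thread."""
    problems = []
    if not any(t == SERVICE_DIRECTIVE for _, t in active_directives(cicap_conf)):
        problems.append("c-icap.conf: no active 'Service squid_clamav squidclamav.so'")
    # Per the reply above, the sample ldap line must go even when commented out,
    # so this check scans raw lines rather than active directives.
    for number, line in enumerate(cicap_conf.splitlines(), 1):
        if SAMPLE_LDAP_HOST in line:
            problems.append("c-icap.conf:%d: sample ldap line still present" % number)
    redirects = [(n, t[1]) for n, t in active_directives(squidclamav_conf)
                 if t[0] == "redirect" and len(t) > 1]
    if not redirects:
        problems.append("squidclamav.conf: no active redirect line")
    for number, url in redirects:
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            problems.append("squidclamav.conf:%d: redirect is not an http(s) URL" % number)
        elif parts.hostname.lower() == SAMPLE_REDIRECT_HOST:
            problems.append("squidclamav.conf:%d: redirect points at sample domain" % number)
    return problems


if __name__ == "__main__":
    # Constructed field contents: package defaults as the error text implies them.
    cicap = "# Service squid_clamav squidclamav.so\n# sample: x@ldap.chtsanti.net\n"
    squidclamav = "redirect http://proxy.domain.dom/squid_clwarn.php\n"
    for problem in lint_antivirus_fields(cicap, squidclamav):
        print(problem)
```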



  • I just wanna say thank you, the steps above work perfectly for me.

    pfsense 2.2.4-RELEASE (amd64)
    squid3 0.3.4



  • Finally getting to turning on squid3 antivirus and smacked right into this same problem.

    Running on pfSense 2.2.5-DEVELOPMENT (amd64) built on Sun Nov 01, with squid3 0.4.1.1.

    The filename to edit is different, it's now /usr/local/pkg/squid_antivirus.inc

    But editing to change [::1] to 127.0.0.1 now works, and even though the C-ICAP access log still shows ::1, it still passes the EICAR test.

    Much thanks for the workaround.
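
A way to confirm which loopback address c-icap actually answers on, covering both the `[::1]` to `localhost` change and the `127.0.0.1` variant above: it sends an ICAP OPTIONS request (RFC 3507) to each address on port 1344. This is an added example, not code from the thread or the pfSense package; it assumes a Python 3 interpreter on the firewall, and the function names are hypothetical.

```python
import socket

ICAP_PORT = 1344          # port in the thread's icap_service lines
SERVICE = "squid_clamav"  # service name from the thread's c-icap.conf line


def icap_options(host, port=ICAP_PORT, service=SERVICE, timeout=3.0):
    """Send an ICAP OPTIONS request (RFC 3507); return (status, headers).
    (None, {}) means nothing answered ICAP at that address."""
    authority = "[%s]" % host if ":" in host else host
    request = (
        "OPTIONS icap://%s:%d/%s ICAP/1.0\r\n"
        "Host: %s\r\n"
        "Encapsulated: null-body=0\r\n"
        "\r\n" % (authority, port, service, authority)
    ).encode("ascii")
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            data = b""
            while b"\r\n\r\n" not in data and len(data) < 65536:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                data += chunk
    except OSError:  # refused, unreachable, timed out, or no IPv6 stack
        return None, {}
    lines = data.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    parts = lines[0].split()
    if len(parts) < 2 or not parts[0].startswith("ICAP/") or not parts[1].isdigit():
        return None, {}
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers


def check_loopbacks(port=ICAP_PORT, service=SERVICE):
    """Probe the IPv4 and IPv6 loopback; map address -> ICAP status or None."""
    return {h: icap_options(h, port, service)[0] for h in ("127.0.0.1", "::1")}


if __name__ == "__main__":
    for addr, status in check_loopbacks().items():
        print(addr, "ICAP status:", status if status else "no answer")
```

The address in the `icap_service` lines should be one that returns a status here. With `bypass=on` Squid treats the service as optional, so an unreachable RESPMOD service lets responses through unscanned rather than producing an error, which is why the EICAR test mentioned above is still worth running after the change.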

