Squid with AV Scanner - SquidClamav

Many administrators prefer Squid as a proxy, as it's very flexible & equipped with many features.

With the increasing use of the Internet, threats like viruses / trojans have also increased. To protect a corporate network, one needs to use a proxy with antivirus for additional security.

I used SquidClamav with Squid to protect my network.

Below is the installation & configuration of SquidClamav.

Install clamav

Installation

Download squidclamav from http://sourceforge.net/projects/squidclamav/

tar zxvf squidclamav-3.9.tar.gz
cd squidclamav-3.9/
./configure
make all
make install
cp squidclamav.conf.dist /etc/squidclamav.conf
touch /var/log/squidclamav.log
chown squid /var/log/squidclamav.log

Configuration

/etc/squidclamav.conf

abort ^.*\.pdf$
abort ^.*\.html$
abort ^.*\.xml$
abort ^.*\.jsp$
abort ^.*\.ico$
aborti ^.*\.gif$
aborti ^.*\.png$
aborti ^.*\.jpg$

debug 1
force 1
stat 1
regexi  ^.*\.exe$
regexi  ^.*\.com$
regexi  ^.*\.zip$
regexi  ^.*\.msi$
regexi  ^.*\.dll$
regexi  ^.*\.cab$
content ^application\/.*$
clamd_local /tmp/clamd.socket
regex|regexi pattern
redirect http://192.168.1.1/virus.html
logfile /var/log/squidclamav.log
whitelist linuxreaders

Testing

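Sample output when running squidclamav from a shell. The "Bad configuration keyword" line is caused by the syntax placeholder "regex|regexi pattern" left in the configuration above; it is not a valid directive.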
SquidClamav running as UID 0: writing logs to stderr
Wed Jul 22 14:48:03 2009 LOG Reading configuration from /etc/squidclamav.conf
Bad configuration keyword: regex|regexi pattern
Wed Jul 22 14:48:03 2009 LOG SquidClamav (PID 336) started

Enter the following line to test virus scanning.

http://www.eicar.org/download/eicar.com 192.168.1.3 mylog GET
Wed Jul 22 14:49:53 2009 DEBUG Request:http://www.eicar.org/download/eicar.com 192.168.1.3 mylog GET
Wed Jul 22 14:49:53 2009 DEBUG regex matched: http://www.eicar.org/download/eicar.com
Wed Jul 22 14:49:53 2009 DEBUG content matched: application/x-msdos-program
Wed Jul 22 14:49:53 2009 DEBUG Content-Type: application/x-msdos-program will be scanned
Wed Jul 22 14:49:53 2009 DEBUG Sending STREAM to clamd.
Wed Jul 22 14:49:53 2009 LOG Redirecting URL to: http://192.168.1.1/virus.html?url=http://www.eicar.org/download/eicar.com&source=192.168.1.3&user=mylog&virus=stream:+Eicar-Test-Signature+FOUND
Wed Jul 22 14:49:53 2009 STAT Virus Scanning process time   0.201 second(s)
http://192.168.1.1/virus.html?url=http://www.eicar.org/download/eicar.com&source=192.168.1.3&user=mylog&virus=stream:+Eicar-Test-Signature+FOUND 192.168.1.3 mylog GET
Wed Jul 22 14:49:53 2009 DEBUG Virus found, redirection sent to Squid.
Wed Jul 22 14:49:53 2009 STAT Total process time   0.374 second(s)
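
An added example (not part of the original article or of SquidClamav): a small Python triage script for /var/log/squidclamav.log that extracts virus detections and "Bad configuration keyword" warnings. The log layout is taken from the output above; the function names and the second sample URL are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample modelled on the log lines above; the last entry is a
# hypothetical URL containing '&' to exercise the parsing edge case.
SAMPLE_LOG = """\
Wed Jul 22 14:48:03 2009 LOG Reading configuration from /etc/squidclamav.conf
Bad configuration keyword: regex|regexi pattern
Wed Jul 22 14:48:03 2009 LOG SquidClamav (PID 336) started
Wed Jul 22 14:49:53 2009 DEBUG Sending STREAM to clamd.
Wed Jul 22 14:49:53 2009 LOG Redirecting URL to: http://192.168.1.1/virus.html?url=http://www.eicar.org/download/eicar.com&source=192.168.1.3&user=mylog&virus=stream:+Eicar-Test-Signature+FOUND
Wed Jul 22 14:51:10 2009 LOG Redirecting URL to: http://192.168.1.1/virus.html?url=http://files.example/get?id=7&name=a.zip&source=192.168.1.7&user=-&virus=stream:+Eicar-Test-Signature+FOUND
"""

REDIRECT = re.compile(r"^(?P<time>\w{3} \w{3} [ \d]\d [\d:]{8} \d{4}) "
                      r"LOG Redirecting URL to: (?P<target>\S+)$")
BAD_KEYWORD = re.compile(r"^Bad configuration keyword: (?P<kw>.+)$")

def split_redirect(target):
    """Split the redirect target from the right: the requested URL is
    appended unencoded, so it may itself contain '&' or '?'."""
    fields = {}
    for key in ("virus", "user", "source"):
        target, sep, fields[key] = target.rpartition("&%s=" % key)
        if not sep:
            return None
    _, sep, fields["url"] = target.partition("?url=")
    if not sep:
        return None
    name = fields["virus"].replace("+", " ")
    fields["virus"] = re.sub(r"^stream: | FOUND$", "", name)
    return fields

def triage(log_text):
    """Return (detections, bad config keywords, detections per client)."""
    detections, bad_keywords = [], []
    for line in log_text.splitlines():
        bad = BAD_KEYWORD.match(line)
        hit = REDIRECT.match(line)
        if bad:
            bad_keywords.append(bad.group("kw"))
        elif hit:
            fields = split_redirect(hit.group("target"))
            if fields:
                detections.append({"time": hit.group("time"), **fields})
    return detections, bad_keywords, Counter(d["source"] for d in detections)

if __name__ == "__main__":
    found, bad, per_client = triage(SAMPLE_LOG)
    for d in found:
        print(d["time"], d["source"], d["user"], d["virus"], d["url"])
    print("config problems:", bad, "| per client:", dict(per_client))
```

Run it against the real log by passing the file contents to triage(); clients that appear repeatedly in the per-client count are the ones to check first.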

/etc/squid/squid.conf

acl myuser src 192.168.1.0/255.255.255.0
acl mysite url_regex "/etc/squid/siteallowed"
http_access allow myuser mysite

url_rewrite_access allow myuser
url_rewrite_program /usr/local/bin/squidclamav
url_rewrite_children 15 #increase if you find performance issue with Squid.




Article by Dhaval Thakar
