
Squid + Dansguardian + c-icap + ClamAV based on CentOS 7

Purpose of the article


Plenty of articles on the Internet cover anti-virus protection with a squid + ClamAV pair, but there is no complete guide to setting up the whole chain under CentOS 7. This article walks through building a proxy server with the following features:

Audience


Linux system administrators


Introduction


Most telecom operators now hand customers routed Internet access, and on such a link filtering and anti-virus checking of incoming traffic is harder to do at the network edge. When users must be kept away from certain sites by category or URL, and incoming web traffic must be scanned, a proxy server is the simplest solution.

Squid is a mature, feature-rich proxy server. Anti-virus scanning will be done with ClamAV, an open-source anti-virus engine; Squid hands objects to it through the ICAP server c-icap and the squidclamav service module. Content filtering by category will be implemented with Dansguardian.

The general solution diagram is schematically shown below:


Initial data


We have a Linux server running CentOS 7. The server has routed Internet access.

Basic squid setup



 # yum update -y
 # reboot


 # yum -y install epel-release 


 # yum -y install squid 



 # systemctl enable squid
 Created symlink from /etc/systemd/system/multi-user.target.wants/squid.service to /usr/lib/systemd/system/squid.service.
 # systemctl start squid

Setting up ClamAV anti-virus scan services



 # yum install clamav clamav-update clamav-scanner clamav-scanner-systemd -y 



 # touch /var/log/clamd.scan
 # chown clamscan. /var/log/clamd.scan


 # diff -u /etc/freshclam.conf.orig /etc/freshclam.conf --- /etc/freshclam.conf.orig 2016-07-19 22:47:25.195704610 +0300 +++ /etc/freshclam.conf 2016-07-19 22:47:57.103230225 +0300 @@ -5,7 +5,7 @@ # Comment or remove the line below. -Example +#Example # Path to the database directory. # WARNING: It must match clamd.conf's directive! @@ -14,7 +14,7 @@ # Path to the log file (make sure it has proper permissions) # Default: disabled -#UpdateLogFile /var/log/freshclam.log +UpdateLogFile /var/log/freshclam.log # Maximum size of the log file. # Value of 0 disables the limit. @@ -48,7 +48,7 @@ # This option allows you to save the process identifier of the daemon # Default: disabled -#PidFile /var/run/freshclam.pid +PidFile /var/run/freshclam.pid # By default when started freshclam drops privileges and switches to the # "clamav" user. This directive allows you to change the database owner. 
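Review bot: the second hunk turns on UpdateLogFile /var/log/freshclam.log, but nothing here creates that file for the unprivileged user the context lines say freshclam drops to (the DatabaseOwner directive in this same file); give it the same touch/chown treatment the page gives /var/log/clamd.scan, otherwise the update job logs nothing or aborts on a permission error. Removing the Example line in the first hunk is mandatory, since freshclam refuses to start while it is present. PidFile /var/run/freshclam.pid in the third hunk is fine on CentOS 7, where /var/run is /run.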


 # freshclam
 ClamAV update process started at Tue Jul 19 19:48:31 2016
 main.cvd is up to date (version: 57, sigs: 4218790, f-level: 60, builder: amishhammer)
 connect_error: getsockopt(SO_ERROR): fd=5 error=111: Connection refused
 Can't connect to port 80 of host database.clamav.net (IP: 208.72.56.53)
 Trying host database.clamav.net (64.6.100.177)...
 WARNING: getfile: daily-21724.cdiff not found on database.clamav.net (IP: 64.6.100.177)
 WARNING: getpatch: Can't download daily-21724.cdiff from database.clamav.net
 WARNING: getfile: daily-21724.cdiff not found on database.clamav.net (IP: 64.22.33.90)
 WARNING: getpatch: Can't download daily-21724.cdiff from database.clamav.net
 Trying host database.clamav.net (150.214.142.197)...
 WARNING: getfile: daily-21724.cdiff not found on database.clamav.net (IP: 150.214.142.197)
 WARNING: getpatch: Can't download daily-21724.cdiff from database.clamav.net
 WARNING: Incremental update failed, trying to download daily.cvd
 Downloading daily.cvd [100%]
 daily.cvd updated (version: 21933, sigs: 441430, f-level: 63, builder: neo)
 Downloading bytecode-279.cdiff [100%]
 Downloading bytecode-280.cdiff [100%]
 Downloading bytecode-281.cdiff [100%]
 Downloading bytecode-282.cdiff [100%]
 Downloading bytecode-283.cdiff [100%]
 bytecode.cld updated (version: 283, sigs: 53, f-level: 63, builder: neo)
 Database updated (4660273 signatures) from database.clamav.net (IP: 69.12.162.28)

The connection-refused and missing-cdiff warnings are mirror noise: freshclam could not fetch the incremental patch and fell back to a full daily.cvd download. The final "Database updated" line is what matters; if it is missing, the scanner is running on stale signatures.


 # wget http://www.eicar.org/download/eicar.com
 # clamscan --infected --remove --recursive eicar.com
 eicar.com: Eicar-Test-Signature FOUND
 eicar.com: Removed.
 ----------- SCAN SUMMARY -----------
 Known viruses: 4654877
 Engine version: 0.99.2
 Scanned directories: 0
 Scanned files: 1
 Infected files: 1
 Data scanned: 0.00 MB
 Data read: 0.00 MB (ratio 0.00:1)
 Time: 8.958 sec (0 m 8 s)


 # systemctl start clamd@scan
 # systemctl enable clamd@scan
 Created symlink from /etc/systemd/system/multi-user.target.wants/clamd@scan.service to /usr/lib/systemd/system/clamd@scan.service.

clamd@scan only comes up once /etc/clamd.d/scan.conf has been edited: the Example line must be removed and a listener enabled there (the commented-out default is LocalSocket /var/run/clamd.scan/clamd.sock). Confirm with systemctl status clamd@scan before going further, because squidclamav below will silently fall back to passing traffic if it cannot reach the daemon.


 # vi /etc/sysconfig/freshclam
 ...
 ### !!!!! REMOVE ME !!!!!!
 ### REMOVE ME: By default, the freshclam update is disabled to avoid
 ### REMOVE ME: network access without prior activation
 FRESHCLAM_DELAY=disabled-warn   # REMOVE ME

Delete the four lines marked REMOVE ME. While FRESHCLAM_DELAY=disabled-warn is present, the cron job installed by clamav-update (/etc/cron.d/clamav-update, which calls /usr/share/clamav/freshclam-sleep) only prints a warning and never fetches signatures, so the manual freshclam run above would be the last update the server ever gets.


Build packages for CentOS 7 (on another workstation)


I could not find c-icap, squidclamav or dansguardian packages in the standard repositories for CentOS 7, so I had to build them from src.rpm packages. The build was done on a separate workstation. Of course, it is better not to build as root: under an unprivileged user rpmbuild works in ~/rpmbuild instead of the /root/rpmbuild paths shown below.

 # wget ftp://ftp.pbone.net/mirror/ftp5.gwdg.de/pub/opensuse/repositories/home%3A/Kenzy%3A/packages/CentOS_7/src/c-icap-0.3.5-3.1.src.rpm
 # rpm -ivh c-icap-0.3.5-3.1.src.rpm
 # if rpmbuild stops on missing BuildRequires: yum -y install yum-utils && yum-builddep /root/rpmbuild/SPECS/c-icap.spec
 # rpmbuild -bb /root/rpmbuild/SPECS/c-icap.spec


 # wget ftp://ftp.pbone.net/mirror/ftp5.gwdg.de/pub/opensuse/repositories/home%3A/Kenzy%3A/packages/CentOS_7/src/dansguardian-2.12.0.3-1.1.src.rpm
 # rpm -ivh dansguardian-2.12.0.3-1.1.src.rpm     # unpack the src.rpm first, as for c-icap, or the spec file does not exist
 # rpmbuild -bb /root/rpmbuild/SPECS/dansguardian.spec


 # wget ftp://ftp.pbone.net/mirror/ftp5.gwdg.de/pub/opensuse/repositories/home%3A/Kenzy%3A/packages/CentOS_7/src/squidclamav-6.11-2.1.src.rpm
 # rpm -ivh squidclamav-6.11-2.1.src.rpm     # unpack the src.rpm first, as for c-icap
 # rpmbuild -bb /root/rpmbuild/SPECS/squidclamav.spec

The resulting binary packages are in /root/rpmbuild/RPMS/x86_64/ (c-icap, libicapapi3, dansguardian, squidclamav); copy them to the proxy server before the next section.



Configure c-icap and squidclamav



 # rpm -ivh c-icap-0.3.5-3.1.x86_64.rpm libicapapi3-0.3.5-3.1.x86_64.rpm 


Edit /etc/c-icap/c-icap.conf; the changes relative to the packaged original are:
 # diff –ru /etc/c-icap/c-icap.conf.orig /etc/c-icap/c-icap.conf --- /etc/c-icap/c-icap.conf.orig 2016-07-19 23:29:47.764949235 +0300 +++ /etc/c-icap/c-icap.conf 2016-07-21 02:53:24.650555236 +0300 @@ -55,7 +55,7 @@ # generates a number of threads, which serve the requests. # Default: # StartServers 3 -StartServers 3 +StartServers 10 # TAG: MaxServers # Format: MaxServers number @@ -63,7 +63,7 @@ # The maximum allowed number of server processes. # Default: # MaxServers 10 -MaxServers 10 +MaxServers 70 # TAG: MinSpareThreads # Format: MinSpareThreads number @@ -72,7 +72,7 @@ # the c-icap server starts a new child. # Default: # MinSpareThreads 10 -MinSpareThreads 10 +MinSpareThreads 20 # TAG: MaxSpareThreads # Format: MaxSpareThreads number @@ -81,7 +81,7 @@ # the c-icap server kills a child. # Default: # MaxSpareThreads 20 -MaxSpareThreads 20 +MaxSpareThreads 50 # TAG: ThreadsPerChild # Format: ThreadsPerChild number @@ -89,7 +89,7 @@ # The number of threads per child process. # Default: # ThreadsPerChild 10 -ThreadsPerChild 10 +ThreadsPerChild 50 # TAG: MaxRequestsPerChild # Format: MaxRequestsPerChild number @@ -175,7 +175,7 @@ # The acceptable range of levels is between 0 and 10. # Default: # DebugLevel 1 -DebugLevel 1 +DebugLevel 0 # TAG: Pipelining # Format: Pipelining on|off @@ -466,7 +466,8 @@ # information about the c-icap server. # Default: # ServerLog /var/log/c-icap/server.log -ServerLog /var/log/c-icap/server.log +# Disabled +######ServerLog /var/log/c-icap/server.log # TAG: AccessLog # Format: AccessLog LogFile [LogFormat] [[!]acl1] [[!]acl2] [...] @@ -481,7 +482,8 @@ # AccessLog /var/log/c-icap/access.log # Example: # AccessLog /var/log/c-icap/access.log MyFormat all -AccessLog /var/log/c-icap/access.log +# Disabled +#########AccessLog /var/log/c-icap/access.log # TAG: Logger # Format: Logger LoggerName 
@@ -559,7 +561,7 @@ # Simple test service # Example: # Service echo srv_echo.so -Service echo srv_echo.so +Service squidclamav squidclamav.so # Module: sys_logger # Description: 
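Review bot: commenting out both ServerLog and AccessLog (the two hunks before this one) leaves no record of which requests c-icap scanned or which ones squidclamav blocked, which is the first thing you want during an incident; keep at least AccessLog /var/log/c-icap/access.log and rotate it rather than disabling it. The limits raised in the first five hunks (MaxServers 70 with ThreadsPerChild 50) allow up to 3500 concurrent scanning threads, each of which may hold a clamd connection, so MaxThreads in /etc/clamd.d/scan.conf (default 10) needs raising to match or clamd will queue and time out under load. The Service squidclamav squidclamav.so line in this last hunk is the only change that actually wires the scanner in; leave DebugLevel above 0 until the service is seen loading in the log, then drop it.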


 # echo "d /var/run/c-icap 0755 c-icap c-icap -" >/etc/tmpfiles.d/c-icap.conf 


 # cat <<EOF > /usr/lib/systemd/system/c-icap.service
 # create new
 [Unit]
 Description=c-icap service
 After=network.target

 [Service]
 Type=forking
 PIDFile=/var/run/c-icap/c-icap.pid
 ExecStart=/usr/bin/c-icap -f /etc/c-icap/c-icap.conf
 KillMode=process

 [Install]
 WantedBy=multi-user.target
 EOF

KillMode=process tells systemd to signal only the master process on stop; the worker children c-icap forks (up to MaxServers of them) are left running. If you want systemctl stop c-icap to really stop scanning, drop that line so the default control-group kill applies.


 # yum localinstall squidclamav-6.11-2.1.x86_64.rpm 


 # diff -u /etc/squidclamav.conf.orig /etc/squidclamav.conf --- /etc/squidclamav.conf.orig 2016-07-19 23:52:25.927974080 +0300 +++ /etc/squidclamav.conf 2016-07-21 02:43:17.838443019 +0300 @@ -18,14 +18,15 @@ # Path to the squiGuard binary if you want URL filtering, note that you'd better # use the squid configuration directive 'url_rewrite_program' instead. -#squidguard /usr/sbin/squidGuard +#squidguard /usr/bin/squidGuard # Path to the clamd socket, use clamd_local if you use Unix socket or if clamd # is listening on an Inet socket, comment clamd_local and set the clamd_ip and # clamd_port to the corresponding value. -clamd_local /var/run/clamav/clamd-socket -#clamd_ip 192.168.1.5,127.0.0.1 -#clamd_port 3310 +#clamd_local /var/run/clamd.scan/clamd.sock +clamd_ip 127.0.0.1 +clamd_port 3310 +trust_cache 0 # Set the timeout for clamd connection. Default is 1 second, this is a good # value but if you have slow service you can increase up to 3. 
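Review bot: switching from clamd_local to clamd_ip 127.0.0.1 / clamd_port 3310 only works if /etc/clamd.d/scan.conf has TCPSocket 3310 and TCPAddr 127.0.0.1 enabled, and that change is not shown anywhere on this page; the EPEL default there is the LocalSocket /var/run/clamd.scan/clamd.sock that the commented-out clamd_local line in this hunk already names. The Unix socket is the better choice: clamd has no authentication, so a TCP listener that is not pinned with TCPAddr binds every interface and lets anything that can reach the port submit scan jobs. If TCP is kept, set TCPAddr 127.0.0.1 explicitly. The squidguard path change is inert because the line stays commented out.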


 # mkdir /var/run/c-icap
 # chown c-icap /var/run/c-icap
 # systemctl daemon-reload     # pick up the unit file created above
 # systemctl enable c-icap
 # systemctl start c-icap


Setting up squid integration with c-icap



 # cat <<EOF >> /etc/squid/squid.conf
 # c-icap integration
 icap_enable on
 icap_send_client_ip on
 icap_send_client_username on
 icap_client_username_header X-Authenticated-User
 # bypass=1 makes each service optional: if c-icap is down or returns an
 # error, Squid passes the request or response through UNSCANNED (fail-open).
 # Use bypass=0 if you would rather fail closed and return an error page.
 icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
 adaptation_access service_req allow all
 icap_service service_resp respmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
 adaptation_access service_resp allow all
 # end integration
 EOF


 # systemctl restart squid 


SquidGuard setup



 # yum install squidGuard -y


 # egrep -v "^#|^$" /etc/squid/squidGuard.conf
 dbhome /var/squidGuard/blacklists
 logdir /var/log/squidGuard
 time workhours {
     weekly mtwhf 08:00 - 16:30
     date *-*-01 08:00 - 16:30
 }
 rew dmz {
     s@://admin/@://admin.foo.bar.de/@i
     s@://foo.bar.de/@://www.foo.bar.de/@i
 }
 dest deny {
     domainlist deny/domains
     urllist deny/urls
 }
 acl {
     default {
         pass !deny all
         redirect http://admin.foo.bar.de/cgi/blocked?clientaddr=%a+clientname=%n+clientuser=%i+clientgroup=%s+targetgroup=%t+url=%u
     }
 }

Only the dest deny block and the default acl do any work here; the workhours time and dmz rewrite groups are leftovers from the packaged example and are never referenced. The redirect target admin.foo.bar.de is also an example hostname: point it at a page that really exists, for instance on the Apache instance set up later on this server, or blocked users get a DNS error instead of an explanation.


 # mkdir -p /var/squidGuard/blacklists/deny
 # cat /var/squidGuard/blacklists/deny/domains
 yahoo.co.in
 example.com
 # cat /var/squidGuard/blacklists/deny/urls
 #write URLs you'd like to prohibit to access
 http://www.yahoo.co.in
 http://www.sathish.com


 # chown -R squid. /var/squidGuard/blacklists/deny/
 # squidGuard -C all


 # ls -l /var/squidGuard/blacklists/deny/*.db
 -rw-r--r--. 1 root root 8192 Jul 19 22:09 /var/squidGuard/blacklists/deny/domains.db
 -rw-r--r--. 1 root root 8192 Jul 19 22:09 /var/squidGuard/blacklists/deny/urls.db
 # file /var/squidGuard/blacklists/deny/domains.db
 /var/squidGuard/blacklists/deny/domains.db: Berkeley DB (Btree, version 9, native byte-order)

Note that the .db files came out owned by root because squidGuard -C all ran after the chown. They are world-readable, so lookups work, but repeat the chown after every rebuild (and make /var/log/squidGuard writable by the squid user) or squidGuard, which Squid runs as its own user, cannot write its logs and falls into pass-through mode. squidGuard also does nothing until Squid is told to call it as a URL rewriter; add to /etc/squid/squid.conf:

 url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf

and restart squid.
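To see exactly which requests the deny lists above will catch, here is a small Squid URL-rewrite helper that applies squidGuard's two matching rules (a domainlist entry covers the domain and every subdomain; a urllist entry covers a URL and everything below its path) and expands the redirect template's %a %n %i %s %t %u placeholders. This is an added example written for this article, not squidGuard's code; the list contents are constructed copies of the deny/domains and deny/urls files shown above, the scheme-stripping of urllist entries and the percent-encoding of %u are assumptions made here, and the helper handles Squid's plain one-line-per-request protocol (no concurrency channel IDs).

```python
"""Squid URL-rewrite helper applying squidGuard-style deny lists (added example)."""
import re
import sys
from urllib.parse import quote, urlsplit

# Constructed copies of /var/squidGuard/blacklists/deny/{domains,urls} from
# this page. squidGuard's own urllists are written without a scheme; any
# scheme present is stripped below so both spellings work.
DENY_DOMAINS = ["yahoo.co.in", "example.com"]
DENY_URLS = ["http://www.yahoo.co.in", "http://www.sathish.com"]

# The redirect line from squidGuard.conf above (%a %n %i %s %t %u placeholders).
REDIRECT = ("http://admin.foo.bar.de/cgi/blocked?clientaddr=%a+clientname=%n"
            "+clientuser=%i+clientgroup=%s+targetgroup=%t+url=%u")


def _host_and_path(url):
    """Split a URL or list entry into (lower-cased host, path without query)."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), (parts.path or "/")


def domain_denied(url, domains=DENY_DOMAINS):
    """domainlist semantics: the domain itself and every subdomain match."""
    host, _ = _host_and_path(url)
    return any(host == d or host.endswith("." + d) for d in domains)


def url_denied(url, urls=DENY_URLS):
    """urllist semantics: same host, request path at or below the entry's path."""
    host, path = _host_and_path(url)
    for entry in urls:
        ehost, epath = _host_and_path(entry)
        if host != ehost:
            continue
        if epath == "/" or path == epath or path.startswith(epath.rstrip("/") + "/"):
            return True
    return False


def is_denied(url):
    return domain_denied(url) or url_denied(url)


def redirect_url(url, client_ip, client_name="-", ident="-",
                 source="default", target="deny"):
    """Expand the redirect template in one pass. %u is percent-encoded here
    (an assumption) so the blocked URL survives as a single query parameter."""
    subst = {"%a": client_ip, "%n": client_name, "%i": ident,
             "%s": source, "%t": target, "%u": quote(url, safe="")}
    return re.sub(r"%[anistu]", lambda m: subst[m.group(0)], REDIRECT)


def handle_line(line):
    """One request in Squid's url_rewrite_program format:
    'URL client_ip/fqdn ident method ...'. Reply '302:<url>' to redirect
    (the form squidGuard itself emits) or an empty line to pass unchanged."""
    fields = line.split()
    if not fields:
        return ""
    url = fields[0]
    ip, _, fqdn = (fields[1] if len(fields) > 1 else "-/-").partition("/")
    ident = fields[2] if len(fields) > 2 else "-"
    if is_denied(url):
        return "302:" + redirect_url(url, ip, fqdn or "-", ident)
    return ""


if __name__ == "__main__":
    # Squid keeps the helper running and writes one request line per lookup.
    for request in sys.stdin:
        sys.stdout.write(handle_line(request) + "\n")
        sys.stdout.flush()
```

Try it from a shell by piping request lines into it, e.g. echo "http://mail.yahoo.co.in/ 10.0.0.5/- - GET" | python3 helper.py; a denied request answers 302:http://admin.foo.bar.de/cgi/blocked?..., an allowed one answers an empty line. Note that notexample.com is not blocked by the example.com domain entry, which is the suffix rule doing its job.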


Dansguardian setup



 # rpm -ivh dansguardian-2.12.0.3-1.1.x86_64.rpm 


 # vi /etc/dansguardian/dansguardian.conf
 ...
 accessdeniedaddress = 'http://127.0.0.1/cgi-bin/dansguardian.pl'
 ...

Two things to check in the same file. First, Dansguardian sits in front of Squid: clients (or the firewall redirect) must point at its filterport (8080 by default), and proxyip/proxyport must name the Squid instance (127.0.0.1:3128 by default). Second, accessdeniedaddress is a URL the user's browser is redirected to, so 127.0.0.1 resolves to the client machine, not the proxy; use the proxy's real hostname and make sure the Apache instance set up below serves dansguardian.pl from its cgi-bin.


 # /etc/init.d/dansguardian start
 # chkconfig dansguardian on


Apache web server setup



 # yum install httpd 


 # systemctl enable httpd
 # systemctl start httpd


 # cp /srv/www/cgi-bin/clwarn.cgi* /var/www/cgi-bin/

clwarn.cgi is the warning page squidclamav redirects a user to when ClamAV flags an object; the redirect directive in /etc/squidclamav.conf must point at it on this host (the value in the packaged file is a placeholder hostname), otherwise blocked downloads end in a browser error instead of an explanation.


Health check



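A health check worth scripting rather than clicking through: ask c-icap directly whether the squidclamav service is up, then pull the EICAR test file through Squid and confirm it does not arrive intact. The ICAP OPTIONS probe matters because, with bypass=1 in squid.conf, a dead c-icap is invisible from the client side: pages simply load unscanned. This is an added example written for this article, not the author's script; it assumes the addresses configured above (c-icap on 127.0.0.1:1344, Squid on 127.0.0.1:3128), uses the EICAR URL the page downloads, and the sample OPTIONS reply embedded for offline testing is constructed, not captured from a real c-icap.

```python
"""Health check for the squid -> c-icap -> squidclamav -> clamd chain (added example)."""
import http.client
import socket

ICAP_HOST, ICAP_PORT, ICAP_SERVICE = "127.0.0.1", 1344, "squidclamav"
PROXY_HOST, PROXY_PORT = "127.0.0.1", 3128
EICAR_URL = "http://www.eicar.org/download/eicar.com"
# Substring of the EICAR test string: seeing it in a body means the file
# reached the client unscanned.
EICAR_MARKER = b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"

# Constructed sample of an ICAP OPTIONS reply, in the shape c-icap sends;
# used only to exercise the parser offline.
SAMPLE_OPTIONS_REPLY = (b"ICAP/1.0 200 OK\r\n"
                        b"Methods: RESPMOD, REQMOD\r\n"
                        b"Service: C-ICAP/0.3.5 server - SquidClamav/6.11\r\n"
                        b'ISTag: "healthcheck-sample"\r\n'
                        b"Encapsulated: null-body=0\r\n"
                        b"Preview: 1024\r\n\r\n")


def build_options_request(host, port, service):
    """ICAP OPTIONS request (RFC 3507) for one service, the same probe Squid
    sends when it brings an icap_service up."""
    return (f"OPTIONS icap://{host}:{port}/{service} ICAP/1.0\r\n"
            f"Host: {host}\r\n"
            "User-Agent: proxy-healthcheck/1.0\r\n"
            "Encapsulated: null-body=0\r\n\r\n").encode("ascii")


def parse_icap_response(data):
    """Return (status_code, {lower-cased header: value}) from an ICAP head."""
    head = data.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or parts[0] != "ICAP/1.0":
        raise ValueError("not an ICAP response: " + status_line)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers


def icap_options(host=ICAP_HOST, port=ICAP_PORT, service=ICAP_SERVICE, timeout=5):
    """Send OPTIONS and return the parsed reply; raises OSError if c-icap is
    unreachable, which is exactly the failure bypass=1 would hide."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_options_request(host, port, service))
        data = b""
        while b"\r\n\r\n" not in data:
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
    return parse_icap_response(data)


def proxy_fetch(url, proxy_host=PROXY_HOST, proxy_port=PROXY_PORT, timeout=30):
    """GET an absolute URL through the proxy without following redirects, so a
    302 to clwarn.cgi is reported as such."""
    conn = http.client.HTTPConnection(proxy_host, proxy_port, timeout=timeout)
    conn.request("GET", url, headers={"Host": url.split("/")[2]})
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    return resp.status, body


def classify(body):
    """'passed' if the test file reached the client intact, else 'blocked'."""
    return "passed" if EICAR_MARKER in body else "blocked"


def run_checks():
    """Return {'icap': bool, 'eicar': bool}; True means the check passed."""
    results = {}
    try:
        code, hdrs = icap_options()
        results["icap"] = code == 200 and "RESPMOD" in hdrs.get("methods", "")
    except OSError as exc:
        results["icap"] = False
        print("c-icap unreachable:", exc)
    try:
        status, body = proxy_fetch(EICAR_URL)
        results["eicar"] = classify(body) == "blocked"
        print("proxy answered HTTP", status)
    except OSError as exc:
        results["eicar"] = False
        print("proxy unreachable:", exc)
    return results


if __name__ == "__main__":
    for name, ok in run_checks().items():
        print(f"{name}: {'OK' if ok else 'FAIL'}")
```

Run it on the proxy after each configuration change and after signature updates; an "eicar: FAIL" with "icap: OK" usually means clamd itself is down or unreachable from squidclamav, since c-icap answers OPTIONS even when its scanning backend has gone away.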

Conclusion


This article shows that setting up a squid proxy server with ClamAV anti-virus scanning is a simple task that even a novice Linux/Unix administrator can handle.

By artemii

Source: https://habr.com/ru/post/307020/

