Generic Program Information

Installing Squid

Setting SquidClamav as Squid Icap service

Squid v3.x installation and configuration

To have full and stable icap support with Squid you must use the 3.x branch and configure squid with the following option:

        --enable-icap-client

I don't know what other options you are using but you have to add this one to your configure command. If you prefer to use distribution packaging you may already have it configured like this if you can install the c-icap package too.

If you don't know, run the following command an search for the configuration directive: --enable-icap-client

        /usr/local/squid/sbin/squid -v | grep "enable-icap-client"

If it is not enable you must reinstall Squid with this configuration option or install the additional packages.

Once you have it enabled, to integrate c-icap and SquidClamav to your squid cache just edit squid.conf and set the following directives.

Squid 3.4.x configuration

There are some configuration differences between 3.1.x and 3.4.x Squid version. Here are the directives I use for Squid 3.4.x:

        icap_enable on
        icap_send_client_ip on
        icap_send_client_username on
        icap_client_username_encode off
        icap_client_username_header X-Authenticated-User
        icap_preview_enable on
        icap_preview_size 1024
        icap_service service_avi_req reqmod_precache
        icap://localhost:1344/squidclamav bypass=off
        adaptation_access service_avi_req allow all
        icap_service service_avi_resp respmod_precache
        icap://localhost:1344/squidclamav bypass=on
        adaptation_access service_avi_resp allow all
    

If you don't know where to put them in squid.conf, just search for 'icap_.*' and add those configuration lines at the end of the icap section.

Squid 3.1.x configuration

There are some configuration differences between 3.1.x and 3.0.x Squid version. Here are the directives I use for Squid 3.1.x:

        icap_enable on
        icap_send_client_ip on
        icap_send_client_username on
        icap_client_username_encode off
        icap_client_username_header X-Authenticated-User
        icap_preview_enable on
        icap_preview_size 1024
        icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
        adaptation_access service_req allow all
        icap_service service_resp respmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
        adaptation_access service_resp allow all
    

If you don't know where to put them in squid.conf, just search for 'icap_.*' and add those configuration lines at the end of the icap section.

Here the bypass is set to 1, that means that in case of squidclamav problems squid will simply ignore the error and continue.

Squid 3.0.x configuration

For squid 3.0.x you must replace 'bypass=1' by '1' or 'bypass=0' by '0' and the access to the service is defined at a class level. Only the last four configuration lines change from version 3.1.x.

        icap_enable on
        icap_send_client_ip on
        icap_send_client_username on
        icap_client_username_encode off
        icap_client_username_header X-Authenticated-User
        icap_preview_enable on
        icap_preview_size 1024
        icap_service service_req reqmod_precache 1 icap://127.0.0.1:1344/squidclamav
        icap_service service_resp respmod_precache 1 icap://127.0.0.1:1344/squidclamav
        icap_class class_avreq service_req
        icap_class class_avresp service_resp
        icap_access class_avreq allow all
        icap_access class_avresp allow all
    

If you don't know where to put them in squid.conf, just search for 'icap_.*' and add those configuration lines at the end of the icap section.

Here the bypass is set to 1, that means that in case of squidclamav problems squid will simply ignore the error and continue.

What do that configuration directives do? They enable Squid's ICAP client and tell Squid to send the logged username and client's IP address to the ICAP server. They also enable preview for faster SquidClamav work. The last four lines define how to call the ICAP server. Here we call the squidclamav service on localhost and port 1344 (host and port can be changed). The bypass parameter set to 1 means that Squid will continue without bothering about ICAP server or SquidClamav failure. This is just like the old bridge mode in previous releases of SquidClamAV. I don't want users to be bored by a continuously error message if SquidClamav or c-icap produce errors or if there's an error in the configuration file. Users don't have to know about that, they want to surf and don't care about your problems :-) If you don't think like me, just set the bypass argument to 0 and Squid will return an error message in case of a failure.

Chained Url Checker

You can chained SquidClamav call to an Url checked like squidguard by setting the 'url_rewrite_program' squid.conf directive:

        url_rewrite_program /usr/bin/squidGuard
        url_rewrite_children 15
        url_rewrite_access allow all

Call of squidguard from SquidClamav is no longer supported.

C-icap server installation/configuration

If you don't have package solutions or encounter problems when installing SquidClamav I recommend you to install the c-icap server from source as following. You can download it from SourceForge at http://c-icap.sourceforge.net/. Choose version c-icap-0.3.2 or later versions, then run:

        ./configure --prefix=/usr/local/c-icap --enable-large-files
        make
        make install

Then, edit the file /usr/local/c-icap/etc/c-icap.conf. It contains a set of documented values that configure the c-icap server. To enable the support of SquidClamav just add the following line to the end of the file:

        Service squidclamav squidclamav.so

Don't care about the srv_clamav.* configuration directives, this will not break anything. SquidClamav doesn't use them but reads its own directives from the file /usr/local/etc/c-icap/squidclamav.conf.

You can disable the c-icap embedded modules by commenting out these lines:

        #Service url_check_module srv_url_check.so
        #Service antivirus_module srv_clamav.so

This will preserve some resources.

Following your installation you may need to create the /var/run/c-icap/ where c-icap server is writing pid and socket file.

You may also want to change the user/group owning c-icap's processes. By default the owner is the user/group who runs the program. I recommend you to change them to the same user/group running your Squid cache. For example:

        User proxy
        Group proxy

Of course you will need to change the owner of directory /var/run/c-icap/ and the directory of your server log. See the ServerLog directive to get the path. For me, I use the following commands to set the good rights on my installation:

        mkdir /var/run/c-icap/
        chown -R proxy:proxy /var/run/c-icap/
        chown -R proxy:proxy /usr/local/c-icap/

After that you can run the c-icap server as explained below.

SquidClamav installation/configuration

Installing SquidClamav requires that you already have installed the c-icap as explained above. You must provide the installation path of c-icap to the configure command as following:

        ./configure
        make
        make install

This will install the squidclamav.so library into the c-icap modules/services repository.

Note that if the c-icap installation does not save the c-icap-config program in a directory that can be found in your default path you will need to give the path to this program to squidclamav at configure time:

        ./configure --with-c-icap=/usr/local/c-icap/
        make && make install

Running c-icap server

Finally, you can run the c-icap server as root user:

        /usr/local/c-icap/bin/c-icap

or any other path to the binary. If you want to display debugging information on the terminal, the previous command should be executed with the following arguments:

        /usr/local/c-icap/bin/c-icap -N -D -d 10

The first argument -N prevents the c-icap server from forking into the background, the second argument -D enables the printing of messages to standard output, and the third argument -d 10 enables the printing of full debugging information.

Reloading configuration without restarting the c-icap server

To force SquidClamav to reread its configuration file after changes you can send the following command to the c-icap server

        echo -n "squidclamav:cfgreload" > /var/run/c-icap/c-icap.ctl

It will reread all its configuration directives and restart pipes to squidGuard. So if you make changes to squidGuard you must execute this command to activate them in SquidClamav.

Or to be sure that everything is really initialized or that you have made change to the c-icap configuration file you can run the following command:

        echo -n "reconfigure" > /var/run/c-icap/c-icap.ctl

The service will reread the config file without the need for stopping and restarting the c-icap server. The service will just be reinitialized.

Global configuration

Logging and debug are handled by the c-icap server. You can control them using the following c-icap.conf directives:

        ServerLog /usr/local/c-icap/var/log/server.log
        DebugLevel 0

Debug information is disable by default, do not enable it on production systems as it costs a lot of performances. The debug level can be set from 1 up to 3 for SquidClamav but can be up to 10 for c-icap. By setting

        DebugLevel 3

you will trace everything done by SquidClamav, this is useful for debugging purpose.

Clamd daemon

SquidClamav needs to know where to contact clamd, the ClamAV daemon, for on stream virus scanning.

        clamd_local /tmp/clamd
        #clamd_ip 192.168.1.5
        #clamd_port 3310

By default SquidClamav will contact clamd locally on the /tmp/clamd unix socket (clamd_local). If your clamd daemon uses INET socket or stays in a remote server, you have to set the IP address and the port with clamd_ip and clamd_port.

If you use INET socket the 'clamd_local' directive must be commented, or SquidClamav will always use the clamd_local directive.

Clamd failover

If you have multiple ClamAv servers, SquidClamav is able to do failover between them. You just have to set 'clamd_ip' to a list of IP addresses separated by a comma. Do not insert space characters in this list or it will break all. For example:

        clamd_ip 192.168.1.5,192.168.1.13,192.168.1.9
        clamd_port 3310
        timeout 1

You can set up to 5 clamd servers. The clamd port must be the same for all these servers as 'clamd_port' only accepts one single value.

SquidClamav will always connect to the first IP address available. If this fails it will try the next defined IP address after 1 second. When a connect can be established SquidClamav will reuse this last "working" IP address first to not slow down process the next time.

If you think 1 second is a low value, you can change the connect timeout by editing file squidclamav.conf and set the 'timeout' directive to a higher value. For example :

        timeout 2

Value must be set in seconds. Do not set it too high (< 5) or you can slow down everything.

Redirection

URL redirect

When a virus is detected SquidClamav needs to redirect the client to a warning page. The SquidClamav distribution contains a set of Perl CGI scripts with different languages that you can use. To specify this redirection you have to have to specify a redirect URL to the 'redirect' directive as follow:

        redirect http://proxy.samse.fr/cgi-bin/clwarn.cgi

Take a look in the cgi-bin directory to see all translations of this cgi script.

Squidclamav will pass the following parameters to this CGI:

        url=ORIGNAL_HTTP_REQUEST
        virus=NAME_OF_THE_VIRUS
        source=DOWNLOADER_IP_ADDRESS
        user=DOWNLOADER_IDENT

If this directive is disabled squidclamav will use c-icap error templates to report issues. See below.

Using c-icap template instead of redirect scripts

If the redirect directive is not set, SquidClamav will attempt to load a template up from disk and send this back to the user. By default this template is found at the following path:

        /usr/share/c_icap/templates/squidclamav/en/MALWARE_FOUND

Available format tokens are all of those available to the LogFormat directive of c-icap, plus an additional token:

        %mn - formatted name of the malware, as given by ClamAV.

Notice redirection into log file

To log every redirection enable the 'logredir' configuration directive:

        logredir 1

By default it is disabled as you can also log this information with the cgi-script or send an email.

Maximun file size scanned

The maxsize directive allows to disable virus scan completely for files bigger than the value in bytes. Default is 0, no size limit as you may want to control download size into squid.conf or clamd.

        maxsize 2M

If you want to abort virus scan after a certain amount of data you must take a look at the clamd configuration directive 'StreamMaxLength' that will close a stream when the given size is reached.

DNS lookup of client IP address

Directive dnslookup allow you to enable / disable DNS lookup of all client IP address. Default is enabled:

        dnslookup 1

to preserve backward compatibility. You should deactivate this feature if you don't use trustclient with hostname in the regexp or if you don't have a DNS on your network. Disabling it will also speed up squidclamav.

Multipart content

Clamd supports decoding email style multipart content and scan each part. Unless clamd receives a Content-Type header it can't know how to break up the multipart content and so it tries to scan the entire body as one file, even if parts are base64 encoded. Enabling the 'multipart' directive:

        multipart 0

will force detection of multipart content and sends a To: and Content-Type header to clamd before the rest of the body. Disabled by default for backward compatibility.

Safebrowsing

ClamAV 0.95 introduced support for Google Safe Browsing database. The database is packed inside a CVD file and distributed through our mirror network as safebrowsing.cvd. This feature is disabled by default on all clamav installations.

In order to enable this feature, you must first add "SafeBrowsing Yes" to freshclam.conf. There is no option in clamd.conf. If the engine finds Google Safe Browsing files in the database directory, ClamAV will enable safe browsing. To turn it off you need to update freshclam.conf and remove the safebrowsing files from the database directory before restarting clamd.

Then to enable this feature into SquidClamav you have to enable the following configuration directive.

safebrowsing

Enable / Disable Clamav Safe Browsing feature. You mus have enabled the corresponding behavior in clamd by enabling SafeBrowsing into freshclam.conf Enabling it will first make a safe browsing request to clamd and then the virus scan request.

Control virus scan

There is two scan mode to fully control squidclamav behavior. The first and historical mode is "ScanAllExcept" that scans everything by default. This mode can be controlled by directives: abort, abortcontent, whitelist, trustuser and trustclient.

        scan_mode ScanAllExcept

The second mode since squidclamav version 7 is "ScanNothingExcept" that will scan nothing but the content controlled by the scan, scancontent, blacklist, untrustuser and untrusted client.

        scan_mode ScanNothingExcept

Any other value for the scan_mode directive will force the "ScanAllExcept" mode. This guarantee the backward compatibility with older squidclamav version.

abort

The 'abort' directive will let you disable virus scanning at URL level (not chained program). When the URL matches the regex pattern, SquidClamav falls back to Squid immediately after the call to the chained program, if one is defined there.

For example:

        abort \.squid-cache\.org
        abort .*\.(png|gif|jpg)$
    

The first regexp will exclude any file hosted on domain squid-cache.org from virus scanning, the last one will exclude all PNG, GIF and JPEG image from scanning.

Only used in "ScanAllExcept" mode.

abortcontent

The 'abortcontent' directive allows you to exclude any file from virus scanning, whose Content-Type matches the regex pattern. This directive costs more time because SquidClamav needs to download the HTTP header for a file with a HEAD request. Note that some sites do not answer to HEAD requests so the content type will not be able to be retrieved so they will be scanned.

Example:

        abortcontent ^image\/.*$
        abortcontent ^video\/x-flv$
    

The first directive will complete the "abort .*\.(png|gif|jpg)$" previous directive to match dynamic image or with parameters at end. The second will allow your users to view streamed video instantly.

Only used in "ScanAllExcept" mode.

whitelist

The 'whitelist' configuration directive allows you to disable chained program and virus scan at URL level. When the given pattern matches the URL, SquidClamav falls back to Squid instantly.

For example:

        whitelist \.clamav\.net
    

will deliver any files from hosts on clamav.net domain directly.

You can also use a file containing all regex that might be whitelisted and provide the file name to the whitelist directive. Suppose that you have a file named /usr/local/c-icap/etc/sc_whitelist with the following content:

        \.clamav\.net
        \.darold\.net
    

then you just have to set whitelist in squidclamav.conf as follow:

        whitelist /usr/local/c-icap/etc/sc_whitelist
    

the file must contain only one regex per line and no extra character.

Only used in "ScanAllExcept" mode.

trustuser

The 'trustuser' directive allows you to disable chained program and virus scan when an ident matches the search pattern. On regex found SquidClamav falls back to Squid instantly. Of course you must have Squid authentication helper enabled.

For example:

        trustuser administrator
    

will let user logged as administrator to not be bored by chained program and virus scan.

Only used in "ScanAllExcept" mode.

trustclient

The 'trustclient' directive allows you to disable chained program and virus scan if the client source IP address or DNS name match the search pattern. The source IP address can be a single IP address or an address range following the given regex pattern.

For example:

        trustclient ^192\.168\.1\.1$
        trustclient ^192\.168\.1\..*$
        trustclient ^mypc\.domain\.dom$
    

The first and the last entry will disable chained program and virus scan for a single computer and the second will do for en entire class C network.

Only used in "ScanAllExcept" mode.

scan

The 'scan' directive will let you enable virus scanning at URL level.

For example:

        scan .*\.(doc|docx|pdf|xls)$
    

The regexp will force virus scanning for extensions .doc, .docx, .pdf and .xls.

Only used in "ScanNothingExcept" mode.

scancontent

The 'scancontent' directive allows you to force virus scanning for some files whose Content-Type matches the regex pattern. This directive costs more time because SquidClamav needs to download the HTTP header for a file with a HEAD request. Note that some sites do not answer to HEAD requests so the content type will not be able to be retrieved so they will be scanned.

Example:

        scancontent ^application\/.*$
    

Only used in "ScanNothingExcept" mode.

blacklist

The 'blacklist' configuration directive allows you to force virus scan at URL level.

For example:

        whitelist \.badsite\.com
    

will force scanning any files from hosts on badsite.com domain.

You can also use a file containing all regex that might be blacklisted and provide the file name to the blacklist directive. Suppose that you have a file named /usr/local/c-icap/etc/sc_blacklist with the following content:

        \.badsite\.com
        \.getyourvirus\.org
    

then you just have to set blacklist in squidclamav.conf as follow:

        blacklist /usr/local/c-icap/etc/sc_blacklist
    

the file must contain only one regex per line and no extra character.

Only used in "ScanNothingExcept" mode.

untrustuser

The 'untrustuser' directive allows you to force virus scan when an ident matches the search pattern. Of course you must have Squid authentication helper enabled.

For example:

        untrustuser fakeuser
    

Only used in "ScanNothingExcept" mode.

untrustclient

The 'untrustclient' directive allows you to force virus scan if the client source IP address or DNS name match the search pattern. The source IP can be a single IP address or an address range following the given regex pattern.

For example:

        untrustclient ^192\.168\.1\.1$
        untrustclient ^192\.168\.1\..*$
        untrustclient ^mypc\.domain\.dom$
    

The first and the last entry will force virus scan for a single computer and the second will do for en entire class C network.

Only used in "ScanNothingExcept" mode.

Libarchive support

Allow squidclamav to uncompress archives and filter according to user-defined rules before passing them to clamav. See directives bellow for more details.

enable_libarchive

Enable/disable use of libarchive by SquidClamav. Disabled by default. Note that if libarchive is not available on your server enabling this feature will have no effect. When libarchive headers are not present the code to support libarchive in squidclamav is not compiled.

ban_archive_entry

Block matching archive entries. For example: zip files containing threats such as ransomeware that are not yet detected by clamav or other antivirus software (typically 5KB zip files containing a cab file or a vbe script). Here is the value set in the configuration file if enabled:

    ban_archive_entry ^.*\.(ade|adp|app|asd|asf|asx|bas|bat|cab|chm|cmd|com|cpl|crt|dll|exe|fxp|hlp|hta|hto|inf|ini|ins|isp|jse?|lib|lnk|mdb|mde|msc|msi|msp|mst|ocx|pcd|pif|prg|reg|scr|sct|sh|shb|shs|sys|url|vb|vbe|vbs|vcs|vxd|wmd|wms|wmz|wsc|wsf|wsh)$
    

ban_max_entries

Maximum number of entries in an archive in order to block it if there's at least one match. Archives with more than ban_max_entries will not be blocked even if there are matches. A value of 0 (or commented) will ignore the number of entries in an archive. Suggested value: 1.

ban_max_matched_entries

Maximum number of matched entries in an archive in order to block it. Archives with more than ban_max_matched_entries matches will not be blocked. A value of 0 (or commented) will ban an archive when there's at least one entry match. Suggested value: 1.

banmaxsize

Maximum size of an archive that may be opened. Any file bigger that this value will not be scanned. Suggested value: 2M.

recoverpath

Path where banned archives are stored (libarchive). Hard-coded file format:

    banned_USERNAME_CLIENTIP_UNIXTIME_RAND(99).FILEEXTENSION
    

USERNAME and CLIENTIP are available when enabling icap_send_client_ip and icap_send_client_username in squid.conf. Check clwarn.cgi example to see how you can retrieve the file name and serve it via http.

recovervirus

Enable if virus files should also be copied to recoverpath. Hard-coded file format:

    virus_USERNAME_CLIENTIP_UNIXTIME_RAND(99).FILEEXTENSION
    

Otherwise only archives containing ban_archive_entry matches will be copied.

Testing SquidClamav

Performance

If you experience Squid "ICAP protocol error" (with bypass enabled) please consider increasing the following c-icp parameters: StartServers, MaxServers, MinSpareThreads, MaxSpareThreads, ThreadsPerChild. Increasing MaxThreads parameter in clamd.conf may also help.