Cisco-Talos / clamav

ClamAV - Documentation is here: https://docs.clamav.net
https://www.clamav.net/
GNU General Public License v2.0

HTTP Proxy for freshclam: avoid secrets in freshclam.conf and respect environment variable HTTP_PROXY #1382

Open rriemann opened 1 month ago

rriemann commented 1 month ago

Problem Description

For a small project, my organisation runs clamav as a simple ICAP API in a restricted environment with no internet. We can, though, access the internet through a web proxy with the appropriate credentials.

As we deploy clamav+freshclam in kubernetes, we struggle to pass through the secret for the web proxy from the HashiCorp Vault part of the kubernetes environment made available as an environment variable to the /etc/clamav/freshclam.conf file.

Kubernetes does not permit environment variable interpolation in ConfigMaps holding the freshclam.conf. Putting the secret in the container image is an anti-pattern. As a workaround, I can only imagine doing some sed whenever the container boots, but this would introduce unnecessary race conditions.

Possible Solution

Ideally, freshclam would respect the proxy configuration found in the HTTP_PROXY and/or HTTPS_PROXY environment variables, like many other applications do. Only if these are not set would it use the values from freshclam.conf.

Example of curl: https://everything.curl.dev/usingcurl/proxies/env.html

micahsnyder commented 1 month ago

@rriemann I agree we should be able to set the http proxy username, password, and port through environment variables rather than relying on HTTPProxyUsername, HTTPProxyPassword, and HTTPProxyPort in freshclam.conf. I'm a little surprised we don't have this already, at least for password.

We do have environment variables for freshclam client authentication with a certificate. From freshclam --help:
Environment Variables:

  CURL_CA_BUNDLE                         May be set to the path of a file (bundle)
                                         containing one or more CA certificates.
                                         This will override the default openssl
                                         certificate path.

  FRESHCLAM_CLIENT_CERT                  May be set to the path of a file (PEM)
                                         containing the client certificate.
                                         This may be used for client authentication
                                         to a private mirror.
  FRESHCLAM_CLIENT_KEY                   May be set to the path of a file (PEM)
                                         containing the client private key.
                                         This is required if FRESHCLAM_CLIENT_CERT is set.
  FRESHCLAM_CLIENT_KEY_PASSWD            May be set to a password for the client key PEM file.
                                         This is required if FRESHCLAM_CLIENT_KEY is
                                         set and the PEM file is password protected.

I wonder if you can use this for certificate-based authentication with your proxy.

rriemann commented 1 month ago

Unfortunately, we have zero flexibility on the proxy. It is managed by a partner on which we have no influence.

In the meantime, I came up with this poor programmer's workaround:

I add this line to the /init entrypoint file in the docker container:

echo "$(envsubst < /etc/clamav/freshclam.conf)" > /etc/clamav/freshclam.conf

I can put $PROXY_PASS in the file and it will be replaced. Of course, support for a proper http_proxy environment variable is cleaner. :)

My Containerfile:

# VERSION must be supplied at build time, e.g. --build-arg VERSION=<tag>;
# an ARG declared before FROM is required for $VERSION to expand there.
ARG VERSION
FROM clamav/clamav:$VERSION

# gettext provides envsubst
RUN apk add --no-cache gettext
# insert the envsubst rendering step at line 12 of the image's /init entrypoint
RUN sed -i '12iecho "$(envsubst < /etc/clamav/freshclam.conf)" > /etc/clamav/freshclam.conf' /init

micahsnyder commented 1 month ago
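The entrypoint rendering step above substitutes placeholders into freshclam.conf with envsubst. An alternative that matches the behaviour requested in the issue, derive the HTTPProxyServer/HTTPProxyPort/HTTPProxyUsername/HTTPProxyPassword directives from an HTTP_PROXY-style URL and let the environment take precedence over the file, can be done in plain POSIX sh. The script below is an added example and not ClamAV project code; the template path, the output path and the sample proxy values are assumptions, and it assumes the URL form `[scheme://][user[:password]@]host[:port]` with a non-percent-encoded password and a non-IPv6 host.

```shell
#!/bin/sh
# Added example, not ClamAV project code: derive the freshclam.conf proxy
# directives from an HTTP_PROXY-style URL at container start and render the
# config atomically, so the credential lives only in the environment (e.g.
# injected from Vault) and never in the image or a ConfigMap.
#
# Assumed URL form: [scheme://][user[:password]@]host[:port][/...]
# Credentials are assumed not to be percent-encoded; host is not IPv6.

# proxy_directives URL
# Prints the freshclam.conf lines for the proxy described by URL.
proxy_directives() {
    url=$1
    rest=${url#*://}                 # drop scheme if present
    case "$rest" in
        *@*) cred=${rest%@*}; hostport=${rest##*@} ;;   # split on last '@'
        *)   cred=""; hostport=$rest ;;
    esac
    hostport=${hostport%%/*}         # drop any path component
    case "$hostport" in
        *:*) host=${hostport%%:*}; port=${hostport##*:} ;;
        *)   host=$hostport; port="" ;;
    esac
    user=""; pass=""
    case "$cred" in
        "")  ;;
        *:*) user=${cred%%:*}; pass=${cred#*:} ;;        # split on first ':'
        *)   user=$cred ;;
    esac
    [ -n "$host" ] || return 1       # refuse to emit a server-less block
    printf 'HTTPProxyServer %s\n' "$host"
    [ -n "$port" ] && printf 'HTTPProxyPort %s\n' "$port"
    [ -n "$user" ] && printf 'HTTPProxyUsername %s\n' "$user"
    [ -n "$pass" ] && printf 'HTTPProxyPassword %s\n' "$pass"
    return 0
}

# render_freshclam_conf TEMPLATE OUT
# Copies TEMPLATE to OUT with any static HTTPProxy* lines removed, then
# appends directives derived from HTTPS_PROXY/HTTP_PROXY (upper- or
# lower-case; the environment wins over the file). Written to a temp file
# and renamed, so a freshclam starting concurrently never reads a
# half-written file.
render_freshclam_conf() {
    template=$1
    out=$2
    proxy_url=${HTTPS_PROXY:-${https_proxy:-${HTTP_PROXY:-${http_proxy:-}}}}
    tmp="$out.tmp.$$"
    if [ -n "$proxy_url" ]; then
        sed '/^HTTPProxy/d' "$template" > "$tmp"
        proxy_directives "$proxy_url" >> "$tmp"
    else
        cat "$template" > "$tmp"
    fi
    chmod 0600 "$tmp"                # the file now holds a password
    mv -f "$tmp" "$out"
}

# Entrypoint usage (assumed paths), run once before freshclam starts:
#   render_freshclam_conf /etc/clamav/freshclam.conf.tmpl /etc/clamav/freshclam.conf
```

Because the rendered file is written from a template rather than rewritten in place, repeated container restarts are idempotent and the proxy password is only ever present in a mode 0600 file that is regenerated on each boot. If you keep the envsubst approach instead, passing envsubst its optional SHELL-FORMAT argument (for example `envsubst '$PROXY_PASS'`) limits substitution to the named variables, so other `$` sequences in the config are left untouched.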

Note for future dev: this also relates to / is supporting the need for #841