Open pomverte opened 3 years ago
What happens when you change the :80 to :443?
That would be awesome!
Is there a way to configure the port freshclam is making the call on?
To your proxy? In the FreshClam.conf file?
I suppose the example config doesn't show it, but you have some options to customize the DatabaseMirror URL.
Some examples:
For a basic HTTPS connection on port 443
DatabaseMirror yourserver
For a HTTP connection on port 8000
DatabaseMirror http://yourserver:8000
For a HTTP connection on port 8000 with a subdirectory
DatabaseMirror http://yourserver:8000/somepath
But these are just for a regular mirror. You say there's a proxy between you and the mirror. FreshClam has some proxy config options as well. Some examples for how to use it can be found in the sample config: https://github.com/Cisco-Talos/clamav/blob/dev/0.104/etc/freshclam.conf.sample#L120
Let me restate the observed and annoying behaviour. It is mainly due to the fact that even when trying to reach a mirror with http (not https), freshclam tries to use a CONNECT verb with the proxy, which is really uncommon.
Example with an expected behaviour:
# freshclam.conf
HTTPProxyServer myproxyserver.com
HTTPProxyPort 1234
HTTPProxyUsername myusername
HTTPProxyPassword mypass
In this case freshclam will issue a CONNECT verb to the proxy in order to reach the public mirrors (on port 443 I guess), which totally makes sense.
Example with an unexpected behaviour:
# freshclam.conf
HTTPProxyServer myproxyserver.com
HTTPProxyPort 1234
HTTPProxyUsername myusername
HTTPProxyPassword mypass
PrivateMirror machine1.mylan
DatabaseMirror machine1.mylan
In this case freshclam still issues a CONNECT verb to the proxy even when trying to reach the internal mirror (machine1.mylan) on port 80, which is very unusual.
This is an issue because then the (e.g. squid) proxy opens a tunnel and won't apply any more filtering once the tunnel is open. Here is the issue: https://github.com/Cisco-Talos/clamav/blob/main/libfreshclam/libfreshclam_internal.c#L706
I've noticed that calling freshclam -v on a shell w/ http_proxy/https_proxy environment variables works, so I've removed the HTTPProxyServer and HTTPProxyPort from the config and added a systemd dropin (/etc/systemd/system/clamav-freshclam.service.d/10-Proxy.conf):
[Service]
Environment=http_proxy=<host>:<port>
Environment=https_proxy=<host>:<port>
After systemd daemon-reload and systemd restart clamav-freshclam everything works :tada:
Hello,
I have run into this same issue. Even when defining DatabaseMirror as http://database.clamav.net the request keeps going through the proxy using CONNECT. I think this is caused because when freshclam sees that the HTTPProxy parameters are set it applies the CURLOPT_HTTPPROXYTUNNEL option, which forces the request to be sent using tunneling (https://curl.se/libcurl/c/CURLOPT_HTTPPROXYTUNNEL.html).
So for now the only option to be able to actually cache the database files is to comment out the HTTPProxy parameters from freshclam.conf and set the http_proxy and https_proxy environment variables before calling the freshclam script, as @morph027 suggested.
Describe the bug
Our freshclam process is trying to update the signature through a mirror server.
The connection must go through a proxy.
freshclam seems to make an HTTP call with the verb CONNECT on port 80.
However, the proxy only allows CONNECT calls on port 443.
Is it possible to configure the port?
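
An added example, not part of the original thread or the ClamAV project: a Python audit of Squid access.log lines (native log format) that lists CONNECT requests to ports other than 443, the pattern this issue describes, and whether the proxy denied or tunnelled them. The log lines, client addresses and the 443-only policy are constructed assumptions.

```python
# Added example: audit Squid access.log for CONNECT tunnels to non-TLS ports.
# Constructed sample, Squid native format:
# time elapsed client result/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1700000000.101 45 10.0.0.5 TCP_TUNNEL/200 3120 CONNECT database.clamav.net:443 - HIER_DIRECT/198.51.100.7 -
1700000001.202 12 10.0.0.5 TCP_DENIED/403 3900 CONNECT machine1.mylan:80 - HIER_NONE/- text/html
1700000002.303 80 10.0.0.6 TCP_MISS/200 51200 GET http://machine1.mylan/daily.cvd - HIER_DIRECT/10.0.0.9 application/octet-stream
1700000003.404 30 10.0.0.5 TCP_TUNNEL/200 88000 CONNECT machine1.mylan:80 - HIER_DIRECT/10.0.0.9 -
garbage line
"""

TLS_PORTS = {443}  # assumption: the only port the proxy policy allows for CONNECT


def parse_line(line):
    """Return a dict for one native-format line, or None if it is malformed."""
    f = line.split()
    if len(f) < 7 or "/" not in f[3]:
        return None
    result, _, status = f[3].partition("/")
    return {"client": f[2], "result": result, "status": status,
            "method": f[5], "url": f[6]}


def connect_port(url):
    """CONNECT targets are logged as host:port; return the port or None."""
    _, sep, port = url.rpartition(":")
    return int(port) if sep and port.isdigit() else None


def audit(log_text, tls_ports=TLS_PORTS):
    """List (client, target, outcome) for CONNECTs to ports outside tls_ports."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "CONNECT":
            continue
        port = connect_port(rec["url"])
        if port is None or port in tls_ports:
            continue
        if rec["result"].endswith("DENIED"):
            outcome = "denied"          # proxy ACL refused the tunnel
        elif rec["status"] == "200":
            outcome = "tunnelled"       # opaque tunnel: no caching or filtering
        else:
            outcome = "other"
        findings.append((rec["client"], rec["url"], outcome))
    return findings


if __name__ == "__main__":
    for client, target, outcome in audit(SAMPLE_LOG):
        print(f"{client} CONNECT {target} -> {outcome}")
```

A "tunnelled" finding for a plain-HTTP mirror means the database download bypassed the proxy's cache and content filtering; a "denied" finding matches the failed update reported in this issue.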