darold / squidclamav

SquidClamAv is a dedicated ClamAV antivirus redirector for Squid. It can run antivirus checks based on filename regex, content-type regex, and more. It is easy to install and works even with heavy Squid access.
http://squidclamav.darold.net/

c-icap and squidclam integration #56

Closed RomanSilinenko closed 2 years ago

RomanSilinenko commented 4 years ago

Hello colleagues. I really need some help with config. Till now, I've managed to launch c-icap and squidclamav together and it detects EICAR if I feed it as an input file:

```
root@kali:/var/run# clamdscan --stream /home/kali/eicar.com
/home/kali/eicar.com: Eicar-Test-Signature FOUND
```

But if I try to feed it a URL, nothing happens:

```
root@kali:/var/run# c-icap-client -d 2 -resp https://www.eicar.org/download/eicar.com -i 192.168.95.125 -s squidclamav -no204 -v
ICAP server:192.168.95.125, ip:192.168.95.125, port:1344

ICAP HEADERS:
    ICAP/1.0 200 OK
    Server: C-ICAP/0.5.3
    Connection: keep-alive
    ISTag: CI0001-1-squidclamav-10
    Encapsulated: res-hdr=0, null-body=177

RESPMOD HEADERS:
    HTTP/1.0 200 OK
    Date: Fri Jan 24 20:09:11 2020
    Last-Modified: Fri Jan 24 20:09:11 2020
    Content-Length: 0
    Via: ICAP/1.0 kali (C-ICAP/0.5.3 SquidClamav/Antivirus service )
Done
```

c-icap/server.log with Debug level set to 3 gives this:

```
Fri Jan 24 20:09:11 2020, 5244/2655110912, squidclamav.c(302) squidclamav_init_request_data: Fri Jan 24 20:09:11 2020, 5244/2655110912, DEBUG initializing request data handler.
Fri Jan 24 20:09:11 2020, 5244/2655110912, squidclamav.c(329) squidclamav_release_request_data: Fri Jan 24 20:09:11 2020, 5244/2655110912, DEBUG Releasing request data.
Fri Jan 24 20:09:11 2020, 5244/2655110912, squidclamav.c(302) squidclamav_init_request_data: Fri Jan 24 20:09:11 2020, 5244/2655110912, DEBUG initializing request data handler.
Fri Jan 24 20:09:11 2020, 5244/2655110912, squidclamav.c(358) squidclamav_check_preview_handler: Fri Jan 24 20:09:11 2020, 5244/2655110912, DEBUG processing preview header.
Fri Jan 24 20:09:11 2020, 5244/2655110912, squidclamav.c(1761) extract_http_info: Fri Jan 24 20:09:11 2020, 5244/2655110912, DEBUG method GET
Fri Jan 24 20:09:11 2020, 5244/2655110912, squidclamav.c(1772) extract_http_info: Fri Jan 24 20:09:11 2020, 5244/2655110912, DEBUG url https://www.eicar.org/download/eicar.com
Fri Jan 24 20:09:11 2020, 5244/2655110912, squidclamav.c(437) squidclamav_check_preview_handler: Fri Jan 24 20:09:11 2020, 5244/2655110912, DEBUG URL requested: https://www.eicar.org/download/eicar.com
Fri Jan 24 20:09:11 2020, 5244/2655110912, squidclamav.c(469) squidclamav_check_preview_handler: Fri Jan 24 20:09:11 2020, 5244/2655110912, ERROR clientip is null, you must set 'icap_send_client_ip on' into squid.conf
Fri Jan 24 20:09:11 2020, 5244/2655110912, squidclamav.c(526) squidclamav_check_preview_handler: Fri Jan 24 20:09:11 2020, 5244/2655110912, DEBUG No body data, allow 204
Fri Jan 24 20:09:11 2020, 5244/2655110912, squidclamav.c(673) squidclamav_end_of_data_handler: Fri Jan 24 20:09:11 2020, 5244/2655110912, DEBUG ending request data handler.
Fri Jan 24 20:09:11 2020, 5244/2655110912, squidclamav.c(329) squidclamav_release_request_data: Fri Jan 24 20:09:11 2020, 5244/2655110912, DEBUG Releasing request data.
```

What do these error messages mean?

yvoinov commented 4 years ago

Did you read this?

https://wiki.squid-cache.org/ConfigExamples/ContentAdaptation/C-ICAP

RomanSilinenko commented 4 years ago

Yup. Doesn't tell much to me. Are these errors in the log output just informative, or are they stopping the scan process?

yvoinov commented 4 years ago

Seems like a misconfiguration. ClamAV can't get the content body from the host.

Need to dig more into the full setup config.

darold commented 4 years ago

Hi,

Looks like the error message is explicit: `ERROR clientip is null, you must set 'icap_send_client_ip on' into squid.conf`. I don't know what to amend to be more clear.

@RomanSilinenko what is the value of the icap_send_client_ip directive in your squid.conf file?

yvoinov commented 4 years ago

I've observed this error message even on my working servers with correct configuration. Not sure this is relevant.

darold commented 4 years ago

Maybe it is generated because the `c-icap-client -d` command is not sending the client IP like Squid can do; in this case I agree it is not relevant.

darold commented 4 years ago

After some thought, I think that it could probably be good to not throw an error and go on without the client IP. This will disable some rules but at least the test will not stop on error. @RomanSilinenko for the moment your test must be done through your Squid proxy, not directly to the ICAP server.
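The header this part of the thread is about, as an added example (not part of the thread and not squidclamav or c-icap code): with `icap_send_client_ip on`, Squid adds an `X-Client-IP` ICAP header to each request, and a hand-built RESPMOD message (RFC 3507) can carry it as well. The client address, URL and body are constructed sample values; a request built with no body is declared `null-body`.

```python
"""Build an ICAP RESPMOD request (RFC 3507) with or without X-Client-IP."""

SAMPLE_BODY = b"constructed test payload, not a real signature\n"


def chunked(body: bytes) -> bytes:
    """Chunked transfer encoding, required for ICAP-encapsulated bodies."""
    return b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body)


def build_respmod(icap_host, service, url, body, client_ip=None) -> bytes:
    """Return the raw RESPMOD request for `url` carrying `body`."""
    req_hdr = f"GET {url} HTTP/1.1\r\n\r\n".encode()
    res_hdr = (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: application/octet-stream\r\n"
        f"Content-Length: {len(body)}\r\n\r\n"
    ).encode()
    # Offsets are counted from the first byte after the ICAP header block.
    off_res = len(req_hdr)
    off_body = off_res + len(res_hdr)
    body_key = "res-body" if body else "null-body"
    icap = [
        f"RESPMOD icap://{icap_host}:1344/{service} ICAP/1.0",
        f"Host: {icap_host}",
        "Allow: 204",
    ]
    if client_ip:
        # The header Squid sends when icap_send_client_ip is on.
        icap.append(f"X-Client-IP: {client_ip}")
    icap.append(f"Encapsulated: req-hdr=0, res-hdr={off_res}, {body_key}={off_body}")
    head = ("\r\n".join(icap) + "\r\n\r\n").encode()
    return head + req_hdr + res_hdr + (chunked(body) if body else b"")


def icap_headers(raw: bytes) -> dict:
    """Parse the ICAP header block (not the encapsulated HTTP headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode()
    return dict(line.split(": ", 1) for line in head.split("\r\n")[1:])


def encapsulated(raw: bytes) -> dict:
    """Map each Encapsulated section name to the bytes found at its offset."""
    payload = raw.split(b"\r\n\r\n", 1)[1]
    parts = icap_headers(raw)["Encapsulated"].split(", ")
    return {k: payload[int(v):] for k, v in (p.split("=") for p in parts)}
```

Writing the result of `build_respmod(...)` to a TCP socket on port 1344 and comparing the server log with and without `client_ip` shows whether the `clientip is null` line depends on that header alone.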

ameti commented 3 years ago

Hi. I am trying to build a Docker container with squidclamav. I install squid3 and c-icap via apt. I also get this error: `squidclamav.c(469) squidclamav_check_preview_handler: ERROR clientip is null, you must set 'icap_send_client_ip on' into squid.conf`, even though the squid.conf contains:

```
icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_header X-Authenticated-User
icap_preview_enable on
icap_preview_size 1024
icap_service service_avi_req reqmod_precache icap://localhost:1344/squidclamav bypass=on
adaptation_access service_avi_req allow all
icap_service service_avi_resp respmod_precache icap://localhost:1344/squidclamav bypass=off
adaptation_access service_avi_resp allow all
```

I tried restarting many times but without success. Any idea what could be wrong?

darold commented 3 years ago

Maybe you are not loading the right squid.conf file?

ameti commented 3 years ago

You are probably right, because I tried to not install squid3 at all and the build works, but I get the same error (clientip). However, when I install squid (version 3.5.23), the /etc/init.d/squid starts the correct config: `CONFIG=/etc/squid/squid.conf`. Is there a way to tell squidclamav to use that config?

```
Wed Sep  1 13:07:49 2021, 1514/779040512, squidclamav.c(437) squidclamav_check_preview_handler: Wed Sep  1 13:07:49 2021, 1514/779040512, DEBUG URL requested: /test
Wed Sep  1 13:07:49 2021, 1514/779040512, squidclamav.c(469) squidclamav_check_preview_handler: Wed Sep  1 13:07:49 2021, 1514/779040512, ERROR clientip is null, you must set 'icap_send_client_ip on' into squid.conf
Wed Sep  1 13:07:49 2021, 1514/779040512, squidclamav.c(551) squidclamav_check_preview_handler: Wed Sep  1 13:07:49 2021, 1514/779040512, DEBUG Can not begin to scan url: No preview data.
Wed Sep  1 13:07:49 2021, 1514/779040512, squidclamav.c(567) squidclamav_check_preview_handler: Wed Sep  1 13:07:49 2021, 1514/779040512, DEBUG End of method squidclamav_check_preview_handler
Wed Sep  1 13:07:49 2021, 1514/779040512, Error parsing chunks!
Wed Sep  1 13:07:49 2021, 1514/779040512, squidclamav.c(329) squidclamav_release_request_data: Wed Sep  1 13:07:49 2021, 1514/779040512, DEBUG Releasing request data.
```