Feature #1959

Feature #1774: Web content filter

Proxy: add web antivirus filter

Added by Giacomo Sanchietti about 8 years ago. Updated about 8 years ago.

Status: CLOSED
Start date:
Priority: Normal
Due date:
Assignee: -
% Done: 100%
Category: nethserver-squidclamav
Target version: v6.4-beta2
Resolution:
NEEDINFO: No

Description

Implement content filter using an antivirus.

Best candidate is SquidClamav using icap protocol.
Packages (for Fedora) available here: http://oliverseeburger.de/repo/fedora_17/x86_64/extras_seeburger/packages/

QA1959-rpms.txt - Installed RPMs (886 Bytes) Davide Principi, 07/24/2013 02:42 PM

Associated revisions

Revision c07df861
Added by Giacomo Sanchietti about 8 years ago

First import. Refs #1959

Revision 31dc9c3f
Added by Giacomo Sanchietti about 8 years ago

First import. Refs #1959

Revision 49a20bb6
Added by Giacomo Sanchietti about 8 years ago

First import. Refs #1959

Revision 9a4fdfeb
Added by Giacomo Sanchietti about 8 years ago

spec: move cgi to /var/www/cgi-bin directory. Refs #1959

Revision 25615a5e
Added by Giacomo Sanchietti about 8 years ago

First import. Refs #1959

Revision 49813f06
Added by Giacomo Sanchietti about 8 years ago

Update templates and createlinks. Refs #1959

Revision f17584db
Added by Giacomo Sanchietti about 8 years ago

squidclamav.conf template: update redirect path. Refs #1959

Revision 8f51dda0
Added by Giacomo Sanchietti about 8 years ago

c-icap-conf and db defaults: change DebugLevel default to 0. Refs #1959

Revision 8e7ff1cf
Added by Giacomo Sanchietti about 8 years ago

web ui: add ui to enable/disable antivirus. Refs #1959

Revision d0671985
Added by Giacomo Sanchietti about 8 years ago

Add support for downloaded blacklists. Refs #1959

Revision d79935c4
Added by Giacomo Sanchietti about 8 years ago

spec: requires nethserver-httpd. Refs #1959

Revision 94494eb2
Added by Giacomo Sanchietti about 8 years ago

createlinks, templates: added /etc/sysconfig/c-icap template to avoid zombie processes. Refs #1959

Revision 32307364
Added by Giacomo Sanchietti about 8 years ago

c-icap.conf templates.metadata: change permission and owner. Refs #1959

Revision 044205c7
Added by Giacomo Sanchietti about 8 years ago

squid.conf templates.metadata: change permission and owner. Refs #1959

Revision 84333bc3
Added by Giacomo Sanchietti about 8 years ago

db defaults: set default status to disabled. Refs #1959

Revision 398cbecd
Added by Giacomo Sanchietti about 8 years ago

spec: add nethserver-squid dependency, fix typo in nethserver-httpd requires. Refs #1959

Revision facfa071
Added by Giacomo Sanchietti about 8 years ago

web ui: move antivirus proxy configuration to nethserver-squidclamav package. Refs #1959

Revision 05fe1a35
Added by Giacomo Sanchietti about 8 years ago

web ui: move antivirus proxy configuration from nethserver-antivirus package. Refs #1959

History

#1 Updated by Giacomo Sanchietti about 8 years ago

  • Target version set to v6.4-beta2

#2 Updated by Giacomo Sanchietti about 8 years ago

  • Status changed from NEW to ON_DEV
  • Assignee set to Giacomo Sanchietti
  • % Done changed from 0 to 30
  • NEEDINFO set to No

Implemented using c-icap and squidclamav.

Packages:

#3 Updated by Giacomo Sanchietti about 8 years ago

  • Status changed from ON_DEV to MODIFIED
  • % Done changed from 30 to 70

All stack implemented.

#4 Updated by Giacomo Sanchietti about 8 years ago

  • Status changed from MODIFIED to ON_QA
  • % Done changed from 70 to 80
Released rpms in testing:
  • squidclamav-6.10-1
  • nethserver-squidclamav-1.0.0
  • nethserver-c-icap-1.0.0
  • c-icap-0.2.5

To test the antivirus filter.
1) Install the software: yum --enablerepo=nethserver-testing install nethserver-squidclamav
2) Enable squid from web interface
3) Open one eicar test file from http://www.eicar.org/85-0-Download.html and verify the download is blocked

#6 Updated by Davide Principi about 8 years ago

  • Assignee deleted (Giacomo Sanchietti)

ON_QA: Assignee reset

#7 Updated by Davide Principi about 8 years ago

  • Assignee set to Davide Principi

#8 Updated by Davide Principi about 8 years ago

  • File QA1959-rpms.txt added
  • Status changed from ON_QA to ON_DEV
  • % Done changed from 80 to 30

Verification FAILED

Summary

the c-icap daemon does not start after installation

Description

  • After installation I've enabled Squid (Manual) from UI => Save
  • c-icap daemon didn't start

The EICAR data was not blocked:

curl -L -x davidep2.vboxnet0.tld:3128 http://www.eicar.org/download/eicar.com
X5O!P%[...]AR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

To work around the problem in "Proxy web" module / Antivirus
  • Set "disabled" => Save
  • Set "enabled" again => Save

c-icap starts and the EICAR test is blocked.

#9 Updated by Davide Principi about 8 years ago

  • Assignee deleted (Davide Principi)

#10 Updated by Davide Principi about 8 years ago

Davide Principi wrote:

To work around the problem in "Proxy web" module / Antivirus
  • Set "disabled" => Save
  • Set "enabled" again => Save

When starting the c-icap daemon from httpd-admin, a zombie adjust-services process prevents signal-event from completing. This resembles Dovecot's case #1232.

To fix c-icap startup I suggest closing output descriptors in /etc/sysconfig/c-icap:

OPTIONS="&>/dev/null " 

c-icap starts and the EICAR test is blocked.

I confess I started it from a Bash shell..

#11 Updated by Davide Principi about 8 years ago

rpm -V noticed that /etc/squid/squid.conf and /etc/c-icap/c-icap.conf have permissions and owner modified after they've been expanded from template.

Original settings from RPMs

  # ll /etc/c-icap/c-icap.conf
-rw-r-----. 1 root c-icap 19280 May 30 13:56 /etc/c-icap/c-icap.conf

  # ll /etc/squid/squid.conf
-rw-r-----. 1 root squid 2315 May 21 12:55 /etc/squid/squid.conf

After template expansions owner is root and permissions are 0644.
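
The drift reported in this comment can be caught after each template expansion with a small audit. This is an added example, not part of the ticket or of NethServer: the function names are made up here, the expected mode, owner and group are the packaged values quoted above, and GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example: compare a config file's mode/owner/group with the packaged values.

# check_conf FILE MODE OWNER GROUP
# Prints a one-line verdict; returns 0 = ok, 1 = drift, 2 = file missing.
check_conf() {
    file=$1; want_mode=$2; want_owner=$3; want_group=$4
    if [ ! -e "$file" ]; then
        echo "missing: $file"
        return 2
    fi
    # GNU stat: %a = octal mode, %U = owner name, %G = group name
    actual=$(stat -c '%a %U %G' "$file") || return 2
    expected="$want_mode $want_owner $want_group"
    if [ "$actual" = "$expected" ]; then
        echo "ok: $file ($actual)"
        return 0
    fi
    echo "drift: $file is '$actual', expected '$expected'"
    return 1
}

# Expected values are the "Original settings from RPMs" listed in the comment.
audit_proxy_confs() {
    rc=0
    check_conf /etc/c-icap/c-icap.conf 640 root c-icap || rc=1
    check_conf /etc/squid/squid.conf 640 root squid || rc=1
    return $rc
}

# Run the audit only when asked, so the file can also be sourced.
if [ "${1:-}" = "--audit" ]; then
    audit_proxy_confs
fi
```

Run it with `--audit` after the templates have been expanded; a non-zero exit status means at least one file no longer matches the packaged settings.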

#12 Updated by Giacomo Sanchietti about 8 years ago

  • Status changed from ON_DEV to MODIFIED
  • Assignee set to Giacomo Sanchietti
  • % Done changed from 30 to 70
Need rebuild of:
  • nethserver-squidclamav
  • nethserver-c-icap
  • nethserver-squid

#13 Updated by Giacomo Sanchietti about 8 years ago

New packages in nethserver-testing repository:
  • nethserver-c-icap-1.0.1-1
  • nethserver-squid-1.0.3-1
  • nethserver-squidclamav-1.0.1

Changes for c-icap:
  • Change permissions and owner of c-icap.conf
  • Avoid zombie processes (added /etc/sysconfig/c-icap template)

Changes for squidclamav:
  • set default status to disabled
  • add nethserver-httpd dependency

#14 Updated by Giacomo Sanchietti about 8 years ago

  • Status changed from MODIFIED to ON_QA
  • % Done changed from 60 to 70

#15 Updated by Alessio Fattorini about 8 years ago

yum --enablerepo=nethserver-testing install nethserver-squidclamav

--> Finished Dependency Resolution
Error: Package: nethserver-squidclamav-1.0.1-1.ns6.noarch (nethserver-testing)
           Requires: nethsever-httpd

I'm installing nethsever-httpd

Installed:
  nethserver-httpd.noarch 0:2.2.0-1.ns6

But I have the same dependencies error

I try to install nethserver-httpd in testing
nethserver-httpd-2.2.1

Same error

I try with repoquery

[root@muflone ~]# repoquery --enablerepo=nethserver-testing  --requires --recursive --resolve nethserver-squidclamav
nethserver-squidclamav-0:1.0.1-1.ns6.noarch
nethserver-antivirus-0:1.0.1-1.ns6.noarch
bash-0:4.1.2-14.el6.x86_64
squidclamav-0:6.10-1.ns6.x86_64
nethserver-c-icap-0:1.0.0-1.ns6.noarch

[root@muflone ~]# repoquery --enablerepo=nethserver-testing --alldeps --requires --recursive nethserver-squidclamav
/bin/sh
nethserver-antivirus
nethserver-c-icap
nethsever-httpd
squidclamav


What am I missing? :-\

#16 Updated by Filippo Carletti about 8 years ago

I'm installing nethsever-httpd

It's a typo: nethsever instead of nethserver.
You should install with nodeps or wait for an updated squidclamav package.

#17 Updated by Alessio Fattorini about 8 years ago

  • Status changed from ON_QA to ON_DEV
  • % Done changed from 70 to 30

Thank you Filippo, eagle eye ;-)

wget http://pulp.nethesis.it/nethserver/6.4/testing/x86_64/nethserver-squidclamav-1.0.1-1.ns6.noarch.rpm

# rpm -Uvh --nodeps http://pulp.nethesis.it/nethserver/6.4/testing/x86_64/nethserver-squidclamav-1.0.1-1.ns6.noarch.rpm
Retrieving http://pulp.nethesis.it/nethserver/6.4/testing/x86_64/nethserver-squidclamav-1.0.1-1.ns6.noarch.rpm
Preparing...                ########################################### [100%]
   1:nethserver-squidclamav ########################################### [100%]
Ok, but now there's no deps for nethserver-squid. I have squid but not squid panel. I have installed manually
  1. yum --enablerepo=nethserver-testing install nethserver-squid
Then
  • typo on deps "nethsever-httpd"
  • nodeps for nethserver-squid, only for squid

#18 Updated by Alessio Fattorini about 8 years ago

I can't test eicar download because another nethserver blocks it for my test server.
http://nethsecurityng.nethesis.it/cgi-bin/squidclamav/clwarn.cgi?
Can I verify this part indirectly? :-D

#19 Updated by Giacomo Sanchietti about 8 years ago

  • Status changed from ON_DEV to MODIFIED
  • % Done changed from 30 to 60

#20 Updated by Giacomo Sanchietti about 8 years ago

  • Status changed from MODIFIED to ON_QA
  • Assignee deleted (Giacomo Sanchietti)
  • % Done changed from 60 to 70
New package in nethserver-testing repo:
  • nethserver-squidclamav-1.0.2-1

To test behind a firewall, disable the antivirus on the firewall or use another gateway.

#21 Updated by Davide Principi about 8 years ago

  • Assignee set to Davide Principi

#22 Updated by Davide Principi about 8 years ago

  • Status changed from ON_QA to VERIFIED
  • Assignee deleted (Davide Principi)
  • % Done changed from 70 to 90

VERIFIED

  • Installed as dependencies
      nethserver-antivirus.noarch 0:1.0.3-1.ns6        nethserver-c-icap.noarch 0:1.0.1-1.ns6    
      nethserver-firewall-base.noarch 0:1.0.3-1.ns6    nethserver-httpd.noarch 0:2.2.1-1.ns6     
      nethserver-shorewall.noarch 0:1.0.0-1.ns6        nethserver-squid.noarch 0:1.0.3-1.ns6 
    
  • After yum transaction squid and c-icap daemons are disabled and stopped
  • Started squid => OK
  • EICAR test => OK
    $ curl -v -L -x davidep2.vboxnet0.tld:3128 http://www.eicar.org/download/eicar.com
    * About to connect() to proxy davidep2.vboxnet0.tld port 3128 (#0)
    *   Trying 192.168.8.2...
    * Connected to davidep2.vboxnet0.tld (192.168.8.2) port 3128 (#0)
    > GET http://www.eicar.org/download/eicar.com HTTP/1.1
    > User-Agent: curl/7.29.0
    > Host: www.eicar.org
    > Accept: */*
    > Proxy-Connection: Keep-Alive
    > 
    < HTTP/1.1 200 OK
    < Date: Mon, 29 Jul 2013 10:20:42 GMT
    < Server: Apache
    < Content-Disposition: attachment; filename="eicar.com" 
    < Cache-Control: private
    < Content-Length: 68
    < Content-Type: application/octet-stream
    < X-Cache: MISS from davidep2.vboxnet0.tld
    < X-Cache-Lookup: MISS from davidep2.vboxnet0.tld:3128
    < Via: 1.1 davidep2.vboxnet0.tld (squid/3.3.5)
    < Connection: keep-alive
    < 
    * Connection #0 to host davidep2.vboxnet0.tld left intact
    X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
    
  • Started c-icap => OK
  • EICAR test => OK
    $ curl -v -L -x davidep2.vboxnet0.tld:3128 http://www.eicar.org/download/eicar.com
    * About to connect() to proxy davidep2.vboxnet0.tld port 3128 (#0)
    *   Trying 192.168.8.2...
    * Connected to davidep2.vboxnet0.tld (192.168.8.2) port 3128 (#0)
    > GET http://www.eicar.org/download/eicar.com HTTP/1.1
    > User-Agent: curl/7.29.0
    > Host: www.eicar.org
    > Accept: */*
    > Proxy-Connection: Keep-Alive
    > 
    < HTTP/1.1 301 Moved Permanently
    < Date: Mon, 29 Jul 2013 10:24:07 GMT
    < Location: http://davidep2.vboxnet0.tld/cgi-bin/squidclamav/clwarn.cgi?url=http://www.eicar.org/download/eicar.com&source=192.168.8.1&user=-&virus=stream: Eicar-Test-Signature FOUND
    < Server: C-ICAP
    < Content-Type: text/html
    < Content-Language: en
    < X-Cache: MISS from davidep2.vboxnet0.tld
    < X-Cache-Lookup: MISS from davidep2.vboxnet0.tld:3128
    < Transfer-Encoding: chunked
    < Via: ICAP/1.0 davidep2.vboxnet0.tld (C-ICAP/0.2.5 SquidClamav/Antivirus service ), 1.1 davidep2.vboxnet0.tld (squid/3.3.5)
    < HTTP/1.1 200 OK
    < Date: Mon, 29 Jul 2013 10:24:07 GMT
    < Server: Apache/2.2.15 (CentOS) DAV/2 mod_ssl/2.2.15 OpenSSL/1.0.0-fips
    < Content-Type: text/html; charset=ISO-8859-1
    < X-Cache: MISS from davidep2.vboxnet0.tld
    < X-Cache-Lookup: MISS from davidep2.vboxnet0.tld:3128
    < Transfer-Encoding: chunked
    < Via: 1.1 davidep2.vboxnet0.tld (squid/3.3.5)
    < Connection: keep-alive
    < 
    <!DOCTYPE html
        PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" 
    [...]
        The requested URL http://www.eicar.org/download/eicar.com contains a virus<br>
        Virus name: Eicar-Test-Signature
    [...]
    * Connection #1 to host davidep2.vboxnet0.tld left intact
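
The two transcripts in the comment above differ in one header: with c-icap running, the proxy answers with a `Location:` redirect to `clwarn.cgi` carrying a `virus=` parameter. The following added example (not part of the ticket; function names are made up here, and the sample headers are trimmed from the transcripts above) turns that difference into a scriptable verdict.

```shell
#!/bin/sh
# Added example: classify a `curl -v` transcript taken through the proxy.

# Reads curl -v output on stdin. Prints "blocked:<signature>" when a response
# redirects to SquidClamav's clwarn.cgi with a virus= parameter, else "passed".
classify_proxy_response() {
    awk '
        { sub(/\r$/, ""); sub(/^[ \t]*< /, "") }   # strip CR and the "< " prefix
        tolower($0) ~ /^location:/ && /clwarn\.cgi\?/ {
            sig = $0
            if (sub(/.*[?&]virus=/, "", sig)) {
                sub(/&.*/, "", sig)                 # drop any later parameter
                sub(/^stream: /, "", sig)
                sub(/ FOUND$/, "", sig)
                print "blocked:" sig
                found = 1
                exit
            }
        }
        END { if (!found) print "passed" }
    '
}

# Constructed samples: header lines trimmed from the two transcripts above.
sample_icap_down() {
    cat <<'EOF'
< HTTP/1.1 200 OK
< Content-Length: 68
< Content-Type: application/octet-stream
< Via: 1.1 davidep2.vboxnet0.tld (squid/3.3.5)
EOF
}

sample_icap_up() {
    cat <<'EOF'
< HTTP/1.1 301 Moved Permanently
< Location: http://davidep2.vboxnet0.tld/cgi-bin/squidclamav/clwarn.cgi?url=http://www.eicar.org/download/eicar.com&source=192.168.8.1&user=-&virus=stream: Eicar-Test-Signature FOUND
< Server: C-ICAP
< HTTP/1.1 200 OK
< Server: Apache/2.2.15 (CentOS) DAV/2 mod_ssl/2.2.15 OpenSSL/1.0.0-fips
EOF
}

sample_icap_down | classify_proxy_response
sample_icap_up   | classify_proxy_response
```

Against a live proxy, feed it the verbose output, which curl writes to stderr: `curl -sv -o /dev/null -x PROXY:3128 URL 2>&1 | classify_proxy_response`.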
    

#23 Updated by Giacomo Sanchietti about 8 years ago

  • Status changed from VERIFIED to ON_QA
  • % Done changed from 90 to 70

Moved web proxy antivirus configuration from nethserver-antivirus to nethserver-squidclamav package.

Please do a quick test with:
  • nethserver-antivirus-1.0.4-1
  • nethserver-squidclamav-1.0.3-1

Just check the web UI is working correctly.

#24 Updated by Davide Principi about 8 years ago

  • Assignee set to Davide Principi

#25 Updated by Davide Principi about 8 years ago

  • Status changed from ON_QA to VERIFIED
  • Assignee deleted (Davide Principi)
  • % Done changed from 70 to 90

#26 Updated by Davide Principi about 8 years ago

  • Status changed from VERIFIED to CLOSED
  • % Done changed from 90 to 100

Moved to nethserver-updates repository
