Feature #1959
Feature #1774: Web content filter
Proxy: add web antivirus filter
| Status: | CLOSED | Start date: | |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | - | % Done: | 100% |
| Category: | nethserver-squidclamav | | |
| Target version: | v6.4-beta2 | | |
| Resolution: | | NEEDINFO: | No |
Description
Implement content filter using an antivirus.
Best candidate is SquidClamav using icap protocol.
Packages (for Fedora) available here: http://oliverseeburger.de/repo/fedora_17/x86_64/extras_seeburger/packages/
Associated revisions
First import. Refs #1959
First import. Refs #1959
First import. Refs #1959
spec: move cgi to /var/www/cgi-bin directory. Refs #1959
First import. Refs #1959
Update templates and createlinks. Refs #1959
squidclamav.conf template: update redirect path. Refs #1959
c-icap-conf and db defaults: change DebugLevel default to 0. Refs #1959
web ui: add ui to enable/disable antivirus. Refs #1959
Add support for downloaded blacklists. Refs #1959
spec: requires nethserver-httpd. Refs #1959
createlinks, templates: added /etc/sysconfig/c-icap template to avoid zombie processes. Refs #1959
c-icap.conf templates.metadata: change permission and owner. Refs #1959
squid.conf templates.metadata: change permission and owner. Refs #1959
db defaults: set default status to disabled. Refs #1959
spec: add nethserver-squid dependency, fix typo in nethserver-httpd requires. Refs #1959
web ui: move antivirus proxy configuration to nethserver-squidclamav package. Refs #1959
web ui: move antivirus proxy configuration from nethserver-antivirus package. Refs #1959
History
#1 Updated by Giacomo Sanchietti about 8 years ago
- Target version set to v6.4-beta2
#2 Updated by Giacomo Sanchietti about 8 years ago
- Status changed from NEW to ON_DEV
- Assignee set to Giacomo Sanchietti
- % Done changed from 0 to 30
- NEEDINFO set to No
Implemented using c-icap and squidclamav.
Packages:
- c-icap: icap server
- squidclamav: library for c-icap
- nethserver-c-icap: configuration for c-icap
- nethserver-squidclamav: configuration for squidclamav
#3 Updated by Giacomo Sanchietti about 8 years ago
- Status changed from ON_DEV to MODIFIED
- % Done changed from 30 to 70
All stack implemented.
#4 Updated by Giacomo Sanchietti about 8 years ago
- Status changed from MODIFIED to ON_QA
- % Done changed from 70 to 80
- squidclamav-6.10-1
- nethserver-squidclamav-1.0.0
- nethserver-c-icap-1.0.0
- c-icap-0.2.5
To test the antivirus filter.
1) Install the software: yum --enablerepo=nethserver-testing install nethserver-squidclamav
2) Enable squid from web interface
3) Open one eicar test file from http://www.eicar.org/85-0-Download.html and verify the download is blocked
#6 Updated by Davide Principi about 8 years ago
- Assignee deleted (Giacomo Sanchietti)
ON_QA: Assignee reset
#7 Updated by Davide Principi about 8 years ago
- Assignee set to Davide Principi
#8 Updated by Davide Principi about 8 years ago
- File QA1959-rpms.txt added
- Status changed from ON_QA to ON_DEV
- % Done changed from 80 to 30
Verification FAILED
Summary
the c-icap daemon does not start after installation
Description
- After installation I've enabled Squid (Manual) from UI => Save
- c-icap daemon didn't start
The EICAR data was not blocked:
```
curl -L -x davidep2.vboxnet0.tld:3128 http://www.eicar.org/download/eicar.com
X5O!P%[...]AR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
```
To work around the problem in "Proxy web" module / Antivirus
- Set "disabled" => Save
- Set "enabled" again => Save
c-icap starts and the EICAR test is blocked.
#9 Updated by Davide Principi about 8 years ago
- Assignee deleted (Davide Principi)
#10 Updated by Davide Principi about 8 years ago
Davide Principi wrote:

> To work around the problem in "Proxy web" module / Antivirus
> - Set "disabled" => Save
> - Set "enabled" again => Save

when starting c-icap daemon from httpd-admin a zombie adjust-services process prevents signal-event to complete. This resembles Dovecot's case #1232..

To fix c-icap startup I suggest closing output descriptors in /etc/sysconfig/c-icap:

```
OPTIONS="&>/dev/null "
```

> c-icap starts and the EICAR test is blocked.

I confess I started it from a Bash shell..
#11 Updated by Davide Principi about 8 years ago
rpm -V noticed that /etc/squid/squid.conf and /etc/c-icap/c-icap.conf have permissions and owner modified after they've been expanded from template.
Original settings from RPMs
```
# ll /etc/c-icap/c-icap.conf
-rw-r-----. 1 root c-icap 19280 May 30 13:56 /etc/c-icap/c-icap.conf
# ll /etc/squid/squid.conf
-rw-r-----. 1 root squid 2315 May 21 12:55 /etc/squid/squid.conf
```
After template expansions owner is root and permissions are 0644.
#12 Updated by Giacomo Sanchietti about 8 years ago
- Status changed from ON_DEV to MODIFIED
- Assignee set to Giacomo Sanchietti
- % Done changed from 30 to 70
- nethserver-squidclamav
- nethserver-c-icap
- nethserver-squid
#13 Updated by Giacomo Sanchietti about 8 years ago
- nethserver-c-icap-1.0.1-1
- nethserver-squid-1.0.3-1
- nethserver-squidclamav-1.0.1
- Change permissions and owner of c-icap.conf
- Avoid zombie processes (added /etc/sysconfig/c-icap template)
- set default status to disabled
- add nethserver-httpd dependency
#14 Updated by Giacomo Sanchietti about 8 years ago
- Status changed from MODIFIED to ON_QA
- % Done changed from 60 to 70
#15 Updated by Alessio Fattorini about 8 years ago
yum --enablerepo=nethserver-testing install nethserver-squidclamav
```
--> Finished Dependency Resolution
Error: Package: nethserver-squidclamav-1.0.1-1.ns6.noarch (nethserver-testing)
           Requires: nethsever-httpd
```
I'm installing nethsever-httpd
Installed: nethserver-httpd.noarch 0:2.2.0-1.ns6
But I have the same dependencies error
I try to install nethserver-httpd in testing
nethserver-httpd-2.2.1
Same error
I try with repoquery
```
[root@muflone ~]# repoquery --enablerepo=nethserver-testing --requires --recursive --resolve nethserver-squidclamav
nethserver-squidclamav-0:1.0.1-1.ns6.noarch
nethserver-antivirus-0:1.0.1-1.ns6.noarch
bash-0:4.1.2-14.el6.x86_64
squidclamav-0:6.10-1.ns6.x86_64
nethserver-c-icap-0:1.0.0-1.ns6.noarch
[root@muflone ~]# repoquery --enablerepo=nethserver-testing --alldeps --requires --recursive nethserver-squidclamav
/bin/sh
nethserver-antivirus
nethserver-c-icap
nethsever-httpd
squidclamav
```
What am I missing? :-\
#16 Updated by Filippo Carletti about 8 years ago
> I'm installing nethsever-httpd

It's a typo: nethsever instead of nethserver.
You should install with nodeps or wait for an updated squidclamav package.
#17 Updated by Alessio Fattorini about 8 years ago
- Status changed from ON_QA to ON_DEV
- % Done changed from 70 to 30
Thank you Filippo, eagle eye ;-)
```
wget http://pulp.nethesis.it/nethserver/6.4/testing/x86_64/nethserver-squidclamav-1.0.1-1.ns6.noarch.rpm
# rpm -Uvh --nodeps http://pulp.nethesis.it/nethserver/6.4/testing/x86_64/nethserver-squidclamav-1.0.1-1.ns6.noarch.rpm
Retrieving http://pulp.nethesis.it/nethserver/6.4/testing/x86_64/nethserver-squidclamav-1.0.1-1.ns6.noarch.rpm
Preparing...                ########################################### [100%]
   1:nethserver-squidclamav ########################################### [100%]
```
Ok, but now there's no deps for nethserver-squid. I have squid but not squid panel. I have installed manually
- yum --enablerepo=nethserver-testing install nethserver-squid
- typo on deps "nethsever-httpd"
- nodeps for nethserver-squid, only for squid
#18 Updated by Alessio Fattorini about 8 years ago
I can't test eicar download because another nethserver blocks it for my test server.
http://nethsecurityng.nethesis.it/cgi-bin/squidclamav/clwarn.cgi?
Can I verify this part indirectly? :-D
#19 Updated by Giacomo Sanchietti about 8 years ago
- Status changed from ON_DEV to MODIFIED
- % Done changed from 30 to 60
#20 Updated by Giacomo Sanchietti about 8 years ago
- Status changed from MODIFIED to ON_QA
- Assignee deleted (Giacomo Sanchietti)
- % Done changed from 60 to 70
- nethserver-squidclamav-1.0.2-1
To test behind a firewall, disable the antivirus on the firewall or use another gateway.
#21 Updated by Davide Principi about 8 years ago
- Assignee set to Davide Principi
#22 Updated by Davide Principi about 8 years ago
- Status changed from ON_QA to VERIFIED
- Assignee deleted (Davide Principi)
- % Done changed from 70 to 90
VERIFIED
- Installed as dependencies
```
nethserver-antivirus.noarch 0:1.0.3-1.ns6
nethserver-c-icap.noarch 0:1.0.1-1.ns6
nethserver-firewall-base.noarch 0:1.0.3-1.ns6
nethserver-httpd.noarch 0:2.2.1-1.ns6
nethserver-shorewall.noarch 0:1.0.0-1.ns6
nethserver-squid.noarch 0:1.0.3-1.ns6
```
- After yum transaction squid and c-icap daemons are disabled and stopped
- Started squid => OK
- EICAR test => OK
```
$ curl -v -L -x davidep2.vboxnet0.tld:3128 http://www.eicar.org/download/eicar.com
* About to connect() to proxy davidep2.vboxnet0.tld port 3128 (#0)
*   Trying 192.168.8.2...
* Connected to davidep2.vboxnet0.tld (192.168.8.2) port 3128 (#0)
> GET http://www.eicar.org/download/eicar.com HTTP/1.1
> User-Agent: curl/7.29.0
> Host: www.eicar.org
> Accept: */*
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 OK
< Date: Mon, 29 Jul 2013 10:20:42 GMT
< Server: Apache
< Content-Disposition: attachment; filename="eicar.com"
< Cache-Control: private
< Content-Length: 68
< Content-Type: application/octet-stream
< X-Cache: MISS from davidep2.vboxnet0.tld
< X-Cache-Lookup: MISS from davidep2.vboxnet0.tld:3128
< Via: 1.1 davidep2.vboxnet0.tld (squid/3.3.5)
< Connection: keep-alive
<
* Connection #0 to host davidep2.vboxnet0.tld left intact
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
```
- Started c-icap => OK
- EICAR test => OK
```
$ curl -v -L -x davidep2.vboxnet0.tld:3128 http://www.eicar.org/download/eicar.com
* About to connect() to proxy davidep2.vboxnet0.tld port 3128 (#0)
*   Trying 192.168.8.2...
* Connected to davidep2.vboxnet0.tld (192.168.8.2) port 3128 (#0)
> GET http://www.eicar.org/download/eicar.com HTTP/1.1
> User-Agent: curl/7.29.0
> Host: www.eicar.org
> Accept: */*
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 301 Moved Permanently
< Date: Mon, 29 Jul 2013 10:24:07 GMT
< Location: http://davidep2.vboxnet0.tld/cgi-bin/squidclamav/clwarn.cgi?url=http://www.eicar.org/download/eicar.com&source=192.168.8.1&user=-&virus=stream: Eicar-Test-Signature FOUND
< Server: C-ICAP
< Content-Type: text/html
< Content-Language: en
< X-Cache: MISS from davidep2.vboxnet0.tld
< X-Cache-Lookup: MISS from davidep2.vboxnet0.tld:3128
< Transfer-Encoding: chunked
< Via: ICAP/1.0 davidep2.vboxnet0.tld (C-ICAP/0.2.5 SquidClamav/Antivirus service ), 1.1 davidep2.vboxnet0.tld (squid/3.3.5)
<
< HTTP/1.1 200 OK
< Date: Mon, 29 Jul 2013 10:24:07 GMT
< Server: Apache/2.2.15 (CentOS) DAV/2 mod_ssl/2.2.15 OpenSSL/1.0.0-fips
< Content-Type: text/html; charset=ISO-8859-1
< X-Cache: MISS from davidep2.vboxnet0.tld
< X-Cache-Lookup: MISS from davidep2.vboxnet0.tld:3128
< Transfer-Encoding: chunked
< Via: 1.1 davidep2.vboxnet0.tld (squid/3.3.5)
< Connection: keep-alive
<
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
[...]
The requested URL http://www.eicar.org/download/eicar.com contains a virus<br>
Virus name: Eicar-Test-Signature
[...]
* Connection #1 to host davidep2.vboxnet0.tld left intact
```
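
The manual check in comment #22 (a plain 200 while c-icap is stopped, a redirect to clwarn.cgi once it runs) can be scripted for repeat QA runs. This is an added example, not code from the NethServer project or the thread; the function name `classify_proxy_response`, the host `proxy.example.test` and the sample headers are constructed for illustration.

```shell
#!/bin/sh
# Added example (not NethServer code): decide from response headers whether the
# proxy antivirus blocked a download. Feed it headers on stdin, for instance:
#   curl -s -o /dev/null -D - -x PROXY:3128 URL | classify_proxy_response
# Prints "blocked <signature> [via-icap]", "passed" or "unknown".
classify_proxy_response() {
    awk '
        { sub(/\r$/, "") }                          # tolerate CRLF line endings
        /^HTTP\// && status == "" { status = $2 }   # keep the first status only
        tolower($0) ~ /^location:/ && $0 ~ /\/squidclamav\/clwarn\.cgi\?/ {
            blocked = 1
            virus = $0
            if (sub(/.*[?&]virus=/, "", virus)) {
                sub(/&.*/, "", virus)               # drop any later parameter
                gsub(/%20/, " ", virus)             # spaces may arrive encoded
                sub(/^stream: */, "", virus)        # clamd stream prefix
                sub(/ FOUND$/, "", virus)
            } else {
                virus = "-"
            }
        }
        tolower($0) ~ /^via:/ && $0 ~ /ICAP\// { icap = 1 }
        END {
            suffix = icap ? " via-icap" : ""
            if (blocked)            print "blocked " virus suffix
            else if (status ~ /^2/) print "passed"
            else                    print "unknown"
        }'
}

# Constructed sample headers, modelled on the two transcripts in comment #22.
SAMPLE_BLOCKED='HTTP/1.1 301 Moved Permanently
Location: http://proxy.example.test/cgi-bin/squidclamav/clwarn.cgi?url=http://www.eicar.org/download/eicar.com&source=192.0.2.10&user=-&virus=stream: Eicar-Test-Signature FOUND
Server: C-ICAP
Via: ICAP/1.0 proxy.example.test (C-ICAP/0.2.5 SquidClamav/Antivirus service ), 1.1 proxy.example.test (squid/3.3.5)'
SAMPLE_PASSED='HTTP/1.1 200 OK
Content-Type: application/octet-stream
Via: 1.1 proxy.example.test (squid/3.3.5)'

printf '%s\n' "$SAMPLE_BLOCKED" | classify_proxy_response
printf '%s\n' "$SAMPLE_PASSED"  | classify_proxy_response
```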
#23 Updated by Giacomo Sanchietti about 8 years ago
- Status changed from VERIFIED to ON_QA
- % Done changed from 90 to 70
Moved web proxy antivirus configuration from nethserver-antivirus to nethserver-squidclamav package.
Please do a quick test with:
- nethserver-antivirus-1.0.4-1
- nethserver-squidclamav-1.0.3-1
Just check the web UI is working correctly.
#24 Updated by Davide Principi about 8 years ago
- Assignee set to Davide Principi
#25 Updated by Davide Principi about 8 years ago
- Status changed from ON_QA to VERIFIED
- Assignee deleted (Davide Principi)
- % Done changed from 70 to 90
#26 Updated by Davide Principi about 8 years ago
- Status changed from VERIFIED to CLOSED
- % Done changed from 90 to 100
Moved to nethserver-updates repository