GIT – Squid On FreeBSD: Setup with Clamav antivirus On FreeBSD, Transparent Squid On FreeBSD, Tuning HTTP Proxy on FreeBSD

1. Setup Squid with Clamav antivirus On FreeBSD 

If you want to protect a LAN from viruses downloaded from the Internet, an interesting solution is to use the Squid proxy together with the Clamav antivirus. This setup was tested successfully on FreeBSD 6.1 (it should work on 5.4 too).

We will use a special daemon, c-icap, which listens on port 1344 and invokes clamav to scan the web content that squid hands to it.

c-icap can be found here: http://sourceforge.net/projects/c-icap

A patch for squid can also be found in the c-icap project section on sourceforge; squid must be patched in order to work with c-icap.

One thing to mention: using c-icap scales better than using the redirector function of squid.

Step 1
——–
Download the latest version of c-icap from sourceforge.net (you can also find a version of c-icap on our site, in the Downloads section).

Step 2
——–
Unpack, configure it and compile it.

tar xfz c_icap-030606rc1.tar.gz
cd c_icap-030606rc1
./configure --enable-static --with-clamav --prefix=/usr/local/c_icap
make install

Configs will be in /usr/local/c_icap/etc

Open c-icap.conf with your favorite editor and add the following settings (only the local squid may talk to the ICAP service; everything else is denied):

acl localsquid_respmod src 127.0.0.1 type respmod
acl localsquid src 127.0.0.1
acl externalnet src 0.0.0.0/0.0.0.0
icap_access allow localsquid_respmod
icap_access allow localsquid
icap_access deny externalnet

Also check the other settings and make the changes that suit your needs.
I’ve made a c-icap FreeBSD 6.1 (i386) package for you, see Downloads section of this website.

Step 3
——–
After making the config changes, run c-icap to test it.

/usr/local/c_icap/bin/c-icap

Having no messages is good. Now we need to make sure that the daemon is running and listening on port 1344.

ps ax | grep c-icap

We can also verify that with netstat.

Step 4
——–
Download squid with c-icap support from sourceforge.net.
Unpack, configure it and compile it.

tar xfz squid-icap-2.5.STABLE12-20051102.tgz
cd squid-icap-2.5.STABLE12-20051102
./configure --enable-icap-support --prefix=/usr/local
make install

If this step fails for you, you can cvsup /usr/ports/www to get the latest version of squid, which has the c-icap patch included, then configure and compile it with icap support:

./configure --bindir=/usr/local/sbin --sysconfdir=/usr/local/etc/squid \
  --datadir=/usr/local/etc/squid --libexecdir=/usr/local/libexec/squid \
  --localstatedir=/usr/local/squid --enable-removal-policies=lru,heap \
  --enable-auth=basic,ntlm,digest --enable-basic-auth-helpers=NCSA,PAM,MSNT,SMB,winbind,YP \
  --enable-digest-auth-helpers=password \
  --enable-external-acl-helpers=ip_user,unix_group,wbinfo_group,winbind_group \
  --enable-ntlm-auth-helpers=SMB,winbind --enable-storeio=ufs,diskd,null \
  --enable-underscores --enable-err-languages=English --enable-default-err-language=Spanish \
  --with-large-files --enable-large-cache-files --enable-delay-pools \
  --enable-ipf-transparent --disable-ident-lookups --enable-snmp --enable-removal-policies \
  --prefix=/usr/local i386-portbld-freebsd6.1 --enable-pf-transparent --enable-icap-support

It will be installed into /usr/local/squid

We need to create the proxy cache and log directories and hand them to the unprivileged user squid runs as.

cd /usr/local/squid/var
chown nobody cache/ logs/
chgrp nobody cache/ logs/

Run the following command to pre-create the squid cache tree:

/usr/local/squid/sbin/squid -z

By default the cache is configured as:

cache_dir ufs /usr/local/squid/var/cache 100 16 256

Now let's configure it. The config file is /usr/local/squid/etc/squid.conf

First of all, allow access to the proxy from your network (the acl name must match in both lines):

acl mynetwork src 192.168.2.0/24
http_access allow mynetwork

At this moment we have a working proxy, but without c-icap support.

Open /usr/local/squid/etc/squid.conf in your favorite editor.

Find each of the following keywords and set the values as below:

icap_enable on
icap_preview_enable on
icap_preview_size 128
icap_send_client_ip on
icap_service service_avi_req reqmod_precache 0 icap://localhost:1344/srv_clamav
icap_service service_avi respmod_precache 1 icap://localhost:1344/srv_clamav
icap_class class_antivirus service_avi service_avi_req
icap_access class_antivirus allow all
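
Before restarting squid it is worth confirming, from the proxy host, that the ICAP service the two icap_service lines point at really answers on port 1344 and advertises both REQMOD and RESPMOD. The following ICAP OPTIONS probe is an added example, not code from the original post or from the c-icap project; the host, port and service name are the ones used above, and the sample reply is constructed for offline testing.

```python
import socket

ICAP_HOST, ICAP_PORT, ICAP_SERVICE = "localhost", 1344, "srv_clamav"

def build_options_request(host=ICAP_HOST, port=ICAP_PORT, service=ICAP_SERVICE):
    """ICAP/1.0 OPTIONS request for the service named in squid's icap_service lines."""
    return (f"OPTIONS icap://{host}:{port}/{service} ICAP/1.0\r\n"
            f"Host: {host}\r\nEncapsulated: null-body=0\r\n\r\n").encode("ascii")

def parse_options_response(raw):
    """Parse status code and headers of an ICAP reply; a body, if any, is ignored."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"status": int(lines[0].split()[1]), "headers": headers}

def supported_methods(parsed):
    raw = parsed["headers"].get("methods", "")
    return {m.strip().upper() for m in raw.split(",") if m.strip()}

def check_service(parsed, required=("REQMOD", "RESPMOD")):
    """Return problems found; an empty list means the service fits both icap_service lines."""
    problems = []
    if parsed["status"] != 200:
        problems.append(f"ICAP status {parsed['status']} instead of 200")
    methods = supported_methods(parsed)
    problems += [f"service does not advertise {m}" for m in required if m not in methods]
    if "istag" not in parsed["headers"]:
        problems.append("no ISTag header (squid uses it to notice service changes)")
    return problems

def probe(host=ICAP_HOST, port=ICAP_PORT, service=ICAP_SERVICE, timeout=5.0):
    """Send OPTIONS to the running c-icap daemon and return the parsed reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_options_request(host, port, service))
        raw = b""
        while b"\r\n\r\n" not in raw:
            chunk = s.recv(4096)
            if not chunk:
                break
            raw += chunk
    return parse_options_response(raw)

# Constructed sample reply (not captured from a real c-icap), used for offline checks.
SAMPLE_REPLY = (b"ICAP/1.0 200 OK\r\nMethods: RESPMOD, REQMOD\r\nService: C-ICAP Antivirus\r\n"
                b"ISTag: \"CI0001-sample\"\r\nTransfer-Preview: *\r\nOptions-TTL: 3600\r\n"
                b"Preview: 1024\r\nAllow: 204\r\nEncapsulated: null-body=0\r\n\r\n")
```

On the proxy host, `check_service(probe())` returning an empty list means c-icap answers and srv_clamav supports both the reqmod_precache and respmod_precache services configured above.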

Let's restart squid with the updated configuration:

/usr/local/squid/sbin/squid -k reconfigure

2. Tuning Squid HTTP Proxy on FreeBSD

First you should install Squid from ports and compile it with options that support diskd.

Install Squid from ports.

cd /usr/ports/www/squid
make install

Compile Squid with diskd support:

cd /usr/ports/www/squid/work/squid-2.5.STABLE9

./configure --bindir=/usr/local/sbin --sysconfdir=/usr/local/etc/squid \
  --datadir=/usr/local/etc/squid --libexecdir=/usr/local/libexec/squid \
  --localstatedir=/usr/local/squid --enable-removal-policies=lru,heap \
  --enable-auth=basic,ntlm,digest --enable-basic-auth-helpers=NCSA,PAM,MSNT,SMB,winbind,YP \
  --enable-digest-auth-helpers=password \
  --enable-external-acl-helpers=ip_user,unix_group,wbinfo_group,winbind_group \
  --enable-ntlm-auth-helpers=SMB,winbind --enable-storeio=ufs,diskd,null \
  --enable-underscores --enable-err-languages=English --enable-default-err-language=Romanian \
  --with-large-files --enable-large-cache-files --enable-delay-pools \
  --enable-ipf-transparent --disable-ident-lookups --enable-snmp --enable-removal-policies \
  --prefix=/usr/local i386-portbld-freebsd5.4
make install

Add the following FreeBSD sysctl parameters to your /boot/loader.conf (loader.conf uses name=value syntax):

kern.ipc.nmbclusters=32768
kern.maxfiles=65536
kern.maxfilesperproc=32768
net.inet.ip.portrange.last=65535

Compile the kernel with these options:

options SHMSEG=16
options SHMMNI=32
options SHMMAX=2097152
options SHMALL=4096
options MAXFILES=8192

Your squid.conf should look like this:

(Please modify the path where your squid cache is stored, the size of the cache and also the allowed IP range for your squid daemon. Don't forget to do a 'squid -z' if you did not do it at install time, to create the cache directories.)

#my settings
http_port 8080
icp_port 0
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_mem 128 MB

maximum_object_size 80000 KB
ipcache_size 1024
ipcache_low 90
ipcache_high 95
cache_dir diskd /mnt/squid 28000 32 512 Q1=72 Q2=64

log_fqdn off
logfile_rotate 10

dns_nameservers 10.0.0.1

auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320

#next, remove
acl localnet src 10.0.0.0/255.255.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8

acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 210 1025-65535 280 488 591 777
acl CONNECT method CONNECT
acl all src 0.0.0.0/0.0.0.0

http_access deny !Safe_ports

http_access allow localnet
http_reply_access allow all
visible_hostname localhost

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

coredump_dir /usr/local/squid/cache
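
As an added illustration (not from the original post) of how squid evaluates the http_access lines in the config above: the first matching line wins, and when no line matches the opposite of the last line's action applies. That is why the list above, ending in an allow line, leaves clients outside localnet denied, whereas a list ending in a deny line would leave everyone else allowed. Only the src and port ACL types from the config are modelled here.

```python
import ipaddress

# Constructed from the acl lines of the squid.conf above (only src and port ACLs are modelled).
ACLS = {
    "localnet": ("src", ["10.0.0.0/255.255.0.0"]),
    "localhost": ("src", ["127.0.0.1/255.255.255.255"]),
    "Safe_ports": ("port", ["80", "21", "443", "563", "210", "1025-65535", "280", "488", "591", "777"]),
    "SSL_ports": ("port", ["443", "563"]),
    "all": ("src", ["0.0.0.0/0.0.0.0"]),
}
# The http_access lines of that config, in order.
HTTP_ACCESS = [("deny", "!Safe_ports"), ("allow", "localnet")]

def acl_matches(name, client_ip, dst_port):
    """True if the named ACL matches the client address (src) or the destination port (port)."""
    kind, values = ACLS[name]
    if kind == "src":
        ip = ipaddress.ip_address(client_ip)
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    for v in values:  # a single port or a lo-hi range
        lo, _, hi = v.partition("-")
        if int(lo) <= dst_port <= int(hi or lo):
            return True
    return False

def http_access_decision(client_ip, dst_port, rules=HTTP_ACCESS):
    """Evaluate http_access the way squid does: the first matching line wins;
    if no line matches, the opposite of the last line's action applies."""
    for action, term in rules:
        negated = term.startswith("!")
        if acl_matches(term.lstrip("!"), client_ip, dst_port) != negated:
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"
```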

3. Transparent Squid On FreeBSD

This section shows you how to set up a transparent proxy with squid, redirecting HTTP traffic to the squid port. The howto is for FreeBSD setups that use the OpenBSD packet filter (pf) or the ipfw firewall.

Step 1

Install squid from ports. If you use the pf firewall, you will need to compile Squid with support for pf.

cd /usr/ports/www/squid

make install

If you use the pf firewall you must compile squid with transparent pf support (there are also other options, like support for diskd):

cd /usr/ports/www/squid/work/squid-2.5.STABLE12

./configure --bindir=/usr/local/sbin --sysconfdir=/usr/local/etc/squid \
  --datadir=/usr/local/etc/squid --libexecdir=/usr/local/libexec/squid \
  --localstatedir=/usr/local/squid --enable-removal-policies=lru,heap \
  --enable-auth=basic,ntlm,digest --enable-basic-auth-helpers=NCSA,PAM,MSNT,SMB,winbind,YP \
  --enable-digest-auth-helpers=password \
  --enable-external-acl-helpers=ip_user,unix_group,wbinfo_group,winbind_group \
  --enable-ntlm-auth-helpers=SMB,winbind --enable-storeio=ufs,diskd,null \
  --enable-underscores --enable-err-languages=English --enable-default-err-language=Romanian \
  --with-large-files --enable-large-cache-files --enable-delay-pools \
  --enable-ipf-transparent --disable-ident-lookups --enable-snmp --enable-removal-policies \
  --prefix=/usr/local i386-portbld-freebsd6.1 --enable-pf-transparent

make install

Step 2

a) If you are using pf firewall:

You should add the following rules in order to redirect HTTP traffic to squid (assuming squid is running on port 8080):

# --------- pf.conf ----------
int_if="fxp0"
ext_if="fxp1"
rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 8080
pass in on $int_if inet proto tcp from any to 127.0.0.1 port 8080 keep state
pass out on $ext_if inet proto tcp from any to any port www keep state
# ------- end pf.conf -------

We must also allow squid to access the pf device:

chgrp _squid /dev/pf
chmod g+rw /dev/pf

b) If you are using the ipfw firewall:

Add your redirect rule to your ipfw config file:

int_if="fxp0"
ipfw add 1000 fwd 127.0.0.1,8080 tcp from any to any 80 in recv $int_if

In both setups (pf or ipfw), if you are using PPPoE servers or other setups in which you use netgraph (ng) or tun interfaces, the redirect rule must be placed on that particular ng interface.

When using ipfw you can redirect http traffic to ng*. With pf using ng* will not work.

Your squid.conf is the same as the one shown in section 2 (Tuning Squid HTTP Proxy on FreeBSD), with the same notes about the cache path, the cache size and the allowed IP range for your squid daemon.
