Web browsing filtering with squidclamav on Debian
WARNING: HTTPS TRAFFIC IS NOT SCANNED
- Install squid3. It does not work with squid 2
sudo apt-get install squid3
- Install clamav-daemon and the build and packaging tools:
sudo apt-get install clamav-daemon gcc make curl libcurl4-gnutls-dev checkinstall
- Download and compile icap:
cd /tmp/
wget http://freefr.dl.sourceforge.net/project/c-icap/c-icap/0.2.x/c_icap-0.2.1.tar.gz
tar zxvf c_icap-*
cd c_icap-*/
./configure
make
- Create the Debian package, entering:
  - the correct architecture in -A
  - the correct release in place of 0.2.1
  - When reviewing the control file, remove the empty lines for:
    - Depends:
    - Conflicts:
    - Replaces:
sudo checkinstall \
-D \
--install=no \
-A i386 \
--review-control \
--pkgrelease 0.2.1-1 \
--maintainer gabriele.mailing@rvmgroup.it \
--pkgname c-icap
- The wheezy package is here: Debian -- Details of package c-icap in wheezy
- Install it:
sudo dpkg -i c-icap_*
- Download, unpack and compile squidclamav:
cd /tmp
wget http://switch.dl.sourceforge.net/project/squidclamav/squidclamav/6.9/squidclamav-6.9.tar.gz
tar xvzf squidclamav-*
cd squidclamav-*/
./configure
make
- Create the Debian package, entering:
  - the correct architecture in -A
  - the correct release in place of 6.9
  - When reviewing the control file, remove the empty lines for:
    - Depends:
    - Conflicts:
    - Replaces:
sudo checkinstall \
-D \
--install=no \
-A i386 \
--review-control \
--pkgrelease 6.9-1 \
--maintainer gabriele.mailing@rvmgroup.it \
--pkgname libc-icap-mod-squidclamav
- The wheezy package is here: Debian -- Details of package libc-icap-mod-squidclamav in wheezy
- Install it:
sudo dpkg -i libc-icap-mod-squidclamav_*
- Set the URL shown when a virus is detected:
sudoedit /etc/squidclamav.conf
...
redirect http://malware.hiperlinks.com.br/denied.shtml
...
clamd_local /var/run/clamav/clamd.ctl
...
- Configure c-icap for squid:
sudoedit /usr/local/etc/c-icap.conf
# line 140: change to admin's address
ServerAdmin root@server.world
# line 149: change to your servername
ServerName lan.server.world
# line 497: add
Service squidclamav squidclamav.so
PidFile /var/run/c-icap.pid
ServerLog /var/log/c-icap.log
AccessLog /var/log/c-icap-access.log
CommandsSocket /var/run//c-icap.ctl
- Configure squid to use icap:
sudoedit /etc/squid/squid3.conf
# line 4689: add
icap_enable on
# line 4776: add
icap_send_client_ip on
# line 4784: add
icap_send_client_username on
# line 4789: add
icap_client_username_header X-Authenticated-User
# line 4855: add
icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
adaptation_access service_req allow all
icap_service service_resp respmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
adaptation_access service_resp allow all
- Start icap:
sudo /usr/local/bin/c-icap -N -D -f /usr/local/etc/c-icap.conf
- Restart squid:
sudo invoke-rc.d squid restart
- Test at http://www.testvirus.de/de/testvirus.html
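The squid ICAP lines in this procedure set bypass=1 on both services, which makes scanning optional: if c-icap is unreachable, squid forwards the traffic unscanned. The audit script below is an added example, not part of the original page; the function names audit_icap and sample_conf and the scratch file are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page: audit squid's ICAP settings.
# audit_icap FILE prints one finding per line and returns 0 only if there are none.
audit_icap() {
    out=$(awk '
        $1 == "icap_enable" { enabled = ($2 == "on") }
        $1 == "icap_service" {
            seen[$2] = $3                  # service name -> vectoring point
            if ($3 == "respmod_precache") resp = 1
            for (i = 4; i <= NF; i++)
                if ($i == "bypass=1" || $i == "bypass=on") failopen[$2] = 1
        }
        $1 == "adaptation_access" && $3 == "allow" { used[$2] = 1 }
        END {
            if (!enabled) print "FAIL icap_enable is not on"
            if (!resp) print "FAIL no respmod_precache service, responses are not scanned"
            for (n in seen) {
                if (!(n in used)) print "FAIL " n ": no adaptation_access allow rule"
                if (n in failopen) print "WARN " n ": bypass on, traffic passes unscanned if c-icap is down"
            }
        }' "$1" | sort)
    [ -n "$out" ] && printf '%s\n' "$out"
    [ -z "$out" ]
}

# Constructed sample: the ICAP directives from this page, written to file $1.
sample_conf() {
    cat > "$1" <<'EOF'
# line 4689: add
icap_enable on
icap_send_client_ip on
icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
adaptation_access service_req allow all
icap_service service_resp respmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
adaptation_access service_resp allow all
EOF
}

conf=$(mktemp)
sample_conf "$conf"
audit_icap "$conf" || echo "review the findings above"
rm -f "$conf"
```

Changing bypass=1 to bypass=0 makes squid return an error instead of unscanned content while c-icap is down, so the choice is between availability and guaranteed scanning.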
Debian customization
- Create the init.d file for icap:
sudoedit /etc/init.d/c-icap
#! /bin/sh
#
### BEGIN INIT INFO
# Provides:          c-icap
# Required-Start:    $network $remote_fs $syslog
# Required-Stop:     $network $remote_fs $syslog
# Should-Start:      $named
# Should-Stop:       $named
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: C-ICAP Server Version 0.1.3
### END INIT INFO

PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
DAEMON=/usr/bin/c-icap
NAME=c-icap
DESC=c-icap

test -x $DAEMON || exit 0

LOGDIR=/var/log/c-icap
PIDFILE=/var/run/c-icap/$NAME.pid
DODTIME=3                   # Time to wait for the server to die, in seconds
                            # If this value is set too low you might not
                            # let some servers to die gracefully and
                            # 'restart' will not work
STARTUPTIME=1               # Time to wait to decide if daemon is up and running

# Include c-icap defaults if available
if [ -f /etc/default/c-icap ] ; then
    . /etc/default/c-icap
fi

check_ctl_dir() {
    # Create the ctl empty dir if necessary
    if [ ! -d /var/run/c-icap ]; then
        mkdir /var/run/c-icap
        chown c-icap /var/run/c-icap
        chmod 0755 /var/run/c-icap
    fi
}

# If the daemon is not enabled, give the user a warning and stop.
# Check to create /var/run directory if someone wants to run c-icap
# in debug mode / foreground to test some functions without start it from init.d
if [ "$START" != "yes" ]; then
    check_ctl_dir
    echo "To enable $NAME, edit /etc/default/c-icap and set START=yes"
    exit 0
fi

set -e

running_pid()
{
    # Check if a given process pid's cmdline matches a given name
    pid=$1
    name=$2
    [ -z "$pid" ] && return 1
    [ ! -d /proc/$pid ] && return 1
    cmd=`cat /proc/$pid/cmdline | tr "\000" "\n"|head -n 1 |cut -d : -f 1`
    # Is this the expected child?
    [ "$cmd" != "$name" ] && return 1
    return 0
}

running()
{
    # Check if the process is running looking at /proc
    # (works for all users)

    # No pidfile, probably no daemon present
    [ ! -f "$PIDFILE" ] && return 1
    # Obtain the pid and check it against the binary name
    pid=`cat $PIDFILE`
    running_pid $pid $DAEMON || return 1
    return 0
}

force_stop() {
    # Forcefully kill the process
    [ ! -f "$PIDFILE" ] && return
    if running ; then
        kill -15 $pid
        # Is it really dead?
        [ -n "$DODTIME" ] && sleep "$DODTIME"s
        if running ; then
            kill -9 $pid
            [ -n "$DODTIME" ] && sleep "$DODTIME"s
            if running ; then
                # $NAME replaces the undefined $LABEL of the original script
                echo "Cannot kill $NAME (pid=$pid)!"
                exit 1
            fi
        fi
    fi
    rm -f $PIDFILE
    return 0
}

case "$1" in
  start)
    check_ctl_dir
    echo -n "Starting $DESC: "
    start-stop-daemon --start --quiet --pidfile $PIDFILE \
        --exec $DAEMON -- $DAEMON_OPTS
    [ -n "$STARTUPTIME" ] && sleep "$STARTUPTIME"s
    if running ; then
        echo "$NAME."
    else
        echo " ERROR."
    fi
    ;;
  stop)
    echo -n "Stopping $DESC: "
    start-stop-daemon --stop --quiet --pidfile $PIDFILE \
        --exec $DAEMON
    [ -n "$DODTIME" ] && sleep "$DODTIME"s
    echo "$NAME."
    ;;
  force-stop)
    echo -n "Forcefully stopping $DESC: "
    force_stop
    if ! running ; then
        echo "$NAME."
    else
        echo " ERROR."
    fi
    ;;
  #reload)
    #
    # If the daemon can reload its config files on the fly
    # for example by sending it SIGHUP, do it here.
    #
    # If the daemon responds to changes in its config file
    # directly anyway, make this a do-nothing entry.
    #
    # echo "Reloading $DESC configuration files."
    # start-stop-daemon --stop --signal 1 --quiet --pidfile \
    #     /var/run/$NAME.pid --exec $DAEMON
  #;;
  force-reload)
    #
    # If the "reload" option is implemented, move the "force-reload"
    # option to the "reload" entry above. If not, "force-reload" is
    # just the same as "restart" except that it does nothing if the
    # daemon isn't already running.
    # check whether $DAEMON is running. If so, restart
    start-stop-daemon --stop --test --quiet --pidfile \
        /var/run/$NAME.pid --exec $DAEMON \
    && $0 restart \
    || exit 0
    ;;
  restart)
    check_ctl_dir
    echo -n "Restarting $DESC: "
    if running ; then
        start-stop-daemon --stop --quiet --pidfile \
            $PIDFILE --exec $DAEMON
    fi
    [ -n "$DODTIME" ] && sleep $DODTIME
    start-stop-daemon --start --quiet --pidfile \
        $PIDFILE --exec $DAEMON -- $DAEMON_OPTS
    echo "$NAME."
    ;;
  status)
    echo -n "$NAME is "
    if running ; then
        echo "running"
    else
        echo " not running."
        exit 1
    fi
    ;;
  *)
    N=/etc/init.d/$NAME
    # echo "Usage: $N {start|stop|restart|reload|force-reload}" >&2
    echo "Usage: $N {start|stop|restart|force-reload|status|force-stop}" >&2
    exit 1
    ;;
esac

exit 0
- Make it executable:
sudo chmod +x /etc/init.d/c-icap
- Create the Debian-style directories:
sudo mkdir -p /var/log/c-icap /var/run/c-icap /etc/c-icap
- Link the configuration files:
sudo ln -s /usr/local/etc/c-icap.conf /etc/c-icap/c-icap.conf
sudo ln -s /usr/local/etc/c-icap.magic /etc/c-icap/c-icap.magic
- Create the defaults file:
sudoedit /etc/default/c-icap
# Defaults for c-icap initscript
# sourced by /etc/init.d/c-icap
# installed at /etc/default/c-icap by the maintainer scripts
# Should c-icap daemon run automatically on startup? (default: no)
START=yes
# Additional options that are passed to the Daemon.
DAEMON_OPTS=""
- Enable it:
sudo update-rc.d c-icap defaults
- Link the Debian-style binary
sudo ln -s /usr/local/bin/c-icap /usr/bin/c-icap
- Start it