AntiVirusSquid

To keep malicious files (and, while we are at it, advertisements) from reaching and compromising the users' web browsers, a filtering proxy is the easiest solution for medium to large installations. It enables centralized management of the anti-virus signatures and of the list of known ad providers. In my case the proxy is opt-in for each user but limited to FladiAtAccount owners.

Requirements

The foundation of this setup is again Debian GNU/Linux. Two packages are required, squid3 and havp. They drag in a whole lot of dependencies, among them ClamAV, which provides the anti-virus scanning.

PAM

To use PAM as the authenticator for Squid you need a corresponding PAM service. Create a file called /etc/pam.d/squid and list the auth and account modules your site uses (on Debian the usual way is to include common-auth and common-account). The service name "squid" is the one the pam_auth helper asks PAM for by default. Keep in mind that the helper has to be able to read whatever backend those modules consult; with pam_unix that is /etc/shadow, so the helper must run as root or be installed setuid root, otherwise every login fails.

Squid

Several settings in /etc/squid3/squid.conf need to be modified or added.

Authentication

First we let the users authenticate against the PAM service configured above. Add these lines to squid.conf:
auth_param basic program /usr/lib/squid3/pam_auth
auth_param basic children 2
auth_param basic realm Fladi.at - Proxy
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
Note that Basic authentication only base64-encodes the username and password, so they travel effectively in the clear between the browser and the proxy on every request. Keep the proxy on a network segment you trust.

ACLs

Add this ACL, named "user", as the first ACL in squid.conf:
acl user proxy_auth REQUIRED
Now allow HTTP access for this ACL:
http_access allow user all
Insert this line before the final "http_access deny all". Squid evaluates http_access rules in order and stops at the first match, so an allow rule placed after the deny never fires.

Forward requests to HAVP

To hand every request Squid handles on to HAVP we define a cache peer:
cache_peer 127.0.0.1 parent 3129 0 no-query no-digest no-netdb-exchange default
This simply forwards requests to HAVP, which we will configure to listen on TCP 127.0.0.1:3129. A parent peer alone is only a preference, though: if the peer is unreachable, or a request is marked non-hierarchical (as the default hierarchy_stoplist does for dynamic URLs), Squid fetches the object directly and it is never scanned. Forbid direct fetches with the never_direct directive (never_direct allow all) so that the only way out is through HAVP.

HAVP

HAVP is the HTTP Anti-Virus Proxy and is responsible for filtering out malicious content. It does not cache and does not enforce ACLs; both remain Squid's job. The Debian package ships a decent default configuration in /etc/havp/havp.config, where only a few settings have to be changed.

Listen only local

Change these settings to the appropriate values:
Setting       Value       Explanation
PORT          3129        The same port we gave the cache peer in Squid above.
BIND_ADDRESS  127.0.0.1   Bind to localhost only, since Squid is the only client that should talk to HAVP. HAVP itself has no ACLs, so on a public address it would be an open, unauthenticated proxy that bypasses everything Squid enforces.

ClamAV

Change these settings to enable scanning with ClamAV. Other AV engines can be used, but ClamAV is available from the Debian package repository. You can choose between clamav-daemon and libclamav. For libclamav change this setting:
Setting        Value   Explanation
ENABLECLAMLIB  true    Enables scanning for malicious files through libclamav. It is easier to set up but is expected to have a slight impact on performance.

If clamav-daemon is already running on this host, HAVP can use it instead. For clamav-daemon change these settings (and leave ENABLECLAMLIB at false, otherwise every object is scanned twice):

Setting      Value                       Explanation
ENABLECLAMD  true                        Enables scanning for malicious files through a running clamav-daemon instance. It should perform better than libclamav.
CLAMDSOCKET  /var/run/clamav/clamd.ctl   The Unix socket used to talk to clamav-daemon. This is the default for the Debian package; the user HAVP runs as must be allowed to connect to it.
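The Squid and HAVP settings above only work as a filter when they agree with each other and when Squid has no way around the peer. The following is an added example, not code from the original page or from Squid or HAVP: a small static check that reads both files and reports the mistakes that silently turn the setup into a bypass (no proxy_auth allow before the final deny, cache_peer not matching HAVP's bind address and port, no never_direct, HAVP bound to a public address, no or both ClamAV engines enabled). The file paths and the embedded sample configs are assumptions made for this example; the samples mirror the page's fragments, and the Squid one deliberately lacks never_direct so the check has something to find.

```python
"""Added example, not from the original page or the Squid/HAVP projects:
a static check of the squid.conf and havp.config settings this page
configures. With two file arguments it reads those paths (assumed to be
/etc/squid3/squid.conf and /etc/havp/havp.config); without arguments it
checks the constructed sample configs below."""
import sys

# Constructed sample mirroring the page's squid.conf fragments (note: no never_direct).
SAMPLE_SQUID_CONF = """\
auth_param basic program /usr/lib/squid3/pam_auth
auth_param basic children 2
auth_param basic realm Fladi.at - Proxy
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
acl user proxy_auth REQUIRED
http_access allow user all
http_access deny all
cache_peer 127.0.0.1 parent 3129 0 no-query no-digest no-netdb-exchange default
http_port 3128
"""

# Constructed excerpt of havp.config with the page's values.
SAMPLE_HAVP_CONFIG = """\
PORT 3129
BIND_ADDRESS 127.0.0.1
ENABLECLAMLIB true
ENABLECLAMD false
CLAMDSOCKET /var/run/clamav/clamd.ctl
"""


def directives(text):
    """Yield (keyword, [args]) per non-empty, non-comment line.
    Both files use 'KEYWORD value ...' lines with '#' comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            yield parts[0], parts[1:]


def check_squid(conf, havp_host, havp_port):
    """Return the list of problems found in a squid.conf text."""
    problems = []
    lines = list(directives(conf))
    # 1. A proxy_auth ACL must exist and be allowed before 'http_access deny all';
    #    Squid stops at the first matching http_access rule.
    auth_acls = {a[0] for k, a in lines
                 if k == "acl" and len(a) >= 2 and a[1] == "proxy_auth"}
    if not auth_acls:
        problems.append("no 'acl <name> proxy_auth REQUIRED' ACL defined")
    deny_all_seen = allow_seen = False
    for k, a in lines:
        if k != "http_access" or not a:
            continue
        if a[0] == "deny" and "all" in a[1:]:
            deny_all_seen = True
        elif a[0] == "allow" and auth_acls.intersection(a[1:]) and not deny_all_seen:
            allow_seen = True
    if auth_acls and not allow_seen:
        problems.append("'http_access allow <auth acl>' is missing or comes "
                        "after 'http_access deny all'")
    # 2. The cache_peer must point at the address and port HAVP binds to.
    if not any(k == "cache_peer" and len(a) >= 3 and a[0] == havp_host
               and a[1] == "parent" and a[2] == str(havp_port) for k, a in lines):
        problems.append(f"no 'cache_peer {havp_host} parent {havp_port} ...' "
                        "matching HAVP's BIND_ADDRESS/PORT")
    # 3. Without never_direct the peer is only a preference: Squid goes DIRECT
    #    when the peer is down or a request is marked non-hierarchical.
    if not any(k == "never_direct" and a[:2] == ["allow", "all"] for k, a in lines):
        problems.append("no 'never_direct allow all': Squid may fetch objects "
                        "directly and bypass HAVP")
    return problems


def check_havp(conf):
    """Return (problems, bind_address, port) for a havp.config text."""
    settings = {k: (a[0] if a else "") for k, a in directives(conf)}
    problems = []
    if settings.get("BIND_ADDRESS") != "127.0.0.1":
        problems.append("HAVP BIND_ADDRESS is not 127.0.0.1: HAVP has no ACLs, so "
                        "anyone reaching it skips Squid's authentication")
    engines = [e for e in ("ENABLECLAMLIB", "ENABLECLAMD")
               if settings.get(e, "false").lower() == "true"]
    if len(engines) != 1:
        problems.append(f"expected exactly one ClamAV engine enabled, got {engines}")
    try:
        port = int(settings.get("PORT", ""))
    except ValueError:
        port = None
        problems.append("HAVP PORT is missing or not numeric")
    return problems, settings.get("BIND_ADDRESS", ""), port


def lint(squid_conf, havp_conf):
    """Cross-check both configs; an empty list means no problem found."""
    havp_problems, host, port = check_havp(havp_conf)
    return check_squid(squid_conf, host, port) + havp_problems


if __name__ == "__main__":
    if len(sys.argv) == 3:
        squid_text = open(sys.argv[1]).read()
        havp_text = open(sys.argv[2]).read()
    else:
        squid_text, havp_text = SAMPLE_SQUID_CONF, SAMPLE_HAVP_CONFIG
    found = lint(squid_text, havp_text)
    for problem in found:
        print("PROBLEM:", problem)
    sys.exit(1 if found else 0)
```

Run it against the live files after every change to squid.conf or havp.config; a non-zero exit means at least one of the checks failed and the proxy should not be put in front of users until it passes.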

Usage

Start both Squid and HAVP via their scripts in /etc/init.d, HAVP first so that the peer is up before Squid accepts requests:

/etc/init.d/havp start
/etc/init.d/squid3 start

Now configure your browser to use the server on port 3128 (the port Squid listens on; if in doubt, check http_port in /etc/squid3/squid.conf). On the first URL you request, an authentication dialog should pop up asking for username and password. Provide credentials that are valid for the PAM stack configured above and you should be able to surf through Squid and HAVP.

To test the filtering of malicious files point your browser to http://www.eicar.org/anti_virus_test_file.htm and try to download one of the test files at the bottom of the page. If everything works, you should see a page from HAVP saying that you tried to download a virus with the signature "Eicar-Test-Signature". If your browser downloads the file instead, the setup is not working and malicious files are still passing through to your browser. Use the plain HTTP download links for this test: HAVP can only inspect unencrypted HTTP, so anything fetched over HTTPS, which Squid tunnels with CONNECT, reaches the browser unscanned whether the setup works or not.
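The same EICAR check can be scripted so it runs after every configuration change instead of relying on a browser. The following is an added example, not code from the original page or from HAVP: it requests a test file through the authenticating Squid proxy and classifies the answer as blocked, passed through, or rejected at the authentication step. The proxy address http://127.0.0.1:3128, the command-line arguments, and the sample responses used to exercise the classifier are assumptions made for this example; the block page is recognised by the signature name the page says HAVP displays.

```python
"""Added example, not from the original page or HAVP: fetch the EICAR test
file through Squid with Basic proxy credentials and classify the result.
Assumed: Squid on http://127.0.0.1:3128; user, password and the test file's
plain-http URL are given on the command line (https:// URLs would bypass
HAVP through a CONNECT tunnel and prove nothing)."""
import base64
import sys
import urllib.error
import urllib.request

# The EICAR test file contains this literal marker; if it shows up in the
# response body the file reached the client, i.e. the scanner was bypassed.
EICAR_MARKER = b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"
# ClamAV's name for the test file, shown on HAVP's block page per the page text.
CLAMAV_SIGNATURE = b"eicar-test-signature"


def verdict(status, body):
    """Classify a proxied response to the EICAR download."""
    if EICAR_MARKER in body:
        return "passed-through"   # file delivered: HAVP is not in the path
    if status == 407:
        return "auth-rejected"    # Squid wants credentials: check the PAM setup
    if CLAMAV_SIGNATURE in body.lower():
        return "blocked"          # HAVP's block page naming the signature
    return "unexpected"           # look at the status and body by hand


def fetch_via_proxy(url, proxy, user, password, timeout=30):
    """GET url through proxy with Basic proxy credentials; return (status, body)."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({"http": proxy}))
    req = urllib.request.Request(url)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Proxy-Authorization", "Basic " + token)
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()   # 403 and 407 answers arrive here


def main(argv):
    if len(argv) != 4 or not argv[3].startswith("http://"):
        print(f"usage: {argv[0]} USER PASSWORD http://host/path/to/eicar-file")
        return 2
    _, user, password, url = argv
    status, body = fetch_via_proxy(url, "http://127.0.0.1:3128", user, password)
    result = verdict(status, body)
    print(f"HTTP {status}: {result}")
    return 0 if result == "blocked" else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A "passed-through" result with a 200 status is the dangerous one: the credentials worked, Squid served the request, and the file still arrived, which usually means Squid went direct instead of through the HAVP peer. "auth-rejected" points at the PAM service or the privileges of the pam_auth helper rather than at HAVP.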

Topic revision: r4 - 23 Oct 2008 - 20:37:19 - FladischerMichael