squid + icap + clamav gateway antivirus
Author: Zhang Hui (jimzhang)
QQ: 872656885
E-mail / MSN: zhanghui8059@126.com
Personal blog: zhanghui8059.cublog.cn
Note: the content of this article belongs to the author. Reposting is welcome, but please keep the complete author information when you repost, because the author's articles all come from real experience and project work, and every one of them has effort behind it. Thank you!
Criticism and suggestions are welcome; if you have questions, please contact the author.
Network viruses are rampant nowadays; one careless moment can infect every computer in the company, which wastes a lot of money and resources and is bad for the company's network security, so gateway antivirus is very necessary. On Windows there is ISA, which combined with antivirus software can act as a gateway scanner; it works reasonably well, but it costs a lot of money and needs good hardware, and with many users its stability is not great. So I looked for a Linux solution. On Linux that naturally means squid and clamav for gateway scanning, but for the component in between I had used havp and dansguardian: both spawn many processes, consume a lot of resources, and can only run on the local machine, so the scanner cannot be separated from the proxy.
For those reasons I found that people abroad all use ICAP. ICAP is just a protocol (Internet Content Adaptation Protocol); scanning through a protocol is certainly better than havp or dansguardian, and the proxy server and the scanning server can be separated. Domestic users mostly use hardware antivirus gateways from companies such as Trend Micro and McAfee, and those hardware or software antivirus gateways all have traces of ICAP in them.
Linux software is basically all open source and works well, so why not build a gateway antivirus yourself? It will certainly not be much worse than the commercial antivirus products. People here use this setup with good results, so I got the urge: relying on my familiarity with Linux, I decided to switch the company over to squid + c_icap + clamav, and after going live it really does work.
Squid supports an ICAP client from version 3.0. Among open-source ICAP servers I only found c_icap, and it integrates well with clamav. Below are my installation steps:
1. squid 3.0 supports the ICAP client, so compile and install squid 3.0.
./configure --prefix=/usr/local/squid \   //installation directory
--enable-linux-tproxy \
--enable-linux-netfilter \   //transparent proxy support
--enable-cpu-profiling \   //CPU profiling instrumentation (the author lists it as multi-CPU support)
--enable-icap-client \   //ICAP client support
--enable-kill-parent-hack \   //when squid is shut down, also shut down its parent process
--enable-arp-acl \   //MAC-address ACL support
--enable-delay-pools   //enables delay pools, so that bandwidth can be capped for particular requests
vi /usr/local/squid/etc/squid.conf
http_port 8080 transparent
cache_mem 128 MB
cache_dir ufs /usr/local/squid/var/cache 100 16 256
cache_effective_user root
cache_effective_group root
dns_nameservers 222.172.200.68
cache_access_log /usr/local/squid/var/logs/access.log
cache_store_log /usr/local/squid/var/logs/store.log
cache_log /usr/local/squid/var/logs/cache.log
pid_filename /usr/local/squid/var/logs/squid.pid
visible_hostname tglm.3322.org
client_mask 255.255.255.255
cache_mgr postmaster@tglm.3322.org
error_directory /usr/local/squid/share/errors/Simplify_Chinese
auth_param basic program /usr/bin/ncsa_auth /usr/local/squid/etc/password
auth_param basic children 5
auth_param basic realm My Proxy Caching Domain
auth_param basic credentialsttl 2 hours
acl normal proxy_auth REQUIRED
http_access allow normal
acl cc arp 00:91:50:04:06:38
acl bb src 222.220.0.0/255.255.0.0
acl aa src 0.0.0.0/0
acl tt time MTWHF 08:00-20:00
acl xz urlpath_regex -i \.mp3$ \.avi$ \.wma$
acl ww dstdomain www.baidu.com www.qq.com
http_access deny xz
http_access deny !tt
http_access deny ww
http_access allow cc
http_access allow bb
Explanation of the directives:
error_directory //directory of the error pages
http_port 192.168.0.1:3128 //squid's proxy port (with an IP address given, squid does not listen on external interfaces)
dns_nameservers //the ISP's public DNS
cache_mgr //the administrator's e-mail address
visible_hostname //the hostname squid identifies itself with
client_mask 255.255.255.255 //tells squid how to treat clients: each request's IP address is handled as a separate address
httpd_accel_uses_host_header on //HTTP/1.1 support
httpd_accel_host virtual
httpd_accel_with_proxy on //whether squid also proxies the local web server
http_access allow all //allow all hosts to go online through the proxy
cache_mem 20 MB //the RAM squid may use
maximum_object_size 4096 KB //maximum and minimum sizes of cached objects
minimum_object_size 0 KB
maximum_object_size_in_memory 30 KB
minimum_object_size_in_memory 0 KB
cache_dir ufs /usr/local/squid/var/cache 100 16 256 //disk cache directory: 100 MB of cache space, 16 directories, 256 subdirectories each
cache_access_log /var/squid/access.log //client access log
cache_log /var/squid/cache.log //cache activity log
cache_store_log /var/squid/store.log //object store log
cache_swap_low 85 //low and high water marks for cache replacement, as percentages of cache_dir usage (above the high mark squid evicts objects until usage falls back below the low mark)
cache_swap_high 90
httpd_accel_port 80 //port of the accelerated (origin) server
acl mmxfile urlpath_regex -i \.mp3$ \.avi$ \.wma$ //(-i ignores case, e.g. mp3 = MP3)
http_access deny mmxfile
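The http_access lines above are evaluated top to bottom and the first line whose ACLs all match decides, so their order matters: with `http_access allow normal` placed first, the deny rules after it never apply to an authenticated user. The following Python is an added example (not code from the post) that reproduces that first-match evaluation for the ACL types the post uses; the `request` helper, the dates and the copy of the rules (arp rule left out) are constructed for illustration.

```python
import re
from datetime import datetime
from ipaddress import ip_address, ip_network
# Added example, not code from the post: first-match evaluation of Squid http_access rules.
DAYS = "MTWHFAS"  # Squid's day letters, Monday..Sunday
def request(src, host, path, when="2024-03-04 10:00", user=None):
    return dict(src=src, host=host, path=path, user=user,
                when=datetime.strptime(when, "%Y-%m-%d %H:%M"))
def acl_matches(kind, args, req):
    if kind == "proxy_auth":  # REQUIRED: any authenticated user
        return req["user"] is not None
    if kind == "src":  # prefix or netmask notation, as in squid.conf
        return any(ip_address(req["src"]) in ip_network(a, strict=False) for a in args)
    if kind == "time":  # e.g. 'MTWHF 08:00-20:00'
        start, end = (int(t[:2]) * 60 + int(t[3:]) for t in args[1].split("-"))
        now = req["when"].hour * 60 + req["when"].minute
        return DAYS[req["when"].weekday()] in args[0] and start <= now < end
    if kind == "urlpath_regex":  # optional -i makes the patterns case-insensitive
        flags, pats = (re.I, args[1:]) if args[0] == "-i" else (0, args)
        return any(re.search(p, req["path"], flags) for p in pats)
    if kind == "dstdomain":  # a leading dot also matches subdomains
        h = req["host"].lower()
        return any(h == d or (d.startswith(".") and h.endswith(d)) for d in args)
    raise ValueError("unsupported acl type " + kind)
def evaluate(conf, req):
    # First http_access line whose terms all match wins ('!' negates a term);
    # with no match Squid applies the opposite of the last rule's action.
    acls, verdict = {}, "deny"
    for parts in (ln.split() for ln in conf.splitlines()):
        if len(parts) >= 3 and parts[0] == "acl":
            acls[parts[1]] = (parts[2], parts[3:])
        elif len(parts) >= 3 and parts[0] == "http_access":
            verdict, terms = parts[1], parts[2:]
            if all(acl_matches(*acls[t.lstrip("!")], req) != t.startswith("!") for t in terms):
                return verdict, " ".join(parts)
    return ("deny" if verdict == "allow" else "allow"), "default"

# Constructed copy of the post's rule order (arp rule omitted): 'allow normal'
# comes first, so the deny rules below it never apply to an authenticated user.
SQUID_CONF = r"""
acl normal proxy_auth REQUIRED
http_access allow normal
acl bb src 222.220.0.0/255.255.0.0
acl tt time MTWHF 08:00-20:00
acl xz urlpath_regex -i \.mp3$ \.avi$ \.wma$
acl ww dstdomain www.baidu.com www.qq.com
http_access deny xz
http_access deny !tt
http_access deny ww
http_access allow bb
"""
```

Moving `http_access allow normal` below the deny lines makes the content, time and domain restrictions apply to everyone. Squid also cannot apply proxy_auth to traffic arriving on an intercepting (transparent) port, because browsers that do not know about the proxy never send Proxy-Authorization.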
# /usr/local/squid/sbin/squid -NCd1   //test run in the foreground, ctrl+c to exit
# echo "/usr/local/squid/bin/RunCache & " >> /etc/rc.d/rc.local
# /usr/local/squid/sbin/squid -k reconfigure   //load the new configuration file
# /usr/local/squid/sbin/squid -k rotate   //rotate the logs
# /usr/local/squid/sbin/squid -k shutdown   //stop squid
ICAP client configuration for squid:
icap_enable on
icap_preview_enable on
icap_preview_size 128
icap_send_client_ip on
icap_service service_avi_req reqmod_precache 0 icap://localhost:1344/srv_clamav
icap_service service_avi respmod_precache 1 icap://localhost:1344/srv_clamav
icap_class class_antivirus service_avi
icap_access class_antivirus allow all
icap_class class_antivirus_req service_avi_req
icap_access class_antivirus_req allow all
2. Install the antivirus software clamav
Official download: http://www.clamav.net
Add the user and group clamav needs:
groupadd clamav
useradd -g clamav -s/bin/false -d/dev/null clamav
(1) Unpack and install:
tar zxvf clamav-0.88.4.tar.gz
cd clamav-0.88.4
./configure --prefix=/usr/local/clamav --with-dbdir=/usr/clamav
make
make check
make install
(2) Edit the configuration file:
vi /usr/etc/clamd.conf
LogSyslog
LogVerbose
LogFacility LOG_MAIL
LogFile /var/log/clamav/clamd.log
PidFile /var/run/clamd.pid
DatabaseDirectory /usr/clamav
LocalSocket /var/run/clamav/clamd
StreamMaxLength 10M
User clamav
ScanMail
ScanArchive
ScanRAR
Note: be sure to comment out the "Example" line in both configuration files (clamd.conf and freshclam.conf).
Edit the virus-database update configuration file:
vi /usr/etc/freshclam.conf
DatabaseDirectory /usr/clamav
UpdateLogFile /var/log/clamav/freshclam.log
LogSyslog
LogVerbose
DatabaseOwner clamav
Checks 12
DatabaseMirror db.CN.clamav.net
DatabaseMirror database.clamav.net
NotifyClamd
mkdir /var/log/clamav
chown clamav.clamav /var/log/clamav/
3. Install c_icap
http://c-icap.sourceforge.net/
./configure --enable-static --prefix=/usr/local/c-icap/ \
--with-clamav
make
make install
Start it in debug mode for testing: /usr/local/c-icap/bin/c-icap -N -D -d 10
The c-icap.conf used is as follows:
#
# This file contains the default settings for c-icap
#
PidFile /var/run/c-icap.pid
CommandsSocket /var/run/c-icap/c-icap.ctl
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
## set KeepAliveTimeout to -1 for no timeout
KeepAliveTimeout 600
StartServers 3
MaxServers 10
MinSpareThreads 10
MaxSpareThreads 20
ThreadsPerChild 10
MaxRequestsPerChild 0
Port 1344
User root
Group root
#ServerAdmin you@your.address # Not implemented yet
#ServerName localhost:1344 # Not implemented yet
TmpDir /var/tmp
MaxMemObject 131072
ServerLog /usr/local/c-icap//var/log/server.log
AccessLog /usr/local/c-icap//var/log/access.log
#DebugLevel 3
ModulesDir /usr/local/c-icap/lib/c_icap
Module logger sys_logger.so
#Module perl_handler perl_handler.so   # this line is commented out, otherwise c-icap reports an error
sys_logger.Prefix "C-ICAP:"
sys_logger.Facility local1
##Specify which logger to use......
#Logger sys_logger
Logger file_logger
## AclControllers example. The default_acl is the builtin acl controller
## To load an external access controller named my_acl.so use:
#Module access_controller my_acl.so
## This parameter is needed to specify the order of the acl controllers used
## If not specified access control will be disabled
#AclControllers default_acl
## An example of acl lists for default_acl controller.
## acl and icap_access are aliases for default_acl.acl and default_acl.icap_access
#acl localnet_options src 192.168.1.0/255.255.255.0 type options
#acl localnet_respmod src 192.168.1.0/255.255.255.0 type respmod
acl localnet_respmod src 127.0.0.1
#acl localnet src 192.168.1.0/255.255.255.0
acl localnet src 127.0.0.1
##Use the following to demand use of username ......
##acl localnet src 192.168.1.0/255.255.255.0 user *
acl externalnet src 0.0.0.0/0.0.0.0
#acl barbarian src 192.168.1.5
##An example to specify access to server
#icap_access deny barbarian
#icap_access allow localnet_options
icap_access allow localnet_respmod
icap_access allow localnet
## http_auth mean that the icap server must try to authenticate the request
## using the http headers ....
#icap_access http_auth localnet
icap_access deny externalnet
#Also you can specify which hosts to log or not.
# Comment out the following two lines to log only the external net
#icap_access nolog localnet
#icap_access log externalnet
##An example for authentication methods ....
## To load an external authentication method module named my_authmethod.so use:
#Module auth_method my_authmethod.so
##The following parameter is needed to specify the order of authenticators for a
##specific authentication method. file_basic is a builtin authenticator
##for the builtin basic authentication method (Not implemented yet......) ......
#AuthMethod basic file_basic
ServicesDir /usr/local/c-icap//lib/c_icap
Service echo_module srv_echo.so
Service url_check_module srv_url_check.so
Service antivirus_module srv_clamav.so
##Adding the alias avscan for srv_clamav service.
ServiceAlias avscan srv_clamav?allow204=on&sizelimit=off&mode=simple
# Antivirus module settings
# For allowed file types or groups of file types look at c-icap.magic
srv_clamav.ScanFileTypes TEXT DATA EXECUTABLE ARCHIVE GIF JPEG MSOFFICE
#The percentage of data to send if the downloaded file exceeds the StartSendPercentDataAfter size
srv_clamav.SendPercentData 5
srv_clamav.StartSendPercentDataAfter 2M
##Uncomment the following line to enable 204 responses outside previews for srv_clamav
## if your icap client supports it. For squid leave it off
#srv_clamav.Allow204Responces on
# The maximum object size to be scanned.
srv_clamav.MaxObjectSize 5M
#The directory which clamav library will use as temporary.
#srv_clamav.ClamAvTmpDir /var/tmp
#Sets the maximum number of files in an archive. Set it to 0 to disable it
srv_clamav.ClamAvMaxFilesInArchive 0
#Sets the maximal archived file size. Set it to 0 to disable it.
srv_clamav.ClamAvMaxFileSizeInArchive 100M
#The maximal recursion level.Set it to 0 to disable it.
srv_clamav.ClamAvMaxRecLevel 5
# And here the viralator-like mode.
# where to save documents
#srv_clamav.VirSaveDir /srv/www/htdocs/downloads/
# from where the documents can be retrieved (you can find the get_file.pl script in contrib dir)
#srv_clamav.VirHTTPServer "http://fortune/cgi-bin/get_file.pl?usename=%f&remove=1&file="
# The refresh rate....
#srv_clamav.VirUpdateTime 15
# For which filetypes the "virelator like mode" will be used.
#srv_clamav.VirScanFileTypes ARCHIVE EXECUTABLE
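To show what the icap_service lines in the squid section and the srv_clamav settings above actually exchange, here is an added Python example (not code from the post, from squid or from c-icap) that builds the RESPMOD request squid sends with a 128-byte preview and an Allow: 204 header, and classifies the server's reply; the HTTP messages, the ISTag values and the X-Infection-Found reply are constructed samples, not captures.

```python
# Added example, not from the post: the RESPMOD exchange Squid runs against the
# c-icap service above (128-byte preview, Allow: 204), built and parsed offline.
ICAP_URL = "icap://localhost:1344/srv_clamav"  # from the icap_service line above

def respmod_request(http_req_hdr, http_res_hdr, body, preview=128, allow204=True):
    # Encapsulated lists the byte offset of each section that follows the ICAP headers
    lines = [f"RESPMOD {ICAP_URL} ICAP/1.0", "Host: localhost:1344",
             f"Preview: {preview}",
             f"Encapsulated: req-hdr=0, res-hdr={len(http_req_hdr)}, "
             f"res-body={len(http_req_hdr) + len(http_res_hdr)}"]
    if allow204:  # lets the server answer 204 instead of echoing a clean body back
        lines.insert(2, "Allow: 204")
    icap_hdr = ("\r\n".join(lines) + "\r\n\r\n").encode()
    chunk = body[:preview]  # only the preview is sent before the server decides
    chunked = f"{len(chunk):x}\r\n".encode() + chunk + b"\r\n" if chunk else b""
    # 'ieof' tells the server the preview already holds the whole body
    end = b"0; ieof\r\n\r\n" if len(body) <= preview else b"0\r\n\r\n"
    return icap_hdr + http_req_hdr + http_res_hdr + chunked + end

def parse_icap_response(raw):
    # 204 = clean, unchanged; 100 = send the rest of the body; 200 = the server
    # replaced the response, and X-Infection-Found names the detected threat
    head = raw.split(b"\r\n\r\n", 1)[0].decode()
    status_line, *hdr_lines = head.split("\r\n")
    headers = dict(h.split(": ", 1) for h in hdr_lines)
    result = {"status": int(status_line.split()[1]), "headers": headers, "threat": None}
    if result["status"] == 204:
        result["verdict"] = "clean"
    elif result["status"] == 100:
        result["verdict"] = "continue"
    elif result["status"] == 200:
        found = headers.get("X-Infection-Found", "")
        fields = dict(kv.strip().split("=", 1) for kv in found.split(";") if "=" in kv)
        result["verdict"] = "infected" if "Threat" in fields else "modified"
        result["threat"] = fields.get("Threat")
    else:
        result["verdict"] = "error"
    return result

# Constructed samples: one HTTP exchange and two c-icap replies (not real captures)
HTTP_REQ = b"GET http://example.com/a.exe HTTP/1.1\r\nHost: example.com\r\n\r\n"
HTTP_RES = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
            b"Content-Length: 300\r\n\r\n")
BODY = b"MZ" + b"\x00" * 298
REPLY_CLEAN = b'ICAP/1.0 204 Unmodified\r\nISTag: "CI0001-sample"\r\n\r\n'
REPLY_BLOCKED = (b'ICAP/1.0 200 OK\r\nISTag: "CI0001-sample"\r\n'
                 b"X-Infection-Found: Type=0; Resolution=2; Threat=Eicar-Test-Signature;\r\n"
                 b"Encapsulated: res-hdr=0, res-body=0\r\n\r\n")
```

A 200 reply carries the replacement page that c-icap hands back in place of the download, so logging the X-Infection-Found header on the proxy side is the simplest way to record what the gateway blocked.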
httpd.conf (Apache) configuration:
AllowOverride all
Options all
Order allow,deny
Allow from all
SetHandler cgi-script
Options +ExecCGI
#AllowOverride All
Summary