Building ICAP Chain for Antivirus and Web Filtering in Squid

Diladele Web Safety does not currently scan downloaded files for viruses. It is possible, however, to run a second ICAP server that does anti-virus scanning alongside qlproxy in Squid. This requires a version of Squid that supports ICAP service chaining (the adaptation_service_chain directive), i.e. 3.1.10 or later.

The following excerpt from squid.conf shows what needs to change in the ICAP integration section so that Diladele Web Safety and (for example) Kaspersky Anti-Virus for Proxy Server (kav4proxy) are applied one after the other. Note that both chains below use bypass=0: if either ICAP service is down, Squid returns an error to the client instead of passing the traffic through unscanned, which is what you want for an anti-virus hop.

# enable icap
icap_enable on

# enable icap preview to speed up checking
icap_preview_enable on

# the size of preview is set to 4Kb
icap_preview_size 4096

# after object is scanned, reuse the connection
icap_persistent_connections on

# diladele web safety needs ip info to correctly apply policies
icap_send_client_ip on

# diladele web safety need user info to correctly apply policies
icap_send_client_username on
icap_client_username_header X-Client-Username

# define diladele web safety request and response filtering services (non-standard port 1345, because kav4proxy takes the default 1344)
icap_service qlproxy1 reqmod_precache routing=0 bypass=0 icap://127.0.0.1:1345/reqmod
icap_service qlproxy2 respmod_precache routing=0 bypass=0 icap://127.0.0.1:1345/respmod

# define kaspersky request and response filtering services
icap_service kav1 reqmod_precache routing=0 bypass=0 icap://127.0.0.1:1344/av/reqmod
icap_service kav2 respmod_precache routing=0 bypass=0 icap://127.0.0.1:1344/av/respmod

# define domains and content types excluded from web filtering
acl qlproxy_icap_edomains dstdomain "/opt/qlproxy/etc/squid/icap_exclusions_domains.conf"
acl qlproxy_icap_etypes rep_mime_type "/opt/qlproxy/etc/squid/icap_exclusions_contenttypes.conf"

# create request chain (qlproxy to kav)
adaptation_service_chain chain1 qlproxy1 kav1

# exclude domains from the whole request chain (neither qlproxy nor kav sees them)
adaptation_access chain1 deny qlproxy_icap_edomains

# and scan other requests
adaptation_access chain1 allow all

# create response chain (qlproxy to kav)
adaptation_service_chain chain2 qlproxy2 kav2

# exclude domains from the whole response chain (neither qlproxy nor kav sees them)
adaptation_access chain2 deny qlproxy_icap_edomains

# exclude content types from the whole response chain; the AV scan is skipped for these as well, so keep the list short
adaptation_access chain2 deny qlproxy_icap_etypes

# and scan other responses
adaptation_access chain2 allow all

Please note that you also need to set the ICAP port in the Diladele Web Safety web UI (Settings / Network / Port) to 1345 so that it matches the icap_service lines above. For reference, here are the contents of /etc/opt/kaspersky/kav4proxy.conf. The header names in the [icapserver.protocol] section (X-Client-IP, X-Client-Username) must match what Squid sends via icap_send_client_ip and icap_client_username_header, and Allow204=true is what lets clean objects pass without being copied back. Also review the [icapserver.actions] section against your policy: ErrorAction, ProtectedAction, CorruptedAction and MaxReqLengthAction are all set to skip, so password-protected archives, corrupted files and objects the engine cannot scan are passed through rather than blocked.

# network settings
[icapserver.network]
ListenAddress=localhost:1344
Timeout=0

# process management settings
[icapserver.process]
MaxChildren=6
IdleChildren=1
MaxReqsPerChild=0
MaxEnginesPerChild=4

# protocol settings
[icapserver.protocol]
AnswerMode=partial
MaxSendDelayTime=10
PreviewSize=0
MaxConnections=5000
Allow204=true
HTTPClientIpICAPHeader=X-Client-IP
HTTPUserNameICAPHeader=X-Client-Username
SendAVScanResult=false
ReqModeServiceUrl=av/reqmod
RespModeServiceUrl=av/respmod

# path options
[icapserver.path]
PidFile=/var/run/kav4proxy/kavicapserver.pid
CorePath=

# groups
[icapserver.groups]
Priority=0
ClientIP=.*
URL=.*

# engine options
[icapserver.engine.options]
ScanPacked=yes
ScanArchives=yes
ScanSFXArchives=yes
ScanMailBases=yes
ScanMailPlain=yes
Cure=no
MaxScanTime=300
UseAnalyzer=yes
HeuristicLevel=recommended
MaxNestingLevel=8

# filter settings. Requests matching this section are excluded from the anti-virus scan; the skip action is applied to them.
[icapserver.filter]
ExcludeMimeType=
ExcludeURL=
MaxReqLength=0

# Actions applied to objects after scanning.
[icapserver.actions]
InfectedAction=deny
SuspiciousAction=deny
WarningAction=deny
ErrorAction=skip
ProtectedAction=skip
CorruptedAction=skip
CuredAction=skip
LicenseErrorAction=skip
BasesErrorAction=deny
MaxReqLengthAction=skip
PartialResponseAction=check
PartialRequestAction=check

# notifications
[icapserver.notify]
NotifyTemplateDir=/opt/kaspersky/kav4proxy/share/notify
NotifyScript=/etc/opt/kaspersky/notify.sh

# statistics 
[icapserver.statistics]
CounterStatisticsFile=
AVStatisticsFile=
AVStatisticsAddress=

# reports options for icap server
[icapserver.report]
ReportFileName=/var/log/kaspersky/kav4proxy/kavicapserver.log
Buffered=false
ReportLevel=4
ShowOk=true
Append=true
AVReportFileName=/var/log/kaspersky/kav4proxy/av_server_log
AVReportLevel=4
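
The quickest way to find out whether the two services really agree with the squid.conf above is to talk ICAP to them directly, without Squid in between. The script below is an added example, not code from the original post or from the Diladele or Kaspersky products. It speaks plain RFC 3507: an OPTIONS request to each of the four service endpoints, a check of the advertised Methods, Allow: 204 and Preview headers against what the Squid configuration assumes, and a hand-built RESPMOD request that can be pointed at the AV service to confirm it scans a body. Host, ports, paths and the X-Client-IP header name are taken from the two configuration files; the client address 192.0.2.10, the placeholder body and the sample responses used when testing offline are constructed for the example.

```python
"""Probe the ICAP services behind a Squid adaptation chain (added example)."""
import socket

# Endpoints exactly as defined by the icap_service lines in squid.conf above.
SERVICES = {
    "qlproxy1": ("127.0.0.1", 1345, "/reqmod", "REQMOD"),
    "qlproxy2": ("127.0.0.1", 1345, "/respmod", "RESPMOD"),
    "kav1": ("127.0.0.1", 1344, "/av/reqmod", "REQMOD"),
    "kav2": ("127.0.0.1", 1344, "/av/respmod", "RESPMOD"),
}


def build_options_request(host, port, path):
    """OPTIONS request, the same probe Squid sends before using a service."""
    return (f"OPTIONS icap://{host}:{port}{path} ICAP/1.0\r\n"
            f"Host: {host}:{port}\r\n"
            "User-Agent: icap-chain-probe/0.1\r\n"
            "Encapsulated: null-body=0\r\n\r\n").encode()


def parse_icap_response(raw):
    """Split an ICAP response head into (status_code, {lowercase header: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status_line, *lines = head.split("\r\n")
    status = int(status_line.split()[1])
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def check_options(status, headers, expected_method):
    """Return the mismatches between what the service advertises and what the
    squid.conf above relies on. An empty list means the service is consistent."""
    problems = []
    if status != 200:
        problems.append(f"OPTIONS returned {status}")
        return problems
    methods = [m.strip() for m in headers.get("methods", "").split(",")]
    if expected_method not in methods:
        problems.append(f"service does not offer {expected_method} (Methods: {methods})")
    # Without 'Allow: 204' every clean object is copied back in full instead
    # of being passed through, which defeats the point of previews.
    if "204" not in headers.get("allow", ""):
        problems.append("no 'Allow: 204' in OPTIONS response")
    # Squid only sends previews to a service that advertises a Preview size;
    # the advertised value overrides icap_preview_size for that service.
    if "preview" not in headers:
        problems.append("no Preview header: icap_preview_enable has no effect for this service")
    return problems


def build_respmod_request(host, port, path, http_request, http_response_head, body):
    """RESPMOD request carrying an HTTP response for the AV service to scan.
    http_request and http_response_head are complete header blocks ending in
    a blank line; the Encapsulated offsets are byte offsets into the payload,
    and getting them wrong is the usual reason a hand-rolled test gets a 400."""
    chunked = f"{len(body):x}\r\n".encode() + body + b"\r\n0\r\n\r\n"
    res_hdr_at = len(http_request)
    res_body_at = res_hdr_at + len(http_response_head)
    icap_head = (f"RESPMOD icap://{host}:{port}{path} ICAP/1.0\r\n"
                 f"Host: {host}:{port}\r\n"
                 "X-Client-IP: 192.0.2.10\r\n"  # name from HTTPClientIpICAPHeader; value constructed
                 "Allow: 204\r\n"
                 f"Encapsulated: req-hdr=0, res-hdr={res_hdr_at}, res-body={res_body_at}\r\n\r\n").encode()
    return icap_head + http_request + http_response_head + chunked


def probe(name, timeout=3.0):
    """Send OPTIONS to one configured service and return check_options() findings."""
    host, port, path, method = SERVICES[name]
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_options_request(host, port, path))
        raw = b""
        while b"\r\n\r\n" not in raw:
            chunk = s.recv(4096)
            if not chunk:
                break
            raw += chunk
    return check_options(*parse_icap_response(raw), method)


if __name__ == "__main__":
    for name in SERVICES:
        try:
            problems = probe(name)
        except OSError as exc:
            # With bypass=0 Squid fails this traffic closed while the service is down.
            problems = [f"connect failed: {exc}"]
        print(name, "OK" if not problems else "; ".join(problems))
```

Run it on the proxy host itself, since both services listen on loopback only (ListenAddress=localhost:1344 and 127.0.0.1:1345). To exercise the scanner rather than just its OPTIONS handler, feed build_respmod_request() a small HTTP response whose body is a known test file and send the result to kav2; a 200 reply carrying a replacement page means the object was blocked, a 204 means it was passed through clean.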

It is also possible to chain the c-icap server with Diladele Web Safety in the same way, but this is left as an exercise for the reader.

Posted by sichent in Anti-Virus, ICAP.
