Squid + ICAP + ClamAV gateway antivirus

Author: Zhang Hui (jimzhang)
QQ: 872656885
E-mail / MSN: zhanghui8059@126.com
Personal blog: zhanghui8059.cublog.cn
Note: the content of this article belongs to the author. You are welcome to repost it, but when you do, please keep the author's information intact: everything the author writes comes from hands-on experience and real project deployments, and every article carries the author's effort. Thank you!
Criticism and pointers are welcome; if you have questions, please contact the author.

Network viruses are rampant today; one careless moment can infect every computer in the company, wasting a great deal of money and resources and undermining the company's network security, so an antivirus gateway is essential. On Windows there is ISA, which together with antivirus software can act as an antivirus gateway; it works reasonably well, but it costs a lot of money, needs strong hardware, and with many users its stability is not great either. So I looked for a solution on Linux. On Linux that naturally means Squid and ClamAV for gateway antivirus, but as for the component in between, I have used HAVP and DansGuardian: both spawn many processes, consume a lot of resources, and can only work on the local machine; they cannot be separated from the proxy.
For these reasons, I noticed that people abroad all use ICAP. ICAP is simply a protocol (Internet Content Adaptation Protocol); scanning through a protocol is surely better than HAVP or DansGuardian, and the proxy server and the scanning server can be separated. Domestically the most common choice is a hardware antivirus gateway, for example from vendors such as Trend Micro or McAfee, and in fact these vendors' hardware and software antivirus gateways all show traces of ICAP.
Linux software is basically all open source and works very well, so why not build an antivirus gateway yourself? The result will certainly not be much worse than the antivirus vendors' products. Many people use this setup with good results, so I got the urge: relying on my familiarity with Linux, I planned to switch the company to squid + c_icap + clamav, and after going live the results were indeed good.
Squid supports the ICAP client from version 3.0. Among open-source ICAP servers I found only c_icap, and it integrates well with ClamAV. Below are my installation steps:

1. Squid 3.0 supports the ICAP client, so compile and install Squid 3.0.

./configure --prefix=/usr/local/squid \
    --enable-linux-tproxy \
    --enable-linux-netfilter \
    --enable-cpu-profiling \
    --enable-icap-client \
    --enable-kill-parent-hack \
    --enable-arp-acl \
    --enable-delay-pools

Option notes (comments cannot follow a trailing backslash, so they are listed here):
--prefix=/usr/local/squid    install directory
--enable-linux-netfilter     transparent proxy support
--enable-cpu-profiling       multi-CPU support
--enable-icap-client         ICAP client support
--enable-kill-parent-hack    whether to kill the parent process as well when squid is shut down
--enable-arp-acl             ACLs by MAC address
--enable-delay-pools         enables delay pools, which cap the bandwidth of particular requests

vi /usr/local/squid/etc/squid.conf
http_port 8080 transparent
cache_mem 128 MB
cache_dir ufs /usr/local/squid/var/cache 100 16 256
cache_effective_user root
cache_effective_group root
dns_nameservers 222.172.200.68
cache_access_log /usr/local/squid/var/logs/access.log
cache_store_log /usr/local/squid/var/logs/store.log
cache_log /usr/local/squid/var/logs/cache.log
pid_filename /usr/local/squid/var/logs/squid.pid
visible_hostname tglm.3322.org
client_mask 255.255.255.255
cache_mgr postmaster@tglm.3322.org
error_directory /usr/local/squid/share/errors/Simplify_Chinese
auth_param basic program /usr/bin/ncsa_auth /usr/local/squid/etc/password
auth_param basic children 5
auth_param basic realm My Proxy Caching Domain
auth_param basic credentialsttl 2 hours
acl normal proxy_auth REQUIRED
http_access allow normal

acl cc arp 00:91:50:04:06:38
acl bb src 222.220.0.0/255.255.0.0
acl aa src 0.0.0.0/0

acl tt time MTWHF 08:00-20:00
acl xz urlpath_regex -i \.mp3$ \.avi$ \.wma$
acl ww dstdomain www.baidu.com www.qq.com

http_access deny xz
http_access deny !tt
http_access deny ww
http_access allow cc
http_access allow bb

Directive explanations:
error_directory                 # directory of the error pages
http_port 192.168.0.1:3128      # Squid's proxy port (with an IP address given, Squid will not listen on external interfaces)
dns_nameservers                 # China Telecom public DNS
cache_mgr                       # administrator's e-mail address
visible_hostname                # hostname shown to clients
client_mask 255.255.255.255     # tells Squid how to treat clients: each request's IP is handled as a separate address
httpd_accel_uses_host_header on # HTTP/1.1 support
httpd_accel_host virtual
httpd_accel_with_proxy on       # whether squid also proxies the local web server
http_access allow all           # allow all hosts to reach the Internet through the proxy
cache_mem 20 MB                 # RAM Squid may use
maximum_object_size 4096 KB     # maximum and minimum sizes of cached objects
minimum_object_size 0 KB
maximum_object_size_in_memory 30 KB
minimum_object_size_in_memory 0 KB
cache_dir ufs /usr/local/squid/var/cache 100 16 256 # disk cache directory: 100 MB of cache space, 16 directories, 256 subdirectories
cache_access_log /var/squid/access.log # client access log
cache_log /var/squid/cache.log         # cache activity
cache_store_log /var/squid/store.log   # web page storage activity
cache_swap_low 85               # percentage at which space swapping occurs (when the cache level goes above or below a given percentage, data is exchanged with the swap space)
cache_swap_high 90
httpd_accel_port 80             # port of the accelerated (origin) server
acl mmxfile urlpath_regex -i \.mp3$ \.avi$ \.wma$   # (-i ignores case, e.g. mp3 = MP3)
http_access deny mmxfile

# /usr/local/squid/sbin/squid -NCd1              # test run in the foreground; Ctrl+C to exit
# echo "/usr/local/squid/bin/RunCache &" >> /etc/rc.d/rc.local
# /usr/local/squid/sbin/squid -k reconfigure     # reload the new configuration file
# /usr/local/squid/sbin/squid -k rotate          # rotate the logs
# /usr/local/squid/sbin/squid -k shutdown        # stop squid

ICAP client configuration for squid (squid.conf):
icap_enable on
icap_preview_enable on
icap_preview_size 128
icap_send_client_ip on
icap_service service_avi_req reqmod_precache 0 icap://localhost:1344/srv_clamav
icap_service service_avi respmod_precache 1 icap://localhost:1344/srv_clamav
icap_class class_antivirus service_avi
icap_access class_antivirus allow all
icap_class class_antivirus_req service_avi_req
icap_access class_antivirus_req allow all

2. Install the antivirus software ClamAV

Official download: http://www.clamav.net
Add the user and group ClamAV needs:
groupadd clamav
useradd -g clamav -s /bin/false -d /dev/null clamav
Extract and install:
tar zxvf clamav-0.88.4.tar.gz
cd clamav-0.88.4
./configure --prefix=/usr/local/clamav --with-dbdir=/usr/clamav
make
make check
make install

Edit the configuration file:

vi /usr/etc/clamd.conf

LogSyslog
LogVerbose
LogFacility LOG_MAIL
LogFile /var/log/clamav/clamd.log
PidFile /var/run/clamd.pid
DatabaseDirectory /usr/clamav
LocalSocket /var/run/clamav/clamd
StreamMaxLength 10M
User clamav
ScanMail
ScanArchive
ScanRAR

Note: be sure to comment out the Example line in both configuration files (clamd.conf and freshclam.conf).

Edit the virus-database update configuration file:
vi /usr/etc/freshclam.conf
DatabaseDirectory /usr/clamav
UpdateLogFile /var/log/clamav/freshclam.log
LogSyslog
LogVerbose
DatabaseOwner clamav
Checks 12
DatabaseMirror db.CN.clamav.net
DatabaseMirror database.clamav.net
NotifyClamd
mkdir /var/log/clamav
chown clamav.clamav /var/log/clamav/

3. Install c-icap
http://c-icap.sourceforge.net/
./configure --enable-static --prefix=/usr/local/c-icap/ \
--with-clamav
make
make install

Start in debug mode: /usr/local/c-icap/bin/c-icap -N -D -d 10

c-icap configuration file (c-icap.conf):

#
# This file contains the default settings for c-icap
#

PidFile /var/run/c-icap.pid
CommandsSocket /var/run/c-icap/c-icap.ctl
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
## set KeepAliveTimeout to -1 for no timeout
KeepAliveTimeout 600
StartServers 3
MaxServers 10
MinSpareThreads     10
MaxSpareThreads     20
ThreadsPerChild     10
MaxRequestsPerChild   0
Port 1344
User root
Group root
#ServerAdmin you@your.address # Not implemented yet
#ServerName localhost:1344 # Not implemented yet

TmpDir /var/tmp
MaxMemObject 131072

ServerLog /usr/local/c-icap//var/log/server.log
AccessLog /usr/local/c-icap//var/log/access.log
#DebugLevel 3

ModulesDir /usr/local/c-icap/lib/c_icap
Module logger sys_logger.so
#Module perl_handler perl_handler.so   # keep this line commented out, otherwise c-icap reports an error

sys_logger.Prefix "C-ICAP:"
sys_logger.Facility local1

##Specify which logger to use
#Logger sys_logger
Logger file_logger

## AclControllers example. The default_acl is the built-in acl controller
## To load an external access controller named my_acl.so use:
#Module access_controller   my_acl.so

## This parameter is needed to specify the order of the acl controllers used
## If not specified, access control will be disabled
#AclControllers default_acl

## An example of acl lists for default_acl controller.
## acl and icap_access   are aliases for default_acl.acl and default_acl.icap_access
#acl localnet_options src 192.168.1.0/255.255.255.0 type options
#acl localnet_respmod src 192.168.1.0/255.255.255.0 type respmod
acl localnet_respmod src 127.0.0.1
#acl localnet src 192.168.1.0/255.255.255.0
acl localnet src 127.0.0.1
##Use the following to demand use of a username
##acl localnet src 192.168.1.0/255.255.255.0 user *
acl externalnet src 0.0.0.0/0.0.0.0
#acl barbarian src 192.168.1.5

##An example to specify access to server
#icap_access deny barbarian
#icap_access allow localnet_options
icap_access allow localnet_respmod
icap_access allow localnet
## http_auth mean that the icap server must try to authenticate the request
## using the http headers ....
#icap_access   http_auth localnet
icap_access deny externalnet

#Also you can specify which hosts to log or not.
# Comment out the following two lines to log only the external net
#icap_access nolog localnet
#icap_access log externalnet

##An example for authentication methods ....
## To load an external authentication method module named my_authmethod.so use:
#Module auth_method my_authmethod.so

##The following parameter is needed to specify the order of authenticators for
##a specific authentication method. file_basic is a built-in authenticator
##for the built-in basic authentication method (Not implemented yet)
#AuthMethod basic file_basic
ServicesDir /usr/local/c-icap//lib/c_icap
Service echo_module srv_echo.so
Service url_check_module srv_url_check.so
Service antivirus_module srv_clamav.so
##Adding the alias avscan for srv_clamav service.
ServiceAlias   avscan srv_clamav?allow204=on&sizelimit=off&mode=simple

# Antivirus module settings
# For allowed file types or groups of file types look at   c-icap.magic
srv_clamav.ScanFileTypes TEXT DATA EXECUTABLE ARCHIVE GIF JPEG MSOFFICE
#The percentage of data to send if the downloaded file exceeds the StartSendPercentDataAfter size
srv_clamav.SendPercentData 5
srv_clamav.StartSendPercentDataAfter 2M

##Uncomment the following line to enable 204 responses outside previews for srv_clamav
## if your icap client supports it. For squid leave it off
#srv_clamav.Allow204Responces on

# The Maximum object to be scanned.
srv_clamav.MaxObjectSize   5M
#The directory which clamav library will use as temporary.
#srv_clamav.ClamAvTmpDir /var/tmp
#Sets the maximum number of files in an archive. Set it to 0 to disable it
srv_clamav.ClamAvMaxFilesInArchive 0
#Sets the maximal archived file size. Set it to 0 to disable it.
srv_clamav.ClamAvMaxFileSizeInArchive 100M
#The maximal recursion level. Set it to 0 to disable it.
srv_clamav.ClamAvMaxRecLevel 5

# And here the viralator-like mode.
# where to save documents
#srv_clamav.VirSaveDir /srv/www/htdocs/downloads/
# from where the documents can be retrieved (you can find the get_file.pl script in contrib dir)
#srv_clamav.VirHTTPServer   "http://fortune/cgi-bin/get_file.pl?usename=%f&remove=1&file="
# The refresh   rate....
#srv_clamav.VirUpdateTime 15
# For which filetypes the "virelator like mode" will be used.
#srv_clamav.VirScanFileTypes ARCHIVE EXECUTABLE

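To confirm that the srv_clamav service really answers RESPMOD requests before putting squid in front of it, here is a small ICAP test client (an added example, not part of the original article or of the c-icap project). It assumes the icap://localhost:1344/srv_clamav URL from the squid.conf icap_service lines above and the loopback-only acl from c-icap.conf: a 204 reply means the object passed unchanged, a 200 reply carries the HTTP response c-icap substitutes when the scan fails.

```python
import socket
from urllib.parse import urlparse

ICAP_URL = "icap://localhost:1344/srv_clamav"  # service URL from the squid.conf above

def build_respmod(icap_url, req_head, res_head, body):
    """Encode one ICAP RESPMOD request (RFC 3507). req_head/res_head are
    lists of HTTP header lines without CRLF; body is the raw response body.
    The Encapsulated header records the byte offset of each section."""
    u = urlparse(icap_url)
    req = ("\r\n".join(req_head) + "\r\n\r\n").encode()
    res = ("\r\n".join(res_head) + "\r\n\r\n").encode()
    chunked = b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body)  # ICAP bodies are chunked
    icap_head = (
        f"RESPMOD {icap_url} ICAP/1.0\r\n"
        f"Host: {u.hostname}:{u.port or 1344}\r\n"
        "Allow: 204\r\n"         # we accept "204 No Content" = object clean, unchanged
        "Connection: close\r\n"  # so the reply ends when the server closes the socket
        f"Encapsulated: req-hdr=0, res-hdr={len(req)}, res-body={len(req) + len(res)}\r\n"
        "\r\n"
    ).encode()
    return icap_head + req + res + chunked

def parse_icap_response(raw):
    """Split an ICAP reply into (status, headers, encapsulated_bytes).
    204: object passed unchanged. 200: the encapsulated part is the HTTP
    response the proxy must forward instead (e.g. c-icap's virus-found page)."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, rest

def scan_object(icap_url, req_head, res_head, body, timeout=10):
    """Send one object to a live c-icap and return the parsed reply.
    The c-icap.conf above only allows 127.0.0.1, so run this on the c-icap host."""
    u = urlparse(icap_url)
    raw = b""
    with socket.create_connection((u.hostname, u.port or 1344), timeout) as sock:
        sock.sendall(build_respmod(icap_url, req_head, res_head, body))
        while True:
            chunk = sock.recv(65536)
            if not chunk:
                break
            raw += chunk
    return parse_icap_response(raw)
```

A known-clean body sent with scan_object should come back as 204, and the request will appear in the AccessLog configured above.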
httpd.conf configuration:
AllowOverride all
Options all
Order allow,deny
Allow from all
SetHandler cgi-script
Options +ExecCGI
#AllowOverride All
