HTTP Anti-Virus Proxy

Official HAVP Support Forum
Registration disabled, I'm tired of spambots. E-mail if you have questions.
HAVP project is pretty much frozen/abandoned at this time anyway.

All times are UTC + 2 hours [ DST ]

Post new topic Reply to topic  [ 2 posts ] 
Author Message
 Post subject: Usage and infrastructure
PostPosted: 01 Mar 2006 18:16 
HAVP Developer

Joined: 27 Feb 2006 18:12
Posts: 687
Location: Finland
Usage and infrastructure

While a standalone HAVP installation is very sufficient for home use, recommended configuration for larger usage is Squid sandwich. Squid has been developed for a long time and has optimized Access Controls, DNS and network usage in general, so it is best that HAVP only handles the scanning part.

    SQUID1 --> HAVP --> SQUID2 or ISPs PROXY


Configured without caching (otherwise user might get virus directly from cache). You can control easily who can use Proxy and bypass HAVP for users, addresses or anything that Squid ACLs can do. HTTPS requests should be forwarded directly to SQUID2 or Internet, HAVP has no use for that. Also Squid offers easy way to do load balancing for multiple HAVP servers if needed.


Just configure PARENTPROXY to point to SQUID2.

SQUID2 (or ISPs Proxy)

Here you can cache content. Squid has much more optimized use of Keep-Alives and DNS, so it will speed up things compared to if HAVP was the last one in chain. Also it can handle some broken/non-standard www-sites better.

Example configurations

You can run "both Squids" on a single Squid process, with few ACLs. The performance impact is very marginal, while offering very good flexibility.

Note: At the moment caching doesn't work this way. You need a separate Squid process for "SQUID2" that does the caching.

A rough example for Squid 2.6:

# Main port that clients use
http_port 8080

# This is SQUID2 port
# havp.config has PARENTHOST, PARENTPORT 8081

# Define acl for HAVP port (the port HAVP connects to, SQUID2)
acl FROM_HAVP myport 8081

# You probably don't care to log duplicate requests coming in from HAVP
log_access deny FROM_HAVP

# HAVP on localhost port 8090
cache_peer parent 8090 0 name=havp proxy-only no-query no-digest no-netdb-exchange default

# Needed if we want to go directly to SQUID2 without HAVP
cache_peer parent 8081 0 name=squid2 proxy-only no-query no-digest no-netdb-exchange

# This makes sure ALL requests are sent to parent peers when needed
prefer_direct off
nonhierarchical_direct off

# HTTPS traffic scanning not needed
# (squid2 skipped too, since it can't be cached)
acl HTTPS method CONNECT
always_direct allow HTTPS
# Always force use of HAVP or Squid2 parent
never_direct allow !FROM_HAVP

# It's easier to create whitelists here than in HAVP
# Also, if there is a bug in HAVP, whitelisting there might not work
acl NOSCAN dstdomain

cache_peer_access havp deny FROM_HAVP
cache_peer_access havp deny HTTPS
cache_peer_access havp deny NOSCAN
cache_peer_access havp allow all
cache_peer_access squid2 deny FROM_HAVP
cache_peer_access squid2 allow all

Naturally this is only an example and there is lots more to configure for a working Squid instance.

PostPosted: 13 Jan 2011 18:23 
And indefinitely it is not far :)

Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 2 posts ] 

All times are UTC + 2 hours [ DST ]

Who is online

Users browsing this forum: No registered users and 1 guest

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group