HTTP Anti-Virus Proxy

Official HAVP Support Forum
Registration disabled, I'm tired of spambots. E-mail havp@hege.li if you have questions.
HAVP project is pretty much frozen/abandoned at this time anyway.


All times are UTC + 2 hours [ DST ]




Post new topic Reply to topic  [ 2 posts ] 
 Post subject: Usage and infrastructure
PostPosted: 01 Mar 2006 18:16 
HAVP Developer

Joined: 27 Feb 2006 18:12
Posts: 687
Location: Finland
Usage and infrastructure

While a standalone HAVP installation is perfectly sufficient for home use, the recommended configuration for larger deployments is a Squid sandwich. Squid has been developed for a long time and has optimized access controls, DNS and network usage in general, so it is best that HAVP handles only the scanning part.

    SQUID1 --> HAVP --> SQUID2 or ISPs PROXY


SQUID1

Configured without caching (otherwise a user might get a virus directly from the cache). You can easily control who can use the proxy and bypass HAVP for users, addresses or anything else that Squid ACLs can express. HTTPS requests should be forwarded directly to SQUID2 or the Internet; HAVP has no use for them. Squid also offers an easy way to do load balancing across multiple HAVP servers if needed.

HAVP

Just configure PARENTPROXY to point to SQUID2.

SQUID2 (or ISPs Proxy)

Here you can cache content. Squid makes much more optimized use of keep-alives and DNS, so it will speed things up compared to HAVP being the last one in the chain. It can also handle some broken/non-standard websites better.

Example configurations

You can run "both Squids" in a single Squid process, with a few ACLs. The performance impact is very marginal, while offering very good flexibility.

Note: At the moment caching doesn't work this way. You need a separate Squid process for "SQUID2" that does the caching.

A rough example for Squid 2.6:

Code:
# Main port that clients use
http_port 8080

# This is SQUID2 port
# havp.config has PARENTPROXY 127.0.0.1, PARENTPORT 8081
http_port 127.0.0.1:8081

# Define acl for HAVP port (the port HAVP connects to, SQUID2)
acl FROM_HAVP myport 8081

# You probably don't care to log duplicate requests coming in from HAVP
log_access deny FROM_HAVP

# HAVP on localhost port 8090
cache_peer 127.0.0.1 parent 8090 0 name=havp proxy-only no-query no-digest no-netdb-exchange default

# Needed if we want to go directly to SQUID2 without HAVP
cache_peer 127.0.0.1 parent 8081 0 name=squid2 proxy-only no-query no-digest no-netdb-exchange

# This makes sure ALL requests are sent to parent peers when needed
prefer_direct off
nonhierarchical_direct off

# HTTPS traffic scanning not needed
# (squid2 skipped too, since it can't be cached)
acl HTTPS method CONNECT
always_direct allow HTTPS
# Always force use of HAVP or Squid2 parent
never_direct allow !FROM_HAVP

# It's easier to create whitelists here than in HAVP
# Also, if there is a bug in HAVP, whitelisting there might not work
acl NOSCAN dstdomain trusted.site.net

cache_peer_access havp deny FROM_HAVP
cache_peer_access havp deny HTTPS
cache_peer_access havp deny NOSCAN
cache_peer_access havp allow all
cache_peer_access squid2 deny FROM_HAVP
cache_peer_access squid2 allow all


Naturally this is only an example and there is a lot more to configure for a working Squid instance.


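The post above describes four things the single-process sandwich depends on: every client request is forced to a parent, CONNECT goes direct and is never offered to HAVP, requests coming back from HAVP on port 8081 are never sent to a peer again (otherwise they loop), and a NOSCAN domain that skips HAVP still has a parent to go to. The following Python checker is an added example, not part of the post and not HAVP or Squid project code. It parses the acl, cache_peer, cache_peer_access, never_direct and always_direct lines of the config above (embedded as a constructed copy, comments and http_port lines dropped) and reports which of those invariants fail; the rule-order semantics it applies (first matching allow/deny wins) are an assumption that matches how the post's config is written, not a full model of Squid's peer selection.

```python
"""Lint a Squid "sandwich" squid.conf for the invariants the post relies on.
Added example, not HAVP or Squid project code; POST_CONFIG is a constructed copy
of the post's ACL/peer/routing lines, and only those directive shapes are parsed."""
from collections import namedtuple

Rule = namedtuple("Rule", "action acls")  # e.g. Rule("deny", ("FROM_HAVP",))

POST_CONFIG = """
acl FROM_HAVP myport 8081
cache_peer 127.0.0.1 parent 8090 0 name=havp proxy-only no-query no-digest no-netdb-exchange default
cache_peer 127.0.0.1 parent 8081 0 name=squid2 proxy-only no-query no-digest no-netdb-exchange
prefer_direct off
nonhierarchical_direct off
acl HTTPS method CONNECT
always_direct allow HTTPS
never_direct allow !FROM_HAVP
acl NOSCAN dstdomain trusted.site.net
cache_peer_access havp deny FROM_HAVP
cache_peer_access havp deny HTTPS
cache_peer_access havp deny NOSCAN
cache_peer_access havp allow all
cache_peer_access squid2 deny FROM_HAVP
cache_peer_access squid2 allow all
"""


def parse_squid_conf(text):
    """Return a dict with keys acls, peers, peer_access, never_direct, always_direct, settings."""
    conf = {"acls": {}, "peers": {}, "peer_access": {}, "never_direct": [],
            "always_direct": [], "settings": {}}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        directive, *args = line.split()
        if directive == "acl":  # acl NAME TYPE ARGS...
            conf["acls"][args[0]] = (args[1], tuple(args[2:]))
        elif directive == "cache_peer":  # cache_peer HOST TYPE HTTPPORT ICPPORT [options]
            peer = {"host": args[0], "port": int(args[2]), "flags": set()}
            for opt in args[4:]:
                key, _, val = opt.partition("=")
                if val:
                    peer[key] = val
                else:
                    peer["flags"].add(key)
            conf["peers"][peer.get("name", peer["host"])] = peer
        elif directive == "cache_peer_access":  # cache_peer_access PEER allow|deny ACLS...
            conf["peer_access"].setdefault(args[0], []).append(Rule(args[1], tuple(args[2:])))
        elif directive in ("never_direct", "always_direct"):
            conf[directive].append(Rule(args[0], tuple(args[1:])))
        elif len(args) == 1:  # prefer_direct off and similar single-value directives
            conf["settings"][directive] = args[0]
    return conf


def denied_before_allow(rules, acl):
    """True if `acl` alone is denied before the first allow in an ordered rule list."""
    for rule in rules:
        if rule.action == "deny" and rule.acls == (acl,):
            return True
        if rule.action == "allow":
            return False
    return False


def lint_sandwich(conf, havp_peer="havp"):
    """Return a list of findings; an empty list means every invariant holds."""
    acls, rules_of = conf["acls"], lambda peer: conf["peer_access"].get(peer, [])
    return_acls = {n for n, (t, _) in acls.items() if t == "myport"}  # HAVP's return port
    connect_acls = {n for n, (t, a) in acls.items() if t == "method" and "CONNECT" in a}
    findings = []
    # 1. Anything not coming back from HAVP must be forced to a parent (never direct).
    if conf["settings"].get("prefer_direct", "off") != "off":
        findings.append("prefer_direct is on: Squid may go direct and skip scanning")
    if not any(r.action == "allow" and r.acls and all(a[0] == "!" and a[1:] in return_acls
               for a in r.acls) for r in conf["never_direct"]):
        findings.append("no 'never_direct allow !<myport acl>': clients can bypass HAVP")
    # 2. CONNECT (HTTPS) goes direct and is never offered to the HAVP peer.
    if not connect_acls:
        findings.append("no 'method CONNECT' acl: HTTPS handling is undefined")
    for acl in connect_acls:
        if not any(r.action == "allow" and r.acls == (acl,) for r in conf["always_direct"]):
            findings.append(f"'always_direct allow {acl}' missing: CONNECT would go to a parent")
        if not denied_before_allow(rules_of(havp_peer), acl):
            findings.append(f"peer {havp_peer} does not deny {acl}: CONNECT offered to HAVP")
    # 3. Requests arriving on the HAVP return port must not be sent to any peer (loop).
    for peer in conf["peers"]:
        for acl in return_acls:
            if not denied_before_allow(rules_of(peer), acl):
                findings.append(f"peer {peer} accepts requests from {acl}: forwarding loop")
    # 4. A dstdomain skipped on the HAVP peer still needs another parent willing to take it.
    for acl in (n for n, (t, _) in acls.items() if t == "dstdomain"):
        if denied_before_allow(rules_of(havp_peer), acl) and not any(
                p != havp_peer and not denied_before_allow(rules_of(p), acl) for p in conf["peers"]):
            findings.append(f"{acl} is denied on {havp_peer} but no other parent accepts it")
    return findings


if __name__ == "__main__":
    print(lint_sandwich(parse_squid_conf(POST_CONFIG)) or "sandwich config OK")
```

The post's config passes clean; deleting the `cache_peer_access havp deny FROM_HAVP` line makes the checker report the forwarding loop that line prevents, and deleting `always_direct allow HTTPS` reports that CONNECT would be sent to a parent. To run it against a real squid.conf, read the file into POST_CONFIG's place; lines the parser does not understand are skipped, so it never fails on a full configuration, but it also only checks what it can see.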
 
PostPosted: 13 Jan 2011 18:23 
And indefinitely it is not far :)

