HTTP Anti-Virus Proxy

Official HAVP Support Forum
Registration disabled, I'm tired of spambots. E-mail havp@hege.li if you have questions.
HAVP project is pretty much frozen/abandoned at this time anyway.

All times are UTC + 2 hours [ DST ]

PostPosted: 06 Mar 2006 20:54 
Hello experts :-)

I am having a lot of trouble getting HAVP working with Squid in this case.

My HAVP listens on port 8080 and it is working correctly. Pointing my browser's proxy to proxy:8080 works fine.

Now I want to do it with Squid. So the config is Client -> Squid -> HAVP -> Internet.

I got this working on another machine already, but on this one it does not work. Squid NEVER uses HAVP, no matter what I try to configure. Even Squid's debug messages didn't help me.

My Squid config is as follows (with some domain names and external IPs changed):

more squid.conf | grep -v ^$ | grep -v "#"

cache_peer 141.1.1.1 parent 80 0 no-query
cache_peer 141.2.2.2 parent 8183 0 no-query
cache_peer 127.0.0.1 parent 8080 0 no-query no-digest no-netdb-exchange default
acl admin_net src 192.168.40.0/24
acl Scan_HTTP proto HTTP
never_direct allow Scan_HTTP
cache_peer_access 127.0.0.1 deny !Scan_HTTP
cache_peer_access 127.0.0.1 allow Scan_HTTP
cache_peer_access 127.0.0.1 allow admin_net
cache_peer_domain 141.1.1.1 test1.de
cache_peer_domain 141.2.2.2 test2.de
acl ffproxies dstdomain test3.de
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
acl JARFILE urlpath_regex \.jar
no_cache deny JARFILE
acl INTERN dstdomain mydomain.de mydomain-gmbh.de
no_cache deny INTERN
cache_mem 512 MB
cache_dir ufs /var/cache/squid 5000 16 256 read-only
cache_store_log none
ftp_user nix@ueberhauptgarnix.com
redirect_program /usr/sbin/squidGuard -c /etc/squidguard.conf
redirect_children 30
refresh_pattern ^ftp: 60 20% 60
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl netmon src 172.16.11.106/32 192.168.12.5/32 192.168.12.7/32
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563 8443
acl CONNECT method CONNECT
acl netzgenhosts src "/etc/squid/squid.dnsok"
acl nosavhosts src "/etc/squid/squid.nosav"
acl mydomain_src src 172.16.0.0/12 192.168.0.0/16
acl mydomain_dst dst 172.16.0.0/12 192.168.0.0/16
acl local_adr dst 127.0.0.1/255.255.255.255
acl local_url dstdomain localhost
acl errortest dstdomain error.mydomain-test.de
acl denyusers src "/etc/squid/squid.deny"
acl allowdomains url_regex -i "/etc/squid/squid.allowurl"
acl nimdaWorm urlpath_regex -i \.eml$
acl w32gonera urlpath_regex -i gone.scr$
acl denydomains dstdom_regex -i "/etc/squid/squid.denyurl"
acl denypath urlpath_regex -i "/etc/squid/squid.denyurl"
acl denyips dst "/etc/squid/squid.denyips"
acl blockedtypereq req_mime_type -i ^application/x-msmetafile$
acl blockedtypereq req_mime_type -i application/x-msmetafile
acl blockedtyperep rep_mime_type -i ^application/x-msmetafile$
acl blockedtyperep rep_mime_type -i application/x-msmetafile
acl denyext url_regex -i \.wmf$
acl denydisp rep_header Content-Disposition -i filename.*\.wmf
http_access allow manager localhost
http_access allow manager netmon
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow ffproxies
http_access deny nimdaWorm
http_access deny w32gonera
http_access deny local_url
http_access deny local_adr
http_access deny errortest
http_access deny !mydomain_src
http_access deny !netzgenhosts
http_access deny denydomains
http_access deny denypath
http_access deny denyips
http_access deny denyext
http_access deny denydisp
http_access deny blockedtypereq
http_access deny blockedtyperep
http_access allow allowdomains
http_access allow mydomain_dst
http_access deny denyusers
http_access deny nosavhosts
http_access allow admin_net
http_access allow all
http_access deny all
http_reply_access allow all
icp_access allow all
cache_mgr Hotline@mydomain.de
visible_hostname my-proxy
append_domain .mydomain.de
deny_info ERR_LOCAL_PROXY local_url
deny_info ERR_LOCAL_PROXY local_adr
deny_info ERR_NO_DNS netzgenhosts
deny_info ERR_NO_SAV nosavhosts
deny_info http://wwwtest.mydomain-gmbh.de/ errortest
cachemgr_passwd disable shutdown
cachemgr_passwd none all
acl schnellsurfer src 0.0.0.0/0
always_direct deny ffproxies
always_direct allow mydomain_dst
always_direct allow schnellsurfer
always_direct deny all
never_direct allow ffproxies
never_direct deny mydomain_dst
never_direct deny schnellsurfer
never_direct allow all
header_access X-Forwarded-For deny !mydomain_dst
header_access Server deny !mydomain_dst
header_access Link deny !mydomain_dst
header_access Via deny !mydomain_dst
error_directory /usr/share/squid/errors/German
uri_whitespace encode
strip_query_terms off
coredump_dir /var/cache/squid

I have two network cards in my computer running SuSE Linux:
eth0 192.168.102.12
eth1 "an external IP"


Looking at /var/log/havp shows no errors in HAVP, and there is only something in access.log when pointing the browser directly at 192.168.102.12:8080 and not at 192.168.102.12:3128 (where Squid is running). No errors in /var/log/messages or in /var/log/squid/access.log or /var/log/squid/cache.log.

Squid simply does not care about HAVP... :-(

I also tried the minimal config from http://www.server-side.de/ideas.htm with ACL all in all places. I also tried to use the IP of eth0, 192.168.102.12, instead of localhost or 127.0.0.1 ... same result.

Help is really appreciated.

Regards,
Alexander


PostPosted: 07 Mar 2006 04:27 
I'm no expert, but we just did pretty much what you are looking to do this morning with SLES9 Enterprise Server in less than 20 minutes. We had them running separately but realized the security is too weak to run havp on its own. I realize that most of this is redundant regarding your situation, but I hope you glean something useful from this post. To get it to work you may need to pare your squid file down a touch, then add all of your particulars back a couple at a time. Our setup here is internet-->squid-->havp-->squid or havp-->client. It works. Don't listen with havp on a public IP if you are going to run squid. Listen on the internet with squid, send the traffic to havp for scanning and either back to squid or straight to a browser. Squid does not care about viruses -- the only real reason to scan for them is to protect Windows clients.

Try this simple setup: With both a working squid and a working havp (not together), make sure at least the following lines are present in squid.conf along with your local network ip range (to avoid becoming a spam or XXX-proxy machine).

cache_peer 127.0.0.1 parent 8080 0 no-query no-digest no-netdb-exchange default
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow local_network
# And finally deny all other access to this proxy
http_access deny all
-- some of these may not be necessary, but the first one most certainly needs to be in your config. Make sure to ditch the redirect to squidGuard -- why troubleshoot that headache? (The redirect to squidGuard is fine, but you have left out what you are doing with the traffic.) Also, try configuring only one cache_peer until it starts working.

Restart your firewall process.
Restart the network interfaces.

With squid listening on port 3128 (or 80), add PARENTPORT 3128 (or 80) to havp.config. Restart squid. Restart havp. You should now have a configuration that will serve and scan web content for browsers configured with either port 3128 (squid) (or 80) or port 8080 (havp). This configuration will send SSL through squid without being scanned. If you are still having problems, I can provide more details, but I am confident (at that point) the developers will catch the hangup.

robm


PostPosted: 07 Mar 2006 12:01 
HAVP Developer
agruener wrote:
I got this working on another machine already but on this one it does not work. Squid is NEVER using the HAVP, no matter what I try to configure. Even the debug messages of Squid didn't help me.


Hi, I think I see a simple reason..

Squid checks all always_direct acls before checking never_direct.

And you basically have always_direct allow schnellsurfer which forces all requests to go direct :)

Cheers,
Henrik
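
To make Henrik's point concrete, here is an added example (written for this page; it is not HAVP or Squid code): a small Python model of Squid's access-list semantics and of the order in which always_direct, never_direct and cache_peer_access are consulted, run over the relevant lines of Alexander's posted config and over an assumed corrected version with the catch-all schnellsurfer rules removed. The ACL names and the cache_peer line are taken from the posted config; the client and server addresses, the FIXED_CONF text and the simplified peer selection (parent/sibling types, ICP and prefer_direct are ignored) are assumptions.

```python
"""Model of the Squid routing decision Henrik describes above: always_direct is
evaluated first, then never_direct, then cache_peer_access for each peer.
Parses only the squid.conf directives needed for that decision; this is an
illustration written for this page, not Squid's real peer-selection code."""
import ipaddress
from typing import Dict, List, Optional, Tuple

Rule = Tuple[bool, List[str]]  # (allow?, acl names; a '!' prefix negates an acl)

# Constructed excerpt of the poster's original config (only the relevant lines).
BROKEN_CONF = """
acl all src 0.0.0.0/0.0.0.0
acl mydomain_dst dst 172.16.0.0/12 192.168.0.0/16
acl ffproxies dstdomain test3.de
acl schnellsurfer src 0.0.0.0/0
cache_peer 127.0.0.1 parent 8080 0 no-query no-digest no-netdb-exchange default
always_direct deny ffproxies
always_direct allow mydomain_dst
always_direct allow schnellsurfer
always_direct deny all
never_direct allow ffproxies
never_direct deny mydomain_dst
never_direct deny schnellsurfer
never_direct allow all
"""

# Assumed fix: drop the catch-all schnellsurfer rules so that only internal
# destinations go direct and everything else is forced through the HAVP parent.
FIXED_CONF = """
acl all src 0.0.0.0/0.0.0.0
acl mydomain_dst dst 172.16.0.0/12 192.168.0.0/16
cache_peer 127.0.0.1 parent 8080 0 no-query no-digest no-netdb-exchange default
always_direct allow mydomain_dst
always_direct deny all
never_direct deny mydomain_dst
never_direct allow all
"""


class SquidConf:
    def __init__(self, text: str) -> None:
        self.acls: Dict[str, Tuple[str, List[str]]] = {}   # name -> (type, values)
        self.peers: List[Tuple[str, str]] = []              # (host, port) in file order
        self.peer_access: Dict[str, List[Rule]] = {}        # host -> cache_peer_access rules
        self.always_direct: List[Rule] = []
        self.never_direct: List[Rule] = []
        for raw in text.splitlines():
            words = raw.split("#", 1)[0].split()
            if not words:
                continue
            key, args = words[0], words[1:]
            if key == "acl":                  # acl <name> <type> <value>...
                name, atype, values = args[0], args[1], args[2:]
                old_type, old_values = self.acls.get(name, (atype, []))
                if old_type != atype:
                    raise ValueError(f"acl {name} redefined with type {atype}")
                self.acls[name] = (atype, old_values + values)  # same-name lines accumulate
            elif key == "cache_peer":         # cache_peer <host> <type> <http_port> <icp_port> [opts]
                self.peers.append((args[0], args[2]))
            elif key == "cache_peer_access":  # cache_peer_access <host> allow|deny <acl>...
                self.peer_access.setdefault(args[0], []).append((args[1] == "allow", args[2:]))
            elif key == "always_direct":
                self.always_direct.append((args[0] == "allow", args[1:]))
            elif key == "never_direct":
                self.never_direct.append((args[0] == "allow", args[1:]))

    def _acl_matches(self, name: str, req: Dict[str, str]) -> bool:
        atype, values = self.acls[name]
        if atype in ("src", "dst"):
            addr = ipaddress.ip_address(req["src"] if atype == "src" else req["dst_ip"])
            # ipaddress accepts both prefix (/16) and dotted-netmask (/255.255.0.0) forms
            return any(addr in ipaddress.ip_network(v, strict=False) for v in values)
        if atype == "dstdomain":
            host = req["host"].lower()
            for v in (x.lower() for x in values):
                if v.startswith("."):         # ".foo.de" also matches subdomains
                    if host == v[1:] or host.endswith(v):
                        return True
                elif host == v:               # bare name: exact match only
                    return True
            return False
        raise ValueError(f"unsupported acl type {atype}")

    def _evaluate(self, rules: List[Rule], req: Dict[str, str]) -> Optional[bool]:
        """Squid access-list semantics: the first line whose ACLs all match wins;
        if no line matches, the result is the opposite of the last line's action.
        An empty list yields None (no opinion)."""
        for allow, names in rules:
            if all(self._acl_matches(n.lstrip("!"), req) != n.startswith("!") for n in names):
                return allow
        return (not rules[-1][0]) if rules else None

    def route(self, src: str, host: str, dst_ip: str) -> str:
        req = {"src": src, "host": host, "dst_ip": dst_ip}
        if self._evaluate(self.always_direct, req):
            return "DIRECT"                  # never_direct is not consulted at all
        must_use_peer = bool(self._evaluate(self.never_direct, req))
        for peer_host, port in self.peers:   # first peer its cache_peer_access permits
            verdict = self._evaluate(self.peer_access.get(peer_host, []), req)
            if verdict is None or verdict:
                return f"PEER {peer_host}:{port}"
        # Simplification: parent/sibling types, ICP and prefer_direct are ignored.
        return "NO_PEER" if must_use_peer else "DIRECT"


if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        squid = SquidConf(conf)   # addresses below are constructed sample values
        print(label, "external:", squid.route("192.168.40.5", "www.example.com", "198.51.100.10"))
        print(label, "internal:", squid.route("192.168.40.5", "intranet.mydomain.de", "192.168.12.5"))
```

With the posted rules, "always_direct allow schnellsurfer" matches every client (src 0.0.0.0/0) before never_direct is ever looked at, so external requests go DIRECT and HAVP never sees them; with the catch-all removed, "never_direct allow all" forces them to the 127.0.0.1:8080 parent while internal destinations still go direct. The same evaluator also shows that a cache_peer_access deny line with no later allow leaves a never_direct request with no usable peer at all.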


PostPosted: 07 Mar 2006 16:29 
Hi Henrik :-)

Thanks for your hint. After hours I had found it by myself. And now I understand the meaning of these things in Squid! ;-)

BTW: It seems to run stably at about 30 req/s and 460 kb/s average over 60 minutes.

Thanks again and Regards,
Alexander


Powered by phpBB® Forum Software © phpBB Group