HTTP Anti-Virus Proxy http://havp.hege.li/forum/ |
|
Havp + Squid -- Problems with virus in url http://havp.hege.li/forum/viewtopic.php?f=3&t=314 |
Page 1 of 1 |
Author: | lmanrique [ 07 Dec 2007 14:39 ] |
Post subject: | Havp + Squid -- Problems with virus in url |
Hi, my name is Luis, I’m from Brazil and I work in a university, with some Windows workstations in the Lan. I found out about HAVP reading na article in the brazilian edition of Linux Magazine, but I’m lay when it comes about proxy. I configured the HAVP, following the how-to, but there’s a lack of documentation in portuguese. So I got to the finally conclusion: - Debian Etch running the Iptables with the nat rules and transparent Proxy as we see below: echo 1 > /proc/sys/net/ipv4/ip_forward iptables --append FORWARD --in-interface eth0 -j ACCEPT iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128 - Squid 2.6 configuration so HAVP can work as a parent: ############################################ ############################################ http_port 3128 transparent visible_hostname vm1 cache_mem 64 MB maximum_object_size_in_memory 64 KB maximum_object_size 512 MB minimum_object_size 0 KB cache_swap_low 90 cache_swap_high 95 cache_dir ufs /var/spool/squid 2048 16 256 cache_access_log /var/log/squid/access.log refresh_pattern ^ftp: 15 20% 2280 refresh_pattern ^gopher: 15 0% 2280 refresh_pattern . 15 20% 2280 #HAVP cache_peer 127.0.0.1 parent 8080 0 no-query no-digest no-netdb-exchange default cache_peer_access 127.0.0.1 allow all acl all src 0.0.0.0/0.0.0.0 acl manager proto cache_object acl localhost src 127.0.0.1/255.255.255.255 acl SSL_ports port 443 563 acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 563 # https, snews acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl Safe_ports port 901 # swat acl Safe_ports port 1025-65535 # portas altas acl purge method PURGE acl CONNECT method CONNECT http_access allow manager localhost http_access deny manager http_access allow purge localhost http_access deny purge http_access deny !Safe_ports http_access deny CONNECT !SSL_ports acl redelocal src 10.180.0.0/24 http_access allow localhost http_access allow redelocal http_access deny all ########################################## ########################################## HAVP file configuration – running with LibClamav: ##### ##### ClamAV Library Scanner (libclamav) ##### ENABLECLAMLIB true # HAVP uses libclamav hardcoded pattern directory, which usually is # /usr/local/share/clamav. You only need to set CLAMDBDIR, if you are # using non-default DatabaseDirectory setting in clamd.conf. # # Default: NONE # CLAMDBDIR /path/to/directory # Should we block broken executables? # # Default: # CLAMBLOCKBROKEN false # Should we block encrypted archives? # # Default: # CLAMBLOCKENCRYPTED false # Should we block files that go over maximum archive limits? # # Default: # CLAMBLOCKMAX false # Scanning limits _inside_ archives (filesize = MB): # Read clamd.conf for more info. # # Default: # CLAMMAXFILES 1000 # CLAMMAXFILESIZE 10 # CLAMMAXRECURSION 8 # CLAMMAXRATIO 250 This part is the only one that has been changed. With this Setup I configure my clients so they’ll be able to use my server as a gateway. Making a test in Eicar website, the anti-virus works, but when the virus is in URL, like this: http://www.tpncs.com/NetEmpresa-3.3.25.exe ; the browser opens a window to save the file in the HD. When I run clamd in a command line, it detects the virus in the file thas has been saved. My doubt is: is Havp, in my configuration, scanning only cached files? How can I resolve the problem described above? Another question, what is the difference in my configuration for a sandwich configuration? PS: I ask about the difference because I’m new in this subject, I read about sandwich configuration, but I don’t understand the real difference between them. Thank you and I really appreciate your colaboration. And thanks to havp development team. Luis Manrique. |
Author: | sebastian [ 09 Dec 2007 01:51 ] |
Post subject: | |
That file is pretty large so it may slip trough. Try configure: KEEPBACKBUFFER MAXSCANSIZE MAXDOWNLOADSIZE to the same value. This will gurantee that all files is scanned completely before they are sent to the browser. But it may cause problems with very large downloads (> 50 mb), because the browser may timeout. Also have a low TRICKLE value so the browser dosent timeout, and a low KEEPBACKTIME (but not too low) so the browser does not timeout. The only reason of having a sandwich configuration, like squid - havp - squid is that the first squid should not cache anything but handle authentication if you want to password protect the internet for you LAN users. But if you only want scanning and caching, squid - havp - squid is EXACTLY the same as havp - squid. PS. When clicking your link, its detected as Trojan.Bancos-3784 DS. |
Author: | hege [ 09 Dec 2007 11:19 ] |
Post subject: | |
sebastian wrote: But if you only want scanning and caching, squid - havp - squid is EXACTLY the same as havp - squid.
Except that you lose flexibility without Squid, acls for whitelisting, routing etc. Also if users are forced to proxy HTTPS, it's more efficient through Squid than HAVP. |
Author: | sebastian [ 09 Dec 2007 13:16 ] |
Post subject: | |
You can still use acls in the caching squid that is placed after havp. And with HTTPS, its best to use Apache 2.2.6 to configure it as a proxy that eavesdrop on HTTPS traffic and sends it unencrypted through HAVP & squid and then reencrypting the traffic at the other end. This means that the client will get invalid certificate, but the only thing needed to do is to import the root certificate into the browser. (Maybe you can put the root in a EXE that forcefully installs the root certificate, that also calls a URL after installation. Then you have a captive portal that makes sure the user cannot visit any site before this "secret" URL is visited, and that means that the user has executed the EXE.) Here is a apache configuration you can use to eavesdrop on SSL traffic: Code: <VirtualHost> #HTTPS traffic RewriteEngine on RewriteCond %{REQUEST_METHOD} !^(GET|POST) RewriteRule .* - [F] ServerAdmin root@localhost ErrorLog /var/log/httpd/error_log TransferLog /var/log/httpd/access_log SSLEngine on SSLProtocol all -SSLv2 SSLCipherSuite ALL:!ADH:!EXPORT56:!eNULL:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW:+EXP SSLCertificateFile /etc/httpd/server.crt #THIS is the certificate the user is going to get SSLCertificateKeyFile /etc/httpd/server.key #THIS is the private key SSLCertificateChainFile /etc/httpd/cacert.crt #THIS is the CA root, also needs to be imported to your browser. SetEnv HOME /home/nobody ProxyRemote * http://127.0.0.1:8080 #HAVP proxy ProxyPreserveHost Off RequestHeader unset xsslcatch RequestHeader set xsslcatch ison #Tell the apache proxy on port 8445 #that the traffic was HTTPS before it was unencrypted Header unset Via Header unset X-Cache Header unset Vary </VirtualHost> <VirtualHost> #HTTP traffic RewriteEngine on RewriteCond %{REQUEST_METHOD} !^(GET|POST) RewriteRule .* - [F] DocumentRoot /arpmessages ServerAdmin root@localhost ErrorLog /var/log/httpd/error_log TransferLog /var/log/httpd/access_log ProxyRemote * http://127.0.0.1:8080 #HAVP proxy ProxyPreserveHost Off RequestHeader unset xsslcatch RequestHeader set xsslcatch isoff #Tell the apache proxy on port 8445 #that the traffic was not encrypted, and it should NOT reencrypt the traffic. Header unset Via Header unset X-Cache Header unset Vary </VirtualHost> #your SQUID proxy needs to use this as your last proxy: 127.0.0.1:8445 <VirtualHost> ProxyRequests on SSLProxyEngine on SSLProxyMachineCertificateFile clientcerts.pem ProxyVia block ProxyPreserveHost Off #ProxyMaxForwards -1 #Not implemented in Apache Yet. Will come in 2.2.7 version DocumentRoot /home/httpd/html ServerAdmin root@localhost ErrorLog /var/log/httpd/error_log TransferLog /var/log/httpd/access_log SetOutputFilter INFLATE Header unset Content-Encoding <Proxy> RequestHeader unset Via RequestHeader unset X-Forwarded-For RequestHeader unset Accept-Encoding RequestHeader unset xsslcatch RequestHeader unset cache-control Header unset pragma Header unset cache-control Header unset expires Header set Cache-Control public Header set Expires "Thu, 31 Dec 2099 23:59:59 GMT" RequestHeader unset cache-control RewriteEngine On RewriteCond %{HTTP:xsslcatch} ^ison$ RewriteRule ^proxy:http://(.*)$ proxy:https://$1 RewriteCond %{HTTP:xsslcatch} ^isoff$ RewriteRule ^proxy:http://(.*)$ proxy:http://$1 RewriteCond %{REQUEST_METHOD} !^(GET|POST) RewriteRule .* - [F] </Proxy> </VirtualHost> And then use the following IPtables rules: Code: /sbin/iptables -t nat -A PREROUTING -p tcp -i ! eth3 --dport 443 -j REDIRECT --to-port 8443
/sbin/iptables -t nat -A PREROUTING -p tcp -i ! eth3 --dport 80 -j REDIRECT --to-port 8444 and "eth3" is your internet interface. You need some accept rules too. Then configure transparent = off on both squid and HAVP. (Apache takes care of this bit) Then you have a proxy chain that looks like this: Apache - HAVP - Squid - Apache And it will scan both HTTP and HTTPS traffic transparently. |
Author: | hege [ 09 Dec 2007 14:45 ] |
Post subject: | |
sebastian wrote: You can still use acls in the caching squid that is placed after havp. You are missing the point, there are many things that you might want to do before you reach HAVP (or don't reach at all). Quote: And with HTTPS, its best to use Apache 2.2.6 to configure it as a proxy that eavesdrop on HTTPS traffic and sends it unencrypted through HAVP & squid and then reencrypting the traffic at the other end.
This is way off-topic too. But props for a good example. |
Page 1 of 1 | All times are UTC + 2 hours [ DST ] |
Powered by phpBB® Forum Software © phpBB Group https://www.phpbb.com/ |