HTTP Anti-Virus Proxy
http://havp.hege.li/forum/

havp doesn't pass eicar
http://havp.hege.li/forum/viewtopic.php?f=3&t=325

Author:  fice [ 24 Jan 2008 15:41 ]
Post subject:  havp doesn't pass eicar

Hello all.
I am trying to set up the following system, switching our proxy from Win to Linux:
user --> squid1 --> havp --> squid2 --> our Win proxy --> Internet.
But I have a problem with it :-(
When I tried this link: http://www.eicar.org/download/eicar.com.txt I got a page with
Quote:
HAVP - Access Denied

Access to the page has been denied
because the following virus was detected

ClamAV: Eicar-Test-Signature

But when I try this link: http://www.eicar.org/download/eicar.com havp skipped this file as a normal file and reported no virus.

squid.conf
Code:
http_port proxy:3128
http_port 127.0.0.1:8080
icp_port  0
htcp_port 0

cache_mem 50 MB
cache_mgr tssv@vrnges.ru
cache_dir ufs /var/cache/squid 10000 32 512
cache_peer 127.0.0.1 parent 6666 0 proxy-only no-query no-digest no-netdb-exchange default
cache_peer 192.168.101.136 parent 3128 0 proxy-only login=proxy-test:test default

offline_mode off
maximum_object_size 102400 KB
reload_into_ims off
pipeline_prefetch on

access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log

acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl my_network src 192.168.101.0/255.255.255.0
acl all src 0.0.0.0/0.0.0.0
acl from_havp myport 8080
http_access allow my_network
http_access allow manager localhost
http_access deny manager
http_access allow from_havp localhost
http_access deny from_havp all
http_access allow localhost
http_access deny all
acl QUERY urlpath_regex cgi-bin \?
acl CONNECT method CONNECT
no_cache deny QUERY
no_cache deny localhost
no_cache deny CONNECT
no_cache allow all

http_reply_access allow all
icp_access allow all
never_direct allow all
shutdown_lifetime       5 seconds
half_closed_clients     off
hierarchy_stoplist cgi-bin ?

cache_peer_access 127.0.0.1 deny from_havp
cache_peer_access 127.0.0.1 allow all

havp.config
Code:
USER havp
GROUP havp
PIDFILE /var/run/havp/havp.pid
SERVERNUMBER 16
MAXSERVERS 100
ACCESSLOG /var/log/havp/access.log
ERRORLOG /var/log/havp/havp.log
LOG_OKS true
LOGLEVEL 9
SCANTEMPFILE /var/tmp/havp/havp-XXXXXX
TEMPDIR /tmp
DBRELOAD 60
PARENTPROXY 127.0.0.1
PARENTPORT 8080
PORT 6666
BIND_ADDRESS 127.0.0.1
WHITELISTFIRST true
WHITELIST /etc/havp/whitelist
BLACKLIST /etc/havp/blacklist
FAILSCANERROR true
SCANIMAGES true
MAXSCANSIZE 1000000
STREAMUSERAGENT Player Winamp iTunes QuickTime Audio RMA/ MAD/ Foobar2000 XMMS
ENABLECLAMLIB true
CLAMDBDIR /var/lib/clamav
CLAMBLOCKENCRYPTED false
CLAMBLOCKMAX false
ENABLECLAMD false
ENABLEFPROT false
ENABLEAVG false
ENABLEAVESERVER false
ENABLESOPHIE false
ENABLETROPHIE false
ENABLENOD32 false
ENABLEAVAST false

squid access.log on http://www.eicar.org/download/eicar.com.txt
Code:
1201177286.418    233 127.0.0.1 TCP_MISS/200 567 GET http://www.eicar.org/download/eicar.com.txt - DEFAULT_PARENT/192.168.101.136 text/plain
1201177286.419    235 192.168.101.73 TCP_MISS/200 1361 GET http://www.eicar.org/download/eicar.com.txt - DEFAULT_PARENT/127.0.0.1 text/html
1201177290.346   4161 127.0.0.1 TCP_MISS/404 181 GET http://192.168.101.136:3128/squid-internal-periodic/store_digest - DEFAULT_PARENT/192.168.101.136 -

havp access.log on http://www.eicar.org/download/eicar.com.txt
Code:
24/01/2008 15:21:26 127.0.0.1 GET 200 http://www.eicar.org/download/eicar.com.txt 497+68 VIRUS ClamAV: Eicar-Test-Signature
24/01/2008 15:21:30 127.0.0.1 GET 404 http://192.168.101.136:3128/squid-internal-periodic/store_digest 179+0 OK

squid access.log on http://www.eicar.org/download/eicar.com
Code:
1201177418.869     10 192.168.101.73 TCP_HIT/200 594 GET http://www.eicar.org/download/eicar.com - NONE/- application/x-msdos-program

and havp access.log on http://www.eicar.org/download/eicar.com is empty.
What's wrong with my system?
P.S. Eventually the Win proxy in the chain will be replaced by the ISP proxy.

Author:  fice [ 30 Jan 2008 14:29 ]
Post subject: 

So, do you have any ideas?

Author:  hege [ 30 Jan 2008 19:57 ]
Post subject: 

TCP_HIT/200

It is coming from your first Squid cache, not through HAVP. Try emptying it, maybe it was there before your new config.
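hege's TCP_HIT diagnosis can be turned into a routine check. The script below is an added example, not code from the thread or from the HAVP project: it parses Squid native access.log lines and lists 200 responses that reached an end user without being forwarded to the HAVP parent at 127.0.0.1, that is, cache hits (NONE/-) or fetches through any other peer. The embedded log lines are the ones posted above plus one constructed DIRECT entry; HAVP_ADDR and the function names are assumptions of this example.

```python
import re

# Squid native access.log layout:
#   time elapsed client action/status bytes method URL ident hierarchy/peer type
LINE_RE = re.compile(
    r"^\d+\.\d+\s+\d+\s+(?P<client>\S+)\s+(?P<action>[A-Z_]+)/(?P<status>\d{3})\s+"
    r"\d+\s+\S+\s+(?P<url>\S+)\s+\S+\s+(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+\S+$"
)

# HAVP listens here (cache_peer 127.0.0.1 parent 6666) and sends its own
# upstream requests from the same address (http_port 127.0.0.1:8080).
HAVP_ADDR = "127.0.0.1"  # assumption taken from the posted configs


def parse_line(line):
    """Return the fields of one native-format line as a dict, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["status"] = int(d["status"])
    return d


def unscanned(lines, havp_addr=HAVP_ADDR):
    """Entries delivered to end users without passing through HAVP.

    Requests whose client is HAVP itself are its upstream fetches and are
    skipped. Any other 200 response counts as scanned only if Squid forwarded
    it to the HAVP peer; a cache hit (hierarchy NONE) or a fetch via another
    peer or DIRECT bypassed the scanner, which is the TCP_HIT case above.
    """
    flagged = []
    for line in lines:
        e = parse_line(line)
        if e is None or e["client"] == havp_addr or e["status"] != 200:
            continue
        if e["hier"] == "NONE" or e["peer"] != havp_addr:
            flagged.append(e)
    return flagged


# Lines from the thread plus one constructed DIRECT fetch (never_direct should forbid it).
SAMPLE_LOG = """\
1201177286.418    233 127.0.0.1 TCP_MISS/200 567 GET http://www.eicar.org/download/eicar.com.txt - DEFAULT_PARENT/192.168.101.136 text/plain
1201177286.419    235 192.168.101.73 TCP_MISS/200 1361 GET http://www.eicar.org/download/eicar.com.txt - DEFAULT_PARENT/127.0.0.1 text/html
1201177418.869     10 192.168.101.73 TCP_HIT/200 594 GET http://www.eicar.org/download/eicar.com - NONE/- application/x-msdos-program
1201177500.000     50 192.168.101.73 TCP_MISS/200 1200 GET http://example.invalid/file.exe - DIRECT/203.0.113.10 application/octet-stream
"""

if __name__ == "__main__":
    for e in unscanned(SAMPLE_LOG.splitlines()):
        print(f"{e['client']} {e['action']} {e['hier']}/{e['peer']} {e['url']}")
```

Run against the live access.log, the same check shows whether squid1 is still serving objects from its old cache after the peer change.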

Author:  fice [ 31 Jan 2008 08:49 ]
Post subject: 

Thanks a lot, I'm really a noob :lol:
