Hi, my name is Luis, I'm from Brazil and I work at a university with some Windows workstations in the LAN. I found out about HAVP
while reading an article in the Brazilian edition of Linux Magazine, but I'm a layman when it comes to proxies. I configured HAVP following the how-to, but there is a lack of documentation in Portuguese. So I came to the final conclusion:
- Debian Etch running iptables with the NAT rules and a transparent proxy, as seen below:
echo 1 > /proc/sys/net/ipv4/ip_forward   # enable IP forwarding so the box can act as a gateway
iptables --append FORWARD --in-interface eth0 -j ACCEPT
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128   # redirect HTTP to Squid's transparent port
- Squid 2.6 configuration so HAVP can work as a parent:
############################################
############################################
http_port 3128 transparent
visible_hostname vm1
cache_mem 64 MB
maximum_object_size_in_memory 64 KB
maximum_object_size 512 MB
minimum_object_size 0 KB
cache_swap_low 90
cache_swap_high 95
cache_dir ufs /var/spool/squid 2048 16 256
cache_access_log /var/log/squid/access.log
refresh_pattern ^ftp: 15 20% 2280
refresh_pattern ^gopher: 15 0% 2280
refresh_pattern . 15 20% 2280
#HAVP
cache_peer 127.0.0.1 parent 8080 0 no-query no-digest no-netdb-exchange default
cache_peer_access 127.0.0.1 allow all
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 901 # swat
acl Safe_ports port 1025-65535 # high ports
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl redelocal src 10.180.0.0/24
http_access allow localhost
http_access allow redelocal
http_access deny all
##########################################
##########################################
HAVP configuration file, running with libclamav:
#####
##### ClamAV Library Scanner (libclamav)
#####
ENABLECLAMLIB true
# HAVP uses libclamav hardcoded pattern directory, which usually is
# /usr/local/share/clamav. You only need to set CLAMDBDIR, if you are
# using non-default DatabaseDirectory setting in clamd.conf.
#
# Default: NONE
# CLAMDBDIR /path/to/directory
# Should we block broken executables?
#
# Default:
# CLAMBLOCKBROKEN false
# Should we block encrypted archives?
#
# Default:
# CLAMBLOCKENCRYPTED false
# Should we block files that go over maximum archive limits?
#
# Default:
# CLAMBLOCKMAX false
# Scanning limits _inside_ archives (filesize = MB):
# Read clamd.conf for more info.
#
# Default:
# CLAMMAXFILES 1000
# CLAMMAXFILESIZE 10
# CLAMMAXRECURSION 8
# CLAMMAXRATIO 250
This part is the only one that has been changed.
With this setup I configure my clients so they are able to use my server as a gateway. Testing on the EICAR website, the anti-virus works, but when the virus is at a URL like this:
http://www.tpncs.com/NetEmpresa-3.3.25.exe ; the browser opens a window to save the file to the hard disk. When I run clamd from the command line, it detects the virus in the file that has been saved. My doubt is: is HAVP, in my configuration, scanning only cached files? How can I resolve the problem described above?
Another question: what is the difference between my configuration and a sandwich configuration?
PS: I ask about the difference because I'm new to this subject; I read about the sandwich configuration, but I don't understand the real difference between them.
Thank you, and I really appreciate your collaboration. And thanks to the HAVP development team.
Luis Manrique.
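One way to check from Squid's own access.log whether requests are actually being forwarded to the HAVP parent (and which ones Squid fetched DIRECT or served from cache without passing through the scanner), as an added example that is not part of the original post; the peer address 127.0.0.1 comes from the cache_peer line above, the log lines are constructed samples in Squid's native log format.

```python
import re
from collections import Counter

# Constructed sample lines in Squid's native access.log format:
# timestamp elapsed client action/status size method URL ident hierarchy/peer type
SAMPLE_ACCESS_LOG = """\
1200000001.001   310 10.180.0.21 TCP_MISS/200 68 GET http://example.test/eicar.com - DEFAULT_PARENT/127.0.0.1 text/plain
1200000002.002   900 10.180.0.21 TCP_MISS/200 212992 GET http://example.test/tool.exe - DIRECT/198.51.100.7 application/octet-stream
1200000003.003     5 10.180.0.22 TCP_HIT/200 212992 GET http://example.test/tool.exe - NONE/- application/octet-stream
1200000004.004   120 10.180.0.23 TCP_MISS/200 512 GET http://example.test/other.exe - FIRSTUP_PARENT/127.0.0.1 text/html
"""

HAVP_PEER = "127.0.0.1"   # cache_peer address from the squid.conf in the post

LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s*(?P<type>\S*)$"
)

def classify(line):
    """Return 'scanned', 'bypassed', 'cached' or 'unknown' for one access.log line."""
    m = LOG_RE.match(line)
    if not m:
        return "unknown"
    hier, peer, action = m.group("hier"), m.group("peer"), m.group("action")
    if hier.endswith("PARENT") and peer == HAVP_PEER:
        return "scanned"      # forwarded to the HAVP parent on 127.0.0.1
    if hier == "DIRECT":
        return "bypassed"     # Squid fetched it itself; HAVP never saw the body
    if "HIT" in action:
        return "cached"       # served from cache_dir; not re-scanned on this request
    return "unknown"

def audit(log_text):
    """Count how each request was routed and list the URLs that skipped the parent."""
    counts = Counter()
    bypassed = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        kind = classify(line)
        counts[kind] += 1
        if kind == "bypassed":
            bypassed.append(LOG_RE.match(line).group("url"))
    return counts, bypassed

if __name__ == "__main__":
    counts, bypassed = audit(SAMPLE_ACCESS_LOG)
    print(dict(counts))
    for url in bypassed:
        print("never passed through HAVP:", url)
```

Run it against /var/log/squid/access.log (the cache_access_log path above) instead of the sample text: any DIRECT entries mean Squid is not using the parent for those requests, and HIT entries are served from the cache without a fresh scan.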