Tuesday, December 13, 2011

Setting up HAVP (with ClamAV) + Squid to work as Secure Proxy

There are two ways in which HAVP can be made to interact with Squid (taken from http://kokikode.wordpress.com/2010/03/14/configuring-squid-havpclamav-in-ubuntu-reviews/).
1. The first way is to have HAVP as the parent proxy for Squid.
               Transparent Proxy*
               192.168.0.253:3128
                      ||                    [eth1]
                      ||                      ||
 [Intranet]--------[Squid]-+-[HAVP]--------[Internet]
     ||                        ||
   [eth0]                  Parent Proxy
192.168.0.0/24            127.0.0.1:8080
                               ||
                               ||
                            [ClamAV]
2. The second is to make Squid the parent proxy for HAVP.
                 [ClamAV]
                     ||
                     ||
               Transparent Proxy*
               192.168.0.253:8080
                     ||                     [eth1]
                     ||                       ||
 [Intranet]--------[HAVP]-+-[Squid]--------[Internet]
     ||                        ||
   [eth0]                  Parent Proxy
192.168.0.0/24            127.0.0.1:3128

There are advantages and disadvantages to each (as described in http://kokikode.wordpress.com/2010/03/14/configuring-squid-havpclamav-in-ubuntu-reviews/).

I prefer Method-1, because the proxy only caches the content deemed safe.

Creating Method-1 Setup:
STEP 1: Install Squid Proxy
The steps are outlined in my previous post.
STEP 2: Install ClamAV.
I tried installing ClamAV using the command:
sudo apt-get install clamav
When performing signature update using
sudo freshclam
I got a warning saying the ClamAV engine is out of date. So I decided to install ClamAV from source. The latest stable source code can be obtained from http://www.clamav.net/lang/en/download/sources/.

Before installing ClamAV, a new user and group need to be created. The default user and group are both named "clamav". They can be added using the commands:
groupadd clamav
useradd -g clamav clamav
Untar the downloaded source code using the command:
tar -xzvf clamav-0.97.3.tar.gz

Move into the newly created directory and run "configure" with any needed options (no options are needed unless the user and group differ from the defaults, clamav-milter needs to be installed, or experimental features need to be enabled). Before actually installing, it is good to check for previous versions of clamav and remove them. The commands to install are:
cd clamav-0.97.3
./configure
make
sudo apt-get remove --purge clamav
sudo make uninstall
sudo make install

Before updating ClamAV, it is good to edit the clamd.conf and freshclam.conf files located in the /usr/local/etc folder. The line containing "Example" needs to be commented out, and any other entries uncommented as needed. The config files are self-explanatory. However, one issue could arise: the log files and signature directories used by freshclam and clamd, as specified in the .conf files, might not have the file permissions required for them to be created or edited. You can manually create the file and folder and fix their permissions using chown/chmod.

Update the antivirus signatures and try scanning a simple file.
sudo freshclam
clamscan -v filename

STEP 3: Install HAVP
The instructions given in http://kokikode.wordpress.com/2010/03/04/configuring-squid-havpclamav-in-ubuntu-example-1/ provide some guidance for the installation.

The package command below installs an older version of HAVP:
sudo apt-get install havp

Hence, get the latest source code of HAVP from http://www.server-side.de/download.htm.

Install HAVP using the regular commands given below. They also add the required user and group "havp", so I could skip adding them manually.
tar -xvzf havp-0.92a.tar.gz
cd havp-0.92a
./configure
make
sudo make install

Add the line below to /usr/local/squid/etc/squid.conf:
cache_peer 127.0.0.1 parent 8080 0 no-query no-digest no-netdb-exchange default

Next, havp.config needs to be edited. This config file is located at /usr/local/etc/havp/havp.config. Most of the entries in the config file are self-explanatory; however, the configuration provided in http://kokikode.wordpress.com/2010/03/04/configuring-squid-havpclamav-in-ubuntu-example-1/ can be used as a reference.

Two major steps need to be performed before HAVP will run successfully. The first is to set appropriate permissions on the files used by HAVP. In my case, I enumerated the files and folders needing a permission change by looking at the error messages. The INSTALL file provided in the extracted havp folder (havp-0.92a) gives the following commands.
Make sure the directories you are using have correct permissions:

  # chown havp /var/tmp/havp /var/log/havp /var/run/havp
  # chmod 700 /var/tmp/havp /var/log/havp /var/run/havp

The second major step is to ensure the scan file system has mandatory locks enabled. The INSTALL file indicates how this could be done. The file /etc/fstab indicates the file systems which are mounted when booting. In my case I just had the root file system (/). So, as indicated in the INSTALL file, I used the following command to activate mandatory locks.
mount -o remount,mand /
The "mand" option could similarly be added to any other file system used by HAVP for scanning (maybe the file system specified for SCANTEMPFILE in havp.config?). To make the "mand" change permanent, add the "mand" option to the root file system entry in the fstab file. The entry in my case looks like:
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
/host/ubuntu/disks/root.disk /               ext4    loop,mand,errors=remount-ro 0       1
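The following pre-flight checker is an added example, not code from the original post or from the Squid/HAVP projects. It verifies the two things that silently break Method-1: a squid.conf that lets Squid go direct instead of through the HAVP parent (Squid's default hierarchy_stoplist sends dynamic URLs direct unless "never_direct allow all" is set, so such requests would never be scanned), and a scan temp directory on a file system mounted without "mand". The squid.conf and /proc/mounts samples are constructed.

```python
"""Pre-flight checks for the Method-1 chain (Squid -> HAVP -> ClamAV). Added example,
not code from the post or from Squid/HAVP. Check 1: squid.conf must send every request
to the HAVP parent; without 'never_direct allow all' Squid can fetch some requests
directly (its default hierarchy_stoplist sends dynamic URLs direct), bypassing the
scanner. Check 2: the file system holding HAVP's scan temp dir must be mounted 'mand'.
"""
HAVP_PARENT = ("127.0.0.1", "8080")  # parent proxy from the Method-1 diagram

def check_squid_conf(conf_text):
    """Return findings for a squid.conf text; an empty list means it looks right."""
    lines = [ln.split("#", 1)[0].split() for ln in conf_text.splitlines()]
    lines = [ln for ln in lines if ln]
    findings = []
    # cache_peer <host> parent <port> ...: fields 1 and 3 are host and port
    peers = [ln for ln in lines if ln[0] == "cache_peer" and len(ln) > 3 and ln[2] == "parent"]
    if not any((ln[1], ln[3]) == HAVP_PARENT for ln in peers):
        findings.append("no 'cache_peer 127.0.0.1 parent 8080' entry for HAVP")
    if ["never_direct", "allow", "all"] not in lines:
        findings.append("missing 'never_direct allow all': requests can bypass HAVP by going direct")
    return findings

def fs_has_mand(proc_mounts, path):
    """True if the mount holding `path` (per /proc/mounts text) has the 'mand' option."""
    best = None  # (mount point, options) for the longest mount point that contains path
    for entry in proc_mounts.splitlines():
        fields = entry.split()
        if len(fields) < 4:
            continue
        mnt, opts = fields[1], fields[3].split(",")
        if path == mnt or path.startswith(mnt.rstrip("/") + "/"):
            if best is None or len(mnt) > len(best[0]):
                best = (mnt, opts)
    return best is not None and "mand" in best[1]

# Constructed samples: the post's cache_peer line, and a root fs remounted with 'mand'
SAMPLE_SQUID_CONF = """\
acl localnet src 192.168.0.0/24
http_access allow localnet
cache_peer 127.0.0.1 parent 8080 0 no-query no-digest no-netdb-exchange default
"""
SAMPLE_PROC_MOUNTS = """\
/dev/loop0 / ext4 rw,mand,errors=remount-ro 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
"""

if __name__ == "__main__":
    for finding in check_squid_conf(SAMPLE_SQUID_CONF) or ["squid.conf: ok"]:
        print(finding)
    print("mand on /var/tmp/havp:", fs_has_mand(SAMPLE_PROC_MOUNTS, "/var/tmp/havp"))
```

On a real box, feed it the contents of /usr/local/squid/etc/squid.conf and /proc/mounts instead of the samples.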

We can then start havp using the command:
/usr/local/sbin/havp
We could also start HAVP as user "havp" using the command:
sudo -u havp /usr/local/sbin/havp

STEP 4: Testing the setup.
Configure the browser to use the Squid proxy IP and port 3128, and try browsing a few web pages. To test whether HAVP is working properly, try visiting http://www.eicar.org/download/eicarcom2.zip. It should return the HAVP ACCESS DENIED page (shown below).
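As an added example (not from the original post), this script automates the EICAR check above: it fetches the test file and a benign page through the Squid proxy and reports whether HAVP's deny page came back. The proxy address is the one in the Method-1 diagram; the block-page heuristic (body contains "HAVP" and "ACCESS DENIED") and the benign URL are assumptions.

```python
"""End-to-end check of the Method-1 chain: fetch the EICAR test file through the Squid
proxy and confirm HAVP's ACCESS DENIED page comes back, while a benign URL still loads.
Added example, not code from the post. The proxy address is the one in the Method-1
diagram; the 'blocked' test assumes HAVP's page contains the words HAVP and ACCESS DENIED.
"""
import sys
import urllib.error
import urllib.request

PROXY = "http://192.168.0.253:3128"                        # Squid, from the diagram
EICAR_URL = "http://www.eicar.org/download/eicarcom2.zip"  # test file named in the post
CLEAN_URL = "http://www.squid-cache.org/"                  # assumed benign page

def classify_response(status, body):
    """'blocked' for HAVP's deny page, 'passed' for a normal 200 with content, else 'other'."""
    text = body.decode("utf-8", "replace").upper()
    if "HAVP" in text and "ACCESS DENIED" in text:
        return "blocked"  # Squid's own "Access Denied" page lacks "HAVP", so it is not counted
    if status == 200 and body:
        return "passed"
    return "other"

def fetch_via_proxy(url, proxy=PROXY, timeout=20):
    """Return (status, body) for url fetched through proxy; HTTP errors are returned, not raised."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({"http": proxy}))
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:  # an error status whose body may be HAVP's block page
        return err.code, err.read()

def run_checks(proxy=PROXY):
    """Map each test URL to its verdict; healthy only if EICAR is blocked and the clean URL passes."""
    return {url: classify_response(*fetch_via_proxy(url, proxy)) for url in (EICAR_URL, CLEAN_URL)}

if __name__ == "__main__":
    verdicts = run_checks()
    for url, verdict in verdicts.items():
        print(f"{verdict:8} {url}")
    sys.exit(0 if verdicts[EICAR_URL] == "blocked" and verdicts[CLEAN_URL] == "passed" else 1)
```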


Friday, December 9, 2011

Setting up Squid Proxy server

Squid can be installed from a package manager, like Synaptic, on Ubuntu. However, most of the time the latest Squid version won't be available from package managers. We can download the latest source code from http://www.squid-cache.org/Versions/.

I followed the instructions given here: http://www.technologytricks.com/install-squid-proxy-server/ to install Squid. While initializing the cache using the command:
/usr/local/squid/sbin/squid -z

I received the following error:
WARNING: Cannot write log file: /usr/local/squid/var/logs/cache.log/usr/local/squid/var/logs/cache.log: Permission denied

Following the instructions given here: http://vonroeschlaub.com/kurt/server.html, I modified the permissions of the folder /usr/local/squid/var/logs and all its contents using the commands
user@ubuntu:/usr/local/squid/var$ sudo chmod a+w logs
user@ubuntu:/usr/local/squid/var/logs$ sudo chmod a+w * 

You can then test Squid in debugging mode using the command:
sudo /usr/local/squid/sbin/squid -NCd1

"-NCd1" is used for starting it in debugging mode to look for any further errors. I had to use "sudo", because it threw an error as shown below:
2011/12/09 15:44:18| Accepting  HTTP connections at [::]:3128, FD 12.
2011/12/09 15:44:18| HTCP Disabled.
2011/12/09 15:44:18| /usr/local/squid/var/run/squid.pid: (13) Permission denied
FATAL: Could not write pid file
Aborted

Using "sudo" should make it run successfully in debug mode, like below:
2011/12/09 15:45:29| Accepting  HTTP connections at [::]:3128, FD 12.
2011/12/09 15:45:29| HTCP Disabled.
2011/12/09 15:45:29| Squid plugin modules loaded: 0
2011/12/09 15:45:29| Ready to serve requests.

You can then verify whether Squid is working from the browser. Just go to the connection settings, fill in the IP address of your machine and port 3128 for the proxy, and try to browse a URL. After browsing a few URLs, check the access logs in the squid/var/logs folder to verify that Squid did indeed see the URL requests. If you are accessing the proxy from a subnet other than the one listed in your squid.conf file, you should get an "ACCESS DENIED" page. To allow proper browsing, squid.conf probably needs to be edited further, and Squid needs to be restarted to make use of the updated configuration file.