
Wednesday, October 10, 2012

squidclamav 6.9 + c-icap 0.2.2 version upgrade

This time, along with the OS upgrade, I also upgraded squidclamav and c-icap.

OS: openSUSE 12.2
squid 3.1.20  (checked with squid -v)
apache 2.2.22 (apache2ctl -v)
clamav 0.97.6 (clamd -V)
squid-graph 3.2 http://squid-graph.sourceforge.net/ (I haven't written up its installation this time, but since it hasn't been updated at all, a web search will turn it up.)

The two main players this time are the following.
squidclamav 6.4 ⇒ 6.9 http://squidclamav.darold.net
c-icap 0.1.7 ⇒ 0.2.2 http://c-icap.sourceforge.net/

Note that in the c-icap 0.1.x series the modules are placed in
/usr/local/c-icap/lib/c_icap
and in the 0.2.x series in
/usr/local/c-icap/lib64/c_icap
so be careful when upgrading a server that has been running the 0.1.x series all along.
This is basic, but it is the kind of thing that often happens on a major version upgrade.
It took me several months to notice. (It was simply an oversight on my part...)
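The lib vs lib64 mistake is easy to make because c-icap starts fine with an empty module directory; the missing squidclamav service only shows up later. The following check is an added example, not part of the original post: it reads a c-icap.conf, resolves ModulesDir and ServicesDir, and verifies that every file named on a "Service" line really exists there. It assumes only the directive syntax shown in the post's c-icap.conf; the config path is whatever you pass as the first argument (e.g. /usr/local/c-icap/etc/c-icap.conf).

```shell
#!/bin/sh
# Verify that a c-icap.conf's ModulesDir and ServicesDir exist and that every
# "Service <name> <file.so>" line resolves to a real file under ServicesDir.
# Added example, not from the original post; it only reads the config file
# whose path you pass in (e.g. /usr/local/c-icap/etc/c-icap.conf).

# Print the value of the first uncommented occurrence of a directive.
cicap_conf_get() {
    # $1 = config file, $2 = directive name
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\([^[:space:]#]*\).*/\1/p" "$1" | head -n 1
}

# Return 0 if every directory and module the config refers to exists;
# otherwise print each missing item and return 1.
cicap_check_modules() {
    conf="$1"
    rc=0
    for directive in ModulesDir ServicesDir; do
        dir=$(cicap_conf_get "$conf" "$directive")
        if [ -z "$dir" ]; then
            echo "MISSING: $directive is not set in $conf"
            rc=1
        elif [ ! -d "$dir" ]; then
            echo "MISSING: $directive $dir does not exist (lib vs lib64?)"
            rc=1
        fi
    done
    svcdir=$(cicap_conf_get "$conf" ServicesDir)
    # Module file names contain no whitespace, so word splitting is safe here.
    for mod in $(sed -n 's/^[[:space:]]*Service[[:space:]]\{1,\}[^[:space:]]\{1,\}[[:space:]]\{1,\}\([^[:space:]#]*\).*/\1/p' "$conf"); do
        if [ ! -f "$svcdir/$mod" ]; then
            echo "MISSING: module $mod not found in $svcdir"
            rc=1
        fi
    done
    return $rc
}

# Usage: sh check-cicap-modules.sh /usr/local/c-icap/etc/c-icap.conf
if [ -n "${1:-}" ]; then
    cicap_check_modules "$1" && echo "OK: all c-icap module paths in $1 resolve"
fi
```

Run it right after `make install` and again after editing c-icap.conf; a non-zero exit with a "lib vs lib64?" line is the exact situation described above.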


[c-icap]
cd /home/niriakot/ダウンロード (upload the squidclamav and c-icap tarballs to this folder.)

tar xvzf c_icap-0.2.2.tar.gz
cd c_icap-0.2.2
./configure --prefix=/usr/local/c-icap --enable-large-files
(make clean)
make
make install

vi /usr/local/c-icap/etc/c-icap.conf
※ The previous file can be reused, but the module directory and service directory must be changed to lib64.
---e.g.---start---

PidFile /var/run/c-icap/c-icap.pid
CommandsSocket /var/run/c-icap/c-icap.ctl
Timeout 300
MaxKeepAliveRequests 100
KeepAliveTimeout 600
StartServers 3
MaxServers 10
MinSpareThreads     10
MaxSpareThreads     20
ThreadsPerChild     10
MaxRequestsPerChild  0
Port 1344
ServerAdmin webmaster@example.jp
ServerName sq.example.jp
TmpDir /var/tmp
MaxMemObject 131072
# TAG: DebugLevel
# Format: DebugLevel level
# Description:
#       The level of debugging information to be logged.
#       The acceptable range of levels is between 0 and 10.
# Default:
#       DebugLevel 1
DebugLevel 1
ModulesDir /usr/local/c-icap/lib64/c_icap
ServicesDir /usr/local/c-icap/lib64/c_icap
#TemplateDir /usr/local/c-icap/share/c_icap/templates/
#TemplateDefaultLanguage en
LoadMagicFile /usr/local/c-icap/etc/c-icap.magic
RemoteProxyUsers off
RemoteProxyUserHeader X-Authenticated-User
RemoteProxyUserHeaderEncoded on
LogFormat myFormat "%tl, %a %la %>a %<A %im %iu %is %I %O %Ib %Ob %{10}bph"
ServerLog /usr/local/c-icap/var/log/server.log
AccessLog /usr/local/c-icap/var/log/access.log myFormat
Service echo srv_echo.so
Service squidclamav squidclamav.so

---e.g.---end---

vi /etc/init.d/c-icap
---e.g.---start---
#!/bin/sh
#
# /etc/init.d/c-icap
#   and its symbolic link
# /usr/sbin/rcc-icap
#
### BEGIN INIT INFO
# Provides:          c-icap
# Required-Start:    $syslog $remote_fs
# Should-Start:
# Required-Stop:     $syslog $remote_fs
# Should-Stop:
# Default-Start:     3 5
# Default-Stop:      0 1 2 6
# Short-Description: c-icap redirector for squid and clamav
# Description:       Start c-icap to provide clamav virus
#                    scanner interface for Squid.
### END INIT INFO

CICAP_BIN=/usr/local/c-icap/bin/c-icap
test -x $CICAP_BIN || { echo "$CICAP_BIN not installed";
        if [ "$1" = "stop" ]; then exit 0;
        else exit 5; fi; }

CICAP_CONFIG=/etc/sysconfig/c-icap
test -r $CICAP_CONFIG || { echo "$CICAP_CONFIG not existing";
        if [ "$1" = "stop" ]; then exit 0;
        else exit 6; fi; }

. $CICAP_CONFIG

# "=" instead of "==" keeps this valid for a POSIX /bin/sh as well as bash.
if [ "$USE_CICAP" = "no" ]; then
        echo "c-icap disabled in $CICAP_CONFIG. To enable c-icap, set USE_CICAP=\"yes\" in $CICAP_CONFIG"
        exit 6
fi

. /etc/rc.status
rc_reset

case "$1" in
    start)
        echo -n "Starting c-icap "
        /sbin/startproc $CICAP_BIN
        rc_status -v
        ;;
    stop)
        echo -n "Shutting down c-icap "
        /sbin/killproc -TERM $CICAP_BIN
        rc_status -v
        ;;
    try-restart|condrestart)
        if test "$1" = "condrestart"; then
                echo "${attn} Use try-restart ${done}(LSB)${attn} rather than condrestart ${warn}(RH)${norm}"
        fi
        $0 status
        if test $? = 0; then
                $0 restart
        else
                rc_reset        # Not running is not a failure.
        fi
        rc_status
        ;;
    restart)
        $0 stop
        $0 start
        rc_status
        ;;
    force-reload)
        echo -n "Reload service c-icap "
        /sbin/killproc -HUP $CICAP_BIN
        rc_status -v
        ;;
    reload)
        echo -n "Reload service c-icap "
        /sbin/killproc -HUP $CICAP_BIN
        rc_status -v
        ;;
    status)
        echo -n "Checking for service c-icap "
        /sbin/checkproc $CICAP_BIN
        rc_status -v
        ;;
    probe)
        test /usr/local/c-icap/etc/c-icap.conf -nt /var/run/c-icap/c-icap.pid && echo reload
        ;;
    *)
        echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload|probe}"
        exit 1
        ;;
esac
rc_exit
---e.g.---end---

vi /etc/sysconfig/c-icap
※ Unchanged from before.
---e.g.---start---

## Path:        Network/WWW/Proxy/c-icap
## Description: c-icap configuration
## Type:        yesno
## Default:     yes
## ServiceReload: c-icap
## ServiceRestart: c-icap
#
# Set USE_CICAP to yes, if you want to use the proxy virus scanning
# facility c-icap within squid3 and clamav.
#
USE_CICAP="yes"

---e.g.---end---

That completes the c-icap part.

[squidclamav]
cd /home/niriakot/ダウンロード
tar xvzf squidclamav-6.9.tar.gz
cd squidclamav-6.9
./configure --with-c-icap=/usr/local/c-icap/
(make clean)
make
make install

vi /etc/squidclamav.conf
※ Unchanged from before.
---e.g.---start---

#-----------------------------------------------------------------------------
# SquidClamav v6.x default configuration file
#
# To learn how to customize your configuration file, see the squidclamav manpage
# or go to http://squidclamav.darold.net/
#
#-----------------------------------------------------------------------------
#
# Global configuration
#
squid_ip 127.0.0.1
squid_port 3128
trust_cache 0
# Maximum size of a file that may be scanned. Any file bigger than this value
# will not be scanned.
maxsize 256000000
# When a virus is found then redirect the user to this URL
redirect http://192.168.10.110/cgi-bin/clwarn.cgi
# Path to the squidGuard binary if you want URL filtering
#squidguard /usr/local/squidGuard/bin/squidGuard
# Path to the clamd socket, use clamd_local if you use Unix socket or if clamd
# is listening on an Inet socket, comment clamd_local and set the clamd_ip and
# clamd_port to the corresponding value.
#clamd_local /tmp/clamd
clamd_local /var/lib/clamav/clamd-socket
clamd_ip 192.168.10.110,127.0.0.1
clamd_port 3310
# Set the timeout for clamd connection. Default is 1 second, this is a good
# value but if you have slow service you can increase up to 3.
timeout 1
# Force SquidClamav to log all virus detections or squidGuard block redirections
# to the c-icap log file.
logredir 0
# Enable / disable DNS lookup of client ip address. Default is enabled '1' to
# preserve backward compatibility but you must deactivate this feature if you
# don't use trustclient with hostname in the regexp or if you don't have a DNS
# on your network. Disabling it will also speed up squidclamav.
dnslookup 1
#
# Here are some default regex patterns to have a high speed proxy on systems
# with low resources.
#
# Do not scan images
#abort ^.*\.(ico|gif|png|jpg)$
#abortcontent ^image\/.*$
# Do not scan text files
#abort ^.*\.(css|xml|xsl|js|html|jsp)$
#abortcontent ^text\/.*$
#abortcontent ^application\/x-javascript$
# Do not scan streamed videos
abortcontent ^video\/x-flv$
abortcontent ^video\/mp4$
#abort ^.*\.wmv$
# Do not scan flash files
abort ^.*\.swf$
abortcontent ^application\/x-shockwave-flash$
# Do not scan sequence of framed Microsoft Media Server (MMS) data packets
#abortcontent ^application\/x-mms-framed$
# White list some sites
# whitelist .*\.clamav.net
whitelist       .*\.gomplayer\.jp
whitelist       .*\.gomlab\.com
whitelist       .*\.sony\.jp
whitelist       .*\.ati\.com
whitelist       .*\.lg\.com
whitelist       .*\.symantec\.com
whitelist       .*\.norton\.com
whitelist       .*\.liveupdate\.symantecliveupdate\.com
whitelist       .*\.slysoft\.com
whitelist       .*\.epson\.jp
whitelist       .*\.microsoft\.com
whitelist       .*\.iodata\.jp
whitelist       .*\.sun\.com
whitelist       .*\.paragon-software\.com
whitelist       .*\.jra-van\.ne\.jp
whitelist       .*\.real\.com
whitelist       .*\.turbine\.com
# See also 'trustuser' and 'trustclient' configuration directives
#trustclient    192.168.10.160
# Do not scan m4a (itunes)
abort ^.*\.m4a$
abortcontent ^video\/x-ms-asf$
# exclude others
abort   ^.*vista_win7_32-64_.*$
abort   ^.*GOMENCODERSETUP_JPN\.EXE$
abort   ^.*Joomla.*$
#abortcontent ^application\/octet-stream$
# -> eicar file type

---e.g.---end---

cp -p /usr/local/lib/squidclamav/* /srv/www/cgi-bin/

vi /etc/squid/squid.conf

※ Unchanged from before.
---e.g.---start---

#
# Recommended minimum configuration:
#
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 192.168.10.0/24        # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
acl Safe_ports port 12093       # bitcomet
acl Safe_ports port 20820       # eMule
acl Safe_ports port 1090        # PNA
acl Safe_ports port 554         # RTSP
#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
# allow localhost always proxy functionality
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?
# Uncomment and adjust the following to add a disk cache directory.
cache_dir ufs /var/cache/squid 50000 16 256
# Leave coredumps in the first cache dir
coredump_dir /var/cache/squid
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i \.(gif|png|jpg|jpe?g|ico|tif?f|bmp)$ 10080 90% 43200 ignore-no-cache ignore-no-store ignore-private
refresh_pattern -i \.(iso|avi|wav|mp3|mp4|mpe?g|swf|flv|x-flv|mpg|ra?m|mwv|mov|mid)$ 43200 90% 432000 ignore-no-cache ignore-no-store ignore-private
refresh_pattern -i \.(deb|rpm|exe|zip|tar|tgz|ram|rar|bin|ppt|doc|tiff|class|pdf)$ 10080 90% 43200 ignore-no-cache ignore-no-store ignore-private
refresh_pattern -i \.index.(html|htm)$ 0 40% 10080
refresh_pattern -i \.(html|htm|css|js)$ 1440 40% 40320
refresh_pattern -i youtube.com/.* 10080 90% 43200
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern . 0 40% 40320
cache_mem 256 MB
maximum_object_size_in_memory 256 MB
maximum_object_size 1024 MB
logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt
access_log /var/log/squid/access.log squid
cache_log /var/log/squid/cache.log
#squidclamav
icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_encode off
icap_client_username_header X-Authenticated-User
icap_preview_enable on
icap_preview_size 1024
icap_service service_req reqmod_precache bypass=on routing=off ipv6=off icap://127.0.0.1:1344/squidclamav
adaptation_access service_req allow all
icap_service service_resp respmod_precache bypass=on routing=off ipv6=off icap://127.0.0.1:1344/squidclamav
adaptation_access service_resp allow all
http_port 3128
#SSL squidclamav
#http_port 3128 ssl-bump cert=/etc/ssl/sq.pem key=/etc/ssl/sq-key.pem
#ssl_bump allow all
#always_direct allow all
forwarded_for off

---e.g.---end---


/etc/init.d/c-icap start
/etc/init.d/squid restart

[log]
tail -f /var/log/squid/cache.log
tail -f /usr/local/c-icap/var/log/server.log

If no errors or warnings appear, you're done.


Apart from this, our company builds and operates all kinds of servers on open source software, so for inquiries please contact
webmaster@niriakot.jp
※ For first-time customers, three months of operation are free. (Setup costs are charged.)
Leave the operation to us for three months, and if you feel it isn't working out, no operation contract is required.
