Squid https aufbrechen und ClamAV: Unterschied zwischen den Versionen

(Die Seite wurde neu angelegt: „=clamav und anderes installieren= *apt install c-icap clamav clamdscan libicapapi-dev clamav-daemon =squid runterladen und übersetzen= *wget http://www.squid…“)
 
 
(6 dazwischenliegende Versionen von 2 Benutzern werden nicht angezeigt)
Zeile 2: Zeile 2:
 
*apt install  c-icap clamav clamdscan libicapapi-dev clamav-daemon
 
*apt install  c-icap clamav clamdscan libicapapi-dev clamav-daemon
 
=squid runterladen und übersetzen=
 
=squid runterladen und übersetzen=
*wget http://www.squid-cache.org/Versions/v4/squid-4.10-20200419-r2ae88f12c.tar.gz
+
<!--*wget http://www.squid-cache.org/Versions/v4/squid-4.10-20200419-r2ae88f12c.tar.gz -->
*tar -xvzf squid-4.10-20200419-r2ae88f12c.tar.gz
+
*wget http://www.squid-cache.org/Versions/v4/squid-4.17.tar.gz
 +
<!--*tar -xvzf squid-4.10-20200419-r2ae88f12c.tar.gz -->
 +
*tar -xvzf squid-4.17.tar.gz
 
*cd squid*
 
*cd squid*
 
*./configure --with-openssl --enable-ssl-crtd --enable-ltdl-convenience --enable-icap-client
 
*./configure --with-openssl --enable-ssl-crtd --enable-ltdl-convenience --enable-icap-client
 
*make  
 
*make  
 
*make install
 
*make install
 +
 +
=squid anpassen=
 +
*cd /usr/local/squid/etc
 +
*openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -extensions v3_ca -keyout myCA.pem  -out myCA.pem
 +
*/usr/local/squid/libexec/security_file_certgen -c -s /var/lib/ssl_db -M 4MB
 +
*cat /usr/local/squid/etc/squid.conf
 +
<pre>
 +
acl localnet src 0.0.0.1-0.255.255.255  # RFC 1122 "this" network (LAN)
 +
acl localnet src 10.0.0.0/8            # RFC 1918 local private network (LAN)
 +
acl localnet src 100.64.0.0/10          # RFC 6598 shared address space (CGN)
 +
acl localnet src 169.254.0.0/16        # RFC 3927 link-local (directly plugged) machines
 +
acl localnet src 172.16.0.0/12          # RFC 1918 local private network (LAN)
 +
acl localnet src 192.168.0.0/16        # RFC 1918 local private network (LAN)
 +
acl localnet src fc00::/7              # RFC 4193 local private network range
 +
acl localnet src fe80::/10              # RFC 4291 link-local (directly plugged) machines
 +
 +
acl SSL_ports port 443
 +
acl Safe_ports port 80          # http
 +
acl Safe_ports port 21          # ftp
 +
acl Safe_ports port 443        # https
 +
acl Safe_ports port 70          # gopher
 +
acl Safe_ports port 210        # wais
 +
acl Safe_ports port 1025-65535  # unregistered ports
 +
acl Safe_ports port 280        # http-mgmt
 +
acl Safe_ports port 488        # gss-http
 +
acl Safe_ports port 591        # filemaker
 +
acl Safe_ports port 777        # multiling http
 +
acl CONNECT method CONNECT
 +
 +
http_port 3128 ssl-bump  cert=/usr/local/squid/etc/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
 +
 +
# For squid 4.x
 +
sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /var/lib/ssl_db -M 4MB
 +
 +
acl step1 at_step SslBump1
 +
 +
ssl_bump peek step1
 +
ssl_bump bump all
 +
 +
icap_enable on
 +
icap_send_client_ip on
 +
icap_send_client_username on
 +
icap_client_username_encode off
 +
icap_client_username_header X-Authenticated-User
 +
icap_preview_enable on
 +
icap_preview_size 1024
 +
 +
icap_service service_req reqmod_precache bypass=0 icap://127.0.0.1:1344/squidclamav
 +
icap_service service_resp respmod_precache bypass=0 icap://127.0.0.1:1344/squidclamav
 +
 +
adaptation_access service_req allow all
 +
adaptation_access service_resp allow all
 +
 +
http_access deny !Safe_ports
 +
http_access deny CONNECT !SSL_ports
 +
http_access allow localhost manager
 +
http_access deny manager
 +
 +
http_access allow localnet
 +
http_access allow localhost
 +
http_access deny all
 +
coredump_dir /usr/local/squid/var/cache/squid
 +
refresh_pattern ^ftp:          1440    20%    10080
 +
refresh_pattern ^gopher:        1440    0%      1440
 +
refresh_pattern -i (/cgi-bin/|\?) 0    0%      0
 +
refresh_pattern .              0      20%    4320
 +
</pre>
 +
 
=squid clamav runterladen und übersetzen=
 
=squid clamav runterladen und übersetzen=
 
*wget https://github.com/darold/squidclamav/archive/v7.1.tar.gz
 
*wget https://github.com/darold/squidclamav/archive/v7.1.tar.gz
Zeile 13: Zeile 83:
 
*cd squidclamav-7.1/
 
*cd squidclamav-7.1/
 
*./configure && make && make install
 
*./configure && make && make install
 +
=c-icap aktivieren=
 +
*cat /etc/default/c-icap.conf
 +
START=yes
 +
*cat /etc/c-icap/c-icap.conf
 +
Service squidclamav squidclamav.so
 +
Port 1344
 +
 +
=diverse dienste starten=
 +
*systemctl restart  clamav-freshclam.service
 +
*systemctl restart  clamav-daemon.service
 +
*systemctl restart  c-icap.service
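Review bot: The CA produced on the `openssl req` line stores its unencrypted private key and certificate in one file (`-keyout myCA.pem -out myCA.pem` with `-nodes`), and nothing in the change restricts who can read /usr/local/squid/etc/myCA.pem, although every client that imports this CA will trust any certificate it signs. Add a step directly after it such as `chmod 600 /usr/local/squid/etc/myCA.pem` and `chown` it (together with /var/lib/ssl_db, which the `security_file_certgen -c` step presumably creates as root) to the account Squid's `cache_effective_user` resolves to, since the certificate helper on the `sslcrtd_program` line has to write that database. The `ssl_bump peek step1` / `ssl_bump bump all` pair decrypts every TLS connection with no splice exception, so a sentence on adding `ssl_bump splice` for hosts that must stay end-to-end (certificate-pinned applications, for instance) would help the next reader. The `bypass=0` on both icap_service lines is fail-closed, which is the right default here and deserves a comment in the listing: `# bypass=0: requests fail when c-icap/ClamAV is unreachable, so scanning cannot be skipped silently`.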

Aktuelle Version vom 8. August 2023, 15:40 Uhr

clamav und anderes installieren

  • apt install c-icap clamav clamdscan libicapapi-dev clamav-daemon

squid runterladen und übersetzen

squid anpassen

  • cd /usr/local/squid/etc
  • openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -extensions v3_ca -keyout myCA.pem -out myCA.pem
  • /usr/local/squid/libexec/security_file_certgen -c -s /var/lib/ssl_db -M 4MB
  • cat /usr/local/squid/etc/squid.conf
# squid.conf for a TLS-intercepting proxy: listens on 3128, bumps (decrypts)
# TLS with the CA in myCA.pem and hands every request and response to
# squidclamav via the local c-icap service on 127.0.0.1:1344.

# Client source networks allowed through the proxy (see "http_access allow localnet" below).
acl localnet src 0.0.0.1-0.255.255.255  # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8             # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10          # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16         # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12          # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16         # RFC 1918 local private network (LAN)
acl localnet src fc00::/7               # RFC 4193 local private network range
acl localnet src fe80::/10              # RFC 4291 link-local (directly plugged) machines

# Destination ports: CONNECT tunnels may only target SSL_ports, and anything
# outside Safe_ports is refused outright (enforced by the deny rules below).
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

# Listener with SSL-bump enabled. myCA.pem is the file written by the openssl
# step above and holds the CA private key as well as the certificate.
# NOTE(review): that file must be readable only by the account squid runs as.
http_port 3128 ssl-bump  cert=/usr/local/squid/etc/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# For squid 4.x
# Helper that mints the per-host certificates; /var/lib/ssl_db was initialised
# with "security_file_certgen -c" above.
# NOTE(review): the database must be writable by squid's effective user — confirm ownership.
sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /var/lib/ssl_db -M 4MB

# First SSL-bump step: peek at the client's TLS handshake, then bump (decrypt)
# everything. There is no splice exception, so hosts that require end-to-end
# TLS (e.g. certificate pinning) will presumably fail through this proxy.
acl step1 at_step SslBump1

ssl_bump peek step1
ssl_bump bump all

# ICAP client settings. The username header is forwarded to the ICAP service;
# no proxy authentication is configured in this file, so it is presumably empty.
icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_encode off
icap_client_username_header X-Authenticated-User
icap_preview_enable on
icap_preview_size 1024

# Requests (reqmod) and responses (respmod) both go to squidclamav on local c-icap.
# bypass=0: per Squid's icap_service documentation the service is mandatory, so
# an unreachable or failing scanner yields an error instead of being skipped.
icap_service service_req reqmod_precache bypass=0 icap://127.0.0.1:1344/squidclamav
icap_service service_resp respmod_precache bypass=0 icap://127.0.0.1:1344/squidclamav

# Apply both services to all traffic.
adaptation_access service_req allow all
adaptation_access service_resp allow all

# Access policy — Squid uses the first http_access line that matches, so order matters.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager

http_access allow localnet
http_access allow localhost
http_access deny all
coredump_dir /usr/local/squid/var/cache/squid
# Cache freshness rules: regex, min age, percent of object age, max age (ages in minutes).
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

squid clamav runterladen und übersetzen

c-icap aktivieren

  • cat /etc/default/c-icap.conf
START=yes
  • cat /etc/c-icap/c-icap.conf
Service squidclamav squidclamav.so
Port 1344

diverse dienste starten

  • systemctl restart clamav-freshclam.service
  • systemctl restart clamav-daemon.service
  • systemctl restart c-icap.service