Building an antivirus proxy with squid 2.6 STABLE12 + ClamAV + HAVP

Installing squid 2.6 STABLE12

useradd squid

./configure --prefix=/opt/squid --enable-async-io=40 --enable-storeio="aufs,coss,diskd,ufs" --enable-useragent-log --enable-referer-log --enable-kill-parent-hack --enable-forward-log --enable-snmp --enable-cache-digests --enable-default-err-language=Simplify_Chinese --enable-poll --enable-removal-policies="heap,lru" --enable-large-cache-files --disable-internal-dns --enable-x-accelerator-vary --enable-follow-x-forwarded-for --with-large-files --disable-ident-lookups --enable-underscore --disable-arp-acl

make && make install

cd /opt/squid
mkdir cache1 cache2
chown -R squid:squid cache1 cache2 var

Contents of squid.conf (the paths below use /opt/web-squid; change them to match the --prefix used above):

http_port 3128

cache_mem 100 MB
cache_swap_low 75
cache_swap_high 98

emulate_httpd_log on
logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st "%{Referer}>h" "%{User-Agent}>h"
access_log /opt/web-squid/var/logs/access.log combined
redirect_rewrites_host_header off

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 # http

acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow all

cache_effective_user squid
cache_effective_group squid

cache_replacement_policy lru

cache_dir aufs /opt/web-squid/cache1 50 32 64
cache_dir aufs /opt/web-squid/cache2 50 32 64
cache_log /opt/web-squid/var/logs/cache.log
cache_store_log none
cache_swap_log /opt/web-squid/var/logs/swap.log
log_ip_on_direct on
pid_filename /opt/web-squid/var/logs/squid.pid
visible_hostname testwebsquid
logfile_rotate 5

Installing Clam AntiVirus
First download the ClamAV 0.90 package from http://www.clamav.net/

useradd clamav

./configure
make
make install

Note: the build may fail because the installed zlib version is too old. If so, download the latest zlib from http://www.zlib.net/ and install it.

Installation procedure:
./configure
make
make install

Installing HAVP
Download the HAVP 0.86 package from http://www.server-side.de/download.htm

useradd havp

./configure
make
make install

chown -R havp:havp /var/log/havp /var/tmp/havp /var/run/havp

vi /usr/local/etc/havp/havp.config

Comment out the following line:

REMOVETHISLINE deleteme

ClamAV Library Scanner (libclamav) → HAVP uses the ClamAV virus database directly

ENABLECLAMLIB true
CLAMDBDIR /var/lib/clamav

ClamAV Socket Scanner (clamd) → scanning is handed to clamd (clamd must be started first). Either of the two modes will do; I use the first one (libclamav).

ENABLECLAMD true
CLAMDSOCKET /tmp/clamd

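Other performance-related settings:

In theory, the more threads, the better the performance, but this still depends on the server's resources.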

SERVERNUMBER 40
MAXSERVERS 200

Log errors only. Less logging reduces the load on the server.

LOGLEVEL 0

Do not scan image files, which reduces CPU load.

SCANIMAGES false

This is HAVP's listening port. The default is 8080, but since 8080 is also Tomcat's default port, I changed it to 3129.

PORT 3129

Mount a dedicated partition on /var/tmp/havp (the -o mand option is required):

mount -o mand /dev/hda3 /var/tmp/havp

If there is no spare device to mount, either of the following two methods can be used:

a. Create a virtual disk in memory

mkfs -t ext2 /dev/ram0 8192    # create an 8 MB RAM disk
mount -o mand /dev/ram0 /var/tmp/havp

b. Create a virtual disk from hard-disk space

dd if=/dev/zero of=/root/havp_tmp.img bs=128K count=1 seek=1024    # create a 128 MB virtual disk
mkfs.ext2 /root/havp_tmp.img
mount -o loop,mand /root/havp_tmp.img /var/tmp/havp

P.S. The size of the files HAVP can scan is limited by the disk space mounted here.

Update the shared-library cache (for ClamAV)

vi /etc/ld.so.conf    # add the line: /usr/local/lib
ldconfig

Start HAVP

/usr/local/sbin/havp &

Chaining squid to HAVP

Edit squid.conf
and add the following two lines:

cache_peer 127.0.0.1 parent 3129 0 no-query no-digest no-netdb-exchange default
cache_peer_access 127.0.0.1 allow all

At this point squid + ClamAV + HAVP is fully configured.
Use squid as your proxy and visit http://www.eicar.org/anti_virus_test_file.htm to test it.
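
The following added example (not part of the original post) is a shell preflight check for the chain configured above: it reads havp.config, squid.conf and a /proc/mounts-style file and reports the misconfigurations that stop traffic from being scanned. The `never_direct` and `http_access allow all` checks go beyond the post: without `never_direct allow all` squid still fetches some requests directly instead of through the HAVP parent, and `http_access allow all` opens the proxy to every client that can reach port 3128. The sample files are constructed.

```shell
#!/bin/sh
# Added example: preflight checks for the squid -> HAVP chain (not the author's code).

# Active (uncommented) value of KEY in a "KEY value" config file.
conf_value() { awk -v k="$2" '$1 == k { print $2; exit }' "$1"; }

# True if DIR is listed in a /proc/mounts-style file with the "mand" option.
has_mand_mount() {
    awk -v d="$2" '$2 == d { n = split($4, o, ",")
                             for (i = 1; i <= n; i++) if (o[i] == "mand") ok = 1 }
                   END { exit !ok }' "$1"
}

# True if FILE has an active line starting with the three words given.
has_rule() {
    awk -v a="$2" -v b="$3" -v c="$4" '$1 == a && $2 == b && $3 == c { f = 1 }
                                       END { exit !f }' "$1"
}

# havp_preflight HAVP_CONFIG SQUID_CONF MOUNTS_FILE
# Prints one FAIL line per problem and returns 1 if any were found.
havp_preflight() {
    rc=0
    port=$(conf_value "$1" PORT); port=${port:-8080}   # 8080 is the HAVP default
    if [ -n "$(conf_value "$1" REMOVETHISLINE)" ]; then
        echo "FAIL: REMOVETHISLINE is still active in havp.config"; rc=1; fi
    if [ "$(conf_value "$1" ENABLECLAMLIB)" != true ] &&
       [ "$(conf_value "$1" ENABLECLAMD)" != true ]; then
        echo "FAIL: neither ENABLECLAMLIB nor ENABLECLAMD is true"; rc=1; fi
    if ! has_mand_mount "$3" /var/tmp/havp; then
        echo "FAIL: /var/tmp/havp is not mounted with -o mand"; rc=1; fi
    if ! awk -v p="$port" '$1 == "cache_peer" && $3 == "parent" && $4 == p { f = 1 }
                           END { exit !f }' "$2"; then
        echo "FAIL: squid.conf has no cache_peer parent on HAVP port $port"; rc=1; fi
    if ! has_rule "$2" never_direct allow all; then
        echo "FAIL: no 'never_direct allow all'; some requests bypass HAVP"; rc=1; fi
    if has_rule "$2" http_access allow all; then
        echo "FAIL: 'http_access allow all' lets any client use the proxy"; rc=1; fi
    return $rc
}

# Constructed sample files (not from a real host) for a trial run.
demo=$(mktemp -d)
printf '%s\n' '# REMOVETHISLINE deleteme' 'ENABLECLAMLIB true' 'PORT 3129' > "$demo/havp.config"
printf '%s\n' 'cache_peer 127.0.0.1 parent 3129 0 no-query default' \
    'never_direct allow all' 'http_access allow all' > "$demo/squid.conf"
printf '%s\n' '/dev/hda3 /var/tmp/havp ext2 rw,mand 0 0' > "$demo/mounts"
havp_preflight "$demo/havp.config" "$demo/squid.conf" "$demo/mounts" || true
rm -rf "$demo"
```

On the proxy host, call havp_preflight with /usr/local/etc/havp/havp.config, your squid.conf and /proc/mounts.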

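HAVP uses the ClamAV library directly, so the ClamAV service does not need to be started.
You only need ClamAV's freshclam to update the ClamAV virus signatures,
as follows:

  1. Schedule it with crontab: 0 0 * * * /usr/local/bin/freshclam --verbose (updates the virus signatures every day at midnight)

ClamAV update configuration file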

vi /usr/local/clamav/etc/freshclam.conf

# Example config file for freshclam
# Please read the clamav.conf(5) manual before editing this file.
# This file may be optionally merged with clamav.conf.

# You can change the default database directory here.
DatabaseDirectory /var/lib/clamav

# Path to the log file (make sure it has proper permissions)
UpdateLogFile /var/log/freshclam.log

# Enable verbose logging.
LogVerbose

# Use system logger (can work together with UpdateLogFile).
LogSyslog

# By default when freshclam is started by root it drops privileges and
# switches to the "clamav" user. You can change this behaviour here.
DatabaseOwner clamav

# The main database mirror is database.clamav.net (this is a round-robin
# DNS that points to many mirrors on the world) and in most cases you
# SHOULD NOT change it.
DatabaseMirror database.clamav.net

# How many attempts to make before giving up.
MaxAttempts 3

# How often check for a new database. We suggest checking for it every
# two hours.
Checks 12

# Proxy settings
HTTPProxyServer myproxy.com
HTTPProxyPort 1234
HTTPProxyUsername myusername
HTTPProxyPassword mypass

# Send the RELOAD command to clamd.
NotifyClamd [/optional/config/file/path]

# Run command after database update.
OnUpdateExecute command

# Run command if database update failed.
OnErrorExecute command

Parts of the above were added after reading other articles; it is not entirely my own original work.