Author: Zhang Hui (jimzhang)
QQ: 872656885
E-mail, MSN: [email protected]
Personal blog: zhanghui8059.cublog.cn
Note: the content of this article belongs to the author. You are welcome to repost it, but when you do, please keep the author's complete information, because the author's articles all come from real experience and project deployments and each one carries the author's effort. Thank you!
Criticism and suggestions are welcome; if you have questions, please contact the author!
Network viruses are rampant these days; one slip and every computer in the company is infected, which wastes a great deal of money and resources and is bad for the company's network security, so a gateway antivirus is very necessary. On Windows there is ISA, which combined with antivirus software can act as a gateway antivirus; it works reasonably well, but it costs a lot of money, needs good hardware, and with many users its stability is not great. So I looked for a solution on Linux, where the natural choice for gateway antivirus is squid with clamav. For the component in between I have used havp and dansguardian, but both spawn many processes, consume a lot of resources, and can only run on the local machine; they cannot be separated from the proxy.
For these reasons I found that people abroad all use ICAP. ICAP is simply a protocol (Internet Content Adaptation Protocol); scanning through a protocol is certainly better than havp or dansguardian, and the proxy server and the antivirus server can be separated. In China most people use hardware antivirus gateways, such as those from Trend Micro or McAfee, and in fact these vendors' hardware and software antivirus gateways all show traces of ICAP.
Software on Linux is basically all open source and works very well, so why not build a gateway antivirus yourself? The result certainly will not be much worse than the antivirus vendors' products. People in China are using this too, with good results, so I got the urge: relying on my familiarity with Linux, I decided to switch the company over to squid+c_icap+clamav, and after going live it really does work.
squid supports an ICAP client starting with version 3.0. As for open-source ICAP servers, c_icap is the only one I found, and it integrates well with clamav. My installation steps follow:
1. squid 3.0 supports icap_client, so compile and install squid 3.0.
# --prefix: installation directory
# --enable-linux-netfilter: transparent proxy support
# --enable-cpu-profiling: multi-CPU support
# --enable-icap-client: ICAP client support
# --enable-kill-parent-hack: when shutting squid down, also shut down the parent process
# --enable-arp-acl: MAC-address based access control
# --enable-delay-pools: enables delay pools, so that bandwidth for specific requests can be limited
./configure --prefix=/usr/local/squid \
--enable-linux-tproxy \
--enable-linux-netfilter \
--enable-cpu-profiling \
--enable-icap-client \
--enable-kill-parent-hack \
--enable-arp-acl \
--enable-delay-pools
vi /usr/local/squid/etc/squid.conf
# note: clients reaching an interception (transparent) port send no Proxy-Authorization
# header, so the proxy_auth ACL below cannot be satisfied for them
http_port 8080 transparent
cache_mem 128 MB
cache_dir ufs /usr/local/squid/var/cache 100 16 256
cache_effective_user root
cache_effective_group root
dns_nameservers 222.172.200.68
cache_access_log /usr/local/squid/var/logs/access.log
cache_store_log /usr/local/squid/var/logs/store.log
cache_log /usr/local/squid/var/logs/cache.log
pid_filename /usr/local/squid/var/logs/squid.pid
visible_hostname tglm.3322.org
client_mask 255.255.255.255
cache_mgr [email protected]
error_directory /usr/local/squid/share/errors/Simplify_Chinese
auth_param basic program /usr/bin/ncsa_auth /usr/local/squid/etc/password
auth_param basic children 5
auth_param basic realm My Proxy Caching Domain
auth_param basic credentialsttl 2 hours
# requests without credentials that reach this allow line receive a 407 challenge
acl normal proxy_auth REQUIRED
# http_access rules are checked top to bottom and the first match wins: because this
# allow comes first, every authenticated client is admitted here and the deny rules for
# xz, tt and ww below are never reached; place them above this line if they should apply
http_access allow normal
acl cc arp 00:91:50:04:06:38
acl bb src 222.220.0.0/255.255.0.0
acl aa src 0.0.0.0/0
acl tt time MTWHF 08:00-20:00
acl xz urlpath_regex -i \.mp3$ \.avi$ \.wma$
acl ww dstdomain www.baidu.com www.qq.com
http_access deny xz
http_access deny !tt
http_access deny ww
http_access allow cc
http_access allow bb
Explanation of the directives:
error_directory //sets the error page directory
http_port 192.168.0.1:3128 //sets squid's proxy port (with an IP address given, squid will not listen on external network interfaces)
dns_nameservers //China Telecom public DNS
cache_mgr //administrator's e-mail address
visible_hostname //identifying host name
client_mask 255.255.255.255 //tells squid how to treat clients: the IP address of each request is handled as a separate address
httpd_accel_uses_host_header on //sets HTTP/1.1 protocol support
httpd_accel_host virtual
httpd_accel_with_proxy on //whether squid should also proxy the local web service
http_access allow all //allows all hosts to access the internet through the proxy
cache_mem 20 MB //specifies the RAM squid may use
maximum_object_size 4096 KB //maximum and minimum sizes of cached objects
minimum_object_size 0 KB
maximum_object_size_in_memory 30 KB
minimum_object_size_in_memory 0 KB
cache_dir ufs /usr/local/squid/var/cache 100 16 256 //disk cache directory: 100 MB of cache space, 16 directories, 256 subdirectories
cache_access_log /var/squid/access.log //client access log
cache_log /var/squid/cache.log //cache activity log
cache_store_log /var/squid/store.log //object store log (which pages were fetched)
cache_swap_low 85 //occupancy percentages for swapping (when the cache rises above or falls below these percentages, data is exchanged with the swap space)
cache_swap_high 90
httpd_accel_port 80 //port of the server being cached
acl mmxfile urlpath_regex -i \.mp3$ \.avi$ \.wma$ //(the -i flag ignores case, e.g. mp3=MP3)
http_access deny mmxfile
# /usr/local/squid/sbin/squid -NCd1 //test run in the foreground; ctrl+c to exit
# echo "/usr/local/squid/bin/RunCache & " >> /etc/rc.d/rc.local
# /usr/local/squid/sbin/squid -k reconfigure //load the new configuration file
# /usr/local/squid/sbin/squid -k rotate //rotate the logs
# /usr/local/squid/sbin/squid -k shutdown //stop squid
ICAP client configuration for squid:
icap_enable on
icap_preview_enable on
icap_preview_size 128
icap_send_client_ip on
icap_service service_avi_req reqmod_precache 0 icap://localhost:1344/srv_clamav
icap_service service_avi respmod_precache 1 icap://localhost:1344/srv_clamav
icap_class class_antivirus service_avi
icap_access class_antivirus allow all
icap_class class_antivirus_req service_avi_req
icap_access class_antivirus_req allow all
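As an added illustration (not code from the original article), the Python below builds the ICAP RESPMOD request that squid sends to icap://localhost:1344/srv_clamav under the settings above (128-byte preview, an Allow: 204 header so c-icap may answer "unmodified") and parses c-icap's reply. The HTTP headers and body fed to it are constructed sample data; scan_via_icap talks to a live c-icap and is optional.

```python
"""ICAP (RFC 3507) RESPMOD helpers mirroring the squid -> c-icap exchange this page
configures: 128-byte preview, service icap://localhost:1344/srv_clamav.
Added example with constructed sample data, not code from the original article."""
import socket

ICAP_URI = "icap://localhost:1344/srv_clamav"   # the page's icap_service URI
PREVIEW = 128                                    # the page's icap_preview_size


def build_respmod(req_hdr, res_hdr, body, preview=PREVIEW):
    """Encode a RESPMOD request handing the origin server's response to the scanner.
    req_hdr/res_hdr are raw HTTP header blocks ending in a blank line; Encapsulated lists
    each section's byte offset; the body goes as one chunked preview, closed by '0; ieof'
    when the preview already held the whole body (so no 100 Continue round trip)."""
    preview_data = body[:preview]
    chunk = b"%x\r\n%s\r\n" % (len(preview_data), preview_data) if preview_data else b""
    terminator = b"0; ieof\r\n\r\n" if len(body) <= preview else b"0\r\n\r\n"
    encapsulated = "req-hdr=0, res-hdr=%d, res-body=%d" % (len(req_hdr), len(req_hdr) + len(res_hdr))
    icap_hdr = ("RESPMOD %s ICAP/1.0\r\nHost: localhost\r\nConnection: close\r\n"
                "Allow: 204\r\n"                 # we accept 'unmodified' (204) answers
                "Preview: %d\r\nEncapsulated: %s\r\n\r\n"
                % (ICAP_URI, len(preview_data), encapsulated)).encode()
    return icap_hdr + req_hdr + res_hdr + chunk + terminator

def remaining_chunks(body, preview=PREVIEW):
    """Chunked encoding of the bytes after the preview, sent only after '100 Continue'."""
    rest = body[preview:]
    return (b"%x\r\n%s\r\n" % (len(rest), rest) if rest else b"") + b"0\r\n\r\n"

def parse_icap_response(raw):
    """Split an ICAP response into (status, header dict, encapsulated remainder)."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {k.strip().lower(): v.strip() for k, v in (l.split(":", 1) for l in lines[1:])}
    return status, headers, rest

def verdict(status):
    """What the proxy does with the origin response for each ICAP status code."""
    return {100: "continue: send the rest of the body",
            200: "modified: deliver c-icap's encapsulated response (block page) instead",
            204: "clean: pass the original response through unmodified",
            }.get(status, "error: fail the request rather than fail open")

def scan_via_icap(msg, host="localhost", port=1344):
    """Send one RESPMOD to a live c-icap and parse the reply (needs network; not run offline)."""
    with socket.create_connection((host, port), timeout=10) as s:
        s.sendall(msg)
        raw = b"".join(iter(lambda: s.recv(65536), b""))  # Connection: close -> read to EOF
    return parse_icap_response(raw)
```

With c-icap's srv_clamav, a 204 means the object was either clean or not among the configured ScanFileTypes, while a 200 carries the replacement (blocking) HTTP response that the proxy must hand to the client instead of the original.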
2. Install the antivirus software clamav
Official download: http://www.clamav.net
Add the user and group that clamav needs:
groupadd clamav
useradd -g clamav -s/bin/false -d/dev/null clamav
Unpack and install:
tar zxvf clamav-0.88.4.tar.gz
cd clamav-0.88.4
./configure --prefix=/usr/local/clamav --with-dbdir=/usr/clamav
make
make check
make install
Edit the configuration files:
vi /usr/etc/clamd.conf
LogSyslog
LogVerbose
LogFacility LOG_MAIL
LogFile /var/log/clamav/clamd.log
PidFile /var/run/clamd.pid
DatabaseDirectory /usr/clamav
LocalSocket /var/run/clamav/clamd
StreamMaxLength 10M
User clamav
ScanMail
ScanArchive
ScanRAR
Note: be sure to comment out the Example line in both of these configuration files.
Edit the virus-signature update configuration file:
vi /usr/etc/freshclam.conf
DatabaseDirectory /usr/clamav
UpdateLogFile /var/log/clamav/freshclam.log
LogSyslog
LogVerbose
DatabaseOwner clamav
Checks 12
DatabaseMirror db.CN.clamav.net
DatabaseMirror database.clamav.net
NotifyClamd
mkdir /var/log/clamav
chown clamav.clamav /var/log/clamav/
3. Install c_icap
http://c-icap.sourceforge.net/
./configure --enable-static --prefix=/usr/local/c-icap/ \
--with-clamav
make
make install
Start in debug mode for testing: /usr/local/c-icap/bin/c-icap -N -D -d 10
#
# This file contains the default settings for c-icap
#
PidFile /var/run/c-icap.pid
CommandsSocket /var/run/c-icap/c-icap.ctl
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
## set KeepAliveTimeout to -1 for no timeout
KeepAliveTimeout 600
StartServers 3
MaxServers 10
MinSpareThreads 10
MaxSpareThreads 20
ThreadsPerChild 10
MaxRequestsPerChild 0
Port 1344
User root
Group root
#ServerAdmin [email protected] # Not implemented yet
#ServerName localhost:1344 # Not implemented yet
TmpDir /var/tmp
MaxMemObject 131072
ServerLog /usr/local/c-icap/var/log/server.log
AccessLog /usr/local/c-icap/var/log/access.log
#DebugLevel 3
ModulesDir /usr/local/c-icap/lib/c_icap
Module logger sys_logger.so
#Module perl_handler perl_handler.so    # leave this line commented out, otherwise c-icap reports an error
sys_logger.Prefix "C-ICAP:"
sys_logger.Facility local1
##Specify which logger to use......
#Logger sys_logger
Logger file_logger
## AclControllers example. The default_acl is the built-in acl controller
## To load an external access controller named my_acl.so use:
#Module access_controller my_acl.so
## This parameter is needed to specify the order of the acl controllers used
## If not specified, access control will be disabled
#AclControllers default_acl
## An example of acl lists for default_acl controller.
## acl and icap_access are aliases for default_acl.acl and default_acl.icap_access
#acl localnet_options src 192.168.1.0/255.255.255.0 type options
#acl localnet_respmod src 192.168.1.0/255.255.255.0 type respmod
acl localnet_respmod src 127.0.0.1
#acl localnet src 192.168.1.0/255.255.255.0
acl localnet src 127.0.0.1
##Use the following to demand use of a username ......
##acl localnet src 192.168.1.0/255.255.255.0 user *
acl externalnet src 0.0.0.0/0.0.0.0
#acl barbarian src 192.168.1.5
##An example to specify access to server
#icap_access deny barbarian
#icap_access allow localnet_options
icap_access allow localnet_respmod
icap_access allow localnet
## http_auth mean that the icap server must try to authenticate the request
## using the http headers ....
#icap_access http_auth localnet
icap_access deny externalnet
#You can also specify which hosts to log or not.
# Uncomment the following two lines to log only the external net
#icap_access nolog localnet
#icap_access log externalnet
##An example of authentication methods ....
## To load an external authentication method module named my_authmethod.so use:
#Module auth_method my_authmethod.so
##The following parameter is needed to specify the order of authenticators for
##a specific authentication method. file_basic is a built-in authenticator
##for the built-in basic authentication method (Not implemented yet......) ......
#AuthMethod basic file_basic
ServicesDir /usr/local/c-icap/lib/c_icap
Service echo_module srv_echo.so
Service url_check_module srv_url_check.so
Service antivirus_module srv_clamav.so
##Adding the alias avscan for srv_clamav service.
ServiceAlias avscan srv_clamav?allow204=on&sizelimit=off&mode=simple
# Antivirus module settings
# For allowed file types or groups of file types look at c-icap.magic
srv_clamav.ScanFileTypes TEXT DATA EXECUTABLE ARCHIVE GIF JPEG MSOFFICE
#The percentage of data to send if the downloaded file exceeds the StartSendPercentDataAfter size
srv_clamav.SendPercentData 5
srv_clamav.StartSendPercentDataAfter 2M
##Uncomment the following line to enable 204 responses outside previews for srv_clamav
## if your icap client supports it. For squid leave it off
#srv_clamav.Allow204Responces on
# The Maximum object to be scanned.
srv_clamav.MaxObjectSize 5M
#The directory which clamav library will use as temporary.
#srv_clamav.ClamAvTmpDir /var/tmp
#Sets the maximum number of files in an archive. Set it to 0 to disable it
srv_clamav.ClamAvMaxFilesInArchive 0
#Sets the maximal archived file size. Set it to 0 to disable it.
srv_clamav.ClamAvMaxFileSizeInArchive 100M
#The maximal recursion level. Set it to 0 to disable it.
srv_clamav.ClamAvMaxRecLevel 5
# And here the viralator-like mode.
# where to save documents
#srv_clamav.VirSaveDir /srv/www/htdocs/downloads/
# from where the documents can be retrieved (you can find the get_file.pl script in contrib dir)
#srv_clamav.VirHTTPServer "http://fortune/cgi-bin/get_file.pl?usename=%f&remove=1&file="
# The refresh rate....
#srv_clamav.VirUpdateTime 15
# For which filetypes the "virelator like mode" will be used.
#srv_clamav.VirScanFileTypes ARCHIVE EXECUTABLE
httpd.conf configuration:
AllowOverride all
Options all
Order allow,deny
Allow from all
SetHandler cgi-script
Options +ExecCGI
#AllowOverride All