On 07/14/2011 07:57 PM, James Ralston wrote:
> On 2011-07-11 at 13:40-04 Christopher X Candreva <ch...@westnet.com> wrote:
> 
>> I have one machine run freshclam, and use rsync to update all my
>> other servers with the databases.  The clamav user has to have ssl
>> keys set up so it can ssh to the other servers without a password.
>> Then, freshclam.conf has this: ...
> 
> Yeah, we've considered setting up something similar.  It wouldn't be
> that difficult.
> 
> But the thing is, freshclam already has 99% of the code to do this.
> All it needs is a "keep the CDIFF files around" option (to enable on
> the master) and a "try to grab the CLD file if the CVD file isn't
> available" option (to enable on the clients).  That's it.

I think downloading the CLD file is sufficient.
On a LAN it'll probably be faster than downloading & applying all the individual 
updates.

I think you might be able to configure freshclam to download CLDs with 
DatabaseCustomURL.
Something like this (untested):
DatabaseMirror <internal-server-with-some-older-version-of-cvds>
DatabaseCustomURL http://<your-internal-webserver>/main.cld
DatabaseCustomURL http://<your-internal-webserver>/main.cvd
DatabaseCustomURL http://<your-internal-webserver>/daily.cld
DatabaseCustomURL http://<your-internal-webserver>/daily.cvd
DatabaseCustomURL http://<your-internal-webserver>/bytecode.cld
DatabaseCustomURL http://<your-internal-webserver>/bytecode.cvd
DatabaseCustomURL http://<your-internal-webserver>/safebrowsing.cld
DatabaseCustomURL http://<your-internal-webserver>/safebrowsing.cvd

The CLD files are digitally signed too, so you get almost the same integrity 
checks as with the CVD already.

> 
> It just seems silly to (essentially) write another version of
> freshclam when the current version just needs two new options to do
> what is necessary.
> 
> On 2011-07-11 14:57:31 -0400 Nathan Gibbs <nat...@cmpublishers.com> wrote:
> 
>> We use the mirrored system, and it works fairly well.  One freshclam
>> pulling cvd's from outside, several freshclams pulling from the
>> local mirror.  The only issue we have is the mirror getting behind
>> every once in a while, not much of a big deal.
> 
> Alas, our mirror gets behind much more frequently.  I don't know if we
> keep landing on overloaded mirrors or what, but it's an issue for us.
> 
> On 2011-07-13 00:01:26 +0200 Luca Gibelli <l...@clamav.net> wrote:
> 
>>> We are in a situation where we have multiple hosts that need to
>>> run ClamAV, but those hosts are highly restricted in what outbound
>>> Internet access they have.  Thus, we need to run a local ClamAV
>>> mirror.
>>
>> You can install a http proxy server and restrict access to cvd+cdiff
>> files on db.*.clamav.net.
> 
> I appreciate the suggestion, but to clarify: we are prohibited by
> policy from allowing any outbound web access for these hosts, proxied
> or not.  (The policy is dictated from on high, and will not change.)
> We *MUST* use a local private mirror, period.
> 
> It would seem that we aren't the only ones who are contemplating
> hacking together our own "distribution from a local mirror" mechanism,
> because freshclam's solution just isn't adequate/efficient.
> 
> If I were to provide a patch that adds the two options I discussed
> above to freshclam, would you at least consider accepting it into
> trunk?
> 
> We need this functionality.  But if you won't accept a patch to add
> it, then we will have to throw away freshclam and design our own
> solution, because I don't want to be put in the situation where I have
> to maintain my own local patches and update them after every release.

Please open an enhancement request on bugzilla.

Thanks,
--Edwin
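The "mirror getting behind" problem mentioned in the thread can be checked from the database files themselves. The script below is an added example, not from the thread or from ClamAV: it reads the version field from the 512-byte colon-separated header that both CVD and CLD files start with (ClamAV-VDB:build date:version:signatures:flevel:md5:dsig:builder:stime) and compares the databases on a mirror against a reference copy. It assumes POSIX sh with head, cut and tr, and that the two directory paths are passed as arguments.

```shell
#!/bin/sh
# Added example (hypothetical helper, not ClamAV's own tooling):
# detect a lagging local mirror by comparing CVD/CLD header versions.

db_version() {
    # Print the version number from a .cvd/.cld header, or 0 if the file
    # is missing, unreadable, or does not carry a ClamAV-VDB header.
    f=$1
    [ -r "$f" ] || { echo 0; return; }
    hdr=$(head -c 512 "$f" | tr -d '\0')
    case $hdr in
        ClamAV-VDB:*) echo "$hdr" | cut -d: -f3 ;;
        *) echo 0 ;;
    esac
}

newest_version() {
    # freshclam keeps either NAME.cld or NAME.cvd; report whichever is newer.
    dir=$1; name=$2
    v1=$(db_version "$dir/$name.cld")
    v2=$(db_version "$dir/$name.cvd")
    if [ "$v1" -gt "$v2" ]; then echo "$v1"; else echo "$v2"; fi
}

check_mirror() {
    # Compare MIRROR_DIR against REF_DIR for each database; print one line
    # per database and return 1 if any mirror database is behind.
    mirror=$1; ref=$2; rc=0
    for name in main daily bytecode; do
        mv=$(newest_version "$mirror" "$name")
        rv=$(newest_version "$ref" "$name")
        if [ "$mv" -lt "$rv" ]; then
            echo "$name: mirror version $mv is BEHIND reference $rv"; rc=1
        else
            echo "$name: mirror version $mv ok (reference $rv)"
        fi
    done
    return $rc
}

# Usage: mirrorcheck.sh /path/to/mirror/db /path/to/reference/db
if [ $# -eq 2 ]; then
    check_mirror "$1" "$2"
fi
```

The reference directory can be the freshclam host that pulls from the public mirrors; a non-zero exit from the check is a cheap signal to hook into monitoring.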
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
