Re: [squid-users] squid + sslbump + [c-icap] + [squidclamav/havp] + clamav [SOLVED]

2011-02-11 Thread Alessandro Baggi

On 10/02/2011 21:10, Alessandro Baggi wrote:

On 10/02/2011 20:02, Marcus Kool wrote:

can only decrypt SSL connections.
sslbump cannot decrypt all other types of traffic that use the
HTTPS port and CONNECT method.
So, for example, it cannot decrypt Skype traffic and files
containing a virus can still enter the network. 
Thanks for the reply, but I want to try to scan for viruses on web https;
I don't want programs that use port 443 for other purposes, only for web.
Sorry again, on http://wiki.squid-cache.org/Features/SslBump I
get:
Squid-in-the-middle decryption and encryption of straight *CONNECT* 
and transparently redirected SSL traffic, using configurable client- 
and server-side certificates. While decrypted, the traffic can be 
inspected using ICAP.


At this point, what's the meaning of "While decrypted, the traffic can 
be inspected using ICAP"?


On the squidclamav site we can find:

Release v5.4 is out, here are the change:

...

- Add support for scanning SSL encrypted traffic with the new Squid
  feature sslBump. Thank to Jean DERAM for the patch.
...


Thanks in advance


Hi list. The problem was solved, I had a misconfiguration with permissions.
Now https traffic is scanned.


Thanks to all.


[squid-users] squid + sslbump + [c-icap] + [squidclamav/havp] + clamav

2011-02-10 Thread Alessandro Baggi
Hi list. For many years I've used squid-2.7-STABLE7 for proxying,
content filtering and virus scanning, but it was not able to scan https
traffic for viruses. Now, compiling a package for my system, I've seen
that in the 3.1.x version there is the ssl-bump option to get https traffic
treated as http traffic.


In my squid.conf I have:

...
..
ssl_bump allow localnet
always_direct allow all

http_port 172.16.2.8:3128 ssl-bump cert:/etc/squid/cert/cert.crt key=/etc/squid/cert/key.key



My first question is: how can I see if ssl-bump works? In access.log I
always get CONNECT/DIRECT for HTTPS connections. Is this normal, or does my
ssl-bump config not work?


Then, my squidclamav version is 6.x and uses c-icap, and I've configured
squid for icap as:


icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_encode off
icap_client_username_header X-Authenticated-User
icap_preview_enable on
icap_preview_size 1024
icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
adaptation_access service_req allow all
icap_service service_resp respmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
adaptation_access service_resp allow all

For http connections all works fine, and with https connections
there is always CONNECT/DIRECT.

On http://wiki.squid-cache.org/Features/SslBump I get:

Squid-in-the-middle decryption and encryption of straight *CONNECT* and 
transparently redirected SSL traffic, using configurable client- and 
server-side certificates. While decrypted, the traffic can be inspected 
using ICAP.


Then, at this point, ssl-bump must permit squidclamav to see files
(decrypted) over https?


If yes, there is a misconfiguration of mine; can you point me in the right
direction? (If you need my squid.conf I can post it)


Thanks in advance.
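
One way to check from access.log whether ssl-bump is decrypting anything, as an added example that is not part of the original post. It assumes Squid's default native log format and that bumped requests are logged with their full https:// URL after the CONNECT line; the sample lines and the function name are constructed for illustration.

```python
# Added example: classify HTTPS hosts in a Squid native-format access.log as
# "bumped" (decrypted requests visible) or "tunnel-only" (only CONNECT seen).
from urllib.parse import urlsplit

# Constructed sample lines (not taken from the thread).
SAMPLE_LOG = """\
1297360200.101    250 172.16.2.10 TCP_MISS/200 3912 CONNECT www.example.com:443 - DIRECT/192.0.2.10 -
1297360200.350    120 172.16.2.10 TCP_MISS/200 10240 GET https://www.example.com/index.html - DIRECT/192.0.2.10 text/html
1297360201.004    900 172.16.2.11 TCP_MISS/200 58211 CONNECT im.example.net:443 - DIRECT/192.0.2.20 -
1297360202.500     80 172.16.2.10 TCP_MISS/200 512 GET http://plain.example.org/ - DIRECT/192.0.2.30 text/html
garbage line
"""


def classify_https_hosts(log_text):
    """Return {host: 'bumped' | 'tunnel-only'} for port-443 traffic."""
    seen = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # skip truncated or malformed lines
        # Native format: time elapsed client action/code size method URL ...
        method, url = fields[5], fields[6]
        if method == "CONNECT":
            host, _, port = url.rpartition(":")
            host = host.strip("[]").lower()  # tolerate bracketed IPv6 literals
            if port == "443" and host:
                # Only the tunnel is visible so far; keep 'bumped' if already set.
                seen.setdefault(host, "tunnel-only")
        elif url.lower().startswith("https://"):
            # A full https:// URL means Squid saw the decrypted request.
            host = urlsplit(url).hostname
            if host:
                seen[host] = "bumped"
    return seen


if __name__ == "__main__":
    for host, state in sorted(classify_https_hosts(SAMPLE_LOG).items()):
        print(f"{host}: {state}")
```

Hosts that stay "tunnel-only" were never visible to the ICAP service, so nothing fetched from them was scanned.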


[squid-users] squid redirector.

2010-02-18 Thread Alessandro Baggi
Hi there. I'm using OpenBSD 4.6 with squid, squidclamav and squidGuard
and I have a problem with squidGuard. After several hours of work,
squidGuard processes become zombies. So, to avoid this problem, I'm
trying to create my own redirector. It is a simple redirector: it reads from
stdin, checks that the url is not blacklisted and then writes to stdout
(a few lines of code). Then, when I concatenate squidclamav with my
redirector, all works fine but squidclamav does not perform any scan on
files (tested with eicar.com). Squid + squidclamav works, and also squid +
my redirector.
Another issue is: I've tried to get the same behaviour with a multiple
redirector with "wrapzap", and they work fine: my redirector redirects
blacklisted urls, and squidclamav performs a scan.


Can anyone help me with this strange behaviour, please?

Maybe the problem is the request's form? My redirector gets a request
from squid in this form:


http://www.google.it/ 192.168.1.3/- - GET - myip=192.168.1.2 myport=3128

and then I write this request on stdout. If I try to write this request
without myip and myport it does not perform any request. Is this normal
behaviour?



Thanks in advance