Squid Web Cache Wiki

Squid Web Cache Documentation

🔗 Using eCAP for ClamAV antivirus checking with Squid

By Yuri Voinov

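Antivirus checking through eCAP can be more efficient than through, for example, C-ICAP. You avoid the intermediate services (C-ICAP and clamd itself; the module uses libclamav), so antivirus checks run faster. Overall, this reduces the total latency and memory consumption of the Squid installation.

🔗 Building the eCAP ClamAV adapter

First, download the eCAP ClamAV adapter.

Then compile and install the adapter: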

    ## 32 bit GCC
    ./configure 'CXXFLAGS=-O3 -m32 -pipe' 'CFLAGS=-O3 -m32 -pipe' 'LDFLAGS=-L/usr/local/lib' PKG_CONFIG_PATH=/usr/local/lib/pkgconfig:/usr/local/clamav/lib/pkgconfig 'CPPFLAGS=-I/usr/local/clamav/include -I/usr/include' 'LDFLAGS=-L/usr/local/lib -L/usr/local/clamav/lib'
    ## 64 bit GCC
    ./configure 'CXXFLAGS=-O3 -m64 -pipe' 'CFLAGS=-O3 -m64 -pipe' 'LDFLAGS=-L/usr/local/lib' PKG_CONFIG_PATH=/usr/local/lib/pkgconfig:/usr/local/clamav/lib/pkgconfig 'CPPFLAGS=-I/usr/local/clamav/include -I/usr/include' 'LDFLAGS=-L/usr/local/lib -L/usr/local/clamav/lib/amd64'
    gmake
    gmake install-strip

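ℹ️ Note: To use the adapter with a 64-bit Squid, you also need to build ClamAV and libecap as 64-bit. Also, use an adapter version that matches your Squid version and the libecap version in use, to ensure interoperability.

ℹ️ Note: On some platforms (for example Solaris) you may need to add #include <unistd.h> to src/Gadgets.h to avoid a compilation error caused by the missing unlink subroutine.

🔗 Squid configuration file

Paste the configuration like this: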

    ecap_enable on

    # Bypass scan mime-types
    acl bypass_scan_types_req req_mime_type -i ^text/
    acl bypass_scan_types_req req_mime_type -i ^application/x-javascript
    acl bypass_scan_types_req req_mime_type -i ^application/x-shockwave-flash
    acl bypass_scan_types_req req_mime_type -i ^image/
    acl bypass_scan_types_req req_mime_type -i ^video
    acl bypass_scan_types_req req_mime_type -i ^audio
    acl bypass_scan_types_req req_mime_type -i ^.*application\/x-mms-framed.*$

    acl bypass_scan_types_rep rep_mime_type -i ^text/
    acl bypass_scan_types_rep rep_mime_type -i ^application/x-javascript
    acl bypass_scan_types_rep rep_mime_type -i ^application/x-shockwave-flash
    acl bypass_scan_types_rep rep_mime_type -i ^image/
    acl bypass_scan_types_rep rep_mime_type -i ^video
    acl bypass_scan_types_rep rep_mime_type -i ^audio
    acl bypass_scan_types_rep rep_mime_type -i ^.*application\/x-mms-framed.*$

    loadable_modules /usr/local/lib/ecap_clamav_adapter.so
    ecap_service clamav_service_req reqmod_precache uri=ecap://e-cap.org/ecap/services/clamav?mode=REQMOD bypass=off
    ecap_service clamav_service_resp respmod_precache uri=ecap://e-cap.org/ecap/services/clamav?mode=RESPMOD bypass=on
    adaptation_access clamav_service_req allow !bypass_scan_types_req all
    adaptation_access clamav_service_resp allow !bypass_scan_types_rep all

❌ Note: In some setups you may need to create a symbolic link in $prefix/clamav/share to the DatabaseDirectory path specified in clamd.conf. For example:

    ln -s /var/lib/clamav /usr/local/clamav/share/clamav

This is needed because the database path is semi-hardcoded in libclamav. Without the link, the adaptation module will crash Squid itself in current releases.
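
An added example, not part of the original wiki page: a small Python check that models the `bypass_scan_types_rep` ACLs above and reports which declared Content-Type values reach the ClamAV service and which skip it. It assumes Python's `re` matches these simple patterns the same way Squid's regex engine does; the helper names and the sample values are constructed for illustration.

```python
import re

# ACL lines copied from the configuration on this page (response side).
SQUID_CONF = r"""
acl bypass_scan_types_rep rep_mime_type -i ^text/
acl bypass_scan_types_rep rep_mime_type -i ^application/x-javascript
acl bypass_scan_types_rep rep_mime_type -i ^application/x-shockwave-flash
acl bypass_scan_types_rep rep_mime_type -i ^image/
acl bypass_scan_types_rep rep_mime_type -i ^video
acl bypass_scan_types_rep rep_mime_type -i ^audio
acl bypass_scan_types_rep rep_mime_type -i ^.*application\/x-mms-framed.*$
"""

def load_mime_acls(conf_text):
    """Return {acl_name: [compiled regex, ...]} for req/rep_mime_type ACLs."""
    acls = {}
    for line in conf_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "acl":
            continue
        name, acl_type, args = fields[1], fields[2], fields[3:]
        if acl_type not in ("req_mime_type", "rep_mime_type"):
            continue
        flags = 0
        if args[0] == "-i":  # case-insensitive match, as in Squid
            flags, args = re.IGNORECASE, args[1:]
        for pattern in args:
            acls.setdefault(name, []).append(re.compile(pattern, flags))
    return acls

def is_scanned(acls, bypass_acl, content_type):
    """Model 'adaptation_access SERVICE allow !bypass_acl all'."""
    return not any(rx.search(content_type) for rx in acls[bypass_acl])

def audit(acls, bypass_acl, content_types):
    """Map each declared Content-Type to 'scan' or 'bypass'."""
    return {ct: "scan" if is_scanned(acls, bypass_acl, ct) else "bypass"
            for ct in content_types}

# Constructed sample Content-Type values, not taken from real traffic.
SAMPLES = ["application/octet-stream", "application/zip", "text/html",
           "IMAGE/png", "videoxyz", "application/javascript"]

if __name__ == "__main__":
    verdicts = audit(load_mime_acls(SQUID_CONF), "bypass_scan_types_rep", SAMPLES)
    for ct, verdict in verdicts.items():
        print(f"{verdict:6}  {ct}")
```

Because `^video` and `^audio` have no trailing slash, they match any type that merely starts with those words, and `application/javascript` is still scanned since only `application/x-javascript` is listed.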

🔗 All services coexisting in one setup

All services can coexist in a single Squid instance:

    ecap_enable on

    # Bypass scan mime-types
    acl bypass_scan_types_req req_mime_type -i ^text/
    acl bypass_scan_types_req req_mime_type -i ^application/x-javascript
    acl bypass_scan_types_req req_mime_type -i ^application/x-shockwave-flash
    acl bypass_scan_types_req req_mime_type -i ^image/
    acl bypass_scan_types_req req_mime_type -i ^video
    acl bypass_scan_types_req req_mime_type -i ^audio
    acl bypass_scan_types_req req_mime_type -i ^.*application\/x-mms-framed.*$

    acl bypass_scan_types_rep rep_mime_type -i ^text/
    acl bypass_scan_types_rep rep_mime_type -i ^application/x-javascript
    acl bypass_scan_types_rep rep_mime_type -i ^application/x-shockwave-flash
    acl bypass_scan_types_rep rep_mime_type -i ^image/
    acl bypass_scan_types_rep rep_mime_type -i ^video
    acl bypass_scan_types_rep rep_mime_type -i ^audio
    acl bypass_scan_types_rep rep_mime_type -i ^.*application\/x-mms-framed.*$

    loadable_modules /usr/local/lib/ecap_clamav_adapter.so
    ecap_service clamav_service_req reqmod_precache uri=ecap://e-cap.org/ecap/services/clamav?mode=REQMOD bypass=off
    ecap_service clamav_service_resp respmod_precache uri=ecap://e-cap.org/ecap/services/clamav?mode=RESPMOD bypass=on
    adaptation_access clamav_service_req allow !bypass_scan_types_req all
    adaptation_access clamav_service_resp allow !bypass_scan_types_rep all

    acl gzipmimes rep_mime_type -i "/usr/local/squid/etc/acl.gzipmimes"
    loadable_modules /usr/local/lib/ecap_adapter_gzip.so
    ecap_service gzip_service respmod_precache ecap://www.thecacheworks.com/ecap_gzip_deflate bypass=off
    adaptation_access gzip_service allow gzipmimes

    loadable_modules /usr/local/lib/ecap_adapter_exif.so
    ecap_service exif_req reqmod_precache bypass=off ecap://www.thecacheworks.com/exif-filter
    adaptation_service_set reqFilter exif_req
    adaptation_access reqFilter allow all

❌ Note: order matters! The eCAP ClamAV adapter should come before the TCW adapters!


⚠️ Disclaimer: Any example presented here is provided "as-is" with no support
or guarantee of suitability. If you have any further questions about
these examples please email the squid-users mailing list.

Category: ConfigExample