C-icap Service configuration

Support
,
1

Hi,

I try to get squid proxy running in combination with clamav on a complete fresh NS installation.

Within cache.log I get following message:

/var/log/squid/cache.log:2020/08/07 13:57:01 kid1| WARNING: Squid got an invalid ICAP OPTIONS response from service icap://127.0.0.1:1344/squidclamav; error: unsupported status code of OPTIONS response

Could it be that there is a “Service squidclamav” line missing within /etc/c-icap/c-icap.conf as I can find it for “Service echo”?
Or is that squidclamav Service available via another internal function?

Thanks for your feedback

Daniel

2

Hi Daniel,

welcome to NethServer Community.

Please check the service status

systemctl status clamd@squidclamav -l

or for running clamav instances:

ps aux | grep clam

Maybe related:

3

Hi Markus,

it’s still not working after updating the mentioned packages (against testing-repos).

The clam service is running:

[root@nethserver ufdbguard]# systemctl status clamd@squidclamav -l
● clamd@squidclamav.service - clamd scanner (squidclamav) daemon
Loaded: loaded (/usr/lib/systemd/system/clamd@.service; enabled; vendor preset: disabled)
Drop-In: /etc/systemd/system/clamd@squidclamav.service.d
└─c-icap.conf
/etc/systemd/system/clamd@.service.d
└─reload.conf, timeout.conf
Active: active (running) since Wed 2020-08-19 15:03:31 CEST; 16min ago
Docs: man:clamd(8)
man:clamd.conf(5)
Introduction - ClamAV Documentation
Main PID: 6824 (clamd)
CGroup: /system.slice/system-clamd.slice/clamd@squidclamav.service
└─6824 /usr/sbin/clamd -c /etc/clamd.d/squidclamav.conf

Aug 19 15:03:29 nethserver clamd[6824]: SWF support enabled.
Aug 19 15:03:29 nethserver clamd[6824]: HTML support enabled.
Aug 19 15:03:29 nethserver clamd[6824]: XMLDOCS support enabled.
Aug 19 15:03:29 nethserver clamd[6824]: HWP3 support enabled.
Aug 19 15:03:29 nethserver clamd[6824]: Self checking every 600 seconds.
Aug 19 15:03:31 nethserver systemd[1]: Started clamd scanner (squidclamav) daemon.
Aug 19 15:04:12 nethserver clamd[6824]: instream(local): Eicar-Test-Signature.UNOFFICIAL FOUND
Aug 19 15:05:16 nethserver clamd[6824]: instream(local): Eicar-Test-Signature.UNOFFICIAL FOUND
Aug 19 15:07:52 nethserver clamd[6824]: instream(local): Eicar-Test-Signature.UNOFFICIAL FOUND
Aug 19 15:13:41 nethserver clamd[6824]: SelfCheck: Database status OK.
[root@nethserver ufdbguard]#

But Virus check is just working after adding the following line to /etc/c-icap/c-icap.conf:

Service squidclamav squidclamav.so

4

I think I could reproduce the issue. With (auto)removal of nethserver-squidguard and ufdbguard, nethserver-squidclamav is removed too.
Please check if nethserver-squidclamav is installed:

yum install nethserver-squidclamav

5

Hi,

the nethserver-squidclamav package is still installed - maybe the wrong versions anywhere?

[root@nethserver ~]# rpm -qa | egrep -i “nethserver|ufdb” | sort
nethserver-antivirus-1.5.1-1.ns7.noarch
nethserver-backup-config-2.5.0-1.ns7.noarch
nethserver-backup-data-1.7.2-1.ns7.noarch
nethserver-base-3.7.7-1.ns7.noarch
nethserver-c-icap-1.1.0-1.ns7.noarch
nethserver-cockpit-1.7.7-1.ns7.noarch
nethserver-cockpit-lib-1.7.7-1.ns7.noarch
nethserver-collectd-3.1.0-1.ns7.noarch
nethserver-diagtools-1.0.3-1.ns7.noarch
nethserver-dnsmasq-1.7.2-1.ns7.noarch
nethserver-duc-1.7.0-1.ns7.noarch
nethserver-firewall-base-3.10.1-1.ns7.noarch
nethserver-hosts-1.2.2-1.ns7.noarch
nethserver-httpd-3.11.1-1.ns7.noarch
nethserver-httpd-admin-2.5.1-1.ns7.noarch
nethserver-lang-cockpit-1.4.4-8.ns7.noarch
nethserver-lang-en-1.4.4-8.ns7.noarch
nethserver-letsencrypt-1.1.6-1.ns7.noarch
nethserver-lib-2.2.11-1.ns7.noarch
nethserver-lightsquid-1.1.2-1.ns7.noarch
nethserver-lsm-1.2.3-1.ns7.noarch
nethserver-mail-smarthost-2.17.1-1.ns7.noarch
nethserver-netdata-1.1.0-1.ns7.noarch
nethserver-nethforge-release-7-3.ns7.noarch
nethserver-ntp-1.1.3-1.ns7.noarch
nethserver-openssh-1.6.0-1.ns7.noarch
nethserver-phonehome-1.4.0-1.ns7.noarch
nethserver-php-1.2.1-1.ns7.noarch
nethserver-release-7-17.ns7.noarch
nethserver-smartd-1.1.0-1.ns7.noarch
nethserver-squid-1.10.10-1.ns7.noarch
nethserver-squidclamav-3.1.0-1.ns7.noarch
nethserver-squidguard-1.9.2-1.7.g186a20a.ns7.noarch
nethserver-sssd-1.7.0-1.ns7.noarch
nethserver-subscription-3.6.2-1.ns7.noarch
nethserver-subscription-inventory-3.6.1-1.ns7.x86_64
nethserver-subscription-ui-3.6.2-1.ns7.noarch
nethserver-yum-1.4.1-1.ns7.noarch
ufdbGuard-1.34.6-2.el7.x86_64
[root@nethserver ~]#

6

Please check if squidclamav is enabled:

[root@server ~]# config show squidclamav
squidclamav=configuration
    status=enabled

Restart relevant services and rewrite config files:

signal-event nethserver-antivirus-update
signal-event nethserver-squidguard-update

Now the “Service squidclamav squidclamav.so” line should be the last line in /etc/c-icap/c-icap.conf.

If that’s not the case, expand the template manually and restart the services:

expand-template /etc/c-icap/c-icap.conf

7

Squidclamav is enabled.

But I had to modify /etc/e-smith/templates/etc/c-icap/c-icap.conf/10base to get this line activated.
Is this something which needs to be modified within the following RPM?

[root@nethserver ~]# rpm -qf /etc/e-smith/templates/etc/c-icap/c-icap.conf/10base
nethserver-c-icap-1.1.0-1.ns7.noarch
[root@nethserver ~]#

8

There should be a template fragment /etc/e-smith/templates/etc/c-icap/c-icap.conf/90squidclamav writing the line to /etc/c-icap/c-icap.conf when squidclamav is enabled. There’s no need to modify a fragment to add the line manually.

[root@server ~]# rpm -qf /etc/e-smith/templates/etc/c-icap/c-icap.conf/90squidclamav
nethserver-squidclamav-3.1.0-1.ns7.noarch
[root@server ~]# cat /etc/e-smith/templates/etc/c-icap/c-icap.conf/90squidclamav
{
    my $status = $squidclamav{'status'} || 'disabled';
    if ($status eq 'enabled') {
        $OUT.="Service squidclamav squidclamav.so\n";
    }
}
9

After another fresh NS installation and the mentioned signal-event commands I’ve seen that this 90squidclamav File was create

Now it works like sharm

Thanks for your fast feedback

2 Likes