C-icap Service configuration

Hi,

I try to get squid proxy running in combination with clamav on a complete fresh NS installation.

Within cache.log I get following message:

/var/log/squid/cache.log:2020/08/07 13:57:01 kid1| WARNING: Squid got an invalid ICAP OPTIONS response from service icap://127.0.0.1:1344/squidclamav; error: unsupported status code of OPTIONS response

Could it be that there is a “Service squidclamav” line missing within /etc/c-icap/c-icap.conf as I can find it for “Service echo”?
Or is that squidclamav Service available via another internal function?

Thanks for your feedback

Daniel

Hi Daniel,

welcome to NethServer Community.

Please check the service status

systemctl status clamd@squidclamav -l

or for running clamav instances:

ps aux | grep clam

Maybe related:

Hi Markus,

it’s still not working after updating the mentioned packages (against testing-repos).

The clam service is running:

[root@nethserver ufdbguard]# systemctl status clamd@squidclamav -l
● clamd@squidclamav.service - clamd scanner (squidclamav) daemon
Loaded: loaded (/usr/lib/systemd/system/clamd@.service; enabled; vendor preset: disabled)
Drop-In: /etc/systemd/system/clamd@squidclamav.service.d
└─c-icap.conf
/etc/systemd/system/clamd@.service.d
└─reload.conf, timeout.conf
Active: active (running) since Wed 2020-08-19 15:03:31 CEST; 16min ago
Docs: man:clamd(8)
man:clamd.conf(5)
Introduction - ClamAV Documentation
Main PID: 6824 (clamd)
CGroup: /system.slice/system-clamd.slice/clamd@squidclamav.service
└─6824 /usr/sbin/clamd -c /etc/clamd.d/squidclamav.conf

Aug 19 15:03:29 nethserver clamd[6824]: SWF support enabled.
Aug 19 15:03:29 nethserver clamd[6824]: HTML support enabled.
Aug 19 15:03:29 nethserver clamd[6824]: XMLDOCS support enabled.
Aug 19 15:03:29 nethserver clamd[6824]: HWP3 support enabled.
Aug 19 15:03:29 nethserver clamd[6824]: Self checking every 600 seconds.
Aug 19 15:03:31 nethserver systemd[1]: Started clamd scanner (squidclamav) daemon.
Aug 19 15:04:12 nethserver clamd[6824]: instream(local): Eicar-Test-Signature.UNOFFICIAL FOUND
Aug 19 15:05:16 nethserver clamd[6824]: instream(local): Eicar-Test-Signature.UNOFFICIAL FOUND
Aug 19 15:07:52 nethserver clamd[6824]: instream(local): Eicar-Test-Signature.UNOFFICIAL FOUND
Aug 19 15:13:41 nethserver clamd[6824]: SelfCheck: Database status OK.
[root@nethserver ufdbguard]#

But Virus check is just working after adding the following line to /etc/c-icap/c-icap.conf:

Service squidclamav squidclamav.so

I think I could reproduce the issue. With (auto)removal of nethserver-squidguard and ufdbguard, nethserver-squidclamav is removed too.
Please check if nethserver-squidclamav is installed:

yum install nethserver-squidclamav

Hi,

the nethserver-squidclamav package is still installed - maybe the wrong versions anywhere?

[root@nethserver ~]# rpm -qa | egrep -i “nethserver|ufdb” | sort
nethserver-antivirus-1.5.1-1.ns7.noarch
nethserver-backup-config-2.5.0-1.ns7.noarch
nethserver-backup-data-1.7.2-1.ns7.noarch
nethserver-base-3.7.7-1.ns7.noarch
nethserver-c-icap-1.1.0-1.ns7.noarch
nethserver-cockpit-1.7.7-1.ns7.noarch
nethserver-cockpit-lib-1.7.7-1.ns7.noarch
nethserver-collectd-3.1.0-1.ns7.noarch
nethserver-diagtools-1.0.3-1.ns7.noarch
nethserver-dnsmasq-1.7.2-1.ns7.noarch
nethserver-duc-1.7.0-1.ns7.noarch
nethserver-firewall-base-3.10.1-1.ns7.noarch
nethserver-hosts-1.2.2-1.ns7.noarch
nethserver-httpd-3.11.1-1.ns7.noarch
nethserver-httpd-admin-2.5.1-1.ns7.noarch
nethserver-lang-cockpit-1.4.4-8.ns7.noarch
nethserver-lang-en-1.4.4-8.ns7.noarch
nethserver-letsencrypt-1.1.6-1.ns7.noarch
nethserver-lib-2.2.11-1.ns7.noarch
nethserver-lightsquid-1.1.2-1.ns7.noarch
nethserver-lsm-1.2.3-1.ns7.noarch
nethserver-mail-smarthost-2.17.1-1.ns7.noarch
nethserver-netdata-1.1.0-1.ns7.noarch
nethserver-nethforge-release-7-3.ns7.noarch
nethserver-ntp-1.1.3-1.ns7.noarch
nethserver-openssh-1.6.0-1.ns7.noarch
nethserver-phonehome-1.4.0-1.ns7.noarch
nethserver-php-1.2.1-1.ns7.noarch
nethserver-release-7-17.ns7.noarch
nethserver-smartd-1.1.0-1.ns7.noarch
nethserver-squid-1.10.10-1.ns7.noarch
nethserver-squidclamav-3.1.0-1.ns7.noarch
nethserver-squidguard-1.9.2-1.7.g186a20a.ns7.noarch
nethserver-sssd-1.7.0-1.ns7.noarch
nethserver-subscription-3.6.2-1.ns7.noarch
nethserver-subscription-inventory-3.6.1-1.ns7.x86_64
nethserver-subscription-ui-3.6.2-1.ns7.noarch
nethserver-yum-1.4.1-1.ns7.noarch
ufdbGuard-1.34.6-2.el7.x86_64
[root@nethserver ~]#

Please check if squidclamav is enabled:

[root@server ~]# config show squidclamav
squidclamav=configuration
    status=enabled

Restart relevant services and rewrite config files:

signal-event nethserver-antivirus-update
signal-event nethserver-squidguard-update

Now the “Service squidclamav squidclamav.so” line should be the last line in /etc/c-icap/c-icap.conf.

If that’s not the case, expand the template manually and restart the services:

expand-template /etc/c-icap/c-icap.conf

Squidclamav is enabled.

But I had to modify /etc/e-smith/templates/etc/c-icap/c-icap.conf/10base to get this line activated.
Is this something which needs to be modified within the following RPM?

[root@nethserver ~]# rpm -qf /etc/e-smith/templates/etc/c-icap/c-icap.conf/10base
nethserver-c-icap-1.1.0-1.ns7.noarch
[root@nethserver ~]#

There should be a template fragment /etc/e-smith/templates/etc/c-icap/c-icap.conf/90squidclamav writing the line to /etc/c-icap/c-icap.conf when squidclamav is enabled. There’s no need to modify a fragment to add the line manually.

[root@server ~]# rpm -qf /etc/e-smith/templates/etc/c-icap/c-icap.conf/90squidclamav
nethserver-squidclamav-3.1.0-1.ns7.noarch
[root@server ~]# cat /etc/e-smith/templates/etc/c-icap/c-icap.conf/90squidclamav
{
    my $status = $squidclamav{'status'} || 'disabled';
    if ($status eq 'enabled') {
        $OUT.="Service squidclamav squidclamav.so\n";
    }
}

After another fresh NS installation and the mentioned signal-event commands I’ve seen that this 90squidclamav File was create

Now it works like sharm

Thanks for your fast feedback

2 Likes