ClamAV doesn't get updated behind proxy

antivirus
squid
v7
proxy

(Juan Carlos Fernandez) #1

NethServer Version: 7.6.1810
Module: clamav-0.101.1-1.el7.x86_64 | nethserver-antivirus-1.2.1-1.ns7.noarch

I have an NS instance (for clarity, let's call it clamav-ns) behind a proxy/gateway. I'm receiving mail notifications with this error:

ERROR: Can't download main.cvd from database.clamav.net

When I run freshclam command I get this:

ClamAV update process started at Tue Mar  5 09:27:08 2019
WARNING: can't download main.cvd from database.clamav.net
Trying again in 5 secs...
WARNING: Can't download main.cvd from database.clamav.net
Trying again in 5 secs...
ERROR:  Can't download main.cvd from database.clamav.net
Giving up on database.clamav.net...
Update failed. Your network may be down or none of the mirrors listed in /etc/freshclam.conf is working. Check https://www.clamav.net/documents/official-mirror-faq for possible reasons.

Gateway/proxy is also a NS with nethserver-squid configured like this:
[Image: Web Proxy Rules Config]

Since clamav-ns is in the green zone, it has its proxy configuration set and working. I checked this with these two commands:

1. yum check-update
2. speedtest-cli

Both commands respond correctly, so the proxy configuration for clamav-ns is working. I checked the freshclam configuration (/etc/freshclam.conf) and found out that it doesn't have its proxy configuration set.

So I created a custom template like this:

mkdir -p /etc/e-smith/templates-custom/etc/freshclam.conf/
nano /etc/e-smith/templates-custom/etc/freshclam.conf/99proxy

And added these lines:

# Proxy settings
HTTPProxyServer ip-for-clamav-ns
HTTPProxyPort 3128
HTTPProxyUsername proxy-username
HTTPProxyPassword proxy-password

I expanded the template like this:

expand-template /etc/freshclam.conf 

Reran the freshclam command and …

ClamAV update process started at Tue Mar  5 09:42:21 2019
Connecting via ###.###.###.###
main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Connecting via ###.###.###.###
Downloading daily.cvd [ 56%]

Download in progress, so problem solved.
I don’t know why clamav doesn’t use the global proxy, does someone have a better solution?
Should this template be included as a normal template?


(Markus Neuberger) #2

Proxy settings are only configurable via the configuration file and freshclam will require strict permission settings for the config file when HTTPProxyPassword is turned on.

See https://www.clamav.net/documents/configuration#freshclamconf

Yes, I think you found a bug. I’m working on a template fragment to get the network proxy settings and use it in freshclam.conf as you described.

EDIT:

Does the following /etc/e-smith/templates-custom/etc/freshclam.conf/99proxy work for you?

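{
    # Network proxy settings, exposed to the template as %proxy.
    my $host = $proxy{host};
    my $port = $proxy{port} || "3128";
    my $user = $proxy{user};
    my $password = $proxy{password};

    # Emit proxy directives only when a proxy host is configured.
    if ($host ne "") {
$OUT .=<<"EOF";
# proxy settings
HTTPProxyServer $host
HTTPProxyPort $port
EOF

        # Add credentials only when both are set, so a proxy without authentication still works.
        if ($user ne "" and $password ne "") {
$OUT .=<<"EOF";
HTTPProxyUsername $user
HTTPProxyPassword $password
EOF
        }
    }
}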

(Juan Carlos Fernandez) #3

Yes, it works, thank you @mrmarkuz


(Markus Neuberger) #4

You’re welcome.
I realized it’s a little more complex, as one may use a manual proxy without authentication; in this case you would leave username/password blank and freshclam won’t work. I’ll post a new fragment after rework…

EDIT:

I edited the template fragment to work without username/password.
While testing I noticed a freshclam warning:

[root@server2 ~]# freshclam
WARNING: Insecure permissions (for HTTPProxyPassword): /etc/freshclam.conf must have no more than 0700 permissions.

Fixed it with:

chmod 600 /etc/freshclam.conf

EDIT:

I opened an issue:


(Giacomo Sanchietti) #5

Thank you for reporting @jfernandez and wonderful bug report @mrmarkuz!

Are you working on opening the PR or should I step in?


(Markus Neuberger) #6

Thanks, I am already working on it.


(Giacomo Sanchietti) #7

@mrmarkuz did a great job and fixed the issue.

@jfernandez would you give it a try? Just execute:

rm -rf /etc/e-smith/templates-custom/etc/freshclam.conf
yum --enablerepo=nethserver-testing update nethserver-antivirus

And everything should still be working!


(Juan Carlos Fernandez) #8

It's working. Again, thanks for the support, and as usual, keep up the good work.
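
A check for the two conditions raised in posts #2 and #4, as an added example that is not part of the thread or of NethServer's code: it reads a freshclam.conf and reports proxy credentials that are unpaired or lack an HTTPProxyServer, and a file mode that lets group or others read HTTPProxyPassword. The function names and return codes are assumptions of this example, and `stat -c` is the GNU coreutils form.

```shell
#!/usr/bin/env bash
# Added example (not NethServer code): audit the proxy part of a freshclam.conf.
# Return codes (chosen for this example): 0 clean, 1 findings, 2 unreadable file.

# Print the value of the first uncommented occurrence of a directive.
conf_value() {  # usage: conf_value FILE DIRECTIVE
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

audit_freshclam_conf() {  # usage: audit_freshclam_conf FILE
    local file="$1" findings=0 mode server user pass
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }

    server=$(conf_value "$file" HTTPProxyServer)
    user=$(conf_value "$file" HTTPProxyUsername)
    pass=$(conf_value "$file" HTTPProxyPassword)

    # Credentials are useless (and needlessly stored) without a proxy host.
    if [ -n "$user$pass" ] && [ -z "$server" ]; then
        echo "FINDING: proxy credentials set but HTTPProxyServer is missing"
        findings=1
    fi

    # The template in this thread writes username and password only as a pair.
    case "${user:+u}${pass:+p}" in
        u|p) echo "FINDING: HTTPProxyUsername/HTTPProxyPassword not set as a pair"
             findings=1 ;;
    esac

    # freshclam warns when a file holding HTTPProxyPassword has any
    # group/other permission bit set (post #4); 0600 satisfies it.
    if [ -n "$pass" ]; then
        mode=$(stat -c '%a' "$file")
        if [ $(( 0$mode & 077 )) -ne 0 ]; then
            echo "FINDING: $file is mode $mode and holds HTTPProxyPassword; chmod 600"
            findings=1
        fi
    fi
    return "$findings"
}

# Stand-alone use: pass the config path as the first argument.
if [ "$#" -gt 0 ]; then
    audit_freshclam_conf "$1"
fi
```

A configuration for a proxy without authentication passes even when world-readable, since there is no secret in it to protect.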