Installation guide


Requirements


Squid

For SquidClamav v6.x you must download Squid version 3.x.

You must have Squid already installed; if not, you can get it here: http://www.squid-cache.org/

Clamd

Clam Antivirus Toolkit must also be installed and a clamd daemon must be running. It does not matter whether it is configured to use a Unix or a TCP socket; SquidClamav can use both. ClamAV can be found here: http://www.clamav.net/

SquidGuard (optional)

If you want to chain SquidGuard with SquidClamav, it must also be installed. Download it from here: http://www.squidguard.org/

c-icap server

SquidClamav v6.x, as an ICAP service, requires the c-icap server, available from http://c-icap.sourceforge.net/

Install c-icap-0.1.4 or later, which is the ICAP server; the modules part is not required.

Installation

Squid v3.x installation and configuration

To have full and stable icap support with Squid you must use the 3.x branch and configure squid with the following option:

	--enable-icap-client

I don't know what other options you are using but you have to add this one to your configure command. If you prefer to use distribution packaging you may already have it configured if you can install the c-icap package too.

If you don't know, run the following command and search for the configuration directive: --enable-icap-client

	/usr/local/squid/sbin/squid -v | grep "enable-icap-client"

If it is not enabled, you must reinstall Squid with this configuration option or install the additional packages.

Once you have it enabled, to integrate c-icap and SquidClamav into your Squid cache, just edit squid.conf and set the following directives.

Squid 3.4.x configuration

There are some configuration differences between the 3.1.x and 3.4.x Squid versions. Here are the directives I use for Squid 3.4.x:

    icap_enable on
    icap_send_client_ip on
    icap_send_client_username on
    icap_client_username_encode off
    icap_client_username_header X-Authenticated-User
    icap_preview_enable on
    icap_preview_size 1024
    icap_service service_avi_req reqmod_precache icap://localhost:1344/squidclamav bypass=off
    adaptation_access service_avi_req allow all
    icap_service service_avi_resp respmod_precache icap://localhost:1344/squidclamav bypass=on
    adaptation_access service_avi_resp allow all

If you don't know where to put them in squid.conf, just search for 'icap_.*' and add those configuration lines at the end of the icap section.

Squid 3.1.x and later configuration

There are some configuration differences between the 3.1.x and 3.0.x Squid versions. Here are the directives I use for Squid 3.1.x:

	icap_enable on
	icap_send_client_ip on
	icap_send_client_username on
	icap_client_username_encode off
	icap_client_username_header X-Authenticated-User
	icap_preview_enable on
	icap_preview_size 1024
	icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
	adaptation_access service_req allow all
	icap_service service_resp respmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
	adaptation_access service_resp allow all

If you don't know where to put them in squid.conf, just search for 'icap_.*' and add those configuration lines at the end of the icap section.

Squid 3.0.x configuration

For Squid 3.0.x you must replace 'bypass=1' with '1' or 'bypass=0' with '0', and access to the service is defined at the class level. Only the last four configuration lines change from version 3.1.x.

	icap_enable on
	icap_send_client_ip on
	icap_send_client_username on
	icap_client_username_encode off
	icap_client_username_header X-Authenticated-User
	icap_preview_enable on
	icap_preview_size 1024
	icap_service service_req reqmod_precache 1 icap://127.0.0.1:1344/squidclamav
	icap_service service_resp respmod_precache 1 icap://127.0.0.1:1344/squidclamav
	icap_class class_avreq service_req
	icap_class class_avresp service_resp
	icap_access class_avreq allow all
	icap_access class_avresp allow all

If you don't know where to put them in squid.conf, just search for 'icap_.*' and add those configuration lines at the end of the icap section.

What do these configuration directives do? They enable the ICAP client in Squid and tell Squid to send the logged-in username and the client's IP address to the ICAP server. They also enable preview so that SquidClamav works faster. The last four lines define how to call the ICAP server. Here we call the squidclamav service on localhost and port 1344, but it can be on any other host and port. The bypass parameter set to 1 means that Squid will continue without bothering about ICAP server or SquidClamav failure. This is just like the old bridge mode in previous SquidClamav releases.

I don't want users to be bored by a continuous error message if SquidClamav or c-icap fails or if there's an error in the configuration file. Users don't have to know about that, they want to surf and don't care about your problems :-) If you don't think like me, just set the bypass argument to 0 and Squid will return an error message on failure.
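The bypass flag is written three different ways across the Squid versions above, and with it enabled Squid lets traffic through unscanned whenever the ICAP service is unavailable. The following shell sketch is an added example, not part of SquidClamav or Squid: it reads icap_service lines in any of the three syntaxes and reports which services are fail-open. The function names are hypothetical and the sample lines are constructed from the configurations on this page.

```sh
#!/bin/sh
# Added example, not SquidClamav or Squid code. Function names are hypothetical.

# Print "<service> <vectoring point> <fail-open|fail-closed>" for every
# icap_service line in FILE (or stdin when no file is given).
audit_icap_bypass() {
    awk '
    $1 == "icap_service" {
        mode = "fail-closed"          # bypass is off unless stated (3.1.x+)
        for (i = 4; i <= NF; i++) {
            if ($i ~ /^#/) break      # ignore a trailing comment
            if ($i ~ /^bypass=/) {    # 3.1.x and 3.4.x: bypass=1|0|on|off
                v = substr($i, 8)
                mode = (v == "1" || v == "on") ? "fail-open" : "fail-closed"
            } else if ($i == "1") {   # 3.0.x: bare positional flag
                mode = "fail-open"
            } else if ($i == "0") {
                mode = "fail-closed"
            }
        }
        print $2, $3, mode
    }' "${1:--}"
}

# Number of services that let traffic through unscanned when ICAP fails.
count_fail_open() {
    audit_icap_bypass "$1" | awk '$3 == "fail-open" { n++ } END { print n + 0 }'
}

# Constructed sample: service lines in each syntax shown on this page.
sample_conf() {
    cat <<'EOF'
# 3.4.x syntax
icap_service service_avi_req reqmod_precache icap://localhost:1344/squidclamav bypass=off
icap_service service_avi_resp respmod_precache icap://localhost:1344/squidclamav bypass=on
# 3.1.x syntax
icap_service service_resp respmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
# 3.0.x syntax
icap_service service_req reqmod_precache 1 icap://127.0.0.1:1344/squidclamav
EOF
}

sample_conf | audit_icap_bypass
echo "fail-open services: $(sample_conf | count_fail_open)"
```

To check a real installation, pass the path of squid.conf as the first argument to audit_icap_bypass.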

C-icap server installation/configuration

If you don't have a packaged solution or encounter problems installing SquidClamav, I recommend that you install the c-icap server from source as follows. You can download it from SourceForge at http://c-icap.sourceforge.net/. Choose version c-icap-0.1.4 or later, then run:

	./configure --prefix=/usr/local/c-icap --enable-large-files
	make
	make install

Then, edit the file /usr/local/c-icap/etc/c-icap.conf. It contains a set of documented values that configure the c-icap server. To enable SquidClamav support, just add the following line at the end of the file:

	Service squidclamav squidclamav.so

Don't worry about the srv_clamav.* configuration directives; they will not break anything. SquidClamav does not use them but reads its own directives from the file /etc/squidclamav.conf.

You must disable the c-icap embedded modules by commenting out the lines:

	#Service url_check_module srv_url_check.so
	#Service antivirus_module srv_clamav.so

if you have not installed the c-icap modules; this will also save some resources.

Following your installation, you may need to create the directory /var/run/c-icap/, where the c-icap server writes its pid and socket files.

You may also want to change the user/group owning c-icap's processes. By default the owner is the user/group who runs the program. I recommend that you change them to the same user/group that runs your Squid cache. For example:

	User proxy
	Group proxy

Of course, you will then need to change the owner of the directory /var/run/c-icap/ and of the directory holding your server log. See the ServerLog directive to find the path. I use the following commands to set the right permissions on my installation:

	mkdir /var/run/c-icap/
	chown -R proxy:proxy /var/run/c-icap/
	chown -R proxy:proxy /usr/local/c-icap/

After that you can run the c-icap server as explained below.

SquidClamav installation/configuration

Installing SquidClamav requires that you have already installed c-icap as explained above. You must provide the installation path of c-icap to the configure command as follows, then compile and install:

	./configure --with-c-icap=/usr/local/c-icap/
	make
	make install

This will install the squidclamav.so library into the c-icap modules/services directory.

Running c-icap server

Finally, you can run the c-icap server as root user:

	/usr/local/c-icap/bin/c-icap

Or any other path to the binary. If you want to display debugging information on the terminal, the previous command should be executed with the following arguments:

	/usr/local/c-icap/bin/c-icap -N -D -d 10

The first argument -N prevents the c-icap server from forking in the background, the second argument -D enables the printing of messages to standard output, and the third argument -d 10 enables the printing of full debugging information.

Reloading configuration without restarting the c-icap server

To force SquidClamav to reread its configuration file after a change, you can send the following command to the c-icap server:

	echo -n "squidclamav:cfgreload" > /var/run/c-icap/c-icap.ctl

It will reread all its configuration directives and restart the pipes to squidGuard. So if you make changes to squidGuard, you must execute this command to activate them in SquidClamav.

Or, to be sure that everything is really initialized, or if you have made changes to the c-icap configuration file, you can run the following command:

        echo -n "reconfigure" > /var/run/c-icap/c-icap.ctl

The service will reread the config file without the need to stop and restart the c-icap server. The services will be reinitialized.
