Installation guide
Requirements
Squid
For SquidClamav v6.x you must download Squid version 3.x.
You must have Squid already installed; if not, you can get it here: http://www.squid-cache.org/
Clamd
The Clam Antivirus Toolkit must also be installed and a clamd daemon must be running. It does not matter whether it is configured to use a Unix or a TCP socket; SquidClamav can use both. ClamAV can be found here: http://www.clamav.net/
SquidGuard (optional)
If you want to chain SquidGuard with SquidClamav, it must also be installed. Download it from here: http://www.squidguard.org/
c-icap server
SquidClamav v6.x, as an ICAP service, requires the c-icap server, available from http://c-icap.sourceforge.net/
Install c-icap-0.1.4 or later, which is the ICAP server; the modules part is not required.
Installation
Squid v3.x installation and configuration
To have full and stable ICAP support with Squid you must use the 3.x branch and configure Squid with the following option:
--enable-icap-client
I don't know what other options you are using, but you have to add this one to your configure command. If you prefer to use your distribution's packages, it may already be enabled if you can install the c-icap package too.
If you don't know, run the following command and search for the configuration directive --enable-icap-client:
/usr/local/squid/sbin/squid -v | grep "enable-icap-client"
If it is not enabled, you must reinstall Squid with this configuration option or install the additional packages.
Once you have it enabled, to integrate c-icap and SquidClamav into your Squid cache, just edit squid.conf and set the following directives.
Squid 3.1.x configuration
There are some configuration differences between Squid 3.1.x and 3.0.x. Here are the settings I use for Squid 3.1.x:
icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_encode off
icap_client_username_header X-Authenticated-User
icap_preview_enable on
icap_preview_size 1024
icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
adaptation_access service_req allow all
icap_service service_resp respmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
adaptation_access service_resp allow all
If you don't know where to put them in squid.conf, just search for 'icap_.*' and add those configuration lines at the end of the icap section.
Squid 3.0.x configuration
For Squid 3.0.x you must replace 'bypass=1' with '1' or 'bypass=0' with '0', and access to the service is defined at the class level. Only the last four configuration lines change from version 3.1.x.
icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_encode off
icap_client_username_header X-Authenticated-User
icap_preview_enable on
icap_preview_size 1024
icap_service service_req reqmod_precache 1 icap://127.0.0.1:1344/squidclamav
icap_service service_resp respmod_precache 1 icap://127.0.0.1:1344/squidclamav
icap_class class_avreq service_req
icap_class class_avresp service_resp
icap_access class_avreq allow all
icap_access class_avresp allow all
If you don't know where to put them in squid.conf, just search for 'icap_.*' and add those configuration lines at the end of the icap section.
What do these configuration directives do? They enable the ICAP client in Squid and tell Squid to send the logged-in username and the client's IP address to the ICAP server. They also enable preview, which makes SquidClamav work faster. The last four lines define how to call the ICAP server. Here we call the squidclamav service on localhost, port 1344, but it can be on any other host and port. Setting the bypass parameter to 1 means that Squid will continue without caring about an ICAP server or SquidClamav failure. This is just like the old bridge mode in previous SquidClamav releases. I don't want users to be bothered by a continuous error message if SquidClamav or c-icap fails or if there is an error in the configuration file. Users don't have to know about that; they want to surf and don't care about your problems :-) If you don't agree with me, just set the bypass argument to 0 and Squid will return an error message on failure.
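An added example, not part of the SquidClamav documentation: with bypass set to 1, a c-icap or clamd outage means traffic passes through Squid unscanned, so it is worth knowing which services in a squid.conf fail open. The function names and the sample configuration are constructed for illustration; the parser accepts both the 3.1.x 'bypass=1' form and the 3.0.x positional '1' shown above.

```shell
#!/bin/sh
# Added example: report whether each icap_service in a squid.conf fails open
# (bypass on: traffic passes unscanned if the ICAP service is down) or closed.

# icap_bypass_audit [FILE...]  (reads stdin when no file is given)
# Prints one line per service: <name> <vectoring point> fail-open|fail-closed
icap_bypass_audit() {
    awk '
    $1 == "icap_service" {
        mode = "fail-closed"              # Squid treats a service as essential by default
        for (i = 4; i <= NF; i++) {
            if ($i ~ /^#/) break          # trailing comment
            # 3.1.x uses bypass=1|0|on|off, 3.0.x a bare positional 1|0
            if ($i == "1" || $i == "bypass=1" || $i == "bypass=on")  mode = "fail-open"
            if ($i == "0" || $i == "bypass=0" || $i == "bypass=off") mode = "fail-closed"
        }
        print $2, $3, mode
    }' "$@"
}

# Number of services that would let traffic through unscanned on failure.
icap_fail_open_count() {
    icap_bypass_audit "$@" | awk '$3 == "fail-open" { n++ } END { print n + 0 }'
}

# Succeeds only when every service is fail-closed; usable as a deployment gate.
icap_require_fail_closed() {
    [ "$(icap_fail_open_count "$@")" -eq 0 ]
}

# Constructed sample; it mixes both syntaxes only to exercise the parser.
sample_conf() {
    cat <<'EOF'
icap_enable on
icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
icap_service service_resp respmod_precache bypass=0 icap://127.0.0.1:1344/squidclamav
# icap_service disabled_svc respmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
icap_service old_resp respmod_precache 1 icap://127.0.0.1:1344/squidclamav
EOF
}

sample_conf | icap_bypass_audit
```

To audit a real installation, pass the path of its squid.conf to icap_bypass_audit instead of piping in the sample.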
C-icap server installation/configuration
If you don't have a packaged version or encounter problems installing SquidClamav, I recommend installing the c-icap server from source as follows. You can download it from SourceForge at http://c-icap.sourceforge.net/. Choose version c-icap-0.1.4 or later, then run:
./configure --prefix=/usr/local/c-icap --enable-large-files
make
make install
Then edit the file /usr/local/c-icap/etc/c-icap.conf. It contains a set of documented values that configure the c-icap server. To enable support for SquidClamav, just add the following line to the end of the file:
Service squidclamav squidclamav.so
Don't worry about the srv_clamav.* configuration directives; they will not break anything. SquidClamav does not use them but reads its own directives from the file /etc/squidclamav.conf
If you have not installed the c-icap modules, you must disable the c-icap embedded modules by commenting out the lines:
#Service url_check_module srv_url_check.so
#Service antivirus_module srv_clamav.so
This will also save some resources.
Depending on your installation, you may need to create the /var/run/c-icap/ directory, where the c-icap server writes its pid and socket files.
You may also want to change the user/group owning c-icap's processes. By default the owner is the user/group who runs the program. I recommend changing them to the same user/group that runs your Squid cache. For example:
User proxy
Group proxy
Of course, you will need to change the owner of the directory /var/run/c-icap/ and of the directory holding your server log. See the ServerLog directive to find the path. For my part, I use the following commands to set the right permissions on my installation:
mkdir /var/run/c-icap/
chown -R proxy:proxy /var/run/c-icap/
chown -R proxy:proxy /usr/local/c-icap/
After that you can run the c-icap server as explained below.
SquidClamav installation/configuration
Installing SquidClamav requires that you have already installed c-icap as explained above. You must provide the installation path of c-icap to the configure command as follows, then compile and install:
./configure --with-c-icap=/usr/local/c-icap/
make
make install
This will install the squidclamav.so library into the c-icap modules/services repository.
Running c-icap server
Finally, you can run the c-icap server as the root user:
/usr/local/c-icap/bin/c-icap
Or any other path to the binary. If you want to display debugging information on the terminal, the previous command should be executed with the following arguments:
/usr/local/c-icap/bin/c-icap -N -D -d 10
The first argument -N prevents the c-icap server from forking in the background, the second argument -D enables the printing of messages to standard output, and the third argument -d 10 enables the printing of full debugging information.
Reloading configuration without restarting the c-icap server
To force SquidClamav to reread its configuration file after a change, you can send the following command to the c-icap server:
echo -n "squidclamav:cfgreload" > /var/run/c-icap/c-icap.ctl
It will reread all its configuration directives and restart the pipes to SquidGuard. So if you make changes to SquidGuard, you must execute this command to activate them in SquidClamav.
Or, to be sure that everything is really reinitialized, or if you have changed the c-icap configuration file, you can run the following command:
echo -n "reconfigure" > /var/run/c-icap/c-icap.ctl
The server will reread the config file without needing to stop and restart the c-icap server. The services will be reinitialized.
Packaging
If you want to build a binary package for your preferred Linux distribution, take a look at the packaging/ directory of the source tarball. It has everything needed to build RPM, Slackware and Debian packages. See the README file in that directory.
