OPNsense Forum

Archive => 17.1 Legacy Series => Topic started by: cwynd on April 11, 2017, 04:28:10 pm

Title: [SOLVED] Looking for help re squidclamav redirect problem
Post by: cwynd on April 11, 2017, 04:28:10 pm
Hi All, I am trying to get squidclamav working with OPNsense 17.1. My problem is I cannot get the redirect to work for eicar test virus files. I have everything working fine for clean URLs, and with squidclamav debug enabled I see it receiving and processing the request:
Code:
DEBUG initializing request data handler.
DEBUG processing preview header.
DEBUG X-Client-IP: 192.168.1.150
DEBUG method GET
DEBUG url http://no.viruses.here
DEBUG URL requested:  http://no.viruses.here

DEBUG Content-Length: -1
DEBUG No body data, allow 204
DEBUG Releasing request data.
DEBUG initializing request data handler.
DEBUG processing preview header.
DEBUG preview data size is 1024
DEBUG X-Client-IP: 192.168.1.150
DEBUG method GET
DEBUG url  http://no.viruses.here
DEBUG URL requested:  http://no.viruses.here

DEBUG Content-Length: 3699
DEBUG Content-Type: text/html
DEBUG End of method squidclamav_check_preview_handler
DEBUG ending request data handler.

Sending zINSTREAM command to clamd.
DEBUG Ok connected to clamd.
DEBUG: Scanning data now
DEBUG Write 3703 bytes on 3699 to socket
DEBUG received from Clamd: stream: OK
DEBUG Closing Clamd connection.
DEBUG Responding with allow 204

But for an eicar test virus URL, it seems like the request gets released by squidclamav (if I am reading the below correctly), but a response is never received, and never forwarded to clamd for scanning, and no response or redirect ever goes back to the client browser, which eventually reports a '504 Gateway Error'. This is the complete squidclamav debug log:
Code:
DEBUG initializing request data handler.
DEBUG processing preview header.
DEBUG X-Client-IP: 192.168.1.150
DEBUG method GET
DEBUG url http://www.eicar.org/download/eicar.com
DEBUG URL requested: http://www.eicar.org/download/eicar.com
DEBUG Content-Length: -1
DEBUG No body data, allow 204
DEBUG Releasing request data.

I have duplicated this problem on two completely separate c-icap/squidclamav/clamd setups now, most recently with latest c-icap (0.5.2) and squidclamav (6.16) compiled from sources, so I'm sure it's something I am doing wrong. But after 3 days of poring over logs I cannot see it.

Any help or hints greatly appreciated!!

PS: clwarn.cgi is in the right place, and is visible to the client browser if I load it directly. According to the apache logs it never gets hit unless I load it explicitly.

PPS: This is all HTTP (no HTTPS... yet)


Edit: Marked solved.
Title: [SOLVED] Re: Looking for help re squidclamav redirect problem
Post by: cwynd on April 11, 2017, 08:46:57 pm
OK, figured it out. The problem was that suricata was blocking the eicar response before it even got to the proxy+squidclamav. Obvious with hindsight, but not at all in the heat of the moment. Once I unblocked that, everything works as intended. At least I understand the ICAP protocol a little better from reading the RFP :)
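
As an added example (not code from the thread or from squidclamav), this sketch groups squidclamav debug output into handler passes and lists URLs for which only a body-less pass was logged. That is the pattern the first post shows for the EICAR URL, which the follow-up traced to the response being dropped before it reached the proxy. The sample log is constructed from the lines quoted in the thread, and the function names are hypothetical.

```python
import re

# Constructed sample, modelled on the squidclamav debug lines quoted in the thread.
SAMPLE_LOG = """\
DEBUG initializing request data handler.
DEBUG url http://no.viruses.here
DEBUG Content-Length: -1
DEBUG No body data, allow 204
DEBUG Releasing request data.
DEBUG initializing request data handler.
DEBUG preview data size is 1024
DEBUG url  http://no.viruses.here
DEBUG Content-Length: 3699
DEBUG received from Clamd: stream: OK
DEBUG Responding with allow 204
DEBUG initializing request data handler.
DEBUG url http://www.eicar.org/download/eicar.com
DEBUG Content-Length: -1
DEBUG No body data, allow 204
DEBUG Releasing request data.
"""

START = "initializing request data handler"

def transactions(log_text):
    """Split the log into one record per handler invocation."""
    records, cur = [], None
    for line in log_text.splitlines():
        if START in line:
            cur = {"url": None, "has_body": False, "verdict": None}
            records.append(cur)
        elif cur is None:
            continue  # lines before the first handler start
        elif m := re.search(r"DEBUG url\s+(\S+)", line):
            cur["url"] = m.group(1)
        elif m := re.search(r"Content-Length:\s*(-?\d+)", line):
            cur["has_body"] = int(m.group(1)) > 0
        elif m := re.search(r"received from Clamd:\s*(.+)", line):
            cur["verdict"] = m.group(1).strip()
    return records

def never_scanned(log_text):
    """URLs seen only in body-less passes: no response body reached squidclamav."""
    recs = [r for r in transactions(log_text) if r["url"]]
    scanned = {r["url"] for r in recs if r["has_body"] or r["verdict"]}
    return sorted({r["url"] for r in recs} - scanned)

if __name__ == "__main__":
    for url in never_scanned(SAMPLE_LOG):
        print("no response body ever scanned:", url)
```

A URL reported here means the scanner never saw a response for it, so the next place to look is whatever sits between the origin server and the proxy, such as an inline IPS.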