Squid filter patches

Squid is my HTTP proxy of choice for most applications. It is also used in Gibraltar firewall, not only for caching HTTP content, but also for filtering it. Although squid comes with some basic filtering capabilities, e.g. the URL filters, much is missing, including methods of content filtering. There are various approaches for adding content filtering capabilities to squid, including chaining with other proxies (e.g. Muffin, httpf, or HAVP) and redirector plugins that first download the complete file at the proxy server, process it and only then start to send it to the client. Both approaches have disadvantages: the former uses a second proxy, and with the latter clients will usually time out when the download takes too long and the client is not receiving anything in the meantime.

Thus the squid filter patches were born. The original version was written by Olaf Titz and is still available at http://sites.inka.de/sites/bigred/devel/squid-filter.html. However, they have only recently been updated to newer squid versions (by Andreas Schiller, independently of my patches available on this page) and do not include any anti-virus filter plugins. A preliminary version of a clamav filter plugin has been created by the OpenAntivirus project and is available at http://www.openantivirus.org/projects.php (last update 2002). My squid filter patches build on both, but are available for the newest stable squid versions and significantly improve anti-virus filtering.

Download

The main development happens directly in the Gibraltar versions of the Debian squid packages. Although I try to update this page whenever I make changes, it can be out of date at times. The newest versions of these patches are always integrated into the Gibraltar firewall; when larger changes have happened, I will create explicit patches and make them available here.

  • Squid filter patches version 2.1 for Squid 2.5.9-9 (upstream version 2.5.9, Debian package revision 9) including the ICAP client patch. This is a slight performance optimization of version 2.0, which deletes temporary files as early as possible and thus saves disk space. It now also includes the configure and Makefile.in files, as I have been told that the bootstrap.sh script is difficult to run with its rather ancient autoconf/automake dependencies (which is also my experience). This unfortunately doubles the size of the patch, but should make it easier to apply.
    Attention: please apply this patch to version 2.1, because the performance optimization introduced a potential security problem, where files were not scanned at all if the maximum file size to scan was not set to -1. This patch fixes the issue.
  • Squid filter patches version 2.0 for Squid 2.5.9-9 (upstream version 2.5.9, Debian package revision 9) including the ICAP client patch. Since the ICAP client patch somehow conflicts with my filter patches, I have decided to include it directly, because it allows interfacing with ICAP servers (e.g. commercial anti-virus scanners). When not enabled, it does not hurt.
    Albert Siersema updated this version of the patch for Squid 2.5.12 (vanilla version). It is split into a diff and an archive with the new files, which should be unpacked into the squid top-level source directory after applying the diff.
  • Squid filter patches version 1.0 for Squid 2.5.4.

These patches are available under the GNU GPL.

Please note that the Kaspersky anti-virus filter plugin included in the Gibraltar firewall cannot be included in these open-source patches, because it uses the commercial Kaspersky client library. However, it only differs from the clamav anti-virus filter plugin in the code interfacing with the scanner, and by looking at the source code it should be easy to create a version for the open source Kaspersky client library available at http://kavclient.sourceforge.net/ or for other scanner engines. The clamav filter source code includes comments where the scanner-specific code should go. All other code should be general enough for arbitrary file-based scanner engines (and is in fact used by the Kaspersky filter plugin included with Gibraltar).

When looking at the Debian package changelog, you will notice that there were quite a few versions between the patch versions posted here. I do have these patches available, but they still include the Kaspersky code and can therefore not be distributed without removing this Kaspersky-specific code. Since the newest version is available here, I have not bothered to strip the versions before that, but if for some reason you need them or want to have a look at the intermediate clamav filter plugin versions, please feel free to contact me.

Installation

To install the patches, simply apply them to the Squid source code. If you use the version the patches were made for, they should apply cleanly. Then compile with the configure option “--enable-filters” to include them in the code. If you use the squid Debian packages, the patches will modify the Debian build script to automatically include this option. If you use the upstream sources, you can safely ignore any rejects under the (non-existent) debian/ subdirectory.

Already patched source and binary packages for Debian woody (the base of Gibraltar firewall) can always be found in the Gibraltar archive on the mirror servers, e.g. at ftp://gd.tuwien.ac.at/opsys/linux/gibraltar/archive.
Configuration

After applying the patches, new options are made available in the squid config file. My patches include all the plugins written by Olaf Titz (only marginally adapted to the new squid versions), so please see his page for basic configuration options. Here I will concentrate on the config options of the new anti-virus filter plugin for clamav. To enable the module, it just needs to be loaded with the load_module option in squid.conf. Assuming the default Debian package installation, the line should look like this:

load_module /usr/lib/squid/clamavscan.so /var/lib/clamav 100000 100000
Version 2.0 of the clamav module takes three parameters (plus an optional fourth) in the following order:

  1. The location to the clamav anti-virus database. Debian stores it under /var/lib/clamav by default.

  2. The maximum scan window size. A sliding window of this size will be used to scan parts of the downloaded file while it is being downloaded. It should be set larger than the largest virus size known at the moment.

  3. The maximum file size in bytes. Files larger than this will only get scanned up to this limit and are then just passed to the client if no virus is found in the first part (which is where viruses usually reside). For very large files, this means that the download of the first part of this size will be slow, but after that the file will be sent to the client as quickly as it can be downloaded. You can specify “-1” to disable this feature and scan all files independently of their size.

  4. This parameter is optional and can be used to specify an “action script”: whenever a virus is detected, this script is executed. It is the (optional) last parameter to the load_module line, e.g.

    load_module /usr/lib/squid/clamavscan.so /var/lib/clamav 100000 1000000 /usr/local/bin/notify-client.sh

    The parameters passed to this script are
    - the URL
    - the virus name
    - the HTTP content type
    - the client’s IP address
    - and (if set) the authenticated user name

    This script can do basically anything, e.g. use smbclient to send SMB messages to Windows hosts.
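
A minimal action script for that fourth parameter, added here as an example (it is not part of the patches). It assumes the five positional arguments in the order listed above, an assumed log file path /var/log/squid/virus-alerts.log (overridable via CLAMAV_ACTION_LOG), and the standard logger utility if present; control characters are stripped from the URL so a crafted URL cannot forge extra log lines.

```shell
#!/bin/sh
# Action script for the clamavscan.so filter plugin (added example, not from the
# original patches). Squid invokes it on every detection as:
#   script URL VIRUS_NAME CONTENT_TYPE CLIENT_IP [AUTH_USER]
# It records one key=value line per detection so incidents can be traced back
# to the downloading client, and forwards the same line to syslog if available.

LOGFILE="${CLAMAV_ACTION_LOG:-/var/log/squid/virus-alerts.log}"  # assumed path

# format_alert URL VIRUS CTYPE CLIENT [USER]
# Builds the alert line. The URL is attacker-controlled, so newlines and other
# control characters are removed to prevent log injection; a missing user
# name (unauthenticated client) is recorded as "-".
format_alert() {
    url=$(printf '%s' "$1" | tr -d '\000-\037\177')
    printf 'client=%s user=%s virus=%s ctype=%s url=%s' \
        "$4" "${5:--}" "$2" "$3" "$url"
}

main() {
    if [ "$#" -lt 4 ]; then
        echo "usage: $0 URL VIRUS_NAME CONTENT_TYPE CLIENT_IP [AUTH_USER]" >&2
        return 2
    fi
    line="ts=$(date -u +%Y-%m-%dT%H:%M:%SZ) $(format_alert "$@")"
    # Append to the log file; fall back to stderr (squid's cache.log) if that fails.
    printf '%s\n' "$line" >> "$LOGFILE" 2>/dev/null || printf '%s\n' "$line" >&2
    if command -v logger >/dev/null 2>&1; then
        logger -t squid-clamav -p daemon.warning "$line"
    fi
    # Further notification (e.g. smbclient to the client host) would go here.
    return 0
}

# Only act when squid actually passed arguments.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```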

The limitations of the scan window and file sizes are currently necessary for performance reasons. Setting them too low will definitely increase the risk of letting a virus through. I am still working on a better solution that is guaranteed to stop all viruses while still providing reasonable performance.

René Mayrhofer
Professor of Networks and Security & Director of Engineering at Android Platform Security; pacifist, privacy fan, recovering hypocrite; generally here to question and learn