Hi Amos

On 06/30/2012 10:25 AM, Amos Jeffries wrote:
> On 30/06/2012 7:20 p.m., Felix Leimbach wrote:
>> Hello list
>>
>> I'm running squid 3.1.19 with squidclamav 6.6 and while debugging a
>> different issue, I looked at tcpdumps of the ICAP traffic for
>> squidclamav.
>>
>> I noticed that not only the webpages are sent to squidclamav for
>> scanning, the *requests* are sent and scanned as well.
>>
>> This looks like unnecessary processing overhead to me and I've
>> disabled this by removing these lines (from squidclamav's install [1]
>> page):
>>
>> icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
>> adaptation_access service_req allow all
>>
>> what's left is the response scanning:
>>
>> icap_service service_resp respmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
>> adaptation_access service_resp allow all
>>
>> Viruses in webpages are still being caught just fine.
>>
>> Should the install page be updated or is there a disadvantage to this
>> approach?
>>
>> [1] http://squidclamav.darold.net/installv6.html
>
> 1) squidclamav is not part of the Squid project. So it is highly
> unlikely that people here are in a position to edit that program's
> documentation.

That's why Gilles (author of squidclamav) was CCed ;-)

> 2) the HTTP world is not limited to downloads. Uploaded files, CONNECT
> tunnels, media streams and other types of client-sent things also need
> AV scanning to protect servers against infected clients.

You are right of course, there are defense-in-depth scenarios where you
want to scan outgoing traffic.
In my case - which I believe is the most common squidclamav use case -
the purpose is to protect the internal network's users from external
threats.

> It is of course up to you which you enable/disable. But being AV
> documentation I would expect they prefer to document the safest known
> configurations as standard and let the particular admin make the choice to
> open holes.

ACK. Maybe Gilles wants to include this as information on the install
page, because most people will not notice the potential for a
performance gain otherwise.

Felix
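
The following is an added example, not part of the original thread and not code from Squid or squidclamav: a small audit that reads the ICAP directives discussed above and reports which direction (reqmod for requests, respmod for responses) is left unscanned, and which active services are fail-open because of bypass=1. The function names and finding codes are hypothetical; it assumes one directive per line and that adaptation_access names the service directly rather than a service set or chain.

```python
# Added example: audit which ICAP vectoring points a squid.conf actually scans.
# SAMPLE_CONF is constructed from the directives quoted in the thread
# (the response-only setup left after removing the request-side service).
SAMPLE_CONF = """\
icap_service service_resp respmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
adaptation_access service_resp allow all
"""

def parse_icap(conf_text):
    """Collect icap_service definitions and their adaptation_access rules."""
    services = {}
    rules = []
    for raw in conf_text.splitlines():
        tok = raw.split("#", 1)[0].split()          # drop comments, tokenize
        if len(tok) >= 4 and tok[0] == "icap_service":
            # Options and URL may appear in either order after the vectoring point.
            opts = dict(t.split("=", 1) for t in tok[3:]
                        if "=" in t and "://" not in t)
            services[tok[1]] = {
                "point": tok[2],
                # bypass=1/on: Squid passes traffic unscanned if the service fails.
                "fail_open": opts.get("bypass", "0").lower() in ("1", "on"),
                "access": [],
            }
        elif len(tok) >= 3 and tok[0] == "adaptation_access":
            rules.append((tok[1], tok[2], tok[3:]))
    for name, action, acls in rules:
        if name in services:
            services[name]["access"].append((action, acls))
    return services

def audit(conf_text):
    """Return a sorted list of finding codes for the given configuration."""
    findings = set()
    scanned = set()
    for name, svc in parse_icap(conf_text).items():
        if any(action == "allow" for action, _ in svc["access"]):
            scanned.add(svc["point"].split("_")[0])  # "reqmod" or "respmod"
            if svc["fail_open"]:
                findings.add("fail-open:" + name)
    for direction in ("reqmod", "respmod"):
        if direction not in scanned:
            findings.add("unscanned:" + direction)
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(finding)
```
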