Using Kaspersky Scan Engine in ICAP mode with Squid

Squid is a caching and forwarding web proxy server for Windows and UNIX-like systems. You can use Kaspersky Scan Engine in ICAP mode to scan traffic that passes through the Squid proxy.

Software requirements

• Operating system Ubuntu 18.04 or later
• Squid 4.5 or later

Configuring Squid for working with Kaspersky Scan Engine

For Kaspersky Scan Engine to work with Squid in ICAP mode, you must specify Kaspersky Scan Engine as an ICAP service in the Squid configuration file (squid.conf).

In Squid, an ICAP service is defined in the following format: icap_service id vectoring_point [options] uri.

To specify Kaspersky Scan Engine as an ICAP service:

1. Open squid.conf for editing.
2. Define the mandatory parameters id, vectoring_point, and uri:
   1. Set id to any appropriate identifier. For example, srv_kl_resp for request modification (REQMOD) mode and srv_kl_req for response modification (RESPMOD) mode.
   2. Set vectoring_point to an appropriate *_precache value:
      • For request modification (REQMOD) mode, specify reqmod_precache.
      • For response modification (RESPMOD) mode, specify respmod_precache.
   3. Set uri to the location of Kaspersky Scan Engine:
      • For REQMOD mode, the URI must have the following format: icap://servername:port/req.
      • For RESPMOD mode, the URI must have the following format: icap://servername:port/resp.
3. Add the following lines to the end of the Squid configuration file:

   icap_enable on adaptation_send_username on adaptation_send_client_ip on icap_service srv_kl_resp respmod_precache 0 icap://localhost:1344/resp icap_service srv_kl_req reqmod_precache 0 icap://localhost:1344/req adaptation_access srv_kl_resp allow all adaptation_access srv_kl_req allow all icap_service_failure_limit -1 icap_service_revival_delay 30 icap_preview_enable off

   In the example above, srv_kl_resp and srv_kl_req are examples of id, respmod_precache and reqmod_precache are values of vectoring_point, 0 is the value of the Squid bypass option, and vectoring_point and icap://localhost:1344/req are examples of uri.

   You can use localhost in uri only if Kaspersky Scan Engine is installed on the same computer as Squid.

4. Save and close squid.conf.
5. Restart the squid service:

   service squid restart

Configuring Squid for working with Kaspersky Scan Engine and enabling SSL scanning

By default, Kaspersky Scan Engine cannot scan SSL/TLS traffic, but you can configure Squid to decrypt it by using the SSL Bumping functionality.

To configure Squid for working with Kaspersky Scan Engine and enable SSL Bumping:

1. Install the packages necessary to compile and configure Squid:

   apt-get install build-essential openssl libssl-dev pkg-config

2. Download source code for Squid 4.5 or later.
3. Unzip the archive that contains the Squid source code to the required directory.
4. Move to this directory.
5. Compile Squid:

   ./configure --with-default-user=proxy --with-openssl --enable-ssl-crtd

   make all

   make install

   Options --with-openssl and --enable-ssl-crtd are necessary to enable SSL Bumping.

6. Set up the correct time and date on the server that is running Squid. The time and date are checked every time a client is trying to validate the certificate of this server.
7. Configure OpenSSL:
   1. Find the default OpenSSL configuration file openssl.cnf. The location of this file depends on your operating system, but usually it is /etc/ssl/openssl.cnf.
   2. Open openssl.cnf for editing.
   3. Add the following line to the [v3_ca] section of the configuration file:

      keyUsage = cRLSign, keyCertSign

   4. Save and close openssl.cnf.
8. Prepare the environment for storing SSL certificates:
   1. Create a directory for storing SSL certificates:

      mkdir /usr/local/squid/etc/ssl_cert -p

   2. Change the user and the group that own that directory to proxy:

      chown proxy:proxy /usr/local/squid/etc/ssl_cert -R

   3. Change the permissions for that directory:

      chmod 700 /usr/local/squid/etc/ssl_cert -R

9. Move to the newly created directory:

   cd /usr/local/squid/etc/ssl_cert

10. Generate a new self-signed SSL certificate and a private key for the Squid server:

    openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -extensions v3_ca -keyout squid_ca.pem -out squid_ca.pem

11. Convert the newly created certificate to DER format:

    openssl x509 -in squid_ca.pem -outform DER -out squid_ca.der

12. Export the generated certificate to the client computers and install it on them as a Certificate Authority certificate. The method of doing this depends on the browser and operating system of the client.
13. Create a new SSL database for the Squid server:

    /usr/local/squid/libexec/security_file_certgen -c -s /usr/local/squid/var/logs/ssl_db -M 4MB

14. Change the user and the group that own that directory to proxy:

    chown proxy:proxy /usr/local/squid/var/logs/ssl_db -R

15. Configure Squid:
    1. Find the default Squid configuration file squid.conf. The location of this file depends on your operating system, but usually it is /usr/local/squid/etc/squid.conf.
    2. Open squid.conf and make the following edits:
    3. Find the following line:

       http_port 3128

    4. Replace it with the following line:

       http_port 3128 ssl-bump cert=/usr/local/squid/etc/ssl_cert/squid_ca.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

       This line enables SSL Bumping on port 3128.

    5. Add the following section:

       acl step1 at_step SslBump1

       ssl_bump peek step1

       ssl_bump bump all

       sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /usr/local/squid/var/logs/ssl_db -M 4MB

    6. Specify Kaspersky Scan Engine as an ICAP service in the Squid configuration file as described above in the subsection "Configuring Squid for working with Kaspersky Scan Engine".
    7. Save and close squid.conf.
16. Change the user and the group that own the /usr/local/squid directory to proxy:

    chown -R proxy:proxy /usr/local/squid

17. Start Squid and initialize the Squid cache:

    /usr/local/squid/sbin/squid -z

Following is an example of a Squid configuration file extract. In this example, Squid uses Kaspersky Scan Engine in ICAP mode to scan HTTP messages in both the REQMOD and RESPMOD modes.

# SSL bumping configuration   acl step1 at_step SslBump1 ssl_bump peek step1 ssl_bump bump all http_port 3128 ssl-bump cert=/usr/local/squid/etc/ssl_cert/squid_ca.pem generate-hostcertificates=on dynamic_cert_mem_cache_size=4MB sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /usr/local/squid/var/logs/ssl_db -M 4MB     # ICAP configuration   icap_enable on adaptation_send_username on adaptation_send_client_ip on icap_service srv_kl_resp respmod_precache 0 icap://localhost:1344/resp icap_service srv_kl_req reqmod_precache 0 icap://localhost:1344/req adaptation_access srv_kl_resp allow all adaptation_access srv_kl_req allow all icap_service_failure_limit -1 icap_service_revival_delay 30 icap_preview_enable off

Page top