Squid is a caching and forwarding web proxy server for Windows and UNIX-like systems. You can use Kaspersky Scan Engine in ICAP mode to scan traffic that passes through the Squid proxy.
Software requirements
Configuring Squid for working with Kaspersky Scan Engine
For Kaspersky Scan Engine to work with Squid in ICAP mode, you must specify Kaspersky Scan Engine as an ICAP service in the Squid configuration file (squid.conf).
In Squid, an ICAP service is defined in the following format: icap_service id vectoring_point [options] uri.
To specify Kaspersky Scan Engine as an ICAP service, add an icap_service line to squid.conf for each mode and set its id, vectoring_point, and uri parameters as follows:
- Set id to any appropriate identifier. For example, srv_kl_req for request modification (REQMOD) mode and srv_kl_resp for response modification (RESPMOD) mode.
- Set vectoring_point to the appropriate *_precache value: reqmod_precache for REQMOD mode, respmod_precache for RESPMOD mode.
- Set uri to the location of Kaspersky Scan Engine: icap://servername:port/req for REQMOD mode, icap://servername:port/resp for RESPMOD mode.
icap_enable on
adaptation_send_username on
adaptation_send_client_ip on
icap_service srv_kl_resp respmod_precache 0 icap://localhost:1344/resp
icap_service srv_kl_req reqmod_precache 0 icap://localhost:1344/req
adaptation_access srv_kl_resp allow all
adaptation_access srv_kl_req allow all
icap_service_failure_limit -1
icap_service_revival_delay 30
icap_preview_enable off
In the example above, srv_kl_resp and srv_kl_req are examples of id, respmod_precache and reqmod_precache are values of vectoring_point, 0 is the value of the Squid bypass option, and icap://localhost:1344/resp and icap://localhost:1344/req are examples of uri. With bypass set to 0, Squid does not pass traffic unscanned when the service fails, and icap_service_failure_limit -1 means Squid never suspends the service after errors.
You can use localhost or 127.0.0.1 in uri only if Kaspersky Scan Engine is installed on the same computer as Squid.
Restart the squid service:
service squid restart
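Before restarting Squid it is worth confirming that each ICAP endpoint in the configuration above actually answers: with bypass 0 and icap_service_failure_limit -1, a Scan Engine that is down means blocked traffic, not unscanned traffic. The following added example, which is not part of the Kaspersky documentation or of Squid, sends the same ICAP OPTIONS request Squid uses to learn a service's methods and ISTag, and reports whether the service advertises the method Squid will call. The endpoints icap://localhost:1344/req and icap://localhost:1344/resp come from the page; the in-process responder, its ISTag value and the helper names are constructed for the demonstration.

```python
"""ICAP OPTIONS probe for the Scan Engine endpoints Squid will use (added example)."""
import socket
import threading

# Endpoints from the page's squid.conf example, with the method Squid calls on each.
KSE_SERVICES = {"icap://localhost:1344/req": "REQMOD",
                "icap://localhost:1344/resp": "RESPMOD"}

# Constructed reply of a RESPMOD-only service; the ISTag value is invented.
SAMPLE_RESPMOD_OPTIONS = (b"ICAP/1.0 200 OK\r\n"
                          b"Methods: RESPMOD\r\n"
                          b"ISTag: \"constructed-example-tag\"\r\n"
                          b"Preview: 0\r\n"
                          b"Encapsulated: null-body=0\r\n\r\n")


def host_port(uri, default_port=1344):
    """Split 'icap://host[:port]/path' into (host, port); 1344 is the ICAP default port."""
    authority = uri.split("://", 1)[1].split("/", 1)[0]
    host, _, port = authority.partition(":")
    return host, int(port or default_port)


def build_options_request(uri):
    """The OPTIONS request a client sends to learn a service's methods and ISTag."""
    host, port = host_port(uri)
    return (f"OPTIONS {uri} ICAP/1.0\r\n"
            f"Host: {host}:{port}\r\n"
            "Encapsulated: null-body=0\r\n\r\n").encode("ascii")


def recv_head(sock):
    """Read until the blank line that terminates an ICAP header block."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


def parse_icap_head(raw):
    """Return (status code, {lower-cased header: value}) from an ICAP response head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(None, 2)
    if len(parts) < 2 or not parts[0].startswith("ICAP/"):
        raise ValueError(f"not an ICAP status line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers


def check_service(uri, expected_method, timeout=5.0):
    """Probe one service; ok is True only for status 200 plus the method Squid will call."""
    host, port = host_port(uri)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_options_request(uri))
        status, headers = parse_icap_head(recv_head(sock))
    methods = sorted(m.strip().upper() for m in headers.get("methods", "").split(",") if m.strip())
    ok = status == 200 and expected_method.upper() in methods
    return ok, status, methods, headers.get("istag")


def start_fake_icap_server(response, host="127.0.0.1"):
    """Constructed stand-in for the Scan Engine: answers one OPTIONS request on a free port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            request = recv_head(conn)
            conn.sendall(response if request.startswith(b"OPTIONS ")
                         else b"ICAP/1.0 405 Method Not Allowed\r\n\r\n")
        srv.close()

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    return port, thread


if __name__ == "__main__":
    # Offline demonstration against the constructed responder ...
    port, thread = start_fake_icap_server(SAMPLE_RESPMOD_OPTIONS)
    print("fake /resp:", check_service(f"icap://127.0.0.1:{port}/resp", "RESPMOD"))
    thread.join(5)
    # ... and the real endpoints from the page, if a Scan Engine is listening.
    for uri, method in KSE_SERVICES.items():
        try:
            print(uri, check_service(uri, method))
        except OSError as exc:
            print(uri, "unreachable:", exc)
```

A service that answers 200 but does not list the expected method (for example, probing the /resp endpoint for REQMOD) is reported as not ok, which is the mismatch a wrong vectoring_point or uri pairing in squid.conf would produce.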
Configuring Squid for working with Kaspersky Scan Engine and enabling SSL scanning
By default, Kaspersky Scan Engine cannot scan SSL/TLS traffic, but you can configure Squid to decrypt it by using the SSL Bumping functionality.
To configure Squid for working with Kaspersky Scan Engine and enable SSL Bumping:
1. Install the packages needed to build Squid with OpenSSL support:
apt-get install build-essential openssl libssl-dev pkg-config
2. In the Squid source directory, configure, build, and install Squid:
./configure --with-default-user=proxy --with-openssl --enable-ssl-crtd
make all
make install
Options --with-openssl and --enable-ssl-crtd are necessary to enable SSL Bumping.
3. Locate openssl.cnf. The location of this file depends on your operating system, but usually it is /etc/ssl/openssl.cnf.
4. Open openssl.cnf for editing and add the following line to the [v3_ca] section of the configuration file:
keyUsage = cRLSign, keyCertSign
5. Save openssl.cnf.
6. Create a directory for the certificate:
mkdir -p /usr/local/squid/etc/ssl_cert
7. Change the owner of the directory to proxy and restrict access to it:
chown -R proxy:proxy /usr/local/squid/etc/ssl_cert
chmod -R 700 /usr/local/squid/etc/ssl_cert
8. Generate the CA certificate and key that Squid will use to sign the certificates it generates, and export the certificate in DER format:
cd /usr/local/squid/etc/ssl_cert
openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -extensions v3_ca -keyout squid_ca.pem -out squid_ca.pem
openssl x509 -in squid_ca.pem -outform DER -out squid_ca.der
9. Initialize the certificate database:
/usr/local/squid/libexec/security_file_certgen -c -s /usr/local/squid/var/logs/ssl_db -M 4MB
10. Change the owner of the database to proxy:
chown -R proxy:proxy /usr/local/squid/var/logs/ssl_db
11. Locate squid.conf. The location of this file depends on your operating system, but usually it is /usr/local/squid/etc/squid.conf.
12. Open squid.conf and make the following edits. Replace the line
http_port 3128
with
http_port 3128 ssl-bump cert=/usr/local/squid/etc/ssl_cert/squid_ca.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
This line enables SSL Bumping on port 3128. Then add the following lines:
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /usr/local/squid/var/logs/ssl_db -M 4MB
13. Save squid.conf.
14. Change the owner of the /usr/local/squid directory to proxy:
chown -R proxy:proxy /usr/local/squid
15. Initialize the Squid cache directories:
/usr/local/squid/sbin/squid -z
Following is an example of a Squid configuration file extract. In this example, Squid uses Kaspersky Scan Engine in ICAP mode to scan HTTP messages in both the REQMOD and RESPMOD modes.
# SSL bumping configuration
http_port 3128 ssl-bump cert=/usr/local/squid/etc/ssl_cert/squid_ca.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
# ICAP configuration
icap_enable on
adaptation_send_username on
adaptation_send_client_ip on
icap_service srv_kl_resp respmod_precache 0 icap://localhost:1344/resp
icap_service srv_kl_req reqmod_precache 0 icap://localhost:1344/req
adaptation_access srv_kl_resp allow all
adaptation_access srv_kl_req allow all
icap_service_failure_limit -1
icap_service_revival_delay 30
icap_preview_enable off
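An unknown http_port option is a configuration error, a missing sslcrtd_program or ssl_bump rule leaves SSL Bumping incomplete, and a bypass setting of 1 (or bypass=on) lets traffic through unscanned when the Scan Engine fails. The following added example, which is not code from Kaspersky or the Squid project, lints the ICAP and SSL-bump directives of a squid.conf extract against the rules given on this page: the http_port options, the pairing of each vectoring point with the /req and /resp paths, the bypass value, icap_enable, the adaptation_access rules and the sslcrtd_program and ssl_bump lines. The sample extract is constructed from the page's directives with generate-host-certificates deliberately misspelled so that the check fires; the set of recognised http_port options, the finding codes and the function names are this checker's own.

```python
"""Lint the ICAP and SSL-bump directives of a squid.conf extract (added example)."""
import re

# Scan Engine ICAP paths as given on this page, keyed by Squid vectoring point.
# Assumption: the Scan Engine serves only /req (REQMOD) and /resp (RESPMOD).
KSE_PATH_FOR = {"reqmod_precache": "/req", "reqmod_postcache": "/req",
                "respmod_precache": "/resp", "respmod_postcache": "/resp"}
# http_port options this checker knows; anything else is reported for a spelling check.
HTTP_PORT_OPTIONS = {"ssl-bump", "cert", "key", "generate-host-certificates",
                     "dynamic_cert_mem_cache_size", "intercept", "tproxy", "accel",
                     "tls-cert", "tls-key", "name"}

# Constructed extract built from the page's directives; generate-host-certificates is
# deliberately misspelled and the ssl_bump/sslcrtd_program lines are left out.
SAMPLE_EXTRACT = """\
# SSL bumping configuration
http_port 3128 ssl-bump cert=/usr/local/squid/etc/ssl_cert/squid_ca.pem generate-hostcertificates=on dynamic_cert_mem_cache_size=4MB
# ICAP configuration
icap_enable on
adaptation_send_username on
adaptation_send_client_ip on
icap_service srv_kl_resp respmod_precache 0 icap://localhost:1344/resp
icap_service srv_kl_req reqmod_precache 0 icap://localhost:1344/req
adaptation_access srv_kl_resp allow all
adaptation_access srv_kl_req allow all
icap_service_failure_limit -1
icap_service_revival_delay 30
icap_preview_enable off
"""

# The same extract with the page's SSL Bumping edits applied.
CORRECTED = SAMPLE_EXTRACT.replace("generate-hostcertificates", "generate-host-certificates") + """\
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /usr/local/squid/var/logs/ssl_db -M 4MB
"""


def parse_squid_conf(text):
    """Return (directive, args) pairs, dropping comments and blank lines."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            out.append((parts[0], parts[1:]))
    return out


def lint_squid_conf(text):
    """Return (code, message) findings; an empty list means nothing was flagged."""
    findings = []
    directives = parse_squid_conf(text)
    names = {name for name, _ in directives}
    icap_on = ("icap_enable", ["on"]) in directives
    bump_port, services, access_rules = False, {}, set()
    for name, args in directives:
        if name == "http_port" and "ssl-bump" in args:
            bump_port = True
            opts = {a.partition("=")[0]: a.partition("=")[2] for a in args[1:]}
            for key in opts:
                if key not in HTTP_PORT_OPTIONS:
                    findings.append(("unknown-http_port-option", f"http_port: unrecognised option '{key}'"))
            if opts.get("generate-host-certificates") != "on":
                findings.append(("no-dynamic-certs", "http_port ssl-bump lacks generate-host-certificates=on"))
        elif name == "icap_service" and len(args) >= 3:
            sid, vpoint, uri, opts = args[0], args[1], args[-1], args[2:-1]
            services[sid] = vpoint
            # Numeric bypass (0/1) or bypass=on|off; 'on' passes traffic unscanned on failure.
            if any(o in ("1", "bypass=1", "bypass=on") for o in opts):
                findings.append(("bypass-enabled", f"icap_service {sid}: bypass is on, failures pass traffic unscanned"))
            m = re.match(r"^icaps?://[^/:]+(?::\d+)?(/.*)?$", uri)
            if not m:
                findings.append(("bad-uri", f"icap_service {sid}: '{uri}' is not an icap:// URI"))
            elif vpoint not in KSE_PATH_FOR:
                findings.append(("bad-vectoring-point", f"icap_service {sid}: unknown vectoring point '{vpoint}'"))
            elif (m.group(1) or "/") != KSE_PATH_FOR[vpoint]:
                findings.append(("path-mismatch", f"icap_service {sid}: {vpoint} expects path {KSE_PATH_FOR[vpoint]}, got {m.group(1) or '/'}"))
        elif name == "adaptation_access" and args:
            access_rules.add(args[0])
    if services and not icap_on:
        findings.append(("icap-disabled", "icap_service defined but icap_enable is not on"))
    for sid in services:
        if sid not in access_rules:
            findings.append(("no-access-rule", f"icap_service {sid}: no adaptation_access rule, so Squid never uses it"))
    if bump_port and "sslcrtd_program" not in names:
        findings.append(("no-sslcrtd", "ssl-bump is enabled but sslcrtd_program is missing"))
    if bump_port and "ssl_bump" not in names:
        findings.append(("no-ssl_bump-rules", "ssl-bump is enabled but there are no ssl_bump rules"))
    return findings


if __name__ == "__main__":
    for label, conf in (("constructed extract", SAMPLE_EXTRACT), ("corrected", CORRECTED)):
        print(label + ":", lint_squid_conf(conf) or "no findings")
```

Run against the constructed extract the checker reports the misspelled option, the resulting absence of generate-host-certificates=on, and the missing sslcrtd_program and ssl_bump lines; the corrected extract, which matches the configuration built up in the steps above, produces no findings.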