Using Kaspersky Scan Engine in ICAP mode with Squid

Squid is a caching and forwarding web proxy server for Windows and UNIX-like systems. You can use Kaspersky Scan Engine in ICAP mode to scan traffic that passes through the Squid proxy.

Software requirements

Configuring Squid for working with Kaspersky Scan Engine

For Kaspersky Scan Engine to work with Squid in ICAP mode, you must specify Kaspersky Scan Engine as an ICAP service in the Squid configuration file (squid.conf).

In Squid, an ICAP service is defined in the following format: icap_service id vectoring_point [options] uri.

To specify Kaspersky Scan Engine as an ICAP service:

  1. Open squid.conf for editing.
  2. Define the mandatory parameters id, vectoring_point, and uri:
    1. Set id to any appropriate identifier. For example, srv_kl_resp for request modification (REQMOD) mode and srv_kl_req for response modification (RESPMOD) mode.
    2. Set vectoring_point to an appropriate *_precache value:
      • For request modification (REQMOD) mode, specify reqmod_precache.
      • For response modification (RESPMOD) mode, specify respmod_precache.
    3. Set uri to the location of Kaspersky Scan Engine:
      • For REQMOD mode, the URI must have the following format: icap://servername:port/req.
      • For RESPMOD mode, the URI must have the following format: icap://servername:port/resp.
  3. Add the following lines to the end of the Squid configuration file:

    icap_enable on

    adaptation_send_username on

    adaptation_send_client_ip on

    icap_service srv_kl_resp respmod_precache 0 icap://localhost:1344/resp

    icap_service srv_kl_req reqmod_precache 0 icap://localhost:1344/req

    adaptation_access srv_kl_resp allow all

    adaptation_access srv_kl_req allow all

    icap_service_failure_limit -1

    icap_service_revival_delay 30

    icap_preview_enable off

    In the example above, srv_kl_resp and srv_kl_req are examples of id, respmod_precache and reqmod_precache are values of vectoring_point, 0 is the value of the Squid bypass option, and vectoring_point and icap://127.0.0.1:1344/req are examples of uri.

    You can use 127.0.0.1 in uri only if Kaspersky Scan Engine is installed on the same computer as Squid.

  4. Save and close squid.conf.
  5. Restart the squid service:

    service squid restart

Configuring Squid for working with Kaspersky Scan Engine and enabling SSL scanning

By default, Kaspersky Scan Engine cannot scan SSL/TLS traffic, but you can configure Squid to decrypt it by using the SSL Bumping functionality.

To configure Squid for working with Kaspersky Scan Engine and enable SSL Bumping:

  1. Install the packages necessary to compile and configure Squid:

    apt-get install build-essential openssl libssl-dev pkg-config

  2. Download source code for Squid 4.5 or later.
  3. Unzip the archive that contains the Squid source code to the required directory.
  4. Move to this directory.
  5. Compile Squid:

    ./configure --with-default-user=proxy --with-openssl --enable-ssl-crtd

    make all

    make install

    Options --with-openssl and --enable-ssl-crtd are necessary to enable SSL Bumping.

  6. Set up the correct time and date on the server that is running Squid. The time and date are checked every time a client is trying to validate the certificate of this server.
  7. Configure OpenSSL:
    1. Find the default OpenSSL configuration file openssl.cnf. The location of this file depends on your operating system, but usually it is /etc/ssl/openssl.cnf.
    2. Open openssl.cnf for editing.
    3. Add the following line to the [v3_ca] section of the configuration file:

      keyUsage = cRLSign, keyCertSign

    4. Save and close openssl.cnf.
  8. Prepare the environment for storing SSL certificates:
    1. Create a directory for storing SSL certificates:

      mkdir /usr/local/squid/etc/ssl_cert -p

    2. Change the user and the group that own that directory to proxy:

      chown proxy:proxy /usr/local/squid/etc/ssl_cert -R

    3. Change the permissions for that directory:

      chmod 700 /usr/local/squid/etc/ssl_cert -R

  9. Move to the newly created directory:

    cd /usr/local/squid/etc/ssl_cert

  10. Generate a new self-signed SSL certificate and a private key for the Squid server:

    openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -extensions v3_ca -keyout squid_ca.pem -out squid_ca.pem

  11. Convert the newly created certificate to DER format:

    openssl x509 -in squid_ca.pem -outform DER -out squid_ca.der

  12. Export the generated certificate to the client computers and install it on them as a Certificate Authority certificate. The method of doing this depends on the browser and operating system of the client.
  13. Create a new SSL database for the Squid server:

    /usr/local/squid/libexec/security_file_certgen -c -s /usr/local/squid/var/logs/ssl_db -M 4MB

  14. Change the user and the group that own that directory to proxy:

    chown proxy:proxy /usr/local/squid/var/logs/ssl_db -R

  15. Configure Squid:
    1. Find the default Squid configuration file squid.conf. The location of this file depends on your operating system, but usually it is /usr/local/squid/etc/squid.conf.
    2. Open squid.conf and make the following edits:
    3. Find the following line:

      http_port 3128

    4. Replace it with the following line:

      http_port 3128 ssl-bump cert=/usr/local/squid/etc/ssl_cert/squid_ca.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

      This line enables SSL Bumping on port 3128.

    5. Add the following section:

      acl step1 at_step SslBump1

      ssl_bump peek step1

      ssl_bump bump all

      sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /usr/local/squid/var/logs/ssl_db -M 4MB

    6. Specify Kaspersky Scan Engine as an ICAP service in the Squid configuration file as described above in the subsection "Configuring Squid for working with Kaspersky Scan Engine".
    7. Save and close squid.conf.
  16. Change the user and the group that own the /usr/local/squid directory to proxy:

    chown -R proxy:proxy /usr/local/squid

  17. Start Squid and initialize the Squid cache:

    /usr/local/squid/sbin/squid -z

Following is an example of a Squid configuration file extract. In this example, Squid uses Kaspersky Scan Engine in ICAP mode to scan HTTP messages in both the REQMOD and RESPMOD modes.

# SSL bumping configuration

 

acl step1 at_step SslBump1

ssl_bump peek step1

ssl_bump bump all

http_port 3128 ssl-bump cert=/usr/local/squid/etc/ssl_cert/squid_ca.pem generate-hostcertificates=on dynamic_cert_mem_cache_size=4MB

sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /usr/local/squid/var/logs/ssl_db -M 4MB

 

 

# ICAP configuration

 

icap_enable on

adaptation_send_username on

adaptation_send_client_ip on

icap_service srv_kl_resp respmod_precache 0 icap://localhost:1344/resp

icap_service srv_kl_req reqmod_precache 0 icap://localhost:1344/req

adaptation_access srv_kl_resp allow all

adaptation_access srv_kl_req allow all

icap_service_failure_limit -1

icap_service_revival_delay 30

icap_preview_enable off

Page top