[squid-users] peek and splice content inspection question

Alex Rousskov rousskov at measurement-factory.com
Thu Aug 13 20:56:47 UTC 2015


On 08/13/2015 09:38 AM, Amos Jeffries wrote:
> On 14/08/2015 12:47 a.m., Marko Cupać wrote:
>> Is it possible - by means of squid's peek and splice feature - to
>> inspect file extensions and mime types of https traffic? Can bumped
>> https traffic be forwarded to icap (squidclamav) for AV scanning?

> Doing so is the feature's intended purpose.


And you may be able to use either Secure ICAP (Squid 4) or the eCAP
ClamAV adapter for AV scanning without transmitting bumped messages over
plain text ICAP connections.


> if I just send traffic to squidclamav on icap
> tcp port, then I don't store usernames and passwords or private emails
> in cache?

Squid caching is not related to AV scanning. If you do not disable
caching, Squid will cache cachable responses. IIRC, the code making the
cachability decision does not check whether the response was bumped.
However, you may configure it to do so using the "cache" directive:

  http://www.squid-cache.org/Doc/config/cache/

That said, most responses with private information should not be
cachable by default because the server should mark them as such.


The current eCAP ClamAV adapter [temporarily] stores message bodies on
disk to pass them to the ClamAV library for analysis. I do not know
about squidclamav.


HTH,

Alex.
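
Added example, not part of the original message and not Squid's own decision code: a simplified Python model of the RFC 7234 storage rules, showing which responses a shared cache may keep depending on whether the server marks them. The function names and sample headers are constructed for illustration.

```python
# Simplified model of the RFC 7234 section 3 storage rules for a shared cache.
# This is not Squid's decision code; names and sample data are constructed.
HEURISTIC_STATUS = {200, 203, 204, 206, 300, 301, 404, 405, 410, 414, 501}

def parse_cc(value):
    """Parse Cache-Control into {directive: argument or None}.
    Naive comma split: quoted arguments containing commas are not handled."""
    out = {}
    for part in (value or "").split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            out[name.strip().lower()] = arg.strip().strip('"') or None
    return out

def shared_cache_may_store(status, req_headers, resp_headers):
    """Return (may_store, reason) for one request/response pair."""
    req = {k.lower(): v for k, v in req_headers.items()}
    resp = {k.lower(): v for k, v in resp_headers.items()}
    cc = parse_cc(resp.get("cache-control"))
    if "no-store" in cc or "no-store" in parse_cc(req.get("cache-control")):
        return False, "no-store"
    if "private" in cc:
        return False, "private"
    # Authenticated requests need an explicit opt-in from the server.
    if "authorization" in req and not {"public", "must-revalidate", "s-maxage"} & cc.keys():
        return False, "authorization"
    if "expires" in resp or {"max-age", "s-maxage", "public"} & cc.keys():
        return True, "explicit"
    if status in HEURISTIC_STATUS:
        return True, "heuristic"
    return False, "no-freshness"

# Constructed samples: (label, status, request headers, response headers)
SAMPLES = [
    ("webmail inbox, unmarked", 200, {"Cookie": "sid=abc"}, {"Content-Type": "text/html"}),
    ("webmail inbox, marked", 200, {"Cookie": "sid=abc"}, {"Cache-Control": "private, no-cache"}),
    ("API with basic auth", 200, {"Authorization": "Basic Zm9vOmJhcg=="}, {"Cache-Control": "max-age=60"}),
    ("static asset", 200, {}, {"Cache-Control": "public, max-age=86400"}),
]

def audit(samples):
    """Return labels of responses a shared cache would be allowed to store."""
    return [label for label, status, req, resp in samples
            if shared_cache_may_store(status, req, resp)[0]]

if __name__ == "__main__":
    for label in audit(SAMPLES):
        print("storable by a shared cache:", label)
```

The cookie-authenticated page that carries no Cache-Control header is the case where a proxy-side "cache" rule is the remaining safeguard.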


