[squid-users] icap SOPHOS SAVDI and custom errorpage
d.webb at mdx.ac.uk
Tue Nov 10 16:05:17 UTC 2015
Squid Cache: Version 3.3.8
on RHEL 7.1
and have configured things so that virus scanning with Sophos' SAVDI
works and can get to a custom error page; however, I can't seem to find
any way of getting the name of the detected virus passed across to the
custom error page and displayed.
The appropriate part of my squid.conf is
acl http_status_403 http_status 403
acl virus_found rep_header X-Blocked -i \Virus found during virus scan\.
adaptation_access sophosicap allow all
icap_service sophosicap respmod_precache icap://127.0.0.1:4020/sophos
http_reply_access deny http_status_403 virus_found
deny_info ERR_MDX_VIRUS_FOUND virus_found
(I'm not sure if this is the best way of doing things but it was the
only way I could find which worked.)
The deny_info documentation
seemed to suggest that I could use the servicename sophosicap
The acl is typically the last acl on the http_access deny line which
denied access. The exceptions to this rule are:
- When Squid needs to request authentication credentials. It's then
the first authentication related acl encountered
- When none of the http_access lines matches. It's then the last
acl processed on the last http_access line.
- When the decision to deny access was made by an adaptation service,
the acl name is the corresponding eCAP or ICAP service_name.
but I couldn't work out how to get this to work.
As I said though none of the custom errorpage variables from
seem to get back the virus name from SAVDI.
The only place I have found the virus name reported is in the icap_log I
with format :
logformat icap_squid2 %ts.%03tu %6icap::tr %>a %icap::to/%03icap::Hs %icap::<st %icap::rm %icap::ru %un -/%icap::<A - %icap::<h
1447168691.715 15 10.2.213.153 ICAP_MOD/200 703 RESPMOD icap://127.0.0.1:4020/sophos - -/127.0.0.1 -
Is there any way of getting this reported virusname (Virus-ID) into the
custom error page?
Has anyone else got SAVDI working with Squid icap?
David Webb (CISSP-ISSAP)
Information Systems Security Architecture Professional
IT Security team leader