[squid-users] icap (squidclamav) and squid 3.5 ssl peek splice

Ulysse 31 ulysse31 at gmail.com
Sun Oct 23 17:33:41 UTC 2016


Hello,

I'm actually trying to scan https web pages for viruses.
I have a working squid 3.5.21 configured for https intercept with ssl bump
peek splice (basic) like following :

[...]
ssl_bump peek all
ssl_bump splice all
[...]
icap_enable on
adaptation_send_client_ip on
adaptation_send_username on
icap_client_username_header X-Authenticated-User
icap_preview_enable on
icap_preview_size 1024
icap_service service_req reqmod_precache bypass=1 icap://
127.0.0.1:1344/squidclamav
adaptation_access service_req allow all
icap_service service_resp respmod_precache bypass=1 icap://
127.0.0.1:1344/squidclamav
adaptation_access service_resp allow all
[...]

I have c-icap, clamd, installed and running correctly.
My problem is the following:
I've an external web server, accessible in both HTTP or HTTPS, in one of
its websites, I've put a eicar.com file. When I access it via HTTP, the
eicar.com file is correctly blocked, but when I do it over HTTPS, the file
is not blocked ... And I don't see why ...
Does peek / splice don't allow icap scanning/filtering ?

Thanks for the help.

Cheers,


-- 
do Vale Victor
Ingénieur Systèmes, Réseaux et Sécurité
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20161023/3210862a/attachment.html>


More information about the squid-users mailing list