プロキシサーバーでウィルスチェック(Squid+SquidClamAV+ClamAV)

最終更新日： 2014.02.19

[root@fedora ~]# yum -y install curl-devel　←　SquidClamAVインストールに必要なcurl-develインストール

[root@fedora ~]# wget http://nchc.dl.sourceforge.net/sourceforge/squidclamav/squidclamav-3.5.tar.gz　←　SquidClamAVダウンロード

※最新版のURLはダウンロードページで確認すること

[root@fedora ~]# tar zxvf squidclamav-3.5.tar.gz　←　SquidClamAV展開

[root@fedora ~]# cd squidclamav-3.5　←　SquidClamAV展開先ディレクトリへ移動

[root@fedora squidclamav-3.5]# ./configure && make && make install　←　SquidClamAVインストール

[root@fedora squidclamav-3.5]# cp squidclamav.conf.dist /etc/squidclamav.conf　←　SquidClamAV設定ファイルを所定のディレクトリへコピー

[root@fedora squidclamav-3.5]# cp clwarn.cgi /var/www/cgi-bin/　←　ウィルス検出時のリダイレクト先スクリプトを所定のディレクトリへコピー

[root@fedora squidclamav-3.5]# cd　←　SquidClamAV展開先ディレクトリを抜ける

[root@fedora ~]# rm -rf squidclamav-3.5　←　SquidClamAV展開先ディレクトリを削除

[root@fedora ~]# rm -f squidclamav-3.5.tar.gz　←　ダウンロードしたファイルを削除

[root@fedora ~]# vi /etc/squid/squid.conf　←　Squid設定ファイル編集
#  TAG: url_rewrite_program
#       Specify the location of the executable for the URL rewriter.
#       Since they can perform almost any function there isn't one included.
#
#       For each requested URL rewriter will receive on line with the format
#
#       URL  client_ip "/" fqdn  user  method  urlgroup 
#
#       And the rewriter may return a rewritten URL. The other components of
#       the request line does not need to be returned (ignored if they are).
#
#       The rewriter can also indicate that a client-side redirect should
#       be performed to the new URL. This is done by prefixing the returned
#       URL with "301:" (moved permanently) or 302: (moved temporarily).
#
#       It can also return a "urlgroup" that can subsequently be matched
#       in cache_peer_access and similar ACL driven rules. An urlgroup is
#       returned by prefixing the returned url with "!urlgroup!"
#
#       By default, a URL rewriter is not used.
#
#Default:
# none
url_rewrite_program /usr/local/bin/squidclamav　←　追加

#  TAG: url_rewrite_children
#       The number of redirector processes to spawn. If you start
#       too few Squid will have to wait for them to process a backlog of
#       URLs, slowing it down. If you start too many they will use RAM
#       and other system resources.
#
#Default:
# url_rewrite_children 5
url_rewrite_children 15　←　追加

#  TAG: url_rewrite_access
#       If defined, this access list specifies which requests are
#       sent to the redirector processes.  By default all requests
#       are sent.
#
#Default:
# none
url_rewrite_access deny localhost　←　追加

http_access deny to_localhost　←　行頭の#を削除してコメント解除

[root@fedora ~]# vi /etc/squidclamav.conf　←　SquidClamAVファイル編集
proxy http://127.0.0.1:3128/
logfile /var/log/squidclamav.log
redirect http://localhost/cgi-bin/clwarn.cgi
debug 0
force 1
clamd_local /tmp/clamd.socket
timeout 60
abort ^.*\.gz$
abort ^.*\.bz2$
abort ^.*\.pdf$
abort ^.*\.js$
abort ^.*\.html$
abort ^.*\.css$
abort ^.*\.xml$
abort ^.*\.xsl$
abort ^.*\.js$
abort ^.*\.ico$
aborti ^.*\.gif$
aborti ^.*\.png$
aborti ^.*\.jpg$
aborti ^.*\.swf$
content ^.*application\/.*$

[root@fedora ~]# touch /var/log/squidclamav.log　←　SquidClamAVログファイル作成

[root@fedora ~]# chown squid:squid /var/log/squidclamav.log　←　SquidClamAVログファイル所有者変更

[root@fedora ~]# vi /etc/logrotate.d/squidclamav　←　SquidClamAVログローテーション設定ファイル作成
/var/log/squidclamav.log {
    missingok
    notifempty
    sharedscripts
    postrotate
        killall -HUP squidclamav > /dev/null 2>/dev/null || true
    endscript
}

[root@fedora ~]# /etc/rc.d/init.d/squid restart　←　Squid再起動
Stopping squid:                                            [  OK  ]
Starting squid: .                                          [  OK  ]