Configuring a Virus Scanning Proxy for File Uploads Using Squid and c-ICAP
Setting up a virus-scanning proxy server is a crucial step in securing your network, especially when handling file uploads. While scanning downloaded files is a well-documented process, scanning uploads presents additional challenges. In this guide, we'll walk through configuring Squid with c-ICAP and SquidClamAV to inspect uploaded files before they reach their destination.
Why Scan Uploaded Files?
Many organizations focus on scanning files that users download, assuming threats primarily come from incoming traffic. However, uploaded files can also be a major security risk. Malicious insiders, compromised accounts, or infected devices can introduce malware into cloud storage, shared network drives, or internal web applications. Ensuring that uploaded files are scanned helps maintain a secure environment.
Prerequisites
Before starting, ensure you have:
- A Linux-based server (Ubuntu 24.04 recommended)
- Squid proxy installed
- c-ICAP and SquidClamAV installed for virus scanning
- Basic knowledge of Squid configuration
If you also need to set up Tomcat on Ubuntu 24.04, you can follow this comprehensive guide to installing Tomcat on Ubuntu 24.04, which provides step-by-step instructions.
Step 1: Installing and Configuring Squid
First, install Squid if it isn’t already installed:
sudo apt update
sudo apt install squid -y
Edit the Squid configuration file:
sudo nano /etc/squid/squid.conf
Add or modify the following lines to enable ICAP services:
icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_encode off
icap_client_username_header X-Authenticated-User
icap_preview_enable on
icap_preview_size 1024
icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
adaptation_access service_req allow all
icap_service service_resp respmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
adaptation_access service_resp allow all
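Both services are declared with bypass=1, which makes the ICAP service optional: if c-ICAP is unreachable or fails, Squid forwards the traffic unscanned. Set bypass=0 if unscanned traffic should be rejected instead.
Save and exit the file, then restart Squid: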
sudo systemctl restart squid
Step 2: Installing and Configuring c-ICAP
c-ICAP acts as a middleware that processes requests between Squid and the antivirus engine. Install it with:
sudo apt install c-icap -y
Edit its configuration file:
sudo nano /etc/c-icap/c-icap.conf
Ensure the following settings are enabled:
PidFile /var/run/c-icap/c-icap.pid
ModulesDir /usr/lib/c-icap
MaxServers 10
StartServers 3
Timeout 300
KeepAlive On
Restart the service:
sudo systemctl restart c-icap
Step 3: Installing and Configuring SquidClamAV
SquidClamAV integrates ClamAV with Squid for virus scanning. Install it using:
sudo apt install squidclamav -y
Edit the SquidClamAV configuration file:
sudo nano /etc/squidclamav.conf
Ensure this line exists:
clamd_local /var/run/clamav/clamd.ctl
Restart the services:
sudo systemctl restart clamav-daemon
sudo systemctl restart squid
Step 4: Enabling Upload Scanning
By default, c-ICAP works well for scanning downloads, but uploads require additional configuration. Unfortunately, c-ICAP has known limitations when dealing with multipart form data in POST requests, which makes upload scanning unreliable.
Possible Workaround: Two Squid Instances
One possible solution is to configure two Squid proxies—one for handling uploads and one for downloads. The upload proxy can be configured to treat uploads as downloads, allowing files to be scanned before they are sent.
Modify the Squid configuration to direct uploads to a second instance:
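acl upload_methods method POST PUT
# Send uploads to the scanning instance on port 3129 instead of denying them
cache_peer 127.0.0.1 parent 3129 0 no-query default
cache_peer_access 127.0.0.1 allow upload_methods
cache_peer_access 127.0.0.1 deny all
# Uploads must go through the peer, never straight to the origin server
never_direct allow upload_methods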
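Then, configure a second Squid instance running on port 3129 with ICAP scanning enabled. Note that Squid only sees POST and PUT on plain HTTP requests; an upload sent over HTTPS reaches the proxy as a CONNECT tunnel and does not match this ACL unless Squid is configured to decrypt it.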
Step 5: Testing the Setup
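To verify that uploads are being scanned, download the EICAR test file and upload it through the proxy (3128 is Squid's default port; replace the placeholder host names with your own):
wget -O eicar.com.txt "https://secure.eicar.org/eicar.com.txt"
curl -x http://your-proxy:3128 -F "file=@eicar.com.txt" http://your-upload-target/upload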
Check the Squid logs to see if the file was blocked:
sudo tail -f /var/log/squid/access.log
If the file is scanned and blocked, your configuration is working correctly.
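To check the scanner independently of Squid, the following added example (not part of the original guide) builds the ICAP REQMOD message that a reqmod_precache service receives for a multipart upload and classifies the reply by RFC 3507 status codes. The host, port and service name come from the squid.conf lines in Step 1; the upload URL, boundary and verdict names are assumptions made for the example.

```python
import socket
import sys
# Host, port and service name come from the icap_service lines in Step 1.
ICAP_HOST, ICAP_PORT, ICAP_SERVICE = "127.0.0.1", 1344, "squidclamav"
BOUNDARY = "----added-example-boundary"   # constructed value
URL = "http://upload.example/upload"      # placeholder upload target

def build_reqmod(file_bytes, filename="eicar.com.txt"):
    """Wrap a multipart POST in an ICAP REQMOD message (RFC 3507)."""
    body = (f"--{BOUNDARY}\r\n"
            f'Content-Disposition: form-data; name="file"; filename="{filename}"\r\n'
            "Content-Type: application/octet-stream\r\n\r\n").encode()
    body += file_bytes + f"\r\n--{BOUNDARY}--\r\n".encode()
    http_hdr = (f"POST {URL} HTTP/1.1\r\nHost: upload.example\r\n"
                f"Content-Type: multipart/form-data; boundary={BOUNDARY}\r\n"
                f"Content-Length: {len(body)}\r\n\r\n").encode()
    # Encapsulated offsets count from the start of the encapsulated section;
    # the body that follows the HTTP headers is chunk-encoded with a zero chunk at the end.
    icap_hdr = (f"REQMOD icap://{ICAP_HOST}:{ICAP_PORT}/{ICAP_SERVICE} ICAP/1.0\r\n"
                f"Host: {ICAP_HOST}\r\nAllow: 204\r\n"
                f"Encapsulated: req-hdr=0, req-body={len(http_hdr)}\r\n\r\n").encode()
    chunked = f"{len(body):x}\r\n".encode() + body + b"\r\n0\r\n\r\n"
    return icap_hdr + http_hdr + chunked

def classify(raw):
    """Map an ICAP reply to a verdict using only RFC 3507 status semantics."""
    if not raw.startswith(b"ICAP/"):
        return "no-icap-reply"
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    code = int(lines[0].split()[1])
    encap = next((l for l in lines[1:] if l.lower().startswith("encapsulated:")), "")
    if code == 204:
        return "passed-unmodified"          # scanner left the upload alone
    if code == 200 and "res-hdr" in encap:
        return "answered-by-icap-server"    # upload replaced by an HTTP response
    return "request-modified" if code == 200 else f"icap-error-{code}"

def scan(path):
    """Send the file straight to c-ICAP, bypassing Squid."""
    with open(path, "rb") as fh:
        message = build_reqmod(fh.read())
    with socket.create_connection((ICAP_HOST, ICAP_PORT), timeout=10) as sock:
        sock.sendall(message)
        reply = b""
        while b"\r\n\r\n" not in reply and (data := sock.recv(4096)):
            reply += data
    return classify(reply)

if __name__ == "__main__":
    print(scan(sys.argv[1]))
```

Saved under a hypothetical name such as icap_check.py, it is run on the proxy host as python3 icap_check.py eicar.com.txt; a passed-unmodified verdict for the EICAR file indicates the scanner did not act on the multipart upload.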
Conclusion
Setting up a virus-scanning proxy for file uploads can be challenging, especially due to c-ICAP’s limitations with multipart data. However, workarounds such as using two Squid instances or modifying Squid behavior can help. While this solution isn’t perfect, it significantly improves security by preventing infected files from being uploaded.
If you’re working with web applications and need to deploy Apache Tomcat, I highly recommend checking out this excellent guide on installing Tomcat on Ubuntu 24.04. It provides clear, step-by-step instructions that make the process seamless.
Let me know in the comments if you’ve found a better solution for scanning uploaded files—I’d love to hear your thoughts! 🚀