Re: [squid-users] squidclamav: Reduce overhead by omitting request-scanning?

From: Felix Leimbach <felix.leimbach_at_gmail.com>
Date: Sat, 30 Jun 2012 12:51:58 +0200

Hi Amos

On 06/30/2012 10:25 AM, Amos Jeffries wrote:
> On 30/06/2012 7:20 p.m., Felix Leimbach wrote:
>> Hello list
>>
>> I'm running squid 3.1.19 with squidclamav 6.6 and while debugging a
>> different issue, I looked at tcpdumps of the ICAP traffic for
>> squidclamav.
>> I noticed that not only the webpages are sent to squidclamav for
>> scanning, the *requests* are sent and scanned as well.
>>
>> This looks like unnecessary processing overhead to me and I've
>> disabled this by removing these lines (from squidclamav's install [1]
>> page):
>>
>> icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
>> adaptation_access service_req allow all
>>
>> what's left is the response scanning:
>>
>> icap_service service_resp respmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
>> adaptation_access service_resp allow all
>>
>> Viruses in webpages are still being caught just fine.
>>
>> Should the install page be updated or is there a disadvantage to this
>> approach?
>>
>> [1] http://squidclamav.darold.net/installv6.html
>
> 1) squidclamav is not part of the Squid project. So it is highly
> unlikely that people here are in a position to edit that program's
> documentation.

That's why Gilles (author of squidclamav) was CCed ;-)

> 2) the HTTP world is not limited to downloads. Uploaded files, CONNECT
> tunnels, media streams and other types of client sent things also need
> AV scanning to protect servers against infected clients.

You are right of course, there are defense-in-depth scenarios where you
want to scan outgoing traffic.
In my case - which I believe is the most common squidclamav use case -
the purpose is to protect the internal network's users from external
threats.

> It is of course up to you which you enable/disable. But being AV
> documentation I would expect they prefer to document the safest known
> configurations as standard and let particular admins make the choice to
> open holes.

ACK. Maybe Gilles wants to include this as information on the install
page, because most people will not notice the potential for a
performance gain otherwise.

Felix
Received on Sat Jun 30 2012 - 10:52:14 MDT
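
A middle ground between the two positions in this thread, as an added example that is not part of the original messages or of the squidclamav documentation: keep response scanning for all traffic, but hand only body-carrying request methods to the REQMOD service. The ACL name `upload_methods` is an assumption, and what the ICAP service does with request bodies depends on the service and its version.

```conf
# Added example, not from the thread. The ACL name "upload_methods" is hypothetical.
# Request methods that normally carry a body (form posts, file uploads).
acl upload_methods method POST PUT

# REQMOD: only requests matching upload_methods are sent to the ICAP service;
# GET and other body-less requests skip the extra ICAP round trip.
# bypass=1 makes the service optional: if it is unreachable, Squid forwards
# the message unscanned (fail open).
icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
adaptation_access service_req allow upload_methods
adaptation_access service_req deny all

# RESPMOD: every response is still scanned, as in the configuration quoted above.
icap_service service_resp respmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
adaptation_access service_resp allow all
```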