Copyright (C) 2014 Andrew Nikitin . Copyright (C) 2015 ESF, LLC All rights reserved. */ /* ====================================================================================== */ /* Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ /* ====================================================================================== */ ]]> havp Antivirus: HTTP proxy (HAVP + ClamAV) Status 1.06 /usr/local/pkg/havp.inc Antivirus Antivirus service
Services
/antivirus.php
havp havp.sh havp Antivirus HTTP Proxy Service https://packages.pfsense.org/packages/config/havp/havp.inc /usr/local/pkg/ https://packages.pfsense.org/packages/config/havp/havp_avset.xml /usr/local/pkg/ https://packages.pfsense.org/packages/config/havp/antivirus.php /usr/local/www/ General Page /antivirus.php HTTP Proxy /pkg_edit.php?xml=havp.xml Settings /pkg_edit.php?xml=havp_avset.xml HAVP Log /havp_log.php Enable enable Check this to enable AV proxy. checkbox ClamAV Mode useclamd Daemon - HAVP will use ClamAV as socket scanner daemon. (Default option.)
Library - HAVP will use ClamAV as loaded library scanner. Note: this mode needs much more memory.
]]>
select true
Proxy Mode proxymode Standard - clients bind to the 'proxy port' on selected interface(s)
Parent for Squid - configure HAVP as parent for Squid proxy
Transparent - all HTTP requests on interface(s) will be directed to the HAVP proxy server without any client configuration necessary. (Works as parent for Squid with transparent Squid proxy.)
Internal - HAVP will listen on the loopback (127.0.0.1) on configured 'Proxy Port.' Use your own firewall forwarding rules.
]]>
select standard
Proxy Interface(s) proxyinterface The interface(s) for client connections to the proxy. Use 'Ctrl' + left click for multiple selection. interfaces_selection lan Proxy Port proxyport Note: This port must be different from Squid proxy. ]]> input 10 3125 Parent Proxy parentproxy Enter the parent (upstream) proxy settings in PROXY:PORT format or leave empty. input 90 Enable X-Forwarded-For enablexforwardedfor Enable this if you use your own parent proxy after HAVP, so it will see the original client's IP.
Note: Disabling this also disables Via: header generation.
]]>
checkbox
Enable Forwarded IP enableforwardedip If HAVP is used as a parent proxy for some other proxy, this allows writing the real user's IP to log, instead of the proxy IP. checkbox Language lang Select the language in which the HAVP proxy server will display error messages to users. select en Max Download Size maxdownloadsize (in bytes) or leave empty. Downloads larger than 'Max Download Size' will be blocked if not whitelisted. ]]> input 10 HTTP Range Requests range Allowing HTTP Range is a security risk, because partial HTTP requests may not be properly scanned.
Note: Whitelisted sites are allowed to use HTTP Range in any case, regardless of this setting. ]]>
checkbox
Whitelist whitelist separate line. The URLs will be accessible to users without AV scanning.
Use '*' symbol as wildcard mask. URL examples: *.github.com/*, *sourceforge.net/*clamav-*, */*.xml, */*.inc ]]>
textarea 60 5 base64
Blacklist blacklist separate line, using the same syntax as 'Whitelist'.
Access to these URLs will be blocked for HAVP proxy users. ]]>
textarea 60 5 base64
Block File on Scanning Error failscanerror If enabled, the proxy will block the files if an error occurs while scanning. checkbox Enable RAM Disk enableramdisk RAM disk size depends on 'Scan Max File Size' and available memory. This option should be ignored on systems with low memory.
Note: RAM disk size is calculated as [1/4 available system memory] > [Scan max file size] * 100 ). ]]>
checkbox
Scan Max File Size scanmaxsize Small values increase scan speed and maximum new connections per second and allow RAM disk use.
NOTE: Setting a low limit is a security risk, because some archives like ZIP need all the data to be scanned properly! Use this only if you can't afford temporary space for large files. ]]>
select 0
Scan Images scanimg Check this option to scan image files. This option allows you to increase reliability, but also slows down the scanning process. checkbox Scan Media Streams scanstream Check this option to scan media (audio/video) streams. checkbox Scan Broken Executables scanbrokenexe Check this to enable the Heuristic Broken Executable Scan. checkbox on HAVP Log log Check this to enable HAVP logging. checkbox syslog HAVP Syslog syslog Check this to enable HAVP logging to syslog. checkbox
havp_validate_settings($_POST, $input_errors); havp_resync(); havp_install(); havp_deinstall();