0,0 → 1,623 |
# |
# This is the configuration file for HAVP |
# |
# All lines starting with a hash (#) or empty lines are ignored. |
# Uncomment parameters you want to change! |
# |
# All parameters configurable in this file are explained and their default |
# values are shown. If no default value is defined "NONE" is specified. |
# |
# General syntax: Parameter Value |
# Value can be: true/false, number, or path |
# |
# Extra spaces and tabs are ignored. |
# |
|
# You must remove this line for HAVP to start. |
# This makes sure you have (hopefully) reviewed the configuration. :) |
# Hint: You must enable some scanner! Find them in the end.. |
# REMOVETHISLINE deleteme |
|
# |
# For reasons of security it is recommended to run a proxy program |
# without root rights. It is recommended to create user that is not |
# used by any other program. |
# |
# Default: |
# USER havp |
# GROUP havp |
|
# If this is true HAVP is running as daemon in background. |
# For testing you may run HAVP at your text console. |
# |
# Default: |
# DAEMON true |
|
# |
# Process id (PID) of the main HAVP process is written to this file. |
# Be sure that it is writeable by the user under which HAVP is running. |
# /etc/init.d/havp script requires this to work. |
# |
# Default: |
# PIDFILE /var/run/havp/havp.pid |
|
# |
# For performance reasons several instances of HAVP have to run. |
# Specify how many servers (child processes) are simultaneously |
# listening on port PORT for a connection. Minimum value should be |
# the peak requests-per-second expected + 5 for headroom. For best |
# performance, you should have atleast 1 CPU core per 16 processes. |
# |
# For single user home use, 8 should be minimum. |
# For 500+ users corporate use, start at 40. |
# |
# Value can and should be higher than recommended. Memory and |
# CPU usage is only affected by the number of concurrent requests. |
# |
# More childs are automatically created when needed, up to MAXSERVERS. |
# |
# Default: |
# SERVERNUMBER 8 |
# MAXSERVERS 100 |
|
# |
# Files where to log requests and info/errors. |
# Needs to have write permission for HAVP user. |
# |
# Default: |
# ACCESSLOG /var/log/havp/access.log |
# ERRORLOG /var/log/havp/havp.log |
|
# |
# Syslog can be used instead of logging to file. |
# For facilities and levels, see "man syslog". |
# |
# Default: |
# USESYSLOG false |
# SYSLOGNAME havp |
# SYSLOGFACILITY daemon |
# SYSLOGLEVEL info |
# SYSLOGVIRUSLEVEL warning |
|
# |
# true: Log every request to access log |
# false: Log only viruses to access log |
# |
# Default: |
LOG_OKS false |
|
# |
# Level of HAVP logging |
# 0 = Only serious errors and information |
# 1 = Less interesting information is included |
# |
# Default: |
# LOGLEVEL 0 |
|
# |
# Temporary scan file. |
# This file must reside on a partition for which mandatory |
# locking is enabled. For Linux, use "-o mand" in mount command. |
# See "man mount" for details. Solaris does not need any special |
# steps, it works directly. |
# |
# Specify absolute path to a file which name must contain "XXXXXX". |
# These characters are used by system to create unique named files. |
# |
# Default: |
# SCANTEMPFILE /var/tmp/havp/havp-XXXXXX |
|
# |
# Directory for ClamAV and other scanner created tempfiles. |
# Needs to be writable by HAVP user. Use ramdisk for best performance. |
# |
# Default: |
# TEMPDIR /var/tmp |
|
# |
# HAVP reloads scanners virus database by receiving a signal |
# (send SIGHUP to PID from PIDFILE, see "man kill") or after |
# a specified period of time. Specify here the number of |
# minutes to wait for reloading. |
# |
# This only affects library scanners (clamlib, trophie). |
# Other scanners must be updated manually. |
# |
# Default: |
# DBRELOAD 60 |
|
# |
# Run HAVP as transparent Proxy? |
# |
# If you don't know what this means read the mini-howto |
# TransparentProxy written by Daniel Kiracofe. |
# (e.g.: http://www.tldp.org/HOWTO/mini/TransparentProxy.html) |
# Definitely you have more to do than setting this to true. |
# You are warned! |
# |
# Default: |
# TRANSPARENT false |
|
# |
# Specify a parent proxy (e.g. Squid) HAVP should use. |
# |
# Default: NONE |
PARENTPROXY localhost |
PARENTPORT 3128 |
|
# |
# Write X-Forwarded-For: to log instead of connecters IP? |
# |
# If HAVP is used as parent proxy by some other proxy, this allows |
# to write the real users IP to log, instead of proxy IP. |
# |
# Default: |
# FORWARDED_IP false |
|
# |
# Send X-Forwarded-For: header to servers? |
# |
# If client sent this header, FORWARDED_IP setting defines the value, |
# then it is passed on. You might want to keep this disabled for security |
# reasons. Enable this if you use your own parent proxy after HAVP, so it |
# will see the original client IP. |
# |
# Disabling this also disables Via: header generation. |
# |
# Default: |
# X_FORWARDED_FOR false |
|
# |
# Port HAVP is listening on. |
# |
# Default: |
PORT 8090 |
|
# |
# IP address that HAVP listens on. |
# Let it be undefined to bind all addresses. |
# |
# Default: NONE |
BIND_ADDRESS 127.0.0.1 |
|
# |
# IP address used for sending outbound packets. |
# Let it be undefined if you want OS to handle right address. |
# |
# Default: NONE |
# SOURCE_ADDRESS 1.2.3.4 |
|
# |
# Path to template files. |
# |
# Default: |
TEMPLATEPATH /usr/local/etc/havp/templates/fr |
|
# |
# Set to true if you want to prefer Whitelist. |
# If URL is Whitelisted, then Blacklist is ignored. |
# Otherwise Blacklist is preferred. |
# |
# Default: |
# WHITELISTFIRST true |
|
# |
# List of URLs not to scan. |
# |
# Default: |
# WHITELIST /usr/local/etc/havp/whitelist |
|
# |
# List of URLs that are denied access. |
# |
# Default: |
# BLACKLIST /usr/local/etc/havp/blacklist |
|
# |
# Is scanner error fatal? |
# |
# For example, archive types that are not supported by scanner |
# may return error. Also if scanner has invalid pattern files etc. |
# |
# true: User gets error page |
# false: No error is reported (viruses might not be detected) |
# |
# Default: |
# FAILSCANERROR true |
|
# |
# When scanning takes longer than this, it will be aborted. |
# Timer is started after HAVP has fully received all data. |
# If set too low, complex files/archives might produce timeout. |
# Timeout is always a fatal error regardless of FAILSCANERROR. |
# |
# Time in minutes! |
# |
# Default: |
# SCANNERTIMEOUT 10 |
|
# |
# Allow HTTP Range requests? |
# |
# false: Broken downloads can NOT be resumed |
# true: Broken downloads can be resumed |
# |
# Allowing Range is a security risk, because partial |
# HTTP requests may not be properly scanned. |
# |
# Whitelisted sites are allowed to use Range in any case. |
# |
# Default: |
# RANGE false |
|
# |
# Allow HTTP Range request to get the ZIP header first? |
# |
# This allows (partial) scanning of ZIP files that are bigger than |
# MAXSCANSIZE. Scanning is done up to that many bytes into the file. |
# |
# Default: |
# PRELOADZIPHEADER true |
|
# |
# If you really need more performance, you can disable scanning of |
# JPG, GIF and PNG files. These are probably the most common files |
# around, so it will save lots of CPU. But be warned, image exploits |
# exist and more could be found. Think twice if you want to disable! |
# |
# Default: |
# SCANIMAGES true |
|
# |
# Temporary file will grow only up to this size. This means scanner |
# will scan data until this limit is reached. |
# |
# There are two sides to this setting. By limiting the size, you gain |
# performance, less waiting for big files and less needed temporary space. |
# But there is slightly higher chance of virus slipping through (though |
# scanning large archives should not be gateways function, HAVP is more |
# geared towards small exploit detection etc). |
# |
# VALUE IN BYTES NOT KB OR MB!!!! |
# 0 = No size limit |
# |
# Default: |
# MAXSCANSIZE 5000000 |
|
# |
# Amount of data going to browser that is held back, until it |
# is scanned. When we know file is clean, this held back data |
# can be sent to browser. You can safely set bigger value, only |
# thing you will notice is some "delay" in beginning of download. |
# Virus found in files bigger than this might not produce HAVP |
# error page, but result in a "broken" download. |
# |
# VALUE IN BYTES NOT KB OR MB!!!! |
# |
# Default: |
# KEEPBACKBUFFER 200000 |
|
# |
# This setting complements KEEPBACKBUFFER. It tells how many Seconds to |
# initially receive data from server, before sending anything to client. |
# Even trickling is not done before this time elapses. This way files that |
# are received fast are more secure and user can get virus report page for |
# files bigger than KEEPBACKBUFFER. |
# |
# Setting to 0 will disable this, and only KEEPBACKBUFFER is used. |
# |
# Default: |
# KEEPBACKTIME 5 |
|
# |
# After Trickling Time (seconds), some bytes are sent to browser |
# to keep the connection alive. Trickling is not needed if timeouts |
# are not expected for files smaller than KEEPBACKBUFFER, but it is |
# recommended to set anyway. |
# |
# 0 = No Trickling |
# |
# Default: |
# TRICKLING 30 |
|
# |
# Send this many bytes to browser every TRICKLING seconds, see above |
# |
# Default: |
# TRICKLINGBYTES 1 |
|
# |
# Downloads larger than MAXDOWNLOADSIZE will be blocked. |
# Only if not Whitelisted! |
# |
# VALUE IN BYTES NOT KB OR MB!!!! |
# 0 = Unlimited Downloads |
# |
# Default: |
# MAXDOWNLOADSIZE 0 |
|
# |
# Space separated list of strings to partially match User-Agent: header. |
# These are used for streaming content, so scanning is generally not needed |
# and tempfiles grow unnecessary. Remember when enabled, that user could |
# fake header and pass some scanning. HTTP Range requests are allowed for |
# these, so players can seek content. |
# |
# You can uncomment here a list of most popular players. |
# |
# Default: NONE |
# STREAMUSERAGENT Player Winamp iTunes QuickTime Audio RMA/ MAD/ Foobar2000 XMMS |
|
# |
# Bytes to scan from beginning of streams. |
# When set to 0, STREAMUSERAGENT scanning will be completely disabled. |
# It is not recommended as there are some exploits for players. |
# |
# Default: |
# STREAMSCANSIZE 20000 |
|
# |
# Disable mandatory locking (dynamic scanning) for certain file types. |
# This is intended for fixing cases where a scanner forces use of mmap() |
# call. Mandatory locking might not allow this, so you could get errors |
# regarding memory allocation or I/O. You can test the "None" option |
# anyway, as it might even work depending on your OS (some Linux seems |
# to allow mand+mmap). |
# |
# Allowed values: |
# None |
# ClamAV:BinHex (mmap forced in all versions, no ETA for fix) |
# ClamAV:PDF (mmap forced in all versions, no ETA for fix) |
# ClamAV:ZIP (mmap forced in 0.93.x, should work in 0.94) |
# AVG:ALL (AVG 8.5 does not work, uses mmap MAP_SHARED) |
# |
# Default: |
# DISABLELOCKINGFOR ClamAV:BinHex ClamAV:PDF ClamAV:ZIP AVG:ALL |
|
# |
# Whitelist specific viruses by case-insensitive substring match. |
# For example, "Oversized." and "Encrypted." are good candidates, |
# if you can't disable those checks any other way. |
# |
# Default: NONE |
# IGNOREVIRUS Oversized. Encrypted. Phishing. |
|
|
##### |
##### ClamAV Library Scanner (libclamav) |
##### |
|
ENABLECLAMLIB true |
|
# HAVP uses libclamav hardcoded pattern directory, which usually is |
# /usr/local/share/clamav. You only need to set CLAMDBDIR, if you are |
# using non-default DatabaseDirectory setting in clamd.conf. |
# |
# Default: NONE |
# CLAMDBDIR /path/to/directory |
|
# Should we block broken executables? |
# |
# Default: |
# CLAMBLOCKBROKEN false |
|
# Should we block encrypted archives? |
# |
# Default: |
# CLAMBLOCKENCRYPTED false |
|
# Should we block files that go over maximum archive limits? |
# |
# Default: |
# CLAMBLOCKMAX false |
|
# Scanning limits? |
# You can find some additional info from documentation or clamd.conf |
# |
# Stop when this many total bytes scanned (MB) |
# CLAMMAXSCANSIZE 20 |
# |
# Stop when this many files have been scanned |
# CLAMMAXFILES 50 |
# |
# Don't scan files over this size (MB) |
# CLAMMAXFILESIZE 100 |
# |
# Maximum archive recursion |
# CLAMMAXRECURSION 8 |
|
|
##### |
##### ClamAV Socket Scanner (clamd) |
##### |
##### NOTE: ClamAV Library Scanner should be preferred (less overhead) |
##### |
|
ENABLECLAMD false |
|
# Path to clamd socket |
# |
# Default: |
# CLAMDSOCKET /tmp/clamd |
|
# ..OR if you use clamd TCP socket, uncomment to enable use |
# |
# Clamd daemon needs to run on the same server as HAVP |
# |
# Default: NONE |
# CLAMDSERVER 127.0.0.1 |
# CLAMDPORT 3310 |
|
|
##### |
##### F-Prot Socket Scanner |
##### |
|
ENABLEFPROT false |
|
# F-Prot daemon needs to run on same server as HAVP |
# |
# Default: |
# FPROTSERVER 127.0.0.1 |
# FPROTPORT 10200 |
|
# F-Prot options (only for version 6+ !) |
# |
# See "fpscand-client.sh --help" for possible options. |
# |
# At the moment: |
# --scanlevel=<n> Which scanlevel to use, 0-4 (2). |
# --heurlevel=<n> How aggressive heuristics should be used, 0-4 (2). |
# --archive=<n> Scan inside supported archives n levels deep 1-99 (5). |
# --adware Instructs the daemon to flag adware. |
# --applications Instructs the daemon to flag potentially unwanted applications. |
# |
# Default: NONE |
# FPROTOPTIONS --scanlevel=2 --heurlevel=2 |
|
|
##### |
##### AVG Socket Scanner |
##### |
|
ENABLEAVG false |
|
# AVG daemon needs to run on the same server as HAVP |
# |
# Default: |
# AVGSERVER 127.0.0.1 |
# AVGPORT 55555 |
|
|
##### |
##### Kaspersky Socket Scanner |
##### |
|
ENABLEAVESERVER false |
|
# Path to aveserver socket |
# |
# Default: |
# AVESOCKET /var/run/aveserver |
|
|
##### |
##### Sophos Scanner (Sophie) |
##### |
|
ENABLESOPHIE false |
|
# Path to sophie socket |
# |
# Default: |
# SOPHIESOCKET /var/run/sophie |
|
|
##### |
##### Trend Micro Library Scanner (Trophie) |
##### |
|
ENABLETROPHIE false |
|
# Scanning limits inside archives (filesize = MB): |
# |
# Default: |
# TROPHIEMAXFILES 50 |
# TROPHIEMAXFILESIZE 10 |
# TROPHIEMAXRATIO 250 |
|
|
##### |
##### NOD32 Socket Scanner |
##### |
|
ENABLENOD32 false |
|
# Path to nod32d socket |
# |
# For 3.0+ version, try /tmp/esets.sock |
# |
# Default: |
# NOD32SOCKET /tmp/nod32d.sock |
|
# Used NOD32 Version |
# |
# 30 = 3.0+ |
# 25 = 2.5+ |
# 21 = 2.x (very old) |
# |
# Default: |
# NOD32VERSION 25 |
|
|
##### |
##### Avast! Socket Scanner |
##### |
|
ENABLEAVAST false |
|
# Path to avastd socket |
# |
# Default: |
# AVASTSOCKET /var/run/avast4/local.sock |
|
# ..OR if you use avastd TCP socket, uncomment to enable use |
# |
# Avast daemon needs to run on the same server as HAVP |
# |
# Default: NONE |
# AVASTSERVER 127.0.0.1 |
# AVASTPORT 5036 |
|
|
##### |
##### Arcavir Socket Scanner |
##### |
|
ENABLEARCAVIR false |
|
# Path to arcavird socket |
# |
# For version 2008, default socket is /var/run/arcad.ctl |
# |
# Default: |
# ARCAVIRSOCKET /var/run/arcavird.socket |
|
# Used Arcavir version |
# 2007 = Version 2007 and earlier |
# 2008 = Version 2008 and later |
# |
# Default: |
# ARCAVIRVERSION 2007 |
|
|
##### |
##### DrWeb Socket Scanner |
##### |
|
ENABLEDRWEB false |
|
# Enable heuristic scanning? |
# |
# Default: |
# DRWEBHEURISTIC true |
|
# Enable malware detection? |
# (Adware, Dialer, Joke, Riskware, Hacktool) |
# |
# Default: |
# DRWEBMALWARE true |
|
# Path to drwebd socket |
# |
# Default: |
# DRWEBSOCKET /var/drweb/run/.daemon |
|
# ..OR if you use drwebd TCP socket, uncomment to enable use |
# |
# DrWeb daemon needs to run on the same server as HAVP |
# |
# Default: NONE |
# DRWEBSERVER 127.0.0.1 |
# DRWEBPORT 3000 |
|