Subversion Repositories ALCASAR

#

# This is the configuration file for HAVP

#

# All lines starting with a hash (#) or empty lines are ignored.

# Uncomment parameters you want to change!

#

# All parameters configurable in this file are explained and their default

# values are shown. If no default value is defined "NONE" is specified.

# 

# General syntax: Parameter Value

# Value can be: true/false, number, or path

#

# Extra spaces and tabs are ignored.

#

# You must remove this line for HAVP to start.

# This makes sure you have (hopefully) reviewed the configuration. :)

# Hint: You must enable some scanner! Find them in the end..

# REMOVETHISLINE deleteme

#

# For reasons of security it is recommended to run a proxy program

# without root rights. It is recommended to create user that is not

# used by any other program.

#

# Default:

# USER havp

# GROUP havp

# If this is true HAVP is running as daemon in background.

# For testing you may run HAVP at your text console.

#

# Default:

# DAEMON true

#

# Process id (PID) of the main HAVP process is written to this file.

# Be sure that it is writeable by the user under which HAVP is running.

# /etc/init.d/havp script requires this to work.

#

# Default:

# PIDFILE /var/run/havp/havp.pid

#

# For performance reasons several instances of HAVP have to run.

# Specify how many servers (child processes) are simultaneously

# listening on port PORT for a connection. Minimum value should be

# the peak requests-per-second expected + 5 for headroom. For best

# performance, you should have atleast 1 CPU core per 16 processes.

#

# For single user home use, 8 should be minimum.

# For 500+ users corporate use, start at 40.

#

# Value can and should be higher than recommended. Memory and

# CPU usage is only affected by the number of concurrent requests.

#

# More childs are automatically created when needed, up to MAXSERVERS.

#

# Default:

# SERVERNUMBER 8

# MAXSERVERS 100

#

# Files where to log requests and info/errors.

# Needs to have write permission for HAVP user.

#

# Default:

# ACCESSLOG /var/log/havp/access.log

# ERRORLOG /var/log/havp/havp.log

#

# Syslog can be used instead of logging to file.

# For facilities and levels, see "man syslog".

#

# Default:

# USESYSLOG false

# SYSLOGNAME havp

# SYSLOGFACILITY daemon

# SYSLOGLEVEL info

# SYSLOGVIRUSLEVEL warning

#

# true: Log every request to access log

# false: Log only viruses to access log

#

# Default:

LOG_OKS false

#

# Level of HAVP logging

#  0 = Only serious errors and information

#  1 = Less interesting information is included

#

# Default:

# LOGLEVEL 0

#

# Temporary scan file.

# This file must reside on a partition for which mandatory

# locking is enabled. For Linux, use "-o mand" in mount command.

# See "man mount" for details. Solaris does not need any special

# steps, it works directly.

#

# Specify absolute path to a file which name must contain "XXXXXX".

# These characters are used by system to create unique named files.

#

# Default:

# SCANTEMPFILE /var/tmp/havp/havp-XXXXXX

#

# Directory for ClamAV and other scanner created tempfiles.

# Needs to be writable by HAVP user. Use ramdisk for best performance.

#

# Default:

# TEMPDIR /var/tmp

#

# HAVP reloads scanners virus database by receiving a signal

# (send SIGHUP to PID from PIDFILE, see "man kill") or after

# a specified period of time. Specify here the number of

# minutes to wait for reloading.

#

# This only affects library scanners (clamlib, trophie).

# Other scanners must be updated manually.

#

# Default:

# DBRELOAD 60 

#

# Run HAVP as transparent Proxy?

#

# If you don't know what this means read the mini-howto

# TransparentProxy written by Daniel Kiracofe.

# (e.g.: http://www.tldp.org/HOWTO/mini/TransparentProxy.html)

# Definitely you have more to do than setting this to true.

# You are warned!

#

# Default:

# TRANSPARENT false

#

# Specify a parent proxy (e.g. Squid) HAVP should use.

#

# Default: NONE

PARENTPROXY localhost

PARENTPORT 3128

#

# Write X-Forwarded-For: to log instead of connecters IP?

#

# If HAVP is used as parent proxy by some other proxy, this allows

# to write the real users IP to log, instead of proxy IP.

#

# Default:

# FORWARDED_IP false

#

# Send X-Forwarded-For: header to servers?

#

# If client sent this header, FORWARDED_IP setting defines the value,

# then it is passed on. You might want to keep this disabled for security

# reasons. Enable this if you use your own parent proxy after HAVP, so it

# will see the original client IP.

#

# Disabling this also disables Via: header generation.

#

# Default:

# X_FORWARDED_FOR false

#

# Port HAVP is listening on.

#

# Default:

PORT 8090

#

# IP address that HAVP listens on.

# Let it be undefined to bind all addresses.

#

# Default: NONE

BIND_ADDRESS 127.0.0.1

#

# IP address used for sending outbound packets.

# Let it be undefined if you want OS to handle right address.

#

# Default: NONE

# SOURCE_ADDRESS 1.2.3.4

#

# Path to template files.

#

# Default:

TEMPLATEPATH /usr/local/etc/havp/templates/fr

#

# Set to true if you want to prefer Whitelist.

# If URL is Whitelisted, then Blacklist is ignored.

# Otherwise Blacklist is preferred.

#

# Default:

# WHITELISTFIRST true

#

# List of URLs not to scan.

#

# Default:

# WHITELIST /usr/local/etc/havp/whitelist

#

# List of URLs that are denied access.

#

# Default:

# BLACKLIST /usr/local/etc/havp/blacklist

#

# Is scanner error fatal?

#

# For example, archive types that are not supported by scanner

# may return error. Also if scanner has invalid pattern files etc.

#

# true: User gets error page

# false: No error is reported (viruses might not be detected)

#

# Default:

# FAILSCANERROR true

#

# When scanning takes longer than this, it will be aborted.

# Timer is started after HAVP has fully received all data.

# If set too low, complex files/archives might produce timeout.

# Timeout is always a fatal error regardless of FAILSCANERROR.

#

# Time in minutes!

#

# Default:

# SCANNERTIMEOUT 10

#

# Allow HTTP Range requests?

#

# false: Broken downloads can NOT be resumed

# true: Broken downloads can be resumed

#

# Allowing Range is a security risk, because partial

# HTTP requests may not be properly scanned.

#

# Whitelisted sites are allowed to use Range in any case.

#

# Default:

# RANGE false

#

# Allow HTTP Range request to get the ZIP header first?

#

# This allows (partial) scanning of ZIP files that are bigger than

# MAXSCANSIZE. Scanning is done up to that many bytes into the file.

#

# Default:

# PRELOADZIPHEADER true

#

# If you really need more performance, you can disable scanning of

# JPG, GIF and PNG files. These are probably the most common files

# around, so it will save lots of CPU. But be warned, image exploits

# exist and more could be found. Think twice if you want to disable!

#

# Default:

# SCANIMAGES true

#

# Temporary file will grow only up to this size. This means scanner

# will scan data until this limit is reached.

#

# There are two sides to this setting. By limiting the size, you gain

# performance, less waiting for big files and less needed temporary space.

# But there is slightly higher chance of virus slipping through (though

# scanning large archives should not be gateways function, HAVP is more

# geared towards small exploit detection etc).

#

# VALUE IN BYTES NOT KB OR MB!!!!

#  0 = No size limit

#

# Default:

# MAXSCANSIZE 5000000

#

# Amount of data going to browser that is held back, until it

# is scanned. When we know file is clean, this held back data

# can be sent to browser. You can safely set bigger value, only

# thing you will notice is some "delay" in beginning of download.

# Virus found in files bigger than this might not produce HAVP

# error page, but result in a "broken" download.

#

# VALUE IN BYTES NOT KB OR MB!!!!

#

# Default:

# KEEPBACKBUFFER 200000

#

# This setting complements KEEPBACKBUFFER. It tells how many Seconds to

# initially receive data from server, before sending anything to client.

# Even trickling is not done before this time elapses. This way files that

# are received fast are more secure and user can get virus report page for

# files bigger than KEEPBACKBUFFER.

#

# Setting to 0 will disable this, and only KEEPBACKBUFFER is used.

#

# Default:

# KEEPBACKTIME 5

#

# After Trickling Time (seconds), some bytes are sent to browser

# to keep the connection alive. Trickling is not needed if timeouts

# are not expected for files smaller than KEEPBACKBUFFER, but it is

# recommended to set anyway.

#

# 0 = No Trickling

#

# Default:

# TRICKLING 30

#

# Send this many bytes to browser every TRICKLING seconds, see above

#

# Default:

# TRICKLINGBYTES 1

#

# Downloads larger than MAXDOWNLOADSIZE will be blocked.

# Only if not Whitelisted!

#

# VALUE IN BYTES NOT KB OR MB!!!!

#  0 = Unlimited Downloads

#

# Default:

# MAXDOWNLOADSIZE 0

#

# Space separated list of strings to partially match User-Agent: header.

# These are used for streaming content, so scanning is generally not needed

# and tempfiles grow unnecessary. Remember when enabled, that user could

# fake header and pass some scanning. HTTP Range requests are allowed for

# these, so players can seek content.

#

# You can uncomment here a list of most popular players.

#

# Default: NONE

# STREAMUSERAGENT Player Winamp iTunes QuickTime Audio RMA/ MAD/ Foobar2000 XMMS

#

# Bytes to scan from beginning of streams.

# When set to 0, STREAMUSERAGENT scanning will be completely disabled.

# It is not recommended as there are some exploits for players.

#

# Default:

# STREAMSCANSIZE 20000

#

# Disable mandatory locking (dynamic scanning) for certain file types.

# This is intended for fixing cases where a scanner forces use of mmap()

# call. Mandatory locking might not allow this, so you could get errors

# regarding memory allocation or I/O. You can test the "None" option

# anyway, as it might even work depending on your OS (some Linux seems

# to allow mand+mmap).

# 

# Allowed values:

#   None

#   ClamAV:BinHex  (mmap forced in all versions, no ETA for fix)

#   ClamAV:PDF     (mmap forced in all versions, no ETA for fix)

#   ClamAV:ZIP     (mmap forced in 0.93.x, should work in 0.94)

#   AVG:ALL        (AVG 8.5 does not work, uses mmap MAP_SHARED)

#

# Default:

# DISABLELOCKINGFOR ClamAV:BinHex ClamAV:PDF ClamAV:ZIP AVG:ALL

#

# Whitelist specific viruses by case-insensitive substring match.

# For example, "Oversized." and "Encrypted." are good candidates,

# if you can't disable those checks any other way.

#

# Default: NONE

# IGNOREVIRUS Oversized. Encrypted. Phishing.

#####

##### ClamAV Library Scanner (libclamav)

#####

ENABLECLAMLIB true

# HAVP uses libclamav hardcoded pattern directory, which usually is

# /usr/local/share/clamav. You only need to set CLAMDBDIR, if you are

# using non-default DatabaseDirectory setting in clamd.conf.

#

# Default: NONE

# CLAMDBDIR /path/to/directory

# Should we block broken executables?

#

# Default:

# CLAMBLOCKBROKEN false

# Should we block encrypted archives?

#

# Default:

# CLAMBLOCKENCRYPTED false

# Should we block files that go over maximum archive limits?

#

# Default:

# CLAMBLOCKMAX false

# Scanning limits?

# You can find some additional info from documentation or clamd.conf

#

# Stop when this many total bytes scanned (MB)

# CLAMMAXSCANSIZE 20

#

# Stop when this many files have been scanned

# CLAMMAXFILES 50

#

# Don't scan files over this size (MB)

# CLAMMAXFILESIZE 100

#

# Maximum archive recursion

# CLAMMAXRECURSION 8

#####

##### ClamAV Socket Scanner (clamd)

#####

##### NOTE: ClamAV Library Scanner should be preferred (less overhead)

#####

ENABLECLAMD false

# Path to clamd socket

#

# Default:

# CLAMDSOCKET /tmp/clamd

# ..OR if you use clamd TCP socket, uncomment to enable use

#

# Clamd daemon needs to run on the same server as HAVP

#

# Default: NONE

# CLAMDSERVER 127.0.0.1

# CLAMDPORT 3310

#####

##### F-Prot Socket Scanner

#####

ENABLEFPROT false

# F-Prot daemon needs to run on same server as HAVP

#

# Default:

# FPROTSERVER 127.0.0.1

# FPROTPORT 10200

# F-Prot options (only for version 6+ !)

#

# See "fpscand-client.sh --help" for possible options.

#

# At the moment:

#  --scanlevel=<n>  Which scanlevel to use, 0-4 (2).

#  --heurlevel=<n>  How aggressive heuristics should be used, 0-4 (2).

#  --archive=<n>    Scan inside supported archives n levels deep 1-99 (5).

#  --adware         Instructs the daemon to flag adware.

#  --applications   Instructs the daemon to flag potentially unwanted applications.

#

# Default: NONE

# FPROTOPTIONS --scanlevel=2 --heurlevel=2

#####

##### AVG Socket Scanner

#####

ENABLEAVG false

# AVG daemon needs to run on the same server as HAVP

#

# Default:

# AVGSERVER 127.0.0.1

# AVGPORT 55555

#####

##### Kaspersky Socket Scanner

#####

ENABLEAVESERVER false

# Path to aveserver socket

#

# Default:

# AVESOCKET /var/run/aveserver

#####

##### Sophos Scanner (Sophie)

#####

ENABLESOPHIE false

# Path to sophie socket

#

# Default:

# SOPHIESOCKET /var/run/sophie

#####

##### Trend Micro Library Scanner (Trophie)

#####

ENABLETROPHIE false

# Scanning limits inside archives (filesize = MB):

#

# Default:

# TROPHIEMAXFILES 50

# TROPHIEMAXFILESIZE 10

# TROPHIEMAXRATIO 250

#####

##### NOD32 Socket Scanner

#####

ENABLENOD32 false

# Path to nod32d socket

#

# For 3.0+ version, try /tmp/esets.sock

#

# Default:

# NOD32SOCKET /tmp/nod32d.sock

# Used NOD32 Version

#

#  30 = 3.0+

#  25 = 2.5+

#  21 = 2.x (very old)

#

# Default:

# NOD32VERSION 25

#####

##### Avast! Socket Scanner

#####

ENABLEAVAST false

# Path to avastd socket

#

# Default:

# AVASTSOCKET /var/run/avast4/local.sock

# ..OR if you use avastd TCP socket, uncomment to enable use

#

# Avast daemon needs to run on the same server as HAVP

#

# Default: NONE

# AVASTSERVER 127.0.0.1

# AVASTPORT 5036

#####

##### Arcavir Socket Scanner

#####

ENABLEARCAVIR false

# Path to arcavird socket

#

# For version 2008, default socket is /var/run/arcad.ctl

#

# Default:

# ARCAVIRSOCKET /var/run/arcavird.socket

# Used Arcavir version

#  2007 = Version 2007 and earlier

#  2008 = Version 2008 and later

#

# Default:

# ARCAVIRVERSION 2007

#####

##### DrWeb Socket Scanner

#####

ENABLEDRWEB false

# Enable heuristic scanning?

#

# Default:

# DRWEBHEURISTIC true

# Enable malware detection?

# (Adware, Dialer, Joke, Riskware, Hacktool)

#

# Default:

# DRWEBMALWARE true

# Path to drwebd socket

#

# Default:

# DRWEBSOCKET /var/drweb/run/.daemon

# ..OR if you use drwebd TCP socket, uncomment to enable use

#

# DrWeb daemon needs to run on the same server as HAVP

#

# Default: NONE

# DRWEBSERVER 127.0.0.1

# DRWEBPORT 3000