Part 6 - Tips and Tricks

…And Now For Something Completely Different…

  • Ok, now it's time for a small change to make things a bit more relaxed:
  • The main purpose of this part is to collect and describe several Tips and Tricks regarding not only the Copfilter addon but IPCop in general.
  • I won't repeat the usual safety precautions and notes from Part 4 at this point, but of course they are still valid!

Please note:

Anyone who has followed along this far should know what can safely be done and what cannot.

V1-Logo

1. IPCop - Shutdown by power button

See: http://www.ipcop-forum.de/forum/viewtopic.php?t=11690

IPCop 1.4.x ONLY:

In IPCop 1.9.x/2.x (V2) this feature is already installed.

Description

Shutting down IPCop via power button is possible with the help of a little “hack”.

Necessary conditions:

  • The computer / BIOS must be ACPI-compliant.
  • IPCop must be started with the ACPI kernel.

“Power-Button-Hack”

Simply add the following lines at the end of the file '/etc/rc.d/rc.local':

rc_local_power_button_mod
# power button shutdown
if grep -q '^button' /proc/modules ; then
head -1 /proc/acpi/event | grep -q 'button/power PWRF' && /usr/local/bin/ipcopreboot down &
fi

After a reboot (or manually executing /etc/rc.d/rc.local) IPCop will now perform a clean “shutdown” and power off the machine by simply pressing a button.

V1-Logo

2. CSS-Menu-Tuning

Description

A simple modification to the IPCop CSS menu style for a more visible menu hover color.

Info: this changes the default menu hover color from bright white to one of the colors in the IPCop shield (a yellowish orange).

In the file /home/httpd/html/include/ipcop.css (near the bottom of the file), find the following (clipped out of context):

div.ipcop_menuElementHover {
color: #FFCC33;
/* DEFAULT: #FFFFFF */
}

div.ipcop_subMenuElementHover {
padding: 3px;
color: #FFCC33;
/* DEFAULT: #DEDFEF */
}

Change the default color to #FFCC33 (the example above is already modified).

Save the file, then refresh any IPCop CGI page.
The IPCop menu should now be a little easier to see and navigate.

[Screenshot: Menu-Tuning]

3. Options in 'setup_util'

This is a file in '/var/log/copfilter/default' whose existence and function are unfortunately overlooked by many Copfilter users.

Many basic functions of an installed Copfilter can be controlled by this file:

root@Develcop:~/copfilter # ./setup_util
ERR: unknown option

Usage: setup_util OPTION

Options:
-a, --addmenu           add copfilter menu to the webgui (already done with -i)
-b, --backup [FILE]     backup current settings & logfiles (optional: backup file)
-d, --default           restore default configuration
-i, --install [--force] install (or reinstall) copfilter (use force if already inst.)
-f, --fprot FILE        install fprot, FILE: download and copy fprot >GZIP-ed TAR file< to ipcop
                        URL: http://www.f-prot.com/download/home_user/download_fplinux.html
                        example: setup_util -f fp-linux-ws.tar.gz
-r, --restore [FILE]    restore configuration (optional: restore file)
-U, --uninstall-icap    to restore default squid binary
-W, --with-icap         install squid with icap support
-R, --regrazor          register razor
-u, --uninstall         uninstall copfilter and fprot
-p, --permissions       set file permissions
-V, --version           print version information and exit
-x, --fixbackspace      fix backspace key in vi
-s, --symlinks          recreate symlinks for Copfilter logfiles
-y, --yes               install without confirmation

Copfilter 2.0.91beta2 for IPCop 2.x.x and above
by Markus Madlener <copfilter at gmx dot net>
and karesmakro <ipcop at it-connect-unix dot de>
http://www.copfilter.org

'setup_util' is particularly important during an update installation, or the installation of an additional virus scanner, such as F-Prot.

4. 'monit' does not start due to incorrect file permissions of 'monitrc'

Problem

In rare cases 'monit' won't start anymore.

Nothing can be found in the logs - output is quite simple:

starting monit <BR>
waiting 3 second(s) <BR>
monit is not running <BR>

Even

/var/log/copfilter/default/opt/monit/etc/init.d/copfilter_monit debug

only provides

mo:2345:respawn:/var/log/copfilter/default/opt/monit/default/bin/monit -I -c /var/log/copfilter/default/opt/monit/etc/monitrc
monit is not running
waiting 0 second(s)
/var/log/copfilter/default/opt/monit/etc/init.d/copfilter_monit: line 279: debug: command not found
monit is not running

Cause

Wrong file permissions of '/var/log/copfilter/default/opt/monit/etc/monitrc'

Solution

Log in on the console as 'root' using a suitable client (ssh, PuTTY, …) and run the following commands:

cd /var/log/copfilter/default/opt/monit/etc
chown root.root monitrc
chmod 600 monitrc

Problem should be solved…

5. Turn off E-Mail notifications

Initiated by: http://www.copfilter.org/forum/viewtopic.php?p=621#p621

Please note:

  • This mod is already included in 3rd Party Signatures since version 0.55.0. Notification is switched ON/OFF via Email GUI.
  • Don't use this mod if you use a newer version!

Description

If you don't want to receive notifications about the various virus updates, you can switch them ON/OFF with the following patch.

This script will disable the email notification for the database updates of clamav, avg and f-prot and the rules update of spamassassin, and furthermore the email of the bayes learning process.
To disable these mails please choose “d” in the following dialog.
To re-enable these mails run this script again with the parameter “e”.
Please note that you use this script at your own risk without any warranty of the author!

d = disable email notifying
e = enable email notifying

Download

2010-04-16 20:00 v 0.01.3:

no_upd_mail_notif.tar.gz 2 KB
MD5SUM:DE4A2B81D151391BE70F5C60CA5B7E1E

Installation

6. 'crontab' prevents Copfilter-Installation

Problem

Copfilter-Installation on IPCop 1.4.21 stops with an error, even though the system requirements are met:

md5check       done
extracting ...   done
now executing /var/log/copfilter/0.84beta4/setup_util -i

This addon only works for IPCop 1.4.x and higher

Cause

There exists a file '/etc/crontab', a relic from a previous version of IPCop, which was inadvertently not deleted during the update process.

Solution

rm /etc/crontab

V1-Logo

7. Copfilter and BOT

A big “Thanks!” goes to 'cjmatsel' - this tip was originally published in Copfilter section of his IPCopWiki!

The following method applies to IPCop V1 (1.4.xx) ONLY - in V2 (2.x), the BOT addon was integrated by default. You only have to define administrative access to the Monit Service Manager (port 446).

Description

  • The highly recommended addon BOT (BlockOutTraffic) by default blocks all access to the IPCop and other networks.
  • For Copfilter to work properly, you have to release the following ports (or a subset, depending on the services used) for access to IPCop and for the affected clients.

User defined services (Copfilter):
Name                    Port          Protocol
IPCopProxy              800           TCP
IPCopPOP3Filter         8110          TCP
IPCopSMTPFilter         10025         TCP
IPCopFTPFilter          2121          TCP
IPCopFTPControl         50000-50199   TCP
IPCopFTPPassive         50200-50399   TCP
IPCopFTPActive          50400-50599   TCP
Monit Service Manager   446           TCP

Since Copfilter 0.85.x:
Name                    Port          Protocol
IPCop Imspector         16667         TCP

User defined services (IPCop):
Name                    Port          Protocol
IPCop GUI               81            TCP
IPCopGUI                445           TCP

You can add the following useful services (if required, these are not part of Copfilter):

Standard services:
Name                    Port          Protocol
bootpc                  67            TCP&UDP
bootps                  68            TCP&UDP
domain (DNS)            53            TCP&UDP
ntp (Timeserver)        123           TCP&UDP

It is best to arrange the required services in groups.

Here's a screenshot of a sample configuration that still contains some other services:

[Screenshot: BOT]

For all BOT specific problems: use BOT FAQ No.5!

If you're still not sure, use BOT FAQ No.11.

8. Testing sendEmail

Problem

Unfortunately, it happens every now and then that sendEmail has problems with the current service provider.

Solution

In this case, the following guide should help to verify the correct function:

Enter following commands on the console - fill in sender address, recipient address etc. (omit the square brackets!):

cd /var/log/copfilter/default/opt/tools/bin
./sendEmail -f [sender-address] -u [Subject] -t [recipient-address] -s [SMTP-serveraddress] -xu [SMTP-username] -xp [SMTP-password]

[ENTER]

A successful result should look like this:

root@coprouter:/tmp # […place of 'sendEmail'-commands…]
Reading message body from STDIN because the '-m' option was not used.
If you are manually typing in a message:
- First line must be received within 60 seconds.
- End manual input with a CTRL-D on its own line.
testmail nummer 3
Jan 02 21:52:59 coprouter sendemail[10044]: Message input complete.
Jan 02 21:52:59 coprouter sendemail[10044]: NOTICE => Authentication not supported by the remote SMTP server!
Jan 02 21:52:59 coprouter sendemail[10044]: Email was sent successfully!

Check all outputs for errors!

To be sure, successively press the buttons “Send test email virus”, “Send test e-mail SPAM” and “Send a test email” in Copfilter Test & Logs.

[Screenshot: Testmails]

Wait a few seconds and then take a look at '/var/log/messages' …:

Jan 2 21:54:25 coprouter copfilter send testvirus:
Jan 2 21:54:25 coprouter copfilter send testvirus: please wait until scripts finishes
Jan 2 21:54:25 coprouter copfilter send testvirus: this script only works if you have correctly configured your email address
Jan 2 21:54:25 coprouter copfilter send testvirus: and smtp server in the copfilter webgui
Jan 2 21:54:25 coprouter copfilter send testvirus:
Jan 2 21:54:29 coprouter copfilter send testspam:
Jan 2 21:54:29 coprouter copfilter send testspam: please wait until scripts finishes
Jan 2 21:54:29 coprouter copfilter send testspam: this script only works if you have correctly configured your email address
Jan 2 21:54:29 coprouter copfilter send testspam: and smtp server in the copfilter webgui
Jan 2 21:54:29 coprouter copfilter send testspam:
Jan 2 21:54:29 coprouter copfilter send testspam: Reading message body from STDIN because the '-m' option was not used.
Jan 2 21:54:29 coprouter copfilter send testspam: If you are manually typing in a message:
Jan 2 21:54:29 coprouter copfilter send testspam: - First line must be received within 60 seconds.
Jan 2 21:54:29 coprouter copfilter send testspam: - End manual input with a CTRL-D on its own line.
Jan 2 21:54:29 coprouter copfilter send testspam:
Jan 2 21:54:29 coprouter copfilter send testspam: Jan 02 21:54:29 coprouter sendEmail[8535]: Message input complete.
Jan 2 21:54:29 coprouter copfilter send testvirus: Jan 02 21:54:29 coprouter sendEmail[8524]: Email was sent successfully!
Jan 2 21:54:30 coprouter copfilter send testspam: Jan 02 21:54:30 coprouter sendEmail[8535]: Email was sent successfully!
Jan 2 21:54:31 coprouter copfilter send exe attachment:
Jan 2 21:54:32 coprouter copfilter send exe attachment: please wait until scripts finishes
Jan 2 21:54:32 coprouter copfilter send exe attachment: this script only works if you have correctly configured your email address
Jan 2 21:54:32 coprouter copfilter send exe attachment: and smtp server in the copfilter webgui
Jan 2 21:54:32 coprouter copfilter send exe attachment:
Jan 2 21:54:32 coprouter copfilter send exe attachment: Jan 02 21:54:32 coprouter sendEmail[8546]: Email was sent successfully!

Shortly thereafter a total of three e-mails should arrive - one with an “EXE”-Attachment, the other two - if 'p3scan' was activated - starting with roughly the following text body.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Copfilter hat einen Virus in einer an Sie gesendeten Mail gefunden (POP3)!
Anstatt der verseuchten Mail erhalten Sie diesen Hinweis.

Virus-Name: Eicar-Test-Signature (gefunden durch ClamAV)
Anhang: eicar.com

Absender: [Absendeadresse von oben…!]
Empfaenger: [Empfängeradresse von oben…!]
Betreff: harmless VIRUS test mail from Copfilter
Datum: Sat, 02 Jan 2010 21:58:34 +0100
Server: [IP-Adresse…!]
Client: [IP-Adresse+Port!]
Email-Datei: p3scan.j2iBxb
gescannt auf: coprouter

Diese Mail wurde zwischengespeichert.
Bitte nehmen Sie zur Kenntnis, dass die Absende-Adresse gefaelscht sein koennte!

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Header der Original-Nachricht:

X-Filtered-With: Copfilter Version 0.84beta4 (P3Scan 2.3.2)
X-Copfilter-Virus-Scanned: ClamAV 0.95.3/10248/Sat Jan 2 21:58:50 2010
Return-Path: …[usw.usf.]

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Filtered-With-Copfilter: Version 0.84beta4 (P3Scan 2.3.2)
Copfilter-Virus-Scanned: ClamAV 0.95.3/10248/Sat Jan 2 21:58:52 2010
by Markus Madlener @ http://www.copfilter.org
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
P3Scan 2.3.2 (modified by Markus Madlener for Copfilter)
by Jack S. Lai <laitcg@cox.net>
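
The '/var/log/messages' entries written by the three test buttons can also be summarised on the console. The following script is an added example, not part of Copfilter or of the original page; the function names are made up here, the sample log is constructed (success lines shortened from the log above, the failure line invented), and matching failures on the word "ERROR" is an assumption about what sendEmail logs.

```shell
#!/bin/sh
# Added example: summarise the Copfilter test-mail entries of a syslog file.

# testmail_status [LOGFILE]
# Prints one "<test>: ok|failed|missing" line per test button and returns
# exit status 0 only if all three tests logged a successful delivery.
# Without LOGFILE the log is read from standard input.
testmail_status() {
    awk '
    BEGIN { n = split("testvirus|testspam|exe attachment", kind, "|") }
    {
        for (i = 1; i <= n; i++) {
            if (index($0, "copfilter send " kind[i] ":") == 0) { continue }
            seen[i] = 1
            if (index($0, "Email was sent successfully!")) { ok[i] = 1 }
            # assumption: sendEmail marks failures with the word ERROR
            if (index($0, "ERROR")) { err[i] = 1 }
        }
    }
    END {
        bad = 0
        for (i = 1; i <= n; i++) {
            if (ok[i] && !err[i]) { state = "ok" }
            else if (seen[i])     { state = "failed";  bad = 1 }
            else                  { state = "missing"; bad = 1 }
            print kind[i] ": " state
        }
        exit bad
    }' "$@"
}

# Constructed sample: testvirus succeeds, testspam fails, and the
# "exe attachment" test never shows up in the log.
sample_log() {
cat <<'EOF'
Jan 2 21:54:25 coprouter copfilter send testvirus: please wait until scripts finishes
Jan 2 21:54:29 coprouter copfilter send testspam: please wait until scripts finishes
Jan 2 21:54:29 coprouter copfilter send testvirus: Jan 02 21:54:29 coprouter sendEmail[8524]: Email was sent successfully!
Jan 2 21:54:30 coprouter copfilter send testspam: Jan 02 21:54:30 coprouter sendEmail[8535]: ERROR => (constructed failure line)
EOF
}

sample_log | testmail_status || echo "not all test mails were confirmed"
```

On the IPCop itself the call would be `testmail_status /var/log/messages`.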

If the current 'sendEmail' version is running into problems, it has to be tested:

cd /var/log/copfilter/default/opt/tools/bin

For simplicity, you should copy different 'sendEmail'-[versions] to this directory:

[Screenshot: sendEmail-Testversions]

For testing, just copy the desired 'sendEmail'-[version] to 'sendEmail':

cp sendEmail-1.54 sendEmail

By overwriting the destination file you can immediately start a new test run.

V2-Logo

9. IPCop-Installation - adjusting partitions manually (V2)

Problem

The installation routine for IPCop V2 creates a root partition with only 768MB.

This is enough for most installations - but not (for example) for the developer version.

Solution

It is therefore advisable to create the necessary partitions manually during the installation.

For this purpose, 'parted' is needed, which is included on the IPCop CD.

More information regarding 'parted' can be found at http://ftp.gnu.org/old-gnu/Manuals/parted-1.6.1/html_mono/parted.html

Method

1. Burn IPCop-V2-ISO-Image to CD.

2. Boot from CD.

3. At Boot-Prompt type:

install parted

[ENTER]

4. After the hardware initialization and the media selection you'll see a message box:

Do your thing with parted now!

[Don't press ENTER now!]



5. Press [ALT-F5] or [ALT-F6]

6. On the console type:

cat /proc/partitions

[ENTER]

This command displays the existing partitions and the type of the target hard disk (hda or sda):

[Screenshot: cat /proc/partitions]

7. Now type (depending on hard disk type):

parted /dev/hda

(or /dev/sda, see above)
[ENTER]

'Parted' is started and you are now on the 'parted' command line:

[Screenshot: parted /dev/sda]

8. Type print to display the partition table.

print

[ENTER]

[Screenshot: print]

9. If necessary, remove existing partitions by typing rm [Number]. [Number] corresponds to the partition numbering of the “Number” column.

10. If you get an error message like “unrecognized disk label”, type mklabel msdos to create an msdos disk label:

mklabel msdos

[ENTER]

11. The following command creates a root-Partition with 8 GB.

mkpart primary ext2 2048s 8191

[ENTER]

12. Next, a second partition must be created for var - the following command uses the entire remaining disk space:

mkpart primary ext2 8192 100%

[ENTER]

13. Make root-partition bootable:

set 1 boot on

[ENTER]

14. Leave 'parted':

quit

[ENTER]

15. Type sync to write pending changes immediately to disk (important for SCSI-Systems!):

sync

[ENTER]

16. List new partitions:

parted -l

[ENTER]

17. Press [ALT-F1] to return to the first shell (above, item 4.).

18. Press [ENTER] to continue with IPCop-V2-Installation.

Download Addon-friendly

If you're not familiar with this procedure, you can download an Addon-friendly-IPCop-V2-Version which automatically creates a bigger root partition from this URL:

Download:
http://sourceforge.net/projects/copfilter/files/copfilter%20v2/IPCop-ISO/

Such an installation requires at least a 10 GB hard disk - a 5 GB root partition and a 256 MB swapfile is created.

Note

The ISO files available for download at the above URL are not official IPCop versions!

V1-Logo

10. HAVP-Optimization with RAM-Disk

Description

To speed up access to the temporary files created by HAVP in /var/log/copfilter/default/opt/havp/tmp during scanning, there are only a few adjustments needed.

Afterwards, temporary files are stored in a Ramdisk and can be accessed faster.

In this tutorial the ramdisk is created with a size of 64MB, which has so far proved to be sufficient for standard use - higher values are possible, but come at the expense of available memory.

Please note:

  • The Ramdisk must in any case be able to manage the temporary files of many simultaneous downloads.
  • With a value of e.g. MAXSCANSIZE 30720000 (30MB), a 64MB ramdisk may be fully utilized by the simultaneous download of two large files - this can cause problems.
  • In this case, a bigger ramdisk must be created or the value of MAXSCANSIZE has to be reduced!

  • Don't delete the original directory /var/log/copfilter/default/opt/havp/tmp!
  • After changing this option, a reboot of the IPCop computer is mandatory.

Environment

This optimization was performed on an IPCop 1.4.21, using current HAVP and ClamAV versions. The HAVP parameters were as follows (Copfilter 0.84beta4, ClamAV running in library mode):

Option             Value      Unit
SERVERNUMBER       20         Number
MAXSERVERS         100        Number
MAXSCANSIZE        20971520   Bytes
CLAMMAXSCANSIZE    20         MB
KEEPBACKBUFFER     400000     Bytes
TRICKLING          10         Seconds
TRICKLINGBYTES     10240      Bytes
ENABLECLAMLIB      true
CLAMMAXSCANSIZE    20         MB
CLAMMAXFILES       5000       Number
CLAMMAXFILESIZE    25         MB
CLAMMAXRECURSION   16         Number


Please note:

IPCop 1.4.x ONLY!

  • In IPCop versions 1.9.x/2.x (V2), the kernel module for Ramdisk has been removed.
  • Copfilter version 2.0.x (IPCop 1.9.x/2.x) therefore uses TMPFS - this option can be switched ON/OFF using Enable HAVP Scanner to run in Memory via HAVP-GUI:

[Screenshot: TMPFS-Switch]


Method

First you have to make BACKUPS of the following files!

  • /boot/grub/grub.conf
  • /var/log/copfilter/default/etc/global_settings
  • /var/log/copfilter/default/opt/havp/etc/init.d/copfilter_havp

1. Edit 'grub.conf':

Add option ramdisk_size=64000 to kernel line in /boot/grub/grub.conf.

Example:

kernel /vmlinuz root=/dev/sda4 panic=10 init=/linuxrc rw ramdisk_size=64000

2. Edit 'global_settings':

Insert line HAVP_RAMDISK=on in file '/var/log/copfilter/default/etc/global_settings'.

This is case-sensitive, 'on' or 'off' must be lower case!

3. Edit 'copfilter_havp':

In file '/var/log/copfilter/default/opt/havp/etc/init.d/copfilter_havp' replace this section from subroutine start ():

        /bin/mount | grep -v grep |grep man >/dev/null 2>&1
        RESULT=$?
        if [ "x${RESULT}" = "x1" ]; then 
          echo $CP_havp_mount $APPEND
          /bin/mount -o remount,mand  /var/log
        fi

with this section:

copfilter_havp_ramdisk_mod_01
# Creating Ramdisk
        /bin/mount | grep -v grep |grep man >/dev/null 2>&1
        RESULT=$?
        if [ "x${RESULT}" = "x1" ]; then 
            if [ "x${HAVP_RAMDISK}" = "xon" ]; then
                echo "$CP_havp_mount Ramdisk $APPEND"
                if [ ! -d /var/log/copfilter/default/opt/havp/tmp ]; then
                    mkdir /var/log/copfilter/default/opt/havp/tmp
                fi
                /sbin/mkfs.ext3 /dev/ram1
                /bin/mount -o mand  /dev/ram1 /var/log/copfilter/default/opt/havp/tmp
                chown -R havp.havp /var/log/copfilter/default/opt/havp/tmp
            else
                echo $CP_havp_mount $APPEND
                /bin/mount -o remount,mand  /var/log
            fi
        fi

Attention:

Since Copfilter Version 0.85.3 line:

chown -R havp.havp /var/log/copfilter/default/opt/havp/tmp

has to be replaced with:

chown -R havp.copfilter /var/log/copfilter/default/opt/havp/tmp

4. Edit 'copfilter_havp':

In file '/var/log/copfilter/default/opt/havp/etc/init.d/copfilter_havp' replace subroutine stop () with the following section:

copfilter_havp_ramdisk_mod_02
stop () {
        PRG_PID=`pidof $PRG`
        if [ $? != 0 ]; then 
          PRG_PID=""
        fi

        if [ "x$PRG_PID" = "x" ]; then
          echo $PRG $CP_not_running $APPEND
        else
          $MONIT unmonitor $PRG
          if kill $PRG_PID 2>/dev/null; then
            progress_msg="<BR>Waiting ."
            cnt=0
            while kill $PRG_PID 2>/dev/null; do
              cnt=`expr "$cnt" + 1`
                if [ "$cnt" -gt 15 ]; then
                    kill -9 -$PRG_PID
                    break
                fi
                sleep 1
                echo -n $progress_msg
                progress_msg=" ."
            done
          fi
        fi
        # echo $CP_waiting $WAIT $CP_seconds $APPEND
        if [ "x${HAVP_RAMDISK}" = "xon" ]; then
            echo "$CP_havp_umount Ramdisk $APPEND"
            /bin/umount /dev/ram1
        fi
}

Afterwards, the IPCop PC must be restarted for the changes to take effect.

Note:

Whether the changes were successful can easily be verified via the GUI.

  • In IPCop-SYSTEM-STATUS Ramdisk must be visible under 'Disk usage:' and 'Inodes usage':

[Screenshot: IPCop HDD- and Inodes]

Verification through the log files:

  • In /var/log/messages Ramdisk initializing can be seen:
coprouter kernel: RAMDISK driver initialized: 16 RAM disks of 5120K size 1024 blocksize

Check filesystem:

  • Under /var/log/copfilter/default/opt/havp/tmp there's a new directory: lost+found
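
The settings from steps 1 to 3 can also be checked on the console. The following script is an added example, not part of Copfilter or of the original page; the function names are made up here, it expects the kernel command line, 'global_settings' and the saved output of 'mount' as files, and the data used in demo() is constructed. It also works out how many temporary files of MAXSCANSIZE bytes fit into the ramdisk at most (filesystem overhead is ignored, so the real number is lower).

```shell
#!/bin/sh
# Added example: console check of the HAVP ramdisk setup.
HAVP_TMP=/var/log/copfilter/default/opt/havp/tmp

# ramdisk_kib FILE: value of ramdisk_size= (in KiB) found in a kernel
# command line such as /proc/cmdline or the kernel line of grub.conf.
ramdisk_kib() {
    tr ' ' '\n' < "$1" | sed -n 's/^ramdisk_size=\([0-9][0-9]*\)$/\1/p' | tail -n 1
}

# ramdisk_enabled FILE: succeeds only for the exact, lower-case setting.
ramdisk_enabled() { grep -qx 'HAVP_RAMDISK=on' "$1"; }

# ramdisk_mounted FILE: FILE holds the output of 'mount'; succeeds if
# /dev/ram1 is mounted on the HAVP temp directory with the 'mand' option.
ramdisk_mounted() {
    awk -v dir="$HAVP_TMP" '
        $1 == "/dev/ram1" && $2 == "on" && $3 == dir && $6 ~ /[(,]mand[,)]/ { found = 1 }
        END { exit !found }' "$1"
}

# parallel_scans KIB MAXSCANSIZE: upper bound for the number of temporary
# files of MAXSCANSIZE bytes that fit into a ramdisk of KIB kibibytes.
parallel_scans() { echo $(( $1 * 1024 / $2 )); }

# havp_ramdisk_report CMDLINE SETTINGS MOUNT_OUTPUT MAXSCANSIZE
havp_ramdisk_report() {
    status=0
    kib=$(ramdisk_kib "$1")
    if [ -n "$kib" ]; then
        echo "kernel: ramdisk_size=${kib}K, room for at most $(parallel_scans "$kib" "$4") files of $4 bytes"
    else
        echo "kernel: ramdisk_size is not set"; status=1
    fi
    if ramdisk_enabled "$2"; then
        echo "global_settings: HAVP_RAMDISK=on"
    else
        echo "global_settings: line HAVP_RAMDISK=on not found (lower case required)"; status=1
    fi
    if ramdisk_mounted "$3"; then
        echo "mount: /dev/ram1 is mounted on $HAVP_TMP with mand"
    else
        echo "mount: no ramdisk on $HAVP_TMP"; status=1
    fi
    return $status
}

# Constructed sample data matching the values used in this tutorial.
demo() {
    d=$(mktemp -d) || return 1
    echo 'root=/dev/sda4 panic=10 init=/linuxrc rw ramdisk_size=64000' > "$d/cmdline"
    echo 'HAVP_RAMDISK=on' > "$d/global_settings"
    echo "/dev/ram1 on $HAVP_TMP type ext3 (rw,mand)" > "$d/mount.out"
    havp_ramdisk_report "$d/cmdline" "$d/global_settings" "$d/mount.out" 30720000
    result=$?
    rm -rf "$d"
    return $result
}

demo
```

On the IPCop itself, save the mount table first (`mount > /tmp/mount.out`) and pass '/proc/cmdline', the real 'global_settings' file and the MAXSCANSIZE value from the HAVP configuration.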

Specials

  • During Copfilter-“Restart all services”, HAVP start procedure is “somewhat” more detailed - don't worry, following output is normal:

[Screenshot: HAVP Restart]

V2-Logo

11. P3scan and mails are delayed (V2)

Problem

Mails are fetched with extreme delay.

  • SpamAssassin and Razor-, DCC- and DNSBL-lists are enabled.
  • In addition, the mails are checked with ClamAV.

Cause

The higher the detail level is set, the more system resources the IPCop scripts for traffic accounting consume.
Depending on CPU and RAM, the scripts run for several minutes.

Measured run time of '/usr/local/bin/aggregatetraffic.pl':

  • Detail level “Low”: approx. 9 seconds
  • Detail level “High”: approx. 130 seconds and more

A scan time of up to 30 seconds per mail can be normal, depending on the number of activated Copfilter-components.

However, if a mail retrieval happens exactly while the traffic accounting is running, the scan time of SpamAssassin etc. increases dramatically!

When troubleshooting problems with P3Scan/ProxSMTP and SpamAssassin, the timeout settings of the individual components also have to be considered.

These include, in addition to the client that fetches the mails:

  • P3scan (default value is 120 seconds: timeout=120 in /var/log/copfilter/default/opt/p3scan/etc/p3scan.conf)
  • ProxSMTP (default value is 180 seconds: Timeout: 180 in /var/log/copfilter/default/opt/proxsmtp/etc/proxsmtpd.conf)

So, under certain circumstances, scanning can take more than 90 seconds per mail!

Solution

1. Set detail level to “Low”:

[Screenshot: Traffic Accounting]

2. With the following patch for Copfilter version 2.0.90 and 2.0.91beta1 RBL checks can be disabled in Antispam GUI when Razor, DCC and DNSBL are enabled:

[Screenshot: AntiSpam-Patch]

Download

For Copfilter 2.0.90:

V1:cp-spamd_v2-2.0.90-speedup.tgz 2 KB
MD5SUM: A5CA5BBABC2E69BA0286778EEA3A0DBE

For Copfilter 2.0.91beta1:

V2:cp-spamd_v2-2.0.91beta-speedup.tgz 2 KB
MD5SUM: F0D3E48EF0E1B2137626C699602EB4E8

Installation

12. HAVP - Authentication-Problem

Italic quotes are from the original posting - it's unfortunately no longer available.

Problem

Because this issue comes up every now and then and was asked by several users, I would like to post a workaround to solve possible problems with the HAVP authentication.

Since HAVP can not perform authentication on websites, you can define an exclusion rule which excludes the affected website.

Response from the HAVP developer:


Quote:
Hi,
This site uses M$ NTLM authentication. It is impossible to get working with
current HAVP as it requires special features and architecture from a proxy
(connection pinning etc). Only Squid 2.6/2.7 are capable, even 3.0 doesn't
seem to have support for it.

Such sites are most likely to be internal and should require no scanning.
Your workaround with Squid is the correct way - also you can add such sites
as no-proxy in browser.

Solution

Log in on the console as 'root' using a suitable client (ssh, PuTTY, …) and run the following commands:
(Each code paragraph contains a single command line; the bold words in square brackets in between stand for the corresponding keystrokes.)

cd /tmp 

[ENTER]

Create backup first:

cd /var/log/copfilter/default/opt/havp/etc/init.d
cp copfilter_havp copfilter_havp_backup

Open file for editing:

nano copfilter_havp

Or:

vi copfilter_havp

Replace:

# COPFILTER START - havp - do not modify
acl copfilter_all src 0.0.0.0/0.0.0.0
acl Scan_HTTP proto HTTP
acl Scan_FTP proto FTP

cache_peer 127.0.0.1 parent 10080 0 no-query no-digest no-netdb-exchange default
cache_peer_access 127.0.0.1 allow copfilter_all

always_direct allow Scan_FTP
never_direct allow Scan_HTTP
# COPFILTER END - havp - do not modify

With:

copfilter_havp_acl
# COPFILTER START - havp - do not modify
acl copfilter_all src 0.0.0.0/0.0.0.0
acl Scan_HTTP proto HTTP
acl Scan_FTP proto FTP

cache_peer 127.0.0.1 parent 10080 0 no-query no-digest no-netdb-exchange default
cache_peer_access 127.0.0.1 allow copfilter_all

acl NOSCAN dstdomain www.websitehere.de
always_direct allow NOSCAN

always_direct allow Scan_FTP
never_direct allow Scan_HTTP
# COPFILTER END - havp - do not modify

These two lines are important:

acl NOSCAN dstdomain www.websitehere.de
always_direct allow NOSCAN

…don't forget to save!
Thus, this setting is stored permanently on IPCop and Copfilter can still change the settings through the GUI, without overwriting these entries. Next, restart HAVP via console:

/usr/local/bin/copfilter_restarthavp

Or restart HAVP via GUI.

If you wish to exclude further sites from HAVP, list them separated by spaces, e.g.:

acl NOSCAN dstdomain www.websitehere.de anotherwebseite.com

Please note:

  • This somewhat complicated procedure about editing 'copfilter_havp' is necessary so that these changes are not overwritten when Copfilter or Squid restart - upon restarting HAVP they will be placed in '/var/ipcop/proxy/squid.conf'.

Note

The desired exceptions can also be expanded very easily (by inserting in '/var/ipcop/proxy/acls/include.acl'):

Exception rule for another Client-PC:

acl NOSCANIP src <your IP-address>/32 <next IP>/32
always_direct allow NOSCANIP

Exception rule for specific file types (here: 'mpq'):

# anchored so that only URLs ending in .mpq are excluded from scanning
acl site url_regex -i \.mpq$
always_direct allow site

Block certain IP-addresses:

acl BANNED dst ip1 ip2 ip3 ip4 ip5
http_access deny BANNED

Block all IP-based accesses:

# '+' and the trailing '$' keep host names that merely start with digits from matching
acl ipacl dstdom_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$
http_access deny ipacl
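
How broadly a regular-expression ACL matches decides which requests go around HAVP unscanned (always_direct) and which are blocked (http_access deny). The following script is an added example, not part of the original page; it uses grep -E, which like Squid's *_regex ACL types works with POSIX extended regular expressions, on constructed URLs and host names to compare an unanchored pattern with an anchored one.

```shell
#!/bin/sh
# Added example: compare how broadly Squid-style regex patterns match.
# All URLs and host names below are constructed samples.

sample_urls() {
cat <<'EOF'
http://patch.example.net/updates/base.mpq
http://patch.example.net/updates/base.MPQ?rev=7
http://files.example.org/mpq-tools/setup.exe
http://www.example.com/download.php?name=mpqviewer.zip
http://www.example.com/index.html
EOF
}

sample_hosts() {
cat <<'EOF'
192.0.2.10
192.0.2.10.example.com
1.2.3.example.com
www.example.com
EOF
}

# matched PATTERN: print the stdin lines that a case-insensitive extended
# regular expression matches (the behaviour of an ACL with -i).
matched() { grep -Ei -- "$1" || true; }

# count PATTERN: number of stdin lines the pattern matches.
count() { matched "$1" | wc -l | tr -d ' '; }

report() {
    echo "URLs excluded from scanning (of 5):"
    echo "  mpq             : $(sample_urls | count 'mpq')"
    echo "  \\.mpq\$          : $(sample_urls | count '\.mpq$')"
    echo "  \\.mpq(\\?.*)?\$   : $(sample_urls | count '\.mpq(\?.*)?$')"
    echo "Hosts treated as IP-based access (of 4):"
    echo "  unanchored, '*' : $(sample_hosts | count '^[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*')"
    echo "  anchored, '+'   : $(sample_hosts | count '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$')"
}

report
```

The plain pattern also exempts the setup.exe and the zip download from scanning because "mpq" appears somewhere in their URLs, and the unanchored IP pattern also blocks the two host names that only begin with digits.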


An overview of the Squid access list options can be found here:
http://wiki.squid-cache.org/SquidFaq/SquidAcl

en/tips_and_tricks.txt · Last modified: 2016/12/04 13:01 by fischerm