Freshclam with Proxy enabled over HTTP uses CONNECT instead of GET. Proxy only allows CONNECT for HTTPS
Describe the bug
Our freshclam process is trying to update the signatures through a mirror server.
The connection must go through a proxy.
freshclam seems to make an HTTP call with the verb CONNECT on port 80.
However, the proxy only allows CONNECT calls on port 443.
```
┌─────────────┐                                       ┌─────────────────┐             ┌─────────────┐
│             │                                       │                 │             │             │
│   ClamAV    │  CONNECT proxy-server.org:80 HTTP     │      PROXY      │             │  Database   │
│  freshclam  ├──────────────────────────────────────►│  port 443 only  ├────────────►│             │
└─────────────┘                                       └─────────────────┘             └─────────────┘
```
Is it possible to configure the port?
What happens when you change the :80 to :443?
That would be awesome!
Is there a way to configure the port freshclam is making the call on?
To your proxy? In the FreshClam.conf file?
I suppose the example config doesn't show it, but you have some options to customize the DatabaseMirror URL.
Some examples:
For a basic HTTPS connection on port 443:
```
DatabaseMirror yourserver
```
For an HTTP connection on port 8000:
```
DatabaseMirror http://yourserver:8000
```
For an HTTP connection on port 8000 with a subdirectory:
```
DatabaseMirror http://yourserver:8000/somepath
```
But these are just for a regular mirror. You say there's a proxy between you and the mirror. FreshClam has some proxy config options as well. Some examples for how to use it can be found in the sample config: https://github.com/Cisco-Talos/clamav/blob/dev/0.104/etc/freshclam.conf.sample#L120
Let me be more precise about the observed and annoying behaviour: it is mainly due to the fact that even when trying to reach a mirror with http (not https), freshclam tries to use a CONNECT verb with the proxy, which is really uncommon. Example with an expected behaviour:
```
# freshclam.conf
HTTPProxyServer myproxyserver.com
HTTPProxyPort 1234
HTTPProxyUsername myusername
HTTPProxyPassword mypass
```
In this case freshclam will issue a CONNECT verb to the proxy in order to reach the public mirrors (on port 443 I guess), which totally makes sense.
Example with an unexpected behaviour:
```
# freshclam.conf
HTTPProxyServer myproxyserver.com
HTTPProxyPort 1234
HTTPProxyUsername myusername
HTTPProxyPassword mypass
PrivateMirror machine1.mylan
DatabaseMirror machine1.mylan
```
In this case freshclam still issues a CONNECT verb to the proxy even when trying to reach the internal mirror (machine1.mylan) on port 80, which is very unusual.
This is an issue because then the (eg. squid) proxy opens a tunnel and won't apply any more filtering once the tunnel is open. Here is the issue: https://github.com/Cisco-Talos/clamav/blob/main/libfreshclam/libfreshclam_internal.c#L706
I've noticed that calling freshclam -v on a shell w/ http_proxy/https_proxy environment variables works, so I've removed the HTTPProxyServer and HTTPProxyPort from the config and added a systemd drop-in (/etc/systemd/system/clamav-freshclam.service.d/10-Proxy.conf):
```
[Service]
Environment=http_proxy=<host>:<port>
Environment=https_proxy=<host>:<port>
```
After systemd daemon-reload and systemd restart clamav-freshclam everything works :tada:
Hello,
I have run into this same issue: even when defining DatabaseMirror as http://database.clamav.net the request keeps going through the proxy using CONNECT. I think this is caused because when freshclam sees that the HTTPProxy parameters are set it applies the CURLOPT_HTTPPROXYTUNNEL option, which forces the request to be sent using tunneling (https://curl.se/libcurl/c/CURLOPT_HTTPPROXYTUNNEL.html).
So for now the only option to be able to actually cache the database files is to comment out the HTTPProxy parameters in freshclam.conf and set the http_proxy and https_proxy environment variables before calling the freshclam script, as @morph027 suggested.
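The two observations in this thread (the reporter's point that a CONNECT tunnel makes the proxy stop filtering, and the last comment's explanation that HTTPProxyServer in freshclam.conf turns on CURLOPT_HTTPPROXYTUNNEL) can be put side by side in a small model. The script below is an added example, not ClamAV or libcurl code: it builds the first request line a forward proxy would see for a mirror URL in tunnel and non-tunnel mode, then applies a Squid-style "CONNECT only to SSL ports" policy, which is assumed to be what the reporter's proxy enforces. The mapping "proxy from freshclam.conf forces the tunnel, proxy from the environment leaves libcurl's default" is taken from the comments above; the URLs, hostnames and the `evaluate` helper are constructed for the demonstration.

```python
"""Which request a forward proxy sees for a freshclam mirror fetch.

Added example for this thread; it is not ClamAV or libcurl code. It models two
things reported above: (1) the proxy sees "GET http://host/path" for a plain
proxied request but only "CONNECT host:port" for a tunnel, and (2) per the last
comment, HTTPProxyServer in freshclam.conf turns on CURLOPT_HTTPPROXYTUNNEL, so
every fetch becomes a CONNECT, whereas http_proxy/https_proxy in the environment
leave libcurl's default (CONNECT only for https URLs). The proxy policy mirrors
Squid's stock "deny CONNECT !SSL_ports" rule, assumed to be what the reporter's
proxy enforces. All URLs below are constructed samples.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def proxy_request_line(url: str, tunnel: bool) -> str:
    """First line the client sends to the proxy for `url`.

    tunnel=False -> absolute-form request; the proxy can filter the URL and
                    cache the response (only possible for http URLs).
    tunnel=True  -> CONNECT host:port; the proxy sees only the endpoint and
                    then relays bytes blindly. https always needs this.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"unsupported mirror URL: {url!r}")
    host = parts.hostname
    port = parts.port or DEFAULT_PORTS[scheme]
    if tunnel or scheme == "https":
        return f"CONNECT {host}:{port} HTTP/1.1"
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    # Absolute-form URI: a non-default port must be carried in the target.
    authority = host if port == DEFAULT_PORTS[scheme] else f"{host}:{port}"
    return f"GET {scheme}://{authority}{target} HTTP/1.1"


def tunnel_forced(proxy_source: str) -> bool:
    """As described in this thread: proxy settings from freshclam.conf force the
    libcurl tunnel option; settings from the environment do not."""
    if proxy_source == "freshclam.conf":
        return True
    if proxy_source == "environment":
        return False
    raise ValueError(f"unknown proxy source: {proxy_source!r}")


def proxy_decision(request_line: str, ssl_ports=frozenset({443})) -> tuple:
    """Squid-style policy: CONNECT only to SSL_ports; other requests are allowed
    and stay visible to filtering and the cache. Returns (allowed, reason)."""
    method, target, _version = request_line.split(" ", 2)
    if method == "CONNECT":
        _host, _sep, port = target.rpartition(":")
        if int(port) in ssl_ports:
            return True, "allowed: opaque tunnel, proxy cannot filter or cache it"
        return False, "denied: CONNECT to a non-SSL port"
    return True, "allowed: proxy can inspect, filter and cache the response"


def evaluate(url: str, proxy_source: str) -> dict:
    """Combine the pieces: what freshclam sends and what the proxy does with it."""
    line = proxy_request_line(url, tunnel_forced(proxy_source))
    allowed, reason = proxy_decision(line)
    return {"request": line, "allowed": allowed, "reason": reason}


if __name__ == "__main__":
    cases = [
        ("http://machine1.mylan/main.cvd", "freshclam.conf"),        # reporter's failing setup
        ("http://machine1.mylan/main.cvd", "environment"),           # the env-var workaround
        ("https://database.clamav.net/main.cvd", "freshclam.conf"),  # public mirror, works
        ("http://yourserver:8000/somepath/main.cvd", "environment"),
    ]
    for url, source in cases:
        r = evaluate(url, source)
        print(f"{source:14} {url:45} -> {r['request']:48} {r['reason']}")
```

Running it shows the asymmetry the thread is about: the internal http mirror with proxy settings in freshclam.conf produces `CONNECT machine1.mylan:80`, which the policy denies (and which, on a proxy that did allow it, would be an unfiltered, uncached tunnel), while the same mirror with the proxy taken from the environment produces `GET http://machine1.mylan/main.cvd`, which the proxy can inspect and cache.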