Recently I made a fruitless attempt to pair my Squid with ClamAV. Unfortunately, the variant presented there annoys the user with additional clicking. All the automatic software updates also stopped working with the ICAP solution. Firefox and co. apparently have no index finger to click the download button with the mouse ;-)
So I have now tried a second round, this time with HAVP.
I also found quite a good guide, 'Havp between Squid', which worked right away and also performs very well:

~# apt-get install havp
....
~# lsof -i :8080
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
havp 24098 havp 4u IPv4 990545171 TCP *:webcache (LISTEN)
havp 24107 havp 4u IPv4 990545171 TCP *:webcache (LISTEN)
havp 24109 havp 4u IPv4 990545171 TCP *:webcache (LISTEN)
havp 24111 havp 4u IPv4 990545171 TCP *:webcache (LISTEN)
havp 24117 havp 4u IPv4 990545171 TCP *:webcache (LISTEN)
havp 24119 havp 4u IPv4 990545171 TCP *:webcache (LISTEN)
havp 24121 havp 4u IPv4 990545171 TCP *:webcache (LISTEN)
havp 24123 havp 4u IPv4 990545171 TCP *:webcache (LISTEN)
havp 24126 havp 4u IPv4 990545171 TCP *:webcache (LISTEN)
~# vi /etc/havp/havp.config

...
# You must remove this line for HAVP to start.
# This makes sure you have (hopefully) reviewed the configuration. :)
# Hint: You must enable some scanner! Find them in the end..
# REMOVETHISLINE deleteme
# PARENTPROXY localhost
# PARENTPORT 3128
PARENTPROXY localhost
PARENTPORT 3128

...
# Default:
# X_FORWARDED_FOR false
X_FORWARDED_FOR true
....
# ENABLESOPHIE false
# Default:
# SOPHIESOCKET /var/run/sophie


~# vi /etc/squid3/squid.conf

...
# Sandwich config for HAVP
icp_port 0
# scanning through HAVP
cache_peer localhost parent 8080 0 no-query no-digest no-netdb-exchange default

....
#Default:
# cache_mem 8 MB
# Memory usage values
cache_mem 64 MB

....
#Default:
# maximum_object_size 4096 KB
maximum_object_size 65536 KB
....
#Default:
# memory_pools on
memory_pools off
....
#Default:
# cache_dir ufs /var/spool/squid 100 16 256
# 4 GB store on disk
cache_dir aufs /var/spool/squid 4096 16 256

....
#Default:
#cache_store_log /var/log/squid/proxy01.store.log
# no store log
cache_store_log none

....
#Default:
# ftp_passive on
ftp_passive off
....
#Default:
# forwarded_for on
# no X-Forwarded-For header
forwarded_for off

....
#Default:
# buffered_logs off
# Speed up logging
buffered_logs on

....
#Default:
# strip_query_terms on
# no logfile entry stripping
strip_query_terms off

....
#Default:
# pipeline_prefetch off
# Speed, speed, speed
pipeline_prefetch on

#Default:
# half_closed_clients on
half_closed_clients off
#Default:
# shutdown_lifetime 30 seconds
shutdown_lifetime 1 second
....
#We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?
....
#Suggested default:
##refresh_pattern ^ftp: 1440 20% 10080
##refresh_pattern ^gopher: 1440 0% 1440
##refresh_pattern . 0 20% 4320
# And now: define caching parameters
refresh_pattern ^ftp: 20160 50% 43200
refresh_pattern -i \.(jpe?g|gif|png|ico)$ 43200 100% 43200
refresh_pattern -i \.(zip|rar|arj|cab|exe)$ 43200 100% 43200
refresh_pattern windowsupdate.com/.*\.(cab|exe)$ 43200 100% 43200
refresh_pattern download.microsoft.com/.*\.(cab|exe)$ 43200 100% 43200
refresh_pattern -i \.(cgi|asp|php|fcgi)$ 0 20% 60
refresh_pattern . 20160 50% 43200

....
acl HTTP proto HTTP
acl localhost src 127.0.0.0/8
# Do not scan the following domains
acl noscan urlpath_regex -i \.(jpe?g|gif|png|ico)$
# XXX acl noscan dstdomain proxy.domain.com
# We do not want traffic to these sites:
# XXX acl evil dstdomain www.veryevildomain.dom

....
# TAG: via on|off
# If set (default), Squid will include a Via header in requests and
# replies as required by RFC2616.
#
#Default:
# via on
## header_access Via deny all
# 'header_access Via ..' no longer exists!!
via off
# But this produces a warning: WARNING: HTTP requires the use of Via
....
#We recommend you to use the following two lines.
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
# Do not cache requests from localhost, SSL-encrypted or dynamic content.
acl localhost src 127.0.0.1/32
no_cache deny localhost
no_cache deny CONNECT
no_cache allow all

....
#Default:
# none
# Do not forward parent requests from localhost (loop-prevention) or
# to "noscan"-domains or SSL-encrypted requests to parent.
always_direct allow localhost
always_direct allow CONNECT
always_direct allow noscan
always_direct deny HTTP

....
#Default:
# none
never_direct deny localhost
never_direct deny CONNECT
never_direct deny noscan
never_direct allow HTTP

....

~# /etc/init.d/havp restart
Restarting havp: Starting HAVP Version: 0.86
havp.
~# /etc/init.d/squid3 restart
Restarting Squid HTTP Proxy 3.0: squid3 Waiting......done.
2008/01/09 18:25:57| WARNING: HTTP requires the use of Via
.
~#

The test download of an EICAR test virus immediately produced a clean error message:
HAVP says 'Hello!'
Note:
Using the new parameter 'via off' does not seem to be a bad idea either. Without it everything (apparently) works too, but /var/log/messages is full of lines like this:
...
Jan 09 18:31:18 proxy squid[17279]: WARNING: Forwarding loop detected for: GET /squid-users@squid-cache.org/msg
...
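
The always_direct / never_direct rules in the squid.conf above decide which requests are handed to the HAVP parent on port 8080 and which Squid fetches itself, unscanned. The following is an added example, not part of the original post or of Squid: a small model of those two rule lists, run over constructed sample requests. It assumes the stock "acl CONNECT method CONNECT" definition, and the names route, first_match and SAMPLES are made up for this illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# ACLs from the squid.conf excerpt. CONNECT is assumed to be the stock
# "acl CONNECT method CONNECT" of the default squid.conf (not shown on the page).
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
NOSCAN = re.compile(r"\.(jpe?g|gif|png|ico)$", re.IGNORECASE)

def urlpath(url):
    # urlpath_regex is matched against the path plus query string, without host
    parts = urlsplit(url)
    return parts.path + ("?" + parts.query if parts.query else "")

def is_connect(req):
    return req["method"] == "CONNECT"

ACLS = {
    "localhost": lambda r: ipaddress.ip_address(r["src"]) in LOOPBACK,
    "CONNECT": is_connect,
    "noscan": lambda r: not is_connect(r) and bool(NOSCAN.search(urlpath(r["url"]))),
    "HTTP": lambda r: not is_connect(r) and urlsplit(r["url"]).scheme == "http",
}
# Rule lists in the order they appear in the config; the first matching ACL decides.
ALWAYS_DIRECT = [("allow", "localhost"), ("allow", "CONNECT"),
                 ("allow", "noscan"), ("deny", "HTTP")]
NEVER_DIRECT = [("deny", "localhost"), ("deny", "CONNECT"),
                ("deny", "noscan"), ("allow", "HTTP")]

def first_match(rules, req):
    for action, acl in rules:
        if ACLS[acl](req):
            return action
    return None

def route(req):
    if first_match(ALWAYS_DIRECT, req) == "allow":
        return "direct"   # fetched by Squid itself, HAVP never sees it
    if first_match(NEVER_DIRECT, req) == "allow":
        return "havp"     # forced through cache_peer localhost:8080
    return "unmodelled"   # no rule matched; not covered by this model

# Constructed sample requests (addresses and URLs are made up).
SAMPLES = [
    {"src": "192.168.1.20", "method": "GET", "url": "http://example.org/setup.exe"},
    {"src": "192.168.1.20", "method": "GET", "url": "http://example.org/logo.PNG"},
    {"src": "192.168.1.20", "method": "CONNECT", "url": "example.org:443"},
    {"src": "127.0.0.1", "method": "GET", "url": "http://example.org/setup.exe"},
]

if __name__ == "__main__":
    for req in SAMPLES:
        print(route(req), req["method"], req["url"], "from", req["src"])
```

Everything that comes back as "direct" is outside HAVP's view: SSL tunnels via CONNECT, URLs matching the noscan pattern, and the requests HAVP itself sends back to Squid from localhost.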