ClearFoundation Tracker - ClearOS |
View Issue Details |
|
ID | Project | Category | View Status | Date Submitted | Last Update |
0006791 | ClearOS | app-web-proxy - Web Proxy | public | 2016-01-01 06:26 | 2018-02-20 18:15 |
|
Reporter | user2 | |
Assigned To | user2 | |
Priority | normal | Severity | minor | Reproducibility | have not tried |
Status | closed | Resolution | won't fix | |
Platform | | OS | | OS Version | |
Product Version | 6.7.0 | |
Target Version | 6.9.0 Updates | Fixed in Version | | |
|
Summary | 0006791: Avast antivirus hammers web proxy with loop error |
Description | The Avast antivirus engine gets itself into a loop in the web proxy. This not only degrades proxy performance, but also creates very large /var/log/squid/cache.log files.
Is this related:
https://forum.avast.com/index.php?topic=90129.0 |
Steps To Reproduce | |
Additional Information | Workarounds.
To identify workstations running Avast, search the log files for entries of traffic browsing port 8080 that don't originate from the server...for example, if your server was 192.168.1.1:
1453207399.270 120000 192.168.1.96 TCP_MISS/000 0 GET http://192.168.1.1:8080/ - DIRECT/192.168.1.1 -
you will see lines like this for the recursives, but you will also see other traffic like this:
1453207399.287 120046 192.168.1.159 TCP_MISS/000 0 GET http://192.168.1.1:8080/ - DIRECT/192.168.1.123 -
This also may work:
grep "http://192.168.1.1:8080" /var/log/squid/access.log | grep -v "DIRECT/192.168.1.1 "
(Notice the space at the end of the "DIRECT/192.168.1.1 " portion)
In this case, 192.168.1.123 is your culprit machine. Your options are to remove Avast from this workstation or to create a custom firewall rule so that it will bypass the proxy (see: https://www.clearos.com/resources/documentation/clearos/content:en_us:kb_o_custom_firewall_module_examples) |
Tags | No tags attached. |
Relationships | |
Attached Files | |
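The log search described under Additional Information, as an added example that is not part of the original report or of ClearOS: a shell function that reads a Squid native-format access.log, keeps requests for the proxy's own filter port, drops the server's own recursive entries by exact field comparison (so 192.168.1.10 or port 80801 cannot match by accident), and counts entries per host named after DIRECT/, which the report treats as the culprit. The function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not ClearOS code. Usage:
#   find_loop_sources SERVER_IP [PORT] < /var/log/squid/access.log
# Prints "count host" for every DIRECT/ peer host other than the server,
# highest count first.
find_loop_sources() {
    awk -v server="$1" -v port="${2:-8080}" '
        # Native format: time elapsed client code/status bytes method URL ident hier/peer type
        NF >= 9 {
            prefix = "http://" server ":" port
            if (index($7, prefix) != 1) next            # URL is not the proxy itself
            rest = substr($7, length(prefix) + 1)
            if (rest != "" && substr(rest, 1, 1) != "/") next   # e.g. port 80801
            split($9, hier, "/")
            peer = hier[2]
            if (peer == server || peer == "-" || peer == "") next  # recursive or no peer
            count[peer]++
        }
        END { for (p in count) print count[p], p }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample input: the two lines quoted in the report plus
# made-up entries covering the cases the filter has to tell apart.
sample_log() {
    cat <<'EOF'
1453207399.270 120000 192.168.1.96 TCP_MISS/000 0 GET http://192.168.1.1:8080/ - DIRECT/192.168.1.1 -
1453207399.287 120046 192.168.1.159 TCP_MISS/000 0 GET http://192.168.1.1:8080/ - DIRECT/192.168.1.123 -
1453207401.102 120031 192.168.1.159 TCP_MISS/000 0 GET http://192.168.1.1:8080/ - DIRECT/192.168.1.123 -
1453207402.415 119987 192.168.1.77 TCP_MISS/000 0 GET http://192.168.1.1:8080/ - DIRECT/192.168.1.140 -
1453207403.000 212 192.168.1.50 TCP_MISS/200 5120 GET http://example.com/ - DIRECT/93.184.216.34 text/html
1453207404.000 15 192.168.1.51 TCP_MISS/200 812 GET http://192.168.1.10:8080/ - DIRECT/192.168.1.10 text/html
1453207405.000 3 192.168.1.52 TCP_DENIED/403 0 GET http://192.168.1.1:8080/ - NONE/- text/html
EOF
}

# Run against the constructed sample; on a real server, redirect the log file instead.
sample_log | find_loop_sources 192.168.1.1
```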
|
Issue History |
Date Modified | Username | Field | Change |
2016-01-01 06:26 | user2 | New Issue | |
2016-01-01 06:27 | user2 | Status | new => confirmed |
2016-01-21 08:54 | dloper | Additional Information Updated | bug_revision_view_page.php?rev_id=791#r791 |
2016-02-16 12:55 | user2 | Target Version | 6.7.0 Updates => 6.8.0 Updates |
2016-03-15 10:50 | bchambers | Note Added: 0002831 | |
2016-03-15 11:01 | bchambers | Note Added: 0002841 | |
2016-03-15 11:01 | bchambers | Note Deleted: 0002841 | |
2016-03-15 11:06 | bchambers | Note Added: 0002851 | |
2016-04-28 13:26 | dloper | Note Added: 0003131 | |
2016-05-20 07:50 | bchambers | Note Added: 0003281 | |
2016-12-21 07:12 | dcclayton | Note Added: 0004431 | |
2017-03-21 08:42 | user2 | Target Version | 6.8.0 Updates => 6.9.0 Updates |
2018-02-20 18:15 | user2 | Note Added: 0007161 | |
2018-02-20 18:15 | user2 | Status | confirmed => resolved |
2018-02-20 18:15 | user2 | Resolution | open => won't fix |
2018-02-20 18:15 | user2 | Assigned To | => user2 |
2018-02-20 18:15 | user2 | Status | resolved => closed |
Notes |
|
|
The two workarounds suggested (remove Avast and allow desktop running Avast to bypass proxy) don't work if you have a 'public' network where users bring their own laptops and connect to your network. In connecting, they can inadvertently bring down web access for all. Yikes.
Open ticket for just this scenario.
I found this suggestion:
In /etc/dansguardian-av/lists/bannedregexpheaderlist, add the following line:
User-Agent: avast.*
And then restart the ClearOS content filter:
service dansguardian-av restart
But I'm not sure it was reported to work. |
|
|
|
Possible solution???
...
follow_x_forwarded_for webconfig_lan
follow_x_forwarded_for deny all
... |
|
|
(0003131)
|
dloper
|
2016-04-28 13:26
|
|
If the client is using transparent mode you can use the custom firewall to block directed access to port 8080 on the LAN segment with a rule similar to:
iptables -t mangle -I PREROUTING -i eth1 -p tcp --destination-port 8080 -s ! 10.10.10.1 -j DROP # Drop 8080 queries from external
Or
iptables -t mangle -I PREROUTING -i eth1 -p tcp --dport 8080 -j DROP |
|
|
|
Alternative workaround...move DG port to something other than 8080.
For now, you need to edit two files:
/etc/dansguardian-av/dansguardian.conf
filterport = 8080
and
/usr/clearos/apps/firewall/deploy/firewall.lua
local SQUID_FILTER_PORT = "8080"
Change the 8080 references to an alt port...eg. 8081.
Restart services:
service dansguardian-av restart
service firewall restart |
|
|
|
There is a very similar issue with Webroot AV which tries to look at an AWS hosted domain. |
|
|
(0007161)
|
user2
|
2018-02-20 18:15
|
|
Upgrade to ClearOS 7. The version of Squid in ClearOS 6 does not mitigate this issue. |
|