Gentoo + Squid + Radius Auth + sslBump + remote SquidClamav + SquidGuard // non-transparent official proxy in a corporate environment

What to know:
Squid caches and breaks the clients' encryption, MITM style. After a client's request it establishes connections to both sides. Towards the server it impersonates the client and verifies the server's certificate; a rejected server certificate is reported to the real client as an error. Towards the client it acts as the server: once the real server's certificate has passed verification, it generates a new certificate for that host on the fly, signed by its own root CA, and presents it to the real client. Squid's own root CA certificate must therefore be imported into your real clients' browsers as a trusted root CA. Two consequences to keep in mind: the private key of that root CA is the most sensitive file on the proxy (whoever holds it can intercept every user's HTTPS traffic without anyone noticing), so keep it readable by the squid user only; and the sslproxy_cert_error lines in the configuration below deliberately switch server-side verification off for intranet servers and a list of exception sites, so for those destinations a bad upstream certificate is accepted silently and the client never sees an error.
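The following script is an added example, not code from the original post. It performs the client side of what is described above: a CONNECT to the proxy (with the Basic credentials the RADIUS auth below expects), a TLS handshake inside the tunnel, and a look at who issued the certificate that comes back. If the issuer is the proxy's own root CA the connection was bumped; a public CA means it was spliced (sites_noBump) or not intercepted at all. The proxy address 127.0.0.1:8080 is taken from the http_port line below; the CA common name "MyCompany Proxy CA" and the PEM path are placeholders you have to replace with your own.

```python
"""Report whether the proxy bumps or splices TLS for a given site.

Added example, not code from the original post. It performs the client side of
what the text above describes: a CONNECT to the proxy (with the Basic
credentials the RADIUS auth expects), a TLS handshake inside the tunnel, and a
look at the issuer of the certificate that comes back.
"""
import base64
import socket
import ssl
from typing import Optional

# Assumptions, not taken from the original page: adjust to your deployment.
PROXY = ("127.0.0.1", 8080)                          # http_port in squid.conf
PROXY_CA_CN = "MyCompany Proxy CA"                   # CN of the CA that signs the forged certs
PROXY_CA_PEM = "/etc/squid/ssl_cert/proxy.de.cert"  # cert= in squid.conf


def build_connect_request(host: str, port: int,
                          user: Optional[str] = None, password: Optional[str] = None) -> bytes:
    """CONNECT request as a browser would send it, optionally with Basic auth."""
    lines = [f"CONNECT {host}:{port} HTTP/1.1", f"Host: {host}:{port}"]
    if user is not None:
        token = base64.b64encode(f"{user}:{password or ''}".encode()).decode("ascii")
        lines.append(f"Proxy-Authorization: Basic {token}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_connect_status(reply: bytes) -> int:
    """HTTP status of the proxy's answer: 200 = tunnel open, 407 = credentials needed, 403 = denied."""
    status_line = reply.split(b"\r\n", 1)[0]
    parts = status_line.split(b" ")
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    return int(parts[1])


def issuer_common_name(peercert: dict) -> str:
    """Issuer CN from the dict that SSLSocket.getpeercert() returns."""
    for rdn in peercert.get("issuer", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return ""


def classify(peercert: dict, proxy_ca_cn: str = PROXY_CA_CN) -> str:
    """'bumped' if the proxy CA signed the certificate, otherwise 'spliced' (or not proxied at all)."""
    return "bumped" if issuer_common_name(peercert) == proxy_ca_cn else "spliced"


def probe(target: str, user: Optional[str] = None, password: Optional[str] = None,
          proxy=PROXY, proxy_ca_cn: str = PROXY_CA_CN, proxy_ca_pem: str = PROXY_CA_PEM) -> str:
    """Open the tunnel, handshake, and classify. Needs network access to the proxy."""
    ctx = ssl.create_default_context()
    ctx.load_verify_locations(cafile=proxy_ca_pem)  # trust the proxy CA, as the browsers must
    with socket.create_connection(proxy, timeout=10) as raw:
        raw.sendall(build_connect_request(target, 443, user, password))
        reply = b""
        while b"\r\n\r\n" not in reply:
            chunk = raw.recv(4096)
            if not chunk:
                raise ConnectionError("proxy closed the connection before answering CONNECT")
            reply += chunk
        status = parse_connect_status(reply)
        if status != 200:
            raise PermissionError(f"CONNECT {target}:443 refused with status {status}")
        # The proxy is now just a pipe; whoever answers the handshake is either
        # Squid (bump) or the real server (splice). Hostname and chain are verified.
        with ctx.wrap_socket(raw, server_hostname=target) as tls:
            return classify(tls.getpeercert(), proxy_ca_cn)


if __name__ == "__main__":
    import sys
    site, *creds = sys.argv[1:]          # usage: probe.py www.example.com [user password]
    print(site, probe(site, *creds[:2]))
```

Run it once against a site in sites.ssl.noBump.server_name_regex and once against any other site: the first should print "spliced", the second "bumped". A 407 means the RADIUS credentials were not accepted, a 403 means an http_access rule denied the CONNECT before any bumping happened.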

There are a lot of descriptions available; I will not retype them. But here are some hints for problems I stumbled upon:

Root CA cert creation
Use your company's real name as the common name, so that a user who inspects the certificate of a bumped site can see who is intercepting the connection.

Check your servers openssl cipher set
Sometimes your default OpenSSL installation does not support ECDH ciphers. You will need them: current browsers prefer ECDHE key exchange, and without it the cipher strings below fall back to plain RSA key exchange with no forward secrecy. On Gentoo the usual culprit is the bindist USE flag on dev-libs/openssl, which strips the elliptic-curve algorithms; rebuild OpenSSL without it. A quick check is "openssl ciphers -v 'ECDH'", which prints the ECDH suites the library offers, or an error if there are none.
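The script below is an added example, not code from the original post. It takes the exact cipher string used for http_port cipher= and sslproxy_cipher in the squid.conf below, lets OpenSSL expand it, and reports how many of the resulting suites use ECDHE key exchange. It uses the OpenSSL that Python is linked against, so run it on the proxy host, and keep in mind that Squid may be linked against a different OpenSSL build than Python.

```python
"""Check that Squid's cipher string leaves ECDHE key exchange available.

Added example, not code from the original post. SQUID_CIPHERS is the string used
for http_port cipher= and sslproxy_cipher in the squid.conf below; it is compiled
here by the OpenSSL that Python is linked against, so run this on the proxy host,
and keep in mind that Squid may be linked against a different OpenSSL build.
"""
import ssl
from collections import Counter

SQUID_CIPHERS = "HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS"


def ecdhe_suites(ciphers):
    """Names of the suites whose key exchange is ephemeral ECDH.

    'kea' is the key-exchange field in the dicts returned by SSLContext.get_ciphers();
    TLS 1.3 suites report 'kx-any' there because 1.3 negotiates key exchange separately.
    """
    return [c["name"] for c in ciphers if c.get("kea") == "kx-ecdhe"]


def key_exchange_summary(ciphers):
    """Count suites per key-exchange method, e.g. {'kx-ecdhe': 40, 'kx-dhe': 20, 'kx-rsa': 15}."""
    return dict(Counter(c.get("kea", "unknown") for c in ciphers))


def compile_cipher_string(cipher_string):
    """Let OpenSSL expand the cipher string; raises ValueError if nothing survives."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError as exc:
        raise ValueError(f"OpenSSL rejected cipher string {cipher_string!r}: {exc}") from exc
    return ctx.get_ciphers()


def check(cipher_string=SQUID_CIPHERS):
    """Return a small report; 'ok' is False when the build offers no ECDHE suite at all."""
    ciphers = compile_cipher_string(cipher_string)
    ecdhe = ecdhe_suites(ciphers)
    return {
        "total": len(ciphers),
        "ecdhe": len(ecdhe),
        "by_key_exchange": key_exchange_summary(ciphers),
        "ok": bool(ecdhe),
    }


if __name__ == "__main__":
    report = check()
    print(f"OpenSSL {ssl.OPENSSL_VERSION}")
    for key, value in report.items():
        print(f"{key:>16}: {value}")
    if not report["ok"]:
        raise SystemExit("no ECDHE suites: this OpenSSL build lacks EC support")
```

If the report shows zero ECDHE suites while "by_key_exchange" still lists kx-rsa entries, the library works but was built without EC, which is exactly the situation described above.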

Some Hints

HTTPS:

squidclamav works properly on sslBumped traffic (the ICAP services below see the decrypted requests and responses).

You can't filter URL-path stuff with Squid alone, even if you have sslBumped the traffic: those details are tunnelled via the CONNECT protocol from client to server. As a result you need some kind of redirector, or c-icap/eCAP-capable software, that handles this CONNECT tunnel stuff for you. I've tried a lot of stuff, but either it was payware or it was no longer under development. I ended up with old-school squidGuard. You have to know that Squid filters first, via its own ruleset, and squidGuard is the second filter instance.
There were three major problems with squidGuard:

1.:
If it handles sslBumped HTTPS traffic (which means breaking the CONNECT tunnel) and filters something based on the domain part of a URL, it will not redirect properly to your error/info CGI.
2.:
The squidGuard configuration file does not know any include functionality.
3.:
You can't quote the '#' character in rulesets. That's bad for filtering URLs like icloud/#mail. (Keep in mind that everything after '#' is the URL fragment, which the browser never sends to the server, so neither Squid nor squidGuard nor any other proxy-side filter ever sees it; such a page can only be matched on its host and path.)

The first problem you can solve the following way: use both the Squid AND the squidGuard filtering opportunities. In the first stage filter domain/hostname stuff only, using Squid's own mechanism; in the second stage use squidGuard for filtering stuff embedded in URL paths only.

Using Shalla

Shalla lists are great, but you have to process them before Squid can use them: they contain a lot of subdomain duplicates, which have to be removed automatically. Squid's dstdomain ACL treats an entry as redundant when its parent domain is in the same list; it logs a warning for each such entry and ignores it, so feeding the raw lists produces a flood of warnings in cache.log on every reconfigure.
Don't forget to ask the Shalla people for a license.
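The script below is an added example, not code from the original post, for the processing step just described: it reads a Shalla "domains" file and writes a Squid dstdomain list with the subdomain duplicates removed. A dstdomain entry with a leading dot (".example.com") matches the domain and every subdomain, so each surviving domain is written that way; IP addresses, which Shalla lists also contain, are kept bare. The output format of one entry per line is what the *.dstdom files referenced by shalla.include below look like; the file names in the usage comment are assumptions.

```python
"""Convert Shalla 'domains' files into Squid dstdomain lists without subdomain duplicates.

Added example, not code from the original post. A Squid dstdomain entry with a
leading dot ('.example.com') matches the domain and every subdomain, so listing
'mail.example.com' next to 'example.com' is redundant; Squid warns about each
such entry at startup and drops it. The .dstdom files referenced by
shalla.include below are the kind of output this produces.
"""
import ipaddress
import sys
from typing import Iterable, List, Set


def normalize(entry: str) -> str:
    """Lower-case, strip whitespace and leading/trailing dots; '' for blank lines."""
    return entry.strip().lower().strip(".")


def is_ip(entry: str) -> bool:
    """Shalla lists contain bare IPv4/IPv6 addresses; those must not get a leading dot."""
    try:
        ipaddress.ip_address(entry)
        return True
    except ValueError:
        return False


def has_listed_parent(domain: str, listed: Set[str]) -> bool:
    """True if any parent of 'a.b.example.com' (b.example.com, example.com, com) is itself listed."""
    labels = domain.split(".")
    return any(".".join(labels[i:]) in listed for i in range(1, len(labels)))


def dedupe_domains(lines: Iterable[str]) -> List[str]:
    """Sorted dstdomain entries: domains get a leading dot, IP addresses stay bare.

    Case and trailing dots are normalized first, so 'Mail.Example.com.' and
    'mail.example.com' collapse into one entry before the parent check runs.
    """
    listed: Set[str] = set()
    for line in lines:
        entry = normalize(line)
        if entry and not entry.startswith("#"):
            listed.add(entry)
    result = []
    for entry in sorted(listed):
        if is_ip(entry):
            result.append(entry)
        elif not has_listed_parent(entry, listed):
            result.append("." + entry)
    return result


if __name__ == "__main__":
    # Usage (paths assumed): python shalla2dstdom.py < BL/porn/domains > /etc/squid/db/shalla/porn.dstdom
    for line in dedupe_domains(sys.stdin):
        print(line)
```

Run "squid -k parse" afterwards: with the processed lists the "is a subdomain of" warnings disappear.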

squidClamav

ClamAV does not reside on the same machine: squidclamav talks to a clamd on another host over TCP (clamd_ip/clamd_port in squidclamav.conf below). clamd's TCP listener has no authentication of its own, so restrict access to that port to the proxy host, and keep both hosts on a network segment you trust, because the scanned content travels over it in the clear.
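The following smoke test is an added example, not code from the original post. It talks to the remote clamd the same way squidclamav does, using the TCP protocol documented in clamd(8): PING/PONG to see that the daemon answers, and INSTREAM (length-prefixed chunks) to submit content and read the "stream: <name> FOUND" verdict, which is the framing virusWarn.cgi below strips off again. Host and port are the clamd_ip/clamd_port values from the squidclamav.conf below.

```python
"""Smoke-test the remote clamd that squidclamav uses, over its TCP protocol.

Added example, not code from the original post. clamd's wire protocol (PING/PONG,
INSTREAM with length-prefixed chunks, a 'stream: <name> FOUND' verdict) is the
one described in clamd(8); host and port are the clamd_ip/clamd_port values from
squidclamav.conf below. clamd does not authenticate TCP clients, so anyone who
can reach the port can submit scans: firewall it to the proxy host.
"""
import socket
import struct
from typing import Tuple

CLAMD = ("192.168.100.8", 3310)   # clamd_ip / clamd_port from squidclamav.conf

# Standard EICAR test string, split in two so this source file is not itself quarantined.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STAND" + b"ARD-ANTIVIRUS-TEST-FILE!$H+H*"


def instream_frames(data: bytes, chunk_size: int = 4096) -> bytes:
    """zINSTREAM command, then <uint32 big-endian length><bytes> chunks, then a zero-length chunk."""
    frames = [b"zINSTREAM\0"]
    for offset in range(0, len(data), chunk_size):
        chunk = data[offset:offset + chunk_size]
        frames.append(struct.pack("!I", len(chunk)) + chunk)
    frames.append(struct.pack("!I", 0))
    return b"".join(frames)


def parse_verdict(reply: bytes) -> Tuple[str, str]:
    """'stream: OK' -> ('clean', ''); 'stream: Name FOUND' -> ('infected', 'Name'); '... ERROR' -> ('error', msg).

    Same framing that virusWarn.cgi strips with s/stream: // and s/ FOUND//.
    """
    text = reply.rstrip(b"\0\n").decode("utf-8", "replace")
    if text.startswith("stream: "):
        text = text[len("stream: "):]
    if text == "OK":
        return ("clean", "")
    if text.endswith(" FOUND"):
        return ("infected", text[:-len(" FOUND")])
    if text.endswith(" ERROR"):
        return ("error", text[:-len(" ERROR")])
    return ("unknown", text)


def _exchange(payload: bytes, server=CLAMD, timeout: float = 5.0) -> bytes:
    """Send one command and read until clamd closes the connection (it does after a single command)."""
    with socket.create_connection(server, timeout=timeout) as sock:
        sock.sendall(payload)
        parts = []
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            parts.append(chunk)
    return b"".join(parts)


def ping(server=CLAMD) -> bool:
    """True if clamd answers PING with PONG."""
    return _exchange(b"zPING\0", server).rstrip(b"\0\n") == b"PONG"


def scan_bytes(data: bytes, server=CLAMD) -> Tuple[str, str]:
    """Submit data via INSTREAM and return the parsed verdict."""
    return parse_verdict(_exchange(instream_frames(data), server))


if __name__ == "__main__":
    print("PING:", "PONG" if ping() else "no answer")
    print("EICAR:", scan_bytes(EICAR))     # ('infected', <signature name>) on a working clamd
    print("clean:", scan_bytes(b"hello"))   # ('clean', '')
```

If PING works but the EICAR scan returns ('error', ...), look at StreamMaxLength and the TCP-related options in clamd.conf on the ClamAV host; if the connection is refused altogether, it is usually TCPAddr/TCPSocket there or a firewall in between.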

My configuration:

squid.conf:

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8	# RFC1918 possible internal network
acl localnet src 172.16.0.0/12	# RFC1918 possible internal network
acl localnet src 192.168.0.0/16	# RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl SSL_ports port 9001         # RadioPAD
acl Safe_ports port 80		# http
acl Safe_ports port 21		# ftp
acl Safe_ports port 443		# https
acl Safe_ports port 70		# gopher
acl Safe_ports port 210		# wais
acl Safe_ports port 1025-65535	# unregistered ports
acl Safe_ports port 280		# http-mgmt
acl Safe_ports port 488		# gss-http
acl Safe_ports port 591		# filemaker
acl Safe_ports port 777		# multiling http
acl Safe_ports port 901		# SWAT
#acl Safe_ports port 9001	# RadioPAD

# METHODS
acl PURGE method PURGE
acl CONNECT method CONNECT

#
# AUTH
#
auth_param basic program /usr/libexec/squid/basic_radius_auth -f /etc/squid/basic_radius_auth.conf
auth_param basic children 50
auth_param basic realm Your friendly proxy server
auth_param basic credentialsttl 5 hours
auth_param basic casesensitive on

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports


# AXXELZ CRAP 
#debug_options              ALL,1 11,3 20,3
dns_v4_first on
tcp_outgoing_address        0.0.0.0 all
forwarded_for               delete
strip_query_terms           on
ftp_user                    anonymous@yourcompany.com
visible_hostname            YOURSQUID
max_filedescriptors         64000     # TO PREVENT STALL
#connect_timeout            5 minutes # INCREASE FOR WETRANSFER UPLOADS
#request_timeout            5 minutes # INCREASE FOR WETRANSFER UPLOADS
#pconn_timeout              5 minutes
#persistent_request_timeout 5 minutes
# AXXELZ END

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
http_access deny to_localhost


##########################################################################################################################
# ACL HIVE ###############################################################################################################
##########################################################################################################################
# USERS
acl users_all                           proxy_auth                  REQUIRED
acl users_admins			proxy_auth                  "/etc/squid/db/users.ADMINS"
acl users_flash				proxy_auth                  "/etc/squid/db/users.flash"

acl proto_ftp                           port                        21
acl sites_noBump                        ssl::server_name_regex      "/etc/squid/db/sites.ssl.noBump.server_name_regex"
acl sites_ignoreCertError               dstdomain               -i  "/etc/squid/db/sites.ssl.ignoreCertError.dstdomain"
acl sites_noCache                       dstdom_regex            -i  "/etc/squid/db/sites.noCache.dstdom_regex"
acl intraservers                        dst                         192.168.100.0/24
acl sites_wl_ftp			dstdomain		-i  "/etc/squid/db/sites.wl.ftp.dstdomain"

# CPT. FLASH
acl type_flash                          rep_mime_type               video/flv
acl type_flash                          rep_mime_type               application/x-shockwave-flash

# BLACKLISTED
acl sites_bl_absolute_dstdomain         dstdomain               -i  "/etc/squid/db/sites.bl.absolute.dstdomain"
acl sites_bl_dstdomain                  dstdomain               -i  "/etc/squid/db/sites.bl.dstdomain"
acl sites_bl_dstdom_regex               dstdom_regex            -i  "/etc/squid/db/sites.bl.dstdom_regex"
acl sites_bl_url_regex                  url_regex               -i  "/etc/squid/db/sites.bl.url_regex"
acl sites_bl_urlpath_regex              urlpath_regex           -i  "/etc/squid/db/sites.bl.urlpath_regex"

# WHITELISTED
acl sites_wl_dstdomain                  dstdomain               -i  "/etc/squid/db/sites.wl.dstdomain"

############################################################################################################################
# ACL HIVE END #############################################################################################################
############################################################################################################################

############################################################################################################################
# ACCESS RULES #############################################################################################################
############################################################################################################################

# ATTENTION: READ CAREFULLY
# FIRST SQUID'S OWN http_access RULES BLOCK, THEN SQUIDGUARD BLOCKS
# HTTPS URLPATH REGEX STUFF WILL NOT BE BLOCKED BY SQUID ---> USE SQUIDGUARD FOR THIS
# ATTENTION2: DOMAIN REGEX PATTERNS CAUGHT BY SQUIDGUARD BREAK THE SQUIDGUARD REDIRECT (CERTIFICATE ERROR ON THE CLIENT) ---> CATCH DOMAIN REGEX PATTERNS IN SQUID FIRST
# BEST USE: BLOCK ALL REGEX DOMAIN STUFF IN SQUID + BLOCK ALL URLPATH STUFF IN SQUIDGUARD

# PREPARING THE BATTLEFIELD 
always_direct     allow   all
http_access       allow   intraservers
http_access       allow   sites_wl_ftp
http_access       deny    sites_bl_absolute_dstdomain
deny_info         http://proxy.intranet/cgi-bin/squidGuard.cgi?targetgroup=sites_bl_absolute_dstdomain&app=Squid&url=%u sites_bl_absolute_dstdomain
http_access       allow   PURGE localhost
http_access       deny    PURGE

# ALLOW SOME FOR THE GOOD GUYS
# FEEL FREE TO ADD GOOD GUY GROUPS FOR SOLVING SPECIAL CASES
http_access       allow   users_admins
http_reply_access allow   users_flash type_flash
http_access       allow   users_flash type_flash

# WHITELISTING
http_access       allow   sites_wl_dstdomain

# WHITELIST SPECIAL
include "/etc/squid/sites_wl_special.include"


# DENY FOR ALL THE OTHER GUYS
include "/etc/squid/shalla.include"

http_access       deny    sites_bl_dstdomain
deny_info         http://proxy.intranet/cgi-bin/squidGuard.cgi?targetgroup=sites_bl_dstdomain&app=Squid&url=%u sites_bl_dstdomain
http_access       deny    sites_bl_dstdom_regex
deny_info         http://proxy.intranet/cgi-bin/squidGuard.cgi?targetgroup=sites_bl_dstdom_regex&app=Squid&url=%u sites_bl_dstdom_regex
http_access       deny    sites_bl_url_regex
deny_info         http://proxy.intranet/cgi-bin/squidGuard.cgi?targetgroup=sites_bl_url_regex&app=Squid&url=%u sites_bl_url_regex
http_access       deny    sites_bl_urlpath_regex
deny_info         http://proxy.intranet/cgi-bin/squidGuard.cgi?targetgroup=sites_bl_urlpath_regex&app=Squid&url=%u sites_bl_urlpath_regex

#http_access       deny    sites_bl_dstdomain
#http_access       deny    sites_bl_dstdom_regex
#http_access       deny    sites_bl_url_regex
#http_access       deny    sites_bl_urlpath_regex
#http_reply_access deny    type_flash

# THE LAST FRONTIER
http_access       deny    proto_ftp
deny_info         http://proxy.intranet/cgi-bin/squidGuard.cgi?targetgroup=proto_ftp&app=Squid&url=%u proto_ftp
http_reply_access deny    type_flash
http_access       deny    type_flash
deny_info         http://proxy.intranet/cgi-bin/squidGuard.cgi?targetgroup=type_flash&app=Squid&url=%u type_flash
http_access       allow   all
http_access       deny    all


############################################################################################################################
# ACCESS RULES END #########################################################################################################
############################################################################################################################


############################################################################################################################
# MAIN STUFF 

# CACHE DIRECTIVES
cache deny sites_noCache

# LISTENING TO
#http_port 127.0.0.1:8082 transparent
http_port  127.0.0.1:8080 ssl-bump generate-host-certificates=on options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE dynamic_cert_mem_cache_size=16MB cert=/etc/squid/ssl_cert/proxy.de.cert key=/etc/squid/ssl_cert/proxy.de.private cipher=HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
#https_port 127.0.0.1:8082 intercept ssl-bump generate-host-certificates=on version=1 options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE dynamic_cert_mem_cache_size=16MB cert=/etc/squid/ssl_cert/proxy.de.cert key=/etc/squid/ssl_cert/proxy.de.private 
#ftp_port   127.0.0.1:8083 transparent


# Uncomment and adjust the following to add a disk cache directory.
cache_dir ufs /var/cache/squid 1024 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/cache/squid

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:		1440	20%	10080
refresh_pattern ^gopher:	1440	0%	1440
refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
refresh_pattern .		0	20%	4320


# ICAP STUFF
# CLAMAV
icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_header X-Authenticated-User
icap_service service_req  reqmod_precache  bypass=0 icap://127.0.0.1:1344/squidclamav
adaptation_access service_req  allow all
icap_service service_resp respmod_precache bypass=0 icap://127.0.0.1:1344/squidclamav
adaptation_access service_resp allow all

# REDIRECT STUFF
# SQUIDGUARD
# url_rewrite_program # IS UNUSED
redirect_program /usr/bin/squidGuard -c /etc/squidGuard/squidGuard.conf
#redirect_children 8
#redirector_bypass off

# SSL STUFF
sslcrtd_program /usr/libexec/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
sslcrtd_children 32 startup=1 idle=1
sslproxy_cipher HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_ECDH_USE
sslproxy_cert_error allow intraservers
sslproxy_cert_error allow sites_ignoreCertError
ssl_bump splice sites_noBump
ssl_bump terminate sites_bl_urlpath_regex
ssl_bump server-first all
ssl_bump bump all

#######
# END #

shalla.include:

# SHALLA INCLUDE FILE
# DO NOT EDIT BY HAND
# Tue Jun  6 00:00:17 CEST 2017

# sites_bl_shalla_aggressive_dstdomain
acl sites_bl_shalla_aggressive_dstdomain dstdomain "/etc/squid/db/shalla/aggressive.dstdom"
http_access deny  sites_bl_shalla_aggressive_dstdomain
deny_info http://proxy.intranet/cgi-bin/squidGuard.cgi?targetgroup=sites_bl_shalla_aggressive_dstdomain&app=Squid&url=%u sites_bl_shalla_aggressive_dstdomain

# sites_bl_shalla_gamble_dstdomain
acl sites_bl_shalla_gamble_dstdomain dstdomain "/etc/squid/db/shalla/gamble.dstdom"
http_access deny  sites_bl_shalla_gamble_dstdomain
deny_info http://proxy.intranet/cgi-bin/squidGuard.cgi?targetgroup=sites_bl_shalla_gamble_dstdomain&app=Squid&url=%u sites_bl_shalla_gamble_dstdomain

...

# sites_bl_shalla_violence_dstdomain
acl sites_bl_shalla_violence_dstdomain dstdomain "/etc/squid/db/shalla/violence.dstdom"
http_access deny  sites_bl_shalla_violence_dstdomain
deny_info http://proxy.intranet/cgi-bin/squidGuard.cgi?targetgroup=sites_bl_shalla_violence_dstdomain&app=Squid&url=%u sites_bl_shalla_violence_dstdomain

# END #

squidclamav.conf

#-----------------------------------------------------------------------------
# SquidClamav v6.1 default configuration file
#
# To learn how to customize your configuration file, see the squidclamav manpage
# or go to http://squidclamav.darold.net/
#
#-----------------------------------------------------------------------------
#
# Global configuration
#

# Maximum size of a file that may be scanned. Any file bigger than this value
# will not be scanned (it passes through unchecked).
maxsize 5000000

# When a virus is found then redirect the user to this URL
#redirect http://proxy.domain.dom/cgi-bin/clwarn.cgi
redirect http://proxy.intranet/cgi-bin/virusWarn.cgi

# Path to the squidGuard binary if you want URL filtering; note that you'd better
# use the squid configuration directive 'url_rewrite_program' instead.
#squidguard /usr/local/squidGuard/bin/squidGuard

# Path to the clamd socket, use clamd_local if you use Unix socket or if clamd
# is listening on an Inet socket, comment clamd_local and set the clamd_ip and
# clamd_port to the corresponding value.
#clamd_local /var/run/clamav/clamd.sock
clamd_ip 192.168.100.8
clamd_port 3310

# Set the timeout for clamd connection. Default is 1 second, this is a good
# value but if you have slow service you can increase up to 3.
timeout 1

# Force SquidClamav to log all virus detections or squidGuard block redirections
# to the c-icap log file.
logredir 1

# Enable / disable DNS lookup of the client IP address. Default is enabled ('1') to
# preserve backward compatibility, but you should deactivate this feature if you
# don't use trustclient with a hostname in the regexp or if you don't have a DNS
# server on your network. Disabling it will also speed up squidclamav.
dnslookup 1

#
# Here are some default regex patterns to get a high-speed proxy on systems
# with low resources.
#

# Do not scan images
#abort ^.*\.(ico|gif|png|jpg)$
#abortcontent ^image\/.*$

# Do not scan text files
#abort ^.*\.(css|xml|xsl|js|html|jsp)$
#abortcontent ^text\/.*$
#abortcontent ^application\/x-javascript$

# Do not scan streamed videos
#abortcontent ^video\/x-flv$
#abortcontent ^video\/mp4$

# Do not scan flash files
#abort ^.*\.swf$
#abortcontent ^application\/x-shockwave-flash$

# Do not scan sequence of framed Microsoft Media Server (MMS) data packets
#abortcontent ^.*application\/x-mms-framed.*$

# White list some sites
#whitelist .*\.clamav.net

# See also 'trustuser' and 'trustclient' configuration directives

#
# Here are some default regex patterns to get a high-speed proxy on systems
# with low resources.
#
# Abort AV scan, but not chained program
#abort \.google\.*
#abort \.youtube\.com
#abort \.googlevideo\.com
#abort \.ytimg\.com
#abort \.yimg\.com

# Do not scan images
#abort ^.*\.([j|J][p|P][?:[e|E]?[g|G]|gif|png|bmp|ico|svg|web[p|m])
#abortcontent ^image\/.*$

# Do not scan text files
#abort ^.*\.((cs|d?|m?|p?|r?|s?|w?|x?|z?)h?t?m?(l?)|php[3|5]?|rss|atom|vr(t|ml)|(c|x|j)s[s|t|px]?)
#abortcontent ^text\/.*$
#abortcontent ^application\/x-javascript$
#abortcontent ^application\/javascript$
#abortcontent ^application\/json$

# Do not scan fonts
#abort ^.*\.(ttf|eot|woff2?)
#abortcontent ^font\/.*$
#abortcontent ^application\/x-woff$
#abortcontent ^application\/font-woff2?$
#abortcontent ^application\/x-font-ttf$

# Do not scan (streamed) videos and audios
abort ^.*\.(flv|f4f|mp(3|4))
abortcontent ^video\/.*$
abortcontent ^audio\/.*$
abortcontent ^application\/mp4$

# Do not scan flash files
#abort ^.*\.swfx?
#abortcontent ^application\/x-shockwave-flash$

# Do not scan sequence of framed Microsoft Media Server (MMS) data packets
#abortcontent ^.*application\/x-mms-framed.*$

# White list some sites
# Abort both AV and chained program
#whitelist clamav\.net
#whitelist securiteinfo\.com
#whitelist sanesecurity\.com
#whitelist clamav\.bofhland\.org
#whitelist threatcenter\.crdf\.fr
#whitelist \.avast\.*
#whitelist \.gdatasoftware\.com
#whitelist \.emsisoft\.*
#whitelist \.chilisecurity\.*
#whitelist pcpitstop\.com
#whitelist \.unthreat\.com
#whitelist \.preventon\.com
#whitelist lavasoft\.com
#whitelist \.norton\.com
#whitelist \.symantec\.com
#whitelist \.symantecliveupdate\.com
#whitelist \.kaspersky\.*
#whitelist \.drweb\.*
#whitelist \.mcafee\.com
#whitelist \.fsecure\.com
#whitelist \.f-secure\.com
#whitelist \.esetnod32\.*
#whitelist \.eset\.*
#whitelist \.escanav\.com
#whitelist \.360totalsecurity\.com
#whitelist \.bitdefender\.com
#whitelist pckeeper\.com
#whitelist \.mysecuritycenter\.com
#whitelist \.avira\.com
#whitelist \.pandasecurity\.com
#whitelist \.vipreantivirus\.com
#whitelist \.quickheal\.com
#whitelist \.trustport\.*
#whitelist \.trustport-ru\.*
#whitelist \.sophos\.com
#whitelist \.spamfighter\.com
#whitelist \.webroot\.com
#whitelist \.k7computing\.com
#whitelist \.charityantivirus\.com
#whitelist \.avg\.com
#whitelist \.trendmicro\.*
#whitelist \.zonealarm\.com
#whitelist \.comodo\.com
#whitelist update\.microsoft\.com
#whitelist update\.microsoft\.com\.akadns\.net 
#whitelist download\.windowsupdate\.com
#whitelist download\.microsoft\.com
#whitelist update\.microsoft\.com
#whitelist \.oracle\.com
#whitelist \.shallalist\.de
#whitelist \.eicar\.org
#whitelist opencsw\.org

#whitelist wetransfer\.com
#whitelist wetransfer\.net
#whitelist amazonaws\.com
whitelist shallalist\.de

# See also 'trustuser' and 'trustclient' configuration directives
#
#trustuser thatsmeasauser

squidGuard.conf

logdir /var/log/squidGuard
dbhome /etc/squidGuard/db

dest whitesites {
	domainlist     whitesites_dom
#	expressionlist whitesites_expr
#	urllist        whitesites_url
}

dest blockedsites {
#	domainlist     blockedsites_dom
	expressionlist blockedsites_expr
	urllist        blockedsites_url
        # THE LOG FILE blockedsites.log IS ALWAYS EMPTY
        # INFOS APPEAR IN /var/log/squid/cache.log
        log            blockedsites.log
}

src admins {
    userlist users_admin
}

# DO NOT CHANGE THIS LINE! NEVER!!!!
dest aggressive {
   urllist     /etc/squidGuard/db/shalla/aggressive.urls
}

dest gamble {
   urllist     /etc/squidGuard/db/shalla/gamble.urls
}

dest ringtones {
   urllist     /etc/squidGuard/db/shalla/ringtones.urls
}

dest warez {
   urllist     /etc/squidGuard/db/shalla/warez.urls
}

dest urlshortener {
   urllist     /etc/squidGuard/db/shalla/urlshortener.urls
}

dest chat {
   urllist     /etc/squidGuard/db/shalla/chat.urls
}

dest drugs {
   urllist     /etc/squidGuard/db/shalla/drugs.urls
}

dest spyware {
   urllist     /etc/squidGuard/db/shalla/spyware.urls
}

dest costtraps {
   urllist     /etc/squidGuard/db/shalla/costtraps.urls
}

dest porn {
   urllist     /etc/squidGuard/db/shalla/porn.urls
}

dest tracker {
   urllist     /etc/squidGuard/db/shalla/tracker.urls
}

dest webmail {
   urllist     /etc/squidGuard/db/shalla/webmail.urls
}

dest downloads {
   urllist     /etc/squidGuard/db/shalla/downloads.urls
}

dest remotecontrol {
   urllist     /etc/squidGuard/db/shalla/remotecontrol.urls
}

dest hobby_games-misc {
   urllist     /etc/squidGuard/db/shalla/hobby_games-misc.urls
}

dest hobby_games-online {
   urllist     /etc/squidGuard/db/shalla/hobby_games-online.urls
}

dest hacking {
   urllist     /etc/squidGuard/db/shalla/hacking.urls
}

dest dating {
   urllist     /etc/squidGuard/db/shalla/dating.urls
}

dest socialnet {
   urllist     /etc/squidGuard/db/shalla/socialnet.urls
}

dest anonvpn {
   urllist     /etc/squidGuard/db/shalla/anonvpn.urls
}

dest redirector {
   urllist     /etc/squidGuard/db/shalla/redirector.urls
}

dest violence {
   urllist     /etc/squidGuard/db/shalla/violence.urls
}

acl {
	admins  {
	    pass all
	}
	default {
		pass whitesites !blockedsites  !aggressive !gamble !ringtones !warez !urlshortener !chat !drugs !spyware !costtraps !porn !tracker !webmail !downloads !remotecontrol !hobby_games-misc !hobby_games-online !hacking !dating !socialnet !anonvpn !redirector !violence all
		redirect http://proxy.intranet/cgi-bin/squidGuard.cgi?app=SquidGuard&clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&targetgroup=%t&url=%u
	}
}

squidGuard.cgi:

#!/usr/bin/perl
# Block page for Squid's deny_info and the squidGuard redirect. Called as
# squidGuard.cgi?app=...&clientaddr=...&clientname=...&clientuser=...&clientgroup=...&targetgroup=...&url=...
use URI::Encode qw(uri_encode uri_decode);
use HTML::Entities qw(encode_entities);

$QUERY_STRING  = $ENV{'QUERY_STRING'};
$DOCUMENT_ROOT = $ENV{'DOCUMENT_ROOT'};

# E-mail address of the proxy administrator:
my $PROXYEMAIL = "support\@mycompany.com";
my $PROXYWEB   = "http://proxy.intranet";
open(DATA, "<$DOCUMENT_ROOT/css/mystyle.css") or die "cannot open mystyle.css: $!";
#
#
$clientaddr  = "";
$clientname  = "";
$clientuser  = "";
$clientgroup = "";
$targetgroup = "";
$app         = "";
$url         = "";
$time  = time;
@day   = ("Sun","Mon","Tue","Wed","Thu","Fri","Sat");
@month = ("Jan","Feb","Mar","Apr","May","Jun","Jul","Aug","Sep","Oct","Nov","Dec");

# Parse the query string by hand. Only the listed parameter names are accepted;
# 'url' must be the last parameter because the blocked URL may itself contain
# '&' and '=' (the %u of Squid and squidGuard is not URL-encoded).
while ($QUERY_STRING =~ /^\&?([^&=]+)=([^&=]*)(.*)/) {
  $key = $1;
  $value = $2;
  $QUERY_STRING = $3;
  if ($key =~ /^(clientaddr|clientname|clientuser|clientgroup|targetgroup|url|app)$/) {
    ${$key} = $value;    # symbolic reference to the global of that name, no string eval needed
  }
  if ($QUERY_STRING =~ /^url=(.*)/) {
    $url = $1;
    $QUERY_STRING = "";
  }
}

my $urldec = uri_decode($url);

# Everything below came from the query string and is reflected into HTML, so it is
# escaped first. Without this, a blocked URL like https://host/<script>...</script>
# runs as script in the proxy.intranet origin (reflected XSS on the block page).
my $h_url   = encode_entities($urldec);
my $h_user  = encode_entities($clientuser);
my $h_app   = encode_entities($app);
my $h_group = encode_entities($targetgroup);

# Expires is set to "now" (RFC 1123 format, full year) so browsers do not cache the block page.
($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = gmtime($time);
my $expires = sprintf "Expires: %s, %02d %s %04d %02d:%02d:%02d GMT",
                      $day[$wday], $mday, $month[$mon], $year + 1900, $hour, $min, $sec;

if ($url =~ /\.(gif|jpg|jpeg|mpg|mpeg|avi|mov)$/i) {
  # Blocked image/video: answer with a placeholder image instead of an HTML page.
  print "Content-Type: image/gif\n";
  print "$expires\n\n";
  open(GIF, "<$DOCUMENT_ROOT/images/blocked.gif") or die "cannot open blocked.gif: $!";
  binmode(GIF);
  binmode(STDOUT);
  while (<GIF>) {
    print;
  }
  close(GIF);
} else {
  print "Content-type: text/html\n";
  print "$expires\n\n";
  # NOTE: the markup skeleton below is assumed from the class names in mystyle.css
  # (the original HTML is not shown in full on this page); adapt it to your layout.
  print "<html>\n";
  print "  <head>\n";
  print "    <title>Access denied</title>\n";
  print "    <style>\n";
  while (<DATA>) {          # inline the stylesheet
    print "$_";
  }
  close(DATA);
  print "    </style>\n";
  print "  </head>\n";
  print "  <body>\n";
  print "    <div class=\"bg\">\n";
  print "      <div class=\"info\">\n";
  print "        <span class=\"header\">End of the Internet.</span>\n";
  print "        <span class=\"body\">\n";
  # print "          <span class=\"element\">Hello $h_user!</span>\n" if $h_user ne "";
  print "          <span class=\"element\">The URL $h_url is blocked.</span>\n"     if $h_url   ne "";
  print "          <span class=\"element\">Blocked by $h_app.</span>\n"             if $h_app   ne "";
  print "          <span class=\"element\">The blocking rule is $h_group.</span>\n" if $h_group ne "";
  print "        </span>\n";
  print "        <span class=\"footer\">Disappointed? Please contact support at <a href=\"mailto:$PROXYEMAIL\">$PROXYEMAIL</a> or by phone at 555.</span>\n";
  print "      </div>\n";
  print "    </div>\n";
  print "  </body>\n";
  print "</html>\n";
}
exit 0;

mystyle.css:

div.bg {
    background-image: url(http://proxy.intranet/pix/bg.jpg);
    background-repeat: no-repeat;
    background-attachment: fixed;
    background-position: center;
    background-size: cover;
    height: 100vh;
    color: white;
}

div.info {
    background-color: rgba(255,0,0,0.2);
    font-family: BENDER;
    text-align: center; 
    /* vertical-align: middle; */
    font-size: 2em; 
    position: absolute;
    left: 10%;
    top: 20%;
    clear: both;
    float: left;
    border: 0px solid red;
    border-radius: 3%;
    box-shadow: 10px 10px 5px rgba(0, 0, 0, 0.3);
    padding: 3%;
    /* transform: rotate(-10deg); */
}

div.logo {
    background-color: rgba(255,255,255,0.2);
    font-family: BENDER;
    text-align: center; 
    /* vertical-align: middle; */
    font-size: 1em; 
    position: relative;
    right: 10px;
    top: 10px;
    height: 340px;
    width: 73px;
    clear: both;
    float: right;
    border: 0px solid red;
    border-radius: 3%;
    box-shadow: 10px 10px 5px rgba(0, 0, 0, 0.3);
    /* padding: 3%; */
    /* transform: rotate(-10deg); */
}

#logo_irmedia {
   position: absolute;
   top: 145px;
   left: 5px;
   right: 5px;
   bottom: 5px;
   background-image: url("http://proxy.intranet/pix/a_logo.jpg");
   background-repeat: no-repeat;
   background-size: contain;
}

#logo_bbr {
   position: absolute;
   top: 5px;
   left: 5px;
   right: 5px;
   bottom: 5px;
   background-image: url("http://proxy.intranet/pix/b_logo.png");
   background-repeat: no-repeat;
   background-size: contain;
}

#logo_tdy {
   position: absolute;
   top: 75px;
   left: 5px;
   right: 5px;
   bottom: 5px;
   background-image: url("http://proxy.intranet/pix/c_logo.png");
   background-repeat: no-repeat;
   background-size: contain;
}

span.header {
    font-size: 3em;
    font-weight: bold;
}

span.body {
    font-size: 1em;
    font-weight: bold;
}

span.element {
    position: relative;
    display: block;
    color: red;
}

span.footer {
    position: relative;
    top: 25px;
    font-weight: bold;
}

a {
    color: white;
}

@font-face { 
font-family: "BENDER";
src: url("http://proxy.intranet/fonts/HelveticaNeue.ttf"); 
}

virusWarn.cgi:

#!/usr/bin/perl
# Warning page squidclamav redirects to when clamd reports a virus (see 'redirect'
# in squidclamav.conf). squidclamav appends url, virus, source and user as query parameters.
use strict;
use warnings;
use CGI;

my $DOCUMENT_ROOT = $ENV{'DOCUMENT_ROOT'};

my $VERSION = '6.8';
my $TITLE_VIRUS = "Virus Alarm";

my $cgi = CGI->new;
# Every parameter is HTML-escaped on the way in, because all of them end up in the page.
my $url    = CGI::escapeHTML($cgi->param('url'))    || '';
my $virus  = CGI::escapeHTML($cgi->param('virus'))  || '';
my $source = CGI::escapeHTML($cgi->param('source')) || '';
$source =~ s/\/-//;
my $user   = CGI::escapeHTML($cgi->param('user'))   || '';

my $subtitle = 'contains this virus:';
if ($virus =~ /Safebrowsing/) {
	$TITLE_VIRUS = "Unsafe Browsing Alarm";
	$subtitle = 'Safe Browsing message';
}

# Strip clamd's framing ("stream: <signature> FOUND") down to the signature name
$virus =~ s/stream: //;
$virus =~ s/ FOUND//;

my $PROXYEMAIL = "support\@mycompany.com";
my $PROXYWEB = "http://proxy.intranet.de";
# The stylesheet is inlined into the page. The file name was garbled on this page
# and is assumed to be the virusstyle.css shown below.
open(DATA, "<$DOCUMENT_ROOT/css/virusstyle.css") or die "cannot open virusstyle.css: $!";
# -expires => 'now' replaces the hand-built Expires header; the page must not be cached.
print $cgi->header(-type => 'text/html', -expires => 'now');
# NOTE: the markup skeleton below is assumed from the class names in virusstyle.css
# (the original HTML is not shown in full on this page); adapt it to your layout.
print "<html>\n";
print "  <head>\n";
print "    <title>Virus found</title>\n";
print "    <style>\n";
while (<DATA>) {
    print "$_";
}
close(DATA);
print "    </style>\n";
print "  </head>\n";
print "  <body>\n";
print "    <div class=\"bg\">\n";
print "      <div class=\"info\">\n";
print "        <span class=\"header\">Virus found!</span>\n";
print "        <span class=\"body\">\n";
#print "          <span class=\"element\">Hello $user!</span>\n" if $user ne "";
print "          <span class=\"element\">The URL $url is infected.</span>\n" if $url ne "";
print "          <span class=\"element\">$virus.</span>\n" if $virus ne "";
print "        </span>\n";
print "        <span class=\"footer\">Shocked? Please contact support at <a href=\"mailto:$PROXYEMAIL\">$PROXYEMAIL</a> or by phone at 555.</span>\n";
print "      </div>\n";
print "    </div>\n";
print "  </body>\n";
print "</html>\n";

virusstyle.css:

div.bg {
    background-image: url(http://proxy.intranet/pix/virus.jpg);
    background-repeat: no-repeat;
    background-attachment: fixed;
    background-position: center;
    background-size: cover;
    /* height: 100vh; */
    height: 100%;
    color: white;
}

div.info {
    background-color: rgba(255,0,0,0.2);
    font-family: BENDER;
    text-align: center; 
    /* vertical-align: middle; */
    font-size: 2em; 
    position: absolute;
    left: 10%;
    top: 10%;
    clear: both;
    float: left;
    border: 0px solid red;
    border-radius: 3%;
    box-shadow: 10px 10px 5px rgba(0, 0, 0, 0.3);
    padding: 3%;
    /* transform: rotate(-10deg); */
}

div.logo {
    background-color: rgba(255,255,255,0.2);
    font-family: BENDER;
    text-align: center; 
    /* vertical-align: middle; */
    font-size: 1em; 
    position: relative;
    right: 10px;
    top: 10px;
    height: 340px;
    width: 73px;
    clear: both;
    float: right;
    border: 0px solid red;
    border-radius: 3%;
    box-shadow: 10px 10px 5px rgba(0, 0, 0, 0.3);
    /* padding: 3%; */
    /* transform: rotate(-10deg); */
}

#logo_irmedia {
   position: absolute;
   top: 145px;
   left: 5px;
   right: 5px;
   bottom: 5px;
   background-image: url("http://proxy.intranet/pix/a_logo.jpg");
   background-repeat: no-repeat;
   background-size: contain;
}

#logo_bbr {
   position: absolute;
   top: 5px;
   left: 5px;
   right: 5px;
   bottom: 5px;
   background-image: url("http://proxy.intranet/pix/b_logo.png");
   background-repeat: no-repeat;
   background-size: contain;
}

#logo_tdy {
   position: absolute;
   top: 75px;
   left: 5px;
   right: 5px;
   bottom: 5px;
   background-image: url("http://proxy.intranet/pix/c_logo.png");
   background-repeat: no-repeat;
   background-size: contain;
}

span.header {
    font-size: 3em;
    font-weight: bold;
}

span.body {
    font-size: 1em;
    font-weight: bold;
}

span.element {
    position: relative;
    display: block;
    color: red;
}

span.footer {
    position: relative;
    top: 25px;
    font-weight: bold;
}

a {
    color: white;
}

@font-face { 
font-family: "BENDER";
src: url("http://proxy.intranet/fonts/HelveticaNeue.ttf"); 
}

/etc/security/limits.conf

* soft nofile 94000
* hard nofile 94000 
* hard nproc 64000
* soft nproc 64000
root soft nofile 94000
root hard nofile 94000 