File havp.conf-suse of Package havp
#
# This is the configuration file for HAVP
#
# All lines starting with a hash (#) or empty lines are ignored.
# Uncomment parameters you want to change!
#
# All parameters configurable in this file are explained and their default
# values are shown. If no default value is defined "NONE" is specified.
#
# General syntax: Parameter Value
# Value can be: true/false, number, or path
#
# Extra spaces and tabs are ignored.
#

# You must remove this line for HAVP to start.
# This makes sure you have (hopefully) reviewed the configuration. :)
# Hint: You must enable some scanner! Find them at the end.
#
# NOTE(review): the guard line is still present in this copy, so per the
# text above HAVP will not start until it is deleted.
REMOVETHISLINE deleteme

#
# For reasons of security it is recommended to run a proxy program
# without root rights. It is recommended to create a user that is not
# used by any other program.
#
# NOTE(review): this copy runs as vscan instead of the default havp.
# If vscan is shared with other scanner services on this system, HAVP's
# logs, PID file and temp files are writable by those services too - confirm.
#
# Default:
# USER havp
# GROUP havp
USER vscan
GROUP vscan

#
# If this is true HAVP runs as a daemon in the background.
# For testing you may run HAVP at your text console.
#
# Default:
# DAEMON true
DAEMON true

#
# Display initial messages on console when starting HAVP.
#
# Default:
# DISPLAYINITIALMESSAGES true
DISPLAYINITIALMESSAGES true

#
# Process id (PID) of the main HAVP process is written to this file.
# Be sure that it is writeable by the user under which HAVP is running.
# /etc/init.d/havp script requires this to work.
#
# Default:
# PIDFILE /var/run/havp/havp.pid
PIDFILE /var/run/havp/havp.pid

#
# For performance reasons several instances of HAVP have to run.
# Specify how many servers (child processes) are simultaneously
# listening on port PORT for a connection. Minimum value should be
# the peak requests-per-second expected + 5 for headroom.
#
# For single user home use, 8 should be minimum.
# For 500 users corporate use, start at 40.
#
# Value can and should be higher than recommended. Memory and
# CPU usage is only affected by the number of concurrent requests.
#
# Default:
# SERVERNUMBER 8
SERVERNUMBER 32

#
# For big traffic spikes, more servers (child processes) are
# created automatically if needed. This is the hard limit
# for concurrent requests processed.
#
# Default:
# MAXSERVERS 100
MAXSERVERS 150

#
# File where we log requests.
# Needs to have write permission for HAVP user.
#
# Default:
# ACCESSLOG /var/log/havp/access.log
ACCESSLOG /var/log/havp/access.log

#
# true: Log every request to access log
# false: Log only viruses to access log
#
# Default:
# LOG_OKS true
LOG_OKS true

#
# File where we log HAVP messages and errors.
# Needs to have write permission for HAVP user.
#
# Default:
# ERRORLOG /var/log/havp/havp.log
ERRORLOG /var/log/havp/havp.log

#
# Level of HAVP logging
# 0 = Only serious errors and information
# 1 = Less interesting information is included
#
# Default:
# LOGLEVEL 1
LOGLEVEL 1

#
# Temporary scan file.
# This file must reside on a partition for which hard locks
# are enabled (so called mandatory locking). For Linux, use
# "-o mand" in the mount command. See mount(1) for details.
# Solaris does not need any special steps, it works directly.
#
# Specify absolute path to a file whose name must
# contain "XXXXXX". These six characters are overwritten
# by system call to create unique named tempfiles.
#
# NOTE(review): mainline Linux removed mandatory locking in 5.15, where
# "-o mand" no longer has any effect - confirm what the target kernel does.
# The directory should be writable by the HAVP user only, since it holds
# the not-yet-scanned content.
#
# Default:
# SCANTEMPFILE /var/tmp/havp/havp-XXXXXX
SCANTEMPFILE /var/spool/havp/havp-XXXXXX

#
# Directory for ClamAV and other scanner created tempfiles.
# Needs to be writable by HAVP user.
#
# NOTE(review): /var/tmp is normally shared by all local users; a
# directory owned by the HAVP user would keep scanner tempfiles away from
# other accounts - verify against the scanner's own tempfile handling.
#
# Default:
# TEMPDIR /var/tmp
TEMPDIR /var/tmp

#
# HAVP reloads the scanners' virus databases when it receives a signal
# (send SIGHUP to PID from PIDFILE, see kill(1)) or after
# a specified period of time. Specify here the number of
# minutes to wait before reloading.
#
# Default:
# DBRELOAD 60
DBRELOAD 10

#
# Run HAVP as transparent Proxy?
#
# If you don't know what this means read the mini-howto
# TransparentProxy written by Daniel Kiracofe.
# (e.g.: http://www.tldp.org/HOWTO/mini/TransparentProxy.html)
# You definitely have more to do than setting this to true.
# You are warned!
#
# Default:
# TRANSPARENT false
TRANSPARENT false

#
# Specify a parent proxy (e.g. Squid) HAVP should use.
#
# Default: NONE
# PARENTPROXY localhost
# PARENTPORT 3128

#
# Write X-Forwarded-For: to log instead of the connecting client's IP?
#
# If HAVP is used as parent proxy by some other proxy, this allows
# writing the real user's IP to the log, instead of the proxy's IP.
#
# NOTE(review): X-Forwarded-For is a request header, so any client that can
# reach HAVP directly can put an arbitrary address into the access log.
# With this set to true, limit who can connect (BIND_ADDRESS or a packet
# filter) to the proxy that sits in front of HAVP.
#
# Default:
# FORWARDED_IP false
FORWARDED_IP true

#
# Port HAVP is listening on.
#
# Default:
# PORT 8080
PORT 8081

#
# IP address that HAVP listens on.
# Let it be undefined to bind all addresses.
#
# NOTE(review): left undefined in this copy, so PORT 8081 is bound on
# every address of the host.
#
# Default: NONE
# BIND_ADDRESS 127.0.0.1

#
# IP address used for sending outbound packets.
# Let it be undefined if you want OS to handle right address.
#
# Default: NONE
# SOURCE_ADDRESS 1.2.3.4

#
# Path to template files.
#
# NOTE(review): still points below /usr/local while WHITELIST and BLACKLIST
# were moved to /etc/havp in this copy - confirm the templates are
# installed at this path.
#
# Default:
# TEMPLATEPATH /usr/local/etc/havp/templates/en
TEMPLATEPATH /usr/local/etc/havp/templates/en

#
# Set to true if you want to prefer Whitelist.
# If URL is Whitelisted, then Blacklist is ignored.
# Otherwise Blacklist is preferred.
#
# Default:
# WHITELISTFIRST true

#
# Whitelist of URLs not to scan.
#
# NOTE(review): every entry bypasses scanning, so this file should be
# writable by the administrator only.
#
# Default:
# WHITELIST /usr/local/etc/havp/whitelist
WHITELIST /etc/havp/whitelist

#
# Blacklist of URLs that are denied access.
#
# Default:
# BLACKLIST /usr/local/etc/havp/blacklist
BLACKLIST /etc/havp/blacklist

#
# Is scanner error fatal?
#
# For example, archive types that are not supported by the scanner
# may return an error. The same applies if the scanner has invalid
# pattern files etc.
#
# true: User gets error page
# false: No error is reported (viruses might not be detected)
#
# Default:
# FAILSCANERROR true

#
# How many minutes to wait for scanner to finish.
#
# When scanning takes longer than this, it will be killed. Timer is started
# after file is received, long transfers do not affect it. If set too low,
# large files/archives could produce timeout. This is always considered a
# fatal error regardless of FAILSCANERROR.
#
# Default:
# SCANNERTIMEOUT 10

#
# Allow HTTP Range Requests
#
# false: Broken downloads can NOT be resumed
# true: Broken downloads can be resumed
#
# True is a security risk, because partial HTTP requests may
# not be properly scanned.
#
# Default:
# RANGE false

#
# Max size of temporary files on disk.
# 0 = No size limit
#
# Temporary file will grow only up to this size. This means scanner
# will scan data until this limit is reached.
#
# NOTE: Setting limit is a security risk, because some archives like
# ZIP need all the data to be scanned properly! Use this only if you
# can't afford temporary space for big files. Also scanner settings
# will affect how many files will be scanned inside an archive etc.
#
# VALUE IN BYTES NOT KB OR MB!!!!
#
# Default:
# MAXSCANSIZE 0

#
# Amount of data going to browser that is held back, until it
# is scanned. When we know file is clean, this held back data
# can be sent to browser. You can safely set bigger value, only
# thing you will notice is some "delay" in beginning of download.
# Virus found in files bigger than this might not produce HAVP
# error page, but result in a "broken" download.
#
# VALUE IN BYTES NOT KB OR MB!!!!
#
# Default:
# KEEPBACKBUFFER 200000

#
# This setting complements KEEPBACKBUFFER. It tells how many seconds to
# initially receive data from server, before sending anything to client.
# Even trickling is not done before this time elapses. This way files that
# are received fast are more secure and user can get virus report page for
# files bigger than KEEPBACKBUFFER.
#
# Should not be set very high, if memory is an issue. All data received
# during this time is kept in memory (10 seconds at 1MB/s would reserve
# 10MB+ memory during request).
#
# Setting to 0 will disable this, and only KEEPBACKBUFFER is used.
#
# Default:
# KEEPBACKTIME 5

#
# After Trickling Time (seconds), some bytes are sent to browser
# to keep the connection alive. Trickling is not needed if timeouts
# are not expected for files smaller than KEEPBACKBUFFER, but it is
# recommended to set anyway.
#
# 0 = No Trickling
#
# Default:
# TRICKLING 30

#
# Space separated list of strings to partially match User-Agent: header.
# These are used for streaming content, so scanning is generally not needed
# and tempfiles grow unnecessarily. Remember when enabled, that a user could
# fake the header and bypass some scanning. HTTP Range-requests are allowed
# for these, so players can seek content.
#
# You can uncomment here a list of most popular players.
#
# Default: NONE
# STREAMUSERAGENT Player Winamp iTunes QuickTime Audio RMA/ MAD/ Foobar2000 XMMS

#
# Bytes to scan from beginning of streams.
# When set to 0, STREAMUSERAGENT scanning will be completely disabled.
# It is not recommended as there are some exploits for players.
#
# Default:
# STREAMSCANSIZE 20000


#####
##### ClamAV Library Scanner (libclamav)
#####

# NOTE(review): this is the only scanner enabled in this copy.
ENABLECLAMLIB true

# HAVP uses libclamav hardcoded pattern directory, which usually is
# /usr/local/share/clamav. You only need to set CLAMDBDIR, if you are
# using non-default DatabaseDirectory setting in clamd.conf.
#
# Default: NONE
# CLAMDBDIR /path/to/directory

# Should we block encrypted archives?
# NOTE(review): the contents of an encrypted archive cannot be inspected,
# so with false such archives presumably pass through unscanned - confirm
# that this matches the site policy.
# CLAMBLOCKENCRYPTED false

# Should we block files that go over maximum archive values?
# CLAMBLOCKMAX true

# Scanning limits for archives (filesize = MB):
# CLAMMAXFILES 1000
# CLAMMAXFILESIZE 10
# CLAMMAXRECURSION 8
# CLAMMAXRATIO 250


#####
##### ClamAV Socket Scanner (clamd)
#####
##### NOTE: ClamAV Library Scanner should be preferred (better performance)
#####

ENABLECLAMD false

# Path to clamd socket
#
# NOTE(review): the default lives in /tmp, which is normally writable by
# every local user; if this scanner is enabled, prefer a socket path in a
# directory that only the scanner daemon can write to.
#
# Default:
# CLAMDSOCKET /tmp/clamd


#####
##### F-Prot Socket Scanner
#####

ENABLEFPROT false

# F-Prot daemon needs to run on same server as HAVP
#
# Default:
# FPROTSERVER 127.0.0.1
# FPROTPORT 10200


#####
##### AVG Socket Scanner
#####

ENABLEAVG false

# AVG daemon needs to run on the same server as HAVP
#
# Default:
# AVGSERVER 127.0.0.1
# AVGPORT 55555


#####
##### Kaspersky Socket Scanner
#####

ENABLEAVESERVER false

# Path to aveserver socket
#
# Default:
# AVESOCKET /var/run/aveserver


#####
##### Sophos Scanner (Sophie)
#####

ENABLESOPHIE false

# Path to sophie socket
#
# Default:
# SOPHIESOCKET /var/run/sophie


#####
##### Trend Micro Library Scanner (Trophie)
#####

ENABLETROPHIE false


#####
##### NOD32 Socket Scanner
#####

ENABLENOD32 false

# Path to nod32d socket
#
# NOTE(review): as with CLAMDSOCKET, the default is in /tmp; if this
# scanner is enabled, use a path only the scanner daemon can create.
#
# Default:
# NOD32SOCKET /tmp/nod32d.sock