1. Experiences Running ZFS on Ubuntu Linux 12.04

    Thu 18 October 2012

    I really like ZFS because with current data sets, I do believe that data corruption may start becoming an issue. The thing is that the license under which ZFS is released does not permit it to be used in the Linux kernel. That's quite unfortunate, but there is hope. There is a project called 'ZFS on Linux' which provides ZFS support through a kernel module, circumventing any license issues.

    But as ZFS is a true next generation file system and the only one in its class stable enough for production use, I decided to give it a try.

    I used my existing download server running Ubuntu 12.04 LTS. I followed these steps:

    1. move all data to my big storage nas;
    2. destroy the existing MDADM RAID arrays;
    3. recreate a new storage array through ZFS;
    4. move all data back to the new storage array.

    Installation of ZFS is straightforward and well documented by the ZFSonLinux project. The main thing is how you set up your storage. My download server has six 500 GB disks and four 2 TB disks, thus a total of ten drives. So I decided to create a single zpool (logical volume) consisting of two vdevs (arrays). I thus created a vdev of the six 500 GB drives and a second vdev of the four 2 TB drives.

    root@server:~# zpool status
      pool: zpool
     state: ONLINE
     scan: scrub repaired 0 in 1h12m with 0 errors on Fri Sep  7 
    config:
    
        NAME                               STATE   READ WRITE CKSUM
        zpool                              ONLINE     0     0     0
          raidz1-0                         ONLINE     0     0     0
            pci-0000:03:04.0-scsi-0:0:1:0  ONLINE     0     0     0
            pci-0000:03:04.0-scsi-0:0:2:0  ONLINE     0     0     0
            pci-0000:03:04.0-scsi-0:0:3:0  ONLINE     0     0     0
            pci-0000:03:04.0-scsi-0:0:4:0  ONLINE     0     0     0
          raidz1-1                         ONLINE     0     0     0
            pci-0000:00:1f.2-scsi-2:0:0:0  ONLINE     0     0     0
            pci-0000:00:1f.2-scsi-3:0:0:0  ONLINE     0     0     0
            pci-0000:03:04.0-scsi-0:0:0:0  ONLINE     0     0     0
            pci-0000:03:04.0-scsi-0:0:5:0  ONLINE     0     0     0
            pci-0000:03:04.0-scsi-0:0:6:0  ONLINE     0     0     0
            pci-0000:03:04.0-scsi-0:0:7:0  ONLINE     0     0     0
    

    So the zpool consists of two vdevs that each consist of the physical drives.

    Everything is going smoothly so far. I did have one issue though. I decided to remove a separate disk drive from the system that was no longer needed. As I initially set up the arrays based on device names (/dev/sda, /dev/sdb), the array broke as device names changed due to the missing drive.

    So I repaired that by issuing these commands:

    zpool export zpool
    zpool import zpool -d /dev/disk/by-path/
    

    It's important to carefully read the FAQ of ZFS on Linux and understand that you should not use regular device names like /dev/sda for your ZFS array. It is recommended to use /dev/disk/by-path/ or /dev/disk/zpool/ precisely to prevent the issue I had with the disappeared drive.
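    The following check is an added example, not part of the original post: it reads `zpool status` output and reports pool members that are still addressed by kernel-assigned names such as sda or sdb, which is exactly the configuration that broke when a drive was removed. The two sample status listings are constructed for the demo; on a live system you would pipe the real `zpool status` output into the function.

```shell
#!/bin/sh
# Added example (not from the original post): report zpool members that use
# kernel-assigned names (sda, sdb, ...) instead of a stable /dev/disk/by-path
# or /dev/disk/by-id link. Such names can change when a drive is removed.

# Reads `zpool status` text on stdin and prints one unstable member per line.
list_unstable_vdevs() {
  awk '
    # A member line carries the device in field 1 and a vdev state in field 2.
    $2 ~ /^(ONLINE|DEGRADED|FAULTED|OFFLINE|UNAVAIL|REMOVED)$/ &&
    $1 ~ /^(\/dev\/)?(sd|hd|vd)[a-z]+[0-9]*$/ { print $1 }
  '
}

# Exit status 0 when every member on stdin uses a stable name, 1 otherwise.
pool_uses_stable_names() {
  [ -z "$(list_unstable_vdevs)" ]
}

# Constructed sample: a pool created with bare device names, as in the post.
SAMPLE_UNSTABLE='  pool: tank
 state: ONLINE
config:

        NAME        STATE     READ WRITE CKSUM
        tank        ONLINE       0     0     0
          raidz1-0  ONLINE       0     0     0
            sda     ONLINE       0     0     0
            sdb     ONLINE       0     0     0
            sdc     ONLINE       0     0     0'

# Constructed sample: the same pool after export/import with -d /dev/disk/by-path/.
SAMPLE_STABLE='  pool: tank
 state: ONLINE
config:

        NAME                               STATE     READ WRITE CKSUM
        tank                               ONLINE       0     0     0
          raidz1-0                         ONLINE       0     0     0
            pci-0000:03:04.0-scsi-0:0:1:0  ONLINE       0     0     0
            pci-0000:03:04.0-scsi-0:0:2:0  ONLINE       0     0     0
            pci-0000:03:04.0-scsi-0:0:3:0  ONLINE       0     0     0'

# Stand-alone demo. On a real host use:  zpool status | list_unstable_vdevs
if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_UNSTABLE" | list_unstable_vdevs
fi
```

    Run the script with `--demo` to see the three unstable members of the constructed pool; the stable sample produces no output, so `pool_uses_stable_names` can be dropped into a monitoring job that fails when someone creates a pool with bare device names.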

    As discussed in my blog entry on why I decided not to use ZFS for my big 18 TB storage NAS, ZFS does not support 'growing' of an array as Linux software RAID does.

    As the zpool consists of different hard disk types, performance tests are not consistent. I've seen 450 MB/s read speeds on the zpool, which is more than sufficient for me.

    ZFS on Linux works, is fast enough and easy to set up. If I had set up my big storage NAS today, I would probably have chosen ZFS on Linux. I would have accepted that I could not just expand the array with extra drives the way MDADM permits you to grow an array.

    In some way, ZFS on Linux combines the best of both worlds: one of the best modern file systems with a modern and well-supported Linux distribution. Only the ZFS module itself may be the weak factor, as it's fairly new for Linux and not optimised yet.

    Or we might have to just wait until Btrfs is mature enough for production use.

  2. Compiling Multicore PAR2 on Ubuntu 12.04 LTS Precise Pangolin

    Sun 16 September 2012

    If you want to compile PAR2 with multicore support on Linux, it may not work right away from source. I used this version of PAR2 with multicore support. Update 2015: the original link is dead, I found a copy of the source and put it on my own site here for you to download.

    First, make sure that you have these libraries on your system:

    libtbb-dev
    libaio-dev
    

    According to this source, after downloading the source, you need to add this line:

    #include <backward/auto_ptr.h>
    

    To these files:

    par2cmdline.cpp
    commandline.cpp
    par2creator.cpp
    par2repairer.cpp
    

    Then edit the Makefile and find the LDADD variable. Add the -lrt option like this:

    LDADD = -lstdc++ -ltbb -lrt -L.
    

    This did the trick for me and compiled the PAR2 source with multicore support. Hope it helps somebody.
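    The edits above can be applied with a short script; the one below is an added example and not part of the original post. It prepends the include line to the four source files and adds -lrt to LDADD, and both steps check first whether the edit is already present, so running the script twice does not duplicate the lines. It assumes the unpacked source tree is the current directory.

```shell
#!/bin/sh
# Added example (not from the original post): apply the two source edits the
# post describes, idempotently. Assumes the unpacked PAR2 source tree is the
# current working directory.

# Prepend the auto_ptr include to a file unless it is already present.
add_auto_ptr_include() {
  file=$1
  line='#include <backward/auto_ptr.h>'
  if ! grep -Fqx "$line" "$file"; then
    printf '%s\n' "$line" | cat - "$file" > "$file.tmp" && mv "$file.tmp" "$file"
  fi
}

# Append -lrt after -ltbb on the LDADD line of the Makefile unless it is there.
add_lrt_to_makefile() {
  makefile=$1
  if ! grep -Eq '^LDADD[[:space:]]*=.*-lrt' "$makefile"; then
    sed 's/^\(LDADD[[:space:]]*=.*-ltbb\)/\1 -lrt/' "$makefile" > "$makefile.tmp" \
      && mv "$makefile.tmp" "$makefile"
  fi
}

# The four files named in the post, plus the Makefile.
patch_par2_sources() {
  for f in par2cmdline.cpp commandline.cpp par2creator.cpp par2repairer.cpp; do
    add_auto_ptr_include "$f"
  done
  add_lrt_to_makefile Makefile
}

# Stand-alone usage: cd into the source tree, then run with --apply.
if [ "${1:-}" = "--apply" ]; then
  patch_par2_sources && echo "sources patched"
fi
```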

    If you want to use Multicore PAR2 with SABnzbd you need to go to the Config menu. Then select 'Special' and enable 'par2_multicore'. Save the changes. Then go to 'Switches' and enter '-t+' in the Extra PAR2 Parameters field.

  3. Setting Up a Squid Proxy With Clamav Anti-Virus Using C-Icap

    Sun 26 August 2012

    Security is all about a defence-in-depth strategy: create multiple layers of defence. Each layer presents a different set of challenges, requiring different skill sets and technology, so every layer increases the time and effort needed to compromise your environment.

    A content-scanning proxy server may provide you with one of these defensive layers. A content-scanning proxy checks all data for malware and blocks all content presumed to be infected. This may prevent numerous infections of company computers. Basically, the proxy server is virus-scanning all network traffic.

    Warning:

    But there is a severe limitation. Any data requested through an SSL connection (https://) cannot be scanned, precisely because it is encrypted. So if a blackhat is smart and serves all malware through HTTPS, a content-scanning proxy will not stop that malware. There are man-in-the-middle solutions that do allow you to inspect SSL traffic, but they have some limitations and this is outside the scope of this post.

    As I believe that most malware is still being served through unencrypted HTTP sites, a content-scanning proxy does create an extra layer of defence. I think it is worth the effort.

    So I decided to create a content-scanning proxy based on available open-source software. In this case, open-source as in free to use in commercial settings.

    So in this post I will document how to set up a content-scanning proxy based on Squid 3.1, c-icap version 1, the Squidclamav module and the Clamav anti-virus scanner.

    The basis of this proxy server is Ubuntu 12.10 LTS.

    How does it work?

    The Squid proxy server must pass all content to the Clamav daemon. Squid can't do that by itself; it needs a glue service. For this purpose, a standard protocol called 'ICAP' has been designed. The c-icap daemon, combined with the squidclamav module, is the glue between the proxy server and the anti-virus software. The fun thing about c-icap is that you can add extra content-scanning features if you want, just by adding those modules. You can decide to implement additional commercial anti-virus products in addition to Clamav.

    Installing Clamav and c-icap + development files

    1. apt-get install clamav-daemon c-icap libicapapi-dev apache2
    2. freshclam (update clamav on the spot)
    

    Apache or any other HTTP server with CGI support is required to display virus-warnings to end-users.

    Installing squidclamav module for c-icap

    Do not install squidclamav with apt-get, this version seems to contain bugs that prevent pages from loading properly. The latest version straight from the vendor does work properly.

    1. cd /usr/src/
    2. download the source from: 
    "http://sourceforge.net/projects/squidclamav/"
    3. tar xzf squidclamav-6.8.tar.gz
    4. cd squidclamav-6.8
    5. ./configure
    6. make -j 2
    7. make install
    

    Squid configuration

    Please download my sample Squid.conf configuration. The icap lines are of interest.

    icap_enable on
    icap_send_client_ip on
    icap_send_client_username on
    icap_client_username_encode off
    icap_client_username_header X-Authenticated-User
    icap_preview_enable on
    icap_preview_size 1024
    
    icap_service service_req reqmod_precache bypass=0 \ 
        icap://127.0.0.1:1344/squidclamav
    icap_service service_resp respmod_precache bypass=0 \ 
        icap://127.0.0.1:1344/squidclamav
    
    adaptation_access service_req allow all
    adaptation_access service_resp allow all
    

    It is the icap:// URL that calls a particular icap service (squidclamav) that processes all data.

    Squidclamav icap module configuration

    The configuration is stored in /etc/squidclamav.conf, and this is what I used:

    maxsize 5000000
    redirect http://proxy.company.local/cgi-bin/clwarn.cgi
    clamd_ip 127.0.0.1
    clamd_port 3310
    timeout 1
    logredir 0
    dnslookup 1
    

    Of interest is the redirect URL, which tells the user that a virus has been found. That line redirects the user to a warning page as shown at the beginning of this post. You can customise this page with CSS; for example, you can add the company logo to make it more official.
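    Every client that lands on the warning page did so because a download was blocked, which makes Squid's access.log a useful place to see which machines keep hitting infected content. The script below is an added example, not part of the original post: it assumes Squid's default native access.log format (client address in field 3, URL in field 7) and assumes the redirect carries the detection name in a `virus=` query parameter, which may differ in your squidclamav version. The log lines are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): summarise blocked downloads from
# Squid's access.log by counting requests for the squidclamav warning page.
# Assumptions: Squid native log format (field 3 = client, field 7 = URL) and a
# "virus=" query parameter on the redirect; adjust for your setup.

# The redirect target configured in /etc/squidclamav.conf.
REDIRECT_URL='http://proxy.company.local/cgi-bin/clwarn.cgi'

# Reads access.log lines on stdin; prints "client virus_name" per block event.
blocked_downloads() {
  awk -v prefix="$REDIRECT_URL" '
    # A hit on the warning page means a download for this client was blocked.
    index($7, prefix) == 1 {
      virus = "unknown"
      if (match($7, /[?&]virus=[^&]+/)) {
        virus = substr($7, RSTART, RLENGTH)
        sub(/^[?&]virus=/, "", virus)
      }
      print $3, virus
    }
  '
}

# Reads access.log lines on stdin; prints "count client", most blocks first.
blocks_per_client() {
  blocked_downloads | awk '{ n[$1]++ } END { for (c in n) print n[c], c }' | sort -rn
}

# Constructed sample log: two blocked downloads for .10, one for .12, one
# ordinary cache hit for .11. Detection names are placeholders.
SAMPLE_LOG='1350000001.123 45 192.168.0.10 TCP_MISS/307 512 GET http://example.test/setup.exe - DIRECT/203.0.113.5 application/octet-stream
1350000001.456 12 192.168.0.10 TCP_MISS/200 2048 GET http://proxy.company.local/cgi-bin/clwarn.cgi?url=http://example.test/setup.exe&virus=Eicar-Test-Signature - DIRECT/192.168.0.2 text/html
1350000002.000 30 192.168.0.11 TCP_HIT/200 10240 GET http://www.example.test/index.html - NONE/- text/html
1350000003.500 11 192.168.0.12 TCP_MISS/200 1900 GET http://proxy.company.local/cgi-bin/clwarn.cgi?url=http://other.test/a.zip&virus=Constructed.Malware.Example - DIRECT/192.168.0.2 text/html
1350000004.250 14 192.168.0.10 TCP_MISS/200 1900 GET http://proxy.company.local/cgi-bin/clwarn.cgi?url=http://other.test/b.zip - DIRECT/192.168.0.2 text/html'

# Stand-alone demo. On a real host:  blocks_per_client < /var/log/squid3/access.log
if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_LOG" | blocks_per_client
fi
```

    A client that shows up repeatedly is worth a closer look, since repeated blocks often mean an already infected machine or a user retrying the same download rather than a one-off drive-by.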

    c-icap configuration

    This is the configuration I use:

    PidFile /var/run/c-icap/c-icap.pid
    CommandsSocket /var/run/c-icap/c-icap.ctl
    Timeout 300
    MaxKeepAliveRequests 100
    KeepAliveTimeout 600  
    StartServers 3
    MaxServers 10
    MinSpareThreads     10
    MaxSpareThreads     20
    ThreadsPerChild     10
    MaxRequestsPerChild  0
    Port 1344 
    User c-icap
    Group nogroup
    ServerAdmin you@your.address
    ServerName Anti-Virus-Proxy
    TmpDir /tmp
    MaxMemObject 1048576
    DebugLevel 0
    ModulesDir /usr/lib/c_icap
    ServicesDir /usr/lib/c_icap
    TemplateDir /usr/share/c_icap/templates/
    TemplateDefaultLanguage en
    LoadMagicFile /etc/c-icap/c-icap.magic
    RemoteProxyUsers off
    RemoteProxyUserHeader X-Authenticated-User
    RemoteProxyUserHeaderEncoded on
    ServerLog /var/log/c-icap/server.log
    AccessLog /var/log/c-icap/access.log
    Service echo srv_echo.so
    Service squidclamav squidclamav.so
    

    Configuring Apache web server

    The warning page should be put in /usr/lib/cgi-bin. You may have to copy clwarn.cgi into this directory. Also make sure that your Apache configuration contains a directive like:

    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
            AllowOverride None
            Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
            Order allow,deny
            Allow from all
    </Directory>
    

    Automatic proxy configuration through DHCP and WPAD

    To make the entire setup extra nice, use your DHCP configuration to inform clients about the proxy configuration. Clients must be configured to autodetect proxy settings for this to work.

    Put a wpad.dat in the root directory of your http server:

    function FindProxyForURL(url, host)
    {
        if (dnsDomainIs(host, "localhost")) return "DIRECT"; 
        if (isInNet(host, "127.0.0.0", "255.0.0.0")) return "DIRECT";
        if (isPlainHostName(host)) return "DIRECT";
        if (isInNet(host, "192.168.0.0", "255.255.255.0")) return "DIRECT";
        return "PROXY proxy.company.local:3128";
    }
    

    And also add the appropriate mime type for .dat files in /etc/mime.types

    application/x-ns-proxy-autoconfig           dat
    

    Restart the apache webserver after these modifications.

    Now add the proxy to the DNS configuration of your DNS server like proxy.company.local.

    Most important, add this directive to the global section of your DHCP server's configuration file:

    option local-proxy-config code 252 = text;
    

    Add this directive to the particular scope for your network:

    option local-proxy-config "http://proxy.company.local/wpad.dat";
    

    Restart your DNS and DHCP server.

    Monitoring proxy performance

    The cachemgr.cgi file provides very detailed information about the performance of your Squid proxy. This is more relevant to actual caching performance than to anti-virus scanning, but it may be of interest. Especially the 'general runtime information' is of interest, as it shows the hit-rate, memory usage, etc.

    First, make sure you take the appropriate precautions so as not to expose this page to the entire company network without some protection, as it can contain sensitive information.

    If you have installed squid-cgi just browse to http://your.proxy.server/cgi-bin/cachemgr.cgi

    Some example data:

    Cache information for squid:
        Hits as % of all requests:  5min: 10.3%, 60min: 4.1%
        Hits as % of bytes sent:    5min: 81.4%, 60min: 5.2%
        Memory hits as % of hit requests:   5min: 0.0%, 60min: 14.8%
        Disk hits as % of hit requests: 5min: 0.0%, 60min: 74.1%
    

    Final words

    This whole configuration should be sufficient to set up a content-scanning proxy server. I have no experience of how well this solution performs, and you may have to do some benchmarks of your own to determine if it is capable of handling the traffic users generate. The fun thing about this setup is that it is modular. For example, you can have one Squid + HTTP box, and a separate host just for the c-icap service and Clamav service.

    Besides the whole content scanning part, a proxy server, based on some non-scientific tests, does seem to improve performance for end-users. It may save you an expensive upgrade to a faster corporate internet connection.
