Merge pull request #19 from GSA-TTS/clamav-debugging-from-main

Proxy patch for database signatures
GSA-TTS · Nov 25, 2024 · 8ac7574 · 8ac7574
2 parents f1d7f30 + 40f02c6
commit 8ac7574
Show file tree

Hide file tree

Showing 3 changed files with 50 additions and 30 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,4 @@
-FROM golang:alpine3.19 as build
+FROM golang:alpine3.19 AS build
 
 # Update libraries
 RUN apk update && apk upgrade

diff --git a/README.md b/README.md
@@ -7,17 +7,20 @@
     - [Status Codes](#status-codes)
 - [Configuration](#configuration)
     - [Environment Variables](#environment-variables)
-    - [Networking](#networking)  
+    - [Networking](#networking)
 - [Maintenance / Monitoring](#maintenance--monitoring)
     - [Shell Access](#shell-access)
 
-- [Developing](#developing)    
+- [Developing](#developing)
 - [References](#references)
 
 # Introduction
 
 This is a two in one docker image which runs the open source virus scanner ClamAV (https://www.clamav.net/), performs automatic virus definition updates as a background process and provides a REST API interface to interact with the ClamAV process.
 
+# FAC Updates
+An issue was found using `echo "RELOAD" | nc 127.0.0.1 3310` behind a proxy to force reload the sig database. Due to this, and with us rebuilding the image weekly to get a new sha256, on top of our terraform redeploying clamav during the week with new sha256's, force reloading the database like this makes it impossible to use the scanner, as `3310` gets soft locked on the database update, and causes any subsequent scans to fail.
+
 # Updates
 
 As of October 21 2024, freshclam notifies the correct `.clamd.conf` so that `clamd` is notified about updates and the correct version is returned now.

diff --git a/entrypoint.sh b/entrypoint.sh
@@ -4,6 +4,7 @@ mkdir -p /clamav/etc
 mkdir -p /clamav/data
 mkdir -p /clamav/tmp
 cp /etc/clamav/* /clamav/etc/
+chmod 0700 /clamav/etc/freshclam.conf
 
 # Replace values in freshclam.conf
 sed -i 's/^#\?NotifyClamd .*$/NotifyClamd \/clamav\/etc\/clamd.conf/g' /clamav/etc/freshclam.conf
@@ -13,6 +14,20 @@ sed -i 's/^#DatabaseDirectory .*$/DatabaseDirectory \/clamav\/data/g' /clamav/et
 
 # Replace values with environment variables in freshclam.conf
 sed -i 's/^#\?Checks .*$/Checks '"$SIGNATURE_CHECKS"'/g' /clamav/etc/freshclam.conf
+if [ -n "$PROXY_SERVER" ]; then
+    sed -i 's~^#HTTPProxyServer .*~HTTPProxyServer '"$PROXY_SERVER"'~g' /clamav/etc/freshclam.conf
+
+    # It's not required, but if they also provided a port, then configure it
+    if [ -n "$PROXY_PORT" ]; then
+        sed -i 's/^#HTTPProxyPort .*$/HTTPProxyPort '"$PROXY_PORT"'/g' /clamav/etc/freshclam.conf
+    fi
+
+    # It's not required, but if they also provided a username, then configure both the username and password
+    if [ -n "$PROXY_USERNAME" ]; then
+        sed -i 's/^#HTTPProxyUsername .*$/HTTPProxyUsername '"$PROXY_USERNAME"'/g' /clamav/etc/freshclam.conf
+        sed -i 's~^#HTTPProxyPassword .*~HTTPProxyPassword '"$PROXY_PASSWORD"'~g' /clamav/etc/freshclam.conf
+    fi
+fi
 
 # Replace values with environment variables in clamd.conf
 sed -i 's/^#MaxScanSize .*$/MaxScanSize '"$MAX_SCAN_SIZE"'/g' /clamav/etc/clamd.conf
@@ -35,35 +50,37 @@ if [ -z "$(ls -A /clamav/data)" ]; then
 fi
 
 if [ -n "$PROXY_SERVER" ]; then
-    sed -i 's~^#HTTPProxyServer .*~HTTPProxyServer '"$PROXY_SERVER"'~g' /clamav/etc/freshclam.conf
-
-    # It's not required, but if they also provided a port, then configure it
-    if [ -n "$PROXY_PORT" ]; then
-        sed -i 's/^#HTTPProxyPort .*$/HTTPProxyPort '"$PROXY_PORT"'/g' /clamav/etc/freshclam.conf
-    fi
-
-    # It's not required, but if they also provided a username, then configure both the username and password
-    if [ -n "$PROXY_USERNAME" ]; then
-        sed -i 's/^#HTTPProxyUsername .*$/HTTPProxyUsername '"$PROXY_USERNAME"'/g' /clamav/etc/freshclam.conf
-        sed -i 's~^#HTTPProxyPassword .*~HTTPProxyPassword '"$PROXY_PASSWORD"'~g' /clamav/etc/freshclam.conf
-    fi
+    echo "Proxy Detected"
+    (
+        freshclam --config-file=/clamav/etc/freshclam.conf --daemon &
+        clamd --config-file=/clamav/etc/clamd.conf &
+        /usr/bin/clamav-rest &
+        # Despite not having the [echo "RELOAD" | nc 127.0.0.1 3310] force reload of the clamd database
+        # after checking the running instance behind the proxy a day later, it was succcessfully doing
+        # its own internal self check.
+        # 2024-11-22T08:49:47.37-0500 [APP/PROC/WEB/0] OUT Fri Nov 22 14:49:47 2024 -> SelfCheck: Database status OK.
+        # Since the nc command holds 3310 behind our proxy for some unknown reason, we are willing to not have immediate
+        # clamd database signature reload in favor of freshclam successfully going through the proxy
+        # and clamd doing the database reload on its own, validating that the SelfCheck is working as intended
+    ) 2>&1 | tee -a /var/log/clamav/clamav.log
+else
+    echo "No Proxy Detected"
+    (
+        freshclam --config-file=/clamav/etc/freshclam.conf --daemon &
+        clamd --config-file=/clamav/etc/clamd.conf &
+        /usr/bin/clamav-rest &
+        # Force reload the virus database through the clamd socket after 120s.
+        # Starting freshclam and clamd async ends up that a newer database version is loaded with
+        # freshclam, but the clamd still keep the old version existing before the update because
+        # the socket from clamd is not yet ready to inform, what is indicated in the log
+        # during the startup of the container (WARNING: Clamd was NOT notified: Can't connect to clamd through /run/clamav/clamd.sock: No such file or directory).
+        # So only if a newer database version is available clamd will be notified next time, and this can take hours/days.
+        # Remarks: The socket port is configured in the .Dockerfile itself.
+        sleep 120s
+        echo "RELOAD" | nc 127.0.0.1 3310 &
+    ) 2>&1 | tee -a /var/log/clamav/clamav.log
 fi
 
-(
-    freshclam --config-file=/clamav/etc/freshclam.conf --daemon &
-    clamd --config-file=/clamav/etc/clamd.conf &
-    /usr/bin/clamav-rest &
-    # Force reload the virus database through the clamd socket after 120s.
-    # Starting freshclam and clamd async ends up that a newer database version is loaded with
-    # freshclam, but the clamd still keep the old version existing before the update because 
-    # the socket from clamd is not yet ready to inform, what is indicated in the log
-    # during the startup of the container (WARNING: Clamd was NOT notified: Can't connect to clamd through /run/clamav/clamd.sock: No such file or directory).
-    # So only if a newer database version is available clamd will be notified next time, and this can take hours/days.
-    # Remarks: The socket port is configured in the .Dockerfile itself.
-    sleep 120s
-    echo RELOAD | nc 127.0.0.01 3310 &
-) 2>&1 | tee -a /var/log/clamav/clamav.log
-
 pids=`jobs -p`
 
 exitcode=0