How to Set Up an HTTP Anti-Virus Proxy Using pfSense and HAVP

Updated on January 15, 2018

Sam works as a Network Analyst for an algorithmic trading firm. He obtained his Bachelor's Degree in Information Technology from UMKC.

In this hub I'll be demonstrating how to configure a pfSense router to function as an anti-virus proxy using the HAVP package.

Anti-virus proxies act like traditional web proxies, except they scan all content passing through the proxy for virus or malware signatures. If the proxy identifies the content as malicious, the download will be blocked and the client computer will be redirected to an error page.

The biggest advantage of scanning for viruses directly on the router or gateway is that viruses can be blocked before they ever enter your network. This feature is especially useful for public networks, wireless hotspots, or other situations where you can't be sure all computers have an antivirus application installed.

Even though my computers all have antivirus programs installed, I like to add another layer of protection to my network, and HAVP works great for this.

Prerequisites for HAVP

If you've never installed pfSense before, check out the guide on how to install pfSense.

In order to get the HAVP package working you need to already have a functioning transparent squid proxy running on pfSense.

Installing the HAVP Package

To get started you'll need to install the HAVP package. Click on the packages menu item in the system menu to load the pfSense package manager. Locate the HAVP package and click the plus symbol on the right side of the package description to install it.

Install the HAVP package using the pfSense package manager.

Configuring HAVP

Once you have installed HAVP there are a few settings that need to be changed before it will function properly. Click on the antivirus entry in the services menu to access the HAVP settings.

Next, click on the HTTP proxy tab and check the first check box to enable the proxy. For the proxy mode setting, select parent for squid. By setting squid as the parent proxy, traffic will flow as indicated below:

Client <-> pfSense Gateway <-> Squid Proxy <-> HAVP <-> Internet

Make sure the proxy interface is set to LAN; the default port number will work fine. You will probably need to change the language setting since English is not the default. The language you choose determines the language in which the client error messages are displayed.

Next scroll all the way down to the bottom and click the save button.

The HAVP configuration page is found in the antivirus page of the services menu.

Automatic Definition Updates

To enable automatic updates of the virus definitions, click on the settings tab. I recommend setting the AV base update to occur every 24 hours. If you're really paranoid about zero-day threats you can set the updates to occur more often, although you will be using more of your internet bandwidth if you do.

It's also a good idea to choose a regional download mirror that is located near you. Selecting a close mirror will allow the definitions to download much quicker.

If you're having trouble downloading updates, you can enable logging to help figure out what the problem is.

HAVP can be configured to automatically download definition updates.

Checking the Status of the Services

At this point HAVP should be up and running. I like to check the status just to make sure all of the services started and the definition file was downloaded. On the HAVP general page you should see green arrows next to both the proxy service and the antivirus server.

In the version field you should see ClamAV followed by the date of the virus definition file you are using. If the file is out of date go to the settings tab and click the Update_AV button to manually start the update process.

If HAVP is working both the proxy and antivirus server should have green status icons.

Testing Virus Detection

If you want to see what your users will experience when they attempt to download a virus you can download the EICAR virus test file from eicar.org.

The test file is not an actual virus; it contains a standardized signature that is used to test antivirus software.

If HAVP is working properly then you should be redirected to a page with an access denied message. If you don't see the warning page go back and check the status of the services on the main HAVP settings page.

Users who attempt to download a malicious file will be redirected to an error page.

Customizing the Error Pages

To give your error pages a more professional look I recommend customizing the HTML pages, or even replacing them entirely. You can add your company name and logo, contact information for your IT department, or any other information that you think might be useful.

The HTML files for the default pages are located in /usr/local/share/examples/havp/templates. You can edit these files directly by connecting to the console with SSH, or you can use WinSCP to copy the files to another machine, edit them, and then replace the existing files.

Within the templates directory there is a folder for each of the supported languages. The language you select on the settings page will determine which HTML files will be used.

If you do decide to use your own HTML files you still need to use the same file names.
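
As an added example (not part of the original article or of the HAVP package), the shell functions below enforce the file name rule before replacing the pages: they refuse to install a custom set that lacks any file name found in the live language folder, and back up the originals first. The function names, the LANG_DIR placeholder and the /root paths in the usage comment are assumptions.

```sh
#!/bin/sh
# Added example: replace HAVP error pages only when the custom set keeps
# every file name found in the live language folder.

# Print each file name present in the live folder but absent from custom_dir.
missing_templates() {
    live_dir=$1
    custom_dir=$2
    for f in "$live_dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        [ -f "$custom_dir/$name" ] || printf '%s\n' "$name"
    done
}

# Back up the live pages to backup_dir, then overwrite them with the custom
# ones. Returns 1 and changes nothing if a required file name is missing.
# Extra files in custom_dir (a logo, for example) are not copied.
install_templates() {
    live_dir=$1
    custom_dir=$2
    backup_dir=$3
    missing=$(missing_templates "$live_dir" "$custom_dir")
    if [ -n "$missing" ]; then
        echo "Not installing; custom set lacks these file names:" >&2
        echo "$missing" >&2
        return 1
    fi
    mkdir -p "$backup_dir" || return 1
    for f in "$live_dir"/*; do
        [ -f "$f" ] || continue
        cp -p "$f" "$backup_dir/" || return 1
    done
    for f in "$live_dir"/*; do
        [ -f "$f" ] || continue
        cp "$custom_dir/$(basename "$f")" "$f" || return 1
    done
}

# Usage on the router (LANG_DIR is the folder for the language you selected;
# the /root paths are assumed locations):
#   install_templates /usr/local/share/examples/havp/templates/LANG_DIR \
#       /root/custom-pages /root/havp-templates.bak
```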


    © 2011 Sam Kear

    Comments


      • Sam Kear (author)

        2 years ago from Kansas City

        @Ben

        The HAVP package is not present in pfSense 2.3. Antivirus support is now integrated in the Squid proxy server package via C-ICAP.

        After installing Squid you'll notice there is an Antivirus tab in the Squid service settings package. This allows you to enable ClamAV antivirus scanning through the proxy.

      • Ben

        2 years ago

        HAVP not listed in available updates on my pf system, there are however other packages showing available that are not shown on that screenshot... strange.

      • mrcharles

        2 years ago

        Thank you very much for the writeup.

        I have a problem. I followed your guide to set up Squid and HAVP; unfortunately, the HAVP service remains stopped, and when I check the logs I get the error below. Kindly support me:

        php-fpm[61497]: /antivirus.php: HAVP: RAMDisk not used. Diagnostic: system MB, available MB, calculated MB. Try reducing 'MAXSCANSIZE' value.

      • akinti kole

        3 years ago

        Hi. Thanks for the information provided. I was able to install HAVP successfully, but after some minutes of installation it disconnects itself and an error reads "read only/file/http/havp/". Please, what should I do?

      • zon

        3 years ago

        It's old; look at the date in the picture.

      • Francois

        5 years ago

        Hello,

        I like your solution. It's light, simple and efficient.

        However, on my side, I never managed to install HAVP on my alix 2d13 (235MB of RAM available). Whatever the version of pfSense (2.0, 2.0.3, 2.1), I always had some bug (swap space, read-only /var, fresh clam bug, etc.).

        Do you know if a compact-flash image of pfSense with pre-installed HAVP exists?

        Thanks

      • karanik

        5 years ago

        Hello,

        I have a problem with that. After some seconds the squid service stops.

        What is wrong?
