How to Install and Configure Squid Proxy Server, ClamAV, SquidClamav, C-ICAP Server – Debian – Linux.


Networ Configuration:
Internal newtork: eth1
Internal address IP: eth1

Squid (3.1) non-SSL

Server WWW required.


1. Install some needed dependencies.

sudo apt-get install gcc make curl libcurl4-gnutls-dev


2. Install and Configure Squid Proxy Server.

sudo apt-get install squid3 calamaris


Edit configfile /etc/squid3/squid.conf.

sudo nano /etc/squid3/squid.conf


Make sure the line is uncommented (#).



Create new access lists acl LAN to your internal network

acl LAN src


Additional access lists blacklist, whitelist, malware_block_list to block spam, commercials, malware, viruses…

acl malware_block_list url_regex -i "/etc/squid3/malware_block_list"
acl blacklist dstdom_regex "/etc/squid3/blacklist"
acl whitelist dstdom_regex "/etc/squid3/whitelist"


Access new acl lists – order matters:

http_access allow whitelist
http_access deny blacklist
http_access deny malware_block_list
http_access allow LAN


Inform users about blocked website. Blocked commercials will be displayed as empty transparent place..

deny_info http://YourServerName/error/dot-transparent.png blacklist
deny_info http://YourServerName/error/dot-transparent.png whitelist
deny_info http://YourServerName/error/error.html malware_block_list


  Make sure the rules look like these. Do not change order.

http_access allow localhost
http_access allow manager localhost
http_access deny manager
http_access allow !Safe_ports
http_access allow CONNECT !SSL_ports
http_access allow localhost
http_access deny all


Setup address IP and listening port. Transparent mean no caching.

http_port intercept


Additional  setup – Anonymizer. Blocking headers:

request_header_access Allow allow all
request_header_access Authorization allow all
request_header_access WWW-Authenticate allow all
request_header_access Proxy-Authorization allow all
request_header_access Proxy-Authenticate allow all
request_header_access Content-Encoding allow all
request_header_access Content-Length allow all
request_header_access Content-Type allow all
request_header_access Date allow all
request_header_access Expires allow all
request_header_access Host allow all
request_header_access If-Modified-Since allow all
request_header_access Last-Modified allow all
request_header_access Location allow all
request_header_access Pragma allow all
request_header_access Accept allow all
request_header_access Accept-Charset allow all
request_header_access Accept-Encoding allow all
request_header_access Accept-Language allow all
request_header_access Content-Language allow all
request_header_access Mime-Version allow all
request_header_access Retry-After allow all
request_header_access Title allow all
request_header_access Connection allow all
request_header_access Proxy-Connection allow all
request_header_access User-Agent allow all
request_header_access Cookie allow all
request_header_access Referer deny all
request_header_access X-Forwarded-For deny all
request_header_access Via deny all
request_header_access All deny all
request_header_access Cache-Control deny all
httpd_suppress_version_string on


Cache (400MB)

cache_dir ufs /var/spool/squid3 400 16 256


Disable cache for access list – LAN:

cache deny LAN



visible_hostname YourServerName


Hiding IP

forwarded_for off



Download files: blacklist i whitelist, unpack and save it to /etc/squid3/.

sudo wget
sudo tar -xvf blacklist.tar.bz2
sudo mv blacklist whitelist /etc/squid3


Restart Squid.

sudo /etc/init.d/squid3 restart


Restarting Squid HTTP Proxy 3.x: squid3 Waiting.....................done.


Download script malware_block_list to update domains and IP addresses , unpack and save it to /etc/squid3/.

sudo tar -xvf malware_block_list.tar.bz2
sudo mv malware_block_list /usr/local/bin/
sudo chmod +x /usr/local/bin/malware_block_list
sudo touch  /var/log/malware_block_list.log


Add script malware_block_list to Cron.

sudo crontab -e


@daily /etc/squid3/


Logfile location: /var/log/malware_block_list.log.   Go to, click tab: Block List. You should see subscription list: free and paid. Click Free/Subscribe. Subscribe the list. You should get password/receipt number on email. Log in to:; and find Squid Web Proxy ACL and click Download. You will be redirected to website/text with malware list. Every subscription has unique receipt number receipt=f1234567890. Copy URL and paste to script near link. Edit: link, user, pass.

sudo nano /usr/local/bin/malware_block_list




sudo sh /usr/local/bin/malware_block_list


3. Install Clamav-server.


sudo apt-get install clamav-daemon


4. Install and configure C-ICAP server.

Create temporary folder install, download, unpack, configure and install ICAP server.

sudo mkdir install
cd install
sudo wget -O c_icap-0.3.5.tar.gz
sudo tar -xvf c_icap-0.3.5.tar.gz
cd c_icap-0.3.5
sudo ./configure
sudo make
sudo make install
cd ..


Edit configfile  /usr/local/etc/c-icap.conf.

sudo nano /usr/local/etc/c-icap.conf



ServerAdmin root@localhost


ServerName YourServerName


Service squidclamav


C-ICAP server autostart script.


sudo wget
sudo tar xvf c-icap-autostart.tar.gz
sudo rsync -avh init.d default /etc
sudo update-rc.d c-icap defaults


Usage: /etc/init.d/c-icap {start|stop|restart|force-reload|status|force-stop}


Create logrotate script for c-icap server.

sudo cat << EOT > /etc/logrotate.d/c-icap
/usr/local/var/log/server.log /usr/local/var/log/access.log {
     rotate 4
     create 0644 root root
     /etc/init.d/c-icap force-reload > /dev/null


Change permission for c-icap logrotate script and server logs.

sudo chmod 644 /etc/logrotate.d/c-icap
sudo chown root:root /etc/logrotate.d/c-icap
sudo chmod 644 /usr/local/var/log/ -R
sudo chown root:root /usr/local/var/log/ -R
sudo ln -s /usr/local/var/log/server.log /var/log/server.log
sudo ln -s /usr/local/var/log/access.log /var/log/access.lo


C-icap server logs location:





5. Install Squidclamav.

Download, unpack, configure and install squidclamav.

cd install
sudo wget -O squidclamav-6.15.tar.gz
sudo tar zxvf squidclamav-6.15.tar.gz
cd squidclamav-6.15
sudo ./configure
sudo make
sudo make install
cp -rf cgi-bin /usr/lib/
chmod +x /usr/lib/cgi-bin/clwarn* -R
chown www-data:www-data /usr/lib/cgi-bin/clwarn* -R
sudo ldconfig 


Configure squidclamav.

Download file error.tar.bz2 and save it to /var/www.

sudo wget
sudo tar -xvf error.tar
sudo mv error /var/www/
sudo chmod 750 -R /var/www/error/


Edit configfile /etc/squidclamav.conf.
sudo nano /etc/squidclamav.conf


sudo nano /usr/lcocal/etc/squidclamav.conf


Add redirect URL – default script – clwarn.cgi (en).
You can choose diferent language: DE, FR, BR, RU.

redirect http://YourServerName/cgi-bin/clwarn.cgi


Make sure the rule occurs in configfile.

clamd_local /var/run/clamav/clamd.ctl


6. Checking config file – ClamAV.

Make sure the rule occurs in configfile.

sudo nano /etc/clamav/clamd.conf

LocalSocket /var/run/clamav/clamd.ctl

Configure Freshclam.

sudo nano /etc/clamav/freshclam.conf
SafeBrowsing true


Register on

Subscribe basic list for clamav
You should get auto generated urls for clamav database under tab: Setup.

Download allowed from 1 IP address, limited to 24 downloads per day

Add generated URLS to freshclam configuration file at the end.



Restart ClamAV.

sudo /etc/init.d/clamav-daemon restart


7. Configure Squid with C-ICAP.

Configuration for Squid version – 3.1.20.
sudo nano /etc/squid3/squid.conf


icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_header X-Authenticated-User
icap_service service_req reqmod_precache bypass=1 icap://
adaptation_access service_req allow all
icap_service service_resp respmod_precache bypass=1 icap://
adaptation_access service_resp allow all


Configuration for Squid version – 3.1.6.
sudo nano /etc/squid3/squid.conf


icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_encode off
icap_client_username_header X-Client-Username
icap_preview_enable on
icap_preview_size 1024

adaptation_service_set service_req
icap_service service_req reqmod_precache bypass=1 icap://
adaptation_access service_req allow all

adaptation_service_set service_resp
icap_service service_resp respmod_precache bypass=0 icap://
adaptation_access service_resp allow all


Run C-ICAP server.

sudo /usr/local/bin/c-icap &


You should see [PID]:

[1] 28936


8. Restart Squid.

sudo /etc/init.d/squid3 restart


Restarting Squid HTTP Proxy 3.x: squid3 Waiting.....................done.


9. Configure firewall – masquerade, prerouting.

Enable forwarding.
Edit configfile sysctl.conf

sudo nano /etc/sysctl.conf


Uncomment IPv4 i IPv6 and change to 1:

Net.ipv4.ip_forward = 1
Net.ipv6.conf.all.forwarding = 1


Configure firewall – iptables.

sudo nano /etc/iptables.up.rules


Add rules (Change address IP and network interface)

-A PREROUTING -p tcp -m tcp -i eth1 --dport 80 -j REDIRECT --to-ports 3128


10. Test.

If you have done it right then..
.. go to:
and try to download file:
68 Bytes

You should be redirected to:

  • http://YourServerName/cgi-bin/clwarn.cgi,
  • http://YourServerName/error.html.