squid and avast

This is one that I’ve been looking forward to solving.  The other programs I wanted to update always downloaded their files from the same url.  This made it easy to write refresh patterns that would cause them to retrieve the cached version.  Avast, on the other hand, seems to download its updates from a random mirror each time.  Some of them use urls in the form of http://download[mirror number].avast.com/iavs4x/* while others use an ip address instead of a hostname like http://[ip address]/iavs4x/*.

To allow squid to serve up cached versions, we have to redirect all the requests to the same url.  I chose a random mirror, http://download682.avast.com.  For the redirection, I used a program called squirm.  Squirm uses two configuration files: a list of addresses allowed to use redirects, and the redirect pattern file.

The documentation for squirm leaves a lot to be desired, but it wasn’t too hard to figure out.  For instance, in the documentation squirm says squirm.local (the allowable addresses) should contain a list of networks in the form xxx.xxx.xxx that would match a class C address range.  If you run it that way, though, you get an error.  Mine was 192.168.2, but the error said something like “Invalid IP address range 192.168.”  By that I figured out that it wanted trailing periods, but that’s not what the documentation said.  Using the correct syntax, mine is now “192.168.2.” (with the trailing period).

The installation is also pretty clunky, requiring the user to manually run make in a subfolder and move some files, and manually edit the main Makefile. The website says there is a new, undocumented version that fixes the installation issues, but if the current version is “documented” then I hate to see what “undocumented” means.

My biggest initial mistake after taking care of the installation was trying to use Perl-compatible regex syntax in squirm.patterns (the redirection pattern file).  It is in fact POSIX (extended?) syntax.  It uses the GNU regex library.

The way I got it to work was to use the following in my squirm.patterns:

regex ^http://.*/iavs4x(.*) http://download682.avast.com/iavs4x\1

Short, sweet, and to the point.  That line is actually the only thing in the file.  This will take any source url that contains the path element “iavs4x” (unique enough not to cause any problems, I think) and point it to the server I picked.

Now as for the squid configuration, that took just a tad of Google searching.  The guide I found wanted you to set a directive called “redirector_program”, and another called “httpd_accel_uses_host_header”.  These have changed a bit in the most recent version of squid (and I don’t know how far back).  The “redirector_program” directive has become “url_rewrite_program”, but it works the same way.  You’ll also want to set “url_rewrite_children”, and squirm recommends 10 as a default.  That’s the number of instances of your redirector squid will keep on hand; each one will handle 1 url at a time.  If you have a really busy server, you may have to increase this in order to keep your clients from having to wait.  As for “httpd_accel_uses_host_header”, it is supposed to be handled automatically as part of the http_port line.  The example I saw used “http_port 3128 transparent”, so I don’t know if the redirector would work on a non-transparent squid proxy or not.
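The rewrite rule and the helper's side of the url_rewrite_program exchange, as an added example that is not part of the original post and is not squirm's code. It assumes the classic one-request-per-line helper format ("URL client_ip/fqdn ident method", reply with the new URL or an empty line), uses Python's re in place of the GNU regex library, and runs on constructed sample requests.

```python
import re
import sys

# The rule from squirm.patterns. Python's re is not the GNU POSIX library
# squirm uses, but this particular pattern behaves the same in both.
PATTERN = re.compile(r"^http://.*/iavs4x(.*)")
TARGET = "http://download682.avast.com/iavs4x"

# Constructed request lines (hosts, client address and file names are made up).
SAMPLE_LINES = [
    "http://download123.avast.com/iavs4x/servers.def 192.168.2.15/- - GET",
    "http://192.0.2.10/iavs4x/400.vpu 192.168.2.15/- - GET",
    # Not an Avast mirror, but the host part of the rule is ".*", so it matches.
    "http://example.org/mirror/iavs4x/x.bin 192.168.2.15/- - GET",
    "http://example.com/index.html 192.168.2.15/- - GET",
]


def rewrite(url):
    """Return the single-mirror URL, or None when the rule does not apply."""
    m = PATTERN.match(url)
    if m is None:
        return None
    return TARGET + m.group(1)  # group(1) is what \1 carries over


def handle_line(line):
    """Answer one helper request: new URL, or "" to leave the URL alone."""
    fields = line.split()
    if not fields:
        return ""
    return rewrite(fields[0]) or ""


def main():
    # Each helper instance answers one request at a time, in order.
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()  # squid is waiting on this reply


if __name__ == "__main__":
    main()
```

The third sample shows that the rule sends any http URL with /iavs4x in its path to download682.avast.com, whatever host the client asked for.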

The last part is the refresh pattern.  It’s just a variation on the patterns I used for the other anti-malware programs:

refresh_pattern http://download682.avast.com/.* 1440 100% 1441 ignore-reload override-lastmod override-expire

Note that we just matched it against the url AFTER the redirection. Cool, ne?

BTW, everything seems to be going well with my refresh pattern lines.  They seem to be downloading fresh copies once per day.  I’ll still keep an eye out, though.

