Set up ClamAV virus scanning for incoming traffic

Description

This guide describes how to install ClamAV antivirus and set up virus scanning for files that users upload to OpenG2P Modules.

Note that this guide covers only virus scanning of HTTP traffic coming into a particular module from outside (ingress); it does not apply to service-to-service traffic.

Flow description

All incoming traffic to the particular service is first sent to Clammit. Clammit then scans the requests for viruses with ClamAV. If no viruses are found, Clammit forwards the request to the backend service. If viruses are found, Clammit denies the request.

Installation

Only one ClamAV + Clammit installation is enough for the entire Kubernetes Cluster (for all namespaces/sandboxes). This installation can be individually scaled up depending on incoming traffic.

ClamAV Installation

This section uses Wiremind Helm charts for ClamAV installation on Kubernetes.

  • Create clamav-system namespace.

    kubectl create ns clamav-system

  • [Optional] Move clamav-system namespace into System project in Rancher to manage access control.

  • Add wiremind helm repo

    helm repo add wiremind https://wiremind.github.io/wiremind-helm-charts
    helm repo update

  • Install ClamAV in clamav-system namespace.

    helm -n clamav-system upgrade --install clamav wiremind/clamav

Clammit Installation

  • Requires ClamAV from above.

  • Add openg2p helm repo

    helm repo add openg2p https://openg2p.github.io/openg2p-helm
    helm repo update

  • Install Clammit in clamav-system namespace.

    helm -n clamav-system upgrade --install clammit openg2p/clammit

Virus-scan setup

This section describes the configuration process to pass all incoming traffic of a particular service for virus scanning, using the previously installed Clammit instance.

  • Navigate to Rancher -> Istio -> Virtual Services, choose the virtual service for which you want to enable virus scanning, and edit as YAML.

  • Copy the route -> destination -> host and port number. Under headers -> request -> set, add a header like:

    x-clammit-backend: http://{destination_host}.{destination_namespace}:{destination_port}

  • Change the route -> destination -> host and port number to the following.

    route:
      - destination:
          host: clammit.clamav-system.svc.cluster.local
          port:
            number: 80

Example

Say you want to virus-scan all incoming traffic of the Social Registry Odoo module. The Istio Virtual Service social-registry-odoo would look like this before and after the change.

  • Before

    spec:
      ...
      http:
        ...
        - headers:
            request:
              set:
                ...
          route:
            - destination:
                host: social-registry-odoo
                port:
                  number: 80

  • After

    spec:
      ...
      http:
        ...
        - headers:
            request:
              set:
                x-clammit-backend: http://social-registry-odoo.dev
                ...
          route:
            - destination:
                host: clammit.clamav-system.svc.cluster.local
                port:
                  number: 80
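
The same edit can be applied and checked programmatically. The following is an added example, not part of the OpenG2P tooling: it works on a Virtual Service loaded as a Python dict (for instance from `kubectl get virtualservice <name> -o json`), builds the header from the template given in the Virus-scan setup section, and reports any routes that still bypass Clammit. The function names and the sample Virtual Service, including its `x-forwarded-proto` header, are assumptions made for illustration.

```python
import copy

CLAMMIT_HOST = "clammit.clamav-system.svc.cluster.local"  # Clammit service from this guide
CLAMMIT_PORT = 80
BACKEND_HEADER = "x-clammit-backend"

# Constructed sample: a "Before" Virtual Service, as parsed from JSON/YAML.
SAMPLE_VS = {"spec": {"http": [{
    "headers": {"request": {"set": {"x-forwarded-proto": "https"}}},
    "route": [{"destination": {"host": "social-registry-odoo", "port": {"number": 80}}}],
}]}}


def route_through_clammit(virtual_service, namespace):
    """Return a copy with each HTTP route sent to Clammit and the original
    destination recorded in the x-clammit-backend request header."""
    vs = copy.deepcopy(virtual_service)
    for http in vs.get("spec", {}).get("http", []):
        routes = http.get("route", [])
        if not routes:
            continue  # redirect-only entry: no backend to scan for
        if len(routes) != 1:
            # One header names one backend, so weighted routes do not fit.
            raise ValueError("expected exactly one destination per http entry")
        dest = routes[0]["destination"]
        if dest["host"] == CLAMMIT_HOST:
            continue  # already rewritten; keeps the function idempotent
        host = dest["host"]
        if "." not in host:
            host = f"{host}.{namespace}"  # {destination_host}.{destination_namespace}
        port = dest.get("port", {}).get("number")
        backend = f"http://{host}:{port}" if port else f"http://{host}"
        request = http.setdefault("headers", {}).setdefault("request", {})
        request.setdefault("set", {})[BACKEND_HEADER] = backend
        routes[0]["destination"] = {"host": CLAMMIT_HOST, "port": {"number": CLAMMIT_PORT}}
    return vs


def unscanned_routes(virtual_service):
    """Return indexes of http entries that still bypass Clammit."""
    missing = []
    for i, http in enumerate(virtual_service.get("spec", {}).get("http", [])):
        hosts = [r["destination"]["host"] for r in http.get("route", [])]
        header = http.get("headers", {}).get("request", {}).get("set", {}).get(BACKEND_HEADER)
        if hosts and (any(h != CLAMMIT_HOST for h in hosts) or not header):
            missing.append(i)
    return missing
```

Running `unscanned_routes` over every Virtual Service in a namespace gives a quick audit of which ingress routes are not yet passing through the scanner.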
