Set up ClamAV virus scanning for incoming traffic
Last updated
Was this helpful?
latest
Last updated
Was this helpful?
This guide is for setting up ClamAV antivirus and the steps to set up virus scanning for files being uploaded by users onto OpenG2P Modules.
Please note that this guide only applies to enabling virus scanning for HTTP traffic coming into a particular module from outside (ingress), and this doesn't apply to virus scanning for service-to-service traffic.
All the incoming traffic to the particular service will first be sent to Clammit. Clammit will then scan the requests for Virus with ClamAV. If no viruses are found, Clammit will forward the request to the backend service. If viruses are found, Clammit will deny the request.
Only one ClamAV + Clammit installation is enough for the entire Kubernetes Cluster (for all namespaces/sandboxes). This installation can be individually scaled up depending on incoming traffic.
This section uses Wiremind Helm charts for ClamAV installation on Kubernetes.
Create clamav-system namespace.
[Optional] Move clamav-system namespace into System project in Rancher to manage access control.
Add wiremind helm repo
Install ClamAV in clamav-system namespace.
Requires ClamAV from above.
Add openg2p helm repo
Install Clammit in clamav-system namespace.
This section describes the configuration process to pass all incoming traffic of a particular service for virus scanning, using the previously installed Clammit instance.
Navigate to Rancher -> Istio -> Virtual Services, choose the virtual service for which you want to enable virus scanning, and edit as YAML.
Copy the route -> destination -> host and port number. Under headers -> request -> set, add a header like:
Change the route -> destination -> host and port number to the following.
Say you want to virus-scan all incoming traffic of the Social Registry odoo module, the Istio Virtual Service social-registry-odoo would look like this.
Before
After
ClamAV and .
Clammit .
Wiremind ClamAV .
OpenG2P Clammit .
