Set up ClamAV virus scanning for incoming traffic

Description

This guide is for setting up ClamAV antivirus and the steps to set up virus scanning for files being uploaded by users onto OpenG2P Modules.

Please note that this guide only applies to enabling virus scanning for HTTP traffic coming into a particular module from outside (ingress), and this doesn't apply to virus scanning for service-to-service traffic.

Flow description

All the incoming traffic to the particular service will first be sent to Clammit. Clammit will then scan the requests for Virus with ClamAV. If no viruses are found, Clammit will forward the request to the backend service. If viruses are found, Clammit will deny the request.

Installation

Only one ClamAV + Clammit installation is enough for the entire Kubernetes Cluster (for all namespaces/sandboxes). This installation can be individually scaled up depending on incoming traffic.

ClamAV Installation

This section uses Wiremind Helm charts for ClamAV installation on Kubernetes.

Create clamav-system namespace.
```
kubectl create ns clamav-system
```
[Optional] Move clamav-system namespace into System project in Rancher to manage access control.

Add wiremind helm repo

helm repo add wiremind https://wiremind.github.io/wiremind-helm-charts
helm repo update

Install ClamAV in clamav-system namespace.

helm -n clamav-system upgrade --install clamav wiremind/clamav

Clammit Installation

Requires ClamAV from above.

Add openg2p helm repo

helm repo add openg2p https://openg2p.github.io/openg2p-helm
helm repo update

Install Clammit in clamav-system namespace.

helm -n clamav-system upgrade --install clammit openg2p/clammit

Virus-scan setup

This section describes the configuration process to pass all incoming traffic of a particular service for virus scanning, using the previously installed Clammit instance.

Navigate to Rancher -> Istio -> Virtual Services, choose the virtual service for which you want to enable virus scanning, and edit as YAML.
Copy the route -> destination -> host and port number. Under headers -> request -> set, add a header like:
```
x-clammit-backend: http://{destination_host}.{destination_namespace}:{destination_port}
```

Change the route -> destination -> host and port number to the following.

route:
  - destination:
      host: clammit.clamav-system.svc.cluster.local
      port:
        number: 80

Example

Say you want to virus-scan all incoming traffic of the Social Registry odoo module, the Istio Virtual Service social-registry-odoo would look like this.

Before

spec:
  ...
  http:
    ...
    - headers:
        request:
          set:
            ...
      route:
        - destination:
            host: social-registry-odoo
            port:
              number: 80

After

spec:
  ...
  http:
    ...
    - headers:
        request:
          set:
            x-clammit-backend: http://social-registry-odoo.dev
            ...
      route:
        - destination:
            host: clammit.clamav-system.svc.cluster.local
            port:
              number: 80

Sources

ClamAV website and docs.
Clammit site, source code and docs.
Wiremind ClamAV Helm chart source.
OpenG2P Clammit Helm chart & Docker source code.

PreviousInstall WebSub NextAir-gapped deployment setup using Gitlab

Last updated 6 months ago

Was this helpful?