Merge pull request #1 from ajilaag/develop

HTTPS & malware signature database

Author: ajila-fmeyer

Dockerfile

@@ -17,16 +17,18 @@ RUN sed -i 's/^#Foreground .*$/Foreground true/g' /etc/clamav/clamd.conf \
     && sed -i 's/^#TCPSocket .*$/TCPSocket 3310/g' /etc/clamav/clamd.conf \
     && sed -i 's/^#Foreground .*$/Foreground true/g' /etc/clamav/freshclam.conf
 
-RUN freshclam --quiet --no-dns --checks=2
+RUN freshclam --quiet --no-dns
 
 # Build go package
 ADD . /go/src/clamav-rest/
+ADD ./server.* /etc/ssl/clamav-rest/
 RUN cd /go/src/clamav-rest && go build -v
 
 COPY entrypoint.sh /usr/bin/
 RUN mv /go/src/clamav-rest/clamav-rest /usr/bin/ && rm -Rf /go/src/clamav-rest
 
 EXPOSE 9000
+EXPOSE 9443
 
 ENV MAX_SCAN_SIZE=100M
 ENV MAX_FILE_SIZE=25M
@@ -41,5 +43,6 @@ ENV MAX_PARTITIONS=50
 ENV MAX_ICONSPE=100
 ENV PCRE_MATCHLIMIT=100000
 ENV PCRE_RECMATCHLIMIT=2000
+ENV SIGNATURE_CHECKS=24
 
 ENTRYPOINT [ "entrypoint.sh" ]

README.md

@@ -36,10 +36,12 @@ The following image tags are available:
 
 Run clamav-rest docker image:
 ```bash
-docker run -p 9000:9000 -itd --name clamav-rest ajilaag/clamav-rest
+docker run -p 9000:9000 -p 9443:9443 -itd --name clamav-rest ajilaag/clamav-rest
 ```
 
 Test that service detects common test virus signature:
+
+**HTTP**
 ```bash
 $ curl -i -F "[email protected]" http://localhost:9000/scan
 HTTP/1.1 100 Continue
@@ -52,7 +54,22 @@ Content-Length: 56
 { Status: "FOUND", Description: "Eicar-Test-Signature" }
 ```
 
+**HTTPS**
+```bash
+$ curl -i -k -F "[email protected]" https://localhost:9443/scan
+HTTP/1.1 100 Continue
+
+HTTP/1.1 406 Not Acceptable
+Content-Type: application/json; charset=utf-8
+Date: Mon, 28 Aug 2017 20:22:34 GMT
+Content-Length: 56
+
+{ Status: "FOUND", Description: "Eicar-Test-Signature" }
+```
+
 Test that service returns 200 for clean file:
+
+**HTTP**
 ```bash
 $ curl -i -F "[email protected]" http://localhost:9000/scan
 
@@ -65,6 +82,21 @@ Content-Length: 33
 
 { Status: "OK", Description: "" }
 ```
+**HTTPS**
+```bash
+$ curl -i -k -F "[email protected]" https://localhost:9443/scan
+
+HTTP/1.1 100 Continue
+
+HTTP/1.1 200 OK
+Content-Type: application/json; charset=utf-8
+Date: Mon, 28 Aug 2017 20:23:16 GMT
+Content-Length: 33
+
+{ Status: "OK", Description: "" }
+```
+
+
 
 ## Status Codes
 - 200 - clean file = no KNOWN infections
@@ -94,6 +126,7 @@ Below is the complete list of available options that can be used to customize yo
 | `MAX_ICONSPE` | How many Icons in PE to scan - Default `100` |
 | `PCRE_MATCHLIMIT` | Maximum PCRE Match Calls - Default `100000` |
 | `PCRE_RECMATCHLIMIT` | Maximum Recursive Match Calls to PCRE - Default `2000` |
+| `SIGNATURE_CHECKS` | Check times per day for a new database signature. Must be between 1 and 50. - Default `24` |
 
 ## Networking
 
@@ -108,7 +141,7 @@ Below is the complete list of available options that can be used to customize yo
 For debugging and maintenance purposes you may want access the containers shell. 
 
 ```bash
-docker exec -it (whatever your container name is e.g. clamav) bash
+docker exec -it (whatever your container name is e.g. clamav-rest) /bin/sh
 ```
 
 # Developing
@@ -118,7 +151,7 @@ Build golang (linux) binary and docker image:
 ```bash
 # env GOOS=linux GOARCH=amd64 go build
 docker build . -t clamav-go-rest
-docker run -p 9000:9000 -itd --name clamav-rest clamav-go-rest
+docker run -p 9000:9000 -p 9443:9443 -itd --name clamav-rest clamav-go-rest
 ```
 
 # References

centos.Dockerfile

@@ -28,15 +28,32 @@ RUN sed -i 's/^Example$/# Example/g' /etc/clamd.d/scan.conf \
     && sed -i 's/^#TCPSocket .*$/TCPSocket 3310/g' /etc/clamd.d/scan.conf \
     && sed -i 's/^#Foreground .*$/Foreground true/g' /etc/freshclam.conf
 
+RUN freshclam --quiet --no-dns
+
 # Build go package
 ADD . /go/src/clamav-rest/
+ADD ./server.* /etc/ssl/clamav-rest/
 RUN cd /go/src/clamav-rest/ && go build -v
 
 COPY entrypoint.sh /usr/bin/
 RUN mv /go/src/clamav-rest/clamav-rest /usr/bin/ && rm -Rf /go/src/clamav-rest
 
 EXPOSE 9000
-
-RUN freshclam --quiet
+EXPOSE 9443
+
+ENV MAX_SCAN_SIZE=100M
+ENV MAX_FILE_SIZE=25M
+ENV MAX_RECURSION=16
+ENV MAX_FILES=10000
+ENV MAX_EMBEDDEDPE=10M
+ENV MAX_HTMLNORMALIZE=10M
+ENV MAX_HTMLNOTAGS=2M
+ENV MAX_SCRIPTNORMALIZE=5M
+ENV MAX_ZIPTYPERCG=1M
+ENV MAX_PARTITIONS=50
+ENV MAX_ICONSPE=100
+ENV PCRE_MATCHLIMIT=100000
+ENV PCRE_RECMATCHLIMIT=2000
+ENV SIGNATURE_CHECKS=24
 
 ENTRYPOINT [ "entrypoint.sh" ]

clamrest.go

@@ -10,6 +10,7 @@ import (
 	"os"
 	"strings"
 	"time"
+
 	"github.com/dutchcoders/go-clamd"
 )
 
@@ -157,6 +158,11 @@ func waitForClamD(port string, times int) {
 
 func main() {
 
+	const (
+		PORT     = ":9000"
+		SSL_PORT = ":9443"
+	)
+
 	opts = make(map[string]string)
 
 	for _, e := range os.Environ() {
@@ -178,10 +184,9 @@ func main() {
 	http.HandleFunc("/scanPath", scanPathHandler)
 	http.HandleFunc("/", home)
 
-	//Listen on port PORT
-	if opts["PORT"] == "" {
-		opts["PORT"] = "9000"
-	}
-	fmt.Printf("Listening on port " + opts["PORT"])
-	http.ListenAndServe(":"+opts["PORT"], nil)
-}
+	// Start the HTTPS server in a goroutine
+	go http.ListenAndServeTLS(SSL_PORT, "/etc/ssl/clamav-rest/server.crt", "/etc/ssl/clamav-rest/server.key", nil)
+
+	// Start the HTTP server
+	http.ListenAndServe(PORT, nil)
+}

docker-compose.yml

@@ -5,4 +5,5 @@ services:
     mem_limit: 1048576000
     image: ajilaag/clamav-rest
     ports:
-      - "9000:9000"
+      - "9000:9000"
+      - "9443:9443"

entrypoint.sh

@@ -16,7 +16,7 @@ sed -i 's/^#MaxIconsPE .*$/MaxIconsPE '"$MAX_ICONSPE"'/g' /etc/clamav/clamd.conf
 sed -i 's/^#PCREMatchLimit.*$/PCREMatchLimit '"$PCRE_MATCHLIMIT"'/g' /etc/clamav/clamd.conf
 sed -i 's/^#PCRERecMatchLimit .*$/PCRERecMatchLimit '"$PCRE_RECMATCHLIMIT"'/g' /etc/clamav/clamd.conf
 
-freshclam -d &
+freshclam --daemon --checks=$SIGNATURE_CHECKS &
 clamd &
 /usr/bin/clamav-rest &
 

server.crt

@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIB2TCCAV8CCQDifaD7KfcXjzAKBggqhkjOPQQDBDBWMQswCQYDVQQGEwJDSDEQ
+MA4GA1UECAwHTHVjZXJuZTEPMA0GA1UEBwwGU3Vyc2VlMREwDwYDVQQKDAhhamls
+YSBBRzERMA8GA1UECwwIYWppbGEgQUcwHhcNMjAwMjA1MTI1MTQzWhcNMzAwMjAy
+MTI1MTQzWjBWMQswCQYDVQQGEwJDSDEQMA4GA1UECAwHTHVjZXJuZTEPMA0GA1UE
+BwwGU3Vyc2VlMREwDwYDVQQKDAhhamlsYSBBRzERMA8GA1UECwwIYWppbGEgQUcw
+djAQBgcqhkjOPQIBBgUrgQQAIgNiAARqaWNMhncO9fc3bhLHNvcpT+Oml4yXEMX3
+gUXb3SNeyW5dE74x6hxQQ04qIB/UmC5zi+USJmvrbUwm+nFehqBvn5S8aZgeXklL
+MpKFzXepzsgHIisYG3U943+7Fj6m67cwCgYIKoZIzj0EAwQDaAAwZQIxAKatG/Zw
+TR2yYRPExR8bFalQYle1JqNbHcfv8p2bqb9+ISqIaXmJde5S+5gvez0VOwIwKIpE
+gteclRk6IQy9NKxCsoflcMwXI4r45Tffi3PV7x2O4rMbPGVwyk4IGms9hb+S
+-----END CERTIFICATE-----

server.key

@@ -0,0 +1,9 @@
+-----BEGIN EC PARAMETERS-----
+BgUrgQQAIg==
+-----END EC PARAMETERS-----
+-----BEGIN EC PRIVATE KEY-----
+MIGkAgEBBDBZM2J/UKtGWJ5iu/VWRb5tUt2G41EcQKrgmrJT473hackaLP0C1peI
+ubjs6qbBmaigBwYFK4EEACKhZANiAARqaWNMhncO9fc3bhLHNvcpT+Oml4yXEMX3
+gUXb3SNeyW5dE74x6hxQQ04qIB/UmC5zi+USJmvrbUwm+nFehqBvn5S8aZgeXklL
+MpKFzXepzsgHIisYG3U943+7Fj6m67c=
+-----END EC PRIVATE KEY-----