Secured ICAP with stunnel TLS proxy
You can use the stunnel service to carry ICAP scanning traffic over an encrypted (TLS) connection, known as ICAPS, and so increase security.
1. Install and activate ESET Server Security for Linux (ESSL).
2. To enable ICAP scanning, click Setup > Detection engine > Remote scanning and click the toggle next to Enable remote scanning using ICAP service.
3. Install stunnel with the package manager. On Ubuntu 20.04, execute the following command from a Terminal window as a privileged user:
sudo apt install stunnel
4. Store the private key and the certificate that stunnel will use to encrypt the communication in a file with restricted access. The certificate must be trusted by the ICAP client that connects to ESSL over this secured connection. Example of how to store the keys and set permissions (the concatenation runs inside a root shell, because with a plain sudo cat ... >> file the redirection would be performed by the unprivileged shell and fail; create the target directory first if it does not exist):
sudo sh -c 'cat private_key.pem ca_key.pem >> /etc/pki/tls/private/stunnel.pem'
sudo chmod 400 /etc/pki/tls/private/stunnel.pem
5. Create the configuration file /etc/stunnel/stunnel.conf, readable only by root (chmod 0600), with the following content:
[efs_icap]
accept = 0.0.0.0:11344
connect = 0.0.0.0:1344
cert = /etc/pki/tls/private/stunnel.pem
•efs_icap—Service name, configured by the lines that follow it. Stunnel supports forwarding of multiple connections, each in its own section.
•accept—IP address and port on which stunnel accepts ICAPS connections. In this example it is 0.0.0.0 (all local interfaces) and port 11344.
•connect—IP address and port where ESSL listens for ICAP requests. In this example it is the same machine and the default port 1344.
Stunnel can also run on a dedicated server and connect to multiple machines running ESSL, or be sandboxed in a chroot. For all stunnel options, see the stunnel manual.
6. Start stunnel with systemd and enable it to run automatically after system boot:
sudo systemctl start stunnel
sudo systemctl enable stunnel
7. Open the ICAPS port in the firewall. On Ubuntu 20.04, execute the following command from a Terminal window as a privileged user:
sudo ufw allow 11344/tcp
8. Configure the ICAP client (for example, a storage appliance) according to its guide: connect it to port 11344, where stunnel accepts connections on behalf of ESSL, and make sure it trusts the certificate used. Then test that the antivirus connection works, for example with the EICAR test sample.
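The following script is an added example, not part of the ESET product or of stunnel. It writes a configuration file with the [efs_icap] service from step 5, checks that the file layout matches steps 4 and 5 (file modes, cert= path, distinct accept and connect ports), and, once stunnel and ESSL are running, sends an ICAP OPTIONS request through the TLS listener with openssl s_client. Two things in it are assumptions: the stunnel4 user and group that the Ubuntu package creates (the setuid/setgid lines) and the ICAP service path, which the script takes from the ICAP_SERVICE variable and which must come from the ESSL documentation. It connects to 127.0.0.1:1344 rather than 0.0.0.0:1344, which is the same local listener written out explicitly.

```shell
#!/bin/sh
# Added example (not ESET or stunnel code): write the [efs_icap] service from the
# steps above, validate the resulting layout, and probe the ICAPS port once
# stunnel is running. Assumed: the stunnel4 user/group of the Ubuntu package and
# the ICAP service path ICAP_SERVICE, which must be taken from the ESSL docs.
ICAP_SERVICE=${ICAP_SERVICE:-/}

write_example_conf() {  # $1 = config path to create, $2 = PEM holding cert + private key
  cat > "$1" <<EOF
; drop privileges after binding the listener (user/group created by the stunnel4 package, assumed)
setuid = stunnel4
setgid = stunnel4

[efs_icap]
accept = 0.0.0.0:11344
connect = 127.0.0.1:1344
cert = $2
EOF
}

conf_value() {  # $1 = config path, $2 = key; prints the key's value inside [efs_icap]
  awk -v key="$2" -v sec="[efs_icap]" '
    /^\[/ { insec = ($0 == sec); next }
    insec && $1 == key && $2 == "=" { print $3; exit }
  ' "$1"
}

file_mode_in() {  # $1 = file, $2 = space-separated list of acceptable octal modes
  mode=$(stat -c '%a' "$1" 2>/dev/null) || mode=$(stat -f '%OLp' "$1" 2>/dev/null) || return 1
  for m in $2; do [ "$mode" = "$m" ] && return 0; done
  return 1
}

check_stunnel_setup() {  # $1 = config path; exit status 0 when the layout matches the procedure
  conf=$1
  [ -r "$conf" ] || { echo "config $conf is not readable"; return 1; }
  file_mode_in "$conf" "600 400" || { echo "config must be chmod 0600"; return 1; }
  cert=$(conf_value "$conf" cert)
  [ -n "$cert" ] || { echo "no cert= in [efs_icap]"; return 1; }
  [ -f "$cert" ] || { echo "cert file $cert is missing"; return 1; }
  file_mode_in "$cert" "400 600" || { echo "$cert holds the private key: chmod 400 it"; return 1; }
  accept=$(conf_value "$conf" accept)
  connect=$(conf_value "$conf" connect)
  aport=${accept##*:}
  cport=${connect##*:}
  case $aport in ''|*[!0-9]*) echo "accept= has no numeric port"; return 1;; esac
  case $cport in ''|*[!0-9]*) echo "connect= has no numeric port"; return 1;; esac
  # the same port on both sides would make stunnel forward to its own listener
  [ "$aport" != "$cport" ] || { echo "accept and connect must use different ports"; return 1; }
  echo "ok: ICAPS $accept -> ICAP $connect, cert $cert"
}

icap_options_probe() {  # $1 = host, $2 = ICAPS port, $3 = CA file the ICAP client trusts
  # Sends an ICAP OPTIONS request through TLS; a healthy stack answers "ICAP/1.0 200 OK".
  # Needs a running stunnel + ESSL, so it is not exercised offline.
  printf 'OPTIONS icap://%s:%s%s ICAP/1.0\r\nHost: %s\r\nEncapsulated: null-body=0\r\n\r\n' \
    "$1" "$2" "$ICAP_SERVICE" "$1" |
    openssl s_client -connect "$1:$2" -CAfile "$3" -verify_return_error -quiet 2>/dev/null |
    head -n 1
}

# usage: sh check_icaps.sh --check [/etc/stunnel/stunnel.conf]
#        sh check_icaps.sh --probe HOST PORT CAFILE
case ${1:-} in
  --check) check_stunnel_setup "${2:-/etc/stunnel/stunnel.conf}" ;;
  --probe) icap_options_probe "$2" "$3" "$4" ;;
esac
```

Run `--check` after step 5 to catch the two mistakes that most often break this setup silently: a world-readable PEM that exposes the private key, and an accept/connect pair on the same port. Run `--probe` after step 7 from the ICAP client's side with the CA file it trusts; a first line other than `ICAP/1.0 200 OK` (or no line at all) means the TLS handshake or the forwarding to port 1344 is failing before any EICAR test can succeed.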