HTTP Proxy for freshclam: avoid secrets in freshclam.conf and respect environment variable HTTP_PROXY
rriemann opened this issue · 3 comments
Problem Description
For a small project, my organisation runs clamav as a simple ICAP API in a restricted environment with no internet. We can, though, access the internet through a web proxy with the appropriate credentials.
As we deploy clamav+freshclam in kubernetes, we struggle to pass through the secret for the web proxy from the HashiCorp Vault part of the kubernetes environment, made available as an environment variable, to the /etc/clamav/freshclam.conf file.
Kubernetes does not permit environment variable interpolation in ConfigMaps holding the freshclam.conf. Putting the secret in the container image is an anti-pattern. As a workaround I can only imagine doing some sed whenever the container boots, but this would introduce unnecessary race conditions.
Possible Solution
Ideally, freshclam would respect the proxy configuration found in the HTTP_PROXY and/or HTTPS_PROXY environment variable like many other applications do. Only if not set, it would use values from freshclam.conf.
Example of curl: https://everything.curl.dev/usingcurl/proxies/env.html
@rriemann I agree we should be able to set the http proxy username, password, and port through environment variables rather than relying on HTTPProxyUsername, HTTPProxyPassword, and HTTPProxyPort in freshclam.conf. I'm a little surprised we don't have this already, at least for password.
We do have environment variables for freshclam client authentication with a certificate. From freshclam --help:
Environment Variables:
    CURL_CA_BUNDLE              May be set to the path of a file (bundle)
                                containing one or more CA certificates.
                                This will override the default openssl
                                certificate path.
    FRESHCLAM_CLIENT_CERT       May be set to the path of a file (PEM)
                                containing the client certificate.
                                This may be used for client authentication
                                to a private mirror.
    FRESHCLAM_CLIENT_KEY        May be set to the path of a file (PEM)
                                containing the client private key.
                                This is required if FRESHCLAM_CLIENT_CERT is set.
    FRESHCLAM_CLIENT_KEY_PASSWD May be set to a password for the client key PEM file.
                                This is required if FRESHCLAM_CLIENT_KEY is
                                set and the PEM file is password protected.
I wonder if you can use this for certificate-based authentication with your proxy.
Unfortunately, we have zero flexibility on the proxy. It is managed by a partner on which we have no influence.
In the meantime, I came up with this poor programmer's workaround:
I add this line to the /init entrypoint file in the docker container:
echo "$(envsubst < /etc/clamav/freshclam.conf)" > /etc/clamav/freshclam.conf
I can put $PROXY_PASS in the file and it will be replaced. Of course, support for a proper http_proxy environment variable is cleaner. :)
My Containerfile:
# ARG must be declared before FROM to be usable in it; build with --build-arg VERSION=<tag>
ARG VERSION=latest
FROM clamav/clamav:$VERSION
# envsubst is shipped in the gettext package
RUN apk add --no-cache gettext
# insert the substitution step as line 12 of the image's /init entrypoint
RUN sed -i '12iecho "$(envsubst < /etc/clamav/freshclam.conf)" > /etc/clamav/freshclam.conf' /init
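The following is an added example, not code from this thread or from the ClamAV project. It shows what the requested behaviour (HTTP_PROXY taking precedence over freshclam.conf) can look like when done in the container entrypoint today, and it addresses the two concerns raised above: the secret stays in an environment variable (for example one injected from Vault), and the rendered config is written to a temporary file and renamed, so freshclam never reads a half-written file. Assumed: HTTP_PROXY has the form scheme://[user[:pass]@]host[:port] with no percent-encoding and no IPv6 literal; the directive names HTTPProxyServer, HTTPProxyPort, HTTPProxyUsername and HTTPProxyPassword are the ones freshclam.conf uses; the template and output paths are hypothetical.

```shell
#!/bin/sh
# Added example (not ClamAV project code): derive the HTTPProxy* directives of
# freshclam.conf from the HTTP_PROXY environment variable at container start.
# Assumptions: HTTP_PROXY looks like scheme://[user[:pass]@]host[:port], with no
# percent-encoding and no bracketed IPv6 host; paths passed in are hypothetical.
set -eu

# parse_proxy_url URL: print host, port, user and password on four lines
# (an empty line where a part is absent).
parse_proxy_url() {
    rest=${1#*://}                      # strip "scheme://" if present
    rest=${rest%%/*}                    # drop any trailing path
    userinfo=""
    hostport=$rest
    case $rest in
        *@*) userinfo=${rest%@*}        # shortest suffix: keeps '@' inside a password
             hostport=${rest##*@} ;;
    esac
    host=${hostport%%:*}
    port=""
    case $hostport in *:*) port=${hostport##*:} ;; esac
    user=${userinfo%%:*}
    pass=""
    case $userinfo in *:*) pass=${userinfo#*:} ;; esac
    printf '%s\n%s\n%s\n%s\n' "$host" "$port" "$user" "$pass"
}

# proxy_directives URL: print the freshclam.conf lines for that proxy,
# omitting directives whose value is absent from the URL.
proxy_directives() {
    parse_proxy_url "$1" | {
        read -r host; read -r port; read -r user; read -r pass
        printf 'HTTPProxyServer %s\n' "$host"
        [ -n "$port" ] && printf 'HTTPProxyPort %s\n' "$port"
        [ -n "$user" ] && printf 'HTTPProxyUsername %s\n' "$user"
        [ -n "$pass" ] && printf 'HTTPProxyPassword %s\n' "$pass"
        :
    }
}

# render_freshclam_conf BASE OUT: copy BASE (a freshclam.conf holding no secret)
# to OUT, dropping any HTTPProxy* lines it contains and appending the ones
# derived from HTTP_PROXY, so the environment variable wins over the file.
# Written to a temp file in the same directory and renamed into place (atomic
# on the same filesystem), then restricted to 0600 because it holds a password.
render_freshclam_conf() {
    base=$1
    out=$2
    tmp=$(mktemp "${out}.XXXXXX")
    grep -v '^HTTPProxy' "$base" > "$tmp" || true   # grep exits 1 when nothing is left
    if [ -n "${HTTP_PROXY:-}" ]; then
        proxy_directives "$HTTP_PROXY" >> "$tmp"
    fi
    chmod 0600 "$tmp"
    mv "$tmp" "$out"
}

# Entrypoint use with hypothetical paths, e.g.
#   render_freshclam_conf /etc/clamav/freshclam.conf.in /etc/clamav/freshclam.conf
if [ "$#" -eq 2 ]; then
    render_freshclam_conf "$1" "$2"
fi
```

Run it from the entrypoint before freshclam starts, with the secret-free template mounted from the ConfigMap and HTTP_PROXY injected from the secret store. Because the rendered file is 0600, it must be owned by the account freshclam runs as; if the entrypoint runs as root, chown it to that user after rendering.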
Note for future dev: this also relates to / supports the need for #841