On https://docs.clamav.net/appendix/CvdPrivateMirror.html#use-an-http-proxy
Am looking for best practices on how an HTTP proxy should be configured in this scenario. Some questions:
1) What mechanism should a proxy use to detect a stale cached file? Want to avoid stale files obviously, but also reduce load to the public mirrors and chance of rate limiting. I see ETag, Cache-Control, Expires headers in HTTP responses from database.clamav.net. And have seen cvdupdate specify the If-Modified-Since header in requests. So a lot of choices, which are preferred?
2) I see that curl requests to database.clamav.net fail unless I override the User-Agent header to have a value similar to what freshclam does, such as "CVDUPDATE/0". If I have to manually set this in a proxy, is there guidance on what a good future-proof value is? It feels weird to lie in the request.
3) Happy to hear any dissenting opinions on the HTTP proxy idea. Is it lower risk to just run cvdupdate, or a freshclam coupled with a web server internally? On the surface a caching proxy seems simpler, fewer moving parts, less to maintain.
Thanks!
Aaron