Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...


Daniel Nashed

How do you secure a service like ClamAV with TLS?

Daniel Nashed – 8 May 2022 14:26:56

HTTP/HTTPS based services

Adding TLS to a web-based/REST service like Apache Tika is very straightforward.

That's a typical HTTP/HTTPS configuration you can run behind any load balancer; on Kubernetes this would be the perfect example for an Ingress.
Tika is actually a very good example of a scalable container: it holds no data and just provides an attachment parsing service via REST.

But what if your service isn't HTTP based, like the ClamAV protocol?

NGINX Stream config with TLS off-loading

You can create a simple stream configuration with a TLS key/cert.

The example config below just uses one back-end. NGINX could run in an extra container.

Or you could add it to the same ClamAV container.

I looked into ICAP gateways from Trend Micro and McAfee.

Both support TLS, but for security-oriented companies they have a very lousy TLS implementation with older TLS versions...

They also only work well with their self-signed certs. If you use a certificate from a CA, you will notice that they only send the server certificate without the intermediates.

Remote clients usually expect the full certificate chain, because they only have the CA root in their trust store.

And some run Linux versions that are not really up to date.

So you might want to put something more up to date in front of your ICAP servers, even if they support TLS themselves.

Here is the simple sample configuration.

-- Daniel


events {}

stream {
    upstream backend {
        # Assumption: clamd listens on its default TCP port 3310 in the same
        # container (the back-end server line is missing from the extracted post)
        server 127.0.0.1:3310;
    }

    server {
        listen     3311 ssl;        # TLS-wrapped clamd port for remote clients
        proxy_pass backend;

        ssl_certificate         /local/cert.pem;   # server cert followed by the intermediates
        ssl_certificate_key     /local/key.pem;

        ssl_ciphers             HIGH:!aNULL:!MD5;
        ssl_protocols           TLSv1.2 TLSv1.3;

        proxy_ssl_session_reuse on;
    }
}

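As an added example (not code from the original post), a small Python client that speaks the clamd protocol through such a TLS front-end: it requires TLS 1.2+ and validates the server's chain against the CA root, so a front-end that omits the intermediates fails the handshake instead of being trusted silently. The host name, port 3311 and the CA file path are assumptions; the framing and reply parsing can be exercised without a server.

```python
import socket
import ssl
import struct

# clamd INSTREAM framing: NUL-terminated "z" command, then chunks of
# 4-byte big-endian length + data, ended by a zero-length chunk.
def encode_instream(data: bytes, chunk_size: int = 2048) -> bytes:
    out = bytearray(b"zINSTREAM\0")
    for i in range(0, len(data), chunk_size):
        chunk = data[i:i + chunk_size]
        out += struct.pack(">I", len(chunk)) + chunk
    out += struct.pack(">I", 0)
    return bytes(out)

def parse_reply(reply: bytes):
    # Map a NUL-terminated clamd reply ("stream: OK", "stream: <name> FOUND",
    # or an ERROR line) to (clean, detail).
    text = reply.rstrip(b"\0").decode("ascii", errors="replace")
    if text.endswith(" OK"):
        return True, None
    if text.endswith(" FOUND"):
        return False, text.split(": ", 1)[1][:-len(" FOUND")]
    return False, text  # ERROR or an unexpected reply

def tls_context(cafile=None) -> ssl.SSLContext:
    # Full chain validation against the CA root (or the system store when
    # cafile is None); a front-end that only sends the leaf fails here.
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # same floor as ssl_protocols
    return ctx

def scan_over_tls(host: str, port: int, data: bytes, cafile=None):
    # host, port and cafile are assumptions for this example.
    ctx = tls_context(cafile)
    with socket.create_connection((host, port), timeout=30) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(encode_instream(data))
            reply = b""
            while not reply.endswith(b"\0"):
                part = tls.recv(4096)
                if not part:
                    break
                reply += part
    return parse_reply(reply)

if __name__ == "__main__":
    # Constructed sample: a harmless buffer sent to the assumed front-end.
    print(scan_over_tls("clamav.example.test", 3311, b"hello world", "ca.pem"))
```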