OCIS with ClamAV?

I’m trying to create a working config for OCIS with ClamAV running behind a reverse proxy (which also handles TLS etc.) - thus I can use the OCIS-full generation utility only for reference purposes.

After failing to add ClamAV to my working instance with Collabora and an external IdP, I’ve created a pretty minimal compose.yaml with the following content:

services:
  ocis:
    container_name: ocis
    hostname: ocis
    image: owncloud/ocis:latest
    restart: unless-stopped
    entrypoint:
      - /bin/sh
    command: ["-c", "ocis init || true; ocis server"]
    expose:
      - 9200
    ports:
      - "9200:9200"
      - "9233:9233"
    environment:
      DEMO_USERS: false
      PROXY_TLS: false
      OCIS_INSECURE: false
      OCIS_URL: https://testocis.mydomain.app
      # Antivir section
      ANTIVIRUS_EVENTS_ENABLE_TLS: false
      OCIS_ADD_RUN_SERVICES: antivirus
      ANTIVIRUS_SCANNER_TYPE: clamav
      ANTIVIRUS_CLAMAV_SOCKET: /var/run/clamav/clamd.sock
      POSTPROCESSING_STEPS: virusscan
    volumes:
      - $PWD/config:/etc/ocis
      - $PWD/data:/var/lib/ocis
      - clamav-socket:/var/run/clamav

  clamav:
    container_name: clamav-ocis
    image: clamav/clamav:latest
    logging:
      driver: local
    restart: always
    volumes:
      - clamav-socket:/tmp
      - clamav-db:/var/lib/clamav

volumes:
  clamav-socket:
  clamav-db:

After starting I’ve checked whether clamd socket is present in ocis container:

But when I try to upload a file I get:

{
  "level": "error",
  "service": "antivirus",
  "error": "Get \"https://localhost:9200/data/eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOlsicmV2YSJdLCJleHAiOjE3NDk5MDA3NDMsImlhdCI6MTc0OTgxNDM0MywidGFyZ2V0IjoiaHR0cDovL2xvY2FsaG9zdDo5MTU4L2RhdGEvdHVzL2RhODcxNDdiLTlhYWQtNGI0Yi05MjZhLTk1M2YyYzViODhjYyJ9.dD_MkO1lyaS32Jh2qetMpEEjXufJYo3OOb4OM3fI-q0\": http: server gave HTTP response to HTTPS client",
  "uploadid": "da87147b-9aad-4b4b-926a-953f2c5b88cc",
  "time": "2025-06-13T11:42:58Z",
  "message": "error downloading file"
}

Any suggestions on how to configure antivirus with OCIS?

And btw - I know I could turn on TLS behind the reverse proxy by setting PROXY_TLS: true, but I wonder whether there’s a way to set it up in the more common (IMO) scenario with TLS offloaded to the reverse proxy.

With TLS behind reverse proxy configuration works and ClamAV correctly catches malicious files:

Interesting find. The antivirus service downloads the file via a downlink provided by the storage-users service. This download link is based on the STORAGE_USERS_DATA_SERVER_URL and STORAGE_USERS_DATA_GATEWAY_URL envvars in the storage-users service. So adjusting those could fix the problem.

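A way to read the error log from the first post when debugging this, as an added example that is not part of the original thread or of oCIS itself: the last path segment of the failing URL is a JWT, and decoding its payload (without verifying the signature) shows the internal `target` next to the scheme and host the antivirus service was told to fetch from. The log line below is constructed; its field names and the `target` claim follow the shape of the log in the first post, and the function names are made up for this example.

```python
import base64
import json
import re
from urllib.parse import urlsplit

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_sample_log() -> str:
    """Constructed log line shaped like the antivirus error above (not real data)."""
    claims = {"aud": ["reva"],
              "target": "http://localhost:9158/data/tus/00000000-0000-0000-0000-000000000000"}
    token = ".".join([b64url(b'{"alg":"HS256","typ":"JWT"}'),
                      b64url(json.dumps(claims).encode()),
                      "constructed-signature"])
    return json.dumps({
        "level": "error", "service": "antivirus",
        "error": f'Get "https://localhost:9200/data/{token}": '
                 "http: server gave HTTP response to HTTPS client",
        "message": "error downloading file",
    })

def diagnose(log_line: str) -> dict:
    """Extract the download URL and the token's internal target from one log line."""
    entry = json.loads(log_line)
    match = re.search(r'Get "([^"]+)"', entry["error"])
    if not match:
        raise ValueError("no download URL in error field")
    url = urlsplit(match.group(1))
    token = url.path.rsplit("/", 1)[-1]
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)       # restore stripped base64 padding
    # Diagnostic read only: the signature is NOT verified here.
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return {
        "download_scheme": url.scheme,          # what the antivirus client dialed
        "download_host": url.netloc,
        "internal_target": claims["target"],    # where the data server forwards
        "internal_scheme": urlsplit(claims["target"]).scheme,
        # Go's HTTP client reports this when it speaks TLS to a plain-HTTP listener
        "tls_mismatch": url.scheme == "https"
                        and "HTTP response to HTTPS client" in entry["error"],
    }

if __name__ == "__main__":
    for key, value in diagnose(make_sample_log()).items():
        print(f"{key}: {value}")
```

A `download_scheme` of `https` together with `tls_mismatch: True` means the generated download link advertises TLS on a listener that is serving plain HTTP, which is the situation the two storage-users URL variables control.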

Thank you @kobergj - how do you think those should be set? If I simply put something like http://127.0.0.1:9200 under these variables (and revert the reverse proxy to redirect to http://<SERVER_IP>) the whole thing naturally will stop working (in the best case scenario I’ll get “Client sent an HTTP request to an HTTPS server.”).

Also I wonder - what’s the point of exposing ClamAV socket then?

I’ve just realized I’m a dummy - I’ve forgotten to revert PROXY_TLS, OCIS_INSECURE to proper values (one of the most annoying things about OCIS is the number of env. variables and interdependencies between them).

So I’ve reverted to this basic set of variables and without ClamAV it works:

But when I add antivirus variables along with storage ones - I can log in, but can’t upload anything:

Ok, it seems I may have working config for OCIS behind reverse proxy and TLS offloaded:

Thank you @kobergj - without you finding the info about storage variables would be much more painful (as there’s no hint in antivir section those tweaks might be needed).

Now I just need to test it in a more complex setup, with external OIDC provider and extra services (Collabora).
