[squid-users] How to setup a secure(!) squid proxy

L.P.H. van Belle belle at bazuin.nl
Mon Jan 18 10:11:48 UTC 2016


Hai, 

 

> I just checked it. It'll work at the moment. But only because the dependencies (and the dependency version) doesn't changed from 3.4.8 to 3.5. So there's is no guarantee that it will work > with further releases.

Yes and if depencies change, you can do the same for these packages, and/or you can change the dependies in the control file for example.

That is what i do, if needed, i change the control file, so least packages are from sid. 

And yes, there is always a risk on errors with future releases, but that risk is always there. 

 

> On the other hand: Installing unstable software is not the way the state system works/should work. I talked to the debian guys. That's exactly the reason why they don't release squid 3.5 > for jessie but writing patches to solve critical issues on their own.

I do rebuild from sid, i dont install from sid, that will give a big mess and we dont want that. 

Since the build also uses configure for the packages, i dont see the problem here, maybe im missing something, 

but i do this for years now with squid, and never had any problems. 

 

 

I use squid 3.5.12 rebuild from sid in debian Jessie without any problem, and works better for me then 3.4.8. ( I need the ssl part from 3.5.12+ ) 

 

The following is needed to get squid 3.5.12 in Jessie with least changes of the stable packages. 

squid 

libecap 

c-icap 

 

and i really dont know why there isnt any jessie-backported package of this (jet).. since 3.5.12 is in testing since 15 dec 2015. 

 

I could not wait for that, so I changed in debain/rules the following.

 

Added 

                --enable-ssl \

                --with-open-ssl=/etc/ssl/openssl.cnf \

                --enable-linux-netfilter

 

And changed the changelog.

I changed it to the following to keep track of the debian packages also. 

 

squid3 (3.5.12-1lvb1-ssl) unstable; urgency=medium

I only added lvb1-ssl so it can use the debian packages and/or my own packages.

 

 

> Then I have to move every software to unstable state (because of the security) I can install an unstable debian directly.

Really, NEVER use sid for production, if you want to get into troubles, this is the way.. 

Sid can change rapidly, and put your server in an un-usable stated, i learned the hard way.  Years ago. 

 

And for the security, subscribe to the debian and squid list ( .. done ) and keep track of messages. 

 

 

Greetz, 

 

Louis

 

 

 

 


Van: startrekfan [mailto:startrekfan75 at freenet.de] 
Verzonden: maandag 18 januari 2016 10:25
Aan: L.P.H. van Belle; squid-users at lists.squid-cache.org
Onderwerp: Re: [squid-users] How to setup a secure(!) squid proxy


 

I just checked it. It'll work at the moment. But only because the dependencies (and the dependency version) doesn't changed from 3.4.8 to 3.5. So there's is no guarantee that it will work with further releases.


 


On the other hand: Installing unstable software is not the way the state system works/should work. I talked to the debian guys. That's exactly the reason why they don't release squid 3.5 for jessie but writing patches to solve critical issues on their own.


 


Then I have to move every software to unstable state (because of the security) I can install an unstable debian directly.


 

L.P.H. van Belle <belle at bazuin.nl> schrieb am Mo., 18. Jan. 2016 um 09:07 Uhr:


Really this is an easy thing to do. 

 

Add in you sources.list.d/sid.list    ad the sid  repo.  ( only src-deb ) 

Run apt-get update. 

 

apt-get source squid 

apt-get build-dep squid 

 make changes if needed, in debian/rules and debian/changelog IF you changed something.

 

Build it

apt-get source squid –b 

it errors, thats ok, get the 2 or 3 extra packages, the same way, after installing them you can build squid again. 

 

put the debs in a repo you can access and your done. 

Did it here, works fine. 

 

 

Greetz, 

 

Louis

 

 


Van: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] Namens startrekfan
Verzonden: maandag 18 januari 2016 8:07
Aan: squid-users at lists.squid-cache.org; squid3 at treenet.co.nz
Onderwerp: Re: [squid-users] How to setup a secure(!) squid proxy


 




Just talked to the debian guys. They won't upgrade squid to 3.5 in debian jessi. It's also hard for me, to implement unstable components in a productive system. 

But the debian guys told me, that they will build own patches for 3.4.8 to fix critical problems if you report them properly to

https://packages.qa.debian.org/s/squid3.html or 

security at debian.org 









I hope/think you already do. So I think 3.4.8 should work for me as well.

 

> Hello

> 

> I`m sorry. I'm not a native speaker so I maybe don't find the right words.

> 

> I'd like to setup a proxy that can scan the incoming traffic for virus 

> (squidclamav). To do that for a https/ssl connection I need the squid 

> ssl-bump feature or is there an other solution?

> 

> Now I want to setup the ssl-bump feature as safe as using no ssl-bump. 

> Is this possible with squid 3.4? (Of course every one who has my CA 

> cert can decrypt the traffic, but I keep it safe.)

> Squid is communicating with the remote server(webserver). I'd like to 

> have at least this communication as safe as using a normal browser.

> 

> Does squid 3.4 do all the necessary steps like checking the 

> certificate validity? What about advanced features like cert pinning?

I don't think 3.4 is enough. May be 3.5 or higher.

> 

> How do I configure ssl virus scanning? Are this steps enough: 

> http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit

http://wiki.squid-cache.org/ConfigExamples/ContentAdaptation/C-ICAP

> 

> Thank you again :)

> 

> 

> _______________________________________________

> squid-users mailing list





>  MailScanner heeft een e-mail met mogelijk een poging tot fraude gevonden van "lists.squid-cache.org"  squid-users at lists.squid-cache.org

> http://lists.squid-cache.org/listinfo/squid-users

 










-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20160118/4b95639f/attachment-0001.html>


More information about the squid-users mailing list