[squid-users] squid-cache proxy which does it all

Amos Jeffries squid3 at treenet.co.nz
Thu Jan 9 19:00:13 UTC 2020


On 9/01/20 8:34 pm, robert k Wild wrote:
> hi all,
> 
> I have made a script for squid that installs the following –
> 
> Squid – http proxy server
> Squid ssl-bump – https interception for squid
> C-ICAP – icap server
> clamAV – AV engine to detect trojan viruses malware etc
> squidclamav – to make it all integrated with squid
> 
> what do you think?
> 
> #!/bin/bash
> #squid on DMZ host
> #
> #first things first lets disable firewalld and SElinux
> #
> systemctl stop firewalld
> systemctl disable firewalld
> sed -i -e 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
> #

Why?



> #squid packages
> #
> yum install -y epel-release swaks sed tar zip unzip curl telnet openssl openssl-devel bzip2-devel libarchive libarchive-devel perl perl-Data-Dumper gcc gcc-c++ binutils autoconf automake make sudo wget libxml2-devel libcap-devel libtool-ltdl-devel
> #
> #clamAV packages
> #
> yum install -y clamav-server clamav-data clamav-update clamav-filesystem clamav clamav-scanner-systemd clamav-devel clamav-lib clamav-server-systemd
> #
> #download and compile from source
> #
> cd /tmp
> wget http://www.squid-cache.org/Versions/v4/squid-4.9.tar.gz

Please use rsync for this, and verify against the *.asc file signature
that you got the file correctly.

> wget http://sourceforge.net/projects/c-icap/files/c-icap/0.5.x/c_icap-0.5.6.tar.gz
> wget http://sourceforge.net/projects/c-icap/files/c-icap-modules/0.5.x/c_icap_modules-0.5.4.tar.gz
> wget https://sourceforge.net/projects/squidclamav/files/squidclamav/7.1/squidclamav-7.1.tar.gz
> for f in *.tar.gz; do tar xf "$f"; done
> cd /tmp/squid-4.9
> ./configure --with-openssl --enable-ssl-crtd --enable-icap-client &&
> make && make install
> #

IIRC this was a CentOS machine right?
If so, see <https://wiki.squid-cache.org/KnowledgeBase/CentOS#Compiling>
otherwise see the equivalent wiki page for your chosen OS compile.

Those settings install Squid as a system application. So no need for the
/usr/local stuff.


> cd /tmp/c_icap-0.5.6
> ./configure 'CXXFLAGS=-O2 -m64 -pipe' 'CFLAGS=-O2 -m64 -pipe' --without-bdb --prefix=/usr/local && make && make install
> #
> cd /tmp/squidclamav-7.1
> ./configure 'CXXFLAGS=-O2 -m64 -pipe' 'CFLAGS=-O2 -m64 -pipe' --with-c-icap=/usr/local --with-libarchive && make && make install
> #
> cd /tmp/c_icap_modules-0.5.4
> ./configure 'CFLAGS=-O3 -m64 -pipe' 'CPPFLAGS=-I/usr/local/clamav/include' 'LDFLAGS=-L/usr/local/lib -L/usr/local/clamav/lib/' && make && make install
> #
> #creating shortcuts and copying files
> #
> cp -f /usr/local/squid/etc/squid.conf /usr/local/squid/etc/squid.conf.orig
> cp -f /usr/local/etc/c-icap.conf /usr/local/etc/c-icap.conf.orig
> cp -f /usr/local/etc/squidclamav.conf /usr/local/etc/squidclamav.conf.orig
> cp -f /usr/local/etc/clamav_mod.conf /usr/local/etc/clamav_mod.conf.orig
> cp -f /usr/local/etc/virus_scan.conf /usr/local/etc/virus_scan.conf.orig
> #
> ln -s /usr/local/squid/etc/squid.conf /etc
> ln -s /usr/local/etc/c-icap.conf /etc
> ln -s /usr/local/etc/squidclamav.conf /etc
> ln -s /usr/local/etc/clamav_mod.conf /etc
> ln -s /usr/local/etc/virus_scan.conf /etc
> #
> mkdir -p /usr/local/clamav/share/clamav
> ln -s /var/lib/clamav /usr/local/clamav/share/clamav
> #
> #tmpfiles for run files
> #
> echo "d /var/run/c-icap 0755 root root -" >> /etc/tmpfiles.d/c-icap.conf
> echo "d /var/run/clamav 0755 root root -" >> /etc/tmpfiles.d/clamav.conf
> #
> #delete a few lines in squid
> #
> sed -i '/http_port 3128/d' /usr/local/squid/etc/squid.conf
> sed -i '/http_access deny all/d' /usr/local/squid/etc/squid.conf

Please do not remove that second line from your squid.conf. It will
result in unpredictable default allow/deny behaviour from your proxy.

Instead I recommend (mind the wrap):

 sed -i '/# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS/a include "/etc/squid/squid.conf.d/*"' /usr/local/squid/etc/squid.conf

Then you can just drop files into the /etc/squid/squid.conf.d/ directory
and they will be loaded as config on next start or reconfigure.



HTH
Amos
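An added example, not part of the thread: a small shell helper that applies the drop-in `include` recommended above to a squid.conf (GNU sed assumed, as in the quoted command) and then checks that the final `http_access deny all` is still present and sits after the include, since Squid applies the first http_access rule that matches. The squid.conf fragment it works on is constructed for the example.

```shell
#!/bin/sh
# Added example (not code from the thread). Assumes GNU sed for "sed -i"
# and the one-line "a text" form; the marker comment and paths are the
# ones quoted in the thread.
set -eu

MARKER='# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS'
INCLUDE='include "/etc/squid/squid.conf.d/*"'

# Append the include directive on the line after the marker comment.
# "(" and ")" are literal in a basic regex, so the marker needs no escaping.
add_confd_include() {
    conf="$1"
    grep -qF -- "$MARKER" "$conf" || return 1   # no marker: refuse to edit
    sed -i "/^${MARKER}\$/a ${INCLUDE}" "$conf"
}

# Succeed only if the last "http_access deny all" is still there and the
# drop-in include comes before it; rules loaded after the deny would never
# match, and without the deny the default depends on the last rule seen.
check_access_order() {
    conf="$1"
    deny=$(grep -n '^http_access deny all' "$conf" | tail -n1 | cut -d: -f1)
    inc=$(grep -nF -- "$INCLUDE" "$conf" | head -n1 | cut -d: -f1)
    [ -n "$deny" ] && [ -n "$inc" ] && [ "$inc" -lt "$deny" ]
}

# Constructed fragment of a stock squid.conf (not a complete config);
# writes it to a temp file and prints the path.
make_sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
acl localnet src 10.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
http_access allow localnet
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
http_port 3128
EOF
    printf '%s\n' "$f"
}
```

Running `check_access_order` after the quoted `sed -i '/http_access deny all/d'` line from the script fails, which is the case the reply warns about.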

