[squid-users] moving squid from centos 7 to ubuntu 22.04
robert k Wild
robertkwild at gmail.com
Tue Nov 15 17:31:40 UTC 2022
hi all,
atm I have written a script: once you have built a CentOS 7 VM, you just
run the script and after the reboot it's a complete running SquidClamav
server.
I'm going to be moving the script to an Ubuntu server as CentOS 7 is dead
now (I run ClamAV on it for virus scanning of internet traffic, and ClamAV
will stop getting virus definitions for it in 2024).
I just want to know which lines I need to adjust to work with Ubuntu instead
of CentOS; obviously I know that instead of `yum install ...` it's `apt install ...`.
Here's my long script:
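#!/usr/bin/env bash
#
# Build a complete Squid + SSL-bump + ClamAV + c-icap + SquidClamav proxy on a
# freshly built CentOS 7 VM.  Run once, as root; the host reboots at the end.
#
# What it downloads/installs/configures:
#   squid          - proxy server (built from source)
#   squid ssl bump - intercept HTTPS traffic
#   clamAV         - antivirus engine inc trojans, viruses, malware
#   c-icap         - ICAP server
#   squidclamav    - integrates all of the above in squid
#   URL whitelist and MIME-type deny list
#
# On the PROD host you only need squid.
#
# Porting notes (CentOS 7 -> Ubuntu 22.04): everything distro-specific is kept
# inside disable_centos_hardening, install_packages, configure_clamav and
# install_crontab (package manager and package names, the clamd config path and
# unit name, the crontab spool).  The pieces built under /usr/local are the
# same on both.
#
# Files this script creates from scratch are written with '>' so a re-run does
# not duplicate their contents; files shipped by the packages/builds are edited
# in place or appended to.  Any failing step aborts the script (set -e).

set -euo pipefail

readonly squid_etc=/usr/local/squid/etc
readonly squid_conf=$squid_etc/squid.conf
readonly ssl_dir=$squid_etc/ssl_cert
readonly squid_user=squid
# The c-icap/squidclamav configs are edited through their real paths so that
# the /etc symlinks created in link_configs stay symlinks (GNU sed -i on a
# symlink replaces the link with a regular file).
readonly cicap_conf=/usr/local/etc/c-icap.conf
readonly squidclamav_conf=/usr/local/etc/squidclamav.conf
readonly clamav_mod_conf=/usr/local/etc/clamav_mod.conf
readonly virus_scan_conf=/usr/local/etc/virus_scan.conf
readonly clamd_conf=/etc/clamd.d/scan.conf   # Ubuntu: /etc/clamav/clamd.conf

die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Stop firewalld and set SELinux to disabled, as the original build did.
# Both are CentOS-specific and are skipped when absent.  This leaves the proxy
# without a host firewall; if you keep one, allowing only the proxy port
# (3128) is the tighter option.
#######################################
disable_centos_hardening() {
  if systemctl cat firewalld.service >/dev/null 2>&1; then
    systemctl stop firewalld
    systemctl disable firewalld
  fi
  if [[ -f /etc/selinux/config ]]; then
    sed -i -e 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
  fi
}

#######################################
# Install build tools and ClamAV from the CentOS repositories.
# Ubuntu: replace yum with apt-get and map the names (e.g. build-essential,
# autoconf, automake, libtool, libssl-dev, libxml2-dev, libcap-dev,
# libarchive-dev, libltdl-dev, libbz2-dev, clamav, clamav-daemon,
# clamav-freshclam, libclamav-dev).
#######################################
install_packages() {
  local -a base_pkgs=(
    epel-release screen rsync net-tools ethtool swaks sed tar zip unzip curl
    telnet openssl openssl-devel bzip2-devel libarchive libarchive-devel perl
    perl-Data-Dumper gcc gcc-c++ binutils autoconf automake make sudo wget
    libxml2-devel libcap-devel libtool-ltdl-devel
  )
  local -a clamav_pkgs=(
    clamav-server clamav-data clamav-update clamav-filesystem clamav
    clamav-scanner-systemd clamav-devel clamav-lib clamav-server-systemd
  )
  yum install -y "${base_pkgs[@]}"
  yum install -y "${clamav_pkgs[@]}"
}

#######################################
# Configure, build and install one source tree.  Runs in a subshell with
# separate statements so a failure in any step aborts the script (set -e does
# not act on failures inside an `a && b && c` list).
# Arguments: $1 - source directory; remaining args are passed to ./configure
#######################################
build_tree() {
  local dir=$1
  shift
  (
    cd -- "$dir"
    ./configure "$@"
    make
    make install
  )
}

#######################################
# Download the four tarballs into a private build directory, unpack them and
# build in dependency order (squid, c-icap, squidclamav, c-icap modules).
#######################################
fetch_and_build() {
  local build_dir
  build_dir=$(mktemp -d /tmp/squidclamav-build.XXXXXX) || die "mktemp failed"
  cd -- "$build_dir"
  # TLS verification is deliberately left on for the sourceforge downloads
  # (the original passed --no-check-certificate).  These archives are compiled
  # and installed as root, so also check each one against the checksum or
  # signature published upstream before trusting the build; note the squid
  # tarball is fetched over plain http.
  wget http://www.squid-cache.org/Versions/v4/squid-4.17.tar.gz
  wget http://sourceforge.net/projects/c-icap/files/c-icap/0.5.x/c_icap-0.5.10.tar.gz
  wget http://sourceforge.net/projects/c-icap/files/c-icap-modules/0.5.x/c_icap_modules-0.5.5.tar.gz
  wget https://sourceforge.net/projects/squidclamav/files/squidclamav/7.1/squidclamav-7.1.tar.gz
  local f
  for f in ./*.tar.gz; do
    tar xf "$f"
  done

  build_tree squid-4.17 --with-openssl --enable-ssl-crtd --enable-icap-client \
    --enable-http-violations
  build_tree c_icap-0.5.10 'CXXFLAGS=-O2 -m64 -pipe' 'CFLAGS=-O2 -m64 -pipe' \
    --without-bdb --prefix=/usr/local
  build_tree squidclamav-7.1 'CXXFLAGS=-O2 -m64 -pipe' 'CFLAGS=-O2 -m64 -pipe' \
    --with-c-icap=/usr/local --with-libarchive
  build_tree c_icap_modules-0.5.5 'CFLAGS=-O3 -m64 -pipe' \
    'CPPFLAGS=-I/usr/local/clamav/include' \
    'LDFLAGS=-L/usr/local/lib -L/usr/local/clamav/lib/'
}

#######################################
# Keep pristine copies of the generated configs, expose them under /etc, and
# create the tmpfiles entries for the run directories.
#######################################
link_configs() {
  local f
  for f in "$squid_conf" "$cicap_conf" "$squidclamav_conf" \
           "$clamav_mod_conf" "$virus_scan_conf"; do
    cp -f -- "$f" "$f.orig"
    ln -sfn -- "$f" /etc/
  done
  # NOTE(review): kept as in the original build.  Because the directory is
  # created first, the link ends up as
  # /usr/local/clamav/share/clamav/clamav -> /var/lib/clamav; confirm that is
  # the layout the c-icap clamav module expects.
  mkdir -p /usr/local/clamav/share/clamav
  ln -sfn /var/lib/clamav /usr/local/clamav/share/clamav

  printf '%s\n' 'd /var/run/c-icap 0755 root root -' > /etc/tmpfiles.d/c-icap.conf
  printf '%s\n' 'd /var/run/clamav 0755 root root -' > /etc/tmpfiles.d/clamav.conf
}

#######################################
# Edit the stock squid.conf: drop the plain http_port, comment out the default
# port ACLs, write the allow/deny list files, append the ICAP wiring and
# insert the SSL-bump / access-control block.
# The block is inserted at fixed line numbers (51..84) of the stock squid 4.17
# squid.conf after the http_port deletion, exactly as the original build did;
# it silently lands in the wrong place if the shipped template changes.
#######################################
configure_squid() {
  sed -i '/http_port 3128/d' "$squid_conf"
  sed -i -e 's%http_access deny !Safe_ports%#http_access deny !Safe_ports%g' "$squid_conf"
  sed -i -e 's%http_access deny CONNECT !SSL_ports%#http_access deny CONNECT !SSL_ports%g' "$squid_conf"

  # URL, MIME and public-key lists (new files)
  printf '%s\n' '#eicar' '.eicar.org' > "$squid_etc/urlwhite.txt"
  printf '%s\n' 'http://updater.maxon.net/server_test' > "$squid_etc/urlspecial.txt"
  printf '%s\n' \
    application/octet-stream \
    application/x-msi \
    application/zip \
    application/x-7z-compressed \
    application/vnd.ms-cab-compressed \
    application/x-msdownload \
    application/x-iso9660-image \
    > "$squid_etc/mimedeny.txt"
  printf '%s\n' '.activation.paceap.com' > "$squid_etc/pubkey.txt"
  # urlregwhite.txt is referenced by the whitelistreg ACL below but was never
  # created by the original build; make sure it exists without truncating any
  # entries already added by hand.
  touch -- "$squid_etc/urlregwhite.txt"

  # ICAP: send every request and response to squidclamav; bypass=0 means
  # traffic is blocked rather than passed if the ICAP service is unreachable.
  cat >> "$squid_conf" <<'EOF'
#ICAP
icap_enable on
adaptation_uses_indirect_client on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_header X-Authenticated-User
icap_service service_req reqmod_precache bypass=0 icap://127.0.0.1:1344/squidclamav
adaptation_access service_req allow all
icap_service service_resp respmod_precache bypass=0 icap://127.0.0.1:1344/squidclamav
adaptation_access service_resp allow all
EOF

  local -a bump_block=(
    '#SSL NO Interception'
    'acl DiscoverSNIHost at_step SslBump1'
    'acl NoSSLIntercept ssl::server_name "/usr/local/squid/etc/pubkey.txt"'
    'ssl_bump splice NoSSLIntercept'
    'ssl_bump peek DiscoverSNIHost'
    'ssl_bump bump all'
    '#'
    '#SSL Bump'
    'http_port 3128 ssl-bump cert=/usr/local/squid/etc/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB'
    'sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /var/lib/ssl_db -M 4MB'
    'acl step1 at_step SslBump1'
    'ssl_bump peek step1'
    'ssl_bump bump all'
    '#'
    'acl activation port 80 443 8090 9251 # office adobe web'
    '#'
    '#allow special URL paths'
    'acl special_url url_regex "/usr/local/squid/etc/urlspecial.txt"'
    '#'
    '#deny MIME types'
    'acl mimetype rep_mime_type "/usr/local/squid/etc/mimedeny.txt"'
    '#'
    'http_reply_access allow special_url'
    'http_reply_access deny mimetype'
    '#'
    '#HTTP_HTTPS whitelist websites'
    'acl whitelist ssl::server_name "/usr/local/squid/etc/urlwhite.txt"'
    '#'
    '#HTTP_HTTPS whitelist websites regex'
    'acl whitelistreg ssl::server_name_regex "/usr/local/squid/etc/urlregwhite.txt"'
    '#'
    'http_access allow activation whitelist'
    'http_access allow activation whitelistreg'
    'http_access deny all'
  )
  # sequential 'Ni' inserts: line 51, then 52, ... so the block keeps its order
  local n=51 line
  for line in "${bump_block[@]}"; do
    sed -i "${n}i${line}" "$squid_conf"
    n=$((n + 1))
  done
}

#######################################
# Create the squid service account, the bump CA and the dynamic cert cache.
# myCA.pem holds BOTH the CA private key and the certificate and must stay
# inside the 0700 ssl_cert directory; only myCA.der (certificate only) is
# meant to be imported into clients' trusted root stores.  The CA is valid
# for 365 days, so this has to be redone yearly.
#######################################
create_ssl_ca() {
  mkdir -p "$ssl_dir"
  # System account without a login shell (the original used adduser, which
  # prompts interactively on Ubuntu and creates a regular user on CentOS).
  getent passwd "$squid_user" >/dev/null \
    || useradd --system --no-create-home --shell /usr/sbin/nologin "$squid_user"
  chown "$squid_user:$squid_user" "$ssl_dir"
  chmod 700 "$ssl_dir"
  openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 \
    -extensions v3_ca -keyout "$ssl_dir/myCA.pem" -out "$ssl_dir/myCA.pem" -batch
  openssl x509 -in "$ssl_dir/myCA.pem" -outform DER -out "$ssl_dir/myCA.der"
  /usr/local/squid/libexec/security_file_certgen -c -s /var/lib/ssl_db -M 4MB
  chown -R "$squid_user:$squid_user" /var/lib/ssl_db
  # NOTE(review): kept from the original build.  World-writable logs are wider
  # than needed; owning them by squid's cache_effective_user with 0750 would do.
  chmod -R 777 /usr/local/squid/var/logs
}

#######################################
# squidclamav: disable the warning-page redirect and turn on libarchive.
#######################################
configure_squidclamav() {
  sed -i -e 's%redirect http://proxy.domain.dom/cgi-bin/clwarn.cgi%#redirect http://proxy.domain.dom/cgi-bin/clwarn.cgi%g' "$squidclamav_conf"
  sed -i -e 's%enable_libarchive 0%enable_libarchive 1%g' "$squidclamav_conf"
}

#######################################
# Point clamd at the socket squidclamav expects, fetch signatures and enable
# the daemon.
# Ubuntu: the config is /etc/clamav/clamd.conf and the unit is clamav-daemon
# (its stock LocalSocket is, I believe, already /var/run/clamav/clamd.ctl —
# confirm before removing the first sed).
# NOTE(review): kept from the original build — the scanner is switched to run
# as root (User clamscan -> User root).  A dedicated user that can reach the
# socket would be the least-privilege option.
#######################################
configure_clamav() {
  sed -i -e 's%#LocalSocket /run/clamd.scan/clamd.sock%LocalSocket /var/run/clamav/clamd.ctl%g' "$clamd_conf"
  sed -i -e 's%Example%#Example%g' "$clamd_conf"
  sed -i -e 's%User clamscan%User root%g' "$clamd_conf"
  sed -i -e 's%#StreamMaxLength 10M%StreamMaxLength 5M%g' "$clamd_conf"
  freshclam
  systemctl enable clamd@scan
}

#######################################
# Add the freshclam and squid maintenance jobs to root's crontab through
# crontab(1), which works on both distros (the original appended to
# /var/spool/cron/root directly; Ubuntu keeps root's crontab under
# /var/spool/cron/crontabs).  Existing entries are preserved.
#######################################
install_crontab() {
  {
    crontab -l 2>/dev/null || true
    cat <<'EOF'
00 01,13 * * * /usr/bin/freshclam --quiet
@reboot /usr/local/squid/sbin/squid
*/15 * * * * /usr/local/squid/sbin/squid -k reconfigure
0 21 * * 0 /usr/local/squid/sbin/squid -k rotate
EOF
  } | crontab -
}

#######################################
# c-icap and the clamav/virus_scan modules: run the squidclamav service,
# restrict ICAP access to localhost, and set the scan limits.
# NOTE(review): kept from the original build — c-icap is switched to
# User/Group root; a dedicated account would be preferable.
#######################################
configure_cicap() {
  sed -i -e 's%#.*User wwwrun%User root%g' "$cicap_conf"
  sed -i -e 's%#.*Group nogroup%Group root%g' "$cicap_conf"
  sed -i -e 's%#.*Service echo_service srv_echo.so%Service squidclamav squidclamav.so%g' "$cicap_conf"
  sed -i -e 's%DebugLevel 1%DebugLevel 0%g' "$cicap_conf"
  sed -i -e 's%StartServers 3%StartServers 1%g' "$cicap_conf"
  sed -i -e 's%MaxServers 10%MaxServers 20%g' "$cicap_conf"
  sed -i -e 's%MaxRequestsPerChild 0%MaxRequestsPerChild 100%g' "$cicap_conf"

  # Only the local squid may talk to the ICAP server.  Inserted at fixed line
  # 520 of the stock c-icap 0.5.10 config as in the original build; sed
  # silently inserts nothing if the file is shorter than that.
  local -a acl_block=(
    'acl localhost src 127.0.0.1/255.255.255.255'
    'acl PERMIT_REQUESTS type REQMOD RESPMOD'
    'icap_access allow localhost PERMIT_REQUESTS'
    'icap_access deny all'
  )
  local n=520 line
  for line in "${acl_block[@]}"; do
    sed -i "${n}i${line}" "$cicap_conf"
    n=$((n + 1))
  done

  cat >> "$clamav_mod_conf" <<'EOF'
clamav_mod.TmpDir /var/tmp
clamav_mod.MaxFilesInArchive 1000
clamav_mod.MaxScanSize 5M
clamav_mod.HeuristicScanPrecedence on
clamav_mod.OLE2BlockMacros on
EOF
  # PassOnError on presumably lets objects through unscanned when the engine
  # errors (fail open) — confirm in the c-icap-modules docs and set it off if
  # blocking on scanner errors is preferred.
  cat >> "$virus_scan_conf" <<'EOF'
virus_scan.ScanFileTypes TEXT DATA EXECUTABLE ARCHIVE DOCUMENT
virus_scan.SendPercentData 5
virus_scan.PassOnError on
virus_scan.MaxObjectSize 5M
virus_scan.DefaultEngine clamav
Include clamav_mod.conf
EOF
  printf '%s\n' 'Include virus_scan.conf' >> "$cicap_conf"
}

#######################################
# Install a systemd unit for c-icap.  It goes in /etc/systemd/system (the
# admin-unit directory on both CentOS and Ubuntu) rather than the vendor
# directory /usr/lib/systemd/system the original wrote to.
#######################################
install_cicap_service() {
  cat > /etc/systemd/system/c-icap.service <<'EOF'
[Unit]
Description=c-icap service
After=network.target

[Service]
Type=forking
PIDFile=/var/run/c-icap/c-icap.pid
ExecStart=/usr/local/bin/c-icap -f /etc/c-icap.conf
KillMode=process

[Install]
WantedBy=multi-user.target
EOF
  systemctl daemon-reload
  systemctl enable c-icap
}

main() {
  (( EUID == 0 )) || die "this script must be run as root"
  disable_centos_hardening
  install_packages
  fetch_and_build
  link_configs
  configure_squid
  create_ssl_ca
  configure_squidclamav
  configure_clamav
  install_crontab
  configure_cicap
  install_cicap_service
  reboot
}

main "$@"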
thanks,
rob
--
Regards,
Robert K Wild.