<div dir="ltr">thanks for this Amos, really appreciate it :)<br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, 9 Jan 2020 at 19:00, Amos Jeffries <<a href="mailto:squid3@treenet.co.nz">squid3@treenet.co.nz</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On 9/01/20 8:34 pm, robert k Wild wrote:<br>
> hi all,<br>
> <br>
> I have made a script for squid that installs the following –<br>
> <br>
> Squid – http proxy server<br>
> Squid ssl-bump – https interception for squid<br>
> C-ICAP – icap server<br>
> clamAV – AV engine to detect trojan viruses malware etc<br>
> squidclamav – to make it all integrated with squid<br>
> <br>
> what do you think?<br>
> <br>
> #!/bin/bash<br>
> #squid on DMZ host<br>
> #<br>
> #first things first lets disable firewalld and SElinux<br>
> #<br>
> systemctl stop firewalld<br>
> systemctl disable firewalld<br>
> sed -i -e 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config<br>
> #<br>
<br>
Why?<br>
<br>
<br>
<br>
> #squid packages<br>
> #<br>
> yum install -y epel-release swaks sed tar zip unzip curl telnet openssl<br>
> openssl-devel bzip2-devel libarchive libarchive-devel perl<br>
> perl-Data-Dumper gcc gcc-c++ binutils autoconf automake make sudo wget<br>
> libxml2-devel libcap-devel libtool-ltdl-devel<br>
> #<br>
> #clamAV packages<br>
> #<br>
> yum install -y clamav-server clamav-data clamav-update clamav-filesystem<br>
> clamav clamav-scanner-systemd clamav-devel clamav-lib clamav-server-systemd<br>
> #<br>
> #download and compile from source<br>
> #<br>
> cd /tmp<br>
> wget <a href="http://www.squid-cache.org/Versions/v4/squid-4.9.tar.gz" rel="noreferrer" target="_blank">http://www.squid-cache.org/Versions/v4/squid-4.9.tar.gz</a><br>
<br>
Please use rsync for this, and verify against the *.asc file signature<br>
that you got the file correctly.<br>
<br>
> wget<br>
> <a href="http://sourceforge.net/projects/c-icap/files/c-icap/0.5.x/c_icap-0.5.6.tar.gz" rel="noreferrer" target="_blank">http://sourceforge.net/projects/c-icap/files/c-icap/0.5.x/c_icap-0.5.6.tar.gz</a><br>
> wget<br>
> <a href="http://sourceforge.net/projects/c-icap/files/c-icap-modules/0.5.x/c_icap_modules-0.5.4.tar.gz" rel="noreferrer" target="_blank">http://sourceforge.net/projects/c-icap/files/c-icap-modules/0.5.x/c_icap_modules-0.5.4.tar.gz</a><br>
> wget<br>
> <a href="https://sourceforge.net/projects/squidclamav/files/squidclamav/7.1/squidclamav-7.1.tar.gz" rel="noreferrer" target="_blank">https://sourceforge.net/projects/squidclamav/files/squidclamav/7.1/squidclamav-7.1.tar.gz</a><br>
> for f in *.tar.gz; do tar xf "$f"; done<br>
> cd /tmp/squid-4.9<br>
> ./configure --with-openssl --enable-ssl-crtd --enable-icap-client &&<br>
> make && make install<br>
> #<br>
<br>
IIRC this was a CentOS machine, right?<br>
If so, see <<a href="https://wiki.squid-cache.org/KnowledgeBase/CentOS#Compiling" rel="noreferrer" target="_blank">https://wiki.squid-cache.org/KnowledgeBase/CentOS#Compiling</a>><br>
otherwise see the equivalent wiki page for your chosen OS compile.<br>
<br>
Those settings install Squid as a system application. So no need for the<br>
/usr/local stuff.<br>
<br>
<br>
> cd /tmp/c_icap-0.5.6<br>
> ./configure 'CXXFLAGS=-O2 -m64 -pipe' 'CFLAGS=-O2 -m64 -pipe'<br>
> --without-bdb --prefix=/usr/local && make && make install<br>
> #<br>
> cd /tmp/squidclamav-7.1<br>
> ./configure 'CXXFLAGS=-O2 -m64 -pipe' 'CFLAGS=-O2 -m64 -pipe'<br>
> --with-c-icap=/usr/local --with-libarchive && make && make install<br>
> #<br>
> cd /tmp/c_icap_modules-0.5.4<br>
> ./configure 'CFLAGS=-O3 -m64 -pipe'<br>
> 'CPPFLAGS=-I/usr/local/clamav/include' 'LDFLAGS=-L/usr/local/lib<br>
> -L/usr/local/clamav/lib/' && make && make install<br>
> #<br>
> #creating shortcuts and copying files<br>
> #<br>
> cp -f /usr/local/squid/etc/squid.conf /usr/local/squid/etc/squid.conf.orig<br>
> cp -f /usr/local/etc/c-icap.conf /usr/local/etc/c-icap.conf.orig<br>
> cp -f /usr/local/etc/squidclamav.conf /usr/local/etc/squidclamav.conf.orig<br>
> cp -f /usr/local/etc/clamav_mod.conf /usr/local/etc/clamav_mod.conf.orig<br>
> cp -f /usr/local/etc/virus_scan.conf /usr/local/etc/virus_scan.conf.orig<br>
> #<br>
> ln -s /usr/local/squid/etc/squid.conf /etc<br>
> ln -s /usr/local/etc/c-icap.conf /etc<br>
> ln -s /usr/local/etc/squidclamav.conf /etc<br>
> ln -s /usr/local/etc/clamav_mod.conf /etc<br>
> ln -s /usr/local/etc/virus_scan.conf /etc<br>
> #<br>
> mkdir -p /usr/local/clamav/share/clamav<br>
> ln -s /var/lib/clamav /usr/local/clamav/share/clamav<br>
> #<br>
> #tmpfiles for run files<br>
> #<br>
> echo "d /var/run/c-icap 0755 root root -" >> /etc/tmpfiles.d/c-icap.conf<br>
> echo "d /var/run/clamav 0755 root root -" >> /etc/tmpfiles.d/clamav.conf<br>
> #<br>
> #delete a few lines in squid<br>
> #<br>
> sed -i '/http_port 3128/d' /usr/local/squid/etc/squid.conf<br>
> sed -i '/http_access deny all/d' /usr/local/squid/etc/squid.conf<br>
<br>
Please do not remove that second line from your squid.conf. It will<br>
result in unpredictable default allow/deny behaviour from your proxy.<br>
<br>
Instead I recommend (mind the wrap):<br>
<br>
 sed -i '/# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR<br>
CLIENTS/include "/etc/squid/squid.conf.d/*"/'<br>
/usr/local/squid/etc/squid.conf<br>
<br>
Then you can just drop files into the /etc/squid/squid.conf.d/ directory<br>
and they will be loaded as config on next start or reconfigure.<br>
<br>
<br>
<br>
HTH<br>
Amos<br>
_______________________________________________<br>
squid-users mailing list<br>
<a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.org</a><br>
<a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><br>
</blockquote></div><br clear="all"><br>-- <br><div dir="ltr" class="gmail_signature"><div dir="ltr">Regards, <br><br>Robert K Wild.<br></div></div>
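The two points Amos raises above (keep `http_access deny all`, and load site rules through an `include` of a drop-in directory instead of deleting lines from the stock squid.conf) as an added, runnable example; this is not code from the thread or from the Squid project. It works on a constructed excerpt of a default squid.conf written to a temporary file, so the `/etc/squid/squid.conf.d/*` path is only the string placed in the include line and nothing is touched under /etc. Because that path contains slashes, the sed call uses `|` as its delimiter rather than `/`. The `verify_squid_tarball` helper illustrates the `*.asc` signature check Amos asks for; it assumes the tarball and its `.asc` are already in the current directory and that the signing key has been imported, and it is not invoked by the demo.

```shell
#!/bin/bash
# Added example, not part of the original thread or of Squid's own tooling.
set -u

# Constructed excerpt of a stock squid.conf: only the ACL/http_access lines around the
# "INSERT YOUR OWN RULE(S)" marker are reproduced, which is all the functions below need.
SAMPLE_SQUID_CONF='acl localnet src 10.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 3128'

# Replace the marker comment with an include directive so site rules are loaded from a
# drop-in directory at exactly that point, ahead of the final "deny all". The replacement
# text contains slashes, so "|" is the sed delimiter. Idempotent: a second run is a no-op.
squid_conf_add_include() {
    local conf="$1" dropin="${2:-/etc/squid/squid.conf.d/*}"
    grep -qF "include \"$dropin\"" "$conf" && return 0
    sed -i "s|^# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS$|include \"$dropin\"|" "$conf"
    grep -qF "include \"$dropin\"" "$conf"
}

# Return 0 only if "http_access deny all" is present and is the LAST http_access rule,
# so no later rule can widen access and the proxy's default is an explicit deny.
squid_conf_check_deny_all() {
    local conf="$1" last
    last=$(grep -E '^[[:space:]]*http_access[[:space:]]' "$conf" \
           | tail -n 1 | tr '\t' ' ' | tr -s ' ' | sed 's/^ *//; s/ *$//')
    [ "$last" = "http_access deny all" ]
}

# Verify a downloaded tarball against its detached signature before unpacking it.
# Assumes squid-<ver>.tar.gz and squid-<ver>.tar.gz.asc are in the current directory
# and the Squid release signing key is already in the local gpg keyring.
verify_squid_tarball() {
    local tarball="$1"
    [ -f "$tarball" ] && [ -f "$tarball.asc" ] || { echo "missing $tarball or .asc" >&2; return 1; }
    gpg --verify "$tarball.asc" "$tarball" || { echo "signature check FAILED for $tarball" >&2; return 1; }
}

# Demo driver: write the sample config to a temp file, add the include line, print the
# resulting access/include lines, and return the status of the deny-all check.
demo_squid_include() {
    local tmp rc
    tmp=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_SQUID_CONF" > "$tmp"
    squid_conf_add_include "$tmp" || { rm -f "$tmp"; return 1; }
    grep -E '^(http_access|include)' "$tmp"
    squid_conf_check_deny_all "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Run the demo only when executed directly (not when sourced for the checks above).
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    demo_squid_include
fi
```

Running the script prints the rewritten rule block with the `include` line where the marker comment was and `http_access deny all` still last; removing that line from the file (as the original script's second `sed` did) makes `squid_conf_check_deny_all` fail, which is the condition to test for before starting the proxy.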