<div dir="ltr">
<p>Hi all,</p><p>
I have made a script for squid that installs the following –<br>
<br>
Squid – HTTP proxy server<br>
Squid ssl-bump – HTTPS interception for squid<br>
C-ICAP – ICAP server<br>
ClamAV – AV engine to detect trojans, viruses, malware, etc.<br>
squidclamav – to make it all integrated with squid <br></p><p>what do you think?</p><p>#!/bin/bash<br>
#squid on DMZ host<br>
#<br>
#first things first lets disable firewalld and SElinux<br>
#<br>
systemctl stop firewalld<br>
systemctl disable firewalld<br>
sed -i -e 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config<br>
#<br>
#squid packages<br>
#<br>
yum install -y epel-release swaks sed tar zip unzip curl telnet openssl openssl-devel bzip2-devel libarchive libarchive-devel perl perl-Data-Dumper gcc gcc-c++ binutils autoconf automake make sudo wget libxml2-devel libcap-devel libtool-ltdl-devel<br>
#<br>
#clamAV packages<br>
#<br>
yum install -y clamav-server clamav-data clamav-update clamav-filesystem clamav clamav-scanner-systemd clamav-devel clamav-lib clamav-server-systemd<br>
#<br>
#download and compile from source<br>
#<br>
cd /tmp<br>
wget http://www.squid-cache.org/Versions/v4/squid-4.9.tar.gz<br>
wget http://sourceforge.net/projects/c-icap/files/c-icap/0.5.x/c_icap-0.5.6.tar.gz<br>
wget http://sourceforge.net/projects/c-icap/files/c-icap-modules/0.5.x/c_icap_modules-0.5.4.tar.gz<br>
wget https://sourceforge.net/projects/squidclamav/files/squidclamav/7.1/squidclamav-7.1.tar.gz<br>
for f in *.tar.gz; do tar xf "$f"; done<br>
cd /tmp/squid-4.9<br>
./configure --with-openssl --enable-ssl-crtd --enable-icap-client && make && make install<br>
#<br>
cd /tmp/c_icap-0.5.6<br>
./configure 'CXXFLAGS=-O2 -m64 -pipe' 'CFLAGS=-O2 -m64 -pipe' --without-bdb --prefix=/usr/local && make && make install<br>
#<br>
cd /tmp/squidclamav-7.1<br>
./configure 'CXXFLAGS=-O2 -m64 -pipe' 'CFLAGS=-O2 -m64 -pipe' --with-c-icap=/usr/local --with-libarchive && make && make install<br>
#<br>
cd /tmp/c_icap_modules-0.5.4<br>
./configure 'CFLAGS=-O3 -m64 -pipe' 'CPPFLAGS=-I/usr/local/clamav/include' 'LDFLAGS=-L/usr/local/lib -L/usr/local/clamav/lib/' && make && make install<br>
#<br>
#creating shortcuts and copying files<br>
#<br>
cp -f /usr/local/squid/etc/squid.conf /usr/local/squid/etc/squid.conf.orig<br>
cp -f /usr/local/etc/c-icap.conf /usr/local/etc/c-icap.conf.orig<br>
cp -f /usr/local/etc/squidclamav.conf /usr/local/etc/squidclamav.conf.orig<br>
cp -f /usr/local/etc/clamav_mod.conf /usr/local/etc/clamav_mod.conf.orig<br>
cp -f /usr/local/etc/virus_scan.conf /usr/local/etc/virus_scan.conf.orig<br>
#<br>
ln -s /usr/local/squid/etc/squid.conf /etc<br>
ln -s /usr/local/etc/c-icap.conf /etc<br>
ln -s /usr/local/etc/squidclamav.conf /etc<br>
ln -s /usr/local/etc/clamav_mod.conf /etc<br>
ln -s /usr/local/etc/virus_scan.conf /etc<br>
#<br>
mkdir -p /usr/local/clamav/share/clamav<br>
ln -s /var/lib/clamav /usr/local/clamav/share/clamav<br>
#<br>
#tmpfiles for run files<br>
#<br>
echo "d /var/run/c-icap 0755 root root -" >> /etc/tmpfiles.d/c-icap.conf<br>
echo "d /var/run/clamav 0755 root root -" >> /etc/tmpfiles.d/clamav.conf<br>
#<br>
#delete a few lines in squid<br>
#<br>
sed -i '/http_port 3128/d' /usr/local/squid/etc/squid.conf<br>
sed -i '/http_access deny all/d' /usr/local/squid/etc/squid.conf<br>
#<br>
#whitelist in squid<br>
#<br>
sed -i '50i#HTTP_HTTPS whitelist websites' /usr/local/squid/etc/squid.conf<br>
sed -i '51iacl whitelist ssl::server_name "/usr/local/squid/etc/urlwhite.txt"' /usr/local/squid/etc/squid.conf<br>
sed -i '52ihttp_access allow whitelist' /usr/local/squid/etc/squid.conf<br>
sed -i '53ihttp_access deny all' /usr/local/squid/etc/squid.conf<br>
echo "#Microsoft" >> /usr/local/squid/etc/urlwhite.txt<br>
echo ".bing.com" >> /usr/local/squid/etc/urlwhite.txt<br>
echo ".msn.com" >> /usr/local/squid/etc/urlwhite.txt<br>
echo ".msedge.net" >> /usr/local/squid/etc/urlwhite.txt<br>
echo ".msftauth.net" >> /usr/local/squid/etc/urlwhite.txt<br>
echo ".msauth.net" >> /usr/local/squid/etc/urlwhite.txt<br>
echo ".msocdn.com" >> /usr/local/squid/etc/urlwhite.txt<br>
echo ".outlook.com" >> /usr/local/squid/etc/urlwhite.txt<br>
echo ".onedrive.com" >> /usr/local/squid/etc/urlwhite.txt<br>
echo ".office.net" >> /usr/local/squid/etc/urlwhite.txt<br>
echo ".office.com" >> /usr/local/squid/etc/urlwhite.txt<br>
echo ".office365.com" >> /usr/local/squid/etc/urlwhite.txt<br>
echo ".microsoft.com" >> /usr/local/squid/etc/urlwhite.txt<br>
echo ".microsoftonline.com" >> /usr/local/squid/etc/urlwhite.txt<br>
echo ".live.com" >> /usr/local/squid/etc/urlwhite.txt<br>
echo ".live.net" >> /usr/local/squid/etc/urlwhite.txt<br>
echo ".akamaized.net" >> /usr/local/squid/etc/urlwhite.txt<br>
echo ".akamaihd.net" >> /usr/local/squid/etc/urlwhite.txt<br>
echo ".svc.ms" >> /usr/local/squid/etc/urlwhite.txt<br>
echo ".lync.com" >> /usr/local/squid/etc/urlwhite.txt<br>
echo ".skype.com" >> /usr/local/squid/etc/urlwhite.txt<br>
echo ".gfx.ms" >> /usr/local/squid/etc/urlwhite.txt<br>
echo ".sharepoint.com" >> /usr/local/squid/etc/urlwhite.txt<br>
echo ".sharepointonline.com" >> /usr/local/squid/etc/urlwhite.txt<br>
echo ".windowsupdate.com" >> /usr/local/squid/etc/urlwhite.txt<br>
echo ".windows.net" >> /usr/local/squid/etc/urlwhite.txt<br>
echo ".edgesuite.net" >> /usr/local/squid/etc/urlwhite.txt<br>
echo ".a-msedge.net" >> /usr/local/squid/etc/urlwhite.txt<br>
echo ".akamaiedge.net" >> /usr/local/squid/etc/urlwhite.txt<br>
echo ".sfx.ms" >> /usr/local/squid/etc/urlwhite.txt<br>
echo ".azureedge.net" >> /usr/local/squid/etc/urlwhite.txt<br>
echo ".trafficmanager.net" >> /usr/local/squid/etc/urlwhite.txt<br>
echo ".azure.com" >> /usr/local/squid/etc/urlwhite.txt<br>
echo ".s-microsoft.com" >> /usr/local/squid/etc/urlwhite.txt<br>
echo ".onestore.ms" >> /usr/local/squid/etc/urlwhite.txt<br>
echo "#Google" >> /usr/local/squid/etc/urlwhite.txt<br>
echo ".google.com" >> /usr/local/squid/etc/urlwhite.txt<br>
echo ".google.co.uk" >> /usr/local/squid/etc/urlwhite.txt<br>
echo ".googleusercontent.com" >> /usr/local/squid/etc/urlwhite.txt<br>
echo ".googleapis.com" >> /usr/local/squid/etc/urlwhite.txt<br>
echo ".withgoogle.com" >> /usr/local/squid/etc/urlwhite.txt<br>
echo ".gstatic.com" >> /usr/local/squid/etc/urlwhite.txt<br>
echo "#Adobe" >> /usr/local/squid/etc/urlwhite.txt<br>
echo ".adobedtm.com" >> /usr/local/squid/etc/urlwhite.txt<br>
echo ".adobe.io" >> /usr/local/squid/etc/urlwhite.txt<br>
echo ".adobe.com" >> /usr/local/squid/etc/urlwhite.txt<br>
echo ".adobelogin.com" >> /usr/local/squid/etc/urlwhite.txt<br>
echo "#others" >> /usr/local/squid/etc/urlwhite.txt<br>
echo ".digicert.com" >> /usr/local/squid/etc/urlwhite.txt<br>
echo ".pixelogicmedia.com" >> /usr/local/squid/etc/urlwhite.txt<br>
#<br>
#ICAP in squid<br>
#<br>
echo "#ICAP" >> /usr/local/squid/etc/squid.conf<br>
echo "icap_enable on" >> /usr/local/squid/etc/squid.conf<br>
echo "adaptation_uses_indirect_client on" >> /usr/local/squid/etc/squid.conf<br>
echo "icap_send_client_ip on" >> /usr/local/squid/etc/squid.conf<br>
echo "icap_send_client_username on" >> /usr/local/squid/etc/squid.conf<br>
echo "icap_client_username_header X-Authenticated-User" >> /usr/local/squid/etc/squid.conf<br>
echo "icap_service service_req reqmod_precache bypass=0 icap://127.0.0.1:1344/squidclamav" >> /usr/local/squid/etc/squid.conf<br>
echo "adaptation_access service_req allow all" >> /usr/local/squid/etc/squid.conf<br>
echo "icap_service service_resp respmod_precache bypass=0 icap://127.0.0.1:1344/squidclamav" >> /usr/local/squid/etc/squid.conf<br>
echo "adaptation_access service_resp allow all" >> /usr/local/squid/etc/squid.conf<br>
#<br>
#squid with SSL<br>
#<br>
mkdir -p /usr/local/squid/etc/ssl_cert<br>
cd /usr/local/squid/etc/ssl_cert<br>
adduser squid<br>
chown squid:squid /usr/local/squid/etc/ssl_cert<br>
chmod 700 /usr/local/squid/etc/ssl_cert<br>
openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -extensions v3_ca -keyout myCA.pem  -out myCA.pem -batch<br>
#must import the below cert on hosts in trusted root cert ie the .der file<br>
openssl x509 -in myCA.pem -outform DER -out myCA.der<br>
/usr/local/squid/libexec/security_file_certgen -c -s /var/lib/ssl_db -M 4MB<br>
chown squid:squid -R /var/lib/ssl_db<br>
chmod -R 777 /usr/local/squid/var/logs<br>
sed -i '1ihttp_port 3128 ssl-bump cert=/usr/local/squid/etc/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB' /usr/local/squid/etc/squid.conf<br>
sed -i '2isslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /var/lib/ssl_db -M 4MB' /usr/local/squid/etc/squid.conf<br>
sed -i '3iacl step1 at_step SslBump1' /usr/local/squid/etc/squid.conf<br>
sed -i '4issl_bump peek step1' /usr/local/squid/etc/squid.conf<br>
sed -i '5issl_bump bump all' /usr/local/squid/etc/squid.conf<br>
#<br>
#squidclamav conf<br>
#<br>
sed -i -e 's%redirect http://proxy.domain.dom/cgi-bin/clwarn.cgi%#redirect http://proxy.domain.dom/cgi-bin/clwarn.cgi%g' /etc/squidclamav.conf<br>
#sed -i -e 's%clamd_local /var/run/clamav/clamd.ctl%clamd_local /run/clamd.scan/clamd.sock%g' /etc/squidclamav.conf<br>
sed -i -e 's%enable_libarchive 0%enable_libarchive 1%g' /etc/squidclamav.conf<br>
#<br>
#clamav conf<br>
#<br>
sed -i -e 's%#LocalSocket /run/clamd.scan/clamd.sock%LocalSocket /var/run/clamav/clamd.ctl%g' /etc/clamd.d/scan.conf<br>
sed -i -e 's%Example%#Example%g' /etc/clamd.d/scan.conf<br>
sed -i -e 's%User clamscan%User root%g' /etc/clamd.d/scan.conf<br>
sed -i -e 's%#StreamMaxLength 10M%StreamMaxLength 5M%g' /etc/clamd.d/scan.conf<br>
freshclam<br>
echo "00 01,13 * * *  /usr/bin/freshclam --quiet" >> /var/spool/cron/root<br>
systemctl enable clamd@scan<br>
#<br>
#c-icap and c-icap modules<br>
#<br>
#sed -i -e 's%PidFile /var/run/c-icap/c-icap.pid%PidFile /run/c-icap/c-icap.pid%g' /etc/c-icap.conf<br>
#sed -i -e 's%CommandsSocket /var/run/c-icap/c-icap.ctl%CommandsSocket /run/c-icap/c-icap.ctl%g' /etc/c-icap.conf<br>
sed -i -e 's%#.*User wwwrun%User root%g' /etc/c-icap.conf<br>
sed -i -e 's%#.*Group nogroup%Group root%g' /etc/c-icap.conf<br>
sed -i -e 's%#.*Service echo_service srv_echo.so%Service squidclamav squidclamav.so%g' /etc/c-icap.conf<br>
sed -i -e 's%DebugLevel 1%DebugLevel 0%g' /etc/c-icap.conf<br>
sed -i -e 's%StartServers 3%StartServers 1%g' /etc/c-icap.conf<br>
sed -i -e 's%MaxServers 10%MaxServers 20%g' /etc/c-icap.conf<br>
sed -i -e 's%MaxRequestsPerChild  0%MaxRequestsPerChild  100%g' /etc/c-icap.conf<br>
sed -i '520iacl localhost src 127.0.0.1/255.255.255.255' /etc/c-icap.conf<br>
sed -i '521iacl PERMIT_REQUESTS type REQMOD RESPMOD' /etc/c-icap.conf<br>
sed -i '522iicap_access allow localhost PERMIT_REQUESTS' /etc/c-icap.conf<br>
sed -i '523iicap_access deny all' /etc/c-icap.conf<br>
echo "clamav_mod.TmpDir /var/tmp" >> /etc/clamav_mod.conf<br>
echo "clamav_mod.MaxFilesInArchive 1000" >> /etc/clamav_mod.conf<br>
echo "clamav_mod.MaxScanSize 5M" >> /etc/clamav_mod.conf<br>
echo "clamav_mod.HeuristicScanPrecedence on" >> /etc/clamav_mod.conf<br>
echo "clamav_mod.OLE2BlockMacros on" >> /etc/clamav_mod.conf<br>
echo "virus_scan.ScanFileTypes TEXT DATA EXECUTABLE ARCHIVE DOCUMENT" >> /etc/virus_scan.conf<br>
echo "virus_scan.SendPercentData 5" >> /etc/virus_scan.conf<br>
echo "virus_scan.PassOnError on" >> /etc/virus_scan.conf<br>
echo "virus_scan.MaxObjectSize  5M" >> /etc/virus_scan.conf<br>
echo "virus_scan.DefaultEngine clamav" >> /etc/virus_scan.conf<br>
echo "Include clamav_mod.conf" >> /etc/virus_scan.conf<br>
echo "Include virus_scan.conf" >> /etc/c-icap.conf<br>
#<br>
#make c-icap service<br>
#<br>
echo "[Unit]" >> /usr/lib/systemd/system/c-icap.service<br>
echo "Description=c-icap service" >> /usr/lib/systemd/system/c-icap.service<br>
echo "After=network.target" >> /usr/lib/systemd/system/c-icap.service<br>
echo "[Service]" >> /usr/lib/systemd/system/c-icap.service<br>
echo "Type=forking" >> /usr/lib/systemd/system/c-icap.service<br>
echo "PIDFile=/var/run/c-icap/c-icap.pid" >> /usr/lib/systemd/system/c-icap.service<br>
echo "ExecStart=/usr/local/bin/c-icap -f /etc/c-icap.conf" >> /usr/lib/systemd/system/c-icap.service<br>
echo "KillMode=process" >> /usr/lib/systemd/system/c-icap.service<br>
echo "[Install]" >> /usr/lib/systemd/system/c-icap.service<br>
echo "WantedBy=multi-user.target" >> /usr/lib/systemd/system/c-icap.service<br>
systemctl enable c-icap<br>
reboot<br></p><p>thanks,</p><p>rob</p>

<br clear="all"><br>-- <br><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr">Regards, <br><br>Robert K Wild.<br></div></div></div>
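<p>An added example, not part of the original post or of any of the projects it installs: a read-only audit of the settings the script above writes (SELinux mode, the <code>User</code> lines for clamd and c-icap, <code>virus_scan.PassOnError</code>, the ICAP <code>bypass</code> flag and the mode of the Squid log directory). The function names <code>audit_proxy_stack</code> and <code>make_sample</code> are hypothetical, and both sample trees are constructed here so the block runs offline.</p>

```shell
#!/bin/bash
# Added example. ROOT is a path prefix, so the same checks run against "/"
# on the proxy host or against a constructed sample tree.
audit_proxy_stack() {
    local root="${1%/}" f
    f="$root/etc/selinux/config"
    grep -Eqs '^SELINUX=(disabled|permissive)' "$f" &&
        echo "selinux: not enforcing ($f)"
    # clamd and c-icap parse untrusted web content; flag them running as root.
    for f in "$root/etc/clamd.d/scan.conf" "$root/etc/c-icap.conf"; do
        grep -Eqs '^[[:space:]]*User[[:space:]]+root' "$f" &&
            echo "privilege: daemon runs as root ($f)"
    done
    # PassOnError on: objects are delivered unscanned when the engine errors.
    f="$root/etc/virus_scan.conf"
    grep -Eqs '^virus_scan\.PassOnError[[:space:]]+on' "$f" &&
        echo "fail-open: virus_scan.PassOnError on ($f)"
    # bypass=1 lets Squid skip ICAP when the service is unreachable.
    f="$root/usr/local/squid/etc/squid.conf"
    grep -Eqs '^icap_service .*bypass=(1|on)' "$f" &&
        echo "fail-open: icap_service bypass enabled ($f)"
    f="$root/usr/local/squid/var/logs"
    [ -n "$(find "$f" -maxdepth 0 -perm -0002 2>/dev/null)" ] &&
        echo "permissions: world-writable $f"
    return 0
}

# Constructed sample tree; args: daemon user, PassOnError, SELinux mode, log dir mode.
make_sample() {
    local d; d=$(mktemp -d)
    mkdir -p "$d/etc/selinux" "$d/etc/clamd.d" "$d/usr/local/squid/etc" \
             "$d/usr/local/squid/var/logs"
    echo "SELINUX=$3" > "$d/etc/selinux/config"
    echo "User $1" | tee "$d/etc/clamd.d/scan.conf" > "$d/etc/c-icap.conf"
    echo "virus_scan.PassOnError $2" > "$d/etc/virus_scan.conf"
    echo "icap_service service_resp respmod_precache bypass=0 icap://127.0.0.1:1344/squidclamav" \
        > "$d/usr/local/squid/etc/squid.conf"
    chmod "$4" "$d/usr/local/squid/var/logs"
    echo "$d"
}

as_installed=$(make_sample root on disabled 777)      # values the script writes
hardened=$(make_sample clamscan off enforcing 750)    # constructed comparison values
audit_proxy_stack "$as_installed"
audit_proxy_stack "$hardened"
```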