[squid-users] How to setup a secure(!) squid proxy

startrekfan startrekfan75 at freenet.de
Mon Jan 18 09:24:44 UTC 2016


I just checked it. It'll work at the moment. But only because the
dependencies (and the dependency version) didn't change from 3.4.8 to
3.5. So there's no guarantee that it will work with further releases.

On the other hand: Installing unstable software is not the way the stable
system works/should work. I talked to the Debian guys. That's exactly the
reason why they don't release squid 3.5 for jessie but write patches to
solve critical issues on their own.

Then I have to move every piece of software to the unstable state (because
of security); I can install an unstable Debian directly.

L.P.H. van Belle <belle at bazuin.nl> wrote on Mon, 18 Jan 2016 at 09:07:

> Really this is an easy thing to do.
>
> Add in your sources.list.d/sid.list, add the sid repo (only src-deb).
>
> Run apt-get update.
>
> apt-get source squid
> apt-get build-dep squid
>
> Make changes if needed, in debian/rules and debian/changelog IF you
> changed something.
>
> Build it:
>
> apt-get source squid -b
>
> It errors, that's OK; get the 2 or 3 extra packages the same way. After
> installing them you can build squid again.
>
> Put the debs in a repo you can access and you're done.
>
> Did it here, works fine.
>
> Greetz,
>
> Louis
>
> ------------------------------
>
> *From:* squid-users [mailto:squid-users-bounces at lists.squid-cache.org] *On behalf of* startrekfan
> *Sent:* Monday 18 January 2016 8:07
> *To:* squid-users at lists.squid-cache.org; squid3 at treenet.co.nz
> *Subject:* Re: [squid-users] How to setup a secure(!) squid proxy
>
> Just talked to the Debian guys. They won't upgrade squid to 3.5 in Debian jessie. It's also hard for me to implement unstable components in a productive system.
>
> But the Debian guys told me that they will build their own patches for 3.4.8 to fix critical problems if you report them properly to
> https://packages.qa.debian.org/s/squid3.html or
> security at debian.org
>
> I hope/think you already do. So I think 3.4.8 should work for me as well.
>
> > Hello
> >
> > I'm sorry. I'm not a native speaker so I maybe don't find the right words.
> >
> > I'd like to setup a proxy that can scan the incoming traffic for viruses
> > (squidclamav). To do that for an https/ssl connection I need the squid
> > ssl-bump feature or is there another solution?
> >
> > Now I want to setup the ssl-bump feature as safe as using no ssl-bump.
> > Is this possible with squid 3.4? (Of course everyone who has my CA
> > cert can decrypt the traffic, but I keep it safe.)
> > Squid is communicating with the remote server (webserver). I'd like to
> > have at least this communication as safe as using a normal browser.
> >
> > Does squid 3.4 do all the necessary steps like checking the
> > certificate validity? What about advanced features like cert pinning?
>
> I don't think 3.4 is enough. Maybe 3.5 or higher.
>
> > How do I configure ssl virus scanning? Are these steps enough:
> > http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
>
> http://wiki.squid-cache.org/ConfigExamples/ContentAdaptation/C-ICAP
>
> > Thank you again :)
>
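
The rebuild procedure quoted above, as an added shell example that is not part of the original thread: it writes a source-only sid entry, refuses to continue if any binary `deb` line for sid is enabled (so apt cannot pull unstable binary packages into the stable system), and then runs the steps from the message. The mirror URL, the default paths and the function names are assumptions.

```shell
#!/bin/sh
# Added example: rebuild squid from sid sources on a stable host.
# Assumptions (not from the thread): mirror URL, paths, function names.

SID_MIRROR="http://deb.debian.org/debian"   # assumed mirror

# Write a source-only sid entry into the given sources.list.d directory.
write_sid_source_list() {
    printf 'deb-src %s sid main\n' "$SID_MIRROR" > "$1/sid.list"
}

# Return 0 only if none of the given apt source files enables *binary*
# sid packages. A plain "deb ... sid ..." line would let apt upgrade
# installed packages to unstable, which the source-only setup avoids.
sid_is_source_only() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        if grep -Eq '^[[:space:]]*deb[[:space:]]+.*[[:space:]](sid|unstable)([[:space:]]|$)' "$f"; then
            echo "binary sid repository enabled in $f" >&2
            return 1
        fi
    done
    return 0
}

# The steps from the message. Needs the privileges apt requires.
rebuild_squid() {
    apt_dir=${1:-/etc/apt}
    work=${2:-$HOME/squid-build}
    write_sid_source_list "$apt_dir/sources.list.d" || return 1
    sid_is_source_only "$apt_dir/sources.list" \
        "$apt_dir"/sources.list.d/*.list || return 1
    apt-get update || return 1
    # May fail until the 2 or 3 extra packages are rebuilt the same way.
    apt-get build-dep -y squid || return 1
    mkdir -p "$work" && cd "$work" || return 1
    apt-get source -b squid    # fetch and build; the .deb files land in $work
}

# Nothing runs unless asked to: sh rebuild.sh --run
if [ "${1:-}" = "--run" ]; then rebuild_squid; fi
```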