[squid-users] moving squid from centos 7 to ubuntu 22.04

Amos Jeffries squid3 at treenet.co.nz
Thu Nov 17 06:06:58 UTC 2022 

On 16/11/2022 6:31 am, robert k Wild wrote:
> hi all,
>
> atm i have written a script, once you have built a centos 7 VM, you 
> just run the script and after the reboot its a complete running 
> squidclamAV server
>
> i'm going to be moving the script to a ubuntu server as centos 7 is 
> dead now (as i run clamAV on it, clamAV will stop getting virus 
> definitions 2024 as i use this for virus scanning of internet packets)
>
> just want to know what lines i need to adjust to work with ubuntu 
> instead of centos, obviously i know instead of yum install.... its apt 
> install
>

My comments below assume that you want to keep the exact versions as-is 
and custom build.

Otherwise, if you are okay following Ubuntu's official packages and 
security fixes things could be a lot different (and simpler).


> heres my long script
>
> #!/bin/bash
> #
> #this script will download/install and configure the following packages
> #
> #squid - proxy server
> #squid ssl bump - intercept HTTPS traffic
> #clamAV - antivirus engine inc trojans,viruses,malware
> #c-icap - icap server
> #squidclamav - that integrates all the above in squid

You may not be aware squidclamav has been replaced with eCAP ClamAV module:
<https://www.e-cap.org/downloads/>

Ubuntu provides libecap package and Squid has support auto-enabled for it.
So all you should need to do is build the ecap-clamav adaptor and 
configure it for use.


> #whitelist URL's
> #deny MIME types
> #
> #on the PROD host you only need squid
> #
> #first things first lets disable firewalld and SElinux
> #
> systemctl stop firewalld
> systemctl disable firewalld
> sed -i -e 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
> #
> #squid packages
> #
> yum install -y epel-release screen rsync net-tools ethtool swaks sed 
> tar zip unzip curl telnet openssl openssl-devel bzip2-devel libarchive 
> libarchive-devel perl perl-Data-Dumper gcc gcc-c++ binutils autoconf 
> automake make sudo wget libxml2-devel libcap-devel libtool-ltdl-devel
> #

Drop "epel-release" as irrelevant on Ubuntu.

Ubuntu developer packages have "-dev" suffix instead of "-devel". So all 
those should change.

To get access to simpler source building I recommend altering the apt 
configuration like so:

     sudo sed --in-place -E 's/# (deb-src.*updates main)/  \1/g' 
/etc/apt/sources.list
     sudo apt-get --quiet=2 update


There are some trivial package naming differences. When apt complains 
about not finding a package you can use
<https://packages.ubuntu.com/search> to search for the Ubuntu naming 
and/or any alternatives.


Many of those are not related to Squid in any way. Perhapse separate 
them into a different install command?

After the above deb-src change the packages needed to build Squid for 
Ubuntu can be installed like so:

     sudo apt-get --quiet=2 build-dep squid

Similar commands also for clamav, c-icap any others which Ubuntu 
provides packages for.

After that build-dep command you only need to install dependencies if 
the Ubuntu package lacks support.
For example, Ubuntu older than 21.10 lack openssl natively, so "apt 
install libssl-dev" may be needed specially.


> #clamAV packages
> #
> yum install -y clamav-server clamav-data clamav-update 
> clamav-filesystem clamav clamav-scanner-systemd clamav-devel 
> clamav-lib clamav-server-systemd
> #


> #download and compile from source
> #
> cd /tmp
> wget http://www.squid-cache.org/Versions/v4/squid-4.17.tar.gz
> wget 
> http://sourceforge.net/projects/c-icap/files/c-icap/0.5.x/c_icap-0.5.10.tar.gz 
> --no-check-certificate
> wget 
> http://sourceforge.net/projects/c-icap/files/c-icap-modules/0.5.x/c_icap_modules-0.5.5.tar.gz 
> --no-check-certificate
> wget 
> https://sourceforge.net/projects/squidclamav/files/squidclamav/7.1/squidclamav-7.1.tar.gz 
> --no-check-certificate
> #
> for f in *.tar.gz; do tar xf "$f"; done
> #
> cd /tmp/squid-4.17
> ./configure --with-openssl --enable-ssl-crtd --enable-icap-client 
> --enable-http-violations && make && make install

The prefix can be a bit different on Debian/Ubuntu. To ensure it is 
right add --prefix=/usr/local to the above options.


> #
> cd /tmp/c_icap-0.5.10
> ./configure 'CXXFLAGS=-O2 -m64 -pipe' 'CFLAGS=-O2 -m64 -pipe' 
> --without-bdb --prefix=/usr/local && make && make install
> #
> cd /tmp/squidclamav-7.1
> ./configure 'CXXFLAGS=-O2 -m64 -pipe' 'CFLAGS=-O2 -m64 -pipe' 
> --with-c-icap=/usr/local --with-libarchive && make && make install
> #
> cd /tmp/c_icap_modules-0.5.5
> ./configure 'CFLAGS=-O3 -m64 -pipe' 
> 'CPPFLAGS=-I/usr/local/clamav/include' 'LDFLAGS=-L/usr/local/lib 
> -L/usr/local/clamav/lib/' && make && make install
> #
> #creating shortcuts and copying files
> #
> cp -f /usr/local/squid/etc/squid.conf /usr/local/squid/etc/squid.conf.orig
> cp -f /usr/local/etc/c-icap.conf /usr/local/etc/c-icap.conf.orig
> cp -f /usr/local/etc/squidclamav.conf /usr/local/etc/squidclamav.conf.orig
> cp -f /usr/local/etc/clamav_mod.conf /usr/local/etc/clamav_mod.conf.orig
> cp -f /usr/local/etc/virus_scan.conf /usr/local/etc/virus_scan.conf.orig
> #
> ln -s /usr/local/squid/etc/squid.conf /etc
> ln -s /usr/local/etc/c-icap.conf /etc
> ln -s /usr/local/etc/squidclamav.conf /etc
> ln -s /usr/local/etc/clamav_mod.conf /etc
> ln -s /usr/local/etc/virus_scan.conf /etc
> #
> mkdir -p /usr/local/clamav/share/clamav
> ln -s /var/lib/clamav /usr/local/clamav/share/clamav
> #
> #tmpfiles for run files
> #
> echo "d /var/run/c-icap 0755 root root -" >> /etc/tmpfiles.d/c-icap.conf
> echo "d /var/run/clamav 0755 root root -" >> /etc/tmpfiles.d/clamav.conf
> #
> #original squid config
> #
> sed -i '/http_port 3128/d' /usr/local/squid/etc/squid.conf
> sed -i -e 's%http_access deny !Safe_ports%#http_access deny 
> !Safe_ports%g' /usr/local/squid/etc/squid.conf
> sed -i -e 's%http_access deny CONNECT !SSL_ports%#http_access deny 
> CONNECT !SSL_ports%g' /usr/local/squid/etc/squid.conf

Reason? this opens a large number of security vulnerabilities.


Modern Squid have an "include" directive to import extra squid.conf 
rules from other files and/or directories.
I recommend adding this one line to squid.conf under where it says 
"|INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS"|:

|include /etc/squid/conf.d/*.conf|

then placing all your custom Squid files in that conf.d directory.


> #
> #create URL, MIME and public key list
> #
> echo "#eicar" >> /usr/local/squid/etc/urlwhite.txt
> echo ".eicar.org <http://eicar.org>" >> /usr/local/squid/etc/urlwhite.txt
> #
> echo "http://updater.maxon.net/server_test" >> 
> /usr/local/squid/etc/urlspecial.txt
> #
> echo "application/octet-stream" >> /usr/local/squid/etc/mimedeny.txt
> echo "application/x-msi" >> /usr/local/squid/etc/mimedeny.txt
> echo "application/zip" >> /usr/local/squid/etc/mimedeny.txt
> echo "application/x-7z-compressed" >> /usr/local/squid/etc/mimedeny.txt
> echo "application/vnd.ms-cab-compressed" >> 
> /usr/local/squid/etc/mimedeny.txt
> echo "application/x-msdownload" >> /usr/local/squid/etc/mimedeny.txt
> echo "application/x-iso9660-image" >> /usr/local/squid/etc/mimedeny.txt

FWIW: squid config files are all agnostic to whitespace indentation. So 
you should be able to improve script readability like this:

  echo "
    blah
    blah
    blah
    blah
" >> path/to/file


Also, I see that you are adding systemd integration for the other software.
There is a file in squid tarball at tools/systemd/squid.service that can 
be installed to add that.
You will need to adjust the binary paths inside it to your custom 
/usr/local ones.

Also, consider using logrotate package to manage the log files instead 
of cron.


HTH
Amos

More information about the squid-users mailing list