[squid-users] moving squid from centos 7 to ubuntu 22.04
robert k Wild
robertkwild at gmail.com
Thu Nov 17 08:21:07 UTC 2022
Wow thanks Amos so much for this,
You think if I build it on rocky Linux, it would be easier?
On Thu, 17 Nov 2022, 06:07 Amos Jeffries, <squid3 at treenet.co.nz> wrote:
> On 16/11/2022 6:31 am, robert k Wild wrote:
> > hi all,
> >
> > atm i have written a script, once you have built a centos 7 VM, you
> > just run the script and after the reboot its a complete running
> > squidclamAV server
> >
> > i'm going to be moving the script to a ubuntu server as centos 7 is
> > dead now (as i run clamAV on it, clamAV will stop getting virus
> > definitions 2024 as i use this for virus scanning of internet packets)
> >
> > just want to know what lines i need to adjust to work with ubuntu
> > instead of centos, obviously i know instead of yum install.... its apt
> > install
> >
>
> My comments below assume that you want to keep the exact versions as-is
> and custom build.
>
> Otherwise, if you are okay following Ubuntu's official packages and
> security fixes things could be a lot different (and simpler).
>
>
> > heres my long script
> >
> > #!/bin/bash
> > #
> > #this script will download/install and configure the following packages
> > #
> > #squid - proxy server
> > #squid ssl bump - intercept HTTPS traffic
> > #clamAV - antivirus engine inc trojans,viruses,malware
> > #c-icap - icap server
> > #squidclamav - that integrates all the above in squid
>
> You may not be aware squidclamav has been replaced with eCAP ClamAV module:
> <https://www.e-cap.org/downloads/>
>
> Ubuntu provides libecap package and Squid has support auto-enabled for it.
> So all you should need to do is build the ecap-clamav adaptor and
> configure it for use.
>
>
> > #whitelist URL's
> > #deny MIME types
> > #
> > #on the PROD host you only need squid
> > #
> > #first things first lets disable firewalld and SElinux
> > #
> > systemctl stop firewalld
> > systemctl disable firewalld
> > sed -i -e 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
> > #
> > #squid packages
> > #
> > yum install -y epel-release screen rsync net-tools ethtool swaks sed
> > tar zip unzip curl telnet openssl openssl-devel bzip2-devel libarchive
> > libarchive-devel perl perl-Data-Dumper gcc gcc-c++ binutils autoconf
> > automake make sudo wget libxml2-devel libcap-devel libtool-ltdl-devel
> > #
>
> Drop "epel-release" as irrelevant on Ubuntu.
>
> Ubuntu developer packages have "-dev" suffix instead of "-devel". So all
> those should change.
>
> To get access to simpler source building I recommend altering the apt
> configuration like so:
>
> sudo sed --in-place -E 's/# (deb-src.*updates main)/ \1/g'
> /etc/apt/sources.list
> sudo apt-get --quiet=2 update
>
>
> There are some trivial package naming differences. When apt complains
> about not finding a package you can use
> <https://packages.ubuntu.com/search> to search for the Ubuntu naming
> and/or any alternatives.
>
>
> Many of those are not related to Squid in any way. Perhapse separate
> them into a different install command?
>
> After the above deb-src change the packages needed to build Squid for
> Ubuntu can be installed like so:
>
> sudo apt-get --quiet=2 build-dep squid
>
> Similar commands also for clamav, c-icap any others which Ubuntu
> provides packages for.
>
> After that build-dep command you only need to install dependencies if
> the Ubuntu package lacks support.
> For example, Ubuntu older than 21.10 lack openssl natively, so "apt
> install libssl-dev" may be needed specially.
>
>
> > #clamAV packages
> > #
> > yum install -y clamav-server clamav-data clamav-update
> > clamav-filesystem clamav clamav-scanner-systemd clamav-devel
> > clamav-lib clamav-server-systemd
> > #
>
>
> > #download and compile from source
> > #
> > cd /tmp
> > wget http://www.squid-cache.org/Versions/v4/squid-4.17.tar.gz
> > wget
> >
> http://sourceforge.net/projects/c-icap/files/c-icap/0.5.x/c_icap-0.5.10.tar.gz
> > --no-check-certificate
> > wget
> >
> http://sourceforge.net/projects/c-icap/files/c-icap-modules/0.5.x/c_icap_modules-0.5.5.tar.gz
> > --no-check-certificate
> > wget
> >
> https://sourceforge.net/projects/squidclamav/files/squidclamav/7.1/squidclamav-7.1.tar.gz
> > --no-check-certificate
> > #
> > for f in *.tar.gz; do tar xf "$f"; done
> > #
> > cd /tmp/squid-4.17
> > ./configure --with-openssl --enable-ssl-crtd --enable-icap-client
> > --enable-http-violations && make && make install
>
> The prefix can be a bit different on Debian/Ubuntu. To ensure it is
> right add --prefix=/usr/local to the above options.
>
>
> > #
> > cd /tmp/c_icap-0.5.10
> > ./configure 'CXXFLAGS=-O2 -m64 -pipe' 'CFLAGS=-O2 -m64 -pipe'
> > --without-bdb --prefix=/usr/local && make && make install
> > #
> > cd /tmp/squidclamav-7.1
> > ./configure 'CXXFLAGS=-O2 -m64 -pipe' 'CFLAGS=-O2 -m64 -pipe'
> > --with-c-icap=/usr/local --with-libarchive && make && make install
> > #
> > cd /tmp/c_icap_modules-0.5.5
> > ./configure 'CFLAGS=-O3 -m64 -pipe'
> > 'CPPFLAGS=-I/usr/local/clamav/include' 'LDFLAGS=-L/usr/local/lib
> > -L/usr/local/clamav/lib/' && make && make install
> > #
> > #creating shortcuts and copying files
> > #
> > cp -f /usr/local/squid/etc/squid.conf
> /usr/local/squid/etc/squid.conf.orig
> > cp -f /usr/local/etc/c-icap.conf /usr/local/etc/c-icap.conf.orig
> > cp -f /usr/local/etc/squidclamav.conf
> /usr/local/etc/squidclamav.conf.orig
> > cp -f /usr/local/etc/clamav_mod.conf /usr/local/etc/clamav_mod.conf.orig
> > cp -f /usr/local/etc/virus_scan.conf /usr/local/etc/virus_scan.conf.orig
> > #
> > ln -s /usr/local/squid/etc/squid.conf /etc
> > ln -s /usr/local/etc/c-icap.conf /etc
> > ln -s /usr/local/etc/squidclamav.conf /etc
> > ln -s /usr/local/etc/clamav_mod.conf /etc
> > ln -s /usr/local/etc/virus_scan.conf /etc
> > #
> > mkdir -p /usr/local/clamav/share/clamav
> > ln -s /var/lib/clamav /usr/local/clamav/share/clamav
> > #
> > #tmpfiles for run files
> > #
> > echo "d /var/run/c-icap 0755 root root -" >> /etc/tmpfiles.d/c-icap.conf
> > echo "d /var/run/clamav 0755 root root -" >> /etc/tmpfiles.d/clamav.conf
> > #
> > #original squid config
> > #
> > sed -i '/http_port 3128/d' /usr/local/squid/etc/squid.conf
> > sed -i -e 's%http_access deny !Safe_ports%#http_access deny
> > !Safe_ports%g' /usr/local/squid/etc/squid.conf
> > sed -i -e 's%http_access deny CONNECT !SSL_ports%#http_access deny
> > CONNECT !SSL_ports%g' /usr/local/squid/etc/squid.conf
>
> Reason? this opens a large number of security vulnerabilities.
>
>
> Modern Squid have an "include" directive to import extra squid.conf
> rules from other files and/or directories.
> I recommend adding this one line to squid.conf under where it says
> "|INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS"|:
>
> |include /etc/squid/conf.d/*.conf|
>
> then placing all your custom Squid files in that conf.d directory.
>
>
> > #
> > #create URL, MIME and public key list
> > #
> > echo "#eicar" >> /usr/local/squid/etc/urlwhite.txt
> > echo ".eicar.org <http://eicar.org>" >>
> /usr/local/squid/etc/urlwhite.txt
> > #
> > echo "http://updater.maxon.net/server_test" >>
> > /usr/local/squid/etc/urlspecial.txt
> > #
> > echo "application/octet-stream" >> /usr/local/squid/etc/mimedeny.txt
> > echo "application/x-msi" >> /usr/local/squid/etc/mimedeny.txt
> > echo "application/zip" >> /usr/local/squid/etc/mimedeny.txt
> > echo "application/x-7z-compressed" >> /usr/local/squid/etc/mimedeny.txt
> > echo "application/vnd.ms-cab-compressed" >>
> > /usr/local/squid/etc/mimedeny.txt
> > echo "application/x-msdownload" >> /usr/local/squid/etc/mimedeny.txt
> > echo "application/x-iso9660-image" >> /usr/local/squid/etc/mimedeny.txt
>
> FWIW: squid config files are all agnostic to whitespace indentation. So
> you should be able to improve script readability like this:
>
> echo "
> blah
> blah
> blah
> blah
> " >> path/to/file
>
>
> Also, I see that you are adding systemd integration for the other software.
> There is a file in squid tarball at tools/systemd/squid.service that can
> be installed to add that.
> You will need to adjust the binary paths inside it to your custom
> /usr/local ones.
>
> Also, consider using logrotate package to manage the log files instead
> of cron.
>
>
> HTH
> Amos
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20221117/150716c6/attachment.htm>
More information about the squid-users
mailing list