Re: How to setup a secure(!) squid proxy

startrekfan <startrekfan75@xxxxxxxxxx> · Mon, 18 Jan 2016 09:24:44 +0000

I just checked it. It'll work at the moment. But only because the dependencies (and the dependency version) doesn't changed from 3.4.8 to 3.5. So there's is no guarantee that it will work with further releases.

On the other hand: Installing unstable software is not the way the state system works/should work. I talked to the debian guys. That's exactly the reason why they don't release squid 3.5 for jessie but writing patches to solve critical issues on their own.

Then I have to move every software to unstable state (because of the security) I can install an unstable debian directly.

L.P.H. van Belle <belle@xxxxxxxxx> schrieb am Mo., 18. Jan. 2016 um 09:07 Uhr:

Really this is an easy thing to do. 

Add in you sources.list.d/sid.list    ad
the sid  repo.  ( only src-deb ) 

Run apt-get update. 

apt-get source squid 

apt-get build-dep squid 

 make changes if needed, in debian/rules
and debian/changelog IF you changed something.

Build it

apt-get source squid –b 

it errors, thats ok, get the 2 or 3 extra
packages, the same way, after installing them you can build squid again. 

put the debs in a repo you can access and
your done. 

Did it here, works fine. 

Greetz, 

Louis

Van: squid-users
[mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] Namens startrekfan

Verzonden: maandag 18 januari 2016
8:07

Aan:
squid-users@xxxxxxxxxxxxxxxxxxxxx; squid3@xxxxxxxxxxxxx

Onderwerp: Re:  How
to setup a secure(!) squid proxy

Just talked to the debian guys. They won't upgrade squid to 3.5 in debian jessi. It's also hard for me, to implement unstable components in a productive system. 
But the debian guys told me, that they will build own patches for 3.4.8 to fix critical problems if you report them properly to
https://packages.qa.debian.org/s/squid3.html or 
security@xxxxxxxxxx 

I hope/think you already do. So I think 3.4.8 should work for me as well.

> Hello
> 
> I`m sorry. I'm not a native speaker so I maybe don't find the right words.
> 
> I'd like to setup a proxy that can scan the incoming traffic for virus 
> (squidclamav). To do that for a https/ssl connection I need the squid 
> ssl-bump feature or is there an other solution?
> 
> Now I want to setup the ssl-bump feature as safe as using no ssl-bump. 
> Is this possible with squid 3.4? (Of course every one who has my CA 
> cert can decrypt the traffic, but I keep it safe.)
> Squid is communicating with the remote server(webserver). I'd like to 
> have at least this communication as safe as using a normal browser.
> 
> Does squid 3.4 do all the necessary steps like checking the 
> certificate validity? What about advanced features like cert pinning?
I don't think 3.4 is enough. May be 3.5 or higher.
> 
> How do I configure ssl virus scanning? Are this steps enough: 
> http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
http://wiki.squid-cache.org/ConfigExamples/ContentAdaptation/C-ICAP
> 
> Thank you again :)
> 
> 
> _______________________________________________
> squid-users mailing list
>  MailScanner heeft een e-mail met mogelijk een poging tot fraude gevonden van "lists.squid-cache.org"  squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users