Re: How to setup a secure(!) squid proxy

Hai,

 

> I just checked it. It'll work at the moment. But only because the dependencies (and the dependency version) didn't change from 3.4.8 to 3.5. So there's no guarantee that it will work with further releases.

Yes, and if dependencies change, you can do the same for these packages, and/or you can change the dependencies in the control file, for example.

That is what I do: if needed, I change the control file, so that as few packages as possible are from sid.

And yes, there is always a risk on errors with future releases, but that risk is always there.

 

> On the other hand: Installing unstable software is not the way the state system works/should work. I talked to the debian guys. That's exactly the reason why they don't release squid 3.5 for jessie but writing patches to solve critical issues on their own.

I do rebuild from sid, I don't install from sid; that will give a big mess and we don't want that.

Since the build also uses configure for the packages, I don't see the problem here, maybe I'm missing something, but I have done this for years now with squid, and never had any problems.

 

 

I use squid 3.5.12 rebuilt from sid in Debian Jessie without any problem, and it works better for me than 3.4.8. ( I need the ssl part from 3.5.12+ )

 

The following is needed to get squid 3.5.12 in Jessie with least changes of the stable packages.

squid

libecap

c-icap

 

And I really don't know why there isn't any jessie-backported package of this (yet), since 3.5.12 has been in testing since 15 Dec 2015.

I could not wait for that, so I changed the following in debian/rules.

 

Added

                --enable-ssl \

                --with-open-ssl=/etc/ssl/openssl.cnf \

                --enable-linux-netfilter

 

And changed the changelog.

I changed it to the following to keep track of the debian packages also.

 

squid3 (3.5.12-1lvb1-ssl) unstable; urgency=medium

I only added lvb1-ssl so it can use the debian packages and/or my own packages.

 

 

> Then I have to move every software to unstable state (because of the security) I can install an unstable debian directly.

Really, NEVER use sid for production; if you want to get into trouble, this is the way.

Sid can change rapidly and put your server in an unusable state; I learned that the hard way, years ago.

And for the security, subscribe to the debian and squid lists ( .. done ) and keep track of messages.

 

 

Greetz,

 

Louis

 

 

 

 


From: startrekfan [mailto:startrekfan75@xxxxxxxxxx]
Sent: Monday, 18 January 2016 10:25
To: L.P.H. van Belle; squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: How to setup a secure(!) squid proxy

 

I just checked it. It'll work at the moment. But only because the dependencies (and the dependency version) didn't change from 3.4.8 to 3.5. So there's no guarantee that it will work with further releases.

 

On the other hand: Installing unstable software is not the way the state system works/should work. I talked to the debian guys. That's exactly the reason why they don't release squid 3.5 for jessie but writing patches to solve critical issues on their own.

 

Then I have to move every software to unstable state (because of the security) I can install an unstable debian directly.

 

L.P.H. van Belle <belle@xxxxxxxxx> wrote on Mon, 18 Jan 2016 at 09:07:

Really this is an easy thing to do.

 

In your sources.list.d/sid.list, add the sid repo ( only src-deb ).

Run apt-get update.

 

apt-get source squid

apt-get build-dep squid

 make changes if needed, in debian/rules and debian/changelog IF you changed something.

 

Build it

apt-get source squid -b

It errors, that's OK; get the 2 or 3 extra packages the same way. After installing them you can build squid again.

Put the debs in a repo you can access and you're done.

Did it here, works fine.

 

 

Greetz,

 

Louis

 

 


From: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On behalf of startrekfan
Sent: Monday, 18 January 2016 8:07
To: squid-users@xxxxxxxxxxxxxxxxxxxxx; squid3@xxxxxxxxxxxxx
Subject: Re: How to setup a secure(!) squid proxy

 

Just talked to the debian guys. They won't upgrade squid to 3.5 in debian jessie. It's also hard for me to implement unstable components in a productive system.
But the debian guys told me, that they will build own patches for 3.4.8 to fix critical problems if you report them properly to
https://packages.qa.debian.org/s/squid3.html or 
security@xxxxxxxxxx 




I hope/think you already do. So I think 3.4.8 should work for me as well.
 
> Hello
> 
> I'm sorry. I'm not a native speaker so I maybe don't find the right words.
> 
> I'd like to setup a proxy that can scan the incoming traffic for virus 
> (squidclamav). To do that for a https/ssl connection I need the squid 
> ssl-bump feature or is there another solution?
> 
> Now I want to setup the ssl-bump feature as safe as using no ssl-bump. 
> Is this possible with squid 3.4? (Of course every one who has my CA 
> cert can decrypt the traffic, but I keep it safe.)
> Squid is communicating with the remote server(webserver). I'd like to 
> have at least this communication as safe as using a normal browser.
> 
> Does squid 3.4 do all the necessary steps like checking the 
> certificate validity? What about advanced features like cert pinning?
I don't think 3.4 is enough. May be 3.5 or higher.
> 
> How do I configure ssl virus scanning? Are these steps enough:
> http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
http://wiki.squid-cache.org/ConfigExamples/ContentAdaptation/C-ICAP
> 
> Thank you again :)
> 
> 
> _______________________________________________
> squid-users mailing list
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
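
Added example, not part of the original message and not Debian's own code: the thread turns on whether a locally rebuilt package will later be replaced by an archive update, so this sketch applies the ordering rules Debian Policy defines for the Version field to the changelog version quoted above. The candidate versions are constructed for illustration; only the upstream numbers 3.4.8 and 3.5.12 and the local version string come from the thread.

```python
def _split(version):
    """(epoch, upstream, revision); the revision is what follows the LAST hyphen."""
    epoch, rest = version.split(":", 1) if ":" in version else ("0", version)
    upstream, sep, revision = rest.rpartition("-")
    return (int(epoch), upstream, revision) if sep else (int(epoch), rest, "")

def _weight(ch):
    """Sort weight: '~' < end of string or digit < letters < other symbols."""
    if ch == "" or ch.isdigit():
        return 0
    if ch == "~":
        return -1
    return ord(ch) if ch.isalpha() else ord(ch) + 256

def _digits_end(s, i):
    while i < len(s) and s[i].isdigit():
        i += 1
    return i

def _cmp_part(a, b):
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit runs are compared character by character.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            wa = _weight(a[i] if i < len(a) else "")
            wb = _weight(b[j] if j < len(b) else "")
            if wa != wb:
                return -1 if wa < wb else 1
            i, j = i + 1, j + 1
        # Digit runs are compared as numbers; an empty run counts as 0.
        ei, ej = _digits_end(a, i), _digits_end(b, j)
        na, nb = int(a[i:ei] or 0), int(b[j:ej] or 0)
        if na != nb:
            return -1 if na < nb else 1
        i, j = ei, ej
    return 0

def compare(v1, v2):
    """-1, 0 or 1 in the order dpkg and apt use to decide which version is newer."""
    (e1, u1, r1), (e2, u2, r2) = _split(v1), _split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_part(u1, u2) or _cmp_part(r1, r2)

LOCAL = "3.5.12-1lvb1-ssl"  # changelog version from the message
CANDIDATES = ["3.4.8-1", "3.5.12-1", "3.5.12-1~bpo8+1", "3.5.12-2", "3.5.13-1"]  # constructed

def superseding(local, candidates):
    return [v for v in candidates if compare(v, local) > 0]
```

Because the revision is taken after the last hyphen, the local string parses as upstream `3.5.12-1lvb1` with revision `ssl`, so `superseding(LOCAL, CANDIDATES)` returns only `3.5.13-1`. A rebuild versioned this way is not replaced by any later Debian revision or backport of 3.5.12 and has to be tracked by hand until the next upstream release.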
