On 9/01/20 8:34 pm, robert k Wild wrote:
> hi all,
>
> I have made a script for squid that installs the following –
>
> Squid – http proxy server
> Squid ssl-bump – https interception for squid
> C-ICAP – icap server
> clamAV – AV engine to detect trojan viruses malware etc
> squidclamav – to make it all integrated with squid
>
> what do you think?
>
> #!/bin/bash
> #squid on DMZ host
> #
> #first things first lets disable firewalld and SElinux
> #
> systemctl stop firewalld
> systemctl disable firewalld
> sed -i -e 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
> #

Why?

> #squid packages
> #
> yum install -y epel-release swaks sed tar zip unzip curl telnet openssl
> openssl-devel bzip2-devel libarchive libarchive-devel perl
> perl-Data-Dumper gcc gcc-c++ binutils autoconf automake make sudo wget
> libxml2-devel libcap-devel libtool-ltdl-devel
> #
> #clamAV packages
> #
> yum install -y clamav-server clamav-data clamav-update clamav-filesystem
> clamav clamav-scanner-systemd clamav-devel clamav-lib clamav-server-systemd
> #
> #download and compile from source
> #
> cd /tmp
> wget http://www.squid-cache.org/Versions/v4/squid-4.9.tar.gz

Please use rsync for this, and verify against the *.asc file signature
that you got the file correctly.

> wget
> http://sourceforge.net/projects/c-icap/files/c-icap/0.5.x/c_icap-0.5.6.tar.gz
> wget
> http://sourceforge.net/projects/c-icap/files/c-icap-modules/0.5.x/c_icap_modules-0.5.4.tar.gz
> wget
> https://sourceforge.net/projects/squidclamav/files/squidclamav/7.1/squidclamav-7.1.tar.gz
> for f in *.tar.gz; do tar xf "$f"; done
> cd /tmp/squid-4.9
> ./configure --with-openssl --enable-ssl-crtd --enable-icap-client &&
> make && make install
> #

IIRC this was a CentOS machine, right? If so, see
<https://wiki.squid-cache.org/KnowledgeBase/CentOS#Compiling>
otherwise see the equivalent wiki page for your chosen OS compile.

Those settings install Squid as a system application. So no need for the
/usr/local stuff.

> cd /tmp/c_icap-0.5.6
> ./configure 'CXXFLAGS=-O2 -m64 -pipe' 'CFLAGS=-O2 -m64 -pipe'
> --without-bdb --prefix=/usr/local && make && make install
> #
> cd /tmp/squidclamav-7.1
> ./configure 'CXXFLAGS=-O2 -m64 -pipe' 'CFLAGS=-O2 -m64 -pipe'
> --with-c-icap=/usr/local --with-libarchive && make && make install
> #
> cd /tmp/c_icap_modules-0.5.4
> ./configure 'CFLAGS=-O3 -m64 -pipe'
> 'CPPFLAGS=-I/usr/local/clamav/include' 'LDFLAGS=-L/usr/local/lib
> -L/usr/local/clamav/lib/' && make && make install
> #
> #creating shortcuts and copying files
> #
> cp -f /usr/local/squid/etc/squid.conf /usr/local/squid/etc/squid.conf.orig
> cp -f /usr/local/etc/c-icap.conf /usr/local/etc/c-icap.conf.orig
> cp -f /usr/local/etc/squidclamav.conf /usr/local/etc/squidclamav.conf.orig
> cp -f /usr/local/etc/clamav_mod.conf /usr/local/etc/clamav_mod.conf.orig
> cp -f /usr/local/etc/virus_scan.conf /usr/local/etc/virus_scan.conf.orig
> #
> ln -s /usr/local/squid/etc/squid.conf /etc
> ln -s /usr/local/etc/c-icap.conf /etc
> ln -s /usr/local/etc/squidclamav.conf /etc
> ln -s /usr/local/etc/clamav_mod.conf /etc
> ln -s /usr/local/etc/virus_scan.conf /etc
> #
> mkdir -p /usr/local/clamav/share/clamav
> ln -s /var/lib/clamav /usr/local/clamav/share/clamav
> #
> #tmpfiles for run files
> #
> echo "d /var/run/c-icap 0755 root root -" >> /etc/tmpfiles.d/c-icap.conf
> echo "d /var/run/clamav 0755 root root -" >> /etc/tmpfiles.d/clamav.conf
> #
> #delete a few lines in squid
> #
> sed -i '/http_port 3128/d' /usr/local/squid/etc/squid.conf
> sed -i '/http_access deny all/d' /usr/local/squid/etc/squid.conf

Please do not remove that second line from your squid.conf. It will
result in unpredictable default allow/deny behaviour from your proxy.

Instead I recommend (mind the wrap):

  sed -i 's|# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS|include "/etc/squid/squid.conf.d/*"|' \
      /usr/local/squid/etc/squid.conf

Then you can just drop files into the /etc/squid/squid.conf.d/ directory
and they will be loaded as config on next start or reconfigure.

HTH
Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
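
A post-edit check for the two squid.conf edits discussed in this thread, as an added example that is not part of the original message or of the Squid project's code. It confirms that the drop-in include sits ahead of "http_access deny all" and that deny all is still the last http_access rule. The function names and the sample squid.conf fragment are constructed for illustration, and the include edit is written here as a sed substitution with "|" as the delimiter.

```shell
#!/bin/bash
# Added example. Function names and the sample squid.conf are constructed.

# Print the last active (uncommented) http_access rule, whitespace-normalised.
last_http_access() {
    awk '$1 == "http_access" { $1 = $1; last = $0 } END { print last }' "$1"
}

# Succeed only if the final http_access rule is "deny all".
ends_with_deny_all() {
    [ "$(last_http_access "$1")" = "http_access deny all" ]
}

# Succeed only if `include "<glob>"` appears before "http_access deny all".
include_before_deny() {
    awk -v want="\"$2\"" '
        $1 == "include" && $2 == want { inc = NR }
        $1 == "http_access" && $2 == "deny" && $3 == "all" { deny = NR }
        END { exit !(inc && deny && inc < deny) }' "$1"
}

# Constructed fragment modelled on the tail of a default squid.conf.
make_sample_conf() {
    cat > "$1" <<'EOF'
acl localnet src 10.0.0.0/8
http_access deny !Safe_ports
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 3128
EOF
}

# Replace the marker comment with the drop-in include directive.
apply_include() {
    sed -i 's|# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS|include "/etc/squid/squid.conf.d/*"|' "$1"
}

# The edit from the quoted script that the reply warns against.
remove_deny_all() { sed -i '/http_access deny all/d' "$1"; }

conf=$(mktemp); make_sample_conf "$conf"; apply_include "$conf"
ends_with_deny_all "$conf" && echo "include edit: deny all is still the last rule"
remove_deny_all "$conf"
ends_with_deny_all "$conf" || echo "line deleted: last rule is now '$(last_http_access "$conf")'"
rm -f "$conf"
```

Run the two checks against the real squid.conf at the end of an install script and abort if either fails; "squid -k parse" can then validate the configuration syntax before a start or reconfigure.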