
Re: moving squid from centos 7 to ubuntu 22.04

On 16/11/2022 6:31 am, robert k Wild wrote:
Hi all,

At the moment I have written a script: once you have built a CentOS 7 VM, you just run the script and after the reboot it's a complete running squidclamAV server.

I'm going to be moving the script to an Ubuntu server, as CentOS 7 is dead now (as I run clamAV on it, clamAV will stop getting virus definitions in 2024, and I use this for virus scanning of internet packets).

I just want to know what lines I need to adjust to work with Ubuntu instead of CentOS; obviously I know that instead of yum install... it's apt install.


My comments below assume that you want to keep the exact versions as-is and custom build.

Otherwise, if you are okay following Ubuntu's official packages and security fixes, things could be a lot different (and simpler).


Here's my long script:

#!/bin/bash
#
#this script will download/install and configure the following packages
#
#squid - proxy server
#squid ssl bump - intercept HTTPS traffic
#clamAV - antivirus engine inc trojans,viruses,malware
#c-icap - icap server
#squidclamav - that integrates all the above in squid

You may not be aware that squidclamav has been replaced with the eCAP ClamAV module:
<https://www.e-cap.org/downloads/>

Ubuntu provides libecap package and Squid has support auto-enabled for it.
So all you should need to do is build the ecap-clamav adaptor and configure it for use.


#whitelist URLs
#deny MIME types
#
#on the PROD host you only need squid
#
#first things first lets disable firewalld and SElinux
#
systemctl stop firewalld
systemctl disable firewalld
sed -i -e 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
#
#squid packages
#
yum install -y epel-release screen rsync net-tools ethtool swaks sed tar zip unzip curl telnet openssl openssl-devel bzip2-devel libarchive libarchive-devel perl perl-Data-Dumper gcc gcc-c++ binutils autoconf automake make sudo wget libxml2-devel libcap-devel libtool-ltdl-devel
#

Drop "epel-release" as irrelevant on Ubuntu.

Ubuntu developer packages have "-dev" suffix instead of "-devel". So all those should change.

To get access to simpler source building I recommend altering the apt configuration like so:

    sudo sed --in-place -E 's/# (deb-src.*updates main)/  \1/g' /etc/apt/sources.list
    sudo apt-get --quiet=2 update


There are some trivial package naming differences. When apt complains about not finding a package you can use <https://packages.ubuntu.com/search> to search for the Ubuntu naming and/or any alternatives.


Many of those are not related to Squid in any way. Perhaps separate them into a different install command?

After the above deb-src change the packages needed to build Squid for Ubuntu can be installed like so:

    sudo apt-get --quiet=2 build-dep squid

Similar commands also for clamav, c-icap any others which Ubuntu provides packages for.

After that build-dep command you only need to install dependencies if the Ubuntu package lacks support. For example, Ubuntu older than 21.10 lack openssl natively, so "apt install libssl-dev" may be needed specially.


#clamAV packages
#
yum install -y clamav-server clamav-data clamav-update clamav-filesystem clamav clamav-scanner-systemd clamav-devel clamav-lib clamav-server-systemd
#


#download and compile from source
#
cd /tmp
wget http://www.squid-cache.org/Versions/v4/squid-4.17.tar.gz
wget http://sourceforge.net/projects/c-icap/files/c-icap/0.5.x/c_icap-0.5.10.tar.gz --no-check-certificate
wget http://sourceforge.net/projects/c-icap/files/c-icap-modules/0.5.x/c_icap_modules-0.5.5.tar.gz --no-check-certificate
wget https://sourceforge.net/projects/squidclamav/files/squidclamav/7.1/squidclamav-7.1.tar.gz --no-check-certificate
#
for f in *.tar.gz; do tar xf "$f"; done
#
cd /tmp/squid-4.17
./configure --with-openssl --enable-ssl-crtd --enable-icap-client --enable-http-violations && make && make install

The prefix can be a bit different on Debian/Ubuntu. To ensure it is right add --prefix=/usr/local to the above options.


#
cd /tmp/c_icap-0.5.10
./configure 'CXXFLAGS=-O2 -m64 -pipe' 'CFLAGS=-O2 -m64 -pipe' --without-bdb --prefix=/usr/local && make && make install
#
cd /tmp/squidclamav-7.1
./configure 'CXXFLAGS=-O2 -m64 -pipe' 'CFLAGS=-O2 -m64 -pipe' --with-c-icap=/usr/local --with-libarchive && make && make install
#
cd /tmp/c_icap_modules-0.5.5
./configure 'CFLAGS=-O3 -m64 -pipe' 'CPPFLAGS=-I/usr/local/clamav/include' 'LDFLAGS=-L/usr/local/lib -L/usr/local/clamav/lib/' && make && make install
#
#creating shortcuts and copying files
#
cp -f /usr/local/squid/etc/squid.conf /usr/local/squid/etc/squid.conf.orig
cp -f /usr/local/etc/c-icap.conf /usr/local/etc/c-icap.conf.orig
cp -f /usr/local/etc/squidclamav.conf /usr/local/etc/squidclamav.conf.orig
cp -f /usr/local/etc/clamav_mod.conf /usr/local/etc/clamav_mod.conf.orig
cp -f /usr/local/etc/virus_scan.conf /usr/local/etc/virus_scan.conf.orig
#
ln -s /usr/local/squid/etc/squid.conf /etc
ln -s /usr/local/etc/c-icap.conf /etc
ln -s /usr/local/etc/squidclamav.conf /etc
ln -s /usr/local/etc/clamav_mod.conf /etc
ln -s /usr/local/etc/virus_scan.conf /etc
#
mkdir -p /usr/local/clamav/share/clamav
ln -s /var/lib/clamav /usr/local/clamav/share/clamav
#
#tmpfiles for run files
#
echo "d /var/run/c-icap 0755 root root -" >> /etc/tmpfiles.d/c-icap.conf
echo "d /var/run/clamav 0755 root root -" >> /etc/tmpfiles.d/clamav.conf
#
#original squid config
#
sed -i '/http_port 3128/d' /usr/local/squid/etc/squid.conf
sed -i -e 's%http_access deny !Safe_ports%#http_access deny !Safe_ports%g' /usr/local/squid/etc/squid.conf
sed -i -e 's%http_access deny CONNECT !SSL_ports%#http_access deny CONNECT !SSL_ports%g' /usr/local/squid/etc/squid.conf

Reason? This opens a large number of security vulnerabilities.


Modern Squid have an "include" directive to import extra squid.conf rules from other files and/or directories. I recommend adding this one line to squid.conf under where it says "INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS":

    include /etc/squid/conf.d/*.conf

then placing all your custom Squid files in that conf.d directory.


#
#create URL, MIME and public key list
#
echo "#eicar" >> /usr/local/squid/etc/urlwhite.txt
echo ".eicar.org" >> /usr/local/squid/etc/urlwhite.txt
#
echo "http://updater.maxon.net/server_test" >> /usr/local/squid/etc/urlspecial.txt
#
echo "application/octet-stream" >> /usr/local/squid/etc/mimedeny.txt
echo "application/x-msi" >> /usr/local/squid/etc/mimedeny.txt
echo "application/zip" >> /usr/local/squid/etc/mimedeny.txt
echo "application/x-7z-compressed" >> /usr/local/squid/etc/mimedeny.txt
echo "application/vnd.ms-cab-compressed" >> /usr/local/squid/etc/mimedeny.txt
echo "application/x-msdownload" >> /usr/local/squid/etc/mimedeny.txt
echo "application/x-iso9660-image" >> /usr/local/squid/etc/mimedeny.txt

FWIW: squid config files are all agnostic to whitespace indentation. So you should be able to improve script readability like this:

 echo "
   blah
   blah
   blah
   blah
" >> path/to/file


Also, I see that you are adding systemd integration for the other software.
There is a file in squid tarball at tools/systemd/squid.service that can be installed to add that. You will need to adjust the binary paths inside it to your custom /usr/local ones.

Also, consider using logrotate package to manage the log files instead of cron.


HTH
Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
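The following is an added example, not code from this thread or from the Squid project. It exercises four of the points made in the reply on constructed files in a temporary directory rather than on a live system: enabling the deb-src lines in a copy of sources.list, checking whether the two port-restriction rules the script comments out are still active, inserting the conf.d include line after the "INSERT YOUR OWN RULE(S)" marker, and writing list files from an indented here-document. The squid.conf and sources.list contents are made up for the demonstration; the functions assume only POSIX sh, grep and sed.

```shell
#!/bin/sh
# Added example (not from the thread or the Squid project). Everything runs on
# constructed files under a temp directory; paths and contents are made up here.

# Constructed squid.conf fragment that mirrors the stock rules the script edits.
# One of the two port-based deny rules is already commented out on purpose.
make_sample_conf() {
    cat > "$1" <<'EOF'
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl CONNECT method CONNECT
#http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
http_access allow localhost
http_access deny all
EOF
}

# Succeed only if an uncommented rule with exactly this text is present.
has_active_rule() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|$)" "$1"
}

# Print how many of the two default port-restriction rules are missing or
# commented out. The script in the thread comments out both of them.
count_missing_port_rules() {
    missing=0
    for rule in 'http_access deny !Safe_ports' 'http_access deny CONNECT !SSL_ports'; do
        has_active_rule "$1" "$rule" || missing=$((missing + 1))
    done
    echo "$missing"
}

# Add the include directive right after the "INSERT YOUR OWN RULE(S)" marker.
# Idempotent: a second call changes nothing. Writes via a temp file instead of
# sed -i so it behaves the same with GNU and BSD sed.
add_conf_d_include() {
    grep -q '^include /etc/squid/conf.d/\*\.conf' "$1" && return 0
    sed '/INSERT YOUR OWN RULE(S) HERE/a\
include /etc/squid/conf.d/*.conf' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Append an indented here-document to a list file, dropping the indentation
# and blank lines so the file ends up with one entry per line.
write_list() {
    sed -e 's/^[[:space:]]*//' -e '/^[[:space:]]*$/d' >> "$1"
}

# Uncomment "# deb-src ... updates main" lines, as the reply suggests, on a
# copy of sources.list rather than on the real /etc/apt/sources.list.
enable_deb_src() {
    sed -E 's/^# (deb-src.*updates main)/\1/' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Walk-through on the constructed inputs.
demo() {
    work=$(mktemp -d)
    make_sample_conf "$work/squid.conf"
    echo "port rules missing before fixing: $(count_missing_port_rules "$work/squid.conf")"
    add_conf_d_include "$work/squid.conf"
    write_list "$work/mimedeny.txt" <<'EOF'
        application/octet-stream
        application/x-msi
        application/zip
EOF
    printf '%s\n' \
        'deb http://archive.ubuntu.com/ubuntu jammy-updates main' \
        '# deb-src http://archive.ubuntu.com/ubuntu jammy-updates main' \
        > "$work/sources.list"
    enable_deb_src "$work/sources.list"
    grep -nE 'include|deb-src' "$work/squid.conf" "$work/sources.list"
    cat "$work/mimedeny.txt"
    rm -rf "$work"
}

demo
```

Running it prints one missing port rule for the sample config (the Safe_ports rule is commented out, the CONNECT rule is still active), shows the include line sitting directly under the marker comment, and lists the three MIME types without their indentation. Running count_missing_port_rules against a real squid.conf after the script has run is a quick way to confirm whether those two rules were removed.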