Wow thanks Amos so much for this,
You think if I build it on rocky Linux, it would be easier?
On Thu, 17 Nov 2022, 06:07 Amos Jeffries, <squid3@xxxxxxxxxxxxx> wrote:
On 16/11/2022 6:31 am, robert k Wild wrote:
> hi all,
>
> atm i have written a script, once you have built a centos 7 VM, you
> just run the script and after the reboot its a complete running
> squidclamAV server
>
> i'm going to be moving the script to a ubuntu server as centos 7 is
> dead now (as i run clamAV on it, clamAV will stop getting virus
> definitions 2024 as i use this for virus scanning of internet packets)
>
> just want to know what lines i need to adjust to work with ubuntu
> instead of centos, obviously i know instead of yum install.... its apt
> install
>
My comments below assume that you want to keep the exact versions as-is
and custom build.
Otherwise, if you are okay following Ubuntu's official packages and
security fixes things could be a lot different (and simpler).
> heres my long script
>
> #!/bin/bash
> #
> #this script will download/install and configure the following packages
> #
> #squid - proxy server
> #squid ssl bump - intercept HTTPS traffic
> #clamAV - antivirus engine inc trojans,viruses,malware
> #c-icap - icap server
> #squidclamav - that integrates all the above in squid
You may not be aware squidclamav has been replaced with eCAP ClamAV module:
<https://www.e-cap.org/downloads/>
Ubuntu provides libecap package and Squid has support auto-enabled for it.
So all you should need to do is build the ecap-clamav adaptor and
configure it for use.
> #whitelist URL's
> #deny MIME types
> #
> #on the PROD host you only need squid
> #
> #first things first lets disable firewalld and SElinux
> #
> systemctl stop firewalld
> systemctl disable firewalld
> sed -i -e 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
> #
> #squid packages
> #
> yum install -y epel-release screen rsync net-tools ethtool swaks sed
> tar zip unzip curl telnet openssl openssl-devel bzip2-devel libarchive
> libarchive-devel perl perl-Data-Dumper gcc gcc-c++ binutils autoconf
> automake make sudo wget libxml2-devel libcap-devel libtool-ltdl-devel
> #
Drop "epel-release" as irrelevant on Ubuntu.
Ubuntu developer packages have "-dev" suffix instead of "-devel". So all
those should change.
To get access to simpler source building I recommend altering the apt
configuration like so:
sudo sed --in-place -E 's/# (deb-src.*updates main)/ \1/g'
/etc/apt/sources.list
sudo apt-get --quiet=2 update
There are some trivial package naming differences. When apt complains
about not finding a package you can use
<https://packages.ubuntu.com/search> to search for the Ubuntu naming
and/or any alternatives.
Many of those are not related to Squid in any way. Perhapse separate
them into a different install command?
After the above deb-src change the packages needed to build Squid for
Ubuntu can be installed like so:
sudo apt-get --quiet=2 build-dep squid
Similar commands also for clamav, c-icap any others which Ubuntu
provides packages for.
After that build-dep command you only need to install dependencies if
the Ubuntu package lacks support.
For example, Ubuntu older than 21.10 lack openssl natively, so "apt
install libssl-dev" may be needed specially.
> #clamAV packages
> #
> yum install -y clamav-server clamav-data clamav-update
> clamav-filesystem clamav clamav-scanner-systemd clamav-devel
> clamav-lib clamav-server-systemd
> #
> #download and compile from source
> #
> cd /tmp
> wget http://www.squid-cache.org/Versions/v4/squid-4.17.tar.gz
> wget
> http://sourceforge.net/projects/c-icap/files/c-icap/0.5.x/c_icap-0.5.10.tar.gz
> --no-check-certificate
> wget
> http://sourceforge.net/projects/c-icap/files/c-icap-modules/0.5.x/c_icap_modules-0.5.5.tar.gz
> --no-check-certificate
> wget
> https://sourceforge.net/projects/squidclamav/files/squidclamav/7.1/squidclamav-7.1.tar.gz
> --no-check-certificate
> #
> for f in *.tar.gz; do tar xf "$f"; done
> #
> cd /tmp/squid-4.17
> ./configure --with-openssl --enable-ssl-crtd --enable-icap-client
> --enable-http-violations && make && make install
The prefix can be a bit different on Debian/Ubuntu. To ensure it is
right add --prefix=/usr/local to the above options.
> #
> cd /tmp/c_icap-0.5.10
> ./configure 'CXXFLAGS=-O2 -m64 -pipe' 'CFLAGS=-O2 -m64 -pipe'
> --without-bdb --prefix=/usr/local && make && make install
> #
> cd /tmp/squidclamav-7.1
> ./configure 'CXXFLAGS=-O2 -m64 -pipe' 'CFLAGS=-O2 -m64 -pipe'
> --with-c-icap=/usr/local --with-libarchive && make && make install
> #
> cd /tmp/c_icap_modules-0.5.5
> ./configure 'CFLAGS=-O3 -m64 -pipe'
> 'CPPFLAGS=-I/usr/local/clamav/include' 'LDFLAGS=-L/usr/local/lib
> -L/usr/local/clamav/lib/' && make && make install
> #
> #creating shortcuts and copying files
> #
> cp -f /usr/local/squid/etc/squid.conf /usr/local/squid/etc/squid.conf.orig
> cp -f /usr/local/etc/c-icap.conf /usr/local/etc/c-icap.conf.orig
> cp -f /usr/local/etc/squidclamav.conf /usr/local/etc/squidclamav.conf.orig
> cp -f /usr/local/etc/clamav_mod.conf /usr/local/etc/clamav_mod.conf.orig
> cp -f /usr/local/etc/virus_scan.conf /usr/local/etc/virus_scan.conf.orig
> #
> ln -s /usr/local/squid/etc/squid.conf /etc
> ln -s /usr/local/etc/c-icap.conf /etc
> ln -s /usr/local/etc/squidclamav.conf /etc
> ln -s /usr/local/etc/clamav_mod.conf /etc
> ln -s /usr/local/etc/virus_scan.conf /etc
> #
> mkdir -p /usr/local/clamav/share/clamav
> ln -s /var/lib/clamav /usr/local/clamav/share/clamav
> #
> #tmpfiles for run files
> #
> echo "d /var/run/c-icap 0755 root root -" >> /etc/tmpfiles.d/c-icap.conf
> echo "d /var/run/clamav 0755 root root -" >> /etc/tmpfiles.d/clamav.conf
> #
> #original squid config
> #
> sed -i '/http_port 3128/d' /usr/local/squid/etc/squid.conf
> sed -i -e 's%http_access deny !Safe_ports%#http_access deny
> !Safe_ports%g' /usr/local/squid/etc/squid.conf
> sed -i -e 's%http_access deny CONNECT !SSL_ports%#http_access deny
> CONNECT !SSL_ports%g' /usr/local/squid/etc/squid.conf
Reason? this opens a large number of security vulnerabilities.
Modern Squid have an "include" directive to import extra squid.conf
rules from other files and/or directories.
I recommend adding this one line to squid.conf under where it says
"|INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS"|:
|include /etc/squid/conf.d/*.conf|
then placing all your custom Squid files in that conf.d directory.
> #
> #create URL, MIME and public key list
> #
> echo "#eicar" >> /usr/local/squid/etc/urlwhite.txt
> echo ".eicar.org <http://eicar.org>" >> /usr/local/squid/etc/urlwhite.txt
> #
> echo "http://updater.maxon.net/server_test" >>
> /usr/local/squid/etc/urlspecial.txt
> #
> echo "application/octet-stream" >> /usr/local/squid/etc/mimedeny.txt
> echo "application/x-msi" >> /usr/local/squid/etc/mimedeny.txt
> echo "application/zip" >> /usr/local/squid/etc/mimedeny.txt
> echo "application/x-7z-compressed" >> /usr/local/squid/etc/mimedeny.txt
> echo "application/vnd.ms-cab-compressed" >>
> /usr/local/squid/etc/mimedeny.txt
> echo "application/x-msdownload" >> /usr/local/squid/etc/mimedeny.txt
> echo "application/x-iso9660-image" >> /usr/local/squid/etc/mimedeny.txt
FWIW: squid config files are all agnostic to whitespace indentation. So
you should be able to improve script readability like this:
echo "
blah
blah
blah
blah
" >> path/to/file
Also, I see that you are adding systemd integration for the other software.
There is a file in squid tarball at tools/systemd/squid.service that can
be installed to add that.
You will need to adjust the binary paths inside it to your custom
/usr/local ones.
Also, consider using logrotate package to manage the log files instead
of cron.
HTH
Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
