The following steps show how to rebuild the latest stable Squid proxy capable of HTTPS filtering and SSL inspection on Ubuntu 16 Xenial.
Step 1: Update the System
It is recommended to update the system prior to installation. Run the script 01_update.sh from this archive to do it. The contents of this script are shown below.
#!/bin/bash
if [[ $EUID -ne 0 ]]; then
echo "This script must be run as root" 1>&2
exit 1
fi
apt-get update && apt-get -y upgrade && reboot
Step 2: Install Build Tools
In order to rebuild the Squid proxy we need to install some prerequisites. Run the script 02_tools.sh from this archive to install them. Please note that we first install the build dependencies of the default Squid package and then remove the conflicting libecap2 package.
#!/bin/bash
if [[ $EUID -ne 0 ]]; then
echo "This script must be run as root" 1>&2
exit 1
fi
# install build tools
apt-get -y install devscripts build-essential fakeroot debhelper dh-autoreconf cdbs
# install build dependencies for squid
apt-get -y build-dep libecap
apt-get -y build-dep squid3
# uninstall libecap2 as we will be using the libecap3
apt-get -y --purge remove libecap2-dev libecap2
# install additional packages for new squid
apt-get -y install nettle-dev libgnutls28-dev libssl-dev libdbi-perl \
libldap2-dev libpam0g-dev libdb-dev libsasl2-dev libcppunit-dev \
libkrb5-dev comerr-dev libcap2-dev libexpat1-dev libxml2-dev \
libnetfilter-conntrack-dev
# and reboot
reboot
Step 3: Build eCAP 3 Library
The latest Squid depends on the presence of the eCAP adapter library on the host machine. The default libecap2 library present in Ubuntu 16 Xenial is too old, so we need to build a newer version. To do that, run the script 03_build_ecap.sh from this archive.
#!/bin/bash
if [[ $EUID -eq 0 ]]; then
echo "This script must NOT be run as root" 1>&2
exit 1
fi
# drop ecap build folder (ignored if it does not exist yet)
rm -rf build/libecap
# we will be working in a subfolder, make it
mkdir -p build/libecap
# descend into working directory
pushd build/libecap
# get libecap from debian stretch
wget http://http.debian.net/debian/pool/main/libe/libecap/libecap_1.0.1-3.2.dsc
wget http://http.debian.net/debian/pool/main/libe/libecap/libecap_1.0.1.orig.tar.gz
wget http://http.debian.net/debian/pool/main/libe/libecap/libecap_1.0.1-3.2.debian.tar.xz
# unpack the source package
dpkg-source -x libecap_1.0.1-3.2.dsc
# build the package
cd libecap-1.0.1 && dpkg-buildpackage -rfakeroot -b
# and revert
popd
After the build is successful, run the script 04_install_ecap.sh from this archive to install the library and headers. These are needed to build Squid in the next step.
#!/bin/bash
if [[ $EUID -ne 0 ]]; then
echo "This script must be run as root" 1>&2
exit 1
fi
# descend into working directory
pushd build/libecap
# install ecap packages
dpkg --install libecap3_1.0.1-3.2_amd64.deb
dpkg --install libecap3-dev_1.0.1-3.2_amd64.deb
# and revert
popd
Step 4: Recompile Squid to Support HTTPS/SSL Filtering
In order to get the latest Squid on Ubuntu 16 Xenial we will use the original version from the Debian 8 testing repository with several additions necessary for SSL Bump and HTTPS filtering. Run the script 05_build_squid.sh from this archive to do the compilation.
#!/bin/bash
if [[ $EUID -eq 0 ]]; then
echo "This script must NOT be run as root" 1>&2
exit 1
fi
# drop squid3 build folder (ignored if it does not exist yet)
rm -rf build/squid3
# we will be working in a subfolder, make it
mkdir -p build/squid3
# copy the patches to the working folder
cp rules.patch build/squid3/rules.patch
cp control.patch build/squid3/control.patch
# descend into working directory
pushd build/squid3
# get squid3 from debian stretch
wget http://http.debian.net/debian/pool/main/s/squid3/squid3_3.5.23-1.dsc
wget http://http.debian.net/debian/pool/main/s/squid3/squid3_3.5.23.orig.tar.gz
wget http://http.debian.net/debian/pool/main/s/squid3/squid3_3.5.23-1.debian.tar.xz
# unpack the source package
dpkg-source -x squid3_3.5.23-1.dsc
# modify configure options in debian/rules, add --enable-ssl --enable-ssl-crtd
patch squid3-3.5.23/debian/rules < ../../rules.patch
# modify control file, drop explicitly specified debhelper version
patch squid3-3.5.23/debian/control < ../../control.patch
# build the package
cd squid3-3.5.23 && dpkg-buildpackage -rfakeroot -b
# and revert
popd
The rules patch file adds the compilation arguments needed to build an SSL Bump capable Squid.
--- build/squid3/squid3-3.5.15/debian/rules 2016-02-17 01:13:33.000000000 +0100
+++ build/squid3/squid3-3.5.15/debian/rules.new 2016-02-22 22:50:04.079470555 +0100
@@ -45,7 +45,10 @@
--with-pidfile=/var/run/squid.pid \
--with-filedescriptors=65536 \
--with-large-files \
- --with-default-user=proxy
+ --with-default-user=proxy \
+ --with-openssl \
+ --enable-ssl \
+ --enable-ssl-crtd
BUILDINFO := $(shell lsb_release -si 2>/dev/null)
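Review bot: the file headers name squid3-3.5.15/debian/rules and the hunk is anchored at line 45, but 05_build_squid.sh applies this patch to squid3-3.5.23/debian/rules. Please regenerate the diff against the 3.5.23 packaging so it applies without offset or fuzz, and have the build script stop when patch returns non-zero; otherwise a rejected hunk silently produces a Squid built without --with-openssl and --enable-ssl-crtd. The script comment for this step also lists only --enable-ssl and --enable-ssl-crtd, while the hunk adds --with-openssl as well, so the comment should name all three.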
The control patch file removes the dependency on an explicit debhelper version.
--- control 2016-10-29 23:13:00.000000000 +0200
+++ control.new 2016-11-01 16:25:14.111887577 +0100
@@ -5,7 +5,7 @@
Homepage: http://www.squid-cache.org
Standards-Version: 3.9.8
Vcs-Git: git://anonscm.debian.org/pkg-squid/pkg-squid3.git/
-Build-Depends: libldap2-dev, libpam0g-dev, libdb-dev, cdbs, libsasl2-dev, debhelper (>=10), libcppunit-dev, libkrb5-dev, comerr-dev, libcap2-dev [linux-any], libecap3-dev (>= 1.0.1-2), libexpat1-dev, libxml2-dev, autotools-dev, libltdl-dev, dpkg-dev (>= 1.16.1~), pkg-config, libnetfilter-conntrack-dev [linux-any], nettle-dev, libgnutls28-dev, lsb-release
+Build-Depends: libldap2-dev, libpam0g-dev, libdb-dev, cdbs, libsasl2-dev, debhelper, libcppunit-dev, libkrb5-dev, comerr-dev, libcap2-dev [linux-any], libecap3-dev (>= 1.0.1-2), libexpat1-dev, libxml2-dev, autotools-dev, libltdl-dev, dpkg-dev (>= 1.16.1~), pkg-config, libnetfilter-conntrack-dev [linux-any], nettle-dev, libgnutls28-dev, lsb-release
XS-Testsuite: autopkgtest
Package: squid3
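Review bot: in the Build-Depends line, `debhelper (>=10)` becomes a bare `debhelper`, which removes the version floor entirely instead of lowering it, so any debhelper now satisfies the dependency even if the packaging relies on newer helper behaviour. Suggest keeping an explicit floor set to the lowest version the build was actually tested with on the Xenial host, and adding a short description to the patch saying why the original constraint was relaxed.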
After the build is successful, run the script 06_install_squid.sh from this archive to install Squid.
#!/bin/bash
if [[ $EUID -ne 0 ]]; then
echo "This script must be run as root" 1>&2
exit 1
fi
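# descend into working directory
pushd build/squid3
# install the language pack dependency (the script already runs as root)
apt-get -y install squid-langpack
# install the squid packages produced by 05_build_squid.sh (version 3.5.23-1)
dpkg --install squid-common_3.5.23-1_all.deb
dpkg --install squid_3.5.23-1_amd64.deb
dpkg --install squidclient_3.5.23-1_amd64.deb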
# and revert
popd
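A post-install check that the running binary really is the rebuilt one and not the stock package: the script below is an added example, not part of the original archive, and it reads the "configure options:" line printed by `squid -v` looking for two of the options the rules patch adds. The function name `missing_ssl_options` is hypothetical.

```shell
#!/bin/bash
# Added example: confirm the installed Squid was configured for SSL Bump.

# missing_ssl_options reads `squid -v` output on stdin, prints each required
# configure option that is absent, and returns 0 only when none is missing.
# The body runs in a subshell so set -f and the variables stay local.
missing_ssl_options() (
    set -f  # tokens are split on whitespace below; never glob-expand them
    # keep only the "configure options:" line and drop the quotes around args
    opts="$(sed -n "/^configure options:/{s/'//g;p;q;}")"
    missing=0
    for opt in --with-openssl --enable-ssl-crtd; do
        found=0
        for tok in $opts; do
            case "$tok" in
                "$opt=no") ;;                  # explicitly disabled: absent
                "$opt" | "$opt="*) found=1 ;;  # bare flag or flag=value form
            esac
        done
        if [ "$found" -eq 0 ]; then
            echo "$opt"
            missing=1
        fi
    done
    return "$missing"
)

# Usage on the proxy host:
#   squid -v | missing_ssl_options || echo "this build cannot do SSL Bump" >&2
```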
Ubuntu 16 Repository for Squid
If recompilation of Squid is not desirable you can always use the online repository at http://ubuntu16.diladele.com. To use the repository for the first time run the following commands as root user:
# add diladele apt key
wget -qO - http://packages.diladele.com/diladele_pub.asc | apt-key add -
# add repo
echo "deb http://ubuntu16.diladele.com/ubuntu/ xenial main" > /etc/apt/sources.list.d/ubuntu16.diladele.com.list
# update the apt cache
apt-get update
# install
apt-get install libecap3
apt-get install squid-common
apt-get install squid
apt-get install squidclient
If you have installed a previous version of 3.5 from this repo, please run “sudo apt-get update && sudo apt-get upgrade”. Please also check that the squid.conf file from your previous version has not been overwritten.
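The commands above fetch the signing key over plain HTTP and pipe it straight into apt-key, so nothing checks which key is being trusted. The script below is an added example, not from the original article: it saves the key to a file, compares its fingerprint with a pin obtained through a separate channel, and imports it only on a match. The function names are hypothetical and the pin is a placeholder, because the page does not publish the fingerprint.

```shell
#!/bin/bash
# Added example: import a repository key only if its fingerprint matches a pin.

# single_key_fpr reads `gpg --with-colons` output on stdin and prints the
# primary-key fingerprint, failing unless the listing holds exactly one key
# (a file carrying an extra key must not pass on the strength of the first).
single_key_fpr() {
    awk -F: '$1 == "pub" { n++ }
             $1 == "fpr" && f == "" { f = $10 }
             END { if (n == 1 && f != "") print f; else exit 1 }'
}

# normalize_fpr strips spaces and uppercases, so "abcd 1234" equals "ABCD1234".
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t' | tr 'a-f' 'A-F'
}

# fpr_matches LISTING PIN: succeed only if the listing's single key equals PIN.
fpr_matches() (
    got="$(printf '%s\n' "$1" | single_key_fpr)" || return 1
    [ "$(normalize_fpr "$got")" = "$(normalize_fpr "$2")" ]
)

# add_pinned_key KEYFILE PIN: list the key file without importing it, compare
# the fingerprint, and hand the file to apt-key only on a match.
add_pinned_key() (
    listing="$(gpg --batch --with-colons --with-fingerprint "$1" 2>/dev/null)" || return 1
    fpr_matches "$listing" "$2" || {
        echo "fingerprint mismatch, key not added" >&2
        return 1
    }
    apt-key add "$1"
)

# Usage as root (EXPECTED_FPR is a placeholder for the out-of-band value):
#   wget -qO diladele_pub.asc http://packages.diladele.com/diladele_pub.asc
#   add_pinned_key diladele_pub.asc "$EXPECTED_FPR"
```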