
Build Squid 3.5.23 on Ubuntu 16 Xenial

A fully functional web filtering virtual appliance based on Squid, with support for HTTPS filtering and SSL Bumping and the latest version of Web Safety, is available for VMware vSphere (ESXi 5+) at our site.

The following steps show how to rebuild the latest stable Squid proxy capable of HTTPS filtering and SSL inspection on Ubuntu 16 Xenial.

Step 1: Update the System

It is recommended to update the system prior to installation. Run the script 01_update.sh from this archive to do it. Contents of this script are shown below.
#!/bin/bash
if [[ $EUID -ne 0 ]]; then
   echo "This script must be run as root" 1>&2
   exit 1
fi
apt-get update && apt-get -y upgrade && reboot

Step 2: Install Build Tools

In order to rebuild the Squid proxy we need to install some prerequisites. Run the script 02_tools.sh from this archive to install them. Please note that we first install the build dependencies of the default Squid package and then remove the conflicting libecap2 package.
#!/bin/bash

if [[ $EUID -ne 0 ]]; then
   echo "This script must be run as root" 1>&2
   exit 1
fi

# install build tools
apt-get -y install devscripts build-essential fakeroot debhelper dh-autoreconf cdbs

# install build dependencies for squid
apt-get -y build-dep libecap
apt-get -y build-dep squid3

# uninstall libecap2 as we will be using the libecap3
apt-get -y --purge remove libecap2-dev libecap2

# install additional packages for new squid
apt-get -y install nettle-dev libgnutls28-dev libssl-dev libdbi-perl \
    libldap2-dev  libpam0g-dev libdb-dev libsasl2-dev libcppunit-dev \
    libkrb5-dev comerr-dev libcap2-dev libexpat1-dev libxml2-dev \
    libnetfilter-conntrack-dev

# and reboot
reboot

Step 3: Build eCAP 3 Library

The latest Squid depends on the presence of the eCAP adapter library on the host machine. The default libecap2 library present in Ubuntu 16 Xenial is too old, so we need to build a newer version. To do that, run the script 03_build_ecap.sh from this archive.
#!/bin/bash

if [[ $EUID -eq 0 ]]; then
   echo "This script must NOT be run as root" 1>&2
   exit 1
fi

# stop at the first failed command (download, unpack or build)
set -e

# drop ecap build folder (-f: no error when it does not exist yet)
rm -rf build/libecap

# we will be working in a subfolder, make it
mkdir -p build/libecap

# descend into working directory
pushd build/libecap

# get libecap from debian stretch
wget http://http.debian.net/debian/pool/main/libe/libecap/libecap_1.0.1-3.2.dsc
wget http://http.debian.net/debian/pool/main/libe/libecap/libecap_1.0.1.orig.tar.gz
wget http://http.debian.net/debian/pool/main/libe/libecap/libecap_1.0.1-3.2.debian.tar.xz

# unpack the source package
dpkg-source -x libecap_1.0.1-3.2.dsc

# build the package
cd libecap-1.0.1 && dpkg-buildpackage -rfakeroot -b

# and revert
popd
After the build succeeds, run the script 04_install_ecap.sh from this archive to install the library and headers. These are needed to build Squid in the next step.
#!/bin/bash

if [[ $EUID -ne 0 ]]; then
   echo "This script must be run as root" 1>&2
   exit 1
fi

# descend into working directory
pushd build/libecap

# install ecap packages
dpkg --install libecap3_1.0.1-3.2_amd64.deb
dpkg --install libecap3-dev_1.0.1-3.2_amd64.deb

# and revert
popd

Step 4: Recompile Squid to Support HTTPS/SSL Filtering

In order to get the latest Squid on Ubuntu 16 Xenial we will use the original version from Debian 8 testing repository with several additions necessary for SSL Bump and HTTPS filtering. Run script 05_build_squid.sh from this archive to do the compilation.
#!/bin/bash

if [[ $EUID -eq 0 ]]; then
   echo "This script must NOT be run as root" 1>&2
   exit 1
fi

# stop at the first failed command (download, unpack, patch or build)
set -e

# drop squid3 build folder (-f: no error when it does not exist yet)
rm -rf build/squid3

# we will be working in a subfolder, make it
mkdir -p build/squid3

# copy the patches to the working folder
cp rules.patch build/squid3/rules.patch
cp control.patch build/squid3/control.patch

# descend into working directory
pushd build/squid3

# get squid3 from debian stretch
wget http://http.debian.net/debian/pool/main/s/squid3/squid3_3.5.23-1.dsc
wget http://http.debian.net/debian/pool/main/s/squid3/squid3_3.5.23.orig.tar.gz
wget http://http.debian.net/debian/pool/main/s/squid3/squid3_3.5.23-1.debian.tar.xz

# unpack the source package
dpkg-source -x squid3_3.5.23-1.dsc

# modify configure options in debian/rules, add --with-openssl --enable-ssl --enable-ssl-crtd
patch squid3-3.5.23/debian/rules < ../../rules.patch

# modify control file, drop explicitly specified debhelper version
patch squid3-3.5.23/debian/control < ../../control.patch

# build the package
cd squid3-3.5.23 && dpkg-buildpackage -rfakeroot -b

# and revert
popd
The rules patch file adds the configure arguments needed to build an SSL bump capable Squid.
--- build/squid3/squid3-3.5.15/debian/rules 2016-02-17 01:13:33.000000000 +0100
+++ build/squid3/squid3-3.5.15/debian/rules.new 2016-02-22 22:50:04.079470555 +0100
@@ -45,7 +45,10 @@
        --with-pidfile=/var/run/squid.pid \
        --with-filedescriptors=65536 \
        --with-large-files \
-       --with-default-user=proxy
+       --with-default-user=proxy \
+       --with-openssl \
+       --enable-ssl \
+       --enable-ssl-crtd

 BUILDINFO := $(shell lsb_release -si 2>/dev/null)
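Review bot: the file headers name squid3-3.5.15/debian/rules, but the build script unpacks squid3-3.5.23 and applies this hunk to that tree, so the @@ -45,7 context is only known to match the older rules file. Regenerate the patch against the 3.5.23 debian/rules and apply it with --fuzz=0, so that a mismatch stops the build instead of producing a package that may lack --with-openssl and --enable-ssl-crtd.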
The control patch file removes the dependency on an explicit debhelper version.
--- control 2016-10-29 23:13:00.000000000 +0200
+++ control.new 2016-11-01 16:25:14.111887577 +0100
@@ -5,7 +5,7 @@
 Homepage: http://www.squid-cache.org
 Standards-Version: 3.9.8
 Vcs-Git: git://anonscm.debian.org/pkg-squid/pkg-squid3.git/
-Build-Depends: libldap2-dev, libpam0g-dev, libdb-dev, cdbs, libsasl2-dev, debhelper (>=10), libcppunit-dev, libkrb5-dev, comerr-dev, libcap2-dev [linux-any], libecap3-dev (>= 1.0.1-2), libexpat1-dev, libxml2-dev, autotools-dev, libltdl-dev, dpkg-dev (>= 1.16.1~), pkg-config, libnetfilter-conntrack-dev [linux-any], nettle-dev, libgnutls28-dev, lsb-release
+Build-Depends: libldap2-dev, libpam0g-dev, libdb-dev, cdbs, libsasl2-dev, debhelper, libcppunit-dev, libkrb5-dev, comerr-dev, libcap2-dev [linux-any], libecap3-dev (>= 1.0.1-2), libexpat1-dev, libxml2-dev, autotools-dev, libltdl-dev, dpkg-dev (>= 1.16.1~), pkg-config, libnetfilter-conntrack-dev [linux-any], nettle-dev, libgnutls28-dev, lsb-release
 XS-Testsuite: autopkgtest

Package: squid3
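Review bot: on the Build-Depends line, debhelper (>=10) becomes a bare debhelper, which removes the version check entirely rather than lowering it. Suggest keeping a bound set to the oldest debhelper this build was actually tested with on the target release, so that an unsuitable build host is rejected by the dependency check instead of failing partway through dpkg-buildpackage.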
After the build succeeds, run the script 06_install_squid.sh from this archive to install Squid.
#!/bin/bash

if [[ $EUID -ne 0 ]]; then
   echo "This script must be run as root" 1>&2
   exit 1
fi

# descend into working directory
pushd build/squid3

# install squid packages (file names carry the version built in the previous step)
apt-get -y install squid-langpack
dpkg --install squid-common_3.5.23-1_all.deb
dpkg --install squid_3.5.23-1_amd64.deb
dpkg --install squidclient_3.5.23-1_amd64.deb

# and revert
popd
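
To confirm that the options from the rules patch actually ended up in the installed binary, the check below parses the output of squid -v. It is an added example, not one of the scripts from the archive; the function names and the sample output are constructed for illustration.

```bash
#!/bin/bash
# Added example: confirm the installed Squid carries the options from rules.patch.
REQUIRED_FLAGS="--with-openssl --enable-ssl --enable-ssl-crtd"  # added by rules.patch
EXPECTED_VERSION="3.5.23"                                       # version built in Step 4

# Constructed sample of `squid -v` output, used only to demonstrate the parser.
SAMPLE_SQUID_V="Squid Cache: Version 3.5.23
Service Name: squid
configure options:  '--build=x86_64-linux-gnu' '--with-default-user=proxy' '--with-openssl' '--enable-ssl' '--enable-ssl-crtd'"

# squid_version TEXT -> version number from the first line of `squid -v` output
squid_version() {
    printf '%s\n' "$1" | sed -n 's/^Squid Cache: Version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# missing_build_flags TEXT -> space-separated required flags absent from TEXT
missing_build_flags() {
    missing=""
    for flag in $REQUIRED_FLAGS; do
        # whole-option match, so --enable-ssl-crtd does not count as --enable-ssl
        if ! printf '%s\n' "$1" | grep -Eq -- "(^|[ '])${flag}([ '=]|\$)"; then
            missing="$missing $flag"
        fi
    done
    printf '%s\n' "${missing# }"
}

# check_squid_build TEXT -> 0 only for the expected version with all required flags
check_squid_build() {
    version=$(squid_version "$1")
    absent=$(missing_build_flags "$1")
    if [ "$version" != "$EXPECTED_VERSION" ]; then
        echo "unexpected version: '${version}' (wanted ${EXPECTED_VERSION})" >&2
        return 1
    fi
    if [ -n "$absent" ]; then
        echo "built without: ${absent}" >&2
        return 1
    fi
    echo "squid ${version} was built with the SSL bump options"
}

# On the installed system: check_squid_build "$(squid -v)"
```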

Ubuntu 16 Repository for Squid

If recompilation of Squid is not desirable you can always use the online repository at http://ubuntu16.diladele.com. To use the repository for the first time run the following commands as root user:
# add diladele apt key
wget -qO - http://packages.diladele.com/diladele_pub.asc | apt-key add -

# add repo
echo "deb http://ubuntu16.diladele.com/ubuntu/ xenial main" > /etc/apt/sources.list.d/ubuntu16.diladele.com.list

# update the apt cache
apt-get update

# install
apt-get install libecap3
apt-get install squid-common
apt-get install squid
apt-get install squidclient
If you have installed a previous version of 3.5 from this repo, please run "sudo apt-get update && sudo apt-get upgrade". Please also check that your current squid.conf file from the previous version is not overwritten.
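
The repository key above is fetched over plain HTTP and piped straight into apt-key, so whoever can alter that response decides which key apt trusts. The added example below (not part of the original post) imports the key only when its fingerprint matches a pinned value; the pinned fingerprint is a placeholder to be replaced with one obtained from the vendor out of band, and the function names and sample listing are constructed.

```bash
#!/bin/bash
# Added example: import the repository key only if its fingerprint is the pinned one.
KEY_URL="http://packages.diladele.com/diladele_pub.asc"   # URL used on this page
# PLACEHOLDER: replace with the fingerprint confirmed out of band
PINNED_FPR="0000000000000000000000000000000000000000"

# Constructed sample of `gpg --with-colons --with-fingerprint` output (not a real key).
SAMPLE_LISTING="pub:-:2048:1:89ABCDEF01234567:1480000000:::-:Example Repo Key <repo@example.invalid>:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
sub:-:2048:1:1111111111111111:1480000000::::
fpr:::::::::1111111111111111111111111111111111111111:"

# key_fingerprints LISTING -> primary-key fingerprints, one per line
key_fingerprints() {
    printf '%s\n' "$1" | awk -F: '
        $1 == "pub" { want = 1; next }   # the next fpr record belongs to a primary key
        $1 == "sub" { want = 0; next }   # subkey fingerprints are ignored
        $1 == "fpr" && want { print toupper($10); want = 0 }'
}

# fingerprint_is_pinned LISTING PINNED -> 0 only if the file holds exactly that one key
fingerprint_is_pinned() {
    found=$(key_fingerprints "$1")
    pinned=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -n "$found" ] && [ "$found" = "$pinned" ]
}

# add_pinned_key: download, compare against PINNED_FPR, and only then call apt-key (run as root)
add_pinned_key() {
    tmp=$(mktemp) || return 1
    wget -qO "$tmp" "$KEY_URL" || { rm -f "$tmp"; return 1; }
    listing=$(gpg --with-colons --with-fingerprint "$tmp" 2>/dev/null)
    if fingerprint_is_pinned "$listing" "$PINNED_FPR"; then
        apt-key add "$tmp"
    else
        echo "key fingerprint does not match the pinned value, not importing" >&2
        rm -f "$tmp"
        return 1
    fi
    rm -f "$tmp"
}
```

A key file that contains more than one primary key is rejected as well, since the comparison requires exactly one fingerprint.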