
Build a Squid anonymous proxy from source code

Please note that this whole manual refers to version 3.5.23 of Squid. You will probably have to adapt some commands to the version you actually download.

Read the install script before using it.
You may want to understand what the script is doing before executing it.
I will not be responsible for any damage caused to your server.
Squid installation script
wget -qO- https://gist.githubusercontent.com/e7d/1f784339df82c57a43bf/raw/squid-install.sh | sh

Manual install

Resolve compilation dependencies
Edit your /etc/apt/sources.list file, and check that you have deb-src entries like the following sample.
deb http://httpredir.debian.org/debian stable main
deb-src http://httpredir.debian.org/debian stable main
deb http://security.debian.org/ stable/updates main
deb-src http://security.debian.org/ stable/updates main

Build Squid 3 dependencies
apt-get update
apt-get install build-essential libssl-dev apache2-utils
apt-get build-dep squid3

Grab a copy of the source code
cd /usr/src
wget http://www.squid-cache.org/Versions/v3/3.5/squid-3.5.23.tar.gz
tar zxvf squid-3.5.23.tar.gz
cd squid-3.5.23

Compile your Squid 3
# libexecdir and datadir are given as explicit paths: an unquoted ${prefix}
# is expanded by your shell (to an empty string), not by configure.
./configure --prefix=/usr \
    --localstatedir=/var/squid \
    --libexecdir=/usr/lib/squid \
    --srcdir=. \
    --datadir=/usr/share/squid \
    --sysconfdir=/etc/squid \
    --with-default-user=proxy \
    --with-logdir=/var/log/squid \
    --with-pidfile=/var/run/squid.pid
make -j$(nproc)
make install

Resolve library dependencies
Extract the content of squid-lib-3.4.8.tar.gz to /usr/lib
cd /usr/lib
wget -O /usr/lib/squid-lib.tar.gz http://e7d.github.io/resources/squid-lib-3.4.8.tar.gz
tar zxvf squid-lib.tar.gz
rm squid-lib.tar.gz

Build configuration file
Copy squid.conf contents to /etc/squid/squid.conf.
rm -rf /etc/squid/squid.conf
wget --no-check-certificate -O /etc/squid/squid.conf https://gist.githubusercontent.com/e7d/1f784339df82c57a43bf/raw/squid.conf

With this sample configuration file, you can use an htpasswd file at /etc/squid/users.pwd to manage basic authentication.
rm -rf /etc/squid/users.pwd
htpasswd -cbd /etc/squid/users.pwd proxy proxy

This authentication is enabled by default. To disable it, comment out the Authentication section of the sample squid.conf configuration file. See Disable authentication.
You can create your user entries using the htpasswd tool from Apache. See Manage users.
You can also use the sample users.pwd as is: it provides a basic user named proxy, with proxy as the password.
Build service runtime
Copy squid.sh contents to /etc/init.d/squid and make it executable.
wget --no-check-certificate -O /etc/init.d/squid https://gist.githubusercontent.com/e7d/1f784339df82c57a43bf/raw/squid.sh
chmod +x /etc/init.d/squid

Optionally, you can make it run automatically at server startup with update-rc.d squid defaults.
Prepare execution folders
mkdir /var/log/squid
mkdir /var/cache/squid
mkdir /var/spool/squid
chown -cR proxy /var/log/squid
chown -cR proxy /var/cache/squid
chown -cR proxy /var/spool/squid
squid -z

Start!
Try to start your brand new Squid with service squid start
Additional configuration
Customize settings

Squid offers some interesting customisation options you should have a look at. These modifications require editing the file located at /etc/squid/squid.conf.
Listening ports
With the provided configuration, your proxy will listen on HTTP port 3128, which is the Squid default. You can change it to any available port that suits you with:
http_port 3128

Disable authentication
With the authentication section commented out, your proxy will respond to any request. If you want to limit its accessibility to a set of users, enable authentication by uncommenting the following section (it is active in the sample squid.conf; comment it out again to disable authentication):
#acl Users proxy_auth REQUIRED
#http_access allow Users


This authentication relies on a password file you will find at /etc/squid/users.pwd. A sample user is included, defined with the following credentials:
username : proxy
password : proxy

This user file may be modified following the instructions in the next section.

Manage users
Using the htpasswd command, you can manage the users allowed to use the proxy (the file is the one referenced by auth_param in /etc/squid/squid.conf):
create/update a user: htpasswd -bd /etc/squid/users.pwd myuser mypw
remove a user: htpasswd -D /etc/squid/users.pwd myuser

NOTE: The provided authentication relies on the CRYPT algorithm. Entries in users.pwd must respect that, meaning that passwords can only be up to 8 characters.

squid-install.sh

#!/bin/sh
# Build and install Squid from source on Debian, then install the sample
# configuration, users file and init script described on this page.

SQUID_VERSION=3.5.23

if [ "$(id -u)" != "0" ]; then
    echo "This script must be run as root" 1>&2
    exit 1
fi

echo "Add repositories to Aptitude"
echo "deb http://httpredir.debian.org/debian stable main" > /etc/apt/sources.list.d/squid.list
echo "deb-src http://httpredir.debian.org/debian stable main" >> /etc/apt/sources.list.d/squid.list
echo "deb http://security.debian.org/ stable/updates main" >> /etc/apt/sources.list.d/squid.list
echo "deb-src http://security.debian.org/ stable/updates main" >> /etc/apt/sources.list.d/squid.list

echo "Update packages list"
apt-get update

echo "Build dependencies"
apt-get -y install build-essential libssl-dev apache2-utils
apt-get -y build-dep squid3

echo "Download source code"
cd /usr/src
wget http://www.squid-cache.org/Versions/v3/3.5/squid-${SQUID_VERSION}.tar.gz
tar zxvf squid-${SQUID_VERSION}.tar.gz
cd squid-${SQUID_VERSION}

echo "Build binaries"
# libexecdir and datadir are given as explicit paths: an unquoted ${prefix}
# is expanded by the shell (to an empty string), not by configure.
./configure --prefix=/usr \
    --localstatedir=/var/squid \
    --libexecdir=/usr/lib/squid \
    --srcdir=. \
    --datadir=/usr/share/squid \
    --sysconfdir=/etc/squid \
    --with-default-user=proxy \
    --with-logdir=/var/log/squid \
    --with-pidfile=/var/run/squid.pid
make -j$(nproc)

echo "Stop running service"
# On a first install no service is registered yet; the failure is harmless.
service squid stop

echo "Install binaries"
make install

echo "Download libraries"
cd /usr/lib
wget -O /usr/lib/squid-lib.tar.gz http://e7d.github.io/resources/squid-lib-3.4.8.tar.gz

echo "Install libraries"
tar zxvf squid-lib.tar.gz

echo "Create configuration file"
rm -rf /etc/squid/squid.conf
wget --no-check-certificate -O /etc/squid/squid.conf https://gist.githubusercontent.com/e7d/1f784339df82c57a43bf/raw/squid.conf

echo "Create users database sample"
rm -rf /etc/squid/users.pwd
htpasswd -cbd /etc/squid/users.pwd proxy proxy

echo "Create service executable file"
wget --no-check-certificate -O /etc/init.d/squid https://gist.githubusercontent.com/e7d/1f784339df82c57a43bf/raw/squid.sh
chmod +x /etc/init.d/squid

echo "Register service to startup entries"
update-rc.d squid defaults

echo "Prepare environment for first start"
# -p keeps the script re-runnable when the directories already exist.
mkdir -p /var/log/squid
mkdir -p /var/cache/squid
mkdir -p /var/spool/squid
chown -cR proxy /var/log/squid
chown -cR proxy /var/cache/squid
chown -cR proxy /var/spool/squid
squid -z

echo "Start service"
service squid start

echo "Cleanup temporary files"
rm -rf /etc/apt/sources.list.d/squid.list
rm -rf /usr/src/squid-${SQUID_VERSION}.tar.gz
rm -rf /usr/src/squid-${SQUID_VERSION}
rm -rf /usr/lib/squid-lib.tar.gz

exit 0

squid.conf

# General

http_port 3128
visible_hostname Proxy
forwarded_for delete
via off

# Log

logformat squid %tg.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt
access_log /var/log/squid/access.log squid

# Cache

cache_dir aufs /var/cache/squid 1024 16 256
coredump_dir /var/spool/squid

acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

# Network ACL

acl localnet src 10.0.0.0/8 # RFC 1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC 1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC 1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines

# Port ACL

acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 8080 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl purge method PURGE
acl CONNECT method CONNECT

# Authentication
# The following lines enable file based authentication (comment them out to disable it), BUT:
# this section requires the Squid helper programs to be installed, especially `basic_ncsa_auth`.
# It uses an htpasswd file named `users.pwd` to store eligible accounts.
# You can generate yours using the htpasswd command from the "apache2-utils" package, with the "-d" flag to use system CRYPT.

auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/users.pwd
auth_param basic children 5
auth_param basic realm Proxy
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive on

acl Users proxy_auth REQUIRED
http_access allow Users

# Access Restrictions

http_access allow manager localhost
http_access deny manager

http_access allow purge localhost
http_access deny purge

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

http_reply_access allow all
htcp_access deny all
icp_access allow all
always_direct allow all

# Request Headers Forcing

request_header_access Allow allow all
request_header_access Authorization allow all
request_header_access WWW-Authenticate allow all
request_header_access Proxy-Authorization allow all
request_header_access Proxy-Authenticate allow all
request_header_access Cache-Control allow all
request_header_access Content-Encoding allow all
request_header_access Content-Length allow all
request_header_access Content-Type allow all
request_header_access Date allow all
request_header_access Expires allow all
request_header_access Host allow all
request_header_access If-Modified-Since allow all
request_header_access Last-Modified allow all
request_header_access Location allow all
request_header_access Pragma allow all
request_header_access Accept allow all
request_header_access Accept-Charset allow all
request_header_access Accept-Encoding allow all
request_header_access Accept-Language allow all
request_header_access Content-Language allow all
request_header_access Mime-Version allow all
request_header_access Retry-After allow all
request_header_access Title allow all
request_header_access Connection allow all
request_header_access Proxy-Connection allow all
request_header_access User-Agent allow all
request_header_access Cookie allow all
request_header_access All deny all

# Response Headers Spoofing

reply_header_access Via deny all
reply_header_access X-Cache deny all
reply_header_access X-Cache-Lookup deny all
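
To check that a squid.conf actually delivers the anonymity and access control this page sets up, here is an added example (not from the original post or the Squid project) that audits the forwarded_for and via directives and the order of the http_access rules. SAMPLE_CONF is a constructed excerpt of the page's squid.conf; the first-match-wins and "default is the opposite of the last rule" semantics are those documented for Squid's http_access.

```python
"""Audit a squid.conf for the anonymity directives (forwarded_for, via) and the
order of its http_access rules. Added example, not part of the original post;
SAMPLE_CONF is a constructed excerpt of the page's squid.conf."""

SAMPLE_CONF = """\
forwarded_for delete
via off
acl Safe_ports port 80 8080
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/users.pwd
acl Users proxy_auth REQUIRED
http_access allow Users
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
"""

def parse(conf):
    """Yield (directive, [args]) pairs, dropping comments and blank lines."""
    for line in conf.splitlines():
        parts = line.split("#", 1)[0].split()
        if parts:
            yield parts[0], parts[1:]

def audit(conf):
    """Return a list of findings; an empty list means nothing was flagged."""
    rules = list(parse(conf))
    opts = {d: a[0] for d, a in rules if d in ("forwarded_for", "via") and a}
    findings = []
    # Squid adds X-Forwarded-For and Via unless told otherwise; only "off"
    # (sends "unknown") and "delete" (drops the header) hide the client.
    if opts.get("forwarded_for", "on") not in ("delete", "off"):
        findings.append("forwarded_for leaks the client address")
    if opts.get("via", "on") != "off":
        findings.append("via header reveals the proxy")
    access = [a for d, a in rules if d == "http_access"]
    # Rules are evaluated top-down, first match wins, and a request matching
    # no rule gets the opposite of the LAST rule: the list must end in deny all.
    if not access or access[-1] != ["deny", "all"]:
        findings.append("http_access does not end with 'deny all'")
    # An 'allow' above 'deny !Safe_ports' lets whoever matches it (here every
    # authenticated user) reach the ports that rule was meant to block.
    blockers = [i for i, a in enumerate(access) if a == ["deny", "!Safe_ports"]]
    for a in (access[:blockers[0]] if blockers else []):
        if a[0] == "allow" and "localhost" not in a:
            findings.append("'http_access %s' precedes 'deny !Safe_ports'" % " ".join(a))
    return findings
```

Run on the excerpt of the page's configuration, audit() reports two findings: the rule list has no closing deny all, and allow Users sits above deny !Safe_ports, so authenticated users are not bound by the port restrictions.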

squid.sh
#! /bin/sh
#
# squid3 Startup script for the SQUID HTTP proxy-cache.
#
# Version: @(#)squid3.rc 1.0 07-Jul-2006 luigi@debian.org
#
### BEGIN INIT INFO
# Provides: squid
# Required-Start: $network $remote_fs $syslog
# Required-Stop: $network $remote_fs $syslog
# Should-Start: $named
# Should-Stop: $named
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Squid HTTP Proxy version 3.x
### END INIT INFO

NAME=squid
DESC="Squid HTTP Proxy 3.x"
DAEMON=/usr/sbin/squid
PIDFILE=/var/run/$NAME.pid
CONFIG=/etc/squid/squid.conf
SQUID_ARGS="-YC -f $CONFIG"

[ ! -f /etc/default/squid ] || . /etc/default/squid

. /lib/lsb/init-functions

PATH=/bin:/usr/bin:/sbin:/usr/sbin

[ -x $DAEMON ] || exit 0

ulimit -n 65535

# Print the second argument of the first "$1" directive found in CONFIG
# (for "cache_dir aufs /var/cache/squid ..." that is the path), or "$2" if absent.
find_cache_dir () {
    w="$(printf ' \t')" # space and tab: the separators allowed between fields
    res=`sed -ne '
        s/^'$1'['"$w"']\+[^'"$w"']\+['"$w"']\+\([^'"$w"']\+\).*$/\1/p;
        t end;
        d;
        :end q' < $CONFIG`
    [ -n "$res" ] || res=$2
    echo "$res"
}

# Print the first argument of the first "$1" directive found in CONFIG
# (for "cache_dir aufs ..." that is the storage type), or "$2" if absent.
find_cache_type () {
    w="$(printf ' \t')" # space and tab
    res=`sed -ne '
        s/^'$1'['"$w"']\+\([^'"$w"']\+\).*$/\1/p;
        t end;
        d;
        :end q' < $CONFIG`
    [ -n "$res" ] || res=$2
    echo "$res"
}

start () {
    cache_dir=`find_cache_dir cache_dir`
    cache_type=`find_cache_type cache_dir`

    #
    # Create spool dirs if they don't exist.
    #
    if [ "$cache_type" = "coss" -a -d "$cache_dir" -a ! -f "$cache_dir/stripe" ] || [ "$cache_type" != "coss" -a -d "$cache_dir" -a ! -d "$cache_dir/00" ]
    then
        log_warning_msg "Creating $DESC cache structure"
        $DAEMON -z -f $CONFIG
    fi

    umask 027
    ulimit -n 65535
    cd $cache_dir
    start-stop-daemon --quiet --start \
        --pidfile $PIDFILE \
        --exec $DAEMON -- $SQUID_ARGS < /dev/null
    return $?
}

stop () {
    PID=`cat $PIDFILE 2>/dev/null`
    start-stop-daemon --stop --quiet --pidfile $PIDFILE --exec $DAEMON
    #
    # Now we have to wait until squid has _really_ stopped.
    #
    sleep 2
    if test -n "$PID" && kill -0 $PID 2>/dev/null
    then
        log_action_begin_msg " Waiting"
        cnt=0
        while kill -0 $PID 2>/dev/null
        do
            cnt=`expr $cnt + 1`
            if [ $cnt -gt 24 ]
            then
                log_action_end_msg 1
                return 1
            fi
            sleep 5
            log_action_cont_msg ""
        done
        log_action_end_msg 0
        return 0
    else
        return 0
    fi
}

case "$1" in
    start)
        log_daemon_msg "Starting $DESC" "$NAME"
        if start ; then
            log_end_msg $?
        else
            log_end_msg $?
        fi
        ;;
    stop)
        log_daemon_msg "Stopping $DESC" "$NAME"
        if stop ; then
            log_end_msg $?
        else
            log_end_msg $?
        fi
        ;;
    reload|force-reload)
        log_action_msg "Reloading $DESC configuration files"
        start-stop-daemon --stop --signal 1 \
            --pidfile $PIDFILE --quiet --exec $DAEMON
        log_action_end_msg 0
        ;;
    restart)
        log_daemon_msg "Restarting $DESC" "$NAME"
        stop
        if start ; then
            log_end_msg $?
        else
            log_end_msg $?
        fi
        ;;
    status)
        status_of_proc -p $PIDFILE $DAEMON $NAME && exit 0 || exit 3
        ;;
    *)
        echo "Usage: /etc/init.d/$NAME {start|stop|reload|force-reload|restart|status}"
        exit 3
        ;;
esac

exit 0