Skip to content

Instantly share code, notes, and snippets.

@korovamilk
Forked from e7d/README.md
Created December 7, 2015 07:36
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save korovamilk/df326d5311c5c2176139 to your computer and use it in GitHub Desktop.
Save korovamilk/df326d5311c5c2176139 to your computer and use it in GitHub Desktop.
[Debian] Build a Squid transparent proxy from source code

Build a Squid transparent proxy from source code

Please note that this whole manual refers to the version 3.5.11 of Squid. You probably would have to adapt some commands to the version you will actually download.

Table of contents

Automated install

Disclaimer

Read the install script before using it.
You may want to understand what the script is doing before executing it.
I will not be responsible for any damage caused to your server.

Squid installation script

cd ~
wget --no-check-certificate -O squid-install.sh https://gist.githubusercontent.com/e7d/1f784339df82c57a43bf/raw/squid-install.sh \
  && chmod +x squid-install.sh \
  && ./squid-install.sh

Manual install

Resolve compilation dependencies

Edit your /etc/apt/sources.list file, and check that you have deb-src entries like the following sample.

deb http://ftp.us.debian.org/debian wheezy main
deb-src http://ftp.us.debian.org/debian wheezy main
deb http://security.debian.org/ wheezy/updates main
deb-src http://security.debian.org/ wheezy/updates main

Build Squid 3 dependencies

aptitude update
aptitude build-dep squid3

Grab a copy of the source code

cd /usr/src
wget http://www.squid-cache.org/Versions/v3/3.5/squid-3.5.5.tar.gz
tar zxvf squid-3.5.5.tar.gz
cd squid-3.5.5

Compile your Squid 3

./configure --prefix=/usr \
  --localstatedir=/var/squid \
  --libexecdir=${prefix}/lib/squid \
  --srcdir=. \
  --datadir=${prefix}/share/squid \
  --sysconfdir=/etc/squid \
  --with-default-user=proxy \
  --with-logdir=/var/log/squid \
  --with-pidfile=/var/run/squid.pid
make
make install

Resolve library dependencies

Extract the content of squid-lib.tar.gz to /usr/lib

cd /usr/lib
wget http://e7d.github.io/resources/squid-lib.tar.gz
tar zxvf squid-lib.tar.gz
rm squid_lib.tar.gz

Build configuration file

Copy squid.conf contents to /etc/squid/squid.conf.

rm -fr /etc/squid/squid.conf
wget --no-check-certificate -O /etc/squid/squid.conf https://gist.githubusercontent.com/e7d/1f784339df82c57a43bf/raw/squid.conf

With this sample configuration file, you can use a Htpasswd file at /etc/squid/users.pwd to manage a basic authentication.

rm -fr /etc/squid/users.pwd
wget --no-check-certificate -O /etc/squid/users.pwd https://gist.githubusercontent.com/e7d/1f784339df82c57a43bf/raw/users.pwd

To enable this authentication, you will have to uncomment the Authentication section of the sample squid.conf configuration file. You can create your users entries using the htpasswd tool from Apache. i.e. htpasswd -db /etc/squid/users.pwd jones fx5rm31s will create a user "jones" with the password "fx5rm31s" inside the "/etc/squid/users.pwd" file. You can directly use the users.pwd sample, providing you a basic user named proxy, using also proxy as password.

Build service runtime

Copy squid.sh contents to /etc/init/squid and make it executable.

wget --no-check-certificate -O /etc/init.d/squid https://gist.githubusercontent.com/e7d/1f784339df82c57a43bf/raw/squid.sh
chmod +x /etc/init.d/squid

Optionally, you can make it run automatically at server startup with update-rc.d squid defaults.

Prepare execution folders

mkdir /var/log/squid
mkdir /var/cache/squid
mkdir /var/spool/squid
chown -cR proxy /var/log/squid
chown -cR proxy /var/cache/squid
chown -cR proxy /var/spool/squid

squid -z

Start!

Try to start your brand new Squid with service squid start

#!/bin/sh
SQUID_VERSION=3.5.11
if [ "$(id -u)" != "0" ]; then
echo "This script must be run as root" 1>&2
exit 1
fi
echo "Add repositories to Aptitude"
echo "deb http://ftp.debian.org/debian stable main" >> /etc/apt/sources.list.d/squid.list
echo "deb-src http://ftp.debian.org/debian stable main" >> /etc/apt/sources.list.d/squid.list
echo "deb http://security.debian.org/ stable/updates main" >> /etc/apt/sources.list.d/squid.list
echo "deb-src http://security.debian.org/ stable/updates main" >> /etc/apt/sources.list.d/squid.list
echo "Update packages list"
apt-get update
echo "Build dependencies"
apt-get -y install build-essential libssl-dev apache2-utils
apt-get -y build-dep squid3
echo "Download source code"
cd /usr/src
wget http://www.squid-cache.org/Versions/v3/3.5/squid-${SQUID_VERSION}.tar.gz
tar zxvf squid-${SQUID_VERSION}.tar.gz
cd squid-${SQUID_VERSION}
echo "Build binaries"
./configure --prefix=/usr \
--localstatedir=/var/squid \
--libexecdir=${prefix}/lib/squid \
--srcdir=. \
--datadir=${prefix}/share/squid \
--sysconfdir=/etc/squid \
--with-default-user=proxy \
--with-logdir=/var/log/squid \
--with-pidfile=/var/run/squid.pid
make
echo "Stop running service"
service squid stop
echo "Install binaries"
make install
echo "Download libraries"
cd /usr/lib
wget -O /usr/lib/squid-lib.tar.gz http://e7d.github.io/resources/squid-lib.tar.gz
echo "Install libraries"
tar zxvf squid-lib.tar.gz
echo "Create configuration file"
rm -fr /etc/squid/squid.conf
wget --no-check-certificate -O /etc/squid/squid.conf https://gist.githubusercontent.com/e7d/1f784339df82c57a43bf/raw/squid.conf
echo "Create users database sample"
rm -fr /etc/squid/users.pwd
htpasswd -c -b -d /etc/squid/users.pwd proxy proxy
echo "Create service executable file"
wget --no-check-certificate -O /etc/init.d/squid https://gist.githubusercontent.com/e7d/1f784339df82c57a43bf/raw/squid.sh
chmod +x /etc/init.d/squid
echo "Register service to startup entries"
update-rc.d squid defaults
echo "Prepare environment for first start"
mkdir /var/log/squid
mkdir /var/cache/squid
mkdir /var/spool/squid
chown -cR proxy /var/log/squid
chown -cR proxy /var/cache/squid
chown -cR proxy /var/spool/squid
squid -z
echo "Start service"
service squid start
echo "Cleanup temporary files"
rm -rf /etc/apt/sources.list.d/squid.list
rm -rf /usr/src/squid-${SQUID_VERSION}.tar.gz
rm -rf /usr/src/squid-${SQUID_VERSION}
rm -rf /usr/lib/squid-lib.tar.gz
exit 0
# General
http_port 3128
visible_hostname Proxy
forwarded_for delete
via off
# Log
logformat squid %tg.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt
access_log /var/log/squid/access.log squid
# Cache
cache_dir aufs /var/cache/squid 1024 16 256
coredump_dir /var/spool/squid
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
# Network ACL
acl localnet src 10.0.0.0/8 # RFC 1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC 1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC 1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
# Port ACL
acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rync
acl Safe_ports port 80 8080 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl purge method PURGE
acl CONNECT method CONNECT
# Authentication
# Uncomment the following lines to enable file based authentication BUT:
# The following section requires to have squid libs installed, especially `nsca_auth`, to be working.
# This sections uses a Htpasswd file named `users.pwd` file to store eligible accounts.
# You can generate yours using the htpasswd command from "apache2-utils" aptitude package, using "-d" flag to use system CRYPT.
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/users.pwd
auth_param basic children 5
auth_param basic realm Proxy
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
#acl users proxy_auth REQUIRED
#http_access allow users
# Access Restrictions
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_reply_access allow all
htcp_access deny all
icp_access allow all
always_direct allow all
# Request Headers Forcing
request_header_access Allow allow all
request_header_access Authorization allow all
request_header_access WWW-Authenticate allow all
request_header_access Proxy-Authorization allow all
request_header_access Proxy-Authenticate allow all
request_header_access Cache-Control allow all
request_header_access Content-Encoding allow all
request_header_access Content-Length allow all
request_header_access Content-Type allow all
request_header_access Date allow all
request_header_access Expires allow all
request_header_access Host allow all
request_header_access If-Modified-Since allow all
request_header_access Last-Modified allow all
request_header_access Location allow all
request_header_access Pragma allow all
request_header_access Accept allow all
request_header_access Accept-Charset allow all
request_header_access Accept-Encoding allow all
request_header_access Accept-Language allow all
request_header_access Content-Language allow all
request_header_access Mime-Version allow all
request_header_access Retry-After allow all
request_header_access Title allow all
request_header_access Connection allow all
request_header_access Proxy-Connection allow all
request_header_access User-Agent allow all
request_header_access Cookie allow all
request_header_access All deny all
# Response Headers Spoofing
reply_header_access Via deny all
reply_header_access X-Cache deny all
reply_header_access X-Cache-Lookup deny all
#! /bin/sh
#
# squid3 Startup script for the SQUID HTTP proxy-cache.
#
# Version: @(#)squid3.rc 1.0 07-Jul-2006 luigi@debian.org
#
### BEGIN INIT INFO
# Provides: squid
# Required-Start: $network $remote_fs $syslog
# Required-Stop: $network $remote_fs $syslog
# Should-Start: $named
# Should-Stop: $named
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Squid HTTP Proxy version 3.x
### END INIT INFO
NAME=squid
DESC="Squid HTTP Proxy 3.x"
DAEMON=/usr/sbin/squid
PIDFILE=/var/run/$NAME.pid
CONFIG=/etc/squid/squid.conf
SQUID_ARGS="-YC -f $CONFIG"
[ ! -f /etc/default/squid ] || . /etc/default/squid
. /lib/lsb/init-functions
PATH=/bin:/usr/bin:/sbin:/usr/sbin
[ -x $DAEMON ] || exit 0
ulimit -n 65535
find_cache_dir () {
w=" " # space tab
res=`sed -ne '
s/^'$1'['"$w"']\+[^'"$w"']\+['"$w"']\+\([^'"$w"']\+\).*$/\1/p;
t end;
d;
:end q' < $CONFIG`
[ -n "$res" ] || res=$2
echo "$res"
}
find_cache_type () {
w=" " # space tab
res=`sed -ne '
s/^'$1'['"$w"']\+\([^'"$w"']\+\).*$/\1/p;
t end;
d;
:end q' < $CONFIG`
[ -n "$res" ] || res=$2
echo "$res"
}
start () {
cache_dir=`find_cache_dir cache_dir`
cache_type=`find_cache_type cache_dir`
#
# Create spool dirs if they don't exist.
#
if [ "$cache_type" = "coss" -a -d "$cache_dir" -a ! -f "$cache_dir/stripe" ] || [ "$cache_type" != "coss" -a -d "$cache_dir" -a ! -d "$cache_dir/00" ]
then
log_warning_msg "Creating $DESC cache structure"
$DAEMON -z -f $CONFIG
fi
umask 027
ulimit -n 65535
cd $cache_dir
start-stop-daemon --quiet --start \
--pidfile $PIDFILE \
--exec $DAEMON -- $SQUID_ARGS < /dev/null
return $?
}
stop () {
PID=`cat $PIDFILE 2>/dev/null`
start-stop-daemon --stop --quiet --pidfile $PIDFILE --exec $DAEMON
#
# Now we have to wait until squid has _really_ stopped.
#
sleep 2
if test -n "$PID" && kill -0 $PID 2>/dev/null
then
log_action_begin_msg " Waiting"
cnt=0
while kill -0 $PID 2>/dev/null
do
cnt=`expr $cnt + 1`
if [ $cnt -gt 24 ]
then
log_action_end_msg 1
return 1
fi
sleep 5
log_action_cont_msg ""
done
log_action_end_msg 0
return 0
else
return 0
fi
}
case "$1" in
start)
log_daemon_msg "Starting $DESC" "$NAME"
if start ; then
log_end_msg $?
else
log_end_msg $?
fi
;;
stop)
log_daemon_msg "Stopping $DESC" "$NAME"
if stop ; then
log_end_msg $?
else
log_end_msg $?
fi
;;
reload|force-reload)
log_action_msg "Reloading $DESC configuration files"
start-stop-daemon --stop --signal 1 \
--pidfile $PIDFILE --quiet --exec $DAEMON
log_action_end_msg 0
;;
restart)
log_daemon_msg "Restarting $DESC" "$NAME"
stop
if start ; then
log_end_msg $?
else
log_end_msg $?
fi
;;
status)
status_of_proc -p $PIDFILE $DAEMON $NAME && exit 0 || exit 3
;;
*)
echo "Usage: /etc/init.d/$NAME {start|stop|reload|force-reload|restart|status}"
exit 3
;;
esac
exit 0
proxy:V3SumwH0Poabk
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment