Compilation of Squid 3.3.3 on Ubuntu 12
## Switch to root user
sudo su
apt-get update
apt-get upgrade
tar -xzvf squid-3.3.3.tar.gz
apt-get install g++ gawk m4 gcc-multilib
NOTE: if you get an error about gcc, install a newer gcc from the toolchain PPA:
------------------------------------------------------------------------
sudo add-apt-repository ppa:ubuntu-toolchain-r/test
sudo apt-get update
sudo apt-get install gcc-4.7
------------------------------------------------------------------------
apt-get install smbclient
apt-get install openssl*
apt-get install libcap-*
## SQUID COMPILATION
./configure --prefix=/usr --includedir=/usr/include --datadir=/usr/share --bindir=/usr/sbin \
  --libexecdir=/usr/lib/squid --localstatedir=/var --sysconfdir=/etc/squid3 \
  --enable-delay-pools --enable-ssl --enable-ssl-crtd --enable-linux-netfilter \
  --enable-arp-acl --enable-snmp --enable-gnuregex && echo $?
NOTE: in Squid 3.3.3 the --enable-arp-acl option has been replaced by --enable-eui.
make all && echo $?
make install && echo $?
## GENERATE CERTIFICATE
cd /usr/share/ssl-cert
openssl req -new -newkey rsa:1024 -days 365 -nodes -x509 -keyout myCA.pem -out myCA.pem
openssl x509 -in myCA.pem -outform DER -out myCA.der
The resulting myCA.der file (the certificate only) should be imported into the 'Authorities' section of users' browsers. Note that myCA.pem also contains the CA private key, so it must stay readable only by the Squid process.
For example, in Firefox:
- Open 'Preferences'
- Go to the 'Advanced' section, 'Encryption' tab
- Press the 'View Certificates' button and go to the 'Authorities' tab
- Press the 'Import' button, select the .der file that was created previously and press 'OK'
## CONFIGURE SQUID
nano /etc/squid3/squid.conf
http_port 192.168.5.239:3128 transparent ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/share/ssl-cert/myCA.pem
## Also add the following lines to enable SSL bumping:
always_direct allow all
ssl_bump allow all
# the following two options are unsafe and not always necessary:
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
# Uncomment and adjust the following to add a disk cache directory.
cache_mem 100 MB
cache_dir ufs /var/cache/squid 100 16 256
# Leave coredumps in the first cache dir
coredump_dir /var/cache/squid
## CREATE CACHE LOG FILE
touch /var/logs/cache.log
chown nobody:adm /var/logs/cache.log
touch /var/logs/access.log
chown nobody:adm /var/logs/access.log
chown nobody:adm /var/cache/squid
## TO INITIALIZE CACHE
/usr/sbin/squid -z
## TO RUN SQUID
/usr/sbin/squid &
NOTE: if you see the message below, disable or change the line "ssl_bump allow all" in /etc/squid3/squid.conf accordingly:
SECURITY NOTICE: auto-converting deprecated "ssl_bump allow <acl>" to "ssl_bump client-first <acl>" which is usually inferior to the newer server-first bumping mode. Update your ssl_bump rules.
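As an added defender's check that is not part of the original post: a POSIX shell script that reads a squid.conf and flags the SSL-bump directives this section marks as unsafe. The sample config it audits is constructed inline from the lines above, the hardened variant uses the server-first mode that the squid notice refers to, and the function names audit_ssl_bump_conf and count_findings are my own.

```shell
#!/bin/sh
# Added audit helper (not from the original post): reports the SSL-bump
# directives that the configuration above marks as unsafe. It only reads
# the file; it does not start or reconfigure squid.

# audit_ssl_bump_conf FILE: print one finding per line, return 0 only if clean.
audit_ssl_bump_conf() {
    conf="$1"
    findings=0
    # Drop comments and blank lines so commented-out directives do not count.
    active=$(sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$conf")
    if printf '%s\n' "$active" | grep -Eq '^[[:space:]]*sslproxy_flags[[:space:]].*DONT_VERIFY_PEER'; then
        echo "UNSAFE: sslproxy_flags DONT_VERIFY_PEER turns off validation of origin server certificates"
        findings=$((findings + 1))
    fi
    if printf '%s\n' "$active" | grep -Eq '^[[:space:]]*sslproxy_cert_error[[:space:]]+allow[[:space:]]+all'; then
        echo "UNSAFE: sslproxy_cert_error allow all hides every origin certificate error from clients"
        findings=$((findings + 1))
    fi
    if printf '%s\n' "$active" | grep -Eq '^[[:space:]]*ssl_bump[[:space:]]+allow[[:space:]]'; then
        echo "WARN: 'ssl_bump allow' is deprecated; squid converts it to client-first bumping"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# count_findings FILE: number of findings, handy for scripting and tests.
count_findings() { audit_ssl_bump_conf "$1" | wc -l | tr -d ' '; }

# Constructed sample mirroring the ssl_bump section of this post.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
http_port 192.168.5.239:3128 transparent ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/share/ssl-cert/myCA.pem
always_direct allow all
ssl_bump allow all
# the following two options are unsafe and not always necessary:
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
EOF

# Hardened variant: unsafe directives commented out, server-first bumping used.
HARDENED_CONF=$(mktemp)
sed -e 's/^sslproxy_cert_error/# sslproxy_cert_error/' \
    -e 's/^sslproxy_flags/# sslproxy_flags/' \
    -e 's/^ssl_bump allow all/ssl_bump server-first all/' "$SAMPLE_CONF" > "$HARDENED_CONF"

audit_ssl_bump_conf "$SAMPLE_CONF" || echo "sample config: $(count_findings "$SAMPLE_CONF") finding(s)"
audit_ssl_bump_conf "$HARDENED_CONF" && echo "hardened config: clean"
```

Run it against the real file with `audit_ssl_bump_conf /etc/squid3/squid.conf`; a non-zero exit means at least one of the flagged directives is still active.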
## IPTABLES ENTRIES FOR TRANSPARENT PROXY
iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 3128
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
## TO ENABLE FORWARDING
echo 1 > /proc/sys/net/ipv4/ip_forward