Wow, thanks Amos so much for this. Do you think if I build it on Rocky Linux it would be easier?
On Thu, 17 Nov 2022, 06:07 Amos Jeffries, <squ...@treenet.co.nz> wrote:

> On 16/11/2022 6:31 am, robert k Wild wrote:
> > hi all,
> >
> > ATM I have written a script; once you have built a CentOS 7 VM, you
> > just run the script and after the reboot it's a complete running
> > squidclamAV server.
> >
> > I'm going to be moving the script to an Ubuntu server as CentOS 7 is
> > dead now (as I run ClamAV on it, and ClamAV will stop getting virus
> > definitions in 2024; I use this for virus scanning of internet packets).
> >
> > I just want to know what lines I need to adjust to work with Ubuntu
> > instead of CentOS. Obviously I know instead of "yum install ..." it's
> > "apt install".
> >
>
> My comments below assume that you want to keep the exact versions as-is
> and custom build.
>
> Otherwise, if you are okay following Ubuntu's official packages and
> security fixes things could be a lot different (and simpler).
>
> > Here's my long script:
> >
> > #!/bin/bash
> > #
> > #this script will download/install and configure the following packages
> > #
> > #squid - proxy server
> > #squid ssl bump - intercept HTTPS traffic
> > #clamAV - antivirus engine inc trojans,viruses,malware
> > #c-icap - icap server
> > #squidclamav - that integrates all the above in squid
>
> You may not be aware squidclamav has been replaced with the eCAP ClamAV module:
> <https://www.e-cap.org/downloads/>
>
> Ubuntu provides the libecap package and Squid has support auto-enabled for it.
> So all you should need to do is build the ecap-clamav adaptor and
> configure it for use.
>
> > #whitelist URL's
> > #deny MIME types
> > #
> > #on the PROD host you only need squid
> > #
> > #first things first lets disable firewalld and SElinux
> > #
> > systemctl stop firewalld
> > systemctl disable firewalld
> > sed -i -e 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
> > #
> > #squid packages
> > #
> > yum install -y epel-release screen rsync net-tools ethtool swaks sed tar zip unzip curl telnet openssl openssl-devel bzip2-devel libarchive libarchive-devel perl perl-Data-Dumper gcc gcc-c++ binutils autoconf automake make sudo wget libxml2-devel libcap-devel libtool-ltdl-devel
> > #
>
> Drop "epel-release" as irrelevant on Ubuntu.
>
> Ubuntu developer packages have a "-dev" suffix instead of "-devel". So all
> those should change.
>
> To get access to simpler source building I recommend altering the apt
> configuration like so:
>
>   sudo sed --in-place -E 's/# (deb-src.*updates main)/ \1/g' /etc/apt/sources.list
>   sudo apt-get --quiet=2 update
>
> There are some trivial package naming differences. When apt complains
> about not finding a package you can use
> <https://packages.ubuntu.com/search> to search for the Ubuntu naming
> and/or any alternatives.
>
> Many of those are not related to Squid in any way. Perhaps separate
> them into a different install command?
>
> After the above deb-src change the packages needed to build Squid for
> Ubuntu can be installed like so:
>
>   sudo apt-get --quiet=2 build-dep squid
>
> Similar commands also for clamav, c-icap and any others which Ubuntu
> provides packages for.
>
> After that build-dep command you only need to install dependencies if
> the Ubuntu package lacks support.
> For example, Ubuntu older than 21.10 lacks openssl natively, so "apt
> install libssl-dev" may be needed specially.
>
> > #clamAV packages
> > #
> > yum install -y clamav-server clamav-data clamav-update clamav-filesystem clamav clamav-scanner-systemd clamav-devel clamav-lib clamav-server-systemd
> > #
> > #download and compile from source
> > #
> > cd /tmp
> > wget http://www.squid-cache.org/Versions/v4/squid-4.17.tar.gz
> > wget http://sourceforge.net/projects/c-icap/files/c-icap/0.5.x/c_icap-0.5.10.tar.gz --no-check-certificate
> > wget http://sourceforge.net/projects/c-icap/files/c-icap-modules/0.5.x/c_icap_modules-0.5.5.tar.gz --no-check-certificate
> > wget https://sourceforge.net/projects/squidclamav/files/squidclamav/7.1/squidclamav-7.1.tar.gz --no-check-certificate
> > #
> > for f in *.tar.gz; do tar xf "$f"; done
> > #
> > cd /tmp/squid-4.17
> > ./configure --with-openssl --enable-ssl-crtd --enable-icap-client --enable-http-violations && make && make install
>
> The prefix can be a bit different on Debian/Ubuntu. To ensure it is
> right add --prefix=/usr/local to the above options.
>
> > #
> > cd /tmp/c_icap-0.5.10
> > ./configure 'CXXFLAGS=-O2 -m64 -pipe' 'CFLAGS=-O2 -m64 -pipe' --without-bdb --prefix=/usr/local && make && make install
> > #
> > cd /tmp/squidclamav-7.1
> > ./configure 'CXXFLAGS=-O2 -m64 -pipe' 'CFLAGS=-O2 -m64 -pipe' --with-c-icap=/usr/local --with-libarchive && make && make install
> > #
> > cd /tmp/c_icap_modules-0.5.5
> > ./configure 'CFLAGS=-O3 -m64 -pipe' 'CPPFLAGS=-I/usr/local/clamav/include' 'LDFLAGS=-L/usr/local/lib -L/usr/local/clamav/lib/' && make && make install
> > #
> > #creating shortcuts and copying files
> > #
> > cp -f /usr/local/squid/etc/squid.conf /usr/local/squid/etc/squid.conf.orig
> > cp -f /usr/local/etc/c-icap.conf /usr/local/etc/c-icap.conf.orig
> > cp -f /usr/local/etc/squidclamav.conf /usr/local/etc/squidclamav.conf.orig
> > cp -f /usr/local/etc/clamav_mod.conf /usr/local/etc/clamav_mod.conf.orig
> > cp -f /usr/local/etc/virus_scan.conf /usr/local/etc/virus_scan.conf.orig
> > #
> > ln -s /usr/local/squid/etc/squid.conf /etc
> > ln -s /usr/local/etc/c-icap.conf /etc
> > ln -s /usr/local/etc/squidclamav.conf /etc
> > ln -s /usr/local/etc/clamav_mod.conf /etc
> > ln -s /usr/local/etc/virus_scan.conf /etc
> > #
> > mkdir -p /usr/local/clamav/share/clamav
> > ln -s /var/lib/clamav /usr/local/clamav/share/clamav
> > #
> > #tmpfiles for run files
> > #
> > echo "d /var/run/c-icap 0755 root root -" >> /etc/tmpfiles.d/c-icap.conf
> > echo "d /var/run/clamav 0755 root root -" >> /etc/tmpfiles.d/clamav.conf
> > #
> > #original squid config
> > #
> > sed -i '/http_port 3128/d' /usr/local/squid/etc/squid.conf
> > sed -i -e 's%http_access deny !Safe_ports%#http_access deny !Safe_ports%g' /usr/local/squid/etc/squid.conf
> > sed -i -e 's%http_access deny CONNECT !SSL_ports%#http_access deny CONNECT !SSL_ports%g' /usr/local/squid/etc/squid.conf
>
> Reason? This opens a large number of security vulnerabilities.
>
> Modern Squid have an "include" directive to import extra squid.conf
> rules from other files and/or directories.
> I recommend adding this one line to squid.conf under where it says
> "INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS":
>
>   include /etc/squid/conf.d/*.conf
>
> then placing all your custom Squid files in that conf.d directory.
>
> > #
> > #create URL, MIME and public key list
> > #
> > echo "#eicar" >> /usr/local/squid/etc/urlwhite.txt
> > echo ".eicar.org" >> /usr/local/squid/etc/urlwhite.txt
> > #
> > echo "http://updater.maxon.net/server_test" >> /usr/local/squid/etc/urlspecial.txt
> > #
> > echo "application/octet-stream" >> /usr/local/squid/etc/mimedeny.txt
> > echo "application/x-msi" >> /usr/local/squid/etc/mimedeny.txt
> > echo "application/zip" >> /usr/local/squid/etc/mimedeny.txt
> > echo "application/x-7z-compressed" >> /usr/local/squid/etc/mimedeny.txt
> > echo "application/vnd.ms-cab-compressed" >> /usr/local/squid/etc/mimedeny.txt
> > echo "application/x-msdownload" >> /usr/local/squid/etc/mimedeny.txt
> > echo "application/x-iso9660-image" >> /usr/local/squid/etc/mimedeny.txt
>
> FWIW: squid config files are all agnostic to whitespace indentation. So
> you should be able to improve script readability like this:
>
>   echo "
>   blah
>   blah
>   blah
>   blah
>   " >> path/to/file
>
> Also, I see that you are adding systemd integration for the other software.
> There is a file in the squid tarball at tools/systemd/squid.service that can
> be installed to add that.
> You will need to adjust the binary paths inside it to your custom
> /usr/local ones.
>
> Also, consider using the logrotate package to manage the log files instead
> of cron.
>
> HTH
> Amos
>
> _______________________________________________
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
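The following is an added example, not part of the thread and not code from either poster. It puts the advice from Amos's reply into a form the posted script could adopt on Ubuntu: the yum package list mapped to apt names (the specific renames beyond the plain "-devel" to "-dev" rule are an assumption; verify each on packages.ubuntu.com), the deb-src/build-dep sequence from the reply, the "include /etc/squid/conf.d/*.conf" hook instead of sed-editing squid.conf, the URL and MIME lists written with a heredoc, and a check that the Safe_ports/SSL_ports guards the original script comments out are still active. The ACL wiring of the lists (dstdomain whitelist, rep_mime_type reply deny) is assumed, since the posted script is cut off before it uses those files. All paths and function names are illustrative; nothing runs until a function is called.

```shell
#!/bin/sh
# Added example (not the thread's own code). Functions only; sourcing has no
# side effects. Assumes GNU sed, apt-get and a Squid built with --prefix set
# so that its squid.conf lives under $ETC (illustrative value below).
set -eu

# 1. CentOS yum names -> Ubuntu apt names.
#    Rule from the reply: "-devel" becomes "-dev"; epel-release is dropped.
#    The explicit renames are assumptions to verify on packages.ubuntu.com.
centos_to_ubuntu_pkgs() {
    for p in "$@"; do
        case "$p" in
            epel-release)        continue ;;                     # no EPEL on Ubuntu
            openssl-devel)       echo libssl-dev ;;              # needed on Ubuntu < 21.10 (per reply)
            bzip2-devel)         echo libbz2-dev ;;
            libtool-ltdl-devel)  echo libltdl-dev ;;
            gcc-c++)             echo g++ ;;
            perl-Data-Dumper)    echo perl ;;                    # shipped inside the perl package
            *-devel)             echo "${p%-devel}-dev" ;;
            *)                   echo "$p" ;;
        esac
    done
}

# 2. The deb-src + build-dep sequence from the reply; the extra list is only
#    for things the Ubuntu packages' build-deps do not already pull in.
#    Must run as root; never invoked by this file on its own.
ubuntu_build_deps() {
    sed --in-place -E 's/# (deb-src.*updates main)/ \1/g' /etc/apt/sources.list
    apt-get --quiet=2 update
    apt-get --quiet=2 -y build-dep squid clamav c-icap
    # shellcheck disable=SC2046  # word splitting is intended here
    apt-get --quiet=2 -y install $(centos_to_ubuntu_pkgs "$@")
}

# 3. Hook a conf.d directory into squid.conf (Squid's include takes globs)
#    right after the "INSERT YOUR OWN RULE(S) HERE" marker. Idempotent.
add_confd_include() {
    conf=$1; confd=$2
    grep -qF "include $confd/*.conf" "$conf" && return 0
    sed -i "/INSERT YOUR OWN RULE(S) HERE/a include $confd/*.conf" "$conf"
}

# 4. The original script comments out these two lines; the reply warns that
#    doing so opens a large number of vulnerabilities (any port becomes
#    reachable through the proxy). Fail if either guard is missing/commented.
squid_port_guards_intact() {
    conf=$1
    grep -Eq '^[[:space:]]*http_access[[:space:]]+deny[[:space:]]+!Safe_ports' "$conf" &&
    grep -Eq '^[[:space:]]*http_access[[:space:]]+deny[[:space:]]+CONNECT[[:space:]]+!SSL_ports' "$conf"
}

# 5. Lists via heredoc (Squid ignores indentation) plus the assumed ACL
#    wiring in a conf.d fragment. urlwhite.txt uses dstdomain syntax, which
#    is why ".eicar.org" carries the leading dot.
write_squid_confd() {
    etc=$1; confd=$etc/conf.d
    mkdir -p "$confd"
    cat >"$etc/urlwhite.txt" <<'EOF'
#eicar
.eicar.org
EOF
    cat >"$etc/mimedeny.txt" <<'EOF'
application/octet-stream
application/x-msi
application/zip
application/x-7z-compressed
application/vnd.ms-cab-compressed
application/x-msdownload
application/x-iso9660-image
EOF
    cat >"$confd/10-lists.conf" <<EOF
# assumed wiring of the posted lists (not from the thread)
acl urlwhite dstdomain "$etc/urlwhite.txt"
acl mimedeny rep_mime_type "$etc/mimedeny.txt"
http_access allow urlwhite
http_reply_access deny mimedeny
EOF
}

# Illustrative driver, opt-in only: SQUID_PORT_DEMO=1 sh this.sh
ETC=/usr/local/squid/etc
if [ "${SQUID_PORT_DEMO:-0}" = 1 ]; then
    add_confd_include "$ETC/squid.conf" "$ETC/conf.d"
    write_squid_confd "$ETC"
    squid_port_guards_intact "$ETC/squid.conf" || { echo "port guards disabled" >&2; exit 1; }
fi
```

Because the include line lands after the "INSERT YOUR OWN RULE(S)" marker, every rule in conf.d is evaluated after the default Safe_ports and SSL_ports denies, so a whitelist allow cannot reopen arbitrary ports; calling squid_port_guards_intact from the build script before starting Squid turns the silent sed edit into a hard failure.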