Build a Squid transparent proxy ubuntu from source code - no check certificate squid

Build a Squid transparent proxy from source code

Please note that this whole manual refers to the version 3.5.15 of Squid. You probably would have to adapt some commands to the version you will actually download.

Table of contents

• Automated Install
  • Disclaimer
  • Squid installation script
• Manual Install
  • Resolve compilation dependencies
  • Grab a copy of the source code
  • Compile your Squid 3
  • Resolve library dependencies
  • Build configuration file
  • Build service runtime
  • Prepare execution folders
  • Start!

Automated install

Disclaimer

Read the install script before using it.
You may want to understand what the script is doing before executing it.
I will not be responsible for any damage caused to your server.

Squid installation script

cd ~
wget --no-check-certificate -O squid-install.sh https://gist.githubusercontent.com/e7d/1f784339df82c57a43bf/raw/squid-install.sh \
  && chmod +x squid-install.sh \
  && ./squid-install.sh

Manual install

Resolve compilation dependencies

Edit your /etc/apt/sources.list file, and check that you have deb-src entries like the following sample.

deb http://httpredir.debian.org/debian stable main
deb-src http://httpredir.debian.org/debian stable main
deb http://security.debian.org/ stable/updates main
deb-src http://security.debian.org/ stable/updates main

Build Squid 3 dependencies

aptitude update
aptitude build-dep squid3

Grab a copy of the source code

cd /usr/src
wget http://www.squid-cache.org/Versions/v3/3.5/squid-3.5.15.tar.gz
tar zxvf squid-3.5.15.tar.gz
cd squid-3.5.15

Compile your Squid 3

./configure --prefix=/usr \
  --localstatedir=/var/squid \
  --libexecdir=${prefix}/lib/squid \
  --srcdir=. \
  --datadir=${prefix}/share/squid \
  --sysconfdir=/etc/squid \
  --with-default-user=proxy \
  --with-logdir=/var/log/squid \
  --with-pidfile=/var/run/squid.pid
make
make install

Resolve library dependencies

Extract the content of squid-lib.tar.gz to /usr/lib

cd /usr/lib
wget http://e7d.github.io/resources/squid-lib.tar.gz
tar zxvf squid-lib.tar.gz
rm squid_lib.tar.gz

Build configuration file

Copy squid.conf contents to /etc/squid/squid.conf.

rm -fr /etc/squid/squid.conf
wget --no-check-certificate -O /etc/squid/squid.conf https://gist.githubusercontent.com/e7d/1f784339df82c57a43bf/raw/squid.conf

With this sample configuration file, you can use a Htpasswd file at /etc/squid/users.pwd to manage a basic authentication.

rm -fr /etc/squid/users.pwd
wget --no-check-certificate -O /etc/squid/users.pwd https://gist.githubusercontent.com/e7d/1f784339df82c57a43bf/raw/users.pwd

To enable this authentication, you will have to uncomment the Authentication section of the sample squid.confconfiguration file. You can create your users entries using the htpasswd tool from Apache. i.e. htpasswd -db /etc/squid/users.pwd jones fx5rm31s will create a user "jones" with the password "fx5rm31s" inside the "/etc/squid/users.pwd" file. You can directly use the users.pwd sample, providing you a basic user named proxy, using also proxy as password.

Build service runtime

Copy squid.sh contents to /etc/init/squid and make it executable.

wget --no-check-certificate -O /etc/init.d/squid https://gist.githubusercontent.com/e7d/1f784339df82c57a43bf/raw/squid.sh
chmod +x /etc/init.d/squid

Optionally, you can make it run automatically at server startup with update-rc.d squid defaults.

Prepare execution folders

mkdir /var/log/squid
mkdir /var/cache/squid
mkdir /var/spool/squid
chown -cR proxy /var/log/squid
chown -cR proxy /var/cache/squid
chown -cR proxy /var/spool/squid

squid -z

Start!

Try to start your brand new Squid with service squid start

Raw

 squid-install.sh

	#!/bin/sh
	SQUID_VERSION=3.5.15
	if [ "$(id -u)" != "0" ]; then
	echo "This script must be run as root" 1>&2
	exit 1
	fi
	echo "Add repositories to Aptitude"
	echo "deb http://httpredir.debian.org/debian stable main" > /etc/apt/sources.list.d/squid.list
	echo "deb-src http://httpredir.debian.org/debian stable main" >> /etc/apt/sources.list.d/squid.list
	echo "deb http://security.debian.org/ stable/updates main" >> /etc/apt/sources.list.d/squid.list
	echo "deb-src http://security.debian.org/ stable/updates main" >> /etc/apt/sources.list.d/squid.list
	echo "Update packages list"
	apt-get update
	echo "Build dependencies"
	apt-get -y install build-essential libssl-dev apache2-utils
	apt-get -y build-dep squid3
	echo "Download source code"
	cd /usr/src
	wget http://www.squid-cache.org/Versions/v3/3.5/squid-${SQUID_VERSION}.tar.gz
	tar zxvf squid-${SQUID_VERSION}.tar.gz
	cd squid-${SQUID_VERSION}
	echo "Build binaries"
	./configure --prefix=/usr \
	--localstatedir=/var/squid \
	--libexecdir=${prefix}/lib/squid \
	--srcdir=. \
	--datadir=${prefix}/share/squid \
	--sysconfdir=/etc/squid \
	--with-default-user=proxy \
	--with-logdir=/var/log/squid \
	--with-pidfile=/var/run/squid.pid
	make
	echo "Stop running service"
	service squid stop
	echo "Install binaries"
	make install
	echo "Download libraries"
	cd /usr/lib
	wget -O /usr/lib/squid-lib.tar.gz http://e7d.github.io/resources/squid-lib.tar.gz
	echo "Install libraries"
	tar zxvf squid-lib.tar.gz
	echo "Create configuration file"
	rm -fr /etc/squid/squid.conf
	wget --no-check-certificate -O /etc/squid/squid.conf https://gist.githubusercontent.com/e7d/1f784339df82c57a43bf/raw/squid.conf
	echo "Create users database sample"
	rm -fr /etc/squid/users.pwd
	htpasswd -c -b -d /etc/squid/users.pwd proxy proxy
	echo "Create service executable file"
	wget --no-check-certificate -O /etc/init.d/squid https://gist.githubusercontent.com/e7d/1f784339df82c57a43bf/raw/squid.sh
	chmod +x /etc/init.d/squid
	echo "Register service to startup entries"
	update-rc.d squid defaults
	echo "Prepare environment for first start"
	mkdir /var/log/squid
	mkdir /var/cache/squid
	mkdir /var/spool/squid
	chown -cR proxy /var/log/squid
	chown -cR proxy /var/cache/squid
	chown -cR proxy /var/spool/squid
	squid -z
	echo "Start service"
	service squid start
	echo "Cleanup temporary files"
	rm -rf /etc/apt/sources.list.d/squid.list
	rm -rf /usr/src/squid-${SQUID_VERSION}.tar.gz
	rm -rf /usr/src/squid-${SQUID_VERSION}
	rm -rf /usr/lib/squid-lib.tar.gz
	exit 0

Raw

 squid.conf

	# General
	http_port 3128
	visible_hostname Proxy
	forwarded_for delete
	via off
	# Log
	logformat squid %tg.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt
	access_log /var/log/squid/access.log squid
	# Cache
	cache_dir aufs /var/cache/squid 1024 16 256
	coredump_dir /var/spool/squid
	acl QUERY urlpath_regex cgi-bin \?
	cache deny QUERY
	refresh_pattern ^ftp: 1440 20% 10080
	refresh_pattern ^gopher: 1440 0% 1440
	refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
	refresh_pattern . 0 20% 4320
	# Network ACL
	acl localnet src 10.0.0.0/8 # RFC 1918 possible internal network
	acl localnet src 172.16.0.0/12 # RFC 1918 possible internal network
	acl localnet src 192.168.0.0/16 # RFC 1918 possible internal network
	acl localnet src fc00::/7 # RFC 4193 local private network range
	acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
	# Port ACL
	acl SSL_ports port 443 # https
	acl SSL_ports port 563 # snews
	acl SSL_ports port 873 # rync
	acl Safe_ports port 80 8080 # http
	acl Safe_ports port 21 # ftp
	acl Safe_ports port 443 563 # https
	acl Safe_ports port 70 # gopher
	acl Safe_ports port 210 # wais
	acl Safe_ports port 1025-65535 # unregistered ports
	acl Safe_ports port 280 # http-mgmt
	acl Safe_ports port 488 # gss-http
	acl Safe_ports port 591 # filemaker
	acl Safe_ports port 777 # multiling http
	acl purge method PURGE
	acl CONNECT method CONNECT
	# Authentication
	# Uncomment the following lines to enable file based authentication BUT:
	# The following section requires to have squid libs installed, especially `nsca_auth`, to be working.
	# This sections uses a Htpasswd file named `users.pwd` file to store eligible accounts.
	# You can generate yours using the htpasswd command from "apache2-utils" aptitude package, using "-d" flag to use system CRYPT.
	auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/users.pwd
	auth_param basic children 5
	auth_param basic realm Proxy
	auth_param basic credentialsttl 2 hours
	auth_param basic casesensitive off
	#acl users proxy_auth REQUIRED
	#http_access allow users
	# Access Restrictions
	http_access allow manager localhost
	http_access deny manager
	http_access allow purge localhost
	http_access deny purge
	http_access deny !Safe_ports
	http_access deny CONNECT !SSL_ports
	http_reply_access allow all
	htcp_access deny all
	icp_access allow all
	always_direct allow all
	# Request Headers Forcing
	request_header_access Allow allow all
	request_header_access Authorization allow all
	request_header_access WWW-Authenticate allow all
	request_header_access Proxy-Authorization allow all
	request_header_access Proxy-Authenticate allow all
	request_header_access Cache-Control allow all
	request_header_access Content-Encoding allow all
	request_header_access Content-Length allow all
	request_header_access Content-Type allow all
	request_header_access Date allow all
	request_header_access Expires allow all
	request_header_access Host allow all
	request_header_access If-Modified-Since allow all
	request_header_access Last-Modified allow all
	request_header_access Location allow all
	request_header_access Pragma allow all
	request_header_access Accept allow all
	request_header_access Accept-Charset allow all
	request_header_access Accept-Encoding allow all
	request_header_access Accept-Language allow all
	request_header_access Content-Language allow all
	request_header_access Mime-Version allow all
	request_header_access Retry-After allow all
	request_header_access Title allow all
	request_header_access Connection allow all
	request_header_access Proxy-Connection allow all
	request_header_access User-Agent allow all
	request_header_access Cookie allow all
	request_header_access All deny all
	# Response Headers Spoofing
	reply_header_access Via deny all
	reply_header_access X-Cache deny all
	reply_header_access X-Cache-Lookup deny all

Raw

 squid.sh

	#! /bin/sh
	#
	# squid3 Startup script for the SQUID HTTP proxy-cache.
	#
	# Version: @(#)squid3.rc 1.0 07-Jul-2006 luigi@debian.org
	#
	### BEGIN INIT INFO
	# Provides: squid
	# Required-Start: $network $remote_fs $syslog
	# Required-Stop: $network $remote_fs $syslog
	# Should-Start: $named
	# Should-Stop: $named
	# Default-Start: 2 3 4 5
	# Default-Stop: 0 1 6
	# Short-Description: Squid HTTP Proxy version 3.x
	### END INIT INFO
	NAME=squid
	DESC="Squid HTTP Proxy 3.x"
	DAEMON=/usr/sbin/squid
	PIDFILE=/var/run/$NAME.pid
	CONFIG=/etc/squid/squid.conf
	SQUID_ARGS="-YC -f $CONFIG"
	[ ! -f /etc/default/squid ] || . /etc/default/squid
	. /lib/lsb/init-functions
	PATH=/bin:/usr/bin:/sbin:/usr/sbin
	[ -x $DAEMON ] || exit 0
	ulimit -n 65535
	find_cache_dir () {
	w=" " # space tab
	res=`sed -ne '
	s/^'$1'['"$w"']\+[^'"$w"']\+['"$w"']\+\([^'"$w"']\+\).*$/\1/p;
	t end;
	d;
	:end q' < $CONFIG`
	[ -n "$res" ] || res=$2
	echo "$res"
	}
	find_cache_type () {
	w=" " # space tab
	res=`sed -ne '
	s/^'$1'['"$w"']\+\([^'"$w"']\+\).*$/\1/p;
	t end;
	d;
	:end q' < $CONFIG`
	[ -n "$res" ] || res=$2
	echo "$res"
	}
	start () {
	cache_dir=`find_cache_dir cache_dir`
	cache_type=`find_cache_type cache_dir`
	#
	# Create spool dirs if they don't exist.
	#
	if [ "$cache_type" = "coss" -a -d "$cache_dir" -a ! -f "$cache_dir/stripe" ] || [ "$cache_type" != "coss" -a -d "$cache_dir" -a ! -d "$cache_dir/00" ]
	then
	log_warning_msg "Creating $DESC cache structure"
	$DAEMON -z -f $CONFIG
	fi
	umask 027
	ulimit -n 65535
	cd $cache_dir
	start-stop-daemon --quiet --start \
	--pidfile $PIDFILE \
	--exec $DAEMON -- $SQUID_ARGS < /dev/null
	return $?
	}
	stop () {
	PID=`cat $PIDFILE 2>/dev/null`
	start-stop-daemon --stop --quiet --pidfile $PIDFILE --exec $DAEMON
	#
	# Now we have to wait until squid has _really_ stopped.
	#
	sleep 2
	if test -n "$PID" && kill -0 $PID 2>/dev/null
	then
	log_action_begin_msg " Waiting"
	cnt=0
	while kill -0 $PID 2>/dev/null
	do
	cnt=`expr $cnt + 1`
	if [ $cnt -gt 24 ]
	then
	log_action_end_msg 1
	return 1
	fi
	sleep 5
	log_action_cont_msg ""
	done
	log_action_end_msg 0
	return 0
	else
	return 0
	fi
	}
	case "$1" in
	start)
	log_daemon_msg "Starting $DESC" "$NAME"
	if start ; then
	log_end_msg $?
	else
	log_end_msg $?
	fi
	;;
	stop)
	log_daemon_msg "Stopping $DESC" "$NAME"
	if stop ; then
	log_end_msg $?
	else
	log_end_msg $?
	fi
	;;
	reload|force-reload)
	log_action_msg "Reloading $DESC configuration files"
	start-stop-daemon --stop --signal 1 \
	--pidfile $PIDFILE --quiet --exec $DAEMON
	log_action_end_msg 0
	;;
	restart)
	log_daemon_msg "Restarting $DESC" "$NAME"
	stop
	if start ; then
	log_end_msg $?
	else
	log_end_msg $?
	fi
	;;
	status)
	status_of_proc -p $PIDFILE $DAEMON $NAME && exit 0 || exit 3
	;;
	*)
	echo "Usage: /etc/init.d/$NAME {start|stop|reload|force-reload|restart|status}"
	exit 3
	;;
	esac
	exit 0

Raw

 users.pwd

proxy:V3SumwH0Poabk

kedenya commented on Apr 30, 2015

authentication not working
it work for transparent proxy?
many time try.. still get error request pass
thank you

suardika commented on May 9, 2015

how can see the log ?

suardika commented on May 11, 2015

finally I can see the access.log.. thank you so much!

Owner

e7d commented on May 29, 2015

I just updated the gist to fix this.

The authentication file was not valid anymore since the crypted hash generated by http://www.htaccesstools.com/htpasswd-generator/ is not reliable on all environment. Consider using "htpasswd" from "apache-utils" package, as does now the installation script.

For example, using
htpasswd -c -b -d /etc/squid/users.pwd proxy proxy
you would create a /etc/squid/users.pwd empty password file, then filled with a user "proxy" with the pasword "proxy" encrypted using system supported libraries.

onekuyak commented on Jun 26, 2015

how to setup this proxy full transparent without setting anything at client browser using 1 NIC in proxy machine?

Tweet