Compilation of Squid 3.3.3 on Ubuntu 12
## Switch to root user
# Open a root shell; every command below is typed into that shell.
sudo su
# Refresh the package index and apply pending upgrades before building.
apt-get update
apt-get upgrade
# Unpack the Squid 3.3.3 source tarball (expected in the current directory).
# NOTE(review): no download source or checksum/signature check is shown on this
# page; verify the tarball against the project's published checksum or signature
# before unpacking it and building as root.
tar -xzvf squid-3.3.3.tar.gz
# Build prerequisites: C/C++ compilers, gawk and m4.
apt-get install g++ gawk m4 gcc-multilib
NOTE: if you get any error regarding gcc, install it with the commands below:
------------------------------------------------------------------------
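# Add the Ubuntu toolchain test PPA and install gcc-4.7 from it.
# A PPA is a third-party archive, not the main Ubuntu repository: packages from
# it are installed as root, so add it only on a build host where that is acceptable.
sudo add-apt-repository ppa:ubuntu-toolchain-r/test
# Re-read the package index so the newly added PPA is visible, then install.
# (The original repeated the update/install pair twice; once is enough.)
sudo apt-get update
sudo apt-get install gcc-4.7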
------------------------------------------------------------------------
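# Extra packages used by the build.
apt-get install smbclient
# The patterns are quoted so the shell passes them to apt-get unchanged instead
# of expanding them against file names in the current directory.
# NOTE(review): these wildcards select every package whose name matches, which is
# far more than the build needs; presumably only the OpenSSL and libcap
# development packages are required. Narrow the list once that is confirmed.
apt-get install 'openssl*'
apt-get install 'libcap-*'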
## SQUID COMPILATION
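# Configure the build; run this from the top of the unpacked Squid source tree.
# --enable-ssl and --enable-ssl-crtd are the switches the SSL bumping setup
# further down relies on.
# --enable-eui is the Squid 3.3.3 name of the older --enable-arp-acl switch.
# "&& echo $?" prints 0 only when configure succeeds; nothing is printed on failure.
./configure --prefix=/usr \
  --includedir=/usr/include \
  --datadir=/usr/share \
  --bindir=/usr/sbin \
  --libexecdir=/usr/lib/squid \
  --localstatedir=/var \
  --sysconfdir=/etc/squid3 \
  --enable-delay-pools \
  --enable-ssl \
  --enable-ssl-crtd \
  --enable-linux-netfilter \
  --enable-eui \
  --enable-snmp \
  --enable-gnuregex && echo $?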
NOTE: for Squid 3.3.3, the option --enable-arp-acl is replaced with --enable-eui.
# Compile Squid; "&& echo $?" prints 0 only if the build succeeded.
make all && echo $?
# Install into the prefixes chosen at configure time (binaries in /usr/sbin,
# configuration in /etc/squid3); needs the root shell opened earlier.
make install && echo $?
## GENERATE CERTIFICATE
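cd /usr/share/ssl-cert
# Create the self-signed CA that Squid uses to sign the per-host certificates it
# generates. Key and certificate are written to the same file (myCA.pem).
# A 2048-bit RSA key with a SHA-256 signature replaces the original 1024-bit key,
# which is below what current clients accept for a CA.
# -nodes leaves the private key unencrypted on disk.
openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -keyout myCA.pem -out myCA.pem
# myCA.pem contains the CA private key: anyone who can read it can issue
# certificates that the importing browsers will trust. Keep it owner-only.
# NOTE(review): assumes Squid loads the file as root at startup; if it cannot,
# give ownership to the Squid service account rather than loosening the mode.
chmod 600 myCA.pem
# Export only the certificate (no key) in DER form for import into browsers.
openssl x509 -in myCA.pem -outform DER -out myCA.der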
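The resulting myCA.der file should be imported into the 'Authorities' section of users' browsers. Distribute only this .der file: it contains the certificate alone, whereas myCA.pem also holds the CA private key and must stay on the proxy.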
For example, in Firefox:
- Open 'Preferences'
- Go to the 'Advanced' section, 'Encryption' tab
- Press the 'View Certificates' button and go to the 'Authorities' tab
- Press the 'Import' button, select the .der file that was created previously and press 'OK'
## CONFIGURE SQUID
# Edit the Squid configuration file (path set by --sysconfdir at configure time)
# and add the directives that follow.
nano /etc/squid3/squid.conf
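# Listening port with SSL bumping enabled: Squid generates a certificate per
# requested host and signs it with the CA stored in myCA.pem.
http_port 192.168.5.239:3128 transparent ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/share/ssl-cert/myCA.pem
## Also add the following lines to enable SSL bumping:
always_direct allow all
# Squid 3.3 auto-converts the deprecated "ssl_bump allow <acl>" form to
# client-first and logs a SECURITY NOTICE; server-first is the newer mode that
# notice refers to. "all" bumps every connection; narrow the ACL if only some
# destinations need inspection.
ssl_bump server-first all
# The following two options are unsafe and not always necessary: they make Squid
# accept any upstream server certificate. Clients only ever see the certificate
# Squid generates, so with these enabled nobody validates the real server.
# They are left disabled here. If one site with a broken certificate must be
# reachable, scope sslproxy_cert_error to an ACL for that site instead of "all".
#sslproxy_cert_error allow all
#sslproxy_flags DONT_VERIFY_PEER
# Memory cache size and on-disk cache directory; adjust to the host.
cache_mem 100 MB
cache_dir ufs /var/cache/squid 100 16 256
# Leave coredumps in the first cache dir
coredump_dir /var/cache/squid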
## CREATE CACHE LOG FILE
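# Make sure the log and cache directories exist, so the commands below cannot
# fail on a missing path (mkdir -p is a no-op when they are already there).
mkdir -p /var/logs /var/cache/squid
# Pre-create the log files and hand them, together with the cache directory, to
# nobody:adm. Presumably "nobody" is the account Squid runs as, since no
# cache_effective_user is set on this page; confirm before relying on it.
touch /var/logs/cache.log
chown nobody:adm /var/logs/cache.log
touch /var/logs/access.log
chown nobody:adm /var/logs/access.log
chown nobody:adm /var/cache/squid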
## TO INITIALIZE CACHE
# -z creates the cache (swap) directories under the configured cache_dir; run it
# once before the first start.
/usr/sbin/squid -z
## TO RUN SQUID
# Start Squid from the root shell; "&" returns the prompt immediately.
/usr/sbin/squid &
NOTE: if you see the notice below, disable or change the line “ssl_bump allow all” in /etc/squid3/squid.conf accordingly:
SECURITY NOTICE: auto-converting deprecated "ssl_bump allow <acl>" to "ssl_bump client-first <acl>" which is usually inferior to the newer server-first bumping mode. Update your ssl_bump rules.
## IPTABLES ENTRIES FOR TRANSPARENT PROXY
# Redirect new TCP connections (SYN set; FIN, RST and ACK clear) to port 80 that
# arrive on eth1 to the local port 3128, where Squid listens.
# Only port 80 is redirected; no rule here sends port 443 traffic to Squid.
# NOTE(review): eth1 is presumably the LAN-facing interface and eth0 the uplink;
# confirm against the host's interfaces.
iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 3128
# Source-NAT everything leaving via eth0, whatever its origin; add a source
# match (-s) if only the client network should be masqueraded.
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
## TO ENABLE FORWARDING
# Turn on IPv4 forwarding for the running kernel. This write to /proc does not
# survive a reboot, and neither do the iptables rules above unless saved.
echo "1">/proc/sys/net/ipv4/ip_forward