Developers Club geek daily blog

2 years, 6 months ago
Hi everyone! Last article about transparent proxying of HTTPS by means of Squid'a was quite successful. The set of responses about successful installation of this system came by mail. But also also letters with requests for the help arrived. Problems were quite solvable. But not so long ago one colleague about the help in installation of this system on h64 to architecture (Debian) appealed to me. Here we were puzzled. First, it turned out that last article is unsuitable for this purpose because of lack of the necessary source codes in Debian repository (there now 3.5.10). It was not succeeded to find the necessary source codes in the first article Debian'ovskiye, and checkinstall gave strange error messages. Secondly, there was a wish for more universal solution which without problems would work both on h64, and on h86, and (whenever possible) at other distribution kits. The solution was found. Small addition to the previous article + some amendments turned out. This instruction allows to compile both h86, and h64 Squid'a versions and to create the corresponding packets. The instruction will be broken into several points and subparagraphs. If it is interesting, we go under kat:
We go on - to an order.
a) For a start, we will be prepared for packet assembly:
apt-get install git fakeroot checkinstall build-essential devscripts patch
apt-cache policy squid3
apt-get build-dep squid3
apt-get build-dep libecap2
apt-get install libssl-dev libgnutls28-dev

Do not forget to pass into that folder where you will collect source codes not to dirty to yourself Home.
b) Further we will download Libressl:
tar -xzvf libressl-2.1.6.tar.gz
cd libressl-2.1.6

c) And now we collect:
checkinstall --pkgname libressl --pkgversion 2.1.6

2) Now it is possible to set Libressl:
dpkg -i libressl_2.1.6-1_amd64.deb	

After installation it is necessary to configure use of LibreSSL by default:
mv /usr/bin/openssl /usr/bin/openssl-1
update-alternatives --install /usr/bin/openssl openssl /usr/bin/openssl-1 10
update-alternatives --install /usr/bin/openssl openssl /usr/local/bin/openssl 50
update-alternatives --config openssl

Let's check whether it turned out to deliver to Libressl:
openssl version
    LibreSSL 2.1.6

If a console exhaust similar, then everything turned out. We go further.

3) In line Libecap.
a) It is necessary to edit sources.list, having included source codes from testing branch there (it is necessary as we need to compile new libecap which is in turn necessary for assembly of Squid):
deb-src testing main contrib non-free

Let's update a cache of packets:
apt-get update

And now we will download the necessary source codes from Testing:
apt-get source libecap3/testing

Further we will collect libecap:
cd libecap-1.0.1/
dpkg-buildpackage -us -uc -nc -d

b) Let's delete second-hand articles, and we will set to a novya:
apt-get purge libecap2

4) Approached compilation of Squid'a.
a) We swing the last Squid'a which is most working snepshot:

Let's unpack:
tar -xf squid-3.5.8.tar.gz
cd squid-3.5.8

b) We swing a patch for, and a patch:
wget -O bug-4330-put_cipher_by_char-t1.patch
patch bug-4330-put_cipher_by_char-t1.patch
»  patching file src/ssl/

5) And this stage one of the most responsible. It is necessary to configure Squid with the necessary options. In the previous article the debian/rules file was used, but we will compile Squid in this instruction by means of make, and we will create packets by means of checkinstall. Therefore it will be more options. And here what:
./configure --build=x86_64-linux-gnu \
--prefix=/usr \
--includedir=${prefix}/include \
--mandir=${prefix}/share/man \
--infodir=${prefix}/share/info \
--sysconfdir=/etc \
--localstatedir=/var \
--libexecdir=${prefix}/lib/squid \
--srcdir=. \
--disable-maintainer-mode \
--disable-dependency-tracking \
--disable-silent-rules \
--datadir=/usr/share/squid \
--sysconfdir=/etc/squid \
--mandir=/usr/share/man \
--enable-inline \
--disable-arch-native \
--enable-async-io=8 \
--enable-storeio=ufs,aufs,diskd,rock \
--enable-removal-policies=lru,heap \
--enable-delay-pools \
--enable-cache-digests \
--enable-icap-client \
--enable-follow-x-forwarded-for \
--enable-auth-basic=DB,fake,getpwnam,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB \
--enable-auth-digest=file,LDAP \
--enable-auth-negotiate=kerberos,wrapper \
--enable-auth-ntlm=fake,smb_lm \
--enable-external-acl-helpers=file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,unix_group,wbinfo_group \
--enable-url-rewrite-helpers=fake \
--enable-eui \
--enable-esi \
--enable-icmp \
--enable-zph-qos \
--enable-ecap \
--disable-translation \
--with-swapdir=/var/spool/squid \
--with-logdir=/var/log/squid \
--with-pidfile=/var/run/ \
--with-filedescriptors=65536 \
--with-large-files \
--with-default-user=proxy \
--enable-ssl \
--enable-ssl-crtd \
--with-openssl \
--enable-linux-netfilter \
'CFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wall' \
'LDFLAGS=-fPIE -pie -Wl,-z,relro -Wl,-z,now' \
'CXXFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security'

Be extremely attentive. We are interested more, as well as in the previous article, three options: - enable-ssl, - enable-ssl-crtd, - with-openssl. You can change other options in compliance with your preferences (if you want to change them, surely read documentation on configuring).

6) Now we reached compilation.
a) We compile.

b) Ambiguous stage. It is necessary to create directory/usr/share/squid/and / usr/share/squid/icons, otherwise the following phase will not be completed due to the lack of these folders (why checkinstall does not create them, I did not understand, unfortunately):
mkdir -p  /usr/share/squid/icons 

c) And now we create setup packages:
checkinstall --pkgname squid --pkgversion 3.5.8

7) We approach the final. We set Squid:
dpkg -i squid_3.5.8-1_amd64.deb

Spoiler heading
Yes, everything is right, only one file while in their previous article there was a little turned out, as well as it is accepted in Debian.

8) We try to start squid:
systemctl start squid

Also we see a big FIG! It is necessary … We try in the old manner:
service squid start

And too we see a big FIG. Why? Because checkinstall did not include files of the Squid service in a packet. It does not matter. Let's create the necessary systemd service:
touch /etc/systemd/system/squid.service
nano /etc/systemd/system/squid.service

With the following contents:
## Copyright (C) 1996-2015 The Squid Software Foundation and contributors
## Squid software is distributed under GPLv2+ license and includes
## contributions from numerous individuals and organizations.
## Please see the COPYING and CONTRIBUTORS files for details.

Description=Squid Web Proxy Server

ExecStart=/usr/sbin/squid -sYC -N
ExecReload=/bin/kill -HUP $MAINPID


Spoiler heading
Actually, this service is in archive with source codes of Squid'a. For what reasons of Checkinstall did not include it in a packet, it is not known.

Let's include the created service
systemctl enable squid

9) Yes, you are right, there is more to come. As we compiled completely original source codes (except for a patch on, configuration files at us were established a type of squid.conf.default, mime.conf.default, etc. Of course, Squid also did not hear about them. Let's rename them into Squid'ochitayemy a type:
cp /etc/squid/squid.conf.default /etc/squid/squid.conf
cp /etc/squid/mime.conf.default /etc/squid/mime.conf
cp /etc/squid/cachemgr.conf.default /etc/squid/cachemgr.conf
cp /etc/squid/errorpage.css.default /etc/squid/errorpage.css

10) And there is more to come =) It is necessary to create manually the folder for logs of Squid'a and to assign by it the corresponding rights:
mkdir /var/log/squid
chown proxy /var/log/squid

11) And here it is a final stage. Start of Squid'a and verification of the status of service!
systemctl start squid

systemctl status -l squid
● squid.service - Squid Web Proxy Server
   Loaded: loaded (/etc/systemd/system/squid.service; enabled)
   Active: active (running) since Пт 2015-12-04 23:32:04 YEKT; 2min 41s ago
 Main PID: 590 (squid)
   CGroup: /system.slice/squid.service
           ├─590 /usr/sbin/squid -sYC -N
           └─591 (logfile-daemon) /var/log/squid/access.log

дек 04 23:32:04 squidX64 squid[590]: Max Swap size: 0 KB
дек 04 23:32:04 squidX64 squid[590]: Using Least Load store dir selection
дек 04 23:32:04 squidX64 squid[590]: Current Directory is /
дек 04 23:32:04 squidX64 squid[590]: Finished loading MIME types and icons.
дек 04 23:32:04 squidX64 squid[590]: HTCP Disabled.
дек 04 23:32:04 squidX64 squid[590]: Pinger socket opened on FD 16
дек 04 23:32:04 squidX64 squid[590]: Squid plugin modules loaded: 0
дек 04 23:32:04 squidX64 squid[590]: Adaptation support is off.
дек 04 23:32:04 squidX64 squid[590]: Accepting HTTP Socket connections at local=[::]:3128 remote=[::] FD 14 flags=9
дек 04 23:32:05 squidX64 squid[590]: storeLateRelease: released 0 objects

If the exhaust of the console looks probably, to be exact in it there are no errors and surely there is a line "Active: active (running)", you successfully set yourself Squid with support of transparent proxying of HTTPS! I congratulate!

If there is no wish to compile anything, then you can download archive with ready deb packets (x64 the version!). If you set from ready packets, then you will be need steps: 2, 3 (b), 7, 8, 9, 10, 11.

Also I want to note that checkinstall allows to create rpm packets, and you can use it. The only thing, it is necessary to collect all packets by means of checkinstall, but I think, problems with it will not be as the main and the most difficult is already collected by checkinstall'om.

The configuration file Squid'a with the necessary directives, the description of work, etc. read in the previous article!
Thanks to Tatyana Illarionova and Squid'a developers for the help in creation of this recipe!

Spoiler heading
In poll the last point of course comic =) If ATTENTIVELY to read the previous article, then it will become clear at once that there is no attack to the user as there is no substitution of certificates!!!

You watch also discussion of article in my blog
You already set Squid with transparent proxying of HTTPS?

20 people voted. 13 people refrained.

The users only registered can participate in poll. Enter, please.

This article is a translation of the original post at
If you have any questions regarding the material covered in the article above, please, contact the original author of the post.
If you have any complaints about this article or you want this article to be deleted, please, drop an email here:

We believe that the knowledge, which is available at the most popular Russian IT blog, should be accessed by everyone, even though it is poorly translated.
Shared knowledge makes the world better.
Best wishes.

comments powered by Disqus