squid-cache proxy which does it all

squid-cache proxy which does it all

robert k Wild

hi all,

I have made a script for squid that installs the following –

Squid – http proxy server
Squid ssl-bump – https interception for squid
C-ICAP – icap server
clamAV – AV engine to detect trojan viruses malware etc
squidclamav – to make it all integrated with squid

what do you think?

#!/bin/bash
#squid on DMZ host
#
#first things first lets disable firewalld and SElinux
#
systemctl stop firewalld
systemctl disable firewalld
sed -i -e 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
#
#squid packages
#
yum install -y epel-release swaks sed tar zip unzip curl telnet openssl openssl-devel bzip2-devel libarchive libarchive-devel perl perl-Data-Dumper gcc gcc-c++ binutils autoconf automake make sudo wget libxml2-devel libcap-devel libtool-ltdl-devel
#
#clamAV packages
#
yum install -y clamav-server clamav-data clamav-update clamav-filesystem clamav clamav-scanner-systemd clamav-devel clamav-lib clamav-server-systemd
#
#download and compile from source
#
cd /tmp
wget http://www.squid-cache.org/Versions/v4/squid-4.9.tar.gz
wget http://sourceforge.net/projects/c-icap/files/c-icap/0.5.x/c_icap-0.5.6.tar.gz
wget http://sourceforge.net/projects/c-icap/files/c-icap-modules/0.5.x/c_icap_modules-0.5.4.tar.gz
wget https://sourceforge.net/projects/squidclamav/files/squidclamav/7.1/squidclamav-7.1.tar.gz
for f in *.tar.gz; do tar xf "$f"; done
cd /tmp/squid-4.9
./configure --with-openssl --enable-ssl-crtd --enable-icap-client && make && make install
#
cd /tmp/c_icap-0.5.6
./configure 'CXXFLAGS=-O2 -m64 -pipe' 'CFLAGS=-O2 -m64 -pipe' --without-bdb --prefix=/usr/local && make && make install
#
cd /tmp/squidclamav-7.1
./configure 'CXXFLAGS=-O2 -m64 -pipe' 'CFLAGS=-O2 -m64 -pipe' --with-c-icap=/usr/local --with-libarchive && make && make install
#
cd /tmp/c_icap_modules-0.5.4
./configure 'CFLAGS=-O3 -m64 -pipe' 'CPPFLAGS=-I/usr/local/clamav/include' 'LDFLAGS=-L/usr/local/lib -L/usr/local/clamav/lib/' && make && make install
#
#creating shortcuts and copying files
#
cp -f /usr/local/squid/etc/squid.conf /usr/local/squid/etc/squid.conf.orig
cp -f /usr/local/etc/c-icap.conf /usr/local/etc/c-icap.conf.orig
cp -f /usr/local/etc/squidclamav.conf /usr/local/etc/squidclamav.conf.orig
cp -f /usr/local/etc/clamav_mod.conf /usr/local/etc/clamav_mod.conf.orig
cp -f /usr/local/etc/virus_scan.conf /usr/local/etc/virus_scan.conf.orig
#
ln -s /usr/local/squid/etc/squid.conf /etc
ln -s /usr/local/etc/c-icap.conf /etc
ln -s /usr/local/etc/squidclamav.conf /etc
ln -s /usr/local/etc/clamav_mod.conf /etc
ln -s /usr/local/etc/virus_scan.conf /etc
#
mkdir -p /usr/local/clamav/share/clamav
ln -s /var/lib/clamav /usr/local/clamav/share/clamav
#
#tmpfiles for run files
#
echo "d /var/run/c-icap 0755 root root -" >> /etc/tmpfiles.d/c-icap.conf
echo "d /var/run/clamav 0755 root root -" >> /etc/tmpfiles.d/clamav.conf
#
#delete a few lines in squid
#
sed -i '/http_port 3128/d' /usr/local/squid/etc/squid.conf
sed -i '/http_access deny all/d' /usr/local/squid/etc/squid.conf
#
#whitelist in squid
#
sed -i '50i#HTTP_HTTPS whitelist websites' /usr/local/squid/etc/squid.conf
sed -i '51iacl whitelist ssl::server_name "/usr/local/squid/etc/urlwhite.txt"' /usr/local/squid/etc/squid.conf
sed -i '52ihttp_access allow whitelist' /usr/local/squid/etc/squid.conf
sed -i '53ihttp_access deny all' /usr/local/squid/etc/squid.conf
echo "#Microsoft" >> /usr/local/squid/etc/urlwhite.txt
echo ".bing.com" >> /usr/local/squid/etc/urlwhite.txt
echo ".msn.com" >> /usr/local/squid/etc/urlwhite.txt
echo ".msedge.net" >> /usr/local/squid/etc/urlwhite.txt
echo ".msftauth.net" >> /usr/local/squid/etc/urlwhite.txt
echo ".msauth.net" >> /usr/local/squid/etc/urlwhite.txt
echo ".msocdn.com" >> /usr/local/squid/etc/urlwhite.txt
echo ".outlook.com" >> /usr/local/squid/etc/urlwhite.txt
echo ".onedrive.com" >> /usr/local/squid/etc/urlwhite.txt
echo ".office.net" >> /usr/local/squid/etc/urlwhite.txt
echo ".office.com" >> /usr/local/squid/etc/urlwhite.txt
echo ".office365.com" >> /usr/local/squid/etc/urlwhite.txt
echo ".microsoft.com" >> /usr/local/squid/etc/urlwhite.txt
echo ".microsoftonline.com" >> /usr/local/squid/etc/urlwhite.txt
echo ".live.com" >> /usr/local/squid/etc/urlwhite.txt
echo ".live.net" >> /usr/local/squid/etc/urlwhite.txt
echo ".akamaized.net" >> /usr/local/squid/etc/urlwhite.txt
echo ".akamaihd.net" >> /usr/local/squid/etc/urlwhite.txt
echo ".svc.ms" >> /usr/local/squid/etc/urlwhite.txt
echo ".lync.com" >> /usr/local/squid/etc/urlwhite.txt
echo ".skype.com" >> /usr/local/squid/etc/urlwhite.txt
echo ".gfx.ms" >> /usr/local/squid/etc/urlwhite.txt
echo ".sharepoint.com" >> /usr/local/squid/etc/urlwhite.txt
echo ".sharepointonline.com" >> /usr/local/squid/etc/urlwhite.txt
echo ".windowsupdate.com" >> /usr/local/squid/etc/urlwhite.txt
echo ".windows.net" >> /usr/local/squid/etc/urlwhite.txt
echo ".edgesuite.net" >> /usr/local/squid/etc/urlwhite.txt
echo ".a-msedge.net" >> /usr/local/squid/etc/urlwhite.txt
echo ".akamaiedge.net" >> /usr/local/squid/etc/urlwhite.txt
echo ".sfx.ms" >> /usr/local/squid/etc/urlwhite.txt
echo ".azureedge.net" >> /usr/local/squid/etc/urlwhite.txt
echo ".trafficmanager.net" >> /usr/local/squid/etc/urlwhite.txt
echo ".azure.com" >> /usr/local/squid/etc/urlwhite.txt
echo ".s-microsoft.com" >> /usr/local/squid/etc/urlwhite.txt
echo ".onestore.ms" >> /usr/local/squid/etc/urlwhite.txt
echo "#Google" >> /usr/local/squid/etc/urlwhite.txt
echo ".google.com" >> /usr/local/squid/etc/urlwhite.txt
echo ".google.co.uk" >> /usr/local/squid/etc/urlwhite.txt
echo ".googleusercontent.com" >> /usr/local/squid/etc/urlwhite.txt
echo ".googleapis.com" >> /usr/local/squid/etc/urlwhite.txt
echo ".withgoogle.com" >> /usr/local/squid/etc/urlwhite.txt
echo ".gstatic.com" >> /usr/local/squid/etc/urlwhite.txt
echo "#Adobe" >> /usr/local/squid/etc/urlwhite.txt
echo ".adobedtm.com" >> /usr/local/squid/etc/urlwhite.txt
echo ".adobe.io" >> /usr/local/squid/etc/urlwhite.txt
echo ".adobe.com" >> /usr/local/squid/etc/urlwhite.txt
echo ".adobelogin.com" >> /usr/local/squid/etc/urlwhite.txt
echo "#others" >> /usr/local/squid/etc/urlwhite.txt
echo ".digicert.com" >> /usr/local/squid/etc/urlwhite.txt
echo ".pixelogicmedia.com" >> /usr/local/squid/etc/urlwhite.txt
#
#ICAP in squid
#
echo "#ICAP" >> /usr/local/squid/etc/squid.conf
echo "icap_enable on" >> /usr/local/squid/etc/squid.conf
echo "adaptation_uses_indirect_client on" >> /usr/local/squid/etc/squid.conf
echo "icap_send_client_ip on" >> /usr/local/squid/etc/squid.conf
echo "icap_send_client_username on" >> /usr/local/squid/etc/squid.conf
echo "icap_client_username_header X-Authenticated-User" >> /usr/local/squid/etc/squid.conf
echo "icap_service service_req reqmod_precache bypass=0 icap://127.0.0.1:1344/squidclamav" >> /usr/local/squid/etc/squid.conf
echo "adaptation_access service_req allow all" >> /usr/local/squid/etc/squid.conf
echo "icap_service service_resp respmod_precache bypass=0 icap://127.0.0.1:1344/squidclamav" >> /usr/local/squid/etc/squid.conf
echo "adaptation_access service_resp allow all" >> /usr/local/squid/etc/squid.conf
#
#squid with SSL
#
mkdir -p /usr/local/squid/etc/ssl_cert
cd /usr/local/squid/etc/ssl_cert
adduser squid
chown squid:squid /usr/local/squid/etc/ssl_cert
chmod 700 /usr/local/squid/etc/ssl_cert
openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -extensions v3_ca -keyout myCA.pem -out myCA.pem -batch
#must import the below cert on hosts in trusted root cert ie the .der file
openssl x509 -in myCA.pem -outform DER -out myCA.der
/usr/local/squid/libexec/security_file_certgen -c -s /var/lib/ssl_db -M 4MB
chown squid:squid -R /var/lib/ssl_db
chmod -R 777 /usr/local/squid/var/logs
sed -i '1ihttp_port 3128 ssl-bump cert=/usr/local/squid/etc/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB' /usr/local/squid/etc/squid.conf
sed -i '2isslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /var/lib/ssl_db -M 4MB' /usr/local/squid/etc/squid.conf
sed -i '3iacl step1 at_step SslBump1' /usr/local/squid/etc/squid.conf
sed -i '4issl_bump peek step1' /usr/local/squid/etc/squid.conf
sed -i '5issl_bump bump all' /usr/local/squid/etc/squid.conf
#
#squidclamav conf
#
sed -i -e 's%redirect http://proxy.domain.dom/cgi-bin/clwarn.cgi%#redirect http://proxy.domain.dom/cgi-bin/clwarn.cgi%g' /etc/squidclamav.conf
#sed -i -e 's%clamd_local /var/run/clamav/clamd.ctl%clamd_local /run/clamd.scan/clamd.sock%g' /etc/squidclamav.conf
sed -i -e 's%enable_libarchive 0%enable_libarchive 1%g' /etc/squidclamav.conf
#
#clamav conf
#
sed -i -e 's%#LocalSocket /run/clamd.scan/clamd.sock%LocalSocket /var/run/clamav/clamd.ctl%g' /etc/clamd.d/scan.conf
sed -i -e 's%Example%#Example%g' /etc/clamd.d/scan.conf
sed -i -e 's%User clamscan%User root%g' /etc/clamd.d/scan.conf
sed -i -e 's%#StreamMaxLength 10M%StreamMaxLength 5M%g' /etc/clamd.d/scan.conf
freshclam
echo "00 01,13 * * * /usr/bin/freshclam --quiet" >> /var/spool/cron/root
systemctl enable clamd@scan
#
#c-icap and c-icap modules
#
#sed -i -e 's%PidFile /var/run/c-icap/c-icap.pid%PidFile /run/c-icap/c-icap.pid%g' /etc/c-icap.conf
#sed -i -e 's%CommandsSocket /var/run/c-icap/c-icap.ctl%CommandsSocket /run/c-icap/c-icap.ctl%g' /etc/c-icap.conf
sed -i -e 's%#.*User wwwrun%User root%g' /etc/c-icap.conf
sed -i -e 's%#.*Group nogroup%Group root%g' /etc/c-icap.conf
sed -i -e 's%#.*Service echo_service srv_echo.so%Service squidclamav squidclamav.so%g' /etc/c-icap.conf
sed -i -e 's%DebugLevel 1%DebugLevel 0%g' /etc/c-icap.conf
sed -i -e 's%StartServers 3%StartServers 1%g' /etc/c-icap.conf
sed -i -e 's%MaxServers 10%MaxServers 20%g' /etc/c-icap.conf
sed -i -e 's%MaxRequestsPerChild 0%MaxRequestsPerChild 100%g' /etc/c-icap.conf
sed -i '520iacl localhost src 127.0.0.1/255.255.255.255' /etc/c-icap.conf
sed -i '521iacl PERMIT_REQUESTS type REQMOD RESPMOD' /etc/c-icap.conf
sed -i '522iicap_access allow localhost PERMIT_REQUESTS' /etc/c-icap.conf
sed -i '523iicap_access deny all' /etc/c-icap.conf
echo "clamav_mod.TmpDir /var/tmp" >> /etc/clamav_mod.conf
echo "clamav_mod.MaxFilesInArchive 1000" >> /etc/clamav_mod.conf
echo "clamav_mod.MaxScanSize 5M" >> /etc/clamav_mod.conf
echo "clamav_mod.HeuristicScanPrecedence on" >> /etc/clamav_mod.conf
echo "clamav_mod.OLE2BlockMacros on" >> /etc/clamav_mod.conf
echo "virus_scan.ScanFileTypes TEXT DATA EXECUTABLE ARCHIVE DOCUMENT" >> /etc/virus_scan.conf
echo "virus_scan.SendPercentData 5" >> /etc/virus_scan.conf
echo "virus_scan.PassOnError on" >> /etc/virus_scan.conf
echo "virus_scan.MaxObjectSize 5M" >> /etc/virus_scan.conf
echo "virus_scan.DefaultEngine clamav" >> /etc/virus_scan.conf
echo "Include clamav_mod.conf" >> /etc/virus_scan.conf
echo "Include virus_scan.conf" >> /etc/c-icap.conf
#
#make c-icap service
#
echo "[Unit]" >> /usr/lib/systemd/system/c-icap.service
echo "Description=c-icap service" >> /usr/lib/systemd/system/c-icap.service
echo "After=network.target" >> /usr/lib/systemd/system/c-icap.service
echo "[Service]" >> /usr/lib/systemd/system/c-icap.service
echo "Type=forking" >> /usr/lib/systemd/system/c-icap.service
echo "PIDFile=/var/run/c-icap/c-icap.pid" >> /usr/lib/systemd/system/c-icap.service
echo "ExecStart=/usr/local/bin/c-icap -f /etc/c-icap.conf" >> /usr/lib/systemd/system/c-icap.service
echo "KillMode=process" >> /usr/lib/systemd/system/c-icap.service
echo "[Install]" >> /usr/lib/systemd/system/c-icap.service
echo "WantedBy=multi-user.target" >> /usr/lib/systemd/system/c-icap.service
systemctl enable c-icap
reboot

thanks,

rob



--
Regards,

Robert K Wild.

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Re: squid-cache proxy which does it all

Amos Jeffries
Administrator
On 9/01/20 8:34 pm, robert k Wild wrote:

> hi all,
>
> I have made a script for squid that installs the following –
>
> Squid – http proxy server
> Squid ssl-bump – https interception for squid
> C-ICAP – icap server
> clamAV – AV engine to detect trojan viruses malware etc
> squidclamav – to make it all integrated with squid
>
> what do you think?
>
> #!/bin/bash
> #squid on DMZ host
> #
> #first things first lets disable firewalld and SElinux
> #
> systemctl stop firewalld
> systemctl disable firewalld
> sed -i -e 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
> #

Why?



> #squid packages
> #
> yum install -y epel-release swaks sed tar zip unzip curl telnet openssl
> openssl-devel bzip2-devel libarchive libarchive-devel perl
> perl-Data-Dumper gcc gcc-c++ binutils autoconf automake make sudo wget
> libxml2-devel libcap-devel libtool-ltdl-devel
> #
> #clamAV packages
> #
> yum install -y clamav-server clamav-data clamav-update clamav-filesystem
> clamav clamav-scanner-systemd clamav-devel clamav-lib clamav-server-systemd
> #
> #download and compile from source
> #
> cd /tmp
> wget http://www.squid-cache.org/Versions/v4/squid-4.9.tar.gz

Please use rsync for this, and verify against the *.asc file signature
that you got the file correctly.

> wget
> http://sourceforge.net/projects/c-icap/files/c-icap/0.5.x/c_icap-0.5.6.tar.gz
> wget
> http://sourceforge.net/projects/c-icap/files/c-icap-modules/0.5.x/c_icap_modules-0.5.4.tar.gz
> wget
> https://sourceforge.net/projects/squidclamav/files/squidclamav/7.1/squidclamav-7.1.tar.gz
> for f in *.tar.gz; do tar xf "$f"; done
> cd /tmp/squid-4.9
> ./configure --with-openssl --enable-ssl-crtd --enable-icap-client &&
> make && make install
> #

IIRC this was a CentOS machine, right?
If so, see <https://wiki.squid-cache.org/KnowledgeBase/CentOS#Compiling>
otherwise see the equivalent wiki page for your chosen OS compile.

Those settings install Squid as a system application. So no need for the
/usr/local stuff.


> cd /tmp/c_icap-0.5.6
> ./configure 'CXXFLAGS=-O2 -m64 -pipe' 'CFLAGS=-O2 -m64 -pipe'
> --without-bdb --prefix=/usr/local && make && make install
> #
> cd /tmp/squidclamav-7.1
> ./configure 'CXXFLAGS=-O2 -m64 -pipe' 'CFLAGS=-O2 -m64 -pipe'
> --with-c-icap=/usr/local --with-libarchive && make && make install
> #
> cd /tmp/c_icap_modules-0.5.4
> ./configure 'CFLAGS=-O3 -m64 -pipe'
> 'CPPFLAGS=-I/usr/local/clamav/include' 'LDFLAGS=-L/usr/local/lib
> -L/usr/local/clamav/lib/' && make && make install
> #
> #creating shortcuts and copying files
> #
> cp -f /usr/local/squid/etc/squid.conf /usr/local/squid/etc/squid.conf.orig
> cp -f /usr/local/etc/c-icap.conf /usr/local/etc/c-icap.conf.orig
> cp -f /usr/local/etc/squidclamav.conf /usr/local/etc/squidclamav.conf.orig
> cp -f /usr/local/etc/clamav_mod.conf /usr/local/etc/clamav_mod.conf.orig
> cp -f /usr/local/etc/virus_scan.conf /usr/local/etc/virus_scan.conf.orig
> #
> ln -s /usr/local/squid/etc/squid.conf /etc
> ln -s /usr/local/etc/c-icap.conf /etc
> ln -s /usr/local/etc/squidclamav.conf /etc
> ln -s /usr/local/etc/clamav_mod.conf /etc
> ln -s /usr/local/etc/virus_scan.conf /etc
> #
> mkdir -p /usr/local/clamav/share/clamav
> ln -s /var/lib/clamav /usr/local/clamav/share/clamav
> #
> #tmpfiles for run files
> #
> echo "d /var/run/c-icap 0755 root root -" >> /etc/tmpfiles.d/c-icap.conf
> echo "d /var/run/clamav 0755 root root -" >> /etc/tmpfiles.d/clamav.conf
> #
> #delete a few lines in squid
> #
> sed -i '/http_port 3128/d' /usr/local/squid/etc/squid.conf
> sed -i '/http_access deny all/d' /usr/local/squid/etc/squid.conf

Please do not remove that second line from your squid.conf. It will
result in unpredictable default allow/deny behaviour from your proxy.

Instead I recommend (mind the wrap):

 sed -i 's%# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS%include "/etc/squid/squid.conf.d/*"%' \
   /usr/local/squid/etc/squid.conf

Then you can just drop files into the /etc/squid/squid.conf.d/ directory
and they will be loaded as config on next start or reconfigure.



HTH
Amos
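
Added example, not part of the message above and not Squid project code: the drop-in include recommended in the reply, applied to a constructed excerpt of the stock squid.conf, with a lint that rejects a config whose final `http_access deny all` has been deleted. The function names, the temp-directory paths and the drop-in file name `10-whitelist.conf` are assumptions made for the example.

```shell
#!/bin/bash
# Added example, not from the thread. It works on a constructed excerpt of
# the stock squid.conf inside a temp directory; nothing under /etc is touched.

MARKER='# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS'

# Constructed stand-in for the default squid.conf, written to $1.
make_sample_conf() {
  cat > "$1" <<EOF
acl SSL_ports port 443
http_access deny CONNECT !SSL_ports
$MARKER
http_access allow localhost
http_access deny all
http_port 3128
EOF
}

# Replace the marker comment in conf $1 with an include of drop-in dir $2.
add_include() {
  local tmp rc
  tmp=$(mktemp) || return 1
  # '%' is the delimiter because the replacement contains slashes.
  sed "s%^${MARKER}\$%include \"$2/*\"%" "$1" > "$tmp" && cat "$tmp" > "$1"
  rc=$?
  rm -f "$tmp"
  return $rc
}

# The thread's whitelist rules as a drop-in in dir $1; file name is assumed.
write_dropin() {
  mkdir -p "$1" || return 1
  cat > "$1/10-whitelist.conf" <<EOF
#HTTP_HTTPS whitelist websites
acl whitelist ssl::server_name "$2"
http_access allow whitelist
EOF
}

# Lint $1: the last http_access rule must be "deny all" and the include must
# come before it. When no rule matches, Squid applies the opposite of the
# last http_access line, so without the final deny the default flips.
check_conf() {
  local last inc deny
  last=$(grep -E '^http_access[[:space:]]' "$1" | tail -n 1)
  [ "$last" = "http_access deny all" ] || { echo "FAIL: last rule is '${last:-none}'"; return 1; }
  inc=$(grep -n '^include ' "$1" | head -n 1 | cut -d: -f1)
  deny=$(grep -n '^http_access deny all$' "$1" | tail -n 1 | cut -d: -f1)
  [ -n "$inc" ] && [ "$inc" -lt "$deny" ] || { echo "FAIL: no include before deny all"; return 1; }
  echo "OK: include at line $inc, deny all at line $deny"
}

demo() {
  local d rc; d=$(mktemp -d) || return 1
  make_sample_conf "$d/squid.conf"
  # The posted script's approach: delete the final deny. The lint rejects it.
  sed '/http_access deny all/d' "$d/squid.conf" > "$d/stripped.conf"
  check_conf "$d/stripped.conf"
  write_dropin "$d/squid.conf.d" "$d/urlwhite.txt"
  add_include "$d/squid.conf" "$d/squid.conf.d"
  check_conf "$d/squid.conf"; rc=$?
  rm -rf "$d"; return $rc
}
demo
```

The lint reads only the main file; rules in drop-in files are loaded at the include position, so they are evaluated before the final deny as long as the include precedes it.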

Re: squid-cache proxy which does it all

robert k Wild
thanks for this Amos, really appreciate it :)

On Thu, 9 Jan 2020 at 19:00, Amos Jeffries <[hidden email]> wrote:


--
Regards,

Robert K Wild.
