[squid-users] How to setup a secure(!) squid proxy

2016-01-13 Thread startrekfan
Hello

I need to setup a squid 3 proxy with https bumping. Unfortunately I'm not
very familiar with squid and https in general.

I already performed the following steps:

*1.) compile from source*
./configure --with-openssl   --enable-ssl-crtd
make
make install

*2.) configuration (http)*
I used this guide: https://help.ubuntu.com/community/Squid

*3.) configuration (https)*
I used this guide: http://wiki.squid-cache.org/ConfigExamp ... mpExplicit


The server is now working for http and https, but is the server secure, too?

Is the default config already secure or do I need to configure additional
security features? (e.g. things like cert validation, cert pinning, [don't
know what's important], ...)

Thank you

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] How to setup a secure(!) squid proxy

2016-01-13 Thread startrekfan
It's a debian. But an ubuntu howto will also work with debian.
Here is the broken link:

I combined these two instructions:
http://wiki.squid-cache.org/Features/SslBump
http://wiki.squid-cache.org/Features/DynamicSslCert

(The latest stable squid on ubuntu is 3.4)


> Date: Wed, 13 Jan 2016 23:19:21 +1300
> From: Amos Jeffries 
>
> On 13/01/2016 10:16 p.m., startrekfan wrote:
> > Hello
> >
> > I need to setup a squid 3 proxy with https bumping. Unfortunately I'm not
> > very familiar with squid and https in general.
> >
> > I already performed the following steps:
> >
> > *1.) compile from source*
> > ./configure --with-openssl   --enable-ssl-crtd
> > make
> > make install
>
> You now have Squid pieces installed in the BSD default locations.
>
> >
> > *2.) configuration (http)*
> > I used this guide: https://help.ubuntu.com/community/Squid
> >
>
> Is this an Ubuntu system? If not the Ubuntu advice will be wrong.
>
> At the very least the advice to start installing Squid with "apt-get
> install apache2" is wrong.
>
>
>
> > *3.) configuration (https)*
> > I used this guide: http://wiki.squid-cache.org/ConfigExamp ... mpExplicit
>
> huh? what URL was that supposed to be?
>
> >
> > The server is now working for http and https, but is the server secure, too?
> >
> > Is the default config already secure or do I need to configure additional
> > security features? (e.g. things like cert validation, cert pinning, [don't
> > know what's important], ...)
> >
>
> The default squid.conf performs HTTP securely. Without HTTPS. What your
> config does nobody can say without seeing what it is.
>
> Amos


Re: [squid-users] How to setup a secure(!) squid proxy

2016-01-14 Thread startrekfan
Hello,

thank you for your answer. I'm using the debian stable version(3.4.8) at
the moment. The squid server is working very well.

But I have a different question: How do I secure/harden my squid _https_
proxy?

I used the following page to configure my https proxy:
http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit

Is this enough or do I have to perform additional steps to secure my server?

Thank you


[squid-users] Suggestion: https compile option as default

2016-01-14 Thread startrekfan
Hello

I'd like to suggest that the pre compiled squid packages (e.g *.deb) should
be built with the flags
--enable-ssl \
--with-openssl \
--enable-ssl-crtd
by default

It would make things much easier for me then I can install a https ready
squid directly from the repository(apt-get)


Re: [squid-users] How to setup a secure(!) squid proxy

2016-01-15 Thread startrekfan
Hello

I'm sorry. I'm not a native speaker so I maybe don't find the right words.

I'd like to setup a proxy that can scan the incoming traffic for virus
(squidclamav). To do that for a https/ssl connection I need the squid
ssl-bump feature or is there another solution?

Now I want to setup the ssl-bump feature as safe as using no ssl-bump. Is
this possible with squid 3.4? (Of course every one who has my CA cert can
decrypt the traffic, but I keep it safe.)
Squid is communicating with the remote server(webserver). I'd like to have
at least this communication as safe as using a normal browser.

Does squid 3.4 do all the necessary steps like checking the certificate
validity? What about advanced features like cert pinning?

How do I configure ssl virus scanning? Are these steps enough:
http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit

Thank you again :)
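An added example, not part of the original thread and not Squid project code: a small Python audit of the squid.conf directives that decide whether a bumping Squid 3.x validates the origin server, which is what the question above asks about. The two configuration fragments, their paths, the finding names and the choice of checks are constructed for illustration; the directive and flag names are those of Squid 3.x.

```python
import re

# Constructed squid.conf fragments for this example; all paths are placeholders.
WEAK_CONF = """\
http_port 3128 ssl-bump cert=/etc/squid/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/lib/ssl_db -M 4MB
ssl_bump client-first all
# accept whatever certificate the origin server presents
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
"""

STRICT_CONF = """\
http_port 3128 ssl-bump cert=/etc/squid/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/lib/ssl_db -M 4MB
ssl_bump server-first all
sslproxy_cert_error deny all
sslproxy_options NO_SSLv2,NO_SSLv3
"""


def parse_directives(text):
    """Yield (line_number, directive, arguments) for each active config line."""
    for number, raw in enumerate(text.splitlines(), 1):
        tokens = []
        for token in raw.split():
            if token.startswith("#"):  # the rest of the line is a comment
                break
            tokens.append(token)
        if tokens:
            yield number, tokens[0], tokens[1:]


def split_flags(args):
    """Flag and option lists may be separated by commas or colons."""
    return {f for arg in args for f in re.split(r"[,:]", arg) if f}


def audit(text):
    """Return (line_number, finding_id, explanation); line 0 means whole file."""
    findings = []
    bumping = False
    proxy_options = set()
    for number, name, args in parse_directives(text):
        if name == "ssl_bump" and args:
            bumping = bumping or args[0] != "none"
            if args[0] == "client-first":
                findings.append((number, "CLIENT_FIRST",
                                 "the client-side certificate is generated before "
                                 "Squid has seen the origin server certificate"))
        elif name == "sslproxy_cert_error" and args and args[0] == "allow":
            findings.append((number, "CERT_ERRORS_ALLOWED",
                             "origin certificate validation errors are ignored "
                             "for traffic matching: " + " ".join(args[1:])))
        elif name == "sslproxy_flags":
            if "DONT_VERIFY_PEER" in split_flags(args):
                findings.append((number, "NO_PEER_VERIFY",
                                 "origin certificates that fail verification "
                                 "are accepted"))
        elif name == "sslproxy_options":
            proxy_options |= split_flags(args)
    # Only relevant when something is actually bumped.
    if bumping and not {"NO_SSLv2", "NO_SSLv3"} <= proxy_options:
        findings.append((0, "LEGACY_PROTOCOLS",
                         "no sslproxy_options line disables SSLv2 and SSLv3, so "
                         "the protocol choice is left to the library defaults"))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("strict", STRICT_CONF)):
        results = audit(conf)
        print(f"{label}: {len(results)} finding(s)")
        for number, finding_id, why in results:
            where = f"line {number}" if number else "file"
            print(f"  {where}: {finding_id}: {why}")
```
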


Re: [squid-users] How to setup a secure(!) squid proxy

2016-01-17 Thread startrekfan
Just talked to the debian guys. They won't upgrade squid to 3.5 in
debian jessie. It's also hard for me, to implement unstable components
in a productive system.

But the debian guys told me, that they will build own patches for
3.4.8 to fix critical problems if you report them properly to

https://packages.qa.debian.org/s/squid3.html or

secur...@debian.org


I hope/think you already do. So I think 3.4.8 should work for me as well.


> Hello
>
> I'm sorry. I'm not a native speaker so I maybe don't find the right words.
>
> I'd like to setup a proxy that can scan the incoming traffic for virus
> (squidclamav). To do that for a https/ssl connection I need the squid
> ssl-bump feature or is there another solution?
>
> Now I want to setup the ssl-bump feature as safe as using no ssl-bump.
> Is this possible with squid 3.4? (Of course every one who has my CA
> cert can decrypt the traffic, but I keep it safe.)
> Squid is communicating with the remote server(webserver). I'd like to
> have at least this communication as safe as using a normal browser.
>
> Does squid 3.4 do all the necessary steps like checking the
> certificate validity? What about advanced features like cert pinning?

I don't think 3.4 is enough. May be 3.5 or higher.

> How do I configure ssl virus scanning? Are these steps enough:
> http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit

http://wiki.squid-cache.org/ConfigExamples/ContentAdaptation/C-ICAP

> Thank you again :)


Re: [squid-users] How to setup a secure(!) squid proxy

2016-01-18 Thread startrekfan
I just checked it. It'll work at the moment. But only because the
dependencies (and the dependency version) haven't changed from 3.4.8 to
3.5. So there is no guarantee that it will work with further releases.

On the other hand: Installing unstable software is not the way the state
system works/should work. I talked to the debian guys. That's exactly the
reason why they don't release squid 3.5 for jessie but writing patches to
solve critical issues on their own.

Then I have to move every software to unstable state (because of the
security) I can install an unstable debian directly.

L.P.H. van Belle wrote on Mon, 18 Jan 2016 at 09:07:

> Really this is an easy thing to do.
>
> Add in your sources.list.d/sid.listad the sid  repo.  ( only src-deb )
>
> Run apt-get update.
>
> apt-get source squid
>
> apt-get build-dep squid
>
>  make changes if needed, in debian/rules and debian/changelog IF you
> changed something.
>
> Build it
>
> apt-get source squid -b
>
> it errors, that's ok, get the 2 or 3 extra packages, the same way, after
> installing them you can build squid again.
>
> put the debs in a repo you can access and you're done.
>
> Did it here, works fine.
>
> Greetz,
>
> Louis


[squid-users] Fwd: Problem with sha1 certs and bump server first

2016-01-21 Thread startrekfan
Hi,

I have some small problems:

1.) Squid generates dynamic certificates with the sha1 algorithm. Is this
just a configuration issue or do I have to update to squid 3.5 to fix this?
(When I upgrade: Do I still have to change the config?)

2.) When I use bump server-first squid doesn't check for wrong hostnames
itself. Does squid provide enough info so that any browser can detect
the wrong hostname by itself or is client-first a more secure option?

Thank you for your answer and time.

Ps: Squid is a great proxy. Works very well for my needs. I like it :)




Re: [squid-users] How to setup a secure(!) squid proxy

2016-01-22 Thread startrekfan
Talked to the debian guys again. There seems to be a problem with the
complete release system.

They apply security patches for the stable squid 3.4.8 in debian jessie.
But not for the ssl part of squid because it's disabled by default. So when
I enable ssl I have to take care about everything by myself.

So the only thing that I can do is compiling an "unstable" squid 3.5 by
myself. But this has several disadvantages: No auto-update, problems with
the dependencies (This can get serious, if squid changes common
dependencies), unstable software in a stable environment (Squid _could_ run
unstable)

Is there any chance that squid modifies its license so that it's compatible
with openssl? The current situation makes the administration more
complicated than it's necessary for everyone.

Thanks


Re: [squid-users] How to setup a secure(!) squid proxy

2016-01-22 Thread startrekfan
I tried to compile squid from sid repo. It fails, but I'm not sure why.

When I only add the src-deb apt-get build-dep squid3 says libecap3-dev was
not found and fails. (I'm not sure why it's needed. libecap3-dev is not
listed in the dependencies. https://packages.debian.org/sid/squid3)

When I add deb and deb-src apt-get build-dep squid3 wants to
update/install adwaita-icon that is not compatible with gnome.

So I can't build squid 3.5 on a stable Jessie. Do you have any ideas why?

L.P.H. van Belle wrote on Mon, 18 Jan 2016 at 09:07:

> Really this is an easy thing to do.
>
> Add in your sources.list.d/sid.listad the sid  repo.  ( only src-deb )
> Run apt-get update.
>
> apt-get source squid
> apt-get build-dep squid
>  make changes if needed, in debian/rules and debian/changelog IF you
> changed something.
>
> Build it
> apt-get source squid -b
> it errors, that's ok, get the 2 or 3 extra packages, the same way, after
> installing them you can build squid again.
>
> put the debs in a repo you can access and you're done.
> Did it here, works fine.
>
> Greetz,
>
> Louis


Re: [squid-users] How to setup a secure(!) squid proxy

2016-01-22 Thread startrekfan
Found the problem:

The dependencies have changed: https://packages.debian.org/sid/squid (not
sure why there is also a https://packages.debian.org/sid/squid3 entry)

That's exactly the problem with unstable sources. squid3 3.5 requires
libecap3 instead of libecap2 (squid3 version 3.4). I can't install libecap3
because it has further dependencies.
I also can't even compile libecap3 without installing n more dependencies.

So I have to use squid 3.4 with the unsafe sha1 furthermore.

startrekfan wrote on Fri, 22 Jan 2016 at 15:45:

> I tried to compile squid from sid repo. It fails, but I'm not sure why.
>
> When I only add the src-deb apt-get build-dep squid3 says libecap3-dev was
> not found and fails. (I'm not sure why it's needed. libecap3-dev is not
> listed in the dependencies. https://packages.debian.org/sid/squid3)
>
> When I add deb and deb-src apt-get build-dep squid3 wants to
> update/install adwaita-icon that is not compatible with gnome.
>
> So I can't build squid 3.5 on a stable Jessie. Do you have any ideas why?


Re: [squid-users] simple script to get squid 3.5.12 from Debian sid on Jessie.

2016-01-22 Thread startrekfan
I'm not sure that this script will work. The script isn't doing much more
than adding an unstable entry to the sources list and trying to *_install_*
the dependencies (Yes, apt-get build-dep squid will install the dependencies
directly on my debian jessie system)

As I described before: This will not work, because of the missing libecap3
that could not be installed on a stable debian without installing a bunch
of other dependencies.


L.P.H. van Belle wrote on Fri, 22 Jan 2016 at 16:46:

> No, this is NOT a problem at all.
> You need 4 ! files and no other sid depends, just debian Jessie.
> Its a quick write, but should be error free, tested until the squid
> compile.
>
> I use a separated VM for this and all my created debs are available through
> webaccess, like normal, below is based on "local install" if you want to
> have is network available, look at the apt/sources.list.d/localrepo.list,
> change to needed hostname for your webserver etc.. not explained here..
> but should be easy to do.
>
> Create a file, add content below ( sed CODE ),
> chmod +x and run it. (as root)
>
> In the end you have a compiled squid 3.5.12, ready to install with ssl
> enabled. Which is just a apt-get install squid then.
> And !! all squid3 is now changed to squid !!
>
> Enjoy, and have a nice weekend,
>
> Greetz,
>
> Louis
>
>
> ### CODE, run as root, can be better, but a quicky for you.
> #!/bin/bash
>
> SETPATH=`pwd`
> if [ ! -e /etc/apt/sources.list.d/sid.list ]; then
> # adding sid repo
> cat << EOF >> /etc/apt/sources.list.d/sid.list
> #
> #deb http://ftp.nl.debian.org/debian/ sid main non-free contrib
> deb-src http://ftp.nl.debian.org/debian/ sid main non-free contrib
> EOF
> fi
>
> if [ ! -e /etc/apt/sources.list.d/localrepo.list ]; then
> # adding local repo ( webserver based )
> cat << EOF >> /etc/apt/sources.list.d/localrepo.list
> #
> # change if you don't have a webserver.
> #file:/var/www/mydebs ./
> deb http://localhost/mydebs/ ./
> EOF
>
> fi
>
> if [ ! -e /var/www/mydebs ]; then
> # get dependes, sources and build sources, setup local apt.
> mkdir -p  /var/www/mydebs
> apt-get install dpkg-dev -y
> fi
>
> for x in c-icap c-icap-modules libecap squid ; do
> apt-get build-dep $x
> apt-get source $x
> if [ $x = squid ]; then
> sed -i 's/--with-default-user=proxy/--with-default-user=proxy \\/g' squid3-3.5.12/debian/rules
> sed -i '/with-default-user=proxy/a \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ --enable-ssl \\'  squid3-3.5.12/debian/rules
> sed -i '/enable-ssl/a \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ --with-open-ssl=/etc/ssl/openssl.cnf \\'  squid3-3.5.12/debian/rules
> sed -i '/with-open-ssl/a \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ --enable-linux-netfilter'  squid3-3.5.12/debian/rules
> fi
> apt-get source $x -b
>
> cp *.deb /var/www/mydebs
> cd /var/www/mydebs
> dpkg-scanpackages . /dev/null | gzip -9c > Packages.gz
> cd $SETPATH
> echo "Running apt-get update, please wait."
> apt-get update 2> /dev/null
> sleep 1
> done
>
> ## CODE ENDS,.


Re: [squid-users] How to setup a secure(!) squid proxy

2016-01-22 Thread startrekfan
Thank you. Works great!

Rafael Akchurin wrote on Fri, 22 Jan 2016 at 16:48:

> Hello  Startrekfan,
>
> The patch from SHA1 to SHA256 is quite simple. See
> http://docs.diladele.com/administrator_guide_4_4/install/debian8/squid.html
> at the bottom of the page.
>
> Best regards,
>
> Rafael


Re: [squid-users] simple script to get squid 3.5.12 from Debian sid on Jessie.

2016-01-24 Thread startrekfan
I tried your script in a VM and it fails because of the missing
libcap3 dependency.

I tried to run the script several times.

Here are the interesting outputs of the last run:


    root@debian123:/home/ich/tmp# squid3 -v
    Squid Cache: Version 3.4.8

    root@debian123:/home/ich/tmp# dir /var/www/html/mydebs/
    c-icap_0.4.2-2_amd64.deb  libicapapi4_0.4.2-2_amd64.deb
    libc-icap-mod-clamav_0.4.2-1_all.deb  libicapapi4-dbg_0.4.2-2_amd64.deb
    libc-icap-mod-contentfiltering_0.4.2-1_amd64.deb  libicapapi-dev_0.4.2-2_amd64.deb
    libc-icap-mod-urlcheck_0.4.2-1_amd64.deb  Packages.gz
    libc-icap-mod-virus-scan_0.4.2-1_amd64.deb

    dpkg-buildpackage: Quellpaket squid3
    dpkg-buildpackage: Quellversion 3.5.12-1
    dpkg-buildpackage: Quelldistribution unstable
    dpkg-buildpackage: Quellen geändert durch Luigi Gangitano <lu...@debian.org>
    dpkg-buildpackage: Host-Architektur amd64
     dpkg-source --before-build squid3-3.5.12
    dpkg-checkbuilddeps: Nicht erfüllte Bauabhängigkeiten: libecap3-dev (>= 1.0.1-2) libgnutls28-dev
    dpkg-buildpackage: Warnung: Bauabhängigkeiten/-konflikte nicht erfüllt; Abbruch
    dpkg-buildpackage: Warnung: (Verwenden Sie -d, um sich darüber hinwegzusetzen.)
    Build-Befehl »cd squid3-3.5.12 && dpkg-buildpackage -b -uc« fehlgeschlagen.
    E: Kindprozess fehlgeschlagen


I also tried to change "libecap" to "libecap3" within the script and I also
tried to add "libecap-dev"/"libecap3-dev" to the script: Without any
result.
Of course I used apt-get upgrade after the script finished...no upgrade
packages available. If you still don't believe me I can send you
screenshots.

I'm sure that it's possible to get it to work this way, if you spend enough
time.

But I still think that this isn't a good way to do it. When I get it to
work after hours of trying and squid releases a new version with
new dependencies I have to do the work again(and it's not capable to
auto/apt upgrade). On the other hand this way is prone to failure(unstable
software, custom installation path, ...)

At the end this should be a productive system not a tinker pc. It should
run without doing a lot of tricks that can fail at any time.

*So the only _good_ solution is a modification of the license so that the
debian team can build squid with ssl support. This will solve every problem
immediately.*




L.P.H. van Belle wrote on Sat, 23 Jan 2016 at 09:10:

> i wrote you.. i tested it...
> yes it works
> i have installed 2 x squid 3.5.10 from sid. and updated these 3.5.12.
>
> both servers are my production proxies...
>
> You're not reading or trying.
>
> libecap3 is replaced by libecap4 !!!!
>
> go try this or go compile yourself...
>
> I'm done..

Re: [squid-users] How to setup a secure(!) squid proxy

2016-01-26 Thread startrekfan
Hi,

the script is working and I have a running squid 3.5. Thank you.

But I still think things like this:

echo "change GCC 5.2 to Jessie G++ 4.9 in libecap-1.0.1/debian/control"
sed -i 's/g++ (>= 4:5.2)/g++/g' libecap-1.0.1/debian/control

isn't a good practice. I'm pretty sure that the >=5.2 restriction has a
purpose and is not only there to annoy admins. In this case every thing
seems to work. But modifications like this can always lead to unforeseen
situations.

But thank you again. It's working atm :)

L.P.H. van Belle wrote on Mon, 25 Jan 2016 at 17:14:

> Hai,
>
> Ok, i missed few of my modifications i did, they aren't big changes.
> Sorry about that.
>
> This script is tested on a clean debian jessie, with only ssh installed.
> Have a look at the script.
>
> The files with modifications get the extension custom1 to so they wont mixup
> Or messup original debian files.
> Like :
> libecap3_1.0.1-2-custom1_amd64.deb
> libecap3-dev_1.0.1-2-custom1_amd64.deb
>
> Files without modifications keep the original debian name, when updating
> to newer debian dist, its automatically upgraded.
>
> And again this should work fine, i doing this already as of debian
> squeeze..
> And Debian wheezy was running 3.4.8 for me, my jessie now is running
> 3.5.12.
>
> Greetz,
>
> Louis