Step 6: Integrate Squid, Apache and ICAP Server

To integrate Squid, Apache and the Web Safety ICAP server, run the 06_integrate.sh script. The script first adds exceptions to the built-in firewall for ports 80 and 443 (needed for Apache and the Web UI) and port 3128 (needed for Squid). Then it replaces the Squid configuration with one that has ICAP integration and HTTPS filtering enabled; the original file is kept as /etc/squid/squid.conf.original. Finally, it creates the SSL storage for the mimicked certificates generated by Squid, deleting any storage that already exists at that path.

#!/bin/bash

# integration should be done as root
if [[ $EUID -ne 0 ]]; then
   echo "This script must be run as root" 1>&2
   exit 1
fi

# allow connection to 80, 443 and 3128 ports for apache and squid
firewall-cmd --permanent --zone=public --add-service=http
firewall-cmd --permanent --zone=public --add-service=https
firewall-cmd --permanent --zone=public --add-port=3128/tcp
firewall-cmd --reload

# adjust the squid.conf
if [ ! -f /etc/squid/squid.conf.original ]; then
    mv /etc/squid/squid.conf /etc/squid/squid.conf.original
fi

# copy new config
cp squid.conf /etc/squid/squid.conf

# allow web ui read-only access to squid configuration file
chmod o+r /etc/squid/squid.conf

# create storage for generated ssl certificates
SSL_DB=/var/spool/squid_ssldb
if [ -d "$SSL_DB" ]; then
    rm -Rf "$SSL_DB"
fi

/usr/lib64/squid/ssl_crtd -c -s "$SSL_DB"

# and change its ownership
chown -R squid:squid "$SSL_DB"

# parse the resulting config and stop if squid rejects it
/usr/sbin/squid -k parse || { echo "squid.conf failed to parse, not restarting" 1>&2; exit 1; }

# restart squid to load all config
systemctl restart squid.service
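
A check you can run after the integration script, added here as an example and not part of the Web Safety package: it confirms that the installed squid.conf actually enables ICAP and HTTPS filtering and that its certificate helper points at the same storage directory the script initialised. The function names and the sample fragment are constructed for illustration; icap_enable, ssl_bump and sslcrtd_program are standard Squid directives, and the packaged squid.conf itself is not shown on this page.

```shell
#!/bin/sh
# Added example: not part of the Web Safety package or 06_integrate.sh.

# sample_conf: constructed squid.conf fragment used only for the demo below
sample_conf() {
    cat <<'EOF'
# constructed sample, not the packaged configuration
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/spool/squid_ssldb -M 4MB
ssl_bump bump all
icap_enable on
EOF
}

# check_squid_conf CONF SSL_DB
# Prints one line per problem; exit status is non-zero if any problem is found.
check_squid_conf() (
    conf=$1; ssl_db=$2; rc=0
    # look at active directives only, so a commented-out line does not count
    active=$(grep -Ev '^[[:space:]]*(#|$)' "$conf") \
        || { echo "empty or unreadable: $conf"; exit 1; }
    # without icap_enable on, requests are never handed to the ICAP server
    printf '%s\n' "$active" \
        | grep -Eq '^[[:space:]]*icap_enable[[:space:]]+on([[:space:]]|$)' \
        || { echo "icap_enable is not on"; rc=1; }
    # HTTPS filtering needs at least one ssl_bump rule
    printf '%s\n' "$active" | grep -Eq '^[[:space:]]*ssl_bump[[:space:]]' \
        || { echo "no ssl_bump rule"; rc=1; }
    # the helper's -s directory must be the one created with ssl_crtd -c
    db=$(printf '%s\n' "$active" | sed -n \
        's/^[[:space:]]*sslcrtd_program[[:space:]].*-s[[:space:]]\{1,\}\([^[:space:]]\{1,\}\).*/\1/p' \
        | head -n 1)
    [ "$db" = "$ssl_db" ] \
        || { echo "sslcrtd_program uses '${db:-none}', expected '$ssl_db'"; rc=1; }
    exit "$rc"
)

# demo on the constructed fragment; on a real host pass /etc/squid/squid.conf
tmp=$(mktemp)
sample_conf > "$tmp"
check_squid_conf "$tmp" /var/spool/squid_ssldb \
    && echo "squid.conf is consistent with the integration script"
rm -f "$tmp"
```
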

Please note that the RPM installation package copied the preconfigured virtual host file to /etc/httpd/conf.d/websafety.conf. This virtual host is loaded automatically when the Apache web server starts.

If you have other virtual hosts listening on port 80, you may need to manually modify the contents of /etc/httpd/conf.d/websafety.conf and/or remove the default welcome.conf virtual host by running rm /etc/httpd/conf.d/welcome.conf.