Step 4: Recompile Squid to Support HTTPS/SSL Filtering

The Squid package in the default Debian 9 repository is not built with the configure switches needed for HTTPS filtering and SSL bumping. We will need to rebuild a newer Squid version from scratch, applying one small patch to enable SSL filtering. Run the following script to do it.


# we will compile squid as normal user, and NOT as root
if [[ $EUID -eq 0 ]]; then
   echo "This script must NOT be run as root" 1>&2
   exit 1
fi

# drop squid3 build folder (-f: no error if it does not exist yet)
rm -Rf build/squid3

# create the subfolder we will be working in
mkdir -p build/squid3

# copy the patch to the working folder
cp rules.patch build/squid3/rules.patch

# descend into working directory
pushd build/squid3

# get squid3 from debian stretch

# unpack the source package
dpkg-source -x squid3_3.5.23-5.dsc

# modify configure options in debian/rules, add --enable-ssl --enable-ssl-crtd and --with-openssl
patch squid3-3.5.23/debian/rules < rules.patch

# build the package
cd squid3-3.5.23 && dpkg-buildpackage -rfakeroot -b

# and revert to the directory we started in
popd
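
The build script carries on even if the patch step fails, so it is worth confirming that all three switches are present in squid3-3.5.23/debian/rules before dpkg-buildpackage runs, or in saved "squid -v" output afterwards. The check below is an added example, not part of the original script; the function name missing_ssl_switches and the sample fragment are constructed for illustration.

```bash
# Added example, not from the original page.
# Switches that rules.patch adds to the configure arguments.
REQUIRED_SWITCHES="--enable-ssl --enable-ssl-crtd --with-openssl"

# Print every required switch missing from file $1 (debian/rules, or saved
# "squid -v" output). Returns 0 if all are present, 1 if any is missing,
# 2 if the file cannot be read.
missing_ssl_switches() {
    mss_file="$1"
    mss_status=0
    [ -r "$mss_file" ] || { echo "cannot read $mss_file" >&2; return 2; }
    for mss_sw in $REQUIRED_SWITCHES; do
        # Drop comment lines, then match the switch only as a whole token, so
        # that --enable-ssl-crtd alone does not satisfy the --enable-ssl check.
        if ! grep -v '^[[:space:]]*#' "$mss_file" |
             grep -Eq -- "(^|[[:space:]'])${mss_sw}([[:space:]'\\\\]|\$)"; then
            echo "$mss_sw"
            mss_status=1
        fi
    done
    return "$mss_status"
}

# Constructed sample: a rules fragment where one added line went missing.
demo_rules=$(mktemp)
cat > "$demo_rules" <<'EOF'
		--enable-icap-client \
		--enable-ssl-crtd \
		--with-openssl \
		--enable-follow-x-forwarded-for \
EOF
echo "missing from sample: $(missing_ssl_switches "$demo_rules")"
rm -f "$demo_rules"
```

In the build script this would sit between the patch and dpkg-buildpackage lines, for example as: missing_ssl_switches squid3-3.5.23/debian/rules || exit 1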

The contents of rules.patch are shown below. Basically, the patch adds the --enable-ssl, --enable-ssl-crtd and --with-openssl switches to the configure arguments.

--- rules   2017-06-02 18:36:55.000000000 -0400
+++   2017-09-21 15:43:40.085186837 -0400
@@ -28,6 +28,9 @@
        --enable-delay-pools \
        --enable-cache-digests \
        --enable-icap-client \
+       --enable-ssl \
+       --enable-ssl-crtd \
+       --with-openssl \
        --enable-follow-x-forwarded-for \
        --enable-auth-basic="DB,fake,getpwnam,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB" \
        --enable-auth-digest="file,LDAP" \
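
Review bot: the `+++` line above the `@@ -28,6 +28,9 @@` header carries only a timestamp and no file name, so the header is malformed and tools that read the target from it may not find the file; the build script works around this by naming the target explicitly in `patch squid3-3.5.23/debian/rules < rules.patch`. Restore the file name after `+++` so the patch is self-describing. The hunk is also pinned to line 28 with `--enable-icap-client` and `--enable-follow-x-forwarded-for` as context, so it should be regenerated if debian/rules changes, and the result is worth confirming after the build by checking that `squid -v` lists the three added switches.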

Press Next to continue to Step 5.