Step 4: Recompile Squid to Support HTTPS/SSL Filtering

The Squid package in the default Debian 9 repository was not built with the configure switches needed for HTTPS filtering and SSL Bumping. We will need to rebuild a newer Squid version from source, applying one small patch to enable SSL filtering. Run the script 04_squid.sh to do it.

#!/bin/bash

# we will compile squid as a normal user, and NOT as root
if [[ $EUID -eq 0 ]]; then
   echo "This script must NOT be run as root" 1>&2
   exit 1
fi

# abort on the first failing command so a broken download or patch
# does not silently produce an unpatched build
set -euo pipefail

# remove any previous squid3 build folder (-f: do not fail if it is absent)
rm -rf build/squid3

# we will be working in a subfolder; create it
mkdir -p build/squid3

# copy the patch to the working folder
cp rules.patch build/squid3/rules.patch

# descend into the working directory
pushd build/squid3

# get squid3 from debian stretch
wget http://http.debian.net/debian/pool/main/s/squid3/squid3_3.5.23-5.dsc
wget http://http.debian.net/debian/pool/main/s/squid3/squid3_3.5.23.orig.tar.gz
wget http://http.debian.net/debian/pool/main/s/squid3/squid3_3.5.23-5.debian.tar.xz

# unpack the source package
dpkg-source -x squid3_3.5.23-5.dsc

# modify configure options in debian/rules, add --enable-ssl --enable-ssl-crtd and --with-openssl
patch squid3-3.5.23/debian/rules < rules.patch

# build the package
cd squid3-3.5.23 && dpkg-buildpackage -rfakeroot -b

# and revert
popd
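Before spending time on the build, it is worth confirming that the patch actually landed in debian/rules, and after the package is installed, that the resulting binary was really built with the three switches. The following helper is an added example and not part of 04_squid.sh or of the Squid project; it assumes the build layout used by the script above (build/squid3/squid3-3.5.23/debian/rules) and that `squid -v` prints a "configure options:" line, as Squid 3.5 does.

```shell
#!/bin/bash
# Added verification helper; not part of the original 04_squid.sh script.
# It confirms that the three SSL-bumping configure switches are present,
# either in the patched debian/rules before building or in the
# "configure options:" line that `squid -v` prints once the package is installed.

REQUIRED_SWITCHES="--enable-ssl --enable-ssl-crtd --with-openssl"

# check_ssl_switches: reads text on stdin, prints any required switch that is
# absent, and returns 0 when all are present, 1 otherwise. A switch only counts
# when it stands on its own (so --enable-ssl does not match --enable-ssl-crtd).
check_ssl_switches() {
    local text switch missing=""
    text=$(cat)
    for switch in $REQUIRED_SWITCHES; do
        # a switch is delimited by start/end of line, a space, or the single
        # quotes that `squid -v` puts around each configure option
        if ! printf '%s\n' "$text" | grep -Eq -e "(^|[ '])${switch}([ ']|\$)"; then
            missing="$missing $switch"
        fi
    done
    if [ -n "$missing" ]; then
        echo "missing configure switches:$missing" >&2
        return 1
    fi
    return 0
}

# Usage (paths assumed, matching the build layout in 04_squid.sh):
#   ./check_squid_ssl.sh rules    # after the patch step, before dpkg-buildpackage
#   ./check_squid_ssl.sh binary   # after the built package has been installed
if [ "${1:-}" = "rules" ]; then
    check_ssl_switches < build/squid3/squid3-3.5.23/debian/rules
elif [ "${1:-}" = "binary" ]; then
    "${SQUID_BIN:-squid}" -v | check_ssl_switches
fi
```

The same function serves both inputs because debian/rules lists each switch followed by a space and a backslash, while `squid -v` wraps each switch in single quotes; the delimiter class in the pattern accepts either, and rejects a prefix match such as --enable-ssl inside --enable-ssl-crtd.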

The contents of rules.patch are shown below. The patch adds the --enable-ssl, --enable-ssl-crtd and --with-openssl switches to the configure options in debian/rules.

--- rules   2017-06-02 18:36:55.000000000 -0400
+++ rules.new   2017-09-21 15:43:40.085186837 -0400
@@ -28,6 +28,9 @@
        --enable-delay-pools \
        --enable-cache-digests \
        --enable-icap-client \
+       --enable-ssl \
+       --enable-ssl-crtd \
+       --with-openssl \
        --enable-follow-x-forwarded-for \
        --enable-auth-basic="DB,fake,getpwnam,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB" \
        --enable-auth-digest="file,LDAP" \
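Review bot: the hunk adds --with-openssl to the configure call, but since this is the only hunk in rules.patch, Build-Depends in debian/control is left untouched; dpkg-buildpackage checks that list, which will still not mention libssl-dev, so the configure step only finds the OpenSSL headers if libssl-dev happens to be installed already. Consider a second hunk adding libssl-dev to Build-Depends, or installing it explicitly before the build in 04_squid.sh. Also, the headers `--- rules` / `+++ rules.new` do not name debian/rules; the patch applies only because the script passes the target file explicitly (`patch squid3-3.5.23/debian/rules < rules.patch`), so anyone applying it with `patch -p1` from the source tree would need the header paths fixed.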

Press Next to continue to Step 5.