Step 3: Recompile Squid to Support HTTPS/SSL Filtering

The Squid package in the default Debian 10 repository is not built with the configure switches required for HTTPS filtering and SSL bumping, so we need to rebuild it from source with one small patch that enables SSL filtering. Navigate to the core.debian10 subfolder and run the 03_squid.sh script to do it.

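#!/bin/bash

# stop at the first failed command, so a failed download or patch never reaches the build
set -e

# we will compile squid as normal user, and NOT as root
if [[ $EUID -eq 0 ]]; then
   echo "This script must NOT be run as root" 1>&2
   exit 1
fi

# drop squid build folder (-f: no error when it does not exist yet)
rm -rf build/squid

# create the subfolder we will be working in
mkdir -p build/squid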

# copy the patches to the working folder
cp rules.patch build/squid/rules.patch

# set squid version
source squid.ver

# descend into working directory
pushd build/squid

# get squid from debian experimental
wget http://http.debian.net/debian/pool/main/s/squid/squid_${SQUID_PKG}.dsc
wget http://http.debian.net/debian/pool/main/s/squid/squid_${SQUID_VER}.orig.tar.xz
wget http://http.debian.net/debian/pool/main/s/squid/squid_${SQUID_VER}.orig.tar.xz.asc
wget http://http.debian.net/debian/pool/main/s/squid/squid_${SQUID_PKG}.debian.tar.xz

# unpack the source package
dpkg-source -x squid_${SQUID_PKG}.dsc

# modify configure options in debian/rules, add --enable-ssl --enable-ssl-crtd --with-openssl
patch squid-${SQUID_VER}/debian/rules < ../../rules.patch

# build the package
cd squid-${SQUID_VER} && dpkg-buildpackage -rfakeroot -b

# and return to the original folder
popd

The contents of rules.patch are shown below. The patch adds the --enable-ssl, --enable-ssl-crtd and --with-openssl switches to the configure arguments. It also fixes the error with Squid compilation on Raspberry PI as indicated in https://github.com/diladele/websafety/issues/1391 (fixed).

--- rules.orig  2020-02-10 13:12:54.000000000 +0000
+++ rules       2020-04-13 07:49:07.329340183 +0100
@@ -4,7 +4,7 @@
 export DEB_CFLAGS_MAINT_APPEND = -Wall

 DEB_LDFLAGS_MAINT_APPEND = -Wl,--as-needed
-ifneq (,$(filter $(DEB_HOST_ARCH), armel m68k mips mipsel powerpc powerpcspe sh4))
+ifneq (,$(filter $(DEB_HOST_ARCH), armhf armel m68k mips mipsel powerpc powerpcspe sh4))
        DEB_LDFLAGS_MAINT_APPEND += -latomic
 endif
 export DEB_LDFLAGS_MAINT_APPEND
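Review bot: the armhf entry added to the $(filter $(DEB_HOST_ARCH), ...) list carries no comment saying why that architecture needs -latomic. Add a line above the ifneq that names the Raspberry Pi build error and the issue it was reported in, so the entry is not silently dropped the next time debian/rules is taken from a newer package.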
@@ -41,6 +41,9 @@
                --enable-delay-pools \
                --enable-cache-digests \
                --enable-icap-client \
+               --enable-ssl \
+               --enable-ssl-crtd \
+               --with-openssl \
                --enable-follow-x-forwarded-for \
                --enable-auth-basic="DB,fake,getpwnam,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB" \
                --enable-auth-digest="file,LDAP" \
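Review bot: --with-openssl in the added lines makes configure require the OpenSSL development headers, and this patch changes only rules. Check that libssl-dev is listed in Build-Depends in debian/control; if it is not, add it in the same patch or state the prerequisite in a comment next to the three flags, otherwise the dependency is undeclared and the failure only shows up at configure time.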

The squid.ver file specifies the version of Squid we are rebuilding.

#!/usr/bin/env bash

# set squid version
SQUID_VER="4.11"
SQUID_PKG="${SQUID_VER}-3"
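
The build script above fetches the source package over plain HTTP and never checks the .asc file it downloads. As an added example (not part of the original scripts), the functions below pin the SHA-256 of the .dsc and then check every file it lists under Checksums-Sha256; SQUID_DSC_SHA256 is a hypothetical extra variable for squid.ver, and the sample files are constructed.

```shell
# Added example: integrity checks to run between the wget calls and
# dpkg-source -x. SQUID_DSC_SHA256 is a hypothetical pin, not a project variable.

# Print the SHA-256 of a file as bare hex.
sha256_of() { sha256sum "$1" | cut -d' ' -f1; }

# Succeed only if file $1 hashes to the pinned value $2 (an empty pin fails).
verify_pinned() {
    [ -n "$2" ] && [ "$(sha256_of "$1")" = "$2" ] && return 0
    echo "PIN MISMATCH: $1" >&2
    return 1
}

# Check each file named in the Checksums-Sha256 field of a .dsc
# (continuation lines " <sha256> <size> <name>") against the copy beside it.
verify_dsc_files() {
    local dsc="$1" dir rc=0 seen=0 sum size name
    dir=$(dirname "$dsc")
    while read -r sum size name; do
        [ -n "$name" ] || continue
        seen=1
        case $name in */*) echo "BAD NAME: $name" >&2; rc=1; continue ;; esac
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING: $name" >&2; rc=1
        elif [ "$(sha256_of "$dir/$name")" != "$sum" ]; then
            echo "MISMATCH: $name" >&2; rc=1
        fi
    done <<EOF
$(awk '/^Checksums-Sha256:/ {f=1; next} f && /^ / {print $1, $2, $3; next} {f=0}' "$dsc")
EOF
    # An empty field would mean nothing was verified: treat it as a failure.
    [ "$seen" -eq 1 ] || { echo "no Checksums-Sha256 entries: $dsc" >&2; return 1; }
    return "$rc"
}

# Constructed sample: a stand-in tarball and a minimal .dsc that lists it.
make_sample() {
    printf 'stand-in for the real tarball\n' > "$1/squid_0.0.orig.tar.xz"
    {
        echo "Source: squid"
        echo "Checksums-Sha256:"
        echo " $(sha256_of "$1/squid_0.0.orig.tar.xz") 30 squid_0.0.orig.tar.xz"
        echo "Files:"
        echo " 00000000000000000000000000000000 30 squid_0.0.orig.tar.xz"
    } > "$1/squid_0.0-1.dsc"
}

# In the build script, after the downloads:
#   verify_pinned "squid_${SQUID_PKG}.dsc" "$SQUID_DSC_SHA256" || exit 1
#   verify_dsc_files "squid_${SQUID_PKG}.dsc" || exit 1
```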

Press Next to continue to Step 4.