Step 4: Recompile Squid to Support HTTPS/SSL Filtering

The Squid package in the default Debian 10 repository is not built with the switches needed for HTTPS filtering and SSL bumping, so we need to rebuild it from source. We will apply one small patch to enable SSL filtering. Run the following script to do it.


# we will compile squid as normal user, and NOT as root
if [[ $EUID -eq 0 ]]; then
   echo "This script must NOT be run as root" 1>&2
   exit 1
fi

# drop squid build folder (-f: do not fail if it does not exist yet)
rm -rf build/squid

# we will be working in a subfolder, create it
mkdir -p build/squid

# copy the patches to the working folder
cp rules.patch build/squid/rules.patch

# set squid version
source squid.ver

# descend into working directory
pushd build/squid

# get squid from debian experimental

# unpack the source package
dpkg-source -x squid_${SQUID_PKG}.dsc

# modify configure options in debian/rules, add --enable-ssl --enable-ssl-crtd --with-openssl
patch squid-${SQUID_VER}/debian/rules < ../../rules.patch

# build the package
cd squid-${SQUID_VER} && dpkg-buildpackage -rfakeroot -b

# and revert to the directory we started from
popd

The contents of rules.patch are shown below. The patch adds the --enable-ssl, --enable-ssl-crtd and --with-openssl switches to the configure arguments in debian/rules.

--- rules   2018-01-23 10:39:24.000000000 +0100
+++   2018-02-07 22:07:59.285432839 +0100
@@ -30,6 +30,9 @@
        --enable-delay-pools \
        --enable-cache-digests \
        --enable-icap-client \
+       --enable-ssl \
+       --enable-ssl-crtd \
+       --with-openssl \
        --enable-follow-x-forwarded-for \
        --enable-auth-basic="DB,fake,getpwnam,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB" \
        --enable-auth-digest="file,LDAP" \
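Review bot: the hunk at `@@ -30,6 +30,9 @@` depends on `--enable-icap-client` and `--enable-follow-x-forwarded-for` being adjacent in debian/rules, so a package revision that reorders those options will make patch reject it, and the build script does not check the exit status of patch before calling dpkg-buildpackage. Stop the script when patch fails, and confirm after the build that the three added switches appear in the output of `squid -v`. The `+++` header also carries no file name, which works only because the script names the target file on the patch command line; restoring the name would make the patch self-describing.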

The squid.ver file specifies the version of Squid we are rebuilding.

#!/usr/bin/env bash

# set squid version
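A check that could run between the patch step and dpkg-buildpackage in the build script above, added here as an example and not part of the original script: it reports which of the three switches from rules.patch are still missing from debian/rules. The function names and the sample fragment are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not part of the original script): list the SSL-bump configure
# switches that a debian/rules file, or saved `squid -v` output, still lacks.

REQUIRED_FLAGS="--enable-ssl --enable-ssl-crtd --with-openssl"

# Print every required switch missing from file $1; return 0 only if none is.
# Comment lines are skipped and switches are compared as whole tokens, so
# --enable-ssl-crtd on its own does not count as --enable-ssl.
missing_ssl_flags() {
    local file="$1" tokens flag rc=0
    if [ ! -r "$file" ]; then
        echo "cannot read $file" >&2
        return 2
    fi
    # one token per line: split on blanks, quotes and continuation backslashes,
    # then drop any "=value" suffix
    tokens=$(grep -v '^[[:space:]]*#' "$file" | tr -s " \t'\"\\\\" '\n' | sed 's/=.*//')
    for flag in $REQUIRED_FLAGS; do
        if ! printf '%s\n' "$tokens" | grep -Fxq -- "$flag"; then
            echo "$flag"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: a debian/rules fragment in which the patch was only
# partly applied and one switch is commented out.
write_sample_rules() {
    cat > "$1" <<'EOF'
        --enable-cache-digests \
        --enable-icap-client \
        --enable-ssl-crtd \
#       --with-openssl \
        --enable-follow-x-forwarded-for \
EOF
}

sample=$(mktemp)
write_sample_rules "$sample"
echo "missing from sample:" $(missing_ssl_flags "$sample")
rm -f "$sample"
```

In the build script the call would be `missing_ssl_flags squid-${SQUID_VER}/debian/rules || exit 1`, placed right after the patch command.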

Press Next to continue to Step 5.