Step 4: Recompile Squid to Support HTTPS/SSL Filtering

To get the latest Squid on Ubuntu 16 Xenial, we will use the original version from the Debian Unstable repository with several additions necessary for SSL Bump and HTTPS filtering. Run script 05_build_squid.sh as a regular (non-root) user to do the compilation; the script refuses to run as root.

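#!/bin/bash
#
# 05_build_squid.sh - rebuild the Debian squid source package with the
# SSL-Bump configure options enabled.
#
# Run from the folder that holds rules.patch, control.patch and squid.ver,
# as a regular (non-root) user. The built .deb files are left in build/squid.

# Stop at the first failed step: without this a failed download or a rejected
# patch would still fall through to dpkg-buildpackage.
set -euo pipefail

if [[ $EUID -eq 0 ]]; then
   echo "This script must NOT be run as root" 1>&2
   exit 1
fi

# drop squid build folder (-f: a missing folder on the first run is not an error)
rm -rf -- build/squid

# we will be working in a subfolder, make it
mkdir -p build/squid

# copy the patches to the working folder
cp rules.patch build/squid/rules.patch
cp control.patch build/squid/control.patch

# set squid version; the explicit ./ keeps bash from searching PATH for a
# file named squid.ver before looking in the current folder
source ./squid.ver
: "${SQUID_VER:?squid.ver must set SQUID_VER}"
: "${SQUID_PKG:?squid.ver must set SQUID_PKG}"

# Same pool path as before, fetched over HTTPS so the source package cannot be
# altered in transit.
readonly POOL_URL="https://deb.debian.org/debian/pool/main/s/squid"

# descend into working directory
pushd build/squid

# get the squid source package from the Debian pool
wget "${POOL_URL}/squid_${SQUID_PKG}.dsc"
wget "${POOL_URL}/squid_${SQUID_VER}.orig.tar.gz"
wget "${POOL_URL}/squid_${SQUID_PKG}.debian.tar.xz"

# unpack the source package
# NOTE(review): dpkg-source checks the tarballs against the checksums listed
# in the .dsc, but it only insists on a valid OpenPGP signature on the .dsc
# itself when called with --require-valid-signature (which needs the Debian
# keyrings installed). Consider enabling that where the keyrings are available.
dpkg-source -x "squid_${SQUID_PKG}.dsc"

# modify dependencies to match those of Ubuntu 16
patch "squid-${SQUID_VER}/debian/control" < ../../control.patch

# modify configure options in debian/rules: add --enable-ssl --enable-ssl-crtd
# --with-openssl and drop --with-gnutls
patch "squid-${SQUID_VER}/debian/rules" < ../../rules.patch

# build the package (cd on its own line so that set -e catches a failure)
cd "squid-${SQUID_VER}"
dpkg-buildpackage -rfakeroot -b

# and revert
popd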

The rules patch file adds the compilation arguments that enable SSL bumping on Squid 4 and removes the GnuTLS option.

--- rules   2018-10-30 14:57:15.000000000 +0100
+++ rules.new   2018-11-15 11:11:08.410546782 +0100
@@ -36,7 +36,7 @@
        --enable-removal-policies="lru,heap" \
        --enable-delay-pools \
        --enable-cache-digests \
-       --enable-icap-client \
+       --enable-icap-client --enable-ssl --enable-ssl-crtd --with-openssl \
        --enable-follow-x-forwarded-for \
        --enable-auth-basic="DB,fake,getpwnam,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB" \
        --enable-auth-digest="file,LDAP" \
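Review bot: `--enable-ssl` on the added line is, as far as I know, the pre-3.5 spelling that `--with-openssl` replaced, so on Squid 4 configure most likely ignores it with an "unrecognized options" warning and only `--enable-ssl-crtd --with-openssl` take effect. Consider dropping it and giving each new flag its own continuation line, `--enable-ssl-crtd \` and `--with-openssl \`, so later diffs of debian/rules stay readable. A short comment above the flags, such as `# SSL-Bump: TLS interception with locally generated certificates`, would tell the next maintainer why this package differs from Debian's build.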
@@ -57,8 +57,7 @@
        --with-pidfile=/var/run/squid.pid \
        --with-filedescriptors=65536 \
        --with-large-files \
-       --with-default-user=proxy \
-       --with-gnutls
+       --with-default-user=proxy

 ifeq ($(DEB_HOST_ARCH_OS), kfreebsd)
        DEB_CONFIGURE_EXTRA_FLAGS += --enable-kqueue

The squid.ver file just makes it easier to manage the Squid version used by the scripts.

#!/usr/bin/env bash
#
# squid.ver - version pins, sourced by the build and install scripts.

# Upstream Squid release; used in the orig tarball name and in the name of
# the unpacked source folder.
SQUID_VER='4.4'

# Debian package version (upstream release plus Debian revision); used in the
# names of the .dsc, the debian tarball and the built .deb files.
SQUID_PKG="$SQUID_VER-1"

The control patch file removes references to unneeded dependencies.

--- control 2018-10-30 14:57:15.000000000 +0100
+++ control.new 2018-11-15 11:14:16.000000000 +0100
@@ -10,13 +10,12 @@
 Build-Depends: ed, libltdl-dev, pkg-config
    , g++ (>= 4.9) | clang (>= 3.7)
    , gcc (>= 4.9) | clang (>= 3.7)
-   , cdbs, debhelper (>=10), dpkg-dev (>= 1.17.11~), lsb-release
+   , cdbs, debhelper (>=9), dpkg-dev (>= 1.17.11~), lsb-release
    , libcppunit-dev
    , libcap2-dev [linux-any]
    , libdb-dev
    , libecap3-dev (>= 1.0.1-2)
    , libexpat1-dev
-   , libgnutls28-dev (>= 3.5)
    , libkrb5-dev, comerr-dev
    , libldap2-dev
    , libnetfilter-conntrack-dev [linux-any]
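Review bot: The hunk drops `libgnutls28-dev (>= 3.5)` but adds no OpenSSL development package, although rules.patch switches the build to `--with-openssl`. Unless `libssl-dev` is already listed further down in Build-Depends (outside this hunk), the dependency check in dpkg-buildpackage will pass on a machine where configure then cannot find OpenSSL. Adding a line such as `, libssl-dev` next to the other lib*-dev entries would make the requirement explicit. Relaxing `debhelper (>=10)` to `(>=9)` may also need a matching debian/compat level, which this patch does not show.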

After the build succeeds, run script 06_install_squid.sh as root to install Squid.

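#!/bin/bash
#
# 06_install_squid.sh - install the squid packages built by 05_build_squid.sh.
#
# Run as root from the folder that holds squid.ver and build/squid.

# Stop at the first failed step so a missing package or a failed install is
# not silently skipped.
set -euo pipefail

if [[ $EUID -ne 0 ]]; then
   echo "This script must be run as root" 1>&2
   exit 1
fi

# NOTE(review): squid.ver and build/squid are written by the unprivileged
# build user, and this script sources and installs them as root. Check their
# ownership and contents first if the build account is shared or untrusted.

# set squid version; the explicit ./ keeps bash from searching PATH for a
# file named squid.ver before looking in the current folder
source ./squid.ver
: "${SQUID_PKG:?squid.ver must set SQUID_PKG}"

# descend into working directory
pushd build/squid

# install the language pack from the distribution archive (already root, so
# no sudo is needed)
apt-get install squid-langpack

# locally built squid packages
packages=(
   "squid-common_${SQUID_PKG}_all.deb"
   "squid_${SQUID_PKG}_amd64.deb"
   "squidclient_${SQUID_PKG}_amd64.deb"
)

# fail early, before touching the system, if the build did not produce them
for pkg in "${packages[@]}"; do
   if [[ ! -f "$pkg" ]]; then
      echo "missing package: $pkg (run 05_build_squid.sh first)" 1>&2
      exit 1
   fi
done

# one dpkg run, so dpkg can order the configuration of interdependent packages
dpkg --install "${packages[@]}"

# and revert
popd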

Press Next to continue to Step 5.