Squid3 with SSL support, on Ubuntu 13.04


A few years ago, I spent many hours getting Squid with SSL working on Ubuntu 10.10. The core issue is that the Ubuntu-provided binary for Squid does not include SSL support. Thus, you have to compile Squid yourself, from source. Unfortunately, it’s not as simple as you might think, due to a lot of inconsistent information and errors that you’ll run into. I set up Squid on my Linode VPS, to act as a transparent proxy, to allow me to get my web traffic past firewall filters and other proxies. I also wanted all of the data in transit to be encrypted, which is done via SSL. Chrome would redirect all of my web traffic to Squid via an encrypted SSL tunnel, and Squid would go out to the internet and fetch my pages for me. I had everything working great for a long time.

I thought I was still good to go, until a recent update of a seemingly unrelated module caused my Squid authentication mechanism, ncsa, to start segfaulting any time I tried to log in. This is the story of how I got Squid3 working again, via a rebuild.

Download the newest source code

My first mistake was trying to use the source code provided by Ubuntu, via “apt-get source squid3”. The version of Squid3 that is provided by Ubuntu didn’t have the ncsa fix in it, so I spent a lot of time compiling source for absolutely nothing.

Head straight to the official Squid website and grab the latest release build (3.3.5 in my case) and download the tar.gz file via wget.

No debian/rules file?

Because the Squid source code directly from their site doesn’t have the nice debian/rules file built-in, you have to pass all of the variables to the configure script. I took bits from the Squid compiling guide and other sources. Here’s what my final command looked like:

./configure --prefix=/usr --localstatedir=/var \
  --libexecdir='${prefix}/lib/squid3' --srcdir=. \
  --datadir='${prefix}/share/squid3' --sysconfdir=/etc/squid3 \
  --with-default-user=proxy --with-logdir=/var/log \
  --with-pidfile=/var/run/squid3.pid \
  --enable-inline --enable-async-io=8 \
  --enable-storeio="ufs,aufs,diskd" --enable-removal-policies="lru,heap" \
  --enable-delay-pools --enable-cache-digests --enable-underscores \
  --enable-icap-client --enable-follow-x-forwarded-for \
  --enable-basic-auth-helpers="LDAP,MSNT,NCSA,PAM,SASL,SMB,YP,DB,POP3,getpwnam,squid_radius_auth,multi-domain-NTLM" \
  --enable-ntlm-auth-helpers="smb_lm," \
  --enable-digest-auth-helpers="ldap,password" \
  --enable-negotiate-auth-helpers="squid_kerb_auth" \
  --enable-external-acl-helpers="ip_user,ldap_group,session,unix_group,wbinfo_group" \
  --enable-arp-acl --enable-esi --enable-ssl --enable-zph-qos --enable-wccpv2 \
  --disable-translation --with-logdir=/var/log/squid3 \
  --with-filedescriptors=65536 --with-large-files --with-default-user=proxy

So, that’s quite the long string. It pulls the Ubuntu/Debian defaults from the Squid page, then adds in several of the parameters that are in the debian/rules file that Ubuntu provides when you download the source straight from their PPA. It also includes the essential --enable-ssl flag, which is what gives Squid the capabilities to do SSL.

Configure/Make All/Make Install

Just follow along with the basic Squid compiling instructions and you’ll be fine. You’ll have to build your own service or /etc/init.d/ files for controlling squid, and you’ll also need to set it up to start at system boot. I’ll leave the /etc/squid/squid.conf settings for another day; they’re pretty simple. Look for “https_port” and “ncsa_users” to find some of the common guides.
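
An added check, not part of the original post: once the install finishes, the options a binary was built with can be read back from `squid -v`, which tells a build with --enable-ssl and the NCSA helper apart from one without them. The two sample outputs are constructed, and the quoted "configure options:" layout is an assumption about Squid 3.x output.

```sh
#!/bin/sh
# Added example: read back the configure options a Squid binary was built with.

# Constructed sample: a build made with an abridged version of the post's configure line.
SAMPLE_SSL="Squid Cache: Version 3.3.5
configure options:  '--prefix=/usr' '--sysconfdir=/etc/squid3' '--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM' '--enable-ssl' '--with-default-user=proxy'"

# Constructed sample: no --enable-ssl; --enable-ssl-crtd must not count as a match.
SAMPLE_NO_SSL="Squid Cache: Version 3.3.5
configure options:  '--prefix=/usr' '--enable-ssl-crtd' '--enable-basic-auth-helpers=LDAP,PAM'"

# Print each configure option on its own line with the surrounding quotes removed.
# Options whose value contains spaces (e.g. CFLAGS) get split, which is harmless here.
squid_build_options() {
    printf '%s\n' "$1" \
        | sed -n 's/^configure options:[[:space:]]*//p' \
        | tr ' ' '\n' \
        | sed -e "s/^'//" -e "s/'\$//" -e '/^$/d'
}

# Print the flags from "$2..." that are absent from the build described by "$1".
# Matching is on the whole token, so --enable-ssl-crtd does not satisfy --enable-ssl.
squid_missing_flags() {
    opts=$(squid_build_options "$1"); shift
    missing=""
    for flag in "$@"; do
        printf '%s\n' "$opts" | grep -qxF -e "$flag" || missing="$missing $flag"
    done
    printf '%s' "${missing# }"
}

# Return 0 if basic-auth helper "$2" (e.g. NCSA) is listed in --enable-basic-auth-helpers.
squid_has_basic_helper() {
    helpers=$(squid_build_options "$1" | sed -n 's/^--enable-basic-auth-helpers=//p')
    case ",$helpers," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Use the installed binary when there is one, otherwise the constructed sample.
if command -v squid >/dev/null 2>&1; then text=$(squid -v); else text=$SAMPLE_SSL; fi
echo "missing flags: [$(squid_missing_flags "$text" --enable-ssl)]"
squid_has_basic_helper "$text" NCSA && echo "NCSA helper: built" || echo "NCSA helper: not built"
```

An empty "missing flags" list together with "NCSA helper: built" means the binary on the PATH is the rebuilt one rather than a leftover package build.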