Tags: ssl


  09:32:00 am, by The Dreamer   , 659 words  
Categories: Software, Ubuntu, FreeBSD

Ubuntu squid with SSL

Link: http://lawrencechen.net/ddclient-aamp-squid

This is an update to the "ddclient & squid" here

Ran into a new problem recently....though the need for SSL in squid on ubuntu is deprecated, by the fact that I'm slowly replacing this server with a FreeBSD server.

As a result, I don't pay attention to this ubuntu server as much as I used to, so I've configured unattended-upgrade. It was installed, but it didn't seem to do anything in that on other servers I'd log in to find that there are lots (40+) of patches available and more than half that are security. Since I came across how to configure it to do more than just security patches, including send me email and on some systems automatically reboot when necessary. (should've thought to see how unattended-upgrade is configured and doing such things in the Ubuntu AMI I have in AWS)

Since I got unattended-upgrade configured on this old server (32-bit Ubuntu Server, which I've heard they have a 12.04LTS download for??? They had said they dropped 32-bit server support, so there was version with 10.04LTS. So I couldn't upgrade and now I'm way past EOL, which is causing problems...probably need to hunt down the landscape and ubuntuone services and nuke them, instead of letting them degrade my server for being EOL.) I've also had to update packages on here from outside sources to keep things running, so guess I should work harder on abandoning this server.... Where it'll likely get reborn as [yet ]a[nother] FreeBSD server....along with the server that I think I have all the parts collected for it, but just need to sit down and put it together. It started as a mostly functional pulled 1U server, in need of ... well either new fans or a new case.... I opted for the new case route. It also needed drives and memory. But, as a result of the new case route...aside from case/power supply...it meant I would need to get heatsinks...since the passive ones based on the 1U case channeling air flow....would be hard to recreate in the tower case I went with. It's a huge tower case, given that it's an E-ATX motherboard...yet it isn't a full tower (like the formerly windows machine called TARDIS...someday I'll work its regeneration....need money to buy all the bits and pieces that'll make that up, which I haven't fully worked out what those will be....or where it'll go since my dual 23" widescreen FreeBSD desktop has consumed all of the desk that it would've shared....and not really keen on the idea of a KVM for this situation. :hmm: )

Anyways...every day I get an email from unattended-upgrade for this system.... with:

Unattended upgrade returned: True

Packages that are upgraded:
Packages with upgradable origin but kept back:
 squid squid-cgi 

Package installation log:

Unattended-upgrades log:
Initial blacklisted packages: 
Starting unattended upgrades script
Allowed origins are: ["['Ubuntu', 'heron-security']", "['Ubuntu', 'heron-updates']"]
package 'squid' upgradable but fails to be marked for upgrade (E:Unable to correct problems, you have held broken packages.)
Packages that are upgraded: squid-common
Writing dpkg log to '/var/log/unattended-upgrades/unattended-upgrades-dpkg_2013-07-06_08:05:42.056193.log'
All upgrades installed

This is because of that quirk where even though I rebuilt my version with SSL, and kept it the same version...it wants to install its version to replace mine (of the same version). Which is why I did the hold thing.

I could do the alternative of adding a string to make my version advance from current....though I suppose I won't unhold...so that unattended-upgrade won't upgrade should such a thing appear (unlikely since both the OS and squid are ancient...and there'll be no more updates.) But, the intent is to hopefully silence unattended-upgrade in this matter.

Though kind of surprised it's still doing something....hmmm, guess there was a new security patch to squid 2.7 back on January 29, 2013....that I've been missing (suppose it's already downloaded the update in its 'cache'....or the backend is still there, it's just not getting updates beyond what's there....whatever, I think I'm down to one more service to move off....)
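A held package that keeps a security update from installing is easy to overlook in a daily report that still says "returned: True". The following is an added example, not code from the post: a small POSIX shell check that reads an unattended-upgrades report and flags kept-back packages. The sample report is constructed from the mail quoted above, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample, modelled on the report mail quoted in the post.
sample_report() {
cat <<'EOF'
Unattended upgrade returned: True
Packages with upgradable origin but kept back:
 squid squid-cgi

Unattended-upgrades log:
Allowed origins are: ["['Ubuntu', 'heron-security']", "['Ubuntu', 'heron-updates']"]
package 'squid' upgradable but fails to be marked for upgrade (E:Unable to correct problems, you have held broken packages.)
Packages that are upgraded: squid-common
EOF
}

# Print one package per line from the indented "kept back" section.
kept_back() {
    awk '
        /^Packages with upgradable origin but kept back:/ { insec = 1; next }
        insec && (NF == 0 || $0 !~ /^[ \t]/) { insec = 0 }  # section ends
        insec { for (i = 1; i <= NF; i++) print $i }
    '
}

# Print "package: reason" for every package apt refused to mark for upgrade.
blocked_reasons() {
    sed -n "s/^package '\([^']*\)' upgradable but fails to be marked for upgrade (\(.*\))\$/\1: \2/p"
}

# Succeeds when a "-security" origin is among the allowed origins.
security_origin_enabled() {
    grep '^Allowed origins are:' | grep -q -- '-security'
}

# Read a report on stdin; return 1 (and explain) if anything was kept back.
check_report() {
    report=$(cat)
    pkgs=$(printf '%s\n' "$report" | kept_back | tr '\n' ' ')
    [ -n "$pkgs" ] || return 0
    echo "kept back: $pkgs"
    printf '%s\n' "$report" | blocked_reasons | sed 's/^/  reason -> /'
    if printf '%s\n' "$report" | security_origin_enabled; then
        echo "  a -security origin is allowed: held packages may be missing security fixes"
    fi
    return 1
}

sample_report | check_report || true
```

Piping the real mail body into `check_report` from a mail filter or cron job turns the non-zero exit status into an alert.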


  01:40:00 pm, by The Dreamer   , 389 words  
Categories: Software, Networking, Cox HSI, AT&T DSL, Ubuntu

ddclient & squid

In the aftermath of the summer storm of August 13th, (hmmm, totally missed that it was a Friday the 13th), I made a tweak to my ddclient config for updating dyndns for my DSL line. Because I found that it wasn't able to update the IP change while Cox was down.

Couldn't find a way to make ddclient bind to the local IP that routes out by DSL (or use non-default gateway). But, since I have squid proxy on the same box...and depending on what port I come in on, it can use either of my connections.

I set proxy=box.lhaven.homeip.net:3128

Couldn't use localhost, because ddclient does some kind of validation to require an fqdn+port, and localhost isn't an fqdn. And, yes, I use my dyndns domain as my home domain. So I can have bookmarks that'll work whether I'm at home or on the road ;D

But, this change wasn't tested...as it has been less than 28 days for a refresh, and no IP change.

That was until this morning, when my IP did change.

The updates weren't working....seems that ddclient wants to do SSL all the way or not at all. No using an http proxy to connect out on SSL. But, I didn't feel like sending my dyndns password out non-SSL.... So, after some thought, I decided I would figure out how to set up SSL on squid.

I made the necessary configuration change, but no go. Seems that ubuntu doesn't distribute squid with SSL, because squid and openssl have incompatible open source licenses. So, I did a quick search to find the ubuntu way of rebuilding it from source.

apt-get source squid
apt-get build-dep squid
apt-get install devscripts build-essential fakeroot
cd squid-2.7.STABLE7
vi debian/rules
     Add --enable-ssl \ to “# Configure the package” section
debuild -us -uc -b
cd ..
dpkg -i squid??? squid-common???

Change to proxy=box.lhaven.homeip.net:3218, and it worked. :cool:
