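#!/bin/bash
# make-proxy.sh — Squid SSL-Bump + ClamAV/ICAP Setup für Debian
#
# Runs as root on the proxy/gateway host: derives the site number (OKT) from
# the host's own IPv4 address on enp0s3, then installs Squid with SSL-Bump,
# redirects port 80/443 traffic into it via nftables and scans the decrypted
# content with ClamAV over ICAP.

set -e

# --- Netzwerk-Logik ---
# OKT (third octet of the enp0s3 address) is interpolated unquoted into the
# squid ACL names and networks written below, so it has to be exactly one
# small integer. Take the first IPv4 address only ("inet\>" excludes inet6)
# and validate it: a missing interface or address would otherwise yield an
# empty OKT and a silently broken squid.conf ("acl it src 10..1.0/24").
IP=$(ip a s enp0s3 | grep "inet\>" | awk '{print $2; exit}')
ipv4_re='^[0-9]+\.[0-9]+\.([0-9]+)\.[0-9]+(/[0-9]+)?$'
if [[ ! "$IP" =~ $ipv4_re ]]; then
    echo "FEHLER: keine IPv4-Adresse auf enp0s3 gefunden (IP='$IP')" >&2
    exit 1
fi
OKT=${BASH_REMATCH[1]}
DOMAIN="it${OKT}.int"

echo "=== Proxy Setup ==="
echo "OKT:    $OKT"
echo "DOMAIN: $DOMAIN"
echo ""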

# ============================================================
# CLEANUP
# ============================================================
# Start from a clean slate so the script can be re-run: stop and purge the
# proxy/AV packages (failures are deliberately ignored — they may not be
# installed yet) and remove everything an earlier run generated or built
# (CA key, minted host certificates, the compiled squidclamav module, the
# systemd override).
echo "--- Aufräumen ---"
systemctl stop squid c-icap clamd clamav-daemon clamav-freshclam 2>/dev/null || true
apt purge -y squid squid-openssl c-icap clamav clamav-daemon clamav-freshclam 2>/dev/null || true
leftovers=(
    /etc/squid/certs
    /var/spool/squid/ssl_db
    /etc/c-icap/squidclamav.conf
    /usr/lib/c_icap/squidclamav.so
    /root/squidclamav
    /etc/systemd/system/c-icap.service.d
)
rm -rf -- "${leftovers[@]}"

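# ============================================================
# TEIL 1: Squid SSL-Bump
# ============================================================
echo "--- Squid installieren ---"
apt install -y squid-openssl

echo "--- Zertifikat erstellen ---"
# One self-signed CA with key and certificate in the same PEM file — the single
# file that `cert=` in squid.conf below refers to. This key signs a certificate
# for every bumped host, so whoever holds it can impersonate any HTTPS site to
# the clients that import the CA: keep it readable by the proxy user only.
# NOTE(review): -days 365 also limits the CA itself to one year; clients will
# have to import a fresh CA after that.
mkdir -p /etc/squid/certs
cd /etc/squid/certs

openssl req -new -newkey rsa:4096 -sha256 -days 365 -nodes -x509 \
    -keyout squid_proxyCA.pem \
    -out squid_proxyCA.pem \
    -subj "/CN=proxy-ca"

chown proxy:proxy squid_proxyCA.pem
chmod 0400 squid_proxyCA.pem

# Public certificate only (no key) — this is the file to distribute to clients.
openssl x509 -inform PEM -in squid_proxyCA.pem -out squid_proxyCA.crt
# This also trusts the bump CA on the proxy host itself, i.e. every TLS client
# on this machine will accept certificates minted by this CA.
# NOTE(review): presumably meant for testing through the proxy locally —
# confirm that this is wanted.
cp squid_proxyCA.crt /usr/local/share/ca-certificates/
update-ca-certificates

echo "--- SSL Cache initialisieren ---"
# The per-host certificate database has to be created by the user squid runs
# as. runuser (util-linux, part of every Debian system) is used instead of
# sudo, which a minimal Debian install does not necessarily have.
chown proxy:proxy /var/spool/squid
runuser -u proxy -- /usr/lib/squid/security_file_certgen \
    -c -s /var/spool/squid/ssl_db -M 4MB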

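echo "--- squid.conf schreiben ---"
# Access policy (http_access is evaluated top-down, first match wins): the
# port sanity checks (Safe_ports, CONNECT only to SSL_ports) and the
# to_localhost/to_linklocal denials have to come BEFORE the allow for the site
# networks. In the previous order `allow it${OKT}` was the first rule, so
# those clients could CONNECT to any port through the proxy and reach services
# bound to the proxy's own loopback. The order now follows the Debian default
# template. The `localnet` ACL is the default set and is not referenced by
# any http_access line; only the three it${OKT} networks are allowed.
#
# Interception: `ssl_bump bump all` decrypts every TLS connection (clients
# must trust squid_proxyCA.crt; applications with certificate pinning will
# fail) so the ICAP services can scan the plaintext. bypass=0 makes both ICAP
# services fail-closed: if c-icap is unreachable, requests are refused rather
# than passed through unscanned. Ports 3129/3130 take the nftables-redirected
# traffic, 3128 is the explicit proxy port.
cat > /etc/squid/squid.conf <<SQUIDCONF
acl localnet src 0.0.0.1-0.255.255.255
acl localnet src 10.0.0.0/8
acl localnet src 100.64.0.0/10
acl localnet src 169.254.0.0/16
acl localnet src 172.16.0.0/12
acl localnet src 192.168.0.0/16
acl localnet src fc00::/7
acl localnet src fe80::/10
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl it${OKT} src 10.88.${OKT}.0/24
acl it${OKT} src 172.26.${OKT}.0/24
acl it${OKT} src 10.${OKT}.1.0/24
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access deny to_localhost
http_access deny to_linklocal
http_access allow it${OKT}
http_access allow localhost
http_access deny all
http_port 3128 ssl-bump cert=/etc/squid/certs/squid_proxyCA.pem generate-host-certificates=on options=NO_SSLv3,NO_TLSv1,NO_TLSv1_1
http_port 3129 intercept
https_port 3130 ssl-bump intercept cert=/etc/squid/certs/squid_proxyCA.pem generate-host-certificates=on options=NO_SSLv3,NO_TLSv1,NO_TLSv1_1
ssl_bump bump all
icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_encode off
icap_client_username_header X-Authenticated-User
icap_preview_enable on
icap_preview_size 1024
icap_service service_req reqmod_precache bypass=0 icap://127.0.0.1:1344/squidclamav
icap_service service_resp respmod_precache bypass=0 icap://127.0.0.1:1344/squidclamav
adaptation_access service_req allow all
adaptation_access service_resp allow all
coredump_dir /var/spool/squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
SQUIDCONF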

# ============================================================
# TEIL 2: nftables REDIRECT
# ============================================================
# Transparent interception: every TCP packet to port 80/443 that enters this
# host in the prerouting hook — forwarded client traffic as well as
# connections addressed to the host itself — is redirected to squid's
# intercept ports 3129/3130. Locally generated traffic (squid's own upstream
# connections) does not traverse prerouting, so there is no redirect loop.
# `flush ruleset` replaces the entire nftables configuration: any
# pre-existing filter rules on this host are gone afterwards and the only
# policy left is `accept`.
# NOTE(review): interception presumes this host forwards the clients'
# traffic; IP forwarding is not enabled here — confirm on the target system.
# The delimiter is quoted: the content contains nothing to expand.
echo "--- nftables REDIRECT ---"
cat > /etc/nftables.conf <<'NFTCONF'
#!/usr/sbin/nft -f
flush ruleset
table inet nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        tcp dport 80 redirect to :3129
        tcp dport 443 redirect to :3130
    }
}
NFTCONF
systemctl enable --now nftables

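# ============================================================
# TEIL 3: ClamAV + ICAP
# ============================================================
echo "--- Pakete installieren ---"
apt install -y c-icap clamav clamdscan clamav-daemon libicapapi-dev libssl-dev git gcc make

echo "--- squidclamav kompilieren ---"
# squidclamav is not a Debian package, so it is built from source and
# installed into the c-icap module path; through the reqmod/respmod services
# in squid.conf the module then sees every request and response body the
# proxy handles.
# NOTE(review): the clone is unpinned (whatever HEAD is at run time) and not
# verified — pin a release tag or commit (`git clone --branch <TAG>`) and
# check it against the upstream release before installing it.
cd /root
git clone https://github.com/darold/squidclamav
cd squidclamav
# One step per line: inside `a && b && c` set -e only acts on the last
# command, so a failing configure or make would otherwise go unnoticed and
# the script would carry on without a usable module.
./configure
make
make install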

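echo "--- squidclamav konfigurieren ---"
# Point the module at the local clamd socket and set the page blocked users
# are redirected to (an external site, virus-found.xinux.de). The sed calls
# only rewrite an existing `clamd_local` / `redirect` line; verify that they
# actually matched, because a no-op here would leave the scanner
# misconfigured without any error.
sed -i 's|^clamd_local .*|clamd_local /var/run/clamav/clamd.ctl|' /etc/c-icap/squidclamav.conf
sed -i 's|^redirect .*|redirect https://virus-found.xinux.de|' /etc/c-icap/squidclamav.conf
grep -q '^clamd_local /var/run/clamav/clamd.ctl$' /etc/c-icap/squidclamav.conf \
    || { echo "FEHLER: clamd_local in /etc/c-icap/squidclamav.conf nicht gesetzt" >&2; exit 1; }
grep -q '^redirect https://virus-found.xinux.de$' /etc/c-icap/squidclamav.conf \
    || { echo "FEHLER: redirect in /etc/c-icap/squidclamav.conf nicht gesetzt" >&2; exit 1; }

echo "--- squidclamav in c-icap eintragen ---"
# Append only when the line is not there yet, so a re-run does not register
# the service twice.
grep -qxF 'Service squidclamav squidclamav.so' /etc/c-icap/c-icap.conf \
    || echo "Service squidclamav squidclamav.so" >> /etc/c-icap/c-icap.conf

echo "--- c-icap Startabhängigkeit setzen ---"
# c-icap must not start before clamd is up; Requires= also stops c-icap when
# clamav-daemon is stopped or fails. Quoted delimiter: nothing to expand.
mkdir -p /etc/systemd/system/c-icap.service.d
cat > /etc/systemd/system/c-icap.service.d/override.conf <<'OVERRIDE'
[Unit]
After=clamav-daemon.service
Requires=clamav-daemon.service
OVERRIDE
systemctl daemon-reload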

echo "--- Dienste starten ---"
# Start freshclam first and wait for the first signature database before
# starting clamd, c-icap and squid (presumably because clamd needs a database
# to come up). The wait is unbounded: without network access, or with a
# blocked mirror, this loop runs forever and prints a line every 5 s.
systemctl enable --now clamav-freshclam
echo "Warte auf Virendatenbank..."
until [ -f /var/lib/clamav/main.cvd ] || [ -f /var/lib/clamav/main.cld ]; do
    sleep 5
    echo "  ... warte noch ..."
done
echo "Datenbank vorhanden — starte clamd, c-icap und squid"
systemctl enable --now clamav-daemon c-icap squid

printf '\n=== Fertig ===\n'
echo "CA-Zertifikat liegt unter: /etc/squid/certs/squid_proxyCA.crt"
echo "Auf Clients kopieren und importieren!"
