#!/bin/bash
# make-proxy.sh — Squid SSL-Bump + ClamAV/ICAP Setup für Rocky Linux

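set -euo pipefail

# --- Network logic ---
# The third octet of the proxy's own IPv4 address on IFACE selects which
# client networks are allowed through the proxy (the it${OKT} ACLs written
# into squid.conf further down). That value is interpolated into the proxy
# ACLs, so it is validated here instead of being used blindly: an empty or
# multi-line value would silently produce a broken or wrong access policy.
IFACE="${IFACE:-enp0s3}"

# First IPv4 address on the interface in CIDR form, e.g. 10.88.7.5/24.
IP=$(ip -4 -o addr show dev "$IFACE" 2>/dev/null | awk '{print $4; exit}') || true
if [[ -z "$IP" ]]; then
    printf 'ERROR: no IPv4 address found on interface %s (set IFACE=...)\n' "$IFACE" >&2
    exit 1
fi

OKT=${IP#*.*.}   # drop the first two octets
OKT=${OKT%%.*}   # keep only the third
if ! [[ "$OKT" =~ ^[0-9]{1,3}$ ]] || (( OKT > 255 )); then
    printf 'ERROR: could not derive a valid third octet from %s\n' "$IP" >&2
    exit 1
fi
DOMAIN="it${OKT}.int"   # informational only; not used by the configuration below

echo "=== Proxy Setup ==="
echo "OKT:    $OKT"
echo "DOMAIN: $DOMAIN"
echo ""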

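# ============================================================
# CLEANUP
# ============================================================
# Make the script re-runnable: stop and remove everything an earlier run
# installed. A fresh bump CA is generated below, so the old one is removed
# here as well.
echo "--- Aufräumen ---"
systemctl stop squid c-icap clamd@scan clamav-freshclam 2>/dev/null || true
dnf remove -y squid c-icap c-icap-libs c-icap-modules c-icap-devel \
    clamav clamd clamav-update 2>/dev/null || true
rm -rf -- /etc/squid/certs \
       /var/spool/squid/ssl_db \
       /etc/c-icap/squidclamav.conf \
       /usr/lib64/c_icap/squidclamav.so \
       /root/squidclamav \
       /etc/tmpfiles.d/clamd.conf \
       /etc/systemd/system/c-icap.service.d
# An earlier run added the previous CA's public cert to the host trust
# store. Its private key is deleted above, but do not leave a dangling
# trust anchor behind.
if [[ -e /etc/pki/ca-trust/source/anchors/squid_proxyCA.crt ]]; then
    rm -f -- /etc/pki/ca-trust/source/anchors/squid_proxyCA.crt
    update-ca-trust
fi
systemctl daemon-reload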

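# ============================================================
# PART 1: Squid SSL-Bump
# ============================================================
echo "--- Squid installieren ---"
dnf install -y squid policycoreutils-python-utils

echo "--- Firewall ---"
firewall-cmd --zone=public --add-service=squid --permanent
firewall-cmd --reload

echo "--- Zertifikat erstellen ---"
# This CA signs a forged certificate for every HTTPS site a client visits.
# Whoever holds squid_proxyCA.pem (private key + cert, unencrypted because
# squid must start unattended) can silently MITM every client that trusts
# it. The file therefore stays readable by the squid user only and is never
# copied anywhere; clients get only the public part (.crt).
CA_DAYS="${CA_DAYS:-365}"   # CA lifetime; after rotation clients must re-import the new .crt
mkdir -p /etc/squid/certs
cd /etc/squid/certs

# Mark the certificate explicitly as a CA (basicConstraints/keyUsage):
# some TLS stacks refuse to build a chain to a self-signed cert without them.
openssl req -new -newkey rsa:4096 -sha256 -days "$CA_DAYS" -nodes -x509 \
    -keyout squid_proxyCA.pem \
    -out squid_proxyCA.pem \
    -subj "/CN=proxy-ca" \
    -addext "basicConstraints=critical,CA:TRUE" \
    -addext "keyUsage=critical,keyCertSign,cRLSign"

chown squid:squid squid_proxyCA.pem
chmod 0400 squid_proxyCA.pem

# Public part only — this is the file to distribute to clients.
openssl x509 -inform PEM -in squid_proxyCA.pem -out squid_proxyCA.crt
# NOTE: this also makes the proxy host itself trust its own bump CA. Squid
# does not need that; it is only convenient for testing through the proxy
# from this box. Remove these two lines if the host must not trust the CA.
cp squid_proxyCA.crt /etc/pki/ca-trust/source/anchors/
update-ca-trust

echo "--- SSL Cache initialisieren ---"
# Cache for the dynamically generated per-site certificates. Squid must be
# pointed at this same path/size via sslcrtd_program in squid.conf,
# otherwise it uses its compiled-in default location.
chown squid:squid /var/spool/squid
runuser -u squid -- /usr/lib64/squid/security_file_certgen \
    -c -s /var/spool/squid/ssl_db -M 4MB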
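echo "--- squid.conf schreiben ---"
# Unquoted heredoc: only ${OKT} is expanded, everything else is literal
# squid.conf syntax.
cat > /etc/squid/squid.conf <<SQUIDCONF
acl localnet src 0.0.0.1-0.255.255.255
acl localnet src 10.0.0.0/8
acl localnet src 100.64.0.0/10
acl localnet src 169.254.0.0/16
acl localnet src 172.16.0.0/12
acl localnet src 192.168.0.0/16
acl localnet src fc00::/7
acl localnet src fe80::/10
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl it${OKT} src 10.88.${OKT}.0/24
acl it${OKT} src 172.26.${OKT}.0/24
acl it${OKT} src 10.${OKT}.1.0/24
# Port, CONNECT and loopback restrictions come first; http_access rules are
# evaluated in order and the first match wins. With "allow it${OKT}" ahead
# of them, those clients could CONNECT to arbitrary ports and reach services
# bound to 127.0.0.1 on the proxy itself (clamd, ICAP on 1344, cache manager).
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access deny to_localhost
http_access deny to_linklocal
http_access allow it${OKT}
http_access allow localhost
http_access deny all
http_port 3128 ssl-bump cert=/etc/squid/certs/squid_proxyCA.pem generate-host-certificates=on options=NO_SSLv3,NO_TLSv1,NO_TLSv1_1
# Generator and on-disk cache for the forged per-site certificates; must be
# the same path/size the ssl_db was initialised with.
sslcrtd_program /usr/lib64/squid/security_file_certgen -s /var/spool/squid/ssl_db -M 4MB
# Peek at the client hello first so the forged certificate carries the SNI
# the client asked for, then bump everything. Sites that must not be
# intercepted (pinned apps, client-certificate sites) need an exemption
# before the bump rule, e.g.:
#   acl nobump ssl::server_name .example.com
#   ssl_bump splice nobump
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
# ICAP: bypass=0 means the scanner is fail-closed — if c-icap/clamd are
# down, requests are refused instead of passed through unscanned.
icap_enable on
icap_send_client_ip on
# No proxy authentication is configured, so the forwarded username is empty.
icap_send_client_username on
icap_client_username_encode off
icap_client_username_header X-Authenticated-User
icap_preview_enable on
icap_preview_size 1024
icap_service service_req reqmod_precache bypass=0 icap://127.0.0.1:1344/squidclamav
icap_service service_resp respmod_precache bypass=0 icap://127.0.0.1:1344/squidclamav
adaptation_access service_req allow all
adaptation_access service_resp allow all
coredump_dir /var/spool/squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
SQUIDCONF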

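# ============================================================
# PART 2: ClamAV + ICAP
# ============================================================
echo "--- EPEL + Pakete installieren ---"
dnf install -y epel-release
dnf install -y clamav clamd clamav-update c-icap c-icap-libs c-icap-modules \
    git gcc make c-icap-devel redhat-rpm-config

echo "--- clamd konfigurieren ---"
# clamd is reachable via a UNIX socket only. The socket is group-accessible
# (660) rather than world-writable: anyone who can connect to the clamd
# socket can issue SHUTDOWN/RELOAD and arbitrary SCAN commands, so a 666
# socket lets every local account stop the scanner (and, with bypass=0 in
# squid.conf, thereby block the whole proxy).
sed -i 's|^#LocalSocket .*|LocalSocket /run/clamd.scan/clamd.sock|' /etc/clamd.d/scan.conf
sed -i 's|^#LocalSocketGroup .*|LocalSocketGroup virusgroup|' /etc/clamd.d/scan.conf
sed -i 's|^#LocalSocketMode .*|LocalSocketMode 660|' /etc/clamd.d/scan.conf

# The c-icap service account must be in virusgroup to open the 660 socket.
# Its name is read from the 'User' directive in c-icap.conf (typically
# 'c-icap' on EPEL — verify). If no such account exists, fall back to the
# old world-accessible mode with a loud warning rather than silently
# breaking scanning, since an unreachable scanner blocks all traffic.
CICAP_USER=$(awk '$1 == "User" {print $2; exit}' /etc/c-icap/c-icap.conf || true)
CICAP_USER=${CICAP_USER:-c-icap}
if id -u "$CICAP_USER" >/dev/null 2>&1; then
    usermod -a -G virusgroup "$CICAP_USER"
else
    printf 'WARNING: c-icap user "%s" not found; leaving clamd socket world-accessible (666)\n' "$CICAP_USER" >&2
    sed -i 's|^LocalSocketMode .*|LocalSocketMode 666|' /etc/clamd.d/scan.conf
fi

echo "--- tmpfiles für clamd Socket ---"
cat > /etc/tmpfiles.d/clamd.conf <<TMPFILES
d /run/clamd.scan 0755 clamscan virusgroup -
TMPFILES
systemd-tmpfiles --create /etc/tmpfiles.d/clamd.conf

echo "--- squidclamav kompilieren ---"
# Supply-chain note: this builds whatever the upstream default branch
# currently points at and installs it as root, with no pin or checksum.
# Set SQUIDCLAMAV_REF to a reviewed release tag for a reproducible build.
SQUIDCLAMAV_REF="${SQUIDCLAMAV_REF:-}"
cd /root
git clone https://github.com/darold/squidclamav
cd squidclamav
if [[ -n "$SQUIDCLAMAV_REF" ]]; then
    git checkout --quiet "$SQUIDCLAMAV_REF"
fi
# One command per line: set -e does not abort on a failing ./configure or
# make inside an "a && b && c" chain, which would leave a half-built module.
./configure
make
make install

echo "--- squidclamav konfigurieren ---"
sed -i 's|^clamd_local .*|clamd_local /run/clamd.scan/clamd.sock|' /etc/c-icap/squidclamav.conf
sed -i 's|^redirect .*|redirect https://virus-found.xinux.de|' /etc/c-icap/squidclamav.conf

echo "--- squidclamav in c-icap eintragen ---"
# Guarded appends keep the config idempotent across re-runs.
grep -q '^Service squidclamav squidclamav.so' /etc/c-icap/c-icap.conf \
    || echo "Service squidclamav squidclamav.so" >> /etc/c-icap/c-icap.conf
# Squid reaches c-icap via 127.0.0.1:1344 only. ICAP has no authentication,
# so bind it to loopback instead of all interfaces.
grep -q '^ListenAddress ' /etc/c-icap/c-icap.conf \
    || echo "ListenAddress 127.0.0.1" >> /etc/c-icap/c-icap.conf

echo "--- c-icap Startabhängigkeit setzen ---"
# c-icap is useless without clamd; start it after and only together with it.
mkdir -p /etc/systemd/system/c-icap.service.d
cat > /etc/systemd/system/c-icap.service.d/override.conf <<OVERRIDE
[Unit]
After=clamd@scan.service
Requires=clamd@scan.service
OVERRIDE
systemctl daemon-reload

echo "--- Firewall ICAP ---"
# The ICAP port is used over loopback only and must not be exposed on the
# network. Earlier versions of this script opened 1344/tcp in the public
# zone, so close it again on re-runs (ignore "not enabled").
firewall-cmd --zone=public --remove-port=1344/tcp --permanent >/dev/null 2>&1 || true
firewall-cmd --reload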

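echo "--- Dienste starten ---"
# freshclam must have fetched a signature database before clamd@scan can
# start; c-icap Requires= clamd@scan, and squid refuses traffic (bypass=0)
# without c-icap. Wait for main.{cvd,cld}, but not forever — an unreachable
# mirror (DNS, upstream proxy) would otherwise hang the script silently.
systemctl enable --now clamav-freshclam
DB_WAIT_MAX="${DB_WAIT_MAX:-900}"   # seconds
echo "Warte auf Virendatenbank (kann einige Minuten dauern)..."
waited=0
while [[ ! -f /var/lib/clamav/main.cvd && ! -f /var/lib/clamav/main.cld ]]; do
    if (( waited >= DB_WAIT_MAX )); then
        printf 'ERROR: no ClamAV database after %ss - check "journalctl -u clamav-freshclam"\n' "$DB_WAIT_MAX" >&2
        exit 1
    fi
    sleep 5
    waited=$(( waited + 5 ))
    echo "  ... warte noch ..."
done
echo "Datenbank vorhanden — starte clamd, c-icap und squid"
systemctl enable --now clamd@scan c-icap squid

echo ""
echo "=== Fertig ==="
echo "CA-Zertifikat liegt unter: /etc/squid/certs/squid_proxyCA.crt"
echo "Auf Clients kopieren und importieren!"
# The .pem next to it contains the CA private key — never distribute that file.
echo "Nur die .crt verteilen — die .pem enthält den privaten CA-Schlüssel!"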
