
@ppenguin
Created August 21, 2020 21:49
Build squid with time_quota external acl helper on FreeBSD for use with pfSense
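# Build Squid with the time_quota external ACL helper on FreeBSD.
#
# The squid package for pfSense is compiled without the time_quota external
# ACL helper; building Squid from source on FreeBSD appears to be the only way
# to get it. The db6 package apparently has to be installed explicitly, and its
# include and library directories named in the compiler and linker flags.
#
# Why the command is written this way:
#   - Every line but the last ends in a backslash so the shell sees ONE
#     configure invocation. Without the continuation, the options after
#     --enable-storeio would be run as a separate (failing) command and
#     silently left out of the build.
#   - --enable-removal-policies="lru heap" is quoted; unquoted, "heap" is a
#     separate word and is not part of the policy list.
#   - LDFLAGS points at /usr/local/lib/db6 so that it agrees with the db6
#     include paths in CFLAGS/CPPFLAGS/CXXFLAGS.
#
# Review notes:
#   - -fstack-protector-strong is kept in CFLAGS, CXXFLAGS and LDFLAGS; do not
#     drop it when trimming flags.
#   - --enable-http-violations, --enable-follow-x-forwarded-for and the "fake"
#     auth / rewrite / cert-validator helpers are presumably carried over from
#     the pfSense package build. They only compile the support in; confirm in
#     squid.conf that none of them is actually enabled unless intended.
#   - The --build/--host triplet names FreeBSD 12.1; presumably it should match
#     the FreeBSD release of the target pfSense box - verify before copying
#     binaries over.
./configure --with-default-user=squid --bindir=/usr/local/sbin --sbindir=/usr/local/sbin --datadir=/usr/local/etc/squid \
    --libexecdir=/usr/local/libexec/squid --localstatedir=/var --sysconfdir=/usr/local/etc/squid \
    --with-logdir=/var/log/squid --with-pidfile=/var/run/squid/squid.pid --with-swapdir=/var/squid/cache \
    --without-gnutls --with-included-ltdl --enable-auth --enable-zph-qos --enable-build-info --enable-loadable-modules \
    --enable-removal-policies="lru heap" --disable-epoll --disable-linux-netfilter --disable-linux-tproxy --disable-translation \
    --disable-arch-native --disable-strict-error-checking --enable-eui --enable-cache-digests --enable-delay-pools \
    --disable-ecap --disable-esi --enable-follow-x-forwarded-for --with-mit-krb5=/usr/local \
    CFLAGS="-I/usr/local/include -O2 -pipe -I/usr/local/include/db6 -fstack-protector-strong -DLDAP_DEPRECATED -fno-strict-aliasing" \
    LDFLAGS="-L/usr/local/lib -pthread -L/usr/local/lib/db6 -lpcreposix -lpcre -Wl,-rpath,/usr/local/lib:/usr/lib -fstack-protector-strong" \
    LIBS="-lkrb5 -lgssapi_krb5" \
    KRB5CONFIG=/usr/local/bin/krb5-config krb5_config=/usr/local/bin/krb5-config \
    --enable-htcp --enable-icap-client --enable-icmp --enable-ident-lookups --enable-ipv6 --enable-kqueue --with-large-files \
    --enable-http-violations --without-nettle --enable-snmp --enable-ssl --with-openssl=/usr \
    --enable-security-cert-generators=file \
    LIBOPENSSL_CFLAGS=-I/usr/include LIBOPENSSL_LIBS="-lcrypto -lssl" \
    --enable-ssl-crtd --disable-stacktraces --disable-ipf-transparent --disable-ipfw-transparent --enable-pf-transparent \
    --with-nat-devpf --disable-forw-via-db --enable-wccp --enable-wccpv2 \
    --enable-auth-basic="LDAP SASL DB SMB_LM NCSA PAM POP3 RADIUS fake getpwnam" --enable-auth-digest="eDirectory LDAP file" \
    --enable-external-acl-helpers="LDAP_group eDirectory_userip file_userip unix_group delayer kerberos_ldap_group time_quota" \
    --enable-auth-negotiate="kerberos wrapper" --enable-auth-ntlm="fake SMB_LM" \
    --enable-storeio="aufs diskd ufs" --enable-disk-io="DiskThreads DiskDaemon AIO Blocking IpcIo Mmapped" \
    --enable-log-daemon-helpers="file DB" --enable-url-rewrite-helpers="fake LFS" --enable-storeid-rewrite-helpers=file \
    --enable-security-cert-validators=fake \
    --prefix=/usr/local --mandir=/usr/local/man --disable-silent-rules --infodir=/usr/local/share/info/ \
    --build=amd64-portbld-freebsd12.1 build_alias=amd64-portbld-freebsd12.1 \
    CC=cc CPPFLAGS="-I/usr/local/include -I/usr/local/include/db6" \
    CXX=c++ CXXFLAGS="-O2 -pipe -I/usr/local/include -I/usr/local/include/db6 -fstack-protector-strong -DLDAP_DEPRECATED -fno-strict-aliasing" \
    CPP=cpp \
    --enable-ltdl-convenience --host=amd64-portbld-freebsd12.1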

ppenguin commented May 15, 2022

A bit more info/refinements (assuming a clean FreeBSD install):

Get the configure options for squid from the pfSense box:

/usr/local/sbin/squid --version
Squid Cache: Version 4.15
Service Name: squid

This binary uses OpenSSL 1.1.1l-freebsd  24 Aug 2021. For legal restrictions on distribution see https://www.openssl.org/source/license.html

configure options:  '--with-default-user=squid' '--bindir=/usr/local/sbin' '--sbindir=/usr/local/sbin' '--datadir=/usr/local/etc/squid' '--libexecdir=/usr/local/libexec/squid' '--localstatedir=/var' '--sysconfdir=/usr/local/etc/squid' '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid/squid.pid' '--with-swapdir=/var/squid/cache' '--without-gnutls' '--with-included-ltdl' '--enable-auth' '--enable-zph-qos' '--enable-build-info' '--enable-loadable-modules' '--enable-removal-policies=lru heap' '--disable-epoll' '--disable-linux-netfilter' '--disable-linux-tproxy' '--disable-translation' '--disable-arch-native' '--disable-strict-error-checking' '--enable-eui' '--enable-cache-digests' '--enable-delay-pools' '--disable-ecap' '--disable-esi' '--enable-follow-x-forwarded-for' '--with-mit-krb5=/usr/local' 'CFLAGS=-I/usr/local/include -O2 -pipe  -I/usr/local/include -I/usr/local/include -fstack-protector-strong -DLDAP_DEPRECATED -fno-strict-aliasing ' 'LDFLAGS=-L/usr/local/lib  -L/usr/local/lib -L/usr/local/lib -pthread -L/usr/local/lib -lpcreposix -lpcre -Wl,-rpath,/usr/local/lib:/usr/lib  -fstack-protector-strong ' 'LIBS=-lkrb5 -lgssapi_krb5 ' 'KRB5CONFIG=/usr/local/bin/krb5-config' 'krb5_config=/usr/local/bin/krb5-config' '--enable-htcp' '--enable-icap-client' '--enable-icmp' '--enable-ident-lookups' '--enable-ipv6' '--enable-kqueue' '--with-large-files' '--enable-http-violations' '--without-nettle' '--enable-snmp' '--enable-ssl' '--with-openssl=/usr' '--enable-security-cert-generators=file' 'LIBOPENSSL_CFLAGS=-I/usr/include' 'LIBOPENSSL_LIBS=-lcrypto -lssl' '--enable-ssl-crtd' '--disable-stacktraces' '--disable-ipf-transparent' '--disable-ipfw-transparent' '--enable-pf-transparent' '--with-nat-devpf' '--disable-forw-via-db' '--enable-wccp' '--enable-wccpv2'
'--enable-auth-basic=LDAP SASL DB SMB_LM NCSA PAM POP3 RADIUS fake getpwnam' '--enable-auth-digest=eDirectory LDAP file' '--enable-external-acl-helpers=LDAP_group eDirectory_userip file_userip unix_group delayer kerberos_ldap_group' '--enable-auth-negotiate=kerberos wrapper' '--enable-auth-ntlm=fake SMB_LM' '--enable-storeio=aufs diskd ufs' '--enable-disk-io=DiskThreads DiskDaemon AIO Blocking IpcIo Mmapped' '--enable-log-daemon-helpers=file DB' '--enable-url-rewrite-helpers=fake LFS' '--enable-storeid-rewrite-helpers=file' '--enable-security-cert-validators=fake' '--prefix=/usr/local' '--mandir=/usr/local/man' '--disable-silent-rules' '--infodir=/usr/local/share/info/' '--build=amd64-portbld-freebsd12.3' 'build_alias=amd64-portbld-freebsd12.3' 'CC=cc' 'CPPFLAGS=-I/usr/local/include -I/usr/local/include' 'CXX=c++' 'CXXFLAGS=-O2 -pipe -I/usr/local/include -I/usr/local/include -fstack-protector-strong -DLDAP_DEPRECATED -fno-strict-aliasing  ' 'CPP=cpp' --enable-ltdl-convenience

Build (e.g. on a FreeBSD VM)

If you have an "appliance" FreeBSD install without enough disk space (on KVM), first resize the partitions as described in https://marcocetica.com/posts/grow_partitions_freebsd/.

Get squid:

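# Fetch the source over HTTPS together with the signature file published next
# to the release, and verify the tarball before building: the helper built from
# it ends up on the firewall, so an altered download must not go unnoticed.
# gpg --verify needs the Squid release signing key imported first; obtain that
# key from a source you trust independently of this download.
wget https://www.squid-cache.org/Versions/v4/squid-4.15.tar.xz
wget https://www.squid-cache.org/Versions/v4/squid-4.15.tar.xz.asc
gpg --verify squid-4.15.tar.xz.asc squid-4.15.tar.xz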

Install build deps

# Install the build dependencies from FreeBSD packages. db18 supplies the
# headers and libraries that the db18 include/library paths in the configure
# flags below point at.
sudo pkg install pcre perl5 krb5-devel openldap26-client db18
# Configure Squid with the option list reported by `squid --version` on the
# pfSense box, with two changes: time_quota is appended to
# --enable-external-acl-helpers, and the db18 directories are added to CFLAGS,
# CPPFLAGS, CXXFLAGS and LDFLAGS.
# Assumes the squid-4.15 tarball has been unpacked and this is run from the
# top of the source tree; 4.15 is the version the pfSense binary reports, and
# the helper is meant as a drop-in for exactly that build.
#
# NOTE(review): -fstack-protector-strong stays in CFLAGS, CXXFLAGS and LDFLAGS,
# as in the pfSense build; keep it when editing the flags.
# NOTE(review): --enable-http-violations, --enable-follow-x-forwarded-for and
# the "fake" auth / url-rewrite / cert-validator helpers are inherited from the
# pfSense option list. They compile the support in; whether any of it is active
# is presumably decided by squid.conf - confirm on the target box.
# NOTE(review): the --build triplet is copied from the pfSense output
# (freebsd12.3); presumably the build VM should run the same FreeBSD release so
# the helper links against matching system libraries - verify.
./configure --with-default-user=squid --bindir=/usr/local/sbin --sbindir=/usr/local/sbin --datadir=/usr/local/etc/squid \
    --libexecdir=/usr/local/libexec/squid --localstatedir=/var --sysconfdir=/usr/local/etc/squid \
    --with-logdir=/var/log/squid --with-pidfile=/var/run/squid/squid.pid --with-swapdir=/var/squid/cache \
    --without-gnutls --with-included-ltdl --enable-auth --enable-zph-qos --enable-build-info --enable-loadable-modules \
    --enable-removal-policies="lru heap" --disable-epoll --disable-linux-netfilter --disable-linux-tproxy --disable-translation \
    --disable-arch-native --disable-strict-error-checking --enable-eui --enable-cache-digests --enable-delay-pools \
    --disable-ecap --disable-esi --enable-follow-x-forwarded-for --with-mit-krb5=/usr/local \
    CFLAGS="-I/usr/local/include -O2 -pipe -I/usr/local/include/db18 -fstack-protector-strong -DLDAP_DEPRECATED -fno-strict-aliasing" \
    LDFLAGS="-L/usr/local/lib -L/usr/local/lib/db18 -pthread -L/usr/local/lib -lpcreposix -lpcre -Wl,-rpath,/usr/local/lib:/usr/lib -fstack-protector-strong" \
    LIBS="-lkrb5 -lgssapi_krb5" \
    KRB5CONFIG=/usr/local/bin/krb5-config krb5_config=/usr/local/bin/krb5-config \
    --enable-htcp --enable-icap-client --enable-icmp --enable-ident-lookups --enable-ipv6 --enable-kqueue --with-large-files \
    --enable-http-violations --without-nettle --enable-snmp --enable-ssl --with-openssl=/usr \
    --enable-security-cert-generators=file \
    LIBOPENSSL_CFLAGS="-I/usr/include" LIBOPENSSL_LIBS="-lcrypto -lssl" \
    --enable-ssl-crtd --disable-stacktraces --disable-ipf-transparent --disable-ipfw-transparent --enable-pf-transparent \
    --with-nat-devpf --disable-forw-via-db --enable-wccp --enable-wccpv2 \
    --enable-auth-basic="LDAP SASL DB SMB_LM NCSA PAM POP3 RADIUS fake getpwnam" --enable-auth-digest="eDirectory LDAP file" \
    --enable-external-acl-helpers="LDAP_group eDirectory_userip file_userip unix_group delayer kerberos_ldap_group time_quota" \
    --enable-auth-negotiate="kerberos wrapper" --enable-auth-ntlm="fake SMB_LM" \
    --enable-storeio="aufs diskd ufs" --enable-disk-io="DiskThreads DiskDaemon AIO Blocking IpcIo Mmapped" \
    --enable-log-daemon-helpers="file DB" --enable-url-rewrite-helpers="fake LFS" --enable-storeid-rewrite-helpers=file \
    --enable-security-cert-validators=fake \
    --prefix=/usr/local --mandir=/usr/local/man --disable-silent-rules --infodir=/usr/local/share/info/ \
    --build=amd64-portbld-freebsd12.3 build_alias=amd64-portbld-freebsd12.3 \
    CC=cc CPPFLAGS="-I/usr/local/include -I/usr/local/include/db18" \
    CXX=c++ CXXFLAGS="-O2 -pipe -I/usr/local/include -I/usr/local/include/db18 -fstack-protector-strong -DLDAP_DEPRECATED -fno-strict-aliasing" \
    CPP=cpp \
    --enable-ltdl-convenience

Make (and optionally install in a temp dir so it is easier to pick the things to copy over as a drop-in)

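# Build, then stage the install under ./.install rather than into the live
# system, so the files to copy over as a drop-in are easy to pick out.
# The DESTDIR value is quoted so that a working directory containing spaces
# is still passed to make as a single argument.
make && make DESTDIR="$(pwd)/.install" install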

After configure is successful, run make and copy the new extensions (i.e. ext_time_quota_acl) over to the pfSense box (target location: /usr/local/libexec/squid/)
