Make build system and compile Squid 3.5
1) Install Debian 9 (amd64) from net install ISO. Make a minimal installation.
2) apt-get -y update ; apt-get -y upgrade ; apt-get -y install openssh-server net-tools
3) apt-get -y install openssl devscripts build-essential fakeroot libdbi-perl libssl1.0-dev
4) cd ~ ; apt-get source -y squid3 # You may ignore the following warning: W: Download is performed unsandboxed as root as file 'squid3_3.5.23-5+deb9u1.dsc' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)
5) apt-get build-dep -y squid3
6) cd squid3-3.5.23
7) vi debian/rules # Make sure the following flags are defined at the end of "DEB_CONFIGURE_EXTRA_FLAGS":
--with-default-user=proxy \
--enable-ssl \
--enable-ssl-crtd \
--with-openssl \
--disable-ipv6
8) debuild -us -uc # .deb packages will be in ~/

Installation of .deb packages
*) If the target machine is different from the one where you built Squid, install Debian 9 (amd64) from net install ISO. Make a minimal installation.
1) apt-get -y install logrotate net-tools firewalld openssh-server apache2-utils openssl libdbi-perl devscripts
2) cd ~/ ; mv squid3*.deb squid3.deb.NotIncluded ; dpkg -i *.deb # Install the .deb packages created during compilation. You may ignore the errors.
3) apt-get -y install -f
4) mkdir /etc/squid/ssl_cert
cd /etc/squid/ssl_cert
openssl req -new -newkey rsa:2048 -sha256 -days 3650 -nodes -x509 -extensions v3_ca -keyout myCA.pem -out myCA.pem
5) chown -R proxy:proxy /etc/squid/ssl_cert
chmod 700 /etc/squid/ssl_cert
/usr/lib/squid/ssl_crtd -c -s /var/ssl_db -M 4MB
6) chown -R proxy:proxy /var/ssl_db
7) cd /etc/squid ; mv squid.conf squid.conf.orig ; wget http://blog.balcos.net/squid/squid.conf ; wget http://blog.balcos.net/squid/slack.acl ; mkdir /etc/squid/BL
8) Edit "/etc/squid/BL/blacklist" and add the domains you want to blacklist. Each domain should start with a "." (e.g. ".youtube.com"). Put one domain per line.
9) systemctl enable squid.service
10) cd /etc/ssh
cp -p sshd_config sshd_config.orig
vi sshd_config
# Configure the following in sshd_config:
Port 2222
ListenAddress 0.0.0.0
PermitRootLogin no
11) systemctl restart sshd.service
12) firewall-cmd --zone=public --change-interface=enp0s3 --permanent # Substitute proper interface name
firewall-cmd --zone=public --add-port=2222/tcp --permanent
firewall-cmd --zone=public --add-port=8080/tcp --permanent
firewall-cmd --zone=public --add-port=8081/tcp --permanent
firewall-cmd --zone=public --remove-service=ssh --permanent
firewall-cmd --zone=public --remove-service=dhcpv6-client --permanent
systemctl enable firewalld.service
systemctl restart squid.service
systemctl restart firewalld.service # If you're connected via SSH, you will be blocked here. Reconnect SSH at port 2222.
13) apt-mark hold squid3 squid squid-cgi squidclient squid-common squid-dbg squid-purge
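
A lint pass for the blacklist file from step 8, run before restarting Squid. This is an added example, not part of the original page; check_blacklist is a hypothetical helper, and it assumes the downloaded squid.conf loads the file as a dstdomain ACL, where an entry under an already listed parent domain is redundant.

```shell
#!/bin/sh
# Added example, not part of the original page or of Squid.
# check_blacklist is a hypothetical helper name.
# Prints "<line>: <problem>: <entry>" per finding; returns 1 if any were found.
check_blacklist() {
    awk '
    function bad(line, why, entry) { printf "%d: %s: %s\n", line, why, entry; n++ }
    { sub(/\r$/, "") }                  # tolerate CRLF line endings
    /^[ \t]*(#|$)/ { next }             # skip comments and blank lines
    {
        d = tolower($0)
        if (d !~ /^\./) { bad(NR, "missing leading dot", d); next }
        if (d !~ /^(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$/) { bad(NR, "not a valid domain", d); next }
        if (d in seen) { bad(NR, "duplicate of line " seen[d], d); next }
        seen[d] = NR
    }
    END {
        # An entry is redundant when a shorter entry (a parent domain) is listed too.
        for (d in seen) {
            p = d
            while ((i = index(substr(p, 2), ".")) > 0) {
                p = substr(p, i + 1)
                if (p in seen) { bad(seen[d], "already covered by " p, d); break }
            }
        }
        exit (n > 0)
    }' "$1"
}

# Constructed sample input, not a real blacklist.
sample=$(mktemp)
printf '%s\n' '.youtube.com' 'facebook.com' '.www.youtube.com' > "$sample"
check_blacklist "$sample" || echo "blacklist needs fixing before restarting Squid"
rm -f "$sample"
```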

To create Squid proxy users:
htpasswd -c /etc/squid/.htpasswd user1
htpasswd /etc/squid/.htpasswd user2
htpasswd /etc/squid/.htpasswd user3

Create a DER-encoded certificate to import into users' browsers
1) cd /etc/squid/ssl_cert ; openssl x509 -in myCA.pem -outform DER -out myCA.der
2) The result file (myCA.der) should be imported into the 'Authorities' section of users' browsers.

For Internet Explorer:
Tools -> Internet Options -> Content -> Certificates
Click on Import, select the myCA.der file, and make sure that you import it into
"Root Trusted Certificates" -or- "Trusted Root Certification Authorities". Close down the browser and try
www.grc.com, for example.

For Mozilla Firefox:
Edit -> Preferences -> Advanced -> Certificates -> View Certificates
Import
(x) Trust this CA to identify websites
(x) Trust this CA to identify email users
(x) Trust this CA to identify software developers
Click OK and you are done.

For Google Chrome: same as Internet Explorer.
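
myCA.pem holds the CA private key next to the certificate, so only myCA.der should ever leave the proxy. The following check is an added example, not part of the original page: ca_export_ok is a hypothetical helper that verifies the exported file before it is handed to users and prints the SHA-256 fingerprint they can compare in the browser's import dialog.

```shell
#!/bin/sh
# Added example: checks on the CA export before myCA.der goes to users.
# ca_export_ok is a hypothetical helper name; file names follow the page.
# Usage: ca_export_ok /etc/squid/ssl_cert/myCA.pem /etc/squid/ssl_cert/myCA.der

ca_export_ok() {
    pem=$1
    der=$2

    # The PEM holds the CA private key: no group/other permission bits allowed.
    [ "$(ls -ld "$pem" | cut -c5-10)" = "------" ] ||
        { echo "FAIL: $pem is accessible beyond its owner"; return 1; }

    # The file handed to users must not contain key material.
    if grep -q 'PRIVATE KEY' "$der"; then
        echo "FAIL: $der contains a private key"; return 1
    fi

    # It must parse as a DER certificate and be marked as a CA.
    openssl x509 -inform DER -in "$der" -noout -text 2>/dev/null |
        grep -q 'CA:TRUE' ||
        { echo "FAIL: $der is not a DER-encoded CA certificate"; return 1; }

    # Both files must hold the same certificate.
    fp_pem=$(openssl x509 -in "$pem" -noout -fingerprint -sha256) || return 1
    fp_der=$(openssl x509 -inform DER -in "$der" -noout -fingerprint -sha256) || return 1
    [ "$fp_pem" = "$fp_der" ] ||
        { echo "FAIL: $der does not match the certificate in $pem"; return 1; }

    # Publish this value so users can compare it when importing the CA.
    echo "OK: ${fp_der#*=}"
}

# Run the check when the script is called with both paths.
if [ $# -eq 2 ]; then
    ca_export_ok "$1" "$2"
fi
```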

To correct /etc/squid/errorpage.css
cd /etc/squid ; cp -p errorpage.css errorpage.css.orig ; vi errorpage.css # Do the following:

Change: background: url('/squid-internal-static/icons/SN.png') no-repeat left;
To: background: url('http://www.squid-cache.org/Artwork/SN.png') no-repeat left;
-or set to-
#titles {
margin-left: 15px;
padding: 10px;
padding-left: 0px;
}

To install SARG (Source: https://www.server-world.info/en/note?os=Debian_9&p=squid&f=8 )
1) apt -y install sarg
2) cp -p /etc/sarg/sarg.conf /etc/sarg/sarg.conf.orig ; vi /etc/sarg/sarg.conf +120 # uncomment the first line below and comment out the second
output_dir /var/www/html/squid-reports
#output_dir /var/lib/sarg
3) vi /etc/sarg/sarg.conf +132 #add
resolve_ip yes
4) vi /etc/sarg/sarg.conf +377 #change
charset UTF-8
5) vi /etc/sarg/exclude_hosts #write hosts you'd like to exclude from log reports
127.0.0.1
6) vi /etc/apache2/conf-available/sarg.conf #create new

<Directory "/var/www/html/squid-reports">
Options FollowSymLinks

# add access permission
# Require local
# Require ip 10.0.0.0/24

AuthUserFile /var/www/html/.htpasswd
AuthType Basic
AuthName "Secured Site"
Require valid-user
</Directory>

7) cp -p /etc/apache2/apache2.conf /etc/apache2/apache2.conf.orig ; vi /etc/apache2/apache2.conf # Make sure the following is set in the file:
<Directory /var/www/>
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>
8) mkdir /var/www/html/squid-reports
9) htpasswd -c /var/www/html/.htpasswd admin
10) a2enconf sarg
11) systemctl reload apache2
12) /usr/bin/sarg # Generate HTML pages.
13) firewall-cmd --zone=public --add-port=80/tcp --permanent
firewall-cmd --zone=public --add-port=443/tcp --permanent
systemctl restart firewalld.service

To install Light Squid (Source: https://www.server-world.info/en/note?os=Debian_9&p=squid&f=7 )
1) apt -y install lightsquid libcgi-pm-perl
2) cp -p /etc/lightsquid/lightsquid.cfg /etc/lightsquid/lightsquid.cfg.orig ; vi /etc/lightsquid/lightsquid.cfg +23 # line 23: change the path to the log file

$logpath ="/var/log/squid";
3) vi /etc/apache2/conf-available/lightsquid.conf # Make the "Location" section look like the following:

<Location "/lightsquid/">
# add the following
Options FollowSymLinks ExecCGI

AddHandler cgi-script .cgi .pl
# Require local
# Require ip 10.0.0.0/24

AuthUserFile /var/www/html/.htpasswd
AuthType Basic
AuthName "Secured Site"
Require valid-user
</Location>

4) a2enmod cgi
5) a2enconf lightsquid
6) systemctl restart apache2
7) /usr/share/lightsquid/lightparser.pl # Generate HTML pages.
8) vi /usr/lib/cgi-bin/lightsquid/.htaccess
AuthUserFile /var/www/html/.htpasswd
AuthType Basic
AuthName "Secured Site"
Require valid-user

To make Shalla Blacklist work:
https://github.com/marcopaganini/shalla2squid/blob/master/shalla2squid