Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. It reduces bandwidth and improves response times by caching and reusing frequently-requested web pages. Squid has extensive access controls and makes a great server accelerator. It runs on most available operating systems, including Windows and is licensed under the GNU GPL.
Step 1: Install Packages
The Squid package is included in the default Debian/Ubuntu repositories. To install it, run:
# apt install squid
Enable the service and start it:
# systemctl enable squid
# systemctl start squid
Step 2: Configure Squid Network Access
In the /etc/squid/squid.conf configuration file, define the proper local networks and remove all other entries.
# Define local networks
acl corporatenet src 192.168.0.0/16   # RFC 1918 local private network (LAN)
acl localnet src fc00::/7             # RFC 4193 local private network range
acl localnet src fe80::/10            # RFC 4291 link-local (directly plugged) machines
....
# Allow locally defined networks
http_access allow corporatenet
Step 3: Configure Parameters
X-Forwarded-For
Configure Squid not to append your client’s IP address to the HTTP requests it forwards:
# If set to "on", Squid will append your client's IP address
# in the HTTP requests it forwards. By default it looks like:
#
# X-Forwarded-For: 192.1.2.3
#
# If set to "off", it will appear as
#
# X-Forwarded-For: unknown
#
# If set to "transparent", Squid will not alter the
# X-Forwarded-For header in any way.
#
# If set to "delete", Squid will delete the entire
# X-Forwarded-For header.
#
# If set to "truncate", Squid will remove all existing
# X-Forwarded-For entries, and place the client IP as the sole entry.
forwarded_for off
SNMP
Configure Squid so that it can be queried by SNMP daemons in order to provide statistics and other information:
# The port number where Squid listens for SNMP requests. To enable
# SNMP support set this to a suitable port number. Port number
# 3401 is often used for the Squid SNMP agent. By default it's
# set to "0" (disabled)
snmp_port 3401

# snmp_incoming_address is used for the SNMP socket receiving
# messages from SNMP agents.
snmp_incoming_address 192.168.0.232

# acl aclname snmp_community string ...
# A community string to limit access to your SNMP Agent [fast]
acl snmppublic snmp_community corporatero

# Allowing or denying access to the SNMP port.
snmp_access allow snmppublic localhost
snmp_access allow snmppublic corporatenet
snmp_access deny all
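Squid evaluates each access list (http_access, snmp_access) top to bottom and the first matching rule wins, so the closing "deny all" in Step 2 and in the SNMP block above is what keeps unmatched clients out. The following added script (example code, not part of this how-to or of the Squid project) lints those points over a config passed as a string: it checks that each access list ends with "deny all", reports the effective forwarded_for value (Squid's default is "on" when the directive is absent), and flags src ACLs that are defined but never allowed, such as a localnet ACL left over from the stock config. The SAMPLE_CONF fragment is constructed from the lines above; to lint a live host, call lint_conf "$(cat /etc/squid/squid.conf)" instead.

```shell
#!/bin/sh
# Added example, not part of the original how-to: a small lint for the access
# directives shown in Steps 2 and 3. Works on config text passed as a string,
# so it can be run against "$(cat /etc/squid/squid.conf)" or the sample below.

# Constructed squid.conf fragment combining the page's ACL, forwarded_for and
# SNMP lines (sample input, not a real deployment).
SAMPLE_CONF="$(cat <<'EOF'
# Define local networks
acl corporatenet src 192.168.0.0/16
acl localnet src fc00::/7
acl localnet src fe80::/10
http_access allow corporatenet
http_access deny all
forwarded_for off
snmp_port 3401
acl snmppublic snmp_community corporatero
snmp_access allow snmppublic localhost
snmp_access allow snmppublic corporatenet
snmp_access deny all
EOF
)"

# Print the last occurrence of directive $2 in config text $1 with whitespace
# normalised (the final *_access line decides what happens to unmatched traffic).
last_directive() {
  printf '%s\n' "$1" | awk -v d="$2" '
    $1 == d { line = $0 }
    END { if (line != "") { $0 = line; $1 = $1; print } }'
}

# 0 when the $2 access list (http_access, snmp_access, ...) closes with
# "deny all"; otherwise unmatched clients fall through to Squid's default.
access_ends_with_deny_all() {
  [ "$(last_directive "$1" "$2")" = "$2 deny all" ]
}

# Effective forwarded_for value; Squid's default is "on" when the directive is absent.
forwarded_for_value() {
  printf '%s\n' "$1" | awk '$1 == "forwarded_for" { v = $2 } END { print (v == "" ? "on" : v) }'
}

# src ACLs that are defined but never named in any "*_access allow" line.
unreferenced_src_acls() {
  printf '%s\n' "$1" | awk '
    $1 == "acl" && $3 == "src" { defined[$2] = 1 }
    $1 ~ /_access$/ && $2 == "allow" {
      for (i = 3; i <= NF; i++) { n = $i; sub(/^!/, "", n); used[n] = 1 }
    }
    END { for (a in defined) if (!(a in used)) print a }' | sort
}

# Human-readable report over a config string.
lint_conf() {
  conf=$1
  for list in http_access snmp_access; do
    if access_ends_with_deny_all "$conf" "$list"; then
      echo "ok:   $list ends with 'deny all'"
    else
      echo "WARN: $list does not end with 'deny all'"
    fi
  done
  echo "info: forwarded_for is $(forwarded_for_value "$conf")"
  for a in $(unreferenced_src_acls "$conf"); do
    echo "info: src ACL '$a' is defined but never allowed"
  done
  return 0
}

lint_conf "$SAMPLE_CONF"
```

On the sample the report shows both lists closing with "deny all", forwarded_for set to off, and localnet as a defined-but-unused ACL, which is exactly the leftover Step 2 tells you to remove.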
Authentication: Active Directory
Make sure the host's environment is properly configured for Kerberos and related services, preferably with SSSD already configured and working. Use the following command to log in to Kerberos as the Domain Administrator, so that new Kerberos keys can be created for the proxy server:
# kinit administrator
Create the new Kerberos keys for Squid:
# msktutil -c -b "CN=COMPUTERS" -s HTTP/proxy.company.org -k /etc/squid/PROXY.keytab \
    --computer-name proxy --upn HTTP/proxy.company.org --server dc1.company.org --verbose
Set the appropriate ownership and permissions on the keytab so that only Squid's group can read it:
# chgrp proxy /etc/squid/PROXY.keytab
# chmod g+r /etc/squid/PROXY.keytab
Destroy the administrator credentials used to create the account.
# kdestroy
On the Windows server, reset the computer account in AD by right-clicking the host's Computer object and selecting “Reset Account”. Then run msktutil as follows to confirm that the keytab is updated as expected and that msktutil is reading its settings from /etc/krb5.conf correctly. This step is not strictly necessary, but it is useful to verify that msktutil works as expected:
# msktutil --auto-update --verbose --computer-name proxy -k /etc/squid/PROXY.keytab
Edit Squid's init script to export the KRB5_KTNAME variable so that Squid knows where to find the Kerberos keytab. On Debian the simplest way to do that is to define it in the defaults file /etc/default/squid:
KRB5_KTNAME=/etc/squid/PROXY.keytab
export KRB5_KTNAME
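The keytab holds the proxy's HTTP/ service key, so the ownership and permissions set above are what stop other local users from reading it, and the exported KRB5_KTNAME is what lets Squid find it at all. The following added script (example code, not part of this how-to or of msktutil/Squid) checks those three things for the keytab path used above: that the file is readable by its group but not by "other", that KRB5_KTNAME points at a readable file, and, when the klist tool from krb5-user is installed, that the keytab actually contains an HTTP/ principal. It assumes GNU stat (with a BSD stat fallback) and the /etc/squid/PROXY.keytab path from the steps above.

```shell
#!/bin/sh
# Added example, not part of the original how-to: sanity checks for the keytab
# and environment set up in the Active Directory steps above. Assumes GNU or
# BSD stat and, for the principal check only, klist from krb5-user.

# Numeric permission bits (e.g. 640) of a file, without leading zeros.
file_mode() {
  m=$(stat -c '%a' "$1" 2>/dev/null) || m=$(stat -f '%Lp' "$1") || return 1
  printf '%s\n' "$m" | sed 's/^0*\([0-7]\)/\1/'
}

# 0 when the keytab follows the scheme above (readable by its group, the proxy
# group, and not accessible by "other"); a world-readable keytab hands the
# HTTP/ service key to every local user.
keytab_perms_ok() {
  m=$(file_mode "$1") || return 1
  other=$(( m % 10 ))
  group=$(( (m / 10) % 10 ))
  [ "$other" -eq 0 ] && [ $(( group & 4 )) -ne 0 ]
}

# 0 when KRB5_KTNAME (exported from /etc/default/squid) names a readable file.
ktname_ok() {
  [ -n "${KRB5_KTNAME:-}" ] && [ -r "$KRB5_KTNAME" ]
}

# 0 when the keytab holds an HTTP/ service principal; 2 when klist is absent.
keytab_has_http_principal() {
  command -v klist >/dev/null 2>&1 || return 2
  klist -k "$1" 2>/dev/null | grep -q 'HTTP/'
}

# Report on a keytab path (default: the path used in the steps above).
check_keytab() {
  kt=${1:-/etc/squid/PROXY.keytab}
  if [ ! -e "$kt" ]; then
    echo "WARN: $kt does not exist"
    return 0
  fi
  if keytab_perms_ok "$kt"; then
    echo "ok:   $kt mode $(file_mode "$kt")"
  else
    echo "WARN: $kt mode $(file_mode "$kt") (expected group-readable, not world-accessible)"
  fi
  if ktname_ok; then
    echo "ok:   KRB5_KTNAME=$KRB5_KTNAME"
  else
    echo "WARN: KRB5_KTNAME unset or does not name a readable file"
  fi
  if keytab_has_http_principal "$kt"; then
    echo "ok:   HTTP/ principal present in $kt"
  elif [ $? -eq 2 ]; then
    echo "info: klist not installed, principal check skipped"
  else
    echo "WARN: no HTTP/ principal found in $kt"
  fi
  return 0
}

check_keytab "${1:-}"
```

Run it as root after the chgrp/chmod step, sourcing /etc/default/squid first (". /etc/default/squid") so the KRB5_KTNAME check sees the same value Squid will.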
Step 4: Test and Restart
Once the configuration has been completed, check that it parses cleanly using the following command:
# squid -k parse
Once the configuration parses without errors, it can be reloaded without restarting Squid using the command:
# squid -k reconfigure
If you want to restart the service instead, run:
# systemctl restart squid