In many cases, the basic configuration we've seen in the previous chapter can be sufficient for accelerating web access and protecting the network, but Squid can do much more. Below are just a few of the many things Squid can do.
Though most people implement only very basic access control, Squid's access system is very powerful and flexible, allowing for in-depth filtering of access to cache resources. So far we have mainly dealt with ACLs that filter based on source IP address or destination port, but there are many other ACL types. In this section, we will take a brief look at the main ones, just to get an idea of what Squid ACLs can do; for a more detailed and comprehensive description of Squid ACLs, please refer to the documentation.
A Squid ACL is made up of at least four fields: the acl keyword, followed by a (possibly descriptive) unique name, the ACL type and one or more decision strings. Thus, the overall syntax of Squid ACLs looks like:
acl name type (string|"filename") [string2] [string3] ["filename2"]
An ACL containing multiple decision strings will return true if any of the decision strings matches (i.e. decision strings are ORed together). To avoid cluttering the configuration file with hundreds of ACL lines, you can specify the full pathname of a file (in double quotes) containing the decision strings one per line.
Listed below are the most commonly used ACL types:
# "Traditional" notation
acl myNet1 src 192.168.0.0/255.255.255.0
# Address range with CIDR notation
acl myNet2 src 172.16.0.0-172.16.2.0/24
# Filtering on destination address
acl badNet dst 10.0.0.0/24

# Match a specific site
acl badDomain dstdomain forbidden.site
# Match the IP address of "forbidden.site"
acl badDomainIP dst 1.2.3.4

# Match domains containing the word "sex" and a ".com" TLD (the match is case
# insensitive because of the '-i' flag)
acl badSites dstdom_regex -i sex.*\.com$
# Match the most common video file extensions
acl movies urlpath_regex -i \.avi$ \.mpg$ \.mpeg$ \.wmv$ \.asf$ \.mov$
# Match JPG images from URLs containing the word "sex"
acl sexImg url_regex -i sex.*\.jpg$
acl name time [day-list] [start_hour:minute-end_hour:minute]
acl workhours time MTWHF 08:00-18:00
acl weekend time SA
acl morning time 07:00-13:00
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 70 210 280 488 591 777 1024-65535
acl www proto HTTP SSL
acl ftp proto FTP
# Deny CONNECT to other than SSL ports
acl connect method CONNECT
http_access deny connect !SSL_ports
$ telnet bad.proxy.tld 3128
Trying 1.2.3.4...
Connected to bad.proxy.tld.
Escape character is '^]'.
CONNECT telnet.server.tld:23 HTTP/1.1
# Deny access to MS Internet Explorer
acl MSIE browser MSIE
http_access deny MSIE
# /usr/bin/htpasswd -c /etc/squid/squid.passwd danix
New password: dAn1x
Re-type new password: dAn1x
Adding password for user danix
#
# Configure traditional (basic) proxy authentication
auth_param basic program /usr/local/libexec/ncsa_auth /etc/squid/squid.passwd
# Number of authenticator processes to spawn
auth_param basic children 5
# Realm to be reported to the client
auth_param basic realm Squid proxy-caching web server
# Usernames are case insensitive
auth_param basic casesensitive off
# Credentials time to live
auth_param basic credentialsttl 12 hours
# Using REQUIRED will accept any valid username
acl AUTH proxy_auth REQUIRED
# Don't require authentication to localhost
http_access allow localhost
# Only allow authenticated requests coming from the LAN
http_access allow AUTH lan
# Default deny
http_access deny all
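The auth_param basic program line above delegates password checking to an external helper (ncsa_auth, reading the file written by htpasswd). The following Python program is an added example, not the helper shipped with Squid, that implements the same helper contract: Squid writes one "username password" line per lookup to the helper's stdin (newer Squid versions URL-encode both fields, which the helper decodes) and expects "OK" or "ERR" back. The password store uses the {SHA} format that htpasswd -s produces and ncsa_auth accepts; the two user entries are constructed for the example, and the function names are this example's own.

```python
"""A minimal Squid basic-auth helper, in the style of ncsa_auth.

Added example, not the helper shipped with Squid.  It follows the contract of
'auth_param basic program': Squid writes one "username password" line per
request to the helper's stdin (both fields URL-encoded) and reads back "OK"
or "ERR".  Credentials are stored in htpasswd's {SHA} format (htpasswd -s),
which ncsa_auth also accepts; the entries below are constructed for this example.
"""
import base64
import hashlib
import hmac
import sys
from urllib.parse import unquote


def sha_entry(user, password):
    """Return a line in the {SHA} format that 'htpasswd -s' writes."""
    digest = hashlib.sha1(password.encode()).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode()}"


# Constructed stand-in for /etc/squid/squid.passwd
SAMPLE_PASSWD = "\n".join([sha_entry("danix", "dAn1x"), sha_entry("alice", "correct horse")]) + "\n"


def load_passwd(text):
    """Parse "user:hash" lines into a dict; comments and malformed lines are ignored."""
    db = {}
    for line in text.splitlines():
        if ":" in line and not line.startswith("#"):
            user, _, hashed = line.partition(":")
            db[user] = hashed
    return db


def verify(db, user, password):
    """True if the password matches the stored {SHA} hash for user."""
    stored = db.get(user, "")
    if not stored.startswith("{SHA}"):
        return False  # unknown user, or a hash scheme this example does not handle
    candidate = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
    return hmac.compare_digest(stored[len("{SHA}"):], candidate)


def handle_line(db, line):
    """Process one helper-protocol request line and return the reply Squid expects."""
    parts = line.rstrip("\r\n").split(" ", 1)
    if len(parts) != 2:
        return "ERR"
    user, password = (unquote(p) for p in parts)  # undo Squid's URL-encoding
    return "OK" if verify(db, user, password) else "ERR"


def main():
    db = load_passwd(SAMPLE_PASSWD)
    for line in sys.stdin:  # Squid keeps the helper alive and feeds it one line per lookup
        print(handle_line(db, line), flush=True)


if __name__ == "__main__":
    main()
```

Run it and type `danix dAn1x` to get `OK`; anything else yields `ERR`. Two things worth noticing from a defender's point of view: the helper receives the clear-text password on every lookup (basic authentication only base64-encodes it on the wire), which is why the configuration above restricts authenticated access to the LAN; and {SHA} is used here only because it needs nothing beyond the standard library. It is unsalted, so a real password file should use one of the salted schemes htpasswd offers.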
# Address of the cache administrator
acl snmpManager src 172.16.0.100
# Non-sensitive information
acl SNMPPublic snmp_community public
# Allow any request from the cache administrator
snmp_access allow snmpManager
# Clients on the LAN can only query non-sensitive information
snmp_access allow SNMPPublic lan
# Default deny
snmp_access deny all
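To see how the ACL types above combine on http_access and snmp_access lines (the same snmp_access rules reappear in the SNMP section later on), here is an added Python evaluator that is not part of Squid: it parses a constructed squid.conf fragment made of rules from this section and applies the matching semantics described in the text (decision strings on one acl line are ORed, ACL names on one access line are ANDed, lines are tried top-down and the first full match decides). The request is a plain dict of the fields the supported types look at; types such as time, browser and proxy_auth are deliberately not modelled, and the class and function names are the example's own.

```python
"""Evaluator modelling Squid's acl / http_access / snmp_access semantics.

Added example, not Squid's own code.  Decision strings on one acl line are ORed,
ACL names on one access line are ANDed, and access lines are tried top-down with
the first full match deciding.  ACL types not handled in Acl._match_one raise.
"""
import ipaddress
import re

# Constructed squid.conf fragment built from the rules shown in the text.
SAMPLE_CONF = r"""
acl all src all
acl lan src 172.16.0.0/24
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 70 210 280 488 591 777 1024-65535
acl connect method CONNECT
acl badSites dstdom_regex -i sex.*\.com$
acl snmpManager src 172.16.0.100
acl SNMPPublic snmp_community public
http_access deny connect !SSL_ports
http_access deny badSites
http_access allow lan Safe_ports
http_access deny all
snmp_access allow snmpManager
snmp_access allow SNMPPublic lan
snmp_access deny all
"""

REGEX_SUBJECT = {"dstdom_regex": "dstdomain", "url_regex": "url", "urlpath_regex": "path"}


class Acl:
    def __init__(self, name, kind, args):
        self.name, self.kind, self.ci, self.strings = name, kind, False, []
        self.extend(args)

    def extend(self, args):
        # "-i" makes regex types case-insensitive; everything else is a decision string
        if args and args[0] == "-i":
            self.ci, args = True, args[1:]
        self.strings.extend(args)

    def _match_one(self, s, req):
        k = self.kind
        if k in ("src", "dst"):
            if not req.get(k):
                return False
            # "all" matches any address; CIDR and dotted-netmask forms both parse here
            return s == "all" or ipaddress.ip_address(req[k]) in ipaddress.ip_network(s, strict=False)
        if k == "dstdomain":
            d, s = (req.get("dstdomain") or "").lower(), s.lower()
            return d.endswith(s) if s.startswith(".") else d == s  # ".x.com" covers subdomains
        if k in REGEX_SUBJECT:
            flags = re.IGNORECASE if self.ci else 0
            return re.search(s, req.get(REGEX_SUBJECT[k]) or "", flags) is not None
        if k == "port":
            lo, _, hi = s.partition("-")  # "80" or "1024-65535"
            return int(lo) <= req.get("port", -1) <= int(hi or lo)
        if k in ("method", "proto"):
            return (req.get(k) or "").upper() == s.upper()
        if k == "snmp_community":
            return req.get("community") == s
        raise ValueError(f"ACL type {k!r} is not modelled by this example")

    def matches(self, req):
        return any(self._match_one(s, req) for s in self.strings)  # ORed


def parse_conf(text):
    """Collect acl definitions and access lines; comments and other directives are skipped."""
    acls, rules = {}, {"http_access": [], "snmp_access": []}
    for raw in text.splitlines():
        tok = raw.split("#", 1)[0].split()
        if not tok:
            continue
        if tok[0] == "acl":
            if tok[1] in acls:
                acls[tok[1]].extend(tok[3:])  # a repeated acl line adds decision strings
            else:
                acls[tok[1]] = Acl(tok[1], tok[2], tok[3:])
        elif tok[0] in rules:
            rules[tok[0]].append((tok[1], tok[2:]))
    return acls, rules


def check(acls, rules, list_name, req):
    """Return "allow" or "deny" for req; with no match Squid applies the opposite of
    the last line's action (deny for an empty list), which a final "deny all" avoids."""
    lines = rules[list_name]
    if not lines:
        return "deny"
    for action, refs in lines:
        # every ACL named on the line must match; a leading "!" negates one of them
        if all(acls[r.lstrip("!")].matches(req) != r.startswith("!") for r in refs):
            return action
    return "deny" if lines[-1][0] == "allow" else "allow"


if __name__ == "__main__":
    acls, rules = parse_conf(SAMPLE_CONF)
    # the CONNECT probe shown earlier in the text, coming from a LAN client
    probe = {"src": "172.16.0.5", "method": "CONNECT", "dstdomain": "telnet.server.tld", "port": 23}
    print("CONNECT telnet.server.tld:23 ->", check(acls, rules, "http_access", probe))
```

Running it shows the CONNECT probe to port 23 being refused by the `deny connect !SSL_ports` line while a CONNECT to port 443 falls through to `allow lan Safe_ports`; swapping the order of the two lines in SAMPLE_CONF, or dropping the final `deny all`, changes the answers, which is exactly the kind of mistake a check like this catches before the configuration reaches the proxy.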
According to the documentation, enabling Squid's Accelerator Mode can be useful only in a limited set of circumstances:
Besides these cases, enabling the accelerator mode is strongly discouraged. The configuration is very simple; below is a sample configuration of a Squid server accelerating requests to a slow web server.
# In accelerator mode, Squid usually listens on the standard www port
http_port 80 accel vhost
# Do the SSL work at the accelerator level. To create the certificates, run:
# openssl req -x509 -newkey rsa:2048 -keyout squid.key -out squid.crt \
#     -days 365 -nodes
https_port 443 cert=/etc/ssl/squid.crt key=/etc/ssl/private/squid.key
# Accelerated server address and port
cache_peer 172.16.1.217 parent 80 0 no-query originserver
# Do not rewrite 'Host:' headers
url_rewrite_host_header off
# Process multiple requests for the same URI as one request
collapsed_forwarding on
# Allow requests when they are to the accelerated machine AND to the
# right port
acl webSrv dst 172.16.1.217
acl webPrt port 80
acl all src all
http_access allow webSrv webPrt
http_access allow all
always_direct allow webSrv
Transparent caching means having a filtering device, such as a router or a firewall, silently redirect web traffic to the cache server. Clients are unaware of the proxy sitting between them and the web server and believe they're talking directly to the server.
As a consequence, transparent caching doesn't require any configuration on the client side, thus making maintenance much easier and faster. On the other hand, however, a transparently intercepting proxy can't use authentication or transparently proxy the HTTPS protocol.
Before configuring Squid, we will need to enable web traffic redirection on our firewalls (the involved firewalls are those between the LAN, where clients reside, and the DMZ, where the cache server is placed). Below are some sample rules for the pf.conf(5) file:
[...]
# LAN interface
lan_if = rl1
# Cache server and port
cache_srv = proxy.kernel-panic.it
cache_port = 3128
# Transparently redirect web traffic to the cache server
pass in on $lan_if proto tcp from $lan_if:network to any port www \
    rdr-to $cache_srv port $cache_port
[...]
Squid configuration is quite simple:
# Port on which connections are redirected
http_port 3128 transparent
SNMP is a set of protocols for network management and monitoring. If you installed the "snmp" flavor of the Squid package, the proxy will be able to serve statistics and status information via SNMP.
SNMP configuration is rather simple:
# By default, Squid listens for SNMP packets on port 3401, to avoid conflicting
# with any other SNMP agent listening on the standard port 161.
snmp_port 3401
# Address to listen on (0.0.0.0 means all interfaces)
snmp_incoming_address 0.0.0.0
# Address to reply on (255.255.255.255 means the same as snmp_incoming_address)
# Only change this if you want to have SNMP replies sent using another address
# than where Squid listens for SNMP queries.
# snmp_incoming_address and snmp_outgoing_address can't have the same value
# since they both use port 3401.
snmp_outgoing_address 255.255.255.255
# Configuring access control is strongly recommended since some SNMP
# information is confidential
acl all src all
acl lan src 172.16.0.0/24
acl snmpManager src 172.16.0.100
acl publicCommunity snmp_community public
snmp_access allow snmpManager
snmp_access allow publicCommunity lan
snmp_access deny all
You can test whether SNMP is working with the snmpwalk program (snmpwalk is part of the NET-SNMP project). E.g.:
# snmpwalk -c public -v 1 proxy.kernel-panic.it:3401 .1.3.6.1.4.1.3495.1.1
SNMPv2-SMI::enterprises.3495.1.1.1.0 = INTEGER: 356
SNMPv2-SMI::enterprises.3495.1.1.2.0 = INTEGER: 744
SNMPv2-SMI::enterprises.3495.1.1.3.0 = Timeticks: (540791) 1:30:07.91
#
Please refer to the documentation for a detailed explanation of the output from the snmpwalk command.