Squid
    Article summary

    This guide explains how to configure Squid 6.x to work with the Glasswall Halo ICAP Server, enabling advanced threat protection through content disarm and reconstruction (CDR).

    Note: This guide is based on Squid version 6.x built with OpenSSL. For comprehensive Squid configuration options, refer to the official Squid documentation.

    Squid 6.x Integration with Glasswall Halo ICAP Server Guide

    Step 1 - Basic Configuration

    To begin, locate and edit your Squid configuration file, typically found at:

    • /etc/squid/squid.conf
    • or /etc/squid5/squid.conf

    1. Enable acl localnet

    Uncomment or add the following lines to define access control lists for common local networks:

    acl localnet src 10.0.0.0/8
    acl localnet src 172.16.0.0/12
    acl localnet src 192.168.0.0/16
    acl localnet src fc00::/7
    acl localnet src fe80::/10
    
    acl SSL_ports port 443
    acl Safe_ports port 80
    acl Safe_ports port 21
    acl Safe_ports port 443
    acl Safe_ports port 70
    acl Safe_ports port 210
    acl Safe_ports port 1025-65535
    acl Safe_ports port 280
    acl Safe_ports port 488
    acl Safe_ports port 591
    acl Safe_ports port 777
    acl CONNECT method CONNECT
    

    2. Allow Local Network Access

    Add the following lines under the "Recommended minimum access permission configuration" section so that traffic from localnet and localhost is allowed and everything else is denied:

    http_port 3128
    http_access allow localnet
    http_access allow localhost
    http_access deny all
    

    3. Enable ICAP and Configure Preview Size

    To enable ICAP and configure preview settings, add these lines anywhere in squid.conf:

    icap_enable on
    icap_send_client_ip on
    icap_preview_enable on
    icap_preview_size 0
    icap_service_failure_limit -1
    

    4. Configure Request Modification (Upload Mode)

    Add the following to enable request modification via the Halo ICAP server:

    icap_service glasswall_req reqmod_precache bypass=0 icap://<Halo ICAP Server>:1344/req-cdr-service
    adaptation_access glasswall_req allow all
    

    5. Configure Response Modification (Download Mode)

    Similarly, add the following for response modification:

    icap_service glasswall_resp respmod_precache bypass=0 icap://<Halo ICAP Server>:1344/req-cdr-service
    adaptation_access glasswall_resp allow all
    

    Step 2 - Persistent Connections

    Squid 6.x supports persistent ICAP connections by default. You can explicitly enable or disable this behavior:

    icap_persistent_connections on
    

    Tip: If you enable persistent connections in Squid, ensure that the same setting is configured on the ICAP server to avoid communication errors.


    Step 3 - Restart Squid

    After saving your configuration changes, restart Squid to apply them:

    sudo systemctl restart squid
    

    Step 4 - Troubleshooting Common Issues (Optional)

    If you encounter ICAP-related errors in your Squid logs such as:

    essential ICAP service is down after an options fetch failure: icap://<Halo ICAP Server>:1344/req-cdr-service [down,!opt]
    

    This indicates that Squid could not complete the ICAP OPTIONS fetch it uses to check the service, which usually means a connection issue between Squid and the ICAP server. To mitigate:

    • Verify you are using the latest stable release of Squid 6.x.
    • If persistent connections are causing the issue, disable them:
    icap_persistent_connections off
    
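    The following is an added pre-flight script (not Glasswall or Squid code) that checks a squid.conf for the ICAP directives from Step 1 and can reproduce the ICAP OPTIONS fetch behind the "[down,!opt]" error outside Squid; the host, port and path passed to the probe are placeholders for your Halo ICAP server, and the embedded OPTIONS reply is constructed, not captured from Halo.

```python
"""Pre-flight check for the Squid/Halo ICAP settings above (added example, not
Glasswall or Squid code): verifies squid.conf carries the Step 1 ICAP directives
and sends the ICAP OPTIONS request behind Step 4's '[down,!opt]' error."""
import re
import socket

# Directives that Steps 1.3 to 1.5 add to squid.conf, as anchored regexes.
REQUIRED = {
    "icap_enable": r"^\s*icap_enable\s+on\b",
    "reqmod service": r"^\s*icap_service\s+\S+\s+reqmod_precache\s",
    "respmod service": r"^\s*icap_service\s+\S+\s+respmod_precache\s",
    "adaptation_access": r"^\s*adaptation_access\s+\S+\s+allow\b",
}
# Constructed reply in the shape an ICAP server returns (not captured from Halo).
SAMPLE_OPTIONS_REPLY = (b"ICAP/1.0 200 OK\r\nMethods: REQMOD, RESPMOD\r\n"
                        b"Preview: 0\r\nEncapsulated: null-body=0\r\n\r\n")

def missing_icap_directives(conf_text: str) -> list:
    """Names of required directives absent from the squid.conf text."""
    return [name for name, pat in REQUIRED.items()
            if not re.search(pat, conf_text, re.MULTILINE)]

def parse_icap_options(raw: bytes) -> dict:
    """Parse an OPTIONS reply. Squid keeps a service up only on status 200, and
    Methods must list the mode configured for it (REQMOD or RESPMOD)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("ICAP/"):
        raise ValueError("not an ICAP status line: %r" % lines[0])
    hdrs = {k.strip().lower(): v.strip()
            for k, _, v in (ln.partition(":") for ln in lines[1:])}
    methods = [m.strip() for m in hdrs.get("methods", "").split(",") if m.strip()]
    preview = int(hdrs["preview"]) if hdrs.get("preview", "").isdigit() else None
    return {"status": int(parts[1]), "methods": methods, "preview": preview}

def icap_options_probe(host: str, port: int, path: str, timeout: float = 5.0) -> dict:
    """Send the OPTIONS request Squid's options fetch sends and parse the reply."""
    req = ("OPTIONS icap://%s:%d%s ICAP/1.0\r\nHost: %s\r\n"
           "User-Agent: icap-preflight\r\n\r\n" % (host, port, path, host)).encode()
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(req)
        buf = b""
        while b"\r\n\r\n" not in buf and (chunk := s.recv(4096)):
            buf += chunk
    return parse_icap_options(buf)

if __name__ == "__main__":
    print(parse_icap_options(SAMPLE_OPTIONS_REPLY))  # offline demo of the parser
```

    Against a live server, call icap_options_probe("<Halo ICAP Server>", 1344, "/req-cdr-service") and check that the status is 200 and that Methods covers the modes you configured; a refused connection or a non-200 status is the same failure Squid reports as "[down,!opt]".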

    Step 5 - Scanning HTTPS Content

    To scan encrypted HTTPS traffic, Squid must be compiled with SSL support and configured for SSL bumping.

    Requirements

    • Squid 6.x built with OpenSSL.
    • A valid root certificate for SSL interception.

    Configuration Steps

    1. Update Listening Port for SSL

    Modify the http_port line from Step 1 so that the listening port performs SSL bumping:

    http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=<SQUIDFOLDER>/etc/ssl/myc.pem
    

    2. Configure SSL Bump

    Add the following lines to configure SSL bumping:

    sslcrtd_program <SQUIDFOLDER>/lib/squid/ssl_crtd -s <SQUIDFOLDER>/var/cache/squid_ssldb -M 4MB
    sslcrtd_children 5
    ssl_bump server-first all
    
    acl step1 at_step SslBump1
    ssl_bump peek step1
    ssl_bump bump all
    
    sslproxy_cert_error deny all
    

    Ensure all paths are correct for your system.


    Certificate Management

    To generate a root certificate for Squid:

    openssl req -new -newkey rsa:2048 -days 1000 -nodes -x509 -keyout myc.pem -out myc.pem
    

    Then initialize the certificate storage:

    rm -rf <SQUIDFOLDER>/var/cache/squid_ssldb
    <SQUIDFOLDER>/lib/squid/ssl_crtd -c -s <SQUIDFOLDER>/var/cache/squid_ssldb
    

    Important: Install the generated certificate (myc.pem) as a trusted root certificate in your browser. Note that the command above writes both the private key and the certificate into myc.pem, so distribute only the certificate block to clients and keep the key file readable only by Squid.


    Step 6 - Final Step: Restart Squid

    Restart Squid to apply all changes:

    sudo systemctl restart squid
    
