This guide explains how to configure **Squid 6.x** with the **Glasswall Halo ICAP server**, enabling advanced threat protection through our Content Disarm and Reconstruction (CDR) technology via Glasswall Halo.

**Note:** these instructions assume **Squid 6.x built with OpenSSL**. For a full list of configuration options, refer to the [Squid documentation](http://www.squid-cache.org/doc/).

## Squid Integration Guide

* [Step 1 - Basic configuration](/halo/icap-squid#step-1-basic-configuration)
* [Step 2 - Persistent connections](/halo/icap-squid#step-2---persistent-connections)
* [Step 3 - Restart Squid](/halo/icap-squid#step-3---restart-squid)
* [Step 4 - Troubleshooting (Optional)](/halo/icap-squid#step-4---troubleshooting-optional)
* [Step 5 - Scanning HTTPS content](/halo/icap-squid#step-5---scanning-https-content)
* [Step 6 - Final restart](/halo/icap-squid#step-6---final-restart)

### Step 1 - Basic configuration

Locate and edit your Squid configuration file, typically at:

* `/etc/squid/squid.conf`  
* `/etc/squid5/squid.conf`

#### 1A - Define access control lists

Uncomment or add the following ACLs for local networks and safe ports:

```bash
acl localnet src 10.0.0.0/8
acl localnet src 172.16.0.0/12
acl localnet src 192.168.0.0/16
acl localnet src fc00::/7
acl localnet src fe80::/10

acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT
```

#### 1B - Allow local network access

In the recommended minimum access permission section of the configuration file, add:

```bash
http_port 3128
http_access allow localnet
http_access allow localhost
http_access deny all
```

#### 1C - Enable ICAP

Add the following to turn on ICAP support:

```bash
icap_enable on
icap_send_client_ip on
icap_preview_enable on
icap_preview_size 0
icap_service_failure_limit -1
```

#### 1D - Configure request modification (uploads)

```bash
icap_service glasswall_req reqmod_precache bypass=0 icap://<Halo ICAP Server>:1344/req-cdr-service
adaptation_access glasswall_req allow all
```

#### 1E - Configure response modification (downloads)

```bash
icap_service glasswall_resp respmod_precache bypass=0 icap://<Halo ICAP Server>:1344/req-cdr-service
adaptation_access glasswall_resp allow all
```
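Before restarting Squid it is worth checking that the Step 1 directives are all present and that the `<Halo ICAP Server>` placeholder has actually been replaced. The script below is an added example, not Glasswall's or Squid's own code: `check_squid_icap_conf` lints a `squid.conf` path passed as its first argument, and `demo_lint` runs it against a constructed sample configuration (the host `halo.internal.example` is made up). It also calls `squid -k parse` when the Squid binary is on the PATH.

```shell
#!/bin/sh
# Lint a squid.conf for the Step 1 ICAP settings before restarting Squid.
# Added example (not Glasswall's or Squid's code). Assumes the config file
# path is passed as the first argument; the configuration in demo_lint() is
# constructed for this example.

check_squid_icap_conf() {
    conf="$1"
    rc=0

    # Active (non-comment) lines only.
    active=$(grep -v '^[[:space:]]*#' "$conf" || true)

    # 1. The guide's placeholder must have been replaced with a real host.
    if printf '%s\n' "$active" | grep -q '<Halo ICAP Server>'; then
        echo "FAIL: placeholder <Halo ICAP Server> still present" >&2
        rc=1
    fi

    # 2. Every directive Step 1 adds must be present.
    for want in 'icap_enable on' \
                'icap_service glasswall_req reqmod_precache' \
                'icap_service glasswall_resp respmod_precache' \
                'adaptation_access glasswall_req allow' \
                'adaptation_access glasswall_resp allow'; do
        if ! printf '%s\n' "$active" | grep -q -- "$want"; then
            echo "FAIL: missing '$want'" >&2
            rc=1
        fi
    done

    # 3. Without bypass=0 Squid would serve content unscanned when Halo is unreachable.
    if printf '%s\n' "$active" | grep '^[[:space:]]*icap_service' | grep -qv 'bypass=0'; then
        echo "FAIL: an icap_service line lacks bypass=0" >&2
        rc=1
    fi

    # 4. The last http_access rule must be the catch-all deny.
    last=$(printf '%s\n' "$active" | grep '^[[:space:]]*http_access' | tail -n 1)
    case "$last" in
        *'deny all'*) ;;
        *) echo "FAIL: final http_access rule is not 'deny all'" >&2; rc=1 ;;
    esac

    # 5. Let Squid itself parse the file when the binary is available.
    if command -v squid >/dev/null 2>&1; then
        squid -k parse -f "$conf" >/dev/null 2>&1 || {
            echo "FAIL: squid -k parse rejected $conf" >&2; rc=1; }
    fi
    return "$rc"
}

# Run the checks against a constructed sample configuration.
demo_lint() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
http_port 3128
http_access allow localnet
http_access allow localhost
http_access deny all
icap_enable on
icap_service glasswall_req reqmod_precache bypass=0 icap://halo.internal.example:1344/req-cdr-service
adaptation_access glasswall_req allow all
icap_service glasswall_resp respmod_precache bypass=0 icap://halo.internal.example:1344/req-cdr-service
adaptation_access glasswall_resp allow all
EOF
    check_squid_icap_conf "$tmp"; rc=$?
    rm -f "$tmp"
    [ "$rc" -eq 0 ] && echo "OK: sample configuration passes all checks"
    return "$rc"
}

demo_lint
```

Run it as `sh lint.sh` for the constructed sample, or call `check_squid_icap_conf /etc/squid/squid.conf` on the real file; a non-zero exit with the `FAIL:` lines on stderr tells you what to fix before Step 3.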

### Step 2 - Persistent connections

Squid 6.x uses persistent ICAP connections by default. To set this explicitly:

```bash
icap_persistent_connections on
```

**Tip:** ensure the ICAP server is also configured for persistent connections. Otherwise, set this directive to `off` to prevent errors.

### Step 3 - Restart Squid

Apply changes:

```bash
sudo systemctl restart squid
```

### Step 4 - Troubleshooting (optional)

If you see errors like:

```bash
essential ICAP service is down after an options fetch failure: icap://<Halo ICAP Server>:1344/req-cdr-service [down,!opt]
```

Check the following:

* Confirm you are running the latest stable Squid 6.x
* If persistent connections cause issues, disable them:

```bash
icap_persistent_connections off
```
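When the "essential ICAP service is down" message appears, it helps to know the latest state of each configured service rather than reading `cache.log` by hand. The script below is an added example, not Glasswall's or Squid's own code. It assumes the log lives at `/var/log/squid/cache.log` (this varies by distribution), relies on the message format shown above, and assumes that recovery is logged as "essential ICAP service is up" (wording inferred from the "is down" message on this page). The log lines in `demo_icap_log` and the hosts `halo-a.internal.example` / `halo-b.internal.example` are constructed.

```shell
#!/bin/sh
# Summarise ICAP service state from Squid's cache.log.
# Added example (not Glasswall's or Squid's code). Assumes cache.log is at
# /var/log/squid/cache.log and the "essential ICAP service is ..." message
# format shown in Step 4; the "is up" wording is an assumption.
# The sample log in demo_icap_log() is constructed.

# Print "<uri> <state>" for every ICAP service mentioned in the log,
# keeping only the most recent message per service.
icap_service_state() {
    awk '
        /essential ICAP service is / {
            uri = ""
            for (i = 1; i <= NF; i++)
                if ($i ~ /^icaps?:\/\//) uri = $i
            if (uri == "") next
            last[uri] = ($0 ~ /service is up/) ? "up" : "down"
        }
        END { for (u in last) print u, last[u] }
    ' "$1" | sort
}

# Print only the services whose latest state is down, one URI per line.
# Exit status 1 when at least one service is down, so it can feed a
# monitoring check directly.
icap_down_services() {
    icap_service_state "$1" | awk '$2 == "down" { print $1; n++ } END { exit n ? 1 : 0 }'
}

# Constructed cache.log excerpt: service A goes down and recovers,
# service B stays down, and an unrelated line is ignored.
demo_icap_log() {
    log=$(mktemp)
    cat > "$log" <<'EOF'
2024/05/01 09:00:00| essential ICAP service is down after an options fetch failure: icap://halo-a.internal.example:1344/req-cdr-service [down,!opt]
2024/05/01 09:00:30| essential ICAP service is up: icap://halo-a.internal.example:1344/req-cdr-service [up]
2024/05/01 09:01:00| essential ICAP service is down after an options fetch failure: icap://halo-b.internal.example:1344/req-cdr-service [down,!opt]
2024/05/01 09:02:00| unrelated line mentioning icap://ignored.internal.example:1344/x must be skipped
EOF
    icap_service_state "$log"
    echo "--- currently down:"
    icap_down_services "$log" || true
    rm -f "$log"
}

demo_icap_log
```

On a live proxy, `icap_down_services /var/log/squid/cache.log` lists the Halo service URIs that still need attention; an empty list with exit status 0 means every service Squid has logged is currently up.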

### Step 5 - Scanning HTTPS content

To scan encrypted HTTPS traffic, Squid must be built with OpenSSL support and configured for SSL bumping (TLS interception).

**Requirements**

* Squid 6.x with OpenSSL
* A root certificate for SSL interception

#### 5A - Update listening port

```bash
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=<SQUIDFOLDER>/etc/ssl/myc.pem
```

#### 5B - Configure SSL bump

```bash
sslcrtd_program <SQUIDFOLDER>/lib/squid/ssl_crtd -s <SQUIDFOLDER>/var/cache/squid_ssldb -M 4MB
sslcrtd_children 5

# ssl_bump rules are evaluated in order and the first match wins, so the
# legacy "server-first all" rule must not precede these: peek at the TLS
# ClientHello in step 1, then bump (decrypt) every connection.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# Never forward content from an origin whose certificate failed validation.
sslproxy_cert_error deny all
```

#### 5C - Generate and install root certificate

```bash
# Writes both the private key and the self-signed CA certificate into myc.pem
openssl req -new -newkey rsa:2048 -days 1000 -nodes -x509 -keyout myc.pem -out myc.pem
```

Initialize certificate storage:

```bash
rm -rf <SQUIDFOLDER>/var/cache/squid_ssldb
<SQUIDFOLDER>/lib/squid/ssl_crtd -c -s <SQUIDFOLDER>/var/cache/squid_ssldb
```

**Important:** install the certificate from myc.pem as a trusted root certificate in your browser. The file also contains the CA private key, so distribute only the certificate part and keep myc.pem itself on the proxy.
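Because the `openssl req` command in 5C writes the private key and the certificate into the same `myc.pem`, handing that file to browsers would also hand out the key that signs every intercepted site. The script below is an added example, not Glasswall's or Squid's own code: `extract_ca_cert` copies only the `CERTIFICATE` block into a separate file and refuses to produce output that still carries a key, and `lock_down_bundle` restricts the key-bearing bundle to its owner. The PEM bundle in `demo_split` is constructed placeholder text, not real key material, and the output filename `myc-ca.crt` is an assumption.

```shell
#!/bin/sh
# Split the CA bundle produced in Step 5C so that only the certificate
# leaves the proxy. Added example (not Glasswall's or Squid's code).
# The openssl command above writes the private key AND the certificate
# into myc.pem; browsers need only the certificate and the key must stay
# on the proxy. The PEM bundle in demo_split() is constructed placeholder
# text, not a real key or certificate.

# Copy only the CERTIFICATE block(s) of a PEM bundle into $2. Fail, and
# leave no output file behind, if the result would still carry a private
# key or contains no certificate at all.
extract_ca_cert() {
    bundle="$1"; out="$2"
    awk '/^-----BEGIN CERTIFICATE-----/ { p = 1 }
         p { print }
         /^-----END CERTIFICATE-----/ { p = 0 }' "$bundle" > "$out"
    if grep -q 'PRIVATE KEY' "$out" || ! grep -q 'BEGIN CERTIFICATE' "$out"; then
        rm -f "$out"
        return 1
    fi
    return 0
}

# Restrict the key-bearing bundle to its owner. In a real deployment the
# owner should be the account Squid runs as (cache_effective_user).
lock_down_bundle() {
    chmod 600 "$1"
}

# Constructed bundle with placeholder base64, purely to exercise the split.
demo_split() {
    dir=$(mktemp -d)
    cat > "$dir/myc.pem" <<'EOF'
-----BEGIN PRIVATE KEY-----
PLACEHOLDERKEYMATERIALNOTREALAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
PLACEHOLDERCERTIFICATENOTREALAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-----END CERTIFICATE-----
EOF
    lock_down_bundle "$dir/myc.pem"
    extract_ca_cert "$dir/myc.pem" "$dir/myc-ca.crt" || { rm -rf "$dir"; return 1; }
    cat "$dir/myc-ca.crt"
    rm -rf "$dir"
}

demo_split
```

For the real bundle, run `extract_ca_cert myc.pem myc-ca.crt` and import `myc-ca.crt` into the browser or OS trust store; `openssl x509 -in myc-ca.crt -noout -subject` confirms the extracted file parses as a certificate before you distribute it.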

### Step 6 - Final restart

Restart Squid to finalize all changes:

```bash
sudo systemctl restart squid
```