Squid 5.x
    Article summary

    To configure the Squid Proxy Server and integrate it with the Glasswall Halo ICAP server, please follow this configuration guide.

    Note: this guide is based on Squid version 5.x and outlines the essential steps for integrating it with the Glasswall Halo ICAP Server. For more detailed information on Squid, please refer to Squid Documentation.

    Squid 5.x Integration with Glasswall Halo ICAP Server

    This guide outlines the steps required to integrate Squid 5.x with the Glasswall Halo ICAP Server for enhanced content disarm and reconstruction (CDR) and advanced threat protection. Ensure that you have the correct versions and prerequisites before beginning the configuration.

    Basic Configuration

    To integrate Squid 5.x with the Glasswall Halo ICAP Server, you need to modify the squid.conf file, typically located at /etc/squid/squid.conf or /etc/squid5/squid.conf. Below is a simplified configuration example. For detailed configuration options, refer to the Squid 5.x manual.

    1. Enable acl localnet:
    • Locate the section for "acl localnet" in the configuration file and uncomment all relevant lines. An example configuration looks like this:
    acl localnet src 10.0.0.0/8
    acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
    acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
    acl localnet src fc00::/7       # RFC 4193 local private network range
    acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
    
    acl SSL_ports port 443
    acl Safe_ports port 80          # http
    acl Safe_ports port 21          # ftp
    acl Safe_ports port 443         # https
    acl Safe_ports port 70          # gopher
    acl Safe_ports port 210         # wais
    acl Safe_ports port 1025-65535  # unregistered ports
    acl Safe_ports port 280         # http-mgmt
    acl Safe_ports port 488         # gss-http
    acl Safe_ports port 591         # filemaker
    acl Safe_ports port 777         # multiling http
    acl CONNECT method CONNECT
    
    2. Allow access for localnet and localhost:
    • Add the following lines under the "Recommended minimum Access Permission configuration" section to allow access for local network and localhost:
    http_port 3128
    http_access allow localnet
    http_access allow localhost
    http_access deny all
    
    3. Enable ICAP and set Preview Size:
    • Enable ICAP and set the preview size to 0. These entries do not exist by default, so add them anywhere in the squid.conf file:
    icap_enable on
    icap_send_client_ip on
    icap_preview_enable on
    icap_preview_size 0
    icap_service_failure_limit -1
    
    4. Enable ReqMod for Upload Mode:
    • To configure request modification mode (upload mode), add the following lines. These settings are not predefined and can be placed anywhere in the configuration file:
    icap_service glasswall_req reqmod_precache bypass=0 icap://<Halo ICAP Server>:1344/req-cdr-service
    adaptation_access glasswall_req allow all
    
    5. Enable RespMod for Download Mode:
    • Similarly, configure response modification mode (download mode) by adding these lines anywhere in the file:
    icap_service glasswall_resp respmod_precache bypass=0 icap://<Halo ICAP Server>:1344/req-cdr-service
    adaptation_access glasswall_resp allow all
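As an added example (not Glasswall's or the Squid project's own tooling), the Python script below checks a squid.conf against the ICAP-related directives of the five steps above. The ICAP host name halo-icap.example is a placeholder, and the sample configurations are constructed. Besides presence of the directives it checks one Squid rule that is easy to get wrong when editing by hand: http_access lines are evaluated top to bottom with the first match winning, so a deny all placed above the allow lines blocks every client, and allow lines below it are never reached.

```python
"""Lint a squid.conf for the Glasswall Halo ICAP integration steps.

Added example, not Squid's or Glasswall's own tooling. The directive
names and values are those the steps above list; the ICAP host name
'halo-icap.example' is a placeholder.
"""

# Directives step 3 adds, with the value each must carry.
REQUIRED_ICAP = {
    "icap_enable": "on",
    "icap_send_client_ip": "on",
    "icap_preview_enable": "on",
    "icap_preview_size": "0",
    "icap_service_failure_limit": "-1",
}


def parse_directives(text):
    """Return (directive, args) tuples in file order; comments and blanks are dropped."""
    directives = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # trailing '# ...' comments as in the acl lines
        if line:
            name, *args = line.split()
            directives.append((name, args))
    return directives


def check_squid_conf(text):
    """Return a list of findings; an empty list means the file matches the steps."""
    findings = []
    directives = parse_directives(text)

    # Step 3: ICAP core settings present with the expected values.
    found = {name: args for name, args in directives if name in REQUIRED_ICAP}
    for name, want in REQUIRED_ICAP.items():
        if name not in found:
            findings.append(f"missing directive: {name} {want}")
        elif found[name][:1] != [want]:
            findings.append(f"{name} is {' '.join(found[name])!r}, expected {want!r}")

    # Steps 4 and 5: one reqmod and one respmod service, each essential (bypass=0)
    # and each referenced by an adaptation_access rule, otherwise it is never used.
    services = {args[0]: args[1:] for name, args in directives
                if name == "icap_service" and len(args) >= 3}
    accessed = {args[0] for name, args in directives if name == "adaptation_access" and args}
    for point in ("reqmod_precache", "respmod_precache"):
        matching = [svc for svc, args in services.items() if args[0] == point]
        if not matching:
            findings.append(f"no icap_service with vectoring point {point}")
        for svc in matching:
            if "bypass=1" in services[svc]:
                findings.append(f"icap_service {svc}: bypass=1 makes CDR optional on ICAP failure")
            if svc not in accessed:
                findings.append(f"icap_service {svc}: no adaptation_access rule")

    # Step 2: http_access is first-match, so 'deny all' must be the last rule.
    rules = [args for name, args in directives if name == "http_access"]
    deny_all = [i for i, args in enumerate(rules) if args[:2] == ["deny", "all"]]
    if not deny_all:
        findings.append("http_access has no final 'deny all'")
    elif deny_all[0] != len(rules) - 1:
        findings.append("http_access rules after 'deny all' are unreachable")
    return findings


# Constructed sample mirroring the steps above (placeholder ICAP host).
SAMPLE_CONF = """\
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443
acl CONNECT method CONNECT
http_port 3128
http_access allow localnet
http_access allow localhost
http_access deny all
icap_enable on
icap_send_client_ip on
icap_preview_enable on
icap_preview_size 0
icap_service_failure_limit -1
icap_service glasswall_req reqmod_precache bypass=0 icap://halo-icap.example:1344/req-cdr-service
adaptation_access glasswall_req allow all
icap_service glasswall_resp respmod_precache bypass=0 icap://halo-icap.example:1344/req-cdr-service
adaptation_access glasswall_resp allow all
"""

# The same file with three mistakes: wrong preview size, 'deny all' placed
# before the allow rules, and the download service left optional.
BROKEN_CONF = (
    SAMPLE_CONF.replace("icap_preview_size 0", "icap_preview_size 1024")
    .replace("http_access allow localnet\nhttp_access allow localhost\nhttp_access deny all",
             "http_access deny all\nhttp_access allow localnet\nhttp_access allow localhost")
    .replace("respmod_precache bypass=0", "respmod_precache bypass=1")
)

if __name__ == "__main__":
    for label, conf in (("sample", SAMPLE_CONF), ("broken", BROKEN_CONF)):
        print(label, check_squid_conf(conf) or "OK")
```

Run it against your real file with `check_squid_conf(open("/etc/squid/squid.conf").read())`; the checker is deliberately strict about bypass=1 because a bypassed service means uploads and downloads pass through without CDR whenever the ICAP server is unreachable.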
    

    Persistent Connections

    Squid 5.x uses persistent connections to the ICAP server by default.
    This feature can be explicitly controlled using the following directive:

    icap_persistent_connections on
    

    If persistent connections are enabled in Squid, the same setting should be applied on the ICAP server side to prevent Squid from reporting ICAP errors. Check the Glasswall Halo ICAP Server configuration for compatibility.

    Restart Squid to apply changes

    After making these changes, restart Squid to apply the new configurations.

    Addressing potential issues in Squid 5.x

    If you encounter issues with ICAP connections, or if Squid logs an error such as:

    essential ICAP service is down after an options fetch failure: icap://<Halo ICAP Server>:1344/req-cdr-service [down,!opt]
    

    An error like this could indicate a problem with ICAP connection handling in Squid. To resolve it, first make sure you are running the latest stable release of Squid 5.x. If the issue persists, add the following directive to your squid.conf to disable persistent connections:

    icap_persistent_connections off
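The "options fetch failure" in the log line above refers to the ICAP OPTIONS request Squid sends to each configured service before using it. The following Python script is an added example (not Squid's or Glasswall's code) that performs the same exchange by hand so the service can be checked independently of Squid, and flags the two conditions this page discusses: a service that does not answer OPTIONS, and a server that closes the connection while Squid expects persistent connections. Host, port and path are the page's placeholders; SAMPLE_REPLY is a constructed server answer so the parsing logic runs offline.

```python
"""Probe an ICAP service the way Squid does when it fetches OPTIONS.

Added example, not Squid's or Glasswall's code. Squid marks a service
'[down,!opt]' when this OPTIONS exchange fails, which is the log line
discussed above. Host, port and path follow the page's placeholders;
SAMPLE_REPLY is a constructed server answer so the logic runs offline.
"""
import socket


def build_options_request(host, port, path):
    """OPTIONS request per RFC 3507 section 4.10 (Encapsulated: null-body=0 as Squid sends it)."""
    return (
        f"OPTIONS icap://{host}:{port}{path} ICAP/1.0\r\n"
        f"Host: {host}\r\n"
        "Encapsulated: null-body=0\r\n"
        "\r\n"
    ).encode("ascii")


def parse_icap_response(raw):
    """Split the ICAP status line and headers; returns (status_code, headers).
    Header names are lower-cased so lookups are case-insensitive."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace")
    status_line, *header_lines = head.split("\r\n")
    version, status, *_ = status_line.split(" ", 2)
    if not version.startswith("ICAP/"):
        raise ValueError(f"not an ICAP response: {status_line!r}")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(status), headers


def assess_service(status, headers, expected_method):
    """Return problems that would leave Squid unable to use the service.
    expected_method is REQMOD for the upload (reqmod) service and RESPMOD
    for the download (respmod) service."""
    problems = []
    if status != 200:
        problems.append(f"OPTIONS returned status {status}")
        return problems
    methods = [m.strip().upper() for m in headers.get("methods", "").split(",") if m.strip()]
    if expected_method not in methods:
        problems.append(f"service does not advertise {expected_method}, only {methods}")
    if "istag" not in headers:
        problems.append("missing ISTag header (required by RFC 3507 section 4.7)")
    if headers.get("connection", "").lower() == "close":
        # Matches the persistent-connections note above: the server side must
        # keep connections open when icap_persistent_connections is on.
        problems.append("server sends 'Connection: close'; align icap_persistent_connections")
    ttl = headers.get("options-ttl")
    if ttl is not None and not ttl.isdigit():
        problems.append(f"malformed Options-TTL value {ttl!r}")
    return problems


def fetch_options(host, port, path, timeout=5.0):
    """Live check over TCP (not exercised offline): returns (status, headers)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_options_request(host, port, path))
        buf = b""
        while b"\r\n\r\n" not in buf:
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
    return parse_icap_response(buf)


# Constructed reply standing in for a healthy answer from the request (REQMOD) service.
SAMPLE_REPLY = (
    b"ICAP/1.0 200 OK\r\n"
    b"Methods: REQMOD\r\n"
    b"Service: constructed-cdr-service/1.0\r\n"
    b'ISTag: "constructed-istag-0001"\r\n'
    b"Preview: 0\r\n"
    b"Options-TTL: 3600\r\n"
    b"Encapsulated: null-body=0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    # For a live probe use fetch_options("<Halo ICAP Server>", 1344, "/req-cdr-service").
    status, headers = parse_icap_response(SAMPLE_REPLY)
    print(status, assess_service(status, headers, "REQMOD") or "service usable")
```

Running the live probe from the Squid host itself (same source address, same port 1344) separates a network or firewall problem from the connection-handling issue described above: if OPTIONS succeeds here but Squid still reports the service as down, the persistent-connection setting is the next thing to compare on both sides.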
    

    Scanning HTTPS Content

    To configure Squid 5.x to scan HTTPS content, which allows forwarding HTTPS traffic to the Glasswall Halo ICAP Server for inspection, follow the instructions below.

    Requirements

    • Compatible with Squid version 5.x.
    • Squid must be compiled with SSL support.

    Configuration Steps:

    1. Modify Listening Ports:
    • Enable SSL bumping on the listening port by changing:
    http_port 3128
    

    to:

    http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=<SQUIDFOLDER>\etc\ssl\myc.pem
    
    2. Add SSL Bump Configuration:
    • Include the following lines to configure SSL bumping:
    sslcrtd_program <SQUIDFOLDER>\lib\squid\ssl_crtd -s <SQUIDFOLDER>\var\cache\squid_ssldb -M 4MB
    sslcrtd_children 5
    ssl_bump server-first all
    acl step1 at_step SslBump1
    ssl_bump peek step1
    ssl_bump bump all
    sslproxy_cert_error deny all
    

    Ensure that sslcrtd_program points at the certificate-generator helper shipped with your Squid 5.x build (since Squid 4 the helper is distributed as security_file_certgen rather than ssl_crtd, so substitute that name if ssl_crtd is not present) and that the paths reflect your system's setup.

    Certificate Management

    To generate a new root certificate for Squid:

    openssl req -new -newkey rsa:2048 -days 1000 -nodes -x509 -keyout myc.pem -out myc.pem
    

    After generating the certificate, reinitialize the certificate storage by deleting the \var\cache\squid_ssldb directory and running:

    <SQUIDFOLDER>\lib\squid\ssl_crtd -c -s <SQUIDFOLDER>\var\cache\squid_ssldb
    

    Note: install the generated certificate as a trusted root certificate in the web browsers (or system trust stores) of the clients that use the proxy. The openssl command above writes the private key and the certificate into the same myc.pem, so copy only the certificate block (BEGIN CERTIFICATE ... END CERTIFICATE) to clients and keep the key on the proxy host.

    Restart Squid after making these changes.

