Squid

    Article summary

    This guide explains how to configure Squid 6.x with the Glasswall Halo ICAP Server so that uploads and downloads passing through the proxy are protected by Glasswall's Content Disarm and Reconstruction (CDR) technology.

    Note: Instructions are based on Squid 6.x built with OpenSSL. For a full list of configuration options, please refer to the Squid Documentation.

    Squid Integration Guide

    Step 1: Basic configuration

    Locate and edit your Squid configuration file, typically at:

    • /etc/squid/squid.conf
    • /etc/squid5/squid.conf

    1A - Define access control lists

    Uncomment or add the following ACLs for local networks and safe ports:

    acl localnet src 10.0.0.0/8
    acl localnet src 172.16.0.0/12
    acl localnet src 192.168.0.0/16
    acl localnet src fc00::/7
    acl localnet src fe80::/10
    
    acl SSL_ports port 443
    acl Safe_ports port 80
    acl Safe_ports port 21
    acl Safe_ports port 443
    acl Safe_ports port 70
    acl Safe_ports port 210
    acl Safe_ports port 1025-65535
    acl Safe_ports port 280
    acl Safe_ports port 488
    acl Safe_ports port 591
    acl Safe_ports port 777
    acl CONNECT method CONNECT
    

    1B - Allow local network access

    Under the "Recommended minimum Access Permission configuration" section of squid.conf, add:

    http_port 3128
    http_access allow localnet
    http_access allow localhost
    http_access deny all
    

    1C - Enable ICAP

    Add the following to turn on ICAP support:

    icap_enable on
    icap_send_client_ip on
    icap_preview_enable on
    icap_preview_size 0
    icap_service_failure_limit -1
    

    1D - Configure request modification (uploads)

    icap_service glasswall_req reqmod_precache bypass=0 icap://<Halo ICAP Server>:1344/req-cdr-service
    adaptation_access glasswall_req allow all
    

    1E - Configure response modification (downloads)

    icap_service glasswall_resp respmod_precache bypass=0 icap://<Halo ICAP Server>:1344/req-cdr-service
    adaptation_access glasswall_resp allow all
    

    Step 2 - Persistent Connections

    Squid 6.x enables persistent ICAP connections by default. To set this explicitly:

    icap_persistent_connections on
    

    Tip: Ensure the ICAP server is also configured for persistent connections. Otherwise, disable them (off) to prevent errors.
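    Before restarting, it is worth checking that squid.conf actually contains the ICAP directives from steps 1C to 1E with the values the guide sets. The following linter is an added example, not part of the Glasswall guide or of Squid: it parses a squid.conf, checks the single-valued ICAP directives, and verifies that a reqmod and a respmod icap_service exist, that each keeps bypass=0 (so a service failure does not silently fail open), that the icap:// URI no longer contains a placeholder, and that every service is referenced by an adaptation_access rule. The file path defaults to /etc/squid/squid.conf; the two sample configurations at the bottom are constructed for offline testing.

```python
import sys

# Single-valued directives from step 1C and the value the guide sets for each.
REQUIRED_SETTINGS = {
    "icap_enable": "on",
    "icap_preview_enable": "on",
    "icap_preview_size": "0",
    "icap_service_failure_limit": "-1",
}


def parse_squid_conf(text):
    """Split squid.conf text into (directive, [args]) tuples, dropping comments and blanks."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            entries.append((parts[0], parts[1:]))
    return entries


def lint_icap_config(text):
    """Return a list of human-readable findings; an empty list means all checks passed."""
    entries = parse_squid_conf(text)
    findings = []

    # Squid honours the last occurrence of a single-valued directive, so keep the last one.
    last = {}
    for directive, args in entries:
        last[directive] = args
    for directive, wanted in REQUIRED_SETTINGS.items():
        got = last.get(directive)
        if not got:
            findings.append(f"{directive} is missing (guide sets it to {wanted})")
        elif got[0] != wanted:
            findings.append(f"{directive} is {got[0]}, guide sets {wanted}")

    # icap_service <name> <vectoring_point> [option=value ...] <icap://uri>
    services = {}
    for directive, args in entries:
        if directive == "icap_service" and len(args) >= 2:
            options = dict(a.split("=", 1) for a in args[2:] if "=" in a)
            uri = next((a for a in args[2:] if a.startswith("icap://")), None)
            services[args[0]] = (args[1], options, uri)

    # Uploads (1D) and downloads (1E) each need their own vectoring point.
    vectoring_points = {v[0] for v in services.values()}
    for point in ("reqmod_precache", "respmod_precache"):
        if point not in vectoring_points:
            findings.append(f"no icap_service uses vectoring point {point}")

    referenced = {args[0] for d, args in entries if d == "adaptation_access" and args}
    for name, (point, options, uri) in services.items():
        if options.get("bypass") not in ("0", "off"):
            # With bypass on, Squid serves the transaction unscanned when the service fails.
            findings.append(f"icap_service {name}: bypass is not 0, failures would be fail-open")
        if uri is None:
            findings.append(f"icap_service {name}: no icap:// URI")
        elif "<" in uri or ">" in uri:
            findings.append(f"icap_service {name}: URI still contains a placeholder ({uri})")
        if name not in referenced:
            findings.append(f"icap_service {name}: no adaptation_access rule references it")
    return findings


# Constructed sample configurations (not from a real deployment) for offline checks.
GOOD_CONF = """\
icap_enable on
icap_preview_enable on
icap_preview_size 0
icap_service_failure_limit -1
icap_service glasswall_req reqmod_precache bypass=0 icap://halo.example.internal:1344/req-cdr-service
adaptation_access glasswall_req allow all
icap_service glasswall_resp respmod_precache bypass=0 icap://halo.example.internal:1344/req-cdr-service
adaptation_access glasswall_resp allow all
"""

BAD_CONF = """\
icap_enable off
icap_preview_enable on
icap_preview_size 0
icap_service_failure_limit -1
icap_service glasswall_req reqmod_precache bypass=1 icap://<HALO_HOST>:1344/req-cdr-service
adaptation_access glasswall_req allow all
"""

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/squid/squid.conf"
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            conf = fh.read()
    except OSError as exc:
        print(f"cannot read {path}: {exc}; checking the constructed BAD_CONF sample instead")
        conf = BAD_CONF
    problems = lint_icap_config(conf)
    for problem in problems:
        print("-", problem)
    print("OK" if not problems else f"{len(problems)} finding(s)")
    sys.exit(1 if problems else 0)
```

    The linter only looks at the directives this guide sets; `squid -k parse` remains the authoritative syntax check for the whole file.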

    Step 3 - Restart Squid

    Apply changes:

    sudo systemctl restart squid
    

    Step 4 - Troubleshooting (Optional)

    If you see errors like:

    essential ICAP service is down after an options fetch failure: icap://<Halo ICAP Server>:1344/req-cdr-service [down,!opt]
    

    Check the following:

    • Confirm you are running the latest stable Squid 6.x
    • If persistent connections cause issues, disable them:
    icap_persistent_connections off
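
    The error above means Squid's ICAP OPTIONS fetch to the service did not get a usable reply. The following probe is an added example, not code from Glasswall or from Squid: it sends the same ICAP/1.0 OPTIONS request to the service URI, parses the reply, and reports whether the service advertises REQMOD and RESPMOD, which the reqmod_precache and respmod_precache services above respectively need. The host, port 1344 and the /req-cdr-service path are the guide's placeholders; SAMPLE_RESPONSE is a constructed reply used only to exercise the parser offline.

```python
import socket
import sys


def build_options_request(host, port, path):
    """ICAP/1.0 OPTIONS request for the service, as the bytes sent on the wire."""
    uri = f"icap://{host}:{port}/{path.lstrip('/')}"
    lines = [
        f"OPTIONS {uri} ICAP/1.0",
        f"Host: {host}",
        "User-Agent: icap-options-probe (added example)",
        "Encapsulated: null-body=0",  # harmless for servers that do not require it
    ]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_options_response(raw):
    """Parse the status line and headers of an ICAP OPTIONS reply (bytes)."""
    head = raw.partition(b"\r\n\r\n")[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    proto, status, *reason = lines[0].split(" ", 2)
    if not proto.startswith("ICAP/"):
        raise ValueError(f"not an ICAP response: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    preview = headers.get("preview")
    return {
        "status": int(status),
        "reason": reason[0] if reason else "",
        "methods": [m.strip().upper() for m in headers.get("methods", "").split(",") if m.strip()],
        "preview": int(preview) if preview and preview.isdigit() else None,
        "allow_204": "204" in [a.strip() for a in headers.get("allow", "").split(",")],
        "istag": headers.get("istag"),
    }


def service_supports(parsed, vectoring_point):
    """True if a 200 reply advertises the ICAP method that the vectoring point needs."""
    needed = "REQMOD" if vectoring_point.startswith("reqmod") else "RESPMOD"
    return parsed["status"] == 200 and needed in parsed["methods"]


def probe_service(host, port, path, timeout=5.0):
    """Connect to the ICAP server, send OPTIONS and return the parsed reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_options_request(host, port, path))
        raw = b""
        while b"\r\n\r\n" not in raw:
            chunk = sock.recv(4096)
            if not chunk:
                break
            raw += chunk
    return parse_options_response(raw)


# Constructed sample reply, not captured from a real Halo server.
SAMPLE_RESPONSE = (
    b"ICAP/1.0 200 OK\r\n"
    b"Methods: REQMOD, RESPMOD\r\n"
    b"Service: sample-cdr-service\r\n"
    b'ISTag: "sample-istag-1"\r\n'
    b"Preview: 0\r\n"
    b"Allow: 204\r\n"
    b"Encapsulated: null-body=0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "<Halo ICAP Server>"
    try:
        reply = probe_service(host, 1344, "/req-cdr-service")
    except OSError as exc:  # DNS, refused, timeout: the failures Squid reports as [down,!opt]
        print(f"OPTIONS fetch failed: {exc}")
        sys.exit(1)
    print(reply)
    for point in ("reqmod_precache", "respmod_precache"):
        print(point, "ok" if service_supports(reply, point) else "NOT supported")
```

    Run it from the Squid host as `python3 icap_probe.py <Halo ICAP Server>` so that the test uses the same network path and firewall rules as Squid itself; a connection error here points at reachability, while a reply whose Methods header lacks RESPMOD points at the service path used for the respmod_precache entry.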
    

    Step 5 - Scanning HTTPS Content

    To scan encrypted HTTPS traffic, Squid must be built with OpenSSL support and configured for SSL bumping (TLS interception), so that it can decrypt the traffic and pass the content to the ICAP service.

    Requirements

    • Squid 6.x with OpenSSL
    • A root certificate for SSL interception

    5A - Update listening port

    http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=<SQUIDFOLDER>/etc/ssl/myc.pem
    

    5B - Configure SSL bump

    sslcrtd_program <SQUIDFOLDER>/lib/squid/ssl_crtd -s <SQUIDFOLDER>/var/cache/squid_ssldb -M 4MB
    sslcrtd_children 5
    ssl_bump server-first all
    
    acl step1 at_step SslBump1
    ssl_bump peek step1
    ssl_bump bump all
    
    sslproxy_cert_error deny all
    

    5C - Generate and install root certificate

    openssl req -new -newkey rsa:2048 -days 1000 -nodes -x509 -keyout myc.pem -out myc.pem
    

    Initialize certificate storage:

    rm -rf <SQUIDFOLDER>/var/cache/squid_ssldb
    <SQUIDFOLDER>/lib/squid/ssl_crtd -c -s <SQUIDFOLDER>/var/cache/squid_ssldb
    

    Important: Install the certificate from myc.pem as a trusted root certificate in your browser. The command in 5C writes the private key and the certificate into the same file, so distribute only the certificate part to clients and keep the private key on the Squid host.

    Step 6 - Final Restart

    Restart Squid to finalize all changes:

    sudo systemctl restart squid
    
