Hardening Squid
Squid can introduce additional network-related threats. Hence, we must configure it to handle requests carefully to prevent network problems. This section guides you on how to harden Squid via its configuration.
Updating Squid Configuration File
The only way to harden Squid is to configure its config file, /etc/squid/squid.conf, accordingly. In this section, we review each section of it from top to bottom. Please keep in mind that line order is very important: Squid evaluates http_access rules top-down on a first-match basis, much like a firewall.
Definition
To make things simple, let's define the following access control lists (ACLs).
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
...
Restrict Cache Manager Access
We need to restrict who can access the cache manager to localhost only.
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
Restrict Purging to Localhost Only
We need to restrict who can purge the cache to localhost only.
# Only allow purge requests from localhost
http_access allow purge localhost
http_access deny purge
Deny Connect to Unknown Ports
Before allowing any connection, we should always deny requests to ports that are not in the Safe_ports list.
# Deny requests to unknown ports
http_access deny !Safe_ports
Deny Connect to Non-SSL Ports
Before reaching the custom rules, deny CONNECT requests to any port other than the SSL ports.
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
Add In Custom Rules
Now, in this section, you can insert your own access rules.
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
Only Allow Localhost and Designated IPs
To allow access only from localhost and from designated IPs (the allowed_ips ACL listing those client addresses), add the following, in this line order, since the rules work like firewall rules:
# allow only localhost and designated IPs
http_access allow localhost
http_access allow allowed_ips
# deny others
http_access deny all
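To see why the line order above matters, here is an added example (not from the original page) that simulates Squid's first-match http_access evaluation over exactly the rules listed; the ACL definitions are constructed to mirror the page's, and allowed_ips is assumed to be 10.0.0.0/24 since the page leaves its definition out.

```python
import ipaddress

# Constructed ACLs mirroring the page's definitions; allowed_ips is an assumed value
ACLS = {
    "all": ("src", ["0.0.0.0/0"]),
    "manager": ("proto", ["cache_object"]),
    "localhost": ("src", ["127.0.0.1/32"]),
    "SSL_ports": ("port", [443, 563]),
    "Safe_ports": ("port", [80, 21, 443, 563, 70, 210, (1025, 65535),
                            280, 488, 591, 777, 901]),
    "purge": ("method", ["PURGE"]),
    "CONNECT": ("method", ["CONNECT"]),
    "allowed_ips": ("src", ["10.0.0.0/24"]),  # assumed: the "designated IPs"
}

# The page's http_access lines, in the order they appear in squid.conf
HTTP_ACCESS = [
    ("allow", ["manager", "localhost"]),
    ("deny", ["manager"]),
    ("allow", ["purge", "localhost"]),
    ("deny", ["purge"]),
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["localhost"]),
    ("allow", ["allowed_ips"]),
    ("deny", ["all"]),
]

def acl_matches(name, req):
    kind, values = ACLS[name]
    if kind == "src":
        addr = ipaddress.ip_address(req["src"])
        return any(addr in ipaddress.ip_network(v) for v in values)
    if kind == "port":
        return any(v[0] <= req["port"] <= v[1] if isinstance(v, tuple)
                   else req["port"] == v for v in values)
    return req[kind] in values  # "method" and "proto" are plain membership tests

def http_access(req, rules=HTTP_ACCESS):
    """First http_access line whose ACLs all match decides (a leading ! negates one ACL).
    If no line matches, Squid applies the opposite of the last line's action."""
    for action, acls in rules:
        if all(acl_matches(a.lstrip("!"), req) != a.startswith("!") for a in acls):
            return action
    return "allow" if rules[-1][0] == "deny" else "deny"

def request(src, method="GET", port=80, proto="http"):
    return {"src": src, "method": method, "port": port, "proto": proto}

if __name__ == "__main__":
    print(http_access(request("10.0.0.5", method="CONNECT", port=8080)))  # deny
    # Same rules with "deny all" moved to the top: nothing gets through
    print(http_access(request("127.0.0.1"), [("deny", ["all"])] + HTTP_ACCESS))  # deny
```

Feed it the requests you expect clients to make before editing the real file; a rule placed too early (like the misordered "deny all") silently blocks everything below it.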
Allow ICP Queries From Everyone
One last thing is to ensure that ICP queries are allowed from everyone:
#Allow ICP queries from everyone
icp_access allow all
Restart Squid
Once done, restart the Squid service as root.
$ /etc/init.d/squid restart
Enable Logging Analytics and Monitoring
Squid produces log files continuously, and they are often left unmonitored and unanalyzed. Hence, you should install the necessary analytics and monitoring packages.
Install Calamaris
Calamaris handles the log analytics.
$ apt install calamaris -y
Install Squidtaild
squidtaild handles the log monitoring.
$ apt install squidtaild -y
That's all for hardening Squid.