Hardening Squid

Updating Squid Configuration File

Squid is hardened by editing its configuration file, /etc/squid/squid.conf. In this section we review each part of that file from top to bottom. Keep in mind that line order matters: Squid evaluates http_access rules like a firewall, and the first matching rule decides.

Definition

To keep things simple, let's define the following access control lists (ACLs).

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 901         # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
...

Restrict Cache Manager Access

Restrict access to the cache manager to localhost only.

# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager

Restrict Purging From Localhost Only

Restrict the ability to purge cached objects to localhost only.

# Only allow purge requests from localhost
http_access allow purge localhost
http_access deny purge

Deny Connect to Unknown Ports

Before any rule that allows traffic, deny requests to ports that are not in the Safe_ports list.

# Deny requests to unknown ports
http_access deny !Safe_ports

Deny Connect to Non-SSL Ports

Before reaching the custom rules, deny CONNECT requests to any port that is not in the SSL_ports list.

# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports

Add In Custom Rules

Now in this section, you can insert your own caching rules.

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

Only Allow Localhost and Designated IPs

To allow access only from localhost and your designated client IPs, add the following, in this order, since the rules work like firewall rules. The allowed_ips ACL is not among the definitions shown above; define it in the Definition section with your client networks before referencing it here.

# allow only localhost and designated IPs
http_access allow localhost
http_access allow allowed_ips

# deny others
http_access deny all
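Because the outcome depends entirely on rule order, it helps to trace a few requests through the list by hand. The following is an added example, not part of the original article or of Squid itself: a small Python model of Squid's first-match http_access evaluation, fed with the ACLs and rules from this page. It supports only the src, port, proto and method ACL types used here, and the allowed_ips ACL, which the page leaves undefined, is assumed to be 192.0.2.0/24 (a documentation range). The same rules are also evaluated with `deny all` moved above the allow lines to show how a misordering locks everyone out.

```python
import ipaddress

# Constructed config (example only, not the page's file): the ACLs and
# http_access lines from this page in their stated order. The `allowed_ips`
# ACL is an assumption, filled here with the RFC 5737 documentation range.
SQUID_CONF = """\
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl allowed_ips src 192.0.2.0/24
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 70 210    # http, ftp, https/snews, gopher, wais
acl Safe_ports port 1025-65535              # unregistered ports
acl Safe_ports port 280 488 591 777 901     # http-mgmt, gss-http, filemaker, multiling, SWAT
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow allowed_ips
http_access deny all
"""

# Same rules with `deny all` moved above the allow lines: order decides the outcome.
MISORDERED_CONF = SQUID_CONF.replace(
    "http_access allow localhost\nhttp_access allow allowed_ips\nhttp_access deny all",
    "http_access deny all\nhttp_access allow localhost\nhttp_access allow allowed_ips",
)


def parse_config(text):
    """Return ({acl_name: (type, values)}, [(action, [(negated, acl_name), ...])])."""
    acls, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl":
            name, acl_type, values = parts[1], parts[2], parts[3:]
            kind, existing = acls.get(name, (acl_type, []))
            if kind != acl_type:
                raise ValueError(f"acl {name} redefined with a different type")
            acls[name] = (kind, existing + values)  # repeated acl lines accumulate
        elif parts[0] == "http_access":
            terms = [(t.startswith("!"), t.lstrip("!")) for t in parts[2:]]
            rules.append((parts[1], terms))
    return acls, rules


def acl_matches(acl, req):
    """Does one ACL match the request dict {src, port, proto, method}?"""
    kind, values = acl
    if kind == "src":
        addr = ipaddress.ip_address(req["src"])
        return any(addr in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "port":
        for v in values:
            lo, _, hi = v.partition("-")
            if int(lo) <= req["port"] <= int(hi or lo):
                return True
        return False
    if kind == "proto":
        return req["proto"] in values
    if kind == "method":
        return req["method"] in values
    raise ValueError(f"unsupported acl type {kind}")


def evaluate(acls, rules, req):
    """First matching http_access line wins; return (decision, 1-based line number)."""
    for number, (action, terms) in enumerate(rules, start=1):
        # Every term on the line must match (a negated term must NOT match).
        if all(acl_matches(acls[name], req) != negated for negated, name in terms):
            return action, number
    # Squid's documented fallback: the opposite of the last line's action.
    return ("deny" if rules[-1][0] == "allow" else "allow"), 0


def request(src, port, method="GET", proto="http"):
    return {"src": src, "port": port, "method": method, "proto": proto}


def run_examples():
    """Trace a handful of constructed requests through both rule orderings."""
    acls, rules = parse_config(SQUID_CONF)
    bad_acls, bad_rules = parse_config(MISORDERED_CONF)
    return {
        "localhost_get_80": evaluate(acls, rules, request("127.0.0.1", 80)),
        "client_get_25": evaluate(acls, rules, request("192.0.2.10", 25)),
        "client_connect_8080": evaluate(acls, rules, request("192.0.2.10", 8080, "CONNECT")),
        "client_connect_443": evaluate(acls, rules, request("192.0.2.10", 443, "CONNECT")),
        "outsider_get_80": evaluate(acls, rules, request("198.51.100.7", 80)),
        "outsider_cachemgr": evaluate(acls, rules, request("198.51.100.7", 3128, proto="cache_object")),
        "localhost_purge": evaluate(acls, rules, request("127.0.0.1", 80, "PURGE")),
        "misordered_localhost": evaluate(bad_acls, bad_rules, request("127.0.0.1", 80)),
    }


if __name__ == "__main__":
    for name, (decision, line) in run_examples().items():
        print(f"{name:22s} -> {decision} (rule {line})")
```

The misordered variant denies even localhost at its new `deny all` line, which is exactly the mistake the "line order" warning is about. The model is deliberately narrow: real Squid supports many more ACL types, and `squid -k parse` checks the file's syntax but will not tell you that your rules are in the wrong order.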

Allow ICP Queries From Everyone

Finally, make sure ICP queries are allowed from everyone:

#Allow ICP queries from everyone
icp_access allow all

Restart Squid

Once done, restart the Squid service as root.

$ /etc/init.d/squid restart

Enable Logging Analytics and Monitoring

Squid writes log files continuously, and they are usually left unmonitored and unanalyzed. Install the analytics and monitoring packages below so the logs are actually reviewed.

Install Calamaris

Calamaris handles the log analytics.

$ apt install calamaris -y

Install Squidtaild

Squidtaild handles the log monitoring.

$ apt install squidtaild -y

That's all for hardening Squid.