Squid can introduce additional network-related threats. Hence, we must configure it to handle requests carefully to prevent network problems. This section guides you through hardening Squid via its configuration.
The only way to harden Squid is to edit its configuration file, /etc/squid/squid.conf, accordingly. In this section, we review each part of the file from top to bottom. Please keep in mind that the line order is very important, as Squid acts like a firewall.
To make things simple, let's define the following access control lists (ACLs).

    acl all src 0.0.0.0/0.0.0.0
    acl manager proto cache_object
    acl localhost src 127.0.0.1/255.255.255.255
    acl SSL_ports port 443 563
    acl Safe_ports port 80          # http
    acl Safe_ports port 21          # ftp
    acl Safe_ports port 443 563     # https, snews
    acl Safe_ports port 70          # gopher
    acl Safe_ports port 210         # wais
    acl Safe_ports port 1025-65535  # unregistered ports
    acl Safe_ports port 280         # http-mgmt
    acl Safe_ports port 488         # gss-http
    acl Safe_ports port 591         # filemaker
    acl Safe_ports port 777         # multiling http
    acl Safe_ports port 901         # SWAT
    acl purge method PURGE
    acl CONNECT method CONNECT
    ...

We need to restrict access to the cache manager to localhost only.

    # Only allow cachemgr access from localhost
    http_access allow manager localhost
    http_access deny manager

We also need to restrict the ability to purge the cache to localhost only.

    # Only allow purge requests from localhost
    http_access allow purge localhost
    http_access deny purge

Before allowing any connection, we should always deny connections to unknown ports.

    # Deny requests to unknown ports
    http_access deny !Safe_ports

Before reaching the custom rules, deny CONNECT requests to all non-SSL ports.

    # Deny CONNECT to other than SSL ports
    http_access deny CONNECT !SSL_ports

At this point in the file, you can insert your own caching rules.

    #
    # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
    #

To allow access only from localhost and your designated IPs, add the following, keeping the line order since it works like firewall rules (the allowed_ips ACL must be defined alongside the other ACLs):

    # allow only localhost and designated IPs
    http_access allow localhost
    http_access allow allowed_ips
    # deny others
    http_access deny all

One last thing is to ensure ICP queries are allowed from everyone:

    # Allow ICP queries from everyone
    icp_access allow all

Once done, restart the Squid service using the root account.

    $ /etc/init.d/squid restart

Squid produces log files periodically, and they are usually left unmonitored and unanalyzed. Hence, you should install the necessary analytics and monitoring packages.
Calamaris handles the log analytics.

    $ apt install calamaris -y

squidtaild handles the log monitoring.

    $ apt install squidtaild -y

That's all for hardening Squid.