4.4.5 Squid

Basic Configuration

Squid is configured by editing “squid.conf” (e.g., /etc/squid3/squid.conf). Below is a simplified example configuration for Squid. For more detailed documentation, refer to the Squid manual.

1. Enable acl localnet.

Search for the “acl localnet” section and uncomment all “acl localnet” lines. Below is an example of how the configuration might look:

acl localnet src 10.0.0.0/8
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

2. Allow localnet and localhost access by adding the following lines (under the “Recommended minimum Access Permission configuration” section):

http_port 3128
http_access allow localnet
http_access allow localhost
http_access deny all

3. Enable ICAP and set the preview size to 0. These directives are not present in the default file, so simply add them anywhere in it:

icap_enable on
icap_send_client_ip on
icap_preview_enable on
icap_preview_size 0
icap_service_failure_limit -1

Enable ReqMod (upload mode). Again, these directives are not in the default file, so add them anywhere:

icap_service metascan_req reqmod_precache bypass=0 icap://<Metadefender ICAP Server>:1344/OMSScanReq-AV
adaptation_access metascan_req allow all

Enable RespMod (download mode). Again, these directives are not in the default file, so add them anywhere:

icap_service metascan_resp respmod_precache bypass=0 icap://<Metadefender ICAP Server>:1344/OMSScanResp-AV
adaptation_access metascan_resp allow all 
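Squid evaluates http_access rules from top to bottom and stops at the first match, and an icap_service only does anything when icap_enable is on and an adaptation_access rule refers to it. The script below is an added example (not part of the Squid or Metadefender documentation) that parses a squid.conf and reports the ordering and wiring mistakes that most often silently defeat steps 1 to 3: an allow rule placed before the Safe_ports and SSL_ports guards that the step 1 ACLs exist for, rules after "deny all", a missing icap_enable, a non-zero preview size, a service with bypass switched on, or a service with no adaptation_access rule. Both sample configurations and the host name icap.example are constructed.

```python
"""squid.conf sanity check for the ICAP setup in steps 1 to 3.

Added example, not part of the Squid or Metadefender documentation.
The sample configurations and the host name icap.example are constructed.
"""


def parse_squid_conf(text):
    """Return [(directive, [args, ...])] for every non-comment, non-empty line."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # '#' starts a comment in squid.conf
        if line:
            directive, *args = line.split()
            rules.append((directive, args))
    return rules


def check_http_access(rules):
    findings = []
    access = [args for d, args in rules if d == "http_access"]
    if not access:
        return ["no http_access rules found"]
    deny_all = [i for i, a in enumerate(access) if a[:2] == ["deny", "all"]]
    if deny_all and deny_all[0] != len(access) - 1:
        findings.append("rules after 'http_access deny all' are never evaluated")
    if access[-1][:2] != ["deny", "all"]:
        findings.append("last http_access rule is not 'deny all'")
    first_allow = next((i for i, a in enumerate(access) if a[:1] == ["allow"]), None)
    # The Safe_ports / SSL_ports ACLs from step 1 only matter if these guards use
    # them, and a guard is only reached if it comes before every allow rule.
    for guard in (["deny", "!Safe_ports"], ["deny", "CONNECT", "!SSL_ports"]):
        name = " ".join(guard)
        pos = next((i for i, a in enumerate(access) if a[: len(guard)] == guard), None)
        if pos is None:
            findings.append(f"missing guard 'http_access {name}'")
        elif first_allow is not None and first_allow < pos:
            findings.append(f"'http_access {name}' comes after an allow rule")
    return findings


def check_icap(rules):
    findings = []
    enable = [a for d, a in rules if d == "icap_enable"]
    if not enable or enable[-1][:1] != ["on"]:
        findings.append("icap_enable is not 'on'; nothing is sent to the ICAP server")
    preview = [a for d, a in rules if d == "icap_preview_size"]
    if preview and preview[-1][:1] != ["0"]:
        findings.append(f"icap_preview_size is '{' '.join(preview[-1])}', expected 0")
    services = {a[0]: a for d, a in rules if d == "icap_service" and len(a) > 1}
    accessed = {a[0] for d, a in rules if d == "adaptation_access" and a}
    for point in ("reqmod_precache", "respmod_precache"):
        named = [n for n, a in services.items() if a[1] == point]
        if not named:
            findings.append(f"no icap_service for vectoring point {point}")
        for n in named:
            # bypass=1/on makes Squid skip scanning when the service fails
            if any(opt in ("bypass=1", "bypass=on") for opt in services[n]):
                findings.append(f"icap_service {n} has bypass on; failures skip scanning")
            if n not in accessed:
                findings.append(f"icap_service {n} has no adaptation_access rule")
    return findings


def check_squid_conf(text):
    rules = parse_squid_conf(text)
    return check_http_access(rules) + check_icap(rules)


# Constructed configurations: GOOD_CONF follows the steps above, BAD_CONF breaks them.
GOOD_CONF = """\
acl localnet src 10.0.0.0/8
acl Safe_ports port 80 # http
http_port 3128
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access deny all
icap_enable on
icap_preview_size 0
icap_service metascan_req reqmod_precache bypass=0 icap://icap.example:1344/OMSScanReq-AV
adaptation_access metascan_req allow all
icap_service metascan_resp respmod_precache bypass=0 icap://icap.example:1344/OMSScanResp-AV
adaptation_access metascan_resp allow all
"""

BAD_CONF = """\
acl localnet src 10.0.0.0/8
acl Safe_ports port 80
http_access allow localnet
http_access deny !Safe_ports
http_access deny all
http_access allow localhost
icap_preview_size 1024
icap_service metascan_req reqmod_precache bypass=1 icap://icap.example:1344/OMSScanReq-AV
adaptation_access metascan_req allow all
icap_service metascan_resp respmod_precache bypass=0 icap://icap.example:1344/OMSScanResp-AV
"""

if __name__ == "__main__":
    for label, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(label, check_squid_conf(conf) or ["ok"])
```

Run it against a real file with `check_squid_conf(open("/etc/squid3/squid.conf").read())`; an empty list means the directives from steps 1 to 3 are present and in a usable order, which is a cheap check to make before restarting Squid in step 5.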

4. Persistent connections

By default, Squid uses persistent connections to the Metadefender ICAP Server. This feature can be controlled explicitly with the following directive:

icap_persistent_connections on/off

If persistent connections are enabled in Squid, the same setting should be applied on the ICAP side, or Squid might report ICAP errors. See 3. Configuring Metadefender ICAP Server.

5. Restart Squid to apply the new configuration.

If you are using Squid 3.1, there is a bug in Squid that drops the connection to the ICAP server. You will notice messages in Squid's cache.log file similar to the following:

essential ICAP service is down after an options fetch failure: icap://<Metadefender ICAP Server>:1344/OMSScanReq-AV [down,!opt]

This may cause you to get Squid error messages when trying to access websites.

To fix this, either upgrade to Squid 3.2 or higher, or add icap_persistent_connections off to your squid.conf file.
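The "options fetch failure" above means Squid's ICAP OPTIONS request to the service did not get a usable answer. The script below is an added example (not part of Squid or of the Metadefender ICAP Server) that performs the same OPTIONS exchange by hand, following RFC 3507, so the service can be checked independently of Squid: it reports the status, the methods and Preview size the server advertises, whether 204 (no modification) is allowed, and whether the server asks to close the connection, which is the ICAP-side persistent-connection setting that step 4 says must match Squid's. The host name icap.example and the sample response are constructed; the service paths are the ones from the squid.conf lines above.

```python
"""Minimal ICAP OPTIONS probe for the Metadefender ICAP services used above.

Added example, not part of Squid or the Metadefender ICAP Server. The host
name icap.example and SAMPLE_RESPONSE are constructed.
"""
import socket

ICAP_PORT = 1344  # default ICAP port, as in the icap_service lines above


def build_options_request(host, service, port=ICAP_PORT):
    """Build an ICAP/1.0 OPTIONS request for icap://host:port/service (RFC 3507 4.10)."""
    lines = [
        f"OPTIONS icap://{host}:{port}/{service} ICAP/1.0",
        f"Host: {host}",
        "User-Agent: icap-options-probe/0.1 (constructed example)",
        "Encapsulated: null-body=0",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_icap_response(raw):
    """Parse the status line and headers of an ICAP response.

    Returns {"version", "status", "reason", "headers"} with header names
    lower-cased. Raises ValueError on a malformed status line.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("ICAP/") or not parts[1].isdigit():
        raise ValueError(f"malformed ICAP status line: {status_line!r}")
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {
        "version": parts[0],
        "status": int(parts[1]),
        "reason": parts[2] if len(parts) > 2 else "",
        "headers": headers,
    }


def summarize_options(resp):
    """Extract the fields Squid relies on from a parsed OPTIONS response."""
    h = resp["headers"]
    preview = h.get("preview")
    return {
        "ok": resp["status"] == 200,
        "methods": [m.strip().upper() for m in h.get("methods", "").split(",") if m.strip()],
        "preview": int(preview) if preview is not None and preview.isdigit() else None,
        "allows_204": "204" in h.get("allow", ""),
        # ICAP connections are persistent unless the server says "Connection: close"
        "persistent": h.get("connection", "").lower() != "close",
        "istag": h.get("istag"),
    }


def check_icap_service(host, service, port=ICAP_PORT, timeout=5.0):
    """Send OPTIONS to the live service and summarize the reply (needs network access)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_options_request(host, service, port))
        raw = b""
        while b"\r\n\r\n" not in raw:
            chunk = sock.recv(4096)
            if not chunk:
                break
            raw += chunk
    return summarize_options(parse_icap_response(raw))


# Constructed reply of the kind a REQMOD service would return to OPTIONS.
SAMPLE_RESPONSE = (
    b"ICAP/1.0 200 OK\r\n"
    b"Methods: REQMOD\r\n"
    b"Service: constructed-av-service 1.0\r\n"
    b'ISTag: "CONSTRUCTED-0001"\r\n'
    b"Preview: 0\r\n"
    b"Allow: 204\r\n"
    b"Encapsulated: null-body=0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    import sys

    if len(sys.argv) == 3:  # e.g. icap.example OMSScanReq-AV
        print(check_icap_service(sys.argv[1], sys.argv[2]))
    else:
        print(summarize_options(parse_icap_response(SAMPLE_RESPONSE)))
```

Run it once per service path (OMSScanReq-AV and OMSScanResp-AV). A non-200 status or a connection refusal corresponds to the "[down,!opt]" state in cache.log; a reply that carries "Connection: close" while Squid has icap_persistent_connections on is the mismatch described in step 4.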

Scanning HTTPS content

The following describes how to configure Squid to scan HTTPS content, so that Squid can send HTTPS content to the Metadefender ICAP Server for scanning.

Requirements

  • Version: Tested with 3.5.19

  • Squid has to be compiled with SSL support. For further information, please see: http://docs.diladele.com/

Configuration

Configure Squid to listen on the following port:

http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=<SQUIDFOLDER>\etc\ssl\myc.pem

In addition, the following lines have to be inserted:

sslcrtd_program <SQUIDFOLDER>\lib\squid\ssl_crtd.exe -s <SQUIDFOLDER>\var\cache\squid_ssldb -M 4MB
 
ssl_bump stare all
ssl_bump bump all

Certificate

Generate a new root certificate for Squid:

openssl.exe req -new -newkey rsa:1024 -days 1000 -nodes -x509 -keyout myc.pem -out myc.pem

After generating a new certificate, the certificate storage should be reinitialized by deleting the <SQUIDFOLDER>\var\cache\squid_ssldb folder and running:

<SQUIDFOLDER>\lib\squid\ssl_crtd.exe -c -s <SQUIDFOLDER>\var\cache\squid_ssldb

The certificate has to be installed as a root certificate in the browser. Because every client that trusts this root will accept any certificate Squid generates, the private key in myc.pem should be protected accordingly. Squid has to be restarted after the changes.