pantz.org banner
Paranoid squid proxy settings
Posted on 05-28-2007 00:13:00 UTC | Updated on 05-28-2007 00:13:00 UTC
Section: /software/squid/ | Permanent Link

1. This config file is for a non-caching secure squid proxy. It is used on a high speed, low latency, un-metered internet connection. It is very stingy on the information it gives out about the clients but is very functional.

2. It is very restrictive and the timings are set low as to reduce the number of open connections to the proxy.

3. The options are for the latest version squid-2.6.STABLE9 and built with transparent proxy support. This config below was tested on OpenBSD 4.1 but could be used with any version of Squid equal to or greater than the one mentioned above.

4. There are some url links at the bottom of the file so you can check out the squid options or browser http header definitions.

5. The log file is a custom config. I find it to be very informative.

6. During the install the location of the log files was changed. Thusly, if a person wants to use this file they must make the directory /var/log/squid/ and chown as the user squid runs as (_squid for OpenBSD).

7. There is no caching setup for this config nor does it use some of squids other helpful features.

OpenBSD's pf is used to redirect external port 8080 to localhost port 8080. Point the browsers proxy to port 8080.

## interface, port and proxy type
#http_port 127.0.0.1:3128 transparent
http_port 127.0.0.1:8080

## general options
cache_mgr not_to_be_disturbed
client_db on
collapsed_forwarding on
dns_defnames on
dns_defnames on
dns_retransmit_interval 2 seconds
detect_broken_pconn on
forwarded_for off
half_closed_clients off
httpd_suppress_version_string on
ignore_unknown_nameservers on
pipeline_prefetch on
retry_on_error on
strip_query_terms off
uri_whitespace strip
vary_ignore_expire on
visible_hostname localhost

## timeouts
forward_timeout 30 seconds
connect_timeout 30 seconds
read_timeout 30 seconds
request_timeout 30 seconds
persistent_request_timeout 1 minute
client_lifetime 21 hours

## host definitions
acl all src 0.0.0.0/0
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8

## proxy server client access
acl mynetworks src 127.0.0.0/8 192.168.0.0/16
http_access deny !mynetworks

## max connections per ip
acl maxuserconn src 127.0.0.0/8 10.0.10.0/28
acl limitusercon maxconn 500
http_access deny maxuserconn limitusercon

## disable caching
cache deny all
cache_dir null /tmp

## disable multicast icp
icp_port 0
icp_access deny all

## disable ident lookups
ident_lookup_access deny all

## no-trust for on-the-fly Content-Encoding
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache

## logs
logformat combined [%tl] %>A %{Host}>h "%rm %ru HTTP/%rv" %Hs %<st"%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
access_log /var/log/squid/access.log combined
cache_store_log /var/log/squid/store.log
cache_log  /var/log/squid/cache.log
logfile_rotate 8

## support files
coredump_dir /tmp
pid_filename /var/log/squid/squid.pid

## ports allowed
acl Safe_ports port 80 443
http_access deny !Safe_ports

## ssl ports/method allowed
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access deny CONNECT !SSL_ports

## protocols allowed
acl Safe_proto proto HTTP SSL
http_access deny !Safe_proto

## browsers allowed
# acl Safe_browser browser ^Mozilla/5\.0.*Firefox/2\.0\.0\.4
# http_access deny !Safe_Browser

## Ad Blocking 
## Check http://pgl.yoyo.org/adservers/ for good squid regex Ad block file.
## Uncomment 2 lines below and make a text file with regex's in them.
#acl ads dstdom_regex "/etc/squid/ad_block.txt"
#http_access deny ads

## Banned Sites
# acl Bad_Site dstdom_regex myspace.com youtube.com facebook.com 
# http_access deny Bad_Site

## methods allowed
acl Safe_method method CONNECT GET HEAD POST
http_access deny !Safe_method

## allow replies to client requests
http_reply_access allow all

## header re-write. Make it look like all user agents are Mozilla
#header_replace Accept */*
#header_replace Accept-Encoding gzip
#header_replace Accept-Language en
header_replace User-Agent Mozilla/5.0 (en)

## header list ( DENY all -> ALLOW listed )
header_access Accept allow all
header_access Accept-Encoding allow all
header_access Accept-Language allow all
header_access Authorization allow all
header_access Cache-Control allow all
header_access Content-Disposition allow all
header_access Content-Encoding allow all
header_access Content-Length allow all
header_access Content-Location allow all
header_access Content-Range allow all
header_access Content-Type allow all
header_access Cookie allow all
header_access Expires allow all
header_access Host allow all
header_access If-Modified-Since allow all
header_access Location allow all
header_access Range allow all
header_access Referer allow all
header_access Set-Cookie allow all
header_access WWW-Authenticate allow all
header_access All deny all
##########  END  ###########


#########  RESOURCES  ###########
## Squid directives
## http://www1.at.squid-cache.org/Versions/v2/HEAD/cfgman/index.html

## User ACL ideas
## http://www.kernel-panic.it/openbsd/proxy/proxy3.html

## Header Field Definitions
## http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html

## Test your headers
## http://www.xhaus.com/headers

## testing headers
# header_access Accept-Charset allow all
# header_access Authorization allow all
# header_access Cache-Control allow all
# header_access Connection allow all
# header_access Content-Language allow all
# header_access Date allow all
# header_access Expires allow all
# header_access If-Modified-Since allow all
# header_access Last-Modified allow all
# header_access Mime-Version allow all
# header_access Pragma allow all
# header_access Retry-After allow all
# header_access WWW-Authenticate allow all

Header definitions from above configuraton file

The Accept header is sent by the client to the server to explain what media types or page types the browser is willing to accept. This header is simply the browser "preferring" a set of media or text types in the specified format. The server can honor this request and send the data in the format listed or ignore it completely and send what ever the server has. For privacy concerns we can replace the true header of the client with "*/*" saying that we accept all data types. This option works with all clients.

 
  Example:    header_replace Accept text/plain; q=0.5, text/html, text/x-dvi; q=0.8, text/x-c
  Pantz.org:  header_replace Accept */*

The Accept-Encoding header is sent by the client to the server to explain what compression encoding the client will accept. Compression will make the data being transfered smaller in size at the expense of CPU time on the server and the client due to compressing/uncompressing the data. The server can honor this request and send the data in the format listed or ignore it completely and send the data clear text. For privacy concerns we can replace the true header of the client with a request for "gzip" only. This option works with all clients.

Example:     header_replace Accept-Encoding compress, gzip
Pantz.org:   header_replace Accept-Encoding gzip

The Accept-Language header is sent by the client to the server to explain what language we would like the page to be in. The server can honor this request and send the data in the format listed or ignore it completely and send what ever the server want to. For privacy concerns we can replace the true header of the client with our default language of "en". This option works with all clients.

  Example:     Accept-Language da, en-gb;q=0.8, en;q=0.7
  Pantz.org:   Accept-Language en

The User-Agent header is sent by the client to the server to explain what browser name, browser version, build type, compiler version and other information about the client. For some sites (www.digg.com) this header must be sent in the proper format as seen in the pantz.org example, but not necessarily have valid or true information. For privacy concerns we can replace the true header of the client with what ever we want as long as it is at least in the form of the pantz.org example.

  Example:     header_replace User-Agent Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4
  Pantz.org:   header_replace User-Agent Pantaloons/1.0 (pantz.org)

The Authorization header is sent by the client to the server with the user name and password for access. This header can also be used with the pop-up user name/password box that WWW-Authentication provides. This header is _NOT_ used for the user name and password of Java scripted sites like Netflix, digg, and financial institutions. This header _IS_ used to send credentials in the URL to the server. You will need the Authorization header if you have hosts connecting to sites with ddclient for dyndns updates or for a machine with MythTV so it can receive updates from Zap2It Labs for TV programming. If you see errors on the machine running squid in your logs from ddclient with "authorization failed (HTTP/1.0 401 Unauthorized" or "X-UpdateCode: A" this is authorization not allowed in squid.

  Pantz.org:   header_access Authorization allow all

The Content-Disposition header is an extension to the MIME protocol instructing a MIME user agent on how it should display an download file. When the browser receives the header, it raises a "file download" dialog box with the file name specified by the server. One only needs this header if you use web pages that dynamically name the download file through a scripted process. For example, if the web page dynamically generates a list and specifies the filename as "pantz_file.txt", but you see the file being saved incorrectly as "file_script.pl" then blocking this header might be the problem.

  Pantz.org:   header_access Content-Disposition allow all

The Content-Encoding header is sent by the server back to the client to explain what compression method or factor the server is sending the data in. Since we specified the header Accept-Encoding as "gzip" the server should be sending the client the same.

  Pantz.org:   header_access Content-Encoding allow all

The Content-Length header is sent by the server back to the client to detail how much data the client should expect to receive. If the server says 1MB of data is being sent and only 0.9MB data arrived the client knows to wait longer or re-request the data.

  Pantz.org:   header_access Content-Length allow all

The Content-Type header field indicates the media type of the entity-body sent to the recipient or, in the case of the HEAD method, the media type that would have been sent had the request been a GET. If the server is sending text/html page to the client then "text/html" will be sent through this header.

  Pantz.org:   header_access Content-Type allow all

The Cookie header field allows the client to accept the cookie file from the server. This does _NOT_ allow the client to use the cookie, but only accept the cookie object. This header is used in conjunction with the header Set-Cookie to allow the client to accept the cookie file and to use it for the server site. A site that requires the headers Cookie and Set-Cookie for example is netflix.com which will not even let you log in with out cookies enabled for the client. Other pages like digg.com and amazon.com will not recognize your client if you try to log into them with out this header.

  Pantz.org:   header_access Cookie allow all

The Host header is sent from the client to the server specifying the host the client wants to connect to. Some sites use many virtual hosts on one server on a single ip address. If the client does not send the Host header the server does not know which virtual host the client wants to connect to. This is required for most sites.

  Pantz.org:   header_access Host allow all

The Location header is used to redirect the recipient to a location other than the Request-URI for completion of the request or identification of a new resource. This header is sometimes used in conjunction with the Authorization header. For example, the client may log into one server to be authorized and then is redirected with the Location header to another server to access the site or receive the data.

  Pantz.org:   header_access Location allow all

The Range header specifies HTTP retrieval requests using conditional or unconditional GET methods and MAY request one or more sub-ranges of the entity, instead of the entire entity. For example a client may request the first 10KB of a 20MB file which includes descriptive information about a rpm package rather than download the entire file. If one is using the "yum" package maintainer and you see the error similar to "Header is not complete. Trying other mirror." then you need to add the Range header to squid.

  Pantz.org:   header_access Range allow all

The Set-Cookie header works in conjunction with the header Cookie. This header allows the client to use the cookie file download from a site and allowed by the Cookie header.

  Pantz.org:   header_access Set-Cookie allow all

The WWW-Authenticate header is the pop-up window or box the client sees to enter their user name and password into. This only allows the client to pop-up the box allowing the input of the credentials, it is nothing else. Once the user enters the user name/password in the box and hits "accept" the header Authenticate actually sends the user name/password to the server.You will need the WWW-Authenticate header if you have hosts connecting to sites like Zap2it or EasyTvData.org with MythTV so it can receive updates for TV programming.

  Pantz.org:   header_access WWW-Authenticate allow all

The All header is a variable squid uses to define "any" http header. This rule is to deny all headers and is used in conjunction with the above rules. In essence, if the header is not defined above then this rule will block it. Think of this methodology as paranoid mode.

  Pantz.org    header_access All deny all

Helpful Squid info

To stop squid:

squid -k kill

To re-read the squid.conf file without restarting squid:

squid -k reconfigure

To rotate the squid log files setup a cron job like:

  # rotate logs weekly (Sunday at midnight)
  0   0   0   *   *   0   squid -k rotate

In many Unix programs you can set the proxy using environment variables. The examples below are for a bash shell.

 export http_proxy="http://proxy.domain.lan:8080"
 export https_proxy="http://proxy.domain.lan:8080"

For other unix programs like wget you set them in a config file. Wget's settings config file is in /etc/wgetrc. The lines for the proxy would look like the ones below. Also a setting for using passive ftp.

passive_ftp = on
http_proxy = http://proxy.domain.lan:8080/
use_proxy = on

Del.icio.us! | Digg Me! | Reddit!

Related stories

Install and configure a squid proxy
Posted on 09-25-2006 00:13:00 UTC | Updated on 09-25-2006 00:13:00 UTC
Section: /software/squid/ | Permanent Link

Update: I found out any eaiser way to do a encrypted http tunnel through an untrusted network with just SSH. Please see the ssh section of my website for info on that or use my search feature to look for ssh and squid. It can also be done with Putty on windows. I'll leave the info below anyway.

I want to setup SSH to tunnel my web traffic through Squid. Squid would be the proxy server for my web traffic when I'm connected to a network I don't trust. For example if I'm using a public WiFi connection. SSH would tunnel http requests from the remote machine through my gateway at home. All http traffic is usually sent in the clear so anyone can see what sites your visiting because your on their network connection. So lets encrypt the traffic. I plan on doing this by tunneling my traffic thru SSH and running the Squid http proxy on localhost. I know all the traffic going from the gateway squid proxy to the internet is not encrypted but I trust the gateway. Any http request going out of there anyway would be unencrypted. It's just the way the protocol was designed.

Squid (version 2.5) will be setup on my OpenBSD 3.8 gateway machine at home. Squid will be listening on 127.0.0.1 (localhost) so no one can connect to it from the internal lan or the internet. The gateway machine only has SSHD running on it and is only available to certian IP ranges from the internet. The http requests will be tunneled from the client machine through SSH and sent to squid on the gateway machine. Squid will process the request and sent it back the browser on the client machine which has been setup to use proxy settings. Do the following steps below.

1. Install the simple version of squid without any packages with the words like "transparent" or "SNMP" on the OpenBSD gateway machine

pkg_add -vf ftp://ftp.usa.openbsd.org/pub/OpenBSD/3.8/packages/i386/squid-2.5.STABLE10.tgz

2. Edit /etc/squid/squid.conf and see below for the only lines I changed from the default config file. The rest of the settings were left to default. Just check yours match the ones below at a minimum. Change your file according to your tastes then save it.

# These lines are only the ones that were
# changed from the default config. There
# are more config options the conf file.

http_port 127.0.0.1:8080
udp_incoming_address 127.0.0.1
cache_access_log none
cache_store_log none
dns_nameservers 192.168.0.1
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl our_networks src 127.0.0.1

3. Initialize the cache with the following command.

squid -z

4. Start squid with the following command.

/usr/local/sbin/squid

5. To test it go to a machine on the inside lan or a machine that can access the gateway from outside the lan. SSh to the gateway machine with the command "ssh -L 8080:localhost:8080 192.168.0.1". This command creates a port that listens on port 8080 on the local machine (locahost). We will be pointing our browsers to this port to have our traffic tunneled to the gateway machine. When that encrypted traffic gets to the other side it is directed to localhost port 8080 on the gateway where Squid has been setup to listen for requests.

6. After that ssh connection is connected open your web browser. Go to the proxy settings of the browser (in firefox Edit->Preferences->General->Connection->Connection Settings->Manual Proxy Configuration"). Under the http proxy section put in the proxy host name of "locahost" and port "8080". Click ok and your done.

7. Surf to ipchicken.com and your IP address that shows up should be the IP address of the gateway. If your on the internal lan then this is no big deal but if you set the proxy settings correctly you should be able to hit any webpage and if it comes up your working through the proxy.

8. If it worked then make Squid start on boot by putting this in your /etc/rc.local file.

    if [ -x /usr/local/sbin/squid ]; then
        echo -n ' squid';       /usr/local/sbin/squid
    fi

Del.icio.us! | Digg Me! | Reddit!

Related stories


RSS Feed RSS feed logo
About


3com
3ware
alsa
alsactl
alsamixer
amd
android
apache
areca
arm
ati
auditd
awk
badblocks
bash
bind
bios
bonnie
cable
carp
cat5
cdrom
cellphone
centos
chart
chrome
cifs
cisco
cloudera
comcast
commands
comodo
compiz-fusion
corsair
cpufreq
cpufrequtils
cpuspeed
cron
crontab
crossover
cu
cups
cvs
database
dbus
dd
dd_rescue
ddclient
debian
decimal
dhclient
dhcp
diagnostic
diskexplorer
disks
dkim
dns
dos
dovecot
drac
dsniff
dvdauthor
e-mail
echo
editor
emerald
ethernet
expect
ext3
ext4
fat32
fedora
fetchmail
fiber
filesystems
firefox
firewall
flac
flexlm
floppy
flowtools
fonts
format
freebsd
ftp
gdm
gmail
gnome
greasemonkey
greylisting
growisofs
grub
hacking
hadoop
harddrive
hba
hex
hfsc
html
html5
http
https
idl
ie
ilo
intel
ios
iperf
ipmi
iptables
ipv6
irix
javascript
kde
kernel
kickstart
kmail
kprinter
krecord
kubuntu
kvm
lame
ldap
linux
logfile
lp
lpq
lpr
maradns
matlab
memory
mencoder
mhdd
mkinitrd
mkisofs
moinmoin
motherboard
mouse
movemail
mplayer
multitail
mutt
myodbc
mysql
mythtv
nagios
nameserver
netflix
netflow
nginx
nic
ntfs
ntp
nvidia
odbc
openbsd
openntpd
openoffice
openssh
openssl
opteron
parted
partimage
patch
perl
pf
pfflowd
pfsync
photorec
php
pop3
pop3s
ports
postfix
power
procmail
proftpd
proxy
pulseaudio
putty
pxe
python
qemu
r-studio
raid
recovery
redhat
router
rpc
rsync
ruby
saltstack
samba
schedule
screen
scsi
seagate
seatools
sed
sendmail
sgi
shell
siw
smtp
snort
solaris
soundcard
sox
spam
spamd
spf
sql
sqlite
squid
srs
ssh
ssh.com
ssl
su
subnet
subversion
sudo
sun
supermicro
switches
symbols
syslinux
syslog
systemrescuecd
t1
tcpip
tcpwrappers
telnet
terminal
testdisk
tftp
thttpd
thunderbird
timezone
ting
tls
tools
tr
trac
tuning
tunnel
ubuntu
unbound
vi
vpn
wget
wiki
windows
windowsxp
wireless
wpa_supplicant
x
xauth
xfree86
xfs
xinearama
xmms
youtube
zdump
zeromq
zic
zlib