
Setup Squid with cache, antivirus and SSL-MITM mode on Managed Server

Author: Alexander Knerlein
Published: 2020-11-27
Time to read: 8 minutes

Introduction

In this tutorial we will learn how to install and configure a caching Squid HTTP proxy server with an antimalware check and SSL man-in-the-middle mode on a Managed Server. To extend Squid with antimalware functionality we need to install C-ICAP and SquidClamav (a module for C-ICAP). For the virus scan itself we can simply use the preinstalled ClamAV daemon. There is one problem, though: since most content on the web is served with transport encryption, Squid will not be able to scan it in the default setting. To solve this we can activate an SSL man-in-the-middle mode. In order to inspect the content, Squid terminates the original encrypted connection. After the antivirus check has been applied, Squid encrypts the connection again with a certificate issued by its own CA and serves it to the clients.

Prerequisites

  • Managed Server with enabled SSH access
  • Hetzner Development Package (hos-dev) -> please ask support

Step 1 - Install Squid and other necessary components

First we need to download and compile various sources.

Before we start, create a directory for the sources to keep the home directory clean.

cd
mkdir src
cd src

Step 1.1 - Squid source installation

Download and compile the Squid sources.

  • Always check the Squid download page for newer stable versions
wget http://www.squid-cache.org/Versions/v4/squid-4.13.tar.xz
tar xJvf squid-4.13.tar.xz
cd squid-4.13
./configure --prefix=/usr/home/holu/squid --enable-icap-client --with-openssl --enable-ssl-crtd
make -j $(($(grep ^cpu\ cores /proc/cpuinfo | uniq | sed s/[^0-9]//g)+1))
make install
cd ..

Step 1.2 - C-ICAP source installation

Next download and compile the C-ICAP sources.

  • Always check the C-ICAP download page for newer stable versions
wget https://downloads.sourceforge.net/project/c-icap/c-icap/0.5.x/c_icap-0.5.7.tar.gz
tar xzvf c_icap-0.5.7.tar.gz
cd c_icap-0.5.7
./configure --prefix=/usr/home/holu/squid --enable-large-files
make -j $(($(grep ^cpu\ cores /proc/cpuinfo | uniq | sed s/[^0-9]//g)+1))
make install -i
cd ..

Step 1.3 - SquidClamav source installation

Finally, download and compile the SquidClamav sources.

  • Always check the SquidClamav release page for newer stable versions
wget https://github.com/darold/squidclamav/archive/v7.1.tar.gz
tar xzvf v7.1.tar.gz
cd squidclamav-7.1
./configure --prefix=/usr/home/holu/squid --with-c-icap=/usr/home/holu/squid
make -j $(($(grep ^cpu\ cores /proc/cpuinfo | uniq | sed s/[^0-9]//g)+1))
make install

Step 2 - Basic configuration of Squid

In this step we will mainly edit the configuration of Squid and do other preparatory steps.

The main squid configuration file can be found under

  • /usr/home/holu/squid/etc/squid.conf

Step 2.1 - SSL

Create a certificate authority and a Diffie-Hellman params file.

mkdir /usr/home/holu/squid/etc/ssl
mkdir /usr/home/holu/squid/var/lib
openssl req -new -newkey rsa:4096 -sha512 -days 365 -nodes -x509 -extensions v3_ca -keyout /usr/home/holu/squid/etc/ssl/cakey.pem  -out /usr/home/holu/squid/etc/ssl/cacrt.pem
openssl dhparam -outform PEM -out /usr/home/holu/squid/etc/ssl/dhparam.pem 4096

Step 2.2 - WAN access

To access the proxy from outside, we need to define an ACL and allow access in the configuration file. The rules must be placed above the "http_access deny all" directive, because Squid evaluates http_access rules in order and stops at the first match. Search for the commented text and insert your rules below it, replacing the example addresses with the addresses of your own clients.

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
acl wan src 198.51.100.1/32
acl wan src 2001:db8:9abc::1/128
http_access allow wan
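Because rule order decides whether the wan ACL ever takes effect, the following added check (not part of the tutorial or of Squid itself) parses a squid.conf fragment and reports http_access rules that sit below an unconditional "deny all" / "allow all", as well as ACL names that are used but never declared. The two config fragments are constructed samples in the shape of the Step 2.2 excerpt.

```python
# Constructed squid.conf fragments in the shape of the tutorial's Step 2.2:
# in GOOD_CONF the wan rule sits above "deny all", in BAD_CONF below it.
GOOD_CONF = """\
acl wan src 198.51.100.1/32
acl wan src 2001:db8:9abc::1/128
http_access allow localhost
http_access allow wan
http_access deny all
"""
BAD_CONF = """\
acl wan src 198.51.100.1/32
http_access deny all
http_access allow wan   # never reached
"""
BUILTIN_ACLS = {"all", "localhost", "to_localhost", "manager"}  # predefined by Squid

def parse_http_access(conf: str):
    """Yield (line_no, action, acl_names) for each http_access line, in file order."""
    for no, raw in enumerate(conf.splitlines(), start=1):
        parts = raw.split("#", 1)[0].split()      # strip trailing comments
        if len(parts) >= 3 and parts[0] == "http_access":
            yield no, parts[1], parts[2:]

def shadowed_rules(conf: str):
    """Line numbers of http_access rules placed after an unconditional
    'allow all' / 'deny all', which Squid would therefore never evaluate."""
    terminal, shadowed = None, []
    for no, _action, acls in parse_http_access(conf):
        if terminal is not None:
            shadowed.append(no)
        elif acls == ["all"]:
            terminal = no
    return shadowed

def undefined_acls(conf: str):
    """ACL names referenced by http_access but never declared with an 'acl' line."""
    declared = set(BUILTIN_ACLS)
    for raw in conf.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "acl":
            declared.add(parts[1])
    used = {a.lstrip("!") for _, _, acls in parse_http_access(conf) for a in acls}
    return sorted(used - declared)
```

Run it against your real file with open("/usr/home/holu/squid/etc/squid.conf").read() before starting Squid; an empty result from both functions means the wan rule is reachable.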

Step 2.3 - SSL-MITM mode

Search for the directive "http_port 3128" and extend it with the following options.

# Squid normally listens to port 3128
http_port 3128 ssl-bump generate-host-certificates=on cert=/usr/home/holu/squid/etc/ssl/cacrt.pem key=/usr/home/holu/squid/etc/ssl/cakey.pem dynamic_cert_mem_cache_size=4MB options=NO_SSLv3,NO_TLSv1,NO_TLSv1_1,SINGLE_DH_USE,SINGLE_ECDH_USE cipher=HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/usr/home/holu/squid/etc/ssl/dhparam.pem

Then add the following additional configuration to the end of the file.

# Custom config SSL-MITM mode
tls_outgoing_options options=NO_SSLv3,NO_TLSv1,NO_TLSv1_1,SINGLE_DH_USE,SINGLE_ECDH_USE cipher=HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS

sslcrtd_program /usr/home/holu/squid/libexec/security_file_certgen -s /usr/home/holu/squid/var/lib/ssl_db -M 4MB

acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

Step 2.4 - C-ICAP bypass

To activate the C-ICAP bypass, which hands every request and response to the antivirus scan, add the following additional configuration to the end of the file.

# Custom config C-ICAP bypass
icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_encode off
icap_client_username_header X-Authenticated-User
icap_preview_enable on
icap_preview_size 1024
icap_service service_avi_req reqmod_precache icap://127.0.0.1:1344/squidclamav bypass=off
adaptation_access service_avi_req allow all
icap_service service_avi_resp respmod_precache icap://127.0.0.1:1344/squidclamav bypass=on
adaptation_access service_avi_resp allow all

Step 2.5 - Cache

To activate the disk cache, search and uncomment the cache_dir directive.

# Uncomment and adjust the following to add a disk cache directory.
cache_dir ufs /usr/home/holu/squid/var/cache/squid 100 16 256

Then add the following additional configuration to the end of the file.

# Custom config cache
acl dynamic urlpath_regex cgi-bin \?
cache deny dynamic
cache_mem 64 MB
maximum_object_size_in_memory 256 KB

Step 2.6 - X-Forwarded-For

It would be a good idea to disable the X-Forwarded-For header for privacy. Add the following additional configuration to the end of the file.

# Custom config X-Forwarded-For
forwarded_for off

Step 3 - Basic configuration of C-ICAP and SquidClamav

In this step we will mainly edit the configuration of C-ICAP and do other preparatory steps. We will also edit the SquidClamav configuration.

The main C-ICAP configuration file can be found under

  • /usr/home/holu/squid/etc/c-icap.conf

The main SquidClamav configuration file can be found under

  • /usr/home/holu/squid/etc/squidclamav.conf

Step 3.1 - Create directories

Create necessary directories for the PidFile, CommandSocket and TmpDir.

mkdir /usr/home/holu/squid/var/run/c-icap
mkdir /usr/home/holu/squid/var/tmp

Step 3.2 - C-ICAP configuration

First we need to correct some paths in the C-ICAP configuration file. Search for the "PidFile" directive and replace it as shown below.

# TAG: PidFile
# Format: PidFile pid_file
# Description:
#       The file to store the pid of the main process of the c-icap server.
# Default:
#       PidFile /var/run/c-icap/c-icap.pid
PidFile /usr/home/holu/squid/var/run/c-icap/c-icap.pid

Do the same for the "CommandsSocket" directive.

# TAG: CommandsSocket
# Format: CommandsSocket socket_file
# Description:
#       The path of file to use as control socket for c-icap
# Default:
#       CommandsSocket /var/run/c-icap/c-icap.ctl
CommandsSocket /usr/home/holu/squid/var/run/c-icap/c-icap.ctl

And repeat for the "TmpDir" directive.

# TAG: TmpDir
# Format: TmpDir dir
# Description:
#       dir is the location of temporary files.
# Default:
#       TmpDir /var/tmp
TmpDir /usr/home/holu/squid/var/tmp

Finally add the following additional configuration to the end of the file to enable SquidClamav.

# Custom config
Service squidclamav squidclamav.so

Step 3.3 - SquidClamav configuration

Open the SquidClamav configuration file, search for the redirect directive and disable it.

# When a virus is found then redirect the user to this URL. If this directive
# is disabled squidclamav will use c-icap error templates to report issues.
#redirect http://proxy.domain.dom/cgi-bin/clwarn.cgi

We don't want to use the redirect, because without the CGI script in place we would be sent to a wrong page whenever a virus is detected.

If we disable it, SquidClamav will use a C-ICAP error template that works without further configuration.

If you want to use the Perl CGI script "clwarn.cgi", feel free to copy it to your web server and activate the redirect.

Step 4 - Post installation

Step 4.1 - The first start

Create and initialize the cache directory for the generated SSL certificates.

/usr/home/holu/squid/libexec/security_file_certgen -c -s /usr/home/holu/squid/var/lib/ssl_db -M 4MB

Initialize the proxy cache directory.

/usr/home/holu/squid/sbin/squid -z

Start the services.

/usr/home/holu/squid/bin/c-icap
/usr/home/holu/squid/sbin/squid

Don't forget to add an incoming firewall rule for port 3128/TCP in konsoleH. I strongly recommend opening the port only for trusted IP addresses.

If you want to run the processes as permanent services, please consider asking support for process releases of "squid" and "c-icap".

Step 4.2 - Prepare your browser

If you use the proxy with the SSL functionality, your clients will only see certificates generated by the Squid CA. In this case we need to import the CA certificate into each client's certificate trust store.

Convert the CA certificate to DER format, which most clients can import directly.

openssl x509 -in /usr/home/holu/squid/etc/ssl/cacrt.pem -outform DER -out /usr/home/holu/cacrt.crt

Now you can download this CA certificate and distribute it to your clients' certificate trust stores.

Step 4.3 - Test it

  • Please test some SSL failures at badssl.com
  • Please visit eicar.org to test the malware detection
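The browser tests above exercise the whole chain. When something fails it helps to talk to the C-ICAP service from Step 2.4 directly, especially because the respmod service is configured with bypass=on: if C-ICAP is down or misconfigured, Squid silently serves responses unscanned. The following added script (not part of the tutorial, Squid or SquidClamav) builds an ICAP RESPMOD request as described in RFC 3507, sends it to icap://127.0.0.1:1344/squidclamav and reports whether the content came back unmodified (clean) or was replaced by SquidClamav's block page. The URL example.test and the file you pass on the command line (for instance the EICAR test file from eicar.org) are assumptions.

```python
import socket

# Service address taken from the tutorial's icap_service line (Step 2.4).
ICAP_HOST, ICAP_PORT, ICAP_SERVICE = "127.0.0.1", 1344, "squidclamav"

def build_respmod(body: bytes, url: str = "http://example.test/sample.bin") -> bytes:
    """Build an ICAP RESPMOD request (RFC 3507) wrapping a constructed HTTP
    request/response pair whose body is `body`, like Squid's respmod_precache call."""
    req_hdr = f"GET {url} HTTP/1.1\r\nHost: example.test\r\n\r\n".encode()
    res_hdr = ("HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
               f"Content-Length: {len(body)}\r\n\r\n").encode()
    # The encapsulated body is HTTP-chunked: <hex len>\r\n<data>\r\n0\r\n\r\n
    chunked = f"{len(body):x}\r\n".encode() + body + b"\r\n0\r\n\r\n"
    icap_hdr = (f"RESPMOD icap://{ICAP_HOST}:{ICAP_PORT}/{ICAP_SERVICE} ICAP/1.0\r\n"
                f"Host: {ICAP_HOST}\r\n"
                "Allow: 204\r\n"  # permit '204 Unmodified' for clean content
                f"Encapsulated: req-hdr=0, res-hdr={len(req_hdr)}, "
                f"res-body={len(req_hdr) + len(res_hdr)}\r\n\r\n").encode()
    return icap_hdr + req_hdr + res_hdr + chunked

def parse_icap_status(reply: bytes):
    """Return (status_code, reason) from the first line of an ICAP reply."""
    proto, code, reason = reply.split(b"\r\n", 1)[0].decode("latin-1").split(" ", 2)
    if proto != "ICAP/1.0":
        raise ValueError(f"not an ICAP reply: {proto!r}")
    return int(code), reason

def classify(status: int) -> str:
    """204: content passed unmodified (clean); 200: the service replaced the
    response (SquidClamav's block page); anything else: service error."""
    return {204: "clean", 200: "modified"}.get(status, "error")

def scan(body: bytes, timeout: float = 10.0) -> str:
    """Send `body` to the C-ICAP service and report how it was handled."""
    with socket.create_connection((ICAP_HOST, ICAP_PORT), timeout=timeout) as s:
        s.sendall(build_respmod(body))
        reply = b""
        while b"\r\n\r\n" not in reply:          # read at least the ICAP headers
            chunk = s.recv(4096)
            if not chunk:
                break
            reply += chunk
    return classify(parse_icap_status(reply)[0])

if __name__ == "__main__":
    import sys
    # Usage: python3 icap_check.py <file>   (e.g. the EICAR test file from eicar.org)
    print(scan(open(sys.argv[1], "rb").read()))
```

A harmless file should print "clean" and the EICAR test file "modified"; "error" or a connection failure means the scan path is broken while Squid, thanks to bypass=on, keeps serving pages as if nothing were wrong.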

Conclusion

Now you have a basic introduction on how to install and configure a Squid proxy with a bunch of additional services on a Managed Server. It is your responsibility to secure the proxy, stay up to date and tweak the configuration. Please read the Squid, C-ICAP and SquidClamav documentation for further information.

License: MIT