Squid

From Wiki
Jump to navigation Jump to search

!! Work in progress !!

Active Directory

  • Kerberos
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -k /etc/squid/squid.keytab -s HTTP/proxy.acme.local@ACME.LOCAL -d -i
auth_param negotiate children 10
auth_param negotiate keep_alive off
  • LDAP
external_acl_type ad_group_member_check ttl=120 %LOGIN /usr/lib/squid/ext_ldap_group_acl -d -v3 -Z -R -K -b "CN=Users,DC=acme,DC=local" -D "ldapuser@acme.local" -w "Password" -f "(&(objectclass=person)(sAMAccountName=%u)(memberOf=CN=%g,CN=Users,DC=acme,DC=local))" -h dc1.acme.local
  • ACL
acl kerb-auth proxy_auth REQUIRED
acl ldap-user external ad_group_member_check proxy-users

http_access allow kerb-auth ldap-user
http_access deny all

Basic Authentication

auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic children 2
auth_param basic realm myrealm
auth_param basic credentialsttl 4 hours

acl basic_auth proxy_auth REQUIRED
http_access allow basic_auth
http_access deny all

ClamAV

  • freshclam
  • clamd
  • squidclamav
  • c-icap

squid.conf:

icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_encode off
icap_client_username_header X-Authenticated-User
icap_preview_enable on
icap_preview_size 1024
icap_service service_req reqmod_precache bypass=0 icap://127.0.0.1:1344/squidclamav
icap_service service_resp respmod_precache bypass=0 icap://127.0.0.1:1344/squidclamav
adaptation_access service_req allow all
adaptation_access service_resp allow all

Intercept

  • squid -v, look for --enable-ssl, --enable-ssl-crtd and --with-openssl
# openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -extensions v3_ca -keyout bump.pem -out bump.pem
# cp bump.pem /etc/squid
# openssl x509 -in bump.pem -outform DER -out bump.der

Import bump.der into your browser. In Firefox: preferencessecurityshow certificatescaimport

http_port 3128 ssl-bump \
  cert=/etc/squid/bump.pem \
  generate-host-certificates=on \
  dynamic_cert_mem_cache_size=20MB

sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 20MB
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
tls_outgoing_options options=NO_SSLv3,NO_TLSv1,NO_TLSv1_1