Squid Proxy Best Practice Configuration (Secure Setup)
Squid Proxy best practice configuration, Security best practices guide. Proxy servers play an integral part in any network. They help users reach content quickly while preventing them from landing on unsafe or forbidden pages. While they share the allocated bandwidth among authorized users, they also make sure no particular user hogs the resources with large uploads and downloads.
A Squid Proxy is one such server.
Table of Contents
What is a Squid Proxy Server?
A Squid Proxy is a Unix-based proxy server that can do both caching and proxying. It can cache any web content from a data storage point that is closest to the user or requestor. It frequently caches large media files and web pages to reduce bandwidth congestion. Thus, it helps decrease website resolution and data loading periods.
Installing Squid Proxy
While the scope of this post is to explore the best practices in configuring Squid Proxy, it would be unfair to simply skip about how to get the software itself and how it can be installed.
Therefore, let’s touch a bit on that.
While many operating systems come with Squid already installed on them, the software itself can be downloaded from the official site. As for the installation and basic setup of the proxy, there is a multitude of tutorials and websites that show how it can be done on different operating systems with examples being Debian 10, Windows, Ubuntu, and CentOS – one of its flavors.
Squid Proxy Best Practice Configuration (Secure Setup)
Ok, let’s jump right in and have a look at some Squid Proxy best practice configuration tips for a secure setup:
Back up configuration files
A copy needs to be made of original files every time a change or configuration of components of a Squid Proxy Server is done.
A careful administrator will always make sure there is an older, working version of every file they tweak. This way, in case there is a misconfiguration, things can be reverted to their previous states by simply going replacing the erroneous files. Here’s the command to copy the squid.conf file to squid.conf.bak:
cp /etc/squid/squid.conf /etc/squid/squid.conf.bak
Using backup files also makes it easier to troubleshoot errors that may occur after a while. All that is needed to spot an error is to compare both versions of a configuration file.
Rotate log files
One way of improving the performance of a Squid Proxy Server is by regularly rotating its log files. It works better with smaller log files than it does with large ones. The best way to do it is with cron jobs:
0 0 * * * /usr/local/squid/sbin/squid -k rotate
Non-default ports
Many administrators are happy with leaving their Squid Proxy servers to use the default or most commonly used numbers – 8080 or 3128. Worse, they don’t even bother to secure the ports properly.
Apart from being a lazy move, it also puts the server and its users at risk. The very least they can do is spend time securing these ports or opt for an arbitrary port number that is above 10,000. After all, all it takes to change the ports is to edit the Squid config file and replace the 3128 with, for example, 12221:
http_port 12221
In case a specific IP address needs to be used, the new configuration becomes:
http_port 192.0.2.1:12221
Enforced authentication
No user should be allowed to access resources on a network without being authenticated. This is especially true when that resource gives access to the World Wide Web.
All users looking to access the Squid Proxy should have the proper authorization – even when they have been authenticated to use the domain.
Enable SOCKS protocol
Squid Proxy is designed to mainly work with HTTP and FTP protocols. But, it does support other protocols including HTTPS, SSL, and TLS, to name a few.
However, Squid doesn’t support the SOCKS protocol. Although life without this protocol is possible, it would make it a bit difficult to connect to some servers that require it to ensure a secure connection. Also, adding SOCKS support makes it possible for Squid to accept SOCKS connections as well as make outgoing connections to SOCKS cache peers. It can then, also send requests easily through to SOCKS gateways or act as an HTTP SOCKS gateway itself.
Here is a video that shows how to set up a Squid Proxy and then enable SOCKS to secure it (also includes copying the config file and enabling authentication):
Limiting download sizes
A proxy server is meant to be used by many users. Anyone who wants to hog the shared resources should be deterred by enforcing download size limits.
Administrators can opt to put a blanket limit on all users. Alternatively, they can put the cap on certain file types or by limiting select users and groups as shown below.
acl Group1 proxy_auth user1 user2
acl Group1 proxy_auth user3 user4
reply_body_max_size 20480 KB Group2
reply_body_max_size 10240 KB Group1
reply_body_max_size 5120 KB all
The administrators can also limit the download sizes allowed during certain times of the day – like for the duration of working hours, for example. This is shown in the following set of configuration commands.
acl WorkingHours time 08:00-17:00
reply_body_max_size 10240 KB WorkingHours
Regular patching
Although a Squid Proxy does help prevent attacks, it isn’t impervious to attacks itself. One of the most common mistakes an administrator can make is to skip Patch Tuesdays.
There should be a regular patching schedule that needs to be adhered to strictly. Administrators should also take care to ensure the patching process gets done without a hitch.
Installing antivirus
Another defense strategy that needs to be adopted is the installation of anti-viruses – both on the endpoints on the network as well as the servers themselves. This includes the Squid Proxy server.
The performance of a Squid Proxy Server can be enhanced with the help of antiviruses that also perform content filtering tasks. Preventing access to off-topic websites, blocking the download of certain file types, and scanning all files that pass through the network will help keep the proxy at optimal performance levels.
To log, or not to log?
There is one dilemma that poses a problem to many administrators: whether or not they should turn logging off to improve their proxy’s performance.
Let’s not forget that logs are the only way we can understand what is happening with a server. Logs help with tuning as well as disaster recovery. Without them, it would be an impossible task to find out why a server crashed.
With that being said, Squid Proxy does allow cache peers for a shared resource pool. Perhaps, that would be the better alternative to completely foregoing logging. Details on how to create a cache hierarchy can be found on the Squid Wiki.
Caching exceptions
Administrators can set custom refresh patterns for various areas of a website. This allows static content to remain cached for longer periods, while only dynamic content is updated more frequently.
They can plan where the contents reside to allow for more precise refresh_pattern statements. They can, for example, locate all images on a separate server or under a top-level /images path.
refresh_pattern . 15 75% 4320
refresh_pattern /blog/ 0 15% 360
refresh_pattern /blog/images/ 15 75% 4320
Load balancing
Load balancing is one way of ensuring the high availability of any server. In architectures where there is a high amount of Internet usage, it makes sense to share the workload among available Squid Proxy servers with the help of peers – find the details on how to do it by going here.
Squid Proxy Best Practice Security Configuration Complete
An organization looking to optimize its bandwidth consumption should consider installing a Squid Proxy instance on its network. As we have seen, this light and powerful proxy server can be easily configured to create a sturdy barrier against abuse from within the perimeter and malicious attacks from beyond it.
For organizations looking to adopt this proxy, we only have one piece of advice: always make sure that a professional is at hand to perform the installation and configuration.
