Squid Proxy best practice configuration, Security best practices guide
Proxy servers play an integral part in any network. They help users reach content quickly while preventing them from landing on unsafe or forbidden pages. While they share the allocated bandwidth among authorized users, they also make sure no particular user hogs the resources with large uploads and downloads.
A Squid Proxy is one such server.
What is a Squid Proxy Server?
A Squid Proxy is a Unix-based proxy server that can do both caching and proxying. It can cache web content at a data storage point that is closest to the user or requestor. It frequently caches large media files and web pages to reduce bandwidth congestion. This helps decrease website resolution and data loading times.
Installing Squid Proxy
While the scope of this post is to explore the best practices in configuring Squid Proxy, it would be unfair to simply skip over how to get the software itself and how it can be installed.
Therefore, let’s touch a bit on that.
While many operating systems come with Squid already installed on them, the software itself can be downloaded from the official site. As for the installation and basic setup of the proxy, there is a multitude of tutorials and websites that show how it can be done on different operating systems with examples being Debian 10, Windows, Ubuntu, and CentOS – one of its flavors.
Squid Proxy Best Practice Configuration (Secure Setup)
Back up configuration files
Make a copy of the original files every time a component of a Squid Proxy Server is changed or configured.
A careful administrator will always make sure there is an older, working version of every file they tweak. This way, if there is a misconfiguration, things can be reverted to their previous state by simply replacing the erroneous files. Here’s the command to copy the squid.conf file to squid.conf.bak:
cp /etc/squid/squid.conf /etc/squid/squid.conf.bak
Using backup files also makes it easier to troubleshoot errors that may occur after a while. All that is needed to spot an error is to compare both versions of a configuration file.
Rotate log files
0 0 * * * /usr/local/squid/sbin/squid -k rotate
Many administrators are happy to leave their Squid Proxy servers on the default or most commonly used port numbers – 8080 or 3128. Worse, they don’t even bother to secure the ports properly.
Apart from being a lazy move, it also puts the server and its users at risk. The very least they can do is spend time securing these ports or opt for an arbitrary port number that is above 10,000. After all, all it takes to change the ports is to edit the Squid config file and replace the 3128 with, for example, 12221:
In case a specific IP address needs to be used, the new configuration becomes:
No user should be allowed to access resources on a network without being authenticated. This is especially true when that resource gives access to the World Wide Web.
Enable SOCKS protocol
However, Squid doesn’t support the SOCKS protocol. Although life without this protocol is possible, it would make it a bit difficult to connect to some servers that require it to ensure a secure connection. Also, adding SOCKS support makes it possible for Squid to accept SOCKS connections as well as make outgoing connections to SOCKS cache peers. It can then also send requests through to SOCKS gateways or act as an HTTP SOCKS gateway itself.
Limiting download sizes
A proxy server is meant to be used by many users. Anyone who wants to hog the shared resources should be deterred by enforcing download size limits.
acl Group1 proxy_auth user1 user2
acl Group2 proxy_auth user3 user4
# The first matching rule applies, so the catch-all "all" limit goes last.
reply_body_max_size 20480 KB Group2
reply_body_max_size 10240 KB Group1
reply_body_max_size 5120 KB all
The administrators can also limit the download sizes allowed during certain times of the day – like for the duration of working hours, for example. This is shown in the following set of configuration commands.
acl WorkingHours time 08:00-17:00
reply_body_max_size 10240 KB WorkingHours
Another defense strategy that needs to be adopted is the installation of antivirus software – both on the endpoints on the network as well as the servers themselves. This includes the Squid Proxy server.
The performance of a Squid Proxy Server can be enhanced with the help of antivirus tools that also perform content filtering tasks. Preventing access to off-topic websites, blocking the download of certain file types, and scanning all files that pass through the network will help keep the proxy at optimal performance levels.
To log, or not to log?
There is one dilemma that poses a problem to many administrators: whether or not they should turn logging off to improve their proxy’s performance.
Let’s not forget that logs are the only way we can understand what is happening with a server. Logs help with tuning as well as disaster recovery. Without them, it would be an impossible task to find out why a server crashed.
Administrators can set custom refresh patterns for various areas of a website. This allows static content to remain cached for longer periods, while only dynamic content is updated more frequently.
# refresh_pattern rules are first-match: most specific first, catch-all "." last.
refresh_pattern /blog/images/ 15 75% 4320
refresh_pattern /blog/ 0 15% 360
refresh_pattern . 15 75% 4320
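As an added example (not code from the original article or from the Squid project), the following Python check reads squid.conf text and reports four of the problems discussed above: a default http_port, no http_access rule tied to a proxy_auth ACL, a reply_body_max_size rule naming an ACL that is never defined, and a catch-all refresh_pattern placed ahead of other rules. The function name audit, the finding strings and both sample fragments are constructed for illustration.

```python
DEFAULT_PORTS = {"3128", "8080"}  # the defaults the article warns about
UNITS = {"bytes", "KB", "MB", "GB"}

def audit(text):
    """Return findings for squid.conf text; whole-line # comments are skipped."""
    rows = [(t[0], t[1:]) for t in map(str.split, text.splitlines())
            if t and not t[0].startswith("#")]
    out = []
    acls = {a[0]: a[1] for d, a in rows if d == "acl" and len(a) > 1}
    auth = {name for name, kind in acls.items() if kind == "proxy_auth"}
    for d, a in rows:
        # The port is the part after the last ":" ("12221" or "addr:12221").
        if d == "http_port" and a and a[0].rsplit(":", 1)[-1] in DEFAULT_PORTS:
            out.append("default port: http_port " + a[0])
        # Size limits that name an ACL no acl line defines.
        if d == "reply_body_max_size":
            names = [t.lstrip("!") for t in a[1:] if t not in UNITS]
            out += ["undefined acl in reply_body_max_size: " + n
                    for n in names if n not in acls and n != "all"]
    # Heuristic: some http_access rule must mention a proxy_auth ACL.
    if not any(d == "http_access" and auth & {t.lstrip("!") for t in a[1:]}
               for d, a in rows):
        out.append("no http_access rule uses a proxy_auth acl")
    # refresh_pattern is first-match: a "." before other rules shadows them.
    pats = [a[1] if a[0] == "-i" else a[0]
            for d, a in rows if d == "refresh_pattern" and len(a) > 1]
    if "." in pats[:-1]:
        out.append("catch-all refresh_pattern is not last")
    return out

# Constructed samples (fragments for the checks, not complete configs).
WEAK = """
http_port 3128
acl Group1 proxy_auth user1 user2
acl Group1 proxy_auth user3 user4
reply_body_max_size 20480 KB Group2
refresh_pattern . 15 75% 4320
refresh_pattern /blog/ 0 15% 360
"""
HARDENED = """
http_port 12221
acl Group1 proxy_auth user1 user2
acl Group2 proxy_auth user3 user4
http_access allow Group1
http_access allow Group2
http_access deny all
reply_body_max_size 20480 KB Group2
refresh_pattern /blog/ 0 15% 360
refresh_pattern . 15 75% 4320
"""
```

Calling audit(WEAK) returns one finding per check, while audit(HARDENED) returns an empty list; the same function can be run on the contents of a candidate squid.conf before Squid is reloaded.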
Squid Proxy Best Practice Security Configuration Complete
An organization looking to optimize its bandwidth consumption should consider installing a Squid Proxy instance on its network. As we have seen, this light and powerful proxy server can be easily configured to create a sturdy barrier against abuse from within the perimeter and malicious attacks from beyond it.
For organizations looking to adopt this proxy, we only have one piece of advice: always make sure that a professional is at hand to perform the installation and configuration.