Squid Proxy Best Practice Configuration (Secure Setup)

Squid Proxy best practice configuration, Security best practices guide.  Proxy servers play an integral part in any network. They help users reach content quickly while preventing them from landing on unsafe or forbidden pages. While they share the allocated bandwidth among authorized users, they also make sure no particular user hogs the resources with large uploads and downloads.

A Squid Proxy is one such server.

Squid Proxy Best Practice Configuration

Table of Contents

What is a Squid Proxy Server?

A Squid Proxy is a Unix-based proxy server that can do both caching and proxying. It can cache any web content from a data storage point that is closest to the user or requestor. It frequently caches large media files and web pages to reduce bandwidth congestion. Thus, it helps decrease website resolution and data loading periods.

Installing Squid Proxy

While the scope of this post is to explore the best practices in configuring Squid Proxy, it would be unfair to simply skip about how to get the software itself and how it can be installed.

Therefore, let’s touch a bit on that.

While many operating systems come with Squid already installed on them, the software itself can be downloaded from the official site. As for the installation and basic setup of the proxy, there is a multitude of tutorials and websites that show how it can be done on different operating systems with examples being Debian 10, Windows, Ubuntu, and CentOS – one of its flavors.

Squid Proxy Best Practice Configuration (Secure Setup)

Ok, let’s jump right in and have a look at some Squid Proxy best practice configuration tips for a secure setup:

Back up configuration files

A copy needs to be made of original files every time a change or configuration of components of a Squid Proxy Server is done.

A careful administrator will always make sure there is an older, working version of every file they tweak. This way, in case there is a misconfiguration, things can be reverted to their previous states by simply going replacing the erroneous files. Here’s the command to copy the squid.conf file to squid.conf.bak:

				
					cp /etc/squid/squid.conf /etc/squid/squid.conf.bak
				
			

Using backup files also makes it easier to troubleshoot errors that may occur after a while. All that is needed to spot an error is to compare both versions of a configuration file.

Rotate log files

One way of improving the performance of a Squid Proxy Server is by regularly rotating its log files. It works better with smaller log files than it does with large ones. The best way to do it is with cron jobs:

				
					0 0 * * * /usr/local/squid/sbin/squid -k rotate
				
			

Non-default ports

Many administrators are happy with leaving their Squid Proxy servers to use the default or most commonly used numbers – 8080 or 3128. Worse, they don’t even bother to secure the ports properly.

Apart from being a lazy move, it also puts the server and its users at risk. The very least they can do is spend time securing these ports or opt for an arbitrary port number that is above 10,000. After all, all it takes to change the ports is to edit the Squid config file and replace the 3128 with, for example, 12221:

				
					http_port 12221
				
			

In case a specific IP address needs to be used, the new configuration becomes:

				
					http_port 192.0.2.1:12221
				
			

Enforced authentication

No user should be allowed to access resources on a network without being authenticated. This is especially true when that resource gives access to the World Wide Web.

All users looking to access the Squid Proxy should have the proper authorization – even when they have been authenticated to use the domain.

Enable SOCKS protocol

Squid Proxy is designed to mainly work with HTTP and FTP protocols. But, it does support other protocols including HTTPS, SSL, and TLS, to name a few.

However, Squid doesn’t support the SOCKS protocol. Although life without this protocol is possible, it would make it a bit difficult to connect to some servers that require it to ensure a secure connection. Also, adding SOCKS support makes it possible for Squid to accept SOCKS connections as well as make outgoing connections to SOCKS cache peers. It can then, also send requests easily through to SOCKS gateways or act as an HTTP SOCKS gateway itself.

Here is a video that shows how to set up a Squid Proxy and then enable SOCKS to secure it (also includes copying the config file and enabling authentication):

Limiting download sizes

A proxy server is meant to be used by many users. Anyone who wants to hog the shared resources should be deterred by enforcing download size limits.

Administrators can opt to put a blanket limit on all users. Alternatively, they can put the cap on certain file types or by limiting select users and groups as shown below.

				
					acl Group1 proxy_auth user1 user2

acl Group1 proxy_auth user3 user4


reply_body_max_size 20480 KB Group2
reply_body_max_size 10240 KB Group1
reply_body_max_size 5120 KB all
				
			

The administrators can also limit the download sizes allowed during certain times of the day – like for the duration of working hours, for example. This is shown in the following set of configuration commands.

				
					acl WorkingHours time 08:00-17:00

reply_body_max_size 10240 KB WorkingHours
				
			

Regular patching

Although a Squid Proxy does help prevent attacks, it isn’t impervious to attacks itself. One of the most common mistakes an administrator can make is to skip Patch Tuesdays.

There should be a regular patching schedule that needs to be adhered to strictly. Administrators should also take care to ensure the patching process gets done without a hitch.

Installing antivirus

Another defense strategy that needs to be adopted is the installation of anti-viruses – both on the endpoints on the network as well as the servers themselves. This includes the Squid Proxy server.

The performance of a Squid Proxy Server can be enhanced with the help of antiviruses that also perform content filtering tasks. Preventing access to off-topic websites, blocking the download of certain file types, and scanning all files that pass through the network will help keep the proxy at optimal performance levels.

To log, or not to log?

 There is one dilemma that poses a problem to many administrators: whether or not they should turn logging off to improve their proxy’s performance.

Let’s not forget that logs are the only way we can understand what is happening with a server. Logs help with tuning as well as disaster recovery. Without them, it would be an impossible task to find out why a server crashed.

With that being said, Squid Proxy does allow cache peers for a shared resource pool. Perhaps, that would be the better alternative to completely foregoing logging. Details on how to create a cache hierarchy can be found on the Squid Wiki.

Caching exceptions

Administrators can set custom refresh patterns for various areas of a website. This allows static content to remain cached for longer periods, while only dynamic content is updated more frequently.

They can plan where the contents reside to allow for more precise refresh_pattern statements. They can, for example, locate all images on a separate server or under a top-level /images path.

				
					refresh_pattern .                            15   75%   4320
refresh_pattern /blog/                        0   15%    360
refresh_pattern /blog/images/                15   75%   4320
				
			

Load balancing

Load balancing is one way of ensuring the high availability of any server. In architectures where there is a high amount of Internet usage, it makes sense to share the workload among available Squid Proxy servers with the help of peers – find the details on how to do it by going here.

Squid Proxy Best Practice Security Configuration Complete

An organization looking to optimize its bandwidth consumption should consider installing a Squid Proxy instance on its network. As we have seen, this light and powerful proxy server can be easily configured to create a sturdy barrier against abuse from within the perimeter and malicious attacks from beyond it.

For organizations looking to adopt this proxy, we only have one piece of advice: always make sure that a professional is at hand to perform the installation and configuration.

Avatar for Liku Zelleke
Liku Zelleke

Liku Zelleke is a technology blogger who has over two decades experience in the IT industry. He hasn’t looked back since the day, years ago, when he discovered he could combine that experience with his other passion: writing. Today, he writes on topics related to network configuration, optimization, and security for Cloud Infrastructure Services.

0 0 votes
Article Rating
Subscribe
Notify of
0 Comments
Inline Feedbacks
View all comments
0
Would love your thoughts, please comment.x
()
x