Squid
Basic Configuration
Squid is configured by editing squid.conf (e.g. /etc/squid3/squid.conf). Below is a simplified example configuration for Squid. For more detailed documentation, please refer to the Squid manual.
- Enable acl localnet.
Search for the "acl localnet" section and uncomment all "acl localnet" lines. Below is an example of how the configuration might look:
acl localnet src 10.0.0.0/8
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
- Allow localnet and localhost access by adding the following lines (under the "Recommended minimum Access Permission configuration" section):
http_port 3128
http_access allow localnet
http_access allow localhost
http_access deny all
- Enable ICAP and set the preview size to 0. (These directives are not present in the default file, so add them anywhere.)
icap_enable on
icap_send_client_ip on
icap_preview_enable on
icap_preview_size 0
icap_service_failure_limit -1
- Enable ReqMod (upload mode). These directives are not present by default either; add them anywhere.
icap_service metascan_req reqmod_precache bypass=0 icap://<MetaDefender ICAP Server>:1344/OMSScanReq-AV
adaptation_access metascan_req allow all
- Enable RespMod (download mode). Again, these are not present by default; add them anywhere.
icap_service metascan_resp respmod_precache bypass=0 icap://<MetaDefender ICAP Server>:1344/OMSScanResp-AV
adaptation_access metascan_resp allow all
Persistent connections
By default, Squid uses persistent connections to the MetaDefender ICAP Server. This behaviour can be controlled explicitly with the following directive:
icap_persistent_connections on/off
If persistent connections are enabled in Squid, the same setting should be applied on the ICAP side, or Squid might report ICAP errors. See 3. Configuring MetaDefender ICAP Server.
Restart Squid to apply the new configuration.
If you are using Squid 3.1, there is a bug in Squid that drops the connection to the ICAP server. You will notice messages in Squid's cache.log file similar to the following:
essential ICAP service is down after an options fetch failure: icap://<MetaDefender ICAP Server>:1344/OMSScanReq-AV [down,!opt]
This may cause you to get Squid error messages when trying to access websites.
To fix this, either upgrade to Squid 3.2 or higher, or add "icap_persistent_connections off" to your squid.conf file.
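As an added example (not part of this page or of OPSWAT's own tooling), the following Python script checks a squid.conf for the ICAP directives described above: the icap_* switches, one reqmod_precache and one respmod_precache service with bypass=0, a matching adaptation_access rule for each, a final "http_access deny all", and, for Squid 3.1, the "icap_persistent_connections off" workaround. The sample config and the icap.example.internal hostname are constructed for the demonstration.

```python
"""Lint a squid.conf for the MetaDefender ICAP directives described above."""

# Constructed sample config (not from the page); the respmod service is
# deliberately misconfigured with bypass=1 so the check has something to report.
SAMPLE_CONF = """\
http_port 3128
http_access allow localnet
http_access allow localhost
http_access deny all
icap_enable on
icap_send_client_ip on
icap_preview_enable on
icap_preview_size 0
icap_service_failure_limit -1
icap_service metascan_req reqmod_precache bypass=0 icap://icap.example.internal:1344/OMSScanReq-AV
adaptation_access metascan_req allow all
icap_service metascan_resp respmod_precache bypass=1 icap://icap.example.internal:1344/OMSScanResp-AV
adaptation_access metascan_resp allow all
"""


def parse_conf(text):
    """Return a list of (directive, [args]) with comments and blank lines dropped."""
    out = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # strip trailing '# ...' comments
        if line:
            parts = line.split()
            out.append((parts[0], parts[1:]))
    return out


def check_icap(text, squid_version=(3, 5)):
    """Return a list of problems; an empty list means the config matches the page."""
    conf = parse_conf(text)
    problems = []

    def has(name, *args):
        return any(n == name and a[:len(args)] == list(args) for n, a in conf)

    for name, val in [("icap_enable", "on"), ("icap_preview_enable", "on"),
                      ("icap_preview_size", "0"), ("icap_service_failure_limit", "-1")]:
        if not has(name, val):
            problems.append(f"missing '{name} {val}'")
    access = [a for n, a in conf if n == "http_access"]
    if not access or access[-1] != ["deny", "all"]:
        problems.append("last http_access rule should be 'deny all'")
    for mode in ("reqmod_precache", "respmod_precache"):
        services = [a for n, a in conf if n == "icap_service" and len(a) > 1 and a[1] == mode]
        if not services:
            problems.append(f"no icap_service with {mode}")
        for a in services:  # a = [name, mode, options..., icap-url]
            if "bypass=0" not in a[2:]:
                problems.append(f"service {a[0]} allows bypass (bypass=0 expected)")
            if not has("adaptation_access", a[0], "allow", "all"):
                problems.append(f"no 'adaptation_access {a[0]} allow all'")
    if squid_version < (3, 2) and not has("icap_persistent_connections", "off"):
        problems.append("Squid 3.1: add 'icap_persistent_connections off' (ICAP drop bug)")
    return problems
```

Running check_icap(SAMPLE_CONF) reports only the bypass=1 service; fixing it to bypass=0 yields an empty list.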
Scanning HTTPS content
This section describes how to configure Squid to scan HTTPS content, so that Squid sends HTTPS content to the MetaDefender ICAP Server for scanning.
Requirements
- Version: Tested with 3.5.19
- Squid has to be compiled with SSL support. For further information, please see: http://docs.diladele.com/
Configuration
Tell Squid to listen on the following port by modifying the line
http_port 3128
to this:
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=<SQUIDFOLDER>\etc\ssl\myc.pem
In addition, the following lines have to be inserted:
sslcrtd_program <SQUIDFOLDER>\lib\squid\ssl_crtd.exe -s <SQUIDFOLDER>\var\cache\squid_ssldb -M 4MB
ssl_bump stare all
ssl_bump bump all
Certificate
Generate a new root certificate for Squid:
openssl.exe req -new -newkey rsa:1024 -days 1000 -nodes -x509 -keyout myc.pem -out myc.pem
After generating a new certificate, the certificate storage should be reinitialized by deleting the <SQUIDFOLDER>\var\cache\squid_ssldb folder and running:
<SQUIDFOLDER>\lib\squid\ssl_crtd.exe -c -s <SQUIDFOLDER>\var\cache\squid_ssldb
The certificate has to be installed as a root certificate in the browser. Squid has to be restarted after the changes.
