    Configure Squid (4.17) with ICAP & SSL

    June 23, 2022 by Shereen Farag

    In this article, we'll be setting up Squid Proxy [version 4.17] with ICAP. We will be configuring Squid to enable SSL, ICAP (echo mode) & use Squid to filter requests based on file type.

    This setup is running on Ubuntu Server 20.04.


    Prerequisites

    • Squid 4.17

    • c-icap 0.5.10 source


    Download the sources and copy them to your server.

    $ sudo scp /dir/to/downloaded/source linux@remote-server:/home/

    In your server, run the following commands:

    $ tar xzf squid-4.17.tar.gz 
    $ cd squid-4.17/

    Configure Squid Proxy

    • Update

    $ sudo apt-get update && sudo apt-get -y upgrade

    • Install additional header packages

    $ sudo apt-get -y install \
    libcppunit-dev \
    libsasl2-dev \
    libxml2-dev \
    libkrb5-dev \
    libdb-dev \
    libnetfilter-conntrack-dev \
    libexpat1-dev \
    libcap2-dev \
    libldap2-dev \
    libpam0g-dev \
    libgnutls28-dev \
    libssl-dev \
    libdbi-perl \
    libecap3 \
    libecap3-dev \
    libsystemd-dev

    • Compile your squid source to enable SSL and ICAP [Reference]

    $ ./configure --prefix=/usr \
    > --localstatedir=/var \
    > --libexecdir='${prefix}/lib/squid' \
    > --datadir='${prefix}/share/squid' \
    > --sysconfdir=/etc/squid \
    > --with-default-user=proxy \
    > --with-logdir=/var/log/squid \
    > --with-pidfile=/var/run/squid.pid \
    > --with-openssl \
    > --enable-ssl-crtd \
    > --enable-icap-client \
    > --enable-ltdl-convenience
    $ sudo make
    $ sudo make install

    The ${prefix} references are single-quoted so that the shell passes them through unchanged for configure to expand; left unquoted, an unset prefix variable expands to an empty string and the paths come out as /lib/squid and /share/squid.

    • Verify Squid Installation

    $ squid -v

    You should see the Squid version banner followed by the configure options, including --with-openssl, --enable-ssl-crtd and --enable-icap-client.


    • Navigate to Squid's logs & modify folder ownership

    $ cd /var/log 
    $ sudo chown -R proxy:proxy squid

    • Start squid & verify it is running on the server

    $ sudo squid
    $ sudo netstat -tulnp

    You should see squid listening on port 3128, the default http_port.

    SSL Configuration In Squid [Reference]

    • Navigate to the Squid service folder & create a self-signed SSL certificate

    $ cd /etc/squid
    $ sudo openssl req -new -newkey rsa:2048 -days <certificate validity period in days> -nodes -x509 -keyout squidCA.pem -out squidCA.pem

    Fill in the fields of the self-signed SSL certificate.

    • Export the certificate in DER form so it can be imported into client browsers as a trusted CA.

    $ sudo openssl x509 -in squidCA.pem -outform DER -out squid.der

    Import certificate file squid.der to client browsers.


    • Configure permissions to use the certificate file

    $ sudo chown proxy:proxy squidCA.pem
    $ sudo chmod 400 squidCA.pem

    • Create the certificate database that Squid uses for the host certificates it generates on the fly.

    $ sudo mkdir -p /var/lib/squid
    $ sudo /usr/lib/squid/security_file_certgen -c -s /var/lib/squid/ssl_db -M 4MB
    $ sudo chown -R proxy:proxy /var/lib/squid

    • Add these lines to squid.conf file

    $ sudo nano /etc/squid/squid.conf

    In nano, press ctrl + w, type http_port and press Enter to jump to the existing http_port line; comment it out and add the lines below:

    #http_port 3128
    http_port 3128 ssl-bump cert=/etc/squid/squidCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
    sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB
    acl step1 at_step SslBump1
    ssl_bump peek step1
    ssl_bump bump all
    sslproxy_cert_error deny all

    • Reload the configuration. Run this command every time you modify squid.conf:

    $ sudo squid -k reconfigure

    • You can verify your setup by browsing to a website from your client browser and checking, by clicking on the lock in the address bar, that the site's certificate was issued by your self-signed Squid CA.


    ICAP Configuration in Squid


    • Compile the c-icap source. In this case, only the echo service is built, which returns the content it receives unmodified.

    $ sudo tar xvzf c_icap-0.5.10.tar.gz 
    $ cd c_icap-0.5.10/
    $ ./configure --prefix=/usr/local/c-icap --without-clamav
    $ sudo make
    $ sudo make install

    • Start the c-icap server

    $ sudo /usr/local/c-icap/bin/c-icap

    • Test your ICAP setup with the ICAP client

    $ /usr/local/c-icap/bin/c-icap-client

    The echo service should answer with an ICAP/1.0 200 OK status.


    • Verify ICAP is running

    $ sudo netstat -tulnp

    You should see c-icap listening on port 1344.



    • Add these lines to squid.conf to send HTTP responses through the echo service (the commented srv_req lines do the same for requests)

    $ sudo nano /etc/squid/squid.conf
    icap_enable on
    adaptation_send_username on
    adaptation_send_client_ip on
    icap_service srv_resp respmod_precache 0 icap://127.0.0.1:1344/echo
    #icap_service srv_req reqmod_precache 0 icap://localhost:1344/echo
    adaptation_access srv_resp allow all
    #adaptation_access srv_req allow all
    icap_service_failure_limit -1
    icap_preview_enable off
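    The srv_resp service above makes Squid wrap each HTTP response in an ICAP RESPMOD request to the echo service, which hands it back unchanged. As an added example (not code from the original post), the following Python builds that RESPMOD message for a PDF download and parses the reply; the HTTP request, response and client IP are constructed sample data, and the echo reply is simulated locally rather than fetched from a running c-icap.

```python
# Added example, not from the original post: the RESPMOD exchange between
# Squid's srv_resp service and the echo service at icap://127.0.0.1:1344/echo.
# Constructed sample traffic (not captured from a real server): a PDF download.
REQ_HDR = b"GET http://example.test/report.pdf HTTP/1.1\r\nHost: example.test\r\n\r\n"
RES_HDR = (b"HTTP/1.1 200 OK\r\nContent-Type: application/pdf\r\n"
           b"Content-Length: 12\r\n\r\n")
BODY = b"%PDF-1.4 ..."   # 12 bytes, matching Content-Length

def build_respmod(req_hdr, res_hdr, body, client_ip="192.168.1.20",
                  service="icap://127.0.0.1:1344/echo"):
    """RESPMOD request as Squid sends it: X-Client-IP comes from
    adaptation_send_client_ip on; Encapsulated offsets are byte positions
    inside the section after the ICAP headers; the body is chunked (RFC 3507)."""
    chunked = b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body) if body else b"0\r\n\r\n"
    enc = "req-hdr=0, res-hdr=%d, res-body=%d" % (
        len(req_hdr), len(req_hdr) + len(res_hdr))
    head = ("RESPMOD %s ICAP/1.0\r\nHost: 127.0.0.1\r\nX-Client-IP: %s\r\n"
            "Allow: 204\r\nEncapsulated: %s\r\n\r\n" % (service, client_ip, enc))
    return head.encode() + req_hdr + res_hdr + chunked

def parse_icap_response(data):
    """Split an ICAP reply into (status code, header dict, encapsulated bytes)."""
    head, _, rest = data.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    hdrs = {}
    for line in lines[1:]:
        k, _, v = line.partition(b":")
        hdrs[k.strip().lower().decode()] = v.strip().decode()
    return int(lines[0].split(b" ")[1]), hdrs, rest

def encapsulated_body(hdrs, rest):
    """Locate the chunked body via the Encapsulated offsets and de-chunk it."""
    offsets = dict(p.strip().split("=") for p in hdrs["encapsulated"].split(","))
    key = "res-body" if "res-body" in offsets else "req-body"
    if key not in offsets:            # null-body: headers only, nothing to read
        return b""
    chunked, out = rest[int(offsets[key]):], bytearray()
    while True:
        size_line, _, chunked = chunked.partition(b"\r\n")
        size = int(size_line.split(b";")[0], 16)   # ignore chunk extensions
        if size == 0:
            return bytes(out)
        out += chunked[:size]
        chunked = chunked[size + 2:]                # skip the chunk's CRLF

def simulate_echo(request):
    """Stand-in for the echo service: 200 OK with the encapsulated data unchanged
    (the real reply has its own ICAP headers but the same Encapsulated layout)."""
    return b"ICAP/1.0 200 OK" + request[request.index(b"\r\n"):]
```

    The same Encapsulated layout is what you will see when reading the icap.pcap capture from the testing section below.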

    Filter Requests based on file type/extension


    In this example, we use Squid ACLs to select which traffic is handed to the ICAP service: uploads (requests) and downloads (responses) whose content type is PDF.

    • Replace rule_name and content/type with your own values and add these lines to squid.conf file

    • for request mode (matches the Content-Type of the client's request, i.e. an upload)

    acl rule_name req_mime_type -i content/type
    http_access allow|deny rule_name

    example:

    acl pdf_upload req_mime_type -i application/pdf
    http_access allow pdf_upload

    • for response mode (matches the Content-Type of the server's reply, i.e. a download)

    acl rule_name rep_mime_type -i content/type
    http_reply_access allow|deny rule_name

    example:

    acl pdf_download rep_mime_type -i application/pdf
    http_reply_access allow pdf_download

    The adaptation_access lines in the full configuration below reference these same ACLs to decide which requests and responses are sent to the ICAP service.

    Content of squid.conf


    Modify squid.conf as follows and reconfigure squid:

    acl localnet src 0.0.0.1-0.255.255.255  # RFC 1122 "this" network (LAN)
    acl localnet src 10.0.0.0/8     # RFC 1918 local private network (LAN)
    acl localnet src 100.64.0.0/10      # RFC 6598 shared address space (CGN)
    acl localnet src 169.254.0.0/16     # RFC 3927 link-local (directly plugged) machines
    acl localnet src 172.16.0.0/12      # RFC 1918 local private network (LAN)
    acl localnet src 192.168.0.0/16     # RFC 1918 local private network (LAN)
    acl localnet src fc00::/7           # RFC 4193 local private network range
    acl localnet src fe80::/10          # RFC 4291 link-local (directly plugged) machines
    acl SSL_ports port 443
    acl Safe_ports port 80      # http
    acl Safe_ports port 21      # ftp
    acl Safe_ports port 443     # https
    acl Safe_ports port 70      # gopher
    acl Safe_ports port 210     # wais
    acl Safe_ports port 1025-65535  # unregistered ports
    acl Safe_ports port 280     # http-mgmt
    acl Safe_ports port 488     # gss-http
    acl Safe_ports port 591     # filemaker
    acl Safe_ports port 777     # multiling http
    acl CONNECT method CONNECT
    acl pdf_upload req_mime_type -i application/pdf
    acl pdf_download rep_mime_type -i application/pdf
    # Scoped to localnet: an unconditional allow placed here, before the source
    # checks below, would admit any client that sends "Content-Type: application/pdf".
    http_access allow localnet pdf_upload
    # rep_mime_type is evaluated against the response, so it belongs in
    # http_reply_access rather than http_access.
    http_reply_access allow pdf_download
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports
    http_access allow localhost manager
    http_access deny manager
    # ICAP Configuration
    icap_enable on
    adaptation_send_username on
    adaptation_send_client_ip on
    icap_service srv_resp respmod_precache 0 icap://127.0.0.1:1344/echo
    icap_service srv_req reqmod_precache 0 icap://127.0.0.1:1344/echo
    adaptation_access srv_resp allow pdf_download
    adaptation_access srv_req allow pdf_upload
    #adaptation_access srv_req allow all
    icap_service_failure_limit -1
    http_access allow localhost
    http_access allow localnet
    http_access deny all
    #http_port 3128
    http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/squidCA.pem
    sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB
    acl step1 at_step SslBump1
    ssl_bump peek step1
    ssl_bump bump all
    sslproxy_cert_error deny all
    coredump_dir /var/spool/squid
    refresh_pattern ^ftp:       1440    20% 10080
    refresh_pattern ^gopher:    1440    0%  1440
    refresh_pattern -i (/cgi-bin/|\?) 0 0%  0
    refresh_pattern \/(Packages|Sources)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims
    refresh_pattern \/Release(|\.gpg)$ 0 0% 0 refresh-ims
    refresh_pattern \/InRelease$ 0 0% 0 refresh-ims
    refresh_pattern \/(Translation-.*)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims
    refresh_pattern .       0   20% 4320
    cache_mem 512 MB
    
    $ sudo squid -k reconfigure
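    The order of http_access lines decides what the proxy admits: Squid stops at the first line whose ACLs all match. As an added example (not the post's own code), this Python models that first-match evaluation on a constructed excerpt of the configuration, showing why an unconditional http_access allow pdf_upload placed before the source checks would admit any Internet client that sends a PDF Content-Type, and how scoping the rule to localnet closes that gap; the model covers only src, port and req_mime_type ACLs, and the client addresses are constructed samples.

```python
import ipaddress
import re

# Constructed excerpt in the page's rule order (not the full squid.conf above).
PAGE_ORDER = """
acl localnet src 192.168.0.0/16
acl Safe_ports port 80 443 1025-65535
acl pdf_upload req_mime_type -i application/pdf
http_access allow pdf_upload
http_access deny !Safe_ports
http_access allow localnet
http_access deny all
"""
FIXED_ORDER = PAGE_ORDER.replace("allow pdf_upload", "allow localnet pdf_upload")  # scoped to LAN

def parse_rules(conf):
    """Group acl lines by name and collect the http_access chain in order."""
    acls, chain = {"all": [("src", ["0.0.0.0/0"])]}, []   # Squid predefines 'all'
    for line in conf.splitlines():
        words = line.split("#")[0].split()
        if words[:1] == ["acl"]:
            acls.setdefault(words[1], []).append((words[2], words[3:]))
        elif words[:1] == ["http_access"]:
            chain.append((words[1], words[2:]))
    return acls, chain

def acl_matches(acls, name, req):
    """Lines of one ACL name are ORed; simplified model: src (CIDR), port (n or a-b), req_mime_type."""
    for kind, args in acls[name]:
        if kind == "src" and any(
                ipaddress.ip_address(req["src"]) in ipaddress.ip_network(a) for a in args):
            return True
        if kind == "port" and any(
                int(a.split("-")[0]) <= req["port"] <= int(a.split("-")[-1]) for a in args):
            return True
        if kind == "req_mime_type" and any(          # regex on the request Content-Type
                re.search(p, req.get("content_type", ""), re.I) for p in args if p != "-i"):
            return True
    return False

def http_access(conf, req):
    """First line whose ACLs all match (after '!' negation) decides; no match: opposite of last action."""
    acls, chain = parse_rules(conf)
    for action, names in chain:
        if all(acl_matches(acls, n.lstrip("!"), req) != n.startswith("!") for n in names):
            return action
    return "deny" if chain[-1][0] == "allow" else "allow"

OUTSIDER_PDF = {"src": "203.0.113.5", "port": 80, "content_type": "application/pdf"}  # Internet host
LAN_PDF = {"src": "192.168.1.20", "port": 80, "content_type": "application/pdf"}      # LAN host
```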


    Testing it all together


    • Capture packets on the server while downloading a PDF from your client browser

    $ sudo tcpdump -i lo -s 65535 -w icap.pcap port 1344

    Press ctrl + c once the download has completed.

    • Open the .pcap file in Wireshark and apply a content-type filter

    http.content_type == "application/pdf"

    You should see the ICAP exchange carrying your PDF download: Squid's RESPMOD request to the echo service and the echo service's reply.



