Search

How to configure Squid Proxy with ICAP

Updated: Jan 3

In this article, we setup squid proxy with ICAP. We will be configuring squid to enable SSL , ICAP (echo mode) & use squid to filter requests based on file type.


Prerequisites

Download the sources and copy them to your server.

$ sudo scp /dir/to/dowloaded/source linux@remote-server:/home/

In your server, run the following commands:

$ tar xzf squid-5.2.tar.gz 
$ cd squid-5.2/

Configure Squid Proxy


Compile your squid source to enable SSL and ICAP

$ ./configure  --prefix=/usr --localstatedir=/var --libexecdir=${prefix}/lib/squid --datadir=${prefix}/share/squid --sysconfdir=/etc/squid --with-default-user=proxy --with-logdir=/var/log --with-pidfile=/var/run/squid.pid --with-default-user=proxy --with-openssl --enable-ssl-crtd --enable-icap-client --enable-ltdl-convenience
$ sudo make
$ sudo make install

Configure permissions

$ sudo chown -R proxy:proxy /usr/local/squid -R

Start squid

$ sudo /usr/local/squid/sbin/squid

Note: after every modification in squid.conf file in order to apply the changes you should reconfigure squid, you can find how to reconfigure it at the end of this article


SSL Configuration In Squid [Reference]

Create directory for SSL certificates and change permissions

$ sudo mkdir /usr/local/squid/etc/ssl_cert -p
$ sudo chown proxy:proxy /usr/local/squid/etc/ssl_cert -R
$ sudo chmod 700 /usr/local/squid/etc/ssl_cert -R

Change directory and create a self-signed SSL certificate.

$ cd /usr/local/squid/etc/ssl_cert
$ sudo openssl req -new -newkey rsa:2048 -days <certificate validity period in days> -nodes -x509 -keyout squidCA.pem -out squidCA.pem

Create a trusted certificate to be imported into a browser.

$ sudo openssl x509 -in squidCA.pem -outform DER -out squid.der

Create a folder for future certificates.

$ sudo /usr/local/squid/libexec/security_file_certgen -c -s /usr/local/squid/var/cache/squid/ssl_db -M 4MB
$ sudo chown -R proxy:proxy  /usr/local/squid/var/cache/squid

Add these lines to squid.conf file

$ sudo vi /usr/local/squid/etc/squid.conf

http_port 3128 ssl-bump cert=/usr/local/squid/etc/ssl_cert/squidCA.pem  generate-host-certificates=on dynamic_cert_mem_cache_size=8MB
sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /usr/local/squid/var/cache/squid/ssl_db -M 4MB
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
sslproxy_cert_error deny all

ICAP Configuration in Squid


Compile your ICAP source

$ sudo tar xvzf c_icap-0.5.10.tar.gz 
$ cd c_icap-0.5.10/
$ sudo make
$ sudo make install

Test your ICAP setup with ICAP Client

$ sudo /usr/local/c-icap/bin/c-icap -N -D -d 10
$ sudo /usr/local/c-icap/bin/c-icap-client

You should get:

ICAP server:localhost, ip:127.0.0.1, port:1344

OPTIONS:
	Allow 204: Yes
	Allow 206: No
	Preview: 1024
	Keep alive: Yes

ICAP HEADERS:
	ICAP/1.0 200 OK
	Methods: RESPMOD, REQMOD
	Service: C-ICAP/0.5.10 server - Echo demo service
	ISTag: "CI0001-XXXXXXXXX"
	Transfer-Preview: *
	Options-TTL: 3600
	Date: Sun, 12 Dec 2021 13:47:01 GMT
	Preview: 1024
	Allow: 204
	X-Include: X-Authenticated-User, X-Authenticated-Groups
	Encapsulated: null-body=0

Add these lines to squid.conf file

icap_enable on
adaptation_send_username on
adaptation_send_client_ip on
icap_service srv_resp respmod_precache 0 icap://127.0.0.1:1344/echo
#icap_service srv_req reqmod_precache 0 icap://localhost:1344/echo
adaptation_access srv_resp allow all
#adaptation_access srv_req allow all
icap_service_failure_limit -1
icap_preview_enable off


Filter Requests based on file type/extension

In this example, we use squid to filter upload and download to the ICAP based on whether the file type is PDF.

  • edit rule_name and content/type and add these lines to squid.conf file

  • for request mode

acl rule_name req_mime_type -i content/type
http_access allow|deny rule_name

example:

acl pdf_upload req_mime_type -i application/pdf
http_access allow pdf_upload
  • for response mode

acl rule_name rep_mime_type -i content/type
http_reply_acces allow rule_name

example:

acl pdf_download rep_mime_type -i application/pdf
http_access allow pdf_download

Content of squid.conf

acl localnet src 0.0.0.1-0.255.255.255  # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8     # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10      # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16     # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12      # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16     # RFC 1918 local private network (LAN)
acl localnet src fc00::/7           # RFC 4193 local private network range
acl localnet src fe80::/10          # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80      # http
acl Safe_ports port 21      # ftp
acl Safe_ports port 443     # https
acl Safe_ports port 70      # gopher
acl Safe_ports port 210     # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280     # http-mgmt
acl Safe_ports port 488     # gss-http
acl Safe_ports port 591     # filemaker
acl Safe_ports port 777     # multiling http
acl CONNECT method CONNECT
acl pdf_upload req_mime_type -i application/pdf
acl pdf_download rep_mime_type -i application/pdf
http_access allow pdf_upload
http_access allow pdf_download
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager

# ICAP Configuration
icap_enable on

adaptation_send_username on

adaptation_send_client_ip on

icap_service srv_resp respmod_precache 0 icap://127.0.0.1:1344/echo

icap_service srv_req reqmod_precache 0 icap://127.0.0.1:1344/echo

adaptation_access srv_resp allow pdf_download
adaptation_access srv_req allow pdf_upload
#adaptation_access srv_req allow all

icap_service_failure_limit -1

http_access allow localhost
http_access allow localnet

http_access deny all
#http_port 3128

http_port 3128 ssl-bump cert=/usr/local/squid/etc/squidCA.pem  generate-host-certificates=on dynamic_cert_mem_cache_size=8MB
sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /usr/local/squid/var/cache/squid/ssl_db -M 4MB
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
sslproxy_cert_error deny all
coredump_dir /var/spool/squid
refresh_pattern ^ftp:       1440    20% 10080
refresh_pattern ^gopher:    1440    0%  1440
refresh_pattern -i (/cgi-bin/|\?) 0 0%  0
refresh_pattern \/(Packages|Sources)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims
refresh_pattern \/Release(|\.gpg)$ 0 0% 0 refresh-ims
refresh_pattern \/InRelease$ 0 0% 0 refresh-ims
refresh_pattern \/(Translation-.*)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims
refresh_pattern .       0   20% 4320
cache_mem 512 MB

Reconfigure Squid.conf

$ sudo /usr/local/squid/sbin/squid -k reconfigure


References

0 comments