Recently I have been working with Squid as a proxying solution to protect AWS VPCs, so I wrote this short quick reference to get started; it provides simple site whitelist functionality.
The instance hosting Squid can be put into a public subnet with an internet gateway, so that instances in other subnets with a route to the public subnet can reference it[^1] for controlled internet egress to allowed sites. This is great for AMI baking, querying external APIs (such as Amazon services that do not have a VPC endpoint) and generally any stateful outbound access.
This is a very basic reference; Squid provides a lot of very fine-grained control that it is easy to fall down the rabbit hole with. If you are curious, check out some of the examples from the official Squid page.
#### Context
- Version: 3.5.12
- OS: RHEL7, Debian
- Use: Content whitelist
- Service manager: Systemd
#### Useful debugging commands
```
# get the basic status of Squid (exit code 0 means the running instance answered)
squid -k check; echo $?
# check the squid configuration for errors
squid -k parse
# test connectivity to the chosen site through the proxy
# (<proxy-host> and <url> are placeholders: the Squid instance and the site to test)
squidclient -h <proxy-host> <url>
# get list of recent attempts to reach forbidden sites
grep -nR '/403' /var/log/squid/access.log
# get real-time list of sites forbidden by Squid
tail -f /var/log/squid/access.log | grep '/403'
# get useful information about the proxy process and tail logs
systemctl status squid
# if you change the squid config and want to apply it on the running server
systemctl reload squid
# restart the proxy
systemctl restart squid
# get the feed of Squid logs
journalctl -u squid
```
#### Proxy specification example
Different applications look for different capitalisations of the proxy variables and for separate http/https variants, so set all of them. `169.254.169.254` is the AWS instance metadata endpoint: if you do not exempt it from the proxy and then query this IP address, you will get metadata about the proxy instance, not about the EC2 instance making the request.
```
export no_proxy=169.254.169.254,127.0.0.1
export NO_PROXY=${no_proxy}
# <squid-host> is a placeholder for the Squid instance's address; 3128 is the port from squid.conf
export http_proxy=http://<squid-host>:3128
export HTTP_PROXY=${http_proxy}
export https_proxy=${http_proxy}
export HTTPS_PROXY=${http_proxy}
```
#### Proxy configuration example
*/etc/squid/squid.conf*
```
# A simplified quickstart Squid config
# This is what you get when you first install Squid
# Also included is the spec for an outbound traffic whitelist

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing should be allowed.
# The localnet ACL must be defined, otherwise the http_access lines below that
# reference it fail to parse; the RFC1918 ranges cover the usual VPC CIDRs.
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
#acl localnet src fc00::/7 # RFC 4193 local private network range
#acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines

# standard allowed outbound ports
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
acl manager proto cache_object
http_access allow localhost manager
http_access deny manager
# allow outbound requests that originate on the Squid host itself
http_access allow localhost
# only allow outbound from the internal network to the domains listed in /etc/squid/whitelist
acl egress_domains dstdomain "/etc/squid/whitelist"
http_access allow localnet egress_domains
# allow egress from the internal network to a specific IP (1.2.3.4 is an example value)
acl outbound_ip dst 1.2.3.4
http_access allow localnet outbound_ip
# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens on port 3128
http_port 3128

# Caching patterns for squid cache objects
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
# example line for deb packages
#refresh_pattern (\.deb|\.udeb)$ 129600 100% 129600
refresh_pattern . 0 20% 4320
```
*/etc/squid/whitelist*
```
.aws.amazon.com
.amazonaws.com
.aws.ce.redhat.com
```
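To make the evaluation order concrete, here is a small Python model of the http_access decision the config above makes (an added example, not Squid's code or the author's; it assumes the RFC1918 localnet ranges, the whitelist file contents and the 1.2.3.4 example IP from the page, and simplifies the `dst` ACL to a literal IP). It shows that a CONNECT to a whitelisted domain on any port other than 443 is refused by the port rules before the whitelist is ever consulted.

```python
import ipaddress

# ACL definitions transcribed from the squid.conf above (constructed model, not Squid code)
LOCALNET = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SAFE_PORTS = [(80, 80), (21, 21), (443, 443), (70, 70), (210, 210), (1025, 65535),
              (280, 280), (488, 488), (591, 591), (777, 777)]
SSL_PORTS = [(443, 443)]
EGRESS_DOMAINS = [".aws.amazon.com", ".amazonaws.com", ".aws.ce.redhat.com"]  # /etc/squid/whitelist
OUTBOUND_IP = "1.2.3.4"  # the page's example dst IP


def port_match(port, ranges):
    """Squid 'port' ACL: matches if the port falls in any listed value or range."""
    return any(lo <= port <= hi for lo, hi in ranges)


def dstdomain_match(host, patterns):
    """Squid 'dstdomain' ACL: a leading dot matches the domain itself and every
    subdomain; without a leading dot only an exact match counts."""
    host = host.lower().rstrip(".")
    for pat in patterns:
        if pat.startswith("."):
            if host == pat[1:] or host.endswith(pat):
                return True
        elif host == pat:
            return True
    return False


def http_access(client_ip, method, host, port):
    """Walk the http_access lines in file order; the first line whose ACLs all
    match decides, as Squid does. Returns 'allow' or 'deny'."""
    src = ipaddress.ip_address(client_ip)
    localhost = src.is_loopback
    localnet = any(src in net for net in LOCALNET)
    if not port_match(port, SAFE_PORTS):                         # http_access deny !Safe_ports
        return "deny"
    if method == "CONNECT" and not port_match(port, SSL_PORTS):  # http_access deny CONNECT !SSL_ports
        return "deny"
    # the two cachemgr lines only apply to cache_object requests and are skipped here
    if localhost:                                                # http_access allow localhost
        return "allow"
    if localnet and dstdomain_match(host, EGRESS_DOMAINS):       # http_access allow localnet egress_domains
        return "allow"
    if localnet and host == OUTBOUND_IP:                         # http_access allow localnet outbound_ip
        return "allow"                                           # (simplified: Squid's dst ACL also resolves names)
    return "deny"                                                # http_access deny all
```

Calling `http_access("10.0.1.5", "CONNECT", "sts.amazonaws.com", 8443)` returns `"deny"` even though the domain is whitelisted, which is the case to remember when an application insists on a non-standard TLS port.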
#### See Also
- Squid Caching Proxy Quick Reference
- Squid Proxy
- RHEL 7: Installing and running Squid
- RHEL 7: Configuring Squid
- How to Add DNS Filtering to Your NAT Instance with Squid
- Enforcing a Squid Access Policy for Amazon S3 and Yum

[^1]: or not, in the case of a transparent NAT proxy.