Useful Squid Proxy Command Reference

Recently I’ve been working with Squid as a proxying solution to protect AWS VPCs, so I wrote this short quick reference for getting started with a simple site-whitelist setup.

The instance hosting Squid can be put into a public subnet with an internet gateway, so that instances in other subnets with access to the public subnet can reference it [1] for controlled internet egress to allowed sites. This is great for AMI baking, querying external APIs (such as Amazon services that don’t have a VPC endpoint) and generally any stateful outbound access.

This is a very basic reference; Squid provides a lot of very fine-grained control that you can fall down the rabbit hole with. If you are curious, check out some of the examples from the official Squid page.

Context

  • Version: 3.5.12
  • OS: RHEL7, Debian
  • Use: Content whitelist
  • Service manager: Systemd


Useful debugging commands

# check that the Squid process is running (exit status 0 = running)
# note: "squid -k check | echo $?" would print the status of the previous command, not of squid
squid -k check; echo $?

# check the squid configuration for errors
squid -k parse

# test connectivity to the chosen site through the proxy
squidclient -h <squidendpoint> -p 3128 http://<testurl>

# get list of recent attempts to reach forbidden sites
grep -nR '/403' /var/log/squid/access.log

# get real-time list of sites forbidden by Squid
tail -f /var/log/squid/access.log | grep '/403'

# get useful information about the proxy process and tail logs
systemctl status squid

# if you change the squid config and want to run it on the existing server
systemctl reload squid

# restart the proxy
systemctl restart squid

# get the feed of Squid logs
journalctl -u squid

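The grep for '/403' above can be turned into a quick summary of which clients are hitting the whitelist. This is an added example, not code from the original post: it constructs a few lines in Squid's native access.log format (time, elapsed, client, action/status, bytes, method, URL, ident, hierarchy/peer, type) and reports denied requests per client and destination host, handling both plain URLs and CONNECT host:port targets.

```shell
#!/bin/sh
# Constructed sample of Squid's native access.log format (not real log data).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
1531234567.123      0 10.0.1.25 TCP_DENIED/403 3791 GET http://example.org/index.html - HIER_NONE/- text/html
1531234568.001     85 10.0.1.25 TCP_MISS/200 5120 GET http://repo.aws.amazon.com/pkg.rpm - HIER_DIRECT/52.1.2.3 application/octet-stream
1531234570.456      0 10.0.1.25 TCP_DENIED/403 3791 CONNECT example.org:443 - HIER_NONE/- text/html
1531234580.789      0 10.0.2.7 TCP_DENIED/403 3791 CONNECT updates.example.net:443 - HIER_NONE/- text/html
1531234590.000     12 10.0.2.7 TCP_TUNNEL/200 2210 CONNECT ec2.amazonaws.com:443 - HIER_DIRECT/54.2.3.4 -
EOF

# Summarise whitelist violations: "count client host", most frequent first.
# Field 4 is action/status (e.g. TCP_DENIED/403), field 3 the client, field 7 the URL.
denied_summary() {
    awk '
        $4 ~ /\/403$/ {
            host = $7
            sub(/^[a-z]+:\/\//, "", host)   # strip scheme from http://... URLs
            sub(/[\/?].*$/, "", host)       # strip path and query string
            sub(/:[0-9]+$/, "", host)       # strip :port from CONNECT targets
            count[$3 " " host]++
        }
        END { for (k in count) print count[k], k }
    ' "$1" | sort -k1,1nr -k2,2
}

# Number of denied requests from one client, useful for spotting an instance
# that keeps retrying a destination missing from the whitelist.
denied_count_for() {
    awk -v client="$2" '$3 == client && $4 ~ /\/403$/ { n++ } END { print n + 0 }' "$1"
}

denied_summary "$SAMPLE_LOG"
```

Point it at /var/log/squid/access.log instead of the constructed file to use it on a real proxy.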

Proxy specification example

Different applications read different capitalisations of the variable names, and some look only at the http or only at the https variant, so set all of them. 169.254.169.254 is the AWS instance metadata endpoint. If you do not exclude this address from the proxy and then reference it, you will get metadata about the proxy instance, not the current EC2 instance.

export no_proxy=169.254.169.254,127.0.0.1
export NO_PROXY=${no_proxy}
# the http:// scheme is included because some clients reject a bare host:port
export http_proxy=http://<proxyname>:3128
export https_proxy=${http_proxy}
export HTTP_PROXY=${http_proxy}
export HTTPS_PROXY=${http_proxy}


Proxy configuration example

/etc/squid/squid.conf

# A simplified quickstart Squid config
# This is what you get when you first install Squid
# Also included is the spec for an outbound traffic whitelist

# Define the local networks allowed to use this proxy. The localnet ACL is
# referenced by the http_access rules below, so it must be defined here
# (Squid refuses to start on an undefined ACL name). Adapt to your VPC CIDR(s).
acl localnet src 10.0.0.0/8	# RFC1918 possible internal network
acl localnet src 172.16.0.0/12	# RFC1918 possible internal network
acl localnet src 192.168.0.0/16	# RFC1918 possible internal network
#acl localnet src fc00::/7       # RFC 4193 local private network range
#acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

# standard allowed outbound ports
acl SSL_ports port 443
acl Safe_ports port 80		# http
acl Safe_ports port 21		# ftp
acl Safe_ports port 443		# https
acl Safe_ports port 70		# gopher
acl Safe_ports port 210		# wais
acl Safe_ports port 1025-65535	# unregistered ports
acl Safe_ports port 280		# http-mgmt
acl Safe_ports port 488		# gss-http
acl Safe_ports port 591		# filemaker
acl Safe_ports port 777		# multiling http
acl CONNECT method CONNECT

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
acl manager proto cache_object
http_access allow localhost manager
http_access deny manager

# allow outbound requests originating on the Squid host itself
http_access allow localhost

# only allow outbound from the internal network to domains listed in /etc/squid/whitelist
# (one domain per line; a leading dot also matches all subdomains)
acl egress_domains dstdomain "/etc/squid/whitelist"
http_access allow localnet egress_domains

# allow egress from the internal network to a specific IP (replace 1.2.3.4)
acl outbound_ip dst 1.2.3.4
http_access allow localnet outbound_ip

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128

# Caching patterns for squid cache objects
refresh_pattern ^ftp:		1440	20%	10080
refresh_pattern ^gopher:	1440	0%	1440
refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
refresh_pattern (Release|Packages(.gz)*)$      0       20%     2880
# example for deb packages
#refresh_pattern (\.deb|\.udeb)$   129600 100% 129600
refresh_pattern .		0	20%	4320


/etc/squid/whitelist

.aws.amazon.com
.amazonaws.com
.aws.ce.redhat.com

[1] or not in the case of a transparent NAT proxy.