Routing your production servers' outbound internet access through a proxy such as Squid is a sound architectural pattern: it gives you a single egress point to control and log, and the cache cuts repeated downloads.
For tighter control, deny everything except an explicit whitelist of destination domains; every request, allowed or denied, then shows up in the proxy's access log, which makes the policy auditable.
Installation
For Ubuntu, you can pull ‘squid3’ straight out of the main repository, and then open port 3128 on the firewall. Open it only to the subnet of the servers that should use the proxy (192.168.1.0/24 below is an example), not to the world; an open proxy is exactly what the whitelist is meant to prevent.
# apt-get install squid3 -y
# ufw allow from 192.168.1.0/24 to any port 3128 proto tcp
Configuration
The configuration file for squid can be found at ‘/etc/squid3/squid.conf’. We will make several changes from the original.
First we will raise the logging level while setting things up by adding this line at the very top (the default is ALL,1; level 2 is noisy enough that you will want to drop back to 1 once the whitelist is proven):
debug_options ALL,2
Then search for the ‘http_access deny’ lines and make that section read as follows. Squid evaluates http_access lines top to bottom and the first matching line wins, so the whitelist must sit above the final ‘deny all’, and the stock ‘http_access allow localnet’ and ‘http_access allow localhost’ lines that Ubuntu ships in this section must be removed: left in place they allow any client on an RFC1918 network to reach any destination before the whitelist is ever consulted.
# recommended minimum access permissions
# Deny requests to unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
acl whitelist dstdomain .ubuntu.com wiki.squid-cache.org
http_access allow whitelist
# And finally deny all other access to this proxy
http_access deny all
The key here is the whitelist of destination domains: ‘.ubuntu.com’ (the leading dot matches ubuntu.com and every subdomain) and ‘wiki.squid-cache.org’ (no leading dot, so only that exact host). Anything not listed falls through to ‘deny all’. HTTPS is covered as well, because the CONNECT request carries the destination hostname and dstdomain matches it the same way.
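To see why rule order and the leftover stock lines matter, here is a small model of Squid's http_access evaluation (first matching line wins, every term on a line must match, ‘!’ negates a term, and the default when nothing matches is the opposite of the last line). This is an added example, not Squid's own code: it only understands the ACL types this article uses (src, port, method, dstdomain, plus the built-in all/localhost/manager), and the configuration text it evaluates is constructed to mirror the article, once with the section as written and once with Ubuntu's stock ‘allow localnet’/‘allow localhost’ lines left in.

```python
"""Model of Squid http_access evaluation for the ACL types used in the article.
Added example, not Squid's code; the conf fragments below are constructed."""
import ipaddress
from collections import namedtuple

Request = namedtuple("Request", "client method host port")

# Definitions the stock Ubuntu squid.conf already carries above the access rules.
STOCK_ACLS = """
acl localnet src 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
acl SSL_ports port 443
acl Safe_ports port 80 21 443 70 210 1025-65535 280 488 591 777
acl CONNECT method CONNECT
"""

# The access section as the article has it: whitelist, then deny all.
ARTICLE_RULES = STOCK_ACLS + """
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
acl whitelist dstdomain .ubuntu.com wiki.squid-cache.org
http_access allow whitelist
http_access deny all
"""

# Same section with the stock allow lines left in, i.e. the whitelist was appended
# instead of replacing the section.
LEFTOVER_RULES = ARTICLE_RULES.replace(
    "acl whitelist",
    "http_access allow localnet\nhttp_access allow localhost\nacl whitelist")


def parse_conf(text):
    """Return ({acl_name: [(type, [values])]}, [(action, [(negated, acl_name)])])."""
    acls, rules = {}, []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        if parts[0] == "acl":
            acls.setdefault(parts[1], []).append((parts[2], parts[3:]))
        elif parts[0] == "http_access":
            terms = [(t.startswith("!"), t.lstrip("!")) for t in parts[2:]]
            rules.append((parts[1], terms))
    return acls, rules


def port_in(port, spec):
    """Match a single port or a 'lo-hi' range as used by the Safe_ports acl."""
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def acl_matches(name, acls, req):
    if name == "all":
        return True
    if name == "localhost":
        return ipaddress.ip_address(req.client).is_loopback
    if name == "manager":
        return False  # cache-manager URLs only; the ordinary requests modelled here never match
    if name not in acls:
        raise ValueError("undefined acl: " + name)
    for acl_type, values in acls[name]:  # several acl lines with one name are OR-ed
        if acl_type == "src":
            client = ipaddress.ip_address(req.client)
            if any(client in ipaddress.ip_network(v, strict=False) for v in values):
                return True
        elif acl_type == "port":
            if any(port_in(req.port, v) for v in values):
                return True
        elif acl_type == "method":
            if req.method.upper() in (v.upper() for v in values):
                return True
        elif acl_type == "dstdomain":
            host = req.host.lower().rstrip(".")
            for v in (v.lower() for v in values):
                # leading dot: the domain itself and every subdomain; no dot: exact host only
                if (v.startswith(".") and (host == v[1:] or host.endswith(v))) or host == v:
                    return True
        else:
            raise ValueError("acl type not modelled: " + acl_type)
    return False


def decide(conf_text, req):
    """Walk http_access lines top to bottom; the first line whose terms all match decides."""
    acls, rules = parse_conf(conf_text)
    for action, terms in rules:
        if all(acl_matches(name, acls, req) != negated for negated, name in terms):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"  # Squid's default: opposite of last line


if __name__ == "__main__":
    lan = "192.168.1.50"  # constructed client address on the proxy's LAN
    for label, conf in (("article", ARTICLE_RULES), ("leftover allow localnet", LEFTOVER_RULES)):
        for req in (Request(lan, "CONNECT", "www.yahoo.com", 443),
                    Request(lan, "CONNECT", "wiki.squid-cache.org", 443),
                    Request(lan, "GET", "archive.ubuntu.com", 80)):
            print(label, req.method, req.host, "->", decide(conf, req))
```

With the article's section, www.yahoo.com is denied and the two whitelisted hosts are allowed; with the stock ‘allow localnet’ line left in, the same LAN client reaches www.yahoo.com because that line matches before the whitelist and ‘deny all’ are reached.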
Now check that the configuration file parses cleanly and then start the service (after later edits to a running proxy, ‘sudo squid3 -k reconfigure’ reloads the rules without a restart):
> sudo squid3 -k parse
> sudo service squid3 start
By default the logs go to /var/log/squid3/{cache.log,access.log}
Validation
You can test these settings by going into your Firefox/Chrome browser, setting the manual proxy to the <IP>:3128 address of your squid cache and trying to visit https://www.yahoo.com (should be denied) and https://wiki.squid-cache.org (should be successful).
You can also validate from the console of an Ubuntu host using wget; substitute the IP address of your own squid server below. The ‘--no-check-certificate’ flag is not needed here and should be left off: the proxy only tunnels the CONNECT request, so the TLS session is still end to end and wget can verify the server certificate as usual.
> export squid=192.168.1.110:3128
> wget -e use_proxy=yes -e http_proxy=$squid -e https_proxy=$squid https://www.yahoo.com
> wget -e use_proxy=yes -e http_proxy=$squid -e https_proxy=$squid https://wiki.squid-cache.org
The first call to https://www.yahoo.com should be refused by the proxy with a 403 Forbidden (wget reports it as a failed proxy tunnel), while the call to https://wiki.squid-cache.org should succeed, as expected from the definition of our whitelist. Both attempts appear in /var/log/squid3/access.log, the denied one as TCP_DENIED/403.
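Since the value of a strict whitelist is that every attempt is logged, it is worth having a small audit over access.log: which clients tried to reach hosts outside the list, and, more importantly, whether any request to a non-whitelisted host was allowed through, which would mean the rules have drifted (for example the stock ‘allow localnet’ line is back). The script below is an added example and not part of the article; the log lines are constructed in Squid's native access.log format, not captured, and the whitelist is the one from the configuration above.

```python
"""Audit Squid native access.log entries against the dstdomain whitelist.
Added example, not part of the article; SAMPLE_LOG is constructed, not captured."""
import sys
from collections import Counter
from urllib.parse import urlsplit

WHITELIST = [".ubuntu.com", "wiki.squid-cache.org"]

# Constructed sample in Squid's native format:
# time elapsed client action/status bytes method url ident hierarchy/peer type
SAMPLE_LOG = """\
1472301801.412      0 192.168.1.50 TCP_DENIED/403 3820 CONNECT www.yahoo.com:443 - HIER_NONE/- text/html
1472301803.007    215 192.168.1.50 TCP_TUNNEL/200 25104 CONNECT wiki.squid-cache.org:443 - HIER_DIRECT/203.0.113.7 -
1472301810.118     42 192.168.1.51 TCP_MISS/200 18732 GET http://archive.ubuntu.com/ubuntu/dists/trusty/Release - HIER_DIRECT/203.0.113.9 text/plain
1472301812.900      0 192.168.1.51 TCP_DENIED/403 3811 GET http://www.example.com/ - HIER_NONE/- text/html
1472301815.333      0 192.168.1.50 TCP_DENIED/403 3825 CONNECT api.example.net:443 - HIER_NONE/- text/html
1472301820.510     88 192.168.1.52 TCP_MISS/200 5120 GET http://www.example.org/index.html - HIER_DIRECT/203.0.113.11 text/html
"""


def parse_line(line):
    """Return the fields we audit on, or None for lines that are not access records."""
    f = line.split()
    if len(f) < 7:
        return None
    action, _, status = f[3].partition("/")
    method, url = f[5], f[6]
    # CONNECT targets are logged as host:port; everything else is a full URL
    host = url.rsplit(":", 1)[0] if method == "CONNECT" else (urlsplit(url).hostname or "")
    return {"ts": float(f[0]), "client": f[2], "action": action,
            "status": int(status), "method": method, "host": host.lower()}


def in_whitelist(host, patterns):
    """Same matching as Squid dstdomain: leading dot covers subdomains, otherwise exact host."""
    for p in (p.lower() for p in patterns):
        if p.startswith("."):
            if host == p[1:] or host.endswith(p):
                return True
        elif host == p:
            return True
    return False


def audit(log_text, whitelist=WHITELIST):
    """Count denied and allowed (client, host) pairs and flag allowed requests outside the list."""
    denied, allowed, leaks = Counter(), Counter(), []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["client"], rec["host"])
        if rec["action"] == "TCP_DENIED":
            denied[key] += 1
        else:
            allowed[key] += 1
            if not in_whitelist(rec["host"], whitelist):
                leaks.append(rec)  # got through without being whitelisted: rules have drifted
    return {"denied": denied, "allowed": allowed, "leaks": leaks}


if __name__ == "__main__":
    # usage: python audit.py /var/log/squid3/access.log   (falls back to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    result = audit(text)
    print("denied attempts by (client, host):")
    for (client, host), n in result["denied"].most_common():
        print(f"  {client:15} {host:30} {n}")
    for rec in result["leaks"]:
        print(f"LEAK: {rec['client']} reached non-whitelisted {rec['host']} "
              f"({rec['method']} {rec['status']}) at {rec['ts']:.0f}")
```

Run it against the real log once the proxy has been in use for a while; a non-empty LEAK list is the condition to alert on, since with the rules above nothing outside the whitelist should ever be allowed.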
If you need an Ubuntu server to use the squid proxy by default for apt and interactive consoles, see my article here.
REFERENCES
http://wiki.squid-cache.org/FrontPage
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Bypass
http://wiki.squid-cache.org/SquidFaq/SquidAcl
http://www.webdnstools.com/articles/squid-proxy-whitelist
https://steelmon.wordpress.com/2009/11/22/setting-up-a-strict-whitelist-proxy-server-using-squid/
http://etutorials.org/Server+Administration/Squid.+The+definitive+guide/Chapter+16.+Debugging+and+Troubleshooting/16.2+Debugging+via+cache.log/ (debug_option categories)