Squid: Controlling network access using Squid and whitelisted domains

Having your production servers go through a proxy like Squid for internet access can be an architectural best practice that provides network security as well as caching efficiencies.

For further security, denying access to all requests but an explicit whitelist of domains provides auditable control.

Installation

For Ubuntu, you can install the ‘squid3’ package straight from the main repository, and then ensure port 3128 is open on the firewall.

# apt-get install squid3 -y
# ufw allow 3128/tcp

Configuration

The configuration file for squid can be found at ‘/etc/squid3/squid.conf’. We will make several changes to the original.

First we will enable debugging by adding this line at the very top:

debug_options ALL,2

Then search for the ‘http_access deny’ line and use the following values in that section.

# recommended minimum access permissions

# Deny requests to unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# a leading dot matches the domain and all of its subdomains;
# no leading dot matches only that exact host
acl whitelist dstdomain .ubuntu.com wiki.squid-cache.org
http_access allow whitelist

# And finally deny all other access to this proxy
http_access deny all

The key here is our whitelisting of certain domains, namely: ubuntu.com (all subdomains, because of the leading dot) and wiki.squid-cache.org (limited to that particular host).

Now check the validity of the conf file and then start the service.

> squid3 -k parse
> sudo service squid3 start

By default the logs go to /var/log/squid3/{cache.log,access.log}.

Validation

You can test these settings by going into your Firefox/Chrome browser, setting the manual proxy to the <IP>:3128 address of your squid cache and trying to visit https://www.yahoo.com (should be denied) and https://wiki.squid-cache.org (should be successful).

You can also validate from the console of an Ubuntu host using wget; just substitute the IP address of your specific squid server below:

> export squid=192.168.1.110:3128

> wget -e use_proxy=yes -e http_proxy=$squid -e https_proxy=$squid https://www.yahoo.com --no-check-certificate

> wget -e use_proxy=yes -e http_proxy=$squid -e https_proxy=$squid https://wiki.squid-cache.org --no-check-certificate

The first call to https://www.yahoo.com should be denied with a 403 error, while the call to https://wiki.squid-cache.org should be successful (as expected by the definition of our whitelist).
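As an added example that is not part of the original post, the Python below audits Squid's native access.log against the same whitelist: it applies dstdomain matching (a leading dot covers the domain and all its subdomains, otherwise only the exact host) to each request's destination, counts denials per host, and flags entries where Squid's recorded decision disagrees with the ACL. The log lines are constructed; the field layout and the TCP_DENIED/TCP_MISS/TCP_TUNNEL codes are Squid's own.

```python
from collections import Counter
from urllib.parse import urlsplit

# Same ACL as the article: a leading dot means the domain plus all subdomains,
# no leading dot means that exact host only (Squid dstdomain semantics).
WHITELIST = [".ubuntu.com", "wiki.squid-cache.org"]

# Constructed sample lines in Squid's native access.log format:
# time elapsed client code/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1452000000.123    250 192.168.1.50 TCP_DENIED/403 3875 CONNECT www.yahoo.com:443 - HIER_NONE/- text/html
1452000001.456    120 192.168.1.50 TCP_MISS/200 9120 GET http://wiki.squid-cache.org/FrontPage - HIER_DIRECT/203.0.113.10 text/html
1452000002.789    300 192.168.1.51 TCP_TUNNEL/200 4210 CONNECT security.ubuntu.com:443 - HIER_DIRECT/203.0.113.11 -
1452000003.012     80 192.168.1.51 TCP_DENIED/403 3875 GET http://evil-ubuntu.com/update - HIER_NONE/- text/html
"""

def dst_host(method, url):
    """Destination host of one entry; CONNECT lines carry host:port, not a URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()

def whitelisted(host, acl=WHITELIST):
    """Apply Squid dstdomain matching to a host name."""
    for entry in acl:
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False

def audit(log_text):
    """Count denials per destination host and flag entries where Squid's
    decision disagrees with the whitelist (the running config may differ)."""
    denied, mismatches = Counter(), []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue
        code, method, url = fields[3], fields[5], fields[6]
        host = dst_host(method, url)
        was_denied = code.startswith("TCP_DENIED")
        if was_denied:
            denied[host] += 1
        if was_denied == whitelisted(host):
            mismatches.append(line)
    return denied, mismatches
```

Point audit() at the contents of /var/log/squid3/access.log to run it against a real proxy; note that evil-ubuntu.com is correctly outside the whitelist because the leading dot requires a real subdomain boundary.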

If you need an Ubuntu server to use the squid proxy by default for apt and interactive consoles, see my article here.
