{"id":18952840,"url":"https://github.com/password123456/setup-squid-proxy-with-security-best-practice","last_synced_at":"2026-02-01T03:02:39.449Z","repository":{"id":205375368,"uuid":"714064878","full_name":"password123456/setup-squid-proxy-with-security-best-practice","owner":"password123456","description":"squid proxy security best practice","archived":false,"fork":false,"pushed_at":"2025-05-10T13:39:16.000Z","size":142,"stargazers_count":68,"open_issues_count":0,"forks_count":11,"subscribers_count":4,"default_branch":"main","last_synced_at":"2025-06-15T14:35:26.760Z","etag":null,"topics":["forward-proxy","proxy-security","proxy-server","proxy-service","proxy-settings","squid","squid-proxy","squid-proxy-security","squid-proxy-server","squid-security"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/password123456.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2023-11-03T20:53:25.000Z","updated_at":"2025-05-13T08:23:41.000Z","dependencies_parsed_at":null,"dependency_job_id":"fb08c93e-3685-4cbd-8f11-93e9c896f6bc","html_url":"https://github.com/password123456/setup-squid-proxy-with-security-best-practice","commit_stats":null,"previous_names":["password123456/setup-squid-proxy-with-security-best-practice"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/password123456/setup-squid-proxy-with-security-best-practice","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/password123456%2Fsetup-squid-proxy-with-sec
urity-best-practice","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/password123456%2Fsetup-squid-proxy-with-security-best-practice/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/password123456%2Fsetup-squid-proxy-with-security-best-practice/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/password123456%2Fsetup-squid-proxy-with-security-best-practice/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/password123456","download_url":"https://codeload.github.com/password123456/setup-squid-proxy-with-security-best-practice/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/password123456%2Fsetup-squid-proxy-with-security-best-practice/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28965436,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-01T02:14:24.993Z","status":"ssl_error","status_checked_at":"2026-02-01T02:13:55.706Z","response_time":56,"last_error":"SSL_read: unexpected eof while 
reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["forward-proxy","proxy-security","proxy-server","proxy-service","proxy-settings","squid","squid-proxy","squid-proxy-security","squid-proxy-server","squid-security"],"created_at":"2024-11-08T13:34:46.038Z","updated_at":"2026-02-01T03:02:39.432Z","avatar_url":"https://github.com/password123456.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# Setup Squid Proxy With Security Best Practice\n[![Hits](https://hits.sh/github.com/password123456/setup-squid-proxy-with-security-best-practice.svg?view=today-total)](https://hits.sh/github.com/password123456/setup-squid-proxy-with-security-best-practice/)\n\n- Security best practices when a squid proxy is being used as a \"forward proxy\"\n- If you are configuring as a reverse proxy, some topics in this guide may not be applicable. We recommend cross-referencing other security guides for appropriate security hardening criteria when using Reverse Proxy.\n- Last Modified: May 31, 2024\n```\n# cat /etc/redhat-release\nRocky Linux release 8.8 (Green Obsidian)\n\n# rpm -qa | grep squid\nsquid-4.15-6.module+el8.8.0+1273+55f5b063.x86_64\n```\n***\n## Table of Contents\n* [1. Ensure that SQUID is run using a non-privileged, dedicated service account - groups](#1-ensure-that-squid-is-run-using-a-non-privileged-dedicated-service-account---groups)\n* [2. Ensure access to SQUID directories and files is restricted](#2-ensure-access-to-squid-directories-and-files-is-restricted)\n* [3. 
Ensure httpd_suppress_version_string directive is set to \"on\"](#3-ensure-httpd_suppress_version_string-directive-is-set-to-on)\n* [4. Ensure \"Via\" Header is removed](#4-ensure-via-header-is-removed)\n* [5. Ensure \"X-Cache, X-Cache-Lookup\" Headers are removed](#5-ensure-x-cache-x-cache-lookup-headers-are-removed)\n* [6. Ensure Inbound X-Forwarded-For Header is restricted](#6-ensure-inbound-x-forwarded-for-header-is-restricted)\n* [7. Ensure Outbound X-Forwarded-For Header is restricted](#7-ensure-outbound-x-forwarded-for-header-is-restricted)\n* [8. Ensure HTTP Method is restricted](#8-ensure-http-method-is-restricted)\n* [9. Ensure Access Control Policy (ACL) is correct](#9-ensure-access-control-policy-acl-is-correct)\n  + [9.1. Allow all external access for specific (source) hosts/ranges (Any destination)](#91-allow-all-external-access-for-specific-source-hostsranges-any-destination)\n  + [9.2. Allow specific (source) hosts/ranges to access specified (destination) URLs (Scenario 1)](#92-allow-specific-source-hostsranges-to-access-specified-destination-urls-scenario-1)\n  + [9.3. Allow specific (source) hosts/ranges to access specified (destination) URLs (Scenario 2)](#93-allow-specific-source-hostsranges-to-access-specified-destination-urls-scenario-2)\n  + [9.4. Configure policies with specified operating hours](#94-configure-policies-with-specified-operating-hours)\n* [10. Ensure detailed logging is enabled](#10-ensure-detailed-logging-is-enabled)\n* [11. Ensure log files are rotated](#11-ensure-log-files-are-rotated)\n* [12. Tips](#12-tips)\n  + [12.1. Completed Squid configuration](#121-completed-squid-configuration)\n  + [12.2. Proxying for Linux yum package updates](#122-proxying-for-linux-yum-package-updates)\n  + [12.3. Proxying for Windows updates service](#123-proxying-for-windows-updates-service)\n\n***\n## 1. 
Ensure that SQUID is run using a non-privileged, dedicated service account - groups\nThe Squid proxy runs using the default account, which is usually named 'squid'. If the Squid proxy is not running under the 'squid' account or is being executed with root privileges, you should change it.\n\n**Audit:**\n- Check the Squid process account.\n```bash\n[root@localhost ~]# ps -ef | grep squid\nroot        5346       1  0 Nov03 ?        00:00:00 /usr/sbin/squid --foreground -f /etc/squid/squid.conf\nsquid       5349    5346  0 Nov03 ?        00:00:04 (squid-1) --kid squid-1 --foreground -f /etc/squid/squid.conf\n```\n\n**Remediation:** \n- If the process account is not 'squid,' change it to 'squid' and restart the service.\n```bash\n[root@localhost ~]# vim /usr/lib/systemd/system/squid.service\n\n[Unit]\nDescription=Squid caching proxy\nDocumentation=man:squid(8)\nAfter=network.target network-online.target nss-lookup.target\n\n[Service]\nType=notify\nLimitNOFILE=16384\nPIDFile=/run/squid.pid\n...\nKillMode=mixed\nNotifyAccess=all\n\nUser=squid   # \u003c== Change to 'squid'\nGroup=squid  # \u003c== Change to 'squid'\n```\n- Ensure that the 'squid' account does not have shell login permissions for regular users.\n```bash\n[root@localhost ~]# cat /etc/passwd | grep -i squid\nsquid:x:23:23::/var/spool/squid:/sbin/nologin\n```\n\n\n## 2. Ensure access to SQUID directories and files is restricted\nDirectories and configuration files related to Squid should only be accessible by the 'squid' or 'root' user. Verify and adjust permissions if other users have access to these directories and files.\n\n**Audit:**\n- Check the permissions for directories and files related to the Squid proxy.\n```bash\n[root@localhost ~]# ls -al /etc/squid/\ntotal 72\ndrwxr-xr-x.  3 root root   4096 Oct 26 07:57 .\ndrwxr-xr-x. 87 root root   8192 Oct 20 14:06 ..\n-rw-r--r--.  1 root squid   692 May 10  2021 cachemgr.conf\n-rw-r--r--.  1 root root    692 May 10  2021 cachemgr.conf.default\ndrwxrwxr-x.  
2 root root    102 Oct 26 07:56 conf.d\n-rw-r--r--.  1 root root   1800 May 10  2021 errorpage.css\n-rw-r--r--.  1 root root   1800 May 10  2021 errorpage.css.default\n-rw-r--r--.  1 root root  12077 May 10  2021 mime.conf\n-rw-r--r--.  1 root root  12077 May 10  2021 mime.conf.default\n-rw-r-----.  1 root squid  1859 Oct 17 17:08 squid.conf\n```\n\n**Remediation:** \n- Ensure that directories and files are owned by the 'root' user and that other users do not have access.\n```bash\n[root@localhost ~]# chown root:root -R /etc/squid\n[root@localhost ~]# chmod o-rwx -R /etc/squid\n```\n\n\n## 3. Ensure httpd_suppress_version_string directive is set to \"on\"\nBy default, the Squid proxy displays the installed proxy version information in the Server header and on error pages. To prevent the version information from being displayed, follow these steps.\n\n**Audit:**\n- Check if the proxy version information is exposed in the Server header.\n```bash\n[root@localhost ~]# curl -i -k 127.0.0.1:3128\nHTTP/1.1 400 Bad Request\nServer: squid/4.15\n...\n```\n- Also, confirm whether the proxy version information is exposed on error pages.\n```bash\n[root@localhost ~]# curl -i -k 127.0.0.1:3128\nHTTP/1.1 400 Bad Request\n...\n\n\u003chr\u003e\n\u003cdiv id=\"footer\"\u003e\n\u003cp\u003eGenerated Mon, 18 Sep 2023 05:50:08 GMT by blah-proxy01 (squid/4.15)\u003c/p\u003e\n\u003c!-- ERR_INVALID_URL --\u003e\n\u003c/div\u003e\n\u003c/body\u003e\u003c/html\u003e\n...\n```\n\n**Remediation:** \n- Prevent the version information from being displayed by setting \"httpd_suppress_version_string\" to \"on\" in the Squid configuration file. This will hide the version information in the Server header and on error pages.\n```bash\n[root@localhost ~]# vim /etc/squid/squid.conf\n...\n\nhttpd_suppress_version_string on  # \u003c== Add \n```\n\n\n## 4. 
Ensure \"Via\" Header is removed\nThe \"Via\" header reveals information about the server that received the proxy request from the client, including the hostname and proxy version information. To remove the \"Via\" header, follow these steps.\n\n**Audit:**\n- Check if the \"Via\" header is present in the proxy response.\n```bash\n[root@localhost ~]# curl -i -k 127.0.0.1:3128\nHTTP/1.1 400 Bad Request\n...\nVia: 1.1 blah-proxy01 (squid/4.15)\nConnection: close\n```\n\n**Remediation:** \n- To prevent the \"Via\" header from being displayed, set the via configuration to \"off\" in the Squid configuration file.\n```bash\n[root@localhost ~]# vim /etc/squid/squid.conf\n...\n\nvia off    # \u003c== Add\n```\n\n\n## 5. Ensure \"X-Cache, X-Cache-Lookup\" Headers are removed\nThe \"X-Cache\" and \"X-Cache-Lookup\" headers provide information about the proxy's caching behavior. The \"X-Cache\" header can reveal the hostname of the proxy server and the installed proxy version, so it's a good practice to remove it.\n\n**Audit:**\n- Check if the \"X-Cache\" header is present in the proxy response.\n```bash\n[root@localhost ~]# curl -i -k 127.0.0.1:3128\nHTTP/1.1 400 Bad Request\n...\n\nX-Cache: MISS from blah-proxy01\nX-Cache-Lookup: NONE from blah-proxy01:3128\nVia: 1.1 blah-proxy01 (squid/4.15)\nConnection: close\n```\n\n**Remediation:** \n- To prevent the \"X-Cache\" and \"X-Cache-Lookup\" headers from being displayed, use the reply_header_access setting to deny access to these headers.\n```bash\n[root@localhost ~]# vim /etc/squid/squid.conf\n...\n\nreply_header_access X-Cache deny all          # \u003c== Add\nreply_header_access X-Cache-Lookup deny all   # \u003c== Add\n```\n\n( Notes )\n- Example of X-Cache Responses\n\nID | Value  | Description\n----- | ----- | ----- \n1 | X-Cache: MISS from blah-proxy01 | Indicates that the requested resource could not be found in Squid's cache via the blah-proxy01 server, so it needs to be retrieved from the remote server for the 
client.\n2 | X-Cache-Lookup: NONE from blah-proxy01:3128 | Represents the cache lookup result for the requested resource by Squid proxy. \"NONE\" indicates that Squid did not perform a cache lookup for this resource at blah-proxy01:3128. Since there is no cache lookup, it implies that the resource needs to be fetched from the remote server.\n\n\n## 6. Ensure Inbound X-Forwarded-For Header is restricted\nThe \"follow_x_forwarded_for\" feature allows you to identify the client's actual IP address through the X-Forwarded-For header. \u003cbr\u003e\n\nIt is equivalent to configuring the X-Forwarded-For header for client IP identification in web servers like Apache or Nginx. \u003cbr\u003e\nIn a Forward Proxy, you have the ability to modify the X-Forwarded-For header to include arbitrary changes before forwarding it. \u003cbr\u003e\nSince the proxy connection request IP may differ from the actual client IP, it's recommended not to use this feature.\u003cbr\u003e\n\n**Audit:**\n- Check if the \"follow_x_forwarded_for\" feature is restricted. If it's not explicitly specified in the configuration, it is in its default state (not restricted).\n```bash\n[root@localhost ~]# vim /etc/squid/squid.conf\n...\n\nfollow_x_forwarded_for ...\nfollow_x_forwarded_for ...\n```\n\n**Remediation:**\n- To restrict the \"follow_x_forwarded_for\" setting, limit it to the local host.\n```bash\n[root@localhost ~]# vim /etc/squid/squid.conf\n...\n\nfollow_x_forwarded_for allow localhost   # \u003c== Add\nfollow_x_forwarded_for deny all          # \u003c== Add\nrequest_header_access X-Forwarded-For deny all # \u003c=== Add\n```\n- This configuration ensures that the \"follow_x_forwarded_for\" setting only allows the localhost to modify the X-Forwarded-For header and denies all other clients from modifying it.\n  \n\n## 7. 
Ensure Outbound X-Forwarded-For Header is restricted\nThe \"forwarded_for\" feature allows you to add the client's actual IP address to the HTTP request header for transmission.\u003cbr\u003e\n\nIf the forwarded_for feature is enabled, the proxy server adds the client's IP address to the X-Forwarded-For header when making requests to external URLs.\u003cbr\u003e\nFor example, when system A connects to www.google.com through a proxy, the proxy server sends the web page request to www.google.com with system A's IP address set in the X-Forwarded-For header. \u003cbr\u003e\n\nSince the internal system's IP is being sent to external hosts and can be identified, it's recommended not to use this feature.\n\n**Audit:**\n- Check if the forwarded_for feature is disabled. If it's not explicitly specified in the configuration, it is in its default state (enabled).\n```bash\n[root@localhost ~]# vim /etc/squid/squid.conf\n...\n\nforwarded_for delete  # \u003c== It should be set to 'delete' or 'off'\n```\n\n**Remediation:**\n- Set the \"forwarded_for\" to \"delete\" to disable the feature.\n- To prevent clients from inserting IP addresses into the X-Forwarded-For header, block it using request_header_access.\n```bash\n[root@localhost ~]# vim /etc/squid/squid.conf\n...\n\nforwarded_for delete  # \u003c== Add\nrequest_header_access X-Forwarded-For deny all # \u003c=== Add\n```\n\n\n## 8. Ensure HTTP Method is restricted\nConfiguring HTTP methods in Squid is the process of setting the allowed HTTP methods for URLs accessed through the proxy. \u003cbr\u003e\nTypically, only GET, POST, OPTIONS, and CONNECT should be allowed. \u003cbr\u003e\n\nThe CONNECT method is used to establish a tunnel through the proxy and is commonly used for HTTPS connections.\n\n**Remediation:**\n- Set the allowed HTTP methods for proxy access. 
If not explicitly specified, all HTTP methods are allowed.\n- For a \"Forward Proxy\", restrict the allowed methods to GET, POST, OPTIONS, and CONNECT.\n```bash\n[root@localhost ~]# vim /etc/squid/squid.conf\n\nacl Safe_ports port 80              # http\nacl Safe_ports port 443             # https\n...\n\nacl Safe_methods method GET POST OPTIONS CONNECT  # \u003c== Define allowed methods\n```\n- This configuration restricts proxy access to the specified HTTP methods (GET, POST, OPTIONS, and CONNECT). Note that an acl line only defines the list; it takes effect only where Safe_methods is referenced in an http_access rule, as in the scenarios in section 9.\n\n  \n## 9. Ensure Access Control Policy (ACL) is correct\nAccess control policies can vary depending on the implementation approach. \u003cbr\u003e\n\nIf there are trusted internal hosts, domains, or IP ranges, you can configure the proxy to allow access to all external URLs. \u003cbr\u003e\n\nAlternatively, you can restrict access to specific external URLs only for trusted internal hosts, domains, or IP ranges. \u003cbr\u003e\n\nEach policy can also be controlled by setting a time limit for operation.\n\n**Remediation:**\n- Package updates, library downloads, and other trusted targets (URLs) can be allowed for common usage.\n- For other cases, configure access control policies by specifying trusted (source) hosts, domains, or IP ranges and specifying the necessary (destination) external URLs to restrict access.\n- If proxy usage is required for a specific time period, set the operational hours using the time directive.\n\nHere are some example scenarios of access control policies:\n\n### 9.1. 
Allow all external access for specific (source) hosts/ranges (Any destination)\n\u003c squid.conf \u003e\n```bash\n...\n\nacl Safe_ports port 80              # http\nacl Safe_ports port 443             # https\n...\n\nacl Safe_methods method GET POST OPTIONS CONNECT\n...\n\nacl service-src src \"/etc/squid/acl/infra-src.acl\"\nacl service-dst dst all\n...\n\nhttp_access deny !Safe_ports\n...\n\nhttp_access allow Safe_methods service-src service-dst\nhttp_access deny service-src\n\n# And finally deny all other access to this proxy\nhttp_access deny all\n \n \n# Squid normally listens to port 3128\nhttp_port 3128\n```\n\u003c infra-src.acl \u003e\n```bash\n192.168.100.22\nlive-oauth-app1\nlive-oauth-app2\nwww.mydomain.net    #Domain\n.google.com         #Depth Domain\n```\n\n### 9.2. Allow specific (source) hosts/ranges to access specified (destination) URLs (Scenario 1)\n\u003c squid.conf \u003e\n```bash\n...\n\nacl Safe_ports port 80              # http\nacl Safe_ports port 443             # https\n...\n\nacl Safe_methods method GET POST OPTIONS CONNECT\n...\n\nacl service-src src \"/etc/squid/acl/infra-src.acl\"\nacl service-dst dstdomain \"/etc/squid/acl/infra-dst.acl\"\n...\n\nhttp_access deny !Safe_ports\n\n...\nhttp_access allow Safe_methods service-src service-dst\nhttp_access allow localhost\nhttp_access deny service-src\n\n# And finally deny all other access to this proxy\nhttp_access deny all\n \n# Squid normally listens to port 3128\nhttp_port 3128\n```\n\u003c infra-src.acl \u003e\n```bash\n10.10.1000/24      # public zone\n192.168.100.0/24   # dev zone\n192.168.101.0/24   # public rc\n...\n```\n\u003c infra-dst.acl \u003e\n```bash\n.okta.com\nrpm.releases.hashicorp.com\ndownload.docker.com\n.github.com\nfiles.pythonhosted.org\napi.slack.com\n```\n\n### 9.3. 
Allow specific (source) hosts/ranges to access specified (destination) URLs (Scenario 2)\n\u003c squid.conf \u003e\n```bash\n...\n\nacl Safe_ports port 80              # http\nacl Safe_ports port 443             # https\n...\n\nacl Safe_methods method GET POST OPTIONS CONNECT\n...\n\ninclude /etc/squid/conf.d/object_src.conf\ninclude /etc/squid/conf.d/object_dst.conf\ninclude /etc/squid/conf.d/access_policy.conf\n...\n\nhttp_access deny Safe_methods !Safe_ports\n\n...\n\n# And finally deny all other access to this proxy\nhttp_access allow localhost\nhttp_access deny all\n \n \n# Squid normally listens to port 3128\nhttp_port 3128\n```\n\u003c object_src.conf \u003e\n```bash\nacl ip_all src 10.0.0.0/24          # office \nacl ip_all src 192.168.0.0/24       # office \nacl sandbox-webapp01 src 192.168.100.20\n```\n\u003c object_dst.conf \u003e\n```bash\n# dom_linux_mirror\nacl dom_linux_mirror dstdomain mirrors.fedoraproject.org        # EPEL\nacl dom_linux_mirror dstdomain vault.centos.org                 # CentOS 6\nacl dom_linux_mirror dstdomain mirrors.rockylinux.org           # Rocky 8~9\nacl dom_linux_mirror dstdomain mirror.anigil.com                # CentOS 6~7, Rocky 8~9, Ubuntu\nacl dom_linux_mirror dstdomain dl.rockylinux.org                # Rocky Mirror\n\nacl dom_python dstdomain pypi.python.org\nacl dom_python dstdomain pypi.org\nacl dom_python dstdomain files.pythonhosted.org\n\nacl dom_slack dstdomain slack.com\nacl dom_slack dstdomain api.slack.com\nacl dom_slack dstdomain hooks.slack.com\n\n```\n\u003c access_policy.conf \u003e \n```bash\nhttp_access allow Safe_methods ip_all dom_linux_mirror\nhttp_access allow Safe_methods sandbox-webapp01 dom_slack\nhttp_access allow Safe_methods sandbox-webapp01 dom_python\n```\n\n### 9.4. 
Configure policies with specified operating hours\n- Policy set to work only from 00:00-19:00 every day\n  \n```bash\nacl all_weekdays time 00:00-19:00\n...\n\nhttp_access allow Safe_methods all_weekdays service-src service-dst\nhttp_access allow localhost\nhttp_access deny service-src\n```\n\n- Policy set to work on Saturday and Sunday only\n  \n```bash\nacl weekend time A S 00:00-23:59   # Squid day codes: A = Saturday, S = Sunday\n...\n\nhttp_access allow Safe_methods weekend service-src service-dst\nhttp_access allow localhost\nhttp_access deny service-src\n```\n \n\n## 10. Ensure detailed logging is enabled\nIn the Squid proxy access logs, the timestamp is recorded in Unix timestamp format, which is not human-readable.\u003cbr\u003e\nTo improve log readability, you should convert the timestamp into a human-readable format, and the log's timezone should be set to the local system timezone. \u003cbr\u003e\n\nAdditionally, access logs should include essential information for access log analysis, such as remote IP, requested URL, User-Agent, response status, data transfer size (bytes sent and received), and more.\n\n**Audit:**\n- Check if the proxy logs are currently stored in the default format.\n```bash\n[root@localhost ~]# tail -f /var/log/squid/access.log\n1694992833.804     17 192.168.130.229 TCP_MISS/200 4814 GET http://mirror.anigil.com/rocky/8/BaseOS/x86_64/os/repodata/repomd.xml - HIER_DIRECT/123.215.145.59 text/xml\n1694992833.907     87 192.168.130.229 TCP_REFRESH_UNMODIFIED/200 299272 GET http://mirror.anigil.com/rocky/8/BaseOS/x86_64/os/repodata/dae7e104812099a2f632ea4c5ef2769aca18ca1205abdd2c3ba6d171e319df3d-comps-BaseOS.x86_64.xml - HIER_DIRECT/123.215.145.59 text/xml\n1694992833.979     68 192.168.130.229 TCP_REFRESH_UNMODIFIED/200 180225 GET http://mirror.anigil.com/rocky/8/BaseOS/x86_64/os/repodata/6e06094b5adbf763f3fb52604759f8ebcdc553db9dc920c9b30b61a65754dca7-updateinfo.xml.gz - HIER_DIRECT/123.215.145.59 application/octet-stream\n1694992834.185    370 192.168.130.229 
TCP_REFRESH_UNMODIFIED/200 2669167 GET http://mirror.anigil.com/rocky/8/BaseOS/x86_64/os/repodata/56d8b0ff58f5b55a73b424d817141f9f3e010b5554988993ba82a7143b0282b8-filelists.xml.gz - HIER_DIRECT/123.215.145.59 application/octet-stream\n1694992834.191    380 192.168.130.229 TCP_REFRESH_UNMODIFIED/200 3141032 GET http://mirror.anigil.com/rocky/8/BaseOS/x86_64/os/repodata/f39a0bb438dd2cec4fecba48a4947d9bb0c2726a5ab4c5525e5d41817c7c436e-primary.xml.gz - HIER_DIRECT/123.215.145.59 application/octet-stream\n1694992840.818     45 192.168.130.229 TCP_MISS/200 3538 GET http://mirror.anigil.com/rocky/8/extras/x86_64/os/repodata/repomd.xml - HIER_DIRECT/123.215.145.59 text/xml\n1694992846.285      3 192.168.130.229 TCP_DENIED/403 3951 CONNECT rpm.dl.getenvoy.io:443 - HIER_NONE/- text/html\n1694992846.296      3 192.168.130.229 TCP_DENIED/403 3951 CONNECT rpm.dl.getenvoy.io:443 - HIER_NONE/- text/html\n1694992846.309      4 192.168.130.229 TCP_DENIED/403 3951 CONNECT rpm.dl.getenvoy.io:443 - HIER_NONE/- text/html\n```\n\n**Remediation:**\n- change the timestamps to human-readable format\n- set the timezone to the local system timezone\n- Set the remote IP, requested URL, User-Agent, transfer result, and sent/received data size in the log format\n```bash\n[root@localhost ~]# vim /etc/squid/squid.conf\n...\n\nlogformat custom_log %{%Y-%m-%d %H:%M:%S}tl %\u003ea:%\u003ep %Ss/%03\u003eHs:%Sh \"%rm %ru HTTP/%rv\" %mt %\u003eHs %\u003cst %tr \"%{User-Agent}\u003eh\" \"%{Referer}\u003eh\"\naccess_log /var/log/squid/access.log custom_log\n```\n- This configuration changes the log format to a human-readable format and includes the desired information. 
For example:\n```bash\n[root@localhost ~]# cat /var/log/squid/access.log\n...\n\n2023-10-31 08:44:22 192.168.0.182:48834 NONE/000:HIER_NONE \"NONE error:transaction-end-before-headers HTTP/0.0\" - 0 0 0 \"-\" \"-\"\n2023-10-31 08:45:22 192.168.0.182:45606 NONE/000:HIER_NONE \"NONE error:transaction-end-before-headers HTTP/0.0\" - 0 0 0 \"-\" \"-\"\n2023-10-31 08:46:22 192.168.0.182:55104 NONE/000:HIER_NONE \"NONE error:transaction-end-before-headers HTTP/0.0\" - 0 0 0 \"-\" \"-\"\n2023-10-31 08:46:32 192.168.0.149:53972 TCP_MISS/200:HIER_DIRECT \"GET http://dl.rockylinux.org/pub/rocky/8/AppStream/x86_64/os/repodata/repomd.xml HTTP/1.1\" text/xml 200 5265 6665 \"libdnf (Rocky Linux 8.8; generic; Linux.x86_64)\" \"-\"\n2023-10-31 08:46:37 192.168.0.149:49404 TCP_MISS/200:HIER_DIRECT \"GET http://dl.rockylinux.org/pub/rocky/8/BaseOS/x86_64/os/repodata/repomd.xml HTTP/1.1\" text/xml 200 4793 234 \"libdnf (Rocky Linux 8.8; generic; Linux.x86_64)\" \"-\"\n2023-10-31 08:46:42 192.168.0.149:49420 TCP_MISS/200:HIER_DIRECT \"GET http://dl.rockylinux.org/pub/rocky/8/extras/x86_64/os/repodata/repomd.xml HTTP/1.1\" text/xml 200 3517 233 \"libdnf (Rocky Linux 8.8; generic; Linux.x86_64)\" \"-\"\n2023-10-31 08:46:42 192.168.130.225:40470 TCP_TUNNEL/200:HIER_DIRECT \"CONNECT plugins.nessus.org:443 HTTP/1.1\" - 200 5710 5674 \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36\" \"-\"\n2023-10-31 08:46:52 192.168.0.149:49432 TCP_TUNNEL/200:HIER_DIRECT \"CONNECT mirror.kakao.com:443 HTTP/1.1\" - 200 9445 10393 \"libdnf (Rocky Linux 8.8; generic; Linux.x86_64)\" \"-\"\n2023-10-31 08:47:22 192.168.0.182:54734 NONE/000:HIER_NONE \"NONE error:transaction-end-before-headers HTTP/0.0\" - 0 0 0 \"-\" \"-\"\n2023-10-31 08:48:22 192.168.0.182:40026 NONE/000:HIER_NONE \"NONE error:transaction-end-before-headers HTTP/0.0\" - 0 0 0 \"-\" \"-\"\n2023-10-31 08:48:58 192.168.2.109:39028 TCP_MISS/200:HIER_DIRECT \"GET 
http://dl.rockylinux.org/pub/rocky/8/AppStream/x86_64/os/repodata/repomd.xml HTTP/1.1\" text/xml 200 5264 5428 \"libdnf (Rocky Linux 8.8; generic; Linux.x86_64)\" \"-\"\n2023-10-31 08:48:58 192.168.2.109:39038 TCP_MISS/200:HIER_DIRECT \"GET http://dl.rockylinux.org/pub/rocky/8/BaseOS/x86_64/os/repodata/repomd.xml HTTP/1.1\" text/xml 200 4791 236 \"libdnf (Rocky Linux 8.8; generic; Linux.x86_64)\" \"-\"\n2023-10-31 08:48:58 192.168.2.109:39044 TCP_MISS/200:HIER_DIRECT \"GET http://dl.rockylinux.org/pub/rocky/8/extras/x86_64/os/repodata/repomd.xml HTTP/1.1\" text/xml 200 3515 232 \"libdnf (Rocky Linux 8.8; generic; Linux.x86_64)\" \"-\"\n2023-10-31 08:49:04 192.168.2.109:55508 TCP_TUNNEL/200:HIER_DIRECT \"CONNECT mirror.kakao.com:443 HTTP/1.1\" - 200 9442 63 \"libdnf (Rocky Linux 8.8; generic; Linux.x86_64)\" \"-\"\n```\n- The timestamp is now in the format \"YYYY-MM-DD HH:MM:SS,\" which is much more readable.\n\n## 11. Ensure log files are rotated\nLogs should be managed on a daily basis and stored for more than 30 days. For cache logs, you can set the retention period as needed.\n\n[ Logs to be retained ]\n\nID | Value  | File | Description\n----- | ----- | ----- | -----\n1 | Access Logs | /var/log/squid/access.log | Records information about HTTP requests and responses processed by the proxy.\n2 | Cache Logs | /var/log/squid/cache.log | Contains information about the operation of the proxy server. It is used for Squid debugging, performance monitoring, and troubleshooting.\n\n**Remediation:**\n- use logrotate to automatically manage and retain logs as specified. Below is an example logrotate configuration for Squid logs:\n```bash\n[root@localhost ~]# vim /etc/logrotate.d/squid\n...\n\n/var/log/squid/*.log {\n    daily\n    rotate 30\n    compress\n    notifempty\n    missingok\n    nocreate\n    dateext\n    sharedscripts\n    postrotate\n      # Ask Squid to reopen its logs. 
(logfile_rotate 0 is set in squid.conf)\n      # Errors are redirected to make it silent if Squid is not running\n      /usr/sbin/squid -k rotate 2\u003e/dev/null\n      # Wait a little to allow Squid to catch up before the logs are compressed\n      sleep 1\n    endscript\n}\n```\n- Log files after logrotate\n```bash\n[root@localhost ~]# ls -al /var/log/squid\ntotal 342364\ndrwxrwx---.  2 squid root      4096 Oct 31 03:08 .\ndrwxr-xr-x. 13 root  root      4096 Oct 29 03:21 ..\n-rw-r-----.  1 squid squid    94241 Oct 31 10:22 access.log\n-rw-r-----.  1 squid squid      153 Oct 23 13:48 access.log-20231023.gz\n-rw-r-----.  1 squid squid    17695 Oct 24 03:37 access.log-20231024.gz\n-rw-r-----.  1 squid squid    28262 Oct 25 03:05 access.log-20231025.gz\n-rw-r-----.  1 squid squid    24459 Oct 26 03:45 access.log-20231026.gz\n-rw-r-----.  1 squid squid    23465 Oct 27 03:47 access.log-20231027.gz\n-rw-r-----.  1 squid squid    24322 Oct 28 03:37 access.log-20231028.gz\n-rw-r-----.  1 squid squid    22576 Oct 29 03:20 access.log-20231029.gz\n-rw-r-----.  1 squid squid    22012 Oct 30 03:18 access.log-20231030.gz\n-rw-r-----.  1 squid squid    29883 Oct 31 03:07 access.log-20231031.gz\n...\n```\n\n***\n  \n## 12. Tips\n### 12.1. 
Completed Squid configuration\n\u003c squid.conf \u003e\n```bash\nacl Safe_ports port 80              # http\nacl Safe_ports port 443             # https\n\n# Method Setting\nacl Safe_methods method GET POST OPTIONS CONNECT # HTTP request method [fast]\n\n#\n# ACL For Server\n#\n# ec2 server source addresses\nacl ec2-server-src src \"/etc/squid/acl/ec2-servers-src.acl\"\n# ec2 server outbound URL\nacl ec2-server-dst dstdomain \"/etc/squid/acl/ec2-servers-dst-commons.acl\"\n# Linux dnf/yum pkg update manager, matched on the User-Agent header (see 12.2)\nacl pkg-update-user-agent browser -i libdnf yum\n\n\n# Deny requests to certain unsafe ports\nhttp_access deny !Safe_ports\n\n# Allow all requests from the proxy host itself (this also covers cachemgr access)\nhttp_access allow localhost\n\n\n#\n# HTTP Access Policy\n#\n\n# ACL outbound Server Common URLs\nhttp_access allow Safe_methods ec2-server-src ec2-server-dst\n# ACL outbound Server Linux pkg-Updates. No destination ACL here: a request with\n# a matching User-Agent may reach any host on a Safe_ports port\nhttp_access allow Safe_methods ec2-server-src pkg-update-user-agent\n\n\n# And finally deny all other access to this proxy\nhttp_access deny all\n\n# Squid normally listens to port 3128\nhttp_port 3128\n\n#\n# Disk cache directory: 50000 MB, 16 first-level and 256 second-level directories\n#\ncache_dir ufs /var/spool/squid 50000 16 256\n\n# Leave coredumps in the first cache dir\ncoredump_dir /var/spool/squid\n\n#\n# Add any of your own refresh_pattern entries above these.\n#\nrefresh_pattern ^ftp:           1440    20%     10080\nrefresh_pattern ^gopher:        1440    0%      1440\nrefresh_pattern -i (/cgi-bin/|\\?) 0     0%      0\nrefresh_pattern .               0       20%     4320\n\n#\n# Log Format\n#\nlogformat custom_log %{%Y-%m-%d %H:%M:%S}tl %\u003ea:%\u003ep %Ss/%03\u003eHs:%Sh \"%rm %ru HTTP/%rv\" %mt %\u003eHs %\u003cst %tr \"%{User-Agent}\u003eh\" \"%{Referer}\u003eh\"\naccess_log /var/log/squid/access.log custom_log\n\n#\n# Security Configuration\n#\n\n# Do not reveal the Squid version in error pages and headers\nhttpd_suppress_version_string on\n# Do not add a Via header that names this proxy\nvia off\n# Strip X-Forwarded-For instead of appending the client address to it\nforwarded_for delete\n# Never trust a client-supplied X-Forwarded-For for ACLs or logging\nfollow_x_forwarded_for deny all\nrequest_header_access X-Forwarded-For deny all\n# Hide cache and origin-server details from clients\nreply_header_access X-Cache deny all\nreply_header_access X-Cache-Lookup deny all\nreply_header_access Server deny all\n```\n\n## 12.2. Proxying for Linux yum package updates\nWhen yum or dnf updates packages through a Squid proxy, the usual approach is to list every mirror and repository URL the package manager may reach, which is cumbersome and error-prone because mirror lists change and differ by region.\u003cbr\u003e\u003cbr\u003e\nAlternatively, you can match on the User-Agent header these package managers send and use that to grant access, which simplifies the Squid ACL configuration. 
\u003cbr\u003e\n\nHere's how you can do it:\n\n**Remediation:**\n- In your squid.conf configuration file, define an access control list (ACL) for the dnf/yum package managers based on their User-Agent and allow it for your server source ACL (the source ACL named in the rule, avd-server-src here or ec2-server-src in the completed configuration in 12.1, must be defined earlier in squid.conf):\n  \n\u003c squid.conf \u003e\n```bash\n\n# ACL for dnf/yum linux pkg update manager (case-insensitive regex on User-Agent)\nacl pkg-update-user-agent browser -i libdnf yum\n\n# ACL outbound Server Linux pkg-Updates\nhttp_access allow Safe_methods avd-server-src pkg-update-user-agent\n```\n\nWith this rule Squid allows requests from the package managers based on their User-Agent, so you no longer have to maintain an explicit list of repository URLs for them; the requests are still restricted by Safe_ports and Safe_methods and to the hosts in the source ACL.\n\n**Caveat:** the User-Agent header is chosen by the client. Any process on a host in the source ACL can send `User-Agent: libdnf` and, because this rule has no destination ACL, reach any host on a Safe_ports port through the proxy. Keep the source ACL limited to the hosts that actually run package updates, and review the access log for package-manager User-Agents reaching hosts that are not repository mirrors.\n\nHere's an example of the Squid access log with this configuration in place (the custom_log format from 12.1):\n```\n# cat /var/log/squid/access.log\n...\n\n2023-11-03 14:57:04 10.10.120.10:54326 NONE/503:HIER_NONE \"CONNECT mirrors.rockylinux.org:443 HTTP/1.1\" - 503 0 0 \"libdnf (Rocky Linux 8.8; generic; Linux.x86_64)\" \"-\"\n2023-11-03 14:57:04 10.10.120.10:54334 NONE/503:HIER_NONE \"CONNECT mirrors.rockylinux.org:443 HTTP/1.1\" - 503 0 0 \"libdnf (Rocky Linux 8.8; generic; Linux.x86_64)\" \"-\"\n2023-11-03 14:57:04 10.10.120.10:54346 NONE/503:HIER_NONE \"CONNECT mirrors.rockylinux.org:443 HTTP/1.1\" - 503 0 0 \"libdnf (Rocky Linux 8.8; generic; Linux.x86_64)\" \"-\"\n...\n2023-11-03 16:02:03 10.100.120.11:43496 TCP_MISS/200:HIER_DIRECT \"GET http://nginx.org/packages/centos/7/x86_64/repodata/4395bce9c52aa8a4cc475e180bcce2399c8a4d720b16ce726d6fded994a7f89b-primary.sqlite.bz2 HTTP/1.1\" application/octet-stream 200 88823 709 \"urlgrabber/3.10 yum/3.4.3\" \"-\"\n2023-11-03 16:02:09 10.100.120.11:43508 TCP_HIT/200:HIER_NONE \"GET http://nginx.org/packages/centos/7/x86_64/RPMS/nginx-1.24.0-1.el7.ngx.x86_64.rpm HTTP/1.1\" application/x-redhat-package-manager 200 823278 2 \"urlgrabber/3.10 yum/3.4.3\" \"-\"\n\n```\n\nRead the codes in these lines carefully. The three CONNECT lines (three attempts in the same second, each on a new source port) were logged as NONE/503 with HIER_NONE: the request passed http_access (a request blocked by http_access is logged as TCP_DENIED/403) but Squid could not complete the upstream connection to mirrors.rockylinux.org:443, for example because of a DNS or TCP connect failure. The two yum lines show a TCP_MISS/200 fetched directly from nginx.org and a TCP_HIT/200 served from the cache.\n\n## 12.3. Proxying for the Windows Update service\n\nSquid can also proxy Windows Update traffic, for example a WSUS server synchronising with Microsoft, but it needs extra configuration when SSL Bump is in use. Several Windows Update components pin the server certificate, so a connection that Squid decrypts and re-signs with its own CA is rejected by the client. Those destinations therefore have to be excluded from decryption: the ssl_bump rules below splice them (Squid forwards the TCP stream as a tunnel without decrypting it) and bump everything else.\n\nBelow is an example configuration used for WSUS server synchronisation with Windows Update, which was working as of April 2024.\n\nNote that some of the domains in the configuration may vary depending on the location/region where the proxy is deployed.\n\nHere's the configuration:\n\n\u003c squid.conf \u003e\n```bash\n..\n....\n\n# define wsus objects\nacl wsus-src src \"/etc/squid/acl/wsus-src.acl\"\nacl wsus-dst dstdomain \"/etc/squid/acl/wsus-dst.acl\"\n\n\n# define windows update agents\n# A browser ACL takes whitespace-separated regexes, so a multi-word agent name\n# must not contain a space: \"Microsoft BITS\" would become the two patterns\n# \"Microsoft\" (matching every Microsoft User-Agent) and \"BITS\". A '.' stands\n# in for the space below.\nacl windows-pkg-agent browser -i Microsoft-CryptoAPI Microsoft-Delivery-Optimization Microsoft.BITS Windows-Update-Agent Microsoft.WSUS.Server\n\n# Allow outbound for wsus-server\nhttp_access allow Safe_methods wsus-src wsus-dst\nhttp_access allow Safe_methods wsus-src windows-pkg-agent\n\n# Configuration for wsus to windows_update\n# These ssl_bump rules only take effect on an http_port declared with the\n# ssl-bump option and a signing CA certificate (plus sslcrtd_program); that\n# part of squid.conf is elided above. Clients of bumped connections must\n# trust that CA.\nacl DiscoverSNIHost at_step SslBump1\nacl NoSSLIntercept_windows_updates ssl::server_name_regex -i \"/etc/squid/acl/sslpin_windowsupdates.nobump\"\n# Step 1 (CONNECT host known): splice pinned destinations, otherwise peek at\n# the ClientHello. Step 2 (SNI known): splice if it matches the no-bump list,\n# else bump.\nssl_bump splice NoSSLIntercept_windows_updates\nssl_bump peek DiscoverSNIHost\nssl_bump bump all\n```\n\u003c wsus-dst.acl \u003e\n```bash\n.windowsupdate.com\n# au.download.windowsupdate.com\n# ctldl.windowsupdate.com\n# download.windowsupdate.com\n\nwustat.windows.com\n.windowsupdate.microsoft.com\n\n.edge.microsoft.com\n.cloudapp.azure.com\n.akamaiedge.net\n\n.akamaized.net\n# 
img-prod-cms-rt-microsoft-com.akamaized.net\n\n.microsoft.net\n# cxcs.microsoft.net\n\n.digicert.com\n# ocsp.digicert.com\n\n.azureedge.net\n# edgeassetservice.azureedge.net\n# fp-as-nocache.azureedge.net\n\n.msedge.net\n# fp.msedge.net\n# a-ring.msedge.net\n\ndownload.microsoft.com\nntservicepack.microsoft.com\nsupport.microsoft.com\nemdl.ws.microsoft.com\n\n.api.cdp.microsoft.com\n# msedge.api.cdp.microsoft.com\n\nsettings-win.data.microsoft.com\n.events.data.microsoft.com\n# v10.events.data.microsoft.com\n\n.update.microsoft.com\n# fe2cr.update.microsoft.com\n# slscr.update.microsoft.com\n\n.delivery.mp.microsoft.com\n# msedge.b.tlu.dl.delivery.mp.microsoft.com\n# fe3.delivery.mp.microsoft.com\n# tlu.dl.delivery.mp.microsoft.com\n\n.prod.do.dsp.mp.microsoft.com\n.trafficshaping.dsp.mp.microsoft.com\n# fe3.delivery.mp.microsoft.com\n# geover.prod.do.dsp.mp.microsoft.com\n# cp501.prod.do.dsp.mp.microsoft.com\n# geo.prod.do.dsp.mp.microsoft.com\n# kv501.prod.do.dsp.mp.microsoft.com\n# tsfe.trafficshaping.dsp.mp.microsoft.com\n\n.prod.cms.rt.microsoft.com\n# query.prod.cms.rt.microsoft.com\n\nwww.bing.com\nieonlinews.microsoft.com\narc.msn.com\ng.live.com\n.weather.microsoft.com\nconfig.edge.skype.com\n\n.msftconnecttest.com\n# ipv6.msftconnecttest.com\n# www.msftconnecttest.com\n\noneclient.sfx.ms\nnav-edge.smartscreen.microsoft.com\ncheckappexec.microsoft.com\napi.msn.com\n.azr.footprintdns.com\ngo.microsoft.com\n```\n\n\u003c sslpin_windowsupdates.nobump 
\u003e\n```bash\n# One case-insensitive regex per line, searched anywhere in the TLS server name.\n# Every dot is escaped and each pattern is anchored with $ so that it cannot\n# match a look-alike name such as download.windowsupdate.com.example.net\n\\.windowsupdate\\.com$\nupdate\\.microsoft\\.com$\nupdate\\.microsoft\\.com\\.akadns\\.net$\n\\.windows\\.com$\n\\.edge\\.microsoft\\.com$\n\\.data\\.microsoft\\.com$\n\\.mp\\.microsoft\\.com$\n\\.rt\\.microsoft\\.com$\n\\.cdp\\.microsoft\\.com$\n\\.cloudapp\\.azure\\.com$\n\\.akamaiedge\\.net$\n\\.microsoft\\.net$\n\\.digicert\\.com$\n\\.azureedge\\.net$\n\\.akamaized\\.net$\nsettings-win\\.data\\.microsoft\\.com$\n\\.events\\.data\\.microsoft\\.com$\n\\.msedge\\.net$\ncheckappexec\\.microsoft\\.com$\n```\n( Notes )\n- The domain list above is not a hardened, minimal set of the Windows Update domains WSUS needs. It roughly covers what Windows Update requires plus a few domains that general Windows use on the WSUS server touches; treat it as a starting point and prune it against your own access log.\n- ssl::server_name_regex is an unanchored search (and case-insensitive because of -i), so a pattern without a trailing `$` such as `\\.windows\\.com` also matches `x.windows.com.example.net`, and an unescaped dot matches any character. Keep every dot escaped and every pattern anchored, as in the file above.\n- Like the dnf/yum rule in 12.2, the windows-pkg-agent rule matches on the client-supplied User-Agent and has no destination ACL, so keep wsus-src limited to the WSUS server itself.\n\n# And...\n- If you find this helpful, please give it a **\"star\"**:star2: to support further improvements.\n\n---\n### Read Next\n- [Setup WordPress With Security Best Practice](https://github.com/password123456/setup-wordpress-with-security-best-practice)\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpassword123456%2Fsetup-squid-proxy-with-security-best-practice","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpassword123456%2Fsetup-squid-proxy-with-security-best-practice","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpassword123456%2Fsetup-squid-proxy-with-security-best-practice/lists"}
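The User-Agent rule in 12.2 can be audited from the access log. The following Python script is an added example, not code from the README or from the Squid project: it parses lines in the custom_log format defined in 12.1, classifies each request from Squid's own status codes (TCP_DENIED/403 for an http_access rejection, NONE/503 with HIER_NONE for a request that passed http_access but reached no server), and flags requests whose User-Agent claims dnf or yum but whose destination is outside a list of known repository hosts, the blind spot of a rule that has no destination ACL. The sample log is constructed (three lines adapted from the page's excerpt plus two made-up lines); the REPO_HOSTS set, the host names ending in example.net and the function names are assumptions.

```python
"""Audit Squid access-log lines in the README's custom_log format (added example)."""
import re
import shlex
from dataclasses import dataclass
from urllib.parse import urlsplit

# Same regex as `acl pkg-update-user-agent browser -i libdnf yum` in squid.conf.
PKG_AGENT_RE = re.compile(r"libdnf|yum", re.IGNORECASE)

# Hosts a package manager is expected to reach (assumed; derive it from the
# repo/mirrorlist files on your own hosts).
REPO_HOSTS = {"mirrors.rockylinux.org", "dl.rockylinux.org", "nginx.org"}

# Constructed sample: the first three lines are adapted from the page's excerpt,
# the last two are made up to show a spoofed User-Agent and an http_access denial.
SAMPLE_LOG = """\
2023-11-03 14:57:04 10.10.120.10:54326 NONE/503:HIER_NONE "CONNECT mirrors.rockylinux.org:443 HTTP/1.1" - 503 0 0 "libdnf (Rocky Linux 8.8; generic; Linux.x86_64)" "-"
2023-11-03 16:02:03 10.100.120.11:43496 TCP_MISS/200:HIER_DIRECT "GET http://nginx.org/packages/centos/7/x86_64/repodata/primary.sqlite.bz2 HTTP/1.1" application/octet-stream 200 88823 709 "urlgrabber/3.10 yum/3.4.3" "-"
2023-11-03 16:02:09 10.100.120.11:43508 TCP_HIT/200:HIER_NONE "GET http://nginx.org/packages/centos/7/x86_64/RPMS/nginx-1.24.0-1.el7.ngx.x86_64.rpm HTTP/1.1" application/x-redhat-package-manager 200 823278 2 "urlgrabber/3.10 yum/3.4.3" "-"
2023-11-03 16:10:41 10.100.120.11:43600 TCP_TUNNEL/200:HIER_DIRECT "CONNECT files.example.net:443 HTTP/1.1" - 200 4120 380 "libdnf (Rocky Linux 8.8; generic; Linux.x86_64)" "-"
2023-11-03 16:11:02 10.100.120.12:51022 TCP_DENIED/403:HIER_NONE "GET http://files.example.net/tool.sh HTTP/1.1" text/html 403 3851 0 "curl/7.76.1" "-"
"""


@dataclass
class Entry:
    timestamp: str
    client: str
    status: str       # %Ss/%>Hs, e.g. TCP_MISS/200
    hier: str         # %Sh, e.g. HIER_DIRECT
    method: str
    url: str
    http_status: int
    user_agent: str

    @property
    def host(self) -> str:
        """CONNECT requests carry host:port; other methods carry a full URL."""
        if self.method == "CONNECT":
            return self.url.rsplit(":", 1)[0]
        return urlsplit(self.url).hostname or ""


def parse_line(line: str) -> Entry:
    """Split one line of:
    %{%Y-%m-%d %H:%M:%S}tl %>a:%>p %Ss/%03>Hs:%Sh "%rm %ru HTTP/%rv" %mt %>Hs %<st %tr "%{User-Agent}>h" "%{Referer}>h"
    shlex keeps the quoted request line, User-Agent and Referer as single fields."""
    f = shlex.split(line)
    status, hier = f[3].split(":", 1)
    method, url, _version = f[4].split(" ", 2)
    return Entry(timestamp=f"{f[0]} {f[1]}", client=f[2], status=status, hier=hier,
                 method=method, url=url, http_status=int(f[6]), user_agent=f[9])


def classify(e: Entry) -> str:
    """Outcome from Squid's own codes: http_access rejections are logged as
    TCP_DENIED/403; a 5xx with HIER_NONE passed http_access but reached no server."""
    if e.status.startswith("TCP_DENIED"):
        return "denied"
    if e.http_status >= 500 and e.hier == "HIER_NONE":
        return "upstream-failed"
    return "served"


def audit(lines) -> list:
    """One finding per log line; 'suspicious' marks a package-manager User-Agent
    that was let through to a host outside REPO_HOSTS (a new mirror to add, or a
    process abusing the User-Agent rule, which has no destination ACL)."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        e = parse_line(line)
        pkg_agent = bool(PKG_AGENT_RE.search(e.user_agent))
        outcome = classify(e)
        findings.append({
            "client": e.client, "method": e.method, "host": e.host,
            "outcome": outcome, "pkg_agent": pkg_agent,
            "suspicious": pkg_agent and outcome != "denied" and e.host not in REPO_HOSTS,
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG.splitlines()):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{f['client']:<22} {f['method']:<7} {f['host']:<25} {f['outcome']:<15} {flag}")
```

Run it against a real file with `audit(open("/var/log/squid/access.log"))`; the fourth constructed line, a libdnf User-Agent tunnelling to a host that is not a repository mirror, is the case the caveat in 12.2 warns about and is the one reported as suspicious.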
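The ssl::server_name_regex list in 12.3 is worth checking before it goes live, because Squid searches each pattern anywhere in the server name. This Python script is an added example (not the README's own code, and not part of Squid): it applies a no-bump pattern list to candidate TLS server names the way Squid does (case-insensitive search, blank and `#` lines ignored), compares an unanchored list with the same list anchored with `$`, and reports duplicate, unescaped or unanchored patterns. Python's re module stands in for Squid's regex engine, an assumption that holds for the `\.` and `$` constructs used here; the pattern lists and host names (the look-alikes end in .test) are constructed.

```python
"""Lint and test an ssl::server_name_regex no-bump list (added example)."""
import re

# Constructed lists in the style of sslpin_windowsupdates.nobump: the same four
# patterns without and with a trailing $ anchor.
UNANCHORED = [r"\.windowsupdate\.com", r"update\.microsoft\.com",
              r"\.windows\.com", r"\.delivery\.mp\.microsoft\.com"]
ANCHORED = [p + "$" for p in UNANCHORED]

# Constructed server names: two legitimate Windows Update hosts and two look-alikes
# that an attacker could put in a CONNECT request or a ClientHello SNI.
SNI_NAMES = ["au.download.windowsupdate.com", "fe2cr.update.microsoft.com",
             "download.windowsupdate.com.evil.test", "x.windows.com.attacker.test"]

# A constructed list with the defects the linter reports: a duplicate line and a
# bare '.' before "com".
FLAWED = [r"\.edge\.microsoft\.com", r"\.edge\.microsoft\.com", r"\.cloudapp\.azure.com"]


def load_patterns(lines):
    """Compile the file's lines as Squid does with -i: one case-insensitive regex
    per line, blank lines and '#' comments ignored."""
    return [re.compile(s.strip(), re.IGNORECASE)
            for s in lines if s.strip() and not s.strip().startswith("#")]


def would_splice(server_name, patterns):
    """True if any pattern matches anywhere in the name (a search, not an anchored match)."""
    return any(p.search(server_name) for p in patterns)


def splice_table(pattern_lines, names):
    """Map each server name to whether the list would splice (not decrypt) it."""
    pats = load_patterns(pattern_lines)
    return {n: would_splice(n, pats) for n in names}


def lint_patterns(lines):
    """Findings a reviewer would raise: duplicate lines, a bare '.' (matches any
    character, so azure.com also matches azureXcom), and no trailing '$' anchor."""
    issues, seen = [], set()
    for raw in lines:
        s = raw.strip()
        if not s or s.startswith("#"):
            continue
        if s in seen:
            issues.append((s, "duplicate"))
        seen.add(s)
        if re.search(r"(?<!\\)\.", s):
            issues.append((s, "unescaped dot"))
        if not s.endswith("$"):
            issues.append((s, "not anchored"))
    return issues


if __name__ == "__main__":
    loose, strict = splice_table(UNANCHORED, SNI_NAMES), splice_table(ANCHORED, SNI_NAMES)
    for n in SNI_NAMES:
        print(f"{n:<40} unanchored={loose[n]!s:<5} anchored={strict[n]}")
    for pat, why in lint_patterns(FLAWED):
        print(f"lint: {pat}: {why}")
```

To check a deployed file, pass its lines: `lint_patterns(open("/etc/squid/acl/sslpin_windowsupdates.nobump"))`. The unanchored list splices both look-alike names, which means Squid would tunnel them without inspection; the anchored list splices only the two real Windows Update hosts.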