https://github.com/password123456/setup-squid-proxy-with-security-best-practice

squid proxy security best practice

# Setup Squid Proxy With Security Best Practice

- Security best practices when a squid proxy is being used as a "forward proxy"
- If you are configuring Squid as a reverse proxy, some topics in this guide may not apply. We recommend cross-referencing other security guides for the appropriate hardening criteria when using Squid as a reverse proxy.
- Last Modified: May 31, 2024
```
# cat /etc/redhat-release
Rocky Linux release 8.8 (Green Obsidian)

# rpm -qa | grep squid
squid-4.15-6.module+el8.8.0+1273+55f5b063.x86_64
```
***
## Table of Contents
* [1. Ensure that SQUID is run using a non-privileged, dedicated service account - groups](#1-ensure-that-squid-is-run-using-a-non-privileged-dedicated-service-account---groups)
* [2. Ensure access to SQUID directories and files is restricted](#2-ensure-access-to-squid-directories-and-files-is-restricted)
* [3. Ensure httpd_suppress_version_string directive is set to "on"](#3-ensure-httpd_suppress_version_string-directive-is-set-to-on)
* [4. Ensure "Via" Header is removed](#4-ensure-via-header-is-removed)
* [5. Ensure "X-Cache, X-Cache-Lookup" Headers are removed](#5-ensure-x-cache-x-cache-lookup-headers-are-removed)
* [6. Ensure Inbound X-Forwarded-For Header is restricted](#6-ensure-inbound-x-forwarded-for-header-is-restricted)
* [7. Ensure Outbound X-Forwarded-For Header is restricted](#7-ensure-outbound-x-forwarded-for-header-is-restricted)
* [8. Ensure HTTP Method is restricted](#8-ensure-http-method-is-restricted)
* [9. Ensure Access Control Policy (ACL) is correct](#9-ensure-access-control-policy-acl-is-correct)
  + [9.1. Allow all external access for specific (source) hosts/ranges (Any destination)](#91-allow-all-external-access-for-specific-source-hostsranges-any-destination)
  + [9.2. Allow specific (source) hosts/ranges to access specified (destination) URLs (Scenario 1)](#92-allow-specific-source-hostsranges-to-access-specified-destination-urls-scenario-1)
  + [9.3. Allow specific (source) hosts/ranges to access specified (destination) URLs (Scenario 2)](#93-allow-specific-source-hostsranges-to-access-specified-destination-urls-scenario-2)
  + [9.4. Configure policies with specified operating hours](#94-configure-policies-with-specified-operating-hours)
* [10. Ensure detailed logging is enabled](#10-ensure-detailed-logging-is-enabled)
* [11. Ensure log files are rotated](#11-ensure-log-files-are-rotated)
* [12. Tips](#12-tips)
  + [12.1. Completed Squid configuration](#121-completed-squid-configuration)
  + [12.2. Proxying for Linux yum package updates](#122-proxying-for-linux-yum-package-updates)
  + [12.3. Proxying for Windows updates service](#123-proxying-for-windows-updates-service)

***
## 1. Ensure that SQUID is run using a non-privileged, dedicated service account - groups
The Squid proxy runs using the default account, which is usually named 'squid'. If the Squid proxy is not running under the 'squid' account or is being executed with root privileges, you should change it.

**Audit:**
- Check the Squid process account.
```bash
[root@localhost ~]# ps -ef | grep squid
root 5346 1 0 Nov03 ? 00:00:00 /usr/sbin/squid --foreground -f /etc/squid/squid.conf
squid 5349 5346 0 Nov03 ? 00:00:04 (squid-1) --kid squid-1 --foreground -f /etc/squid/squid.conf
```

**Remediation:**
- If the process account is not 'squid', change it to 'squid' and restart the service.
```bash
[root@localhost ~]# vim /usr/lib/systemd/system/squid.service

[Unit]
Description=Squid caching proxy
Documentation=man:squid(8)
After=network.target network-online.target nss-lookup.target

[Service]
Type=notify
LimitNOFILE=16384
PIDFile=/run/squid.pid
...
KillMode=mixed
NotifyAccess=all

# <== Set both to 'squid' (systemd does not accept trailing comments on a key line)
User=squid
Group=squid
```
- Ensure that the 'squid' account has no login shell (e.g. `/sbin/nologin`), so it cannot be used for interactive logins.
```bash
[root@localhost ~]# cat /etc/passwd | grep -i squid
squid:x:23:23::/var/spool/squid:/sbin/nologin
```

## 2. Ensure access to SQUID directories and files is restricted
Directories and configuration files related to Squid should only be accessible by the 'squid' or 'root' user. Verify and adjust permissions if other users have access to these directories and files.

**Audit:**
- Check the permissions for directories and files related to the Squid proxy.
```bash
[root@localhost ~]# ls -al /etc/squid/
total 72
drwxr-xr-x. 3 root root 4096 Oct 26 07:57 .
drwxr-xr-x. 87 root root 8192 Oct 20 14:06 ..
-rw-r--r--. 1 root squid 692 May 10 2021 cachemgr.conf
-rw-r--r--. 1 root root 692 May 10 2021 cachemgr.conf.default
drwxrwxr-x. 2 root root 102 Oct 26 07:56 conf.d
-rw-r--r--. 1 root root 1800 May 10 2021 errorpage.css
-rw-r--r--. 1 root root 1800 May 10 2021 errorpage.css.default
-rw-r--r--. 1 root root 12077 May 10 2021 mime.conf
-rw-r--r--. 1 root root 12077 May 10 2021 mime.conf.default
-rw-r-----. 1 root squid 1859 Oct 17 17:08 squid.conf
```

**Remediation:**
- Ensure that directories and files are owned by the 'root' user and that other users do not have access.
```bash
[root@localhost ~]# chown root:root -R /etc/squid
[root@localhost ~]# chmod o-rwx -R /etc/squid
```
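The two checks above (a non-interactive shell on the service account, and root-owned files with no "other" permission bits under the configuration directory) can be scripted. The following audit helper is an added example, not part of the original repository; it assumes GNU coreutils (`stat -c`, as on Rocky Linux) and, in the demo, substitutes a temporary directory and the current user for `/etc/squid` and `root`.

```bash
#!/usr/bin/env bash
# Added audit helper for checks 1 and 2 of this guide (not from the original
# repository). Assumes GNU coreutils: stat -c '%U' / '%a'.

# Check 1: the service account must have a non-interactive shell.
# Takes one passwd(5) line; returns 0 for nologin/false, 1 otherwise.
service_account_ok() {
  shell=$(printf '%s\n' "$1" | cut -d: -f7)
  case "$shell" in
    /sbin/nologin|/usr/sbin/nologin|/bin/false|/usr/bin/false) return 0 ;;
    *) printf 'NON-COMPLIANT: login shell %s\n' "$shell" >&2; return 1 ;;
  esac
}

# Check 2: every path under DIR must be owned by OWNER (default root) and
# grant no permission bits to "other". Returns 0 if all comply, else 1.
config_perms_ok() {
  dir=$1; owner=${2:-root}; rc=0
  list=$(mktemp)
  find "$dir" > "$list"
  while IFS= read -r path; do
    file_owner=$(stat -c '%U' "$path")
    mode=$(stat -c '%a' "$path")          # e.g. 640
    # the low three bits of the octal mode are the "other" rwx bits
    if [ "$file_owner" != "$owner" ] || [ $(( 0$mode & 7 )) -ne 0 ]; then
      printf 'NON-COMPLIANT: %s owner=%s mode=%s\n' "$path" "$file_owner" "$mode" >&2
      rc=1
    fi
  done < "$list"
  rm -f "$list"
  return "$rc"
}

# Demo on constructed data: a temp dir stands in for /etc/squid and the
# current user for root, so it runs unprivileged.
demo() {
  tmp=$(mktemp -d)                                   # created mode 700
  printf 'http_port 3128\n' > "$tmp/squid.conf"; chmod 640 "$tmp/squid.conf"
  : > "$tmp/mime.conf"; chmod 644 "$tmp/mime.conf"   # world-readable: flagged
  service_account_ok 'squid:x:23:23::/var/spool/squid:/sbin/nologin' && echo "account: ok"
  config_perms_ok "$tmp" "$(id -un)" || echo "perms: remediate with chmod o-rwx -R"
  rm -rf "$tmp"
}

demo
```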

## 3. Ensure httpd_suppress_version_string directive is set to "on"
By default, the Squid proxy displays the installed proxy version information in the Server header and on error pages. To prevent the version information from being displayed, follow these steps.

**Audit:**
- Check if the proxy version information is exposed in the Server header.
```bash
[root@localhost ~]# curl -i -k 127.0.0.1:3128
HTTP/1.1 400 Bad Request
Server: squid/4.15
...
```
- Also, confirm whether the proxy version information is exposed on error pages.
```bash
[root@localhost ~]# curl -i -k 127.0.0.1:3128
HTTP/1.1 400 Bad Request
...
Generated Mon, 18 Sep 2023 05:50:08 GMT by blah-proxy01 (squid/4.15)