[Experience sharing] Squid security configuration

Posted on 2018-12-26 09:56:26
Network Hosts:
linuxcbtwork1 -> Primary DNS server -> 192.168.1.72
linuxcbtserv1 -> 192.168.1.10
linuxcbtserv2 -> 192.168.1.20
linuxcbtserv3 -> 192.168.1.30
cache1 -> CNAME -> linuxcbtserv2

Squid client/server logic:
client (www.google.com) -> Squid -> server/peer cache
Steps for Squid installation:
1. Set up DNS - cache1.linuxcbt.internal
2. Install Squid
3. Start Squid, attempt to use it, and modify the ACLs as needed
4. Access to the Internet is granted

Note: Squid listens on TCP port 3128 by default
Squid Logging:
Default Directory: /var/log/squid
cache.log -> system info (RAM/CPU/Virtual Memory/Networking)
squid.out -> basic system info
access.log -> main user log file
access.log fields in the native Squid log format:
1. request_time (Unix epoch, with milliseconds)
2. elapsed_time (ms) to deliver the page/object
3. remotehost (client IP)
4. code (Squid action)/status (HTTP status code)
5. bytes delivered to the client
6. method (GET/POST/CONNECT)
7. URL
8. IDENT (RFC 931 username, "-" when unknown)
9. hierarchy (DIRECT/IP, or the peer that served the request)
10. type (MIME)
Note: Squid also supports the Common Log Format (CLF)
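The field list above is what a reviewer works from when going through access.log after a policy change. The following parser is an added example written for these notes, not code from the original post or from the Squid project: it splits native-format lines into the ten fields named above and then summarises denied requests, bytes delivered and parent-cache usage per client. The log lines in SAMPLE_ACCESS_LOG are constructed for the example (the hosts and peer name are the ones from the network list at the top of these notes).

```python
from collections import Counter

# Constructed sample lines in Squid's native access.log format (not taken from a real proxy).
# Field order: timestamp elapsed remotehost code/status bytes method URL ident hierarchy/peer type
SAMPLE_ACCESS_LOG = """\
1545785786.123    245 192.168.1.10 TCP_MISS/200 4521 GET http://www.google.com/ - DIRECT/172.217.0.46 text/html
1545785787.001     12 192.168.1.20 TCP_HIT/200 18342 GET http://en.wikipedia.org/wiki/Squid - NONE/- text/html
1545785790.456      3 192.168.1.30 TCP_DENIED/403 1539 GET http://www.example.cn/downloads/tool.exe - NONE/- text/html
1545785791.789      2 192.168.1.30 TCP_DENIED/403 1539 CONNECT www.example.cn:443 - NONE/- -
1545785795.000    980 192.168.1.72 TCP_MISS/200 51200 GET http://files.example.com/report.pdf - FIRST_UP_PARENT/linuxcbtserv3.linuxcbt.internal application/pdf
"""


def parse_native_line(line):
    """Split one native-format access.log line into the ten fields listed above.

    Returns a dict; raises ValueError on a line that does not have ten fields,
    so a truncated or corrupted line is reported rather than silently skipped.
    """
    parts = line.split()
    if len(parts) != 10:
        raise ValueError("expected 10 fields, got %d: %r" % (len(parts), line))
    ts, elapsed, host, code_status, nbytes, method, url, ident, hier, mime = parts
    code, status = code_status.split("/", 1)   # e.g. TCP_DENIED/403
    hier_code, peer = hier.split("/", 1)       # e.g. DIRECT/172.217.0.46 or NONE/-
    return {
        "timestamp": float(ts),
        "elapsed_ms": int(elapsed),
        "remotehost": host,
        "code": code,
        "status": int(status),
        "bytes": int(nbytes),
        "method": method,
        "url": url,
        "ident": ident,
        "hierarchy": hier_code,
        "peerhost": peer,
        "mime_type": mime,
    }


def parse_access_log(text):
    """Parse every non-empty line; returns a list of record dicts."""
    return [parse_native_line(l) for l in text.splitlines() if l.strip()]


def denied_by_host(records):
    """Count requests Squid refused (TCP_DENIED) per client IP.

    A client with a high denied count is the first thing to look at when
    reviewing ACL hits, e.g. a host repeatedly requesting blocked TLDs or suffixes.
    """
    return Counter(r["remotehost"] for r in records if r["code"].startswith("TCP_DENIED"))


def bytes_by_host(records):
    """Sum bytes delivered per client IP (field 5), useful when sizing delay pools."""
    totals = Counter()
    for r in records:
        totals[r["remotehost"]] += r["bytes"]
    return totals


def via_parent(records):
    """Return URLs fetched through a parent peer rather than DIRECT (field 9)."""
    return [r["url"] for r in records if "PARENT" in r["hierarchy"]]


if __name__ == "__main__":
    recs = parse_access_log(SAMPLE_ACCESS_LOG)
    print("denied per host:", dict(denied_by_host(recs)))
    print("bytes per host:", dict(bytes_by_host(recs)))
    print("fetched via parent:", via_parent(recs))
```

Run it against a real /var/log/squid/access.log by passing the file contents to parse_access_log; the ValueError on a short line is deliberate, since a line with fewer than ten fields usually means the log format was switched to CLF (see the note above) and the parser should not guess.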

store.log (records objects stored in the cache) fields:
1. time
2. action (RELEASE, CREATE, SWAPOUT, SWAPIN)
3. file number (location on disk under /var/spool/squid)
4. HTTP status
5. HTTP Date header
6. Last-Modified header
7. expiration of the content
8. MIME type
9. size of the content: content_length/actual size read
10. method (GET/POST/CONNECT)
11. URL

Change Squid's default TCP port:
1. modify /etc/squid/squid.conf
2. update http_port 8080
3. /sbin/service squid reload
Note: https_port works as follows:
client -> Squid -> HTTPS web server

ACLs:
Safe ports:
1. Definition of an ACL:
acl Safe_ports port 999
acl unique_name type(src/dst/dstdomain/srcdomain/time/etc.) decision_string
2. Apply the ACL with an http_access rule (allow/deny):
http_access

linuxcbtserv1 - 192.168.1.10 - deny
linuxcbtserv2 - 192.168.1.20
linuxcbtserv3 - 192.168.1.30
linuxcbtwork1 - 192.168.1.72
192.168.1.0/24 - CIDR

Lists:
1. can be built by repeating the ACL name (values are ORed), i.e.:
acl linuxcbt_bad_hosts src 192.168.1.10
acl linuxcbt_bad_hosts src 192.168.1.30
http_access deny linuxcbt_bad_hosts
2. or loaded from a file, one entry per line:
acl linuxcbt_bad_hosts src "/etc/squid/linuxcbt_bad_hosts"

Time-based ACLs:
days of week (DOW) codes = SMTWHFA (Sunday through Saturday; H = Thursday, A = Saturday)
hours and minutes: hh:mm-hh:mm

ACLs based on specific destination domains:
1. build the list inline in squid.conf (repeated acl lines)
2. build the list in a text file

ACLs with ANDed logic, i.e. deny access to a site during business hours:
1. build separate ACLs
2. combine them on one http_access line (all must match)
3. apply the allow/deny action to the combined rule

Business Rule: No casual browsing during work hours
1. Work hours = MTWHF 08:30-17:30
2. Source subnet = 192.168.1.0/24
3. Permit access to research-related websites - wikipedia.org

Business Rule: No browsing of sites with the keyword 'sex'
1. define a url_regex ACL
acl bad_keyword url_regex -i sex
http_access deny bad_keyword
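The src, dstdomain, time and url_regex ACLs above, combined with Squid's first-match http_access logic, are easy to get wrong: ACLs on one http_access line are ANDed, repeated acl lines with the same name are ORed (the Lists section above), and rule order decides the outcome. The following model is an added example, not Squid code and not from the original post: it parses the acl/http_access lines of a constructed squid.conf fragment and evaluates them the way Squid does. WORK_HOURS_CONF encodes the "no casual browsing during work hours, wikipedia.org allowed" rule plus the bad_keyword rule, BAD_HOSTS_CONF the repeated-acl list form; the Request class, decide() helper and both fragments are the example's own constructions, and the inclusive bounds of the time range are an assumption.

```python
import ipaddress
import re
from datetime import datetime

# Squid "time" ACL day codes mapped to datetime.weekday() (Monday = 0 ... Sunday = 6);
# D is Squid's shorthand for all weekdays.
DAY_CODES = {"S": {6}, "M": {0}, "T": {1}, "W": {2}, "H": {3}, "F": {4}, "A": {5},
             "D": {0, 1, 2, 3, 4}}

# Constructed squid.conf fragments for the business rules in these notes (not from the post)
WORK_HOURS_CONF = """
acl all src 0.0.0.0/0
acl office src 192.168.1.0/24
acl work_hours time MTWHF 08:30-17:30
acl research dstdomain .wikipedia.org
acl bad_keyword url_regex -i sex
http_access deny bad_keyword
http_access allow office research
http_access deny office work_hours
http_access allow office
http_access deny all
"""
BAD_HOSTS_CONF = """
acl all src 0.0.0.0/0
acl linuxcbt_bad_hosts src 192.168.1.10
acl linuxcbt_bad_hosts src 192.168.1.30
http_access deny linuxcbt_bad_hosts
http_access allow all
"""


class Request:
    """Hypothetical client request: source IP, full URL and arrival time."""
    def __init__(self, src, url, when):
        self.src, self.url, self.when = ipaddress.ip_address(src), url, when
        # host part of the URL, used by dstdomain / dstdom_regex
        self.host = re.sub(r"^[a-z]+://", "", url, flags=re.I).split("/")[0].split(":")[0].lower()


def parse_config(text):
    """Read acl and http_access lines; repeating an acl name appends values (OR)."""
    acls, rules = {}, []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        if parts[0] == "acl":
            name, acl_type, values = parts[1], parts[2], parts[3:]
            entry = acls.setdefault(name, (acl_type, []))
            if entry[0] != acl_type:
                raise ValueError("acl %s redefined with a different type" % name)
            entry[1].extend(values)
        elif parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules


def _hhmm(text):
    h, m = text.split(":")
    return int(h) * 60 + int(m)


def acl_matches(acl_type, values, req):
    """Evaluate one ACL against a request; values inside one ACL are ORed."""
    if acl_type == "src":
        return any(req.src in ipaddress.ip_network(v, strict=False) for v in values)
    if acl_type == "dstdomain":
        for v in values:
            v = v.lower()
            if v.startswith("."):          # leading dot = the domain and all its subdomains
                if req.host == v[1:] or req.host.endswith(v):
                    return True
            elif req.host == v:
                return True
        return False
    if acl_type in ("url_regex", "dstdom_regex"):
        subject = req.url if acl_type == "url_regex" else req.host
        flags = 0
        for v in values:
            if v == "-i":                  # -i switches on case-insensitive matching
                flags = re.IGNORECASE
            elif re.search(v, subject, flags):
                return True
        return False
    if acl_type == "time":
        days, ranges = set(), []
        for v in values:
            if ":" in v:
                start, end = v.split("-")
                ranges.append((_hhmm(start), _hhmm(end)))
            else:
                for code in v:
                    days |= DAY_CODES[code]
        now = req.when.hour * 60 + req.when.minute
        day_ok = not days or req.when.weekday() in days
        time_ok = not ranges or any(s <= now <= e for s, e in ranges)  # inclusive (assumed)
        return day_ok and time_ok
    raise ValueError("unsupported acl type: %s" % acl_type)


def http_access(acls, rules, req):
    """First-match http_access: all ACLs on a line must match (AND, '!' negates);
    if no line matches, the result is the opposite of the last line's action."""
    for action, names in rules:
        if all(acl_matches(*acls[n.lstrip("!")], req) != n.startswith("!") for n in names):
            return action
    return "deny" if rules and rules[-1][0] == "allow" else "allow"


def decide(conf, src, url, when_iso):
    """Return 'allow' or 'deny' for one request; when_iso is e.g. '2018-12-24T10:00'."""
    acls, rules = parse_config(conf)
    return http_access(acls, rules, Request(src, url, datetime.fromisoformat(when_iso)))
```

Running a candidate ruleset through a model like this before reloading the proxy shows two things squid -k parse (which checks syntax only) cannot: that the office allow line placed after the work_hours deny never applies during work hours, and that a bare substring url_regex such as sex also denies http://www.example.com/essex, so keyword ACLs need a review of the denied entries in access.log after deployment.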

Business Rule: No download of prohibited extensions
1. define a url_regex ACL backed by a file of suffix patterns
acl bad_suffixes url_regex "/etc/squid/bad_suffixes"
http_access deny bad_suffixes

Business Rule: No outbound access to certain TLDs (.cn, .jp, etc.)
acl bad_tlds dstdom_regex "/etc/squid/bad_tlds"
http_access deny bad_tlds
Note: urlpath_regex matches only the path part of the URL, e.g. /downloads in http://www.china.cn/downloads
Business Rule: Set up Squid as a non-caching proxy server
acl noncaching_hosts src 0.0.0.0/0.0.0.0
no_cache deny noncaching_hosts
Note: in Squid 3 and later the no_cache directive is named cache (cache deny noncaching_hosts)

Business Rule: Disable caching for specific sites (Internet/Intranet)
acl no_cache_sites dstdomain .yale.edu
no_cache deny no_cache_sites

Business Rule: Disable caching for dynamic sites (.php/.asp/.pl/.cgi/.jsp)
acl no_cache_dynamic_sites url_regex "/etc/squid/dynamic_sites"
no_cache deny no_cache_dynamic_sites

Business Rule: No Cache for Executives and Admins - Cache everyone else.
acl no_cache_execs src 192.168.1.10 192.168.1.20
no_cache deny no_cache_execs

Business Rule: Ensure that non-proxy servers have direct Internet-access
1. outbound Cisco Firewall (PIX) rules

Squid in a load-balanced fashion:
192.168.1.0/24 -> 192.168.1.20
               -> 192.168.1.30

192.168.1.0/24 -> content switches -> 192.168.1.20
                                   -> 192.168.1.30

Business Rule: Implement bandwidth management using delay pools
Note: delay pools have 3 different classes
a. class 1 restricts the rate for the pool as a whole, which is enough to slow large downloads
1. acl worker_bees src 192.168.1.0/24
2. delay_pools 1 - defines the number of delay pools
3. delay_class 1 1 - pool #1 uses class #1
4. delay_parameters 1 restore_rate/max_size (bytes per second / bucket size in bytes)
   e.g. delay_parameters 1 20000/15000
5. delay_access 1 allow worker_bees

Business Rule: Implement bandwidth management with an aggregate rate
delay_pools 1
delay_class 1 2
delay_parameters 1 62500/62500 6250/6250 - aggregate restore/max, then per-host restore/max
Note: T1 = 1,544,000 bits/second
Ceiling: 500k (500,000 bits/second) = 62,500 bytes/second

Business Rule: Ensure that requests are routed through the parent cache
Cache hierarchy - parent/child
192.168.1.0/24 -> linuxcbtserv2 (child) -> linuxcbtserv3 (parent) -> INTERNET
cache_peer linuxcbtserv3.linuxcbt.internal parent 8080 3130 default
Note: peer selection/communication protocols: CARP, ICP, HTCP, Cache Digests

Business Rule: Ensure that local Intranet requests bypass the parent
cache_peer linuxcbtserv3.linuxcbt.internal parent 8080 3130 default
cache_peer_domain linuxcbtserv3.linuxcbt.internal !.linuxcbt.internal

Business Rule: Treat 192.168.1.10 as a privileged user bypassing the parent - linuxcbtserv3.linuxcbt.internal
acl avoid_parent_cache src 192.168.1.10
cache_peer_access linuxcbtserv3.linuxcbt.internal deny avoid_parent_cache


Business Rule: Treat caches as siblings
cache_peer linuxcbtserv3.linuxcbt.internal sibling 8080 3130

Note: Parent-Child hierarchy - constitutes a centralized deployment
Note: Sibling hierarchy - constitutes a distributed deployment

Business Rule: Limit simultaneous cache/proxy connections per client (MaxConn = 10)
acl conn_limit maxconn 10
http_access deny conn_limit all






