nethserver-squid
This package configures the well-known Squid web proxy.
Squid RPMs are from upstream.
Configuration
All properties are saved in the squid key under the configuration database.
Properties:
- BlueMode: change Squid operation mode on blue networks. It has the same values and defaults as GreenMode
- BypassDomains: comma-separated list of domains bypassed when the proxy is set in transparent mode
- DiskCache: disabled by default; if enabled, it activates the disk caching system for Squid
- DiskCacheSize: maximum size of the Squid cache on disk
- GreenMode: change Squid operation mode on green networks. Can be: manual, authenticated, transparent, transparent_ssl. Default is: manual
- KrbPrimaryList: name for the Kerberos keytab (used for Active Directory integration)
- KrbStatus: if set to enabled, a ticket credential cache file is kept valid by the hourly cron job (used for Active Directory integration)
- MaxObjSize: objects larger than this setting will not be saved on disk. If speed is more desirable than saving bandwidth, this should be set to a low value
- MemCacheSize: size of the Squid cache in memory
- MinObjSize: can be left at 0 to cache everything, but may be raised if small objects are not desired in the cache
- NoCache: comma-separated list of domains which will not be cached
- ParentProxy: in the form host:port; if omitted, the port defaults to 3128. Default is empty
- PortBlock: if enabled, block ports 80 and 443. Default is: disabled
- SafePorts: comma-separated list of ports that can be accessed through the proxy. Listed ports will be added to the default list of safe and SSL ports
Database example
Example:
squid=service
BlueMode=manual
DiskCache=disabled
DiskCacheSize=100
GreenMode=transparent
KrbPrimaryList=HTTP
KrbStatus=enabled
MaxObjSize=4096
MemCacheSize=256
MinObjSize=1
NoCache=www.nethserver.org
ParentProxy=
PortBlock=disabled
TCPPorts=3128,3129,3130
access=private
status=enabled
Transparent mode
When the proxy is enabled in transparent mode, all traffic destined to port 80 is redirected to Squid (port 3129). This configuration requires Shorewall.
SSL peek and splice
If the proxy is enabled in transparent SSL mode, all traffic destined to port 443 is also redirected to Squid (port 3130). The daemon does not decrypt the SSL traffic, but the visited sites can still be processed by the web filter.
Known bugs
You may find this kind of error inside /var/log/squid/cache.log:
2016/12/09 09:44:18 kid1| SECURITY ALERT: on URL: avatars0.githubusercontent.com:443
2016/12/09 09:44:18 kid1| SECURITY ALERT: Host header forgery detected on local=151.101.60.133:443 remote=192.168.5.22:40950 FD 166 flags=33 (local IP does not match any domain IP)
In this case, when accessing GitHub, the avatars won't be displayed by the browser, and you may find a "Timeout error" for the images that failed to load.
This kind of error can't be fixed. See the official documentation for workarounds:
Authenticated mode
Authentication schema depends on system configuration:
- standard authentication for system users is done over LDAP
- if Samba AD is installed, clients can use Kerberos (SPNEGO/GSSAPI)
Bypasses
The implementation supports three kinds of bypass:
- source bypass
- destination bypass
- domains bypass
Source and destination bypass
Bypass rules are saved inside the fwrules database.
A bypass can be of two types:
- bypass-src: the listed origin hosts are bypassed
- bypass-dst: the listed target hosts are bypassed
Properties:
- Host: a host object, like a remote or local host
- status: can be enabled or disabled
- Description: optional description
Bypass example:
boss=bypass-src
Description=Boss without proxy
Host=host;bosspc
status=enabled
Domains bypass
All requests to domains listed inside the BypassDomains property will not be redirected to the transparent proxy.
The implementation uses the ipset feature of Dnsmasq.
Each time a listed domain is accessed from a client, Dnsmasq resolves the IP and adds it to the squid-bypass ipset.
The squid-bypass ipset is then used as an exception inside the Shorewall REDIRECT rule.
Notes:
- all clients must use the server as DNS; a client resolving names elsewhere never populates the ipset, so its requests are still redirected to the proxy
- Dnsmasq name resolution works for the listed domains and all their sub-domains
Cache
There is an event called nethserver-squid-clear-cache that empties the cache.
Priority and divert rules
The squid database contains multiple records of type rule.
Each rule has the following properties:
- key: a unique numeric id
- Action: one of
  - priority;low: add the low priority packet marker using tcp_outgoing_mark
  - priority;high: add the high priority packet marker using tcp_outgoing_mark
  - provider;<name>: add the packet marker for provider <name> using tcp_outgoing_mark
  - force;<name>: force output traffic to the <name> provider using tcp_outgoing_address
- Description: optional description
- Dst: comma-separated list of domains; this is converted to a dstdomain ACL
- Src: firewall object; supported objects are: role, host, zone, ip range and cidr. This is converted to a src ACL
- status: can be enabled or disabled
Example:
1=rule
Action=priority;low
Description=
Dst=yahoo.com
Src=host;giacomo
status=enabled
2=rule
Action=provider;fast
Description=
Dst=nethserver.org,nethesis.it
Src=host;birro
status=enabled
3=rule
Action=force;slow
Description=
Dst=
Src=cidr;cidr1
status=enabled
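As an added example (not the nethserver-squid template code), the following Python script parses rule records in the key=type / Prop=value layout used by the database example and by the rules above, and emits the Squid directives the properties map to: a src ACL from the Src object, a dstdomain ACL from Dst, and a tcp_outgoing_mark or tcp_outgoing_address line from Action. The packet-mark values, the provider addresses and the host/cidr object table are constructed placeholders, since the page does not state them; prefixing dstdomain entries with a dot is also this example's choice.

```python
"""Translate nethserver-squid 'rule' records into Squid ACL directives.

Added example, not the nethserver-squid template code. Assumptions (not on
the page): the packet-mark value per priority class and per provider, the
outgoing address per provider, and the firewall-object table used to resolve
Src references. All of these are constructed placeholders.
"""
import ipaddress

# Constructed sample: the three rule records from the documentation, in the
# key=type / Prop=value layout of the configuration database.
SAMPLE_DB = """\
1=rule
Action=priority;low
Description=
Dst=yahoo.com
Src=host;giacomo
status=enabled
2=rule
Action=provider;fast
Description=
Dst=nethserver.org,nethesis.it
Src=host;birro
status=enabled
3=rule
Action=force;slow
Description=
Dst=
Src=cidr;cidr1
status=enabled
"""

# Properties a rule record may carry; any other 'name=value' line starts a
# new record (the record header 'key=type').
RULE_PROPS = {"Action", "Description", "Dst", "Src", "status"}

# Assumed firewall objects (hypothetical): host -> address, cidr -> network.
OBJECTS = {
    ("host", "giacomo"): "192.168.5.10",
    ("host", "birro"): "192.168.5.11",
    ("cidr", "cidr1"): "192.168.6.0/24",
}
# Assumed marks and addresses; real values depend on the firewall setup.
PRIORITY_MARKS = {"low": "0x10", "high": "0x20"}
PROVIDER_MARKS = {"fast": "0x1", "slow": "0x2"}
PROVIDER_ADDRESS = {"fast": "203.0.113.10", "slow": "198.51.100.10"}


def parse_db(text):
    """Parse 'key=type' records followed by their 'Prop=value' lines."""
    records = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _, value = line.partition("=")
        if current is not None and name in RULE_PROPS:
            records[current][name] = value
        else:
            current = name
            records[current] = {"type": value}
    return records


def rule_to_squid(key, rec):
    """Return squid.conf lines for one rule; [] if it is disabled."""
    if rec.get("type") != "rule" or rec.get("status") != "enabled":
        return []
    lines, acls = [], []
    src = rec.get("Src", "")
    if src:
        kind, _, name = src.partition(";")
        # strict=False accepts host bits, so '192.168.5.10' becomes a /32
        net = ipaddress.ip_network(OBJECTS[(kind, name)], strict=False)
        acls.append(f"rule{key}_src")
        lines.append(f"acl rule{key}_src src {net.with_prefixlen}")
    domains = [d.strip() for d in rec.get("Dst", "").split(",") if d.strip()]
    if domains:
        # A leading dot makes a Squid dstdomain entry match the domain and
        # its subdomains; using it here is this example's choice.
        acls.append(f"rule{key}_dst")
        lines.append(f"acl rule{key}_dst dstdomain "
                     + " ".join("." + d for d in domains))
    if not acls:
        raise ValueError(f"rule {key} has neither Src nor Dst")
    action, _, arg = rec.get("Action", "").partition(";")
    acl_list = " ".join(acls)
    if action == "priority":
        lines.append(f"tcp_outgoing_mark {PRIORITY_MARKS[arg]} {acl_list}")
    elif action == "provider":
        lines.append(f"tcp_outgoing_mark {PROVIDER_MARKS[arg]} {acl_list}")
    elif action == "force":
        lines.append(f"tcp_outgoing_address {PROVIDER_ADDRESS[arg]} {acl_list}")
    else:
        raise ValueError(f"rule {key}: unknown Action {rec.get('Action')!r}")
    return lines


def build_config(text):
    """Render every enabled rule of a database dump into squid.conf lines."""
    out = []
    for key, rec in parse_db(text).items():
        out.extend(rule_to_squid(key, rec))
    return out


if __name__ == "__main__":
    print("\n".join(build_config(SAMPLE_DB)))
```

Rule 3 has an empty Dst, so only its src ACL is emitted and the tcp_outgoing_address line matches on the source network alone. The marks set by tcp_outgoing_mark have no effect on their own: the firewall or traffic shaper has to classify on them, which is why the mark values are placeholders here.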
WPAD
WPAD is located at /var/www/html/wpad.dat.
The web server is configured to allow the download only from trusted and blue networks, but be aware that you need to manually open the httpd port for blue networks (see Add a new service).
The WPAD returns:
- DIRECT, if Squid is disabled or the requesting client is inside a network where the proxy is configured in transparent mode
- the IP of the corresponding network interface, if the requesting client is inside a network where the proxy is configured in manual or authenticated mode
- proxy.<domain>, if the server is joined to Active Directory and the requesting client is inside a network where the proxy is configured in manual or authenticated mode
The WPAD file also includes all source and destination bypasses.
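The decision table above, written out as an added example that generates a wpad.dat from per-network modes (this is not the project's own WPAD template). The networks, interface addresses, bypass hosts, AD domain and proxy port are constructed; listing proxy.<domain> first with the interface IP as a fallback when the server is joined to Active Directory is this example's choice.

```python
"""Generate a wpad.dat (PAC) file from per-network proxy modes.

Added example, not the nethserver-squid template. It implements the decision
table of the WPAD section: DIRECT when Squid is disabled or the client sits
in a transparent-mode network, the interface IP in manual/authenticated
networks, proxy.<domain> when joined to Active Directory, and DIRECT for
bypass-src and bypass-dst entries. Networks, hosts and domain are constructed.
"""
import ipaddress

SQUID_PORT = 3128  # assumed: first port of TCPPorts in the database example

# Constructed sample: a green network in manual mode and a blue one in
# transparent mode, each with the server's interface address.
NETWORKS = [
    {"cidr": "192.168.5.0/24", "role": "green", "mode": "manual", "ip": "192.168.5.1"},
    {"cidr": "10.10.0.0/24", "role": "blue", "mode": "transparent", "ip": "10.10.0.1"},
]
BYPASS_SRC = ["192.168.5.22"]            # constructed bypass-src host
BYPASS_DST = ["intranet.example.org"]    # constructed bypass-dst host


def proxy_target(net, squid_enabled, ad_domain=None):
    """PAC return value for clients of one network, per the page's table."""
    if not squid_enabled or net["mode"].startswith("transparent"):
        return "DIRECT"
    if net["mode"] in ("manual", "authenticated"):
        targets = []
        if ad_domain:
            # Joined to AD: offer proxy.<domain> first, interface IP as a
            # fallback (listing both is this example's choice).
            targets.append(f"PROXY proxy.{ad_domain}:{SQUID_PORT}")
        targets.append(f"PROXY {net['ip']}:{SQUID_PORT}")
        return "; ".join(targets)
    raise ValueError(f"unknown mode {net['mode']!r}")


def build_pac(networks, squid_enabled=True, ad_domain=None,
              bypass_src=(), bypass_dst=()):
    """Render the FindProxyForURL function as PAC JavaScript text."""
    lines = ["function FindProxyForURL(url, host) {",
             "  var me = myIpAddress();"]
    # Bypasses come first so they win over the per-network rules.
    for d in bypass_dst:
        lines.append(f'  if (dnsDomainIs(host, "{d}")) return "DIRECT";')
    for s in bypass_src:
        lines.append(f'  if (me == "{s}") return "DIRECT";')
    for net in networks:
        n = ipaddress.ip_network(net["cidr"])
        target = proxy_target(net, squid_enabled, ad_domain)
        lines.append(f'  if (isInNet(me, "{n.network_address}", "{n.netmask}")) '
                     f'return "{target}";')
    # Clients outside every known network are not proxied.
    lines.append('  return "DIRECT";')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_pac(NETWORKS, True, None, BYPASS_SRC, BYPASS_DST))
```

myIpAddress(), isInNet() and dnsDomainIs() are the standard PAC helpers browsers provide. myIpAddress() returns a single address, so a multi-homed client may be matched against the wrong network; a transparent-mode network still gets DIRECT because the Shorewall REDIRECT handles it on the wire.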
Miscellaneous options
The following options are always enabled:
- buffered logs
- SNMP support on port 3401