This package configure the well-known Squid web proxy.
Squid rpms are from upstream.
All properties are saved in the
squid key under the
- BlueMode: change Squid operation mode on blue networks. It has same values and defaults of
- BypassDomains: comma separeted list of domains bypassed when the proxy is set in transparent mode
- DiskCache: disabled by default, if enabled it actives the disk caching system for squid
- DiskCacheSize: maximum value of squid cache on disk
- GreenMode: change Squid operation mode on green networks.
transparent_ssl. Default is:
- KrbPrimaryList: name for Kerberos keytab (used for Active Directory integration)
- KrbStatus: if set to enabled a ticket credential cache file is kept valid by the hourly cron job (used for Active Directory integration)
- MaxObjSize: objects larger than this setting will not be saved on disk. If speed is more desirable than saving bandwidth, this should be set to a low value
- MemCacheSize: value of squid cache on memory
- MinObjSize: can be left at 0 to cache everything, but may be raised if small objects are not desired in the cache.
- NoCache: comma separated list of domains which will be not cached
- ParentProxy: in the form host:port, if omitted port is default to 3128. Default is empty
- PortBlock: if enabled, block port 80 and 443. Default is:
- SafePorts: comma separated list of ports thath can be accessed through the proxy. Listed ports will be added to the default list of safe and ssl ports
squid=service BlueMode=manual DiskCache=disabled DiskCacheSize=100 GreenMode=transparent KrbPrimaryList=HTTP KrbStatus=enabled MaxObjSize=4096 MemCacheSize=256 MinObjSize=1 NoCache=www.nethserver.org ParentProxy= PortBlock=disabled TCPPorts=3128,3129,3130 access=private status=enabled
When the proxy is enabled in transparent mode, all traffic destined to the port 80 is redirect to the Squid (port 3129). This configuration requires Shorewall.
SSL peek and splice¶
If the proxy is enabled in transparent SSL mode, also all traffic destined to port 443 is redirected to Squid (port 3130). The daemon does not inspect SSL traffic, but visited sites can be processed using the web filter.
You could find this kind of errors inside
2016/12/09 09:44:18 kid1| SECURITY ALERT: on URL: avatars0.githubusercontent.com:443 2016/12/09 09:44:18 kid1| SECURITY ALERT: Host header forgery detected on local=188.8.131.52:443 remote=192.168.5.22:40950 FD 166 flags=33 (local IP does not match any domain IP)
In this case, when accessing github, the avatars won’t be displayed by the browser, and you can find a “Timeout error” for the not loaded images.
This kind of errors can’t be fixed. See official documentation for workarounds:
Authentication schema depends on system configuration:
- standard authentication for system users is done over LDAP
- if Samba AD is installed, clients can use Kerberos (SPNEGO/GSSAPI)
The implementation supports 3 kind of bypass:
- source bypass
- destination bypass
- domains bypass
Source and destination bypass¶
Bypass rules are saved inside the
A bypass can be of two types:
- bypass-src: listed origin host are bypassed
- bypass-dst: listed target host are bypassed
- Host: a host object, like a remote or local host
- status: can be
- Description: optional description
boss=bypass-src Description=Boss without proxy Host=host;bosspc status=enabled
All requests to domains listed inside the
BypassDomains property will not
be redirect to the transparent proxy.
The implementation uses the ipset feature of Dnsmasq.
Each time a listed domain is accessed from the client, Dnsmasq resolves the IP
and add it to
squid-bypass ipset is then used as exception inside Shorewall REDIRECT rule.
- all clients must use the server as DNS
- Dnsmasq name resolution works for the listed domains and all sub-domains
There is an event called
nethserver-squid-clear-cache that empties the cache.
Priority and divert rules¶
squid database contains multiple records of type
Each rule has following properties:
key: it’s a numeric uniq id
priority;low: add low priority packet marker using
priority;high: add high priority packet marker using
provider;<name>: add packet marker for provider
force;<name>: force output traffic to
Description: optional description
Dst: comma-separeted list of domains, this is converted to a
Src: firewall object, supported objects are: role, host, zone, ip range and cidr . This is converted to
status: can be
1=rule Action=priority;low Description= Dst=yahoo.com Src=host;giacomo status=enabled 2=rule Action=provider;fast Description= Dst=nethserver.org,nethesis.it Src=host;birro status=enabled 3=rule Action=force;slow Description= Dst= Src=cidr;cidr1 status=enabled
WPAD is located at
The web server is configured to allow the download only from trusted and blue networks,
but be aware that you need to manually open the httpd port for blue networks (see Add a new service).
The WPAD returns:
- DIRECT, if squid is disabled or the requesting client is inside a network where the proxy is configured in transparent mode
- IP of corresponding network interface, if the requesting client is inside a network where the proxy is configured in manual or authenticated mode
- proxy.<domain>, if the server is joined to Active Directory and the requesting client is inside a network where the proxy is configured in manual or authenticated mode
Also WPAD file includes all source and destination bypasses.
The following options are always enabled:
- buffered logs
- SNMP support on port 3401