Tag Archives: squid

Squid 2.5 digest authentication

More than a year ago I wrote a post explaining how to set up digest authentication for the Squid proxy server, so that passwords are not sent to the server in plain text when authenticating.

That post was written for squid 2.6, but recently I had to set up the same thing on Squid 2.5 and found out that the setup is a bit different.

Squid 2.5 is really very old and fewer and fewer people will be using it, as even Squid 2.6 becomes obsolete with the release of Squid 3.0.
So if you are setting up a new proxy server, please use Squid 2.6 and take a look at how to set up digest authentication in squid 2.6.

The differences are really minor, but here they are, in case I or someone else still needs to set up squid 2.5 with it.

The first difference is in the way you have to specify the "digest program" auth param.

For squid 2.6 it has to be like this:

auth_param digest program /usr/lib/squid/digest_pw_auth  -c /etc/squid/digest_passwd 

but for squid 2.5 it has to be:

auth_param digest program /usr/lib/squid/digest_pw_auth  /etc/squid/digest_passwd 

The second difference is in how the passwords are stored. In Squid 2.6 the passwords are stored securely as an md5 hash, but in squid 2.5 they are stored in plain text in the format "username:password" (one more reason to make sure /etc/squid/digest_passwd can't be read by anyone other than the squid user).

So with squid 2.5, what you gain in security over the network transmission of the password you lose in security of the password storage. This may still be a good deal if your local security is high, because there isn't any way you can control the security of the network between you and the proxy server.

Weekend’s piece of shell magic

A few days ago I wrote a post about setting up squid as an anonymous proxy using multiple ips.

That setup basically makes squid listen for connections on certain ips and create the outgoing connections (for fetching the requested page) from the same ip that received the connection. The setup, as described in my previous post, involves creating one acl and one tcp_outgoing_address for each ip you want to use. That's ok if you have just a few ips or even a full class (because you can create one acl to match the whole class), but what do you do if you have multiple classes and non-consecutive ips in each class? And I'm talking about many such ips, not just 10, but 100 or more...

The shell Magic

Well, if you have already defined the ips on your interface(s) and you want to use all of those ips in squid, you can use this simple shell script, which parses the output of ifconfig and prints the acl and tcp_outgoing_address directives for each ip.

# Every IPv4 address configured on any interface, except 127.0.0.1
for i in $(ifconfig -a | grep "inet addr" | cut -f2 -d: | cut -f1 -d' ' | grep -v 127.0.0.1) ; do
  an=$(echo $i | tr . _) ;   # 10.0.0.1 -> 10_0_0_1, usable in an acl name
  echo "acl in_$an myip $i" ;
  echo "tcp_outgoing_address $i in_$an" ;
done

Run this script on the server where you want to install squid and it will output the acls and directives needed for using all the ips (except 127.0.0.1). Then just copy and paste them into squid.conf.

Now, shell magic is nice, but if you want to get your hands dirty you might want to look into patching squid to do the same thing. With the squid outgoing ip patch you will not have to write any acl or tcp_outgoing_address for it, but of course you'll have to do the "get source - patch - compile" stuff, which some may find harder and others more fun 🙂

How to set up an anonymous proxy on debian

This document describes the steps required to install the squid proxy server from http://squid-cache.org and webmin from http://webmin.com on a debian 4.0 system, as well as the basic steps required to configure squid to listen on multiple ip addresses and use them as the outgoing source address for connections. It will also show you how to configure squid from webmin to accept connections only from predefined clients, based on the client's ip address.

For the steps presented below, root access over ssh to the server or physical (console) access is required.

Squid installation

Installing squid on a debian system is straightforward. Log in as root and just type: apt-get install squid. This will install squid along with all required dependencies (it may ask for permission to install; in that case just approve).

Webmin installation

Download the webmin .deb package from http://webmin.com/download.html, upload it to your server, then type: dpkg -i webmin_1.xyz.deb where xyz is the current webmin version.
This will look for the required dependencies and let you know if something is missing. In case anything is missing you can just install it using the apt-get install command, similar to how you installed squid.

Once webmin is installed you can access it over the web from your browser, at https://yourdomain.com:10000

Webmin configuration

If webmin and squid were both installed from the standard debian packages then webmin should already know where the squid configuration files are and be able to modify them and stop/start squid. If this is not the case, you can set the paths in the module's configuration section.

Squid Anonymous configuration

Set http_port to specify the port and ips where squid will listen for incoming connections. If you want squid to listen on all available ips, just set it like this: http_port 3128

Make squid anonymous by specifying which headers it should allow/deny. For a highly anonymous proxy, here is the suggested configuration:
header_access Allow allow all
header_access Authorization allow all
header_access WWW-Authenticate allow all
header_access Proxy-Authorization allow all
header_access Proxy-Authenticate allow all
header_access Cache-Control allow all
header_access Content-Encoding allow all
header_access Content-Length allow all
header_access Content-Type allow all
header_access Date allow all
header_access Expires allow all
header_access Host allow all
header_access If-Modified-Since allow all
header_access Last-Modified allow all
header_access Location allow all
header_access Pragma allow all
header_access Accept allow all
header_access Accept-Charset allow all
header_access Accept-Encoding allow all
header_access Accept-Language allow all
header_access Content-Language allow all
header_access Mime-Version allow all
header_access Retry-After allow all
header_access Title allow all
header_access Connection allow all
header_access Proxy-Connection allow all
header_access Cookie allow all
header_access Set-Cookie allow all
header_access All deny all

Some may want to remove the lines that contain the Cookie and Set-Cookie headers, but if you do that most sites will not work anymore, because most require cookie / session support.

Squid multiple ip configuration

We want connections that come in on one ip to go out on the same ip. First set acls to identify the ips where squid listens for incoming connections. Let's say we have 3 ips: 10.0.0.1, 10.0.1.1 and 10.0.2.1. The acls would look like this:
acl in_10_0_0_1 myip 10.0.0.1/32
acl in_10_0_1_1 myip 10.0.1.1/32
acl in_10_0_2_1 myip 10.0.2.1/32

Now you can set up tcp_outgoing_address using the above acls:

tcp_outgoing_address 10.0.0.1 in_10_0_0_1
tcp_outgoing_address 10.0.1.1 in_10_0_1_1
tcp_outgoing_address 10.0.2.1 in_10_0_2_1

Set up access rules based on client ip

You will have to set up acls similar to the above, but these identify the client's ip (not the proxy server's ip). Then the acls are used in the http_access directive. This can be done directly in the configuration file.

Here is a sample that shows how to allow access for a client with the ip 10.0.0.10:
acl cli_10_0_0_10 src 10.0.0.10
http_access allow cli_10_0_0_10
Just put those two lines in squid.conf before the “http_access deny All” line.
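Putting the listening-ip acls, the tcp_outgoing_address lines and the client src acls together, here is a small generator (added example, not the post's script; the ip lists are constructed) that does in Python what the ifconfig shell one-liner from the "shell magic" post does, but validates every address first so that a typo such as 10.0.0.0.10 is rejected instead of breaking squid at startup, and always emits the allow rules before the final deny:

```python
import ipaddress


def acl_name(prefix: str, ip: str) -> str:
    # Same convention as the shell script: dots become underscores.
    return f"{prefix}_{ip.replace('.', '_')}"


def bad_addresses(addresses):
    # Entries that are not valid IPv4 hosts/networks (e.g. "10.0.0.0.10").
    bad = []
    for raw in addresses:
        try:
            ipaddress.IPv4Network(raw, strict=False)
        except ValueError:
            bad.append(raw)
    return bad


def outgoing_rules(listen_ips):
    # One 'myip' acl plus tcp_outgoing_address per listening ip; loopback skipped.
    lines = []
    for raw in listen_ips:
        ip = ipaddress.IPv4Address(raw)  # raises ValueError on a bad address
        if ip.is_loopback:
            continue
        name = acl_name("in", str(ip))
        lines.append(f"acl {name} myip {ip}/32")
        lines.append(f"tcp_outgoing_address {ip} {name}")
    return lines


def client_rules(client_networks):
    # Accepts single hosts ("10.0.0.10") or whole classes ("10.0.1.0/24").
    lines = []
    for raw in client_networks:
        net = ipaddress.IPv4Network(raw, strict=False)
        name = acl_name("cli", str(net.network_address))
        if net.prefixlen != 32:
            name += f"_{net.prefixlen}"
        lines.append(f"acl {name} src {net.with_prefixlen}")
        lines.append(f"http_access allow {name}")
    return lines


def render(listen_ips, client_networks) -> str:
    # Allow rules must precede the final deny ('all' is squid's default acl).
    lines = outgoing_rules(listen_ips) + client_rules(client_networks)
    lines.append("http_access deny all")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample addresses
    print(render(["10.0.0.1", "10.0.1.1", "10.0.2.1"], ["10.0.0.10", "10.0.1.0/24"]))
```

Paste the output into squid.conf in place of the hand-written acl and http_access lines.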

You can also add an ACL from webmin -> Servers -> Squid Proxy Server -> Access Control -> Edit Acl. The acl type has to be “Client address”. You just have to set a name and a “From address” (the address you want to allow access to squid) for it, then save it. After you set the ACL, go to "Add proxy restriction", set the Action to “Allow”, select your acl from the "Match ACLs" box and click save. After the save you should be redirected to the main acls page, where you should see your acl in the “Proxy restrictions” list, right at the bottom.
You will have to make sure your acl goes before the “Deny all” entry, or else it will have no effect. You can move it one row up by clicking the “Up” arrow.

Now you can start/restart squid from the command line with /etc/init.d/squid start or /etc/init.d/squid restart, or from webmin -> squid proxy server.
You can test your squid configuration by setting any of the available ips as the HTTP proxy in your browser (port 3128) and then going to http://spotip.com. That site should show you the exact ip you have set as the proxy in your browser.

squid outgoing ip patch

Some time ago a client of mine was running squid on a system with multiple interfaces and ips. He wanted a setup where squid would use the same ip on which it received the connection to open the connection to the destination server for fetching the content.

Let's say we have 3 ips, 1.1.1.1, 1.1.1.2, and squid listens on both interfaces. Now if a client connects to the proxy server on ip 1.1.1.1 and requests google.com, squid will use 1.1.1.1 to make the connection to google. If the client connects to 1.1.1.2, squid will use 1.1.1.2 to connect to the destination server.


squid digest authentication

If you use authentication in squid you have several mechanisms (authenticators) to choose from. The Basic authenticator is the easiest to set up and the most insecure, because the client sends the username and password in plain text to the proxy server.

Instead of Basic you should consider using the Digest authenticator. This authenticator does not require the client to send the user and password in plain text, but as an MD5 hash, so that an attacker who captures the data between the client and the proxy server will not be able to use the user and password.
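To make the two points above concrete (the Digest exchange never carries the password, and the 2.5 vs 2.6 password-file difference from the Squid 2.5 post), here is an added example, not the post's or Squid's code: it writes both digest_pw_auth line formats, recomputes an RFC 2617 response the way the proxy does using only the stored HA1, and checks the file mode the 2.5 post warns about. User, realm and nonce values are constructed.

```python
import hashlib
import os
import stat


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def ha1(user: str, realm: str, password: str) -> str:
    # HA1 = MD5(username:realm:password). It is the only secret the proxy
    # needs to check a digest, which is why Squid 2.6 can store it instead
    # of the password itself.
    return md5_hex(f"{user}:{realm}:{password}")


def passwd_line_25(user: str, password: str) -> str:
    # Squid 2.5 digest_pw_auth line: plain "username:password".
    return f"{user}:{password}"


def passwd_line_26(user: str, realm: str, password: str) -> str:
    # Squid 2.6 digest_pw_auth -c line: "username:realm:HA1".
    return f"{user}:{realm}:{ha1(user, realm, password)}"


def digest_response(h1: str, method: str, uri: str, nonce: str) -> str:
    # RFC 2617 response without qop: MD5(HA1:nonce:HA2), HA2 = MD5(method:uri).
    # With qop=auth the nonce-count, cnonce and qop fields sit between nonce
    # and HA2; the proxy-side check works the same way.
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{h1}:{nonce}:{ha2}")


def verify(stored_line: str, method: str, uri: str, nonce: str,
           response: str) -> bool:
    # Proxy side: take HA1 from the 2.6-style file and recompute the response.
    # A response captured under one nonce does not verify under another.
    _user, _realm, h1 = stored_line.split(":", 2)
    return digest_response(h1, method, uri, nonce) == response


def mode_is_private(mode: int) -> bool:
    # Either file format must stay unreadable by group and others (e.g. 0600).
    return stat.S_IMODE(mode) & 0o077 == 0


def file_is_private(path: str) -> bool:
    return mode_is_private(os.stat(path).st_mode)


if __name__ == "__main__":
    # Constructed sample user; the realm must match "auth_param digest realm".
    print(passwd_line_25("alice", "s3cret"))
    print(passwd_line_26("alice", "proxy", "s3cret"))
```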


squid 2.6 transparent proxy

If you used squid 2.5 to create a transparent proxy and decided to switch to 2.6, or if this is the first time you are setting up a transparent proxy and most/all of the tutorials out there are for squid 2.5, here is a brief howto for this setup.

In squid 2.6 the configuration options:
httpd_accel_host
httpd_accel_port
httpd_accel_with_proxy
httpd_accel_uses_host_header
are not defined anymore (see the squid 2.6 release notes), so if you are still using them in your config file squid will give you an error like "parseConfigFile: line 41 unrecognized: 'httpd_accel_host virtual'" and refuse to start.

To activate transparent proxying in squid 2.6, all you have to do is use the "transparent" option on http_port. Something like:

http_port 3128 transparent

Of course, squid has to be compiled with transparent proxy support for netfilter (iptables) by adding --enable-linux-netfilter to the ./configure line, the linux kernel needs to be compiled with netfilter, and you will also need an iptables rule that redirects packets arriving on your local network interface with destination port 80 to the port squid is listening on.

Assuming your local network interface is eth1 and squid listens on port 3128, here is the rule that has to be added to iptables (REDIRECT lives in the nat table, so -t nat is required):

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128