Squid configuration snippets - Ansible Role: ansible-role-squid
| Path | Description |
|---|---|
| /etc/squid/squid.conf | Default config file with includes |
| /etc/squid/conf.d | Custom config folder |
| /etc/squid/acl.d | Custom ACL folder |
| /etc/squid/errors.d | Custom error pages folder |
Squid config:
# Custom config folder
include /etc/squid/conf.d/*.conf
Squid ACL file naming scheme:
/etc/squid/acl.d/acl_{src,dst,dstdomain,url_regex}_{allow,deny}_<name>.lst
$ vim /etc/squid/acl.d/block_keywords.lst
facebook
tube
youporn
xnnx
pornhub
$ vim /etc/squid/squid.conf
# url_regex matches against the whole URL, so a bare keyword like "tube" also hits youtube.com.
# For HTTPS Squid only sees the CONNECT target (host:port), not the path or query string.
acl mynetwork src 10.0.0.0/8
acl block_keyword url_regex -i "/etc/squid/acl.d/block_keywords.lst"
http_access deny mynetwork block_keyword
http_access allow mynetwork
$ vim /etc/squid/acl.d/block_extensions.lst
\.exe$
\.cmd$
\.bat$
\.ps1$
$ vim /etc/squid/squid.conf
# The patterns are anchored on the end of the URL, so http://host/tool.exe?id=1 is not matched,
# and an HTTPS download is not matched at all (only host:port is visible for CONNECT requests).
acl mynetwork src 10.0.0.0/8
acl block_extensions url_regex -i "/etc/squid/acl.d/block_extensions.lst"
http_access deny mynetwork block_extensions
http_access allow mynetwork
$ vim /etc/squid/acl.d/block_browsers.lst
Firefox
Chrome
$ vim /etc/squid/squid.conf
# Browser names live in the User-Agent request header, which url_regex never looks at;
# the "browser" ACL type matches a regex against the User-Agent header.
acl mynetwork src 10.0.0.0/8
acl block_browsers browser -i "/etc/squid/acl.d/block_browsers.lst"
http_access deny mynetwork block_browsers
http_access allow mynetwork
## "dstdomain"
# A leading "." matches the domain and all of its subdomains
# Without the leading "." only exactly this host name matches
# dstdomain also works for HTTPS, because the host name is taken from the CONNECT request,
# so it is the better choice for plain domain blocking than url_regex
$ vim /etc/squid/acl.d/acl_dstdomain_{allow,deny}_mydefinition.lst
.facebook.com
.youtube.de
bild.de
## "dst"
# Define IPs and networks. dst matches the resolved address of the requested host (Squid does the
# DNS lookup itself), so lists of CDN addresses like the ones below go stale quickly.
$ vim /etc/squid/acl.d/acl_dst_{allow,deny}_mydefinition.lst
# Cloudflare
104.16.132.229
104.16.133.229
# Google
172.217.22.131
# Github
140.82.121.3
## "url_regex"
# Patterns are POSIX extended regular expressions searched (unanchored) in the whole request URL,
# e.g. http://www.example.com/index.php, or host:port for HTTPS CONNECT requests.
# Legend:
# ^  = anchor at the beginning of the URL
# .  = any single character (an unescaped dot also matches a real dot)
# \. = a literal dot
# *  = zero or more of the preceding element, so .* = anything (including nothing) and \.* = any number of dots
# /* = zero or more slashes (covers URLs with and without a path)
# $  = anchor at the end of the URL
# Without ^ or a leading \. the pattern sex\.com also matches unisex.com, and \.sex\.com$ does not match
# http://www.sex.com/ because of the trailing slash. Prefer dstdomain for plain domain blocking.
#
$ vim /etc/squid/acl.d/acl_url_regex_{allow,deny}_mydefinition.lst
\.sex\.com$
\.redtube\.com$
.*\.*sex\.com/*.*$
.*\.*redtube\.com/*.*$
$ vim /etc/squid/squid.conf
acl mynetwork src 10.0.0.0/8
acl dstdomain_mydefinition dstdomain "/etc/squid/acl.d/acl_dstdomain_{allow,deny}_mydefinition.lst"
acl dst_mydefinition dst "/etc/squid/acl.d/acl_dst_{allow,deny}_mydefinition.lst"
acl regex_mydefinition url_regex -i "/etc/squid/acl.d/acl_url_regex_{allow,deny}_mydefinition.lst"
# Pick allow or deny per line; rules are evaluated top-down and the first matching line wins
http_access {allow,deny} mynetwork regex_mydefinition
http_access {allow,deny} mynetwork dst_mydefinition
http_access {allow,deny} mynetwork dstdomain_mydefinition
http_access deny all
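To see what the url_regex lists above (the keyword and extension lists as well as the domain patterns) actually match, here is an added example that is not part of the role: it runs the page's patterns against constructed URLs with Python's re module, which agrees with Squid's POSIX extended matching for these simple constructs. The URLs are made up; the host:port form mirrors what Squid sees for an HTTPS CONNECT request.

```python
import re

# Squid compiles url_regex patterns as POSIX extended regular expressions and,
# with -i, case-insensitively; for the constructs used here Python's re agrees.
def compile_url_regex_acl(patterns, ignore_case=True):
    flags = re.IGNORECASE if ignore_case else 0
    return [re.compile(p, flags) for p in patterns]

def acl_matches(compiled, url):
    """Unanchored search like regexec(): any pattern matching anywhere is a hit."""
    return any(r.search(url) for r in compiled)

def evaluate(patterns, urls):
    """Map each URL to True/False for one url_regex list."""
    compiled = compile_url_regex_acl(patterns)
    return {u: acl_matches(compiled, u) for u in urls}

# Pattern lists copied from the page's acl.d files
BLOCK_EXTENSIONS = [r"\.exe$", r"\.cmd$", r"\.bat$", r"\.ps1$"]
ANCHORED_DOMAINS = [r"\.sex\.com$", r"\.redtube\.com$"]
LOOSE_DOMAINS = [r".*\.*sex\.com/*.*$", r".*\.*redtube\.com/*.*$"]

# Constructed request URLs. For plain HTTP Squid matches the full URL; for HTTPS it
# only sees the CONNECT target "host:port", never the path or the query string.
SAMPLE_URLS = [
    "http://www.sex.com/",                     # trailing slash defeats the $-anchored pattern
    "www.sex.com:443",                         # HTTPS CONNECT target
    "http://unisex.com/",                      # false positive for the unanchored pattern
    "http://files.example.com/tool.exe",
    "http://files.example.com/TOOL.EXE",       # -i makes this match as well
    "http://files.example.com/tool.exe?id=1",  # query string bypasses \.exe$
    "files.example.com:443",                   # an HTTPS download of tool.exe is invisible
]

def report():
    """Return {list name: {url: matched}} for every list over the sample URLs."""
    return {
        "anchored_domains": evaluate(ANCHORED_DOMAINS, SAMPLE_URLS),
        "loose_domains": evaluate(LOOSE_DOMAINS, SAMPLE_URLS),
        "block_extensions": evaluate(BLOCK_EXTENSIONS, SAMPLE_URLS),
    }

if __name__ == "__main__":
    for name, results in report().items():
        print(name)
        for url, hit in results.items():
            print(f"  {'DENY' if hit else 'pass'}  {url}")
```

The run shows both failure modes in one place: the `$`-anchored domain patterns miss every real request (there is always a trailing slash or a `:443`), while the unanchored ones block unisex.com along with sex.com; the extension list is bypassed by a query string and never sees HTTPS at all.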
# Limit the number of simultaneous connections from the same client IP
# maxconn matches when the client already has more than N connections open; put this deny before the allow rule for mynetwork
$ vim /etc/squid/squid.conf
acl mynetwork src 10.0.0.0/8
acl limitusercon maxconn 10
http_access deny mynetwork limitusercon
## Class 1 type delay
# Bandwidth limiting with a class 1 delay pool: one aggregate bucket shared by every client that matches delay_access.
# Delay pools need Squid built with --enable-delay-pools (distribution packages usually are).
# delay_pools 1 = one pool is created
# delay_class 1 1 = pool 1 is of class 1
# delay_parameters 1 restore/max = for pool 1: refill rate in bytes per second / bucket size in bytes (8000/8000 = 64 kbit/s) for the IPs in mynetwork
# delay_access 1 allow mynetwork = requests from mynetwork are shaped by pool 1; requests no delay_access rule matches are not shaped
#
# Values are bytes per second, i.e. kbit/s divided by 8 (this table counts 1 Mbit as 1024 kbit):
# 64 kbit/s = (64/8)*1000 = 8000
# 512 kbit/s = (512/8)*1000 = 64000
# 1 Mbit/s = (1024/8)*1000 = 128000
# 2 Mbit/s = (2048/8)*1000 = 256000
# 10 Mbit/s = (10240/8)*1000 = 1280000
# 100 Mbit/s = (102400/8)*1000 = 12800000
# 1 Gbit/s = (1024000/8)*1000 = 128000000
#
$ vim /etc/squid/squid.conf
acl mynetwork src 10.0.0.0/8
delay_pools 1
delay_class 1 1
delay_parameters 1 8000/8000
delay_access 1 allow mynetwork
## Class 2 type delay
# Class 2 adds an "individual" bucket per client IP to the aggregate bucket. Here the whole pool shares
# 2 Mbit/s (256000 bytes/s) and every single client gets at most 512 kbit/s (64000 bytes/s).
# delay_pools 1 = one pool is created
# delay_class 1 2 = pool 1 is of class 2
# delay_parameters 1 aggregate individual = each given as restore/max: bytes per second / bucket size in bytes
# delay_access 1 allow mynetwork = requests from mynetwork are shaped by pool 1
# Caveat: the individual bucket is chosen by the last octet of the client IP only, so class 2 is meant for
# a single /24; in 10.0.0.0/8 the hosts 10.0.0.5 and 10.1.1.5 share one bucket.
#
$ vim /etc/squid/squid.conf
acl mynetwork src 10.0.0.0/8
delay_pools 1
delay_class 1 2
delay_parameters 1 256000/256000 64000/64000
delay_access 1 allow mynetwork
## Class 3 type delay
# Class 3 adds a "network" bucket between the aggregate and the individual buckets: the whole pool shares
# 2 Mbit/s (256000 bytes/s), each network gets 512 kbit/s (64000 bytes/s) and each individual client 512 kbit/s (64000 bytes/s).
# delay_pools 1 = one pool is created
# delay_class 1 3 = pool 1 is of class 3
# delay_parameters 1 aggregate network individual = each given as restore/max: bytes per second / bucket size in bytes
# delay_access 1 allow mynetwork = requests from mynetwork are shaped by pool 1
# Caveat: the network bucket is keyed on the third octet and the individual bucket on the third and fourth octets
# of the client IP, so class 3 covers a /16; in a /8 hosts from different /16 ranges still share buckets.
#
$ vim /etc/squid/squid.conf
acl mynetwork src 10.0.0.0/8
delay_pools 1
delay_class 1 3
delay_parameters 1 256000/256000 64000/64000 64000/64000
delay_access 1 allow mynetwork
## Time based delay
# The time ACL limits the shaping to working hours (MTWHF = Monday to Friday); outside that window mynetwork is not shaped
$ vim /etc/squid/squid.conf
acl mynetwork src 10.0.0.0/8
acl work_time time MTWHF 07:00-18:00
delay_pools 1
delay_class 1 2
delay_parameters 1 256000/256000 64000/64000
delay_access 1 allow mynetwork work_time
# Define custom error pages in HTML
# The file name is the page name given to deny_info; it begins with ERR_ and is all upper case.
# The file has to be in the directory Squid searches for error templates (the custom error pages folder from the table above).
$ vim /etc/squid/errors.d/ERR_CUSTOM_ACCESS_DENIED
access denied
$ vim /etc/squid/errors.d/ERR_CUSTOM_ACCESS_BLOCKED
access blocked
$ vim /etc/squid/squid.conf
acl mynetwork src 10.0.0.0/8
acl dstdomain_mydefinition dstdomain "/etc/squid/acl.d/acl_dstdomain_{allow,deny}_mydefinition.lst"
# deny_info chooses the page by the last ACL named on the http_access line that denied the request
deny_info ERR_CUSTOM_ACCESS_DENIED mynetwork
deny_info ERR_CUSTOM_ACCESS_BLOCKED dstdomain_mydefinition
http_access deny dstdomain_mydefinition
http_access deny mynetwork
http_access allow all
$ vim /etc/squid/squid.conf
# JSON access log. The logformat must stay on one line. "proxy.hostname" is a placeholder for the proxy's own host name.
# Header values (User-Agent, Referer, Host) may contain quotes, which would break the JSON; the " output modifier
# (%"{User-Agent}>h) escapes embedded quotes, backslashes and control characters C-style.
# %>A triggers a reverse DNS lookup per request; drop it if logging latency matters.
logformat squid_json {"proxy_squid_ip":"%la","proxy_squid_fqdn":"proxy.hostname","proxy_client_ip":"%>a","proxy_client_fqdn":"%>A","proxy_user_agent":"%"{User-Agent}>h","proxy_timestamp":"%tl","proxy_short_message":"%rm %ru HTTP/%rv","proxy_dst_host":"%"{Host}>h","proxy_dst_ip":"%<a","proxy_dst_url":"%ru","proxy_http_status":"%>Hs","proxy_http_method":"%rm","proxy_http_referer":"%"{Referer}>h","proxy_mime_content_type":"%mt","proxy_response_time":"%tr","proxy_request_size":"%>st","proxy_reply_size":"%<st","proxy_squid_request_status":"%Ss","proxy_squid_hierarchy_status":"%Sh"}
access_log /var/log/squid/access.log squid_json
# Example: find all entries for <ip>. Compare with ==, not test(): test() takes a regex in which "." matches
# any character, so test("10.0.0.1") would also match 10.0.0.10.
$ jq -cr 'select(.proxy_client_ip == "<ip>") | [.proxy_client_ip,.proxy_client_fqdn,.proxy_http_status,.proxy_dst_host]' /var/log/squid/access.log
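The jq one-liner answers one question; the same log is more useful for spotting clients that keep running into the deny rules. The following is an added example, not code from the role: it builds a handful of constructed log lines in the squid_json format above (plus one deliberately malformed line, as produced when a header value carries an unescaped quote), parses them, counts TCP_DENIED hits per client and per destination, and contrasts the exact-match lookup with the regex lookup from the original jq filter. All IPs, hosts and timestamps are made up.

```python
import json
import re
from collections import Counter

def _record(client, method, url, host, status, squid_status, user_agent="Mozilla/5.0"):
    """One entry with every field of the page's squid_json logformat (constructed values)."""
    return {
        "proxy_squid_ip": "10.0.0.1", "proxy_squid_fqdn": "proxy.hostname",
        "proxy_client_ip": client, "proxy_client_fqdn": "-",
        "proxy_user_agent": user_agent, "proxy_timestamp": "05/Jan/2024:09:00:00 +0000",
        "proxy_short_message": f"{method} {url} HTTP/1.1",
        "proxy_dst_host": host, "proxy_dst_ip": "192.0.2.10", "proxy_dst_url": url,
        "proxy_http_status": str(status), "proxy_http_method": method,
        "proxy_http_referer": "-", "proxy_mime_content_type": "text/html",
        "proxy_response_time": "12", "proxy_request_size": "300", "proxy_reply_size": "1200",
        "proxy_squid_request_status": squid_status, "proxy_squid_hierarchy_status": "HIER_DIRECT",
    }

SAMPLE_RECORDS = [
    _record("10.1.2.3",  "GET",     "http://www.example.com/",        "www.example.com",   200, "TCP_MISS"),
    _record("10.1.2.3",  "GET",     "http://www.facebook.com/",       "www.facebook.com",  403, "TCP_DENIED"),
    _record("10.1.2.3",  "GET",     "http://m.facebook.com/",         "m.facebook.com",    403, "TCP_DENIED"),
    _record("10.1.2.30", "CONNECT", "www.example.com:443",            "www.example.com",   200, "TCP_TUNNEL"),
    _record("10.1.2.30", "GET",     "http://phish.example.net/login", "phish.example.net", 403, "TCP_DENIED"),
    _record("10.1.2.30", "GET",     "http://www.facebook.com/",       "www.facebook.com",  403, "TCP_DENIED"),
]
# What the logformat emits when a User-Agent contains an unescaped quote: not valid JSON.
BROKEN_LINE = ('{"proxy_client_ip":"10.1.2.3","proxy_user_agent":"Mozilla/5.0 "evil"",'
               '"proxy_squid_request_status":"TCP_MISS"}')
SAMPLE_LOG = [json.dumps(r) for r in SAMPLE_RECORDS] + [BROKEN_LINE]

def parse_access_log(lines):
    """Parse JSON lines; return (records, number of lines that were not valid JSON)."""
    records, bad = [], 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            bad += 1          # count instead of crash: one bad header must not hide the rest
    return records, bad

def _denied(records):
    return (r for r in records
            if r.get("proxy_squid_request_status", "").startswith("TCP_DENIED"))

def denied_by_client(records):
    """Number of requests per client IP that hit an http_access deny rule."""
    return Counter(r["proxy_client_ip"] for r in _denied(records))

def top_blocked_hosts(records, n=5):
    """Most frequently denied destination hosts."""
    return Counter(r["proxy_dst_host"] for r in _denied(records)).most_common(n)

def entries_for_client(records, ip):
    """Exact match on the client IP, which is what the jq filter should do."""
    return [r for r in records if r["proxy_client_ip"] == ip]

def entries_for_client_regex(records, ip):
    """The jq test("<ip>") behaviour: dots are wildcards and the match is unanchored."""
    return [r for r in records if re.search(ip, r["proxy_client_ip"])]

if __name__ == "__main__":
    recs, bad = parse_access_log(SAMPLE_LOG)
    print(f"{len(recs)} records, {bad} unparsable line(s)")
    print("denied per client:", dict(denied_by_client(recs)))
    print("top blocked hosts:", top_blocked_hosts(recs))
    print("exact 10.1.2.3:", len(entries_for_client(recs, "10.1.2.3")),
          "regex 10.1.2.3:", len(entries_for_client_regex(recs, "10.1.2.3")))
```

The regex lookup for 10.1.2.3 returns the entries of 10.1.2.30 as well; the exact comparison does not. Run against the real file with `parse_access_log(open("/var/log/squid/access.log"))`.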
# Limit the maximum response size depending on day and time
# Day letters: S=Sunday M=Monday T=Tuesday W=Wednesday H=Thursday F=Friday A=Saturday; outside the listed windows no limit applies
$ vim /etc/squid/squid.conf
acl weekday_access time M T W H 6:30-20:00
acl friday_access time F 6:30-16:00
acl saturday_access time A 7:00-21:30
acl sunday_access time S 7:00-21:00
reply_body_max_size 30 MB weekday_access
reply_body_max_size 300 MB friday_access
reply_body_max_size 3 GB saturday_access
reply_body_max_size 3 GB sunday_access
# This list is from https://phishing.army/
# -f makes curl fail on an HTTP error instead of saving the error page as a blocklist.
# Squid reads ACL list files only at startup and on "squid -k reconfigure", so reload after updating them.
$ curl -fsS "https://phishing.army/download/phishing_army_blocklist_extended.txt" -o /etc/squid/acl.d/acl_dstdomain_block_phishing.lst
$ curl -fsS "https://raw.githubusercontent.com/maravento/blackip/master/bipupdate/wlst/tw.txt" -o /etc/squid/acl.d/acl_dst_block_teamviewer.lst
# Other Lists
https://github.com/StevenBlack/hosts
https://github.com/maravento/blackweb
https://github.com/austinheap/sophos-xg-block-lists
https://github.com/bmyjacks/adlists
# Alternatively you can use DNS blocking with tools like
https://github.com/chrisruffalo/gudgeon
# Cronjob:
# Files in /etc/cron.d use the system crontab format with a user field, and Debian's cron ignores files whose
# name contains a dot, so do not name them *.sh. Download to a temporary file and move it into place so Squid
# never reads a half-written list, then reload Squid so the new list is actually used.
$ vim /etc/cron.d/squid_update_phishing
@daily root /usr/bin/curl -fsS "https://phishing.army/download/phishing_army_blocklist_extended.txt" -o /etc/squid/acl.d/acl_dstdomain_block_phishing.lst.tmp && /bin/mv /etc/squid/acl.d/acl_dstdomain_block_phishing.lst.tmp /etc/squid/acl.d/acl_dstdomain_block_phishing.lst && /usr/sbin/squid -k reconfigure > /dev/null 2>&1
$ vim /etc/cron.d/squid_update_teamviewer
@daily root /usr/bin/curl -fsS "https://raw.githubusercontent.com/maravento/blackip/master/bipupdate/wlst/tw.txt" -o /etc/squid/acl.d/acl_dst_block_teamviewer.lst.tmp && /bin/mv /etc/squid/acl.d/acl_dst_block_teamviewer.lst.tmp /etc/squid/acl.d/acl_dst_block_teamviewer.lst && /usr/sbin/squid -k reconfigure > /dev/null 2>&1
$ vim /etc/squid/squid.conf
acl mynetwork src 10.0.0.0/8
acl block_phishing dstdomain "/etc/squid/acl.d/acl_dstdomain_block_phishing.lst"
acl block_teamviewer dst "/etc/squid/acl.d/acl_dst_block_teamviewer.lst"
http_access deny block_phishing
http_access deny block_teamviewer
http_access allow mynetwork
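A downloaded feed goes straight into the proxy's policy, so it is worth checking what is in it before Squid loads it: comment lines, hosts-file prefixes, IP addresses or garbage in a dstdomain list produce parse warnings or silently dead entries, and a truncated download would whitelist the world. The script below is an added example and not part of the role or of any of the list projects above. It sanitizes a feed into clean dstdomain entries, drops entries already covered by a wildcard parent (Squid warns about and ignores such overlaps), refuses suspiciously short lists, installs the file atomically, and only reloads Squid if `squid -k parse` still succeeds. The feed text and every path and URL are assumptions; only the offline sanitizing functions are exercised on the constructed sample.

```python
import os
import re
import shutil
import subprocess
import urllib.request

# One dstdomain entry: optional leading dot, then DNS labels. IPs and garbage are rejected.
_DOMAIN_RE = re.compile(r"^\.?(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$")
_HOSTS_FILE_PREFIXES = {"0.0.0.0", "127.0.0.1"}

def sanitize_dstdomain_list(text):
    """Turn a downloaded feed into clean, deduplicated dstdomain entries.
    Comments, blank lines, hosts-file prefixes and anything that is not a domain are dropped."""
    seen, out = set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()
        if not line:
            continue
        parts = line.split()
        if len(parts) == 2 and parts[0] in _HOSTS_FILE_PREFIXES:
            line = parts[1]                      # "0.0.0.0 evil.example.net" -> evil.example.net
        elif len(parts) != 1:
            continue
        if line == "localhost" or not _DOMAIN_RE.match(line):
            continue
        if line not in seen:
            seen.add(line)
            out.append(line)
    return out

def collapse_covered(entries):
    """Drop entries already covered by a wildcard entry: ".example.com" covers
    example.com and www.example.com, which Squid would otherwise warn about."""
    wild = {e[1:] for e in entries if e.startswith(".")}
    kept = []
    for e in entries:
        host = e[1:] if e.startswith(".") else e
        labels = host.split(".")
        covered = any(".".join(labels[i:]) in wild for i in range(1, len(labels)))
        if e == host and host in wild:           # plain "example.com" next to ".example.com"
            covered = True
        if not covered:
            kept.append(e)
    return kept

def install_blocklist(url, dest, squid_bin="/usr/sbin/squid", min_entries=100):
    """Fetch, sanitize and atomically install a list, then reload Squid only if the config still parses.
    Paths and the binary location are assumptions; not exercised offline."""
    with urllib.request.urlopen(url, timeout=60) as resp:    # TLS verified against the system CA store
        text = resp.read().decode("utf-8", "replace")
    entries = collapse_covered(sanitize_dstdomain_list(text))
    if len(entries) < min_entries:                            # a truncated feed must not replace a good list
        raise RuntimeError(f"refusing to install only {len(entries)} entries from {url}")
    tmp, backup = dest + ".tmp", dest + ".bak"
    with open(tmp, "w", encoding="ascii") as fh:
        fh.write("\n".join(entries) + "\n")
    os.chmod(tmp, 0o644)
    if os.path.exists(dest):
        shutil.copy2(dest, backup)
    os.replace(tmp, dest)                                     # atomic: Squid never sees a half-written file
    parsed = subprocess.run([squid_bin, "-k", "parse"], capture_output=True, text=True)
    if parsed.returncode != 0:
        if os.path.exists(backup):
            os.replace(backup, dest)
        raise RuntimeError("squid -k parse failed, previous list restored:\n" + parsed.stderr)
    subprocess.run([squid_bin, "-k", "reconfigure"], check=True)
    return len(entries)

# Constructed sample feed (not a real blocklist) showing the line shapes that turn up in the wild.
SAMPLE_FEED = """\
# constructed sample feed
.facebook.com
www.facebook.com
facebook.com
0.0.0.0 evil.example.net   # hosts-file style line
127.0.0.1 localhost
EVIL.EXAMPLE.NET
1.2.3.4
-bad.example.org
not a domain

bild.de
"""

def demo():
    """Run the offline part of the pipeline over the constructed feed."""
    return collapse_covered(sanitize_dstdomain_list(SAMPLE_FEED))

if __name__ == "__main__":
    print("\n".join(demo()))
```

Wired into the cron job, `install_blocklist(URL, "/etc/squid/acl.d/acl_dstdomain_block_phishing.lst")` replaces the bare curl call; the `min_entries` threshold should be set from the size the feed normally has.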
# Everything is documented in the README:
https://github.com/maravento/blackip
$ vim /etc/squid/squid.conf
# Strip these headers from client requests before they are forwarded.
# This only removes what the client sent; Squid's own Via and X-Forwarded-For headers are controlled by the
# "via" and "forwarded_for" directives ("via off", "forwarded_for delete"), so set those as well to hide the proxy.
request_header_access Cache-Control deny all
request_header_access Via deny all
request_header_access X-Forwarded-For deny all