Monday, September 6, 2010

Squid Proxy (Secure, Paranoid and Non-caching)

Squid is a caching proxy for the Web supporting HTTP, HTTPS and FTP. It can be used to protect internal LANs from questionable servers, to account for where clients go, and to control which servers clients are allowed to reach.
Squid allows you to enforce policies with your users. If you have a policy stating that no one can access CNN except at lunch time, between 12 noon and 2pm, then you have that control. If you need to block MySpace or YouTube, or if you only allow the latest version of Firefox outside your network, you have that ability. Squid also allows you to limit the headers a client can send and receive. If you want to block clients from logging into external sites like Gmail, but still allow them to look at those sites, then filtering the "Authorization" header will do it.

If you are a parent and need to filter web access at home then Squid is the perfect tool. It can run on a separate machine inaccessible to children, thus securing it from tampering. You can set up search parameters that stop pages from loading if certain words are found on the remote page. Pages can be blocked by URL or IP address, and you can even set the times your children can access the web. Squid gives you the ability to enforce the rules you set down for your home network. As an added bonus, Squid will keep logs of every URL, search query and server your network accesses for future review.
The best part is Squid is Open Source and completely free.

Introduction to the squid.conf

This Squid proxy configuration is set up to be a non-caching secure proxy for HTTP and HTTPS only. This machine is accessing a low latency, high speed and unmetered Internet connection. Since our example network has unlimited bandwidth and it is fast, we are _not_ going to use caching. This config only allows access by the internal LAN (10.10.10/28), applies short timeouts for connections and enables the calomel.org "anti-ad server" modification. To protect our internal browsers, Squid will deny all headers except those specifically listed and obfuscate the Accept and User-Agent headers, anonymizing our browsers.
Below you will find the link to the squid.conf example file and below that is the same squid.conf file in a text box. Both formats are available to make it easier for you to review the code. This squid.conf is a fully working config file with the exception of setting up a few variables for your environment.
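As an added illustration of the settings described above (this is not the calomel.org squid.conf, and it leaves out the "anti-ad server" modification), a fragment along these lines covers the LAN-only access, no caching, short timeouts and header allowlist. The listen address, port, timeout values, replacement strings and the choice of allowed headers are assumptions, and the directive names are those of Squid 3.x.

```conf
# Added example; addresses, port and values below are assumptions.
# Listen only on the LAN-facing interface (assumed 10.10.10.1:8080).
http_port 10.10.10.1:8080

# The internal LAN from the text (10.10.10/28 written out in full).
acl lan src 10.10.10.0/28
acl web_ports port 80 443
acl ssl_ports port 443
acl CONNECT method CONNECT

# http_access rules are evaluated top to bottom and the first match wins,
# so the denies come first and the final rule refuses everything else.
http_access deny !web_ports
http_access deny CONNECT !ssl_ports
http_access allow lan
http_access deny all

# Non-caching: never store any response.
cache deny all

# Short timeouts so stalled connections are dropped quickly.
connect_timeout 30 seconds
request_timeout 30 seconds
read_timeout 30 seconds
persistent_request_timeout 30 seconds

# Request header allowlist: permit the headers named here, drop the rest.
# Authorization is not listed, so it never leaves the LAN.
request_header_access Host allow all
request_header_access Accept-Encoding allow all
request_header_access Content-Type allow all
request_header_access Content-Length allow all
request_header_access Cookie allow all
request_header_access Connection allow all
# Accept and User-Agent are denied and then replaced with fixed strings,
# so every browser behind the proxy presents the same values.
request_header_access Accept deny all
request_header_access User-Agent deny all
request_header_access All deny all
request_header_replace Accept */*
request_header_replace User-Agent Mozilla/5.0 (generic)
```

Running `squid -k parse` against the file checks its syntax before the proxy is restarted.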

Courtesy: https://calomel.org/squid.html