[squid-users] Looking for additional information about securing squid

Amos Jeffries squid3 at treenet.co.nz
Wed Dec 14 00:39:20 UTC 2016


On 14/12/2016 11:44 a.m., Steve Becker wrote:
> Hi all,
> 
> My background's in networking, I'm very new to unix/linux and server
> administration, I don't know a whole lot about security beyond ACLs and
> setting up crypto for VPNs. I'm setting up a box at home with CentOS and
> squid, among other features (I want this box to be a syslog server, etc).
> At the moment I have no plan to run a web server, but I'm still concerned.
> I know web servers are vulnerable to certain kinds of attacks, some of which
> could escalate user privileges or dump data people shouldn't have access to.
> Is squid, as a proxy server, vulnerable to some of these kinds of
> attacks?

Generally no. Those types of attack require operations that Squid does
not do (executing something attacker-controlled). Though sometimes the
helpers and plugins people use might have such problems. Especially
badly written custom ones.

Squid (and other HTTP proxies) vulnerabilities tend to be along the
lines of: data leaks, DoS, cache poisoning, or message smuggling. The
result of those types is typically privacy abuses, or network hijacking
by allowing attack malware to reach target servers or other clients.


>  I'll be limiting squid to only accept traffic from my LAN but you
> still never know.  A guest might use my network with an infected device,
> etc.
> 
> 
> I've looked at the security FAQ on the squid wiki, and I tried to search the
> mailing list archive using the link at
> http://www.squid-cache.org/Support/mailing-lists.html, however I get a 404
> error.  I downloaded the last 6 months worth of archives and searched for
> the word security, and I see references to SSL, TLS, bumping, etc.  I'm sure
> these conversations follow the requirements of people using squid at work
> but aside from one thread I don't see anything addressing my concerns, hence
> my post.
> 

It may not be easy to see at times, but most of the traffic on this list
includes a security aspect. The posters either have a specific
transaction problem, or some f'up in their config settings letting
traffic do unwanted things.
To resolve that type of thing we not only have to provide a solution
but try to ensure the admin in question (and future readers) understands
why it solves the problem, and whether there are any risks associated
(i.e. security considerations).

(Thanks for the mention of that 404. Looking into it now.)

> 
> I suspect there's no more additional securing of squid I need to do - if
> there were I would've expected something to mention it in the FAQ - but I'd
> rather ask just in case.  Any thoughts/suggestions?
> 

Yes. The default installation of Squid is very secure so far as CVE type
vulnerability issues go. We do aim to be completely secure (if only it
were possible!). But that naturally varies by version and what is known
about.


As for an attacker in your LAN: they can use the proxy default config to
do some limited HTTP things, but they would be able to do even more
nasties if they didn't go through Squid's protocol sanitizing/validation
logic. The risk is relative to your overall network security design,
and that should of course be considered before starting a proxy in any
network more secure than what the default squid.conf allows.


The wiki in general has a lot of info, most of it is under specific
config examples or feature documentation rather than the FAQ. The
squid.conf documentation also has 'WARNING' notes and mentions of issues
related to using the relevant directives.

If you want advice about specific features that are not mentioned in the
relevant squid.conf directive docs or the wiki, feel free to ask. But
security is a rather big topic so pardon if I don't try to brain-dump
everything right here :-)

Amos
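A minimal home squid.conf along the lines discussed in this thread (LAN-only access, the stock port and CONNECT restrictions, and the recommended to_localhost deny so the proxy cannot be used to reach other services running on the same box), added here as an illustration and not taken from the original thread or the Squid project. It assumes Squid 3.2 or later (where the localhost, to_localhost, manager and all ACLs are predefined); the 192.168.1.0/24 subnet and 192.168.1.1 address are placeholders for the reader's own LAN.

```squid
# Added example; adjust the subnet and address to your own LAN.
# The stock squid.conf lists every RFC1918/ULA range under localnet;
# narrow it to the one subnet that is actually in use at home.
acl localnet src 192.168.1.0/24          # assumed: your LAN

# Ports clients may be proxied to (same sets as the stock squid.conf).
acl SSL_ports port 443
acl Safe_ports port 80                   # http
acl Safe_ports port 443                  # https
acl Safe_ports port 21                   # ftp
acl Safe_ports port 1025-65535           # unregistered ports
acl CONNECT method CONNECT

# Reject requests to unusual ports and CONNECT tunnels to non-TLS ports.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Only a local admin may query the cache manager.
http_access allow localhost manager
http_access deny manager

# Stop the proxy being used as a path to services bound to the proxy
# box itself (e.g. the syslog daemon). The stock file ships this line
# commented out; to_localhost is predefined in Squid 3.2 and later.
http_access deny to_localhost

# Allow the LAN, then deny everyone else; the final rule is the safety net.
http_access allow localnet
http_access allow localhost
http_access deny all

# Listen on the LAN-facing address only rather than on all interfaces.
http_port 192.168.1.1:3128               # assumed: proxy box LAN address
```

After editing, `squid -k parse` reports syntax or ACL-definition problems before the service is restarted.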


