[squid-users] Looking for additional information about securing squid
sb33781 at gmail.com
Wed Dec 14 02:55:51 UTC 2016
> First question - what are you aiming / hoping to achieve by implementing
1. Some ad blocking via an MVPS hosts file. I'm not trying for a perfect solution, some ad blocking is better than none.
2. Parental control abilities. I like that squid can serve a local webpage that can say, "Facebook is only allowed between X hours on X days" instead of giving an unreachable response.
3. Possible small improvements in page response times due to web caching and ad blocking.
> Second question - do you really give guests full access to your home
> network, rather than just "a gateway to the Internet with no visibility
> of my private machines"?
At the moment, yes. It's a work in progress. I can count on one hand the number of people I've allowed access to in the last year and my wifi is secured as best it can be. That said, I recognize that - as the saying goes - locks only keep good people out.
> data leaks
> cache poisoning
> message smuggling
I need to read up on cache poisoning, haven't heard of that one. Not sure what you mean by message smuggling. And yes, the data leaks was what I knew enough to be asking about. Specifically my concern is that someone could gain control of my server and install malware/trojan/work/whatever. I'm not that good with Linux yet so I probably wouldn't even know where to begin looking for something like that, much less clean it off. And I would expect the malware/antivirus safeguards I have on my PCs would be less effective if there's a server on the same LAN possibly attacking them 24/7.
> The risk is relative to your overall network security design, and that
> should of course be considered before starting a proxy in any network
> more secure than what the default squid.conf allows.
Well I'm sure my network is *less* secure than what the default squid.conf allows so no worries, eh?
> If you want advice about specific features that is not mentioned in the
> relevant squid.conf directive docs or the wiki, feel free to ask. But
> security is a rather big topic so pardon if I dont try to brain-dump
> everything right here :-)
Understood. Antony was on the right track with asking about my objectives.
As far as non-standard squid config ... I really wish I could link you to the website I used as a template to add onto the default squid install. Normally I save the web link in the txt file with the notes I've made but I seem to have forgotten to save the link in this one. I've spent about the last 20 minutes searching but I can't find the page. There were a few things I added for rate limiting Windows update and allowing Youtube and cgi-bin pages to be cached, but the modifications shouldn't have affect permissions, etc. I don't think they would, but would've liked to have linked you to that page.
More information about the squid-users