[squid-users] General security and usage questions

Amos Jeffries squid3 at treenet.co.nz
Tue Apr 11 02:52:20 UTC 2017


On 8/04/2017 1:01 a.m., j m wrote:
> I have a Ubuntu server set up that does various things in addition to
> being a web proxy (squid 3.3.8) to use remotely over the internet.
> This allows me to directly access internal devices with a web page on
> my LAN since my employer, like most, blocks VPN connections.

Please upgrade to a current Ubuntu (Xenial or later) - that will give
you access to a much better version of Squid.


>  My
> intention is to have the squid service running at all times, with a
> login, so I can use it any time.  However, there's a few things I
> have not been able to answer/resolve through my own research:

> 1. I am
> not able to SSH into my server from my employer.  It's rare I'd need
> to do this, but ethical considerations aside, could this work with
> PuTTY over the squid proxy?  I'm confused over how or if this would
> work using the Connection -> Proxy config in PuTTY.  I can
> successfully use my proxy from a web browser, but have had no luck
> with SSH despite entering the proxy info into PuTTY.  Supposedly the
> proxy needs to support the CONNECT method, but I'm unclear what this
> is or how to enable this.  As an aside, I have experimented with
> shellinabox, but abandoned it when I learned it's not encrypted by
> default.

PuTTY should be doable. You just have to configure it to use an HTTP proxy.

Then you have to configure your squid.conf to allow those requests. You
do that by:

 1) adding port 22 to the SSL_Ports and Safe_ports ACLs.

 2) adding extra custom rules to permit CONNECT to port 22 from the
IP(s) your PuTTY connections will be coming from.

 3) explicitly deny all other port 22 connections since the default
security lines no longer do that for you.

PuTTY should now be able to go through the proxy to wherever, the rest
is up to the server permissions at the destination.

I highly recommend that you use client cert verification and good cert
crypto rather than user:pass login - the login method would be visible
across the whole Internet to (and from) the proxy.


> 
> 2. How good is squid's security as far as leaving its port open to
> the Internet, which I obviously have to do in my case?

Depends on what you are meaning by "security".

Squid can be used as a relay to reach anywhere your http_access rules
permit. That is why the very first thing we do is close off ports
0-1024 as tight as possible.

So treat it as being an open hole in your network firewall to *any*
machine's port 22.



>  I found it
> interesting that if I enter http://myip:myport from over the
> Internet, it responds with a "The requested URL could not be
> retrieved" page, along with information that identifies it as squid,
> along with the version number and server name, without asking for a
> login. Being unfamiliar with web proxies, this might be the norm for
> all I know.  If I set up a browser to use it as a proxy, it does ask
> for a login.  It appears the error pages are in
> /usr/share/squid/errors, but is there a way for it to be more
> discreet, preferably to not respond at all or ask for a login? Below
> is my squid.conf.  I removed all the commented lines, and pieced one
> together from information online.  My goal is to have it proxy
> basically anything thrown at it if authenticated,

That is not possible. As my most frequent comment says "Squid is an HTTP
proxy".

Meaning it only proxies/relays the protocols it understands - primarily
HTTP, nowadays also FTP. Nothing else.

Any other protocol must use an HTTP CONNECT request to get through
reliably, and that depends on the sending software being aware of the
proxy being an HTTP one. Which is why the default behaviour is to
respond with an HTTP error page - so smart senders can use that info to
switch to HTTP.


> be as secure as
> reasonably possible,

FYI: Proxying anything and being secure are opposites. You only get to
pick one.


> absolutely no caching, and enable SSH
> connections through it, if possible. Thanks in advance.
>
> auth_param basic program /usr/lib/squid3/basic_ncsa_auth /etc/squid3/passwords
> auth_param basic realm proxy
> acl authenticated proxy_auth REQUIRED
> http_access allow authenticated
> # Choose the port you want. Below we set it to default 3128.
> http_port 8092
> cache deny all
> access_log none
> acl CONNECT method CONNECT
> 

Please use at minimum the config file lines shown here for your current
Squid version:
 <http://wiki.squid-cache.org/Squid-3.3>
(or if you upgrade the relevant wiki page for that series)

Your own customisations should be added to those, not replace them.

NP: while debugging this new configuration it is a good idea to
re-enable the access.log outputs so you can see what is actually going
on. There is no way to decide if something is actually correct if you
cannot see it happening.

Amos
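The three squid.conf steps above (open port 22 in the SSL_ports/Safe_ports ACLs, permit CONNECT to 22 only from known client addresses, then explicitly deny all other port-22 traffic) written out as one fragment. This is an added example, not a config from Amos or from the Squid project; the client address 203.0.113.10 is a documentation placeholder, and the access.log path is an assumption for the Ubuntu squid3 package.

```squidconf
# Added example squid.conf fragment (not part of the original message).
# Assumption: the PuTTY client connects from 203.0.113.10 (placeholder address).

# Step 1: port 22 must be in both SSL_ports (CONNECT targets) and Safe_ports.
acl SSL_ports port 443
acl SSL_ports port 22
acl Safe_ports port 80
acl Safe_ports port 443
acl Safe_ports port 22
acl CONNECT method CONNECT

# ACLs used only by the SSH rules below.
acl ssh_port port 22
acl ssh_clients src 203.0.113.10

# Squid's default security lines. Because SSL_ports now contains 22,
# the second line no longer blocks CONNECT to port 22 by itself.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Step 2: permit CONNECT to port 22 only from the known client address(es).
http_access allow CONNECT ssh_port ssh_clients

# Step 3: explicitly deny every other port-22 request (any client, any method),
# otherwise the generic "allow authenticated" rule further down would relay
# SSH to any host reachable from the proxy.
http_access deny ssh_port

# Login for ordinary HTTP proxying (the poster's existing settings).
auth_param basic program /usr/lib/squid3/basic_ncsa_auth /etc/squid3/passwords
auth_param basic realm proxy
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access deny all

http_port 8092
cache deny all

# Keep access logging on while testing so each allow/deny decision is visible.
# Assumed default path for the Ubuntu squid3 package.
access_log daemon:/var/log/squid3/access.log squid
```

On the PuTTY side this matches Connection -> Proxy with proxy type HTTP, the proxy host and port 8092, and the SSH host/port as the session target. Rule order matters: the `allow CONNECT ssh_port ssh_clients` line must come before `deny ssh_port`, and both must come before `allow authenticated`, since Squid stops at the first http_access line that matches.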

