[squid-users] Looking for additional information about securing squid

Wed Dec 14 02:55:51 UTC 2016

> First question - what are you aiming / hoping to achieve by implementing
> Squid?

1. Some ad blocking via an MVPS hosts file. I'm not trying for a perfect solution, some ad blocking is better than none.

2. Parental control abilities. I like that squid can serve a local webpage that can say, "Facebook is only allowed between X hours on X days" instead of giving an unreachable response.

3. Possible small improvements in page response times due to web caching and ad blocking.

> Second question - do you really give guests full access to your home
> network, rather than just "a gateway to the Internet with no visibility
> of my private machines"?

At the moment, yes.  It's a work in progress.  I can count on one hand the number of people I've allowed access to in the last year and my wifi is secured as best it can be.  That said, I recognize that - as the saying goes - locks only keep good people out.

> data leaks
> cache poisoning
> message smuggling

I need to read up on cache poisoning, haven't heard of that one. Not sure what you mean by message smuggling.  And yes, the data leaks was what I knew enough to be asking about.  Specifically my concern is that someone could gain control of my server and install malware/trojan/work/whatever.  I'm not that good with Linux yet so I probably wouldn't even know where to begin looking for something like that, much less clean it off.  And I would expect the malware/antivirus safeguards I have on my PCs would be less effective if there's a server on the same LAN possibly attacking them 24/7.

> The risk is relative to your overall network security design, and that
> should of course be considered before starting a proxy in any network
> more secure than what the default squid.conf allows.

<joke>
Well I'm sure my network is *less* secure than what the default squid.conf allows so no worries, eh?
</joke>

> If you want advice about specific features that is not mentioned in the
> relevant squid.conf directive docs or the wiki, feel free to ask. But
> security is a rather big topic so pardon if I dont try to brain-dump
> everything right here :-)

Understood. Antony was on the right track with asking about my objectives.

As far as non-standard squid config ... I really wish I could link you to the website I used as a template to add onto the default squid install. Normally I save the web link in the txt file with the notes I've made but I seem to have forgotten to save the link in this one.  I've spent about the last 20 minutes searching but I can't find the page.  There were a few things I added for rate limiting Windows update and allowing Youtube and cgi-bin pages to be cached, but the modifications shouldn't have affect permissions, etc.  I don't think they would, but would've liked to have linked you to that page.