[squid-users] Recommended squid settings when using IPS-based domain blocking

Jason Marshall jason.marshall at gmail.com
Wed Mar 13 09:09:13 UTC 2024


I would certainly be willing to give it a shot, yes!

Thank you!

Jason


On Wed, Mar 13, 2024 at 4:38 AM <ngtech1ltd at gmail.com> wrote:

> Hey Jason,
>
> I can try to build Squid 6.8 for RHEL 9, would this help you to test it as
> a solution?
>
> Eliezer
>
> From: squid-users <squid-users-bounces at lists.squid-cache.org> On Behalf
> Of Jason Marshall
> Sent: Wednesday, March 6, 2024 4:49 PM
> To: squid-users at lists.squid-cache.org
> Subject: [squid-users] Recommended squid settings when using IPS-based
> domain blocking
>
> Good morning,
>
> We have been using squid (version squid-5.5-6.el9_3.5) under RHEL9 as a
> simple pass-through proxy without issue for the past month or so. Recently
> our security team implemented an IPS product that intercepts domain names
> known to be associated with malware and ransomware command and control.
> Once this was in place, we started having issues with the behavior of squid.
>
> Through some troubleshooting, it appears that what is happening is that
> when a user's machine makes a request through squid for one of these
> bad domains, the request is dropped by the IPS, squid waits for the DNS
> timeout, and then all requests made to squid after that result in
> NONE_NONE/500 errors, and it never seems to recover until we do a restart
> or reload of the service.
>
> Initially the dns_timeout was set for 30 seconds. I reduced this, thinking
> that perhaps requests were building up or something along those lines. I
> set it to 5 seconds, but that just got us to a failure state faster.
>
> I also found the negative_dns_ttl setting and thought it might be having
> an effect, but setting this to 0 seconds resulted in no change to the
> behavior.
>
> Are there any configuration tips that anyone can provide that might work
> better with dropped/intercepted DNS requests? My current configuration is
> included here:
> acl localnet src 0.0.0.1-0.255.255.255  # RFC 1122 "this" network (LAN)
> acl localnet src 10.0.0.0/8             # RFC 1918 local private network (LAN)
> acl localnet src 100.64.0.0/10          # RFC 6598 shared address space (CGN)
> acl localnet src 169.254.0.0/16         # RFC 3927 link-local (directly plugged) machines
> acl localnet src 172.16.0.0/12          # RFC 1918 local private network (LAN)
> acl localnet src 192.168.0.0/16         # RFC 1918 local private network (LAN)
>
> acl localnet src fc00::/7               # RFC 4193 local private network range
> acl localnet src fe80::/10              # RFC 4291 link-local (directly plugged) machines
>
> acl SSL_ports port 443
> acl Safe_ports port 80          # http
> acl Safe_ports port 443         # https
> acl Safe_ports port 9191        # papercut
> http_access deny !Safe_ports
> http_access allow localhost manager
> http_access deny manager
>
> http_access allow localnet
> http_access allow localhost
> http_access deny all
> http_port 0.0.0.0:3128
> http_port 0.0.0.0:3129
> cache deny all
> coredump_dir /var/spool/squid
> refresh_pattern ^ftp:           1440    20%     10080
> refresh_pattern ^gopher:        1440    0%      1440
> refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
> refresh_pattern .               0       20%     4320
> debug_options rotate=1 ALL,2
> negative_dns_ttl 0 seconds
> dns_timeout 5 seconds
>
> Thank you for any help that you can provide.
>
> Jason Marshall
>
>
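The failure pattern Jason describes (one request that stalls for the full dns_timeout, then a run of NONE_NONE/500 replies for everyone) is easy to spot in access.log once you know to look for it. The script below is an added example, written for this thread; it is not code from Squid or from anyone in the discussion. It assumes Squid's default native access.log layout (the built-in "squid" logformat: timestamp, elapsed ms, client, result/status, bytes, method, URL, user, hierarchy, type), that the stalled request itself is logged with some 5xx status (the thread does not say which), and a 5-second dns_timeout matching the posted config. The log lines in it are constructed sample data; the 203.0.113.0/24 and .invalid names are documentation placeholders.

```python
"""Flag the "DNS stall followed by NONE_NONE/500 cascade" pattern in a Squid
access.log. Added illustration for the squid-users thread; not Squid's code.

Assumed log layout (Squid's default native "squid" logformat):
  %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass
class Entry:
    ts: float         # request completion time (epoch seconds)
    elapsed_ms: int   # time Squid spent on the request
    client: str
    result: str       # Squid result code, e.g. TCP_TUNNEL or NONE_NONE
    status: int       # HTTP status sent to the client
    method: str
    url: str


def parse_line(line: str) -> Optional[Entry]:
    """Parse one native-format line; return None for anything unparsable."""
    parts = line.split()
    if len(parts) < 10:
        return None
    try:
        result, status = parts[3].split("/", 1)
        return Entry(float(parts[0]), int(parts[1]), parts[2],
                     result, int(status), parts[5], parts[6])
    except ValueError:
        return None


@dataclass
class Incident:
    trigger_url: str      # the request that hung for the DNS timeout
    trigger_ts: float
    stalled_ms: int
    failed_requests: int  # consecutive NONE_NONE/500 replies that followed


def find_dns_stall_incidents(lines: Iterable[str], dns_timeout_s: float = 5.0,
                             min_failures: int = 3) -> List[Incident]:
    """A trigger is a request that took at least dns_timeout and ended in a
    5xx (assumption: the stalled lookup is logged that way). Count the run of
    NONE_NONE/500 entries that follow it; a run of min_failures or more is
    reported as an incident."""
    entries = [e for e in map(parse_line, lines) if e is not None]
    incidents: List[Incident] = []
    i = 0
    while i < len(entries):
        e = entries[i]
        if e.elapsed_ms >= dns_timeout_s * 1000 and e.status >= 500:
            j = i + 1
            while (j < len(entries) and entries[j].result == "NONE_NONE"
                   and entries[j].status == 500):
                j += 1
            failed = j - i - 1
            if failed >= min_failures:
                incidents.append(Incident(e.url, e.ts, e.elapsed_ms, failed))
            i = j
        else:
            i += 1
    return incidents


# Constructed sample: one normal tunnel, one lookup that hangs for ~5 s on a
# placeholder "blocked" name, then every later request fails with NONE_NONE/500.
SAMPLE_LOG = """\
1710320000.101     45 203.0.113.10 TCP_TUNNEL/200 5120 CONNECT www.example.com:443 - HIER_DIRECT/203.0.113.200 -
1710320005.330   5003 203.0.113.11 NONE_NONE/503 0 CONNECT blocked-name.invalid:443 - HIER_NONE/- -
1710320006.002      1 203.0.113.10 NONE_NONE/500 0 GET http://www.example.com/ - HIER_NONE/- -
1710320006.540      0 203.0.113.12 NONE_NONE/500 0 CONNECT mail.example.org:443 - HIER_NONE/- -
1710320007.100      2 203.0.113.10 NONE_NONE/500 0 GET http://www.example.com/news - HIER_NONE/- -
1710320007.800      1 203.0.113.13 NONE_NONE/500 0 GET http://intranet.example.net/ - HIER_NONE/- -
"""


def describe(incidents: List[Incident]) -> List[str]:
    """One human-readable line per incident, for a cron job or SIEM forwarder."""
    return [f"{inc.trigger_ts:.0f}: {inc.trigger_url} stalled {inc.stalled_ms} ms, "
            f"then {inc.failed_requests} consecutive NONE_NONE/500 replies"
            for inc in incidents]


if __name__ == "__main__":
    for line in describe(find_dns_stall_incidents(SAMPLE_LOG.splitlines())):
        print(line)
```

Pointing the script at a real access.log (for example with `find_dns_stall_incidents(open("/var/log/squid/access.log"))`) gives you the timestamp and the name that triggered each cascade, which is the evidence needed when raising this with the IPS owners: the "trigger" URL in each incident is the lookup the IPS silently dropped, and the run length shows how long the proxy stayed wedged before a reload.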