Installation

This assumes you're installing Squid on CentOS 7.
Update the packages:
yum -y update
Install squid from the yum repository:
yum -y install squid

Basic Configuration

Squid is installed with a default configuration and can be used immediately, albeit with reduced functionality. The following commands can be used to control squid.

Check the version number:
squid -v
Configure Squid to start on boot:
systemctl enable squid
Start Squid:
systemctl start squid
Check the status of Squid:
systemctl status squid
Check that the squid port (3128/tcp by default) is listening:
ss -ln
Stop squid:
systemctl stop squid

By default Squid does not cache any content. Caching is enabled by uncommenting one line in the squid configuration file: edit /etc/squid/squid.conf and uncomment the following line:

cache_dir ufs /var/spool/squid 100 16 256

HTTPS Configuration

Initialise the Squid ssl_db directory by typing the following into the console:

/usr/lib64/squid/ssl_crtd -c -s /var/lib/ssl_db
chown -R squid:squid /var/lib/ssl_db

Create the certificate folder and generate the certificates. The openssl command below is the article's original and creates a 1024-bit RSA CA key; 1024-bit RSA has been deprecated for signing since 2013, so use rsa:2048 or larger for anything beyond a lab:

mkdir /etc/squid/ssl_cert
chown -R squid:squid /etc/squid/ssl_cert
cd /etc/squid/ssl_cert
openssl req -new -newkey rsa:1024 -days 1365 -nodes -x509 -keyout myca.pem -out myca.pem # for the server
openssl x509 -in myca.pem -outform DER -out myca.der # for the client
chown -R squid:squid /etc/squid/ssl_cert

Configure the /etc/squid/squid.conf file to intercept HTTPS. Below is an example of the default squid.conf modified with the minimum changes required to make this work:

#
# Recommended minimum configuration:
#

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128 ssl-bump cert=/etc/squid/ssl_cert/myca.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB

acl step1 at_step SslBump1

ssl_bump peek step1
ssl_bump bump all

# Uncomment and adjust the following to add a disk cache directory.
cache_dir ufs /var/spool/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

You will now need to distribute the client certificate (myca.der) to every client that will communicate through the proxy over HTTPS, so that it trusts the certificates Squid generates.

If you attempt to start squid again you may get the following error:

Dec 17 13:21:47 squid.basec.internal systemd[1]: squid.service: main process exited, code=exited, status=1/FAILURE
Dec 17 13:21:47 squid.basec.internal systemd[1]: Unit squid.service entered failed state.
Dec 17 13:21:47 squid.basec.internal systemd[1]: squid.service failed.

Or you may see the following in /var/log/squid/cache.log:

2017/12/17 13:21:47 kid1| WARNING: ssl_crtd #Hlpr1 exited
2017/12/17 13:21:47 kid1| Too few ssl_crtd processes are running (need 1/32)
2017/12/17 13:21:47 kid1| Closing HTTP port [::]:3128
2017/12/17 13:21:47 kid1| storeDirWriteCleanLogs: Starting...
2017/12/17 13:21:47 kid1|   Finished.  Wrote 0 entries.
2017/12/17 13:21:47 kid1|   Took 0.00 seconds (  0.00 entries/sec).
FATAL: The ssl_crtd helpers are crashing too rapidly, need help!

This is caused by SELinux running on the host. Looking in /var/log/audit/audit.log we see:

type=SYSCALL msg=audit(1513517576.892:1677): arch=c000003e syscall=2 success=no exit=-13 a0=7f62d11402b8 a1=0 a2=1b6 a3=24 items=0 ppid=52660 pid=52664 auid=4294967295 uid=23 gid=23 euid=23 suid=23 fsuid=23 egid=23 sgid=23 fsgid=23 tty=(none) ses=4294967295 comm="ssl_crtd" exe="/usr/lib64/squid/ssl_crtd" subj=system_u:system_r:squid_t:s0 key=(null)
type=AVC msg=audit(1513517576.895:1678): avc:  denied  { read } for  pid=52665 comm="ssl_crtd" name="index.txt" dev="dm-0" ino=67366007 scontext=system_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1513517576.895:1678): arch=c000003e syscall=2 success=no exit=-13 a0=7fdecb2932b8 a1=0 a2=1b6 a3=24 items=0 ppid=52660 pid=52665 auid=4294967295 uid=23 gid=23 euid=23 suid=23 fsuid=23 egid=23 sgid=23 fsgid=23 tty=(none) ses=4294967295 comm="ssl_crtd" exe="/usr/lib64/squid/ssl_crtd" subj=system_u:system_r:squid_t:s0 key=(null)

In a lab environment it should be acceptable to simply put SELinux in permissive mode by modifying /etc/selinux/config and issuing the setenforce 0 command. Outside a lab, the denial above points to a narrower fix: ssl_crtd runs in the squid_t domain and is refused read access to index.txt in /var/lib/ssl_db, which carries the generic var_lib_t label, so relabelling that directory with a type squid_t may write, or loading a local module built from the recorded denials with audit2allow, resolves the problem while keeping enforcing mode.
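To show what the denial above actually says, here is a small parser for audit.log AVC records. This is an added example written for this article, not part of Squid, CentOS or the SELinux tooling; it embeds the two records quoted above as a constructed sample, extracts the source domain, target label, object class and refused permissions, and groups the denials the way a policy tool would, which is the information needed to choose between a relabel and a local policy module instead of permissive mode.

```python
import re
from collections import Counter

# Constructed sample: the SYSCALL and AVC records quoted above from
# /var/log/audit/audit.log on the article's host. Only AVC records describe
# an access decision; the SYSCALL record is the failed open() that triggered it.
SAMPLE_AUDIT = (
    'type=SYSCALL msg=audit(1513517576.895:1678): arch=c000003e syscall=2 success=no '
    'exit=-13 a0=7fdecb2932b8 a1=0 a2=1b6 a3=24 items=0 ppid=52660 pid=52665 '
    'auid=4294967295 uid=23 gid=23 euid=23 suid=23 fsuid=23 egid=23 sgid=23 fsgid=23 '
    'tty=(none) ses=4294967295 comm="ssl_crtd" exe="/usr/lib64/squid/ssl_crtd" '
    'subj=system_u:system_r:squid_t:s0 key=(null)\n'
    'type=AVC msg=audit(1513517576.895:1678): avc:  denied  { read } for  pid=52665 '
    'comm="ssl_crtd" name="index.txt" dev="dm-0" ino=67366007 '
    'scontext=system_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 '
    'tclass=file\n'
)

# "type=AVC msg=audit(<epoch>:<serial>): avc: denied { perm perm } for  key=value ..."
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)'
)
# key=value pairs; values are either double-quoted or run to the next space
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def selinux_type(context):
    """Return the type component of a user:role:type:level security context."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else context


def parse_avc(line):
    """Parse one AVC record into a dict, or return None for any other record type."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    return {
        'timestamp': float(m.group('ts')),
        'serial': int(m.group('serial')),
        'result': m.group('result'),
        'perms': m.group('perms').split(),
        'comm': fields.get('comm', '?'),
        'name': fields.get('name', '?'),
        'tclass': fields.get('tclass', '?'),
        'source_type': selinux_type(fields.get('scontext', '')),
        'target_type': selinux_type(fields.get('tcontext', '')),
    }


def parse_audit_log(text):
    """Return the parsed AVC denials found in a block of audit.log text."""
    records = (parse_avc(line) for line in text.splitlines())
    return [r for r in records if r is not None and r['result'] == 'denied']


def explain(denial):
    """One-line reading of a denial: which domain was refused what on which label."""
    info = dict(denial, perms=' '.join(denial['perms']))
    return ('{comm} in domain {source_type} was denied {perms} on {tclass} "{name}" '
            'labelled {target_type}').format(**info)


def summarize(denials):
    """Count denials by (source type, target type, class, permissions). This is the
    grouping a policy tool such as audit2allow works from, and shows how narrow the
    rule or relabel needed to keep enforcing mode would be."""
    return Counter((d['source_type'], d['target_type'], d['tclass'], ' '.join(d['perms']))
                   for d in denials)


if __name__ == '__main__':
    found = parse_audit_log(SAMPLE_AUDIT)
    for d in found:
        print(explain(d))
    for key, count in summarize(found).items():
        print(count, key)
```

Run against a real audit.log (or the output of ausearch -m avc), the summary collapses thousands of repeated denials into the handful of (domain, label, class, permission) tuples that a relabel or a local module must cover.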

CEF Logging Configuration

By default the ArcSight SmartConnector framework parses Squid logs in the default format. This provides a good amount of information, but with some additional configuration we can have Squid emit more detailed information in CEF format. This reduces the processing overhead on the ArcSight SmartConnector and provides more event data for analysts and for content development.

The table below maps each ESM field to its CEF key and the Squid logformat code that produces it; the last two columns mark whether the field is available from the default Squid log format and from the CEF format configured here.

| ESM Field                | CEF Field      | Format Code              | Meaning                                        | Default | CEF |
|--------------------------|----------------|--------------------------|------------------------------------------------|---------|-----|
| bytesOut                 | out            | %<st                     | Squid response size to client                  | X       | X   |
| destinationHostName      | dhost          | %<A                      | Server IP address or hostname                  | X       | X   |
| destinationUserName      | duser          | %un                      | User name                                      | X       | X   |
| deviceCustomNumber1      | cn1            | %tr                      | Response time (milliseconds)                   | X       | X   |
| deviceCustomString1      | cs1            | %Sh                      | Squid hierarchy status (DEFAULT_PARENT, etc.)  | X       | X   |
| deviceEventClassId       | CEF header     | %>Hs                     | HTTP status code sent to the client            | X       | X   |
| deviceProduct            | CEF header     | "Squid Web Proxy Server" | n/a                                            | X       | X   |
| deviceReceiptTime        | rt             | %ts%03tu                 | Milliseconds since epoch                       | X       | X   |
| deviceSeverity           | deviceSeverity | %Hs                      | HTTP status code sent to the client            | X       | X   |
| deviceVendor             | CEF header     | "Squid"                  | n/a                                            | X       | X   |
| fileType                 | fileType       | %mt                      | MIME content type                              | X       | X   |
| name                     | CEF header     | %Ss                      | Squid request status (TCP_MISS, etc.)          | X       | X   |
| requestMethod            | requestMethod  | %rm                      | Request method (GET/POST, etc.)                | X       | X   |
| requestUrl               | request        | %ru                      | Request URL                                    | X       | X   |
| sourceAddress            | src            | %>a                      | Client source address                          | X       | X   |
| sourceHostName           | shost          | %>A                      | Client IP address or hostname                  |         | X   |
| sourcePort               | spt            | %>p                      | Client port                                    |         | X   |
| destinationAddress       | dst            | %<a                      | Server IP address                              |         | X   |
| destinationPort          | dpt            | %<p                      | Server port                                    |         | X   |
| bytesIn                  | in             | %>st                     | Request size from client                       |         | X   |
| deviceCustomString2      | cs2            | %{Referer}>h             | Referer                                        |         | X   |
| requestClientApplication | requestClient  | %{User-Agent}>h          | Request application                            |         | X   |

CEF Header

The ArcSight CEF Configuration guide defines the CEF Header as follows:

CEF:Version|Device Vendor|Device Product|Device Version|Device Event Class ID|Name|Severity|[Extension]

Version is an integer and identifies the version of the CEF format. Event consumers use this
information to determine what the following fields represent. The current CEF version is 0 (CEF:0).

Severity is a string or integer and reflects the importance of the event. The valid string values are
Unknown, Low, Medium, High, and Very-High. The valid integer values are 0-3=Low, 4-6=Medium,
7-8=High, and 9-10=Very-High.

For our configuration the following CEF Header will be suitable:

CEF:0|Squid|Squid Web Proxy Server|3.5|%>Hs|%Ss|3|

Including the key-value pairs from the table above, the full configuration added to the bottom of the squid.conf file looks like this:

logformat CEF CEF:0|Squid|Squid Web Proxy Server|3.5|%>Hs|%Ss|3|out=%<st dhost=%<A duser=%un cn1=%tr cs1=%Sh rt=%ts%03tu deviceSeverity=%Hs fileType=%mt requestMethod=%rm request=%ru src=%>a shost=%>A spt=%>p dst=%<a dpt=%<p in=%>st cs2=%{Referer}>h requestClientApplication=%{User-Agent}>h cs1Label=Hierarchy Status cs2Label=Referer cn1Label=Response Time
access_log daemon:/var/log/squid/access.log CEF

This changes the format of the access logs to CEF; a sample line is provided below:

CEF:0|Squid|Squid Web Proxy Server|3.5|200|TCP_MISS|3|out=72545 dhost=- duser=- cn1=718 cs1=HIER_DIRECT rt=1513954994458 deviceSeverity=200 fileType=text/html requestMethod=GET request=https://www.microfocus.com/ src=192.168.2.108 shost=192.168.2.108 spt=34820 dst=130.57.66.9 dpt=443 in=720 cs2=https://www.google.co.uk/ requestClientApplication=Mozilla/5.0%20(X11;%20Fedora;%20Linux%20x86_64;%20rv:57.0)%20Gecko/20100101%20Firefox/57.0 cs1Label=Hierarchy Status cs2Label=Referer cn1Label=Response Time
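The header fields defined in the CEF Header section and the key=value extension produced by the logformat above can be checked with a small parser. The following Python is an added example written for this article, not part of Squid or the ArcSight connector; it parses the sample line shown above (embedded as a constructed constant), honours the CEF escapes for `|`, `=` and `\`, undoes the percent-encoding Squid applies to logformat values such as the User-Agent, resolves the cs1Label/cs2Label/cn1Label names, and maps the header Severity to the ranges quoted from the CEF guide. Note that values such as cs1Label=Hierarchy Status contain an unescaped space, which CEF permits; a parser must therefore locate the next key= token rather than split the extension on whitespace.

```python
import re
from urllib.parse import unquote

# Constructed sample: the CEF access-log line shown above, as produced by the
# logformat in this article.
SAMPLE = (
    "CEF:0|Squid|Squid Web Proxy Server|3.5|200|TCP_MISS|3|out=72545 dhost=- duser=- "
    "cn1=718 cs1=HIER_DIRECT rt=1513954994458 deviceSeverity=200 fileType=text/html "
    "requestMethod=GET request=https://www.microfocus.com/ src=192.168.2.108 "
    "shost=192.168.2.108 spt=34820 dst=130.57.66.9 dpt=443 in=720 "
    "cs2=https://www.google.co.uk/ requestClientApplication=Mozilla/5.0%20(X11;%20Fedora;"
    "%20Linux%20x86_64;%20rv:57.0)%20Gecko/20100101%20Firefox/57.0 "
    "cs1Label=Hierarchy Status cs2Label=Referer cn1Label=Response Time"
)

HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "device_event_class_id", "name", "severity")

# An extension key is a run of word characters directly followed by '=' and preceded by
# whitespace (or the start of the extension). A value is whatever lies between one key
# and the next, so unescaped spaces inside values such as "Hierarchy Status" survive.
KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.-]+)=")


def split_header(line):
    """Return the seven pipe-delimited header fields and the remaining extension text.
    A backslash escapes the following character, so an escaped pipe inside a field is literal."""
    fields, current, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            current.append(line[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    if len(fields) != 7:
        raise ValueError("CEF header needs 7 pipe-delimited fields")
    return fields, line[i:]


def unescape_value(value):
    # CEF escapes in extension values: '\\' -> '\', '\=' -> '=', '\n' and '\r' for line
    # breaks. Squid additionally percent-encodes unsafe bytes (e.g. spaces in the
    # User-Agent) when it writes logformat values, so undo that as well.
    value = re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)
    return unquote(value)


def split_extension(extension):
    """Parse 'key=value key=value ...' by locating key tokens, not by splitting on spaces."""
    pairs = {}
    keys = list(KEY_RE.finditer(extension))
    for index, match in enumerate(keys):
        end = keys[index + 1].start() if index + 1 < len(keys) else len(extension)
        pairs[match.group(1)] = unescape_value(extension[match.end():end].strip())
    return pairs


def parse_cef(line):
    """Parse one CEF record into header, raw extension and label-resolved extension."""
    fields, rest = split_header(line.rstrip("\r\n"))
    if not fields[0].startswith("CEF:"):
        raise ValueError("record does not start with CEF:<version>")
    header = dict(zip(HEADER_FIELDS, fields))
    header["version"] = int(fields[0][len("CEF:"):])
    extension = split_extension(rest)
    # csNLabel / cnNLabel give the meaning of the matching csN / cnN custom field.
    labelled = {extension.get(key + "Label", key): value
                for key, value in extension.items() if not key.endswith("Label")}
    return {"header": header, "extension": extension, "labelled": labelled}


def severity_name(severity):
    """Map the header Severity field (string or 0-10 integer) to its CEF name."""
    names = ("Unknown", "Low", "Medium", "High", "Very-High")
    if severity in names:
        return severity
    try:
        value = int(severity)
    except ValueError:
        return "Unknown"
    for low, high, name in ((0, 3, "Low"), (4, 6, "Medium"), (7, 8, "High"), (9, 10, "Very-High")):
        if low <= value <= high:
            return name
    return "Unknown"


if __name__ == "__main__":
    record = parse_cef(SAMPLE)
    print(record["header"]["name"], severity_name(record["header"]["severity"]))
    for key, value in record["labelled"].items():
        print(f"{key}: {value}")
```

Feeding a few lines of the live access.log through parse_cef is a quick way to confirm the logformat line was typed correctly before pointing the access_log directive at a remote receiver: a missing pipe in the header raises immediately, and a mistyped format code shows up as a literal in the extension values.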

To send the CEF logs to a TCP Syslog receiver the following configuration line should be added to the end of the /etc/squid/squid.conf file:

access_log tcp://192.168.3.8:1514 CEF


With this in place we now have a more detailed log from the Squid Proxy Server, no parsing is needed on the SmartConnector, and the existing categorization files are still in effect because deviceVendor, deviceProduct and deviceEventClassId are all unchanged from the original configuration.

Note that by default, for user privacy, Squid does not log query terms in the requestUrl. To stop it stripping them, add the option strip_query_terms off anywhere in squid.conf. Bear in mind that query strings can carry session tokens, credentials and other sensitive data, so access logs written with this option need correspondingly tight access controls.