This guide assumes you are installing Squid on CentOS 7.
Update the packages: yum -y update
Install squid from the yum repository: yum -y install squid
Squid is installed with a default configuration and can be used immediately, albeit with reduced functionality. The following commands can be used to control squid.
Check the version number: squid -v
Configure Squid to start on boot: systemctl enable squid
Start Squid: systemctl start squid
Check the status of Squid: systemctl status squid
Check that the Squid port (3128/tcp by default) is listening: ss -ln
Stop squid: systemctl stop squid
By default Squid does not cache any content. Caching can be enabled by uncommenting one line in the Squid configuration file: edit /etc/squid/squid.conf and uncomment the following line:
Initialise the Squid ssl_db directory by typing this into the console:
Create the certificate folder and generate the certificates:
Configure the /etc/squid/squid.conf file to intercept HTTPS. Below is an example of the default squid.conf modified with the minimum changes required to make this work:
You will now need to distribute the client certificate to every client that will communicate through the proxy over HTTPS.
If you attempt to start squid again you may get the following error:
Or you may see the following in /var/log/squid/cache.log:
This is caused by SELinux running on the host; looking in /var/log/audit/audit.log we see:
In a lab environment it should be acceptable to simply put SELinux in permissive mode by modifying /etc/selinux/config and issuing the setenforce 0 command (setenforce 0 takes effect immediately, while the change to /etc/selinux/config makes the setting persist across reboots).
CEF Logging Configuration
By default the ArcSight SmartConnector framework will parse Squid logs in the default log format. This provides a good amount of information, but with some additional configuration we can provide more detailed information in CEF format. This reduces the processing overhead on the ArcSight SmartConnector and provides more event data for analysts and/or content development.
Squid ResponseSize to Client
Server IP address or HostName
Response time (milliseconds)
Squid hierarchy status (DEFAULT_PARENT, etc.)
HTTP status code sent to the client
“Squid Web Proxy Server”
Milliseconds since epoch
HTTP status code sent to the client
MIME Content Type
Squid request status (TCP_MISS etc)
Request Method (GET/POST, etc)
Client Source Address
Client IP address or HostName
Server IP address
RequestSize from Client
The ArcSight CEF Configuration guide defines the CEF Header as follows:
CEF:Version|Device Vendor|Device Product|Device Version|Device Event Class ID|Name|Severity|[Extension]
Version is an integer and identifies the version of the CEF format. Event consumers use this information to determine what the following fields represent. The current CEF version is 0 (CEF:0).
Severity is a string or integer and reflects the importance of the event. The valid string values are Unknown, Low, Medium, High, and Very-High. The valid integer values are 0-3=Low, 4-6=Medium, 7-8=High, and 9-10=Very-High.
For our configuration the following CEF Header will be suitable:
CEF:0|Squid|Squid Web Proxy Server|3.5|%>Hs|%Ss|3|
Including the key-value pairs from the table above, the full configuration added to the bottom of the squid.conf file looks like this:
This will change the format of the access logs to CEF; a sample is provided below:
To send the CEF logs to a TCP Syslog receiver the following configuration line should be added to the end of the /etc/squid/squid.conf file:
As you can see, we now have a more detailed log being provided by the Squid proxy server, we do not have to do any parsing on the SmartConnector, and the existing categorization files are still in effect because the deviceVendor, deviceProduct and deviceEventClassId are all maintained from the original configuration.
Note that by default, for user privacy, Squid does not log query terms in the requestUrl. To prevent it from stripping these query terms, the configuration option strip_query_terms off should be added anywhere in the squid.conf file.
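As an added example that is not part of the original post, the following parser consumes access-log lines in the CEF header layout given above (CEF:0|Squid|Squid Web Proxy Server|3.5|HTTP status|request status|3|extensions) and applies the severity bands quoted from the ArcSight guide, the kind of check a collector or detection script would do on the receiving end. The sample line and its extension keys (rt, src, dst, dhost, requestMethod, request, in, out, cs1, fileType) are constructed for this example; the post's own logformat line is not reproduced here, so those key names are assumptions.

```python
import re
from datetime import datetime, timezone
# Constructed sample in the header layout shown above (CEF:0|Squid|Squid Web Proxy Server|3.5|
# <HTTP status>|<request status>|3|extensions). The extension keys are standard CEF keys chosen
# for this example, not copied from the page; note the escaped '=' inside the request URL.
SAMPLE_LINE = (
    "CEF:0|Squid|Squid Web Proxy Server|3.5|200|TCP_MISS|3|"
    "rt=1700000000123 src=10.0.0.25 dst=93.184.216.34 dhost=example.com "
    "requestMethod=GET request=http://example.com/search?q\\=squid in=412 out=15384 "
    "cs1=DEFAULT_PARENT cs1Label=HierarchyStatus fileType=text/html"
)
HEADER_FIELDS = ("version", "deviceVendor", "deviceProduct", "deviceVersion",
                 "deviceEventClassId", "name", "severity")
KEY_RE = re.compile(r"(\w+)=")  # an escaped '\=' never matches: '\' is not a word character
SEVERITY_BANDS = ((3, "Low"), (6, "Medium"), (8, "High"), (10, "Very-High"))
def split_header(line):
    """Return the seven '|'-delimited header fields and the extension; '\\|' is a literal pipe."""
    fields, buf, i = [], [], 0
    while i < len(line) and len(fields) < len(HEADER_FIELDS):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            buf.append(line[i + 1]); i += 2
        elif ch == "|":
            fields.append("".join(buf)); buf = []; i += 1
        else:
            buf.append(ch); i += 1
    if len(fields) < len(HEADER_FIELDS) or not fields[0].startswith("CEF:"):
        raise ValueError("incomplete or non-CEF header: %r" % line[:40])
    return dict(zip(HEADER_FIELDS, fields)), line[i:]
def parse_extension(ext):
    """Split 'key=value' pairs; values may contain spaces, and '\\=' is a literal '='."""
    matches, out = list(KEY_RE.finditer(ext)), {}
    for n, m in enumerate(matches):
        end = matches[n + 1].start() if n + 1 < len(matches) else len(ext)
        out[m.group(1)] = re.sub(r"\\([\\|=])", r"\1", ext[m.end():end].rstrip())
    return out
def severity_label(value):  # integer bands as quoted from the ArcSight CEF guide above
    n = int(value)
    if not 0 <= n <= 10:
        raise ValueError("severity out of range: %s" % value)
    return next(label for top, label in SEVERITY_BANDS if n <= top)
def parse_cef(line):
    header, ext = split_header(line)
    header["severityLabel"] = severity_label(header["severity"])
    fields = parse_extension(ext)
    if "rt" in fields:  # milliseconds since epoch, as in the field table above
        fields["rt"] = datetime.fromtimestamp(int(fields["rt"]) / 1000, tz=timezone.utc)
    return {"header": header, "extension": fields}
```

A naive split on "=" or "|" would break on the escaped characters the CEF format allows, which is why the parser handles them explicitly.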