Squid ist ein leistungsstarker Proxy-Server für HTTP, HTTPS und FTP. Er beschleunigt Web-Zugriffe durch Caching und ermöglicht Zugriffskontrolle.

Installation

# Debian/Ubuntu
apt install squid

# RHEL/CentOS
dnf install squid

# Service aktivieren
systemctl enable squid
systemctl start squid

Grundkonfiguration

Minimale Konfiguration

# /etc/squid/squid.conf

# Port
http_port 3128

# Lokales Netzwerk erlauben
acl localnet src 192.168.0.0/16
acl localnet src 10.0.0.0/8
acl localnet src 172.16.0.0/12

# Sichere Ports
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 443         # https
acl Safe_ports port 21          # ftp
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl CONNECT method CONNECT

# Zugriffskontrolle
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all

Konfiguration neu laden

# Syntax prüfen
squid -k parse

# Konfiguration neu laden
squid -k reconfigure

# Oder
systemctl reload squid

Access Control Lists (ACL)

ACL-Typen

# IP-basiert
acl clients src 192.168.1.0/24
acl server dst 10.0.0.1

# Port-basiert
acl webports port 80 443 8080

# Zeit-basiert
acl workhours time MTWHF 08:00-18:00
acl weekend time SA SU

# Domain-basiert
acl blocked_sites dstdomain .facebook.com .youtube.com
acl allowed_domains dstdomain .example.de

# URL-basiert
acl blocked_urls url_regex -i porn gambling casino

# User-basiert (mit Auth)
acl users proxy_auth REQUIRED
acl admins proxy_auth admin manager

# Protokoll
acl FTP proto FTP
acl HTTP proto HTTP

ACL anwenden

# Zugriff erlauben
http_access allow clients
http_access allow workhours localnet

# Zugriff verbieten
http_access deny blocked_sites
http_access deny blocked_urls

# Reihenfolge wichtig! Erste Übereinstimmung gewinnt – Deny-Regeln müssen deshalb VOR den Allow-Regeln stehen.
# In der obigen Reihenfolge würde `http_access allow clients` die beiden Sperren für diese Clients wirkungslos machen
# (korrekt gelöst im Beispiel unten: erst deny, dann allow, dann deny all).

Beispiel: Arbeitszeit-Policy

# ACLs
acl workhours time MTWHF 08:00-18:00
acl localnet src 192.168.1.0/24
acl social_media dstdomain .facebook.com .twitter.com .instagram.com

# Regeln
http_access deny social_media workhours
http_access allow localnet
http_access deny all

Caching

Cache-Verzeichnis

# Disk-Cache
cache_dir ufs /var/spool/squid 10000 16 256
# Format: TYPE PATH SIZE_MB L1 L2

# RAM-Cache
cache_mem 512 MB

# Maximale Objekt-Größe
maximum_object_size 100 MB
maximum_object_size_in_memory 10 MB

# Cache initialisieren (einmalig)
squid -z

Cache-Kontrolle

# Nicht cachen
acl no_cache dstdomain .example.de
cache deny no_cache

# Refresh-Pattern
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?)   0   0%      0
refresh_pattern .               0       20%     4320

Cache-Statistiken

# Cache-Status
squidclient -h localhost -p 3128 mgr:info

# Cache-Nutzung
squidclient -h localhost -p 3128 mgr:utilization

# Hit/Miss Ratio
squidclient -h localhost -p 3128 mgr:5min

Authentifizierung

Basic Auth

# Passwort-Datei erstellen (enthält die Passwort-Hashes: anschließend nur für den Squid-Benutzer lesbar machen)
htpasswd -c /etc/squid/passwd user1
htpasswd /etc/squid/passwd user2

# In squid.conf – Basic Auth überträgt die Zugangsdaten nur Base64-kodiert, also faktisch im Klartext;
# nur in vertrauenswürdigen Netzen oder über eine TLS-gesicherte Verbindung zum Proxy einsetzen
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic realm Proxy-Zugang
auth_param basic credentialsttl 2 hours

acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access deny all

LDAP-Auth

Ohne TLS gehen die Benutzer-Passwörter im Klartext an den LDAP-Server; basic_ldap_auth bietet dafür die Option -Z (StartTLS).

auth_param basic program /usr/lib/squid/basic_ldap_auth \
    -b "ou=users,dc=example,dc=de" \
    -f "uid=%s" \
    -h ldap.example.de

auth_param basic realm LDAP-Proxy
auth_param basic credentialsttl 1 hour

acl ldap_users proxy_auth REQUIRED
http_access allow ldap_users

HTTPS/SSL

SSL-Bump (MITM)

# Zertifikat generieren – es dient als CA für die dynamisch erzeugten Host-Zertifikate:
# squid.crt muss auf allen Clients als vertrauenswürdige CA installiert werden, und squid.key
# ist wegen -nodes unverschlüsselt (nur für den Squid-Benutzer lesbar ablegen, da damit
# Zertifikate für beliebige Domains signiert werden können)
openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 \
    -keyout /etc/squid/ssl/squid.key \
    -out /etc/squid/ssl/squid.crt

# In squid.conf
http_port 3128 ssl-bump \
    cert=/etc/squid/ssl/squid.crt \
    key=/etc/squid/ssl/squid.key \
    generate-host-certificates=on \
    dynamic_cert_mem_cache_size=4MB

# SSL-Bump ACLs – "bump all" entschlüsselt sämtliche Verbindungen; Dienste mit Certificate Pinning
# oder Client-Zertifikaten funktionieren dann nicht mehr (für solche Ziele ssl_bump splice verwenden)
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# SSL-Cache – die Datenbank vor dem ersten Start einmalig anlegen:
# security_file_certgen -c -s /var/lib/squid/ssl_db -M 4MB  (Besitzer: Squid-Benutzer)
sslcrtd_program /usr/lib/squid/security_file_certgen \
    -s /var/lib/squid/ssl_db -M 4MB

Transparenter Proxy

# In squid.conf – "transparent" ist die veraltete Schreibweise von "intercept" (vgl. HTTPS-Beispiel unten);
# Squid erwartet für abgefangenen Verkehr einen eigenen Port, getrennt vom regulären Proxy-Port 3128
http_port 3128 transparent

# Firewall-Redirect (iptables)
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 \
    -j REDIRECT --to-port 3128

# Für HTTPS
http_port 3129 intercept ssl-bump \
    cert=/etc/squid/ssl/squid.crt \
    key=/etc/squid/ssl/squid.key

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 \
    -j REDIRECT --to-port 3129

Logging

Access-Log

# Format
access_log /var/log/squid/access.log squid

# Custom Format (dieses Beispiel entspricht dem eingebauten Format "squid" aus der Zeile darüber)
logformat custom %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt
access_log /var/log/squid/access.log custom

Log-Analyse

# Top-URLs
awk '{print $7}' /var/log/squid/access.log | sort | uniq -c | sort -rn | head -20

# Top-Clients
awk '{print $3}' /var/log/squid/access.log | sort | uniq -c | sort -rn | head -10

# Cache-Hit-Rate
grep -c "TCP_HIT" /var/log/squid/access.log
grep -c "TCP_MISS" /var/log/squid/access.log

Log-Rotation

# /etc/logrotate.d/squid
/var/log/squid/*.log {
    daily
    compress
    delaycompress
    rotate 30
    missingok
    notifempty
    sharedscripts
    postrotate
        squid -k rotate
    endscript
}

Content-Filterung

URL-Blacklist

# Blacklist-Datei
# /etc/squid/blocked.txt
.facebook.com
.youtube.com
.tiktok.com

# In squid.conf
acl blocked dstdomain "/etc/squid/blocked.txt"
http_access deny blocked

SquidGuard

# Installation
apt install squidguard

# In squid.conf
url_rewrite_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf
url_rewrite_children 5 startup=0 idle=1 concurrency=0

Reverse Proxy

# Als Reverse-Proxy – wie in der Grundkonfiguration gehört auch hier ein abschließendes
# "http_access deny all" sowie "cache_peer_access backend deny all" hinter die allow-Regeln
http_port 80 accel vhost
cache_peer backend.example.de parent 8080 0 no-query originserver name=backend

acl sites dstdomain www.example.de
cache_peer_access backend allow sites

http_access allow sites

Performance-Tuning

# Mehr File-Descriptors
max_filedescriptors 65535

# Worker-Prozesse
workers 4

# Client-Verbindungen
client_persistent_connections on
server_persistent_connections on

# DNS (hier öffentliche Google-Resolver; im Unternehmensnetz besser interne Resolver eintragen,
# sonst verlassen sämtliche Namensanfragen des Proxys das eigene Netz)
dns_nameservers 8.8.8.8 8.8.4.4
positive_dns_ttl 6 hours
negative_dns_ttl 1 minute

# Memory
memory_pools on
memory_pools_limit 256 MB

Monitoring

SNMP

# In squid.conf – "public" ist der allgemein bekannte Standard-Community-Name und sollte durch
# einen eigenen ersetzt werden; der Zugriff bleibt hier zusätzlich auf localhost beschränkt
snmp_port 3401
acl snmppublic snmp_community public
snmp_access allow snmppublic localhost
snmp_access deny all

Cache-Manager

# Manager-Zugriff – "secret" ist ein Platzhalter; das Passwort wird unverschlüsselt übertragen,
# daher den Zugriff wie hier auf localhost beschränkt lassen
http_access allow localhost manager
cachemgr_passwd secret all

# Zugriff
squidclient -h localhost -p 3128 mgr:info

Zusammenfassung

| Befehl | Funktion |
|--------|----------|
| squid -k parse | Config prüfen |
| squid -k reconfigure | Config neu laden |
| squid -k rotate | Logs rotieren |
| squid -z | Cache initialisieren |
| squidclient mgr:info | Status anzeigen |

| Port | Verwendung |
|------|------------|
| 3128 | HTTP-Proxy (Standard) |
| 3129 | HTTPS-Intercept |
| 3401 | SNMP |

| ACL-Typ | Beispiel |
|---------|----------|
| src | Client-IP |
| dst | Ziel-IP |
| dstdomain | Ziel-Domain |
| port | Ziel-Port |
| time | Zeitbereich |
| proxy_auth | Benutzer |

| Datei | Beschreibung |
|-------|--------------|
| /etc/squid/squid.conf | Hauptkonfiguration |
| /var/log/squid/access.log | Zugriffs-Log |
| /var/spool/squid | Cache-Verzeichnis |

Fazit

Squid ist vielseitig für Proxy-Aufgaben einsetzbar. Das Caching beschleunigt Netzwerke spürbar. ACLs ermöglichen granulare Zugriffskontrolle. SSL-Bump erlaubt HTTPS-Filterung (mit Vorsicht: die Clients müssen der Proxy-CA vertrauen, der CA-Schlüssel des Proxys ist ein hochwertiges Angriffsziel, und das Aufbrechen von TLS hat Datenschutz- und ggf. rechtliche Folgen). Für Unternehmensnetzwerke ist Squid nach wie vor eine solide Wahl.