We support versions of SQUID over 3.0. To activate ICAP in squid, you need to add the following lines to the config:

squid.conf

 icap_enable on

 icap_send_client_ip on

 icap_preview_enable on

 icap_preview_size 4096

 icap_service_failure_limit -1

 icap_service service_req reqmod_precache 0 icap://INTERFACE_IP:1344/reqmod

 adaptation_access service_req allow all

Where:

INTERFACE_IP is the ip address of the SecureTower ICAP server. This setting will allow us to monitor our ICAP traffic passing through the squid (including ssl, if its interception is configured);
reqmod - used for forwarding to ICAP outbound traffic;
respmod - used to forward incoming traffic to ICAP (the reworked version of ICAP in ST is not supported, as there is no sense);
The precache and postcache modes differ in the order in which the data is received. Postcache (in version 3.4 is not implemented!) - ICAP receives data already placed in the cache SQUID, precache - the data is requested from the original server. A bit of information about this;
reqmod_precache 0 - the number indicates the method of handling the error. 0 - if ICAP can not process the traffic, the connection will be reset, 1 - traffic will be ignored by ICAP and the request will be executed (abbreviated use of the bypass command);
icap_service_failure_limit is needed on the downloaded squid servers. The option disables the monitoring of errors and temporary disabling icap;
Proxy server Squid can work in 2 modes: classic proxy and transparent. The classic method requires setting up the IP and proxy ports on the software (browsers, etc.), while the transparent proxy does not require additional configuration on the clients, all traffic is sent to the gateway in its pure form. These modes are configured differently in the config and firewall of the server.

 

Setting the classic proxy server mode to work through port 3128:

The default config is already configured for this mode and all you need is to fill acl access lists. Here is a working config with a few comments.

squid.conf 

 #

 # Recommended minimum configuration:

 #

 # Example rule allowing access from your local networks.

 # Adapt to list your (internal) IP networks from where browsing

 # should be allowed

 visible_hostname lnx-sqd.contoso.local

 acl localnet src 192.168.70.0/24 

 acl SSL_ports port 443

 acl Safe_ports port 80 # http

 acl Safe_ports port 21 # ftp

 acl Safe_ports port 443 # https

 acl Safe_ports port 70 # gopher

 acl Safe_ports port 210 # wais

 acl Safe_ports port 1025-65535 # unregistered ports

 acl Safe_ports port 280 # http-mgmt

 acl Safe_ports port 488 # gss-http

 acl Safe_ports port 591 # filemaker

 acl Safe_ports port 777 # multiling http

 acl CONNECT method CONNECT

 #

 # Recommended minimum Access Permission configuration:

 #

 # Deny requests to certain unsafe ports

 http_access deny !Safe_ports

 # Deny CONNECT to other than secure SSL ports

 http_access deny CONNECT !SSL_ports

 # Only allow cachemgr access from localhost

 http_access allow localhost manager

 http_access deny manager

 # We strongly recommend the following be uncommented to protect innocent

 # web applications running on the proxy server who think the only

 # one who can access services on "localhost" is a local user

 #http_access deny to_localhost

 #

 # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

 #

 # Example rule allowing access from your local networks.

 # Adapt localnet in the ACL section to list your (internal) IP networks

 # from where browsing should be allowed

 http_access allow localnet

 http_access allow localhost

 # And finally deny all other access to this proxy

 http_access deny all

 http_port 3128 

 # Uncomment and adjust the following to add a disk cache directory.

 cache_dir ufs /var/spool/squid 100 16 256

 # Leave coredumps in the first cache dir

 coredump_dir /var/spool/squid

 icap_enable on

 icap_preview_enable on

 icap_preview_size 4096

 icap_service_failure_limit -1

 icap_send_client_ip on

 icap_service service_req reqmod_precache 0 icap://192.168.70.2:1344/req_mod

 adaptation_access service_req allow all

 #

 # Add any of your own refresh_pattern entries above these.

 #

 refresh_pattern ^ftp: 1440 20% 10080

 refresh_pattern ^gopher: 1440 0% 1440

 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0

 refresh_pattern . 0 20% 4320

This is the working config squid on port 3128 with activated ICAP. Bold selected 2 lines, which must be adjusted for yourself.

acl localnet src 192.168.70.0/24 - this acl contains the network range of the monitored local network and denotes it as localnet. Further in the settings of access control lists, you can use this designation.

http_port 3128 - specifies the server port and interface for listening (if the interface is not specified, then listens to all available).

icap_preview_enable on - enables the preview mode (only the first N bytes from the post request will be taken to analyze the content and make a decision about the acl action)
icap_preview_size 4096 - the size of the loaded block for the preview
This configuration is sufficient for the operation of ICAP in the classical mode and control of NOT encrypted traffic via ICAP by the SecureTower system.

 

Configuring the transparent mode of the proxy server through port 3128.

In this mode, traffic from clients goes to ports 80 and 443, but squid only listens to its 3128 port. Therefore, you need to redirect traffic from ports 80/443 to port 3128. Here are the necessary rules for iptables:

iptables

 *filter

 -A INPUT -p tcp --dport 80 -j ACCEPT

 -A INPUT -p tcp --dport 3128 -j ACCEPT

 *nat

 -A PREROUTING -s source_ip -p tcp --dport 80 -j REDIRECT --to-port 3128

 

The first 2 rules allow incoming traffic to the server for the required ports, the 4 th rule redirects the necessary traffic to port 3128.

source_ip - the client or network address (192.168.1.0/24) that uses the proxy;

 And also you need 1 line in the config that activates the transparent mode:

 http_port 3128 intercept

In versions of squid up to 3.1, instead of intercept is transparent. On version 3.4 it works equally intercept / transparent.

 

 Configure the interception of SSL traffic passing through Squid.

It should be noted that there is no need to configure and support ICAP to intercept encrypted traffic, everything is done by squid itself, and if configured correctly, the traffic will be decrypted and sent in expanded form to the ICAP server ST.

Required config lines for activating SSL interception mode:

squid.conf

 http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl/squid.pem key=/etc/squid/ssl/squid.key

 sslproxy_flags DONT_VERIFY_PEER

 sslproxy_cert_error allow all

 always_direct allow all

 ssl_bump client-first all

 ssl_bump server-first all

 sslcrtd_program /usr/lib64/squid/ssl_crtd -s /usr/share/squid/ssl_db -M 4MB

 sslcrtd_children 5

The first line contains the path to the CA root certificate and its private key, you must generate it yourself (self-signed) or specify the location of your own. Surely, rights to them are still important, so it's better to put 400 at once. Important: this certificate of the CA (but not the key!) Should be added to trusted certification authorities on client computers - this will avoid notification of the user about a non-trusted certificate and the sites will work correctly (without this many sites crumble).

Line

sslcrtd_program /usr/lib64/squid/ssl_crtd -s /usr/share/squid/ssl_db -M 4MB

indicates the location of the utility for the generation of certificates, in different distributions will be a different path, so it is better to look for it by searching and to specify the correct path. The second part specifies the folder for storing the generated certificates when it is intercepted. It can be created anywhere (if not created during the installation), the main thing is to provide it with the necessary rights to access squid (squid: squid), if the daemon is running from the user nobody (that is recommended), then nobody: xxx

 

The procedure for generating a certificate and a certificate database is as follows:

generation of self-signed certificate and key CA:

 # mkdir /etc/squid/ssl && cd /etc/squid/ssl && chown -R squid:squid /etc/squid/ssl

 # openssl genrsa -out /etc/squid/ssl/squid.key

 # openssl req -new -key /etc/squid/ssl/squid.key -out /etc/squid/ssl/squid.csr

 # openssl x509 -req -days 3650 -in /etc/squid/ssl/squid.csr -signkey /etc/squid/ssl/squid.key -out /etc/squid/ssl/squid.pem

create a folder and a database for certificates

 # /usr/lib64/squid/ssl_crtd -c -s /usr/share/squid/ssl_db && chown -R squid:squid /usr/share/squid/ssl_db

These actions are valid for CentOS, in other distributions some directories may be missing and will have to act on the circumstances.

On the Squid side, this is all you need, now you need to configure the direction of traffic from 443 to the proxy port:

iptables

 *filter

 -A INPUT -p tcp --dport 80 -j ACCEPT

 -A INPUT -p tcp --dport 443 -j ACCEPT

 -A INPUT -p tcp --dport 3128 -j ACCEPT

 -A INPUT -p tcp --dport 3129 -j ACCEPT

 *nat

 -A PREROUTING -s 192.168.70.13 -p tcp --dport 80 -j REDIRECT --to-port 3128

 -A PREROUTING -s 192.168.70.13 -p tcp --dport 443 -j REDIRECT --to-port 3128

 

As a bonus, there are some optimization options for squid (compared to the default configuration, the work has significantly accelerated):​

squid.conf 

 cache_replacement_policy heap LFUDA

 cache_swap_low 90

 cache_swap_high 95

 maximum_object_size_in_memory 50 KB

 cache_mem 100 MB

 logfile_rotate 10

 memory_pools off

 maximum_object_size 50 MB

 quick_abort_min 0 KB

 quick_abort_max 0 KB

 log_icp_queries off

 client_db off

 buffered_logs on

 half_closed_clients off

 

This setting will allow the SecureTower system to intercept all HTTP / HTTPS traffic of the proxy server through its ICAP.

Proxy server Squid is not a SOCKS proxy and it makes no sense to wrap it on a different from http traffic.