Configuring squid 3.0+ for SecureTower integration via ICAP (HTTP / HTTPS interception)

Squid versions 3.0 and later are supported. To activate ICAP in squid, add the following lines to the config:


 icap_enable on
 icap_send_client_ip on
 icap_preview_enable on
 icap_preview_size 4096
 icap_service_failure_limit -1
 icap_service service_req reqmod_precache 0 icap://INTERFACE_IP:1344/reqmod
 adaptation_access service_req allow all


INTERFACE_IP is the IP address of the SecureTower ICAP server. This setting allows us to monitor over ICAP the traffic passing through squid (including SSL, if its interception is configured);
reqmod - used to forward outbound traffic to ICAP;
respmod - used to forward incoming traffic to ICAP (not supported by the reworked version of ICAP in ST, as there is no point in it);
The precache and postcache modes differ in where the data is taken from. Postcache (not implemented in version 3.4!) - ICAP receives data already placed in the squid cache; precache - the data is requested from the original server;
reqmod_precache 0 - the number sets how errors are handled. 0 - if ICAP cannot process the traffic, the connection is reset; 1 - the traffic is ignored by ICAP and the request is executed (a short form of the bypass option);
icap_service_failure_limit is needed on heavily loaded squid servers. The option disables error monitoring and the temporary disabling of ICAP;
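
The failure handling described in the last two points can be read straight out of a squid.conf. The following is an added example, not part of the original page or of SecureTower: it lists each icap_service as fail-closed (0) or fail-open (1), also accepting the bypass=on|off option form of later squid versions, prints the failure limit, and names services that no adaptation_access rule routes traffic to. The function names, the second service and the 192.0.2.10 address are constructed for illustration.

```shell
#!/bin/sh
# Added example (not SecureTower or Squid code): audit ICAP failure handling in squid.conf.

# Print "<name> <vectoring_point> <fail-closed|fail-open>" for every icap_service.
icap_failure_modes() {
  awk '
    { sub(/#.*/, "") }                     # strip comments
    $1 == "icap_service" {
      mode = "fail-closed"                 # bypass is off unless stated
      if ($4 == "1") mode = "fail-open"    # 3.0 form: name point bypass uri
      for (i = 4; i <= NF; i++)            # later form: name point uri bypass=...
        if ($i ~ /^bypass=(1|on)$/) mode = "fail-open"
      print $2, $3, mode
    }' "$1"
}

# Print the last icap_service_failure_limit value set in the file, or "unset".
icap_failure_limit() {
  awk '{ sub(/#.*/, "") }
       $1 == "icap_service_failure_limit" { v = $2 }
       END { print (v == "" ? "unset" : v) }' "$1"
}

# Print names of services that no "adaptation_access <name> allow ..." rule uses.
unrouted_icap_services() {
  awk '{ sub(/#.*/, "") }
       $1 == "icap_service" { svc[$2] = 1 }
       $1 == "adaptation_access" && $3 == "allow" { used[$2] = 1 }
       END { for (s in svc) if (!(s in used)) print s }' "$1" | sort
}

# Constructed sample: the page's service plus a hypothetical fail-open one.
sample=$(mktemp)
cat > "$sample" <<'EOF'
icap_enable on
icap_service_failure_limit -1
icap_service service_req reqmod_precache 0 icap://192.0.2.10:1344/reqmod
icap_service service_opt reqmod_precache 1 icap://192.0.2.10:1344/reqmod  # hypothetical
adaptation_access service_req allow all
EOF

icap_failure_modes "$sample"
echo "failure_limit: $(icap_failure_limit "$sample")"
echo "unrouted: $(unrouted_icap_services "$sample")"
```

For a monitoring deployment, a fail-open service means requests pass unmonitored whenever the ICAP server cannot process them, so that line is the one to review.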
The Squid proxy server can work in two modes: classic proxy and transparent. The classic mode requires setting the proxy IP and port in the client software (browsers, etc.), while the transparent proxy requires no additional configuration on the clients: all traffic is sent to the gateway as is. The two modes are configured differently in the squid config and in the server's firewall.


Setting the classic proxy server mode to work through port 3128:

The default config is already set up for this mode; all you need to do is fill in the acl access lists. Here is a working config with a few comments.


 # Recommended minimum configuration:
 # Example rule allowing access from your local networks.
 # Adapt to list your (internal) IP networks from where browsing
 # should be allowed
 visible_hostname lnx-sqd.contoso.local
 acl localnet src 
 acl SSL_ports port 443
 acl Safe_ports port 80 # http
 acl Safe_ports port 21 # ftp
 acl Safe_ports port 443 # https
 acl Safe_ports port 70 # gopher
 acl Safe_ports port 210 # wais
 acl Safe_ports port 1025-65535 # unregistered ports
 acl Safe_ports port 280 # http-mgmt
 acl Safe_ports port 488 # gss-http
 acl Safe_ports port 591 # filemaker
 acl Safe_ports port 777 # multiling http
 # Recommended minimum Access Permission configuration:
 # Deny requests to certain unsafe ports
 http_access deny !Safe_ports
 # Deny CONNECT to other than secure SSL ports
 http_access deny CONNECT !SSL_ports
 # Only allow cachemgr access from localhost
 http_access allow localhost manager
 http_access deny manager
 # We strongly recommend the following be uncommented to protect innocent
 # web applications running on the proxy server who think the only
 # one who can access services on "localhost" is a local user
 #http_access deny to_localhost
 # Example rule allowing access from your local networks.
 # Adapt localnet in the ACL section to list your (internal) IP networks
 # from where browsing should be allowed
 http_access allow localnet
 http_access allow localhost
 # And finally deny all other access to this proxy
 http_access deny all
 http_port 3128 
 # Uncomment and adjust the following to add a disk cache directory.
 cache_dir ufs /var/spool/squid 100 16 256
 # Leave coredumps in the first cache dir
 coredump_dir /var/spool/squid
 icap_enable on
 icap_preview_enable on
 icap_preview_size 4096
 icap_service_failure_limit -1
 icap_send_client_ip on
 icap_service service_req reqmod_precache 0 icap://
 adaptation_access service_req allow all
 # Add any of your own refresh_pattern entries above these.
 refresh_pattern ^ftp: 1440 20% 10080
 refresh_pattern ^gopher: 1440 0% 1440
 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
 refresh_pattern . 0 20% 4320

This is a working squid config on port 3128 with ICAP activated. Two lines in it (highlighted in bold) must be adjusted for your environment.

acl localnet src - this acl holds the address range of the monitored local network and names it localnet. The name can then be used in the access control rules that follow.

http_port 3128 - specifies the port and interface squid listens on (if no interface is given, it listens on all available ones).

icap_preview_enable on - enables preview mode (only the first N bytes of the POST request are taken to analyze the content and decide on the acl action)
icap_preview_size 4096 - the size of the block loaded for the preview
This configuration is sufficient for ICAP to work in classic mode and for the SecureTower system to control unencrypted traffic via ICAP.


Configuring the transparent mode of the proxy server through port 3128.

In this mode, traffic from clients goes to ports 80 and 443, but squid listens only on its port 3128. Therefore, you need to redirect traffic from ports 80/443 to port 3128. Here are the necessary iptables rules:


 -A INPUT -p tcp --dport 80 -j ACCEPT
 -A INPUT -p tcp --dport 3128 -j ACCEPT
 -A PREROUTING -s source_ip -p tcp --dport 80 -j REDIRECT --to-port 3128


The first two rules allow incoming traffic to the server on the required ports; the PREROUTING rule redirects the necessary traffic to port 3128.

source_ip - the client or network address ( that uses the proxy;

You also need one line in the config that activates transparent mode:

 http_port 3128 intercept

In squid versions up to 3.1, transparent is used instead of intercept. In version 3.4, intercept and transparent work the same way.


Configuring the interception of SSL traffic passing through Squid.

Note that nothing needs to be configured or supported on the ICAP side to intercept encrypted traffic: squid does everything itself, and if it is configured correctly, the traffic is decrypted and sent in decrypted form to the SecureTower ICAP server.

Required config lines for activating SSL interception mode:


 http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl/squid.pem key=/etc/squid/ssl/squid.key
 # The next two lines make squid accept any origin-server certificate without validation
 sslproxy_flags DONT_VERIFY_PEER
 sslproxy_cert_error allow all
 always_direct allow all
 ssl_bump client-first all
 ssl_bump server-first all
 # Helper that generates the per-site certificates, and its certificate database
 sslcrtd_program /usr/lib64/squid/ssl_crtd -s /usr/share/squid/ssl_db -M 4MB
 sslcrtd_children 5

The first line contains the paths to the root CA certificate and its private key; you must generate them yourself (self-signed) or specify the location of your own. File permissions on them matter, so it is best to set mode 400 right away. Important: this CA certificate (but not the key!) should be added to the trusted certification authorities on client computers. This avoids warnings to the user about an untrusted certificate, and sites will work correctly (without it, many sites break).
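
A check for the two points this section turns on, the access mode of the CA private key and the two directives that turn off validation of origin-server certificates, written as an added shell example that is not part of the original page. The function names and the temporary files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): checks for the ssl-bump settings above.

# Print the key= path of every ssl-bump http_port / https_port line.
bump_key_paths() {
  awk '{ sub(/#.*/, "") }
       ($1 == "http_port" || $1 == "https_port") && /ssl-bump/ {
         for (i = 2; i <= NF; i++) if ($i ~ /^key=/) print substr($i, 5)
       }' "$1"
}

# Report each CA key as OK (owner-only access), WEAK (group/other bits set) or MISSING.
check_key_modes() {
  bump_key_paths "$1" | while read -r key; do
    if [ ! -f "$key" ]; then echo "MISSING $key"; continue; fi
    # Characters 5-10 of the ls mode string are the group and other permission bits.
    if [ "$(ls -ld "$key" | cut -c5-10)" = "------" ]; then
      echo "OK $key"
    else
      echo "WEAK $key"
    fi
  done
}

# Print the directives that switch off validation of origin-server certificates.
upstream_validation_off() {
  awk '{ sub(/#.*/, "") }
       $1 == "sslproxy_flags" && /DONT_VERIFY_PEER/ { print "sslproxy_flags DONT_VERIFY_PEER" }
       $1 == "sslproxy_cert_error" && $2 == "allow" && $3 == "all" { print "sslproxy_cert_error allow all" }' "$1"
}

# Constructed demo: a throwaway key file and a config using the page's directives.
demo=$(mktemp -d)
: > "$demo/squid.key"; chmod 644 "$demo/squid.key"
cat > "$demo/squid.conf" <<EOF
http_port 3128 ssl-bump generate-host-certificates=on cert=$demo/squid.pem key=$demo/squid.key
sslproxy_flags DONT_VERIFY_PEER
sslproxy_cert_error allow all
EOF
check_key_modes "$demo/squid.conf"
upstream_validation_off "$demo/squid.conf"
```

With both directives present, clients that trust the squid CA see a valid certificate for every site, whatever certificate the origin server actually presented.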


sslcrtd_program /usr/lib64/squid/ssl_crtd -s /usr/share/squid/ssl_db -M 4MB

indicates the location of the certificate generation utility. The path differs between distributions, so it is best to search for the utility and specify the correct path. The second part specifies the folder where the certificates generated during interception are stored. It can be created anywhere (if it was not created during installation); the main thing is to give squid the necessary access rights to it (squid:squid). If the daemon runs as the user nobody (which is recommended), then nobody:xxx


The procedure for generating a certificate and a certificate database is as follows:

Generate the self-signed CA certificate and key:

 # mkdir /etc/squid/ssl && cd /etc/squid/ssl && chown -R squid:squid /etc/squid/ssl
 # openssl genrsa -out /etc/squid/ssl/squid.key
 # openssl req -new -key /etc/squid/ssl/squid.key -out /etc/squid/ssl/squid.csr
 # openssl x509 -req -days 3650 -in /etc/squid/ssl/squid.csr -signkey /etc/squid/ssl/squid.key -out /etc/squid/ssl/squid.pem

Create the folder and database for certificates:

 # /usr/lib64/squid/ssl_crtd -c -s /usr/share/squid/ssl_db && chown -R squid:squid /usr/share/squid/ssl_db

These steps are valid for CentOS; in other distributions some directories may be missing, and you will have to adapt to the circumstances.

That is all that is needed on the Squid side. Now configure the redirection of traffic from port 443 to the proxy port:


 -A INPUT -p tcp --dport 80 -j ACCEPT
 -A INPUT -p tcp --dport 443 -j ACCEPT
 -A INPUT -p tcp --dport 3128 -j ACCEPT
 -A INPUT -p tcp --dport 3129 -j ACCEPT
 -A PREROUTING -s -p tcp --dport 80 -j REDIRECT --to-port 3128
 -A PREROUTING -s -p tcp --dport 443 -j REDIRECT --to-port 3128


As a bonus, here are some optimization options for squid (compared to the default configuration, they sped things up significantly):


 cache_replacement_policy heap LFUDA
 cache_swap_low 90
 cache_swap_high 95
 maximum_object_size_in_memory 50 KB
 cache_mem 100 MB
 logfile_rotate 10
 memory_pools off
 maximum_object_size 50 MB
 quick_abort_min 0 KB
 quick_abort_max 0 KB
 log_icp_queries off
 client_db off
 buffered_logs on
 half_closed_clients off


This configuration allows the SecureTower system to intercept all HTTP / HTTPS traffic of the proxy server through its ICAP.

The Squid proxy server is not a SOCKS proxy, and it makes no sense to route anything other than HTTP traffic through it.