Configure Squid to forward traffic to SIA Proxy
Before you begin
- Make sure you install Squid on an operating system on which Squid supports SSL. For example, you can use Windows or Ubuntu 16 and later.
- Make sure that you upgrade Squid to version 3.5 or later. When preparing to compile the installation files, use these settings to enable SSL:
  ./configure --with-default-user=proxy --with-openssl --enable-ssl-crtd
- Make sure you generate a MITM CA TLS certificate in SIA and distribute this certificate to computers or TLS clients in your network. See SIA Proxy as a TLS intermediary and Distribute the SIA Proxy certificate.
- On the system where Squid is installed, create a copy of the squid.conf file so that you keep the original configuration file as a reference. For example, on Linux, enter these commands to copy the file:
  sudo cp /etc/squid/squid.conf /etc/squid/<NEWNAME>.conf
  sudo chmod a-w /etc/squid/<NEWNAME>.conf
  where <NEWNAME> is the name of the new Squid configuration file.
- In SIA, make sure the IP address for Squid is added to a location configuration. To add or edit a location, see Create a location.
- If you configured proxy authorization in SIA, make sure you copy the username and remember the password that you configured for the proxy credential in SIA. For more information, see Configure proxy authorization and Create a proxy credential.
If your organization currently uses Squid as a caching and forward HTTP web proxy, you can configure it to forward traffic to SIA. This feature is supported on Squid version 3.5 or later.
To configure Squid to forward traffic to SIA Proxy:
- Open the renamed configuration file.
- Confirm that the forwarded_for option is set to on. This option should be enabled by default.
- At the end of the renamed configuration file, add these lines:
  cache_peer nevada.proxy.akaetp.net parent 443 0 ssl sslcafile=/etc/ssl/certs
  dns_nameservers <SIA_DNS_IP_Primary> <SIA_DNS_IP_Secondary>
  where:
  - <SIA_DNS_IP_Primary> is the IP address of the primary SIA DNS server.
  - <SIA_DNS_IP_Secondary> is the IP address of the secondary SIA DNS server.
- If you enabled proxy authorization in an SIA policy and configured proxy credentials in SIA, you also need to configure these credentials in Squid. In the cache_peer configuration, add this authentication option:
  login=<username>:<password>
  where:
  - <username> is the username that you configured in SIA. You can copy this username from SIA. Make sure the username includes the ID number that's associated with your organization.
  - <password> is the password that you configured in SIA for the proxy credential.
  For more information, see Enable proxy authorization and Create a proxy credential.
- Optionally, configure user authentication. As part of this process, you need to add proxy_auth ACL entries to the configuration file. For more information, see the Squid documentation.
- Review the configuration file and confirm that it looks like this:
  http_access allow localhost
  visible_hostname localhost
  forwarded_for on
  cache_peer nevada.proxy.akaetp.net parent 443 0 ssl sslcafile=/etc/ssl/certs login=<username>:<password>
  dns_nameservers <SIA_DNS_IP_Primary> <SIA_DNS_IP_Secondary>
  acl all src all
  acl SSL_ports port 443
  acl CONNECT method CONNECT
  http_access allow all
  never_direct allow all
  prefer_direct off
  http_port 3128
  where:
  - <username> is the username that you configured in SIA as a proxy credential. Make sure the username includes the ID that's associated with your organization. For more information on the credential in SIA, see Create a proxy credential.
  - <password> is the password that you configured in SIA as a proxy credential.
  - <SIA_DNS_IP_Primary> is the IP address of the primary SIA DNS server.
  - <SIA_DNS_IP_Secondary> is the IP address of the secondary SIA DNS server.
- To validate the configuration file, enter this command:
  squid -k parse
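The following shell script is an added example, not code from the Akamai page or from Squid: it generates the cache_peer and dns_nameservers lines that the steps above append to the renamed squid.conf, emits the login= option only when a proxy credential is in use, and runs a few static checks a reviewer would want before `squid -k parse`. The function names (sia_peer_block, static_check, validate_conf), the hypothetical username 1234-acme, and the 192.0.2.x DNS addresses are constructed for the example and are not real SIA values.

```shell
#!/bin/sh
# Added example, not part of the Akamai page or Squid: build the SIA parent
# stanza for squid.conf and sanity-check it. Hosts, IPs and credentials used
# in the usage line are constructed placeholders.

# sia_peer_block PEER CA_FILE DNS_PRIMARY DNS_SECONDARY [USERNAME PASSWORD]
# Prints the configuration lines to append to the renamed squid.conf.
sia_peer_block() {
  peer=$1; ca=$2; dns1=$3; dns2=$4; user=${5:-}; pass=${6:-}
  line="cache_peer $peer parent 443 0 ssl sslcafile=$ca"
  if [ -n "$user" ]; then
    # A username without a password produces a login= value that Squid
    # accepts but the SIA parent rejects, so refuse to write it.
    [ -n "$pass" ] || { echo "sia_peer_block: password required with username" >&2; return 1; }
    line="$line login=$user:$pass"
  fi
  printf '%s\n' "$line"
  printf 'dns_nameservers %s %s\n' "$dns1" "$dns2"
  # Force every request through the SIA parent; a direct fetch would bypass policy.
  printf 'never_direct allow all\nprefer_direct off\n'
}

# static_check FILE: checks that do not need Squid installed.
static_check() {
  f=$1
  # Exactly one SIA parent, resolved through the SIA DNS servers, never direct.
  [ "$(grep -c '^cache_peer ' "$f")" -eq 1 ] || { echo "expected exactly one cache_peer" >&2; return 1; }
  grep -q '^dns_nameservers ' "$f" || { echo "dns_nameservers missing" >&2; return 1; }
  grep -q '^never_direct allow all' "$f" || { echo "never_direct allow all missing" >&2; return 1; }
  # sslcafile= names a PEM file; a directory of CA certificates belongs in sslcapath=.
  cafile=$(sed -n 's/.*sslcafile=\([^ ]*\).*/\1/p' "$f")
  if [ -n "$cafile" ] && [ -d "$cafile" ]; then
    echo "warning: sslcafile=$cafile is a directory; use sslcapath= for a directory" >&2
  fi
  # http_access allow all lets any client that can reach the listening port use
  # the proxy; restrict it by source network or firewall the port.
  if grep -q '^http_access allow all' "$f"; then
    echo "warning: http_access allow all accepts every client; restrict by src ACL or firewall" >&2
  fi
  return 0
}

# validate_conf FILE: static checks, then `squid -k parse` when Squid is present.
validate_conf() {
  static_check "$1" || return 1
  if command -v squid >/dev/null 2>&1; then
    squid -k parse -f "$1"
  fi
}

# Usage with constructed values (not real SIA addresses or credentials):
#   sia_peer_block nevada.proxy.akaetp.net /etc/ssl/certs 192.0.2.10 192.0.2.11 1234-acme S3cret \
#     >> /etc/squid/sia.conf && validate_conf /etc/squid/sia.conf
```

The script writes the stanza to stdout so it can be appended to the renamed configuration file and reviewed in a diff before Squid is restarted; `squid -k parse` remains the authoritative syntax check and is only run when the binary is on PATH.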
- Restart Squid. The command and process you use for this operation may vary depending on the Squid version. For example, on version 3.5, you enter this command:
  sudo systemctl restart squid
  For more information, see the Squid product documentation.
- To check Squid's status, enter this command:
  service squid status
- Go to the Squid logs and confirm there are no errors. The path to the log files varies depending on the Squid version. For example, on version 3.5, the path is /var/log/squid/access.log, while in later versions the path is /usr/local/squid/var/logs.
Next steps
- On an end user's machine or browser, manually configure Squid as a proxy server. You need to specify the Squid IP address and 3128 as the port. See the documentation for the browser or the operating system that you need to configure.
- Test that requests in the network are handled by SIA Proxy. For example, request a domain or URL that is blocked by the AUP. After verifying that the request is handled based on a policy configuration, you can return to the logs and confirm that you see log entries for TCP_TUNNEL.
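As an added example that is not part of the Akamai page, the script below audits Squid's native-format access.log after the test request described above. It counts the TCP_TUNNEL entries routed to the SIA parent and flags two failure modes a defender wants to catch: entries with hierarchy code HIER_DIRECT, which mean a request went to the origin and bypassed SIA despite never_direct, and 407 responses relayed from the parent, which point at a wrong or missing login= credential. The log lines, the client and peer addresses, and the function names (write_sample_log, audit_access_log) are constructed for the example, not output captured from a real proxy.

```shell
#!/bin/sh
# Added example, not part of the Akamai page or Squid: audit access.log for
# TCP_TUNNEL entries to the SIA parent and for requests that bypassed it.
# The sample lines are constructed in Squid's default native log format:
# time elapsed client code/status bytes method URL user hierarchy/peer type

# write_sample_log FILE: writes constructed access.log lines for the demo.
write_sample_log() {
  cat > "$1" <<'EOF'
1700000000.101    312 10.0.0.5 TCP_TUNNEL/200 4821 CONNECT blocked.example.com:443 - FIRSTUP_PARENT/nevada.proxy.akaetp.net -
1700000001.204    120 10.0.0.5 TCP_TUNNEL/200 9210 CONNECT allowed.example.net:443 - FIRSTUP_PARENT/nevada.proxy.akaetp.net -
1700000002.330     45 10.0.0.7 TCP_MISS/200 1532 GET http://www.example.org/ - HIER_DIRECT/192.0.2.80 text/html
1700000003.011     30 10.0.0.8 TCP_MISS/407 3910 CONNECT mail.example.com:443 - FIRSTUP_PARENT/nevada.proxy.akaetp.net text/html
1700000004.500      0 10.0.0.9 TCP_DENIED/403 3612 CONNECT bad.example.com:443 - HIER_NONE/- text/html
EOF
}

# audit_access_log FILE
# Prints one summary line: tunnel=N direct=N authfail=N denied=N
# Exit status 1 when any request went direct (policy bypass) or the parent
# answered 407 (the login= credential is rejected); details go to stderr.
audit_access_log() {
  awk '
    {
      split($4, st, "/")        # st[1]=result code, st[2]=HTTP status
      split($9, hier, "/")      # hier[1]=hierarchy code, hier[2]=peer or origin
      if (st[2] == "407" && hier[1] ~ /PARENT$/) {
        authfail++
        print "407 from parent for " $7 " (check login= credential)" > "/dev/stderr"
      } else if (hier[1] == "HIER_DIRECT") {
        direct++
        print "DIRECT: " $3 " " $6 " " $7 " bypassed the SIA parent" > "/dev/stderr"
      } else if (st[1] == "TCP_TUNNEL" && hier[1] ~ /PARENT$/) {
        tunnel++
      } else if (st[1] == "TCP_DENIED") {
        denied++
      }
    }
    END {
      printf "tunnel=%d direct=%d authfail=%d denied=%d\n", tunnel, direct, authfail, denied
      exit (direct > 0 || authfail > 0)
    }
  ' "$1"
}

# Usage on a real proxy (path from the steps above, Squid 3.5 layout):
#   audit_access_log /var/log/squid/access.log
```

Run it against the live access.log after the blocked-domain test: a healthy deployment shows only tunnel and denied counts, and a non-zero exit status is the cue to revisit never_direct, prefer_direct or the login= value before the proxy is rolled out to users.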