TrainingSupportCommunity

Configure Squid to forward traffic to SIA Proxy

Suggest Edits

Before you begin

  1. Make sure you install Squid on an operating system that supports SSL on Squid. For example, you can use Windows or Ubuntu 16 and later.

  2. Make sure that you upgrade Squid to version 3.5 or later. When preparing to compile the installation files, use these settings to enable SSL:

    ./configure --with-default-user=proxy --with-openssl --enable-ssl--crtd

  3. Make sure you generate a MITM CA TLS certificate in ā€‹SIAā€‹ and distribute this certificate to computers or TLS clients in your network. See ā€‹SIAā€‹ Proxy as a TLS intermediary and Distribute the ā€‹SIAā€‹ Proxy certificate.

  4. On the system where Squid is installed, create a copy of the squid.conf file to make sure that you keep the original configuration file as a reference. For example, on Linux, enter this command to copy the file:

    sudo cp /etc/squid/squid.conf /etc/squid/<NEWNAME>.conf
sudo chmod a-w /etc/squid/<NEWNAME>.conf

    where <NEWNAME> is the name of the Squid configuration file.

  5. In ā€‹SIAā€‹, make sure the IP address for Squid is added to a location configuration. To add or edit a location, see Create a location.

  6. If you configured proxy authorization in ā€‹SIAā€‹, make sure you copy the username and remember the password that you configured for the proxy credential in ā€‹SIAā€‹. For more information, see Configure proxy authorization and Create a proxy credential.

If your organization currently uses Squid as a caching and forward HTTP web proxy, you can configure it to forward traffic to ā€‹SIAā€‹. This feature is supported on Squid version 3.5 or later.

To configure Squid to forward traffic to ā€‹SIAā€‹ Proxy:

  1. Open the renamed configuration file.

  2. Confirm that the forwarded-for option is set on. This option should be enabled by default.

  3. At the end of the renamed configuration file, add this information:

    cache_peer nevada.proxy.akaetp.net parent 443 0 ssl sslcafile=/etc/ssl/certs
dns nameservers <<<PRODUCT_NICKNAME>>_DNS_IP_Primary> <<<PRODUCT_NICKNAME>>_DNS_IP_Secondary>

    where:

    • <ā€‹SIAā€‹_DNS_IP_Primary> is the IP address of the primary ā€‹SIAā€‹ DNS server.

    • <ā€‹SIAā€‹_DNS_IP_Secondary> is the IP address of the secondary ā€‹SIAā€‹ DNS server.

  4. If you enabled proxy authorization in an ā€‹SIAā€‹ policy and configured proxy credentials in ā€‹SIAā€‹, you need to also configure these credentials in Squid. In the cache_peer configuration, add this authentication option:

    login=<username>:<password>

    where:

    • <username> is the username that you configured in ā€‹SIAā€‹. You can copy this username from ā€‹SIAā€‹. Make sure the username includes the ID number that's associated with your organization.

    • <password> is the password that you configured in ā€‹SIAā€‹ for the proxy credential.

    For more information, see Enable proxy authorization and Create a proxy credential.

  5. Optionally, configure user authentication. As part of this process, you need to add proxy_auth ACL entries to the configuration file. For more information, see the Squid documentation.

  6. Review the configuration file and confirm that it looks like this:

    http_access allow localhost
visible_hostname = localhost
forwarded_for on
cache_peer nevada.proxy.akaetp.net parent 443 0 ssl sslcafile=/etc/ssl/certs login=<username>: 
<password>
dns_nameservers <<<PRODUCT_NICKNAME>>_DNS_IP_Primary> <<<PRODUCT_NICKNAME>>_DNS_IP_Secondary>

acl all src all
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access allow all
never_direct allow all
prefer_direct off
http_port 3128

    where:

    • <username> is the username that you configured in ā€‹SIAā€‹ as a proxy credential. Make sure the username includes the ID that's associated with your organization. For more information on the credential in ā€‹SIAā€‹, see Create a proxy credential.

    • <password> is the password that you configured in ā€‹SIAā€‹ as a proxy credential.

    • <ā€‹SIAā€‹_DNS_IP_Primary> is the IP address of the primary ā€‹SIAā€‹ DNS server.

    • <ā€‹SIAā€‹_DNS_IP_Secondary> is the IP address of the secondary ā€‹SIAā€‹ DNS server.

  7. To validate the configuration file, enter this command:

    squid -k parse

  8. Restart Squid. The command and process you use for this operation may vary depending on Squid version. For example, on version 3.5, you enter this command:

    sudo systemctl restart squid

    For more information, see the Squid product documentation.

  9. To check Squid's status, enter this command:

    service squid status

  10. Go to the Squid logs and confirm there are no errors. The path to log files varies depending on the Squid version. For example, on version 3.5, the path is var/log/squid/access.log, while in later versions the path is/usr/local/squid/var/logs.

Next steps

  1. On an end user's machine or browser, manually configure Squid as a proxy server. You need to specify the Squid IP address and 3128as the port. See the documentation for the browser or the operating system that you need to configure.

  2. Test that requests in the network are handled by ā€‹SIAā€‹ proxy. For example, request a domain or URL that is blocked by the AUP. After verifying that the request is handled based on a policy configuration, you can return to the logs and confirm that you see logs entries for TCP_TUNNEL.

Updated 11 months ago