Squid

https://blog.barclayhowe.com/keeping-the-kids-safe-from-the-internet-with-filtering/

https://www.linux-magazine.com/Issues/2014/158/Security-Lessons-Squid-Filtering

https://techexpert.tips/de/squid-de/installieren-sie-squid-mit-https-unterstuetzung-unter-ubuntu-linux/

https://www.howtoforge.de/anleitung/installation-des-squid-proxy-servers-unter-ubuntu-2004/

https://computingforgeeks.com/install-and-configure-squid-proxy-server-on-ubuntu/

https://phoenixnap.com/kb/setup-install-squid-proxy-server-ubuntu

SARG: https://www.tecmint.com/sarg-squid-analysis-report-generator-and-internet-bandwidth-monitoring-tool/

Port: 3128

Installation

  • apt install squid
  • vi /etc/squid/squid.conf
    • http_access allow localhost
      
      acl my_lan src 10.10.46.0/24
      http_access allow my_lan
      
      # And finally deny all other access to this proxy
      http_access deny all
      
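    • acl client1 src 192.168.10.10
      acl client2 src 192.168.10.11
      # One allow line per client (ACLs on the same line are ANDed); keep these above "http_access deny all"
      http_access allow client1
      http_access allow client2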
  • Add SSL Support
  • Cert
    • mkdir /etc/squid/ssl_cert
    • chmod 700 /etc/squid/ssl_cert
    • cd /etc/squid/ssl_cert
    • openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -extensions v3_ca -keyout myCA.pem -out myCA.pem
    • openssl x509 -in myCA.pem -outform DER -out myCA.der

https://www.netways.de/en/blog/2020/10/15/squid-4-proxy-mit-ldap-mitm-ssl-bump/

https://support.kaspersky.com/KWTS/6.1/en-US/166244.htm
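
Squid ANDs the ACL names listed on one http_access line and stops at the first line that matches, which decides whether the client rules in the Installation notes above ever take effect. The sketch below is an added example, not part of the original notes and not Squid code: a small evaluator that models only "src" ACLs given as single IPs or CIDR networks. The function names, the sample configs and the outside address 203.0.113.7 are constructed for illustration.

```python
import ipaddress

# ACLs Squid predefines; only "src"-type ACLs are modelled in this sketch.
BUILTIN = {"all": ["0.0.0.0/0", "::/0"], "localhost": ["127.0.0.1/32", "::1/128"]}

def parse(conf):
    """Return (acls, rules) parsed from squid.conf text."""
    acls = {k: [ipaddress.ip_network(v) for v in vs] for k, vs in BUILTIN.items()}
    rules = []
    for raw in conf.splitlines():
        tok = raw.split("#", 1)[0].split()
        if len(tok) >= 4 and tok[0] == "acl" and tok[2] == "src":
            # Repeated "acl NAME src ..." lines add values to one ACL (values are ORed).
            acls.setdefault(tok[1], []).extend(
                ipaddress.ip_network(v, strict=False) for v in tok[3:])
        elif len(tok) >= 3 and tok[0] == "http_access":
            rules.append((tok[1], tok[2:]))
    return acls, rules

def decide(conf, client):
    """Return "allow" or "deny" for a client IP under the http_access rules."""
    acls, rules = parse(conf)
    ip = ipaddress.ip_address(client)

    def hit(name):
        negate, name = name.startswith("!"), name.lstrip("!")
        return any(ip in net for net in acls[name]) != negate

    for action, names in rules:
        if all(hit(n) for n in names):   # every ACL on the line must match (AND)
            return action                # first matching line decides
    # No line matched: Squid applies the opposite of the last line;
    # with no http_access lines at all it denies.
    return "deny" if not rules or rules[-1][0] == "allow" else "allow"

# Constructed sample configs using the addresses from the notes above.
BASE = """
acl my_lan src 10.10.46.0/24
acl client1 src 192.168.10.10
acl client2 src 192.168.10.11
http_access allow localhost
http_access allow my_lan
"""
ANDED = BASE + "http_access allow client1 client2\nhttp_access deny all\n"
SPLIT = BASE + "http_access allow client1\nhttp_access allow client2\nhttp_access deny all\n"
LATE = BASE + "http_access deny all\nhttp_access allow client1\n"

if __name__ == "__main__":
    for label, conf in (("ANDED", ANDED), ("SPLIT", SPLIT), ("LATE", LATE)):
        print(label, decide(conf, "192.168.10.10"))
```

ANDED and LATE both deny 192.168.10.10: the first because no address can be client1 and client2 at once, the second because "deny all" matches before the allow line is reached.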

Transparent

  • vi /etc/squid/squid.conf
    • http_port 3128 intercept
      http_port 80
      http_port 443
    • ^ why the second two lines?
  • iptables -t nat -I PREROUTING -p tcp -s 10.10.46.0/24 --dport 80 -j REDIRECT --to-port 3128
  • iptables -t nat -I PREROUTING -p tcp -s 10.10.46.0/24 --dport 443 -j REDIRECT --to-port 3128

SquidAnalyzer

  • wget https://codeload.github.com/darold/squidanalyzer/zip/refs/heads/master
  • unzip master
  • cd squidanalyzer-master
  • perl Makefile.PL
  • make && make install
    • 1. Modify your httpd.conf to allow access to HTML output like follow:
              Alias /squidreport /var/www/squidanalyzer
              <Directory /var/www/squidanalyzer>
                  Options -Indexes FollowSymLinks MultiViews
              AllowOverride None
                  Order deny,allow
                  Deny from all
                  Allow from 127.0.0.1
              </Directory>
      2. If necessary, give additional host access to SquidAnalyzer in httpd.conf.
         Restart and ensure that httpd is running.
      3. Browse to http://my.host.dom/squidreport/ to ensure that things are working
         properly.
      4. Setup a cronjob to run squid-analyzer daily:

           # SquidAnalyzer log reporting daily
           0 2 * * * /usr/local/bin/squid-analyzer > /dev/null 2>&1

      or run it manually. For more information, see /README file.

  • vi /etc/apache2/sites-available/squidanalyzer.conf

    • <VirtualHost *:80>
              ServerName squidanalyzer
              ServerAdmin office@example.com
              DocumentRoot /var/www/squidanalyzer
      </VirtualHost>

  • a2ensite squidanalyzer.conf

  • service apache2 restart

  • vi /etc/squidanalyzer/squidanalyzer.conf

    • WebUrl  /
      LogFile /var/log/squid/access.log
  • /usr/local/bin/squid-analyzer
  • ls -la /var/www/squidanalyzer
  • @notebook: create hosts entry 10.10.46.135 squidanalyzer
  • http://squidanalyzer/

 

Time Quota

http://www.squid-cache.org/mail-archive/squid-dev/201104/0009.html

https://www.gsp.com/cgi-bin/man.cgi?section=8&topic=ext_time_quota_acl
 

Possible alternative: dynamic Firewall rules (Shorewall?)
 

Analysing Tools

Squid Analyzer

Calamaris

Darold