So I finally gave up and went with two separate instances of Squid, which in initial testing seems to be doing exactly what I'd like: cache data before HAVP, and have all data going to clients get scanned each time, regardless of whether it was cached or not. Below are my two config files for Squid.
There are a couple of things:
1. This does split up the logs (or gives you the option), so you have one log for client access logs, which should all be MISS but have correct internal IPs. The other will only have the loopback address, but will have accurate HIT/MISS entries. This will make using analysis tools such as Calamaris easier. (Note, I've chosen to turn off the client access logs. I'm not interested in tracing what a particular machine/user is doing.)
2. You'll have to manually start the second Squid (I call it squid-outer) with the alternate config file. I use:
squid -D -f /etc/squid/squid-outer.conf
You'll also have to stop it:
squid -f /etc/squid/squid-outer.conf -k shutdown
I'm sure there's a way to integrate that with the rc script, but I'm just not that motivated.
3. You'll have to modify your logrotate scripts.
4. You'll want to dissect the ACLs I've listed below. They're almost certainly looser than they need to be. This was just my first stab at things.
5. Adjust caching rules in the "outer" config file. Adjust client restrictions/authentications in the "inner".
Enjoy!
-Joe Rhodes
# WELCOME TO SQUID 2.6.STABLE6
# ----------------------------
# This is Squid-inner. It listens for requests from clients on port 3128, forwards
# those requests to HAVP, and doesn't cache the results. HAVP forwards requests
# to a caching instance of Squid. This keeps you from serving potentially
# infected cache files to clients. This is also where you would make any client
# ACL rules.
http_port 3128
# LOGFILE PATHNAMES AND CACHE DIRECTORIES
# -----------------------------------------------------------------------------
cache_dir diskd /var/spool/squid-inner 1000 16 16
#access_log /var/log/squid/access-inner.log squid
# Turn off client logging
access_log none
# OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
# -----------------------------------------------------------------------------
#HAVP on localhost port 8080
cache_peer 127.0.0.1 parent 8080 0 no-query no-digest no-netdb-exchange proxy-only default
# ACCESS CONTROLS
# -----------------------------------------------------------------------------
#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
#http_access deny to_localhost
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
acl local_network src 192.168.1.0/24
http_access allow local_network
# And finally deny all other access to this proxy
http_access allow localhost
http_access deny all
http_reply_access allow all
# MISCELLANEOUS
# -----------------------------------------------------------------------------
#Always use Squid2 (external) or HAVP
prefer_direct off
# Send HTTPS request out directly, don't send through HAVP
always_direct allow SSL_ports
# Send all other requests through HAVP
never_direct allow all
# Don't cache any results
cache deny all
#Suggested default:
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
# WELCOME TO SQUID 2.6.STABLE6
# ----------------------------
# This is Squid-outer for HAVP. It listens for requests from the HAVP daemon and
# caches the results. (Squid1 listens for requests from clients, uses HAVP as a parent, and
# does NOT cache results.)
http_port 8081
# OPTIONS WHICH AFFECT THE CACHE SIZE
# -----------------------------------------------------------------------------
cache_mem 128 MB
maximum_object_size 300 MB
maximum_object_size_in_memory 64 KB
# LOGFILE PATHNAMES AND CACHE DIRECTORIES
# -----------------------------------------------------------------------------
cache_dir diskd /var/spool/squid-outer 10000 256 256
access_log /var/log/squid/access-outer.log squid
#Default:
# debug_options ALL,1
pid_filename /var/run/squid-outer.pid
# OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
# -----------------------------------------------------------------------------
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
# ACCESS CONTROLS
# -----------------------------------------------------------------------------
#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# HTTPS traffic scanning not needed
#acl Proto_HTTPS proto HTTPS
#cache_peer_access 127.0.0.1 allow !Proto_HTTPS
#cache_peer_access 127.0.0.1 deny all
#cache_peer_access 127.0.0.2 allow all
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
#http_access deny to_localhost
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
acl local_network src 192.168.1.0/24
http_access allow local_network
acl localhosts src 127.0.0.0/24
http_access allow localhosts
# And finally deny all other access to this proxy
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow all
# OPTIONS FOR TUNING THE CACHE
# -----------------------------------------------------------------------------
refresh_pattern ^http://.*\.apple\.com 3600 200% 43200 reload-into-ims
refresh_pattern windowsupdate.com/.*\.(cab|exe) 4320 100% 43200 reload-into-ims
refresh_pattern download.microsoft.com/.*\.(cab|exe) 4320 100% 43200 reload-into-ims
refresh_pattern ^http://.*\.cnn\.com 60 50% 4320 override-lastmod
refresh_pattern ^http://news\.bbc\.co\.uk 60 50% 4320 override-lastmod
refresh_pattern microsoft 60 150% 10080 override-lastmod
refresh_pattern msn\.com 4320 150% 10080 override-lastmod
refresh_pattern ^http://.*\.doubleclick\.net 10080 300% 40320 override-lastmod
refresh_pattern ^http://.*FIDO 360 1000% 480
refresh_pattern \.r[0-9][0-9]$ 10080 150% 40320
refresh_pattern ^http://.*\.gif$ 1440 50% 20160
refresh_pattern ^http://.*\.asis$ 1440 50% 20160
refresh_pattern -i \.pdf$ 10080 90% 43200
refresh_pattern -i \.art$ 10080 150% 43200
refresh_pattern -i \.avi$ 10080 150% 40320
refresh_pattern -i \.mov$ 10080 150% 40320
refresh_pattern -i \.wav$ 10080 150% 40320
refresh_pattern -i \.mp3$ 10080 150% 40320
refresh_pattern -i \.qtm$ 10080 150% 40320
refresh_pattern -i \.mid$ 10080 150% 40320
refresh_pattern -i \.viv$ 10080 150% 40320
refresh_pattern -i \.mpg$ 10080 150% 40320
refresh_pattern -i \.jpg$ 10080 150% 40320 reload-into-ims override-lastmod
refresh_pattern -i \.rar$ 10080 150% 40320
refresh_pattern -i \.ram$ 10080 150% 40320
refresh_pattern -i \.gif$ 10080 300% 40320
refresh_pattern -i \.txt$ 1440 100% 20160 reload-into-ims override-lastmod
refresh_pattern -i \.zip$ 2880 200% 40320
refresh_pattern -i \.arj$ 2880 200% 40320
refresh_pattern -i \.exe$ 2880 200% 40320
refresh_pattern -i \.tgz$ 10080 200% 40320
refresh_pattern -i \.gz$ 10080 200% 40320
refresh_pattern -i \.tgz$ 10080 200% 40320
refresh_pattern -i \.tar$ 10080 200% 40320
refresh_pattern -i \.Z$ 10080 200% 40320
refresh_pattern -i \.dmg$ 10080 200% 40320
#Suggested default:
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
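Added example, not part of Joe's post or of Squid itself: a small Python lint that parses squid.conf text and checks the two properties this split design depends on. The inner instance must not cache and must send everything through the HAVP parent, and the outer (caching) instance must accept requests only from loopback, because any `http_access allow` rule in the outer file that admits LAN addresses (such as the `local_network` rule carried over from the default template) lets a client point its browser at the outer port and receive cached, unscanned content. The mini-configs embedded below are constructed to mirror the shape of the two files above; function names are my own.

```python
"""Lint for a two-instance Squid/HAVP chain (constructed example)."""
import ipaddress
from typing import Dict, List

LOOPBACK_NET = ipaddress.ip_network("127.0.0.0/8")


def parse_squid_conf(text: str) -> List[List[str]]:
    """Return every non-comment directive as a token list, directive first."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # squid.conf comments start with '#'
        if line:
            rules.append(line.split())
    return rules


def src_acls(rules: List[List[str]]) -> Dict[str, List[str]]:
    """Map each 'acl NAME src ...' to all of its address specs (acls may span lines)."""
    acls: Dict[str, List[str]] = {}
    for r in rules:
        if len(r) >= 4 and r[0] == "acl" and r[2] == "src":
            acls.setdefault(r[1], []).extend(r[3:])
    return acls


def loopback_only(spec: str) -> bool:
    """True if a Squid src spec (addr, addr/mask or addr/bits) lies inside 127/8."""
    try:
        return ipaddress.ip_network(spec, strict=False).subnet_of(LOOPBACK_NET)
    except (ValueError, TypeError):
        return False  # hostnames, IPv6 etc.: treat as not loopback-restricted


def check_outer(text: str) -> List[str]:
    """Return the 'http_access allow' rules that admit non-loopback clients."""
    rules = parse_squid_conf(text)
    acls = src_acls(rules)
    findings = []
    for r in rules:
        if r[:2] != ["http_access", "allow"]:
            continue
        # A rule only fires when every term matches, so one loopback-only src
        # term is enough to confine the rule; negated terms never confine it.
        confined = any(
            not t.startswith("!") and t in acls and all(loopback_only(s) for s in acls[t])
            for t in r[2:]
        )
        if not confined:
            findings.append(" ".join(r))
    return findings


def check_inner(text: str) -> List[str]:
    """Return the invariants the client-facing instance is missing."""
    rules = parse_squid_conf(text)
    findings = []
    if ["cache", "deny", "all"] not in rules:
        findings.append("inner instance caches: add 'cache deny all'")
    if ["never_direct", "allow", "all"] not in rules:
        findings.append("inner instance may go direct: add 'never_direct allow all'")
    if not any(r[0] == "cache_peer" and "parent" in r for r in rules):
        findings.append("no cache_peer parent (HAVP) configured")
    return findings


# Constructed mini-configs in the shape of the two files above.
INNER_CONF = """\
http_port 3128
cache_peer 127.0.0.1 parent 8080 0 no-query no-digest proxy-only default
acl local_network src 192.168.1.0/24
http_access allow local_network
http_access deny all
never_direct allow all
cache deny all
"""

OUTER_CONF_EXPOSED = """\
http_port 8081
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl local_network src 192.168.1.0/24
acl localhosts src 127.0.0.0/24
http_access allow manager localhost
http_access deny manager
http_access allow local_network   # LAN clients can reach the cache directly
http_access allow localhosts
http_access allow localhost
http_access deny all
"""

# Same file with the LAN rule dropped: only HAVP on loopback may talk to it.
OUTER_CONF_TIGHT = "\n".join(
    l for l in OUTER_CONF_EXPOSED.splitlines() if "allow local_network" not in l
) + "\n"

if __name__ == "__main__":
    print("inner:", check_inner(INNER_CONF) or "ok")
    print("outer (exposed):", check_outer(OUTER_CONF_EXPOSED) or "ok")
    print("outer (tight):", check_outer(OUTER_CONF_TIGHT) or "ok")
```

Run against the real files (`check_outer(open("/etc/squid/squid-outer.conf").read())`) after each ACL edit; an empty list from `check_outer` means nothing but loopback can reach the caching instance, and an empty list from `check_inner` means the client-facing instance still refuses to cache or bypass HAVP.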