Hardening guide for Squid 3.1.8 on CentOS 5.5

  1. Login to the server using Root account.
  2. Create a new account:
    groupadd squid
    useradd -g squid -d /var/spool/squid -s /sbin/nologin squid
  3. Install the following RPM files from the CentOS DVD:
    rpm -ivh kernel-headers-2.6.18-194.el5.i386.rpm
    rpm -ivh glibc-headers-2.5-49.i386.rpm
    rpm -ivh glibc-devel-2.5-49.i386.rpm
    rpm -ivh gmp-4.1.4-10.el5.i386.rpm
    rpm -ivh libgomp-4.4.0-6.el5.i386.rpm
    rpm -ivh cpp-4.1.2-48.el5.i386.rpm
    rpm -ivh gcc-4.1.2-48.el5.i386.rpm
    rpm -ivh libstdc++-devel-4.1.2-48.el5.i386.rpm
    rpm -ivh gcc-c++-4.1.2-48.el5.i386.rpm
  4. Download the latest Squid source files from: http://www.squid-cache.org/Versions/
  5. Copy using SCP (or PSCP), Squid source files into /tmp
  6. Move to /tmp
    cd /tmp
  7. Extract Squid source file:
    tar zxvf squid-3.1.8.tar.gz
  8. Move to the Squid source folder:
    cd /tmp/squid-3.1.8
  9. Run the commands bellow to compile Squid from source files:
    ./configure --bindir=/usr/sbin --sbindir=/usr/sbin --libexecdir=/usr/lib/squid --with-logdir=/var/log/squid --with-pidfile=/var/run/squid.pid --with-default-user=squid --sysconfdir=/etc/squid --datarootdir=/usr/share/squid --enable-http-violations

    make all

    make install  

  10. Move one folder up and remove Squid source files and default content:
    cd ..
    rm -rf /tmp/squid-3.1.8
    rm -f /tmp/squid-3.1.8.tar.gz
    rm -rf /usr/share/squid/man
    rm -f /etc/squid/cachemgr.conf.default
    rm -f /etc/squid/errorpage.css.default
    rm -f /etc/squid/mime.conf.default
    rm -f /etc/squid/msntauth.conf.default
    rm -f /etc/squid/squid.conf.default
    rm -f /etc/squid/squid.conf.documented
  11. Change ownership and permissions on the log folder:
    chown squid:root /var/log/squid
    chmod 770 /var/log/squid
  12. Edit using VI, the file /etc/squid/squid.conf and add the following lines to the end of the file:
    cache_access_log /var/log/squid/access.log
    cache_store_log none
    shutdown_lifetime 1 second
    icp_port 0
    htcp_port 0
    icp_access deny all
    htcp_access deny all
    forwarded_for off
    request_header_access Allow allow all
    request_header_access Authorization allow all
    request_header_access WWW-Authenticate allow all
    request_header_access Proxy-Authorization allow all
    request_header_access Proxy-Authenticate allow all
    request_header_access Cache-Control allow all
    request_header_access Content-Encoding allow all
    request_header_access Content-Length allow all
    request_header_access Content-Type allow all
    request_header_access Date allow all
    request_header_access Expires allow all
    request_header_access Host allow all
    request_header_access If-Modified-Since allow all
    request_header_access Last-Modified allow all
    request_header_access Location allow all
    request_header_access Pragma allow all
    request_header_access Accept allow all
    request_header_access Accept-Charset allow all
    request_header_access Accept-Encoding allow all
    request_header_access Accept-Language allow all
    request_header_access Content-Language allow all
    request_header_access Mime-Version allow all
    request_header_access Retry-After allow all
    request_header_access Title allow all
    request_header_access Connection allow all
    request_header_access Proxy-Connection allow all
    request_header_access User-Agent allow all
    request_header_access Cookie allow all
    request_header_access All deny all
    visible_hostname server1
    maximum_object_size 4096 KB
    minimum_object_size 1 KB
    dns_nameservers DNS_value
    client_lifetime 360 minutes
    pconn_timeout 360 minutes
    Note 1: Replace “server1” with the Squid server DNS name.
    Note 2: Replace “DNS_value” with IP addresses of DNS servers
  13. Run the command bellow to initialize the Squid:
    /usr/sbin/squid -z
  14. In-order to manually start the Squid service, run the command bellow:
    /usr/sbin/squid
  15. In-order to start the Squid service at server startup, add the command bellow to the /etc/rc.local file:
    /usr/sbin/squid
  16. Uninstall the following RPM:
    rpm -e gcc-c++-4.1.2-48.el5
    rpm -e libstdc++-devel-4.1.2-48.el5
    rpm -e gcc-4.1.2-48.el5
    rpm -e cpp-4.1.2-48.el5
    rpm -e libgomp-4.4.0-6.el5
    rpm -e gmp-4.1.4-10.el5
    rpm -e glibc-devel-2.5-49
    rpm -e glibc-headers-2.5-49
    rpm -e kernel-headers-2.6.18-194.el5

7 Responses to “Hardening guide for Squid 3.1.8 on CentOS 5.5”

  • Hei blog owner, I have a tiny request. I was just googleing for some information on this topic you wrote and found this post. Some really nice stuff you got here. Can I please share this post on my new website I am currently workin’ on? It would be great:) . I will check back again later to see how you responded. Thanks, Mike Lopez .

  • IgorA100 says:

    Please change:
    –enable-http-violationsmake allmake install
    to:
    –enable-http-violations make allmake install

  • Reuel Soriano says:

    Yeah!! you have saved the day!!! well, my day. Thanks!. I was skipping the step of creating the group/user, and also (of course) changing the permission to the log folder.
    For those people who are trying to compilate from source (as I did it), I left you here the ‘./configure line’ which worked for me on CentOS 5.6 and squid 3.1.15.
    ./configure –prefix=/usr –includedir=/usr/include –datadir=/usr/share –bindir=/usr/bin –sbindir=/usr/sbin –libexecdir=/usr/lib/squid –localstatedir=/var –sysconfdir=/etc/squid –mandir=/usr/share/man –infodir=/usr/share/info –with-logdir=/var/log/squid –with-pidfile=/var/run/squid.pid –with-default-user=squid –datarootdir=/usr/share/squid –enable-delay-pools –enable-snmp –enable-removal-policies=heap,lru –enable-storeio=aufs,diskd,ufs –enable-ssl –with-openssl=/usr/kerberos –enable-useragent-log –enable-referer-log –disable-dependency-tracking –enable-cachemgr-hostname=localhost –enable-cache-digests –enable-ident-lookups –with-large-files –enable-follow-x-forwarded-for –enable-linux-netfilter –enable-auth –enable-auth-basic –enable-external-acl-helpers=ip_user,ldap_group,unix_group.

    By the way, give it try to gadmin-squid a GUI. Easy to use and install.

    Again, thanks a lot for the post!!

  • Mocha says:

    Just Say.. Thank for your guide

Leave a Reply

Search This Blog
Labels
NetworkedBlogs