Hardening guide for Squid 3.1.8 on CentOS 5.5
- Login to the server using Root account.
- Create a new account:
groupadd squid
useradd -g squid -d /var/spool/squid -s /sbin/nologin squid - Install the following RPM files from the CentOS DVD:
rpm -ivh kernel-headers-2.6.18-194.el5.i386.rpm
rpm -ivh glibc-headers-2.5-49.i386.rpm
rpm -ivh glibc-devel-2.5-49.i386.rpm
rpm -ivh gmp-4.1.4-10.el5.i386.rpm
rpm -ivh libgomp-4.4.0-6.el5.i386.rpm
rpm -ivh cpp-4.1.2-48.el5.i386.rpm
rpm -ivh gcc-4.1.2-48.el5.i386.rpm
rpm -ivh libstdc++-devel-4.1.2-48.el5.i386.rpm
rpm -ivh gcc-c++-4.1.2-48.el5.i386.rpm - Download the latest Squid source files from: http://www.squid-cache.org/Versions/
- Copy using SCP (or PSCP), Squid source files into /tmp
- Move to /tmp
cd /tmp
- Extract Squid source file:
tar zxvf squid-3.1.8.tar.gz
- Move to the Squid source folder:
cd /tmp/squid-3.1.8
- Run the commands bellow to compile Squid from source files:
./configure --bindir=/usr/sbin --sbindir=/usr/sbin --libexecdir=/usr/lib/squid --with-logdir=/var/log/squid --with-pidfile=/var/run/squid.pid --with-default-user=squid --sysconfdir=/etc/squid --datarootdir=/usr/share/squid --enable-http-violations
make all
make install
- Move one folder up and remove Squid source files and default content:
cd ..
rm -rf /tmp/squid-3.1.8
rm -f /tmp/squid-3.1.8.tar.gz
rm -rf /usr/share/squid/man
rm -f /etc/squid/cachemgr.conf.default
rm -f /etc/squid/errorpage.css.default
rm -f /etc/squid/mime.conf.default
rm -f /etc/squid/msntauth.conf.default
rm -f /etc/squid/squid.conf.default
rm -f /etc/squid/squid.conf.documented - Change ownership and permissions on the log folder:
chown squid:root /var/log/squid
chmod 770 /var/log/squid - Edit using VI, the file /etc/squid/squid.conf and add the following lines to the end of the file:
cache_access_log /var/log/squid/access.log
Note 1: Replace “server1” with the Squid server DNS name.
cache_store_log none
shutdown_lifetime 1 second
icp_port 0
htcp_port 0
icp_access deny all
htcp_access deny all
forwarded_for off
request_header_access Allow allow all
request_header_access Authorization allow all
request_header_access WWW-Authenticate allow all
request_header_access Proxy-Authorization allow all
request_header_access Proxy-Authenticate allow all
request_header_access Cache-Control allow all
request_header_access Content-Encoding allow all
request_header_access Content-Length allow all
request_header_access Content-Type allow all
request_header_access Date allow all
request_header_access Expires allow all
request_header_access Host allow all
request_header_access If-Modified-Since allow all
request_header_access Last-Modified allow all
request_header_access Location allow all
request_header_access Pragma allow all
request_header_access Accept allow all
request_header_access Accept-Charset allow all
request_header_access Accept-Encoding allow all
request_header_access Accept-Language allow all
request_header_access Content-Language allow all
request_header_access Mime-Version allow all
request_header_access Retry-After allow all
request_header_access Title allow all
request_header_access Connection allow all
request_header_access Proxy-Connection allow all
request_header_access User-Agent allow all
request_header_access Cookie allow all
request_header_access All deny all
visible_hostname server1
maximum_object_size 4096 KB
minimum_object_size 1 KB
dns_nameservers DNS_value
client_lifetime 360 minutes
pconn_timeout 360 minutes
Note 2: Replace “DNS_value” with IP addresses of DNS servers - Run the command bellow to initialize the Squid:
/usr/sbin/squid -z
- In-order to manually start the Squid service, run the command bellow:
/usr/sbin/squid
- In-order to start the Squid service at server startup, add the command bellow to the /etc/rc.local file:
/usr/sbin/squid
- Uninstall the following RPM:
rpm -e gcc-c++-4.1.2-48.el5
rpm -e libstdc++-devel-4.1.2-48.el5
rpm -e gcc-4.1.2-48.el5
rpm -e cpp-4.1.2-48.el5
rpm -e libgomp-4.4.0-6.el5
rpm -e gmp-4.1.4-10.el5
rpm -e glibc-devel-2.5-49
rpm -e glibc-headers-2.5-49
rpm -e kernel-headers-2.6.18-194.el5
Hei blog owner, I have a tiny request. I was just googleing for some information on this topic you wrote and found this post. Some really nice stuff you got here. Can I please share this post on my new website I am currently workin’ on? It would be great:) . I will check back again later to see how you responded. Thanks, Mike Lopez .
No problem, as long as you put a link for the original post in this blog.
Please change:
–enable-http-violationsmake allmake install
to:
–enable-http-violations make allmake install
Yeah!! you have saved the day!!! well, my day. Thanks!. I was skipping the step of creating the group/user, and also (of course) changing the permission to the log folder.
For those people who are trying to compilate from source (as I did it), I left you here the ‘./configure line’ which worked for me on CentOS 5.6 and squid 3.1.15.
./configure –prefix=/usr –includedir=/usr/include –datadir=/usr/share –bindir=/usr/bin –sbindir=/usr/sbin –libexecdir=/usr/lib/squid –localstatedir=/var –sysconfdir=/etc/squid –mandir=/usr/share/man –infodir=/usr/share/info –with-logdir=/var/log/squid –with-pidfile=/var/run/squid.pid –with-default-user=squid –datarootdir=/usr/share/squid –enable-delay-pools –enable-snmp –enable-removal-policies=heap,lru –enable-storeio=aufs,diskd,ufs –enable-ssl –with-openssl=/usr/kerberos –enable-useragent-log –enable-referer-log –disable-dependency-tracking –enable-cachemgr-hostname=localhost –enable-cache-digests –enable-ident-lookups –with-large-files –enable-follow-x-forwarded-for –enable-linux-netfilter –enable-auth –enable-auth-basic –enable-external-acl-helpers=ip_user,ldap_group,unix_group.
By the way, give it try to gadmin-squid a GUI. Easy to use and install.
Again, thanks a lot for the post!!
Just Say.. Thank for your guide