Squid Proxy Server Configuration


Overview

The Pimeleon router implements Squid as a comprehensive HTTP/HTTPS caching and filtering proxy server, providing both transparent interception and explicit proxy capabilities. Squid operates on multiple ports (3128, 3129, 31443) and integrates with Privoxy for advanced content filtering, while offering SSL bumping for HTTPS traffic inspection and caching for improved performance.

Architecture & Design Philosophy

Multi-Port Proxy Strategy

Squid operates across different ports for various proxy modes:

  • Port 3128: Standard HTTP proxy for explicit client configuration
  • Port 3129: Transparent HTTP proxy for intercepted traffic
  • Port 31443: Transparent HTTPS proxy with SSL bumping for traffic inspection
  • Dual Interface: Serves both LAN (192.168.76.x) and WiFi (192.168.77.x) networks

Transparent Proxy Integration

Seamless traffic interception through Shorewall redirection:

  • HTTP Interception: All HTTP traffic automatically redirected to Squid
  • HTTPS Interception: HTTPS traffic intercepted for content analysis
  • Client Transparency: Clients unaware of proxy interception
  • Network-Level Control: Redirection is enforced by the firewall, so devices cannot opt out by changing their own proxy settings

SSL Bumping for HTTPS Inspection

Advanced HTTPS traffic analysis and filtering:

  • Certificate Authority: Custom CA certificate for SSL certificate generation
  • Dynamic Certificates: On-the-fly certificate generation for intercepted sites
  • Content Inspection: HTTPS content accessible for filtering and caching
  • Privacy Balance: Selective bumping with site-specific bypass options

Service Configuration

Core Squid Settings

Foundation configuration for proxy operation:

  • Cache Directory: /var/spool/squid (2GB cache, 50 first-level subdirectories)
  • Process User: proxy (dedicated user for security isolation)
  • DNS Configuration: Uses Pimeleon router DNS (192.168.77.1) for resolution
  • Privacy Protection: X-Forwarded-For headers removed for anonymity

Access Control Lists (ACLs)

Comprehensive access control for security and functionality:

Network ACLs

  • Localhost: 127.0.0.0/8 and ::1 for local access
  • Local Networks: RFC 1918 private ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
  • Safe Ports: Standard web ports (80, 443) plus common protocols
  • SSL Ports: HTTPS port 443 for secure connections

Protocol ACLs

  • FTP Protocol: Matches FTP requests so they can be routed differently from HTTP (see Routing Strategy)
  • CONNECT Method: Matches tunnel requests, which HTTPS clients use through the explicit proxy
  • Safe Port Enforcement: Only approved ports accessible through proxy

HTTP Port Configuration

Multiple listening ports for different proxy modes:

Standard HTTP Proxy (Port 3128)

  • Listen Address: 127.0.0.1:3128, 192.168.76.1:3128
  • Purpose: Explicit proxy configuration for client applications
  • Access: Direct client configuration with proxy settings
  • Use Case: Applications that support proxy configuration

Transparent HTTP Proxy (Port 3129)

  • Listen Address: 127.0.0.1:3129, 192.168.77.1:3129
  • Mode: Transparent interception mode
  • Purpose: Automatic HTTP traffic interception via Shorewall
  • Client Impact: Zero client configuration required
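
As an added example, not the Pimeleon project's own squid.conf, these are the directives that implement the core settings, ACLs and HTTP ports described above. Squid 4.x/5.x syntax is assumed; the Safe_ports entries other than 80 and 443 are Squid's stock list and are an assumption here.

```conf
# --- Core settings (values taken from this page) ---
cache_effective_user proxy          # run as the dedicated "proxy" user
dns_nameservers 192.168.77.1        # resolve through the router's own DNS

# --- Network ACLs ---
acl localnet src 10.0.0.0/8         # RFC 1918 ranges
acl localnet src 172.16.0.0/12
acl localnet src 192.168.0.0/16
acl SSL_ports port 443
acl Safe_ports port 80 443          # web
acl Safe_ports port 21 70 210       # ftp, gopher, wais (assumed: Squid's stock list, trimmed)
acl Safe_ports port 1025-65535      # unregistered ports
acl CONNECT method CONNECT
acl FTP proto FTP

# --- Listening ports ---
http_port 127.0.0.1:3128            # explicit proxy, clients configure it themselves
http_port 192.168.76.1:3128
http_port 127.0.0.1:3129 intercept  # transparent HTTP, fed by the Shorewall redirect
http_port 192.168.77.1:3129 intercept

# --- Access rules: first match wins, so the deny rules come before the allows ---
# "localhost" and "manager" are ACLs Squid defines itself (3.2 and later).
http_access deny !Safe_ports            # nothing outside the safe-port list
http_access deny CONNECT !SSL_ports     # tunnels only to port 443
http_access allow localhost manager     # cache manager only from the router itself
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all                    # make the default explicit
```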

HTTPS SSL Bumping Configuration

Advanced HTTPS interception and inspection:

SSL Bumping Ports (Port 31443)

  • Listen Address: 127.0.0.1:31443, 192.168.77.1:31443
  • Mode: Transparent SSL bumping with certificate generation
  • Certificate: /etc/squid/ssl_cert/myCA.pem (custom CA)
  • Memory Cache: 4MB dynamic certificate cache
  • Connection Auth: Disabled for transparent operation

SSL Bumping Process

Multi-step HTTPS interception process:

  1. Step 1 (Peek): Inspect the client's initial TLS handshake (ClientHello) without altering it
  2. Step 2 (Splice/Bump Decision): Decide whether to pass the connection through untouched or to inspect it
  3. Step 3 (Bump): Terminate the client's TLS session with a generated certificate and open a separate TLS session to the server

Bypass Configuration

Selective HTTPS bypass for privacy and functionality:

  • No-Bump Sites: /etc/squid/nobump_sites.txt for bypass list
  • Splice Action: Pass through specified sites without inspection
  • Default Bump: All other HTTPS traffic subject to inspection
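
An added squid.conf fragment, not the project's own configuration, wiring together the bumping port, the certificate generator and the three-step peek/splice/bump decision with the bypass list described in the three sections above. It assumes Squid 4.x/5.x option names, that myCA.pem holds both the CA certificate and its private key, and that nobump_sites.txt holds one server name per line.

```conf
# --- Transparent HTTPS port with SSL bumping (values from this page) ---
# On Squid 3.5 the option is cert= rather than tls-cert=.
https_port 127.0.0.1:31443 intercept ssl-bump tls-cert=/etc/squid/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB connection-auth=off
https_port 192.168.77.1:31443 intercept ssl-bump tls-cert=/etc/squid/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB connection-auth=off

# --- Dynamic certificate generator: 8 workers, 4MB helper cache, database in /var/lib/ssl_db ---
# The database must be created once before Squid starts, as the proxy user:
#   /lib/squid/security_file_certgen -c -s /var/lib/ssl_db -M 4MB
sslcrtd_program /lib/squid/security_file_certgen -s /var/lib/ssl_db -M 4MB
sslcrtd_children 8

# --- Bump decision ---
# Step 1: peek at the ClientHello so the SNI is known without touching the handshake.
# Step 2: splice (pass through untouched) any server name listed in the bypass file.
# Step 3: bump (terminate and re-encrypt) everything else.
acl step1  at_step SslBump1
acl nobump ssl::server_name "/etc/squid/nobump_sites.txt"   # assumed format: one name per line;
                                                            # ".example.com" also matches subdomains
ssl_bump peek   step1
ssl_bump splice nobump
ssl_bump bump   all

# Refuse upstream certificate errors instead of hiding them: a bumped client would
# otherwise be shown a valid-looking certificate from our CA for a broken site.
sslproxy_cert_error deny all
```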

Privoxy Integration

Content Filtering Chain

Squid forwards traffic to Privoxy for advanced filtering:

  • Cache Peer: 127.0.0.1:8118 (Privoxy listening port)
  • No-Delay: Connections to Privoxy are exempt from delay-pool bandwidth limits
  • No-Digest: Squid does not request a cache digest from Privoxy, which is a filter rather than a cache
  • Default Route: All non-cached traffic sent through Privoxy

Filtering Benefits

Enhanced content filtering through Privoxy integration:

  • Ad Blocking: AdBlock Plus filter integration
  • Tracking Prevention: Advanced tracking pixel and script blocking
  • Content Modification: HTML/CSS modification and injection
  • Privacy Enhancement: Header modification and cookie filtering

Routing Strategy

Strategic traffic routing for optimal performance:

  • Never Direct: Direct fetches are disallowed, so all traffic is routed through the upstream parent (Privoxy)
  • FTP Exception: FTP traffic bypasses Privoxy and goes direct for protocol compatibility
  • Caching Layer: Squid caches filtered content from Privoxy
  • Performance Balance: Caching reduces Privoxy load
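
The Privoxy chain and routing rules above as an added configuration example, not taken from the project; the no-query peer option is an assumption and simply stops Squid sending ICP queries to a peer that cannot answer them.

```conf
# --- Forward everything not served from cache to Privoxy (values from this page) ---
cache_peer 127.0.0.1 parent 8118 0 no-query no-digest no-delay default
#   parent 8118  Privoxy's HTTP listener
#   0 no-query   no ICP port: Privoxy speaks plain HTTP, so never query it (assumed option)
#   no-digest    do not fetch a cache digest; Privoxy is a filter, not a cache
#   no-delay     exempt the peer link from delay-pool throttling
#   default      last-resort parent when no other peer matches

# --- Routing: always_direct is evaluated before never_direct ---
acl FTP proto FTP
always_direct allow FTP            # FTP cannot pass through the HTTP filter: fetch it directly
never_direct allow all             # everything else must use the parent; no direct fallback
prefer_direct off                  # where both are possible, try the parent first
```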

Caching Strategy

Cache Configuration

High-performance caching optimized for Pi 3B+ hardware:

  • Cache Size: 2GB total cache storage
  • Directory Structure: 50 first-level, 100 second-level subdirectories
  • Storage Scheme: ufs, Squid's classic on-disk store format, chosen for reliability
  • Cache Location: /var/spool/squid (dedicated cache directory)

Refresh Patterns

Intelligent cache management for different content types:

  • FTP Files: Fresh for at least 1440 minutes and at most 10080 minutes, with 20% of object age as the freshness factor in between
  • Dynamic Content: No caching for CGI and query-string URLs
  • Media Files: No caching for MP3, MP4 and TS files (streaming content)
  • General Content: 20% of object age as the freshness factor, with a 4320-minute maximum age
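
The cache store and refresh patterns above as an added example, not the project's own file; the media-file regex and the pattern order are assumptions.

```conf
# --- Store: 2 GB ufs cache, 50 first-level and 100 second-level directories (page values) ---
cache_dir ufs /var/spool/squid 2048 50 100

# --- refresh_pattern <regex> <min minutes> <percent of object age> <max minutes> ---
# Patterns are tried in order and the first match wins, so the catch-all "." goes last.
refresh_pattern ^ftp:                    1440  20%  10080   # FTP: at least a day, at most a week
refresh_pattern -i (/cgi-bin/|\?)           0   0%      0   # CGI and query-string URLs: never cached
refresh_pattern -i \.(mp3|mp4|ts)$          0   0%      0   # streaming media: never cached
refresh_pattern .                           0  20%   4320   # everything else: up to three days
```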

Cache Performance Benefits

  • Bandwidth Reduction: Frequently accessed content served locally
  • Response Speed: Cached content delivered with minimal latency
  • Upstream Load: Reduced load on Privoxy and external servers
  • Network Efficiency: Less external traffic for repeated requests

Security Features

SSL Certificate Management

Comprehensive SSL certificate handling for HTTPS inspection:

  • Certificate Generation: /lib/squid/security_file_certgen for dynamic certs
  • Certificate Database: /var/lib/ssl_db for certificate storage
  • Worker Processes: 8 certificate generation workers for performance
  • Memory Management: 4MB certificate memory cache

Access Control Security

Multi-layered security through access controls:

  • Network Restrictions: Only internal networks allowed
  • Port Restrictions: Only safe ports accessible
  • SSL Error Handling: SSL certificate errors result in connection denial
  • Protocol Validation: Unsupported protocols handled securely

Privacy Protection

Enhanced privacy through header and connection management:

  • Header Stripping: X-Forwarded-For headers removed
  • Version Suppression: Squid version information hidden
  • Anonymous Browsing: Client IP addresses not forwarded upstream
  • Error Page Customization: Generic error pages prevent information leakage

Performance Optimization

Connection Management

Optimized connection handling for Pi 3B+ hardware:

  • Timeout Configuration: Balanced timeouts for reliability vs performance
  • Read Timeout: 30 seconds for active connections
  • Connect Timeout: 3 minutes for initial connections
  • Request Timeout: 3 minutes for complete request processing

Protocol Optimization

Advanced protocol handling for improved performance:

  • DNS IPv4 First: Prefer IPv4 for faster resolution
  • Prefer Direct Off: Force traffic through proxy chain
  • Shutdown Timeout: 5 seconds for graceful shutdown
  • Connection Reuse: Efficient connection pooling

Resource Management

Efficient resource utilization:

  • Process Limits: Controlled worker process counts
  • Memory Management: Dynamic memory allocation for certificates
  • Disk I/O: Optimized cache directory structure
  • CPU Usage: Balanced processing for SSL operations

Advanced Features

Protocol Tunneling

Intelligent handling of non-HTTP protocols:

  • Foreign Protocols: Tunnel unrecognized protocols transparently
  • Server-First Protocols: Handle protocols where server initiates communication
  • Fallback Behavior: Graceful handling of protocol mismatches
  • Compatibility: Support for various application protocols
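
An added example, not the project's own configuration, mapping the access control, privacy, timeout and tunnelling settings of the preceding sections onto squid.conf directives; Squid 4.x/5.x directive names are assumed.

```conf
# --- Privacy ---
forwarded_for delete               # remove X-Forwarded-For entirely ("off" would still send "unknown")
httpd_suppress_version_string on   # no Squid version in headers or error pages

# --- Timeouts (page values) ---
connect_timeout 3 minutes          # establishing the upstream connection
read_timeout 30 seconds            # idle wait for upstream data on an active connection
request_timeout 3 minutes          # waiting for a complete client request
shutdown_lifetime 5 seconds        # grace period for active clients on stop or restart

# --- Protocol handling ---
dns_v4_first on                    # try A records before AAAA (directive present in Squid 3.1 to 5.x)
on_unsupported_protocol tunnel all # non-HTTP traffic on an intercepted port is passed through as a blind tunnel
```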

Logging and Monitoring

Comprehensive logging for analysis and troubleshooting:

  • Debug Levels: Configurable debugging for different components
  • Log Rotation: Automatic log management to prevent disk space issues
  • Access Logging: Detailed request and response logging
  • Error Tracking: Comprehensive error logging and analysis

Load Balancing

Intelligent load distribution:

  • Multi-Interface Support: Balanced load across LAN and WiFi interfaces
  • Connection Distribution: Even distribution of client connections
  • Resource Allocation: Optimal resource allocation for different network segments
  • Performance Scaling: Adaptive performance based on load

Integration Benefits

Shorewall Firewall Integration

Seamless integration with network firewall:

  • Traffic Redirection: Automatic HTTP/HTTPS traffic redirection
  • Port Management: Coordinated port usage and access control
  • Zone-Based Security: Different rules for LAN vs WiFi networks
  • Transparent Operation: Network-level traffic interception

DNS Service Coordination

Integration with DNS infrastructure:

  • DNS Filtering Compatible: Proxy traffic works alongside DNS filtering
  • Local Resolution: Internal hostnames resolved correctly
  • Upstream DNS: Uses Pimeleon router DNS for external name resolution
  • Service Discovery: Network service discovery works through proxy

Network Service Integration

Coordination with other network services:

  • DHCP Compatibility: Works with automatic client configuration
  • Samba Integration: File sharing accessible through proxy
  • VPN Compatibility: Supports VPN client traffic proxying
  • Service Mesh: Integrated with overall network service architecture

Monitoring and Maintenance

Service Health Monitoring

Comprehensive monitoring for reliable operation:

  • Process Status: systemd integration for service lifecycle
  • Cache Status: Cache utilization and performance monitoring
  • SSL Certificate Status: Certificate generation and validation monitoring
  • Connection Statistics: Active connection and throughput monitoring

Performance Metrics

Key performance indicators for optimization:

  • Cache Hit Ratio: Percentage of requests served from cache
  • Response Times: Average response times for different content types
  • Bandwidth Utilization: Upstream vs cached traffic ratios
  • SSL Bumping Performance: HTTPS interception success rates

Log Analysis

Detailed logging for troubleshooting and security analysis:

  • Access Logs: Detailed request logs with client and destination information
  • Error Logs: Comprehensive error tracking and analysis
  • Cache Logs: Cache performance and efficiency metrics
  • SSL Logs: SSL bumping and certificate generation logs

Security Considerations

HTTPS Inspection Ethics

Responsible HTTPS interception implementation:

  • Selective Bumping: Only inspect traffic when necessary
  • Privacy Bypass: Bypass for sensitive sites (banking, medical)
  • Certificate Trust: Proper CA certificate deployment and trust
  • User Awareness: Network users should be aware of traffic inspection

Certificate Security

Secure certificate management:

  • CA Protection: Custom CA certificate properly secured
  • Certificate Rotation: Regular certificate updates and rotation
  • Trust Store Management: Client certificate store updates
  • Revocation Handling: Certificate revocation and blacklist management

Data Protection

Comprehensive data protection measures:

  • Log Sanitization: Sensitive information removed from logs
  • Cache Encryption: Cached content properly protected
  • Memory Protection: Sensitive data cleared from memory
  • Access Controls: Strict file system permissions on configuration

Troubleshooting

Common Issues and Solutions

Frequent problems and resolution approaches:

SSL Bumping Issues

  1. Certificate Problems: Verify CA certificate installation on clients
  2. Bumping Failures: Check nobump_sites.txt for problematic domains
  3. Performance Issues: Adjust certificate cache size and worker count
  4. Compatibility: Add problematic sites to bypass list

Caching Problems

  1. Cache Full: Monitor cache directory size and clean if necessary
  2. Permission Issues: Verify proxy user has access to cache directory
  3. Performance Degradation: Review refresh patterns and cache settings
  4. Corruption: Clear cache directory and restart service

Integration Issues

  1. Privoxy Communication: Test connection to Privoxy on port 8118
  2. Firewall Redirection: Verify Shorewall redirect rules are active
  3. DNS Resolution: Check DNS configuration and resolution
  4. Network Routing: Verify traffic routing and interface binding

Diagnostic Commands

Useful commands for troubleshooting:

# Check Squid service status
systemctl status squid

# Test proxy connectivity
curl -x 127.0.0.1:3128 http://example.com

# Monitor Squid access logs
tail -f /var/log/squid/access.log

# Check that the running Squid responds, then list cache directory status
squid -k check
squidclient mgr:storedir

# Test SSL bumping: send an SNI so Squid can generate a certificate for that name;
# the certificate shown should be issued by the custom CA (myCA.pem)
openssl s_client -connect 127.0.0.1:31443 -servername example.com
