Paranoid Penguin - Building a Secure Squid Web Proxy, Part II

Get a Squid caching proxy up and running, securely.

With any luck, at this point, chances are that everything works! Your Squid proxy software is installed, configured to accept only client connections from itself and from hosts on your local network, and it's hard at work proxying your users' connections and caching commonly accessed content. Not a bad day's work!

Not difficult, was it? Like most server applications, Squid's default configuration file is designed to maximize your chances for success, while minimizing the odds of your shiny-new Squid server being hacked. But, also like other server applications, there's certainly more that you can and should do to secure your Squid proxy than the default settings will do for you.

That will be our starting point next month. Among other things, we'll delve much deeper into Squid's Access Control List features to further harden Squid. Until then, be safe!

Mick Bauer is Network Security Architect for one of the US's largest banks. He is the author of the O'Reilly book Linux Server Security, 2nd edition (formerly called Building Secure Servers With Linux), an occasional presenter at information security conferences and composer of the “Network Engineering Polka”.




all is not a wildcard


I first read this article back in late November 09. I took as gospel the statement that "all is a wild-card ACL object", particularly for it to mean that it was predefined inside the squid exe, so when I came across a line in squid.conf that appeared to redefine the all keyword I deleted it. Then nothing would work.

It was only after going to several other places on the 'net that it was pointed out to me that all needed to be defined at least once in the squid.conf for any other usage to be valid; i.e. your first acl should be:

acl all src

A better phrasing of your statement would be:

"all is an ACL object that is defined in squid.conf and can be used as a wildcard meaning all sources, all ports, etc"
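The ordering problem the comment describes (an http_access rule naming an ACL that squid.conf has not yet defined) is easy to catch before restarting Squid. The following Python check is an added example, not code from the article or from the Squid project; the two squid.conf fragments it lints are constructed for illustration, and the `predefined` parameter is an assumption that lets you list any ACL names your Squid build supplies on its own.

```python
"""Lint a squid.conf fragment for ACL names used before they are defined."""

# Constructed squid.conf fragment with the 'acl all' (and 'acl localhost')
# lines removed, the way the commenter removed them.
BROKEN_CONF = """\
acl localnet src 10.0.0.0/8
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access deny all
"""

# Same fragment with 'all' and 'localhost' defined first, as the comment advises.
FIXED_CONF = "acl all src all\nacl localhost src 127.0.0.1/32\n" + BROKEN_CONF

# Directives whose trailing arguments are ACL names (optionally negated with '!').
ACL_DIRECTIVES = {"http_access", "http_reply_access", "icp_access"}


def undefined_acl_uses(conf: str, predefined=frozenset()) -> list:
    """Return (line_no, acl_name) pairs for every ACL referenced before any
    'acl <name> ...' line defines it. 'predefined' (assumed empty) names the
    ACLs the Squid build itself supplies, so they are never reported."""
    defined = set(predefined)
    problems = []
    for no, raw in enumerate(conf.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # strip comments and blank lines
        if not line:
            continue
        words = line.split()
        if words[0] == "acl" and len(words) >= 2:
            defined.add(words[1])  # 'acl NAME type value...'
        elif words[0] in ACL_DIRECTIVES:
            # words[1] is allow/deny; every later token is an ACL name.
            for token in words[2:]:
                name = token.lstrip("!")
                if name not in defined:
                    problems.append((no, name))
    return problems


if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(label, undefined_acl_uses(conf))
```

This only catches definition ordering; Squid's own `squid -k parse` remains the authoritative syntax check to run before a restart.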