Last modified on 2012-04-15 14:10:46

Integration with SQUID

As ICAP Server

The recommended way to integrate Content Security with Squid is to use the ICAP protocol. In this case Squid redirects all incoming and outgoing HTTP traffic to the qlproxy daemon, which acts as an ICAP surrogate.

ICAP integration can be done for HTTP requests, HTTP responses, or both. It is recommended to use both methods. The following table shows which filtering modules are active at each stage of an HTTP transaction.

   Module Name             | Request Modification (REQMOD) | Response Modification (RESPMOD)
   Advertisement Blocking  | +                             | -
   URL Categorization      | +                             | -
   Parental Controls       | +                             | +
   Download Controls       | -                             | +

To integrate Content Security with Squid using the ICAP protocol, add the following lines to the /etc/squid/squid.conf configuration file.

   icap_enable on
   icap_preview_enable on
   icap_preview_size 4096
   icap_persistent_connections on
   icap_send_client_ip on
   icap_send_client_username on
   icap_client_username_header X-Client-Username
   icap_service qlproxy1 reqmod_precache bypass=0 icap://127.0.0.1:1344/reqmod
   icap_service qlproxy2 respmod_precache bypass=0 icap://127.0.0.1:1344/respmod
   adaptation_access qlproxy1 allow all
   adaptation_access qlproxy2 allow all

NOTE: The instructions may differ slightly between versions of Squid 3+. For more information see the wiki at http://wiki.squid-cache.org/Features/ICAP.
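A sanity check for the ICAP settings above, as an added example that is not part of the original page or the qlproxy project. It flags a service that is set to bypass (with bypass=0 Squid treats the service as essential and returns an error instead of passing unfiltered traffic when the ICAP server fails), a missing REQMOD or RESPMOD service, and a service with no adaptation_access allow rule. The function name audit_icap and the sample configuration are constructed for illustration, and only adaptation_access rules that name a service directly are recognized.

```python
import re

# Constructed sample: the page's settings with two deliberate mistakes
# (respmod service set to bypass=1, and its adaptation_access rule missing).
SAMPLE_CONF = """\
icap_enable on
icap_service qlproxy1 reqmod_precache bypass=0 icap://127.0.0.1:1344/reqmod
icap_service qlproxy2 respmod_precache bypass=1 icap://127.0.0.1:1344/respmod
adaptation_access qlproxy1 allow all
# adaptation_access qlproxy2 allow all
"""

def audit_icap(conf_text):
    """Return a list of findings for the ICAP part of a squid.conf."""
    enabled, services, allowed = False, {}, set()
    for raw in conf_text.splitlines():
        tok = raw.split("#", 1)[0].split()      # drop comments, tokenize
        if not tok:
            continue
        if tok[0] == "icap_enable":
            enabled = tok[1:2] == ["on"]
        elif tok[0] == "icap_service" and len(tok) >= 4:
            name, point, rest = tok[1], tok[2], tok[3:]
            # bypass is "bypass=0|1|on|off" or, in the older syntax, a bare 0/1
            bypass = any(re.fullmatch(r"(bypass=)?(1|on)", t) for t in rest)
            services[name] = (point, bypass)
        elif tok[0] == "adaptation_access" and tok[2:3] == ["allow"]:
            allowed.add(tok[1])

    findings = []
    if not enabled:
        findings.append("icap_enable is not 'on': no traffic is filtered")
    points = {point for point, _ in services.values()}
    for wanted in ("reqmod_precache", "respmod_precache"):
        if wanted not in points:
            findings.append(f"no {wanted} service defined")
    for name, (point, bypass) in sorted(services.items()):
        if bypass:
            findings.append(f"{name}: bypass enabled, Squid skips filtering "
                            "when the ICAP server fails")
        if name not in allowed:
            findings.append(f"{name}: no adaptation_access allow rule, "
                            "service is never used")
    return findings

if __name__ == "__main__":
    for line in audit_icap(SAMPLE_CONF):
        print("FINDING:", line)
```

To check a live configuration, pass the contents of /etc/squid/squid.conf to audit_icap instead of the sample.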

As URL Rewriter

The default deployment of Content Security on any Linux system supports the ICAP-based integration and has the URL rewriter integration commented out. To re-enable the URL rewrite functionality, perform the following steps manually:

  • open the /opt/quintolabs/qlproxy/etc/qlproxyd.conf file in your favorite text editor and uncomment lines starting with redirector_address and redirector_port
  • comment out the ICAP integration settings on lines starting with icap_address and icap_port
  • set the action settings in the filtering section of the qlproxyd.conf configuration file to redirect instead of block; this step is required to properly handle the "301 Moved Permanently" response from the redirector to squid.

You need to restart the qlproxy daemon for the settings to take effect. After restarting, change the squid.conf file to tell SQUID to use qlproxy as the URL Rewriter module. This file is typically located in the /etc/squid3 or /etc/squid directory (at least in Debian/Ubuntu/Redhat/CentOS operating systems).

Open it using your favorite text editor, find the line # url_rewrite_program and change it to (as one line):

   url_rewrite_program /opt/quintolabs/qlproxy/sbin/qlproxyd_redirector --config_path=/etc/opt/quintolabs/qlproxy/qlproxyd.conf

Warning: if you have SELinux enabled on your server (typical for RedHat, CentOS and Fedora), you need to give qlproxyd_redirector, which runs under squid credentials, access to the qlproxyd TCP port to perform the filtering:

   setsebool -P squid_connect_any=1

Another way of doing the same is to select some unused port as redirector_port (e.g. 1345) and label it as a safe HTTP port, thus allowing connections to this port from the squid process:

   semanage port -a -t http_port_t -p tcp 1345

Note: Squid 2.7 for Windows supports integration as URL rewriter only, and the MSI installation package sets up qlproxy for URL rewriter mode automatically. You still need to integrate the Squid service with qlproxy by adding the following line to the Squid configuration file (as one line):

   url_rewrite_program C:/quintolabs/opt/quintolabs/qlproxy/sbin/qlproxyd_redirector.exe --config_path=C:/quintolabs/etc/opt/quintolabs/qlproxy/qlproxyd.conf

Final Steps

Finally restart the squid daemon by typing the following in the terminal:

  • sudo /etc/init.d/squid3 restart for Debian / Ubuntu (squid3) or
  • sudo /etc/init.d/squid restart for RedHat, CentOS and Fedora (squid2)

After restarting, squid will start to pass all URLs requested by the proxy clients to the qlproxyd daemon, allowing it to perform content analysis and categorization of the requested URLs.