Frontend to managaging ACLs for the Squid proxy.
Copyright 2016 Google Inc. All Rights Reserved. Apache 2.0 license.
This is NOT a Google product.
Contact: thomas@habets.se / habets@google.com https://github.com/ThomasHabets/squidwarden/
TODO: This procedure is untested.
$ sudo apt install squid3 sqlite3
$ go get github.com/google/squidwarden/...
$ go generate github.com/google/squidwarden/...
$ sudo mv /etc/squid3/squid.conf{,.dist}
$ sudo dd of=/etc/squid3/squid.conf <<EOF
# TODO: Not all of these settings may be needed.
http_port 3128
via off
forwarded_for delete
# error_directory /etc/squid3/myerrors
acl success_hier hier_code HIER_DIRECT
acl failure_hier hier_code HIER_NONE
access_log daemon:/var/log/squid3/access.log squid failure_hier
external_acl_type ext ttl=10 concurrency=2 %PROTO %SRC %METHOD %URI /usr/local/bin/proxyacl -db=/var/spool/squid3/proxyacl.sqlite -log=/var/log/squid3/proxyacl.log -block_log=/var/log/squid3/proxyacl.blocklog
acl ext_acl external ext
http_access allow ext_acl
visible_hostname my.proxy.hostname.here.example.com
# Default suffix.
http_access deny all
EOF
$ sudo mv bin/helper /usr/local/bin/proxyacl
$ sudo -u proxy sqlite3 /var/spool/squid3/proxyacl.sqlite < src/github.com/google/squidwarden/sqlite.schema
$ sudo systemctl restart squid3
$ sudo mv bin/ui /usr/local/bin/squidwarden
$ sudo -u proxy /usr/local/bin/squidwarden \
-addr=:8081 \
-squidlog=/var/log/squid3/proxyacl.blocklog \
-https_only=false \
-db=/var/spool/squid3/proxyacl.sqlite
Then point browser to the UI and get started.
It can be a good idea to run through a real web server such as nginx, so that you don't have to remember which port it runs on. It also makes it easier to set up TLS.
$ sudo apt-get install nginx
$ sudo dd of=/etc/nginx/conf.d/squidwarden.conf <<EOF
map \$http_upgrade \$connection_upgrade {
default upgrade;
'' close;
}
server {
listen 80;
listen [::]:80;
server_name squidwarden.example.com;
location / {
# Add any auth stuff here.
proxy_pass http://127.0.0.1:8081;
proxy_http_version 1.1;
proxy_set_header Upgrade \$http_upgrade;
proxy_set_header Connection "\$connection_upgrade";
}
}
EOF
$ sudo systemctl restart nginx.service
$ sudo -u proxy /usr/local/bin/squidwarden \
-templates=src/github.com/google/squidwarden/cmd/ui/templates \
-static=src/github.com/google/squidwarden/cmd/ui/static \
-addr=127.0.0.1:8081 \
-https_only=false \
-squidlog=/var/log/squid3/proxyacl.blocklog \
-db=/var/spool/squid3/proxyacl.sqlite
$ echo -n 'admin:' | sudo tee of=/etc/nginx/htpasswd
$ openssl passwd -apr1 | sudo tee -a /etc/nginx/htpasswd
Password:
Verifying - Password:
Then add this to /etc/nginx/conf.d/squidwarden.conf inside the
location / section.
auth_basic "Restricted Content";
auth_basic_user_file /etc/nginx/htpasswd;
FastCGI is nice, but doesn't support websockets. When -fcgi is
supplied, squidwarden will therefore not use websockets.
$ sudo apt-get install nginx
$ sudo dd of=/etc/nginx/conf.d/squidwarden.conf <<EOF
server {
listen 80;
listen [::]:80;
server_name squidwarden.example.com;
location / {
include fastcgi_params;
fastcgi_pass unix:/var/spool/squid3/squidwarden.sock;
}
}
EOF
$ sudo systemctl restart nginx.service
$ sudo -u proxy /usr/local/bin/squidwarden \
-addr=127.0.0.1:8081 \
-fcgi=/var/spool/squid3/squidwarden.sock \
-https_only=false \
-squidlog=/var/log/squid3/proxyacl.blocklog \
-db=/var/spool/squid3/proxyacl.sqlite