Squid proxy: How to add value to an already great service

Proxies are proxies, and about 90% of their use is plain web caching. Still, I was wondering whether I could bend the service to even better scenarios: application and package updates through Squid.
You may already be thinking: we have a local repository for that, or WSUS for Windows machines, and perhaps a couple of centralized consoles for enterprise AV solutions. If you run the latter, you know the headaches that come with it. :) So why not put something at a lower level "to rule them all", if you get what I mean.

Sysadmins constantly try to minimize, simplify and ultimately optimize their set-up. Sometimes it comes out of necessity, as a requirement from the authorities. My case was the application zone servers: they had no access to the Internet, yet per the security requirements they had to receive regular updates... and, to add to the mess, they had to run an anti-virus solution as well...

Scenario: servers running CentOS 7 with ClamAV as the AV solution, in an environment where the servers are managed by Puppet open source.
Target packages: yum-cron, clamav
Here is the minimal recipe I used to meet this:
a. On the Puppet server, install the yum_cron module from Puppet Forge and deploy it to the groups of nodes or to default.
b. On the Puppet server, install the clamav module from Puppet Forge and deploy it to the groups of nodes or to default.
c. On the Puppet server, within the above classes, declare the proxy server in the conf file of each app.
Note: without a Puppet service, the above steps obviously have to be done manually on each individual server. The beauty of both of these tools is that each has a directive in its conf file that allows communication with the upstream servers through a proxy; that value is what the Puppet server pushes out.
These are the lines in the clamav (freshclam) and yum configs that send the update flow through the proxy:

/etc/freshclam.conf:HTTPProxyServer 192.168.10.57
/etc/freshclam.conf:HTTPProxyPort 3128
/etc/yum.conf:proxy=http://192.168.10.57:3128

d. Ready to roll? Here is the excerpt of the Squid configuration that needs your attention. I initially had a lot of headache with IPv6 translation and with requests that stayed at MISS status. Anyway, the conf file tells it all if you are already familiar with Squid:

#
# Recommended minimum configuration:
#

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.1.0/24 172.17.1.0/24 # RFC1918 possible internal network
acl localnet src 192.168.10.0/24 192.168.80.0/24 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443 # https; the CONNECT rule below references this ACL and Squid refuses to start if it is undefined
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
icp_port 0
htcp_port 0
icp_access deny all
shutdown_lifetime 1 second
dns_nameservers 192.168.10.1
cache_mem 2048 MB
memory_pools on
cache_store_log none
half_closed_clients off
maximum_object_size 30000 KB
dns_v4_first on # prefer A records: parts of our network lack working IPv6, so AAAA-first TCP connections failed and we lost the HITs
# AV updates (vendors we do not use, kept commented for reference)
#refresh_pattern -i \.kaspersky-labs\.(com|ru)/.*\.(cab|zip|exe|ms[ip]) 4320 100% 43200 reload-into-ims
#refresh_pattern -i \.kaspersky\.(com|ru)/.*\.(cab|zip|exe|ms[ip]|avc) 4320 100% 43200 reload-into-ims
#refresh_pattern -i \.update\.geo\.drweb\.com 4320 100% 43200 reload-into-ims
#refresh_pattern -i \.avast\.com/.*\.(vpu|vpaa) 4320 100% 43200 reload-into-ims
#refresh_pattern -i \.avg\.com/.*\.bin 4320 100% 43200 reload-into-ims
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128
# Uncomment and adjust the following to run in transparent (intercept) mode instead
#http_port 192.168.10.57:3128 transparent
# Disk cache directory: 7000 MB under /var/spool/squid
cache_dir ufs /var/spool/squid 7000 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

#
# Add any of your own refresh_pattern entries above these.
#
# Squid applies the FIRST refresh_pattern whose regex matches the URL, so the
# update-specific entries must sit above the catch-all "." entry or they never
# take effect. Squid matches with POSIX extended regex, where \w and \d inside
# brackets are not supported, hence the explicit character classes.
refresh_pattern -i db\.[a-z0-9.-]+\.clamav\.net/[a-z0-9-]+\.cvd 4320 100% 43200 reload-into-ims
refresh_pattern -i db\.[a-z0-9.-]+\.clamav\.net/daily-[0-9]+\.cdiff 4320 100% 43200 reload-into-ims
# Package files may be served from cache for 90 days: yum still verifies the
# GPG signature of every package, and repodata is deliberately not matched so
# repository metadata stays fresh. (ignore-no-cache dropped: obsolete since Squid 3.2.)
refresh_pattern -i \.(deb|rpm|exe|zip|tar|tgz|bz2|ram|rar|bin)$ 129600 100% 129600 override-expire ignore-no-store
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
#logformat custom %{%Y-%m-%d %H:%M:%S}tl %6tr %>a %Ss/%03>Hs %
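The refresh_pattern ordering is the part of this config that is easiest to get wrong, because Squid takes the first entry that matches and the catch-all "." entry matches everything. The following added example (my own illustration, not code from the original post or from the Squid project) simulates that first-match selection over two constructed configs: one with the update rules after the catch-all, one with them in front. Python's re module stands in for Squid's POSIX extended regex, so the patterns avoid \w and \d inside brackets; the mirror hostnames and package names are constructed and nothing is fetched.

```python
"""Simulate Squid's first-match refresh_pattern selection (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class RefreshPattern:
    regex: str
    min_minutes: int
    percent: int
    max_minutes: int
    case_insensitive: bool
    options: Tuple[str, ...]


def parse_refresh_patterns(config_text: str) -> List[RefreshPattern]:
    """Parse 'refresh_pattern [-i] regex min percent max [options...]' lines;
    comments, blank lines and other directives are ignored."""
    patterns = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line.startswith("refresh_pattern"):
            continue
        parts = line.split()
        i = 1
        case_insensitive = False
        if parts[i] == "-i":
            case_insensitive = True
            i += 1
        patterns.append(RefreshPattern(
            regex=parts[i],
            min_minutes=int(parts[i + 1]),
            percent=int(parts[i + 2].rstrip("%")),
            max_minutes=int(parts[i + 3]),
            case_insensitive=case_insensitive,
            options=tuple(parts[i + 4:]),
        ))
    return patterns


def select_pattern(url: str, patterns: List[RefreshPattern]) -> Optional[RefreshPattern]:
    """Return the FIRST pattern whose regex matches the URL (unanchored), as Squid does."""
    for p in patterns:
        flags = re.IGNORECASE if p.case_insensitive else 0
        if re.search(p.regex, url, flags):
            return p
    return None


def effective_max_age(url: str, config_text: str) -> Optional[int]:
    """Maximum cache age in minutes that config_text would allow for url."""
    p = select_pattern(url, parse_refresh_patterns(config_text))
    return p.max_minutes if p else None


# Constructed configs: AS_POSTED puts the update rules after the catch-all
# "." rule (the order in the original post); FIXED puts them in front.
GENERIC = r"""
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
"""
UPDATES = r"""
refresh_pattern -i db\.[a-z0-9.-]+\.clamav\.net/[a-z0-9-]+\.cvd 4320 100% 43200 reload-into-ims
refresh_pattern -i db\.[a-z0-9.-]+\.clamav\.net/daily-[0-9]+\.cdiff 4320 100% 43200 reload-into-ims
refresh_pattern -i \.(deb|rpm|exe|zip|tar|tgz|bz2|ram|rar|bin)$ 129600 100% 129600 override-expire ignore-no-store
"""
AS_POSTED = GENERIC + UPDATES
FIXED = UPDATES + GENERIC

# Constructed sample URLs (hypothetical mirror, nothing is contacted).
CVD = "http://db.us.clamav.net/daily.cvd"
RPM = "http://mirror.example.org/centos/7/os/x86_64/Packages/bash-4.2.46-31.el7.x86_64.rpm"
REPOMD = "http://mirror.example.org/centos/7/os/x86_64/repodata/repomd.xml"

if __name__ == "__main__":
    for name, cfg in (("as posted", AS_POSTED), ("fixed", FIXED)):
        print(name)
        for url in (CVD, RPM, REPOMD):
            print(f"  {effective_max_age(url, cfg):>7} min  {url}")
```

With the rules in the posted order the .cvd and .rpm downloads fall through to the generic "." entry (4320 minutes); with the update rules first they get 43200 and 129600 minutes respectively, while repomd.xml keeps the short generic lifetime in both cases, which is what keeps yum's metadata fresh.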

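The "MISS status" headache mentioned above is best diagnosed from Squid's access.log rather than by guessing. The following added example (my own, not from the original post) parses lines in Squid's default "squid" logformat, computes the cache hit ratio per file type, lists objects that were fetched repeatedly yet never served from cache, and flags misses that went to an IPv6 upstream, which is the symptom that dns_v4_first on addresses. The log lines are constructed (documentation addresses, hypothetical mirror), not captured from a real proxy.

```python
"""Check from Squid's access.log whether update downloads are cached (added example)."""
from collections import defaultdict
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed sample in the default "squid" logformat:
# timestamp elapsed client status/code bytes method url user hierarchy/peer type
SAMPLE_LOG = """\
1517852400.123    812 192.168.10.21 TCP_MISS/200 84123456 GET http://db.us.clamav.net/main.cvd - HIER_DIRECT/203.0.113.10 application/octet-stream
1517852460.501     14 192.168.10.22 TCP_HIT/200 84123456 GET http://db.us.clamav.net/main.cvd - HIER_NONE/- application/octet-stream
1517852470.020    233 192.168.10.23 TCP_MISS/200 1048576 GET http://mirror.example.org/centos/7/os/x86_64/Packages/bash-4.2.46-31.el7.x86_64.rpm - HIER_DIRECT/2001:db8::10 application/x-rpm
1517852530.337    240 192.168.10.24 TCP_MISS/200 1048576 GET http://mirror.example.org/centos/7/os/x86_64/Packages/bash-4.2.46-31.el7.x86_64.rpm - HIER_DIRECT/2001:db8::10 application/x-rpm
1517852600.900     90 192.168.10.21 TCP_REFRESH_UNMODIFIED/304 312 GET http://mirror.example.org/centos/7/os/x86_64/repodata/repomd.xml - HIER_DIRECT/198.51.100.7 application/xml
1517852601.100     11 192.168.10.21 TCP_MEM_HIT/200 2048 GET http://mirror.example.org/centos/7/os/x86_64/Packages/zlib-1.2.7-18.el7.x86_64.rpm - HIER_NONE/- application/x-rpm
"""


def parse_access_log(text: str) -> List[Dict]:
    """Split each log line into the fields this check needs; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 10:
            continue
        status, _, code = parts[3].partition("/")
        records.append({
            "client": parts[2],
            "status": status,          # TCP_HIT, TCP_MISS, TCP_MEM_HIT, ...
            "code": int(code),
            "bytes": int(parts[4]),
            "method": parts[5],
            "url": parts[6],
            "peer": parts[8].partition("/")[2],  # upstream address, or "-" for cache hits
        })
    return records


def is_hit(status: str) -> bool:
    """Squid tags every cache hit with HIT (TCP_HIT, TCP_MEM_HIT, TCP_IMS_HIT, ...);
    TCP_MISS and TCP_REFRESH_* went upstream."""
    return "HIT" in status


def suffix_of(url: str) -> str:
    """File extension of the URL path, lower-cased, or '' when there is none."""
    name = urlsplit(url).path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def hit_ratio_by_suffix(records: List[Dict]) -> Dict[str, float]:
    hits, total = defaultdict(int), defaultdict(int)
    for r in records:
        s = suffix_of(r["url"])
        total[s] += 1
        if is_hit(r["status"]):
            hits[s] += 1
    return {s: hits[s] / total[s] for s in total}


def never_cached(records: List[Dict]) -> List[str]:
    """URLs fetched at least twice and never served from cache: the refresh_pattern
    (or maximum_object_size / cache_dir size) is not doing its job for these."""
    seen = defaultdict(list)
    for r in records:
        seen[r["url"]].append(is_hit(r["status"]))
    return sorted(u for u, flags in seen.items() if len(flags) >= 2 and not any(flags))


def upstream_v6_misses(records: List[Dict]) -> List[str]:
    """Misses that went to an IPv6 upstream address."""
    return [r["url"] for r in records if not is_hit(r["status"]) and ":" in r["peer"]]


if __name__ == "__main__":
    recs = parse_access_log(SAMPLE_LOG)
    for suffix, ratio in sorted(hit_ratio_by_suffix(recs).items()):
        print(f"{suffix or '(none)':>6}: {ratio:.0%} hit")
    print("never cached:", never_cached(recs))
    print("IPv6 upstream misses:", len(upstream_v6_misses(recs)))
```

On a real proxy, feed it /var/log/squid/access.log instead of SAMPLE_LOG; a package URL that shows up in never_cached is the signal to re-check the refresh_pattern order and the object size limits before blaming the network.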