Configure Squid to forward traffic to ETP Proxy

Before you begin

  1. Make sure you install Squid on an operating system that supports SSL on Squid. For example, you can use Windows or Ubuntu 16 and later.
  2. Make sure that you upgrade Squid to version 3.5 or later. When preparing to compile the installation files, use these settings to enable SSL:
    ./configure --with-default-user=proxy --with-openssl --enable-ssl-crtd
  3. Make sure you generate a man-in-the-middle (MITM) CA TLS certificate in ETP and distribute this certificate to computers or TLS clients in your network. See ETP Proxy as a TLS intermediary and Certificate distribution.
  4. On the system where Squid is installed, create a copy of the squid.conf file to make sure that you keep the original configuration file as a reference. For example, on Linux, enter this command to copy the file:
    sudo cp /etc/squid/squid.conf /etc/squid/<NEWNAME>.conf
    sudo chmod a-w /etc/squid/<NEWNAME>.conf

    where <NEWNAME> is the name that you give the copy of the Squid configuration file.

  5. In ETP, make sure the IP address for Squid is added to a location configuration. To add or edit a location, see Create a location or Edit a location.
  6. If you configured proxy authorization in ETP, make sure you copy the username and remember the password that you configured for the proxy credential in ETP. For more information, see Proxy authorization and Create a proxy credential.

If your organization currently uses Squid as a caching and forward HTTP web proxy, you can configure it to forward traffic to ETP. This feature is supported on Squid version 3.5 or later.

How to

  1. Open the renamed configuration file.
  2. Confirm that the forwarded_for option is set to on. This option is enabled by default.
  3. At the end of the renamed configuration file, add this information:
    cache_peer nevada.proxy.akaetp.net parent 443 0 ssl sslcafile=/etc/ssl/certs
    dns_nameservers <ETPDNS_IP_Primary> <ETPDNS_IP_Secondary>
    where:
    • <ETPDNS_IP_Primary> is the IP address of the primary ETP DNS server.
    • <ETPDNS_IP_Secondary> is the IP address of the secondary ETP DNS server.
  4. If you enabled proxy authorization in an ETP policy and configured proxy credentials in ETP, you must also configure these credentials in Squid. In the cache_peer configuration, add this authentication option:
    login=<username>:<password>
    where:
    • <username> is the username that you configured in ETP. You can copy this username from ETP. Make sure the username includes the ID number that’s associated with your organization.
    • <password> is the password that you configured in ETP for the proxy credential.

    For more information, see Enable proxy authorization and Create a proxy credential.

  5. (Optional) Configure user authentication. As part of this process, you must add proxy_auth ACL entries to the configuration file. For more information, see the Squid documentation.
  6. Review the configuration file and confirm that it looks like this:
    http_access allow localhost
    visible_hostname localhost
    forwarded_for on
    cache_peer nevada.proxy.akaetp.net parent 443 0 ssl sslcafile=/etc/ssl/certs login=<username>:<password>
    dns_nameservers <ETPDNS_IP_Primary> <ETPDNS_IP_Secondary>
    
    acl all src all
    acl SSL_ports port 443
    acl CONNECT method CONNECT
    http_access allow all
    never_direct allow all
    prefer_direct off
    http_port 3128
    
    where:
    • <username> is the username that you configured in ETP as a proxy credential. Make sure the username includes the ID that’s associated with your organization. For more information on the credential in ETP, see Create a proxy credential.
    • <password> is the password that you configured in ETP as a proxy credential.
    • <ETPDNS_IP_Primary> is the IP address of the primary ETP DNS server.
    • <ETPDNS_IP_Secondary> is the IP address of the secondary ETP DNS server.
  7. To validate the configuration file, enter this command:
    squid -k parse
  8. Restart Squid. The command and process that you use for this operation may vary depending on the Squid version. For example, on version 3.5, enter this command:
    sudo systemctl restart squid

    For more information, see the Squid product documentation.

  9. To check Squid’s status, enter this command:
    service squid status
  10. Go to the Squid logs and confirm that there are no errors. The path to the log files varies depending on the Squid version. For example, on version 3.5, the access log is /var/log/squid/access.log, while in later versions the log directory is /usr/local/squid/var/logs.
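The following shell script is an added example and is not part of the ETP documentation or the Squid project. It lints a configuration file written by following steps 3 to 6 before you hand it to squid -k parse: it checks that every directive the ETP forwarding setup relies on is present (in particular never_direct allow all, without which Squid can fetch objects directly and bypass ETP), that no angle-bracket placeholders from the template are left unfilled, and that no directive was written with an "=" sign, which Squid does not accept. The ETP proxy hostname is the one from this page; the two sample files, the credential and the 192.0.2.x addresses are constructed for the example and are not real values.

```shell
# Added example (not from the ETP documentation): lint a Squid config
# written by following the steps above, before running `squid -k parse`.

_need() {
    # _need PATTERN DESCRIPTION: count a directive that is missing from $_conf
    if ! grep -Eq "$1" "$_conf"; then
        echo "MISSING: $2" >&2
        ETP_CONF_ERRORS=$((ETP_CONF_ERRORS + 1))
    fi
}

# check_etp_conf FILE [yes]: returns 0 when FILE contains every directive the
# ETP forwarding setup relies on and no unfilled <PLACEHOLDER> values.
# Pass "yes" as the second argument when proxy authorization is enabled in
# ETP, so that a login= option on the cache_peer line is required as well.
check_etp_conf() {
    _conf=$1
    ETP_CONF_ERRORS=0
    _need '^cache_peer[[:space:]]+nevada\.proxy\.akaetp\.net[[:space:]]+parent[[:space:]]+443[[:space:]]+0[[:space:]]+ssl([[:space:]]|$)' \
        'cache_peer nevada.proxy.akaetp.net parent 443 0 ssl'
    _need '^never_direct[[:space:]]+allow[[:space:]]+all' \
        'never_direct allow all (without it Squid may fetch directly and bypass ETP)'
    _need '^prefer_direct[[:space:]]+off' 'prefer_direct off'
    _need '^dns_nameservers[[:space:]]+[^[:space:]]' 'dns_nameservers <ETP DNS servers>'
    _need '^forwarded_for[[:space:]]+on' 'forwarded_for on'
    _need '^http_port[[:space:]]+3128' 'http_port 3128'
    if [ "${2:-no}" = yes ]; then
        _need '^cache_peer[[:space:]].*[[:space:]]login=[^[:space:]]+:[^[:space:]]+' \
            'login=<username>:<password> on the cache_peer line'
    fi
    # Angle-bracket placeholders copied from the documentation template
    if grep -Eq '<[A-Za-z_]+>' "$_conf"; then
        echo "UNFILLED PLACEHOLDERS:" >&2
        grep -En '<[A-Za-z_]+>' "$_conf" >&2
        ETP_CONF_ERRORS=$((ETP_CONF_ERRORS + 1))
    fi
    # Squid directives are "name value"; an '=' after the name is a syntax error
    if grep -Eq '^[a-z_]+[[:space:]]*=' "$_conf"; then
        echo "SYNTAX: directive written with '=':" >&2
        grep -En '^[a-z_]+[[:space:]]*=' "$_conf" >&2
        ETP_CONF_ERRORS=$((ETP_CONF_ERRORS + 1))
    fi
    [ "$ETP_CONF_ERRORS" -eq 0 ]
}

TEMPLATE_CONF=$(mktemp)
FILLED_CONF=$(mktemp)
trap 'rm -f "$TEMPLATE_CONF" "$FILLED_CONF"' EXIT

# Constructed sample: the step-6 template as copied, placeholders still in
# place, plus one common slip (an '=' after visible_hostname).
cat > "$TEMPLATE_CONF" <<'EOF'
http_access allow localhost
visible_hostname = localhost
forwarded_for on
cache_peer nevada.proxy.akaetp.net parent 443 0 ssl sslcafile=/etc/ssl/certs login=<username>:<password>
dns_nameservers <ETPDNS_IP_Primary> <ETPDNS_IP_Secondary>
acl all src all
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access allow all
never_direct allow all
prefer_direct off
http_port 3128
EOF

# Constructed sample: the same file filled in with made-up values
# (RFC 5737 documentation addresses, a fictitious credential).
sed -e 's/^visible_hostname = /visible_hostname /' \
    -e 's/<username>:<password>/etpuser-000000:EXAMPLE-PASSWORD/' \
    -e 's/<ETPDNS_IP_Primary> <ETPDNS_IP_Secondary>/192.0.2.53 192.0.2.54/' \
    "$TEMPLATE_CONF" > "$FILLED_CONF"

check_etp_conf "$TEMPLATE_CONF" yes || echo "template: $ETP_CONF_ERRORS problem(s), as expected"
check_etp_conf "$FILLED_CONF" yes && echo "filled config: OK, ready for 'squid -k parse'"
```

Run it against your renamed configuration file (check_etp_conf /etc/squid/<NEWNAME>.conf yes) before step 7; it only reads the file and exits non-zero with a list of problems on stderr, so it can also sit in a change-control pipeline.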

Next steps

  1. On an end user’s machine or browser, manually configure Squid as a proxy server. You must specify the Squid IP address and 3128 as the port.

    See the documentation for the browser or the operating system that you need to configure.

  2. Test that requests in the network are handled by ETP Proxy. For example, request a domain or URL that is blocked by the acceptable use policy (AUP). After verifying that the request is handled according to the policy configuration, return to the logs and confirm that you see log entries for TCP_TUNNEL.
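The following script is an added example and is not part of the ETP documentation or of Squid. It summarises a Squid access.log in the native format after the test request above. Squid records the hierarchy code and the peer it used in the ninth field, so an entry whose peer is the ETP proxy (FIRSTUP_PARENT/nevada.proxy.akaetp.net) went through ETP, an entry with HIER_DIRECT means Squid fetched the object itself and bypassed ETP (which never_direct allow all should prevent), and HIER_NONE means nothing was fetched (for example a request Squid denied). The log lines are constructed for the example; the peer hostname is the one from this page.

```shell
# Added example (not from the ETP documentation): audit a Squid access.log
# to confirm that traffic was tunnelled through the ETP proxy.

# audit_etp_access_log FILE [PEER]: prints a one-line summary and returns 1
# if any request went direct or to a peer other than PEER.
audit_etp_access_log() {
    awk -v peer="${2:-nevada.proxy.akaetp.net}" '
        # native format: time elapsed client code/status bytes method URL
        #                user hierarchy/peer type
        $4 ~ /^TCP_TUNNEL\//  { tunnels++ }
        $9 ~ /^HIER_DIRECT\// { direct++; print "BYPASSED ETP: " $0 > "/dev/stderr"; next }
        $9 ~ /^HIER_NONE\//   { next }   # denied or otherwise not fetched
        {
            split($9, h, "/")
            if (h[2] != peer) { other++; print "UNEXPECTED PEER: " $0 > "/dev/stderr" }
        }
        END {
            printf "tunnel=%d direct=%d other_peer=%d total=%d\n", tunnels, direct, other, NR
            if (direct + other > 0) exit 1
        }' "$1"
}

SAMPLE_LOG=$(mktemp)
CLEAN_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG" "$CLEAN_LOG"' EXIT

# Constructed sample: two CONNECT tunnels via ETP, one direct fetch that
# bypassed ETP, and one request Squid denied itself.
cat > "$SAMPLE_LOG" <<'EOF'
1700000000.101    245 10.0.0.5 TCP_TUNNEL/200 3456 CONNECT www.example.com:443 - FIRSTUP_PARENT/nevada.proxy.akaetp.net -
1700000000.202    310 10.0.0.6 TCP_TUNNEL/200 1088 CONNECT blocked.example:443 - FIRSTUP_PARENT/nevada.proxy.akaetp.net -
1700000000.303     88 10.0.0.7 TCP_MISS/200 1824 GET http://www.example.com/ - HIER_DIRECT/192.0.2.10 text/html
1700000000.404      0 10.0.0.8 TCP_DENIED/403 3800 GET http://www.example.com/ - HIER_NONE/- text/html
EOF

# The same log without the bypass entry, as it should look with never_direct in force
grep -v HIER_DIRECT "$SAMPLE_LOG" > "$CLEAN_LOG"

audit_etp_access_log "$SAMPLE_LOG" || echo "some traffic did not go through ETP; check never_direct and prefer_direct"
audit_etp_access_log "$CLEAN_LOG" && echo "all fetched traffic went through the ETP proxy"
```

Point it at the access.log path for your Squid version (audit_etp_access_log /var/log/squid/access.log); a non-zero exit with BYPASSED ETP lines on stderr is the signal to re-check the never_direct and prefer_direct lines in the configuration.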