Step 7. Integrate and Configure Squid

Now we need to integrate Squid with Web Safety. To do that, run bash 07_integrate.sh. The script looks like the following.

#!/bin/bash

# integration should be done as root
if [[ $EUID -ne 0 ]]; then
   echo "This script must be run as root" 1>&2
   exit 1
fi

# adjust the squid.conf
if [ ! -f /etc/squid/squid.conf.original ]; then
    mv /etc/squid/squid.conf /etc/squid/squid.conf.original
fi

# copy new config
cp squid.conf /etc/squid/squid.conf

# allow web ui read-only access to squid configuration file
chmod o+r /etc/squid/squid.conf

# create storage for generated ssl certificates
SSL_DB=/var/spool/squid_ssldb
if [ -d $SSL_DB ]; then
    rm -Rf $SSL_DB
fi

/usr/lib64/squid/ssl_crtd -c -s $SSL_DB

# and change its ownership
chown -R squid:squid $SSL_DB

# parse the resulting config just to be sure
/usr/sbin/squid -k parse

# restart squid to load all config
systemctl restart squid.service

The default Squid configuration file is pretty simple and contains the following settings.

#
# squid.conf - fully managed by Web Safety Admin UI (Web UI)
#

#
# the conf files in /opt/websafety/etc/squid/* folder are generated based on templates
# stored in /opt/websafety/var/console/squid/templates/squid/conf/* folder. For now,
# not all settings of Squid can be managed from Web UI; sometimes it is necessary
# to edit the templates manually and then click Save and Restart from Web UI
# to actually regenerate configuration files from these templates.
#
# We are adding more and more Squid management into Web UI but the work is not yet
# over. Hopefully in several releases you will seldom need to manually change the
# templates.
#
#
include "/opt/websafety/etc/squid/squid.conf"

We also need to integrate Apache and the Admin UI of Web Safety. Please note that we run the Admin UI on the non-standard port 8000 because the default ports 80 and 443 are used by transparent redirection. To switch the Admin UI to port 8000, follow these steps:

  1. Ensure the file /etc/httpd/conf.d/welcome.conf does not exist. It is the default page of an unconfigured Apache and may interfere with the Admin UI.
  2. Change Listen 80 in file /etc/httpd/conf/httpd.conf on line 42 to Listen 8000. Save the file.
  3. Change <VirtualHost *:80> in file /etc/httpd/conf.d/websafety.conf to <VirtualHost *:8000>. Save the file.
  4. Restart the Apache web server by running systemctl restart httpd.

To make Squid listen on the transparently redirected ports 3126 and 3127 as described in the previous step, log in to the Admin UI of Web Safety at http://10.0.0.1:8000, click Squid / Settings / Network and select the Default Gateway Proxy transparent mode as shown in the screenshot below. Do not forget to click Save and Restart afterwards.

[Screenshot: transparent_mode3.png]

Note

After clicking Save and Restart, the Admin UI will generate the required http_port and https_port directives in the /opt/websafety/etc/squid folder. These will look something like:

# port configuration
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/opt/websafety/etc/myca.pem
http_port 3126 intercept
https_port 3127 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/opt/websafety/etc/myca.pem

IMPORTANT: ports 3126 and 3128 are configured with the http_port directive, while port 3127 is configured with the https_port directive.
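
One way to confirm the directive-to-port pairing described above after Save and Restart. This is an added example, not part of Web Safety; the names check_ports, sample_good and sample_bad are hypothetical, and the sample configurations are constructed from the listing above.

```shell
#!/bin/sh
# Added example, not part of Web Safety: check that each listening port in a
# Squid config uses the directive and intercept flag shown in the listing above.

# check_ports [FILE...]  reads the named files (or stdin), prints one line per
# mismatch and returns 0 only when 3126, 3127 and 3128 all match.
check_ports() {
    awk '
    $1 == "http_port" || $1 == "https_port" {
        port = $2; sub(/^.*:/, "", port)      # accept ip:port or a bare port
        dir[port]  = $1
        icpt[port] = ($0 ~ /[ \t]intercept([ \t]|$)/) ? 1 : 0
    }
    END {
        # expected layout: port, directive, intercept flag (1 = required)
        n = split("3126 http_port 1 3127 https_port 1 3128 http_port 0", e, " ")
        for (i = 1; i <= n; i += 3) {
            p = e[i]; want = e[i + 2] + 0
            if (!(p in dir)) { print "port " p ": no listening directive"; bad = 1; continue }
            if (dir[p] != e[i + 1]) {
                print "port " p ": uses " dir[p] ", expected " e[i + 1]; bad = 1
            }
            if (icpt[p] != want) {
                print "port " p ": intercept flag " (want ? "missing" : "unexpected"); bad = 1
            }
        }
        exit bad + 0
    }' "$@"
}

# Constructed sample that mirrors the generated directives shown above.
sample_good() {
    printf '%s\n' \
        '# port configuration' \
        'http_port 3128 ssl-bump generate-host-certificates=on cert=/opt/websafety/etc/myca.pem' \
        'http_port 3126 intercept' \
        'https_port 3127 intercept ssl-bump generate-host-certificates=on cert=/opt/websafety/etc/myca.pem'
}

# Constructed faulty sample: port 3127 declared with http_port by mistake.
sample_bad() { sample_good | sed 's/^https_port 3127/http_port 3127/'; }

sample_good | check_ports && echo "good sample: OK"
sample_bad  | check_ports || echo "bad sample: rejected"
```

To check the live configuration, pass the generated file or files from the /opt/websafety/etc/squid folder as arguments to check_ports.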