
IPFire uses the well-known Squid web proxy, which is published under the GNU General Public License.

In administrative environments, proxy servers are often used for logging or for access control with blacklists/whitelists or regular expressions. They also act as an additional protective layer and can optimize bandwidth usage and speed. Squid handles HTTP as well as HTTPS and FTP over HTTP, which makes it an all-purpose tool for web access.

In IPFire, Squid has been configured to be as secure as possible. Its SSL support was therefore removed (Core Update 90): it is not needed for the proxy functions IPFire offers, yet it opens an attack surface that has already produced several serious exploits. Squid can still handle HTTPS connections, but it simply forwards the bytes between client and server without attempting to decrypt them.

This affects only a few corner cases, including transparent interception of SSL connections (SSL Bump) and the use of Squid as a reverse proxy. In the former case, the security risk of SSL Bump, which at its core is a man-in-the-middle attack, is simply not worth the convenience of not having to configure every client to use the proxy by hand. You can always set up a firewall rule to block any outgoing SSL connection. In the latter case, several alternatives to Squid are available in IPFire, including Pound, Nginx or Apache.

Caching

A proxy is also often used to reduce web traffic in a network of several computers. In a typical setup without a web proxy, every computer downloads each page for itself and thereby uses bandwidth unnecessarily. With its cache, Squid stores every page it fetches and can deliver it to the whole local network whenever that page has already been loaded on the same or another computer. This greatly reduces access time and also saves bandwidth.
The Update Accelerator should be mentioned as well: it distributes updates (e.g. Windows or Linux package updates) centrally to all clients on the local network, which saves bandwidth too.

Note: Caching only occurs for HTTP traffic. HTTPS traffic cannot be cached because it is encrypted. As the number of plain HTTP sites continues to decrease, the amount of caching that can be achieved will continue to shrink.

Security

The security aspect is another important point: the proxy acts as a surrogate for the clients in the local network and handles all requests and replies to and from the web, so a client is never directly connected to the WAN.

Access control

Squid's access control can be expanded with add-ons. One example is the URL filter. There you can configure access control lists for users/computers by IP or MAC address, optionally time-controlled. An often discussed topic is child protection in families, or the protection of minors in companies, which is statutory in e.g. Germany.

The Authentication Methods offered by Squid are relevant as well.

Logging

Squid provides a wealth of logging features (see Log settings (for proxy)). This makes it possible to log and store every request to the web at very different levels of detail.

The resulting proxy reports can be viewed in the IPFire web interface and give a lot of information about usage patterns.

A quick overview is available from the proxy log in the web interface; filtering by time as well as by user or IP address is possible.
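The log viewer and the reports described above are built on Squid's access.log. The following Python script is an added example, not part of the IPFire project, that parses lines in Squid's default ("native") access.log layout, applies the same kind of filters the web interface offers (client IP, user, time window) and computes a cache hit ratio. It also makes the caching note above visible: HTTPS requests appear as CONNECT tunnels (TCP_TUNNEL) and are counted separately, because they can never be cache hits. The sample log lines are constructed for this example, and it is an assumption that the IPFire build writes its access.log in exactly this native format rather than a custom logformat.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, List, Optional

# Squid's default ("native") access.log line layout:
#   time.ms elapsed client code/status bytes method url user hierarchy/peer content-type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)

# Constructed sample lines (not taken from any real installation). The fourth
# line is an HTTPS request: Squid only tunnels it, so it shows up as CONNECT/TCP_TUNNEL.
SAMPLE_LOG = """\
1700000000.123    245 192.168.1.10 TCP_MISS/200 5123 GET http://example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
1700000010.456     12 192.168.1.11 TCP_HIT/200 5123 GET http://example.com/index.html alice HIER_NONE/- text/html
1700000020.789      8 192.168.1.10 TCP_MEM_HIT/200 2310 GET http://example.com/logo.png - HIER_NONE/- image/png
1700000030.001  30012 192.168.1.11 TCP_TUNNEL/200 88213 CONNECT example.org:443 alice HIER_DIRECT/93.184.216.35 -
1700000040.500    400 192.168.1.12 TCP_MISS/403 1200 GET http://blocked.example/ bob HIER_NONE/- text/html
this line is garbage and must be skipped
"""


def utc(epoch_seconds: float) -> datetime:
    """Squid logs seconds since the epoch; convert to an aware UTC datetime."""
    return datetime.fromtimestamp(epoch_seconds, tz=timezone.utc)


@dataclass
class Entry:
    when: datetime
    elapsed_ms: int
    client: str
    code: str          # Squid result code, e.g. TCP_MISS, TCP_HIT, TCP_TUNNEL
    status: int        # HTTP status returned to the client
    size: int          # bytes sent to the client
    method: str
    url: str
    user: Optional[str]          # None when Squid logged "-"
    content_type: Optional[str]  # None when Squid logged "-"

    @property
    def is_https_tunnel(self) -> bool:
        # HTTPS through the proxy is a CONNECT tunnel; the payload is never inspected or cached.
        return self.method == "CONNECT"

    @property
    def is_hit(self) -> bool:
        # TCP_HIT, TCP_MEM_HIT, TCP_REFRESH_UNMODIFIED etc. were served from the cache.
        return "HIT" in self.code or self.code == "TCP_REFRESH_UNMODIFIED"


def parse_line(line: str) -> Optional[Entry]:
    """Parse one native-format line; returns None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    user, ctype = m["user"], m["ctype"]
    return Entry(
        when=utc(float(m["ts"])),
        elapsed_ms=int(m["elapsed"]),
        client=m["client"],
        code=m["code"],
        status=int(m["status"]),
        size=int(m["size"]),
        method=m["method"],
        url=m["url"],
        user=None if user == "-" else user,
        content_type=None if ctype == "-" else ctype,
    )


def parse_log(lines: Iterable[str]) -> List[Entry]:
    """Parse a whole log, silently dropping unparseable lines."""
    return [e for e in (parse_line(line) for line in lines) if e is not None]


def filter_entries(entries: Iterable[Entry], client: Optional[str] = None,
                   user: Optional[str] = None, start: Optional[datetime] = None,
                   end: Optional[datetime] = None) -> List[Entry]:
    """The filters the web interface offers: by client IP, by user, by time window [start, end)."""
    out = []
    for e in entries:
        if client is not None and e.client != client:
            continue
        if user is not None and e.user != user:
            continue
        if start is not None and e.when < start:
            continue
        if end is not None and e.when >= end:
            continue
        out.append(e)
    return out


def cache_summary(entries: Iterable[Entry]) -> dict:
    """Hit ratio over plain-HTTP requests only; HTTPS tunnels cannot be hits and are reported separately."""
    entries = list(entries)
    tunnels = [e for e in entries if e.is_https_tunnel]
    plain = [e for e in entries if not e.is_https_tunnel]
    hits = [e for e in plain if e.is_hit]
    return {
        "requests": len(entries),
        "https_tunnels": len(tunnels),
        "http_requests": len(plain),
        "cache_hits": len(hits),
        "hit_ratio": (len(hits) / len(plain)) if plain else 0.0,
    }


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG.splitlines())
    print(cache_summary(parsed))
    for e in filter_entries(parsed, user="alice"):
        print(e.when.isoformat(), e.client, e.code, e.method, e.url)
```

To run it against a real log, replace `SAMPLE_LOG.splitlines()` with a file handle on the proxy's access.log. The share of `https_tunnels` in the summary is a direct measure of how much of the traffic the cache can no longer help with, which is the trend the caching note describes.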

Responsibility

As the operator of a proxy server you have responsibilities concerning data protection as well as data security. Laws differ from country to country, so we will not give any legal advice here. For Germany, the relevant laws and paragraphs can be found here: TKÜMV, BDSG, LDSG, TKG, TMG, DSGVO.
