Squid

How to install and configure Squid

Installation

# squidclient is only needed for the "Testing" step further down
sudo apt-get install squid squidclient

File locations

Location Description
/etc/squid config directory
/etc/squid/squid.conf squid configuration file
/usr/share/doc/squid documentation and examples
/usr/lib/squid support files
/usr/sbin/squid squid daemon
/var/log/squid log directory
/var/spool/squid cache directory

Configuration

Allow access to the proxy server for the local network

By default Squid only allows proxy access from localhost. We need to either add an ACL for a specific network, or allow the predefined "localnet" ACL, which is defined as the following RFC1918 networks:

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
# NOTE: defining the ACL grants nothing by itself; it only takes effect
# once a matching "http_access allow localnet" rule exists (it is commented
# out in the default configuration).
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network

To add a specific network, add the following line after the above section (an ACL must be defined before any http_access rule that references it):

acl internalnet src 10.0.0.0/24 # Internal network (10.0.0.0-10.0.0.255 only)

To allow internalnet to use the proxy, add an http_access rule for it before the final "deny all". http_access rules are evaluated in order and the first match wins, so a rule placed after "deny all" is never reached:

# edit as root; the rules below belong in the http_access section of squid.conf
sudo vi /etc/squid/squid.conf
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
# http_access allow localnet
http_access allow localhost
# Rules are evaluated top to bottom and the first match wins, so this allow
# must come before the closing "deny all".
http_access allow internalnet
# And finally deny all other access to this proxy
http_access deny all

Change the default port number

The default port number is 3128. To change it, edit the "http_port" directive. Note that changing the port does not restrict who can connect; access is controlled by the http_access rules above, and you can additionally bind the listener to an internal address (for example "http_port 10.0.0.1:3128") so the proxy is not reachable on external interfaces.

# edit as root; http_port is in the "Basic parameters" section of squid.conf
sudo vi /etc/squid/squid.conf
# Squid normally listens to port 3128
# With no address given Squid listens on all interfaces. To restrict the
# listener to the internal interface prefix the address, e.g.
# "http_port 10.0.0.1:3128"; changing the port alone is not an access control.
http_port 3128

Testing

You can use the program squidclient to test the connections. Test both from an allowed host (the request should succeed) and from a host outside the permitted networks (the request should be denied) to confirm the http_access rules behave as intended.

# usage: squidclient -h <proxy host> -p <proxy port> <url>
squidclient -h hostname -p port url
# fetch a page through the local proxy; repeat the same request from a host
# outside the allowed networks and confirm it is refused
squidclient -h localhost -p 3128 http://www.bbc.co.uk/

Using cache_peer_access

Configure the internal origin servers (cache_peer ... originserver) that Squid will reverse-proxy for. Note that "login=PASS" forwards the client's own login credentials to the azureus peer, in the clear over plain HTTP, so it is only acceptable on a trusted internal link.

# Origin servers behind the accelerator. "originserver" marks the peer as a web
# server rather than another proxy; "no-query" disables ICP queries to it.
cache_peer myth.internal parent 8000 0 no-query originserver name=apache
cache_peer myth.internal parent 8080 0 no-query originserver name=tomcat
# login=PASS forwards the client's own credentials to this peer, in the clear
# over plain HTTP, so this link must be a trusted internal network.
cache_peer myth.internal parent 6886 0 no-query originserver login=PASS name=azureus
cache_peer abacushill.internal parent 8000 0 no-query originserver name=abacushill.com
cache_peer lazygeek.internal parent 8000 0 no-query originserver name=lazygeek.co.uk
cache_peer muggridge.internal parent 8000 0 no-query originserver name=muggridge.org

Now restrict which requests each peer may receive. For each peer the cache_peer_access rules are evaluated in order and the first match wins, so every peer ends with an explicit "deny all":

# Per-peer routing rules: evaluated in order for each peer, first match wins,
# so each peer closes with "deny all" and only receives the sites listed for it.
cache_peer_access tomcat allow sites_roller
cache_peer_access tomcat allow sites_wiki
cache_peer_access tomcat deny all
cache_peer_access apache allow sites_mrtg
cache_peer_access apache allow sites_gallery
cache_peer_access apache deny all
cache_peer_access azureus allow sites_azureus
cache_peer_access azureus deny all
cache_peer_access abacushill.com allow sites_abacushill
cache_peer_access abacushill.com deny all
cache_peer_access lazygeek.co.uk allow sites_lazygeek
cache_peer_access lazygeek.co.uk deny all
cache_peer_access muggridge.org allow sites_muggridge
cache_peer_access muggridge.org deny all

Now define the ACLs that identify each site. Note that the first four match on URL path only (urlpath_regex), regardless of the destination host; the remaining four match on destination domain (dstdomain).

# Path-only ACLs: these match the URL path for ANY destination host
acl sites_mrtg urlpath_regex ^/mrtg
acl sites_gallery urlpath_regex ^/gallery
acl sites_roller urlpath_regex ^/roller
acl sites_wiki urlpath_regex ^/jspwiki
# Domain ACLs: a leading "." also matches every subdomain
acl sites_azureus dstdomain azureus.lazygeek.co.uk azureus.lazygeek.internal azureus.lazygeek
acl sites_abacushill dstdomain .abacushill.com .abacushill.internal .abacushill
acl sites_lazygeek dstdomain .lazygeek.co.uk .lazygeek.internal .lazygeek
acl sites_muggridge dstdomain .muggridge.org .muggridge.internal .muggridge

Now actually allow them access. Because the path-only ACLs match any host, these rules accept a request for /mrtg, /gallery, /roller or /jspwiki on any domain from any source address; consider combining them with a dstdomain ACL (for example "http_access allow sites_lazygeek sites_mrtg", which requires both to match) so only your own hostnames are accepted:

# NOTE: each allow applies to every source address. The path-only ACLs
# therefore admit /mrtg, /gallery, /roller and /jspwiki on any Host; pair them
# with a dstdomain ACL (e.g. "http_access allow sites_lazygeek sites_mrtg") if
# only your own hostnames should be accepted.
http_access allow sites_mrtg
http_access allow sites_gallery
http_access allow sites_roller
http_access allow sites_wiki
http_access allow sites_azureus
http_access allow sites_abacushill
http_access allow sites_lazygeek
http_access allow sites_muggridge

Final squid.conf

##############################
#
# Basic parameters
#
# The hostname visible in error messages
visible_hostname lazygeek.co.uk
# Define the email address for the notification email of squid going down
cache_mgr cache@lazygeek.co.uk
# Squid normally listens to port 3128
# Forward-proxy listener. No bind address is given, so it listens on all
# interfaces; only the http_access rules below keep outsiders from using it.
http_port 3128
#http_port 80 accel defaultsite=lazygeek.co.uk vhost vport
# Reverse-proxy (accelerator) listener. Both listeners share the single global
# http_access rule set, so rules intended for one port also apply to the other.
http_port 80 accel vhost vport
# Where the cache files will be, memory and such
cache_dir ufs /mnt/apps/squid/cache 10000 16 256
cache_mem 256 MB
maximum_object_size_in_memory 128 KB
##############################
#
# ACL Configuration
#
acl all src all
# Cache manager interface (restricted to localhost in the http_access section)
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
# RFC1918 ranges: defined, but the corresponding http_access allow is left
# commented out below, so these networks get no access by themselves.
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl internalnet src 10.0.0.0/24 # Internal network (the only forward-proxy client range allowed below)
#
acl SSL_ports port 443          # https
acl SSL_ports port 563          # snews
acl SSL_ports port 873          # rsync
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 631         # cups
acl Safe_ports port 873         # rsync
acl Safe_ports port 901         # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
# Reverse Proxy acls
# NOTE: the next four match on URL path only, for ANY destination host; pair
# them with a dstdomain ACL in http_access if only your own sites should match.
acl sites_mrtg urlpath_regex ^/mrtg
acl sites_gallery urlpath_regex ^/gallery
acl sites_roller urlpath_regex ^/roller
acl sites_wiki urlpath_regex ^/jspwiki
# Domain ACLs: a leading "." also matches every subdomain
acl sites_azureus dstdomain azureus.lazygeek.co.uk azureus.lazygeek.internal azureus.lazygeek
acl sites_abacushill dstdomain .abacushill.com .abacushill.internal .abacushill
acl sites_lazygeek dstdomain .lazygeek.co.uk .lazygeek.internal .lazygeek
acl sites_muggridge dstdomain .muggridge.org .muggridge.internal .muggridge
##############################
#
# http_access
#
# Rules are evaluated in order and the first matching rule decides. The
# closing "http_access deny all" is placed after the Reverse Proxy section
# further down; rule order among http_access lines is what matters, not
# their position relative to other directives.
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Only allow purge requests from localhost
http_access allow purge localhost
http_access deny purge
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
#
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
http_access deny to_localhost
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
#http_access allow localnet
http_access allow localhost
# Forward-proxy clients: only the 10.0.0.0/24 range defined as internalnet
http_access allow internalnet
# Reverse Proxy sites
# NOTE: these apply to every source address on either listener. The first
# four ACLs match on path alone, so a request for e.g. /mrtg on any Host is
# accepted; combine with a dstdomain ACL (e.g. "allow sites_lazygeek
# sites_mrtg") to limit them to your own hostnames.
http_access allow sites_mrtg
http_access allow sites_gallery
http_access allow sites_roller
http_access allow sites_wiki
http_access allow sites_azureus
http_access allow sites_abacushill
http_access allow sites_lazygeek
http_access allow sites_muggridge
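##############################
#
# Reverse Proxy Configuration
#
# Origin servers behind the accelerator. "originserver" marks the peer as a
# web server rather than another proxy; "no-query" disables ICP queries to it.
cache_peer myth.internal parent 8000 0 no-query originserver name=apache
cache_peer myth.internal parent 8080 0 no-query originserver name=tomcat
# login=PASS forwards the client's own credentials to this peer, in the clear
# over plain HTTP, so this link must be a trusted internal network.
cache_peer myth.internal parent 6886 0 no-query originserver login=PASS name=azureus
cache_peer abacushill.internal parent 8000 0 no-query originserver name=abacushill.com
cache_peer lazygeek.internal parent 8000 0 no-query originserver name=lazygeek.co.uk
cache_peer muggridge.internal parent 8000 0 no-query originserver name=muggridge.org
# Per-peer routing rules: evaluated in order for each peer, first match wins,
# so each peer closes with "deny all" and only receives the sites listed for it.
cache_peer_access tomcat allow sites_roller
cache_peer_access tomcat allow sites_wiki
cache_peer_access tomcat deny all
cache_peer_access apache allow sites_mrtg
cache_peer_access apache allow sites_gallery
cache_peer_access apache deny all
cache_peer_access azureus allow sites_azureus
cache_peer_access azureus deny all
cache_peer_access abacushill.com allow sites_abacushill
cache_peer_access abacushill.com deny all
cache_peer_access lazygeek.co.uk allow sites_lazygeek
cache_peer_access lazygeek.co.uk deny all
cache_peer_access muggridge.org allow sites_muggridge
cache_peer_access muggridge.org deny all
# Requests that arrive on the accelerator port (80) must always be served by
# one of the configured peers and never fetched directly from the Internet.
# Without this, the "hierarchy_stoplist cgi-bin ?" entry further down marks
# URLs containing "?" as non-hierarchical, and Squid fetches those DIRECT
# instead of from the peer: a request such as http://anything/mrtg?x that the
# path-only http_access rules accept would be retrieved from an arbitrary
# host by this server. Forward-proxy clients on port 3128 are unaffected.
acl accel_port myport 80
never_direct allow accel_port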
# And finally deny all other access to this proxy
http_access deny all
#Allow ICP queries from local networks only
icp_access allow internalnet
icp_access deny all
# Requests matching these patterns are treated as non-hierarchical and, unless
# a never_direct rule covers them, are fetched DIRECT rather than through a
# cache_peer. For the reverse-proxy peers above that means URLs containing "?"
# would bypass the peer unless never_direct is applied to accelerator traffic.
hierarchy_stoplist cgi-bin ?
# Records client IP and requested URL for every request; protect accordingly.
access_log /var/log/squid/access.log squid
#  TAG: debug_options
#       Logging options are set as section,level where each source file
#       is assigned a unique section.  Lower levels result in less
#       output,  Full debugging (level 9) can result in a very large
#       log file, so be careful.  The magic word "ALL" sets debugging
#       levels for all sections.  We recommend normally running with
#       "ALL,1".
#
#Default:
debug_options ALL,1
#Suggested default:
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern (Release|Package(.gz)*)$        0       20%     2880
# example line deb packages
#refresh_pattern (\.deb|\.udeb)$   129600 100% 129600
refresh_pattern .               0       20%     4320
# Don't upgrade ShoutCast responses to HTTP
acl shoutcast rep_header X-HTTP09-First-Line ^ICY.[0-9]
upgrade_http0.9 deny shoutcast
# Apache mod_gzip and mod_deflate known to be broken so don't trust
# Apache to signal ETag correctly on such responses
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
#  TAG: extension_methods
#       Squid only knows about standardized HTTP request methods.
#       You can add up to 20 additional "extension" methods here.
extension_methods REPORT MERGE MKACTIVITY CHECKOUT
hosts_file /etc/hosts
#
# Directory for core dumps. NOTE: this is the packaged default path, not the
# cache_dir configured above (/mnt/apps/squid/cache). A core holds the
# process memory, including in-memory cache objects, so the directory
# should be readable by the squid user only.
coredump_dir /var/spool/squid

References

sial – HowTo Squid
Begin Linux – Ubuntu 10.04 Squid proxy
Squid-Cache – Config examples