SQUID Server:: The Best Proxy Server


The main duty of a proxy server is to act as a gateway: it receives HTTP requests from clients, forwards each request to the destination, and relays the answer back to the requester.

Squid is the most popular open-source software that provides this. It also has some excellent features beyond plain forwarding, such as

  • Web access control,
  • Bandwidth control,
  • Restriction policies, and
  • Content caching and filtering

In practice, people install SQUID to pursue two goals:

  1. Reducing bandwidth charges through content caching
  2. Restricting access to particular content

The following guide explains the advantages of using Squid and shows you how to install, configure, control, and maintain the Squid proxy server on CentOS 5.4 Linux.

How to Configure the SQUID Proxy Server?

Step 1: Installation

# yum install squid

Step 2: Configure Squid

The Squid configuration file is located at /etc/squid/squid.conf. Open the file with a text editor:
# vi /etc/squid/squid.conf

Search for the string CONNECT; you will find a line like this:

acl CONNECT method CONNECT

Write a proxy rule (an acl line) below it:

 acl myLAN src 192.168.0.0/24

where myLAN is the ACL name and 192.168.0.0/24 is the client network.

syntax:

acl <aclname> <type> <value>

Step 3:

Search for the string INSERT in squid.conf; you will find this block:

# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
# Example rule allowing access from your local networks. Adapt
# to list your (internal) IP networks from where browsing should
# be allowed
#http_access allow our_networks
# And finally deny all other access to this proxy
http_access allow localhost
http_access deny all

Put your access rule between these two lines, so that the block reads:

http_access allow localhost
http_access allow myLAN
http_access deny all

Step 4:

Save the file and restart the squid service:

service squid restart

or

/etc/init.d/squid restart

Step 5:

Configure your browser to use the proxy (assume the proxy server's IP address is 192.168.0.45 and the proxy port is 3128, the default port for Squid).

Then surf the internet without any restriction.

NEED MORE? For more detail on the proxy, go through the rest of this document.

The defaults are:

Port: 3128
Config file: /etc/squid/squid.conf
Cache dir: /var/spool/squid
Log file: /var/log/squid/access.log

 

About ACLs (Access Control Lists): the popular ACL types are listed here

  • src: source (client) IP addresses
  • dst: destination (server) IP addresses
  • myip: the local IP address of a client’s connection
  • arp: Ethernet (MAC) address matching
  • srcdomain: source (client) domain name
  • dstdomain: destination (server) domain name
  • time: time of day, and day of week
  • url_regex: URL regular expression pattern matching
  • urlpath_regex: URL-path regular expression pattern matching, leaves out the protocol and hostname
  • port: destination (server) port number
  • myport: local port number that client connected to
  • proto: transfer protocol (http, ftp, etc)
  • method: HTTP request method (get, post, etc)
  • browser: regular expression pattern matching on the request user-agent header
  • proxy_auth: user authentication via external processes
  • maxconn: a limit on the maximum number of connections from a single client IP address
  • max_user_ip: a limit on the maximum number of IP addresses one user can login from

 

An access list rule consists of an allow or deny keyword, followed by a list of ACL element names.

An access list consists of one or more access list rules.

Access list rules are checked in the order they are written. List searching terminates as soon as one of the rules is a match.

If a rule has multiple ACL elements, it uses AND logic. In other words, all ACL elements of the rule must be a match in order for the rule to be a match. This means that it is possible to write a rule that can never be matched. For example, a port number can never be equal to both 80 AND 8000 at the same time.

To summarize, the ACL logic can be described as follows (note: the AND/OR below is just for illustration and not part of the syntax):

http_access allow|deny acl AND acl AND …       OR
http_access allow|deny acl AND acl AND …       OR
…

If none of the rules match, the default action is the opposite of the last rule in the list. It's a good idea to be explicit about the default action. The best way is to end with the all ACL. For example:

http_access deny all
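The evaluation order just described, as an added worked model (this is not Squid's own code): a small Python evaluator that applies AND within a rule, "!" negation of one element, first-match-wins across rules, and the implicit opposite-of-last-rule default. The ACL names and the requests are constructed from this page's own lines; p80/p8000 is the impossible 80-AND-8000 rule from the paragraph above.

```python
import ipaddress

# Constructed ACL table mirroring the acl lines used in this guide.
# name -> (acl type, values). Only the src, port and method types are modelled.
ACLS = {
    "localhost":  ("src",    ["127.0.0.1/32"]),
    "myLAN":      ("src",    ["192.168.0.0/24"]),
    "all":        ("src",    ["0.0.0.0/0"]),
    "Safe_ports": ("port",   ["80", "21", "443", "563", "70", "210", "1025-65535"]),
    "CONNECT":    ("method", ["CONNECT"]),
    "p80":        ("port",   ["80"]),     # the 80 AND 8000 example from the text
    "p8000":      ("port",   ["8000"]),
}


def port_in(values, port):
    """True if port falls inside any value: a single port ('80') or a range ('1025-65535')."""
    for value in values:
        low, _, high = value.partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False


def acl_matches(name, request):
    """Evaluate one ACL element against a request (dict with src, port, method)."""
    acl_type, values = ACLS[name]
    if acl_type == "src":
        ip = ipaddress.ip_address(request["src"])
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if acl_type == "port":
        return port_in(values, request["port"])
    if acl_type == "method":
        return request["method"] in values
    raise ValueError("unsupported acl type: " + acl_type)


def parse_rules(conf_lines):
    """Turn 'http_access allow|deny acl [acl ...]' lines into (action, elements) pairs."""
    rules = []
    for line in conf_lines:
        parts = line.split("#")[0].split()
        if len(parts) >= 3 and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return rules


def evaluate(rules, request):
    """Apply the semantics described above: elements in a rule are ANDed ('!'
    negates one element), rules are tried in order and the first match wins,
    and if no rule matches the decision is the opposite of the last rule's action."""
    if not rules:
        raise ValueError("empty access list")
    for action, elements in rules:
        matched = True
        for element in elements:
            negated = element.startswith("!")
            hit = acl_matches(element.lstrip("!"), request)
            if hit == negated:          # element did not hold (or a negated element hit)
                matched = False
                break
        if matched:
            return action, "matched rule: http_access %s %s" % (action, " ".join(elements))
    last_action = rules[-1][0]
    implicit = "deny" if last_action == "allow" else "allow"
    return implicit, "no rule matched; implicit opposite of last rule (%s)" % last_action


# The access list built in this guide, with the never-matching rule added.
GUIDE_RULES = parse_rules([
    "http_access deny !Safe_ports",
    "http_access deny p80 p8000",      # can never match: a port is not both 80 and 8000
    "http_access allow localhost",
    "http_access allow myLAN",
    "http_access deny all",
])

# A list that forgets the explicit 'deny all': the implicit default becomes allow.
OPEN_RULES = parse_rules(["http_access deny !Safe_ports"])

if __name__ == "__main__":
    lan_web = {"src": "192.168.0.10", "port": 80, "method": "GET"}
    lan_smtp = {"src": "192.168.0.10", "port": 25, "method": "CONNECT"}
    outsider = {"src": "203.0.113.7", "port": 80, "method": "GET"}
    for req in (lan_web, lan_smtp, outsider):
        print(req["src"], req["port"], "->", evaluate(GUIDE_RULES, req))
    print("outsider on the open list ->", evaluate(OPEN_RULES, outsider))
```

The last line is the point of the "be explicit" advice: with only a deny rule in the list, an outsider's request is allowed by the implicit default.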


Access Control Lists (ACL)

ACLs are used to restrict usage and limit the web access of hosts. Each acl line defines a particular type of activity, such as an access time or a source network; after that we link the ACL to an http_access statement that tells Squid whether to allow or deny traffic that matches the ACL.

When you install Squid for the first time, you need to add some ACLs to allow your network to use the internet, because Squid denies web access by default.

The syntax of an ACL is like this:

acl aclname acltype value

aclname = the rule name (any name you choose, such as mynetwork)

acltype = the type of ACL, such as src (source IP) or dst (destination IP)

value = an IP address, a network, a URL, …

This example will allow localhost to access the internet:

acl localhost src 127.0.0.1/32
http_access allow localhost

We are allowing the computers that match the IP address range contained in the localhost ACL to access the internet. There are other ACLs and ACL operators available for Squid, but this is good for practice.

So with this syntax, you can now tell Squid how to work. Suppose you want to allow your 192.168.0.0/24 network range to access the internet. You can do this, but first open the config file and find these lines:

http_access allow localhost
http_access deny all

Replace them with:

acl myLAN src 192.168.0.0/24
http_access allow localhost
http_access allow myLAN
http_access deny all

Note: specify the rules before the line http_access deny all. After that change, save your file and restart the Squid service.

How do I implement an ACL ban list? :: ACL types (url_regex and dstdomain)

As an example, we will assume that you would like to prevent users from accessing content whose URLs contain words such as "sex" or "xxx".

One way to implement this would be to deny access to any URLs that contain the words "sex" or "xxx". You would use these configuration lines:

acl porn1 url_regex sex
acl porn2 url_regex xxx
acl myLAN src 192.168.0.0/24
http_access deny porn1
http_access deny porn2
http_access allow myLAN
http_access deny all

The url_regex means to search the entire URL for the regular expression you specify. Note that these regular expressions are case-sensitive, so a URL containing "Sex" or "Xxx" would not be denied.

Another way is to deny access to specific servers which are known to host porn content. For example:

acl porn dstdomain .playboy.com .xxx.com .sex.com
http_access deny porn
http_access allow all

The dstdomain means to search the hostname in the URL for the strings ".playboy.com", ".xxx.com" and ".sex.com". Note that when IP addresses are used in URLs (instead of domain names), Squid implements relaxed access controls. If a domain name for the IP address has been saved in Squid's "FQDN cache", then Squid can compare the destination domain against the access controls. However, if the domain is not immediately available, Squid allows the request and makes a lookup for the IP address so that it may be available for future requests.

Note: for ACL type dstdomain, names should start with a dot, e.g. .yahoo.com .gmail.com

Easy way of banning all destination addresses except one!!

acl vikas dst 192.168.0.55
http_access allow vikas
http_access deny all

How can I move ACL content to an external file? Banning pornographic sites

Often, the hardest part about using Squid to deny pornography is coming up with the list of sites that should be blocked. You may want to maintain such a list yourself, or get one from somewhere else (see below). Note that once you start blocking web content, users will try to use web proxies to circumvent the porn filter.

The ACL syntax for using such a list depends on its contents. If the list contains regular expressions, use this:

acl PornContent url_regex "/etc/squid/porn-content"
http_access deny PornContent

where the file /etc/squid/porn-content contains the objectionable patterns, one per line:

# vi /etc/squid/porn-content

sex
xxx
porn

Note: lists of pornographic sites are available from several sources:

  • The SquidGuard redirector folks have links to some lists.
  • The maintainer of the free ufdbGuard redirector has a commercial URL database.
  • Bill Stearns maintains the sa-blacklist of known spammers. By blocking the spammer web sites in Squid, users can no longer use up bandwidth downloading spam images and HTML. Even more importantly, they can no longer send out requests for things like scripts and GIFs that have a unique identifier attached, showing that they opened the email and making their addresses more valuable to the spammer.
  • The SleezeBall site has a list of patterns that you can download.

Note that once you start blocking web content, users will try to use web proxies to circumvent the filtering, hence you will also need to block all web proxies.

On the other hand, if the list contains origin server hostnames, simply change url_regex to dstdomain in this example.

Squid denies some port numbers!! How to allow and deny port numbers?

It is dangerous to allow Squid to connect to certain port numbers. For example, it has been demonstrated that someone can use Squid as an SMTP (email) relay. As I’m sure you know, SMTP relays are one of the ways that spammers are able to flood our mailboxes. To prevent mail relaying, Squid denies requests when the URL port number is 25. Other ports should be blocked as well, as a precaution against other less common attacks.

There are two ways to filter by port number: either allow specific ports, or deny specific ports. By default, Squid does the first. This is the ACL entry that comes in the default squid.conf:

acl Safe_ports port 80 21 443 563 70 210 1025-65535
http_access deny !Safe_ports

The above configuration denies requests when the URL port number is not in the list. The list allows connections to the standard ports for HTTP, FTP, Gopher, SSL, WAIS, and all non-privileged ports.

Another approach is to deny dangerous ports. The dangerous port list should look something like:

acl Dangerous_ports port 7 9 19 22 23 25 53 109 110 119
http_access deny Dangerous_ports

…and probably many others.

Please consult the /etc/services file on your system for a list of known ports and protocols.

Customize your own error messages :: deny_info

We can customize or create new error messages and use these in conjunction with the deny_info option.

For example, let's say you want your users to see a special message when they request something that matches your pornography list. First, create a file named ERR_NO_PORNO in the "/etc/squid/error" directory. That file might contain something like this:

Our company policy is to strongly deny requests to pornographic sites.  If you
feel you've received this message in error, please contact
the System Administrator (mail@xyz.com, Ph. 011-2312312312).

Next, set up your access controls as follows:

acl Porn url_regex "/etc/squid/porn-content"
deny_info ERR_NO_PORNO Porn
http_access deny Porn

Block downloads of music and video (MP3, MPG, MPEG) and executable files :: Block extensions like .exe, .pdf, etc. :: urlpath_regex

For security and to save bandwidth, I would like to configure the Squid proxy server so that my users cannot download any of the following file types:
MP3
MPEG
MPG
AVG
AVI
EXE

How do I configure Squid content filtering?

You can use a Squid ACL (access control list) to block all these files easily.

First open the squid.conf file /etc/squid/squid.conf:

# vi /etc/squid/squid.conf

Now add the following lines to your Squid ACL section:

acl block-files urlpath_regex "/etc/squid/blockfiles"
http_access deny block-files

Save and close the file.

where /etc/squid/blockfiles contains one regular expression per line. Matching is case-sensitive, so "EXE" and "exe" are different extensions; the first version below matches either case:

# vi /etc/squid/blockfiles

\.[Ee][Xx][Ee]$
\.[Aa][Vv][Ii]$
\.[Mm][Pp][Gg]$
\.[Mm][Pp][Ee][Gg]$
\.[Mm][Pp]3$

or

# vi /etc/squid/blockfiles

\.exe$
\.avi$
\.mpg$
\.mpeg$
\.mp3$
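As an added illustration, not part of the original guide, of how the three matching types used in the ban-list section and in this blockfiles section behave: the Python model below searches the whole URL for url_regex, only the part after the host for urlpath_regex, and compares the hostname for dstdomain using the leading-dot rule (a dotted name covers the domain and its subdomains). The pattern lists and URLs are constructed here, and keeping the query string inside the text that urlpath_regex searches is an assumption of the model.

```python
import re
from urllib.parse import urlsplit

# Constructed contents of the two pattern files this guide describes, one pattern
# per line (in a real deployment: /etc/squid/porn-content and /etc/squid/blockfiles).
PORN_CONTENT = ["sex", "xxx", "porn"]
BLOCKFILES_LOWER_ONLY = [r"\.exe$", r"\.avi$", r"\.mpg$", r"\.mpeg$", r"\.mp3$"]
BLOCKFILES_ANY_CASE = [r"\.[Ee][Xx][Ee]$", r"\.[Aa][Vv][Ii]$", r"\.[Mm][Pp][Gg]$",
                       r"\.[Mm][Pp][Ee][Gg]$", r"\.[Mm][Pp]3$"]
BANNED_DOMAINS = [".playboy.com", ".xxx.com", ".sex.com"]


def url_regex(patterns, url):
    """acl NAME url_regex ...: case-sensitive search over the entire URL."""
    return any(re.search(p, url) for p in patterns)


def urlpath_regex(patterns, url):
    """acl NAME urlpath_regex ...: the same search with scheme and host removed.
    Assumption of this model: the query string stays part of the searched text."""
    parts = urlsplit(url)
    path = parts.path + ("?" + parts.query if parts.query else "")
    return any(re.search(p, path) for p in patterns)


def dstdomain(domains, url):
    """acl NAME dstdomain ...: compare the URL's hostname with the list.
    A name with a leading dot matches that domain and all its subdomains; a bare
    name matches only that exact host. An IP literal in the URL is not matched
    here, mirroring the relaxed handling described in the text."""
    host = (urlsplit(url).hostname or "").lower()
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        return False
    for name in domains:
        name = name.lower()
        if name.startswith("."):
            if host == name[1:] or host.endswith(name):
                return True
        elif host == name:
            return True
    return False


def classify(url, blockfiles=BLOCKFILES_LOWER_ONLY):
    """Return the name of the first deny ACL the URL hits, or 'allow'.
    The order mirrors the http_access deny lines in this guide."""
    if url_regex(PORN_CONTENT, url):
        return "PornContent"
    if dstdomain(BANNED_DOMAINS, url):
        return "porn"
    if urlpath_regex(blockfiles, url):
        return "block-files"
    return "allow"


if __name__ == "__main__":
    # Constructed URLs chosen to show the edge cases discussed in the text.
    samples = [
        "http://www.example.com/Sex/index.html",   # "Sex" != "sex": case-sensitive, allowed
        "http://essex.example.edu/",               # "sex" inside "essex": over-blocked
        "http://images.playboy.com/gallery",       # subdomain caught by the leading dot
        "http://notplayboy.com/",                  # not a subdomain, allowed
        "http://198.51.100.20/",                   # IP literal: relaxed, allowed
        "http://dl.example.net/setup.EXE",         # upper-case extension slips past \.exe$
        "http://dl.example.net/setup.exe?dl=1",    # query string after .exe defeats the $
        "http://dl.example.net/music.mp3",         # blocked
    ]
    for url in samples:
        print("%-45s %-12s %s" % (url, classify(url), classify(url, BLOCKFILES_ANY_CASE)))
```

The two right-hand columns show the lower-case-only list and the [Ee][Xx][Ee] list side by side, which is where the "EXE versus exe" difference becomes visible.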

ACL based on MAC address rather than IP

A MAC address is only available for clients that are on the same subnet. If the client is on a different subnet, Squid cannot find out its MAC address, because the MAC is replaced by the router's MAC when a packet is routed.

All machines should be connected to the same switched network on the same subnet.

If everything compiles, then you can add some ARP ACL lines to your squid.conf:

acl vikas-pc arp 78:DD:08:D8:61:46
acl prabhat-pc arp FC:75:16:8E:55:23
http_access allow vikas-pc
http_access allow prabhat-pc
http_access deny all

Note: we can obtain the MAC addresses with the following command. Try the arp ACL on Squid 3.x; it is not supported by Squid 2.6 by default.

[root@kvit ~]# arp -a
? (192.168.0.87) at 78:DD:08:D8:61:46 [ether] on eth0
? (192.168.0.253) at FC:75:16:8E:55:23 [ether] on eth0

To enable this feature in Squid 2.6, the process is as follows:

wget http://rpm.pbone.net/index.php3/stat/3/srodzaj/2/search/squid-2.6.STABLE6-5.el5_1.3.src.rpm
rpm -ivh squid-2.6.STABLE6-5.el5_1.3.src.rpm


then

updatedb
vim /usr/src/redhat/SPECS/squid.spec

Add the two lines shown last below to the %configure section of the spec (the "<==" markers are annotations, not part of the file):

%configure \
   --exec_prefix=/usr \
   --bindir=%{_sbindir} \
   --libexecdir=%{_libdir}/squid \
   --localstatedir=/var \
   --datadir=%{_datadir} \
   --sysconfdir=/etc/squid \
   --enable-epoll \
   --enable-snmp \
   --enable-removal-policies="heap,lru" \
   --enable-storeio="aufs,coss,diskd,null,ufs" \
   --enable-ssl \
   --with-openssl=/usr/kerberos \
   --enable-delay-pools \
   --enable-linux-netfilter \
   --with-pthreads \
   --enable-ntlm-auth-helpers="SMB,fakeauth" \
   --enable-external-acl-helpers="ip_user,ldap_group,unix_group,wbinfo_group" \
   --enable-auth="basic,digest,ntlm" \
   --enable-digest-auth-helpers="password" \
   --with-winbind-auth-challenge \
   --enable-useragent-log \
   --enable-referer-log \
   --disable-dependency-tracking \
   --enable-cachemgr-hostname=localhost \
   --enable-underscores \
   --enable-basic-auth-helpers="LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam,multi-domain-NTLM,SASL" \
   --enable-cache-digests \
   --enable-ident-lookups \
%ifnarch ppc64 ia64 x86_64 s390x
   --with-large-files \
%endif
   --enable-follow-x-forwarded-for \
   --enable-wccpv2 \
   --enable-fd-config \
   --with-maxfd=16384 \
   --enable-arp \                <========== added line 1
   --enable-arp-acl \            <========== added line 2

then run this command

# rpmbuild -ba /usr/src/redhat/SPECS/squid.spec

Wait for the build to complete, then install the resulting package:

# rpm -ivh /usr/src/redhat/RPMS/i386/squid-2.6.STABLE6-5.3.i386.rpm

Now Squid supports the ARP (MAC) ACL feature.

Note: using MAC addresses, we can register devices such as PCs, laptops and phones for content filtering.

Time-based restriction in Squid

The time ACL type uses these letters for the days of the week:

S Sunday
M Monday
T Tuesday
W Wednesday
H Thursday
F Friday
A Saturday
D All weekdays

Working hours, 9 AM to 5 PM Monday to Friday, can be defined as:

acl Working-hours time M T W H F 9:00-17:00

Example rules:

acl home_network src 192.168.1.0/24
acl business_hours time M T W H F 9:00-17:00
acl RestrictedHost src 192.168.1.23
#
# Add this at the top of the http_access section of squid.conf
#
http_access deny RestrictedHost
http_access allow home_network business_hours

———————————————————————————————–

# Add this to the bottom of the ACL section of squid.conf
acl mornings time 08:00-12:00
# Add this at the top of the http_access section of squid.conf
http_access allow mornings

———————————————————————————————–

# Add this to the bottom of the ACL section of squid.conf
acl home_network src 192.168.1.0/24
acl business_hours time M T W H F 9:00-17:00
acl GoodSites dstdomain "/usr/local/etc/allowed-sites.squid"
acl BadSites dstdomain "/usr/local/etc/restricted-sites.squid"
# Add this at the top of the http_access section of squid.conf
http_access deny BadSites
http_access allow home_network business_hours GoodSites
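As an added example, not from the original post: a Python parser for the time ACL value syntax shown above (day letters, written separately or run together, plus an optional h1:m1-h2:m2 window), and a check of the first rule set above (deny RestrictedHost, then allow home_network business_hours) against a few constructed timestamps. Treating the end of the window as exclusive is an assumption of this model.

```python
import ipaddress
from datetime import datetime

# Squid day letters mapped to datetime.weekday() numbers (Monday = 0).
DAY_LETTERS = {"S": 6, "M": 0, "T": 1, "W": 2, "H": 3, "F": 4, "A": 5}


def parse_time_acl(spec):
    """Parse the value part of 'acl NAME time [days] [h1:m1-h2:m2]'.

    Returns (set of weekday numbers, (start_minute, end_minute)).
    'D' expands to Monday..Friday; letters may be separated by spaces or run
    together (MTWHF); no letters means every day and no range means all day.
    """
    days = set()
    window = (0, 24 * 60)
    for token in spec.split():
        if "-" in token and ":" in token:
            start, end = token.split("-")
            h1, m1 = (int(x) for x in start.split(":"))
            h2, m2 = (int(x) for x in end.split(":"))
            if (h1, m1) >= (h2, m2):
                raise ValueError("time range must run forward: " + token)
            window = (h1 * 60 + m1, h2 * 60 + m2)
        else:
            for letter in token:
                if letter == "D":
                    days.update(range(0, 5))
                elif letter in DAY_LETTERS:
                    days.add(DAY_LETTERS[letter])
                else:
                    raise ValueError("unknown day letter: " + letter)
    return (days or set(range(7))), window


def time_acl_matches(spec, when_iso):
    """True if the timestamp (ISO 8601 string) falls inside the time ACL.
    Assumption of this model: the end of the window is exclusive."""
    when = datetime.fromisoformat(when_iso)
    days, (start, end) = parse_time_acl(spec)
    minute_of_day = when.hour * 60 + when.minute
    return when.weekday() in days and start <= minute_of_day < end


# Constructed ACLs copied from the first rule set above.
HOME_NETWORK = ipaddress.ip_network("192.168.1.0/24")
RESTRICTED_HOST = ipaddress.ip_address("192.168.1.23")
BUSINESS_HOURS = "M T W H F 9:00-17:00"


def decide(src_ip, when_iso):
    """Mirror the two http_access lines:
       http_access deny RestrictedHost
       http_access allow home_network business_hours
    A request matching neither is denied, which is also what the implicit
    opposite-of-last-rule default gives for a list ending in allow."""
    ip = ipaddress.ip_address(src_ip)
    if ip == RESTRICTED_HOST:
        return "deny"
    if ip in HOME_NETWORK and time_acl_matches(BUSINESS_HOURS, when_iso):
        return "allow"
    return "deny"


if __name__ == "__main__":
    for src, when in [("192.168.1.50", "2024-06-04T10:30"),   # Tuesday, in hours
                      ("192.168.1.50", "2024-06-08T10:30"),   # Saturday
                      ("192.168.1.50", "2024-06-04T18:00"),   # after hours
                      ("192.168.1.23", "2024-06-04T10:30")]:  # restricted host
        print(src, when, "->", decide(src, when))
```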

Surfing the internet using a username and password :: proxy_auth

Step # 1: Create a username/password

First create an NCSA password file using the htpasswd command. htpasswd creates and updates the flat files that store usernames and passwords for basic authentication of Squid users.

# htpasswd -c  /etc/squid/passwd user1

Output:

New password: ****
Re-type new password: ****
Adding password for user user1

Note: for the next user do not use the "-c" option, otherwise the existing file /etc/squid/passwd will be overwritten.

Make sure Squid can read the passwd file (o+r makes it world-readable; owning it root:squid with mode 640 is the tighter choice):

# chmod o+r /etc/squid/passwd

Step # 2: Locate the ncsa_auth authentication helper

Usually ncsa_auth is located at /usr/lib/squid/ncsa_auth. You can find its location using rpm (Red Hat, CentOS, Fedora):

# rpm -ql squid | grep ncsa_auth

Output:

/usr/lib/squid/ncsa_auth

Step # 3: Configure ncsa_auth for Squid proxy authentication

# vi /etc/squid/squid.conf

Append (or modify) the following configuration directives:

auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

Also find your ACL section and append/modify:

# Rule…
acl ncsa_users proxy_auth REQUIRED
# action
http_access allow ncsa_users

Tuning and hardening Squid

Tuning means making it a little bit faster and hardening means making it less vulnerable to malicious use. The default installation of Squid on a CentOS box has a lot of features enabled which most likely aren't used: we want to turn these off. Then there might be situations where you want to use Squid but don't want it to function as a cache.

Tuning

Tuning Squid will speed things up a little bit. So without further ado, let's first take a look at the directives for squid.conf:

pipeline_prefetch on
shutdown_lifetime 1 second

While pipeline_prefetch will boost the performance of pipelined requests to closer match that of a non-proxied environment, the second directive shutdown_lifetime saves you a lot of time waiting for Squid to shut down. The latter comes in very handy if you’re tweaking Squid and need to restart it a lot.

Even though Squid is meant as a cache, there are reasons to run it without a cache, i.e. as a pure forwarding proxy: you might want to use it as a load balancer with some parent proxies, simply as a transparent proxy, or you don't have particularly fast hardware. There are two methods to circumvent caching:

  1. Deny caching for all connections:

acl all src 0.0.0.0/0.0.0.0
no_cache deny all

This way neither will a request be satisfied from the cache nor will the reply be cached. Note that the first line might already be in your configuration.

  2. If you use a parent proxy you can specify the proxy-only option to prevent data retrieved from the remote cache from being stored locally. An example:

cache_peer proxy.isp.com parent 8080 0 proxy-only

Finally you might want to turn off logging. On a Debian based system it's sufficient to turn off cache_access_log and cache_store_log:

cache_access_log none
cache_store_log none

Hardening

When talking about hardening I think about turning off features that aren’t used and restricting access to the proxy. Features that aren’t used might be ICP and HTCP: they are used to communicate with other caches in a hierarchy. In most cases we don’t need this:

icp_port 0
htcp_port 0
icp_access deny all
htcp_access deny all

If you don't wish to use SNMP, we can disable this too:

snmp_port 0
snmp_access deny all

At last you definitely want to restrict access to your proxy: define an access control list (acl) and either allow or deny access with http_access. Let's say your LAN is 172.16.0.0/24 and 172.16.1.0/24. Then you would put the following into squid.conf:

acl LAN src 172.16.0.0/24 172.16.1.0/24
http_access allow LAN

If somebody outside your network tries to access your proxy, he'll get an error message that he isn't allowed to do so, provided the access list ends with the explicit http_access deny all recommended earlier.

Increasing squid cache directory size

Squid is a web proxy, but it can also be used as a reverse proxy and web accelerator. In this article, however, I'm going to explain an easy way to increase or create a cache directory for Squid.

This is rather useful for caching web files on disk rather than always querying the web server. The default installation of Squid from yum or by RPM sets the cache directory size to 100 MB.

To increase the cache directory size, simply edit the file /etc/squid/squid.conf and locate the directive:

cache_dir ufs /var/spool/squid 100 16 256

Syntax: cache_dir ufs Directory-Name Mbytes L1 L2 [options]

Where:

ufs: the old, well-known Squid storage format that has always been there.
'Mbytes' is the amount of disk space (MB) to use under this directory. The default is 100 MB. Change this to suit your configuration. Do NOT put the size of your disk drive here. Instead, if you want Squid to use the entire disk drive, subtract 20% and use that value.
'L1' is the number of first-level subdirectories which will be created under the 'Directory'. The default is 16.
'L2' is the number of second-level subdirectories which will be created under each first-level directory. The default is 256.

By default, the cache_dir line may be commented out.

  • /var/spool/squid – the directory Squid uses as its on-disk cache (swap) for fetched web objects
  • 100 – the amount of disk space, in MB, to use for the cache directory
  • 16 – the number of first-level subdirectories created in the cache directory
  • 256 – the number of second-level subdirectories created under each first-level directory

Next you need to consider how much disk space you wish to allow for caching. For example, let's say we wish to allocate 3 GB of space to the Squid cache. We would use the following directive:

cache_dir ufs /var/spool/squid 3000 16 256

This will allocate 3GB of disk space to your squid cache directory. Save the file and exit.

Then make sure Squid is fully stopped:

service squid stop

Run the following command to recreate the Squid cache directory:

squid -z

then

service squid restart

Make Squid go direct for some sites :: always_direct

The always_direct access list tells Squid which requests must be fetched directly from the origin server.

For example, if you want Squid to connect directly to hotmail.com servers (or, as in the lines below, to a set of your own domains), you can use these lines in your config file:

acl linuxgateway dstdomain .linuxgateway.in .kvit.in .linuxsolutions.org.in
always_direct allow linuxgateway

Clear the Squid proxy cache directory and re-create it

You can delete/clear the cache and re-create the cache directories on a server using the following procedure:

# service squid stop
# cd /var/spool/squid
# rm -rf *
# squid -z
# service squid restart

Testing configuration file :: squid.conf

We can use the -k parse option to test our configuration file. Now we are going to add a test line and see if Squid can catch the error.

  1. For example, let's add the following line to our squid.conf file:

unknown_directive 1234

  2. Now we'll run Squid with the -k parse option as follows:

squid -k parse

  3. As unknown_directive is not a valid directive for the Squid configuration file, we should get an error similar to the following:

2015/03/21 21:28:40| cache_cf.cc(346) squid.conf:945 unrecognized: ‘unknown_directive’

So, if we find an error within our configuration file, we can go back and fix the errors and then parse the configuration file again.

Setting the DNS name servers

By default, Squid picks up the name servers from the file /etc/resolv.conf. However, if we want to specify a list of different name servers, we can use the directive dns_nameservers.
Adding DNS name servers
A list of IP addresses can be passed to this directive or several IP addresses can be written on different lines like the following:

dns_nameservers 192.168.0.253 192.168.0.254
dns_nameservers 123.123.123.4


The previous configuration lines set the name servers to 192.168.0.253, 192.168.0.254 and 123.123.123.4. We added three DNS name servers to the Squid configuration file, which Squid will use to resolve the domain names in the requests received from clients.

Building a separate partition for Squid Cache

step1:

During the Linux install you can create a partition dedicated to your Squid cache. Just make a partition as /cache, like you make /boot, allot your /cache partition any size suited to your needs (for example 15 GB) and format it as an ext3 filesystem.

step2:

After your installation is complete, and you have installed Squid from sources or binaries or added it during install, just change the cache_dir tag to:

cache_dir ufs /cache 15000 35 256

step3:

Also don't forget to set permissions so that the squid user has access to the /cache partition:

# chown squid:squid /cache

Here squid is the Squid user name under the group squid. Remember the tags:

cache_effective_user squid
cache_effective_group squid

step4:

cache_dirs perform best on the ReiserFS filesystem. We will use a dedicated SSD for caching. As Squid creates many thousands of small and very small files, we'll set up ReiserFS to deal with that. ReiserFS is known for being fast with small files, very space efficient and stable. EXT3 is another fine blend; the default filesystem creation parameters are good for Squid, but watch out for the number of inodes: Squid cached objects are usually about 12-16 KB in size, so make sure you have enough.

Check whether the reiserfs module is available:

#   modprobe -l | grep reiserfs

If it is not present:

# wget ftp://rpmfind.net/linux/fedora/core/2/i386/os/Fedora/RPMS/reiserfs-utils-3.6.13-1.i386.rpm
# rpm -ivh reiserfs-utils-3.6.13-1.i386.rpm

or

# yum install reiserfsprogs

Step5:

# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/hdc2 9.7G 8.8G 409M 96% /
/dev/hdc1 788M 23M 725M 4% /boot
none 125M 0 25M 0% /dev/shm
/dev/hdc6 3.9G 1.8G 1.9G 49% /home
/dev/hdc8 487M 11M 51M 3% /tmp
/dev/hdc5 4.9G 3.0G 1.6G 66% /usr/local
/dev/hdc7 2.0G 480M 1.4G 26% /var
/dev/hdc3 15G 1.5G 14G 10% /cache

——————————————————–

# umount /cache

# mkreiserfs /dev/hdc3

—————————————-

Add the following line to /etc/fstab

/dev/hdc3     /cache    reiserfs    notail,noatime   0   0

#  mount -a

————————————————————————————-

Note: your cache location and filesystem or partition may be different from the above example, so make sure you double-check your filesystem location, partition name, etc.

Setting Maximum Download Size

Squid can be used to control the maximum downloadable file size. We want to restrict the maximum download size to 50 MB for the hosts 10.0.0.1 and 10.0.0.2. We have already created the ACL 'custom-denied-list' (not shown here) to isolate the traffic from these sources. Now we will use the same access list to restrict the download size.

# vim /etc/squid/squid.conf

reply_body_max_size 50 MB custom-denied-list

# squid -k reconfigure

Optimize a High-Performance Squid Proxy

When deployed correctly, the Squid Proxy Server can drastically reduce the load times and bandwidth usage for commonly accessed web pages. On a small scale, Squid is easy to configure and control, but as the server’s usage expands, it can become necessary to implement a few optimization techniques. With a few tweaks in the Squid server’s configuration files, you can optimize your Squid server for high-performance requirements.

  • Open your /etc/squid/squid.conf file on your Web server in a text editor. You will need to be root.
  • Change the “cache_mem” option from 8MB, the default, to 32MB. If your machine has memory available, raising this cache memory option can really improve performance. Some people will set this as high as 100MB or more.
  • Add the “half_closed_clients” option and set it to “off” in the configuration file. Change the “maximum_object_size” option to “1024KB” for minor improvements.
  • Specify your DNS nameservers using the "dns_nameservers" option. This is important since Squid gets held up when doing DNS lookups.
  • Add both the “cache_swap_low” and “cache_swap_high” options that help determine when Squid will begin to prune the cache. This is important for keeping the cache within reasonable, quickly-accessible limits.
  • Set the “memory_pools” option to “Off.” This allows Squid to release unused RAM on the server.

Upgrading a Web server’s hard drive to one with a higher speed, measured in RPMs, and adding memory can also speed up loading times.

CEO, KV IT-Solutions Pvt. Ltd. | vikas@kvit.in | 9810028374|
Linux Professional and an Industrial Trainer | 20 + years Experience in IT Industry

” We are born free, No Gate and Windows can snatch our freedom “
