KfWiki: Squid web cache and proxy

Squid web cache and proxy

Read: Squid-2.6 configuration manual http://www.visolve.com/squid/squid26/contents.php

Squid-3.0

Install on Ubuntu-9.10 - yea I hate IPv6, or any other half-ass bullshit.

./configure --with-aio --with-openssl=/usr --with-large-files \
--enable-stacktraces --enable-linux-netfilter --enable-ssl \
--enable-kill-parent-hack --enable-delay-pools \
--enable-storeio=ufs,aufs --enable-icmp \
--sysconfdir=/etc/squid3 --localstatedir=/var --disable-ipv6

Squid2.7

My install on FreeBSD:

./configure \
--localstatedir=/var \
--sysconfdir=/etc/squid \
--enable-icmp \
--enable-ssl \
--enable-large-cache-files \
--enable-storeio=ufs,aufs

Squid Redhat init script

#!/bin/bash
### BEGIN INIT INFO
# Provides: squid
# chkconfig: - 90 25
# pidfile: /var/run/squid.pid
# config: /etc/squid/squid.conf
# Short-Description: starting and stopping Squid Internet Object Cache
# Description: Squid - Internet Object Cache. Internet object caching is \
#       a way to store requested Internet objects (i.e., data available \
#       via the HTTP, FTP, and gopher protocols) on a system closer to the \
#       requesting site than to the source. Web browsers can then use the \
#       local Squid cache as a proxy HTTP server, reducing access time as \
#       well as bandwidth consumption.
### END INIT INFO

PATH=/usr/bin:/sbin:/bin:/usr/sbin
export PATH

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

if [ -f /etc/sysconfig/squid ]; then
	. /etc/sysconfig/squid
fi

# don't raise an error if the config file is incomplete
# set defaults instead:
SQUID_OPTS=${SQUID_OPTS:-"-D"}
SQUID_PIDFILE_TIMEOUT=${SQUID_PIDFILE_TIMEOUT:-20}
SQUID_SHUTDOWN_TIMEOUT=${SQUID_SHUTDOWN_TIMEOUT:-100}

# determine the name of the squid binary
[ -f /usr/sbin/squid ] && SQUID=squid

if [ "$1" == "status" ]; then
	[ -z "$SQUID" ] && exit 4
else
	[ -z "$SQUID" ] && exit 1
fi

prog="$SQUID"

# determine which one is the cache_swap directory
CACHE_SWAP=`sed -e 's/#.*//g' /etc/squid/squid.conf | \
	grep cache_dir | awk '{ print $3 }'`
[ -z "$CACHE_SWAP" ] && CACHE_SWAP=/var/spool/squid

RETVAL=0

probe() {
	# Check that networking is up.
	[ ${NETWORKING} = "no" ] && exit 1

# check if the squid conf file is present
	[ -f /etc/squid/squid.conf ] || exit 6
}

start() {
	probe

$SQUID -k parse
	RETVAL=$?
	if [ $RETVAL -ne 0 ]; then
		echo -n $"Starting $prog: "
		echo_failure
		echo
		return 1
	fi
	for adir in $CACHE_SWAP; do
		if [ ! -d $adir/00 ]; then
			echo -n "init_cache_dir $adir... "
			$SQUID -z -F -D >> /var/log/squid/squid.out 2>&1
		fi
	done
	echo -n $"Starting $prog: "
	$SQUID $SQUID_OPTS >> /var/log/squid/squid.out 2>&1
	RETVAL=$?
	if [ $RETVAL -eq 0 ]; then
		timeout=0;
		while : ; do
			[ ! -f /var/run/squid.pid ] || break
			if [ $timeout -ge $SQUID_PIDFILE_TIMEOUT ]; then
				RETVAL=1
				break
			fi
			sleep 1 && echo -n "."
			timeout=$((timeout+1))
		done
	fi
	[ $RETVAL -eq 0 ] && touch /var/lock/subsys/$SQUID
	[ $RETVAL -eq 0 ] && echo_success
	[ $RETVAL -ne 0 ] && echo_failure
	echo
	return $RETVAL
}

stop() {
	echo -n $"Stopping $prog: "
	$SQUID -k check >> /var/log/squid/squid.out 2>&1
	RETVAL=$?
	if [ $RETVAL -eq 0 ] ; then
		$SQUID -k shutdown &
		rm -f /var/lock/subsys/$SQUID
		timeout=0
		while : ; do
			[ -f /var/run/squid.pid ] || break
			if [ $timeout -ge $SQUID_SHUTDOWN_TIMEOUT ]; then
				echo
				return 1
			fi
			sleep 2 && echo -n "."
			timeout=$((timeout+2))
		done
		echo_success
		echo
	else
		echo_failure
		echo
	fi
	return $RETVAL
}

reload() {
	$SQUID $SQUID_OPTS -k reconfigure
}

restart() {
	stop
	start
}

condrestart() {
	[ -e /var/lock/subsys/squid ] && restart || :
}

rhstatus() {
	status $SQUID && $SQUID -k check
}

case "$1" in
start)
	start
	;;

stop)
	stop
	;;

reload)
	reload
	;;

restart)
	restart
	;;

condrestart)
	condrestart
	;;

status)
	rhstatus
	;;

probe)
	probe
		return 0
	;;

*)
	echo $"Usage: $0 {start|stop|status|reload|restart|condrestart|probe}"
	exit 2
esac

exit $?

Squid logs in UTC

Easy.

convert_utc.pl

#! /usr/bin/perl -p

s/^\d+\.\d+/localtime $&/e;

Setting up squid-2.6 as reverse proxy

I'm not gonna bore you with the details. Just add these in additional to the stock config file.

http_port SQUID_EXTERNAL_IP:80 vhost vport

cache_peer REAL_WEB_IP parent 80 0 originserver default

httpd_accel_uses_host_header  on

acl valid_dst dstdomain .accelerated.com

http_access allow valid_dst

http_access deny all

Setting up Squid 2.4/2.5 as reversed proxy

Edit your squid.conf with the followings:
Some basic tuning

cache_mem 256 MB

minimum_object_size 0 KB

maximum_object_size 2048 KB

maximum_object_size_in_memory 128 KB

ident_timeout 1 seconds

cache_dir aufs /var/spool/squid 1024 16 256 #1G cache, 16 level1, 256 level2

buffered_logs on

redirect_rewrites_host_header off

emulate_httpd_log on

Reverse-proxy (accelerator) settings

# Squid 2.5 reverse proxy settings

http_port 1.2.3.4:80

httpd_accel_host 10.1.1.1

httpd_accel_port 80

httpd_accel_single_host on

httpd_accel_with_proxy on

httpd_accel_uses_host_header on

Now edit the ACL so access is granted

# ACL settings

acl all src 0.0.0.0/0.0.0.0

acl manager proto cache_object

acl localhost src 127.0.0.1/255.255.255.255

acl to_local dst 10.1.1.0/255.255.255.0

acl to_web dst 1.2.3.4/255.255.255.255

acl safe_ports port 80

acl SSL_ports port 443

acl CONNECT method CONNECT

http_access allow manager localhost

http_access deny !safe_ports

http_access deny CONNECT !SSL_ports

http_access allow localhost

http_access allow to_local

http_access allow to_web

http_access deny all

URL filter

acl allowed_url url_regex ^.*/photos/.*

acl allowed_url url_regex ^.*/jacked/.*

http_access allow allowed_url 

http_access deny all

Now change your web server to listen on 127.0.0.1:80, start your web server and squid!

Squid URL acl

Set up the acl the http_access list

acl whitelist_domains dstdomain "/etc/squid/whitelist.domains"
acl blacklist_domains dstdomain "/etc/squid/blacklist.domains"
http_access deny blacklist_domains
http_access allow trusted_net whitelist_domains

Then create the .domains files

.blah.com
.foo.com

Squid authentication (for forward proxies)

From squid's source

cd helpers/basic_auth/NCSA/
make
make install

Then add these into squid.conf

auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm My Proxy Server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive on

acl authusers proxy_auth REQUIRED
http_access allow authusers
http_access deny all

tcp_outgoing_address 1.2.3.4 # if you want to mask your outgoing address

Then just create the passwd file with htpasswd

cache_peer

One can configure squid to pass request to another squid based on the dst domain:

# define cache_peer
cache_peer 10.8.0.6	parent 3128 3130 proxy-only name=xxx-squid

# define list of domains
acl dp-domains dstdomain .xxx.net
acl dp-domains dstdomain .xxx.com

# tell squid to use xxx-squid for xxx-domains
cache_peer_access xxx-squid allow xxx-domains

# Stop squid from trying to DIRECT ssl requests for xxx-domains
never_direct allow xxx-domains

Reference:
http://www.midgard-project.org/documentation/setting-up-squid-reverse-proxy/#82a98852b0640fad5d6810758b8d5c3f
http://squid.visolve.com/

KfWiki : Squid