squid

Upload: aman-ullah

Post on 16-Oct-2015


Squid Configuration


    Chapter 9 Squid Proxy Server

    9.1 Squid

    Squid is a full-featured web proxy cache server application which provides proxy and cache services for Hyper Text Transport Protocol (HTTP), File Transfer Protocol (FTP), and other popular network protocols. Squid can implement caching and proxying of Secure Sockets Layer (SSL) requests and caching of Domain Name Server (DNS) lookups, and perform transparent caching. Squid also supports a wide variety of caching protocols, such as Internet Cache Protocol (ICP), the Hyper Text Caching Protocol (HTCP), the Cache Array Routing Protocol (CARP), and the Web Cache Coordination Protocol (WCCP).

    The Squid proxy cache server is an excellent solution to a variety of proxy and caching server needs, and scales from the branch office to enterprise level networks while providing extensive, granular access control mechanisms and monitoring of critical parameters via the Simple Network Management Protocol (SNMP). When selecting a computer system for use as a dedicated Squid proxy or caching server, ensure your system is configured with a large amount of physical memory, as Squid maintains an in-memory cache for increased performance.

    Details of Squid can be found at http://www.squid-cache.org/.

    9.2 Installation and Configuration

    9.2.1 Installation

    At a terminal prompt, enter the following command to install the Squid server:

    sudo apt-get install squid3

    9.2.2 Configuration

    The complete configuration file is found at /etc/squid3/squid.conf. However, since the Squid configuration file has over 4960 lines, it is not the easiest to work with. A basic configuration of Squid only needs one modification if you are using private networks. Squid is configured by editing the directives contained within the /etc/squid3/squid.conf configuration file. The following examples illustrate some of the directives which may be modified to affect the behavior of the Squid server.

    Naming the Proxy

    It's important that Squid knows the name of the machine. To do this, locate the line visible_hostname. For example, if the machine is called iaclsasc, insert:

    visible_hostname iaclsasc

    Choosing the Port

    By default, the proxy server will use port 3128. To choose another port, locate the line:

    http_port 3128

    and change the port number, for example:

    http_port 3177

    Choosing the Interface

    By default the proxy server will listen on all interfaces. For security reasons, it's better to bind it to your local network only. For example, if the network card connected to your LAN has IP 10.0.0.1, change the line to:

    http_port 10.0.0.1:3177

    Setting Access Rights and Priorities

    Prior to editing the configuration file, you should make a copy of the original file and protect it from writing so you will have the original settings as a reference, and to re-use as necessary. Copy the /etc/squid3/squid.conf file and protect it from writing with the following commands entered at a terminal prompt:

    sudo cp /etc/squid3/squid.conf /etc/squid3/squid.conf.original
    sudo chmod a-w /etc/squid3/squid.conf.original

    By default, nobody is allowed to connect to the proxy server (only from your machine itself). A list of permissions must be created. Squid can be configured to allow/disallow hosts based on certain rules. This is called an ACL (Access Control List). An http_access rule is a space-separated collection of ACLs, and the rule matches only when all of the ACLs it lists match (a logical AND). Squid matches each Web access request it receives by checking the http_access list from top to bottom. If it finds a match, it enforces the allow or deny statement and stops reading further. You have to be careful not to place a deny statement in the list that blocks a similar allow statement below it. The final http_access statement denies everything, so it is best to place new http_access statements above it.

    Allow all hosts:

    http_access allow all

    Deny all hosts:

    http_access deny all

    For example, we will define a group encompassing the local network. Find the line beginning with acl localhost ... and, at the end of that section, add:

    acl lanhome src 10.0.0.0/8

    Now that the group is defined, we will authorize it to use the proxy. Locate the line http_access allow ... and add below it (before the line http_access deny all):

    http_access allow lanhome

    Changing where to Store the Cache Files

    Do a search for cache_dir ufs. You will find a line similar to this:

    cache_dir ufs /var/spool/squid3 10000 16 256

    In my example the first part is the squid filesystem type and location. 10000 is the storage in MBytes; the default is 100. 16 and 256 are the number of Level 1 and Level 2 directories.

    9.3 Restart Squid

    Restart the proxy to apply the modifications you made:

    sudo /etc/init.d/squid3 restart

    Or, go for the quicker method:

    sudo /etc/init.d/squid3 reload

    9.4 Important Locations

    Once you install Squid, you will need to be familiar with these locations that are important for Squid:

    /etc/squid                config directory
    /etc/squid3/squid.conf    squid configuration file
    /usr/share/doc/squid      documentation and examples
    /usr/lib/squid            support files
    /usr/sbin/squid           squid daemon
    /var/log/squid3           log directory
    /var/spool/squid3         cache directory

    9.5 Further Configurations

    9.5.1 Restricting Web Access by Time

    You can create access control lists with time parameters. For example, you can allow only business-hour access from the home network, while always restricting access to host 192.168.1.23.

    #
    # Add this to the bottom of the ACL section of squid.conf
    #
    acl home_network src 192.168.1.0/24
    acl business_hours time M T W H F 9:00-17:00
    acl RestrictedHost src 192.168.1.23

    #
    # Add this at the top of the http_access section of squid.conf
    #
    http_access deny RestrictedHost
    http_access allow home_network business_hours

    Or, you can allow morning access only:

    #
    # Add this to the bottom of the ACL section of squid.conf
    #
    acl mornings time 08:00-12:00

    #
    # Add this at the top of the http_access section of squid.conf
    #
    http_access allow mornings home_network business_hours

    Here S - Sunday, M - Monday, T - Tuesday, W - Wednesday, H - Thursday, F - Friday, A - Saturday.

    9.5.2 Restricting Access to Specific Web Sites

    Squid is also capable of reading files containing lists of web sites and/or domains for use in ACLs. To deploy the web-site blocking mechanism in Squid, add the following entries to your Squid configuration file:

    acl bad url_regex "/usr/local/etc/squid3/squid-block.acl"
    http_access deny bad

    The file /usr/local/etc/squid3/squid-block.acl contains web sites or words you want to block. You can name the file whatever you like. If a site has the URL or word listed in the squid-block.acl file, it won't be accessible to your users. The entries can be like this:

    .noentry.com
    .badboy.com.br
    ugly

    With the squid-block.acl file in action, internet users cannot access the following sites:

    Sites that have addresses ending with .noentry.com
    Sites that have addresses ending with .badboy.com.br
    Sites whose URL contains the word ugly

    You should beware that by blocking sites containing the word sex, you will also block sites which have the word anywhere in their URL. To resolve this problem, you can put those sites in a special file called squid-noblock.acl:

    http://www.middlesex.ac.uk
    http://www.sussex.ac.uk
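    To see how the top-to-bottom, first-match rule from 9.2.2, the time ACLs from 9.5.1 and the block/noblock lists from 9.5.2 interact, here is an added Python model of Squid's http_access evaluation (example code written for this page, not Squid's own code or part of the original document). The block and noblock patterns and the sample requests are constructed; the noblock file is assumed to be wired in as an ACL named good whose allow line is placed above the deny for bad.

```python
import ipaddress
import re
from datetime import datetime

DAY_CODES = "MTWHFAS"  # Squid day letters indexed by Python weekday(): Mon=M ... Sat=A, Sun=S

def acl_src(cidrs):  # acl NAME src a.b.c.d/n ...
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    return lambda req: any(ipaddress.ip_address(req["src"]) in n for n in nets)

def acl_time(spec):  # acl NAME time [day letters] h1:m1-h2:m2
    parts = spec.split()
    days = {p for p in parts[:-1] if p in DAY_CODES}
    (h1, m1), (h2, m2) = (map(int, t.split(":")) for t in parts[-1].split("-"))
    def match(req):
        when = req["time"]
        if days and DAY_CODES[when.weekday()] not in days:
            return False
        return h1 * 60 + m1 <= when.hour * 60 + when.minute < h2 * 60 + m2
    return match

def acl_url_regex(patterns):  # acl NAME url_regex "file": one regex per line, matched against the URL
    regs = [re.compile(p) for p in patterns]
    return lambda req: any(r.search(req["url"]) for r in regs)

def http_access(rules, acls, req):
    # Top to bottom; a line matches only when ALL its ACLs match; the first match decides.
    for action, names in rules:
        if all(acls[n](req) for n in names):
            return action
    return "deny"  # nothing matched: Squid denies

ACLS = {
    "all": lambda req: True,
    "home_network": acl_src(["192.168.1.0/24"]),
    "business_hours": acl_time("M T W H F 9:00-17:00"),
    "RestrictedHost": acl_src(["192.168.1.23"]),
    # constructed stand-ins for the contents of squid-block.acl and squid-noblock.acl
    "bad": acl_url_regex([".noentry.com", ".badboy.com.br", "sex"]),
    "good": acl_url_regex(["http://www.middlesex.ac.uk", "http://www.sussex.ac.uk"]),
}
RULES = [  # the deny for RestrictedHost and the allow for good must sit above the lines they override
    ("deny", ["RestrictedHost"]),
    ("allow", ["good", "home_network"]),
    ("deny", ["bad"]),
    ("allow", ["home_network", "business_hours"]),
    ("deny", ["all"]),
]

def decide(src, url, when, rules=RULES):  # when: "YYYY-MM-DD HH:MM" (constructed sample input)
    return http_access(rules, ACLS, {"src": src, "url": url, "time": datetime.strptime(when, "%Y-%m-%d %H:%M")})
```

    Passing a rule list with the allow line above the RestrictedHost deny shows the ordering pitfall the text warns about: the restricted host is then allowed during business hours.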

    9.5.3 Squid Transparent Proxy Configuration

    It is possible to limit HTTP Internet access to only the Squid server without having to modify the browser settings on your client PCs. This is called a transparent proxy configuration. It is usually achieved by configuring a firewall between the client PCs and the Internet to redirect all HTTP (TCP port 80) traffic to the Squid server on TCP port 3128, which is the Squid server's default TCP port.

    Your first step will be to modify your squid.conf to create a transparent proxy. Squid simply requires you to add the word transparent to the default http_port 3128 statement. In this example, Squid not only listens on TCP port 3128 for proxy connections, but will also do so in transparent mode.

    http_port 3128 transparent

    9.6 Cache Hierarchies

    Squid is particularly good at communicating with other caches and proxies. Numerous inter-cache communication protocols are supported, including ICP (Inter-Cache Protocol), Cache-Digests, HTCP (Hyper-Text Cache Protocol) and CARP (Cache Array Routing Protocol). Each of these protocols has specific strengths and weaknesses; they are more suited to some circumstances than others.

    9.6.1 Why Peer?

    The primary function of an inter-cache protocol is to stop object duplication, increasing hit rates. If you have a large network with widely separated caches, you may wish to store objects in each cache even if one of your other caches has it: by keeping objects close to your users, you reduce their network latency (even if you end up wasting disk space in the process).

    Inter-branch traffic can be reduced by placing a cache at each branch. Since caches can avoid duplicating objects between them, each disk you add to a cache adds space to the overall hierarchy, increasing your hierarchy hit-rate. This is a lot better than simply having caches at branches which do not communicate with one another, since with that setup you end up with multiple copies of each cache object, one per server. Clients can also be configured to query another branch's cache if their local one goes down, adding redundancy.

    If overloaded, a central cache machine can become a network bottleneck. Unlike one cache machine, caches in a hierarchy can be close to all parts of the network; they can also handle a much larger load (with a near-linear increase in performance with each added machine). Loaded caches can thus be replaced with clusters of low-load caches, without wasting disk space.

    Integrating your caches into a public cache hierarchy can increase your hit rate (since you increase your effective disk space by accessing other machines' object stores). By choosing peers carefully, you can reduce latency, or reduce costs by saving Internet bandwidth (if communicating with your peers is cheaper than going direct to the source). On the other hand, communicating with peers via a loaded (or high-latency) line can slow down your cache. It's best to check your peer response times periodically to check if the peering arrangement is beneficial.

    9.6.2 Peer Configuration

    You use the cache_peer option to configure the peers that Squid will communicate with. Other options are then used to select which peer to pass a request to.

    The cache_peer Option

    When communicating with a peer, Squid needs some basic information about how to talk to the machine: the hostname, what ports to send queries to, and so forth. The cache_peer config line does this. Let's look at an example line:

    The cache_peer option is split into five fields. The first field (cache.domain.example) is the hostname or IP of the cache that is to be queried. The second field indicates the type of relationship, and must be set to either parent or sibling or multicast. The third field sets the HTTP port of the destination server, while the fourth sets the ICP (UDP) query port. The fifth field can contain zero or more keywords, although we only use one in the example above; the keyword default specifies that the cache will be used as the default path to the outside world. If you compiled Squid to support HTCP, your cache will automatically attempt to connect to TCP port 4827 (there is currently no option to change this port value). Cache digests are transferred via the HTTP port specified on the cache_peer line.

    So in most cases, you need to enter something like this (one or all):

    cache_peer proxy.visolve.com parent 3128 3130 default
    cache_peer 172.16.1.57 parent 3128 3130 proxy-only
    cache_peer 172.16.1.123 sibling 3129 5500 weight=2