Squid Proxy Server

General Information

First posted on Overridersworld.

This document will describe how to get a Squid Proxy Server up and running for your LAN using FreeBSD and Squid. The info on the configuration file is by no means comprehensive. adidas zx flux asics gel pas cher chaussures timberland pas cher There is a lot that you might need to do differently, but I am running pretty much the same installation for around 100 users and it has served me very well so far in my situation. Also, I am not going into detail configuring the cache manager here. ugg pour homme pas cher Just plain Squid Proxy Caching for your LAN.


Requirements

  1. A freshly installed FreeBSD 6.1 RELEASE system.
  2. Updated ports tree.
  3. Your favorite text editor.

Installation

When installing the FreeBSD OS for use with Squid, I have used a partition layout like below:

 512M / 512M /tmp 1024M swap 5G /var 15G /usr ~58G /squidcache 

It would be better to run the cache off an extra disk. timberland discount It would be better to run it off a super high speed disk. nike air huarache It would be even better to run the cache off multiple RAID configured fast SCSI disks. new balance pas cher timberland homme All this would really add performance, but I had to work with what I had.

 # cd /usr/ports/www/squid # make install clean 

When installing Squid it will ask you to check a few options — I checked SQUID_LARGEFILE additionally to what was checked by default. adidas ultra boost I assume Squid is going to build and install correctly here.

Configuration

 # cd /usr/local/etc/squid/ # echo 'squid_enable="YES"' >> /etc/rc.conf 

Note: If there is no squid.conf file, copy ot over from the .default file
 # cp squid.conf.default squid.conf 

Now we need to configure the squid.conf file to suit our needs. That file is really massive and a lot of configuration can be done. asics gel pas cher adidas chaussures pas cher Personally, I am living with just a few entries.

Open /usr/local/etc/squid/squid.conf as root and make sure that your config file contains these entries:

 ######CONFIG START http_port 3128 hierarchy_stoplist cgi-bin ? acl QUERY urlpath_regex cgi-bin ? no_cache deny QUERY cache_mem 8 MB maximum_object_size 50960 KB maximum_object_size_in_memory 16 KB cache_dir diskd /squidcache/squid/cache 80000 16 256 cache_access_log /var/log/squid/access.log cache_log none cache_store_log none pid_filename /var/run/squid.pid hosts_file /etc/hosts auth_param basic children 5 auth_param basic realm Squid proxy-caching web server auth_param basic credentialsttl 2 hours auth_param basic casesensitive off refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern . nike air max 90 ugg soldes 0 20% 10080 acl all src 0.0.0.0/0.0.0.0 acl manager proto cache_object acl localhost src 127.0.0.1/255.255.255.255 acl to_localhost dst 127.0.0.0/8 acl SSL_ports port 443 563 acl Safe_ports port 80 # http acl Safe_ports port 8080 #also http acl Safe_ports port 21 # ftp acl Safe_ports port 443 563 # https, snews acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl CONNECT method CONNECT acl blacklist dstdomain "/usr/local/etc/squid/blacklist.txt" http_access deny blacklist http_access allow manager http_access deny !Safe_ports http_access deny CONNECT !SSL_ports #change below 10.0.1.0/24 to what matches your LAN IP address space acl our_networks src 10.0.1.0/24 http_access allow our_networks http_access allow localhost http_access deny all http_reply_access allow all icp_access allow all cache_mgr you@somedomain.com cache_effective_user squid visible_hostname proxy.yourdomain.com cachemgr_passwd secret all coredump_dir /squidcache/coredump ######CONFIG END 

At this point, save the changes you made to the squid.conf file. asics gel lyte bns gold Then, create the directories we have defined in our squid.conf file

 # mkdir /squidcache/squid # mkdir /squidcache/coredump/ # mkdir /squidcache/coredump/cache # mkdir /var/log/squid # touch /usr/local/etc/squid/blacklist.txt # touch /var/run/squid.pid # echo '.123.com' >> /usr/local/etc/squid/blacklist.txt # chown -R squid:squid /usr/local/etc/squid/blacklist.txt # chown -R squid:squid /var/log/squid # chown -R squid:squid /var/run/squid.pid # chown -R squid:squid /squidcache squid -z #needed once to create the cache directories reboot #to reboot the machine 

If everything has started up the way it should, you should now be able to point any browser (from within your LAN) to proxy.yourdomain.com:3128, and surf away. You can take a peek at the access.log file by opening a second terminal and running the following as root:

 # tail -f /var/log/squid/access.log 

Note: Remember you set hosts_file /etc/hosts in the squid.conf file? Go and read this and fill your /etc/hosts with all types of ad-ware and spam-ware sites pointing to localhost. This will really save some bandwidth as squid will block all kinds of bad stuff for your Users.

We also setup a simple acl entry to deny access to domains listed in /usr/local/squid/blacklist.txt. new balance soldes nike air max tn The blacklist.txt file takes one domain per line. nike air max 90 femme After adding a domain to that file such as .microsoft.com, everybody will be denied access to .microsoft.com. nike air max thea asics gel lyte v Of course you can get way more complicated than that, but for me it was enough until now. I used to use a redirector called squid guard for a while, but it seems that project is no longer maintained and it’s successor is commercial software. asics france nike air max 95 adidas messi blade and soul gold ugg bottes You can test the acl entry by trying to point your browser to www.123.com. nike air max tn soldes You should get an access denied message from squid as we added .123.com into the blacklist.txt file. nike sb After making changes to any configuration file, you must make squid reread its config files using

 # squid -k reconfigure 

One last thing: After a few months of using the above installation, one morning I found squid core dumping on me under heavy load. timberland soldes hommes I saw numerous entries in dmesg like the following:

 Aug 25 10:14:02 hugin kernel: pid 672 (squid), uid 100: exited on signal 6 (core dumped) Aug 25 10:14:02 hugin squid[438]: Squid Parent: child process 672 exited due to signal 6 

I added the following entries to /boot/loader.conf to correct the problem:

 kern.ipc.msgmnb=8192 kern.ipc.msgmni=40 kern.ipc.msgseg=512 kern.ipc.msgssz=64 kern.ipc.msgtql=2048 

After adding those, reboot the server, and everything should be just fine even under more heavy loads.

By now you should have a fully functional proxy server. ffxiv gold adidas ace bottes timberland nike free run It is kind of cool to know what it is doing, so I installed Apache and Webalizer as well.

If you spot mistakes, or if you have good suggestions to the above config-file, please write me, or post the change in the comments.

Speak Your Mind

*