BSD Guides :: Doing Stuff With FreeBSD, NetBSD, OpenBSD, & Mac OS X

Squid Proxy Server
Created: 12/05/2006


General Information

First posted on Overridersworld.

This document will describe how to get a Squid Proxy Server up and running for your LAN using FreeBSD and Squid.  The info on the configuration file is by no means comprehensive.  There is a lot that you might need to do differently, but I am running pretty much the same installation for around 100 users and it has served me very well so far in my situation. Also, I am not going into detail configuring the cache manager here.  Just plain Squid Proxy Caching for your LAN.

Requirements

  1. A freshly installed FreeBSD 6.1 RELEASE system.
  2. Updated ports tree.
  3. Your favorite text editor.

Installation

When installing the FreeBSD OS for use with Squid, I have used a partition layout like below:
512M    /
512M    /tmp
1024M   swap
5G      /var
15G     /usr
~58G    /squidcache
It would be better to run the cache off an extra disk.  It would be better to run it off a super high speed disk.  It would be even better to run the cache off multiple RAID configured fast SCSI disks.  All this would really add performance, but I had to work with what I had.
#
#		 cd /usr/ports/www/squid
make install clean
When installing Squid it will ask you to check a few options -- I checked SQUID_LARGEFILE additionally to what was checked by default.  I assume Squid is going to build and install correctly here.

Configuration

#
#		 cd /usr/local/etc/squid/
echo 'squid_enable="YES"' >> /etc/rc.conf

Note:  If there is no squid.conf file, copy ot over from the .default file
# cp squid.conf.default squid.conf

Now we need to configure the squid.conf file to suit our needs.  That file is really massive and a lot of configuration can be done.  Personally, I am living with just a few entries.

Open /usr/local/etc/squid/squid.conf as root and make sure that your config file contains these entries:
######CONFIG START
http_port 3128
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin ?
no_cache deny QUERY
cache_mem 8 MB
maximum_object_size 50960 KB
maximum_object_size_in_memory 16 KB
cache_dir diskd /squidcache/squid/cache 80000 16 256
cache_access_log /var/log/squid/access.log
cache_log none
cache_store_log none
pid_filename /var/run/squid.pid
hosts_file /etc/hosts
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 10080
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 8080 #also http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl blacklist dstdomain "/usr/local/etc/squid/blacklist.txt"
http_access deny blacklist
http_access allow manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
#change below 10.0.1.0/24 to what matches your LAN IP address space
acl our_networks src 10.0.1.0/24
http_access allow our_networks
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow all
cache_mgr you@somedomain.com
cache_effective_user squid
visible_hostname proxy.yourdomain.com
cachemgr_passwd secret all
coredump_dir /squidcache/coredump
######CONFIG END

At this point, save the changes you made to the squid.conf file.  Then, create the directories we have defined in our squid.conf file
#
#
#
#
#
#
#
#
#
#
#
#
#
#		 mkdir /squidcache/squid
mkdir /squidcache/coredump/
mkdir /squidcache/coredump/cache
mkdir /var/log/squid
touch /usr/local/etc/squid/blacklist.txt
touch /var/run/squid.pid
echo '.123.com' >> /usr/local/etc/squid/blacklist.txt
chown -R squid:squid /usr/local/etc/squid/blacklist.txt
chown -R squid:squid /var/log/squid
chown -R squid:squid /var/run/squid.pid
chown -R squid:squid /squidcache

squid -z #needed once to create the cache directories
reboot #to reboot the machine
If everything has started up the way it should, you should now be able to point any browser (from within your LAN) to proxy.yourdomain.com:3128, and surf away.  You can take a peek at the access.log file by opening a second terminal and running the following as root:
# tail -f /var/log/squid/access.log

Note:  Remember you set hosts_file /etc/hosts in the squid.conf file?  Go and read this and fill your /etc/hosts with all types of ad-ware and spam-ware sites pointing to localhost.  This will really save some bandwidth as squid will block all kinds of bad stuff for your Users.

We also setup a simple acl entry to deny access to domains listed in /usr/local/squid/blacklist.txt.  The blacklist.txt file takes one domain per line.  After adding a domain to that file such as .microsoft.com, everybody will be denied access to .microsoft.com.  Of course you can get way more complicated than that, but for me it was enough until now.  I used to use a redirector called squid guard for a while, but it seems that project is no longer maintained and it's successor is commercial software.  You can test the acl entry by trying to point your browser to www.123.com.  You should get an access denied message from squid as we added .123.com into the blacklist.txt file.  After making changes to any configuration file, you must make squid reread its config files using
# squid -k reconfigure
One last thing:  After a few months of using the above installation, one morning I found squid core dumping on me under heavy load.  I saw numerous entries in dmesg like the following:
Aug 25 10:14:02 hugin kernel: pid 672 (squid), uid 100: exited on signal 6 (core dumped)
Aug 25 10:14:02 hugin squid[438]: Squid Parent: child process 672 exited due to signal 6
I added the following entries to /boot/loader.conf to correct the problem:
kern.ipc.msgmnb=8192
kern.ipc.msgmni=40
kern.ipc.msgseg=512
kern.ipc.msgssz=64
kern.ipc.msgtql=2048
After adding those, reboot the server, and everything should be just fine even under more heavy loads.

By now you should have a fully functional proxy server.  It is kind of cool to know what it is doing, so I installed Apache and Webalizer as well.

If you spot mistakes, or if you have good suggestions to the above config-file, please write me, or post the change in the comments.  I will then update the text accordingly.

Author: overrider