
Chapter 9

Squid Proxy Server


9.1 Squid

Squid is a full-featured web proxy cache server application which provides proxy and cache services for Hyper Text Transport Protocol (HTTP), File Transfer Protocol (FTP), and other popular network protocols. Squid can implement caching and proxying of Secure Sockets Layer (SSL) requests and caching of Domain Name Server (DNS) lookups, and perform transparent caching. Squid also supports a wide variety of caching protocols, such as Internet Cache Protocol (ICP), the Hyper Text Caching Protocol (HTCP), the Cache Array Routing Protocol (CARP), and the Web Cache Coordination Protocol (WCCP). The Squid proxy cache server is an excellent solution to a variety of proxy and caching server needs, and scales from the branch office to enterprise-level networks while providing extensive, granular access control mechanisms and monitoring of critical parameters via the Simple Network Management Protocol (SNMP). When selecting a computer system for use as a dedicated Squid proxy or caching server, ensure your system is configured with a large amount of physical memory, as Squid maintains an in-memory cache for increased performance. Details of Squid can be found at http://www.squid-cache.org/.

9.2 Installation and Configuration

9.2.1 Installation

At a terminal prompt, enter the following command to install the Squid server:

sudo apt-get install squid3

9.2.2 Configuration

The complete configuration file is found at /etc/squid3/squid.conf. However, since the Squid configuration file has over 4960 lines it is not the easiest to work with. A basic configuration of Squid only needs one modification, if you are using private networks. Squid is configured by editing the directives contained within the /etc/squid3/squid.conf configuration file. The following examples illustrate some of the directives which may be modified to affect the behavior of the Squid server.

Prior to editing the configuration file, you should make a copy of the original file and protect it from writing so you will have the original settings as a reference, and to re-use as necessary. Copy the /etc/squid3/squid.conf file and protect it from writing with the following commands entered at a terminal prompt:

sudo cp /etc/squid3/squid.conf /etc/squid3/squid.conf.original
sudo chmod a-w /etc/squid3/squid.conf.original

Naming the Proxy

It's important that Squid knows the name of the machine. To do this, locate the line visible_hostname. For example, if the machine is called iaclsasc, insert:

visible_hostname iaclsasc

Choosing the Port

By default, the proxy server will use port 3128. To choose another port, locate the line:

http_port 3128

and change the port number, for example:

http_port 3177

Choosing the Interface

By default the proxy server will listen on all interfaces. For security reasons, it's better to bind it to your local network only. For example, if the network card connected to your LAN has IP 10.0.0.1, change the line to:

http_port 10.0.0.1:3177

Setting Access Rights and Priorities

By default, nobody is allowed to connect to the proxy server (only from your machine itself). A list of permissions must be created. Squid can be configured to allow/disallow hosts based on certain rules. This is called an ACL (Access Control List). An ACL is a space-separated collection of rules. An ACL is a logical AND of the rules it contains. Squid matches each web access request it receives by checking the http_access list from top to bottom. If it finds a match, it enforces the allow or deny statement and stops reading further. You have to be careful not to place a deny statement in the list that blocks a similar allow statement below it. The final http_access statement denies everything, so it is best to place new http_access statements above it.

Allow all hosts:

http_access allow all

Deny all hosts:

http_access deny all

For example, we will define a group encompassing the local network. Find the line beginning with acl localhost... At the end of the section, add:

acl lanhome src 10.0.0.0/8

Now that the group is defined, we will authorize it to use the proxy. Locate the line http_access allow ... and add below it (before the line http_access deny all):

http_access allow lanhome

Changing where to Store the Cache Files

Do a search for cache_dir ufs. You will find a line similar to this:

cache_dir ufs /var/spool/squid3 10000 16 256

In my example the first part is the squid filesystem type and location. 10000 is the storage in MBytes; the default is 100. 16 and 256 are the number of Level 1 and Level 2 directories.

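The configuration procedure above (back up the original read-only, set visible_hostname, bind http_port to one address, define a src ACL and place its http_access allow above the final http_access deny all) as an added Python example; this is not code from the chapter or from the Squid project, which the chapter does with shell commands. The squid.conf fragment it edits is a constructed stand-in for the real file, and all function names are this example's own. The last check is the caveat the chapter gives: because Squid stops at the first matching http_access line, an allow that lands below deny all is dead.

```python
"""Safely edit a squid.conf the way section 9.2.2 describes (added example,
not the chapter's or Squid's own code): back up the original read-only, set
visible_hostname and the bound http_port, add a src ACL and an http_access
allow for it *above* the final "http_access deny all", then verify the order.
"""
import os
import re
import shutil
import stat
import tempfile

# Constructed stand-in for the relevant lines of /etc/squid3/squid.conf.
SAMPLE_SQUID_CONF = """\
acl localhost src 127.0.0.1/32
acl localnet src 192.168.0.0/16
acl SSL_ports port 443
http_access allow localhost
http_access deny all
http_port 3128
visible_hostname localhost
"""


def backup_read_only(conf_path):
    """The chapter's 'cp ... .original' and 'chmod a-w', done from Python."""
    backup = conf_path + ".original"
    shutil.copy2(conf_path, backup)
    mode = os.stat(backup).st_mode
    os.chmod(backup, mode & ~(stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH))
    return backup


def set_directive(lines, name, value):
    """Replace the first 'name ...' line with 'name value' (append if absent)."""
    pattern = re.compile(r"^\s*%s\b" % re.escape(name))
    for i, line in enumerate(lines):
        if pattern.match(line):
            lines[i] = "%s %s\n" % (name, value)
            return lines
    lines.append("%s %s\n" % (name, value))
    return lines


def add_lan_acl(lines, acl_name, cidr):
    """Append the acl after the last existing 'acl' line and insert the matching
    http_access allow directly above the first 'http_access deny all'."""
    last_acl = max(i for i, l in enumerate(lines) if l.startswith("acl "))
    lines.insert(last_acl + 1, "acl %s src %s\n" % (acl_name, cidr))
    deny_all = next(i for i, l in enumerate(lines)
                    if l.split() == ["http_access", "deny", "all"])
    lines.insert(deny_all, "http_access allow %s\n" % acl_name)
    return lines


def check_allow_not_shadowed(lines, acl_name):
    """True if no 'http_access deny all' precedes the allow for acl_name.
    Squid stops at the first matching http_access line, so a deny all placed
    above the allow would silently make the allow dead."""
    allow_idx = deny_idx = None
    for i, l in enumerate(lines):
        words = l.split()
        if words[:3] == ["http_access", "allow", acl_name] and allow_idx is None:
            allow_idx = i
        if words == ["http_access", "deny", "all"] and deny_idx is None:
            deny_idx = i
    return allow_idx is not None and (deny_idx is None or allow_idx < deny_idx)


def configure(conf_path, hostname, bind_ip, port, acl_name, cidr):
    """Apply the chapter's edits to conf_path and return the new file text."""
    backup_read_only(conf_path)
    with open(conf_path) as fh:
        lines = fh.readlines()
    set_directive(lines, "visible_hostname", hostname)
    set_directive(lines, "http_port", "%s:%d" % (bind_ip, port))
    add_lan_acl(lines, acl_name, cidr)
    if not check_allow_not_shadowed(lines, acl_name):
        raise ValueError("http_access allow %s sits below deny all" % acl_name)
    with open(conf_path, "w") as fh:
        fh.writelines(lines)
    return "".join(lines)


def demo():
    """Run the edit on the constructed sample in a temporary directory.
    Returns (new config text, whether the backup still has any write bit)."""
    tmp = tempfile.mkdtemp()
    conf = os.path.join(tmp, "squid.conf")
    with open(conf, "w") as fh:
        fh.write(SAMPLE_SQUID_CONF)
    text = configure(conf, "iaclsasc", "10.0.0.1", 3177, "lanhome", "10.0.0.0/8")
    backup_writable = bool(os.stat(conf + ".original").st_mode & 0o222)
    shutil.rmtree(tmp)
    return text, backup_writable


if __name__ == "__main__":
    print(demo()[0])
```

Running it prints the edited fragment with the new acl line after the existing ones, http_access allow lanhome directly above http_access deny all, http_port 10.0.0.1:3177 and visible_hostname iaclsasc; the backup is left without write permission. Pointing configure() at the real /etc/squid3/squid.conf needs root, as the chapter's sudo commands do.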

9.3 Restart Squid

Restart the proxy to apply the modifications you made:

sudo /etc/init.d/squid3 restart

Or, go for the quicker method:

sudo /etc/init.d/squid3 reload

9.4 Important Locations

Once you install Squid, you will need to be familiar with these locations that are important for Squid.

/etc/squid                config directory
/etc/squid3/squid.conf    squid configuration file
/usr/share/doc/squid      documentation and examples
/usr/lib/squid            support files
/usr/sbin/squid           squid daemon
/var/log/squid3           log directory
/var/spool/squid3         cache directory

9.5 Further Configurations

9.5.1 Restricting Web Access by Time

You can create access control lists with time parameters. For example, you can allow only business hour access from the home network, while always restricting access to host 192.168.1.23.

#
# Add this to the bottom of the ACL section of squid.conf
#
acl home_network src 192.168.1.0/24
acl business_hours time M T W H F 9:00-17:00
acl RestrictedHost src 192.168.1.23

#
# Add this at the top of the http_access section of squid.conf
#
http_access deny RestrictedHost
http_access allow home_network business_hours

Or, you can allow morning access only:

#
# Add this to the bottom of the ACL section of squid.conf
#
acl mornings time 08:00-12:00

#
# Add this at the top of the http_access section of squid.conf
#
http_access allow mornings home_network business_hours

Here S - Sunday, M - Monday, T - Tuesday, W - Wednesday, H - Thursday, F - Friday, A - Saturday.

9.5.2 Restricting Access to Specific Web Sites

Squid is also capable of reading files containing lists of web sites and/or domains for use in ACLs. To deploy the web-site blocking mechanism in Squid, add the following entries to your Squid configuration file:

acl bad url_regex "/usr/local/etc/squid3/squid-block.acl"
http_access deny bad

The file /usr/local/etc/squid3/squid-block.acl contains the web sites or words you want to block. You can name the file whatever you like. If a site has a URL or word listed in the squid-block.acl file, it won't be accessible to your users. The entries can be like this:

.noentry.com
.badboy.com.br
ugly

With the squid-block.acl file in action, internet users cannot access the following sites:

Sites that have addresses ending with .noentry.com
Sites that have addresses ending with .badboy.com.br
Sites containing the word ugly in their pages

Be aware that by blocking sites containing the word sex, you will also block sites which have that word anywhere in their pages. To resolve this problem, you can put those sites in a special file called squid-noblock.acl:

http://www.middlesex.ac.uk
http://www.sussex.ac.uk
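A small model of Squid's http_access evaluation, added here as an example (it is not Squid's code and does not talk to a running proxy) to make the rules in sections 9.2.2, 9.5.1 and 9.5.2 concrete: lines are tried top to bottom, a line matches only if every ACL named on it matches, the first matching line decides, and when nothing matches Squid applies the opposite of the last line's action. It supports the src, time and url_regex ACL types the chapter uses; url_regex is tested against the request URL, which is why a word like sex in squid-block.acl also catches www.sussex.ac.uk. The squid.conf fragment, list-file contents, addresses and URLs are constructed for this example, and the squid-noblock.acl exception is wired as an allow line placed above the deny, which the chapter mentions but does not show.

```python
"""Model of how Squid evaluates http_access lines (added example, not Squid's
own code): lines are tried top to bottom, a line matches only if every ACL on
it matches (a leading '!' negates one), the first match decides, and if no line
matches the result is the opposite of the last line's action. Covers the ACL
types from sections 9.2.2, 9.5.1 and 9.5.2: src, time and url_regex (which is
matched against the request URL). All data below is constructed."""
import ipaddress
import re
from datetime import datetime

# Day letters from section 9.5.1 mapped to datetime.weekday() (Monday == 0).
DAY_CODES = {"S": 6, "M": 0, "T": 1, "W": 2, "H": 3, "F": 4, "A": 5}


def to_minutes(hm):
    hours, minutes = hm.split(":")
    return int(hours) * 60 + int(minutes)


def parse_time_acl(words):
    """['M', 'T', 'W', 'H', 'F', '9:00-17:00'] -> (weekdays, start, end)."""
    days = {DAY_CODES[w] for w in words if w in DAY_CODES} or set(range(7))
    start, end = words[-1].split("-")
    return days, to_minutes(start), to_minutes(end)


def parse_acls(conf_lines, list_files):
    """Build {name: (type, data)} from 'acl NAME TYPE ARGS...' lines.
    list_files maps a quoted file path to that file's text, so the example
    does not read /usr/local/etc/squid3/squid-block.acl from disk."""
    acls = {"all": ("src", [ipaddress.ip_network("0.0.0.0/0")])}
    for line in conf_lines:
        words = line.split()
        if len(words) < 4 or words[0] != "acl":
            continue
        name, kind, args = words[1], words[2], words[3:]
        if args[0].startswith('"'):                 # values live in a file
            args = list_files[args[0].strip('"')].split()
        if kind == "src":
            data = [ipaddress.ip_network(a, strict=False) for a in args]
        elif kind == "time":
            data = parse_time_acl(args)
        elif kind == "url_regex":
            data = [re.compile(a) for a in args]
        else:
            raise ValueError("unsupported acl type: " + kind)
        if name in acls and kind != "time":        # repeated name: OR of values
            acls[name][1].extend(data)
        else:
            acls[name] = (kind, data)
    return acls


def acl_matches(acl, src_ip, url, when):
    kind, data = acl
    if kind == "src":
        return any(ipaddress.ip_address(src_ip) in net for net in data)
    if kind == "time":
        days, start, end = data
        return when.weekday() in days and start <= when.hour * 60 + when.minute <= end
    return any(rx.search(url) for rx in data)      # url_regex


def http_access(conf_lines, list_files, src_ip, url, when):
    """Return 'allow' or 'deny' for one request; first matching line wins."""
    acls = parse_acls(conf_lines, list_files)
    rules = [l.split() for l in conf_lines if l.startswith("http_access ")]
    for words in rules:
        action, names = words[1], words[2:]
        if all(acl_matches(acls[n.lstrip("!")], src_ip, url, when)
               != n.startswith("!") for n in names):
            return action
    last = rules[-1][1] if rules else "deny"
    return "deny" if last == "allow" else "allow"   # no match: opposite of last


# Constructed squid.conf fragment combining the chapter's examples; the noblock
# exception is an allow line placed above the deny for the block list.
CONF = """\
acl home_network src 192.168.1.0/24
acl business_hours time M T W H F 9:00-17:00
acl RestrictedHost src 192.168.1.23
acl bad url_regex "/usr/local/etc/squid3/squid-block.acl"
acl noblock url_regex "/usr/local/etc/squid3/squid-noblock.acl"
http_access deny RestrictedHost
http_access allow noblock home_network
http_access deny bad
http_access allow home_network business_hours
http_access deny all
""".splitlines()

LIST_FILES = {   # constructed contents of the two list files
    "/usr/local/etc/squid3/squid-block.acl": ".noentry.com\n.badboy.com.br\nugly\nsex\n",
    "/usr/local/etc/squid3/squid-noblock.acl":
        "http://www.middlesex.ac.uk\nhttp://www.sussex.ac.uk\n",
}

MONDAY_10 = datetime(2024, 1, 8, 10, 0)     # a Monday, inside business hours
SUNDAY_10 = datetime(2024, 1, 7, 10, 0)

if __name__ == "__main__":
    for ip, url, when in [("192.168.1.50", "http://www.example.com/", MONDAY_10),
                          ("192.168.1.50", "http://www.example.com/", SUNDAY_10),
                          ("192.168.1.23", "http://www.example.com/", MONDAY_10),
                          ("192.168.1.50", "http://www.sussex.ac.uk/", MONDAY_10)]:
        print(ip, url, when.strftime("%a %H:%M"), "->",
              http_access(CONF, LIST_FILES, ip, url, when))
```

Two things worth trying with it: move the http_access deny all line to the top of CONF and every request is denied, which is the ordering mistake the chapter warns about; and remove the deny all line so that a request matching nothing is decided by the opposite of whatever line is last, which is why the chapter recommends keeping an explicit deny all at the end.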


9.5.3 Squid Transparent Proxy Configuration

It is possible to limit HTTP Internet access to only the Squid server without having to modify the browser settings on your client PCs. This is called a transparent proxy configuration. It is usually achieved by configuring a firewall between the client PCs and the Internet to redirect all HTTP (TCP port 80) traffic to the Squid server on TCP port 3128, which is the Squid server's default TCP port. Your first step will be to modify your squid.conf to create a transparent proxy. Squid simply requires you to add the word transparent to the default http_port 3128 statement. In this example, Squid not only listens on TCP port 3128 for proxy connections, but will also do so in transparent mode.

http_port 3128 transparent

9.6 Cache Hierarchies

Squid is particularly good at communicating with other caches and proxies. Numerous inter-cache communication protocols are supported, including ICP (Inter-Cache Protocol), Cache-Digests, HTCP (Hyper-Text Cache Protocol) and CARP (Cache Array Routing Protocol). Each of these protocols has specific strengths and weaknesses; they are more suited to some circumstances than others.

9.6.1 Why Peer?

The primary function of an inter-cache protocol is to stop object duplication, increasing hit rates. If you have a large network with widely separated caches, you may wish to store objects in each cache even if one of your other caches has it: by keeping objects close to your users, you reduce their network latency (even if you end up wasting disk space in the process).

Inter-branch traffic can be reduced by placing a cache at each branch. Since caches can avoid duplicating objects between them, each disk you add to a cache adds space to the overall hierarchy, increasing your hierarchy hit-rate. This is a lot better than simply having caches at branches which do not communicate with one another, since with that setup you end up with multiple copies of each cache object, one per server. Clients can also be configured to query another branch's cache if their local one goes down, adding redundancy.

If overloaded, a central cache machine can become a network bottleneck. Unlike one cache machine, caches in a hierarchy can be close to all parts of the network; they can also handle a much larger load (with a near-linear increase in performance with each added machine). Loaded caches can thus be replaced with clusters of low-load caches, without wasting disk space.

Integrating your caches into a public cache hierarchy can increase your hit rate (since you increase your effective disk space by accessing other machines' object stores). By choosing peers carefully, you can reduce latency, or reduce costs by saving Internet bandwidth (if communicating with your peers is cheaper than going direct to the source). On the other hand, communicating with peers via a loaded (or high-latency) line can slow down your cache. It's best to check your peer response times periodically to see whether the peering arrangement is beneficial.


9.6.2 Peer Configuration

You use the cache_peer option to configure the peers that Squid will communicate with. Other options are then used to select which peer to pass a request to.

The cache_peer Option

When communicating with a peer, Squid needs some basic information about how to talk to the machine: the hostname, what ports to send queries to, and so forth. The cache_peer config line does this. Let's look at an example line:

The cache_peer option is split into five fields. The first field (cache.domain.example) is the hostname or IP of the cache that is to be queried. The second field indicates the type of relationship, and must be set to either parent, sibling or multicast. The third field sets the HTTP port of the destination server, while the fourth sets the ICP (UDP) query port. The fifth field can contain zero or more keywords, although we only use one in the example above; the keyword default sets that the cache will be used as the default path to the outside world. If you compiled Squid to support HTCP, your cache will automatically attempt to connect to TCP port 4827 (there is currently no option to change this port value). Cache digests are transferred via the HTTP port specified on the cache_peer line.

So in most cases, you need to enter something like this (one or all):

cache_peer proxy.visolve.com parent 3128 3130 default
cache_peer 172.16.1.57 parent 3128 3130 proxy-only
cache_peer 172.16.1.123 sibling 3129 5500 weight=2
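The five-field layout described above, turned into a small validator as an added example (not Squid's code and not from the chapter): it splits a cache_peer line into host, relationship type, HTTP port, ICP port and the trailing keyword options, rejects a type other than parent, sibling or multicast or a non-numeric port, and flags a configuration that marks more than one peer as default. The three lines it parses are the chapter's own; the function names are this example's.

```python
"""Parse cache_peer lines into the five fields described in section 9.6.2
(added example, not Squid's own code). Nothing here contacts a peer; it only
checks that the directive is well-formed before it goes into squid.conf."""

PEER_TYPES = {"parent", "sibling", "multicast"}


def parse_cache_peer(line):
    """'cache_peer HOST TYPE HTTP_PORT ICP_PORT [option...]' -> dict."""
    words = line.split()
    if len(words) < 5 or words[0] != "cache_peer":
        raise ValueError("not a complete cache_peer line: %r" % line)
    host, kind, http_port, icp_port = words[1:5]
    if kind not in PEER_TYPES:
        raise ValueError("peer type must be parent, sibling or multicast: " + kind)
    if not (http_port.isdigit() and icp_port.isdigit()):
        raise ValueError("ports must be numeric: %s %s" % (http_port, icp_port))
    options = {}
    for opt in words[5:]:                      # fifth field: zero or more keywords
        key, _, value = opt.partition("=")     # 'weight=2' -> ('weight', '2')
        options[key] = value if value else True
    return {"host": host, "type": kind, "http_port": int(http_port),
            "icp_port": int(icp_port), "options": options}


def parse_peers(conf_text):
    """Parse every cache_peer line in a config text; only one may be 'default'."""
    peers = [parse_cache_peer(l) for l in conf_text.splitlines()
             if l.strip().startswith("cache_peer")]
    defaults = [p["host"] for p in peers if p["options"].get("default")]
    if len(defaults) > 1:
        raise ValueError("more than one peer marked default: %s" % defaults)
    return peers


# The chapter's three example lines.
CHAPTER_EXAMPLES = """\
cache_peer proxy.visolve.com parent 3128 3130 default
cache_peer 172.16.1.57 parent 3128 3130 proxy-only
cache_peer 172.16.1.123 sibling 3129 5500 weight=2
"""

if __name__ == "__main__":
    for peer in parse_peers(CHAPTER_EXAMPLES):
        print(peer)
```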
