Squid Jon Larsen Omaha Linux User Group May 2nd, 2006
What is a proxy? proxy : the authority or power to act for another (source: Merriam-Webster Dictionary) A Web proxy provides a connection path for HTTP/HTTPS requests.
What is a cache? Cache : A hiding place esp. for preserving provisions (source: Merriam-Webster Dictionary) A cache stores objects from visited websites, such as images, PDF and HTML files.
What is Squid?
● Squid is a caching proxy
● Provides a single connection path for many client programs
● Can authenticate users to grant Internet access
● Provides time-of-day bandwidth allocation
● Monitors usage
● Restricts content
Installing Squid
● Generally, Squid is installed on the gateway/firewall box through which your internal LAN connects
● Can be installed using apt-get, yum or yast, or compiled from source
● Should be configured to run from init.d
● Requires a directory to store objects
Configuration
● The Squid configuration file is usually stored as /etc/squid/squid.conf
● On Fedora/CentOS/RedHat systems, the conf file is heavily annotated and self-explanatory
● Items normally changed on a new installation:
– http_port
– dns_nameservers
– cache_dir
– http_access
Configuration: http_port
By default, Squid listens on port
This can be changed, or multiple ports can be specified:
http_port 3128
http_port 8080
If you are on a firewall with multiple NICs, you may specify which IP address to listen on:
http_port :3128
Configuration: dns_nameservers
You can specify which DNS nameservers to use for your Squid proxy, overriding the system default.
dns_nameservers
Configuration: cache_dir
The cache_dir directive specifies the directory in which to place your cached objects, as well as the maximum cache size to use for them.
cache_dir ufs /var/spool/squid 100 16 256
Cache size will be 100MB, with 16 directories of 256 subdirectories each – change as you see fit.
Configuration: http_access
acl definitions and http_access rules control who can connect to the proxy. For simplicity, we will allow all clients to connect from our LAN.
http_access allow all
- or -
acl our_networks src /24
http_access allow our_networks
http_access allow localhost
http_access deny all
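The two variants on this slide differ in a way that matters: `http_access allow all` lets anyone who can reach the listening port relay traffic through the box, while the acl version admits only the LAN and localhost and ends with an explicit deny. The shell script below is an added example, not part of the original slides: it writes both variants to constructed temporary files (the LAN range 192.168.1.0/24 is a placeholder for whatever "our lan" is) and audits the http_access chain of any squid.conf, flagging an unconditional `allow all` and a chain that does not end in `deny all`.

```shell
#!/bin/sh
# Added example (not from the slides): audit the http_access chain in a squid.conf.
# Two constructed sample configs are written to temporary files; the LAN range
# 192.168.1.0/24 is a placeholder for your own network.

OPEN_CONF=$(mktemp)
SAFE_CONF=$(mktemp)
trap 'rm -f "$OPEN_CONF" "$SAFE_CONF"' EXIT

# Variant 1 from the slide: anyone who can reach port 3128 may use the proxy.
cat > "$OPEN_CONF" <<'EOF'
http_port 3128
http_access allow all
EOF

# Variant 2 from the slide: only the LAN and localhost, everything else denied.
cat > "$SAFE_CONF" <<'EOF'
http_port 3128
# placeholder LAN range
acl our_networks src 192.168.1.0/24
http_access allow our_networks
http_access allow localhost
http_access deny all
EOF

# Print the http_access rules of a squid.conf in order, comments stripped and
# whitespace normalised, one rule per line ("allow our_networks", "deny all", ...).
http_access_rules() {
    sed 's/#.*//' "$1" |
        awk '$1 == "http_access" { r = $2; for (i = 3; i <= NF; i++) r = r " " $i; print r }'
}

# Return 0 when the chain looks safe, 1 (with a reason on stdout) otherwise.
audit_http_access() {
    rules=$(http_access_rules "$1")
    if [ -z "$rules" ]; then
        echo "no http_access rules found"
        return 1
    fi
    # Rules are evaluated top to bottom and the first match wins, so an
    # unconditional allow opens the proxy no matter what follows it.
    if printf '%s\n' "$rules" | grep -qx 'allow all'; then
        echo "unconditional 'http_access allow all': open proxy"
        return 1
    fi
    # Squid's implicit default is the opposite of the last rule's action;
    # an explicit final deny removes that dependency on rule order.
    last=$(printf '%s\n' "$rules" | tail -n 1)
    if [ "$last" != "deny all" ]; then
        echo "last rule is '$last'; end the chain with 'http_access deny all'"
        return 1
    fi
    return 0
}

for conf in "$OPEN_CONF" "$SAFE_CONF"; do
    if audit_http_access "$conf"; then
        echo "$conf: http_access chain OK"
    else
        echo "$conf: needs review"
    fi
done
```

Run it against your real file with `audit_http_access /etc/squid/squid.conf` after sourcing the functions; the awk step only looks at `http_access` lines, so `http_reply_access` and `icp_access` are not covered.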
Running Squid
Before you can run Squid, you need to set up the cache_dir you specified in squid.conf. The directory must be writable by squid. You can create the cache directory structure by running:
squid -z
Running Squid Cont.
Simply run Squid using the init script:
/etc/rc.d/init.d/squid start
- or -
/etc/init.d/squid start
Configuring Clients
For a client such as a web browser to access the Squid proxy, you must configure its connection options using the manual proxy setting. Put in the IP address/FQDN of your proxy and the port you are connecting to.
Configuring Clients: Alt Method
You can use your firewall to intercept incoming port 80 requests and redirect them to your Squid proxy, removing the need to configure the client with the proxy IP and port. Example:
iptables -A PREROUTING -t nat -i eth1 -p tcp \
  --dport 80 -j REDIRECT --to-port 3128
ACL: Access Control Lists
ACLs can be created to do content filtering or to prevent certain objects from being cached (e.g. MPEG files).
Prevent MPEG files from being cached:
acl MPG url_regex \.mpg$
no_cache deny MPG
ACL: Access Control Lists Cont.
Content filtering can be done using two methods: a redirector, or a regular expression. SquidGuard is a well-known redirector. Our example will be a regex on a file of keywords or URLs.
ACL: Access Control Lists Cont.
The regex works using files which can be downloaded and stored in /etc/squid.
acl porn url_regex "/etc/squid/porn"
acl noporn url_regex "/etc/squid/noporn"
deny_info ERR_EXAMPLE_ACCESS_DENIED porn
http_access allow noporn all
http_access deny porn all
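Both the MPG no-cache ACL two slides back and the porn/noporn pair here are `url_regex` ACLs, so the same question applies to each: which URLs does a given pattern file actually match, and in what order do the rules fire? The script below is an added example, not part of the original slides or of Squid. It assumes that `url_regex` patterns are POSIX extended regular expressions, which is also what `grep -E` evaluates, so running `grep -f` over a constructed list file gives the same yes/no answer as Squid would for a plain URL string. The list contents and hostnames (reserved `.test` and `.invalid` names) are constructed stand-ins for /etc/squid/porn and /etc/squid/noporn.

```shell
#!/bin/sh
# Added example (not from the slides): emulate how Squid's url_regex ACLs match
# URLs, using constructed pattern files and grep -E (POSIX extended regex).

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Stand-ins for /etc/squid/porn and /etc/squid/noporn; hostnames are constructed.
BLOCK_LIST="$WORK/blocked"
EXCEPT_LIST="$WORK/exceptions"
cat > "$BLOCK_LIST" <<'EOF'
blocked-site\.test
^http://[^/]*\.invalid/
EOF
cat > "$EXCEPT_LIST" <<'EOF'
^http://docs\.blocked-site\.test/
EOF

# Stand-in for the MPG ACL. The dot is escaped so the pattern matches a literal
# ".mpg", not any single character followed by "mpg".
MPG_LIST="$WORK/mpg"
printf '%s\n' '\.mpg$' > "$MPG_LIST"

# url_matches PATTERN_FILE URL: exit 0 if any pattern in the file matches the URL.
url_matches() {
    printf '%s\n' "$2" | grep -E -q -f "$1"
}

# Walk the slide's two http_access rules in order and print the decision:
#   http_access allow noporn all
#   http_access deny porn all
# The first matching rule wins. If neither matches, Squid applies the opposite
# of the last rule's action, which here is allow. In a real squid.conf the
# LAN / deny-all rules from the earlier slide would sit in front of these two.
filter_decision() {
    url="$1"
    if url_matches "$EXCEPT_LIST" "$url"; then echo allow; return; fi
    if url_matches "$BLOCK_LIST" "$url"; then echo deny; return; fi
    echo allow
}

# is_no_cache URL: exit 0 if the MPG ACL would keep this object out of the cache.
is_no_cache() {
    url_matches "$MPG_LIST" "$1"
}

for u in http://www.blocked-site.test/ http://docs.blocked-site.test/faq http://example.test/; do
    echo "$u -> $(filter_decision "$u")"
done

# A query string defeats the $ anchor: the second URL is still cached.
for u in http://example.test/clip.mpg 'http://example.test/clip.mpg?session=1'; do
    if is_no_cache "$u"; then echo "$u -> not cached"; else echo "$u -> cached"; fi
done
```

The exception list is consulted first, so a site that appears in both files is allowed; that is exactly the behaviour the `allow noporn` line before `deny porn` produces in Squid. The last loop shows why anchoring on `$` is fragile for cache rules: any query string after the extension escapes the match.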
Reference
● Squid website –
● Squid Wiki –
● Squidguard –
● Squid: The Definitive Guide – O'Reilly, ISBN:
Omake
From the Wireless Hacks book published by O'Reilly (ISBN: ), Hack #91: using a Squid cache remotely with SSH tunneling allows you to use a Squid running on your home firewall box to browse websites securely over wireless Internet access from your laptop.
Omake
Step 01: Configure and test Squid on your firewall
Step 02: Create the tunnel from your laptop
ssh -L3128:localhost:3128 mysquid.house -f -N
Step 03: Configure your browser proxy