Compiling Squid is a bit of a painful task compared to installing Squid from the binary package. However, we recommend compiling Squid from the source instead of using pre-compiled binaries. Let's walk through a few advantages of compiling Squid from the source:

Though compiling Squid from source has a lot of advantages over installing from the binary package, the binary package has its own advantages. For example, when we are in damage control mode or a crisis situation and we need to get the proxy server up and running really quickly, using a binary package for installation will provide a quicker installation.

The --prefix option is the most commonly used option. If we are testing a new version or if we wanted to test multiple Squid versions, we will have multiple Squid version installed on our system. To identify the different versions and to prevent interference or confusion between the versions, it's a good idea to install them in separate directories.

For example, for installing Squid version 3.1.10, we can use the directory /opt/squid/3.1.10/ and the corresponding configure command will be run as:

./configure --prefix=/opt/squid/3.1.10/

Similarly, for installing Squid version 3.1, we can use the directory /opt/squid/3.1/.

Squid provides even more control over the location of different types of files such as executables and documentation files. Their placement can be controlled with options such as --bindir, --sbindir, and so on. Please check the configure help page for further details on these options.

Now, let's check the optional features and packages. To enable any optional feature, we pass an option in the format --enable-FEATURE_NAME and to disable a feature, the option format is either --disable-FEATURE_NAME or --enable-FEATURE_NAME=no. For example, icmp is a feature name.

./configure --enable-FEATURE # FEATURE will be enabled
./configure --disable-FEATURE # FEATURE will be disabled
./configure --enable-FEATURE=no # FEATURE will be disabled

Similarly, to compile Squid with an available package, we pass an option in the format --with-PACKAGE_NAME and to compile Squid without a package, we pass the option --without-PACKAGE_NAME. openssl is an example package name.

Regular expressions are used for constructing Access Control Lists in Squid. If we are running a modern Linux/Unix-based operating system, we don't need to worry about this option. But if our system doesn't have built-in support for regular expressions, we should enable support for regular expressions using --enable-gnuregex.

Squid has a lot of code that can be inlined, which is good for production use. But inline code takes longer to compile and is useful when we need to compile a source only once for setting up Squid for production use. This option is intended to be used during development when we need to compile Squid time and again.

Squid is, by default, compiled with compiler optimizations that result in better performance. Again this option should be used while debugging a problem or testing different versions as it'll reduce compilation time. The --disable-inline option is automatically used if we use this option.

Squid's performance depends heavily on disk I/O performance when disk caching is enabled. The quicker Squid can read/write files from cache, the lesser time it'll take to satisfy a request, which in turn will result in smaller delays. Different storage techniques may lead to optimized performance, depending on the traffic type and usage. We can use this option to build Squid with support for various store I/O modules. Please check the src/fs/ directory in the Squid source code for available store I/O modules.

./configure --enable-storeio=ufs,aufs,coss,diskd,null

While using disk caching, we instruct Squid to use a specified disk space for caching web documents. Over a period of time, the space is consumed and Squid will still need more space to cache new documents. Squid then has to decide which old documents should be removed or purged from the cache to make space for storing the new ones. There are different policies for purging the documents to achieve maximum benefits from caching.

The policies are based on heap and list data structures. List data structure is enabled by default. Please check the src/repl/ directory in the Squid source code for available removal policies.

./configure --enable-removal-policies=heap,lru

This option is helpful in determining the distance from other cache peers and remote servers to estimate approximate latency. This is useful only if we have other cache peers in the network.

Squid uses delay pools to limit or control bandwidth that can be used by a client or a group of clients. Delay pools are like leaky buckets which leak data (web traffic) to clients and are refilled at a controlled rate. These come in handy when we need to control the bandwidth used by a group of users.

This option enables Squid to use Edge Side Includes (see http://www.esi.org for more information). If this is enabled, Squid completely ignores cache-control headers from clients. This option is only intended to be used when Squid is used in accelerator mode.

This provides the capability of logging user agent headers from HTTP requests by clients.

If we enable this option, Squid will be able to write a referer header field from HTTP requests.

This option disables support for Cisco's Web Cache Communication Protocol (WCCP). WCCP enables communication between caches, which in turn helps in localizing the traffic. By default, WCCP-support is enabled.

Similar to the previous option, this disables support Cisco's WCCP version 2. WCCPv2 is an improved version of WCCP and has built-in support for load balancing, scaling, fault-tolerance, and service assurance mechanisms. By default, WCCPv2 support is enabled.

In Squid versions 3.x, SNMP (Simple Network Management Protocol) is enabled by default. SNMP is quite popular among system administrators for monitoring servers and network devices.

Cache Manager (cachemgr.cgi) is a CGI utility to manage Squid's cache and view cache statistics using a web interface. The host name for accessing cache manager can be set using this option. By default, we can access cache manager web interface using localhost or the IP address of the Squid server.

./configure --enable-cachemgr-hostname=squidproxy.example.com

Squid supports building Access Control Lists based on MAC (or Ethernet) addresses. This feature is disabled by default. If we want to control client access based on Ethernet addresses, we should enable this feature. Enabling this is a good idea while learning Squid.

Hypertext Caching Protocol (HTCP) can be used by Squid to send and receive cache digests to neighboring caches. This option disables HTCP support.

Squid can terminate SSL connections. When Squid is configured in reverse proxy mode, Squid can terminate the SSL connections initiated by clients and handle it on behalf of the web server in the backend. This essentially means that the backend web server will not have to do any SSL work, which means significant computation savings. In this case, the communication between Squid and the backend web server will be pure HTTP, but clients will still see it as a secure connection with the web server. This is useful only when Squid is configured to work in accelerator or reverse proxy mode.

Cache digests are Squid's way of sharing information with neighboring Squid servers about the cached web documents, in a compressed format.

Whenever Squid encounters an error (for example, a page not found, access denied, or network unreachable error) that should be conveyed to the client, Squid uses default pages for showing these errors. The error pages are available in local languages. This option can be used to specify the default language for all the error pages. The default language for error pages is English.

./configure --enable-default-err-language=Spanish

By default, Squid builds support for all available languages. If we only want to build Squid with languages which we are familiar with, we can use this option. Please check the errors/ directory in the Squid source code for available languages.

./configure --enable-err-languages='English French German'

Squid has configuration options, and by using them, we can force Squid to violate HTTP protocol standards by replacing header fields in HTTP requests or responses. Tinkering with HTTP headers is against standard HTTP norms. We can disable support for all sorts of HTTP violations by using this option.

IPFIREWALL (IPFW) is a firewall application for the FreeBSD system maintained by FreeBSD staff and volunteers. This option is useful while setting up Transparent Proxy Server on systems with IPFW. If our system doesn't have IPFW, we should avoid using this option, because Squid will fail to compile. The default behavior is auto-detect, which does the job quite well.

IPFilter (IPF) is also a stateful firewall for many Unix-like operating systems. It is provided by NetBSD, Solaris, and so on. If our system has IPF, then we should enable this option to be able to configure Squid in Transparent mode. Enabling this option in the absence of IPF on the system will result in compile errors.

Packet Filter (PF) is yet another stateful firewall application originally developed for OpenBSD. This option is useful on systems with PF installed to achieve Transparent Proxy mode. Do not enable this option if PF is not installed.

Netfilter is the packet filtering framework in Linux kernels in series 2.4.x and 2.6.x. This option is useful for enabling Transparent Proxy support on Linux-based operating systems.

When a HTTP request is forwarded by a proxy, the proxy writes essential information about itself and the client for which the request is being forwarded, in HTTP headers. This option enables Squid to try to lookup the IP address of the original client for which the request was forwarded through one or more proxy servers.

This prevents Squid from performing ident lookups or identifying a username for every connection. Disabling this may prevent our system from a possible Denial of Service attack by a malicious client requesting a large number of connections.

Squid has its own implementation of DNS protocol and is capable of building DNS queries. If we want to use Squid's internal DNS, then we should not disable it. Otherwise, we can disable support for Squid's internal DNS feature by using this option and can use external DNS servers.

Using this option, we can select the default location of the hosts file. On most operating systems, it's located in the /etc/hosts directory.

./configure --enable-default-hostsfile=/some/other/location/hosts

Squid supports various authentication mechanisms. This option enables support for authentication schemes. This configure option (and related enable auth options) are undergoing change.

./configure --enable-auth=basic,digest,ntlm

./configure --enable-auth

This option enables support for a Basic Authentication scheme and builds the list of helpers specified. If the list of helpers is not provided, this will enable all the possible helpers. A list of available helpers for this scheme can be found in the helpers/basic_auth/ directory in the Squid source code. To disable this authentication scheme, we can use --disable-auth-basic.

./configure --enable-auth-basic=PAM,NCSA,LDAP

If we want to enable this option but don't want to build any helpers, we should use "none" in place of a list of helpers.

./configure --enable-auth-basic=none

Previously, this option was known as --enable-basic-auth-helpers. The list of helpers is passed in a similar way.

./configure --enable-basic-auth-helpers=PAM,NCSA,LDAP

Squid support for the NTLM authentication scheme is enabled with this option. The available helpers for this scheme reside in the helpers/ntlm_auth/ directory in the Squid source code. To disable NTLM authentication scheme support, use the --disable-auth-ntlm option.

./configure --enable-auth-ntlm=smb_lm,no_check

This option enables the Negotiate Authentication scheme. Details and syntax are similar to the above authentication scheme option.

./configure --enable-auth-negotiate=kerberos

This option enables support for Digest Authentication scheme. Other details are similar to the above option.

If this option is enabled and a helper fails while authenticating a user, it can still allow Squid to authenticate the user. This option should be used with care as it may lead to security loopholes.

Squid supports external ACLs using helpers. If we are willing to use external ACLs, we should consider using this option. We can also use this option while learning. A list of external ACL helpers should be passed to build specific helpers. The default behavior is to build all the available helpers. A list of available external ACL helpers can be found in the helpers/external_acl/ directory in the Squid source code.

./configure --enable-external-acl-helpers=unix_group,ldap_group

By default, Squid tries to present error and manual pages in a local language. If we don't want this to happen, then we may use this option.

Based on a client's request headers, Squid tries to automatically provide localized error pages. We can use this option to disable the automatic localization. The error_directory tag in the Squid configuration file must be configured if we use this option.

unlinkd is an external process which is used to make unlink system calls. This option disables unlinkd support in Squid. Disabling unlinkd is not a good idea as the unlink system call can block a process for a considerable amount of time, which can cause a delay in responses.

We normally don't want to run Squid as the root user to omit any security risks. By default, Squid runs as the user nobody. However, if we have installed Squid from a pre-compiled binary, Squid may run as a 'squid' or 'proxy' user depending on the operating system we are using. Using this option, we can set the default user for running Squid. See the following example of how to use this option:

./configure --with-default-user=squid

By default, Squid writes all logs and error reports to designated files in ${prefix}/var/logs/. This location is different from the location used by all other processes and daemons to write their logs. In order to get quick access to the Squid logs, we may want to place them in the default system log directory, which is /var/log/ in most of the Linux-based operating systems. See the following example of the syntax to achieve this:

./configure --with-logdir=/var/log/squid/

The default location for storing the Squid PID file is ${prefix}/var/run/squid.pid, which is not the standard system location for storing PID files. On most Linux-based operating systems, the PID files are stored in /var/run/. So, we may want to change the default PIDfile location using the following option:

./configure --with-pidfile=/var/run/squid.pid

Using this option, we can specify the number of threads to use when the aufs storage system is used for managing the cache directories. If this option is not used, Squid automatically calculates the number of threads that should be used:

./configure --with-aufs-threads=12

Older versions of Squid were built without POSIX threads support. Now, Squid is built with pthreads support by default, therefore, if we don't want to enable pthreads support, we'll have to explicitly disable it.

If we want to build Squid with OpenSSL support, we can use this option to specify the OpenSSL installation path, if it's not installed in the default location:

./configure --with-openssl=/opt/openssl/ 

Under heavy traffic, Squid's log files (especially the access log) grow quickly and in the long run the file size may become quite large. We can use this option to enable support for large log files.

Operating systems use file descriptors (basically integers) to track the open files and sockets. By default, there is a limit on the number of file descriptors a user can use (normally 1024). Once Squid has accepted connections which have consumed all the available file descriptors to the Squid user, it can't accept more connections unless some of the file descriptors are released.

Under heavy load, Squid frequently runs out of file descriptors. We can use the following option to overcome the file descriptor shortage problem:

./configure --with-filedescriptors=8192