In this article by Kulbir Saini, author of Squid Proxy Server 3 Beginner's Guide, we are going to learn to configure Squid according to the requirements of a given network. We will learn about the general syntax used for a Squid configuration file.
Specifically, we will cover the following:
Let's have a look at the minimal configuration that you will need to get started. Open the configuration file located at /opt/squid/etc/squid.conf, as we are going to make the changes and additions necessary to quickly set up a minimal proxy server.
cache_dir ufs /opt/squid/var/cache/ 500 16 256
acl my_machine src 192.0.2.21 # Replace with your IP address
http_access allow my_machine
We should add the previous lines at the top of our current configuration file (ensuring that we change the IP address accordingly). Now, we need to create the cache directories. We can do that by using the following command:
$ /opt/squid/sbin/squid -z
We are now ready to run our proxy server, and this can be done by running the following command:
$ /opt/squid/sbin/squid
Squid will start listening on port 3128 (default) on all network interfaces on our machine. Now we can configure our browser to use Squid as an HTTP proxy server with the host as the IP address of our machine and port 3128.
Once the browser is configured, try browsing to http://www.example.com/. That's it! We have configured Squid as an HTTP proxy server! Now try to browse to http://www.example.com:897/ and observe the message you receive. The message shown is an access denied message sent to you by Squid.
Now, let's move on to understanding the configuration file in detail.
Squid's configuration file can normally be found at /etc/squid/squid.conf, /usr/local/squid/etc/squid.conf, or ${prefix}/etc/squid.conf where ${prefix} is the value passed to the --prefix option, which is passed to the configure command before compiling Squid.
In the newer versions of Squid, a documented version of squid.conf, known as squid.conf.documented, can be found alongside squid.conf. In this article, we'll cover some of the important directives available in the configuration file. For a detailed description of all the directives used in the configuration file, please check http://www.squid-cache.org/Doc/config/.
The syntax of Squid's documented configuration file is similar to that of many other Linux/Unix programs. Generally, there are a few lines of comments containing useful related documentation before every directive used in the configuration file. This makes it easier to understand and configure directives, even for people who are not familiar with configuring applications using configuration files. Normally, we just need to read the comments and use the appropriate options available for a particular directive.
The lines beginning with the character # are treated as comments and are completely ignored by Squid while parsing the configuration file. Additionally, any blank lines are also ignored.
# Test comment. This and the above blank line will be ignored by Squid.
Let's see a snippet from the documented configuration file (squid.conf.documented):
# TAG: cache_effective_user
# If you start Squid as root, it will change its effective/real
# UID/GID to the user specified below. The default is to change
# to UID of nobody.
# see also; cache_effective_group
#Default:
# cache_effective_user nobody
In the previous snippet, the first line (the TAG line) gives the name of the directive, in this case cache_effective_user. The lines following the tag line provide brief information about the usage of the directive. The last line shows the default value that applies if the directive is not specified.
Now, let's have a brief look at the different types of directives and the values that can be specified.
Single-valued directives take only one value. They should not be used multiple times in the configuration file because the last occurrence of the directive overrides all the previous declarations. For example, logfile_rotate should be specified only once.
logfile_rotate 10
# Few lines containing other configuration directives
logfile_rotate 5
In this case, five logfile rotations will be made when we trigger Squid to rotate logfiles.
Boolean-valued directives are also single-valued, but they are generally used to toggle features on or off.
query_icmp on
log_icp_queries off
url_rewrite_bypass off
We use these directives when we need to change the default behavior.
Multi-valued directives generally take one or more values. We can either specify all the values on a single line after the directive, or we can write them on multiple lines, repeating the directive on each line. All the values for a directive are aggregated from the different lines:
hostname_aliases proxy.example.com squid.example.com
Optionally, we can pass them on separate lines as follows:
hostname_aliases proxy.example.com
hostname_aliases squid.example.com
Both the previous code snippets will instruct Squid to use proxy.example.com and squid.example.com as aliases for the hostname of our proxy server.
Time-valued directives take values with time as the unit. Squid understands the words seconds, minutes, hours, and so on, and these can be suffixed to numerical values to specify the actual duration. For example:
request_timeout 3 hours
persistent_request_timeout 2 minutes
Size-valued directives take values suffixed with file or memory size units such as bytes, KB, MB, or GB. For example:
reply_body_max_size 10 MB
cache_mem 512 MB
maximum_object_size_in_memory 8192 KB
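To make the parsing rules above concrete, here is an added example (not code from the book or from Squid itself) that reads a constructed squid.conf fragment the way the text describes: comments and blank lines are skipped, the last occurrence of a single-valued directive wins, every occurrence of a multi-valued directive is aggregated, and time and size suffixes are converted to seconds and bytes. The set of multi-valued directive names is an assumption chosen for the demo, and a trailing `#` comment is handled the way the article's own acl example uses it.

```python
# Added example (not from the book): a minimal reader for the squid.conf
# syntax described in the article. Assumption: LIST_DIRECTIVES is a
# hand-picked subset of Squid's multi-valued directives for this demo.
LIST_DIRECTIVES = {"hostname_aliases", "dns_nameservers"}
TIME_UNITS = {"second": 1, "seconds": 1, "minute": 60, "minutes": 60,
              "hour": 3600, "hours": 3600, "day": 86400, "days": 86400}
SIZE_UNITS = {"bytes": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}

# Constructed sample in the style of the article (not a real squid.conf).
SAMPLE = """\
# Test comment. This and the blank line below are ignored.

logfile_rotate 10
# A few lines containing other configuration directives
logfile_rotate 5
hostname_aliases proxy.example.com squid.example.com
hostname_aliases cache.example.com  # trailing comment
request_timeout 3 hours
reply_body_max_size 10 MB
"""

def parse_squid_conf(text):
    """Return {directive: [tokens]} following the rules in the article."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # everything after '#' is a comment
        if not line:                          # blank or comment-only line: ignored
            continue
        name, *values = line.split()
        if name in LIST_DIRECTIVES:
            conf.setdefault(name, []).extend(values)  # aggregate every occurrence
        else:
            conf[name] = values                       # last occurrence overrides
    return conf

def to_seconds(values):
    """['3', 'hours'] -> 10800; a bare number is taken as seconds."""
    unit = values[1] if len(values) > 1 else "seconds"
    return int(float(values[0]) * TIME_UNITS[unit])

def to_bytes(values):
    """['10', 'MB'] -> 10485760; a bare number is taken as bytes."""
    unit = values[1] if len(values) > 1 else "bytes"
    return int(float(values[0]) * SIZE_UNITS[unit])

def demo():
    """Parse SAMPLE and return the resolved values of each directive type."""
    conf = parse_squid_conf(SAMPLE)
    return {"logfile_rotate": int(conf["logfile_rotate"][0]),
            "hostname_aliases": conf["hostname_aliases"],
            "request_timeout_seconds": to_seconds(conf["request_timeout"]),
            "reply_body_max_bytes": to_bytes(conf["reply_body_max_size"])}

if __name__ == "__main__":
    print(demo())
```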
As we are familiar with the configuration file syntax now, let's open the squid.conf file and learn about the frequently used directives.
Open the documented Squid configuration file and find out at least three directives of each type that we discussed before. Don't use the directives already used in the examples.
The http_port directive is used to specify the port where Squid will listen for client connections. The default behavior is to listen on port 3128 on all the available interfaces on a machine.
Now, we'll see the various ways to set the HTTP port in the squid.conf file:
http_port 8080
http_port 192.0.2.25:3128
This will instruct Squid to listen on port 3128 on the interface with the IP address as 192.0.2.25.
http_port myproxy.example.com:8080
The hostname will be translated to an IP address by Squid and then Squid will listen on port 8080 on that particular IP address.
http_port 192.0.2.25:8080
http_port lan1.example.com:3128
http_port lan2.example.com:8081
These lines will trigger Squid to listen on three different IP addresses and port combinations. This is generally helpful when we have clients in different LANs, which are configured to use different ports for the proxy server.
http_port 3128 intercept
tproxy mode is used to enable Linux Transparent Proxy support for spoofing outgoing connections using the client's IP address.
http_port 8080 tproxy
We should note that enabling intercept or tproxy mode disables any configured authentication mechanism. Also, IPv6 is supported for tproxy but requires very recent kernel versions. IPv6 is not supported in the intercept mode.
Accelerator mode is enabled using the mode accel. It's a good idea to listen on port 80 if we are configuring Squid in accelerator mode. This mode can't be used on its own: we must specify at least one website that we want to accelerate.
http_port 80 accel defaultsite=website.example.com
We should choose the HTTP port carefully, as the well-known proxy ports like 3128 or 8080 can pose a security risk if we don't secure the port properly with access controls. If we don't want to spend time on securing the port, we can use an arbitrary port number above 10000.
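As an added example (not code from the book or from Squid), the following parses the http_port forms shown above into host, port, mode and options, and applies two checks that follow from the text: intercept or tproxy mode disables any configured authentication (so a proxy_auth acl alongside such a port is ineffective), and a well-known proxy port open on all interfaces needs http_access protection. The sample configuration is constructed, and only the three modes named in the article are recognised.

```python
# Added example (not from the book): parse http_port lines and flag the
# two caveats the article states. Assumption: SAMPLE is a constructed
# configuration; only the modes intercept, tproxy and accel are recognised.
WELL_KNOWN_PROXY_PORTS = {3128, 8080}

SAMPLE = """\
acl lan_users proxy_auth REQUIRED
http_port 3128
http_port 192.0.2.25:8080 tproxy
http_port 80 accel defaultsite=website.example.com
"""

def parse_http_port(line):
    """Return {'host', 'port', 'mode', 'options'} for an http_port line, else None."""
    tokens = line.split("#", 1)[0].split()
    if len(tokens) < 2 or tokens[0] != "http_port":
        return None
    host, _, port = tokens[1].rpartition(":")     # a bare port has no host part
    spec = {"host": host or None, "port": int(port), "mode": None, "options": {}}
    for token in tokens[2:]:
        if token in ("intercept", "tproxy", "accel"):
            spec["mode"] = token
        elif "=" in token:                          # e.g. defaultsite=website.example.com
            key, value = token.split("=", 1)
            spec["options"][key] = value
    return spec

def audit_http_ports(conf_text):
    """Return warnings for the http_port lines in conf_text, per the article's caveats."""
    lines = [ln.split("#", 1)[0].strip() for ln in conf_text.splitlines()]
    uses_proxy_auth = any(ln.startswith("acl") and "proxy_auth" in ln for ln in lines)
    warnings = []
    for ln in lines:
        spec = parse_http_port(ln)
        if spec is None:
            continue
        port, mode = spec["port"], spec["mode"]
        if mode in ("intercept", "tproxy") and uses_proxy_auth:
            warnings.append(f"port {port}: {mode} mode disables the proxy_auth acl")
        if mode is None and spec["host"] is None and port in WELL_KNOWN_PROXY_PORTS:
            warnings.append(f"port {port}: well-known proxy port on all interfaces; "
                            "restrict it with http_access")
    return warnings

if __name__ == "__main__":
    for warning in audit_http_ports(SAMPLE):
        print(warning)
```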
In this section, we learned about the usage of one of the most important directives, namely, http_port. We have learned about the various ways in which we can specify HTTP port, depending on the requirement. We can force Squid to listen on multiple interfaces and on different ports, on different interfaces.