
Squid Proxy Server 3.1: Beginner’s Guide


In this article by Kulbir Saini, author of Squid Proxy Server 3.1: Beginner's Guide, we learn how to configure Squid according to the requirements of a given network, starting with the general syntax of a Squid configuration file.

Specifically, we will cover the following:

  • Quick exposure to Squid
  • Syntax of the configuration file
  • HTTP port, the most important configuration directive
  • Access Control Lists (ACLs)
  • Controlling access to various components of Squid


Quick start

Let’s have a look at the minimal configuration that you will need to get started. Get ready with the configuration file located at /opt/squid/etc/squid.conf, as we are going to make the changes and additions necessary to quickly set up a minimal proxy server.

cache_dir ufs /opt/squid/var/cache/ 500 16 256
acl my_machine src 192.0.2.21 # Replace with your IP address
http_access allow my_machine

We should add the previous lines at the top of our current configuration file (ensuring that we change the IP address accordingly). Now, we need to create the cache directories. We can do that by using the following command:

$ /opt/squid/sbin/squid -z

We are now ready to run our proxy server, and this can be done by running the following command:

$ /opt/squid/sbin/squid

Squid will start listening on port 3128 (default) on all network interfaces on our machine. Now we can configure our browser to use Squid as an HTTP proxy server with the host as the IP address of our machine and port 3128.

Once the browser is configured, try browsing to http://www.example.com/. That’s it! We have configured Squid as an HTTP proxy server! Now try to browse to http://www.example.com:897/ and observe the message you receive. The message shown is an access denied message sent to you by Squid.

Now, let’s move on to understanding the configuration file in detail.

Syntax of the configuration file

Squid’s configuration file can normally be found at /etc/squid/squid.conf, /usr/local/squid/etc/squid.conf, or ${prefix}/etc/squid.conf, where ${prefix} is the value passed to the --prefix option of the configure command before compiling Squid.

In the newer versions of Squid, a documented version of squid.conf, known as squid.conf.documented, can be found alongside squid.conf. In this article, we’ll cover some of the important directives available in the configuration file. For a detailed description of all the directives used in the configuration file, please check http://www.squid-cache.org/Doc/config/.

The syntax of Squid’s documented configuration file is similar to that of many other Linux/Unix programs. Generally, a few lines of comments containing useful documentation precede every directive in the configuration file. This makes it easier to understand and configure directives, even for people who are not familiar with configuring applications through configuration files. Normally, we just need to read the comments and use the appropriate options available for a particular directive.

The lines beginning with the character # are treated as comments and are completely ignored by Squid while parsing the configuration file. Additionally, any blank lines are also ignored.

# Test comment. This and the above blank line will be ignored by Squid.

Let’s see a snippet from the documented configuration file (squid.conf.documented):

# TAG: cache_effective_user
# If you start Squid as root, it will change its effective/real
# UID/GID to the user specified below. The default is to change
# to UID of nobody.
# see also; cache_effective_group
#Default:
# cache_effective_user nobody

In the previous snippet, the first line gives the name of the directive, which in this case is cache_effective_user. The lines following the TAG line briefly describe how the directive is used. The last line shows the default value for the directive, which applies if none is specified.

Types of directives

Now, let’s have a brief look at the different types of directives and the values that can be specified.

Single valued directives

These are directives which take only one value. These directives should not be used multiple times in the configuration file because the last occurrence of the directive will override all the previous declarations. For example, logfile_rotate should be specified only once.

logfile_rotate 10
# Few lines containing other configuration directives
logfile_rotate 5

In this case, five logfile rotations will be made when we trigger Squid to rotate logfiles.

Boolean-valued or toggle directives

These are also single-valued directives, but they are generally used to toggle features on or off.

query_icmp on
log_icp_queries off
url_rewrite_bypass off

We use these directives when we need to change the default behavior.

Multi-valued directives

Directives of this type take one or more values. We can either specify all the values on a single line after the directive, or write them on multiple lines, repeating the directive each time. All the values for a directive are aggregated from the different lines:

hostname_aliases proxy.example.com squid.example.com

Optionally, we can pass them on separate lines as follows:

hostname_aliases proxy.example.com
hostname_aliases squid.example.com

Both the previous code snippets will instruct Squid to use proxy.example.com and squid.example.com as aliases for the hostname of our proxy server.

Directives with time as a value

There are a few directives which take values with time as the unit. Squid understands the words seconds, minutes, hours, and so on, and these can be appended to numerical values to specify the actual duration. For example:

request_timeout 3 hours
persistent_request_timeout 2 minutes

Directives with file or memory size as values

The values passed to these directives are generally suffixed with file or memory size units like bytes, KB, MB, or GB. For example:

reply_body_max_size 10 MB
cache_mem 512 MB
maximum_object_size_in_memory 8192 KB
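To make the merge rules above concrete, here is an added example (not from the book or the Squid project) that parses a constructed squid.conf fragment using those rules: comments and blank lines are skipped, single-valued directives are last-wins, multi-valued directives aggregate across lines, and time and size values are normalised to seconds and bytes. The directive-to-type tables are a hand-picked subset chosen for the example, not Squid's full directive list.

```python
# Hand-picked subset of Squid directives, grouped by the value type the text describes
# (constructed for this example; Squid itself knows many more directives and units).
SINGLE = {"logfile_rotate", "cache_effective_user"}
TOGGLE = {"query_icmp", "log_icp_queries", "url_rewrite_bypass"}
MULTI = {"hostname_aliases", "dns_nameservers"}
TIME = {"request_timeout", "persistent_request_timeout"}
SIZE = {"reply_body_max_size", "cache_mem", "maximum_object_size_in_memory"}

TIME_UNITS = {"second": 1, "seconds": 1, "minute": 60, "minutes": 60,
              "hour": 3600, "hours": 3600, "day": 86400, "days": 86400}
SIZE_UNITS = {"bytes": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}


def parse_squid_conf(text):
    """Return {directive: value}, applying the merge rule of each directive type."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment; blank lines are ignored
        if not line:
            continue
        name, *args = line.split()
        if name in SINGLE:
            conf[name] = args[0]                             # last occurrence overrides earlier ones
        elif name in TOGGLE:
            if args[0] not in ("on", "off"):
                raise ValueError(f"{name}: expected on/off, got {args[0]!r}")
            conf[name] = args[0] == "on"
        elif name in MULTI:
            conf.setdefault(name, []).extend(args)           # values aggregate across lines
        elif name in TIME:
            conf[name] = int(args[0]) * TIME_UNITS[args[1]]  # normalised to seconds
        elif name in SIZE:
            conf[name] = int(args[0]) * SIZE_UNITS[args[1]]  # normalised to bytes
        else:
            raise ValueError(f"unknown directive: {name}")
    return conf


# Constructed fragment exercising each rule.
SAMPLE_CONF = """\
# Test comment. This line and the blank line below are ignored.

logfile_rotate 10
logfile_rotate 5                   # single valued: this one wins
query_icmp on
hostname_aliases proxy.example.com squid.example.com
hostname_aliases cache.example.com # multi valued: aggregated with the line above
request_timeout 3 hours
cache_mem 512 MB
maximum_object_size_in_memory 8192 KB
"""
```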

As we are familiar with the configuration file syntax now, let’s open the squid.conf file and learn about the frequently used directives.

Have a go hero – categorize the directives

Open the documented Squid configuration file and find out at least three directives of each type that we discussed before. Don’t use the directives already used in the examples.

HTTP port

This directive is used to specify the port where Squid will listen for client connections. The default behavior is to listen on port 3128 on all the available interfaces on a machine.

Time for action – setting the HTTP port

Now, we’ll see the various ways to set the HTTP port in the squid.conf file:

  • In its simplest form, we just specify the port on which we want Squid to listen:
    http_port 8080
  • We can also specify the IP address and port combination on which we want Squid to listen. We normally use this approach when we have multiple interfaces on our machine and we want Squid to listen only on the interface connected to the local area network (LAN):
    http_port 192.0.2.25:3128

    This will instruct Squid to listen on port 3128 on the interface with the IP address as 192.0.2.25.

  • Another form in which we can specify http_port is by using hostname and port combination:
    http_port myproxy.example.com:8080

    The hostname will be translated to an IP address by Squid and then Squid will listen on port 8080 on that particular IP address.

  • Another aspect of this directive is that it can take multiple values on separate lines. Let’s see what the following lines will do:
    http_port 192.0.2.25:8080
    http_port lan1.example.com:3128
    http_port lan2.example.com:8081

    These lines will trigger Squid to listen on three different IP addresses and port combinations. This is generally helpful when we have clients in different LANs, which are configured to use different ports for the proxy server.

  • In the newer versions of Squid, we may also specify the mode of operation such as intercept, tproxy, accel, and so on.
    Intercept mode will support the interception of requests without needing to configure the client machines.
    http_port 3128 intercept

    tproxy mode is used to enable Linux Transparent Proxy support for spoofing outgoing connections using the client’s IP address.

    http_port 8080 tproxy

    We should note that enabling intercept or tproxy mode disables any configured authentication mechanism. Also, IPv6 is supported for tproxy but requires very recent kernel versions. IPv6 is not supported in the intercept mode.

    Accelerator mode is enabled using the mode accel. It’s a good idea to listen on port 80 if we are configuring Squid in accelerator mode. This mode can’t be used as it is; we must specify at least one website we want to accelerate.

    http_port 80 accel defaultsite=website.example.com

    We should set the HTTP port carefully, as well-known proxy ports like 3128 or 8080 can pose a security risk if we don’t secure the port properly. If we don’t want to spend time on securing the port, we can use any arbitrary port number above 10000.
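As an added example (not the book's own code), the following Python checks the http_port lines of a constructed squid.conf for the pitfalls this list describes: intercept or tproxy mode silently disabling a configured auth_param, accel mode without a site to accelerate, and a well-known proxy port open on every interface. Treating vhost as an alternative to defaultsite= and the placeholder auth helper path are assumptions beyond the text.

```python
def parse_http_port(line):
    """Split one http_port line into host, port, mode and key=value options."""
    parts = line.split()
    if not parts or parts[0] != "http_port":
        raise ValueError(f"not an http_port line: {line!r}")
    target, *rest = parts[1:]
    host, _, port = target.rpartition(":")   # "8080", "192.0.2.25:3128", "lan1.example.com:8081"
    entry = {"host": host or None, "port": int(port), "mode": None, "options": {}}
    for tok in rest:
        if tok in ("intercept", "tproxy", "accel"):
            entry["mode"] = tok
        elif "=" in tok:
            key, value = tok.split("=", 1)
            entry["options"][key] = value
        else:
            entry["options"][tok] = True   # flag-style option such as vhost (assumed)
    return entry


def lint_http_ports(conf_text):
    """Return one warning per http_port line that hits a pitfall from the text."""
    lines = [l.split("#", 1)[0].strip() for l in conf_text.splitlines()]
    lines = [l for l in lines if l]
    has_auth = any(l.startswith("auth_param ") for l in lines)
    warnings = []
    for l in lines:
        if not l.startswith("http_port "):
            continue
        e = parse_http_port(l)
        where = f"{e['host'] or '*'}:{e['port']}"
        if e["mode"] in ("intercept", "tproxy") and has_auth:
            warnings.append(f"{where}: {e['mode']} mode disables the configured authentication")
        if e["mode"] == "accel" and not any(k in e["options"] for k in ("defaultsite", "vhost")):
            warnings.append(f"{where}: accel mode needs a site to accelerate (defaultsite= or vhost)")
        if e["host"] is None and e["port"] in (3128, 8080):
            warnings.append(f"{where}: well-known proxy port on every interface; restrict it with http_access")
    return warnings


# Constructed fragment; the auth helper path is a placeholder, not a real Squid path.
SAMPLE_CONF = """\
auth_param basic program /path/to/basic_auth_helper
http_port 3128                       # all interfaces, well-known port
http_port 192.0.2.25:8080 intercept  # bypasses the auth_param above
http_port 80 accel                   # no defaultsite= or vhost
http_port lan1.example.com:8081      # fine
"""
```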

What just happened?

In this section, we learned about the usage of one of the most important directives, namely http_port. We have seen the various ways in which we can specify the HTTP port, depending on the requirement. We can force Squid to listen on multiple interfaces and on different ports on different interfaces.
