Rotating log files frequently
Tip: For better performance, it is good practice to rotate log files frequently instead of going with large files.
Tip: It’s a good idea to use the –sysconfdir=/etc/squid/ option with configure, so that you can share the configuration across different Squid installations while testing.
Tip: We should note that enabling intercept or tproxy mode disables any configured authentication mechanism. Also, IPv6 is supported for tproxy but requires very recent kernel versions. IPv6 is not supported in the intercept mode.
Securing the port
Tip: We should set the HTTP port carefully as the standard ports like 3128 or 8080 can pose a security risk if we don’t secure the port properly. If we don’t want to spend time on securing the port, we can use any arbitrary port number above 10000.
Tip: We should carefully note that one ACL name can’t be used with more than one ACL type.
acl destination dstdomain example.com
acl destination dst 192.0.2.24
The above code is invalid as it uses ACL name destination across two different ACL types.
HTTP access control
Tip: The default behavior of HTTP access control is a bit tricky if access for a client can’t be identified by any of the access rules. In such cases, the default behavior is to do the opposite of the last access rule. If last access rule is deny, then the action will be to allow access and vice-versa. Therefore, to avoid any confusion or undesired behavior, it’s a good practice to add a deny all line after the access rules.
Using the http_reply_access directive
Tip: We should be really careful while using the http_reply_access directive. When a request is allowed by http_access, Squid will contact the original server, even if a rule with the http_reply_access directive denies the response. This may lead to serious security issues. For example, consider a client receiving a malicious URL, which can submit a client’s critical private information using the HTTP POST method. If the client’s request passes through http_access rules but the response is denied by an http_reply_access rule, then the client will be under the impression that nothing happened but a hacker will have cleverly stolen our client’s private information.
Tip: Using refresh_pattern to cache the non-cacheable responses or to alter the lifetime of the cached objects, may lead to unexpected behavior or responses from the web servers. We should use this directive very carefully.
Expires HTTP header
Tip: We should note that the Expires HTTP header overrides min and max values.
Tip: Please note that the directive never_direct overrides hierarchy_stoplist.
Path of the PID file
Tip: Setting the path of the PID file to none will prevent regular management operations like automatic log rotation or restarting Squid. The operating system will not be able to stop Squid at the time of a shutdown or restart.
Parsing the configuration file
Tip: It’s good practice to parse the configuration file for any errors or warning using the -k parse option before issuing the reconfigure signal.
Tip: Please note that shutdown, interrupt, and kill are Squid signals and not the system kill signals which are emulated.
Squid process in debug mode
Tip: The Squid process running in debug mode may write a log of debugging output to the cache.log file and may quickly consume a lot of disk space.
Access Control List (ACL) elements with dst
Tip: ACL elements configured with dst as a ACL type works slower compared to ACLs with the src ACL type, as Squid will have to resolve the destination domain name before evaluating the ACL, which will involve a DNS query.
ACL elements with srcdomain
Tip: ACL elements with srcdomain as ACL types works slower, compared to ACLs with the dstdomain ACL type because Squid will have to perform a reverse DNS lookup before evaluating ACL. This will introduce significant latency. Moreover, the reverse DNS lookup may not work properly with local IP addresses.
Adding port numbers
Tip: We should note that the port numbers we add to the SSL ports list should be added to the safe ports list as well.
Take care while using the ident protocol
Tip: The ident protocol is not really secure and it’s very easy to spoof an ident server. So, it should be used carefully.
Tip: Please note that the ident lookups are blocking calls and Squid will wait for the reply before it can proceed with processing the request, and that may increase the delays by a significant margin.
Denied access by the http_access
Tip: If a client is denied access by the http_access rule, it’ll never match an http_reply_access rule. This is because, if a client’s request is denied then Squid will not fetch a reply.
Tip: Configuring authentication helpers is of no use unless we use the proxy_auth ACL type to control access.
Tip: The basic_pop3_auth helper uses the Net::POP3 Perl package. So, we should make sure that we have this package installed before using the authentication helper.
Tip: : Please note that we should use the –enable-ssl option with the configure program before compiling, if we want Squid to accept HTTPS requests. Also note that several operating systems don’t provide packages capable of HTTPS reverse-proxy due to GPL and policy constraints.
URL redirector programs
Tip: We should be careful while using URL redirector programs because Squid passes the entire URL along with query parameters to the URL redirector program. This may lead to leakage of sensitive client information as some websites use HTTP GET methods for passing clients’ private information.
Using the url_rewrite_access directive to block request types
Tip: Please note that certain request types such as POST and CONNECT must not be rewritten as they may lead to errors and unexpected behavior. It’s a good idea to block them using the url_rewrite_access directive.
In this article we saw some tips and tricks on Squid Proxy server to enhance the performance of your network.
- Configuring Apache and Nginx [Article]
- Different Ways of Running Squid Proxy Server [Article]
- Lighttpd [Book]
- VirtualBox 3.1: Beginner’s Guide [Book]
- Squid Proxy Server 3.1: Beginner’s Guide [Book]