Monday, July 28, 2008

squid proxy server - mini howto

Squid proxy servers are a great way to control the Internet browsing of your company. In a previous post I mentioned all the good reasons why you should run one; in this post I will show you where and how to configure it.

You need to edit the main configuration file, /etc/squid/squid.conf. The following options are the ones you must or may want to set in that file:

http_port 8080 - This specifies the port the proxy server listens on. When you set the proxy server and proxy port in Internet Explorer, this is the port number to use. If the server also has a public interface, bind to the internal address only (e.g. http_port 192.168.0.1:8080) so the proxy cannot be reached from outside; the http_access rules further down are the other half of keeping it from becoming an open proxy.

cache_mem 64 MB - This specifies the amount of memory squid may use to hold objects in RAM (it is not squid's total memory footprint; squid needs more than this to run). There are many theories on how to size the disk cache that goes with it, but a good rule of thumb for the cache_dir line is the following (from http://www.devshed.com/):

x = size of cache dir in KB (i.e. 6GB = ~6,000,000KB)
y = average object size (just use 13KB)
z = number of directories per first-level directory (256)
(((x / y) / 256) / 256) * 2 = number of first-level directories
As an example, I use 6GB of each of my 13GB drives, so:
6,000,000 / 13 = 461538.5; / 256 = 1802.9; / 256 = 7 (rounded); * 2 = 14
So my cache_dir line would look like this:
cache_dir 6000 14 256
(in the full syntax used further down, with the storage type and path in front: cache_dir ufs /var/spool/squid 6000 14 256; the size is given in MB)

cache_swap_low 80 - The low-water mark, as a percentage of the cache_dir size. When you set your cache_dir to, let's say, 2048 MB (2 GB), this is the level at which squid stops removing old objects from the cache.

cache_swap_high 90 - The high-water mark, the companion of the option above. When cache usage reaches this percentage of the cache_dir size, squid starts freeing old cache objects aggressively and keeps going until usage is back down at cache_swap_low (80 percent).

maximum_object_size 1024 KB - This tells squid not to cache any object or file larger than 1 MB. What value makes sense depends on how big the squid server is, how fast you want the cache to be and, above all, how much disk space you have, because large objects fill the space before you know it!

minimum_object_size 0 KB - This specifies the smallest object or file squid will cache; leave it at 0 if you don't want a lower limit.

maximum_object_size_in_memory 64 KB - This specifies the largest object or file that may be kept in the cache_mem memory pool. Memory is normally reserved for small, frequently requested objects so that browsing feels fast; don't set this too high or large objects will hog the memory pool.

cache_dir ufs /var/spool/squid 2048 256 256 - This specifies where the squid cache lives on disk and how much disk space it may use: 2048 is the size in MB, 256 the number of first-level directories and 256 the number of second-level directories under each of them. cache_swap_high and cache_swap_low are percentages of this size, so with the values above squid starts cleaning the cache at the 90 percent mark and stops at 80 percent.

cache_access_log /var/log/squid/access.log - This tells squid where to write the access details. You will run your reporting software on this file to see who browsed where on the Internet, how much bandwidth was used, etc. You can use the script below to append the current log to a monthly archive, so you end up with a directory of monthly access.log files. Note that squid keeps access.log open while it runs; the script simply empties the live file after copying it, so any requests logged between the copy and the truncation are lost. The supported way to rotate is squid -k rotate (together with logfile_rotate in squid.conf), which makes squid close and reopen its logs.

#!/bin/bash
##############################################################################
# Copyright : LDS - http://www.lds.za.net/
#
# Variables : ARCHIVE  - directory where the SQUID files are archived
#           : LOGDIREC - location of the live SQUID log directory
#           : SQUIDLOG - SQUID log file name
##############################################################################
ARCHIVE=/var/log/archive/squid
LOGDIREC=/var/log/squid
SQUIDLOG=access.log
MONTH=`date +'%Y%m'`

set -o pipefail
mkdir -p "$ARCHIVE"
rm -f "$ARCHIVE/$SQUIDLOG"
# Take a copy of the live log (keeping owner and mode), then empty the live file
cp -dp "$LOGDIREC/$SQUIDLOG" "$ARCHIVE/$SQUIDLOG"
cp /dev/null "$LOGDIREC/$SQUIDLOG"
cd "$ARCHIVE" || exit 1

# Unpack this month's archive if there already is one, so the new data can be
# appended to it; on the first run of the month start with an empty file
if [ -f "./$MONTH.gz" ]; then
    mv "./$MONTH.gz" ./temp.gz
    gunzip ./temp.gz
else
    : > ./temp
fi

# Append the new log data to the month's archive and recompress it; if that
# fails keep the unpacked data under a dated "failed-" name instead of losing it
if cat ./temp "$SQUIDLOG" | gzip > "./$MONTH.gz"; then
    rm -f ./temp
else
    mv ./temp "failed-`date +'%Y%m%d'`"
fi
#
# END OF SCRIPT
##############
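The reporting step above reads the native-format access.log lines. As an added example (not from the original post and not the LDS script), here is a small Python summariser for that format: bytes per user, bytes per site, cache hit ratio and denied requests. The field layout is squid's native log format (timestamp, elapsed ms, client, code/status, bytes, method, URL, ident/user, hierarchy/peer, content type); SAMPLE_LOG is constructed for this example.

```python
"""Summarise a squid native-format access.log (added example, constructed data)."""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines in squid's native access.log format.
# The eighth field is the authenticated user, or "-" when there was none.
SAMPLE_LOG = """\
1217235600.123    245 192.168.0.10 TCP_MISS/200 4521 GET http://www.example.com/index.html jonathan DIRECT/203.0.113.10 text/html
1217235601.456     12 192.168.0.11 TCP_HIT/200 4521 GET http://www.example.com/index.html - NONE/- text/html
1217235602.789    901 192.168.0.10 TCP_MISS/200 1048576 GET http://downloads.example.net/big.iso jonathan DIRECT/203.0.113.20 application/octet-stream
1217235603.000      3 192.168.0.12 TCP_DENIED/407 1739 GET http://www.example.org/ - NONE/- text/html
1217235604.250    310 192.168.0.12 TCP_MISS/200 8800 CONNECT mail.example.org:443 bob DIRECT/203.0.113.30 -
1217235605.500      5 192.168.0.10 TCP_DENIED/403 1500 GET http://www.badsite.example/ jonathan NONE/- text/html
"""


def parse_line(line):
    """Split one native-format line into a dict; None for lines that are not
    in that format (e.g. a partial line left by a truncated write)."""
    fields = line.split()
    if len(fields) < 10 or "/" not in fields[3]:
        return None
    code, status = fields[3].split("/", 1)
    return {
        "ts": float(fields[0]),
        "elapsed_ms": int(fields[1]),
        "client": fields[2],
        "code": code,            # TCP_MISS, TCP_HIT, TCP_DENIED, ...
        "status": int(status),
        "bytes": int(fields[4]),
        "method": fields[5],
        "url": fields[6],
        "user": fields[7],       # "-" when the request carried no credentials
        "peer": fields[8],
        "ctype": fields[9],
    }


def site_of(entry):
    """Host the request went to; CONNECT lines carry host:port, not a URL."""
    if entry["method"] == "CONNECT":
        return entry["url"].rsplit(":", 1)[0]
    return urlsplit(entry["url"]).hostname or entry["url"]


def summarise(text):
    """Per-user and per-site byte counts, hit ratio and denied-request count."""
    per_user = defaultdict(int)
    per_site = defaultdict(int)
    hits = total = denied = 0
    for line in text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        total += 1
        if e["code"] == "TCP_DENIED":
            denied += 1          # only the error page was sent, not browsing
            continue
        if "HIT" in e["code"]:   # TCP_HIT, TCP_MEM_HIT, TCP_IMS_HIT, ...
            hits += 1
        per_user[e["user"]] += e["bytes"]
        per_site[site_of(e)] += e["bytes"]
    served = total - denied
    return {
        "per_user": dict(per_user),
        "per_site": dict(per_site),
        "hit_ratio": hits / served if served else 0.0,
        "denied": denied,
        "total": total,
    }


def top(counts, n=5):
    """Largest consumers first."""
    return sorted(counts.items(), key=lambda kv: kv[1], reverse=True)[:n]


if __name__ == "__main__":
    s = summarise(SAMPLE_LOG)
    print("requests: %d, denied: %d, hit ratio: %.0f%%"
          % (s["total"], s["denied"], 100 * s["hit_ratio"]))
    for user, n in top(s["per_user"]):
        print("user %-10s %10d bytes" % (user, n))
    for site, n in top(s["per_site"]):
        print("site %-25s %10d bytes" % (site, n))
```

Denied requests are counted separately rather than charged to a user or site, because their byte count is only squid's error page; with the ACLs later in this post, a TCP_DENIED/407 line is a request that was challenged for credentials and a TCP_DENIED/403 line is one that hit a deny rule.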

ftp_user squid@lds.za.net - This specifies the e-mail address squid sends as the password when it logs in to anonymous FTP sites.

auth_param basic program /usr/lib/squid/smb_auth -W CORE -U
The above line sends basic authentication requests to a Microsoft-based authentication server (normally a domain controller) through the smb_auth helper; -W names the domain. The argument after -U is missing from the line as posted. Keep in mind that basic authentication carries the user's password in cleartext between the browser and the proxy, so only use it on a trusted internal network.

auth_param basic children 8
auth_param basic realm AOSL Proxy Server
auth_param basic credentialsttl 2 hours

The above lines set the options for the authentication module: how many helper processes squid starts, the realm text shown in the browser's login prompt, and how long a verified username/password is cached before squid asks the helper again.

client_lifetime 1 hour - This is the maximum time a client connection may stay open. It prevents idle connections (an Internet Explorer window left open on a PC) from hogging the squid process's file descriptors; note that a transfer that takes longer than this is cut off as well.

half_closed_clients off - This works together with the option above. Some clients half-close a connection (stop sending) while still waiting for the reply; with this set to off squid closes such connections straight away instead of keeping them open.

shutdown_lifetime 3 seconds - This speeds up the shutdown when you stop squid; the default is to wait 30 seconds for active connections to finish.

acl password proxy_auth REQUIRED - This defines an ACL that matches any request carrying credentials the authentication helper accepted. Used in an http_access line (see below) it forces authentication for every request that reaches that line.

The options below give you control over which internal IPs may do anything, which sites are blocked, and so on. Note that BONYUSERS uses dst, so it matches requests going to that network, not requests coming from it (that would be src).

acl openip src "/etc/squid/openip.cfg"
acl badsites dstdomain "/etc/squid/badsites.cfg"
acl opensites dstdomain "/etc/squid/opensites.cfg"
acl restricted_sites dstdomain "/etc/squid/restricted_sites"
acl restricted_users proxy_auth "/etc/squid/restricted_users"
acl priv_sites dstdomain "/etc/squid/priv_sites"
acl priv_users proxy_auth "/etc/squid/priv_users"
acl BONYUSERS dst 160.254.119.0/24

The file names at the end (which you must create yourself, one entry per line) say what each file contains and what it does for you.

The lines below "activate" the ACLs above. Squid evaluates http_access lines in order and the first line that matches decides; a line listing several ACLs matches only when all of them match. Because allow openip and allow opensites come before deny badsites and allow password, hosts listed in openip.cfg and requests to sites in opensites.cfg bypass both the bad-site block and authentication. That is the intention here, but check the order again every time you add a line, and finish the list with http_access deny all (with all defined as in the stock squid.conf) so that the default is explicit rather than "the opposite of the last line".

http_access allow BONYUSERS
http_access allow openip
http_access allow opensites
http_access allow restricted_users restricted_sites
http_access deny restricted_users
http_access allow priv_users priv_sites
http_access deny badsites
http_access allow password
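To see how the ordering works out for real requests, here is an added example (not part of the original post and not squid code) that models squid's first-match http_access evaluation over exactly the lines above. The contents of the /etc/squid/*.cfg files and the requests are constructed; the model follows squid's documented rules: all ACLs on a line must match, the first matching line wins, and when no line matches the result is the opposite of the last line's action. It also models the behaviour that evaluating a proxy_auth ACL for a request without credentials makes squid answer with a 407 challenge.

```python
"""First-match model of the http_access list above (added example, constructed data)."""
import ipaddress

# Constructed stand-ins for the /etc/squid/*.cfg files referenced in the post.
ACLS = {
    "openip":           ("src",        {"192.168.0.5"}),
    "badsites":         ("dstdomain",  {".badsite.example"}),
    "opensites":        ("dstdomain",  {".updates.example"}),
    "restricted_sites": ("dstdomain",  {".intranet.example"}),
    "restricted_users": ("proxy_auth", {"bob"}),
    "priv_sites":       ("dstdomain",  {".hr.example"}),
    "priv_users":       ("proxy_auth", {"alice"}),
    "BONYUSERS":        ("dst",        {"160.254.119.0/24"}),
    "password":         ("proxy_auth", "REQUIRED"),
    "all":              ("all",        None),   # as defined in the stock squid.conf
}

# The http_access lines from the post, in order.
HTTP_ACCESS = [
    ("allow", ["BONYUSERS"]),
    ("allow", ["openip"]),
    ("allow", ["opensites"]),
    ("allow", ["restricted_users", "restricted_sites"]),
    ("deny",  ["restricted_users"]),
    ("allow", ["priv_users", "priv_sites"]),
    ("deny",  ["badsites"]),
    ("allow", ["password"]),
]

# The same list with the explicit catch-all the list should end with.
HARDENED = HTTP_ACCESS + [("deny", ["all"])]


def domain_matches(host, patterns):
    """squid dstdomain: a leading dot matches the domain and all its subdomains."""
    for pat in patterns:
        if pat.startswith("."):
            if host == pat[1:] or host.endswith(pat):
                return True
        elif host == pat:
            return True
    return False


def acl_matches(name, req):
    """True/False, or "challenge" when a proxy_auth ACL meets a request without credentials."""
    kind, value = ACLS[name]
    if kind == "all":
        return True
    if kind == "src":
        return req["src"] in value
    if kind == "dst":
        return any(ipaddress.ip_address(req["dst_ip"]) in ipaddress.ip_network(n)
                   for n in value)
    if kind == "dstdomain":
        return domain_matches(req["host"], value)
    if kind == "proxy_auth":
        if req["user"] is None:
            return "challenge"
        return True if value == "REQUIRED" else req["user"] in value
    raise ValueError(kind)


def evaluate(req, rules=HTTP_ACCESS):
    """First matching line decides; returns 'allow', 'deny' or 'challenge'."""
    for action, names in rules:
        matched = True
        for name in names:          # ACLs on one line are ANDed, left to right
            r = acl_matches(name, req)
            if r == "challenge":
                return "challenge"
            if not r:
                matched = False
                break
        if matched:
            return action
    # No line matched: squid applies the opposite of the last line's action.
    return "deny" if rules[-1][0] == "allow" else "allow"


def request(src, host, user=None, dst_ip="203.0.113.10"):
    """Constructed request: client IP, destination host, authenticated user (or None)."""
    return {"src": src, "host": host, "user": user, "dst_ip": dst_ip}


if __name__ == "__main__":
    cases = [
        ("openip host to a bad site",        request("192.168.0.5",  "www.badsite.example")),
        ("authenticated user to a bad site", request("192.168.0.50", "www.badsite.example", "alice")),
        ("restricted user outside his sites", request("192.168.0.50", "www.example.org", "bob")),
        ("no credentials to a normal site",  request("192.168.0.50", "www.example.org")),
    ]
    for label, req in cases:
        print("%-36s %s" % (label, evaluate(req)))
```

Two things the run makes visible: a host in openip.cfg reaches a site in badsites.cfg, because allow openip sits above deny badsites; and an unauthenticated request to an ordinary site is challenged at the restricted_users line, since that proxy_auth ACL is the first one evaluated for it. The last two assertions in the test show why an explicit deny all matters: with a list that ends in a deny line and matches nothing, the implicit default is allow.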

The rest of the configuration file is not much needed; every other directive is explained in the comments of the configuration files under /etc/squid.

As stated earlier, please post a comment if you need more help.

2 comments:

Jonathan said...

Thanks - a very helpful guide. I've now set up a caching proxy on my home LAN, primarily so that of my various computers (all Fedora 9) only the first has to fetch the updates externally and the others can update from the cache. But I noticed the box the squid server is on will not use the cache.

I've inserted iptables rules to redirect traffic from 127.0.0.1, 192.168.0.1 and its public IP address to port 3128, but this doesn't seem to work. Any clues?

Thanks,
Jonathan

Linux Guru said...

Hi There! Sorry about the LATE response!!

You should set your CACHE_PARENT to the main squid proxy server. This will tell each Linux box to fetch the cache from the main proxy server.