- Squid setup
1. Squid
Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. It reduces bandwidth and improves response times by caching and reusing frequently-requested web pages. Squid has extensive access controls and makes a great server accelerator.
Being a CentOS geek, I am starting from the Squid RPM installation.
Edit squid.conf (FC8: conf, diff; RHEL4: conf, diff):
Create caches:
service squid stop
squid -z
Start Squid:
chkconfig --add squid
chkconfig squid on
service squid restart
2. Transparent proxying
Tell Squid to emit packets only from the internet-wide address:
tcp_outgoing_address 172.16.162.57
Configure /etc/sysconfig/iptables (redirect every internal network, but not the internet-wide address itself):
-A PREROUTING -s 172.16.162.57 -p tcp --dport 80 -j ACCEPT
-A PREROUTING -s 10.20.0.0/16 -p tcp --dport 80 -j REDIRECT --to-port 3128
-A PREROUTING -s 172.16.112.0/24 -p tcp --dport 80 -j REDIRECT --to-port 3128
-A PREROUTING -s 172.16.113.0/24 -p tcp --dport 80 -j REDIRECT --to-port 3128
-A PREROUTING -s 127.0.0.1/32 -p tcp --dport 80 -j REDIRECT --to-port 3128
Restart iptables:
/etc/init.d/iptables restart
3. Clients
Create a proxy autodiscovery script as explained here and configure browsers to use the script at
http://www.ourdom.com/proxy.pac
As a fallback, you can manually instruct browsers to use the unified proxy on host proxy.ourdom.com, port 3128, for all traffic except:
localhost, localhost.localdomain, 127.0.0.1, 10.20.0.0/16, .ourdom.com
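The proxy.pac below is an added example, not the script linked from the original page: it encodes the same policy as the manual fallback above (everything to proxy.ourdom.com:3128, the listed hosts, .ourdom.com and 10.20.0.0/16 direct). It deliberately uses its own helpers instead of the browser built-ins isInNet/dnsDomainIs, so the function can be exercised with Node before the file is published; like the manual exclusion list, the subnet check matches literal IPv4 hosts only (no DNS lookups).

```javascript
// Added example proxy.pac mirroring the manual browser settings on this page.
var PROXY = "PROXY proxy.ourdom.com:3128"; // the unified proxy
var DIRECT = "DIRECT";

// Exclusions, same as the manual fallback list above.
var directHosts = ["localhost", "localhost.localdomain", "127.0.0.1"];
var directDomains = [".ourdom.com"];
var directNets = [{ net: "10.20.0.0", mask: "255.255.0.0" }];

// Parse a dotted-quad IPv4 literal into an unsigned 32-bit number; null if not an IP.
function ipToInt(ip) {
  var parts = ip.split(".");
  if (parts.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i]) || Number(parts[i]) > 255) return null;
    n = n * 256 + Number(parts[i]);
  }
  return n;
}

// True when host is an IPv4 literal inside net/mask (no DNS resolution, so a
// hostname that resolves into 10.20/16 still goes through the proxy, as it does
// with the browser's manual exclusion list).
function inNet(host, net, mask) {
  var h = ipToInt(host), n = ipToInt(net), m = ipToInt(mask);
  if (h === null || n === null || m === null) return false;
  return ((h & m) >>> 0) === ((n & m) >>> 0);
}

// Entry point called by the browser for every URL.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  if (directHosts.indexOf(host) !== -1) return DIRECT;
  for (var i = 0; i < directDomains.length; i++) {
    var d = directDomains[i];
    // Suffix match: "www.ourdom.com" ends with ".ourdom.com", "notourdom.com" does not.
    if (host.length > d.length && host.slice(-d.length) === d) return DIRECT;
  }
  for (var j = 0; j < directNets.length; j++) {
    if (inNet(host, directNets[j].net, directNets[j].mask)) return DIRECT;
  }
  return PROXY;
}
```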
4. Wiki links
Edit /etc/httpd/conf.d/vhosts/admin.conf:
<VirtualHost *:443>
...
ScriptAlias /Squid/cgi-bin/cachemgr.cgi /usr/lib/squid/cachemgr.cgi
<Location /Squid>
Order Allow,Deny
Allow from 127.0.0.1 10.20 192.168 172.16 .ourdom.com
</Location>
...
</VirtualHost>
Create wiki links
5. Statistics
A Google search returns quite a few tools which claim to parse and analyze Squid logs: sarg, squidalyser, mysar and many commercial tools. However, their quality varies. In the past I used SARG (see installation tips), but it proved to be buggy and inflexible. Currently I maintain SAWstats, an improved version of AWstats. AWstats is a great log parser and analyzer with a nice web interface, but after years it still lacks Squid support, so I decided to fork.
6. Squidguard
Dag's squidguard for EL 4 is 1.2, too old.
I created the squidguard-1.3-1.vit.el4.src.rpm package for 1.3 with patches from squidguard.org.
Install the package:
rpm -ivh squidguard-1.3-1.vit.el4.x86_64.rpm
Download blacklists from: shallalist.de, rejik.ru, universite toulouse
I created a complete configuration file, squidguard-shalla.conf, as a reference for the shalla list.
Install new blacklists:
mkdir /var/lib/squidguard
cd /var/lib/squidguard
tar xzf shallalist.tar.gz
tar xzf banlists-2.x.x.tar.gz
tar xzf squidguard-localsite.tar.gz
Create the squidguard config file /etc/squid/squidguard.conf
Adjust config file...
Verify config file paths:
squidGuard -c /etc/squid/squidguard.conf -d -C xxx < /dev/null
Note 1: without the /dev/null redirection squidGuard stops on errors.
Note 2: -C defines which databases to rebuild. When a nonexistent database (xxx) is given, only the checks are performed; this way we avoid reindexing the huge pron lists.
Index the blacklists:
find /var/lib/squidguard -name '*.db' -exec rm '{}' ';'
squidGuard -c /etc/squid/squidguard.conf -d -C all < /dev/null
Verify that squidguard really protects:
echo "http://rose.ixbt.com/ 127.0.0.1 root GET" | squidGuard -d
echo "http://www.sex.com/ 127.0.0.1 root GET" | squidGuard -d
Restore directory rights:
chown -R squid:squid /var/lib/squidguard /var/log/squidguard /etc/squid/squidguard
Create redirection stubs in /var/www/squidguard:
cd /
tar xpzf squidguard-www.tar.gz
Edit /etc/httpd/conf.d/vhosts/www.inc and add the /guarded location to www.ourdom.com:
Alias /guarded /var/www/squidguard
Tell squid about squidguard via a line in /etc/squid/squid.conf:
redirect_program /usr/bin/squidGuard -c /etc/squid/squidguard.conf
Restart squid:
service squid restart
Create a script /etc/localsite/squid/update-guard-rules which should be invoked after each modification of the squidguard rules (the pipe must stay on the same line as the squidGuard command, otherwise sh fails with a syntax error on the leading |):
#!/bin/sh
# Rebuild all squidGuard databases; stdin comes from /dev/null so squidGuard
# does not wait for input, stderr is merged so progress noise can be filtered.
echo "Reindexing rules - Please be patient, it may take a while ..."
squidGuard -c /etc/squid/squidguard.conf -d -C all < /dev/null 2>&1 |
    grep -vF '.....' | grep -vF '100 % done'
# Rebuilt .db files are owned by root; squid must be able to read them.
echo "Fixing permissions ..."
chown -R squid:squid /var/lib/squidguard/
# Make the running squid restart its redirector helpers with the new databases.
echo "Signaling squid ..."
squid -k reconfig
7. Hints
7.1. Transparency
Since HTTP headers do not carry destination port information, redirecting several ports to one proxy port loses the destination port. Therefore only port 80 can be redirected transparently.
-A PREROUTING -s 192.168.92.128 -p tcp --dport 80 -j ACCEPT
-A PREROUTING -s ! 192.168.92.128 -p tcp --dport 80 -j REDIRECT --to-port 3128
7.2. SSL traffic goes direct
There can be situations where Squid works behind an upstream proxy, and all targets except local servers (listed under always_direct allow) should be sent through it. However, for unknown reasons Squid decides that SSL traffic should be sent directly to the destination hosts. This can be helped by:
prefer_direct off
and (especially!)
nonhierarchical_direct off
7.3. Transparent SSL
This is not possible with current Squid. Port 443 should be routed around Squid.
7.4. Masquerading
In the simplest form, masquerading is set up with this iptables line in the *nat section:
-A POSTROUTING -o eth0 -j MASQUERADE
For better security one can limit the ports allowed for masquerading:
-A POSTROUTING -s 192.168.117/24 -m multiport --dports 80,443 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.20/16 -m multiport --dports 80,443 -o eth0 -j MASQUERADE
Other ports e.g. 8000, 8008, 8080, 8100, 8888 et cetera can be considered too.
7.5. Squid 2.6 syntax change
This
http_port 79
httpd_accel_host 161.3.50.16
httpd_accel_port 81
httpd_accel_with_proxy off
httpd_accel_uses_host_header off
changed to
http_port 79 defaultsite=161.3.50.16 vhost vport=81
Related Links
- Squid project page
- Setting up squid with access restrictions
- Squid FAQ russian
- [guard] Squidguard
- [guard] Squidguard 1.3 configuration reference (local)
- [guard] Squidguard Ubuntu help
- [guard] How to remove banners from web pages (linux.org.ru)
- [guard] Rejik - remove pron and banners
- [guard] Shallalist home
- [guard] Removing banners by native squid features (lissyara)
- [guard] Anti-banner (squid.opennet.ru)
- [other] Direct support of mysql in squid
- [traffic] Pretty rough technique (opennet.ru)
- [transparent] Transparent proxy - better technique
- [transparent] Transparent proxy with Squid