Posted 15.01.2007 | Updated 16.01.2007 | Contributed by Andy Mallett
Developed by the National Laboratory for Applied Networking Research, SQUID is an open source program that caches web and other internet content in a Unix-based proxy server.
In an enterprise that uses the internet, a proxy server acts as an intermediary between a workstation user and the internet so that the enterprise can enforce security and administrative control and provide a caching service.
A proxy server is associated with, or more usually part of, a gateway system that separates the enterprise network from the outside network and a firewall server that protects the enterprise network from outside intrusion.
A proxy server receives a request for an internet service (such as a web page request) from a user. If it passes filtering requirements, the proxy server, assuming it is also a cache server, looks in its local cache of previously downloaded web pages.
If it finds the page, it returns it to the user without needing to forward the request to the internet. If the page is not in the cache, the proxy server, acting as a client on behalf of the user, uses one of its own IP addresses to request the page from the server out on the internet.
When the page is returned, the proxy server relates it to the original request and forwards it on to the user.
Prerequisites
Squid requires Perl to be installed prior to starting. The Squid server must of course be able to 'see' the internet.
Obtaining Squid
Download Squid from squid-cache.org or squid-2.6.STABLE7.tar.gz (current stable version at time of writing) from the rather generous NoBlueScreens archives (1.5MB).
Installation
In the following example, the squid tarball squid-2.6.STABLE7.tar.gz has been downloaded to the /src directory. Modify these instructions if your circumstances differ..
cd /src
tar -zxvf squid-2.6.STABLE7.tar.gz
cd squid-2.6.STABLE7
./configure
make
make install
If an explanation of these steps is required, see Installing Stuff. The completed install will be nestling comfortably by default under /usr/local/squid.
Next create a user called squid. The user called squid is required to run the squid service..
adduser
Username: squid
Full name: Squid User
Uid (Leave empty for default):
Login group [squid]:
Login group is squid. Invite squid into other groups? []:
Login class [default]:
Shell (sh csh tcsh bash2 nologin) [sh]: nologin
Home directory [/home/squid]:
Use password-based authentication? [yes]:
Use an empty password? (yes/no) [no]: yes
Lock out the account after creation? [no]:
Username : squid
Password :
Full Name : Squid User
Uid : 1004
Class :
Groups : squid
Home : /home/squid
Shell : /usr/sbin/nologin
Locked : no
OK? (yes/no): y
Configuration
As usual, prior to configuring the thing, back up the default config file just in case you make a complete pig's ear of it all..
cd /usr/local/squid/etc
cp squid.conf squid.conf.bak
The astute player will note that the Squid designers have already made a default backup copy of this file, called squid.conf.default. Smart. It's always good practice to make a file backup when installing things, allowing you to quickly start again if necessary. You'll see why when you see what's contained in this file.
Basic configuration is achieved using your text editor of choice. I use vi for its friendly interface and ease of use..
vi /usr/local/squid/etc/squid.conf
Squid is almost infinitely configurable. My version of the file kicks in at a weighty (for a text file) 150KB+ with over 4000 lines of config code to stuff around with. Don't be put off: much of it consists of the rather extensive explanations of the various config options. Fortunately for the uptight, near-instant gratification is at hand by plunging through with just a few basic configuration settings.
Note that nearly everything is remarked out with a hash #. These are the default settings. If you don't need to change the default, you shouldn't uncomment or otherwise alter the line.
Oh, and you can use the jolly handy :set num command in vi to view the line numbers..
Noteworthy entries..
At approx line 75:
http_port 3128 - port 3128 is the default and the usual port to use. Note this line is unhashed by default. Some people use port 8080 'cos it's easier to remember and also very common. Just change the number if required.
At approx line 1031:
# cache_dir ufs /usr/local/squid/var/cache 100 16 256 - the value 100 denotes 100MB cache size. This can be adjusted to a different size. Adjust as required and unhash the line. If you're happy with it as it is, leave it untouched and still hashed.
At approx line 2556:
# http_access deny all - by default, http_access is denied to everybody, so this area needs some modification, otherwise the whole thing's about as useless as an ashtray on a motorbike.
The Access Control rules should be modified to allow access only to the trusted clients. A typical example is to allow a certain IP Address range. The following two lines will allow workstations on the relevant subnet to access the proxy server..
2581 acl localnet src 192.168.0.0/255.255.255.0
2582 http_access allow localnet
Note that the approximate line numbers are included at the beginning. Modify the IP range to suit your circumstances.
At approx line 2864:
# cache_effective_user nobody - set this directive to cache_effective_user squid and unhash the line. As previously mentioned, the squid service will run as the user squid and this setting will make that happen. The user squid should also have permissions to create, read and write the cache directory:
chown squid:squid /usr/local/squid/var
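Squid checks http_access lines from top to bottom and acts on the first one that matches, so it matters where the two localnet lines land relative to an active http_access deny all. The script below is an added example, not part of the original article or of the Squid distribution: it audits the directives covered above. The names audit_squid_conf and EXPECT_USER are introduced here, and the sample config is constructed.

```shell
#!/bin/sh
# Added example: audit the squid.conf directives discussed above.
# Reads a config from a file argument or stdin, prints one WARN line per
# finding and returns non-zero if there was any. audit_squid_conf and
# EXPECT_USER (default "squid") are names made up for this example.
audit_squid_conf() {
    awk -v expect="${EXPECT_USER:-squid}" '
    function warn(where, msg) { print "WARN " where ": " msg; bad++ }
    /^[ \t]*#/ || /^[ \t]*$/ { next }            # hashed-out or blank line
    $1 == "acl" && $3 == "src" && $2 != "all" { src[$2] = 1 }
    $1 == "cache_effective_user" { user = $2 }
    $1 == "http_access" && $2 == "deny" && $3 == "all" && NF == 3 {
        if (!deny_all) deny_all = NR             # first active catch-all
        next
    }
    $1 == "http_access" && $2 == "allow" {
        # Rules are first-match: nothing after "deny all" is ever reached.
        if (deny_all) warn("line " NR, "allow rule follows http_access deny all")
        limited = 0                              # names a client-address ACL?
        for (i = 3; i <= NF; i++) if (($i) in src) limited = 1
        if (!limited) warn("line " NR, "allow rule not limited to a src ACL")
    }
    END {
        if (!deny_all) warn("config", "no active http_access deny all")
        if (user != expect)
            warn("config", "cache_effective_user is " (user == "" ? "unset" : user))
        exit (bad > 0)
    }' "$@"
}

# Constructed sample: the two localnet lines pasted below the catch-all,
# with cache_effective_user still hashed out.
audit_squid_conf <<'EOF' || echo "squid.conf needs attention"
http_port 3128
acl all src 0.0.0.0/0.0.0.0
http_access deny all
acl localnet src 192.168.0.0/255.255.255.0
http_access allow localnet
# cache_effective_user nobody
EOF
```

To check the real file, run audit_squid_conf /usr/local/squid/etc/squid.conf before starting Squid.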
Client Configuration
Configuring squid for proxy
By default, squid is configured as a direct proxy. In order to cache web traffic with squid, the browser on the users' workstations must be configured to use the squid proxy. This needs the following information:
- the proxy server's host name
- the port by which the proxy server accepts connections
So typically tell the workstation's web browser to point to the proxy's IP Address or Host Name and probably port 3128, as previously noted.
Starting Squid
After you've finished editing the configuration file, you can start Squid for the first time. First, you must create the swap directories. Do this by running Squid with the -z option:
/usr/local/squid/sbin/squid -z
If all goes well, Squid will create a /usr/local/squid/var/cache directory, with a shitload of hexadecimally-named subdirectories inside it. Any problems here should be indicated on-screen. Make sure squid has permissions to create stuff inside /usr/local/squid/var (as enabled with the chown command previously).
Once that completes, you can start Squid. Best thing to do first time is run Squid from a terminal and watch the debugging output. Use this command:
/usr/local/squid/sbin/squid -NCd1
If everything is working fine, then your console displays: "Ready to serve requests". Use CTRL C to break into the process. To run squid in the background as a daemon process, simply use:
/usr/local/squid/sbin/squid
Once in use, Squid should noticeably speed up the subjective experience of surfing regularly accessed websites, as pages will be grabbed from its cache rather than directly from the site. Additionally, internet use can be monitored and controlled. Nice..
Tweaking it
The basic setup is reasonably straightforward and further tweaking is recommended to tailor it to your own needs. If you run Squid on a LAMP Server, you can also use the popular SARG to convert the Squid logfiles to something more humanly readable.
Links & References
http://www.squid-cache.org
http://www.visolve.com/squid
http://www.deckle.co.za/squid-users-guide/Main_Page
- A.