Squid Proxy Server

This document will describe how to get a Squid Proxy Server up and running for your LAN using FreeBSD and Squid. The info on the configuration file is by no means comprehensive. There is a lot that you might need to do differently, but I am running pretty much the same installation for around 100 users and it has served me very well so far in my situation. Also, I am not going into detail configuring the cache manager here. Just plain Squid Proxy Caching for your LAN.

Requirements

A freshly installed FreeBSD 6.1 RELEASE system.

Updated ports tree.

Your favorite text editor.

Installation

When installing the FreeBSD OS for use with Squid, I have used a partition layout like below:

512M /

512M /tmp

1024M swap

5G /var

15G /usr

~58G /squidcache

It would be better to run the cache off an extra disk. It would be better to run it off a super high speed disk. It would be even better to run the cache off multiple RAID configured fast SCSI disks. All this would really add performance, but I had to work with what I had.

cd /usr/ports/www/squid31/ && make install clean

When installing Squid it will ask you to check a few options -- I checked SQUID_LARGEFILE additionally to what was checked by default. I assume Squid is going to build and install correctly here.

Configuration

cd /usr/local/etc/squid/

echo 'squid_enable="YES"' >> /etc/rc.conf

Note: If there is no squid.conf file, copy ot over from the .default file

cp squid.conf.default squid.conf

Now we need to configure the squid.conf file to suit our needs. That file is really massive and a lot of configuration can be done. Personally, I am living with just a few entries.

Open /usr/local/etc/squid/squid.conf as root and make sure that your config file contains these entries:

ee /usr/local/etc/squid/squid.conf

######CONFIG START

http_port 3128

hierarchy_stoplist cgi-bin ?

acl QUERY urlpath_regex cgi-bin ?

no_cache deny QUERY

cache_mem 8 MB

maximum_object_size 50960 KB

maximum_object_size_in_memory 16 KB

cache_dir diskd /squidcache/squid/cache 80000 16 256

cache_access_log /var/log/squid/access.log

cache_log none

cache_store_log none

pid_filename /var/run/squid.pid

hosts_file /etc/hosts

auth_param basic children 5

auth_param basic realm Squid proxy-caching web server

auth_param basic credentialsttl 2 hours

auth_param basic casesensitive off

refresh_pattern ^ftp: 1440 20% 10080

refresh_pattern ^gopher: 1440 0% 1440

refresh_pattern . 0 20% 10080

acl all src 0.0.0.0/0.0.0.0

acl manager proto cache_object

acl localhost src 127.0.0.1/255.255.255.255

acl to_localhost dst 127.0.0.0/8

acl SSL_ports port 443 563

acl Safe_ports port 80 # http

acl Safe_ports port 8080 #also http

acl Safe_ports port 21 # ftp

acl Safe_ports port 443 563 # https, snews

acl Safe_ports port 70 # gopher

acl Safe_ports port 210 # wais

acl Safe_ports port 1025-65535 # unregistered ports

acl Safe_ports port 280 # http-mgmt

acl Safe_ports port 488 # gss-http

acl Safe_ports port 591 # filemaker

acl Safe_ports port 777 # multiling http

acl CONNECT method CONNECT

acl blacklist dstdomain "/usr/local/etc/squid/blacklist.txt"

http_access deny blacklist

http_access allow manager

http_access deny !Safe_ports

http_access deny CONNECT !SSL_ports

#change below 10.0.1.0/24 to what matches your LAN IP address space

acl our_networks src 10.0.1.0/24

http_access allow our_networks

http_access allow localhost

http_access deny all

http_reply_access allow all

icp_access allow all

cache_mgr you@somedomain.com

cache_effective_user squid

visible_hostname proxy.yourdomain.com

cachemgr_passwd secret all

coredump_dir /squidcache/coredump

######CONFIG END

At this point, save the changes you made to the squid.conf file. Then, create the directories we have defined in our squid.conf file

mkdir /squidcache/squid

mkdir /squidcache/coredump/

mkdir /squidcache/coredump/cache

mkdir /var/log/squid

touch /usr/local/etc/squid/blacklist.txt

touch /var/run/squid.pid

echo '.123.com' >> /usr/local/etc/squid/blacklist.txt

chown -R squid:squid /usr/local/etc/squid/blacklist.txt

chown -R squid:squid /var/log/squid

chown -R squid:squid /var/run/squid.pid

chown -R squid:squid /squidcache

squid -z #needed once to create the cache directories

reboot #to reboot the machine

If everything has started up the way it should, you should now be able to point any browser (from within your LAN) to proxy.yourdomain.com:3128, and surf away. You can take a peek at the access.log file by opening a second terminal and running the following as root:

tail -f /var/log/squid/access.log

Note: Remember you set hosts_file /etc/hosts in the squid.conf file? Go and read this and fill your /etc/hosts with all types of ad-ware and spam-ware sites pointing to localhost. This will really save some bandwidth as squid will block all kinds of bad stuff for your Users.

We also setup a simple acl entry to deny access to domains listed in /usr/local/squid/blacklist.txt. The blacklist.txt file takes one domain per line. After adding a domain to that file such as .microsoft.com, everybody will be denied access to .microsoft.com. Of course you can get way more complicated than that, but for me it was enough until now. I used to use a redirector called squid guard for a while, but it seems that project is no longer maintained and it's successor is commercial software. You can test the acl entry by trying to point your browser to . You should get an access denied message from squid as we added .123.com into the blacklist.txt file. After making changes to any configuration file, you must make squid reread its config files using

squid -k reconfigure

One last thing: After a few months of using the above installation, one morning I found squid core dumping on me under heavy load. I saw numerous entries in dmesg like the following:

Aug 25 10:14:02 hugin kernel: pid 672 (squid), uid 100: exited on signal 6 (core dumped)

Aug 25 10:14:02 hugin squid[438]: Squid Parent: child process 672 exited due to signal 6

I added the following entries to /boot/loader.conf to correct the problem:

ee /boot/loader.conf

kern.ipc.msgmnb=8192

kern.ipc.msgmni=40

kern.ipc.msgseg=512

kern.ipc.msgssz=64

kern.ipc.msgtql=2048

After adding those, reboot the server, and everything should be just fine even under more heavy loads.

By now you should have a fully functional proxy server. It is kind of cool to know what it is doing, so I installed Apache and Webalizer as well.

If you spot mistakes, or if you have good suggestions to the above config-file, please write me, or post the change in the comments. I will then update the text accordingly.