All Squid proxy server settings are made in the /etc/squid/squid.conf file. To start Squid for the first time, no changes are necessary in this file, but external clients are initially denied access: the proxy only accepts requests from localhost, on the default port 3128. The preinstalled /etc/squid/squid.conf provides detailed information about the options and many examples. Nearly all entries begin with # (the lines are commented out), and the option with its parameters follows at the end of the line. The given values almost always correspond to the built-in defaults, so removing the comment signs without changing any of the parameters has little effect in most cases. If possible, leave the sample line as it is and insert the option with the modified parameters in the line below it. This way, the default values and your changes remain easy to tell apart.
Adapting the Configuration File after an Update
If you have updated from an earlier Squid version, it is recommended to edit the new
http_port 3128
This is the port on which Squid listens for client requests. The default port is 3128, but 8080 is also common. If desired, specify several port numbers separated by blank spaces.
cache_peer hostname type proxy-port icp-port
Here, enter a parent proxy, for example, if you want to use the proxy of your ISP. As hostname, enter the name or IP address of the proxy to use and, as type, enter parent. For proxy-port, enter the port number that the operator of the parent also publishes for use in browsers, usually 8080. Set icp-port to 7 or 0 if the ICP port of the parent is not known and its use is irrelevant to the provider. In addition, default and no-query should be specified after the port numbers to prohibit the use of the ICP protocol. Squid then behaves like a normal browser as far as the provider's proxy is concerned.
cache_mem 8 MB
This entry defines the amount of memory Squid can use for the caches. The default is 8 MB.
cache_dir ufs /var/cache/squid 100 16 256
The entry cache_dir defines the directory where all
the objects are stored on disk. The numbers at the end indicate the
maximum disk space in MB to use and the number of
directories in the first and second level. The ufs
parameter should be left alone. The default is 100 MB
occupied disk space in the /var/cache/squid
directory and creation of 16 subdirectories inside it, each
containing 256 more subdirectories. When specifying the disk space to
use, leave sufficient reserve disk space. Values from a minimum of 50%
to a maximum of 80% of the available disk space make the most
sense here. The last two numbers for the directories should only be
increased with caution, because too many directories can also lead to
performance problems. If you have several disks that share the cache,
enter several cache_dir lines.
cache_access_log, cache_log, cache_store_log
These three entries specify the paths where Squid logs all its actions (the access log, the general log, and the store log). Normally, nothing is changed here. If Squid is experiencing a heavy usage burden, it might make sense to distribute the cache and the log files over several disks.
emulate_httpd_log off
If the entry is set to on, Squid writes its access log in the readable httpd (Apache) log format. Some evaluation programs cannot interpret this format, however.
client_netmask 255.255.255.255
With this entry, mask the client IP addresses in the log files to hide the clients' identity. The last octet of each IP address is set to zero if you enter 255.255.255.0 here; the default mask logs the full address.
ftp_user Squid@
With this, set the password Squid should use for the anonymous FTP login. It can make sense to specify a valid e-mail address here, because some FTP servers check these for validity.
cache_mgr webmaster
An e-mail address to which Squid sends a message if it unexpectedly crashes. The default is webmaster.
logfile_rotate 0
If you run squid -k rotate, Squid rotates its log files. The files are numbered in this process and, after reaching the specified value, the oldest file is overwritten. The default value is 0 because archiving and deleting log files in SUSE LINUX is carried out by a cron job set in the configuration file /etc/logrotate.d/squid.
append_domain <domain>
With append_domain, specify which domain to append automatically when none is given. Usually, your own domain is entered here, so entering www in the browser accesses your own Web server.
forwarded_for on
If you set the entry to off, Squid no longer passes the IP address and the system name of the client on in the HTTP requests it forwards (the X-Forwarded-For header). Leave it on and the parent proxy or the Web server learns the addresses of your internal clients.
negative_ttl 5 minutes; negative_dns_ttl 5 minutes
Normally, you do not need to change these values. If you have a dial-up connection, however, the Internet may at times not be accessible. Squid remembers the failed requests and then refuses to issue new ones for those objects and names, even though the Internet connection has been reestablished. In a case such as this, change minutes to seconds; after clicking Reload in the browser, the dial-up process should then be reengaged after a few seconds.
never_direct allow acl_name
To prevent Squid from fetching requests directly from the Internet, use the above command to force connection to another proxy. This proxy must have previously been entered in cache_peer. If all is specified as the acl_name, all requests are forced to be forwarded to the parent. This might be necessary, for example, if you are using a provider that strictly stipulates the use of its proxies or whose firewall denies direct Internet access.
Squid provides a detailed system for controlling the access to the proxy. By implementing ACLs, it can be configured easily and comprehensively. This involves lists with rules that are processed sequentially. ACLs must be defined before they can be used. Some default ACLs, such as all and localhost, already exist. However, the mere definition of an ACL does not mean that it is actually applied. This only happens in conjunction with http_access rules.
An ACL requires at least three specifications to define it:
    acl <acl_name> <type> <data>
The name <acl_name> can be chosen arbitrarily. For <type>, select from a variety of different options, which can be found in the ACCESS CONTROLS section in the /etc/squid/squid.conf file. The specification for <data> depends on the individual ACL type (for example, hostnames, IP addresses, or URLs) and can also be read from a file. The following are some simple examples:
    acl mysurfers srcdomain .my-domain.com
    acl teachers src 192.168.1.0/255.255.255.0
    acl students src 192.168.7.0-192.168.9.0/255.255.255.0
    acl lunch time MTWHF 12:00-15:00
http_access defines who is allowed to use the proxy and who can access what on the Internet. For this, ACLs must be given. localhost and all have already been defined above and can be used to deny or allow access via deny or allow. A list containing any number of http_access entries can be created. It is processed from top to bottom and the first entry whose ACLs all match decides whether access to the respective URL is allowed or denied. The last entry should always be http_access deny all. In the following example, the localhost has free access to everything while all other hosts are denied access completely.
    http_access allow localhost
    http_access deny all
In another example using the ACLs defined above, the group teachers always has access to the Internet. The group students only gets access Monday to Friday during lunch time (both ACLs on the line must match, so the lunch ACL is named after students, not its type time).
    http_access deny localhost
    http_access allow teachers
    http_access allow students lunch
    http_access deny all
The list with the http_access entries should, for the sake of readability, only be entered at the designated position in the /etc/squid/squid.conf file. That is, between the text
    # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR
    # CLIENTS
and the last
    http_access deny all
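To make the top-to-bottom processing concrete, the following is an added example written for this page; it is not Squid's own code and not part of the original manual. It models only the src, srcdomain and time ACL types used in the examples above, reads a constructed configuration (the ACLs from the text plus the built-in all and localhost, followed by the teachers/students rules), and decides requests the way Squid does: every ACL on an http_access line must match (a leading ! negates), the first matching line wins, and when no line matches the answer is the opposite of the last line's action, which is exactly why the list must end in http_access deny all. The dates and addresses in the sample requests are constructed.

```python
"""Toy model of Squid's acl / http_access processing (added example, not Squid code).
Only the src, srcdomain and time ACL types from the examples above are modelled."""
import ipaddress
from datetime import datetime

# Squid's day letters for the "time" ACL, mapped onto datetime.weekday() (0 = Monday).
DAY_LETTERS = {"M": 0, "T": 1, "W": 2, "H": 3, "F": 4, "A": 5, "S": 6}

def mask_int(mask: str) -> int:
    """Dotted netmask or prefix length; an empty mask means a single host."""
    if not mask:
        return 0xFFFFFFFF
    if mask.isdigit():
        return (0xFFFFFFFF << (32 - int(mask))) & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(mask))

def src_match(data: str, ip: str) -> bool:
    """src forms: a.b.c.d, a.b.c.d/mask, a.b.c.d-w.x.y.z/mask (a range of networks)."""
    addrs, _, mask = data.partition("/")
    m = mask_int(mask)
    lo, _, hi = addrs.partition("-")
    as_int = lambda a: int(ipaddress.IPv4Address(a)) & m
    return as_int(lo) <= as_int(ip) <= as_int(hi or lo)

def srcdomain_match(data: str, domain: str) -> bool:
    """A leading dot matches the domain itself and every subdomain; otherwise exact."""
    data, domain = data.lower(), domain.lower()
    if data.startswith("."):
        return domain == data[1:] or domain.endswith(data)
    return domain == data

def time_match(data: str, when: datetime) -> bool:
    """time forms: [day letters] [HH:MM-HH:MM], e.g. 'MTWHF 12:00-15:00' (D = weekdays)."""
    for part in data.split():
        if ":" in part:
            start, end = (int(h) * 60 + int(m) for h, m in (t.split(":") for t in part.split("-")))
            if not start <= when.hour * 60 + when.minute <= end:
                return False
        else:
            days = {DAY_LETTERS[c] for c in part if c != "D"} | (set(range(5)) if "D" in part else set())
            if when.weekday() not in days:
                return False
    return True

# ACL type -> (request field it inspects, matcher)
MATCHERS = {"src": ("ip", src_match), "srcdomain": ("domain", srcdomain_match), "time": ("when", time_match)}

def parse_conf(text: str):
    """Collect acl definitions and http_access rules. As in Squid, an http_access line
    may only name ACLs defined above it; a repeated acl name just adds more values."""
    acls, rules = {}, []
    for raw in text.splitlines():
        tok = raw.split("#", 1)[0].split()
        if not tok:
            continue
        if tok[0] == "acl":
            name, acl_type, data = tok[1], tok[2], " ".join(tok[3:])
            if acl_type not in MATCHERS:
                raise ValueError(f"ACL type {acl_type!r} is not modelled here")
            acls.setdefault(name, []).append((acl_type, data))
        elif tok[0] == "http_access":
            for name in tok[2:]:
                if name.lstrip("!") not in acls:
                    raise ValueError(f"http_access uses undefined ACL {name!r}")
            rules.append((tok[1], tok[2:]))
    return acls, rules

def acl_matches(acls, name: str, req: dict) -> bool:
    """An ACL matches if any of its values matches the request field for its type."""
    for acl_type, data in acls[name]:
        field, fn = MATCHERS[acl_type]
        if fn(data, req[field]):
            return True
    return False

def http_access(acls, rules, req: dict) -> str:
    """'allow' or 'deny': rules are tried top to bottom, every ACL on a line must match
    ('!' negates), the first matching line decides, and if nothing matches the result
    is the opposite of the last line. That is why 'http_access deny all' goes last."""
    for action, names in rules:
        if all(acl_matches(acls, n.lstrip("!"), req) != n.startswith("!") for n in names):
            return action
    last = rules[-1][0] if rules else "deny"
    return "deny" if last == "allow" else "allow"

# Constructed configuration: the acl examples from the text, the two built-in ACLs
# Squid defines, and the teachers/students rule set from the text.
SAMPLE_CONF = """
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl mysurfers srcdomain .my-domain.com
acl teachers src 192.168.1.0/255.255.255.0
acl students src 192.168.7.0-192.168.9.0/255.255.255.0
acl lunch time MTWHF 12:00-15:00

http_access deny localhost
http_access allow teachers
http_access allow students lunch
http_access deny all
"""

def decide(conf: str, ip: str, domain: str = "", when: str = "2004-03-10 13:00") -> str:
    """Evaluate one request; `when` defaults to a constructed Wednesday at 13:00."""
    acls, rules = parse_conf(conf)
    req = {"ip": ip, "domain": domain, "when": datetime.strptime(when, "%Y-%m-%d %H:%M")}
    return http_access(acls, rules, req)

if __name__ == "__main__":
    for ip, when in [("192.168.1.77", "2004-03-10 13:00"), ("192.168.8.5", "2004-03-10 13:00"),
                     ("192.168.8.5", "2004-03-13 13:00"), ("10.0.0.1", "2004-03-10 13:00")]:
        print(f"{ip:14} {when} -> {decide(SAMPLE_CONF, ip, when=when)}")
```

Running it shows the teacher allowed at any time, the student allowed on the Wednesday but denied on the Saturday, and the foreign address denied by the final rule. Dropping that final rule and sending a request that matches nothing returns allow, because the last remaining line is a deny; that inverted default is the mistake the text warns about.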
redirect_program <path>
With this option, specify a redirector such as squidGuard, which allows blocking unwanted URLs. Internet access can be individually controlled for various user groups with the help of proxy authentication and the appropriate ACLs. squidGuard is a separate package that can be installed and configured.
authenticate_program <path>
If users must be authenticated on the proxy, set a corresponding program, such as pam_auth. When accessing the proxy for the first time, the user sees a login window in which to enter the username and password. Because pam_auth uses the HTTP Basic scheme, these credentials travel between the browser and the proxy only base64-encoded, not encrypted, so keep the proxy on a trusted network. In addition, an ACL is still required, so only clients with a valid login can use the Internet:
    acl password proxy_auth REQUIRED
    http_access allow password
    http_access deny all
The REQUIRED after proxy_auth can be replaced with a list of permitted usernames or with the path to such a list.
ident_lookup_access allow <acl_name>
With this, have an ident request run for all ACL-defined clients to find each user's identity. If you apply all to the <acl_name>, this is valid for all clients. Also, an ident daemon must be running on all clients. For Linux, install the pidentd package for this purpose. For Microsoft Windows, free software is available for download from the Internet. To ensure that only clients with a successful ident lookup are permitted, define a corresponding ACL here:
    acl identhosts ident REQUIRED
    http_access allow identhosts
    http_access deny all
Here, too, replace REQUIRED with a list of permitted usernames. Keep in mind that the ident reply comes from the client machine itself and can be forged by anyone who controls it, so ident identifies users only on hosts you trust; it is not a substitute for proxy authentication. Using ident can also slow down the access time quite a bit, because ident lookups are repeated for each request.