Squid is the most popular high-end web proxy, used by both small and large organizations and by ISPs around the world. It improves web browsing performance and conserves bandwidth. It also has a very rich Access Control List (ACL) system, which can be configured to act as a superb filter and can also act as a firewall.

The Squid project is currently run entirely by volunteers. It has a small but very talented and professional group of developers. I request everybody using Squid to help this great project in their own respective ways. You can participate directly in its development, be a tester of its latest releases, or simply submit articles.

Or best of all, if you have the resources, please donate to this great and wonderful project. Whatever you donate, no matter how much, will go towards its development and R&D, which will benefit everybody and the internet community at large.

Please check the following URL for more details:

http://www.squid-cache.org/Intro/helping.dyn

This installation manual is for Squid-2.6.STABLE18, which is the latest as of today (23-Jan-2008). This How-To can be used either on Linux-based operating systems such as Debian or on BSD-based operating systems such as FreeBSD. For Solaris users, replace “make” with “gmake” and make sure that “/usr/sfw/bin” is in your PATH.

The guide below details the steps for creating a powerful Squid proxy server capable of serving thousands of users per second. Please refer to the graphs towards the end of this article for actual details.

Assumptions:

Two cache partitions, /cache1 and /cache2, of 20 GB each were created during OS installation
User squid and group squid exist on the OS
Incoming TCP connections are allowed on port 3128
A local BIND caching name server is installed on the OS

This How-To describes how to run a Squid transparent proxy server on FreeBSD-6.x or Linux-based operating systems in an enterprise/ISP environment serving thousands of users.

(1.) Download Squid into /usr/local/src

cd /usr/local/src
wget http://www.squid-cache.org/Versions/v2/2.6/squid-2.6.STABLE18.tar.gz

(2.) Unpack the tarball

tar zxvf squid-2.6.STABLE18.tar.gz

(3.) Change into the unpacked source directory and configure Squid with the following parameters

cd squid-2.6.STABLE18
./configure \
--bindir=/usr/local/sbin \
--sysconfdir=/usr/local/etc/squid \
--datadir=/usr/local/etc/squid \
--libexecdir=/usr/local/libexec/squid \
--localstatedir=/usr/local/squid \
--enable-removal-policies=heap,lru \
--enable-storeio=diskd,aufs,coss,ufs,null \
--enable-time-hack \
--enable-snmp \
--with-large-files \
--enable-large-cache-files \
--prefix=/usr/local \
--disable-ident-lookups \
--enable-cache-digests \
--enable-underscores \
--enable-kill-parent-hack \
--enable-follow-x-forwarded-for

(4.) If all goes well, run

make all
make install

(5.) We need to tune squid.conf to suit our preferences, so first set the installed default aside

cd /usr/local/etc/squid
mv squid.conf squid.default.conf

(6.) Use the following squid.conf

############## Start of squid.conf ###########

cache_effective_user squid
cache_effective_group squid

#hosts_file /etc/hosts

#Only if you have other proxies running and want to use them as sibling peers
#Uncomment them
#cache_peer proxy1.example.com sibling 3128 3130 proxy-only
#cache_peer proxy2.example.com sibling 3128 3130 proxy-only
#cache_peer proxy6.example.com sibling 3128 3130 proxy-only

#Remove 127.0.0.1 if you don’t have a local caching name server
dns_nameservers 127.0.0.1 IP.OF.ISP.DNSSERVER

#debug_options ALL,1 33,2 28,9

acl all src 0.0.0.0/0.0.0.0

#offline_mode off

icp_query_timeout 1000

high_memory_warning 500 MB

#If you have 2 or more different links, use them for load-balancing
#tcp_outgoing_address IP.Address.2nd.Router

visible_hostname proxy.example.com

httpd_suppress_version_string on

cache_mem 64 MB

#cache_replacement_policy heap LFUDA
cache_replacement_policy heap GDSF
memory_replacement_policy heap GDSF

cache_swap_low 90
cache_swap_high 95

maximum_object_size 131072 KB

########New test — Default is 8
maximum_object_size_in_memory 64 KB

#minimum_object_size 1 KB
#store_avg_object_size 20 KB

tcp_recv_bufsize 65535 bytes

ipcache_size 8192

fqdncache_size 8192

##If this proxy is also your gateway and if you want to block MSN messenger
##Uncomment the ACLs below

#acl msn-type req_mime_type -i ^application/x-msn-messenger$
#acl msn-type req_mime_type -i ^application/x-msnmsgrp2p
#http_access deny msn-type

#acl msnmessenger url_regex -i gateway.dll
#http_access deny msnmessenger
#acl msn req_mime_type -i ^application/x-msn-messenger
#http_access deny all msn

acl msnmess url_regex http://207.46.111.55/gateway/gateway.dll?
deny_info TCP_RESET msnmess
http_access deny msnmess

#forwarded_for on
#request_header_max_size 24 KB
#negative_dns_ttl 1 minutes
#positive_dns_ttl 1 hours
#negative_dns_ttl 60 seconds
#connect_timeout 60 seconds
#request_timeout 60 seconds
#pconn_timeout 30 seconds
high_page_fault_warning 10
high_response_time_warning 2000
client_persistent_connections off
server_persistent_connections on
half_closed_clients off

#If you need the high performance COSS storage scheme
#cache_dir coss /cache1/squid/coss 9216 max-size=131072 max-stripe-waste=16384 block-size=1024
#cache_dir coss /cache2/squid/coss 9216 max-size=131072 max-stripe-waste=16384 block-size=1024

#Diskd storage scheme
cache_dir diskd /cache1 6144 16 256 Q1=72 Q2=64
cache_dir diskd /cache2 6144 16 256 Q1=72 Q2=64

#Used for COSS only
#cache_swap_log /var/squid/%s

log_icp_queries off
cache_store_log none
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log

emulate_httpd_log on

acl spammers dstdomain .maxonlinejob.com .max-online.biz .maxjob.info
deny_info TCP_RESET spammers
http_access deny spammers

ftp_user [email protected]
cache_mgr [email protected]

#Block some common Microsoft bugs
acl msnbug url_regex http://msgr.dlservice.microsoft.com/download/1/A/4/1A4FEB1A-18E0-423A-B898-F697402E4F7F/Install_Messenger.exe
deny_info TCP_RESET msnbug
http_access deny msnbug

acl msnbug2 url_regex http://msgr.dlservice.microsoft.com/download/4/b/c/4bc83bb2-18dd-486f-943f-332a9b3e01dc/Install_MSN_Messenger_DL.exe
deny_info TCP_RESET msnbug2
http_access deny msnbug2

#No cache for the following sites
acl newssites dstdomain .cnn.com .bbcnews.com
no_cache deny newssites

refresh_pattern windowsupdate.com/.*\.(cab|exe) 4320 100% 43200 reload-into-ims
refresh_pattern update.microsoft.com/.*\.(cab|exe) 4320 100% 43200 reload-into-ims
refresh_pattern download.microsoft.com/.*\.(cab|exe) 4320 100% 43200 reload-into-ims

#Try to cache some google Earth stuff
acl QUERY urlpath_regex cgi-bin \? intranet
acl forcecache url_regex -i kh.google keyhole.com
no_cache allow forcecache
no_cache deny QUERY

#Don’t cache dynamic content
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY

refresh_pattern -i kh.google 1440 20% 10080 override-expire override-lastmod reload-into-ims ignore-reload
refresh_pattern -i keyhole.com 1440 20% 10080 override-expire override-lastmod reload-into-ims ignore-reload

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320

#Only if you want your Squid box to cache aggressively, not recommended

#refresh_pattern -i \.gif$ 600 50% 10080
#refresh_pattern -i \.jpe?g$ 600 50% 10080
#refresh_pattern -i \.tif?f$ 600 50% 10080
#refresh_pattern -i \.png$ 600 50% 10080
#refresh_pattern -i \.mov$ 600 50% 10080
#refresh_pattern -i \.qt$ 600 50% 10080
#refresh_pattern -i \.avi$ 600 50% 10080
#refresh_pattern -i \.mpe?g$ 600 50% 10080
#refresh_pattern -i \.wav$ 600 50% 10080
#refresh_pattern -i \.au$ 600 50% 10080
#refresh_pattern -i \.aif?f$ 600 50% 10080
#refresh_pattern -i \.ps$ 360 30% 10080
#refresh_pattern -i \.pdf$ 360 30% 10080
#refresh_pattern -i \.gz$ 360 30% 10080
#refresh_pattern -i \.Z$ 360 30% 10080
#refresh_pattern -i \.zip$ 360 30% 10080
#refresh_pattern . 180 50% 10180

#Configure downloading even after aborted requests.
quick_abort_min 0 KB
quick_abort_max 0 KB
#quick_abort_pct 99

negative_dns_ttl 2 minutes

acl mynetwork src 192.168.0.0/24 172.16.0.0/24 10.0.0.0/24

acl nimda urlpath_regex .*/winnt/system32/cmd.exe.* .*/MSADC/root.exe..c.dir$ .*/scripts/root.exe..c.dir$
acl Newvirus urlpath_regex .*/Cgi-bin/!Vip.exe.* .*/LE/isapitest.dll.*
acl BadURL urlpath_regex -i cmd.exe
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563 2082 2083 2086 2087 2093 2095 2096
acl Safe_ports port 80 21 443 563 70 210 8000 11999 2082 2083 2086 2087 2095 2096 8082 8090
acl CONNECT method CONNECT
acl worm dst 63.251.5.47 65.74.168.210
acl worm1 dstdomain kyamzaa.virtualave.net/com.exe
acl worm2 dstdomain kyamazza.virtualave.net/dos.exe

acl VIRUS urlpath_regex winnt/system32/cmd.exe?
acl VIRUS urlpath_regex ^/osa..gif
acl VIRUS urlpath_regex ^/./fils.php
acl VIRUS urlpath_regex ^/./999.jpg
acl VIRUS urlpath_regex ^/w.php
acl YAHOOATTACK urlpath_regex akamai.*yahoo.*config/login
acl INADDR_ANY dst 0.0.0.0/32
acl IpAddrProbeUA browser ^Mozilla/4.0.\(compatible;.MSIE.5.5;.Windows.98\)$
acl IpAddrProbeURL url_regex //[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/$

acl codered url_regex \/default\.ida$
http_access deny codered

acl gator_url url_regex \.gator.com
acl gator_domain_start dstdomain gator.com
http_access deny gator_url
http_access deny gator_domain_start

acl brazvir url_regex http://www.instituto.com.br/attackDoS.php
http_access deny brazvir

acl worm_url url_regex ^http://www.tradeexit.com/link1.html$
acl worm_url url_regex ^http://www.tradeexit.com/link2.html$
acl worm_url url_regex ^http://www.revistaprofashional.com.br/put?
acl worm_url url_regex ^http://www.putassp.com/put?
http_access deny worm_url

#Block unnecessary Microsoft updates
acl microsoft_url_1 urlpath_regex msdownload/update/v3-19990518/cabpool
http_access deny microsoft_url_1

###################
##virus
#acl mblock url_regex -i musicindiaonline.com

acl dangurl urlpath_regex -i \.id[aq]\?.{100,} # CodeRED
acl dangurl urlpath_regex -i /readme\.(eml|nws|exe) # NIMDA

#Remove transparent if you don’t want Squid to run transparently
http_port 3128 transparent

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny BadURL
http_access deny nimda
http_access deny Newvirus
deny_info TCP_RESET worm
http_access deny worm
http_access deny worm1
http_access deny worm2
http_access deny Codered
http_access allow mynetwork

http_access deny IpAddrProbeUA IpAddrProbeURL
deny_info TCP_RESET IpAddrProbeURL
acl OriginsThatComplainOfAbuse dstdomain .fencing101.com
http_access deny OriginsThatComplainOfAbuse
deny_info TCP_RESET OriginsThatComplainOfAbuse
acl soedirman dstdomain soedirman.gudangupload.com
http_access deny soedirman
http_access deny VIRUS
http_access deny YAHOOATTACK
http_access deny INADDR_ANY

acl PURGE method PURGE
http_access allow PURGE localhost
http_access deny PURGE

deny_info TCP_RESET all
http_access deny all

snmp_port 3001
acl queryme snmp_community SquidSnmpSecret

acl adminpc src 192.168.0.34/255.255.255.255
acl researchpc src 192.168.0.70/255.255.255.255
acl squidadminpc src 192.168.0.221/255.255.255.255
acl mgmtpc src 192.168.0.221/255.255.255.255

snmp_access allow queryme localhost
snmp_access allow queryme adminpc
snmp_access allow queryme researchpc
snmp_access allow queryme squidadminpc
snmp_access allow queryme mgmtpc
snmp_access deny all

icp_access allow mynetwork
icp_access deny all

miss_access allow all

append_domain .example.com

#Always direct allow to yahoo.com and hotmail.com
acl yahoo dstdomain login.yahoo.com
acl yahoo dstdomain mail.yahoo.com
acl hotmail dstdomain hotmail.com
always_direct allow yahoo
always_direct allow hotmail

ie_refresh on
######## End of squid.conf ###############
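Squid evaluates http_access lines from top to bottom: the first line whose ACLs all match decides (several ACLs on one line are ANDed, a leading ! negates one), and when no line matches the default is the opposite of the last line. With a list as long as the one above it is easy to place a rule where it can never fire, or to define an ACL and never reference it (the dangurl ACL in the configuration above is never used by any http_access line). The script below is an added example, not part of the original article and not Squid's own code: it parses a constructed subset of the configuration above, models only the ACL types that subset uses (src, dstdomain, port, method, proto, url_regex, urlpath_regex), reports which line decides a given request, and lists defined-but-unreferenced ACLs. Request addresses and URLs used in it are constructed.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed subset of the article's squid.conf, kept in the article's order.
SQUID_CONF = r"""
acl all src 0.0.0.0/0.0.0.0
acl mynetwork src 192.168.0.0/24 172.16.0.0/24 10.0.0.0/24
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563 2082 2083 2086 2087 2093 2095 2096
acl Safe_ports port 80 21 443 563 70 210 8000 11999 2082 2083 2086 2087 2095 2096 8082 8090
acl CONNECT method CONNECT
acl BadURL urlpath_regex -i cmd.exe
acl codered url_regex \/default\.ida$
acl spammers dstdomain .maxonlinejob.com .max-online.biz .maxjob.info
acl dangurl urlpath_regex -i \.id[aq]\?.{100,} # CodeRED
http_access deny codered
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny BadURL
http_access deny spammers
http_access allow mynetwork
http_access deny all
"""

def parse_conf(text):
    """Return acl definitions, http_access rules in file order, and the ACL names any non-acl directive references."""
    acls, rules, referenced = {}, [], set()
    for raw in text.splitlines():
        tokens = raw.partition("#")[0].split()   # comments start at '#'; assumes no '#' inside a regex
        if not tokens:
            continue
        if tokens[0] == "acl":                   # same-named acl lines append values, as in Squid
            entry = acls.setdefault(tokens[1], {"type": tokens[2], "values": []})
            nocase = False
            for v in tokens[3:]:
                if v in ("-i", "+i"):
                    nocase = v == "-i"           # -i / +i toggle case-insensitivity for later values
                else:
                    entry["values"].append((v, nocase))
        else:
            referenced.update(t.lstrip("!") for t in tokens[1:])
            if tokens[0] == "http_access":
                rules.append((" ".join(tokens), tokens[1], tokens[2:]))
    return acls, rules, referenced

def describe(req):
    """Normalise {src, method, url} into what the ACL types inspect; CONNECT carries host:port, not a URL."""
    method = req["method"].upper()
    r = {"src": ipaddress.ip_address(req["src"]), "method": method, "url": req["url"]}
    if method == "CONNECT":
        host, _, port = req["url"].rpartition(":")
        r.update(scheme="", host=host.lower(), port=int(port), path="")
    else:
        scheme, _, rest = req["url"].partition("://")
        p = urlsplit("http://" + rest)       # urlsplit rejects '_' in scheme names such as cache_object
        r.update(scheme=scheme.lower(), host=(p.hostname or "").lower(),
                 port=p.port or {"http": 80, "https": 443, "ftp": 21}.get(scheme.lower(), 0),
                 path=p.path + ("?" + p.query if p.query else ""))   # Squid's urlpath keeps the query
    return r

def acl_matches(acl, r):
    """Any one value matching suffices (OR); a dstdomain value with a leading dot matches the domain and all subdomains."""
    host, typ = r["host"], acl["type"]
    for value, nocase in acl["values"]:
        v, flags = value.lower(), re.IGNORECASE if nocase else 0
        if {
            "src": lambda: r["src"] in ipaddress.ip_network(value, strict=False),
            "dstdomain": lambda: host == v or (v[0] == "." and (host == v[1:] or host.endswith(v))),
            "port": lambda: r["port"] == int(value),
            "method": lambda: r["method"] == value.upper(),
            "proto": lambda: r["scheme"] == v,
            "url_regex": lambda: re.search(value, r["url"], flags) is not None,
            "urlpath_regex": lambda: re.search(value, r["path"], flags) is not None,
        }[typ]():
            return True
    return False

def evaluate(acls, rules, req):
    """First http_access line whose ACLs all match (AND across the line) decides; no match means the opposite of the last line."""
    r = describe(req)
    for text, action, names in rules:
        if all(acl_matches(acls[n.lstrip("!")], r) != n.startswith("!") for n in names):
            return action, text
    return ("deny" if rules[-1][1] == "allow" else "allow"), "(implicit default)"

ACLS, RULES, REFERENCED = parse_conf(SQUID_CONF)

def decide(src, method, url):
    return evaluate(ACLS, RULES, {"src": src, "method": method, "url": url})

def unused_acls():
    return set(ACLS) - REFERENCED   # defined but never referenced: a dead rule

if __name__ == "__main__": print(decide("192.168.0.10", "CONNECT", "smtp.example.com:25"), "unused:", unused_acls())
```

Feed it the requests you care about and compare the verdicts with the policy you intended: a CONNECT to port 25 from the LAN is stopped by the Safe_ports line before the CONNECT line is reached, the cache manager is reachable only from localhost, and an address outside mynetwork falls through to the final deny. The script does no DNS resolution, so dst ACLs such as the worm ACL above are not modelled, and the real parser (squid -k parse) still has the final say on syntax.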

(7.) Initialize the cache directories

/usr/local/sbin/squid -z

(8.) Run the Squid daemon

/usr/local/sbin/squid -D

(9.) Manually configure the newly set up proxy server in your web browser and test web browsing.
