Squid installation. Initial Squid proxy configuration

Greetings, dear readers and guests! With this article I begin a description of how the SQUID caching proxy works. This article is mostly introductory and theoretical.

What is a proxy server and what is squid

I'll start with the basics. Squid is a caching proxy server for HTTP, FTP and other protocols. An HTTP proxy server is a program that makes HTTP requests on behalf of a client program (a browser or other software). A proxy can be caching or non-caching: a caching proxy saves the responses it fetches to some kind of storage so that they can be returned to clients faster, while a non-caching one simply relays HTTP, FTP or other requests. Previously, traffic caching made it possible to achieve quite significant traffic savings, but nowadays, with the growth of Internet speeds, this has lost some of its relevance. Proxy servers can be built into a hierarchy to process requests; in that case the proxy servers interact with each other via the ICP protocol.

Squid is designed for and can run on most operating systems (both Unix and Windows). It is licensed under the GNU GPL. It can process and cache HTTP, FTP, gopher, SSL and WAIS (removed in 2.6) requests, as well as DNS. The most frequently requested objects are kept in RAM. At the moment there are 2 stable versions of squid: 2.7 and 3.1; the differences can be found in the links at the end of the article. The dependencies when installing from packages are the same. The version 2 configuration file is compatible with version 3, but version 3 adds new options. In this article I will consider the squid3 version. It is also worth noting that if you install squid3, it keeps its configuration files in /etc/squid3, and by default the squid3 logs are in the directory /var/log/squid3/, not /var/log/squid/, as many log analyzers "like to assume".

The word "caching" has come up a bunch of times. What, in fact, is caching? It is a way of storing objects requested from the Internet on a server that is closer to the requesting computer than the original one. An Internet object is a file, a document, or a response to a call to some service provided on the Internet (such as FTP, HTTP, or gopher). The client requests an Internet object from the proxy's cache; if the object is not cached yet, the proxy server fetches it (either from the host specified in the requested URL, or from a parent or sibling cache) and delivers it to the client.

Squid Proxy Modes

The Squid proxy can operate in the following three main modes:

transparent mode

In this mode, the HTTP connections made by clients are redirected to the proxy server without their knowledge or explicit configuration, so no client configuration is required. Drawbacks of this method: NAT configuration and traffic redirection are required, client authentication does not work, and FTP and HTTPS requests are not redirected.

Authenticating mode

To work in this mode, clients must be configured to use the proxy server (the proxy server address must be specified in the connection settings). Clients can be authenticated and authorized via Kerberos, LDAP, NTLM, IP and RADIUS. It is possible to integrate with Microsoft Active Directory servers by authenticating clients that are members of the domain using the Kerberos protocol, and then authorizing members of domain groups using LDAP transparently (the user enters his password only when logging into the domain). For authorized groups it is possible to apply different access control settings and QoS (delay pools).

Reverse Proxy

The proxy server caches outgoing data. The Squid reverse proxy receives data from the HTTP server on behalf of the client and passes it back to the client (for example, to the Internet). This mode allows you to:

  • use caching, which reduces the load on the HTTP server;
  • balance load between HTTP servers;
  • mask the HTTP servers and their characteristics;
  • prevent web attacks on the servers.

SQUID Operating Mode Diagrams

(diagram: transparent mode)

(diagram: reverse mode)

(diagram: authentication mode)

In the above diagrams, green arrows indicate the flows of proxied traffic. On Linux, the direction of these flows is most often controlled by the system's redirection rules (iptables, see the transparent proxy section) together with the browser settings. Very often the functions of router and proxy are also performed by one machine.

Installing SQUID

Before installing and configuring squid, make sure that the machine on which squid will run has access to the external network, and that the clients that will use this proxy have access to this machine. The squid proxy server, like any other software on Linux, can be installed in various ways, described in a separate article. Here I will cover installing from the repository on Debian. To install squid you need to install the squid3 package; to do this, run the following command:

gw ~ # aptitude install squid3
The following NEW packages will be installed:
  libltdl7(a) squid-langpack(a) squid3 squid3-common(a)
0 packages upgraded, 4 newly installed, 0 packages marked for removal, and 0 packages not upgraded.
You need to get 2,157 kB of archives. After unpacking 10.3 MB will be used.
Do you want to continue? y
Get:1 http://ftp.ru.debian.org/debian/ squeeze/main libltdl7 i386 2.2.6b-2
Get:2 http://ftp.ru.debian.org/debian/ squeeze/main squid-langpack all 20100628-1
Get:3 http://ftp.ru.debian.org/debian/ squeeze/main squid3-common all 3.1.6-1.2+squeeze2
Get:4 http://ftp.ru.debian.org/debian/ squeeze/main squid3 i386 3.1.6-1.2+squeeze2
Got 2,157 kB in 9s (238 kB/s)
Selecting a previously unselected libltdl7 package.
(Reading database... 41133 files and directories currently installed.)
Unpacking libltdl7 package (from file .../libltdl7_2.2.6b-2_i386.deb)...
Selecting a previously unselected squid-langpack package.
Unpacking squid-langpack package (from file .../squid-langpack_20100628-1_all.deb)...
Selecting a previously unselected squid3-common package.
Unpacking squid3-common package (from file .../squid3-common_3.1.6-1.2+squeeze2_all.deb)...
Selecting a previously unselected squid3 package.
Unpacking squid3 package (from file .../squid3_3.1.6-1.2+squeeze2_i386.deb)...
Processing man-db triggers...
Setting up libltdl7 (2.2.6b-2) package...
Setting up squid-langpack package (20100628-1) ...
Configuring the squid3-common package (3.1.6-1.2+squeeze2) ...
Configuring the squid3 package (3.1.6-1.2+squeeze2) ...
Creating Squid HTTP proxy 3.x spool directory structure
2012/02/15 21:29:41| Creating Swap Directories
Restarting Squid HTTP Proxy 3.x: squid3Creating Squid HTTP Proxy 3.x cache structure ... (warning).
2012/02/15 21:29:43| Creating Swap Directories
.

As you can see, when the package was installed there was an attempt to create the cache directory, but because it is not configured, a warning was printed. Likewise, squid was added to startup, is running and is accepting connections on all interfaces. But since it is not configured, access to Internet pages through the server is limited. The squid config is located in /etc/squid3/squid.conf; it consists of more than 5.5 thousand lines and its syntax is practically the same as that of any other service's config. Don't rush to change settings you have not read up on; you will only have to untangle them later. Let's look at the config that we are offered by default, without comments and empty lines:

gw ~ # grep -v ^# /etc/squid3/squid.conf | grep -v ^$
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
http_port 3128
hierarchy_stoplist cgi-bin ?
coredump_dir /var/spool/squid3
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

As you can see, in the default configuration the proxy server works and allows access only from the 127.0.0.0/8 addresses. You should carefully review the whole list and comment out the lines with ports of services that are not needed or not used. A fuller understanding of this config will come after reading the following sections. Thus, if we launch the lynx console browser pointed at our proxy, we can see the requested page:

gw ~ # # run the browser with the ya.ru page specified:
gw ~ # http_proxy=http://127.0.0.1:3128 lynx ya.ru
Searching for "ya.ru" first
gw ~ # # in the log we see the access to the requested page:
gw ~ # cat /var/log/squid3/access.log
1329527823.407    110 127.0.0.1 TCP_MISS/200 9125 GET http://ya.ru/ - DIRECT/93.158.134.203 text/html

Some options in the squid configuration file can be used multiple times (e.g. acl). Other parameters, especially those with a single value, can be used only once; if such a parameter appears 2 or more times, the last value is used. For example:

logfile_rotate 10 # multiple values - the final one will be 5
logfile_rotate 5

squid management

The options with which your distribution's squid was built can be viewed with the squid3 -v command. For example, on Debian squeeze, squid is built with the options below:

  • --prefix=/usr - prefix for the other options;
  • --mandir=$(prefix)/share/man - man page directory;
  • --libexecdir=$(prefix)/lib/squid3 - directory with executable modules (including helpers);
  • --sysconfdir=/etc/squid3 - directory for storing the configuration;
  • --with-logdir=/var/log/squid3 - directory for storing logs;
  • and many others.

Setting up squid

I'll start the description of the squid3 settings with the basic settings that are desirable in any proxy server configuration. The squid config is located in /etc/squid3/squid.conf; this is the main configuration file, which contains all the settings. (On Debian and RedHat distributions, parameters from the startup configuration files /etc/default/squid3 and /etc/sysconfig/squid3, respectively, are also read at startup.) I already mentioned that there are more than 5 thousand lines and that it is not worth rushing to set something up without understanding it. The squid3 config syntax is classic: lines starting with # are comments, and parameters are lines of the form "parameter value". The configuration file is divided into sections for convenience, but it is important to remember that the parameters are parsed "from top to bottom" in order of priority. Also, using the include parameter you can include external configuration files.

By default, the name of the host where Squid is running is resolved with gethostname(); depending on the DNS settings, it sometimes cannot unambiguously determine the name that will appear in the logs and error pages ("Generated … by server.com (squid/3.0.STABLE2)"). To record the host name correctly, you need to put this name (FQDN) into the parameter:

visible_hostname myproxy

By default, squid accepts connections on all interfaces. If our server has one of its network interfaces facing the outside world, then it is desirable to accept connections only on the local network interface (let's say 10.0.0.10/24). The http_port parameter is responsible for this:

http_port 10.0.0.10:3128

How these parameters work can be seen in the following listing:

gw ~ # # check the daemon before changing the settings:
gw ~ # netstat -antp | grep squ
tcp        0      0 0.0.0.0:3128            0.0.0.0:*               LISTEN      25816/(squid)
gw ~ # # changes made:
gw ~ # grep ^http_port /etc/squid3/squid.conf
http_port 10.0.0.10:3128
gw ~ # # reload the modified config
gw ~ # /etc/init.d/squid3 reload
Reloading Squid HTTP Proxy 3.x configuration files.
done.
gw ~ # # check operation with the changed config:
gw ~ # netstat -antp | grep squ
tcp        0      0 10.0.0.10:3128          0.0.0.0:*               LISTEN      25816/(squid)

As you can see, the daemon now listens only on the interface of the specified network. It is also worth noting that newer versions of squid (<3.1) support specifying several http_port parameters. Different http_port entries can carry additional options such as intercept, tproxy, accel and others, for example:

gw ~ # grep ^http_port /etc/squid3/squid.conf
http_port 10.0.0.10:3128
http_port 10.0.0.10:3129 tproxy

These options set the proxy server's operating modes. For example, tproxy (the old syntax is transparent) selects the transparent mode. These modes deserve separate articles and may be considered in the future.

Now you need to set up a client computer and use the Internet. But by default access is allowed only from localhost, and when trying to access the web the user will receive an "Access denied" error. The /var/log/squid3/access.log log will contain something like this:

1329649479.831 0 10.0.1.55 TCP_DENIED/403 3923 GET http://ya.ru/ - NONE/- text/html

In order for LAN clients to work, you must configure permissions with access control lists.

Setting up squid access

Access configuration consists of describing access objects with the acl parameter, and then allowing or denying the described acl object with the http_access parameter. The simplest format of such configuration lines is as follows:

acl list_name selection_type selection_type_characteristics

where acl is the parameter describing an access control list whose name is given by the value list_name. The name is case sensitive. selection_type specifies the type to which the following selection_type_characteristics refer. It can take such frequently used values as src (source) - the source of the request, dst - the destination address, arp - MAC address, srcdomain and dstdomain - the domain name of the source and destination, respectively, port - port, proto - protocol, time - time, and many others. Accordingly, the value of selection_type_characteristics is formed depending on selection_type.

You can specify several acl strings with the same names and selection_types, in which case the acl data will be combined into one list with a logical OR operation. For example:

acl site dstdomain site.com
acl site dstdomain site.org
# same as:
acl site dstdomain site.com site.org

In words, it sounds like this: the access list named site covers all requests sent to the site site.com OR site.org. Also, acl names are case sensitive, meaning acl site and acl Site are 2 different access lists.

Once the access lists have been formed, the http_access parameter allows or denies access to the specified ACL. The general format is:

http_access allow|deny [!]list_name

where http_access is the parameter specifying the permission (allow) or prohibition (deny) rule for the access list list_name that follows. The optional exclamation mark inverts the list name: with an exclamation mark, list_name means everyone except those who belong to this list. In addition, you can specify several lists separated by spaces, in which case the rule applies only if the request belongs to all of the specified lists. All allowing rules must be specified before the rule denying ALL:

http_access deny all

A reasonable question may arise: why set this rule if, for example, we allow only selected acls to access the squid? After all, the rest, who do not fall into this acl, should just "pass by"... It's simple. When no rule matches, squid applies the opposite of the last allow/deny rule. For example:

# we have a single allow rule for some acl user:
http_access allow user
# if a client accessing squid is not in this acl, the deny action is applied to it.
# And if we have two rules
http_access allow user
http_access deny user2
# and the client is in neither acl user nor acl user2, then allow is applied to it.
# That is, the opposite action of the last rule, http_access deny user2

These are, as they say, the foundations of the foundations. Let's look at a simple example. Suppose we have 2 networks, 10.0.1.0/24 and 10.0.0.0/24, as well as a host 10.0.4.1, which need to be allowed access to the Internet. To allow access, you need to describe a new access list in the "ACCESS CONTROL" section of the squid.conf file:

acl lan src 10.0.1.0/24 10.0.0.0/24
acl lan src 10.0.4.1

For more convenience, you can put these rules in a separate file, specifying the path to it in place of selection_type_characteristics. Like this:

gw ~ # # create a separate directory for storing access lists
gw ~ # mkdir /etc/squid3/acls/
gw ~ # # put our subnets and hosts in a separate file
gw ~ # vim /etc/squid3/acls/lan.acl
gw ~ # cat /etc/squid3/acls/lan.acl
10.0.1.0/24
10.0.0.0/24
10.0.4.1
gw ~ # # reference the created file in the config (the path must be enclosed in quotes)
gw ~ # grep lan.acl /etc/squid3/squid.conf
acl lan src "/etc/squid3/acls/lan.acl"

Allow the created lan access list access to the Internet and tell the squid to reread the configuration file:

gw ~ # grep lan /etc/squid3/squid.conf | grep acce
http_access allow lan
gw ~ # service squid3 reload
Reloading Squid HTTP Proxy 3.x configuration files.
done.

To summarize this section in a nutshell: acl identifies a web request, and http_access allows or denies the identified request. Now our local users can happily use the Internet, having first configured their browser!
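As an added example (not from the original article), here is a small Python model of the acl / http_access evaluation described in this section and in the "opposite of the last rule" note above: the first matching rule wins, every acl on a rule line must match, a leading "!" inverts one acl, and a request matching no rule gets the opposite of the last rule's action. The config fragment and addresses are constructed from the article's own examples; only the src, dstdomain, port, method and proto acl types are modelled.

```python
import ipaddress

# Constructed squid.conf fragment: the article's default rules plus the "lan"
# list it creates, placed (as the article requires) before "deny all".
SAMPLE_CONF = """
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 1025-65535  # unregistered ports
acl CONNECT method CONNECT
acl lan src 10.0.1.0/24 10.0.0.0/24
acl lan src 10.0.4.1
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow lan
http_access deny all
"""


def parse_config(text):
    """Collect acl and http_access lines; repeated acl names are ORed together."""
    acls, rules = {}, []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()          # comments stripped
        if len(parts) >= 4 and parts[0] == "acl":
            name, kind, values = parts[1], parts[2], parts[3:]
            entry = acls.setdefault(name, (kind, []))
            if entry[0] != kind:
                raise ValueError(f"acl {name}: mixed types {entry[0]}/{kind}")
            entry[1].extend(values)
        elif len(parts) >= 3 and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))       # (allow|deny, acl names)
    return acls, rules


def acl_matches(kind, values, req):
    """Test one acl against a request dict with src, host, port, method, proto."""
    if kind == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "dstdomain":
        host = req.get("host", "").lower()
        # ".site.com" covers site.com and its subdomains, "site.com" only itself
        return any(host == v.lstrip(".") or (v.startswith(".") and host.endswith(v))
                   for v in map(str.lower, values))
    if kind == "port":
        for v in values:
            lo, _, hi = v.partition("-")              # single port or "lo-hi"
            if int(lo) <= req.get("port", 80) <= int(hi or lo):
                return True
        return False
    if kind == "method":
        return req.get("method", "GET").upper() in {v.upper() for v in values}
    if kind == "proto":
        return req.get("proto", "http").lower() in {v.lower() for v in values}
    raise ValueError(f"acl type {kind} is not handled by this example")


def http_access(acls, rules, req):
    """First matching rule wins.  A rule matches only when every acl listed on
    it matches (a leading '!' inverts that acl).  If no rule matches, Squid
    applies the opposite of the last rule's action, which is why the article
    insists on a final 'http_access deny all'."""
    for action, names in rules:
        for name in names:
            negate = name.startswith("!")
            base = name.lstrip("!")
            if base in acls:
                hit = acl_matches(*acls[base], req)
            elif base == "all":                       # built-in acl in squid 3.x
                hit = True
            else:
                raise KeyError(f"undefined acl {base}")
            if hit == negate:                         # this acl fails the rule
                break
        else:
            return action
    if not rules:
        return "deny"
    return "deny" if rules[-1][0] == "allow" else "allow"


def decide(conf, src, host="ya.ru", port=80, method="GET", proto="http"):
    """Parse a config fragment and evaluate one request against it."""
    acls, rules = parse_config(conf)
    return http_access(acls, rules,
                       dict(src=src, host=host, port=port, method=method, proto=proto))


if __name__ == "__main__":
    for src in ("127.0.0.1", "10.0.1.55", "10.0.4.1", "10.0.5.9"):
        print(src, decide(SAMPLE_CONF, src))
```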

Configuring squid cache settings

An important point in setting up squid is its caching options. The location of the cache is set by the cache_dir parameter in squid.conf. The parameter format is as follows:

cache_dir type path size L1 L2

where type is the cache storage scheme, one of: ufs (unix file system), aufs (async ufs), diskd (external processes, so that squid does not block on disk I/O). It is recommended to use ufs, although some praise aufs. path specifies the location of the cache in the file system (it must exist and be writable by the user under which squid is running, usually proxy). size sets the maximum size after which the cache will start to be cleaned. There are many holy wars on the net about this parameter. The ideal cache size is 2 GB to 10 GB depending on the number of clients, approximately 1 GB of cache for every 100k requests/day. I stick with 5 GB. In Squid, each cached object is stored in a separate file, and the files are not dumped into one place but into a two-level directory hierarchy. The number of first- and second-level directories is determined by the parameters L1 and L2. These values can be left at their defaults. But to get a feel for the situation, I will quote from bog.pp.ru:

The experiment showed that with a 700 MB cache only 2 first-level directories are used. That is, with the standard cache directory structure a million objects (9 GB) "comfortably" fit into it; if there are more of them, then you need to increase the number of top-level directories.

You can use multiple cache_dir entries. This has a positive effect on performance, especially if you place the caches on different disks. You can speed up the cache even further by placing it in tmpfs. For each cache_dir parameter, the options section can define the read-only (read-only) and max-size (maximum object size) options.

The maximum size of an object in the cache is determined by the maximum_object_size parameter; the default value is 4 MB. I increased this value to 60 MB, because employees on the local network often download files of the same kind up to that size:

maximum_object_size 61440 KB

Likewise, there is the minimum_object_size parameter, responsible for the minimum object size; by default its value is "0", that is, it is disabled. I recommend raising this parameter to 2-3 KB, which will reduce the disk load from searching for small objects.

The RAM used by squid is set by the cache_mem parameter; the default value is 256 MB (in version 3.1). I left this value at its default. It is worth changing this value only if squid asks you to in the logs. After these changes, you need to restart squid; this will create the directory structure:

gw ~ # service squid3 start
Starting Squid HTTP Proxy 3.x: squid3Creating Squid HTTP Proxy 3.x cache structure ... (warning).
2012/02/19 22:58:21| Creating Swap Directories
2012/02/19 22:58:21| /var/spool/squid3 exists
2012/02/19 22:58:21| Making directories in /var/spool/squid3/00
2012/02/19 22:58:21| Making directories in /var/spool/squid3/01
2012/02/19 22:58:21| Making directories in /var/spool/squid3/02
2012/02/19 22:58:21| Making directories in /var/spool/squid3/03
2012/02/19 22:58:21| Making directories in /var/spool/squid3/04
2012/02/19 22:58:21| Making directories in /var/spool/squid3/05
2012/02/19 22:58:21| Making directories in /var/spool/squid3/06
2012/02/19 22:58:21| Making directories in /var/spool/squid3/07
2012/02/19 22:58:21| Making directories in /var/spool/squid3/08
2012/02/19 22:58:21| Making directories in /var/spool/squid3/09
2012/02/19 22:58:21| Making directories in /var/spool/squid3/0A
2012/02/19 22:58:21| Making directories in /var/spool/squid3/0B
2012/02/19 22:58:21| Making directories in /var/spool/squid3/0C
2012/02/19 22:58:21| Making directories in /var/spool/squid3/0D
2012/02/19 22:58:21| Making directories in /var/spool/squid3/0E
2012/02/19 22:58:21| Making directories in /var/spool/squid3/0F
.

Many interesting questions and answers about the use of squid's cache and memory are described in a separate document. With this, we can consider a typical proxy server setup complete.

squid transparent proxy configuration example

What is a transparent proxy? It is the mode of operation in which the client is not configured to work through a proxy and sends requests to the network over HTTP as if the browser were talking directly to the web server. At the same time, the system (on Linux, with iptables) redirects outgoing HTTP requests to the port on which the proxy is running. The proxy server, in turn, converts the HTTP requests into proxy requests and sends the responses back to the client as if it were the web server. Thus the client interacts with the proxy server transparently.

It is important to understand this: the method supports only the HTTP protocol and does not support proxying gopher, FTP or anything else. Also, Squid cannot work in transparent mode and in authentication mode at the same time.

To set up transparent mode, you need to:

1. Set transparent mode in the proxy settings. This is done in the http_port parameter, for example:

http_port ip:port transparent

2. Redirect the users to the desired port with the corresponding iptables rule:

iptables -t nat -A PREROUTING -i incoming_interface_name -s LAN_subnet -p tcp --dport 80 -j REDIRECT --to-port squid_port

for example:

iptables -t nat -A PREROUTING -i eth1 -s 10.0.0.0/24 -p tcp --dport 80 -j REDIRECT --to-port 3128

That's all. The unsuspecting users are now redirected to our proxy server.

Troubleshooting

First of all, diagnosing squid's operation means reading the logs located in /var/log/squid3. Most problems are solved this way. If that did not help, switching the daemon into debug mode with the command squid3 -k debug makes the problem easier to find. So what is in a squid log? The log files contain various information about Squid's load and performance. Besides access information, Squid also writes system errors and information about resource consumption, such as memory or disk space, to the log.

A squid log line is a string of values separated by one or more spaces:

time.ms response_time ip_src squid_req_status/HTTP_status byte_snd method URL user squid_her_status/ip_dst MIME

  • time - time in Unix format (number of seconds since 00:00 1970-01-01)
  • ms - milliseconds, up to 3 digits
  • response_time - response time, milliseconds
  • ip_src - source IP address
  • squid_req_status - squid request status (e.g. TCP_HIT for previously cached objects, TCP_MISS if the requested object was not taken from the local cache, UDP_HIT and UDP_MISS likewise for sibling requests)
  • HTTP_status - HTTP protocol status (200 for success, 000 for UDP requests, 403 for redirects, 500 for errors)
  • byte_snd - bytes transmitted in the response, including the HTTP header
  • method - request method, GET or POST
  • URL - requested URL
  • user - authenticated user name
  • squid_her_status - squid hierarchy status: the result of requests to sibling/parent caches
  • ip_dst - IP address of the requested host
  • MIME - MIME type

Let's look at an example:

1329732295.053    374 10.0.1.55 TCP_MISS/200 1475 GET http://www.youtube.com/live_comments? - DIRECT/173.194.69.91 text/xml

As you can see, the request was made at 1329732295.053, the remote server's response took 374 ms, the host that requested the page has IP 10.0.1.55, the requested object was not served from the local cache (TCP_MISS), the server response code was 200, 1475 bytes were sent to the client, the GET method was used, the requested URL was http://www.youtube.com/live_comments?, the username was not defined, the object was received directly from the server with IP 173.194.69.91, and text was transmitted, because the MIME type is text/xml.
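As an added example, not part of the original article, the following Python parses lines in the native access.log format just described into typed fields, then summarises the cache hit ratio and counts TCP_DENIED answers per client, which is the quickest way to spot a client that is still outside the lan acl. The sample lines are constructed (the first three are the ones quoted in the article).

```python
import re
from collections import Counter

# Constructed sample in Squid's native access.log format. The first three lines
# are the ones quoted in the article; the rest are made up in the same shape.
SAMPLE_LOG = """\
1329527823.407    110 127.0.0.1 TCP_MISS/200 9125 GET http://ya.ru/ - DIRECT/93.158.134.203 text/html
1329649479.831      0 10.0.1.55 TCP_DENIED/403 3923 GET http://ya.ru/ - NONE/- text/html
1329732295.053    374 10.0.1.55 TCP_MISS/200 1475 GET http://www.youtube.com/live_comments? - DIRECT/173.194.69.91 text/xml
1329732300.120      2 10.0.1.55 TCP_HIT/200 9125 GET http://ya.ru/ - NONE/- text/html
1329732301.500      0 10.0.2.7 TCP_DENIED/403 3923 GET http://example.com/ - NONE/- text/html
1329732302.900      0 10.0.2.7 TCP_DENIED/403 3923 CONNECT example.com:22 - NONE/- text/html
"""

# time.ms response_time ip_src squid_status/HTTP_status bytes method URL user hier_status/ip_dst MIME
LINE_RE = re.compile(
    r"^(?P<time>\d+\.\d+)\s+(?P<response_ms>\d+)\s+(?P<src>\S+)\s+"
    r"(?P<squid_status>[A-Z_]+)/(?P<http_status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier_status>[A-Z_]+)/(?P<dst>\S+)\s+(?P<mime>\S+)$"
)


def parse_line(line):
    """Split one line into typed fields; returns None for lines that do not
    carry the twelve expected fields (truncated writes, other log formats)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = float(rec["time"])
    for key in ("response_ms", "http_status", "bytes"):
        rec[key] = int(rec[key])
    for key in ("user", "dst"):                  # '-' means "not present"
        if rec[key] == "-":
            rec[key] = None
    return rec


def parse_log(text):
    return [rec for rec in map(parse_line, text.splitlines()) if rec]


def summarize(records):
    """Cache effectiveness of the served requests, bytes sent per client and
    the number of TCP_DENIED answers per client."""
    served = [r for r in records if r["squid_status"] != "TCP_DENIED"]
    hits = sum(1 for r in served if "HIT" in r["squid_status"])
    traffic = Counter()
    for r in records:
        traffic[r["src"]] += r["bytes"]
    return {
        "requests": len(records),
        "hit_ratio": round(hits / len(served), 3) if served else 0.0,
        "bytes_by_src": traffic,
        "denied_by_src": Counter(r["src"] for r in records
                                 if r["squid_status"] == "TCP_DENIED"),
    }


def noisy_clients(records, threshold=2):
    """Clients with at least `threshold` TCP_DENIED lines. On a freshly set up
    proxy that is usually a browser from a network missing in the lan acl, or
    a CONNECT to a port the SSL_ports rule does not allow; worth a look either way."""
    denied = summarize(records)["denied_by_src"]
    return sorted(src for src, n in denied.items() if n >= threshold)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(summarize(recs))
    print("clients repeatedly denied:", noisy_clients(recs))
```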

Some final points about squid3

In this article I reviewed the basic principles of the proxy server, as well as the basic settings that let you implement the simplest caching server and run squid in transparent mode. Squid supports several authorization options (via IP, LDAP, MySQL, NTLM, etc.), the ability to limit channel bandwidth and control access to Internet resources. I will consider squid with different authorization methods and examples of traffic control in the following articles.

Today we will talk about proxy servers.

A proxy server is a thing that provides access for several computers on one network to another network (not to be confused with routers; those are completely different things, a proxy server works at the application layer). The most common task of a proxy server is to provide Internet access to PCs that do not have it, through one PC that does have access to the global network. Let's consider this task for the case of a Windows computer used as the gateway to the Internet.

To solve this problem, you can use proprietary solutions with a visual interface, for example UserGate. But I couldn't get it to work correctly on a PC with Windows 7, and it is paid :) Therefore I consider the best solution to be Squid, which came to us from the *nix world. You can download it here: Squid 2.7 (the latest version at the time of writing)

Download and unpack it, preferably to the root of the disk. Don't try to run anything from there: this program has no GUI, and don't let that scare you :)
Next, open the console (Win + R / cmd) and go to the folder with the unpacked squid (from here on I will assume the installation path c:\squid):

c:\
cd c:\squid\sbin

Now you need to install squid as a Windows service with the command:

squid -i -f c:/squid/etc/squid.conf -n Squid27

Where Squid27 is the name of the service, which in principle can be anything valid.

Now you need to edit the squid.conf settings file, which is located in the c:/squid/etc/ folder. I advise you to back up the original file. Next, delete all the text from this file and write the following:

http_port 3128
acl localnet src 192.168.3.0/255.255.255.0
acl localhost src 127.0.0.1/255.255.255.255
acl all src 0.0.0.0/0.0.0.0
http_access allow localnet
http_access allow localhost
http_access deny all

cache_log none
cache_store_log none

where

  • http_port 3128 - the port number on the server through which squid works. That is, in the client settings we will specify the server address and this port;
  • acl localnet src 192.168.0.0/255.255.0.0 - this line specifies the range of IP addresses from which it is possible to connect to our proxy. The mask can be written as /8, /16, /24 (for 255.0.0.0, 255.255.0.0, 255.255.255.0 respectively) and localnet is the name. In fact, with this line we declare a variable that we will work with further. The next line similarly declares the all variable, which covers all existing IPs;
  • http_access allow localnet - with this line we allow access to our proxy from the IPs specified in the localnet variable;
  • http_access deny all - deny everyone else access to the proxy. These permissions are processed from top to bottom, so this line must be specified last! Otherwise, no one will reach the proxy :)
  • cache_log none - needed, like the next line, so that the logs do not grow to gigabytes)
You can also add the following options:
  • cache_mem 32 MB - sets the size of the additional squid cache in RAM;
  • cache_dir ufs c:/squid/var/cache 100 16 256 - sets the path to the cache folder, its size in MB (100) and the number of subfolders (why the latter, I still don't understand :))
Now you need to remove ".default" from the name of the mime.conf file in the same folder, or simply create an empty text file with that name. This is needed to create the cache. In the console (in the sbin folder) type the command:

squid -z -f c:\squid\etc\squid.conf

So, in principle, we are ready to launch our proxy. Type on the command line (or go to Services and start it with the mouse :)

net start Squid27

Stop:

net stop squid27

Reconfiguration:

squid -n Squid27 -f c:/squid/etc/squid.conf -k reconfigure

You can do a lot more with this proxy, for example set restrictions for different users by time and speed, deny access to certain sites, etc. But describing all of that is not the task of this article; such material is easy to find on the Internet.

We update the system:

Add a rule to firewalld:

firewall-cmd --permanent --add-port=3128/tcp

* where 3128 is the port on which our proxy server will be configured.

and restart firewalld:

firewall-cmd --reload

Installing and configuring Squid

Set the proxy server with the following command:

yum install squid

And open the configuration file for editing:

vi /etc/squid/squid.conf

If the network of client computers differs from the standard ones (192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8), you need to add it to the acl, for example:

acl localnet src 217.66.157.0/24

or via file:

acl localnet src "/etc/squid/acl_localnet"

* quotes are required
** after that you need to create the file /etc/squid/acl_localnet and list the allowed IP addresses in it, one per line.

To allow all traffic, add the following line:

http_access allow all

* it is important that it comes before the prohibiting line http_access deny all

Set up a directory for the cache:

cache_dir ufs /var/spool/squid 4096 32 256

* where ufs is the storage scheme (ufs is the most suitable for SQUID); /var/spool/squid is the cache storage directory; 4096 is the amount of space in megabytes allocated for the cache; 32 is the number of first-level directories created to hold the cache; 256 is the number of second-level directories created to hold the cache.

Now we create the folder structure for the cache with the following command:

And you can already start squid:

systemctl start squid

Don't forget to enable autorun:

systemctl enable squid

Verification

We go into the browser settings and configure the use of a proxy server. For example, in Mozilla Firefox, the settings should be set as follows:

* where 192.168.163.166 is the IP address of my proxy server.

Now we open the site 2ip.ru. After it loads, we will see our external IP address; it must belong to the network from which the configured SQUID works.

Transparent proxy

A transparent proxy lets clients use the proxy server automatically, without configuring the browser on each computer. Users may not even be aware that their traffic goes through squid.

vi /etc/squid/squid.conf

We find the http_port line:

and bring it to the following form:

http_port 3128 transparent

And restart squid:

systemctl restart squid

Squid + HTTPS

I did not have to specifically configure https for squid in CentOS 7 - everything worked by default.

Login and password authorization

Open the configuration file:

vi /etc/squid/squid.conf

Insert the following:

auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/auth_users
auth_param basic children 25
auth_param basic realm SQUID PROXY
auth_param basic credentialsttl 3 hours
acl auth_users proxy_auth REQUIRED

* where /usr/lib64/squid/basic_ncsa_auth is the location of basic_ncsa_auth (depending on the system it may be in a different directory); /etc/squid/auth_users is the file with logins and passwords; children 25 allows 25 simultaneous authentication checks (helper processes); SQUID PROXY is an arbitrary phrase shown in the login prompt; credentialsttl 3 hours keeps the session for 3 hours, after which the login and password must be entered again.

We find the line:

http_access deny !Safe_ports

and after it we add:

http_access allow auth_users

Create the user file and add the first login and password pair:

htpasswd -c /etc/squid/auth_users user1

* if the system returns the error "bash: htpasswd: command not found", install htpasswd with the command yum install httpd-tools

Create a second user:

htpasswd /etc/squid/auth_users user2

And restart squid:

systemctl restart squid

Outgoing network interface

Our server may have several external IP addresses. By default all outgoing requests go out through the default gateway interface. To let squid work through different interfaces, we add the following to the configuration.

Squid is a full-featured caching proxy server that provides caching and proxy services for HTTP, FTP and other popular network protocols. Squid can cache and proxy SSL requests, cache DNS lookup results, and perform transparent caching. Squid also supports a wide range of caching protocols such as ICP (Internet Cache Protocol), HTCP (Hypertext Caching Protocol), CARP (Cache Array Routing Protocol) and WCCP (Web Cache Communication Protocol).

Squid Proxy Server is a good solution for a broad range of caching and proxy requirements; it scales from a branch office to corporate networks while providing fine-grained access control and monitoring of critical parameters via SNMP. When choosing a computer system to use as a Squid proxy or cache server, make sure it has plenty of RAM, as Squid keeps an in-memory cache to increase performance.

Installation

In a terminal, enter the following command to install the Squid server:

sudo apt-get install squid

Configuration

Squid is configured by editing the directives in the configuration file /etc/squid/squid.conf. The following examples illustrate some of the directives that can be modified to change the behavior of the Squid server. For more in-depth configuration of Squid, see the section.

Before editing the configuration file, make a copy of the original and write-protect it, so that you always have the original settings as a reference and can reuse them when needed.

Copy the /etc/squid/squid.conf file and write-protect it with the following commands in the terminal:

sudo cp /etc/squid/squid.conf /etc/squid/squid.conf.original
sudo chmod a-w /etc/squid/squid.conf.original

1. To configure your Squid server to listen on port 8888 instead of the default 3128, change the http_port directive as shown here:

http_port 8888

2. Change the visible_hostname directive to give the Squid server a specific hostname. This name does not have to be the computer's hostname. In the example it is set to weezie:

visible_hostname weezie

3. Using Squid's access control, you can make the proxy service available only to users from certain IP addresses. For example, we will allow access only from the 192.168.42.0/24 subnet:

Add the following to the end of the ACL section of your /etc/squid/squid.conf file:

acl fortytwo_network src 192.168.42.0/24

Then add the following to the beginning of the http_access section of your /etc/squid/squid.conf file:

http_access allow fortytwo_network

4. Using Squid's access control capabilities, you can also restrict the proxy service to regular business hours. For example, we will allow access for employees on the 10.1.42.0/24 subnet who work from 9:00 to 17:00, Monday to Friday (in a Squid time acl the weekday letters are M T W H F, with H standing for Thursday):

Add the following to the end of the ACL section of your /etc/squid/squid.conf file:

acl biz_network src 10.1.42.0/24
acl biz_hours time M T W H F 9:00-17:00

Then add the following to the beginning of the http_access section of your /etc/squid/squid.conf file:

http_access allow biz_network biz_hours

After making changes to the /etc/squid/squid.conf file, save it and restart the squid server for the changes to take effect with the following command in the terminal:

sudo /etc/init.d/squid restart

Squid is a popular proxy server that is mainly used to cache frequently requested web content in order to reduce page response times, and also to filter network traffic. It supports many protocols such as HTTP, FTP, TLS, SSL, Internet Gopher and HTTPS, and it can be very useful on a slow Internet connection. Squid was originally developed as a Unix daemon, but several ports have been released for Windows. Squid is distributed under the GNU General Public License.

In this tutorial you will learn how to install Squid on Ubuntu 16.04. Just follow these instructions in order and installing squid on ubuntu will not cause any problems. Squid is a very feature-rich program and we cannot cover all of its features in this article, but we will try to cover the basics so that you can configure and use it. Let's start with the installation.

There are several ways to install Squid on Ubuntu; one of the most common is installing from the official repositories with the apt utility.

First, open a terminal with Ctrl+Alt+T and update the package index:

After updating the list of packages, you can proceed to install the proxy server by simply executing the command:

sudo apt install squid

The utility will then ask whether to continue the installation; enter Y and wait for the download and installation to finish:

Then you can proceed to the configuration.

Setting up Squid

The server configuration file is located in the /etc/squid directory. Depending on the Squid version, the names of the directory and of the file itself may differ, for example /etc/squid3/squid.conf or /etc/squid/squid.conf. All settings are in this file. Let's take a look at it:

vim /etc/squid3/squid.conf

When the file opens you will see something like this:

The file contains many configuration options, as well as a lot of documentation on their use. We will not touch most of them, but we will consider the main ones.

Access control

First we need to set up client access rules for our proxy server. Squid was designed as an enterprise program, and even if you use it at home, this part of the squid 3 configuration still has to be done.

The acl lists are used for this. An acl is simply a named list of objects, which by itself does not mean anything yet. The objects can be IP addresses, ports, and so on. Afterwards we tell the program what to do with this list: allow or deny access. The syntax for creating an acl list is:

acl list_name list_type list_item

There can be several such lines with the same name and type; together they form one list. The list name can be arbitrary, and we will use it later. The list type is more interesting. It can be one of:

  • src - the IP address the connection comes from (the client address);
  • dst - the destination IP address of the connection (the address of the server the client wants to reach);
  • dstdomain - the destination domain of the connection;
  • srcdomain - the client's domain;
  • arp - the MAC address of the client's network card;
  • time - the time at which the connection is made;
  • port - the port the client is trying to reach;
  • proto - the protocol over which the connection is established;
  • method - the HTTP request method, for example GET (fetching data), POST (submitting form data) or CONNECT (a request to tunnel to a server);
  • http_status - the server's response status;
  • browser - the client's browser;
  • url_regex - the URL being requested.

These are not all the list types, but it is enough to start with; more detailed information is in the configuration file itself.

Let's add a list for access to the server from the local network:

acl localnet src 192.168.0.0/16

Let's create a Safe_ports list to allow traffic to the ports of the main network services, as well as to unregistered ports above 1024:

acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http

Let's create two more lists, SSL_ports and CONNECT, in order to allow the CONNECT method only for SSL connections. This prevents a client from chaining other proxies through ours:

acl SSL_ports port 443

acl CONNECT method CONNECT

As I said, these lists by themselves do not mean anything and do not affect the server's operation in any way. To apply a list you use the http_access directive. Its syntax is:

http_access action list_name

The action can be allow or deny. Now let's forbid the CONNECT method on all ports except those listed in SSL_ports:

http_access deny CONNECT !SSL_ports

Now let's allow access from this computer itself (the localhost acl is predefined):

http_access allow localhost

Let's allow access from the local network:

http_access allow localnet

And ban everything else:

http_access deny all
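To see how the rules above (and the allow-all/deny-all ordering from the CentOS section earlier) actually decide a request, here is an added example, not code from the original article or from Squid itself: a small Python model of http_access evaluation. It assumes only the src, port, method and proxy_auth acl types plus the predefined localhost and all acls, and the request is a constructed dict of source address, port and method.

```python
import ipaddress

# Constructed model (added example, not Squid's own code) of how Squid walks
# http_access lines: each line ANDs its ACLs, '!' negates one ACL, the first
# line whose ACLs all match decides, and when nothing matches the default is
# the opposite of the LAST line's action, which is why "deny all" goes last.
ACLS = """
acl localnet src 192.168.0.0/16
acl SSL_ports port 443
acl Safe_ports port 80 21 443 1025-65535
acl CONNECT method CONNECT
acl auth_users proxy_auth REQUIRED
"""
RULES = ["http_access deny !Safe_ports", "http_access deny CONNECT !SSL_ports",
         "http_access allow localhost", "http_access allow localnet",
         "http_access deny all"]

def parse_acls(text):
    # 'localhost' and 'all' are predefined by Squid; the rest come from the config
    acls = {"localhost": ("src", ["127.0.0.1/32"]), "all": ("src", ["0.0.0.0/0"])}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "acl":
            acls.setdefault(parts[1], (parts[2], []))[1].extend(parts[3:])
    return acls

def acl_matches(acls, name, req):
    typ, vals = acls[name]
    if typ == "src":
        return any(ipaddress.ip_address(req["src"]) in ipaddress.ip_network(v) for v in vals)
    if typ == "port":
        return any(int(lo) <= req["port"] <= int(hi or lo)
                   for lo, _, hi in (v.partition("-") for v in vals))
    if typ == "method":
        return req["method"] in vals
    if typ == "proxy_auth":   # REQUIRED: matches only when credentials were supplied
        return req.get("user") is not None
    raise ValueError("unsupported acl type: " + typ)

def http_access(rules, acls, req):
    """Return 'allow' or 'deny' for a request {src, port, method[, user]}."""
    for rule in rules:
        action, *names = rule.split()[1:]
        if all(acl_matches(acls, n.lstrip("!"), req) != n.startswith("!") for n in names):
            return action
    return "allow" if action == "deny" else "deny"   # nothing matched: opposite of last line

if __name__ == "__main__":
    acls, lan = parse_acls(ACLS), {"src": "192.168.1.10", "port": 80, "method": "GET"}
    for req in (lan, {**lan, "method": "CONNECT"}, {**lan, "src": "203.0.113.5"}):
        print(req, "->", http_access(RULES, acls, req))   # allow, deny, deny
```

Note the last return: a rule list that ends with only deny lines (for example just the two port rules) lets an unmatched outside client through, which is exactly what the final deny all prevents.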

Other settings

Access control is one of the most important parts, but the squid configuration on ubuntu is not finished yet. There are many more interesting parameters; we will consider only a few of them:

http_port - sets the IP address and port on which the program listens. You can make the proxy reachable only from this computer with the following construction:

http_port localhost:3218

Or on the local network:

https_port - sets the IP address and port on which HTTPS connections are accepted. Working with HTTPS is not covered in this article.

cache_mem - the amount of RAM allocated for caching objects.

cache_dir - sets the directory for storing the cache on disk. By default the entire cache is kept in RAM. Syntax:

cache_dir storage_type directory size_in_mb L1 L2

L1 and L2 are the numbers of first- and second-level subdirectories. The storage type determines how data is written to disk. For example:

cache_dir aufs /var/spool/squid 100 16 256

coredump_dir - the directory where a memory dump is written if Squid crashes.

refresh_pattern - a very useful parameter that lets you extend the lifetime of objects in the cache. The syntax is:

refresh_pattern -i regular_expression min_time percent max_time options

  • -i - makes the regular expression case-insensitive;
  • regular_expression - selects the objects (by URL) to which the rule applies;
  • min_time - time in minutes during which the object is considered fresh;
  • percent - the percentage of the object's age at the time it was fetched (time since its last modification) during which it is still considered fresh;
  • max_time - the maximum time in minutes during which the object can be considered fresh;

the options can be:

  • override-expire - ignore the Expires header;
  • override-lastmod - ignore the file's last modification date;
  • reload-into-ims - instead of refusing to cache, turn a client reload (no-cache) request into an If-Modified-Since request;
  • ignore-reload - ignore the client's reload (no-cache) requests and serve from the cache.

For example:

refresh_pattern -i \.gif$ 43200 100% 43200 override-lastmod override-expire
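As an added example (not code from the original article or from Squid), the following Python model applies the freshness decision the Squid configuration documentation gives for refresh_pattern to the gif rule above and to two constructed rules. It assumes the documented rule order (Expires header, then max, then the Last-Modified factor, then min) and that override-expire and override-lastmod let the min age win over the Expires header and the Last-Modified factor respectively; all times are minutes, as in squid.conf.

```python
import re

# Constructed model (added example, not Squid's own code) of the freshness
# decision described in the Squid configuration documentation:
#   Expires check -> STALE if age > max -> LM-factor rule -> FRESH if age < min.
# override-expire / override-lastmod make "age < min" win over the Expires
# header / the Last-Modified factor. All times are in minutes, as in squid.conf.
PATTERNS = [
    "refresh_pattern -i \\.gif$ 43200 100% 43200 override-lastmod override-expire",
    "refresh_pattern -i \\.(js|css)$ 1440 50% 10080",   # constructed rule
    "refresh_pattern . 0 20% 4320",                     # constructed catch-all rule
]

def parse_pattern(line):
    """Split one refresh_pattern line into (regex, min, percent, max, options)."""
    parts = line.split()[1:]
    icase = parts[0] == "-i"
    if icase:
        parts = parts[1:]
    regex, mn, pct, mx, *opts = parts
    return re.compile(regex, re.I if icase else 0), int(mn), int(pct.rstrip("%")), int(mx), set(opts)

def is_fresh(url, age, lm_age=None, expires_in=None, patterns=PATTERNS):
    """age: minutes since the object was fetched; lm_age: minutes between its
    Last-Modified and Date headers (None if absent); expires_in: minutes until
    its Expires header (negative if already past, None if absent)."""
    for line in patterns:                  # first matching refresh_pattern wins
        regex, mn, pct, mx, opts = parse_pattern(line)
        if regex.search(url):
            break
    else:
        return False                       # no refresh_pattern matched
    if expires_in is not None:
        if "override-expire" in opts and age < mn:
            return True                    # min age enforced despite Expires
        return expires_in > 0
    if age > mx:
        return False
    if "override-lastmod" in opts and age < mn:
        return True                        # min age enforced despite LM-factor
    if lm_age is not None and lm_age > 0:
        return age / lm_age < pct / 100    # LM-factor: fresh while young relative to lm_age
    return age < mn

if __name__ == "__main__":
    print(is_fresh("http://example.com/logo.GIF", age=60, expires_in=-60))           # True
    print(is_fresh("http://example.com/site.css", age=4 * 1440, lm_age=10 * 1440))   # True
    print(is_fresh("http://example.com/site.css", age=6 * 1440, lm_age=10 * 1440))   # False
    print(is_fresh("http://example.com/api/data", age=1))                            # False
```

The first call shows the cost of the gif rule: an image whose Expires header passed an hour ago is still served from the cache, which is why override-expire should only be used for content you are sure does not change.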

You may need other settings once the squid installation on ubuntu is complete, but they are beyond the scope of this article. Now save your changes, close the file and restart Squid:

sudo service squid3 restart

If this command returns an error, try another one:

sudo service squid restart

It remains to check that our proxy server works. This can be done with any browser: open the browser settings and configure the proxy. I'll show how to do it in Mozilla Firefox. If you have a different browser, for example Google Chrome, I think you will figure out how the proxy is configured there.

Client side setup

Open the browser and go to Preferences --> Advanced --> Network. Then click Settings in the Connection section and select manual proxy configuration:

In the HTTP proxy field specify the IP address of the machine on which the Squid server is installed, and in the port field the port number 3128. Squid uses this port by default, but you can change it in /etc/squid/squid.conf.

Internet