Squid in 5 minutes

by

Why Squid? Why only five minutes?

There are many great tools that Squid has to offer, but when I need to redirect HTTP traffic to a caching server for performance increases or security, Squid’s my pick. Squid has built-in proxy and caching tools that are simple, yet effective.

I recently used Squid for a secure subnet that did not allow outgoing port 80 http access to external IP addresses. Many organizations will block external port 80 access at the router level. This is a great way to eliminate a huge security hole, but a headache when a systems administrator needs to reach the outside world temporarily to download a file. Another scenario: redirect all computers in a home network to a local caching server to increase website query performance and save on bandwidth.

The situations described above are when the five minute Squid configuration comes in very handy. All requests for external http access can be handled by squid through a simple proxy configuration on each client machine. Sounds complicated? It isn’t. Let’s get into the details next.

Install

On a Red Hat® Enterprise Linux® or Fedora™ Core operating system, it is easy to check if Squid is installed using the rpm system. Type the command:

rpm -q squid

If Squid is already installed, you will get a response similar to:

squid-2.5.STABLE6-3.4E.12

If Squid isn’t installed, then you can use Yum to install it. Thanks to Yum the installation is quite easy.

Just type at a command line:

yum install squid

If you happen to have downloaded the rpm you can also type something like:

rpm -ivh squid-2.5.STABLE6-3.4E.12.i386.rpm

Configure

Squid’s main configuration file lives in /etc/squid/squid.conf. The 3,339 line configuration file is intimidating, but the good news is that it is very simple to set up a proxy server that forwards http, https, and ftp requests to Squid on the default port of 3128 and caches the data.

Back up the configuration file

It is always good policy to back up a configuration file before you edit it. If you haven’t been burned yet, you haven’t edited enough configuration files. Make a backup from the command line or the GUI and rename the original file something meaningful. I personally like to append a bck.datestamp. For example:

cp /etc/squid/squid.conf /etc/squid/squid.conf.bck.02052007

If it is the original configuration file you might choose to do:

cp /etc/squid/squid.conf /etc/squid/squid.conf.org.02052007

Edit the file

Open /etc/squid/squid.conf with your favorite text editor. I use vim, but nano is a good beginner’s command line text editor. If you do use nano, make sure you use the nano --nowrap option to turn off line wrapping when editing things like configuration files. A GUI editor like Gedit will also work.

Five minute configuration

There are many fancy options for squid that we will not enable, specifically acls (access control lists) or authentication. We are going to set up a caching proxy server with no access control. This server would be suitable for a home network behind a firewall.

The default squid configuration is almost complete, but a few small changes should be made. You will need to either find and uncomment entries, or modify existing uncommented lines in the squid configuration file. Use your favorite text editor or a text find to quickly locate these lines:

visible_hostname machine-name
http_port 3128
cache_dir ufs /var/spool/squid 1000 16 256
cache_access_log /var/log/squid/access.log

In the acl section near the bottom add:

acl intranet src 192.168.0.0/24
http_access allow intranet

Let me explain what each of these six lines means:

visible_hostname – Create this entry and set this to the hostname of the machine. To find the hostname, use the command hostname. Not entering a value may cause squid to fail as it may not be able to automatically determine the fully qualified hostname of your machine.

http_port 3128 – Uncomment this line but there is no need to edit it unless you want to change the default port for http connections.

cache_dir ufs /var/spool/squid 1000 16 256 – Uncomment this line. You may want to append a zero to the value 100 which will make the cache size 1000MB instead of 100MB. The last two values are the number of first-level directories and of second-level subdirectories the cache will create. They do not need modification.

cache_access_log – Uncomment this line. This is where all requests to the proxy server will get logged.

acl intranet src 192.168.0.0/24 – This entry needs to be added. It should correspond to whatever your local network range is. For example, if your Fedora server is 192.168.2.5 then the entry should be acl intranet src 192.168.2.0/24

http_access allow intranet – This allows the acl named intranet to use the proxy server. Make sure to put allow directives above the last ‘http_access deny all’ entry, as it will override any allow directives below it.
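Why the order of the http_access lines matters, as an added example (not code from the original article or from the Squid project): a small Python model of Squid's top-down, first-match rule evaluation that also flags an acl line missing its type keyword such as src. Both configuration samples are constructed, and only src ACLs with plain (non-negated) names are modelled.

```python
import ipaddress

# Constructed sample: the allow rule sits below "deny all", and the "guests"
# acl lacks its type keyword between the name and the network.
BROKEN_CONF = """\
acl all src 0.0.0.0/0
acl intranet src 192.168.0.0/24
acl guests 192.168.9.0/24
http_access deny all
http_access allow intranet
"""

# Constructed sample: the same rules in the order the article asks for.
FIXED_CONF = """\
acl all src 0.0.0.0/0
acl intranet src 192.168.0.0/24
http_access allow intranet
http_access deny all
"""


def is_network(text):
    try:
        ipaddress.ip_network(text, strict=False)
        return True
    except ValueError:
        return False


def parse(conf):
    """Collect src ACLs, http_access rules and problems from squid.conf text."""
    acls, rules, problems = {}, [], []
    catch_all_seen = False
    for lineno, raw in enumerate(conf.splitlines(), 1):
        f = raw.split("#", 1)[0].split()
        if len(f) >= 3 and f[0] == "acl":
            if is_network(f[2]):
                problems.append(f"line {lineno}: acl '{f[1]}' has no type (e.g. src)")
            elif f[2] == "src":
                nets = [ipaddress.ip_network(n, strict=False) for n in f[3:]]
                acls.setdefault(f[1], []).extend(nets)
        elif len(f) >= 3 and f[0] == "http_access":
            if catch_all_seen:
                problems.append(f"line {lineno}: unreachable, follows a catch-all rule")
            rules.append((f[1], f[2:]))
            # A rule whose every ACL covers 0.0.0.0/0 matches all clients.
            catch_all_seen |= all(
                any(n.prefixlen == 0 for n in acls.get(a, [])) for a in f[2:])
    return acls, rules, problems


def decide(conf, client_ip):
    """First matching http_access rule wins; ACLs on one line are ANDed."""
    acls, rules, _ = parse(conf)
    if not rules:
        raise ValueError("no http_access rules to evaluate")
    ip = ipaddress.ip_address(client_ip)
    for action, names in rules:
        if all(any(ip in n for n in acls.get(a, [])) for a in names):
            return action
    # No rule matched: Squid applies the opposite of the last rule.
    return "deny" if rules[-1][0] == "allow" else "allow"
```

With the broken sample an intranet client is denied because `deny all` matches first; with the fixed sample the same client is allowed and every other address is still denied.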

Turning on squid

Enable the proper run levels:

chkconfig squid on

Start the service:

service squid start

Verify that squid is running:

service squid status

Note, if you have problems starting squid, open a separate shell and run:

tail -f /var/log/messages

Then start the squid service in your original window:

service squid start

The tail command should show an error for squid that can help you solve the problem. One common error is that the swap (cache) directory doesn’t exist. To solve this problem, run squid with the -z option to automatically create the directories:

/usr/sbin/squid -z

Make sure that squid has write permission to the swap directory or this command won’t work.

Configuring the clients

If you are using Firefox or Mozilla you will need to add the proxy server as follows:

Go to Preferences>Network>Settings

Add the name of your new proxy server and port 3128 to the http proxy field (under manual configuration).

Open a shell to your proxy server so you can observe the log file being written to. Use tail, as before:

tail -f /var/log/squid/access.log

Now surf the web through your proxy server. You should see entries flying by in real time as you surf different http addresses. Congratulations, you now have a caching proxy server set up!
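Beyond watching the log scroll by, the same file can be summarized. The following added example (not from the original article) parses Squid's native access.log format in Python, reports cache hits per client, and lists any client address outside the intranet range, which on a proxy without authentication means the port is reachable from another network. The log lines are constructed, and the 192.168.0.0/24 range is the one assumed in the article's acl.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in Squid's native access.log format:
# time elapsed client code/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1170700001.101    245 192.168.0.15 TCP_MISS/200 4512 GET http://example.com/ - DIRECT/192.0.2.10 text/html
1170700002.310      3 192.168.0.15 TCP_HIT/200 4512 GET http://example.com/ - NONE/- text/html
1170700003.522      1 192.168.0.22 TCP_MEM_HIT/200 812 GET http://example.com/logo.png - NONE/- image/png
1170700004.007      0 203.0.113.77 TCP_DENIED/403 1380 GET http://example.org/ - NONE/- text/html
1170700005.870    198 192.168.0.22 TCP_MISS/200 9120 CONNECT example.net:443 - DIRECT/192.0.2.20 -
truncated line
"""


def summarize(log_text, intranet="192.168.0.0/24"):
    """Return (per-client stats, count of unparseable lines)."""
    net = ipaddress.ip_network(intranet)
    clients = defaultdict(lambda: {"requests": 0, "hits": 0, "denied": 0,
                                   "bytes": 0, "inside": False})
    skipped = 0
    for line in log_text.splitlines():
        f = line.split()
        try:
            addr = ipaddress.ip_address(f[2])
            code = f[3].split("/")[0]      # e.g. TCP_HIT from TCP_HIT/200
            size = int(f[4])
        except (IndexError, ValueError):
            skipped += 1                   # short or corrupted line
            continue
        c = clients[f[2]]
        c["requests"] += 1
        c["bytes"] += size
        c["hits"] += "HIT" in code         # TCP_HIT, TCP_MEM_HIT, ...
        c["denied"] += code == "TCP_DENIED"
        c["inside"] = addr in net
    return dict(clients), skipped


def hit_ratio(clients):
    """Fraction of all logged requests that were served from the cache."""
    total = sum(c["requests"] for c in clients.values())
    return sum(c["hits"] for c in clients.values()) / total if total else 0.0


def outsiders(clients):
    """Client addresses that do not belong to the intranet range."""
    return sorted(ip for ip, c in clients.items() if not c["inside"])


if __name__ == "__main__":
    stats, bad = summarize(SAMPLE_LOG)
    print(f"hit ratio {hit_ratio(stats):.0%}, {bad} unparseable line(s)")
    print("clients outside the intranet:", outsiders(stats))
```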

Summary

Quick recap: You installed squid with a simple yum command. You backed up the default configuration file, then edited just 6 lines. You started the proper run level. You started the squid service. You configured a client to use the proxy server, and then you verified it was working properly by tailing the log. To top it all off, you did it in 5 minutes. Now who says Linux isn’t fun?

61 responses to “Squid in 5 minutes”

  1. Arvind Rajan says:

    It was a nice lightweight Article with sufficient information to understand Squid. There is no room for any confusion.

  2. Terry says:

    Squid would not run using the line acl intranet 192.168.1.0/24

    I had to alter it to acl intranet src 192.168.1.0/24 192.168.2.0/24

  3. James Sandweiss says:

    I found this article to the point. I now understand Squid a little better.

  4. Pankaj Bajaj says:

    The skeleton level configuration of squid is here.

  5. Abhishek Singh says:

    This lightweight article on SQUID really provides a brief insight of how to configure SQUID proxy server. It pushes ahead the configuration a step ahead and encourages one to configure proxy with a message “Move on with it! It’s easy” !! I really appreciate it.

  6. Robert Reidenbach says:

    It should be:
    acl intranet src 192.168.0.0/24

    Great article though! :)

  7. Himanshu says:

    It’s really helpful to beginners!

  8. suman chakraborty says:

    good for beginning.
    further study needed to get in-depth knowledge.

  9. bhupesh karankar says:

    this is really belong to childhood.
    this is nothing but just a basic,
    i thought redhat magazine will provide any advance configuration for squid.

    ok no prob,
    but will u provide a solution?
    problem is i have setup squid server, but my client not able to access mail on outlook via squid. (outlook over squid)
    waiting for ur reply
    bhupesh karankar
    bkarankar@gmail.com

  10. Noah Gift says:

    Bhupesh,

    This article is definitely geared toward introducing people to Squid who have never used it before. I am glad you’re interested in more advanced configurations of Squid, as another article will be published shortly about configuring ACLs. It may possibly cover issues you’re experiencing with Squid.

    I would also be happy to write another article about configuring Squid to talk to ports other than just port 80. Perhaps this would help you with your problem as well.

    Please stay tuned,

    Noah

  11. Rishi kapur says:

    Well written for introduction.

  12. Mahesh Deshpande says:

    This is clean, concise, precise, and to the point. GREAT WORK

  13. Ron says:

    Definitely short and simple, acl works for me by the way..

  14. Noah Gift says:

    Just a quick note on subnet notation. I often forget how many addresses are in a subnet and what the proper notation is. If you are a python programmer…you’re in luck, or even if you’re not it is very straightforward to use with ipython. If you download the IPy module: http://cheeseshop.python.org/pypi/IPy/0.51

    You can explore many concepts of subnet notation, IP ranges, etc, by interactively using this from the command line. Download and use ipython interactively with the IPy module and you will never have to guess again.

    http://ipython.scipy.org/

  15. Shahzad Zafar says:

    I appreciate this effort, I would like to give a suggestion to please include DNATing using IPtables as it is required to allow Messengers, most of the people migrating from ISA try to find it inside Cache :) to configure, as of the obvious reason that ISA is combined Cache and Firewall, Thanks

  16. Dinooz says:

    I agree with Shahzad, the article is good, but incomplete, strongly suggest to add the IPtables to the server to automatically redirect all the input to the port 3128 then let the proxy work. This is the way to go, since you don’t want to configure by hand let’s say more than 20 computers, in my case 1,200 ;-)

    The full reference is at:
    http://tldp.org/HOWTO/TransparentProxy.html

    In Particular the magic is done by IPTables for the transparent proxy:
    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

    Then just configure your router to send all the Internet traffic to the Proxy and voilà your network must be up & running in no time.

    One of the cool features of this solution is the quick response action in case of failover, for whatever reason if SQUID goes down you can re-configure the router to access the internet via the normal route and all the machines should be up & running.

    /* Perhaps with the use of corporate Internet access would be really nice to integrate DANS-GUARDIAN as SQUID plugin to provide a good & reliable Web content Filtering to the corporate solution */
    ;-)

  17. Noah Gift says:

    Dinooz,

    You’re absolutely correct, although I would argue ANY article on squid is incomplete. It is a big subject. A transparent proxy is the way to go for a big installation. That is a great tip. I wanted people to be able to follow this first article from home without getting too in the weeds of dealing with their router and iptables.

    I think transparent proxy is a good subject for a follow up article on squid. It almost sounds like there is enough material for a book on squid. We haven’t even talked about
    using Squid as Web Accelerator, which say Django or Turbogears Web Application framework.

  18. Rick says:

    Great simple article.

    I would have added just one other simple and common thing and that is to configure squid to point to an upstream proxy as many ISPs have an upstream proxy and some discount data charges when you access the proxy instead of the internet at large.

  19. Ramesh Annappa Shetty says:

    This is the simple quick start configuration steps…I liked it more…Thanks for the same..

  20. Shahbaz says:

    plz put more advance squid configuration on magazine. for example customized for a CableNetwork or ISP

    Thanks

  21. Noman Khanzada says:

    This effort is really nice, newbie can easily understand the basic idea of squid with that guide.

    keep it up man

  22. Hashif says:

    Hi

    This is a great article which helped me in configuring squid.
    But I am stuck with one problem. We have a leased line and our ISP doesn’t give transparent proxy option. Since we need to go through ISP proxy server for internet, I need to configure my squid to connect to ISP proxy.
    Could someone help in configuring my squid to connect to ISP proxy for HTTP request.

  23. kapardhi says:

    Nice tutorial but there are many other factors
    suppose your client side system is windows based then you have to add authentication methods
    and in my opinion this is very light weight article
    you can add few more lines to give clear idea
    ok /

  24. Tawanda says:

    Quite precise and easy to follow for beginners. Well done!

  25. Gaurav says:

    I have installed squid 2.5 on linux, I am new to squid, I am trying to implement it in our setup. I have some queries, please help me out

    1) i want to block all website except some particular websites. when i making acl type dstdomain then its not working, but if i make on the base on ip address its working fine, please suggest me what should i do??

    2) can i make diff diff acl for diff users or computers.

    Please reply me and help out

  26. Kaboshia says:

    Dear,
    My problem is I have setup squid server, but my client not able to access mail on outlook via squid. (outlook over squid), if You have any solution to solve this problem please reply,
    waiting for ur reply
    Kaboshia,
    kaboshia@hotmail.com

  27. Zim says:

    Thanks, it was useful :)

  28. Abhijit Sharma says:

    Can u tell me how many client can squid proxy support to give quality performance. I am running RHEL4 in Xeon with 9GB memory. I have say around 3000 user in peak hour. My proxy performance becomes very slow. I am using Dansguardian for filter the 8080 port (Configured at clients) but my proxy port is 3128 which is by default. During peak hours 8080 port becomes dead slow but if i use 3128 its gives a faster access. Is there any way out to provide user a faster internet connection at 8080 port. Pls also tell me the limitation of Squid. My backbone is 2mbps Lease line.

  29. Noah Gift says:

    Abhijit,

    You have an interesting problem to solve. I would recommend collecting data via SNMP and scripts for a week, and then I would plot the data and see if you can figure out a trend.

    I have not been in your exact situation, but I have been in similar situations, and the solution was turn to a scientific method of analysis instead of trial and error.

    Good luck!

  30. koray says:

    nice thank you

  31. ametul vass says:

    Nice tutorial but there are many other factors
    suppose your client side system is windows based then you have to add authentication methods
    and in my opinion this is very light weight article

  32. sweet says:

    dear sir,
    i can use squid -z command
    2007/11/18 11:23:35| Squid is already running! Process ID 2512

    that means this proxy is ok. but client not browsing and this time close the proxy the client browse. after restart the proxy then again proxy running and 1 hour running after proxy browsing again off. plzzzzzzzzzzz help

    tail -f /var/log/message
    Nov 18 06:49:10 proxy kernel: [] autoremove_wake_function+0x0/0x35
    Nov 18 06:49:10 proxy kernel: [] vfs_write+0xbc/0x154
    Nov 18 06:49:10 proxy kernel: [] sys_write+0x41/0x67
    Nov 18 06:49:10 proxy kernel: [] syscall_call+0x7/0xb
    Nov 18 06:49:10 proxy kernel: =======================
    Nov 18 10:55:16 proxy kernel: ip_tables: (C) 2000-2006 Netfilter Core Team
    Nov 18 10:56:57 proxy squid[1718]: Squid Parent: child process 1720 exited with status 0
    Nov 18 10:56:57 proxy squid[2434]: Squid Parent: child process 2436 started
    Nov 18 11:11:34 proxy squid[2434]: Squid Parent: child process 2436 exited with status 0
    Nov 18 11:11:35 proxy squid[2510]: Squid Parent: child process 2512 started

  33. athlon_crazy says:

    Sweet,

    check your squid error in /var/log/syslog or squid /logs/debug.log

  34. vikram says:

    Sir,
    I am using squid at my home on RHEL3 server, for security reasons I need to restrict some sites (urls), Please help me for restricting some sites OR allowing only few sites which are required.
    thanking you in advance

  35. derya ajans says:

    thank you so much.

  36. obarhleam says:

    it excellent info, i truly appreciate. keep positive about squid or any other proxies in existence

  37. Shekehr says:

    Good article for a starter.

  38. BoB Anderson says:

    i came newly to a company that is using Squid .

    and i want to block everything in addition to the messengers like msn, yahoo, aol and so on except few website like 2 or 3 maybe ??? how can this be done..

    Thanks in advanced for the help.

  39. Sanjeev Kumar says:

    Sir
    This is very good article on Squid in Linux. Sir, Can you suggest any book for customization of squid and firewall in Linux.
    Sanjeev Kumar
    Kanpur, (UP)
    India

  40. fırat çöloğlu says:

    thank you for share

  41. Increase Search Engine Ranking says:

    Great Article, exactly what someone who has never tried squid before might want to read. Keep up the good work!

  42. Increase Search Engine Ranking says:

    Also, I did exactly as your instructions said, and it worked perfectly. Forgot to mention that.

  43. kapardhi says:

    This is nice article
    someone is asking about book
    O’Reilly published definitive guide to squid
    this book is a wonderful piece of squid guides
    take look at it

  44. binhmetal says:

    Thank you for your instruction. I think we should make a lot of short instruction like this for advance function of
    Squid.
    Binh

  45. Arun says:

    Dude…you Rock, its a real great start!, waitin for your advance CONFIG…hope its as simple as this is…Cheers bud

  46. ali says:

    This was a nice tutorial and very simple to understand. continue it.

  47. Abhay Naik says:

    Thank you for your instruction. Kindly guide me to resolve 443 error while accessing gmail.com.

    Thanks

  48. Leida says:

    You don’t need authentication, dummy.

    This is absolutely ‘Squid in 5 minutes’. Everything you need to get up and running.

    Head over to Squid’s website (http://www.squid-cache.org) to get more information about fine-tuning Squid for your environment!

  49. Abu Sufian says:

    Thanks..for Instruction..

    Its quite Helpful

  50. Jyothi says:

    hi,

    as i am new to linux i am not getting exactly where the changes to be done and where not to be done.
    i am totally confused!!!!
    could you make it further simple.
    as you know the squid.conf file is very lengthy, and it is confusing one
    kindly help me regarding the same.

    Thank You in advance

  51. Debapriya Biswas says:

    Squid is not logging any HTTPS connection requests while running in a Dual Homed Gateway (2 lan cards). How can i solve it?

  52. müzik dinle says:

    Thank you very Much .

    I think we should make a lot of short instruction like this for advance function of

  53. Fate says:

    Sir,

    I’m using squid and everything look exactly the setup above, but my problem when i browse the internet there’s any error on the page saying Access Denied.

    Appreciate your help.

  54. red says:

    how to block a mac address with squid acl’s !!!

    thanks

  55. Raj says:

    Hi

    When the squid will ready to filter https traffic ?

    Squid is very flexible and cool application to handle http traffic. I hope the next squid release definitely filtering the https traffic.

    thanks

  56. Victim says:

    Victimise the Red Hat… Yeahhhhhh do it..

  57. Grant Ingram says:

    Awesome article – I found it very useful. minutes was almost exactly as long as it took me and I’m not even using Red Hat!! Thank you very much.

  58. Anbuselvan says:

    Hi sir,
    This s article s very user friendly..I configured squid n running successfully in firefox browser,but its not working in Konqueror browser(KDE).i need help to over come this prob…

  59. vijay says:

    i have one proxy server (132.12.46.8) & have one redhat5.3 server (132.22.32.2).
    I wanted to use internet from 132.12.46.8 & create new proxy server on redhat 5.3(132.22.32.2)
    Then how can i create a new proxy server using another proxy server as internet provider?

  60. jamie d says:

    you have a lot of indian dudes reading your posts

  61. costa says:

    Have been confronted with a configuration file, that seemed bigger than the encyclopedia Britannica, your tutorial helped me to succeed to install and run a squid caching proxy server.
    Thanks a lot