by Noah Gift
Why Squid? Why only five minutes?
There are many great tools that Squid has to offer, but when I need to redirect http traffic to a caching server for performance increases or security, squid’s my pick. Squid has built in proxy and caching tools that are simple, yet effective.
I recently used Squid for a secure subnet that did not allow outgoing port 80 http access to external IP addresses. Many organizations will block external port 80 access at the router level. This is a great way to eliminate a huge security hole, but a headache when a systems administrator needs to reach the outside world temporarily to download a file. Another scenario: redirect all computers in a home network to a local caching server to increase website query performance and save on bandwidth.
The situations described above are when the five minute Squid configuration comes in very handy. All requests for external http access can be handled by squid through a simple proxy configuration on each client machine. Sounds complicated? It isn’t. Let’s get into the details next.
On a Red Hat® Enterprise Linux® or Fedora™ Core operating system, it is easy to check if Squid is installed using the rpm system. Type the command:
rpm -q squid
If Squid is already installed, you will get a response similar to:
If Squid isn’t installed, then you can use Yum to install it. Thanks to Yum the installation is quite easy.
Just type at a command line:
yum install squid
If you happen to have downloaded the rpm you can also type something like:
rpm -ivh squid-2.5.STABLE6-3.4E.12.i386.rpm
Squid’s main configuration file lives in /etc/squid/squid.conf. The 3,339 line configuration file is intimidating, but the good news is that it is very simple to setup a proxy server that forward http, https, and ftp requests to Squid on the default port of 3128 and caches the data.
Back up the configuration file
It is always good policy to backup a configuration file before you edit it. If you haven’t been burned yet, you haven’t edited enough configuration files. Make a backup from the command line or the gui and rename the original file something meaningful. I personally like to append a bck.datestamp. For example:
cp /etc/squid/squid.conf /etc/squid/squid.conf.bck.02052007
If it is the original configuration file you might choose to do:
cp /etc/squid/squid.conf /etc/squid/squid.conf.org.02052007
Edit the file
Open /etc/squid/squid.conf with your favorite text editor. I use vim, but nano is a good beginner’s command line text editor. If you do use nano, make sure you use the nano –nowrap option to turn off line wrapping when editing things like configuration files. A gui editor like Gedit will also work.
Five minute configuration
There are many fancy options for squid that we will not enable, specifically acls (access control lists) or authentication. We are going to set up a caching proxy server with no access control. This server would be suitable for a home network behind a firewall.
The default squid configuration is almost complete, but a few small changes should be made. You will need to either find and uncomment entries, or modify existing uncommented lines in the squid configuration file. Use your favorite text editor or a text find to quickly locate these lines:
visible_hostname machine-name http_port 3128 cache_dir ufs /var/spool/squid 1000 16 256 cache_access_log /var/log/squid/access.log
In the acl section near the bottom add:
acl intranet 192.168.0.0/24 http_access allow intranet
Let me explain what each of these six lines means:
visible_hostname – Create this entry and set this to the hostname of the machine. To find the hostname, use the command hostname. Not entering a value may cause squid to fail as it may not be able to automatically determine the fully qualified hostname of your machine.
http_port 3128 – Uncomment this line but there is no need to edit it unless you want to change the default port for http connections.
cache_dir ufs /var/spool/squid 1000 15 256 – Uncomment this line. You may want to append a zero to the value 100 which will make the cache size 1000MB instead of 100MB. The last two values stand for the default folder depth the cache will create on the top and subdirectories respectively. They do not need modification.
cache_access_log – Uncomment this line. This is where all requests to the proxy server will get logged.
acl intranet 192.168.0.0/24 – This entry needs to be added. It should correspond to whatever your local network range is. For example, if your Fedora server is 192.168.2.5 then the entry should be acl intranet 192.168.2.0/24
http_access allow intranet – This allows the acl named intranet to use the proxy server. Make sure to put allow directives above the last ‘http_access deny all’ entry, as it will overide any allow directives below it.
Turning on squid
Enable the proper run levels:
chkconfig squid on
Start the service:
service squid start
Verify that squid isrunning:
service squid status
Note, if you have problems starting squid, open a separate shell and run:
tail -f /var/log/messages
Then start the squid service in your original window:
service squid start
The tail command should show an error for squid that can help you solve the problem. One common error is that the swap (cache) directory doesn’t exist. To solve this problem, run squid with the -z option to automatically create the directories:
Make sure that squid has write permission to the swap directory or this command won’t work.
Configuring the clients
If you are using Firefox or Mozilla you will need to add the proxy server as follows:
Go to Preferences>Network>Settings
Add the name of your new proxy server and port 3128 to the http proxy field (under manual configuration).
Open a shell to your proxy server so you can observe the log file being written to. Use tail, as before:
tail -f /var/log/squid/access.log
Now surf the web through your proxy server. You should see entries flying by in real time as you surf different http addresses. Congratulations, you now have a caching proxy server setup!
Quick recap:You installed squid with a simple yum command. You backed up the default configuration file, then edited just 6 lines. You started the proper run level. You started the squid service. You configured a client to use the proxy server, and then you verified it was working properly by tailing the log. To top it all off, you did it in 5 minutes. Now who says Linux isn’t fun?