squid3 – basic config and more

it’s been a while since i’ve set up any [non]caching proxy servers. i’ve mostly dealt with reverse proxies: apache2 in 90% of cases, nginx in a few. below are a few copy&paste configs.

apt-get install squid3

content of /etc/squid3/squid.conf – basic config:

#no_cache deny STOPLISTA
cache_mem 4 MB
cache_dir ufs /var/spool/squid3/ 4 16 256
redirect_rewrites_host_header off
cache_replacement_policy lru
acl localnet src 192.168.0.0/16
acl localnet src 10.0.0.0/8
acl localnet src 127.0.0.1
acl Safe_ports port 80          # http
acl CONNECT method CONNECT

acl gmail dstdomain .gmail.com


# authentication
auth_param basic program /usr/lib/squid3/ncsa_auth /etc/squid3/auth
acl passauth proxy_auth REQUIRED
acl ncsa_users proxy_auth REQUIRED

http_access allow localnet
#http_access deny gmail
#http_access allow localnet
http_access deny all

maximum_object_size 150000 KB
store_avg_object_size 50 KB

cache_effective_user proxy
cache_effective_group proxy

log_icp_queries off
buffered_logs off


cache_access_log /var/log/squid3/access.log
cache_log /var/log/squid3/cache.log
cache_store_log /var/log/squid3/store.log
store_dir_select_algorithm least-load
forwarded_for on

# what not to cache:
acl QUERY urlpath_regex cgi-bin \?
acl url_htm     url_regex \.htm$
acl url_html    url_regex \.html$
acl url_pdf     url_regex \.pdf$
acl url_xls     url_regex \.xls$
acl SSL_ports port 443 563
no_cache deny QUERY
no_cache deny url_xls
no_cache deny url_pdf
no_cache deny url_html
no_cache deny url_htm
no_cache deny SSL_ports

http_port 3128

to run a transparent proxy [ on your router ] change:

http_port 3128

into

http_port 3128 transparent

and redirect all outgoing http traffic to the proxy:

iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128

to introduce proxy authentication – remove the transparent part (proxy authentication does not work on intercepted traffic) and add at the top of the acls:

# authentication
auth_param basic program /usr/lib/squid3/ncsa_auth /etc/squid3/auth
acl passauth proxy_auth REQUIRED
acl ncsa_users proxy_auth REQUIRED

http_access allow passauth
http_access deny all

you will need to create a password file with logins and hashes using apache2’s htpasswd:

htpasswd -c /etc/squid3/auth username0
htpasswd /etc/squid3/auth username1

if you want to block access to some domain:

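# dst would resolve the name to ip addresses once, when the config is loaded; dstdomain matches the requested hostname
acl gmail dstdomain .gmail.com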
http_access deny gmail
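
squid checks http_access lines top to bottom and the first match wins; the basic config above defines Safe_ports, SSL_ports and CONNECT but never uses them in an http_access line. the following is an added example (not part of the original config and not squid's own code): a small python model of that evaluation, covering only src, port and method acls, run on constructed requests. the HARDENED ordering and the extra port 443 in Safe_ports are assumptions modelled on squid's stock squid.conf.

```python
import ipaddress

ACLS = """
acl localnet src 192.168.0.0/16
acl localnet src 10.0.0.0/8
acl localnet src 127.0.0.1
acl Safe_ports port 80          # http
acl SSL_ports port 443 563
acl CONNECT method CONNECT
"""
PAGE = ACLS + "http_access allow localnet\nhttp_access deny all\n"  # as in the basic config
# assumption: ordering modelled on squid's stock squid.conf; 443 added to Safe_ports
HARDENED = ACLS + """acl Safe_ports port 443
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
"""

def parse(conf):
    """Collect acl values (same-name lines are ORed) and http_access rules in file order."""
    acls, rules = {}, []
    for line in conf.splitlines():
        tok = line.split("#", 1)[0].split()
        if len(tok) >= 4 and tok[0] == "acl":
            acls.setdefault(tok[1], (tok[2], []))[1].extend(tok[3:])
        elif len(tok) >= 3 and tok[0] == "http_access":
            rules.append((tok[1], tok[2:]))
    return acls, rules

def acl_matches(acls, name, req):
    if name == "all":  # built-in acl that matches every request
        return True
    kind, values = acls[name]
    if kind == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(v) for v in values)
    if kind in ("port", "method"):
        return str(req[kind]) in values
    raise ValueError("acl type not modelled: " + kind)

def decide(conf, req):
    """Return 'allow' or 'deny' for req = {'src': ..., 'port': ..., 'method': ...}."""
    acls, rules = parse(conf)
    for action, names in rules:
        # a rule matches only if every listed acl matches (a leading ! negates it)
        if all(acl_matches(acls, n.lstrip("!"), req) != n.startswith("!") for n in names):
            return action
    # nothing matched: squid applies the opposite of the last rule (deny if there are none)
    return "allow" if rules and rules[-1][0] == "deny" else "deny"
```

with the page's rules a localnet client may CONNECT to any port; with the hardened ordering only the ports in SSL_ports are reachable through CONNECT.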
