Table of Contents

Overview

Home tmade.de

Home Wiki

Squid

Commands

/usr/local/squid/sbin/squid -k parse                                      #Check Configuration
/usr/local/squid/sbin/squid -k reconfigure                                #Reload config
/usr/local/squid/sbin/squid -f /etc/squid/squid.conf -k parse             #Check Configuration
/usr/local/squid2/sbin/squid -f /etc/squid2/squid.conf -k parse           #Check specified config file
/usr/local/squid/sbin/squid -f /etc/squid/squid.conf -k parse             #Check specified config file
/share/MD0_DATA/.qpkg/Squid/opt/sbin/squid -f /share/MD0_DATA/.qpkg/Squid/opt/etc/squid/squid.conf -k parse

Autoconfig:

https://www.clearos.com/resources/documentation/clearos/content:en_us:kb_o_web_proxy_auto-detection_configuration

Config

Example1

/etc/squid/squid.conf
#
# Recommended minimum configuration:
#
#acl manager proto cache_object
#acl localhost src 127.0.0.1/32 ::1
#acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

error_directory /etc/squid/error

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl clients src 10.5.1.0/24     # Client-Netzwerk
acl mgmt-server src 192.168.05.12/32  # Management-Server
acl extern src all              # Externe Zugriffe
#acl localnet src fc00::/7       # RFC 4193 local private network range
#acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
#acl all src all

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl SSH_ports port 22           # ssh
acl IMAP_ports port 143         # imap
acl CONNECT method CONNECT

acl HTTPS proto HTTPS

acl ftp proto FTP
acl high_ports port 1025-65535
acl ftp_port port 21
http_access allow ftp_port CONNECT
http_access allow ftp
always_direct allow ftp
http_access allow high_ports

#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
http_access allow SSH_ports clients
http_access allow SSH_ports lydon
http_access allow IMAP_ports

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
#ignore_expect_100 on

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
#http_access allow extern



# And finally deny all other access to this proxy
#http_access deny all

# Squid normally listens to port 3128
# http_port 8080
http_port 10.6.3.25:8080
http_port 10.6.3.25:80 accel vhost
http_port 10.6.3.26:80 accel vhost

https_port 10.6.3.26:443 accel vhost cert=/root/certs/another-domain/another-domain.crt key=/root/certs/another-domain/another-domain.key cafile=/root/certs/another-domain/intermediate.crt options=ALL:NO_SSLv2:NO_SSLv3 cipher=ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:!RC4+RSA:+HIGH:!MEDIUM:!3DES

https_port 10.6.3.32:443 accel vhost cert=/root/certs/wildcard.local/wildcard.local.crt key=/root/certs/wildcard.local/wildcard.local.key cafile=/root/certs/wildcard.local/cabundle.crt options=ALL:NO_SSLv2:NO_SSLv3 cipher=ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:!RC4+RSA:+HIGH:!MEDIUM:!3DES

https_port 10.6.3.33:443 accel vhost cert=/root/certs/wildcard.local/wildcard.local.crt key=/root/certs/wildcard.local/wildcard.local.key cafile=/root/certs/wildcard.local/cabundle.crt options=ALL:NO_SSLv2:NO_SSLv3 cipher=ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:!RC4+RSA:+HIGH:!MEDIUM:!3DES

https_port 10.6.3.34:443 accel vhost cert=/root/certs/wildcard.local/wildcard.local.crt key=/root/certs/wildcard.local/wildcard.local.key cafile=/root/certs/wildcard.local/cabundle.crt options=ALL:NO_SSLv2:NO_SSLv3 cipher=ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:!RC4+RSA:+HIGH:!MEDIUM:!3DES

# not in use: 10.6.3.34-36

# We recommend you to use at least the following line.
#hierarchy_stoplist cgi-bin ?

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/log/squid/cache 100 16 256

# Leave coredumps in the first cache dir
#coredump_dir /var/log/squid/cache

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

# Configuration by tmade

#cache_peer 192.168.63.94 parent 443 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER login=PASS name=sdtcc
#manitu2:
cache_peer 10.124.32.7 parent 443 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER login=PASS name=sdtcc
acl sites_sdtcc dstdomain another-domain
cache_peer_access sdtcc allow sites_sdtcc
http_access deny !HTTPS sites_sdtcc
deny_info 307:https://%H%R sites_sdtcc
http_access allow extern sites_sdtcc

cache_peer 192.168.64.94 parent 443 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER login=PASS name=testhost
acl sites_testhost dstdomain test-domain.local
cache_peer_access testhost allow sites_testhost
http_access allow extern sites_testhost

cache_peer 192.168.64.94 parent 8444 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER login=PASS name=testhost-chesar
acl sites_testhost-chesar dstdomain chesar-domain.local
cache_peer_access testhost-chesar allow sites_testhost-chesar
http_access allow extern sites_testhost-chesar

# squid parameter
cache_dir diskd /var/log/squid/cache 3000 16 256
cache_mem 512 MB
coredump_dir /var/log/squid/cache
access_log /var/log/squid/logs/access.log common
cache_log /var/log/squid/logs/cache.log
cache_store_log /var/log/squid/logs/store.log
logfile_rotate 7
pid_filename /var/log/squid/logs/squid.pid
httpd_suppress_version_string on
#extension_methods RPC_IN_DATA RPC_OUT_DATA

cache_effective_user squid

http_access deny all

Example2

Another config example (similar, but without reverse config):

#
# Recommended minimum configuration:
#
cache_effective_user squid
cache_effective_group squid
#forwarded_for off
forwarded_for on
#forwarded_for delete
#proxy_protocol_access allow localnet
#follow_x_forwarded_for allow localhost
#follow_x_forwarded_for allow localnet
#cache_effective_group nogroup

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
#acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/24            # RFC 1918 local private network (LAN)
acl localnet src 172.17.0.0/16
acl localnet src 192.168.0.0/16                # RFC 1918 local private network (LAN)
#acl localnet src 100.64.0.0/10         # RFC 6598 shared address space (CGN)
#acl localnet src 169.254.0.0/16        # RFC 3927 link-local (directly plugged) machines
#acl localnet src 172.16.0.0/12         # RFC 1918 local private network (LAN)
#acl localnet src fc00::/7              # RFC 4193 local private network range
#acl localnet src fe80::/10             # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 8080
#http_port 8080 require-proxy-header
#http_port 3128
#http_port 192.168.30.33:3128
#http_port 443

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/log/squid/cache/squid 100 16 256
#cache_dir diskd /var/log/squid/cache 3000 16 256
cache_dir ufs /var/log/squid/cache/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/log/squid/cache/squid

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

# Configuration by tmade

# squid parameter
cache_mem 512 MB
access_log /var/log/squid/logs/access.log common
cache_log /var/log/squid/logs/cache.log
cache_store_log /var/log/squid/logs/store.log

# Add logfile rotated mechanism
logfile_rotate 7
debug_options rotate=1

pid_filename /var/log/squid/run/squid.pid

httpd_suppress_version_string on
#extension_methods RPC_IN_DATA RPC_OUT_DATA
#If you want to present a special hostname in error messages, etc, define this name.
visible_hostname squid-tmade

#url_rewrite_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf
#redirect_children 4
http_access deny all

Reverse example

Accessing vhost:

http_port 10.6.3.26:80 accel vhost

HTTPS:

https_port 10.6.3.24:443 accel vhost cert=/root/certs/test.crt key=/root/certs/test.key cafile=/root/certs/test.pem

Forwarding:

cache_peer 192.168.65.119 parent 80 0 no-query originserver login=PASS name=servernameXY
acl sites_servernameXY dstdomain test.com
cache_peer_access servernameXY allow sites_servernameXY
http_access allow extern sites_servernameXY

Compile

1. To compile Squid run

./configure

Advanced options:

./configure --with-large-files --sysconfdir=/etc/squid --localstatedir=/var/log/squid --enable-ssl --with-openssl --with-filedescriptors=16384 --enable-storeio=diskd,ufs --prefix=/usr/local/squid --with-included-ltdl

Note: “libssl-dev” is required!

sudo apt-get install libssl-dev

Options:

SLES:
--prefix=/usr
--sysconfdir=/etc/squid
--bindir=/usr/sbin
--sbindir=/usr/sbin
--localstatedir=/var
--libexecdir=/usr/sbin
--datadir=/usr/share/squid
Ubuntu:
--prefix=/usr
--localstatedir=/var
--libexecdir=${prefix}/lib/squid
--srcdir=.
--datadir=${prefix}/share/squid
--sysconfdir=/etc/squid

2.

make

3.

make install

Check also: http://wiki.squid-cache.org/SquidFaq/CompilingSquid#How_do_I_compile_Squid.3F

Note: “libssl-dev” is required if you set “–enable-ssl –with-openssl”.

Cache

To create cache:

/usr/local/squid/sbin/squid -z

Init-Script

#!/bin/sh

### BEGIN INIT INFO
# Provides:             squid
# Required-Start:       $network $remote_fs $syslog
# Required-Stop:        $network $remote_fs $syslog
# Default-Start:        2 3 4 5
# Default-Stop:
# Short-Description:    Proxy Server
### END INIT INFO

set -e

test -x /usr/local/squid/sbin/squid || exit 0

umask 022

SQUID=/usr/local/squid/sbin/squid

case "$1" in
 start)
   #echo -n "Starting SQUID: "
   $SQUID
;;

 stop)
   #echo -n "Shutdown SQUID: "
   $SQUID -k shutdown
   n=120
   while $SQUID -k check && [ $n -gt 120 ]; do
   sleep 1
   echo -n .
   n=`expr $n - 1`
   done
   ;;

 reload)
   echo -n "Reload SQUID: "
   $SQUID -k reconfigure
;;


 restart)
   #echo -n "Shutdown SQUID :"
   $SQUID -k shutdown
   n=120
   while $SQUID -k check && [ $n -gt 120 ]; do
   sleep 1
   echo -n .
   n=`expr $n - 1`
   done
   echo -n "Starting SQUID: "
   $SQUID
;;

 status)
   #echo -n "Status SQUID: "
   $SQUID -k check
   ;;

 probe)
   exit 0
   ;;

 *)
   echo "Usage: $0 {start|stop|status|reload|restart|probe}"
   exit 1
  esac

Unit File

[Unit]
# Description
Description=Squid Proxy
After=network.target network-online.target nss-lookup.target

[Service]
#Type=simple  (without forking)
#Type=oneshot (executing just once)
#Type=forking  (forking services like e. g. webserver)
Type=forking
User=nobody
Group=root

#Environment="JAVA_HOME=/usr/lib/jvm/default-java"
#EnvironmentFile="path/to/file"

ExecStart=/usr/local/squid/sbin/squid -f /usr/local/squid/etc/squid.conf -d1
#ExecStart=/usr/local/squid/sbin/squid
ExecStop=/usr/local/squid/sbin/squid -k shutdown

[Install]
# Target
WantedBy=multi-user.target

Windows

squid.exe -k reconfigure            #Reload config
squid.exe -k parse                  #Check config

squidGuard

Config and db:

/etc/squidguard/squidGuard.conf
/var/lib/squidguard/db

Add to “/etc/squid/squid.conf”:

url_rewrite_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf
redirect_children 4

Commands:

squidGuard -dC all                                          #rebuild database:
tail -f /var/log/squidguard/squidGuard.log

Update blacklists:

#!/bin/sh

#cd /var/lib/squidguard/db/temp
DBHOME='/var/lib/squidguard/db'
LOGFILE='/var/log/squidguard/squidGuard-update.log'

#Check if DBHOME path exists
if [ -d ${DBHOME} ]
then
    echo "DBHOME=\"$DBHOME\""
else
    echo "Path \"${DBHOME}\" doesn´t exist!" | tee -a $LOGFILE
    exit 1
fi

cd $DBHOME
rm -r blacklists-dsi.ut-capitole.fr blacklists.squidguard shallalist
echo $DBHOME

#Download and extract lists
wget -O shallalist.tgz http://www.shallalist.de/Downloads/shallalist.tar.gz
wget http://squidguard.mesd.k12.or.us/blacklists.tgz
wget -O blacklists-dsi.ut-capitole.fr.tgz http://dsi.ut-capitole.fr/blacklists/download/blacklists.tar.gz
tar -xzf shallalist.tgz --one-top-level=shallalist
tar -xzf blacklists-dsi.ut-capitole.fr.tgz --one-top-level=blacklists-dsi.ut-capitole.fr
tar -xzf blacklists.tgz --one-top-level=blacklists.squidguard
rm *.tgz*

#Update db and restart squid
squidGuard -dC all
chown -R proxy:proxy $DBHOME
systemctl restart squid.service