/usr/local/squid/sbin/squid -k parse #Check Configuration /usr/local/squid/sbin/squid -k reconfigure #Reload config /usr/local/squid/sbin/squid -f /etc/squid/squid.conf -k parse #Check Configuration /usr/local/squid2/sbin/squid -f /etc/squid2/squid.conf -k parse #Check specified config file /usr/local/squid/sbin/squid -f /etc/squid/squid.conf -k parse #Check specified config file /share/MD0_DATA/.qpkg/Squid/opt/sbin/squid -f /share/MD0_DATA/.qpkg/Squid/opt/etc/squid/squid.conf -k parse
Autoconfig:
/etc/squid/squid.conf
# # Recommended minimum configuration: # #acl manager proto cache_object #acl localhost src 127.0.0.1/32 ::1 #acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1 error_directory /etc/squid/error # Example rule allowing access from your local networks. # Adapt to list your (internal) IP networks from where browsing # should be allowed acl localnet src 10.0.0.0/8 # RFC1918 possible internal network acl localnet src 172.16.0.0/12 # RFC1918 possible internal network acl localnet src 192.168.0.0/16 # RFC1918 possible internal network acl clients src 10.5.1.0/24 # Client-Netzwerk acl mgmt-server src 192.168.05.12/32 # Management-Server acl extern src all # Externe Zugriffe #acl localnet src fc00::/7 # RFC 4193 local private network range #acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines #acl all src all acl SSL_ports port 443 acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 # https acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl SSH_ports port 22 # ssh acl IMAP_ports port 143 # imap acl CONNECT method CONNECT acl HTTPS proto HTTPS acl ftp proto FTP acl high_ports port 1025-65535 acl ftp_port port 21 http_access allow ftp_port CONNECT http_access allow ftp always_direct allow ftp http_access allow high_ports # # Recommended minimum Access Permission configuration: # # Only allow cachemgr access from localhost http_access allow manager localhost http_access deny manager http_access allow SSH_ports clients http_access allow SSH_ports lydon http_access allow IMAP_ports # Deny requests to certain unsafe ports http_access deny !Safe_ports # Deny CONNECT to other than secure SSL ports http_access deny CONNECT !SSL_ports # We strongly recommend the following be uncommented to protect innocent # web applications running on the proxy server who think the only # one who can access services on "localhost" is a local user #http_access deny to_localhost # # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS # #ignore_expect_100 on # Example rule allowing access from your local networks. # Adapt localnet in the ACL section to list your (internal) IP networks # from where browsing should be allowed http_access allow localnet http_access allow localhost #http_access allow extern # And finally deny all other access to this proxy #http_access deny all # Squid normally listens to port 3128 # http_port 8080 http_port 10.6.3.25:8080 http_port 10.6.3.25:80 accel vhost http_port 10.6.3.26:80 accel vhost https_port 10.6.3.26:443 accel vhost cert=/root/certs/another-domain/another-domain.crt key=/root/certs/another-domain/another-domain.key cafile=/root/certs/another-domain/intermediate.crt options=ALL:NO_SSLv2:NO_SSLv3 cipher=ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:!RC4+RSA:+HIGH:!MEDIUM:!3DES https_port 10.6.3.32:443 accel vhost cert=/root/certs/wildcard.local/wildcard.local.crt key=/root/certs/wildcard.local/wildcard.local.key cafile=/root/certs/wildcard.local/cabundle.crt options=ALL:NO_SSLv2:NO_SSLv3 cipher=ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:!RC4+RSA:+HIGH:!MEDIUM:!3DES https_port 10.6.3.33:443 accel vhost cert=/root/certs/wildcard.local/wildcard.local.crt key=/root/certs/wildcard.local/wildcard.local.key cafile=/root/certs/wildcard.local/cabundle.crt options=ALL:NO_SSLv2:NO_SSLv3 cipher=ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:!RC4+RSA:+HIGH:!MEDIUM:!3DES https_port 10.6.3.34:443 accel vhost cert=/root/certs/wildcard.local/wildcard.local.crt key=/root/certs/wildcard.local/wildcard.local.key cafile=/root/certs/wildcard.local/cabundle.crt options=ALL:NO_SSLv2:NO_SSLv3 cipher=ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:!RC4+RSA:+HIGH:!MEDIUM:!3DES # not in use: 10.6.3.34-36 # We recommend you to use at least the following line. #hierarchy_stoplist cgi-bin ? # Uncomment and adjust the following to add a disk cache directory. #cache_dir ufs /var/log/squid/cache 100 16 256 # Leave coredumps in the first cache dir #coredump_dir /var/log/squid/cache # Add any of your own refresh_pattern entries above these. refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 refresh_pattern . 0 20% 4320 # Configuration by tmade #cache_peer 192.168.63.94 parent 443 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER login=PASS name=sdtcc #manitu2: cache_peer 10.124.32.7 parent 443 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER login=PASS name=sdtcc acl sites_sdtcc dstdomain another-domain cache_peer_access sdtcc allow sites_sdtcc http_access deny !HTTPS sites_sdtcc deny_info 307:https://%H%R sites_sdtcc http_access allow extern sites_sdtcc cache_peer 192.168.64.94 parent 443 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER login=PASS name=testhost acl sites_testhost dstdomain test-domain.local cache_peer_access testhost allow sites_testhost http_access allow extern sites_testhost cache_peer 192.168.64.94 parent 8444 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER login=PASS name=testhost-chesar acl sites_testhost-chesar dstdomain chesar-domain.local cache_peer_access testhost-chesar allow sites_testhost-chesar http_access allow extern sites_testhost-chesar # squid parameter cache_dir diskd /var/log/squid/cache 3000 16 256 cache_mem 512 MB coredump_dir /var/log/squid/cache access_log /var/log/squid/logs/access.log common cache_log /var/log/squid/logs/cache.log cache_store_log /var/log/squid/logs/store.log logfile_rotate 7 pid_filename /var/log/squid/logs/squid.pid httpd_suppress_version_string on #extension_methods RPC_IN_DATA RPC_OUT_DATA cache_effective_user squid http_access deny all
Another config example (similar, but without reverse config):
# # Recommended minimum configuration: # cache_effective_user squid cache_effective_group squid #forwarded_for off forwarded_for on #forwarded_for delete #proxy_protocol_access allow localnet #follow_x_forwarded_for allow localhost #follow_x_forwarded_for allow localnet #cache_effective_group nogroup # Example rule allowing access from your local networks. # Adapt to list your (internal) IP networks from where browsing # should be allowed #acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN) acl localnet src 10.0.0.0/24 # RFC 1918 local private network (LAN) acl localnet src 172.17.0.0/16 acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN) #acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN) #acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines #acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN) #acl localnet src fc00::/7 # RFC 4193 local private network range #acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines acl SSL_ports port 443 acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 # https acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl CONNECT method CONNECT # # Recommended minimum Access Permission configuration: # # Deny requests to certain unsafe ports http_access deny !Safe_ports # Deny CONNECT to other than secure SSL ports http_access deny CONNECT !SSL_ports # Only allow cachemgr access from localhost http_access allow localhost manager http_access deny manager # We strongly recommend the following be uncommented to protect innocent # web applications running on the proxy server who think the only # one who can access services on "localhost" is a local user #http_access deny to_localhost # # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS # # Example rule allowing access from your local networks. # Adapt localnet in the ACL section to list your (internal) IP networks # from where browsing should be allowed http_access allow localnet http_access allow localhost # And finally deny all other access to this proxy http_access deny all # Squid normally listens to port 3128 http_port 8080 #http_port 8080 require-proxy-header #http_port 3128 #http_port 192.168.30.33:3128 #http_port 443 # Uncomment and adjust the following to add a disk cache directory. #cache_dir ufs /var/log/squid/cache/squid 100 16 256 #cache_dir diskd /var/log/squid/cache 3000 16 256 cache_dir ufs /var/log/squid/cache/squid 100 16 256 # Leave coredumps in the first cache dir coredump_dir /var/log/squid/cache/squid # # Add any of your own refresh_pattern entries above these. # refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 refresh_pattern . 0 20% 4320 # Configuration by tmade # squid parameter cache_mem 512 MB access_log /var/log/squid/logs/access.log common cache_log /var/log/squid/logs/cache.log cache_store_log /var/log/squid/logs/store.log # Add logfile rotated mechanism logfile_rotate 7 debug_options rotate=1 pid_filename /var/log/squid/run/squid.pid httpd_suppress_version_string on #extension_methods RPC_IN_DATA RPC_OUT_DATA #If you want to present a special hostname in error messages, etc, define this name. visible_hostname squid-tmade #url_rewrite_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf #redirect_children 4 http_access deny all
Accessing vhost:
http_port 10.6.3.26:80 accel vhost
HTTPS:
https_port 10.6.3.24:443 accel vhost cert=/root/certs/test.crt key=/root/certs/test.key cafile=/root/certs/test.pem
Forwarding:
cache_peer 192.168.65.119 parent 80 0 no-query originserver login=PASS name=servernameXY acl sites_servernameXY dstdomain test.com cache_peer_access servernameXY allow sites_servernameXY http_access allow extern sites_servernameXY
1. To compile Squid run
./configure
Advanced options:
./configure --with-large-files --sysconfdir=/etc/squid --localstatedir=/var/log/squid --enable-ssl --with-openssl --with-filedescriptors=16384 --enable-storeio=diskd,ufs --prefix=/usr/local/squid --with-included-ltdl
Note: “libssl-dev” is required!
sudo apt-get install libssl-dev
Options:
SLES:
--prefix=/usr
--sysconfdir=/etc/squid
--bindir=/usr/sbin
--sbindir=/usr/sbin
--localstatedir=/var
--libexecdir=/usr/sbin
--datadir=/usr/share/squid
Ubuntu:
--prefix=/usr
--localstatedir=/var
--libexecdir=${prefix}/lib/squid
--srcdir=.
--datadir=${prefix}/share/squid
--sysconfdir=/etc/squid
2.
make
3.
make install
Check also: http://wiki.squid-cache.org/SquidFaq/CompilingSquid#How_do_I_compile_Squid.3F
Note: “libssl-dev” is required if you set “–enable-ssl –with-openssl”.
To create cache:
/usr/local/squid/sbin/squid -z
#!/bin/sh
### BEGIN INIT INFO
# Provides: squid
# Required-Start: $network $remote_fs $syslog
# Required-Stop: $network $remote_fs $syslog
# Default-Start: 2 3 4 5
# Default-Stop:
# Short-Description: Proxy Server
### END INIT INFO
set -e
test -x /usr/local/squid/sbin/squid || exit 0
umask 022
SQUID=/usr/local/squid/sbin/squid
case "$1" in
start)
#echo -n "Starting SQUID: "
$SQUID
;;
stop)
#echo -n "Shutdown SQUID: "
$SQUID -k shutdown
n=120
while $SQUID -k check && [ $n -gt 120 ]; do
sleep 1
echo -n .
n=`expr $n - 1`
done
;;
reload)
echo -n "Reload SQUID: "
$SQUID -k reconfigure
;;
restart)
#echo -n "Shutdown SQUID :"
$SQUID -k shutdown
n=120
while $SQUID -k check && [ $n -gt 120 ]; do
sleep 1
echo -n .
n=`expr $n - 1`
done
echo -n "Starting SQUID: "
$SQUID
;;
status)
#echo -n "Status SQUID: "
$SQUID -k check
;;
probe)
exit 0
;;
*)
echo "Usage: $0 {start|stop|status|reload|restart|probe}"
exit 1
esac
[Unit] # Description Description=Squid Proxy After=network.target network-online.target nss-lookup.target [Service] #Type=simple (without forking) #Type=oneshot (executing just once) #Type=forking (forking services like e. g. webserver) Type=forking User=nobody Group=root #Environment="JAVA_HOME=/usr/lib/jvm/default-java" #EnvironmentFile="path/to/file" ExecStart=/usr/local/squid/sbin/squid -f /usr/local/squid/etc/squid.conf -d1 #ExecStart=/usr/local/squid/sbin/squid ExecStop=/usr/local/squid/sbin/squid -k shutdown [Install] # Target WantedBy=multi-user.target
squid.exe -k reconfigure #Reload config squid.exe -k parse #Check config
Config and db:
/etc/squidguard/squidGuard.conf /var/lib/squidguard/db
Add to “/etc/squid/squid.conf”:
url_rewrite_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf redirect_children 4
Commands:
squidGuard -dC all #rebuild database: tail -f /var/log/squidguard/squidGuard.log
Update blacklists:
#!/bin/sh
#cd /var/lib/squidguard/db/temp
DBHOME='/var/lib/squidguard/db'
LOGFILE='/var/log/squidguard/squidGuard-update.log'
#Check if DBHOME path exists
if [ -d ${DBHOME} ]
then
echo "DBHOME=\"$DBHOME\""
else
echo "Path \"${DBHOME}\" doesn´t exist!" | tee -a $LOGFILE
exit 1
fi
cd $DBHOME
rm -r blacklists-dsi.ut-capitole.fr blacklists.squidguard shallalist
echo $DBHOME
#Download and extract lists
wget -O shallalist.tgz http://www.shallalist.de/Downloads/shallalist.tar.gz
wget http://squidguard.mesd.k12.or.us/blacklists.tgz
wget -O blacklists-dsi.ut-capitole.fr.tgz http://dsi.ut-capitole.fr/blacklists/download/blacklists.tar.gz
tar -xzf shallalist.tgz --one-top-level=shallalist
tar -xzf blacklists-dsi.ut-capitole.fr.tgz --one-top-level=blacklists-dsi.ut-capitole.fr
tar -xzf blacklists.tgz --one-top-level=blacklists.squidguard
rm *.tgz*
#Update db and restart squid
squidGuard -dC all
chown -R proxy:proxy $DBHOME
systemctl restart squid.service