Squid
Squid home server
Network
If it is a separate machine, use a static IP and disable NetworkManager, wicd or whatever other network manager is running:
- configure /etc/network/interfaces as follows for eth0
# Static eth0 config
# "auto" brings the interface up at boot, "allow-hotplug" on a hotplug
# event; both are listed here, either one is normally enough on its own.
auto eth0
allow-hotplug eth0
iface eth0 inet static
address 192.168.0.10
netmask 255.255.255.0
gateway 192.168.0.1
Squid install and config
- this was done for squid 3.1.20
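# Install Squid 3 (this page was done for squid 3.1.20), reset the cache
# directory and write a fresh /etc/squid3/squid.conf.
apt-get install squid3
service squid3 stop
# NOTE(review): the cache_dir written below is /var/spool/squid3, but this
# line clears /var/spool/squid (no "3") -- confirm which directory is meant.
rm -rf /var/spool/squid/*
mkdir -p /var/spool/squid3
chown -R proxy:proxy /var/spool/squid3
chmod 0755 /var/spool/squid3
# Keep a copy of the packaged configuration before overwriting it.
cp -a /etc/squid3/squid.conf /etc/squid3/squid.conf_bkp
# The heredoc delimiter is quoted so the shell never expands anything inside
# the config (the refresh_pattern regexes contain "$", "\" and "?").
# Caveats on the content written below:
# - several refresh_pattern lines carry ignore-private / ignore-no-store,
#   which makes this shared cache keep responses the origin marked private
#   or non-cacheable; keep them only where every client may see every other
#   client's cached objects.
# - NOTE(review): newer Squid releases apply maximum_object_size only to
#   cache_dir lines that follow it; here cache_dir comes first -- confirm
#   for the version in use.
# - "http_access allow manager localhost" is what lets the squidclient
#   mgr: reports further down work from the proxy host only.
cat > /etc/squid3/squid.conf << 'EOF'
# from http://thejimmahknows.com/network-adblocking-using-squid-squidguard-and-iptables/
# listening port
http_port 3128
# suppress squid version string info
httpd_suppress_version_string on
# coredump
coredump_dir /var/spool/squid3
# cache config
cache_dir aufs /var/spool/squid3 8192 16 256
cache_mem 512 MB
minimum_object_size 0 bytes
maximum_object_size 32 MB
maximum_object_size_in_memory 8192 KB
# configure the replacement policy
# from http://muliantophang.blogspot.com.br/2013/09/optimize-squid-caching-hit-rate.html
# https://aacable.wordpress.com/tag/squid-maximum-cache-hit/
memory_replacement_policy heap GDSF
cache_replacement_policy heap GDSF
# squid logs
buffered_logs on
cache_access_log /var/log/squid3/access.log
cache_log /var/log/squid3/cache.log
cache_store_log /var/log/squid3/store.log
# refresh_patterns
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
# specific refresh patterns
# from https://www.linux.com/news/speed-your-internet-access-using-squids-refresh-patterns
# https://aacable.wordpress.com/tag/squid-maximum-cache-hit/
refresh_pattern -i \.(iso|avi|wav|mp3|mp4|mpeg|swf|flv|x-flv)$ 43200 90% 432000 refresh-ims reload-into-ims ignore-reload ignore-no-store ignore-private
refresh_pattern -i \.(deb|rpm|exe|dll|msi|zip|tar|gz|bz2|7z|tgz|tbz2|rar|arj)$ 10080 90% 43200 refresh-ims reload-into-ims ignore-reload ignore-no-store ignore-private
refresh_pattern -i \.(gif|png|jpg|jpeg|ico|tiff|svg)$ 10080 90% 43200 refresh-ims reload-into-ims ignore-reload ignore-no-store ignore-private
refresh_pattern -i \.(ppt|pptx|doc|docx|xls|xlsx|pdf|ps|txt)$ 1440 75% 43200 refresh-ims reload-into-ims ignore-private
refresh_pattern -i \.(css|js)$ 10089 40% 432000 refresh-ims reload-into-ims ignore-reload ignore-no-store ignore-private
refresh_pattern -i \.(xml|csv|json)$ 1440 40% 40320 refresh-ims reload-into-ims
refresh_pattern -i \.(html|htm)$ 1440 40% 40320 refresh-ims reload-into-ims
# acl lists
acl manager proto cache_object # to comment out for upgrade to 3.4
acl localhost src 127.0.0.1/32
acl localnet src 10.0.0.0/8 # RFC 1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC 1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC 1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
# port connections
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# allow/deny manager
http_access allow manager localhost
http_access deny manager
# deny requests to certain unsafe ports
http_access deny !Safe_ports
# deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# allowing access from your local networks
http_access allow localhost
http_access allow localnet
# finally deny all other access to this proxy
http_access deny all
EOF
service squid3 start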
Monitor squid use
- usage menu
# List the cache-manager report names; the manager is reachable from the
# proxy host only because of "http_access allow manager localhost".
squidclient -h 127.0.0.1 mgr:menu
- generic info
# General runtime information report from the cache manager.
squidclient -h 127.0.0.1 mgr:info
- disk usage
# Store directory (cache_dir) report: on-disk usage of the cache.
squidclient -h 127.0.0.1 mgr:storedir
- monitor real time hit and miss objects
Open two terminals and run one of the following lines in each
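# Live view of cache misses / hits: one line per terminal.
# --line-buffered makes grep flush each match at once so tail output is not
# held back by pipe buffering (the original spelled it "--line-buffere",
# which only works because GNU grep accepts unambiguous abbreviations).
tail -F /var/log/squid3/access.log | grep --line-buffered MISS | cat -n
tail -F /var/log/squid3/access.log | grep --line-buffered HIT | cat -n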
Squidguard install and config [optional]
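# Install squidGuard and fetch the public blacklist bundle into its db dir.
apt-get install squidguard
cp -a /etc/squidguard/squidGuard.conf /etc/squidguard/squidGuard.conf_bkp
# Download to a private mktemp file instead of the predictable
# /tmp/blacklists.tgz: a fixed name in the shared /tmp can be pre-created or
# symlinked by another local user before root writes to it.
# The bundle is fetched over plain HTTP and this page gives no signature or
# checksum for it; verify it against the publisher before extracting it as
# root into the squidGuard db directory.
blacklists=$(mktemp) || exit 1
wget -c http://squidguard.mesd.k12.or.us/blacklists.tgz -O "$blacklists"
tar -xzf "$blacklists" -C /var/lib/squidguard/db
rm -f -- "$blacklists"
chown -R proxy:proxy /var/lib/squidguard/db/*
# Compile the text lists into squidGuard's db files as the proxy user.
# NOTE(review): this runs before the squidGuard.conf written further down
# exists, so it compiles whatever dbhome the packaged conf points at --
# confirm the ordering, or re-run it after writing the conf.
sudo -u proxy squidGuard -C all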
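# Hook squidGuard into Squid as the URL rewriter. The append is guarded so
# re-running this recipe does not add a second url_rewrite_program block;
# the heredoc delimiter is quoted so nothing inside is shell-expanded.
grep -q '^url_rewrite_program ' /etc/squid3/squid.conf || cat >> /etc/squid3/squid.conf << 'EOF'
# rewrite program squidGuard
url_rewrite_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf
url_rewrite_children 2 #threads
url_rewrite_concurrency 0 #jobs per threads
EOF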
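# Write the squidGuard configuration (derived from the Debian Edu wiki page
# cited in the file header) and restart Squid so it picks up the rewriter.
# The heredoc delimiter is quoted so nothing in the config is shell-expanded.
# NOTE(review): dbhome assumes the blacklist archive unpacked into a
# blacklists/ directory under /var/lib/squidguard/db, and logdir must be
# writable by the proxy user -- confirm both.
# The redirect target in the acl is an external host, so every blocked
# request is sent to squidguard.org; serve a local block page instead if
# block events should not leave the network.
cat > /etc/squidguard/squidGuard.conf << 'EOF'
# from https://wiki.debian.org/DebianEdu/HowTo/SquidGuard/SquidGuardConf
#
# CONFIG FILE FOR SQUIDGUARD
#
# Caution: do NOT use comments inside { }
#
dbhome /var/lib/squidguard/db/blacklists
logdir /var/log/squidguard
dest good {
}
dest local {
}
dest ads {
domainlist ads/domains
urllist ads/urls
}
dest aggressive {
domainlist aggressive/domains
urllist aggressive/urls
}
dest audio-video {
domainlist audio-video/domains
urllist audio-video/urls
}
dest drugs {
domainlist drugs/domains
urllist drugs/urls
}
dest gambling {
domainlist gambling/domains
urllist gambling/urls
}
dest hacking {
domainlist hacking/domains
urllist hacking/urls
}
dest mail {
domainlist mail/domains
}
dest porn {
domainlist porn/domains
urllist porn/urls
}
dest proxy {
domainlist proxy/domains
urllist proxy/urls
}
dest redirector {
domainlist redirector/domains
urllist redirector/urls
}
dest spyware {
domainlist spyware/domains
urllist spyware/urls
}
dest suspect {
domainlist suspect/domains
urllist suspect/urls
}
dest violence {
domainlist violence/domains
urllist violence/urls
}
dest warez{
domainlist warez/domains
urllist warez/urls
}
acl {
default {
pass !ads !aggressive !audio-video !drugs !gambling !hacking !mail !porn !proxy !redirector !spyware !suspect !violence !warez all
redirect http://www.squidguard.org/Logos/squidGuard.gif
}
}
EOF
service squid3 restart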
Squid caching TLS/SSL (https://) connections [TODO]
- WARNING: TO COMPLETE
The following information consists of unfinished notes only
# Notes for rebuilding squid3 from the Debian source package with TLS support.
# Binary and source package are pinned to the same Debian version string.
squid_ver='3.4.8-6+deb8u2~bpo70+1'
#apt-get install "squid3=${squid_ver}" "squid3-common=${squid_ver}"
apt-get install "squid3-common=${squid_ver}"
apt-get source "squid3=${squid_ver}"
# Configure options of the packaged squid3 3.4.8-6+deb8u2~bpo70+1 build,
# kept for reference when re-running configure:
#   '--build=i486-linux-gnu' '--prefix=/usr' '--includedir=${prefix}/include'
#   '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info'
#   '--sysconfdir=/etc' '--localstatedir=/var' '--libexecdir=${prefix}/lib/squid3'
#   '--srcdir=.' '--disable-maintainer-mode' '--disable-dependency-tracking'
#   '--disable-silent-rules' '--datadir=/usr/share/squid3' '--sysconfdir=/etc/squid3'
#   '--mandir=/usr/share/man' '--enable-inline' '--disable-arch-native'
#   '--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd,rock'
#   '--enable-removal-policies=lru,heap' '--enable-delay-pools'
#   '--enable-cache-digests' '--enable-icap-client' '--enable-follow-x-forwarded-for'
#   '--enable-auth-basic=DB,fake,getpwnam,LDAP,MSNT,MSNT-multi-domain,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB'
#   '--enable-auth-digest=file,LDAP' '--enable-auth-negotiate=kerberos,wrapper'
#   '--enable-auth-ntlm=fake,smb_lm'
#   '--enable-external-acl-helpers=file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,unix_group,wbinfo_group'
#   '--enable-url-rewrite-helpers=fake' '--enable-eui' '--enable-esi' '--enable-icmp'
#   '--enable-zph-qos' '--enable-ecap' '--disable-translation'
#   '--with-swapdir=/var/spool/squid3' '--with-logdir=/var/log/squid3'
#   '--with-pidfile=/var/run/squid3.pid' '--with-filedescriptors=65536'
#   '--with-large-files' '--with-default-user=proxy' '--enable-build-info= linux'
#   '--enable-linux-netfilter' 'build_alias=i486-linux-gnu'
#   'CFLAGS=-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wall'
#   'LDFLAGS=-fPIE -pie -Wl,-z,relro -Wl,-z,now'
#   'CPPFLAGS=-D_FORTIFY_SOURCE=2'
#   'CXXFLAGS=-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security'
# remember to add --enable-ssl
# (and keep the PIE / stack-protector / RELRO+now / FORTIFY flags listed
# above so the rebuilt binary is no less hardened than the packaged one)
* from http://thejimmahknows.com/squid-3-1-caching-proxy-with-ssl/
* http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
*
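# Self-signed CA for ssl-bump (the page marks these notes as incomplete).
# The key generated here can issue a certificate for any site to every
# client that trusts it: keep it readable by the proxy user only and hand
# clients the certificate part alone, never squid.pem as a whole.
mkdir -p /etc/squid3/certs
#chown squid:squid /etc/squid3/certs
chmod 755 /etc/squid3/certs
cd /etc/squid3/certs || exit 1
# -keyout and -out name the same file, so squid.pem holds both the private
# key and the certificate; -nodes leaves the key unencrypted so squid can
# load it without a passphrase.
openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -extensions v3_ca -keyout squid.pem -out squid.pem
chown proxy:proxy squid.pem
# NOTE(review): no chmod is applied to squid.pem and its directory is 0755;
# confirm the file is not world-readable (e.g. 0600) since it holds the key.
# squid.conf directive for the bumping listener -- a config line, not a
# shell command (the original note repeated "ssl-bump" twice, presumably a
# paste duplication):
#   http_port 3128 ssl-bump cert=/etc/squid3/certs/squid.pem key=/etc/squid3/certs/squid.pem
# always_direct allow all
# Live miss/hit view, one line per terminal (--line-buffered spelled out;
# the original "--line-buffere" relies on GNU grep option abbreviation).
tail -F /var/log/squid3/access.log | grep --line-buffered MISS | cat -n
tail -F /var/log/squid3/access.log | grep --line-buffered HIT | cat -n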