A Basic Squid web-cache 3.4.8 and Centos 6.6 setup

As part of the tutorial section of this blog I'll be covering basic setups and some of the more advanced features of the best (at least I think the best) Linux based programs out there.
Mainly from a CentOS side (and maybe some Fedora/PiDora) I will go over the install process and the configs, and on top of that some of the best features and ways of monitoring the system in question.

So, Squid. This rather well known program began as a university project to speed the internet up. In 1996 Squid forked from that university project into a volunteer run project, now licensed under the GNU General Public License, that has evolved into the high performance, multi-use "internet acceleration program" it is today.
Squid on Wikipedia

INSTALL

The install process for this will be from a custom repository that is specific to Centos 5/6 and Squid 3.4.

(Please note: I only work in "sudo -i" prompts for tutorials.)
To start, get a running or freshly installed CentOS 6.6 system and run:

yum update

To be sure the system is up to date.

Add a new file:

#! /etc/yum.repos.d/squid.repo

[squid]
name=Squid repo for CentOS Linux 6 - $basearch
#IL mirror
baseurl=http://www1.ngtech.co.il/rpm/centos/6/$basearch
failovermethod=priority
enabled=1
gpgcheck=0

This adds the small custom repo to your yum repo list. Note that gpgcheck=0 turns off RPM signature verification for this repo, so whatever the mirror serves over plain HTTP gets installed unchecked.
To confirm, type:

yum repolist

[root@centos ~]# yum repolist
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
squid                 | 2.9 kB     00:00
repo id               repo name                                            status
base                  CentOS-6 - Base                                       6,518
epel                  Extra Packages for Enterprise Linux 6 - x86_64       11,186
extras                CentOS-6 - Extras                                        35
squid                 Squid repo for CentOS Linux 6 - x86_64                   55
updates               CentOS-6 - Updates                                      226
zabbix                Zabbix Official Repository - x86_64                     129
zabbix-non-supported  Zabbix Official Repository non-supported - x86_64        15
repolist: 18,164

With the repo added, run the install to get Squid (make sure the package is downloading from the new "squid" repo):

yum install squid 

CONFIGURE

Squid is a single-config-file kind of program; all of the settings needed for this setup live in

/etc/squid/squid.conf

Here is the full configuration I am using with info on what does what.

#! /etc/squid/squid.conf
#
# Recommended minimum configuration:
#

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

#####LEAVE EVERYTHING ABOVE HERE ALONE UNLESS YOU ARE LOOKING AT ADVANCED FEATURES#####

# Squid normally listens to port 3128
http_port 3128
#####This Defines the port that Squid will listen for incoming proxy requests on

# Uncomment and adjust the following to add a disk cache directory.
cache_dir ufs /u01/squid                8192 16 256
cache_dir ufs /SSD/squid                5120 16 256
cache_dir ufs /usbdisk/cache_dir        153600 32 256
#####As I am currently strapped for space on the single HDD attached to my hypervisor server, I took advantage of the option to define multiple cache_dir locations and have them combine into a single cache that is completely managed by Squid.
#####Define a new cache_dir with:
#cache_dir ufs /folder/with/the/owner/and/group/set/to/squid      size_in_MB     number_of_folders       number_of_subfolders_below_them

cache_mem 256 MB
#####RAM to be allocated to the squid process. Note: Squid may use more than allocated if the queue for writing to disk is full and the RAM is available

# Leave coredumps in the first cache dir
coredump_dir /u01/squid

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern -i \.jpg$       1440    20%     10080
refresh_pattern -i \.png$       1440    20%     10080
refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$ 10080 90% 43200 override-expire ignore-no-store ignore-private
refresh_pattern -i \.(iso|avi|wav|mp3|mp4|mpeg|swf|flv|x-flv)$ 43200 90% 432000 override-expire ignore-no-store ignore-private
refresh_pattern -i \.(deb|rpm|exe|zip|tar|tgz|ram|rar|bin|ppt|doc|tiff)$ 10080 90% 43200 override-expire ignore-no-store ignore-private
refresh_pattern -i \.(html|htm|css|js)$ 1440 40% 40320
# The catch-all "." pattern must stay last: refresh_pattern uses the first
# matching line, so anything listed after it would never be consulted.
refresh_pattern .               0       20%     4320
#####refresh patterns are your way of controlling more of the content that squid caches.
#####The refresh patterns listed here are good for a production network and will cache
#####static content like images and CSS files longer, reducing your load times and total bandwidth.
#####More info at http://www.squid-cache.org/Doc/config/refresh_pattern/


#####SNMP#####
snmp_port 3401
acl snmpaccess snmp_community ##Omitted SNMP Community String##
acl Zabbix src ##Omitted IP address##
snmp_access allow snmpaccess Zabbix
##### As I am a huge lover of the Zabbix monitoring system I took advantage of the Squid SNMP features (I will cover them and Zabbix in a later post)

#include store.log file in logs
cache_store_log /var/log/squid/store.log
#####This creates more log files for you to stare at and is helpful for seeing which refresh_patterns are functioning correctly
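Both http_access and refresh_pattern are evaluated first match wins, so an ordering slip silently leaves dead rules behind. The following shell check is my added example (not code from the post or from Squid) that reads a squid.conf and reports a refresh_pattern shadowed by the catch-all ".", an http_access line after "deny all", and an "allow" placed before "deny !Safe_ports":

```shell
#!/bin/sh
# Lint a squid.conf for "first match wins" ordering mistakes. Added example
# for this post (not a Squid tool). It reports:
#   1. a refresh_pattern placed after the catch-all "." pattern (never
#      consulted, so it caches nothing);
#   2. an http_access line placed after "http_access deny all" (dead rule);
#   3. an "http_access allow" placed before "http_access deny !Safe_ports"
#      (matching clients could reach any destination port).
# Returns 1 if anything was reported, 0 otherwise.
lint_squid_order() {
  awk '
    $1 == "refresh_pattern" {
      re = ($2 == "-i") ? $3 : $2        # regex follows the optional -i flag
      if (catchall) {
        printf("shadowed by catch-all on line %d: line %d: %s\n", catchall, NR, $0)
        bad++
      } else if (re == "." || re == ".*" || re == "^.*") {
        catchall = NR
      }
    }
    $1 == "http_access" {
      if (denyall) {
        printf("dead rule after deny all on line %d: line %d: %s\n", denyall, NR, $0)
        bad++
      } else if ($2 == "deny" && $3 == "all") {
        denyall = NR
      } else if ($2 == "deny" && $3 == "!Safe_ports") {
        safe_deny = NR
      } else if ($2 == "allow" && !safe_deny) {
        printf("allow before deny !Safe_ports: line %d: %s\n", NR, $0)
        bad++
      }
    }
    END { exit bad ? 1 : 0 }
  ' "$1"
}

# Constructed sample with the catch-all "." ahead of an image pattern, as in
# the refresh_pattern section of this post; the image line is reported.
sample=$(mktemp)
cat > "$sample" <<'EOF'
http_access deny !Safe_ports
http_access allow localnet
http_access deny all
refresh_pattern .               0       20%     4320
refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$ 10080 90% 43200 override-expire
EOF
lint_squid_order "$sample" || echo "ordering problems found, fix before restarting squid"
rm -f "$sample"
```

Run it against /etc/squid/squid.conf before `squid -k parse`; the parser only checks syntax, not rule order.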

FIREWALL

As on all my systems I keep iptables running, so here are the firewall requirements for Squid:

#! /etc/sysconfig/iptables

##Omitted iptables config

-A INPUT -i lo -j ACCEPT

##Omitted iptables config

#squid
-I INPUT -m state --state NEW -m tcp -p tcp --dport 3128 -j ACCEPT
#squidSNMP
-I INPUT -m state --state NEW -m tcp -p tcp --dport 3401 -j ACCEPT
-I INPUT -m state --state NEW -m udp -p udp --dport 3401 -j ACCEPT

##Omitted iptables config

-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

After that run:

service iptables restart

START

The daemon is ready to start, the config files are set and space is hopefully available on your system... or is it? The cache_dir directories have to be created before the service can start. Run:

squid -z

To force the creation of the cache dirs
After that just:

service squid start

To start caching downloads.
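The usual reason `squid -z` fails is a cache_dir path that is missing or not owned by the squid user. This pre-flight check is my added example (not from the post or Squid); it reads the cache_dir lines straight out of squid.conf and assumes the service account is named squid:

```shell
#!/bin/sh
# Pre-start check for the cache_dir lines in squid.conf. Added example for
# this post, not a Squid tool: 'squid -z' can only build its swap directories
# if each cache_dir path exists and is owned by the squid user, so verify
# that first instead of reading the failure out of cache.log afterwards.

# Print the directory path from every cache_dir line in the given squid.conf.
cache_dir_paths() {
  awk '$1 == "cache_dir" { print $3 }' "$1"
}

# Return 0 if every cache_dir in $1 exists and is owned by $2 (default squid);
# otherwise print what is wrong with each offending path and return 1.
check_cache_dirs() {
  conf=$1; owner=${2:-squid}; rc=0
  for d in $(cache_dir_paths "$conf"); do
    if [ ! -d "$d" ]; then
      echo "missing: $d  (mkdir -p \"$d\" && chown $owner:$owner \"$d\")"
      rc=1
    elif [ "$(stat -c %U "$d" 2>/dev/null || stat -f %Su "$d")" != "$owner" ]; then
      echo "wrong owner on $d (expected $owner)"
      rc=1
    fi
  done
  return $rc
}

# Typical use before first start (assumes the post's config path):
#   check_cache_dirs /etc/squid/squid.conf && squid -z && service squid start
```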

Enjoy and more to come soon,

EXTRAS (Update: likely no additional links are to follow)

Monitoring Squid in a colourful way.
I will be covering the two simple ways to direct clients towards your caching server, and then a very forceful way of making sure they use it.
Then DansGuardian, Squid's younger cousin for controlling/limiting and monitoring the content users see.
Monitoring Squid through Zabbix, with a pre-made Zabbix 2.4 item template especially for Squid.
And then using Squid to cache Steam game downloads and, maybe, if I can get it functioning and tested, the bulk of Windows updates.
