As part of the tutorial section of this blog I'll be covering basic setups and some of the more advanced features of the best (at least, I think the best) Linux-based programs out there.
Mainly from a CentOS side (and maybe some Fedora/Pidora) I will go over the install process and the configs, and on top of that some of the best features and ways of monitoring the system in question.
So Squid... this rather well-known program began as a university project to speed the internet up. In 1996 Squid forked from that university project into a volunteer-run project, now licensed under the GNU General Public License, that has been evolving into the high-performance, multi-use "internet acceleration program" it is today.
Squid on Wikipedia
INSTALL
The install process for this will be from a custom repository that is specific to CentOS 5/6 and Squid 3.4.
(Please note: I only work in "sudo -i" prompts for tutorials.)
To start, get a running or freshly installed CentOS 6.6 working and run:
yum update
To be sure the system is up to date.
Add a new file:
#! /etc/yum.repos.d/squid.repo
[squid]
name=Squid repo for CentOS Linux 6 - $basearch
#IL mirror
baseurl=http://www1.ngtech.co.il/rpm/centos/6/$basearch
failovermethod=priority
enabled=1
gpgcheck=0
This adds the small custom repo to your yum repo list.
To confirm, type:
yum repolist
[root@centos ~]# yum repolist
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
squid                                                    | 2.9 kB     00:00
repo id               repo name                                              status
base                  CentOS-6 - Base                                         6,518
epel                  Extra Packages for Enterprise Linux 6 - x86_64         11,186
extras                CentOS-6 - Extras                                          35
squid                 Squid repo for CentOS Linux 6 - x86_64                     55
updates               CentOS-6 - Updates                                        226
zabbix                Zabbix Official Repository - x86_64                       129
zabbix-non-supported  Zabbix Official Repository non-supported - x86_64          15
repolist: 18,164
With the repo added, run the install to get Squid (make sure that the package is downloading through the new "squid" repo):
yum install squid
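The squid.repo file above sets gpgcheck=0, which tells yum to skip RPM signature verification for everything pulled from that repo. The following is an added example, not part of the original post: a small POSIX shell audit that reads a .repo file and reports every repo section that explicitly disables gpgcheck, so you can see at a glance which sources you are trusting unsigned. The sample repo file it writes is a constructed copy of the definition above.

```shell
#!/bin/sh
# Added example (not from the original post): report yum repo sections with
# gpgcheck=0, i.e. sections for which RPM signature verification is disabled.

# Print "repoid value" for every [section] in a .repo file. A section with no
# gpgcheck line is reported as "unset" (it then inherits whatever [main] in
# yum.conf says, so it is listed but not counted as disabled here).
repo_gpgcheck_values() {
    awk '
        /^\[.*\]$/ {
            if (id != "") print id, val
            id = substr($0, 2, length($0) - 2); val = "unset"; next
        }
        /^[ \t]*gpgcheck[ \t]*=/ {
            split($0, kv, "="); gsub(/[ \t]/, "", kv[2]); val = kv[2]
        }
        END { if (id != "") print id, val }
    ' "$1"
}

# Print only the repo ids that explicitly set gpgcheck=0.
repos_with_gpgcheck_disabled() {
    repo_gpgcheck_values "$1" | awk '$2 == "0" { print $1 }'
}

# Demonstration on a constructed copy of the squid.repo shown in the post.
demo_file=$(mktemp)
cat > "$demo_file" <<'EOF'
[squid]
name=Squid repo for CentOS Linux 6 - $basearch
#IL mirror
baseurl=http://www1.ngtech.co.il/rpm/centos/6/$basearch
failovermethod=priority
enabled=1
gpgcheck=0
EOF
echo "repos with signature checking disabled:"
repos_with_gpgcheck_disabled "$demo_file"   # prints: squid
rm -f "$demo_file"
```

Run it against /etc/yum.repos.d/*.repo on the proxy host to list every repo that ships unsigned packages; for the squid repo the only alternatives are to obtain the vendor's signing key and set gpgcheck=1, or to accept that the packages are verified by transport alone (plain http here).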
CONFIGURE
Squid is a single-config-file type of program; all of the settings required are contained within
/etc/squid/squid.conf
Here is the full configuration I am using, with info on what does what.
#! /etc/squid/squid.conf
#
# Recommended minimum configuration:
#

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

#####LEAVE EVERYTHING ABOVE HERE ALONE UNLESS YOU ARE LOOKING AT ADVANCED FEATURES#####

# Squid normally listens to port 3128
http_port 3128
#####This defines the port that Squid will listen on for incoming proxy requests

# Uncomment and adjust the following to add a disk cache directory.
cache_dir ufs /u01/squid 8192 16 256
cache_dir ufs /SSD/squid 5120 16 256
cache_dir ufs /usbdisk/cache_dir 153600 32 256
#####As I am currently strapped for a large amount of space on a single HDD attached to my hypervisor server, I took advantage of the option to define multiple cache_dir locations and have them combine into a single cache that is completely managed by Squid.
#####Define a new cache_dir with:
#cache_dir ufs /folder/with/the/owner/and/group/set/to/squid size_in_MB number_of_folders number_of_subfolders_below_them

cache_mem 256 MB
#####RAM to be allocated to the Squid process. Note: Squid may use more than allocated if the queue for writing to disk is full and the RAM is available

# Leave coredumps in the first cache dir
coredump_dir /u01/squid

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
refresh_pattern -i \.jpg$ 1440 20% 10080
refresh_pattern -i \.png$ 1440 20% 10080
refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$ 10080 90% 43200 override-expire ignore-no-store ignore-private
refresh_pattern -i \.(iso|avi|wav|mp3|mp4|mpeg|swf|flv|x-flv)$ 43200 90% 432000 override-expire ignore-no-store ignore-private
refresh_pattern -i \.(deb|rpm|exe|zip|tar|tgz|ram|rar|bin|ppt|doc|tiff)$ 10080 90% 43200 override-expire ignore-no-store ignore-private
refresh_pattern -i \.(html|htm|css|js)$ 1440 40% 40320
#####refresh patterns are your way of controlling more of the content that Squid caches.
#####The refresh patterns listed here are good for a production network and will cache
#####static content like images and CSS files longer, reducing your load times and total bandwidth.
#####More info at http://www.squid-cache.org/Doc/config/refresh_pattern/

#####SNMP#####
snmp_port 3401
acl snmpaccess snmp_community ##Omitted SNMP Community String##
acl Zabbix src ##Omitted IP address##
snmp_access allow snmpaccess Zabbix
##### As I am a huge lover of the Zabbix monitoring system I took advantage of the Squid SNMP features (will cover them and Zabbix in a later post)

#include store.log file in logs
cache_store_log /var/log/squid/store.log
#####This creates more log files for you to stare at and is helpful for seeing which refresh_patterns are functioning correctly
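Three things in that config are worth checking mechanically before every restart: Squid evaluates http_access rules first-match-wins, so the final "http_access deny all" must really be last (anything placed after it is dead, and without it unmatched clients are let through); every cache_dir path must exist before "squid -z" can populate it; and the refresh_pattern lines that carry ignore-private and ignore-no-store make Squid store responses the origin server marked as private or uncacheable, which is what lets images and downloads be served from cache but is also the setting to review if the proxy ever fronts authenticated sites. The following lint is an added example, not part of the original post or of Squid itself; it uses only awk and sh, and the sample config it writes is a constructed excerpt of the configuration above.

```shell
#!/bin/sh
# Added example (not from the original post): a small lint for the
# security-relevant parts of a squid.conf.

# Print the http_access rules of a config in file order, comments stripped,
# e.g. "deny !Safe_ports", "allow localnet", "deny all".
http_access_rules() {
    awk '{ sub(/#.*/, "") }
         $1 == "http_access" { $1 = ""; sub(/^ +/, ""); print }' "$1"
}

# Succeed only if the final http_access rule is "deny all".
check_final_deny_all() {
    last=$(http_access_rules "$1" | tail -n 1)
    [ "$last" = "deny all" ]
}

# Print any http_access rules that come after "deny all" (unreachable rules).
rules_after_deny_all() {
    http_access_rules "$1" | awk 'seen { print } $0 == "deny all" { seen = 1 }'
}

# Print the directory of every cache_dir line; the directive format is
# "cache_dir <type> <directory> <size-MB> <L1> <L2>".
cache_dir_paths() {
    awk '{ sub(/#.*/, "") } $1 == "cache_dir" { print $3 }' "$1"
}

# Print cache_dir paths that do not exist yet (create and chown them to the
# squid user before running "squid -z").
missing_cache_dirs() {
    cache_dir_paths "$1" | while read -r d; do
        [ -d "$d" ] || echo "$d"
    done
}

# Print refresh_pattern lines that override the origin's caching directives.
refresh_overrides() {
    awk '{ sub(/#.*/, "") }
         $1 == "refresh_pattern" && /ignore-(private|no-store)/' "$1"
}

# Demonstration on a constructed excerpt of the config shown in the post.
sample=$(mktemp)
cat > "$sample" <<'EOF'
acl localnet src 192.168.0.0/16
acl SSL_ports port 443
acl Safe_ports port 80
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 3128
cache_dir ufs /u01/squid 8192 16 256
cache_dir ufs /SSD/squid 5120 16 256
refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$ 10080 90% 43200 override-expire ignore-no-store ignore-private
refresh_pattern -i \.(html|htm|css|js)$ 1440 40% 40320
EOF
if check_final_deny_all "$sample"; then
    echo "ok: http_access ends with 'deny all'"
else
    echo "WARNING: last http_access rule is not 'deny all'"
    echo "unreachable rules:"; rules_after_deny_all "$sample"
fi
echo "cache_dir paths not yet created:"; missing_cache_dirs "$sample"
echo "refresh_pattern lines overriding origin cache directives:"; refresh_overrides "$sample"
rm -f "$sample"
```

Point it at /etc/squid/squid.conf from a "sudo -i" shell; pair it with Squid's own syntax check ("squid -k parse") before "service squid start".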
FIREWALL
As with all systems I keep iptables running, so here are the firewall requirements for Squid:
#! /etc/sysconfig/iptables
##Omitted iptables config
-A INPUT -i lo -j ACCEPT
##Omitted iptables config
#squid
-I INPUT -m state --state NEW -m tcp -p tcp --dport 3128 -j ACCEPT
#squidSNMP
-I INPUT -m state --state NEW -m tcp -p tcp --dport 3401 -j ACCEPT
-I INPUT -m state --state NEW -m udp -p udp --dport 3401 -j ACCEPT
##Omitted iptables config
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
After that run:
service iptables restart
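The three Squid rules above carry a --dport but no -s/--source match, so the proxy port 3128 and the SNMP port 3401 are accepted from any address that can reach the interface; the http_access and snmp_access rules in squid.conf are then the only thing between an outside host and the service. The following is an added example, not part of the original post: a shell audit that reads an iptables-save style file such as /etc/sysconfig/iptables and lists every INPUT ACCEPT rule that opens a port without a source restriction. The sample rules it writes are a constructed copy of the post's rules plus one constructed rule with "-s 192.168.0.0/16" (a placeholder client network) to show what a restricted rule looks like.

```shell
#!/bin/sh
# Added example (not from the original post): list INPUT ACCEPT rules in an
# iptables-save style file that open a port to any source address.

# Print "proto dport source" for every -A/-I INPUT ... -j ACCEPT rule that
# has a --dport; source is "any" when the rule has no -s/--source match.
input_accept_ports() {
    awk '
        /^(-A|-I) INPUT / && / -j ACCEPT/ && / --dport / {
            proto = "?"; port = "?"; src = "any"
            for (i = 1; i <= NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport") port = $(i + 1)
                if ($i == "-s" || $i == "--source") src = $(i + 1)
            }
            print proto, port, src
        }
    ' "$1"
}

# Print "proto/port" for the rules accepted from any source: these are the
# listeners worth restricting with "-s <client network>" if the proxy host
# has more than one network attached.
open_to_any_source() {
    input_accept_ports "$1" | awk '$3 == "any" { print $1 "/" $2 }'
}

# Demonstration on a constructed copy of the rules shown in the post.
sample=$(mktemp)
cat > "$sample" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
#squid
-I INPUT -m state --state NEW -m tcp -p tcp --dport 3128 -j ACCEPT
#squidSNMP
-I INPUT -m state --state NEW -m tcp -p tcp --dport 3401 -j ACCEPT
-I INPUT -m state --state NEW -m udp -p udp --dport 3401 -j ACCEPT
# constructed rule restricted to a placeholder client network
-I INPUT -s 192.168.0.0/16 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
echo "ports accepted from any source:"
open_to_any_source "$sample"   # prints: tcp/3128 tcp/3401 udp/3401
rm -f "$sample"
```

If 3128 or 3401 shows up and the host is reachable from outside the client network, add "-s <your localnet>" to those rules so the firewall matches the localnet ACL in squid.conf, then run "service iptables restart" again.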
START
The daemon is ready to start, the config files are set and space is hopefully available on your system... or is it... the cache_dir directories have to be created before the service can start. Run:
squid -z
to force the creation of the cache dirs.
After that just:
service squid start
to start caching downloads.
Enjoy, and more to come soon.
EXTRAS (Update: Likely no additional links are to follow)
Monitoring Squid in a colourful way.
I will be covering the two simple ways to direct clients towards your caching server, and then a very forceful way of making sure they use it.
Then DansGuardian, Squid's younger cousin, for controlling/limiting and monitoring the content of users.
Monitoring Squid through Zabbix and a pre-made Zabbix 2.4 item template especially for Squid.
And then using Squid to cache Steam game downloads and maybe, if I can get it functioning and tested, the bulk of Windows updates.