Squid – webcache/proxy

Squid is a caching proxy for the web that supports HTTP, HTTPS, FTP and more. By caching frequently requested pages, it speeds up web page load times and reduces bandwidth use. It can also act as a reverse proxy to accelerate web servers by serving up cached content.

Basic Squid is easy to install:

# yum install squid

Out-of-the-box, Squid will work as a web client proxy for the local host and local network. What you want to do is edit /etc/squid/squid.conf and look for the “localnet” entries, to comment out those networks that are not on your local network. For instance, if you use a 192.168 network at home, comment out the 10.0.0.0 and 172.16.0.0 lines:

#acl localnet src 10.0.0.0/8 # RFC1918 possible internal network

#acl localnet src 172.16.0.0/12 # RFC1918 possible internal network

acl localnet src 192.168.0.0/16 # RFC1918 possible internal network

Next, start the Squid service. If you have a firewall enabled on the system, be sure to allow TCP access to port 3128.

At this point, you can test by using a command line browser on the local system by doing:

$ export http_proxy=" elinks

And then look at the /var/log/squid/access.log file. If the browser did not complain about not being able to connect, and the log files show activity, then you have successfully set up Squid.

The logs will look something like this:

1281203766.589 2626 ::1 TCP_MISS/200 18137 GET - DIRECT/1.1.1.1 text/html

1281203767.186 595 ::1 TCP_MISS/200 4867 GET commonPrint.css? - DIRECT/1.1.1.1 text/css

If you were to execute the same browser command again, you would see the following:

1281204000.528 313 ::1 TCP_MISS/200 18137 GET - DIRECT/1.1.1.1 text/html

1281204000.591 60 ::1 TCP_REFRESH_UNMODIFIED/200 4873 GET commonPrint.css? - DIRECT/1.1.1.1 text/css

This shows you the cache at work. The initial page is loaded again, but the CSS file is sent to the requesting browser using the cached copy. The next step is to try the same from another system that would also be using the cache (you can easily use the same command line browser command if available).
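The hit/miss pattern in the log lines above can be tallied automatically. The following is an added example, not part of the original article: a small Python parser for Squid's native access.log layout that reports how much traffic was served from cache. The sample lines are constructed (the example.com URLs and 192.0.2.10 are placeholders), and the set of result codes counted as cache-served is this example's own choice.

```python
from collections import Counter

# Squid result codes treated here as "body came from the cache" (example's choice).
# TCP_REFRESH_UNMODIFIED: Squid revalidated with the origin, then served its own copy.
CACHE_SERVED = {"TCP_HIT", "TCP_MEM_HIT", "TCP_IMS_HIT", "TCP_REFRESH_UNMODIFIED"}

# Constructed sample in the native layout (URLs and peer address are placeholders):
# time elapsed client code/status bytes method URL ident hierarchy/peer content-type
SAMPLE_LOG = """\
1281203766.589 2626 ::1 TCP_MISS/200 18137 GET http://www.example.com/ - DIRECT/192.0.2.10 text/html
1281203767.186 595 ::1 TCP_MISS/200 4867 GET http://www.example.com/commonPrint.css? - DIRECT/192.0.2.10 text/css
1281204000.528 313 ::1 TCP_MISS/200 18137 GET http://www.example.com/ - DIRECT/192.0.2.10 text/html
1281204000.591 60 ::1 TCP_REFRESH_UNMODIFIED/200 4873 GET http://www.example.com/commonPrint.css? - DIRECT/192.0.2.10 text/css
this line is truncated
"""

def parse_line(line):
    """Return a dict for one native-format line, or None if it is malformed."""
    fields = line.split()
    if len(fields) < 10 or "/" not in fields[3]:
        return None
    code, _, status = fields[3].partition("/")
    try:
        return {"time": float(fields[0]), "elapsed_ms": int(fields[1]),
                "client": fields[2], "code": code, "status": int(status),
                "bytes": int(fields[4]), "method": fields[5], "url": fields[6]}
    except ValueError:
        return None

def summarize(log_text):
    """Count result codes and compute request and byte hit ratios."""
    codes, hit_bytes, total_bytes, skipped = Counter(), 0, 0, 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += bool(line.strip())  # count malformed, ignore blank lines
            continue
        codes[rec["code"]] += 1
        total_bytes += rec["bytes"]
        if rec["code"] in CACHE_SERVED:
            hit_bytes += rec["bytes"]
    total = sum(codes.values())
    hits = sum(n for c, n in codes.items() if c in CACHE_SERVED)
    return {"codes": dict(codes), "skipped": skipped,
            "hit_ratio": hits / total if total else 0.0,
            "byte_hit_ratio": hit_bytes / total_bytes if total_bytes else 0.0}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

To run it against a real log, pass the contents of /var/log/squid/access.log to summarize() instead of SAMPLE_LOG.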

If you want a transparent proxy setup, so that users will not know the proxy is in use and cannot circumvent it, you can do so by adjusting iptables rules; if your firewall system is running Linux, this is easily accomplished. Note that if you do use a transparent proxy, you cannot use authentication on the proxy. If that isn’t important to you, setting up a transparent proxy is a fast and easy way to force everyone on the network to use it.

In /etc/squid/squid.conf you want to uncomment the “cache_dir” directive:

# Uncomment and adjust the following to add a disk cache directory.

cache_dir ufs /var/spool/squid 7000 16 256

and change

http_port 3128

to

http_port 3128 transparent

Restart the Squid service. You also need to change the firewall rules on your network’s firewall or gateway system so that all outbound HTTP traffic is redirected to the proxy. This can be tricky, depending on whether your Squid install is on the firewall system itself or on a separate system in the local network.

The Squid wiki has a section on Interception (i.e. transparent proxies) and how to set them up with Cisco devices, Linux, FreeBSD, and OpenBSD. It also has other example configurations and explains how to set up various forms of authentication.

Squid can be used for more than just web page caching. It can also function as a web filter, with 3rd party add-ons to block “bad” Internet sites, and as a reverse proxy to cache web page requests for web servers.