Squid Proxy Server: Configuration Checklist
===========================================

Shanker Balan
http://shankerbalan.com/

Changelog:

Mon Jun 9 12:42:29 IST 2003
  * Redoing the entire cfg, more structured now.

Tue May 13 16:17:05 IST 2003
  * Std squid cfg

Fri Sept 14 2001
  * Initial roll-out

Overview:

Squid configuration quicklist for a standard setup with delay pools,
transparent proxy and SNMP support.

- Squid is made to listen on ports 3128 and 8080. Port 80 redirects are made
  to 3128, and 8080 is to be used as the proxy port for users to connect to.
  Since 8080 is more "standard" than 3128, it also reduces "what is the proxy
  port?" support questions.

- The aggregate delay pool threshold is set to a lower value than the actual
  rated speed of the uplink so that HTTP does not drown other protocols.

- "deny all" lines are used wherever possible to prevent proxy abuse.

- Set the SNMP community to anything *other* than "public". This is to prevent
  SNMP abuse.

- Use the "diskd" backend to avoid blocking the squid process on disk IO.

- Password protect the cachemgr interface.

- Bypass the proxy for webservers on the LAN using "always_direct".
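A small lint for the checklist items above, added here as an example (it is not part of the original checklist, nor a Squid tool). It reads a squid config file, ignores commented-out lines, and reports each item as OK or FAIL: an SNMP community other than "public", a cachemgr password that is not Squid's special value "none", an aggregate delay pool restore rate below the uplink speed, and a trailing "deny all" on every *_access list that is in use. The two sample configs are constructed for the demonstration: the first mirrors the config further down this page, the second deliberately weakens each item. The uplink argument is in bytes per second; 16000 assumes the page's "128kb" means 128 kbit/s.

```shell
#!/bin/sh
# Checklist lint for a Squid config file (added example, not from the page).
# Assumes only the directive names used on the page: acl ... snmp_community,
# cachemgr_passwd, delay_parameters and the *_access lists.

# Print the config with comments and blank lines removed, so that a
# commented-out "#http_access deny all" is never counted as active.
active_lines() {
    sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$1"
}

# Item: SNMP community must be something other than "public".
# Returns 0 when no active "acl <name> snmp_community public" line exists.
check_snmp_community() {
    if active_lines "$1" | grep -Eq '^[[:space:]]*acl[[:space:]]+[^[:space:]]+[[:space:]]+snmp_community[[:space:]]+public[[:space:]]*$'; then
        return 1
    fi
    return 0
}

# Item: the cachemgr interface must be password protected. A missing line or
# Squid's special password "none" (no password required) fails the check.
check_cachemgr_passwd() {
    pw=$(active_lines "$1" | grep -E '^[[:space:]]*cachemgr_passwd[[:space:]]' | head -n 1 | awk '{print $2}')
    [ -n "$pw" ] && [ "$pw" != none ]
}

# Item: the aggregate restore rate (the number before the "/" in the first
# delay_parameters line) must stay below the uplink rate in $2 (bytes/s).
check_delay_rate() {
    rate=$(active_lines "$1" | grep -E '^[[:space:]]*delay_parameters[[:space:]]' | head -n 1 | awk '{print $3}' | cut -d/ -f1)
    case "$rate" in
        ''|*[!0-9]*) return 1 ;;   # missing or not a plain number
    esac
    [ "$rate" -lt "$2" ]
}

# Item: an access list that is used must end in "deny all". $2 is the directive
# (http_access, icp_access, ...). An unused directive has nothing to check.
check_deny_all() {
    lines=$(active_lines "$1" | grep -E "^[[:space:]]*$2[[:space:]]" || true)
    if [ -z "$lines" ]; then
        return 0
    fi
    printf '%s\n' "$lines" | tail -n 1 | grep -Eq "[[:space:]]deny[[:space:]]+all[[:space:]]*$"
}

# Run one check, print its verdict and count failures in the global "fails".
run_item() {
    desc=$1; shift
    if "$@"; then
        echo "OK    $desc"
    else
        echo "FAIL  $desc"
        fails=$((fails + 1))
    fi
}

# Run the whole checklist against $1 with uplink rate $2; returns the failure count.
run_checklist() {
    fails=0
    run_item 'SNMP community is not "public"'           check_snmp_community "$1"
    run_item 'cachemgr interface is password protected' check_cachemgr_passwd "$1"
    run_item 'delay pool rate is below the uplink speed' check_delay_rate "$1" "$2"
    for d in http_access icp_access snmp_access delay_access; do
        run_item "$d ends with \"deny all\"" check_deny_all "$1" "$d"
    done
    return "$fails"
}

# Constructed sample configs for the demonstration (not real deployments).
WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
GOOD_CONF=$WORKDIR/good.conf
WEAK_CONF=$WORKDIR/weak.conf

cat > "$GOOD_CONF" <<'EOF'
http_port 3128
http_port 8080
cachemgr_passwd supersecret all
delay_pools 1
delay_class 1 1
delay_parameters 1 12000/12000
delay_access 1 allow lan
delay_access 1 deny all
acl lan src 192.168.1.0/255.255.255.0
http_access allow localhost
http_access allow lan
http_access deny all
icp_access allow lan
icp_access deny all
snmp_port 3401
acl snmppublic snmp_community squid
snmp_access allow snmppublic localhost
snmp_access deny all
cache_dir ufs /var/spool/squid 500 16 256
#cache_dir diskd /usr/local/squid/cache 500 16 256
EOF

cat > "$WEAK_CONF" <<'EOF'
http_port 3128
cachemgr_passwd none all
delay_pools 1
delay_class 1 1
delay_parameters 1 20000/20000
delay_access 1 allow all
acl lan src 192.168.1.0/255.255.255.0
http_access allow lan
# http_access deny all
acl snmppublic snmp_community public
snmp_access allow snmppublic
EOF

echo "== good.conf"; run_checklist "$GOOD_CONF" 16000 || true
echo "== weak.conf"; run_checklist "$WEAK_CONF" 16000 || true
```

Run it against a real squid.conf with `run_checklist /path/to/squid.conf 16000`, adjusting the second argument to the uplink's rated speed in bytes per second. The script only recognises the directives listed in its header comment; a config that expresses the same policy with other directives will need the patterns extended.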
###
### Compile Options (www/squid/Makefile)
###

[godzilla] ~# portinstall www/squid

# - Enable ICMP pinging for hierarchy stats and selection
CONFIGURE_ARGS+= --enable-icmp

# - Enable delay pools to limit bandwidth usage
CONFIGURE_ARGS+= --enable-delay-pools

# - Turn on SNMP server support
CONFIGURE_ARGS+= --enable-snmp

###
### squid/squid.cfg
###

# listen ports
http_port 3128
http_port 8080
icp_port 3130

# cache defaults
cache_mgr admin@mydomain.com
cachemgr_passwd supersecret all
ftp_user proxy@mydomain.com
append_domain .mydomain.com
visible_hostname proxy.mydomain.com

# interception proxy
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

# bandwidth controls (128kb uplink)
delay_pools 1
delay_class 1 1
delay_parameters 1 12000/12000
delay_access 1 allow lan
delay_access 1 deny all
delay_initial_bucket_level 50

# acl
acl lan src 192.168.1.0/255.255.255.0
acl local-intranet dst 192.168.1.0/255.255.255.0
http_access allow localhost
http_access allow lan
http_access deny all
always_direct allow local-intranet
never_direct allow all

# cache peering
cache_peer proxy.mydomain.com parent 3128 3130 proxy-only
icp_access allow lan
icp_access deny all

# SNMP
snmp_port 3401
acl snmppublic snmp_community squid
snmp_access allow snmppublic localhost
snmp_access deny all

# cache dir (500MB)
cache_dir ufs /var/spool/squid 500 16 256
#cache_dir diskd /usr/local/squid/cache 500 16 256

###
### ToDo
###

- ACL with time restrictions
- Add authentication (LDAP, PAM and SMB)
- Aggregate and individual delay pools
- Squid redirectors like squidGuard and squirm