
Squid 3.1 and higher


Unlike Squid 3.0, Squid 3.1 supports IPv6!
Squid 3.3 supports a way of dealing with broken IPv6 implementations inspired by the RFC 6555 Happy Eyeballs algorithm.
In Squid 3.x and 4 this is implemented correctly. In Squid 5 and 6 the implementation is broken. Here is a fix.

AFAIK Debian's version of Squid 3.x is not patched for security bug SQUID-2014:1. AFAIK SSL-Bump is default off, so you should be OK as long as you don't enable this feature.

Configuration

squid.conf

Cd to /etc/squid3/ and edit squid.conf;

Client ACLs

You probably don't want just anyone to access your proxy server. The default client ACL however is rather limited. Edit to suit your needs. EG;

acl localnet src 192.168.1.0/24
acl localnet src 2001:db8:1234::/48

Or whatever your local networks are.

You may also want to firewall the proxy port.

Allow localnet

The 'http_access allow localnet' line is commented out; remove the comment.
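To see why the commented-out line matters, here is an added Python example (not part of this page or of Squid) that evaluates a client address against the src ACLs and http_access lines of a squid.conf fragment the way Squid does: a line matches only when every ACL on it matches, the first matching line wins, and when nothing matches the opposite of the last line's action applies. The configuration text is constructed for the example; the 'localhost' ACL and the final 'deny all' are the ones Debian's stock file ships.

```python
import ipaddress

# Constructed squid.conf fragment (hypothetical, modelled on the page's ACLs).
# Debian's stock file ships the "http_access allow localnet" line commented out,
# which is the state this section tells you to fix.
CONF_BEFORE = """\
acl localnet src 192.168.1.0/24
acl localnet src 2001:db8:1234::/48
acl localhost src 127.0.0.1/32 ::1
#http_access allow localnet
http_access allow localhost
http_access deny all
"""
CONF_AFTER = CONF_BEFORE.replace("#http_access allow localnet",
                                 "http_access allow localnet")


def parse_conf(text):
    """Collect 'acl NAME src ...' networks and the http_access lines in file order.
    Only src ACLs and the allow/deny keywords are modelled here."""
    acls = {}    # acl name -> list of ip_network objects
    rules = []   # (action, [acl names]) in the order Squid evaluates them
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl" and len(parts) >= 4 and parts[2] == "src":
            nets = acls.setdefault(parts[1], [])
            nets.extend(ipaddress.ip_network(v, strict=False) for v in parts[3:])
        elif (parts[0] == "http_access" and len(parts) >= 3
              and parts[1] in ("allow", "deny")):
            rules.append((parts[1], parts[2:]))
    return acls, rules


def acl_matches(acls, name, addr):
    """'all' always matches, '!name' negates, anything else is a src ACL.
    An address of the other IP version never matches a network."""
    if name.startswith("!"):
        return not acl_matches(acls, name[1:], addr)
    if name == "all":
        return True
    return any(addr in net for net in acls.get(name, []))


def evaluate(text, client_ip):
    """Return 'allow' or 'deny' for client_ip. As in Squid, an http_access line
    matches only if every ACL on it matches, the first matching line wins, and
    when nothing matches the result is the opposite of the last line's action."""
    acls, rules = parse_conf(text)
    addr = ipaddress.ip_address(client_ip)
    for action, names in rules:
        if all(acl_matches(acls, n, addr) for n in names):
            return action
    if not rules:
        return "allow"   # no http_access lines at all: Squid allows everything
    return "deny" if rules[-1][0] == "allow" else "allow"


if __name__ == "__main__":
    for ip in ("192.168.1.10", "2001:db8:1234::42", "203.0.113.5"):
        print(ip, "before:", evaluate(CONF_BEFORE, ip),
              "after:", evaluate(CONF_AFTER, ip))
```

With the line still commented out every LAN client, v4 and v6, ends at 'deny all'; after uncommenting it the LAN is allowed and an outside address such as 203.0.113.5 is still denied, which is the ordering you want to keep when you add ACLs of your own.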

HTTP Port

The default port is 3128. You may want to change this;

http_port 8080

Put this port in /etc/services if not already there;

squid		3128/tcp			# Squid proxy

Or;

http-alt	8080/tcp	webcache	# WWW caching service
http-alt	8080/udp			# WWW caching service

Don't cache local objects

There is no need to cache servers on your LAN;

# Local servers
acl loc-serv dst 127.0.0.1 192.168.1.0/24 ::1 2001:db8:1234::/48
# DSL modem
acl adsl dst 10.0.0.138

no_cache deny loc-serv
no_cache deny adsl

Edit to suit your needs.

Limit cache memory

You may want to limit this. EG;

cache_mem 32 MB

Cache size

The default cache size is rather small. In Squid 3.3 the disk cache is disabled altogether. You may want to change this;

cache_dir ufs /var/spool/squid3 2048 16 256

This example sets the size to 2 GB.

You can also use the cache_dir statement to increase the maximum object size;

cache_dir ufs /var/spool/squid3 2048 16 256 max-size=100663296

This example sets the maximum object size to 96 MB (96 * 1024 * 1024 bytes).

Cache large objects

I want to be able to cache a kernel source;

maximum_object_size 96 MB

With newer versions of Squid you need to set this BEFORE the 'cache_dir' statement!

Log FQDN

I like to log fully qualified domain names. The LAN's nameserver is also on the LAN, so this shouldn't be a problem.

Squid 3.1
log_fqdn on

Squid 3.3

For Squid 3.3 you need to change the logfile statement: Change '%>a' to '%>A';

# log_fqdn on;
logformat squid %ts.%03tu %6tr %>A %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt

The default config file has six spaces between 'squid' and '%ts.%03tu'. Change this to one. Otherwise log file processors will get very confused.
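As an added example (mine, not from this page or from the Squid project), here is a Python parser for the log format given above, with constructed sample lines in which the client field is a host name because of '%>A'. Splitting on runs of whitespace copes with the width-padded '%6tr' field and with any leading spaces; the assumed field names are my own. Note that this, like any whitespace-based log processor, only works while the URL field itself contains no spaces, which is one more reason to set 'uri_whitespace encode' further down.

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed sample lines in the page's logformat:
#   %ts.%03tu %6tr %>A %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt
# The elapsed-time column is right-aligned to width 6, as %6tr produces.
SAMPLE_LOG = """\
1415000000.123    245 client1.example.lan TCP_MISS/200 5123 GET http://www.debian.org/ - DIRECT/2001:db8::1 text/html
1415000001.456      2 client2.example.lan TCP_DENIED/403 3891 GET http://badhost.example/ - NONE/- text/html
1415000002.789     87 client1.example.lan TCP_HIT/200 2049 GET http://ftp.debian.org/debian/dists/wheezy/Release - NONE/- text/plain
1415000003.012    530 client2.example.lan TCP_DENIED/407 3500 CONNECT mail.example.net:443 - NONE/- -
""".splitlines()

# Assumed names for the ten columns, in the order the logformat emits them.
FIELDS = ("timestamp", "elapsed_ms", "client", "result", "size",
          "method", "url", "user", "hierarchy", "mime")


def parse_line(line):
    """Turn one access.log line into a dict with typed fields."""
    parts = line.split()          # tolerant of padding and leading whitespace
    if len(parts) != len(FIELDS):
        raise ValueError("expected %d fields, got %d: %r"
                         % (len(FIELDS), len(parts), line))
    rec = dict(zip(FIELDS, parts))
    rec["time"] = datetime.fromtimestamp(float(rec["timestamp"]), tz=timezone.utc)
    rec["elapsed_ms"] = int(rec["elapsed_ms"])
    rec["size"] = int(rec["size"])
    # %Ss/%03>Hs: Squid result code and HTTP status, e.g. TCP_MISS/200
    rec["squid_status"], status = rec.pop("result").split("/", 1)
    rec["http_status"] = int(status)
    # %Sh/%<a: hierarchy code and server address; split once so an IPv6
    # address with its colons stays intact (DIRECT/2001:db8::1)
    rec["hierarchy"], rec["server"] = rec.pop("hierarchy").split("/", 1)
    return rec


def denied_per_client(lines):
    """Count TCP_DENIED results per client; a quick check for misconfigured
    clients or for hosts probing the proxy."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec["squid_status"] == "TCP_DENIED":
            counts[rec["client"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        rec = parse_line(line)
        print(rec["time"].isoformat(), rec["client"], rec["squid_status"],
              rec["http_status"], rec["method"], rec["url"])
    print("denied:", denied_per_client(SAMPLE_LOG))
```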

FTP User

Set to FQDN;

ftp_user Squid@Your_Domain

Pinger off

Both the pinger and SNMP have security issues;

SQUID-2014:3
SQUID-2014:4

There are patches, but these haven't been applied to Debian yet.

pinger_enable off

Url rewrite program

If you have one, specify it here;

url_rewrite_program /Path/Rewrite_Program

I wrote my own;

url_rewrite_program /usr/local/sbin/rblsredir

Refresh pattern

You may want to change these.

The following keeps Debian fresh;

# Keep Debian fresh
refresh_pattern ^(ht|f)tp(s)?://.*debian.*/Packages\.(bz2|gz|diff/Index)$   0       0%      0
refresh_pattern ^(ht|f)tp(s)?://.*debian.*/Release(\.gpg)?$                 0       0%      0
refresh_pattern ^(ht|f)tp(s)?://.*debian.*/Sources\.(bz2|gz|diff/Index)$    0       0%      0
refresh_pattern ^(ht|f)tp(s)?://.*debian.*/Translation-en_GB\.bz2$          0       0%      0
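The added Python example below (not part of this page or of Squid) checks such refresh_pattern lines before they go into squid.conf: it compiles every regex so a typo such as an unbalanced parenthesis fails here rather than when Squid loads, applies first-match semantics to sample URLs, and uses a simplified form of Squid's freshness rule to show what 'min 0, percent 0%, max 0' means in practice (the object is stale after zero minutes, so it is always revalidated). The catch-all '. 0 20% 4320' line is Squid's stock default; the URLs are constructed. Python's re module is close to, but not identical with, the POSIX extended regexes Squid uses, and Squid's '-i' flag is not modelled.

```python
import re

# The page's Debian patterns plus Squid's stock catch-all, as
# (regex, min minutes, percent, max minutes). The Translation line is written
# with balanced parentheses here.
REFRESH_PATTERNS = [
    (r"^(ht|f)tp(s)?://.*debian.*/Packages\.(bz2|gz|diff/Index)$", 0, 0, 0),
    (r"^(ht|f)tp(s)?://.*debian.*/Release(\.gpg)?$", 0, 0, 0),
    (r"^(ht|f)tp(s)?://.*debian.*/Sources\.(bz2|gz|diff/Index)$", 0, 0, 0),
    (r"^(ht|f)tp(s)?://.*debian.*/Translation-en_GB\.bz2$", 0, 0, 0),
    (r".", 0, 20, 4320),
]

# Constructed sample URLs of the kinds apt fetches from a mirror.
SAMPLE_URLS = [
    "http://ftp.debian.org/debian/dists/wheezy/Release",
    "http://ftp.debian.org/debian/dists/wheezy/main/binary-amd64/Packages.gz",
    "http://ftp.debian.org/debian/pool/main/f/foo/foo_1.0-1_amd64.deb",
]


def is_valid_regex(pattern):
    """True if the regex compiles; use this on every line before deploying."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False


def compile_patterns(patterns):
    return [(re.compile(rx), mn, pct, mx) for rx, mn, pct, mx in patterns]


def match_refresh(url, compiled):
    """First matching refresh_pattern wins, as in Squid. The regex is searched,
    not anchored, unless the pattern itself starts with '^'."""
    for rx, mn, pct, mx in compiled:
        if rx.search(url):
            return rx.pattern, mn, pct, mx
    return None


def is_fresh(age_min, lm_age_min, mn, pct, mx):
    """Simplified Squid freshness check (Expires and Cache-Control ignored):
    fresh while age <= min; stale once age > max; in between, fresh while
    the age is below pct% of the object's age at its Last-Modified time."""
    if age_min <= mn:
        return True
    if age_min > mx:
        return False
    return lm_age_min > 0 and age_min <= lm_age_min * pct / 100.0


if __name__ == "__main__":
    compiled = compile_patterns(REFRESH_PATTERNS)
    for url in SAMPLE_URLS:
        rx, mn, pct, mx = match_refresh(url, compiled)
        print(url, "->", rx, mn, "%d%%" % pct, mx,
              "fresh after 5 min:", is_fresh(5, 1440, mn, pct, mx))
```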

Connect timeout

Squid 3.3 uses a large timeout before falling back to IPv4. It defaults to 60 seconds! This means that if an IPv6 connect fails and an IPv4 connect works, it will take Squid 60 seconds to fall back from IPv6 to IPv4. It's recommended that you reduce the connect timeout to twice the ping time (or more).
Broken DNS implementations may add a DNS lookup delay of 5 to 10 seconds, so I set the connect timeout a bit higher than that.

connect_timeout 15 seconds

Cache manager address

Set the right address, EG;

cache_mgr webmaster@Your_Domain

Host name

This defaults to localhost. Set to the right name;

visible_hostname Your_FQDN

Or;

visible_hostname Your_Domain

Always direct

If you are part of a cache hierarchy, you don't want to ask your parent cache(s) for objects from servers on your LAN;

always_direct allow adsl
always_direct allow loc-serv

Cache manager

Disable this or set a password.

cachemgr_passwd disable all

If you set a password rather than disabling the cache manager, make sure your squid.conf isn't world readable.

Encode whitespace

The default behaviour of Squid is to truncate URLs at whitespace;

  1. http://Some_host/Right%20Url
  2. http://Some_host/Wrong Url

So in the second case Squid will request 'http://Some_host/Wrong'.
Squid can however be made to replace the space (' ') with the right '%Hex_Value' for space ('%20');

uri_whitespace encode
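To make the failure mode concrete, here is an added Python example (my own emulation of the documented uri_whitespace options, not Squid's parser) that parses an HTTP request line. A URL containing a space turns 'METHOD URL HTTP/x.y' into more than three tokens, and the policy decides how the middle tokens are reassembled: 'chop' gives the truncated 'http://Some_host/Wrong' from the text above, 'encode' gives '%20'. The request line is constructed; unlike Squid, this emulation collapses a run of whitespace into one separator.

```python
# Constructed request line corresponding to the page's second URL.
REQUEST = "GET http://Some_host/Wrong Url HTTP/1.1"


def parse_request_line(line, uri_whitespace="strip"):
    """Parse 'METHOD URL HTTP/x.y'. If the URL contained whitespace the line
    has more than three tokens; the middle tokens are then reassembled
    according to the uri_whitespace policy (strip, chop, encode, deny, allow)."""
    tokens = line.split()
    if len(tokens) < 3 or not tokens[-1].startswith("HTTP/"):
        raise ValueError("malformed request line: %r" % line)
    method, version = tokens[0], tokens[-1]
    url_parts = tokens[1:-1]
    if len(url_parts) == 1:
        return method, url_parts[0], version      # no whitespace in the URL
    if uri_whitespace == "deny":
        raise ValueError("Invalid Request")       # Squid answers with an error page
    if uri_whitespace == "chop":
        return method, url_parts[0], version      # truncate at the first whitespace
    if uri_whitespace == "strip":
        return method, "".join(url_parts), version
    if uri_whitespace == "encode":
        return method, "%20".join(url_parts), version
    if uri_whitespace == "allow":
        return method, " ".join(url_parts), version
    raise ValueError("unknown uri_whitespace value: %r" % uri_whitespace)


if __name__ == "__main__":
    for mode in ("chop", "strip", "encode", "allow", "deny"):
        try:
            print(mode, "->", parse_request_line(REQUEST, mode)[1])
        except ValueError as err:
            print(mode, "->", err)
```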

errorpage.css

This CSS file references http://www.squid-cache.org/Artwork/SN.png in error pages. This means that, whenever Squid reports an error, the browser may request this image from http://www.squid-cache.org/, possibly logging the referer. You may want to change this;
Move errorpage.css to errorpage.css.orig and copy errorpage.css.orig back to errorpage.css;

  mv errorpage.css errorpage.css.orig
  cp errorpage.css.orig errorpage.css

Now edit errorpage.css. EG;

background: url('http://www.example.com/images/SN.png') no-repeat left;

If you want to use the original image, just download it;

  wget http://www.squid-cache.org/Artwork/SN.png

Reload

Load the new config file;

  /etc/init.d/squid3 reload

Client config

Client autoconfig

If you want webbrowsers to discover the proxy automatically, have a look at Web Proxy Autodiscovery Protocol and Proxy auto-config.

Proxy environment variables

Some apps read environment variables like;

http_proxy:http://some.server.dom:port/
https_proxy:http://some.server.dom:port/
ftp_proxy:http://some.server.dom:port/
gopher_proxy:http://some.server.dom:port/
news_proxy:http://some.server.dom:port/
newspost_proxy:http://some.server.dom:port/
newsreply_proxy:http://some.server.dom:port/
snews_proxy:http://some.server.dom:port/
snewspost_proxy:http://some.server.dom:port/
snewsreply_proxy:http://some.server.dom:port/
nntp_proxy:http://some.server.dom:port/
wais_proxy:http://some.server.dom:port/
finger_proxy:http://some.server.dom:port/
cso_proxy:http://some.server.dom:port/
no_proxy:domain.path1,path2

Some software insists on a trailing slash; other software gets confused by one.
Some versions of Chromium want the proxy environment variables without a trailing slash. You can also specify proxy settings on the Chromium command line or in /etc/chromium/default.
Some software wants the environment variables in upper case. EG: HTTP_PROXY=http://some.server.dom:port/

Files where you might want to put environment variables are;

VLC proxy problems

The VLC that comes with Debian Wheezy doesn't like proxying, so I disabled them in /etc/environment.

Have fun with IPv6!