elmore
November 19th, 2002, 21:50
Anyone have a good squid config they'd be willing to share?

Anyone done any work with squid?

|MiNi0n|
November 20th, 2002, 02:28
Squid eh?

d00d, squid is really easy to set up, I've been running it @ home for a while for various purposes. I can't say I even recall setting most params in my squid.conf, mine is very generic and plain vanilla... I've been meaning to add some auth to it but haven't got around to it yet. Anyway... if you wanna see it, here it is:

aurora# cat squid.conf | grep -v #

hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
# These auth_param lines only configure the basic-auth helper; nothing below
# references a proxy_auth acl, so no request is ever challenged.
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
# The stock "acl Safe_ports port ..." lines carry trailing comments (# http, # ftp, ...),
# so "grep -v #" hid them from this listing; they must still be in the file, or
# "squid -k parse" rejects the undefined Safe_ports name used below.
acl CONNECT method CONNECT
# http_access is first-match: with "allow all" at the top every later deny is
# dead code, and the box is an open proxy (any source, any port, CONNECT included).
# The usual order is the deny lines first, then "allow" for your own networks,
# then "deny all".
http_access allow all
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
http_reply_access allow all
# Answers ICP queries from any host; deny it unless you actually peer with other caches.
icp_access allow all
coredump_dir /var/squid/cache

Let it be known that I'm quite sure there are much better configs out there than my half-assed kludged i-just-want-this-to-work-asap conf file. Perhaps others might share!

Punk Walrus
August 6th, 2003, 10:20
I just took the RHCE class, and never worked with Squid until last week (it was part of the exam). In most cases, it works almost right "out of the box" as it were. The only parameter we had to change was allowing others to be able to use YOUR squid cache, and I think that's the only change from |MiNi0n|'s "acl all src 0.0.0.0/0.0.0.0" entry above, and a line like "default port = 8080" (where the default is usually 3128).

soup4you2
August 6th, 2003, 11:15
configure args:
./configure --enable-delay-pools --enable-ipf-transparent \
    --enable-storeio=diskd,ufs \
    --disable-ident-lookups --enable-snmp --enable-removal-policies

--enable-delay-pools - Enable delay pools to limit bandwidth usage.
--enable-ipf-transparent - Enable Transparent Proxy support for systems using IP Filter network address redirection.
--enable-storeio=diskd,ufs - Enable diskd (and keep plain ufs available).
--enable-removal-policies - Build support for the list of removal policies.
--disable-ident-lookups - This allows you to remove code that performs Ident (RFC 931) lookups.
--enable-snmp - Build the SNMP agent used by the snmp_* directives below.

# Needed for transparent proxy (Squid 2.5 "httpd_accel" style);
# the build must have --enable-ipf-transparent.
http_port 3128
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
cache_mem 128 MB
cache_dir diskd /usr/local/squid/cache 15360 16 256 Q1=72 Q2=64
# You can use normal ufs instead
#cache_dir ufs /usr/local/squid/cache 15360 16 256
# I don't want to log anything.
# The reason is to save some expensive I/O operation.
# (The access log is the only per-request record of which client fetched what;
# with it at /dev/null there is nothing to look at after an incident.)
cache_access_log /dev/null
cache_store_log none
cache_log /dev/null
cache_replacement_policy GDSF
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl outgoing src 192.168.10.2/255.255.255.255
acl student src 192.168.0.0/255.255.255.0
acl admin src 192.168.1.0/255.255.255.0
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 1025-65535 # unregistered ports
acl CONNECT method CONNECT

# http_access is first-match, so the port checks have to come before the "allow"
# lines (as posted the allows came first, and a student could CONNECT to any port),
# and the cache manager must be limited to localhost instead of allowed from
# anywhere (as posted, "allow manager" had no source restriction at all).
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow outgoing
http_access allow student
http_access allow admin
http_access deny all

icp_access allow localhost
icp_access allow student
icp_access allow admin
icp_access deny all

# Avoid caching cgi scripts
acl QUERY urlpath_regex cgi-bin
no_cache deny QUERY

acl magic_words1 url_regex -i 192.168
acl magic_words2 url_regex -i ftp .exe .mp3 .vqf .tar.gz .gz .rpm .zip .rar .avi .mpeg .mpe .mpg .qt .ram .rm .iso .raw .wav .mov

# Delay Pool
# For delay pool, you need to --enable-delay-pools
delay_pools 2

# delay_access is checked pool by pool in pool-number order and the first pool
# that allows a request gets it, so the unlimited local pool has to be pool 1:
# as posted it was pool 2, and a student fetching a .zip from a 192.168 host
# matched the limited pool first and never reached it.
# -1/-1 means that there are no limits for local traffic.
delay_class 1 2
delay_parameters 1 -1/-1 -1/-1
delay_access 1 allow magic_words1

# 2 mbits == 256 kbytes per second
# 256 KB/s, 5 KB/s
# It means 256 KB/s bandwidth for the whole network, but 5 KB/s for each node, which is fair for everybody
delay_class 2 2
delay_parameters 2 256000/256000 5000/256000
delay_access 2 allow magic_words2
delay_access 2 allow student
delay_access 2 allow admin

# Cancel download if file is bigger than 1MB
reply_body_max_size 1024 KB

# snmp stuff
acl snmppublic snmp_community public
snmp_access allow snmppublic localhost
snmp_access deny all

# Change to your domain
# visible_hostname yourdomain.domain.com
# cache_mgr yourname@youremail.com

Create cache dir and create swap

# mkdir /usr/local/squid/cache
# chown nobody:nogroup /usr/local/squid/cache
# /usr/local/squid/bin/squid -k parse
# /usr/local/squid/bin/squid -z

Configure transparent proxy with ipfilter

Edit /etc/rc.conf

# add these lines to enable ipfilter
ipfilter_enable="YES"
ipnat_enable="YES"
ipmon_enable="YES"
ipfs_enable="YES"

Edit /etc/ipnat.rules

# add this line
# I assume rl0 is your internal nic
# Redirect everything else to squid on port 3128
rdr rl0 0/0 port 80 -> 127.0.0.1 port 3128 tcp

Reconfigure kernel for squid diskd support

# diskd talks to squid over SysV message queues and shared memory, so all three are needed
options SYSVMSG
options SYSVSEM
options SYSVSHM

or something like that... this was based on freebsd 4x
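
An added example, not code from either post or from the Squid project: a small Python model of how Squid evaluates http_access, run against |MiNi0n|'s rules and against soup4you2's http_access lines in the order he posted them. It shows that the `allow all` at the top of |MiNi0n|'s list makes an open proxy (an Internet host can CONNECT to port 25 through it), that soup4you2's unrestricted `allow manager` answers cache_object:// requests from any address and his `allow student` ahead of the port checks lets a student CONNECT to any port, and what a reordered list does instead. The Safe_ports line in the |MiNi0n| excerpt and the `localnet` ACL in the reordered version are assumptions; the rest is transcribed from the two posts. Only the acl types those excerpts use (src, port, method, proto) are modelled, and the client addresses are constructed test values.

```python
"""Model of Squid's first-match http_access evaluation (added example)."""
import ipaddress

# Transcribed from |MiNi0n|'s post. The Safe_ports line is an assumption: his
# `grep -v #` dropped every line carrying a comment, that definition included.
MINION_ACLS = """
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl Safe_ports port 80 21 443 563 1025-65535
acl SSL_ports port 443 563
acl CONNECT method CONNECT
"""
MINION_POSTED = MINION_ACLS + """
http_access allow all
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
"""
# Same ACLs, lines reordered; "localnet" is an assumed LAN range, not from the post.
MINION_FIXED = MINION_ACLS + """
acl localnet src 192.168.0.0/16
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow localnet
http_access deny all
"""
# Excerpt of soup4you2's rules in the order he originally posted them
# (outgoing/admin ACLs left out for brevity).
SOUP_POSTED = """
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl student src 192.168.0.0/255.255.255.0
acl SSL_ports port 443 563
acl Safe_ports port 80 21
acl Safe_ports port 443 563 1025-65535
acl CONNECT method CONNECT
http_access allow manager
http_access allow localhost
http_access allow student
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
"""


def parse(conf):
    """Return (acls, rules): acl name -> (type, values); http_access lines in file order."""
    acls, rules = {}, []
    for raw in conf.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        if parts[0] == "acl":
            name, kind, values = parts[1], parts[2], parts[3:]
            acls.setdefault(name, (kind, []))[1].extend(values)  # same-name lines accumulate
        elif parts[0] == "http_access":
            terms = [(t.startswith("!"), t.lstrip("!")) for t in parts[2:]]
            rules.append((parts[1], terms))
    return acls, rules


def acl_matches(acls, name, req):
    """Only the acl types the two posted configs use are modelled."""
    kind, values = acls[name]
    if kind == "src":  # Squid accepts addr/netmask as well as addr/prefix; so does ipaddress
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "port":
        for v in values:
            lo, _, hi = v.partition("-")
            if int(lo) <= req["port"] <= int(hi or lo):
                return True
        return False
    if kind == "method":
        return req["method"] in values
    if kind == "proto":
        return req["proto"] in values
    raise NotImplementedError(f"acl type {kind!r} not modelled here")


def http_access(conf, req):
    """ACLs on one line are ANDed; lines are tried top to bottom and the first line
    whose terms all match decides. If nothing matches, Squid applies the opposite
    of the last line's action, which is why every list should end in "deny all"."""
    acls, rules = parse(conf)
    for action, terms in rules:
        if all(acl_matches(acls, name, req) != negated for negated, name in terms):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


def request(src, port=80, method="GET", proto="http"):
    return {"src": src, "port": port, "method": method, "proto": proto}
```

`http_access(MINION_POSTED, request("203.0.113.9", port=25, method="CONNECT"))` returns "allow", the same call against `MINION_FIXED` returns "deny", and `http_access(SOUP_POSTED, request("203.0.113.9", proto="cache_object"))` returns "allow". To try the model on a real squid.conf, paste in only the acl and http_access lines; anything using an acl type outside src/port/method/proto raises NotImplementedError rather than silently guessing.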

Loop
November 17th, 2003, 19:16
With regards to the configure args, are they put in like [code]make -D --enable-delay-pools --enable-ipf-transparent[/code] or some other way? I'm having trouble figuring it out.

optyk
November 17th, 2003, 19:40
If you are building from ports then you can read the Makefile to find available options and how to enable them - usually like
[code]
make WITH_MY_OPTION=yes install
[/code]
or, alternately
[code]
make -DWITH_MY_OPTION install
[/code]
Once again, check the Makefile for what the port maintainers have to say. It isn't a bad idea to peruse everything before installing.

If you are installing from source not in ports, then the included README and INSTALL files are your best friends, along with ./configure --help.

Loop
November 17th, 2003, 19:57
That's what I figured, but the Makefile is different to most of the others that have configurable options.

eg: Postfix has stuff like this in the Makefile
[code]
.if defined(WITHOUT_PCRE)
POSTFIX_CCARGS+= -DNO_PCRE
[/code]
Whereas Squid has no .if defined sections at all

I'm beginning to wonder if you just manually edit the Makefile and uncomment the args you want ......

elmore
November 17th, 2003, 20:59
I'm beginning to wonder if you just manually edit the Makefile and uncomment the args you want ......

I've done that before. There have always been a few ports I've struggled with on FreeBSD, when all else fails I just go in and edit the Makefile by hand.