Install Squid3, an internet cache.
The squid3 package is a software proxy that acts as a web cache: it caches web requests from clients and serves them locally on future requests. This speeds up internet browsing by reducing access time as well as bandwidth consumption.
root@server:~# aptitude install squid3
The squid3 configuration is stored in /etc/squid3/squid.conf.
By default squid3 listens on port 3128, but this can be changed (8080 is also a very popular port for web caching):
#[...]
# Squid normally listens to port 3128
http_port 3128
#[...]
For security reasons, squid3 will only accept connections from the local network or from the server itself. This is achieved by defining an access control list (ACL) (acl home.lan src 192.168.1.0/24) and allowing access only from systems belonging to that list (http_access allow home.lan):
Local network definitions in acl tag block:
# [...]
# TAG: acl
# Defining an Access List
# [...]
#Default:
# acl all src all
#
#
# Recommended minimum configuration:
#
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
#acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
#acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
#acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
#acl localnet src fc00::/7 # RFC 4193 local private network range
#acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl home.lan src 192.168.1.0/24
# [...]
Access control definitions in http_access tag block:
# [...]
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
#http_access allow localnet
http_access allow home.lan
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
# [...]
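Squid checks the http_access lines in order and the first line whose ACLs all match decides the request. The following Python script is an added example, not part of the original tutorial or of Squid itself: it replays that evaluation over the active lines of the configuration above for a given client address. It models only src ACLs written as addresses or CIDR networks, and the names SAMPLE_CONF, parse and decide are hypothetical.

```python
import ipaddress

# Constructed sample: the active (uncommented) lines from the configuration above.
SAMPLE_CONF = """\
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl home.lan src 192.168.1.0/24
http_access allow home.lan
http_access allow localhost
http_access deny all
"""

def parse(conf):
    """Collect 'src' ACLs and ordered http_access rules from squid.conf text."""
    # 'all' is built into Squid 3 and matches every client address.
    acls = {"all": [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]}
    rules = []
    for raw in conf.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments
        if len(fields) >= 4 and fields[0] == "acl" and fields[2] == "src":
            nets = [ipaddress.ip_network(v, strict=False) for v in fields[3:]]
            acls.setdefault(fields[1], []).extend(nets)  # repeated names are ORed
        elif len(fields) >= 3 and fields[0] == "http_access":
            rules.append((fields[1], fields[2:]))
    return acls, rules

def decide(conf, client_ip):
    """Return 'allow' or 'deny' for client_ip using first-match evaluation."""
    acls, rules = parse(conf)
    ip = ipaddress.ip_address(client_ip)

    def matches(name):
        # A leading '!' negates the ACL; a name that is not a 'src' ACL raises KeyError.
        hit = any(ip in net for net in acls[name.lstrip("!")])
        return hit != name.startswith("!")

    for action, names in rules:
        if all(matches(n) for n in names):  # ACLs on one line are ANDed
            return action
    # No rule matched: Squid applies the opposite of the last rule, or denies
    # when there are no rules at all. An explicit final 'deny all' avoids this.
    return "allow" if rules and rules[-1][0] == "deny" else "deny"

if __name__ == "__main__":
    for addr in ("192.168.1.50", "127.0.0.1", "::1", "203.0.113.7"):
        print(addr, decide(SAMPLE_CONF, addr))
```

Running it against a candidate rule set before restarting the service shows whether an address outside 192.168.1.0/24 would be served, which is the open-proxy condition the final deny all line is there to prevent.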
The cache size can also be fine tuned:
# [...]
# Uncomment and adjust the following to add a disk cache directory.
cache_dir ufs /var/spool/squid3 2048 16 256
# [...]
The proxy visible hostname can also be defined:
# [...]
# TAG: visible_hostname
# If you want to present a special hostname in error messages, etc,
# define this. Otherwise, the return value of gethostname()
# will be used. If you have multiple caches in a cluster and
# get errors about IP-forwarding you must set them to have individual
# names with this setting.
#Default:
# visible_hostname localhost
visible_hostname proxy.home.lan
# [...]
Optionally, the maximum size of cacheable objects can also be fine tuned:
# [...]
# TAG: maximum_object_size (bytes)
# Objects larger than this size will NOT be saved on disk. The
# value is specified in kilobytes, and the default is 4MB. If
# you wish to get a high BYTES hit ratio, you should probably
# increase this (one 32 MB object hit counts for 3200 10KB
# hits). If you wish to increase speed more than your want to
# save bandwidth you should leave this low.
#
# NOTE: if using the LFUDA replacement policy you should increase
# this value to maximize the byte hit rate improvement of LFUDA!
# See replacement_policy below for a discussion of this policy.
#Default:
# maximum_object_size 4096 KB
maximum_object_size 20480 KB
# [...]
Restart the squid3 service:
root@server:~# /etc/init.d/squid3 restart
On the client side, just configure your browser to use your new proxy server.
In Firefox, go to the top menu, choose Tools → Options, then Advanced, select the Network tab and click the Settings button. Select Manual proxy configuration and enter the proxy address (192.168.1.100) and port number (3128).
On Linux systems, just export the http_proxy variable with the proxy's URL:
fribeiro@server:~$ export http_proxy="http://192.168.1.100:3128/"
However, at the end of the session the variable definition will be lost.
A permanent method consists of defining and exporting the variable in the user's personal profile:
fribeiro@server:~$ echo 'export http_proxy="http://192.168.1.100:3128/"' >> ~/.profile
The http_proxy variable can also be defined system-wide in the global profile /etc/profile:
root@server:~# echo 'export http_proxy="http://192.168.1.100:3128/"' >> /etc/profile
The same principle applies to the ftp_proxy variable, used to define the proxy for FTP connections.