You can install Squid from source or from an RPM package.
On Fedora, if you are online, type as the root user:
# yum install squid
This will install Squid on your system.
After this step, the config file is at /etc/squid/squid.conf.
Edit squid.conf to suit your requirements.
Basic configuration
- Check http_port, icp_port, and htcp_port. 3128 is a good default, 8080 is a reasonable alternative for HTTP. Port 80, or any port normally used by some other service, should be avoided if at all possible.
- Leave cache_mem at 8 Mbytes at first, unless you have between 0.5 Gbytes and 1 Gbyte of RAM free routinely. If so, set cache_mem to 128 Mbytes. Adjust cache_mem once local cache patterns are known.
- Increase the maximum_object_size to 40 Mbytes. If larger files are routinely downloaded, increase it to 250 Mbytes or even 700 Mbytes.
- Set cache_dir to an area that has a large amount of space. Technically it belongs under /var, but you might not want it backed up. Don't set it to use more than 70 percent of the space; Squid uses this directory to store journal files as well. cache_dir ufs /var/cache/squid 80000 16 256 is common.
- Turn the access_log and cache_log on. The former tells you who is doing what, and the latter tells you when things aren't quite right.
- cache_swap_log is the location for the journal files mentioned in cache_dir. The default location is in the same directory as cache_dir.
- pid_filename must be set. /var/log/squid/squid.pid is a good location. Squid uses this to shut down, rotate log files, or reread its configuration.
- refresh_pattern affects how objects are evaluated for freshness. A reasonable default is refresh_pattern . 0 20% 10080.
- cache_mgr is for people that use the cache to report problems. Be sure to use an email address that you will actually read.
- cache_effective_user and cache_effective_group should be set to a "proxy" user and group. Many distributions ship with this user and group pre-installed.
- Recursively chown the log and cache directories to this user before you start Squid. This user must be able to read the configuration file and the directory that it's in.
  chown -R proxy:proxy /var/log/squid /var/cache/squid
- Set visible_hostname to the fully qualified domain name. For example, gw.mybox.com
- Uncomment dns_testnames. If it can't resolve names like "netscape.com", "internic.net", and "nlanr.net", your system needs fixing.
- Turn memory_pools off unless there's a lot of free memory on the box.
- Turn log_icp_queries on. ICP queries come from other proxies -- if you don't have sibling or parent proxies and you're getting them, you'll want to see these in the access.log.
Basic configuration ACLs
Access-control lists manage the access to your network. This basic example limits access to the proxy to the network 1.2.3.4/24. It matches successfully if a request comes from any of the addresses between 1.2.3.0 and 1.2.3.255 (inclusive).
acl our_network src 1.2.3.4/24
http_access allow our_network
http_access deny all
ACLs are checked from top to bottom. Clients with IPs in our_network are permitted; anyone else falls through to the "deny all" and gets a failure message. The format for the class definition is acl listname src network/netmask.
ACLs have an implicit last line that reverses the rule of the previous line. This protects against forgetting to add the http_access deny all, but explicitly adding that line makes the ACL more readable and helps ensure that it's not missed when the ACL is changed.
miss_access
If an object isn't in the cache and marked as fresh, Squid checks with the origin server to see if it is still current and requests a new copy if it isn't. This behavior serves local users well, but is undesirable if the requesting client is a neighboring proxy server. The following ACL lines allow the local network to be passed objects which aren't in the current cache, but deny this service to anyone outside the local network.
miss_access allow our_network
miss_access deny all
icp_access
Caches communicate with ICP messages to find out whether they have fresh content that satisfies a request. The icp_access ACL lines are used to control the caches Squid can communicate with.
Configuration for speed
To maximize speed, minimize the number of simultaneous requests Squid has to handle. The more requests Squid has to process in parallel, the longer each request takes. Every bit of latency you can reduce improves the speed of the server.
- Use a multiprocessor machine with asynchronous I/O enabled.
- Run a version of Squid with internal DNS, or increase the number of DNS servers.
When you have Squid configured, run squid -z to create the cache directory structure. Then you can start Squid.
To configure any application, including a web browser, to use Squid, set its proxy setting to the IP address of the Squid server and the port number (default 3128).
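The http_access evaluation described under "Basic configuration ACLs" (top-to-bottom matching, then the implicit reversed last line) can be modeled in a few lines of Python. This is an added example, not Squid's own code; it assumes only IPv4 src ACLs in address or CIDR form, and parse, matches and decide are hypothetical helper names.

```python
import ipaddress

# Constructed sample: the ACL lines from this page, as they would appear in squid.conf.
SAMPLE_CONF = """
acl our_network src 1.2.3.4/24
http_access allow our_network
http_access deny all
"""

def parse(conf):
    """Return (acls, rules) from the 'acl ... src' and 'http_access' lines."""
    acls = {"all": [ipaddress.ip_network("0.0.0.0/0")]}  # built-in 'all' (IPv4 only here)
    rules = []
    for line in conf.splitlines():
        tok = line.split("#", 1)[0].split()
        if len(tok) >= 4 and tok[0] == "acl" and tok[2] == "src":
            # strict=False masks the host bits, so 1.2.3.4/24 is read as 1.2.3.0/24
            nets = [ipaddress.ip_network(t, strict=False) for t in tok[3:]]
            acls.setdefault(tok[1], []).extend(nets)
        elif len(tok) >= 3 and tok[0] == "http_access" and tok[1] in ("allow", "deny"):
            rules.append((tok[1], tok[2:]))
    return acls, rules

def matches(acls, name, ip):
    """True if ip is in the named ACL; a leading '!' negates the result."""
    negate = name.startswith("!")
    hit = any(ip in net for net in acls[name.lstrip("!")])
    return hit != negate

def decide(conf, client):
    """First http_access line whose ACLs all match wins; otherwise reverse the last line."""
    acls, rules = parse(conf)
    ip = ipaddress.ip_address(client)
    for action, names in rules:
        if all(matches(acls, n, ip) for n in names):
            return action
    if not rules:
        return "deny"  # no http_access lines at all: the request is denied
    return "deny" if rules[-1][0] == "allow" else "allow"

if __name__ == "__main__":
    for client in ("1.2.3.0", "1.2.3.255", "1.2.4.1"):
        print(client, decide(SAMPLE_CONF, client))
```

With a rule list whose last line is a deny, decide returns allow for any client that matches no line, which is the case an explicit http_access deny all closes off.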
Also read:
How to block websites using squid