Tutorial For Squid Server Ministry of Environment

This document provides instructions for configuring the Squid proxy server on an Ubuntu server. It describes editing the squid.conf file to configure settings like the visible hostname, ports, cache size and directories. It also provides examples of adding ACL rules to allow access from the local network and block certain ports. Finally, it describes starting the Squid service, verifying it is running, and monitoring the access log to test that requests are being cached and logged properly.

Uploaded by Arap Rutto
Copyright © Attribution Non-Commercial (BY-NC)

Tutorial for Squid Server Ministry of Environment


Setting up Squid on the Ubuntu server, done 26th August 2009

CONFIGURING SQUID

Squid's main configuration file is found at /etc/squid/squid.conf. Squid listens on port 3128 by default and caches the data it fetches. The Squid configuration file should always be backed up before editing, which is done with the simple command:

cp /etc/squid/squid.conf /etc/squid/squid.conf.backup

If it is the original configuration file you might choose to do:

cp /etc/squid/squid.conf /etc/squid/squid.conf.original

CONFIGURING SQUID FILE

Open /etc/squid/squid.conf with any text editor. A GUI editor like Gedit will also work, especially on Ubuntu as installed on the ministry's server.

Six important lines in the Squid configuration file:

visible_hostname
Create this entry and set it to the hostname of the machine. To find the hostname, use the command hostname. Not entering a value may cause Squid to fail, as it may not be able to automatically determine the fully qualified hostname of your machine.

http_port 3128
Uncomment this line. There is no need to edit it unless you want to change the default port for HTTP connections.

cache_dir ufs /var/spool/squid 1000 16 256
Uncomment this line. You may want to append a zero to the value 100, which will make the cache size 1000MB instead of 100MB. The last two values are the number of first-level and second-level subdirectories the cache will create under the cache directory; they do not need modification.

cache_access_log
Uncomment this line. This is where all requests to the proxy server will get logged.

acl intranet src 192.168.0.0/24
This entry needs to be added. It should correspond to whatever your local network range is. For example, if your server is 192.168.2.5 then the entry should be acl intranet src 192.168.2.0/24.

http_access allow intranet
This allows the ACL named intranet to use the proxy server. Make sure to put allow directives above the last http_access deny all entry: http_access lines are evaluated in order and the first match wins, so a deny all placed earlier overrides any allow directives below it.

A few small changes should be made. You will need to either find and uncomment entries or modify existing uncommented lines in the Squid configuration file. Use the text editor to locate these lines:

visible_hostname machine-name
http_port 3128
cache_dir ufs /var/spool/squid 1000 16 256
cache_access_log /var/log/squid/access.log

In the acl section near the bottom add:

acl intranet src 192.168.0.0/24
http_access allow intranet

Output of the Squid file, depending on your network architecture:

hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
hosts_file /etc/hosts
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl purge method PURGE
acl CONNECT method CONNECT
cache_mem 1024 MB
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl lan src 192.168.1.1 192.168.2.0/24
http_access allow localhost
http_access allow lan
http_access deny all
http_reply_access allow all
icp_access allow all
visible_hostname myclient.hostname.com
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
coredump_dir /var/spool/squid
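The ordering rule stressed above (http_access is evaluated top to bottom, first match wins, so allow lines must sit above the final deny all) can be checked without a running Squid. The following is an added example, not part of the original tutorial: a small Python evaluator for src, port and method ACLs and http_access lines, run over a constructed fragment modelled on the configuration shown above. The Safe_ports and SSL_ports definitions in it are an assumption, since the page references those ACLs without showing them; the port list is the one from the page's iptables rule.

```python
import ipaddress
from dataclasses import dataclass

# Constructed squid.conf fragment modelled on this page's example. The Safe_ports and
# SSL_ports ACLs are an assumption (the page references them but does not define them);
# the port list is the one used in the page's iptables rule.
SQUID_CONF = """
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443
acl Safe_ports port 21 23 70 80 81 82 210 280 443 488 563 591 777 3128 8080
acl CONNECT method CONNECT
acl lan src 192.168.1.1 192.168.2.0/24
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow lan
http_access deny all
"""

# The mistake the page warns about: 'deny all' placed above the 'allow lan' line.
MISORDERED_CONF = SQUID_CONF.replace(
    "http_access allow lan\nhttp_access deny all",
    "http_access deny all\nhttp_access allow lan",
)


@dataclass
class Request:
    src: str            # client address
    port: int           # destination port of the requested URL
    method: str = "GET"


def parse_conf(text):
    """Collect 'acl' definitions and 'http_access' lines; other directives are ignored."""
    acls, rules = {}, []
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] == "acl":
            name, kind, values = words[1], words[2], words[3:]
            entry = acls.setdefault(name, (kind, []))
            if entry[0] != kind:
                raise ValueError(f"acl {name} redefined with a different type")
            entry[1].extend(values)  # Squid merges repeated acl lines of the same name
        elif words[0] == "http_access":
            terms = [(w.startswith("!"), w.lstrip("!")) for w in words[2:]]
            rules.append((words[1], terms))
    return acls, rules


def acl_matches(acl, req):
    kind, values = acl
    if kind == "src":
        ip = ipaddress.ip_address(req.src)
        # Accepts both prefix (/24) and netmask (/255.255.255.0) notation, as Squid does.
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "port":
        def in_spec(spec):
            lo, _, hi = spec.partition("-")  # single port or lo-hi range
            return int(lo) <= req.port <= int(hi or lo)
        return any(in_spec(v) for v in values)
    if kind == "method":
        return req.method.upper() in {v.upper() for v in values}
    raise ValueError(f"acl type {kind!r} is not supported by this example")


def decide(conf_text, req):
    """First-match evaluation of http_access, as Squid performs it.

    Every ACL on a line must match (AND); a leading '!' negates that one ACL.
    If no line matches, Squid applies the opposite of the last line's action;
    with no http_access lines at all, everything is denied.
    """
    acls, rules = parse_conf(conf_text)
    for action, terms in rules:
        if all(acl_matches(acls[name], req) != negated for negated, name in terms):
            return action
    if not rules:
        return "deny"
    return "deny" if rules[-1][0] == "allow" else "allow"


if __name__ == "__main__":
    probes = (Request("192.168.2.10", 80), Request("192.168.2.10", 25),
              Request("192.168.2.10", 80, "CONNECT"), Request("10.0.0.5", 80))
    for label, conf in (("correct order", SQUID_CONF), ("deny all first", MISORDERED_CONF)):
        for req in probes:
            print(f"{label:15} {req.src:13} {req.method:7} port {req.port:<5} -> {decide(conf, req)}")
```

With the lines in the order the page recommends, a LAN client is allowed to port 80, refused on port 25 (not a Safe_port) and refused a CONNECT to a non-SSL port; with deny all moved above allow lan, the same LAN client is refused everything while localhost, whose allow line still precedes deny all, keeps working.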

SETTING UP ACCESS CONTROLS

The initial access controls for the Squid server are fairly restrictive, with good reason. Before anyone can use the server, access control rules must be written to allow access. Rules can be written for almost any type of requirement and can become very complex for large organizations.

The following iptables rule lists all of the Safe_ports (and common ports) that Squid allows, and drops packets to those ports if they come directly from any of the internal workstations. The only outgoing requests that can reach those ports are then the ones made by the proxy running on the gateway; the computers on the internal network are still allowed to send requests to the gateway proxy itself. You may need to change this rule depending on your network topology.

iptables -I FORWARD -o ppp0 -s 192.168.1.0/24 -p tcp -m multiport \
  --dports 21,23,70,80,81,82,210,280,443,488,563,591,777,3128,8080 -j DROP

Note that an iptables multiport rule can list at most 15 port numbers per rule. Please note that there should be two Ethernet cards on your server, eth0 and eth1.

SWITCHING ON SQUID (Making it go Live)

Enable the proper run levels:
chkconfig squid on

Start the service:


service squid start

Verify that squid is running:

service squid status

Note: if you have problems starting Squid, open a separate shell and run:

tail -f /var/log/messages

Then start the squid service in your original window:


service squid start

The tail command should show an error for Squid that can help you solve the problem. One common error is that the swap (cache) directory doesn't exist. To solve this problem, run Squid with the -z option to create the cache directories automatically:
/usr/sbin/squid -z

Make sure that Squid has write permission to the swap directory or this command won't work.

Configuring the Clients

If you are using Firefox or Mozilla you will need to add the proxy server as follows: go to Preferences > Network > Settings and add the name of your new proxy server and port 3128 to the HTTP proxy field (under manual configuration). Open a shell to your proxy server so you can observe the log file being written to. Use tail, as before:
tail -f /var/log/squid/access.log

Now surf the web through your proxy server. You should see entries flying by in real time as you visit different HTTP addresses. Congratulations, you now have a caching proxy server set up!

How do I test my Squid proxy is working correctly?

See the access log file /var/log/squid/access.log:
# tail -f /var/log/squid/access.log

The command above shows each incoming request as Squid logs it to /var/log/squid/access.log. Whenever somebody accesses a website through the browser, Squid will write a line for that request there.
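Watching the lines scroll past confirms that requests reach the proxy, but the result code in each line tells you more: TCP_HIT (or TCP_MEM_HIT) means the object was served from the cache, TCP_MISS means it was fetched from the origin, and TCP_DENIED means an http_access rule rejected the request. The following is an added example, not part of the original tutorial: a Python parser for Squid's native access.log format that summarises hit ratio, bytes served from cache and which clients are being denied. The log lines it processes are constructed for the example.

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed sample in Squid's native access.log format (the file the page tails):
#   timestamp elapsed client code/status bytes method URL rfc931 peerstatus/peerhost type
SAMPLE_LOG = """\
1251280800.123    245 192.168.2.10 TCP_MISS/200 15342 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html
1251280805.456      3 192.168.2.11 TCP_HIT/200 15342 GET http://www.example.com/index.html - NONE/- text/html
1251280810.789     80 192.168.2.10 TCP_DENIED/403 1450 GET http://www.example.com/ - NONE/- text/html
1251280815.000    512 192.168.2.12 TCP_MISS/200 2048 CONNECT mail.example.net:443 - DIRECT/203.0.113.5 -
1251280820.321      1 192.168.2.11 TCP_MEM_HIT/200 512 GET http://www.example.com/logo.png - NONE/- image/png
"""

FIELDS = ("timestamp", "elapsed_ms", "client", "result", "bytes", "method", "url",
          "ident", "hierarchy", "content_type")


def parse_line(line):
    """Split one native-format line into a dict; the URL never contains spaces, so
    whitespace splitting is safe for this format."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"unexpected field count {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    rec["time"] = datetime.fromtimestamp(float(rec["timestamp"]), tz=timezone.utc)
    rec["elapsed_ms"] = int(rec["elapsed_ms"])
    rec["bytes"] = int(rec["bytes"])
    rec["code"], status = rec["result"].split("/")   # e.g. TCP_HIT / 200
    rec["status"] = int(status)
    return rec


def summarize(log_text):
    """Count hits, misses and denials and report who is being refused by the ACLs."""
    recs = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    hits = [r for r in recs if "HIT" in r["code"]]       # TCP_HIT, TCP_MEM_HIT, ...
    misses = [r for r in recs if "MISS" in r["code"]]    # TCP_MISS, TCP_REFRESH_MISS, ...
    denied = [r for r in recs if r["code"] == "TCP_DENIED"]
    served = len(hits) + len(misses)
    return {
        "requests": len(recs),
        "hits": len(hits),
        "misses": len(misses),
        "denied": len(denied),
        "hit_ratio": len(hits) / served if served else 0.0,
        "bytes_from_cache": sum(r["bytes"] for r in hits),
        "clients": Counter(r["client"] for r in recs),
        "denied_clients": sorted({r["client"] for r in denied}),
    }


if __name__ == "__main__":
    import sys
    # Read a real log from stdin (e.g. python3 this.py < /var/log/squid/access.log),
    # otherwise fall back to the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    s = summarize(text)
    print(f"requests={s['requests']} hits={s['hits']} misses={s['misses']} "
          f"denied={s['denied']} hit_ratio={s['hit_ratio']:.0%} "
          f"bytes_from_cache={s['bytes_from_cache']}")
    for client, n in s["clients"].most_common():
        print(f"  {client:15} {n} requests")
    if s["denied_clients"]:
        print("  denied by http_access:", ", ".join(s["denied_clients"]))
```

A rising hit ratio on the same URL fetched twice is the simplest proof that caching works; a TCP_DENIED line from an address that should be in your intranet ACL is the first place to look when a client reports the proxy "not working", since it means the request reached Squid and an http_access rule refused it.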
