Installing and configuring Squid on CentOS. Initial configuration of the Squid proxy server SQUID Mode Schemes
Squid is a full featured caching proxy server application that provides caching and proxy services for HTTP, FTP and other popular network protocols. Squid can cache and proxy SSL requests and cache DNS lookup results, as well as perform transparent caching. Squid also supports a wide range of caching protocols such as ICP (Internet Caching Protocol), HTCP (Hypertext Caching Protocol), CARP (Routing Caching Protocol) and WCCP (Content Redirection Caching Protocol).
Squid Proxy Server is a great solution to broad caching and proxy server requirements that scales from regional office to corporate networks when it provides an extensible shared mechanism for access control and monitoring of critical parameters via SNMP. When choosing a computer system to use as a Squid proxy or caching server, make sure your system is equipped with plenty of RAM, as Squid maintains an in-memory cache to increase performance.
Installation
In a terminal, enter the following command to install the Squid server:
sudo apt-get install squid
Setting
Squid is configured by editing the directives contained in the configuration file /etc/squid/squid.conf. The following examples illustrate some of the directives that can be modified to affect the behavior of the Squid server. For more in-depth configuration of Squid, see the section.
Before editing a config file, you should make a copy of the original file and protect it from being overwritten so that you always have the original settings as a reference and to reuse when needed.
Copy the /etc/squid/squid.conf file and write-protect it with the following commands in the terminal:
sudo cp /etc/squid/squid.conf /etc/squid/squid.conf.original sudo chmod a-w /etc/squid/squid.conf.original
1. To configure your Squid server to listen on port 8888 instead of the default 3128, change the directive http_port as shown here:
Http_port 8888
2. Change the directive visible_hostname to give the Squid server a specific hostname. This name does not have to be the hostname of the computer. In the example, it is defined as weezie:
Visible_hostname weezie
3. Using Squid's access control, you can configure the use of the Internet proxy service to be available only to users from certain IP addresses. For example, we will illustrate user access from the 192.168.42.0/24 subnet only:
ACL
Acl fortytwo_network src 192.168.42.0/24
http_access your /etc/squid/squid.conf file:
http_access allow fortytwo_network
4. Using the great access control capabilities of Squid, you can configure the Internet proxy service to be used only during regular business hours. For example, we will show how to set up access for employees who work from 9:00 to 17:00 from Monday to Friday from the 10.1.42.0/24 subnet:
Add the following to the end of the section ACL your /etc/squid/squid.conf file:
acl biz_network src 10.1.42.0/24 acl biz_hours time M T W T F 9:00-17:00
Then add the following to the beginning of the section http_access your /etc/squid/squid.conf file:
Http_access allow biz_network biz_hours
After making changes to the /etc/squid/squid.conf file, save it and restart the squid server application for the changes to take effect with the following command in the terminal: sudo /etc/init.d/squid restart
Squid is a popular proxy server that is mainly used to cache frequently requested web content in order to reduce page response times and also to filter network traffic. It supports many different protocols such as HTTP, FTP, TLS, SSL, Internet Gopher and HTTPS. And this thing can be very useful with a slow Internet connection. Squid was originally developed as a Unix daemon, but several ports have been released for Windows. Squid is distributed under the GNU General Public License.
In this tutorial, you will learn how to install Squid on Ubuntu 16.04. Just follow these instructions in sequence and installing squid ubuntu will not cause any problems. Squid is quite a feature-packed program, and we can't cover all of its features in this article, but we'll try to cover the basics so you can fully customize and use it. Let's start with the installation.
There are several ways to install Squid on Ubuntu, one of the most common is installing from the official repositories using the apt utility.
First, open a terminal with Ctrl+Alt+T and update the package index:
After updating the list of packages, you can proceed to install the proxy server by simply executing the command:
sudo apt install squid
Then the utility will ask if you need to continue the installation, enter Y and wait for the download and installation to complete:
Then you can proceed to the setting.
Setting up Squid
The server configuration file is located in the /etc/squid directory. Depending on the version of Squid, the name of the folder and the file itself may differ, for example, /etc/squid3/squid.conf or /etc/squid/squid.conf. All settings are in this file. Let's take a look at it.
vim /etc/squid3/squid.conf
When the file opens you will see something like this:
The file contains several settings options, as well as a lot of documentation on their use. We will not touch on many of them, but we will consider the main ones.
Access control
First we need to set up client access rules for our proxy server. Squid was designed to be an enterprise program, and even if you use it at home, the squid 3 configuration must also be done.
The acl list is used for this. this is a normal list of objects, now it does not mean anything at all. These can be ip addresses, ports, etc. Then we will tell the program what to do with this list, to allow or deny access. The syntax for creating an acl list is:
acl list_name list_type list_item
There can be several such strings with the same name and type, and a list is obtained from them. The name of the list can be arbitrary, we will use it later. The list type is much more interesting. Can be one of:
- src- ip address where the connection comes from, client address;
- dst- ip address of the destination of the connection, the address of the server that the client wants to access;
- dstdomain- connection destination domain;
- srcdomain- client domain;
- arp- MAC address of the client's network card;
- time- the time when the connection is made;
- port- the port the client is trying to access;
- proto- the protocol by which the connection is established;
- method- data transfer method, for example, GET - HTTP data transfer, POST - form data transfer in HTTP, CONNECT - server connection request;
- http_status- server response;
- browser- client browser;
- url_regex- url address that is being accessed.
These are not all types of lists, but that's enough for a start, and more detailed information is in the same configuration file.
Let's add a list to access the server from the local network:
acl localnet src 192.168.0.0/16
Let's create a list of Safe_ports to allow traffic on the ports of the main network services, as well as unregistered ports above 1024:
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 #wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
Let's create two more lists - SSL_ports and connect, to allow using the connect method only for ssl connections. This will prevent the client from using other proxies on top of ours:
acl SSL_ports port 443
acl connect method CONNECT
As I said, these lists by themselves do not mean anything and do not affect the operation of the server in any way. To apply the list, you need to use the http_access directive. Its syntax is:
http_access action list_name
The action can be allow (allow) or deny (prohibit). now let's deny access to all ports except those specified in Safe_ports:
http_access deny Connect !SSL_ports
Now let's allow access from this computer (acl list localhos is predefined):
http_access allow localhost
Let's allow access from the local network:
http_access allow localnet
And ban everything else:
http_access deny all
Other settings
Access control is one of the most important components, but configuring squid ubuntu is not finished yet. There are many more interesting parameters, we will consider only a few of them:
http_port- sets the ip address and port on which the program will run. You can run the proxy only on this computer with the following construction:
http_port localhost:3218
Or on the local network:
https_port- sets the ip address and port on which https connections will be accepted. We do not cover working with https in this article.
cache_mem- the amount of memory that is allocated for caching objects.
cache_dir - allows you to set the folder for storing the cache. By default, the entire cache is stored in RAM. Syntax:
cache_dir file system folder size_in_mb L1 L2
L1 and L2 - the number of subfolders of the first and second levels. The file system determines how data will be written to disk. For example:
cache_dir aufs /var/spool/squid 100 16 256
coredump_dir- directory where the memory dump will be saved in case of an error.
refresh_pattern- a very interesting parameter that allows you to extend the lifetime of objects in the cache. The syntax is:
refresh_pattern -i regular expression min_time percent max_time parameters
- regular expression- specifies the objects to which the parameter should be applied;
- min_time- time in minutes until the object is considered fresh;
- max_time- the maximum time in minutes until the object is fresh;
parameters can be:
- override-expire- ignore the expire header;
- override-lastmod- ignore the last modification date of the file;
- reload-into-ims- instead of not caching send an If-Modified-Since request;
- ignore-reload- ignore client requests do not cache.
For example:
refresh_pattern -i \.gif$ 43200 100% 43200 override-lastmod override-expire
You may need other settings after the installation of squid ubuntu is complete. But they are beyond the scope of this article. Now save your changes, close the file and reload Squid:
sudo service squid3 restart
If this command returns an error, try another one:
sudo service squid restart
It remains to check the operation of our proxy server. This can be done using any browser. Open your browser settings and configure the proxy. I'll show you how to do it in Mozilla Firefox. If you have a different browser, for example, Google Chrome, I think you will figure out how the proxy is configured there.
Client side setup
Open a browser, go to Setting --> Additionally --> Net. Then click Settings in section Connection and select configure proxy manually:
In field HTTP proxy specify the IP address of the machine on which the Squid server was installed, and in the port field - the port number 3128. This port is used by default in Squid, but you can change the port number using /etc/squid/squid.conf
We continue the series of articles with setting up the ubuntu 14.04.1 server, today the next step is to install and configure squid3 - a server proxy for ubuntu server. If you still don't know what a proxy server is, I'll try to describe it in one sentence. A proxy server is a computer that processes requests from client computers when accessing the Internet.
Using a proxy server, you can not only provide centralized access to the Internet, but also limit it, block access to certain sites, open access only to allowed sites, cache static data (css, images, banners ...) and much more.
To install a proxy server, I will use ready-made and configured services and . And so, let's get started.
We open access to the Internet for computers in the local network
First, we need to open full access to the Internet for all computers in our local network. To do this, we will use NAT. NAT is a technology that allows all network traffic to pass through one address. That is, all requests to the Internet in the local network will be processed by the server.
Create a settings file
sudo touch /etc/nat
Let's add the following to this file:
#!/bin/sh #Enable packet forwarding echo 1 > /proc/sys/net/ipv4/ip_forward #Allow traffic to lo iptables -A INPUT -i lo -j ACCEPT #Allow access from the internal network to the outside iptables -A FORWARD - i eth1 -o eth0 -j ACCEPT #Enable NAT iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 -j MASQUERADE #Allow responses from external network iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT #Deny outside access to the internal network iptables -A FORWARD -i eth0 -o eth1 -j REJECT
Save the file and give it execute permissions:
sudo chmod +x /etc/nat
Let's add NAT start (line post-up /etc/nat) to the network settings file:
sudo nano /etc/network/interfaces
your file should look like this:
Auto lo iface lo inet loopback auto eth0 iface eth0 inet static address 192.168.1.104 netmask 255.255.255.0 gateway 192.168.1.1 auto eth1 iface eth1 inet static address 192.168.0.1 netmask 255.255.255.0 post-up /etc/nat
Save, close and restart the server:
In this form, everything is ready for distributing the Internet to computers on the network. If you now turn on the client computer, it will receive an IP address from the DHCP server, and also receive the gateway settings (192.168.0.1), respectively, the Internet should appear. If the Internet has appeared, we move on, if not, we check what we did wrong.
Installing and configuring Squid3
Now we need to install Squid3 - the proxy server itself. The article describes the basic settings, for more in-depth settings, I advise you to read the squid documentation.
Installing the squid3 package
sudo aptitude install squid3
After installation, open the file /etc/squid3/squid.conf
sudo nano /etc/squid3/squid.conf
First of all, let's find the line http_port 3128 and add value to it intercept and the IP address of the server, so it looks like this:
Http_port 192.168.0.1:3128 intercept
This is done so that in the future we do not have to configure a proxy server on all client machines (the proxy will be transparent).
Now, you need to specify the network in which our proxy server will work, for this we uncomment the line acl localnet src 192.168.0.0/16 # RFC1918 possible internal network and specify the netmask prefix 24 instead of 16 (since we have a mask of 255.255.255.0). The end time should look like this:
Acl localnet src 192.168.0.0/24 # RFC1918 possible internal network
allow access to the proxy from the internal network by uncommenting the line
http_access allow localnet
Now let's set up caching. Need to find a line cache_dir ufs /var/spool/squid3 100 16 256, uncomment it and change the values to the following:
Cache_dir ufs /var/spool/squid3 2048 16 256
Uncomment the line maximum_object_size_in_memory 512 KB, thereby specifying the maximum size of the cached object in memory.
Uncomment the line cache_mem 256 MB and replace the value with 256 on the 1024 , thereby specifying the allowable amount of memory.
So we set up caching, caching should reduce the load on the channel and increase the speed of opening pages. The cache is cleared when the server is restarted.
Now let's enable logging, for this we uncomment the line access_log daemon:/var/log/squid3/access.log squid and add below logfile_rotate 31(log files will be kept for 31 days, after which the oldest ones will be overwritten).
This completes the basic setup of squid3. Restart squid3
sudo service squid3 restart
Now the proxy server is configured and running, but in order for user traffic to go through it, you need to wrap all http traffic to squid. To do this, add to /etc/nat line:
# Wrap http on proxy iptables -t nat -A PREROUTING -i eth1 ! -d 192.168.0.0/24 -p tcp -m multiport --dport 80,8080 -j DNAT --to 192.168.0.1:3128
Actually now my file /etc/nat looks like this:
#!/bin/sh #Enable packet forwarding echo 1 > /proc/sys/net/ipv4/ip_forward #Allow traffic to lo iptables -A INPUT -i lo -j ACCEPT #Allow access from the internal network to the outside iptables -A FORWARD - i eth1 -o eth0 -j ACCEPT #Enable NAT iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 -j MASQUERADE #Allow responses from external network iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT # Deny external access to the internal network iptables -A FORWARD -i eth0 -o eth1 -j REJECT # Wrap http on the proxy iptables -t nat -A PREROUTING -i eth1 ! -d 192.168.0.0/24 -p tcp -m multiport --dport 80,8080 -j DNAT --to 192.168.0.1:3128
If you did everything as written in the article, then you will have a fully working proxy server. In the following articles I will write how to install content - the Dansguardian filter and how to make a black list for adding prohibited sites.
If you have any questions, welcome to the comments.
Introduction
Many administrators are faced with the problem of reasonable use of time and channel for accessing the Internet, thinking about the possibility of saving time and money, about limiting the speed for certain types of files or personalities, in the end about saving everything related to certain aspects of accessing the Internet. global network.
I, with the help of this article, will try to clearly and intelligibly explain the settings of the most common proxy server - Squid.
Initial Squid settings for user access
We will not go into the process of installing the Squid proxy server, but will go straight to configuring it.
The most elementary thing that we should do after installation is to allow access to users of our local network. For this, the http_port, http_access parameters are used. In addition, we will set up an acl (access control list) for our local network.
And so, we need http_port insofar as our Squid proxy server should serve only computers on our local network and be invisible to the outside world in order to exclude the possibility for "bad people" on the external network to use our channel or traffic, and if they are detected " holes" in the Squid proxy code, use them.
The http_access parameter is used to allow or deny access to certain resources, certain addresses or from certain addresses, to certain sites, over certain protocols, ports, and everything that is directly specified using Acl (Access Control Lists).
Table N 1. Some subnets.
|
Address range |
Full form |
short form |
|
192.168.0.1-192.168.0.254 |
192.168.0.0/255.255.255.0 |
192.168.0.0/24 |
|
192.168.20.1-192.168.20.254 |
192.168.20.0/255.255.255.0 |
192.168.20.0/24 |
|
192.168.0.1-192.168.254.254 |
192.168.20.0/255.255.0.0 |
192.168.20.0/16 |
|
10.0.0.1-10.254.254.254 |
10.0.0.0/255.0.0.0 |
10.0.0.0/8 |
Suppose you have a network with addresses from 192.168.0.1 to 192.168.0.254, then add a new Acl (see table N1):
Acl LocalNet src 192.168.0.0/24
Suppose you have a Squid proxy server located at 192.168.0.200 on port 3128, then we write in the configuration file:
http_port 192.168.0.200:3128
Our next action will be to prohibit the use of our proxy server, except for users of our local network:
Http_access allow LocalNet
http_access deny all
In this case, the word allow is a permission, and the word deny is a prohibition, that is, we allow access to the Squid proxy server from our local network addresses and deny access to everyone else.
Be careful when specifying http_access, as Squid uses them in the order you specify them.
Learning ACLs (Access Control Lists)
The access control system in the Squid proxy server is very flexible and extensive. It consists of elements with values and access lists with the indication allow (permission) or deny (prohibition).
The ACL format is as follows:
acl element list name
Access list format:
Http_access specifying acl_name
We will look at some of the elements that the Squid proxy server allows, with examples of course:
* acl name src list
Using this element (src), we specify the source IP address, that is, the client from which the request came to our proxy server.
In the following example, we will allow Vasya Pupkin (Pupkin) and the programming department (Progs) access to our proxy server, and deny everyone else:
Acl Progs src 192.168.0.1-192.168.0.9
acl Pupkin src 192.168.0.10
http_access allow Progs
http_access allow Pupkin
http_access deny all
* acl name dst list
This element (dst) specifies the destination IP address, that is, the IP address of the server that the proxy server client wishes to access.
In the following example, we will deny Vasya access to the 194.67.0.0/16 subnet (for example, it contains the same aport.ru):
Acl Net194 dst 194.67.0.0/16
http_access deny Pupkin Net194
* acl dstdomain name list
With this element (dstdomain) we specify the domain that the proxy server client wants to access.
In the following example, we will deny Vasya access to warez sites nnm.ru and kpnemo.ru:
Acl SitesWarez dstdomain .nnm.ru .kpnemo.ru
http_access deny Pupkin SitesWarez
If it is necessary to specify the source domain, then use srcdomain.
* acl name [-i] srcdom_regex list
* acl name [-i] dstdom_regex list
These elements differ from srcdomain and dstdomain only in that they use regular expressions, which we do not consider in this article, but we will still give an example:
Acl SitesRegexSex dstdom_regex sex
Acl SitesRegexComNet dstdom_regex .com$ .net$
http_access deny Pupkin SitesRegexSex
http_access deny Pupkin SitesRegexComNet
In this example, we denied Vasily Pupkin access to all domains containing the word sex and to all domains in the .com and .net zones.
The -i switch is designed to ignore the case of characters in regular expressions.
* acl name [-i] url_regex list
With this element (url_regex) we specify the regular expression pattern for the URL.
An example of specifying files with the avi extension starting with the word sex:
Acl NoAviFromSex url_regex -i sex.*.avi$
In case you wish to specify a pattern for the URL path only, i.e. excluding protocol and host (domain) name, then use urlpath_regex.
Example for specifying music files:
* acl acl_name port list
Indication of the destination port number, that is, the port to which the client of our proxy server wants to connect.
As an example, we will prohibit everyone from using the Mirc program through our proxy server:
Acl Mirc port 6667-6669 7770-7776
http_access deny all Mirc
* acl acl_name proto list
Specify the transfer protocol.
As an example, let's prevent the above-mentioned Vasya from using the FTP protocol through our proxy server:
Acl ftpproto proto ftp
http_access deny Pupkin ftpproto
* acl acl_name method list
Specifying the http request method by the client (GET, POST).
Let's take a situation where you should prohibit Vasya Pupkin from viewing his mail on the mail.ru website, but at the same time allow him to walk around the site without restrictions, that is, prohibit Vasya from entering his mailbox through the login form on the site:
Acl SiteMailRu dstdomain .mail.ru
acl methodpost method POST
http_access deny Pupkin methodpost SiteMailRu
User restrictions
Quite often in our country there is a situation that there is not enough access channel to the global Internet for all users and there is a desire to give everyone the maximum, but at the same time not to let the channel "die" because of those who like to download files.
The Squid proxy tools allow this to be achieved in several ways:
the first way is to optimize object caching;
the second is the time limit for certain users, which is not entirely correct;
the third way is to limit the speed for certain types of files, users and everything that we have defined through Acl.
Time limits
You can limit users by time as follows:
Acl name time days hh:mm-hh:mm
Where the day is: M - Monday, T - Tuesday, W - Wednesday, H - Thursday, F - Friday, A - Saturday, S - Sunday.
In this case, hh:mm must be less than HH:MM, that is, you can specify from 00:00-23:59, but you cannot specify 20:00-09:00.
Let's forbid the same Vasya to have access to the Internet from 10 am to 3 pm every day:
ACL TimePupkin time 10:00-15:00
http_access deny Pupkin TimePupkin
If you want to allow Vasya to use the Mirc program from 13:00 to 14:00, then we write:
Acl TimePupkin time 13:00-14:00
http_access allow Pupkin TimePupkin Mirc
http_access deny Pupkin Mirc
But what if you need to prohibit or allow on certain days of the week? Squid also allows you to do this, for example from 13 to 14 on Monday and Sunday:
Acl TimePupkin time MS 13:00-14:00
As you can see, there is nothing complicated about this.
Speed limits
Speed control in the Squid proxy server is performed using pools. A pool is a kind of beer keg in which beer is constantly filled to the brim, and customers pour into their glasses or other containers for further internal consumption as needed through their personal taps.
Pools are regulated using three parameters: delay_class, delay_parameters, delay_access. The number of pools is specified using the delay_pools parameter.
Pools can be of three classes:
The entire flow of beer is limited to one tap (for the entire network).
The entire flow of beer is limited to one tap, but the tap is divided into taps (for each IP).
The entire flow of beer is limited to one tap, but the tap is divided into taps (into subnets), which are also divided into mini taps (for each IP).
Formats:
Delay_pools number_of_declared_pools
delay_access pool_number action acl_name
The action can be allow (allow) and deny (prohibit). At the same time, this pool acts on those to whom it is allowed and does not act on those to whom it is prohibited. If allow all is specified, and then deny Pupkin, then this class will still affect Pupkin, because. Pupkin's IP address declared in acl Pupkin is in the acl all address list. Keep this in mind.
Delay_class pool_number pool_class
delay_parameters pool_number parameters
The parameters differ depending on the pool class:
for first class:
Delay_parameters 1 byte_to_whole_network
for the second class:
Delay_parameters 1 per_network per_client
for third grade:
Delay_parameters 1 per_whole_network per_subnet per_client
For example, we have a 128 Kb channel (on average 15 Kb per second) and we wish Vasya (Pupkin) to give only 4 Kb / s (one small glass for everything), to the programming department (Prog) to give only 10 Kb / sec and for each only 5 Kb / s (only two glasses), all others should be limited to 2 Kb / s for each and 10 Kb / s for everyone, and mp3 (media) files should be limited to 3 Kb per second for all (on the whole barrel of beer is such a small tap). Then we write:
Acl Prog src 192.168.0.1-192.168.0.9
acl Pupkin src 192.168.0.10
acl LocalNet src 192.168.0.0/255.255.255.0
acl media urlpath_regex -i .mp3$ .asf$ .wma$
Delay_pools 4
# first limit mp3
delay_class 1 1
delay_parameters 1 3000/3000
delay_access 1 allow media
delay_access 1 deny all
# limit poor Vasya
delay_class 2 1
delay_parameters 2 4000/4000
delay_access 2 allow Pupkin
delay_access 2 deny all
# limit the programming department
delay_class 3 2
delay_parameters 3 10000/10000 5000/5000
delay_access 3 allow Prog
delay_access 3 deny all
# and now we restrict the rest (the second class of the pool)
delay_class 4 2
delay_parameters 4 10000/10000 2000/2000
delay_access 4 deny media
delay_access 4 deny Pupkin
delay_access 4 deny Prog
delay_access 4 allow LocalNet
delay_access 4 deny all
The question often arises, what is the best way to use such a small channel so that it is automatically shared between all those who are currently downloading something? There is an unambiguous answer to this question - it is not possible to do this using the Squid proxy server, but still something can be done:
delay_class 1 2
delay_parameters 1 -1/-1 5000/15000
delay_access 1 allow LocalNet
delay_access 1 deny all
Thus, we allocate the maximum channel for our entire network and subnets (-1 means unlimited), and we give each user a maximum speed of 5 Kb / s after he downloads the first 15 Kb of the document at maximum speed.
Thus, the client will not eat the entire channel, but will quickly receive the first 15 KB.
Optimizing object caching in Squid
There are many types of files that are not updated often enough to allow the proxy server to respond to headers from web servers that this object is not cacheable or that it has surprisingly just changed. This is a fairly common situation.
To resolve such situations, the refresh_pattern parameter in the Squid proxy settings file is used, but completely with formulas and such. we will not consider it.
Refresh_pattern [-i] string MINV percent MAXV parameters
This parameter is used to determine the age of the object (read file) in the cache, whether it should be updated or not.
MINV (minimum time) - time in minutes when an object in the cache is considered fresh.
MAXV (maximum time) - the maximum time in minutes when the object is considered fresh.
Options are one or more of the following options:
override-expire - ignore object expiration information and use MINV.
override-lastmod - ignore file modification date information use minv.
reload-into-ims - instead of asking the client request "do not cache documents" (no-cache), send the request "If changed from" (If-Modified-Since)
ignore-reload - ignore client requests to "do not cache documents" (no-cache) or "reload document" (reload).
And so, we come to the most important thing. Well, what types of files are updated the least? As a rule, these are various music files and pictures.
Let's set the freshness of objects, for this, for pictures and music files, let's say for example, as many as 30 days (43200 minutes):
Refresh_pattern -i .gif$ 43200 100% 43200 override-lastmod override-expire
refresh_pattern -i .png$ 43200 100% 43200 override-lastmod override-expire
refresh_pattern -i .jpg$ 43200 100% 43200 override-lastmod override-expire
refresh_pattern -i .jpeg$ 43200 100% 43200 override-lastmod override-expire
refresh_pattern -i .pdf$ 43200 100% 43200 override-lastmod override-expire
refresh_pattern -i .zip$ 43200 100% 43200 override-lastmod override-expire
refresh_pattern -i .tar$ 43200 100% 43200 override-lastmod override-expire
refresh_pattern -i .gz$ 43200 100% 43200 override-lastmod override-expire
refresh_pattern -i .tgz$ 43200 100% 43200 override-lastmod override-expire
refresh_pattern -i .exe$ 43200 100% 43200 override-lastmod override-expire
refresh_pattern -i .prz$ 43200 100% 43200 override-lastmod override-expire
refresh_pattern -i .ppt$ 43200 100% 43200 override-lastmod override-expire
refresh_pattern -i .inf$ 43200 100% 43200 override-lastmod override-expire
refresh_pattern -i .swf$ 43200 100% 43200 override-lastmod override-expire
refresh_pattern -i .mid$ 43200 100% 43200 override-lastmod override-expire
refresh_pattern -i .wav$ 43200 100% 43200 override-lastmod override-expire
refresh_pattern -i .mp3$ 43200 100% 43200 override-lastmod override-expire
The settings shown above are just an example, in order to make the essence clear.
Now you can check the effectiveness of your proxy server, it will certainly increase.
Conclusion
The Squid proxy server is not the only popular proxy server, there are others. But as statistics show, most people use this particular proxy server, but at the same time, many beginners still have problems with the settings.
We update the system:
Add a rule to firewalld:
firewall-cmd --permanent --add-port=3128/tcp
* where 3128 - the port on which our proxy server will be configured.
and restart firewalld:
firewall-cmd --reload
Installing and configuring Squid
Set the proxy server with the following command:
yum install squid
And open the configuration file for editing:
vi /etc/squid/squid.conf
If the network of client computers differs from the standard one (192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8), you must add it to the acl, for example:
acl localnet src 217.66.157.0/24
or via file:
acl localnet src "/etc/squid/acl_localnet"
* quotes are required
** after you need to create a file /etc/squid/acl_localnet and from each line list the allowed IP addresses.
To allow all traffic, add the following line:
http_access allow all
* it is important that it be higher than the prohibitive one - http_access deny all
Set up a directory for the cache:
cache_dir ufs /var/spool/squid 4096 32 256
* where ufs- file system (ufs for SQUID is the most appropriate); /var/spool/squid— cache storage directory; 4096 - the amount of space in megabytes that will be allocated for the cache; 32 - the number of first-level catalogs that will be created to host the cache; 256 — the number of second-level catalogs that will be created to host the cache.
Now we create the folder structure for the cache with the following command:
And you can already start squid:
systemctl start squid
Don't forget to enable autorun:
systemctl enable squid
Examination
We go into the browser settings and configure the use of a proxy server. For example, in Mozilla Firefox, the settings should be set as follows:
* where 192.168.163.166 — IP address of my proxy server.
Now we open the site 2ip.ru. After loading it, we will see the external IP address - it must correspond to the network from which the configured SQUID works.
Transparent proxy
Transparent Proxy allows you to automatically use a proxy server without having to configure your computer's browser. Users may not even be aware that traffic is going through squid.
vi /etc/squid/squid.conf
We find the line:
And we bring it to the following form:
http_port 3128 transparent
And restart squid:
systemctl restart squid
Squid + HTTPS
I did not have to specifically configure https for squid in CentOS 7 - everything worked by default.
Login and password authorization
Open the configuration file:
vi /etc/squid/squid.conf
Insert the following:
auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/auth_users
auth_param basic children 25
auth_param basic realm SQUID PROXY
auth_param basic credentialsttl 3 hours
acl auth_users proxy_auth REQUIRED
* where /usr/lib64/squid/basic_ncsa_auth- location of ncsa_auth (depending on the system, it may be located in a different directory); /etc/squid/auth_users— a file with logins and passwords; children 25 allows 25 simultaneous connections; SQUID PROXY— an arbitrary phrase for greeting; credentialsttl 3 hours will keep the session for 3 hours, after which you will need to re-enter your login and password.
http_access deny !Safe_ports
We add:
http_access allow auth_users
Create a file with users and create the first pair of login and password:
htpasswd -c /etc/squid/auth_users user1
* if the system returns an error " bash: htpasswd: command not found» install htpasswd with the command yum install httpd-tools
Create a second user:
htpasswd /etc/squid/auth_users user2
And restart squid:
systemctl restart squid
Outgoing network interface
Our server can have multiple external IP addresses. By default, all outgoing requests will go through the default gateway interface. To be able to work with squid through different interfaces, we add to the configuration.
