Squid

A User's Guide

Oskar Pearson

Qualica Technologies (Pty) Ltd.

[email protected]

Copyright (c) 2003 Oskar Pearson c/o Qualica Technologies (Pty) Ltd, PO Box 783168, Sandton, JHB, Gauteng, 2184, South Africa

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.1 or any later version published by the Free Software Foundation; with one Invariant Section: "History and Credits" , no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is included in the section entitled "GNU Free Documentation License".

Table of Contents

1. History and Credits

History and Credits

2. Installing Squid

Hardware Requirements

Gathering statistics
Hard Disks
RAM requirements
CPU Power

Choosing an Operating System

Experience
Features
Compilers

Basic System Setup

Default Squid directory structure
User and Group IDs

Getting Squid

Getting the Squid source code
Getting Binary Versions of Squid

Compiling Squid

Compilation Tools
Unpacking the Source Archive
Compilation options
Running configure
Compiling the Squid Source
Installing the Squid binary

3. Squid Configuration Basics

Version Control Systems

The Configuration File

Setting Squid's HTTP Port

Using Port 80

Email for the Cache Administrator

Effective User and Group ID

FTP login information

Access Control Lists and Access Control Operators

Simple Access Control
Ensuring Direct Access to Internal Machines

Communicating with other proxy servers

Your ISP's cache
Firewall Interactions

4. Starting Squid

Before Running Squid

Subdirectory Permissions

Running Squid

Testing Squid

Testing a Cache or Proxy Server with Client

Addition to Startup Files

5. Browser Configuration

Basic Configuration
Advanced Configuration
Basic Configuration
Host name

Browser-cache Interaction

Testing the Cache

Cache Auto-config

Web server config changes for autoconfig files
Autoconfig Script Coding
Super Proxy Script

cgi generated autoconfig files

Future directions

Roaming
Browsers
Transparency

Ready to Go

6. Access Control and Access Control Operators

Uses of ACLs

Access Classes and Operators

A unique name
Type
Decision String
Types of acl

Acl-operator lines

The other Acl-operators

SNMP Configuration

Querying the Squid SNMP server on port 3401
Running multiple SNMP servers on a cache machine

Delay Classes

Slowing down access to specific URLs
The Second Pool Class
The Second Pool Class
The Third Pool Class
Using Delay Pools in Real Life

7. Cache Hierarchies

Introduction

Peer Configuration

The cache_peer Option

Peer Selection

Selecting by Destination Domain
Selecting with Acls
Other Peering Options

Multicast Cache Communication

Getting your machine ready for Multicast
Querying a Multicast Cache
Accepting Multicast Queries: The mcast_groups option
Other Multicast Cache Options

Cache Digests

Cache Hierarchy Structures

Two Peering Caches
Trees
Meshes
Load Balancing Servers

The Cache Array Routing Protocol (CARP)

8. Accelerator Mode

When to use Accelerator Mode

Acceleration of a slow server
Replacing a combination cache/web server with Squid
Transparent Caching
Security

Accelerator Configuration Options

The httpd_accel_host option
The httpd_accel_port option
The httpd_accel_with_proxy option
The httpd_accel_uses_host_header option

Related Configuration Options

The redirect_rewrites_host_header option
Refresh patterns
Access Control

Example Configurations

Replacing a Combination Web/Cache server
Accelerating Requests to a Slow Server

9. Transparent Caching

The Problem with Transparency

The Transparent Caching Process

Some Routing Basics
Packet Flow with Transparent Caches

Network Layout

Filtering Traffic

Unix machines
Routers (not done)
Layer-Four Switches (not done)

Kernel Redirection (not done)

Squid Settings (not done)

10. Not Yet Done: Squid Config files and options

11. Overall Layout (for writers)

12. GNU Free Documentation License

GNU Free Documentation License

List of Examples
3-1. Effective User and Group IDs
3-2. Theoretical Access List
3-3. Access Lists using Classes
3-4. CIDR vs Netmask Source-IP Notation
3-5. Example Complete ACL list
3-6. Using always and never_direct
4-1. Using the -h and -p client Options
4-2. Retrieving Pages directly from a remote site with client
4-3. Printing timing information for a page download
4-4. Accessing a site through the cache
4-5. Runcache command in the startup files
5-1. Restarting Apache
5-2. A very basic autoconfig file
5-3. Connecting to a cache server
5-4. Connecting to a cache server, with failover
5-5. dnsDomainIs
5-6. Using multiple dnsDomainIs calls
5-7. using the isInNet call
5-8. using isPlainHostName to decide if the connection should be direct
5-9. myIpAddress
5-10. shExpMatch
5-11. url.substring
5-12. A small organization's proxy config file
5-13. Dialup ISP autoconfig file
5-14.
6-1. Explicit allow, explicit deny (do not use this!, see later text for reasons)
6-2. Only an allow acl-operator
6-3. Corrected example 6-1, explicit deny all
6-4. Example 6-1 once the cache is considered stable
6-5. Using multiple acl Decision Strings per line
6-6.
6-7. Denying access to a small section of a larger block
6-8. Filtering out unwanted destination sites
6-9. Denying access to sites with the word sex in the URL
6-10.
6-11. Allowing Web access during the weekend only
6-12. Denying access to FTP sites
6-13. Breaking search site access
6-14.
6-15. Using ident usernames to deny cache access
6-16. Using Ident to classify users, and using Squid to deny classes
6-17. Using more than one acl operator on an http_access line
6-18. Specifying more than one acl per http_access line
6-19. Logging ident values from specific machines
6-20. Doing ident lookups for unknown machines
6-21. Allowing a subnet range to only get data we already have (hits)
6-22. Using the broken_posts acl-operator
6-23. Using the snmp_community acl type
6-24. Allowing SNMP access from only one machine
6-25. Using the snmp_community acl type
6-26. Limiting download speed by a word in the URL
6-27. Limiting both overall and per-user bandwidth usage
6-28. Using Class 3 Delay Pools
7-1. The cache_peer tag
7-2. The cache_peer_domain tag
7-3. Using acls to select peers
7-4. Passing suspect urls to a filtering cache
7-5. Ignoring Hierarchy Caches for a Local Top-Level Domain
7-6. Bypassing a parent for a local machine
7-7. Changing the Cache Type by Destination Domain
7-8.
7-9. Sending Queries to a Multicast Server
7-10. Listening for Multicast Queries
7-11. Using CARP Load Factor variables
8-1. Before Accelerator Configuration
8-2. After Accelerator Configuration
8-3. Forwarding Web Requests to a Server on the Same Machine
8-4. Accelerating a Slow Server

		Next
		History and Credits