Proxy Port Squid
The Squid Proxy Server | Administration Guide – SUSE …
Applies to SUSE Linux Enterprise Server 11 SP433 The Squid Proxy Server #
Squid is a widely-used proxy cache for Linux and UNIX platforms. This means
that it stores requested Internet objects, such as data on a Web or FTP
server, on a machine that is closer to the requesting workstation than the
server. It may be set up in multiple hierarchies to assure optimal response
times and low bandwidth usage, even in modes that are transparent for the
end user. Additional software like squidGuard may be used to filter Web
contents.
Squid acts as a proxy cache. It redirects object requests from clients (in
this case, from Web browsers) to the server. When the requested objects
arrive from the server, it delivers the objects to the client and keeps a
copy of them in the hard disk cache. One of the advantages of caching is that
several clients requesting the same object can be served from the hard disk
cache. This enables clients to receive the data much faster than from the
Internet. This procedure also reduces the network traffic.
Along with the actual caching, Squid offers a wide range of
features such as distributing the load over intercommunicating hierarchies of
proxy servers, defining strict access control lists for all clients accessing
the proxy, allowing or denying access to specific Web pages with the help of
other applications, and generating statistics about frequently-visited Web
pages for the assessment of the users’ surfing habits. Squid is not a generic
proxy. It normally proxies only HTTP connections. It supports the protocols
FTP, Gopher, SSL, and WAIS, but it does not support other Internet protocols,
such as Real Audio, news, or video conferencing. Because Squid only supports
the UDP protocol to provide communication between different caches, many
other multimedia programs are not supported.
33. 1 Some Facts about Proxy Caches #
As a proxy cache, Squid can be used in several ways. When combined with a
firewall, it can help with security. Multiple proxies can be used together.
It can also determine what types of objects should be cached and for how
long.
33. 1. 1 Squid and Security #
It is possible to use Squid together with a firewall to secure internal
networks from the outside using a proxy cache. The firewall denies all
clients access to external services except Squid. All Web connections must
be established by the proxy. With this configuration, Squid completely
controls Web access.
If the firewall configuration includes a DMZ, the proxy should
operate within this zone. Section 33. 5, “Configuring a Transparent Proxy”
describes how to implement a transparent proxy. This
simplifies the configuration of the clients, because in this case they do
not need any information about the proxy.
Several instances of Squid can be configured to exchange objects between
them. This reduces the total system load and increases the chances of
finding an object already existing in the local network. It is also
possible to configure cache hierarchies, so a cache is able to forward
object requests to sibling caches or to a parent cache—causing it to
get objects from another cache in the local network or directly from the
source.
Choosing the appropriate topology for the cache hierarchy is very
important, because it is not desirable to increase the overall traffic on
the network. For a very large network, it would make sense to configure a
proxy server for every subnetwork and connect them to a parent proxy, which
in turn is connected to the proxy cache of the ISP.
All this communication is handled by ICP (Internet cache protocol) running
on top of the UDP protocol. Data transfers between caches are handled using
HTTP (hypertext transmission protocol) based on TCP.
To find the most appropriate server from which to get the objects, one
cache sends an ICP request to all sibling proxies. These answer the
requests via ICP responses with a HIT code if the object was detected or a
MISS if it was not. If multiple HIT responses were found, the proxy server
decides from which server to download, depending on factors such as which
cache sent the fastest answer or which one is closer. If no satisfactory
responses are received, the request is sent to the parent cache.
Tip
To avoid duplication of objects in different caches in the network, other
ICP protocols are used, such as CARP (cache array routing protocol) or
HTCP (hypertext cache protocol). The more objects maintained in the
network, the greater the possibility of finding the desired one.
33. 3 Caching Internet Objects #
Not all objects available in the network are static. There are a lot of
dynamically generated CGI pages, visitor counters, and encrypted SSL
content documents. Objects like this are not cached because they change
each time they are accessed.
The question remains as to how long all the other objects stored in the
cache should stay there. To determine this, all objects in the cache are
assigned one of various possible states. Web and proxy servers find out the
status of an object by adding headers to these objects, such as “Last
modified” or “Expires” and the corresponding date.
Other headers specifying that objects must not be cached are used as well.
Objects in the cache are normally replaced, due to a lack of free hard disk
space, using algorithms such as LRU (last recently used). Basically this
means that the proxy expunges the objects that have not been requested for
the longest time.
33. 2 System Requirements #
The most important thing is to determine the maximum network load the system
must bear. Therefore, it is important to pay more attention to the load
peaks, because these might be more than four times the day’s average. When
in doubt, it would be better to overestimate the system’s requirements,
because having Squid working close to the limit of its capabilities could
lead to a severe loss in the quality of the service. The following sections
point to the system factors in order of significance.
Speed plays an important role in the caching process, so this factor
deserves special attention. For hard disks, this parameter is described as
random seek time, measured in milliseconds. Because
the data blocks that Squid reads from or writes to the hard disk tend to be
rather small, the seek time of the hard disk is more important than its
data throughput. For the purposes of a proxy, hard disks with high rotation
speeds are probably the better choice, because they allow the read-write
head to be positioned in the required spot more quickly. One possibility to
speed up the system is to use a number of disks concurrently or to employ
striping RAID arrays.
33. 2. 2 Size of the Disk Cache #
In a small cache, the probability of a HIT (finding the requested object
already located there) is small, because the cache is easily filled and the
less requested objects are replaced by newer ones. If, for example, one GB
is available for the cache and the users only surf ten MB per day, it would
take more than one hundred days to fill the cache.
The easiest way to determine the needed cache size is to consider the
maximum transfer rate of the connection. With a 1 Mbit/s connection, the
maximum transfer rate is 125 KB/s. If all this traffic ends up in the
cache, in one hour it would add up to 450 MB and, assuming that all this
traffic is generated in only eight working hours, it would reach
3. 6 GB in one day. Because the connection is normally not used to its
upper volume limit, it can be assumed that the total data volume handled by
the cache is approximately 2 GB. This is why 2 GB of disk space
is required in the example for Squid to keep one day’s worth of browsed
data cached.
The amount of memory (RAM) required by Squid directly correlates to the
number of objects in the cache. Squid also stores cache object references
and frequently requested objects in the main memory to speed up retrieval
of this data. Random access memory is much faster than a hard disk.
In addition to that, there is other data that Squid needs to keep in
memory, such as a table with all the IP addresses handled, an exact domain
name cache, the most frequently requested objects, access control lists,
buffers, and more.
It is very important to have sufficient memory for the Squid process,
because system performance is dramatically reduced if it must be swapped to
disk. The tool can be used for the cache memory management.
This tool is introduced in Section 33. 6, “”.
Squid is not a program that requires intensive CPU usage. The load of the
processor is only increased while the contents of the cache are loaded or
checked. Using a multiprocessor machine does not increase the performance
of the system. To increase efficiency, it is better to buy faster disks or
add more memory.
If not already installed, install the squid
package. squid does not belong to the default SUSE Linux Enterprise Server
installation scope.
Squid is already pre-configured in SUSE® Linux Enterprise Server, you can start it right after
the installation. To ensure a smooth start-up, the network should be
configured in a way that at least one name server and the Internet can be
reached. Problems can arise if a dial-up connection is used with a dynamic
DNS configuration. In this case, at least the name server should be entered,
because Squid does not start if it does not detect a DNS server in
/etc/
33. 3. 1 Commands for Starting and Stopping Squid #
To start Squid, enter rcsquid
start at the command line as
root. In the initial start-up,
the directory structure of the cache must first be defined in
/var/cache/squid. This is done automatically by the
start script /etc/init. d/squid and can take a few
seconds or even minutes. If done appears to the right in
green, Squid has been successfully loaded. To test the functionality of
Squid on the local system, enter localhost as the proxy
and 3128 as the port in the browser.
To allow users from the local system and other systems to access Squid and
the Internet, change the entry in the configuration files
/etc/squid/ from _access deny
all to _access allow all. However, in doing
so, consider that Squid is made completely accessible to anyone by this
action. Therefore, define ACLs that control access to the proxy. More
information about this is available in Section 33. 4. 2, “Options for Access Controls”.
After modifying the configuration file
/etc/squid/, Squid must reload the
configuration file. Do this with rcsquid
reload. Alternatively, completely restart Squid with
rcsquid restart.
The command rcsquid status can be
used to check if the proxy is running. The command
rcsquid stop causes Squid to shut
down. This can take a while, because Squid waits up to half a minute
(shutdown_lifetime option in
/etc/squid/) before dropping the connections
to the clients and writing its data to the disk.
Warning: Terminating Squid
Terminating Squid with kill or
killall can damage the cache. To be able to restart
Squid, a damaged cache must be deleted.
If Squid dies after a short period of time even though it was started
successfully, check whether there is a faulty name server entry or whether
the /etc/ file is missing. Squid logs the
cause of a start-up failure in the file
/var/log/squid/ If Squid should be loaded
automatically when the system boots, use the YaST runlevel editor to
activate Squid for the desired runlevels. See
Section 10. 3, “Configuring System Services (Runlevel) with YaST”.
An uninstall of Squid does not remove the cache hierarchy or the log files.
To remove these, delete the /var/cache/squid directory
manually.
33. 2 Local DNS Server #
Setting up a local DNS server makes sense even if it does not manage its
own domain. It then simply acts as a caching-only name server and is also
able to resolve DNS requests via the root name servers without requiring
any special configuration (see Section 25. 4, “Starting the BIND Name Server”). How this
can be done depends on whether or not you chose dynamic DNS during the
configuration of the Internet connection.
Dynamic DNS
Normally, with dynamic DNS, the DNS server is set by the provider during
the establishment of the Internet connection and the local
/etc/ file is adjusted automatically.
This behavior is controlled in the
/etc/sysconfig/network/config file with the
NETCONFIG_DNS_POLICY sysconfig variable. Set
NETCONFIG_DNS_POLICY to “”
with the YaST sysconfig editor (see
Section 10. 1, “Changing the System Configuration Using the YaST sysconfig Editor”). Then enter the local DNS
server in the /etc/ file with the IP
address 127. 0. 1 for
localhost. This way Squid
can always find the local name server when it starts.
To make the provider’s name server accessible, enter it in the
configuration file /etc/ under
forwarders along with its IP address. With
dynamic DNS, this can be achieved automatically during connection
establishment by setting the sysconfig variable
NETCONFIG_DNS_POLICY to auto.
Static DNS
With static DNS, no automatic DNS adjustments take place while
establishing a connection, so there is no need to change any sysconfig
variables. You must, however, enter the local DNS server in the file
/etc/ as described above. Additionally,
the providers static name server must be entered manually in the
/etc/ file under
forwarders along with its IP address.
Tip: DNS and Firewall
If you have a firewall running, make sure DNS requests can pass it.
33. 4 The /etc/squid/ Configuration File #
All Squid proxy server settings are made in the
/etc/squid/ file. To start Squid for the
first time, no changes are necessary in this file, but external clients are
initially denied access. The proxy is available for
localhost. The default port is
3128. The pre-installed configuration file
/etc/squid/ provides detailed information
about the options and many examples. Nearly all entries begin with
# (the lines are commented) and the relevant
specifications can be found at the end of the line. The given values almost
always correlate with the default values, so removing the comment signs
without changing any of the parameters actually has little effect in most
cases. If possible, leave the sample as it is and insert the options along
with the modified parameters in the line below. This way, the default values
may easily be recovered and compared with the changes.
Tip: Adapting the Configuration File after an Update
If you have updated from an earlier Squid version, it is recommended to
edit the new /etc/squid/ and only apply the
changes made in the previous file. If you try to use the old, you risk that the configuration no longer
works, because options are sometimes modified and new changes added.
33. 1 General Configuration Options (Selection) #_port 3128
This is the port on which Squid listens for client requests. The default
port is 3128, but 8080 is also common.
If desired, specify several port numbers separated by blank spaces.
cache_peer hostnametypeproxy-porticp-port
Here, enter a parent proxy, for example, if you want to use the proxy of
your ISP. As hostname, enter the name or IP
address of the proxy to use and, as type,
enter parent. For
proxy-port, enter the port number that is
also given by the operator of the parent for use in the browser (usually
8080). Set the icp-port to
7 or 0 if the ICP port of the parent
is not known and its use is irrelevant to the provider. In addition,
default and no-query may be specified
after the port numbers to prohibit the use of the ICP protocol. Squid
then behaves like a normal browser as far as the provider’s proxy is
concerned.
cache_mem 8 MB
This entry defines the amount of memory Squid can use for very popular
replies. The default is 8 MB. This does not specify the
memory usage of Squid and may be exceeded.
cache_dir ufs /var/cache/squid/ 100 16 256
The entry cache_dir defines the directory where all
the objects are stored on disk. The numbers at the end indicate the
maximum disk space in MB to use and the number of directories in the
first and second level. The ufs parameter should be
left alone. The default is 100 MB occupied disk space in the
/var/cache/squid directory and creation of 16
subdirectories inside it, each containing 256 more subdirectories. When
specifying the disk space to use, leave sufficient reserve disk space.
Values from a minimum of 50% to a maximum of 80% of the available disk
space make the most sense here. The last two numbers for the directories
should only be increased with caution, because too many directories can
also lead to performance problems. If you have several disks that share
the cache, enter several cache_dir lines.
cache_access_log /var/log/squid/, cache_log /var/log/squid/, cache_store_log /var/log/squid/
These three entries specify the paths where Squid logs all
its actions. Normally, nothing is changed here. If Squid is experiencing
a heavy usage burden, it might make sense to distribute the cache and
the log files over several disks.
emulate_d_log off
If the entry is set to on, obtain readable log
files. Some evaluation programs cannot interpret this, however.
client_netmask 255. 255. 255
With this entry, mask IP addresses of clients in the log files. The last
digit of the IP address is set to zero if you enter
255. 0 here. You may
protect the privacy of your clients this way.
ftp_user Squid@
With this, set the password Squid should use for the anonymous FTP
login. It can make sense to specify a valid e-mail address here, because
some FTP servers check these for validity.
cache_mgr webmaster
An e-mail address to which Squid sends a message if it unexpectedly
crashes. The default is webmaster.
logfile_rotate 0
If you run squid -k rotate,
Squid can rotate secured log files. The files are
numbered in this process and, after reaching the specified value, the
oldest file is overwritten. The default value is 0
because archiving and deleting log files in SUSE Linux Enterprise Server is carried out by a
cron job set in the configuration file
/etc/logrotate/squid.
append_domain
With append_domain, specify which domain to append
automatically when none is given. Usually, your own domain is entered
here, so entering www in the browser accesses your
own Web server.
forwarded_for on
If you set the entry to off, Squid removes the IP
address and the system name of the client from HTTP requests. Otherwise
it adds a line to the header like
X-Forwarded-For: 192. 168. 1negative_ttl 5 minutes; negative_dns_ttl 5 minutes
Normally, you do not need to change these values. If you have a dial-up
connection, however, the Internet may, at times, not be accessible.
Squid makes a note of the failed requests then refuses to issue new
ones, although the Internet connection has been reestablished. In a case
such as this, change the minutes to
seconds. Then, after clicking
Reload in the browser, the dial-up process should
be reengaged after a few seconds.
never_direct allow acl_name
To prevent Squid from taking requests directly from the Internet, use
the above command to force connection to another proxy. This must have
previously been entered in cache_peer. If
all is specified as the
acl_name, force all requests to be forwarded
directly to the parent. This might be necessary,
for example, if you are using a provider that strictly stipulates the
use of its proxies or denies its firewall direct Internet access.
33. 2 Options for Access Controls #
Squid provides a detailed system for controlling the access to the proxy.
By implementing ACLs, it can be configured easily and comprehensively. This
involves lists with rules that are processed sequentially. ACLs must be
defined before they can be used. Some default ACLs, such as
all and localhost, already exist.
However, the mere definition of an ACL does not mean that it is actually
applied. This only happens in conjunction with
_access rules.
acl
An ACL requires at least three specifications to define it.
The name
arbitrarily. For
variety of different options, which can be found in the ACCESS
CONTROLS section in the
/etc/squid/ file. The specification for
depends on the individual ACL type and
can also be read from a file, for example, via hostnames, IP addresses,
or URLs. The following are some simple examples:
acl mysurfers srcdomain
acl teachers src 192. 0/255. 0
acl students src 192. 7. 0-192. 9. 0
acl lunch time MTWHF 12:00-15:00_access allow
_access defines who is allowed to use the proxy
and who can access what on the Internet. For this, ACLs must be given.
localhost and all have already
been defined above, which can deny or allow access via
deny or allow. A list
containing any number of _access entries can be
created, processed from top to bottom, and, depending on which occurs
first, access is allowed or denied to the respective URL. The last entry
should always be _access deny all. In the
following example, the localhost has free access to
everything while all other hosts are denied access completely.
_access allow localhost
_access deny all
In another example using these rules, the group
teachers always has access to
the Internet. The group
students only gets access
Monday to Friday during lunch time.
_access deny localhost
_access allow teachers
_access allow students lunch time
The list with the _access entries should only
be entered, for the sake of readability, at the designated position in
the /etc/squid/ file. That is, between
the text
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR
# CLIENTS
and the last
redirect_program /usr/bin/squidGuard
With this option, specify a redirector such as squidGuard, which allows
the blocking of unwanted URLs. Internet access can be individually
controlled for various user groups with the help of proxy authentication
and the appropriate ACLs. squidGuard is a separate package that can be
installed and configured.
auth_param basic program /usr/sbin/pam_auth
If users must be authenticated on the proxy, set a corresponding
program, such as pam_auth. When accessing pam_auth for the first time,
the user sees a login window in which to enter the username and
password. In addition, an ACL is still required, so only clients with a
valid login can use the Internet:
acl password proxy_auth REQUIRED
_access allow password
The REQUIRED after proxy_auth
can be replaced with a list of permitted usernames or with the path to
such a list.
ident_lookup_access allow
With this, have an ident request run for all ACL-defined clients to find
each user’s identity. If you apply all to the
Also, an ident daemon must be running on all clients. For Linux, install
the pidentd package for this purpose. For Microsoft Windows, free
software is available for download from the Internet. To ensure that
only clients with a successful ident lookup are permitted, define a
corresponding ACL here:
acl identhosts ident REQUIRED
_access allow identhosts
Here, too, replace REQUIRED with a list of
permitted usernames. Using ident can slow down the
access time quite a bit, because ident lookups are repeated for each
request.
33. 5 Configuring a Transparent Proxy #
The usual way of working with proxy servers is the following: the Web
browser sends requests to a certain port in the proxy server and the proxy
provides these required objects, whether they are in its cache or not. When
working in a network, several situations may arise:
For security reasons, it is recommended that all clients use a proxy to
surf the Internet.
All clients must use a proxy, regardless of whether they are aware of it.
The proxy in a network is moved, but the existing clients need to retain
their old configuration.
In all these cases, a transparent proxy may be used. The principle is very
easy: the proxy intercepts and answers the requests of the Web browser, so
the Web browser receives the requested pages without knowing from where they
are coming. As the name indicates, the entire process is done transparently.
33. 5. 1 Configuration Options in /etc/squid/ #
To inform squid that it should act as a transparent proxy, use the option
transparent at the tag
_port in the main configuration file
/etc/squid/ After restarting squid, the
only other thing that must be done is to reconfigure the firewall to
redirect the port to the port given in
_port. In the following squid config line,
this would be the port 3128.
_port 3128 transparent33. 2 Firewall Configuration with SuSEfirewall2 #
Now redirect all incoming requests via the firewall with help of a port
forwarding rule to the Squid port. To do this, use the enclosed tool
SuSEFirewall2, described in Section 15. 1, “Configuring the Firewall with YaST”. Its
configuration file can be found in
/etc/sysconfig/SuSEfirewall2. The configuration file
consists of well-documented entries. To set a transparent proxy, you must
configure several firewall options:
Device pointing to the Internet:
FW_DEV_EXT=”eth1″
Device pointing to the network:
FW_DEV_INT=”eth0″
Define ports and services (see
/etc/services) on the firewall that are accessed from
untrusted (external) networks such as the Internet. In this example, only
Web services are offered to the outside:
FW_SERVICES_EXT_TCP=”www”
Define ports or services (see /etc/services) on the
firewall that are accessed from the secure (internal) network, both via TCP
and UDP:
FW_SERVICES_INT_TCP=”domain www 3128″
FW_SERVICES_INT_UDP=”domain”
This allows accessing Web services and Squid (whose default port is
3128).
The service “domain” stands for DNS (domain name service).
This service is commonly used. Otherwise, simply take it out of the above
entries and set the following option to no:
The most important option is option number 15:
Example 33. 1: Firewall Configuration: Option 15 ## 15. )
# Which accesses to services should be redirected to a local port on
# the firewall machine?
#
# This option can be used to force all internal users to surf via
# your squid proxy, or transparently redirect incoming webtraffic to
# a secure webserver.
# Format:
# list of
# Where protocol is either tcp or udp. dport is the original
# destination port and lport the port on the local machine to
# redirect the traffic to
# An exclamation mark in front of source or destination network
# means everything EXCEPT the specified network
# Example: “10. 0/8, 0/0, tcp, 80, 3128 0/0, 172. 20. 1, tcp, 80, 8080″
The comments above show the syntax to follow. First, enter the IP address
and the netmask of the internal networks accessing the proxy firewall.
Second, enter the IP address and the netmask to which these clients send
their requests. In the case of Web browsers, specify the networks
0/0, a wild card that means “to
everywhere. ” After that, enter the original port to which these
requests are sent and, finally, the port to which all these requests are
redirected. Because Squid supports protocols other than HTTP, redirect
requests from other ports to the proxy, such as FTP (port 21), HTTPS, or
SSL (port 443). In this example, Web services (port 80)
are redirected to the proxy port (port 3128). If there are
more networks or services to add, they must be separated by a blank space
in the respective entry.
FW_REDIRECT=”192. 0/16, 0/0, tcp, 80, 3128”
To start the firewall and the new configuration with it, change an entry in
the /etc/sysconfig/SuSEfirewall2 file. The entry
START_FW must be set to “yes”.
Start Squid as shown in Section 33. 3, “Starting Squid”. To
verify that everything is working properly, check the Squid logs in
/var/log/squid/ To verify that all ports are correctly configured, perform a
port scan on the machine from any computer outside your network. Only the
Web services (port 80) should be open. To scan the ports with nmap, the
command syntax is nmap -O
IP_address.
The cache manager () is a CGI utility for displaying statistics
about the memory usage of a running Squid process. It is also a more
convenient way to manage the cache and view statistics without logging the
server.
First, a running Web server on your system is required. Configure Apache as
described in Chapter 31, The Apache HTTP Server. To check if Apache is already
running, as root enter the
command rcapache status. If a
message like this appears:
Checking for service d: OK
Server uptime: 1 day 18 hours 29 minutes 39 seconds
Apache is running on the machine. Otherwise, enter
rcapache start to start Apache
with the SUSE Linux Enterprise Server default settings. The last step to set it up is to copy the
file to the Apache directory
cgi-bin. For 32-bit, this works as follows:
cp /usr/lib/squid/ /srv/www/cgi-bin/
In a 64-bit environment, the file is
located below /usr/lib64/squid/ and the command to
copy it to the Apache directory is the following:
cp /usr/lib64/squid/ /srv/www/cgi-bin/33. 6. 2 Cache Manager ACLs in /etc/squid/ #
There are some default settings in the original file required for the cache
manager. First, two ACLs are defined, then _access options use these
ACLs to grant access from the CGI script to Squid. The first ACL is the
most important, because the cache manager tries to communicate with Squid
over the cache_object protocol.
acl manager proto cache_object
acl localhost src 127. 1/255. 255
The following rules give Apache the access rights to Squid:
_access allow manager localhost
_access deny manager
These rules assume that the Web server and Squid are running on the same
machine. If the communication between the cache manager and Squid
originates at the Web server on another computer, include an extra ACL as
in Example 33. 2, “Access Rules”.
Example 33. 2: Access Rules #acl manager proto cache_object
acl webserver src 192. 7/255. 255 # webserver IP
Then add the rules in Example 33. 3, “Access Rules” to permit access from
the Web server.
Example 33. 3: Access Rules #_access allow manager localhost
_access allow manager webserver
Configure a password for the manager for access to more options, like
closing the cache remotely or viewing more information about the cache. For
this, configure the entry cachemgr_passwd with a
password for the manager and the list of options to view. This list appears
as a part of the entry comments in
/etc/squid/
Restart Squid every time the configuration file is changed. Do this easily
with rcsquid reload.
This section is not intended to explain an extensive configuration of
squidGuard, only to introduce it and give some advice for using it. For more
in-depth configuration issues, refer to the squidGuard Web site at
squidGuard is a free (GPL), flexible, and fast filter, redirector, and
access controller plug-in for Squid. It lets you define multiple access
rules with different restrictions for different user groups on a Squid
cache. squidGuard uses Squid’s standard redirector interface. squidGuard can
do the following:
Limit Web access for some users to a list of accepted or well-known Web
servers or URLs.
Block access to some listed or blacklisted Web servers or URLs for some
users.
Block access to URLs matching a list of regular expressions or words for
some users.
Redirect blocked URLs to an “intelligent” CGI-based
information page.
Redirect unregistered users to a registration form.
Redirect banners to an empty GIF.
Use different access rules based on time of day, day of the week, date,
etc.
Use different rules for different user groups.
squidGuard and Squid cannot be used to:
Edit, filter, or censor text inside documents.
Edit, filter, or censor HTML-embedded script languages, such as JavaScript
or VBscript.
Before it can be used, install
squidGuard. Provide a minimal
configuration file as /etc/ Find
configuration examples in. Experiment
later with more complicated configuration settings.
Next, create a dummy “access denied” page or a more or less
complex CGI page to redirect Squid if the client requests a blacklisted Web
site. Using Apache is strongly recommended.
Now, configure Squid to use squidGuard. Use the following entry in the
/etc/squid/ file:
Another option called redirect_children configures
the number of “redirect” (in this case squidGuard) processes
running on the machine. The more proce
Squid (software) – Wikipedia
SquidDeveloper(s)Duane Wessels, Henrik Nordström, Amos Jeffries, Alex Rousskov, Francesco Chemolli, Robert Collins, Guido Serassio and volunteers[1]Initial releaseJuly 1996Stable release4. 15[2]
/ 10 May 2021; 4 months agoRepository inC++Operating systemBSD, Linux, Unix, Windows[3]TypeProxy serverLicenseGNU GPLv2[4]Website
Squid is a caching and forwarding HTTP web proxy. It has a wide variety of uses, including speeding up a web server by caching repeated requests, caching web, DNS and other computer network lookups for a group of people sharing network resources, and aiding security by filtering traffic. Although primarily used for HTTP and FTP, Squid includes limited support for several other protocols including Internet Gopher, SSL, [6] TLS and HTTPS. Squid does not support the SOCKS protocol, unlike Privoxy, with which Squid can be used in order to provide SOCKS support.
Squid was originally designed to run as a daemon on Unix-like systems. A Windows port was maintained up to version 2. 7. New versions available on Windows use the Cygwin environment. [7] Squid is free software released under the GNU General Public License.
History[edit]
Squid was originally developed as the Harvest object cache, [8] part of the Harvest project at the University of Colorado Boulder. [9][10] Further work on the program was completed at the University of California, San Diego and funded via two grants from the National Science Foundation. [11] Duane Wessels forked the “last pre-commercial version of Harvest” and renamed it to Squid to avoid confusion with the commercial fork called Cached 2. 0, which became NetCache. [12][13] Squid version 1. 0. 0 was released in July 1996. [12]
Squid is now developed almost exclusively through volunteer efforts.
Basic functionality[edit]
After a Squid proxy server is installed, web browsers can be configured to use it as a proxy HTTP server, allowing Squid to retain copies of the documents returned, which, on repeated requests for the same documents, can reduce access time as well as bandwidth consumption. This is often useful for Internet service providers to increase speed to their customers, and LANs that share an Internet connection. Because the caching servers are controlled by the web service operator, caching proxies do not anonymize the user and should not be confused with anonymizing proxies.
A client program (e. g. browser) either has to specify explicitly the proxy server it wants to use (typical for ISP customers), or it could be using a proxy without any extra configuration: “transparent caching”, in which case all outgoing HTTP requests are intercepted by Squid and all responses are cached. The latter is typically a corporate set-up (all clients are on the same LAN) and often introduces the privacy concerns mentioned above.
Squid has some features that can help anonymize connections, such as disabling or changing specific header fields in a client’s HTTP requests. Whether these are set, and what they are set to do, is up to the person who controls the computer running Squid. People requesting pages through a network which transparently uses Squid may not know whether this information is being logged. [14] Within UK organisations at least, users should be informed if computers or internet connections are being monitored. [15]
Reverse proxy[edit]
The above setup—caching the contents of an unlimited number of webservers for a limited number of clients—is the classical one. Another setup is “reverse proxy” or “webserver acceleration” (using _port 80 accel vhost). In this mode, the cache serves an unlimited number of clients for a limited number of—or just one—web servers.
As an example, if is a “real” web server, and is the Squid cache server that “accelerates” it, the first time any page is requested from, the cache server would get the actual page from, but later requests would get the stored copy directly from the accelerator (for a configurable period, after which the stored copy would be discarded). The end result, without any action by the clients, is less traffic to the source server, meaning less CPU and memory usage, and less need for bandwidth. This does, however, mean that the source server cannot accurately report on its traffic numbers without additional configuration, as all requests would seem to have come from the reverse proxy. A way to adapt the reporting on the source server is to use the X-Forwarded-For HTTP header reported by the reverse proxy, to get the real client’s IP address.
It is possible for a single Squid server to serve both as a normal and a reverse proxy simultaneously. For example, a business might host its own website on a web server, with a Squid server acting as a reverse proxy between clients (customers accessing the website from outside the business) and the web server. The same Squid server could act as a classical web cache, caching HTTP requests from clients within the business (i. e., employees accessing the internet from their workstations), so accelerating web access and reducing bandwidth demands.
Media-range limitations[edit]
For example, a feature of the HTTP protocol is to limit a request to the range of data in the resource being referenced. This feature is used extensively by video streaming websites such as YouTube, so that if a user clicks to the middle of the video progress bar, the server can begin to send data from the middle of the file, rather than sending the entire file from the beginning and the user waiting for the preceding data to finish loading.
Partial downloads are also extensively used by Microsoft Windows Update so that extremely large update packages can download in the background and pause halfway through the download, if the user turns off their computer or disconnects from the Internet.
The Metalink download format enables clients to do segmented downloads by issuing partial requests and spreading these over a number of mirrors.
Squid can relay partial requests to the origin web server. In order for a partial request to be satisfied at a fast speed from cache, Squid requires a full copy of the same object to already exist in its storage.
If a proxy video user is watching a video stream and browses to a different page before the video completely downloads, Squid cannot keep the partial download for reuse and simply discards the data. Special configuration is required to force such downloads to continue and be cached. [16]
Supported operating systems[edit]
Squid can run on the following operating systems:
AIX
BSDI
Digital Unix
FreeBSD
HP-UX
IRIX
Linux
macOS
NetBSD
NeXTStep
OpenBSD
OS/2 (including ArcaOS and eComStation)[17]
SCO OpenServer
Solaris
UnixWare
Windows[18]
See also[edit]
Web accelerator which discusses host-based HTTP acceleration
Proxy server which discusses client-side proxies
Reverse proxy which discusses origin-side proxies
Comparison of web servers
References[edit]
^ “Who looks after the Squid project? “.
^ “Squid version 4”. Retrieved 5 June 2021.
^ “What is the Best OS for Squid? “.
^ “Squid License”.
^ “Squid Project Logo”. Retrieved 6 July 2014.
^ “Squid FAQ: About Squid”. 13 February 2007. Archived from the original on 29 December 2007. Retrieved 13 February 2007.
^ “Squid 3. 5 for Windows”. February 2019. Current build is based on Squid 3. 5. 1 build for Cygwin Windows 64 bit
^ Bowman, Peter B. Danzig, Darren R. Hardy, Udi Manper, Michael F. Schwartz, The Harvest information discovery and access system, Computer Networks and ISDN Systems, Volume 28, Issues 1–2, December 1995, Pages 119–125. doi:10. 1016/0169-7552(95)00098-5
^ Squid intro, on the Squid website
^ Harvest cache now available as an “d accelerator”, by Mike Schwartz on the -wg mailing list, Tue, 4 April 1995, as forwarded by Brian Behlendorf to the Apache HTTP Server developers’ mailing list
^ “Squid Sponsors”. Archived from the original on 11 May 2007. Retrieved 13 February 2007. The NSF was the primary funding source for Squid development from 1996–2000. Two grants (#NCR-9616602, #NCR-9521745) received through the Advanced Networking Infrastructure and Research (ANIR) Division were administered by the University of California San Diego
^ a b Duane Wessels Squid and ICP: Past, Present, and Future, Proceedings of the Australian Unix Users Group. September 1997, Brisbane, Australia
^ “”. Archived from the original on 12 November 1996. Retrieved 7 August 2012.
^ See the documentation for header_access and header_replace for further details.
^ See, for example, Computer Monitoring In The Workplace and Your Privacy
^ “Squid Configuration Reference”. Retrieved 26 November 2012.
^ OS/2 Ports by Paul Smedley, OS/2 Ports
^
Further reading[edit]
Wessels, Duane (2004). Squid: The Definitive Guide. O’Reilly Media. ISBN 978-0-596-00162-9.
Saini, Kulbir (2011). Squid Proxy Server 3. 1: Beginner’s Guide. Packt Publishing. ISBN 978-1-849-51390-6.
External links[edit]
Official website
Squid Blog
Squid User’s Guide
Squid Transparent Proxy For DD-WRT
Squid reverse proxy — Create a reverse proxy with Squid
Configuration Manual — ViSolve Squid Configuration Manual Guide
Configuration Manual — Authoritative Squid Configuration Options
“Solaris Setup”. Archived from the original on 15 January 2008. — Setup squid on solaris
SQUID – Installation on CentOS, Fedora and Red Hat
What is a proxy ip address and port number?
What is a proxy IP address? When you connect to the Internet through proxies, the IP of the proxy server will be shown in place of your home IP address. Proxy IP addresses are designed to provide you with more privacy while you surf the web. A port number is part of the addressing information used to identify the receivers and senders of network messages. These numbers are also usually associated with TCP/IP network connections. Port numbers allow different applications on the same computer to share network resources. What’s more, port numbers can start from 0 and go up to 65535.
As seen in the image, the digits marked in red, comprise the IP address of a proxy IP address. The number marked in blue is the port number. 8080 is the default port number, and is commonly used for proxy and caching.
Understanding TCP / IP Protocol
TCP/IP is a suite of communications protocols used for interconnecting network devices on the Internet. Transmission Control Protocol/Internet Protocol uses two protocols – TCP and IP – and implements layers of protocol stacks. Each layer is designed to provide a well-defined network service to the upper layer protocol.
Understanding Application Layers
An application layer is one of the layers in the TCP/IP protocol suite and Open Systems Interconnection seven-layer model. Application layers comprise the protocols that facilitate process-to-process communication across an IP network. Some of the common application layer protocols include:
HTTP (Hypertext Transfer Protocol)
SMTP (Simple Text Transfer Protocol)
SNMP (Simple Network Management Protocol)
FTP (File Transfer Protocol)
Understanding Transport Layers
The transport layer protocol is the fourth layer of the OSI reference model. It enables transparent data transfer between two communicating systems or end systems that are using the services of a network layer, for e. g. an Internet Protocol layer. Since transport layers provide end-to-end information transfer and control, it is safe to say that it will provide reliable and cost effective data transfer as well as the quality of service needed by a particular application program.
Understanding Network Layers
Network layers are considered the backbone of the Open Systems Interconnection Model. It is also the third level of the model and provides data routing paths for smooth network communication. In a network layer, data will be transferred in the form of packets through one or more logical network paths in an organized format.
Understanding Data Link Layers
In computer networking, the data link layer is the second layer of the OSI model. The layer is also responsible for transferring data between nodes on a local area network or adjacent network nodes in a wide area network. Common data link protocols include Point-to-Point Protocol, Ethernet, Advanced Data Communication Control Procedures, and more.
Frequently Asked Questions about proxy port squid
What does Squid proxy do?
Squid is a caching and forwarding HTTP web proxy. It has a wide variety of uses, including speeding up a web server by caching repeated requests, caching web, DNS and other computer network lookups for a group of people sharing network resources, and aiding security by filtering traffic.
What port should I use for proxy?
8080 is the default port number, and is commonly used for proxy and caching.
What are safe ports in Squid?
¶ In default installation Squid does not allow HTTP or HTTPS connections to non standard ports (defaults for HTTP is port 80 and for HTTPS port 443). If you try to connect to URLs like http://www.example.com:8080 or https://www.exampe.com:8443 your browser will show the Access Denied Squid page.
