Introduction to Squid and Its Simple Configuration

 Squid Introduction and Simple Configuration Guide

1. What Is Squid?
  Squid is a software used for caching Internet data. It functions by accepting requests for objects people need to download and processing those requests appropriately. In other words, if someone wants to download a web page, they request Squid to fetch that page for them. Squid then connects to the remote server (e.g., http://squid.nlanr.net/) and requests the page. Afterward, Squid explicitly aggregates the data and sends it to the client machine while also replicating a copy. The next time someone needs the same page, Squid can simply read it from disk, so the data is transmitted to the client almost instantly. Currently, Squid can handle protocols such as HTTP, FTP, GOPHER, SSL, and WAIS. However, it cannot handle things like POP, NNTP, RealAudio, and other types.

2. Roles of Squid Proxy:
 

3. Squid Proxy Types and Definitions

Forward Proxy

a. Standard Proxy Caching Server
  A standard proxy caching service is used to cache static web pages (e.g., HTML files and image files) on a host within the local network (i.e., the proxy server). When a cached page is accessed a second time, the browser retrieves the requested data directly from the local proxy server instead of requesting it from the original web site again. This saves valuable network bandwidth and improves access speed. However, to implement this method, you must explicitly specify the proxy server’s IP address and port number in the browser settings of each internal host. When clients go online, every request is sent to the proxy server for processing. The proxy server determines based on the request whether to connect to the remote web server to fetch data. If the target file exists in the local cache, it sends the file directly to the user. If not, it first retrieves the file, saves a copy in the local cache, and then delivers the file to the client browser.
 
 b. Transparent Proxy Caching Server
  A transparent proxy caching service has identical functionality to a standard proxy server. However, the proxy operation is transparent to the client’s browser (meaning you don’t need to specify the proxy’s IP and port). The transparent proxy server intercepts network communication and filters out traffic destined for external HTTP (port 80). If the client’s request is locally cached, the cached data is sent directly to the user. If there is no local cache, it sends a request to the remote web server. The remaining operations are exactly the same as a standard proxy server. For Linux operating systems, transparent proxies are implemented using Iptables or Ipchains. Because no browser configuration is required, transparent proxies are particularly useful for ISPs (Internet Service Providers).
 
Reverse Proxy:
 a. Reverse Proxy Caching Server
  A reverse proxy is a completely different type of proxy service compared to the previous two. It can be used to reduce the load on the origin web server. The reverse proxy server handles requests for static pages that would otherwise go to the origin web server, preventing the origin server from becoming overloaded. It sits between the local web server and the Internet, handling all requests to the web server and blocking direct communication between the web server and the Internet. If a page requested by an internet user is cached on the proxy server, the proxy sends the cached content directly to the user. If not cached, it first sends a request to the web server, retrieves the data, caches it locally, and then sends it to the user. This method reduces the load on the web server by decreasing the number of requests made to it.
 
4. Squid Main Components
   Service Name: squid
   Main Program: /usr/sbin/squid
   Configuration Directory: /etc/squid
   Main Configuration File: /etc/squid/squid.conf
   Listening TCP Port: 3128
Default Access Log File: /var/log/squid/access.log

5. Common Squid Configuration Options (/etc/squid/squid.conf)
     http_port 3128 (Can also listen on a single IP: http_port 192.168.0.1:3128)
         cache_mem 64MB         # Amount of memory used for caching
         maximum_object_size 4096KB            # Maximum cache object size
         reply_body_max_size  1024000 allow all  # Limit download file size
         access_log /var/log/squid/access.log   # Access log file location
         visible_hostname  proxy.test.xom  # Visible hostname
         cache_dir ufs /var/spool/squid 100 16 256
         ufs: Cache data storage format
                /var/spool/squid Cache directory
                100 : Disk space size (MB) for the cache directory
                16 : Number of first-level subdirectories in the cache space
                256 : Number of second-level subdirectories in the cache space
         cache_mgr  [email protected]   # Define administrator email
     http_access deny all   # Access control
 
6. Access Control in Squid
  Using access control features, you can control caching based on specific time intervals, access to specific sites or groups of sites, and more. Squid access control has two elements: ACL elements and access lists. Access lists can allow or deny access to this service for certain users.
  
  Below are some important ACL element types:
  
  * src : Source address (i.e., client IP address)
  * dst : Destination address (i.e., server IP address)
  * srcdomain : Source domain name (i.e., client name)
  * dstdomain : Destination domain name (i.e., server name)
  * time : Time of day and day of the week
  * url_regex : URL regular expression matching
  * urlpath_regex: URL-path regular expression matching, omitting protocol and hostname
  * proxy_auth : User authentication via an external program
  * maxconn : Maximum number of connections from a single IP
  
  To use control features, you must first set up and apply ACL rules. The format for declaring an ACL is as follows:
  
  acl acl_element_name type_of_acl_element values_to_acl
  Note:
  1. acl_element_name can be any name defined in the ACL.
  2. No two ACL elements can have the same name.
  3. Each ACL consists of a list of values. When performing match detection, multiple values are connected by logical OR operations; in other words, if any value of an ACL element is matched, this ACL element is considered matched.
  4. Not all ACL element types can be used with every type in an access list.
  5. Different ACL elements are written on different lines; Squid will combine them into a single list.
  
  We can use many different access entries. Below are a few that we will be using:
  * http_access: Allows HTTP access. This is the primary access control entry.
  * no_cache: Defines responses to cache requests.
  
  The rules of an access list are composed of keywords like 'allow' or 'deny', used to permit or deny service to specific or sets of ACL elements.
  Note: 
  1. These rules are checked in the order they are listed. Once a matching rule is detected, the match check immediately ends.
  2. An access list can consist of multiple rules.
  3. If no rule matches the access request, the default action corresponds to the last rule in the list.
  4. All elements within a single access entry are linked with logical AND operations:
  http_access Action Statement1 AND Statement2 AND Statement OR.
  http_access Action Statement3
  Multiple http_access statements are linked by OR operations, but the elements within each access entry are linked by AND operations.
  5. Remember that the rules in the list always follow the order they are listed.top-down order.

7 Now that we’ve covered the introductions, let’s perform simple configurations for several squid proxy types:
     Standard Proxy Cache Server Configuration:
      a. Configuration on the squid server
         Prepare the environment: Package: squid (any version)
                Dual NICs: eth0:192.168.1.1 eth1:10.106.34.12
            
         vim /etc/squid/squid.conf
                http_port 192.168.1.12:3128 (multiple entries allowed)
             cache_mem 64MB        
             maximum_object_size 4096KB           
             reply_body_max_size  1024000 allow all
             access_log /var/log/squid/access.log 
             visible_hostname  proxy.test.xom
cache_mgr  [email protected]       
http_access allow all 

b.After all configurations are done:
            squid –z Initialize cache
                     squid –k parse Check syntax
                     service squid start Start squid
                     chkconfig squid on Enable on boot
                     netstat –nltp   Check if port 3128 is listening

c.Client-side configuration:
                     IP : 192.168.1.12 GW: 192.168.1.1
          Then open browseràToolsàOptionsàConnectionsàLAN SettingsàProxy Server
          Address: 192.168.1.1 Port: 3128
          After everything is set, enter http://www.google.cn in the browser to access the website. Easy, right!
 
Transparent Proxy Cache Server Configuration:

a. The configuration on the squid server is almost identical to the standard proxy cache server      
     The difference is: http_port 192.168.1.12:3128 transparent

b.Add iptables rules:
iptables -t nat -I PREROUTING  -s 192.168.1.0/24 -p tcp -dport 80 -j REDIRECT –to-ports 3128
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -p tcp –dport 53 -j SNAT -to-source 10.106.34.12
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -p udp –dport 53 -j SNAT -to-source 10.106.34.12
 
squid –k parse
              service squid reload
 
c.The client does not need to specify the proxy server address or port in the browser
But needs to set the DNS for internet access
After completing the above three steps, you can surf the internet
Reverse Proxy Cache Server Configuration
      Note: Reverse proxy and transparent proxy cannot be used simultaneously
       Steps:
a.       Squid server setup, modify /etc/squid/squid.conf
Similarly, the configuration on the reverse proxy squid server is almost identical to the standard proxy cache server 
 Differences: http_port 10.106.34.12:80 vhost
           Cache_peer 192.168.1.12 parent 80 0 originserver weight=5 max-conn=30
Explanation of the line above: Define web server web server address server type http port icp port  [options]
 
squid –k parse
                     service squid reload
 
b.      Client-side setup (Note: the client in this case is the web server)
               Start the web service
          After the above configuration, external networks can access your web server
               

Leave a Comment

Your email address will not be published.