A basic guide to Squid on Ubuntu(v1)

Nuke
Registered User
Posts: 3515
Joined: 28 Feb 2004, 02:00
Processor: Xeon E5620
Motherboard: Asus P6T6 Workstation
Graphics card: MSI GTX770
Memory: 24GB Hynix
Location: ::1


Post by Nuke »

Seeing the number of people coming over to Linux, I decided to make this little guide on setting up a Squid proxy server. (DJV's Ubuntu install guide has put me in the mood :P ) Even on a small home network it may save you some bandwidth and increase your speed. I use this config in an ISP environment for 700+ users. Some days I see a cache hit ratio of 20%+.

For this guide I'm using Ubuntu 7.04 Server, running Squid 2.6.STABLE5. But any newer version will work too.

We are going to use the CLI the whole way, so on a desktop you're gonna do it all in the root terminal.

Start by installing Squid. The first command updates your repositories, the second installs Squid.
root@dnsmail:~# apt-get update
root@dnsmail:~# apt-get install squid

Now to start configuring. Run the following command. I use Vim instead of Vi to edit, it's easier to use. (If Vim doesn't work, first do a root@dnsmail:~# apt-get install vim)
root@dnsmail:~# vim /etc/squid/squid.conf

When you edit your file, leave out the #### I put in. It's just there to make it easier to see what to edit. Press Insert on the keyboard to start editing.
First to edit is the http listen port. The "transparent" option means you can use iptables to NAT ALL http into the proxy; if you're only gonna point your web browser to the proxy, you can leave it out.
#### http_port 8080 transparent

Next is the amount of RAM Squid may use for caching. On a dedicated server use about 80-90% of its total RAM. On a desktop I would say 5-10%, but it's everyone's own decision. I will use the value 900 MB.
####cache_mem 900 MB

Now for HDD space. 12000 is 12000 MB; change it to 80% of total HDD space on a dedicated server, on a desktop use as much as you want. The 16 and 256 are just the directory structure, leave that.
####cache_dir ufs /var/spool/squid 12000 16 256

These settings are just where Squid is going to log.
####access_log /var/log/squid/access.log
####cache_log /var/log/squid/cache.log

Here are the refresh patterns; this is what tells Squid how to handle incoming objects. You can copy it directly into your squid.conf file, I did it without the ####. Reload-into-ims means it will check the version in cache to see if it's still the same file as on the website. The first 2 will cache Google Earth.

refresh_pattern -i kh.google 1440 20% 10080 override-expire override-lastmod reload-into-ims ignore-reload
refresh_pattern -i keyhole.com 1440 20% 10080 override-expire override-lastmod reload-into-ims ignore-reload
refresh_pattern windowsupdate.com/.*\.(cab|exe) 4320 100% 43200 reload-into-ims
refresh_pattern update.microsoft.com/.*\.(cab|exe) 4320 100% 43200 reload-into-ims
refresh_pattern download.microsoft.com/.*\.(cab|exe) 4320 100% 43200 reload-into-ims
refresh_pattern au.download.windowsupdate.com/.*\.(cab|exe) 4320 100% 43200 reload-into-ims
refresh_pattern downloadfree.grisoft.com/.*\.(bin|exe) 4320 100% 43200 reload-into-ims
refresh_pattern guru.grisoft.com/.*\.(bin|exe) 4320 100% 43200 reload-into-ims
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i \.flv$ 10080 90% 999999 ignore-no-cache
refresh_pattern -i \.exe$ 10080 90% 999999 reload-into-ims
refresh_pattern -i \.zip$ 10080 90% 999999 reload-into-ims
refresh_pattern -i \.tar\.gz$ 10080 90% 999999 reload-into-ims
refresh_pattern -i \.tgz$ 10080 90% 999999 reload-into-ims
refresh_pattern -i \.mp3$ 10080 90% 999999 reload-into-ims
refresh_pattern -i \.ram$ 10080 90% 999999 reload-into-ims
refresh_pattern -i \.jpeg$ 10080 90% 999999 reload-into-ims
refresh_pattern -i \.gif$ 10080 90% 999999 reload-into-ims
refresh_pattern -i \.wav$ 10080 90% 999999 reload-into-ims
refresh_pattern -i \.avi$ 10080 90% 999999 reload-into-ims
refresh_pattern -i \.mpeg$ 10080 90% 999999 reload-into-ims
refresh_pattern -i \.mpg$ 10080 90% 999999 reload-into-ims
refresh_pattern -i \.pdf$ 10080 90% 999999 reload-into-ims
refresh_pattern -i \.ps$ 10080 90% 999999 reload-into-ims
refresh_pattern -i \.Z$ 10080 90% 999999 reload-into-ims
refresh_pattern -i \.doc$ 10080 90% 999999 reload-into-ims
refresh_pattern -i \.ppt$ 10080 90% 999999 reload-into-ims
refresh_pattern -i \.tiff$ 10080 90% 999999 reload-into-ims
refresh_pattern -i \.snd$ 10080 90% 999999 reload-into-ims
refresh_pattern -i \.jpe$ 10080 90% 999999 reload-into-ims
refresh_pattern -i \.midi$ 10080 90% 999999 reload-into-ims
refresh_pattern -i \.ico$ 10080 90% 999999 reload-into-ims
refresh_pattern -i \.mp3$ 10080 90% 999999 reload-into-ims
refresh_pattern -i \.bin$ 10080 90% 999999 reload-into-ims
refresh_pattern -i \.jpg$ 10080 90% 999999 reload-into-ims
refresh_pattern -i \.wmv$ 10080 90% 999999 reload-into-ims

This will edit the ACLs, or access control lists. Mine is totally "unsafe", thus I think it's a good idea to edit it to fit your network. If you use the network 192.168.0.1/24 (192.168.0.1-192.168.0.254, or 192.168.0.1 with a subnet of 255.255.255.0), change "acl network src 0.0.0.0/0.0.0.0" to "acl network src 192.168.0.0/255.255.255.0". "http_access deny all" will always be at the end of your ACLs.

acl network src 0.0.0.0/0.0.0.0
http_access allow network
acl QUERY urlpath_regex cgi-bin \? intranet
acl forcecache url_regex -i kh.google keyhole.com
no_cache allow forcecache
no_cache deny QUERY
http_access deny all

Now press the ESC key and then Shift+ZZ to save and exit Vim. Run
root@dnsmail:~# /etc/init.d/squid restart

Your server should be up and running. Point your web browser's proxy setting to your server's IP. Do
root@dnsmail:~# tail -f /var/log/squid/access.log
and browse a little. You should see lines like these:
1202634608.771 8 192.168.50.1 TCP_IMS_HIT/304 341 GET http://www.freeonlinegames.com/social/i ... wsvine.png - NONE/- image/png
1202634608.772 1 192.168.50.1 TCP_IMS_HIT/304 342 GET http://www.freeonlinegames.com/social/i ... tscape.png - NONE/- image/png
1202634608.782 8 192.168.50.1 TCP_IMS_HIT/304 342 GET http://www.freeonlinegames.com/social/images/reddit.gif - NONE/- image/gif

If it does, congrats, you have set up a Squid proxy.

Thanks to the http://www.squid-cache.org/ mail archive. I got most of my refresh patterns there. Please let me know how it works, or anything I can change. I'm gonna make it longer to include the SARG install/etc if there is interest. It's also on PDF.
Feel free to post this guide anywhere, just link it back to the PCF forum.
PsiPyro/Nuke
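Added example, not part of Nuke's post or of the Squid project: a small Python script that parses access.log lines in the native format shown above, works out the cache hit ratio the guide talks about, and lists any client outside the network the "acl network src" line is supposed to allow (with the open 0.0.0.0/0.0.0.0 ACL, anyone who can reach port 8080 gets served). The log lines, the 192.168.50.0/24 network and the 10.0.0.9 client are constructed for the example.

```python
"""Parse Squid native access.log lines, as shown in the guide, and report the
cache hit ratio plus any client outside the network the ACL is meant to allow."""
import ipaddress
from collections import Counter

# Constructed sample modelled on the lines in the guide (not real traffic). The
# 10.0.0.9 line is made up to show a client that an "acl network src
# 192.168.50.0/255.255.255.0" rule would block but "0.0.0.0/0.0.0.0" lets through.
SAMPLE_LOG = """\
1202634608.771 8 192.168.50.1 TCP_IMS_HIT/304 341 GET http://www.example.com/social/images/newsvine.png - NONE/- image/png
1202634608.772 1 192.168.50.1 TCP_MISS/200 5342 GET http://www.example.com/social/images/netscape.png - DIRECT/203.0.113.5 image/png
1202634608.782 8 192.168.50.1 TCP_HIT/200 342 GET http://www.example.com/social/images/reddit.gif - NONE/- image/gif
1202634609.001 120 10.0.0.9 TCP_MISS/200 8124 GET http://www.example.com/ - DIRECT/203.0.113.5 text/html
"""


def parse_line(line):
    """Split one native-format line: time elapsed client code/status bytes
    method url ident hierarchy/peer content-type. Returns None on junk."""
    f = line.split()
    if len(f) < 10 or "/" not in f[3]:
        return None
    code, status = f[3].split("/", 1)
    return {"ts": float(f[0]), "ms": int(f[1]), "client": f[2], "code": code,
            "status": int(status), "bytes": int(f[4]), "method": f[5],
            "url": f[6], "hier": f[8], "type": f[9]}


def hit_ratio(log_text):
    """Percentage of requests served from cache (any TCP_*HIT result code)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            counts["hit" if "HIT" in rec["code"] else "miss"] += 1
    total = counts["hit"] + counts["miss"]
    return round(100.0 * counts["hit"] / total, 1) if total else 0.0


def foreign_clients(log_text, allowed="192.168.50.0/24"):
    """Clients not in the allowed network (assumed 192.168.50.0/24 here);
    anything listed means the proxy is serving hosts the ACL should keep out."""
    net = ipaddress.ip_network(allowed)
    return sorted({rec["client"] for rec in map(parse_line, log_text.splitlines())
                   if rec and ipaddress.ip_address(rec["client"]) not in net})


if __name__ == "__main__":
    print("hit ratio: %.1f%%" % hit_ratio(SAMPLE_LOG))
    print("clients outside allowed network:", foreign_clients(SAMPLE_LOG))
```

Run it against the real file with `tail -n 10000 /var/log/squid/access.log` piped in and an empty foreign_clients() list is what you want to see once the ACL is tightened.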
Vampyre_2099
Registered User
Posts: 1321
Joined: 04 Nov 2007, 02:00
Location: /home/jhb/fourways

Post by Vampyre_2099 »

Thanks for the tutorial. I use Squid at home and it's nice to finally understand what half the options mean. Only thing is... I set my PC to use http_port 8080 transparent and then it comes back saying the proxy is refusing connections; it's a Firefox-style error, not Squid. Then I change it to use port 3128 and it says the same thing. If I set it to use the Squid that's sitting on my Windows box (SquidNT) then it works fine.
Nuke

Post by Nuke »

What version of Squid is running on the Linux box? Are you using iptables to send all connections to your Squid or are you pointing your browser to the proxy server?
Vampyre_2099

Post by Vampyre_2099 »

Using 2.6.STABLE4... I think, either 4 or 14. I tried using iptables as it makes it easier than pointing all browsers.
Nuke

Post by Nuke »

What does your firewall NAT rule look like?
Vampyre_2099

Post by Vampyre_2099 »

Firewall? :oops: I don't have a firewall.
Nuke

Post by Nuke »

Umm, iptables is a firewall. It's actually 3 parts: filter chains, NAT chains and mangle chains. Filter is what you use for normal firewalling, dropping connections/packets. NAT is there to rewrite your packet headers, thus you can force changes to the destination IP/port and many other things. Mangle you use to mark packets/connections for other processes.

In your iptables firewall there should be a rule that states: prerouting, dst-port 80; action=dst-nat to 'proxy ip' port 8080. Can't tell you the Linux iptables command though, you'll have to search that on Google first.
The above rule means: on condition prerouting (any connection passing through the machine) on port 80 (thus web sites), do the following: rewrite the destination IP to the proxy IP (many times localhost) and rewrite the port to 8080. That will force any connection to a website to go through the proxy, no matter what you do.


Here is my rule on a Mikrotik. Mikrotik is a bit different from normal Linux, but the basics are the same.
chain=dstnat action=dst-nat to-addresses=192.168.50.4 to-ports=8080
src-address=192.168.50.73 dst-port=80 protocol=tcp
Vampyre_2099

Post by Vampyre_2099 »

OK thanks, I think it'll be easier if I just carry on using the normal browser pointing. Thanks anyway and good guide.