Unlike Squid 3.0, Squid 3.1 supports IPv6!
Squid 3.3 supports a way of dealing with broken IPv6 implementations that is inspired by the RFC 6555 Happy Eyeballs algorithm.
AFAIK Debian's version of Squid 3.x is not patched for security bug SQUID-2014:1. AFAIK SSL-Bump is off by default, so you should be OK as long as you don't enable this feature.
Cd to /etc/squid3/ and edit squid.conf;
You probably don't want just anyone to access your proxy server. The default client ACL, however, is rather limited. Edit to suit your needs. EG;
acl localnet src 192.168.1.0/24
acl localnet src 2001:db8:1234::/48
Or whatever your local networks are.
You may also want to firewall the proxy port.
The http_access rule for localnet is commented out; remove the comment, otherwise the ACL above has no effect and LAN clients are denied.
The default port is 3128. You may want to change this;
Put this port in /etc/services if not already there;
squid 3128/tcp # Squid proxy
http-alt 8080/tcp webcache # WWW caching service
http-alt 8080/udp # WWW caching service
There is no need to cache content from servers on your LAN;
# Local servers
acl loc-serv dst 127.0.0.1 192.168.1.0/24 ::1 2001:db8:1234::/48
# DSL modem
acl adsl dst 10.0.0.138
no_cache deny loc-serv
no_cache deny adsl
Edit to suit your needs. Note that in Squid 3.x 'no_cache' is only kept as a deprecated alias; the current spelling is 'cache deny loc-serv'.
You may want to limit the amount of memory Squid uses for in-memory object caching (cache_mem). EG;
cache_mem 32 MB
The default cache size is rather small. In Squid 3.3 the disk cache is disabled altogether by default. You may want to change this;
cache_dir ufs /var/spool/squid3 2048 16 256
This example sets the size to 2 GB.
You can also use the cache_dir statement to increase the maximum object size for that cache directory;
cache_dir ufs /var/spool/squid3 2048 16 256 max-size=100663296
This example sets the maximum object size to 96 MB (96 * 1024 * 1024 bytes).
I want to be able to cache a kernel source;
maximum_object_size 96 MB
With newer versions of Squid you need to set this BEFORE the 'cache_dir' statement! A cache_dir without an explicit max-size takes the maximum_object_size that is in force when the cache_dir line is parsed, so setting it afterwards leaves the cache_dir at the old limit.
I like to log fully qualified domain names. The LAN's nameserver is also on the LAN, so this shouldn't be a problem.
For Squid 3.3 you need to change the logformat statement instead: change '%>a' to '%>A';
# log_fqdn on;
logformat squid %ts.%03tu %6tr %>A %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt
The default config file has six spaces between 'squid' and '%ts.%03tu'. Change this to one, otherwise log file processors will get very confused.
Set to FQDN;
Both the pinger and SNMP have security issues; disable them unless you really need them.
There are patches, but these haven't been applied to Debian yet.
If you have one, specify it here;
You may want to change these.
The following keeps Debian package indexes fresh (a 0 0% 0 pattern means the object is always considered stale and revalidated with the origin);
# Keep Debian fresh
refresh_pattern ^(ht|f)tp(s)?://.*debian.*/Packages\.(bz2|gz|diff/Index)$ 0 0% 0
refresh_pattern ^(ht|f)tp(s)?://.*debian.*/Release(\.gpg)?$ 0 0% 0
refresh_pattern ^(ht|f)tp(s)?://.*debian.*/Sources\.(bz2|gz|diff/Index)$ 0 0% 0
refresh_pattern ^(ht|f)tp(s)?://.*debian.*/Translation-en_GB\.bz2$ 0 0% 0
Squid 3.3 uses a large timeout before falling back to IPv4: connect_timeout defaults to 1 minute! This means that if an IPv6 connect fails (times out) and an IPv4 connect would work, it takes Squid 60 seconds to fall back from IPv6 to IPv4. It's recommended that you reduce the connect timeout to twice the ping time (or a bit more). EG;
connect_timeout 5 seconds
Set the right address, EG;
This defaults to localhost. Set to the right name;
If you are part of a cache hierarchy, you don't want to ask your parent cache(s) for objects from servers on your LAN;
always_direct allow adsl
always_direct allow loc-serv
Disable the cache manager or set a password.
cachemgr_passwd disable all
If you set a password rather than disabling the cache manager, make sure your squid.conf isn't world readable.
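The checks above (the localnet rule left commented out, the deprecated no_cache spelling, maximum_object_size after cache_dir, the six spaces in the logformat line, the one-minute connect_timeout and an unprotected cache manager) are easy to get wrong by hand. The following linter is an added example, not code from the original page or from the Squid project; the two configs embedded in it are constructed for the demonstration and the 10-second connect_timeout threshold is my own choice.

```python
"""Lint a squid.conf for the pitfalls discussed on this page (added example).

Checks: 'http_access allow localnet' left commented out, deprecated 'no_cache'
(Squid 3.x spells it 'cache'), 'maximum_object_size' placed after 'cache_dir',
a 'logformat' with a run of spaces before the format string, a long
'connect_timeout' (slow IPv6->IPv4 fallback) and no 'cachemgr_passwd'.
"""
import os
import re
import stat
import sys

_TIME_UNITS = {"second": 1, "seconds": 1, "minute": 60, "minutes": 60,
               "hour": 3600, "hours": 3600, "day": 86400, "days": 86400}


def _directives(text):
    """Yield (lineno, name, args) for every active (non-comment, non-blank) line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        yield lineno, parts[0], parts[1] if len(parts) > 1 else ""


def _seconds(value):
    """Parse a Squid time value ('5 seconds', '1 minute', bare number = seconds)."""
    parts = value.split()
    unit = _TIME_UNITS.get(parts[1] if len(parts) > 1 else "seconds")
    return None if unit is None else float(parts[0]) * unit


def lint(text, max_connect_timeout=10):
    """Return a list of findings; an empty list means every check passed."""
    findings, localnet_allowed = [], False
    cache_dir_line = connect_seen = cachemgr_seen = None
    for lineno, name, args in _directives(text):
        if name == "http_access" and args.split() == ["allow", "localnet"]:
            localnet_allowed = True
        elif name == "no_cache":
            findings.append(f"line {lineno}: 'no_cache' is deprecated in Squid 3.x; use 'cache {args}'")
        elif name == "cache_dir" and cache_dir_line is None:
            cache_dir_line = lineno
        elif name == "maximum_object_size" and cache_dir_line is not None:
            findings.append(f"line {lineno}: 'maximum_object_size' must come before 'cache_dir' "
                            f"(line {cache_dir_line}), otherwise that cache_dir keeps the old limit")
        elif name == "logformat":
            m = re.match(r"(\S+)(\s+)\S", args)  # group 2 = whitespace after the format name
            if m and len(m.group(2)) > 1:
                findings.append(f"line {lineno}: logformat '{m.group(1)}' has {len(m.group(2))} "
                                f"spaces before the format string; use one")
        elif name == "connect_timeout":
            connect_seen, secs = True, _seconds(args)
            if secs is not None and secs > max_connect_timeout:
                findings.append(f"line {lineno}: connect_timeout of {secs:g}s makes IPv6->IPv4 "
                                f"fallback slow; use {max_connect_timeout}s or less")
        elif name == "cachemgr_passwd":
            cachemgr_seen = True
    if not localnet_allowed:
        findings.append("no active 'http_access allow localnet' rule: LAN clients are denied")
    if not connect_seen:
        findings.append("connect_timeout not set: the default is 1 minute")
    if not cachemgr_seen:
        findings.append("no cachemgr_passwd: add 'cachemgr_passwd disable all' or set a password")
    return findings


def world_readable(path):
    """True if others can read the file (bad for a squid.conf holding a cachemgr password)."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


BROKEN_CONF = """\
# constructed squid.conf excerpt containing every mistake the checks look for
acl localnet src 192.168.1.0/24
acl localnet src 2001:db8:1234::/48
#http_access allow localnet
http_access allow localhost
http_access deny all
no_cache deny loc-serv
cache_dir ufs /var/spool/squid3 2048 16 256
maximum_object_size 96 MB
logformat squid      %ts.%03tu %6tr %>A %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt
connect_timeout 1 minute
"""

FIXED_CONF = """\
acl localnet src 192.168.1.0/24
acl localnet src 2001:db8:1234::/48
http_access allow localnet
http_access allow localhost
http_access deny all
cache deny loc-serv
maximum_object_size 96 MB
cache_dir ufs /var/spool/squid3 2048 16 256
logformat squid %ts.%03tu %6tr %>A %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt
connect_timeout 5 seconds
cachemgr_passwd disable all
"""

if __name__ == "__main__":
    # Usage: lint_squid_conf.py [/etc/squid3/squid.conf]; without an argument the sample is used.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else BROKEN_CONF
    if path and world_readable(path):
        print(f"{path} is world readable")
    for finding in lint(text):
        print(finding)
```

Run it against /etc/squid3/squid.conf after editing; it reads the file like Squid does (one directive per line, '#' comments ignored) but does not understand include files, so run it on each included file separately.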
The default behaviour of Squid is to truncate URLs at whitespace;
So in the second case Squid will request 'http://Some_host/Wrong'.
Squid can, however, be made to replace the space (' ') with its percent-encoded form ('%20');
You could use a redirector (a url_rewrite_program helper) to correct other mistakes, such as backslashes used instead of forward slashes in URLs;
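A minimal redirector of that kind, written here as an added example (it is neither the page's nor the Squid project's code): it speaks the Squid 3.1-3.3 url_rewrite_program protocol without concurrency (one request line in, one reply line out, an empty line meaning "leave the URL alone") and turns backslashes in the path part of the URL into forward slashes. The squid.conf lines in the docstring use the real uri_whitespace and url_rewrite_* directives; the helper path /usr/local/bin/fix_url.py is an assumption, and the sample request lines in the usage note are constructed.

```python
"""Squid 3.x URL-rewrite helper that fixes backslashes in request URLs (added example).

Squid 3.1-3.3 send the helper one line per request:

    URL client_ip/fqdn ident method [urlgroup] key=value ...

and read back either the rewritten URL or an empty line (no change).  Squid 3.4
and later prefer 'OK rewrite-url=...' replies and only accept this bare-URL
format with a deprecation warning.  Wiring (helper path is an assumption):

    uri_whitespace encode              # Squid itself turns ' ' into %20
    url_rewrite_program /usr/local/bin/fix_url.py
    url_rewrite_children 5
    url_rewrite_bypass on              # keep serving if all helpers are busy
"""
import sys


def rewrite(url):
    """Return the corrected URL, or None when nothing had to change."""
    # Only the part before '?' is touched: a backslash inside a query string
    # may be deliberate (it is data for the origin server, not a path).
    path_part, sep, query = url.partition("?")
    fixed = path_part.replace("\\", "/")
    if fixed == path_part:
        return None
    return fixed + sep + query


def handle_line(line):
    """Turn one helper request line into the reply line (without newline)."""
    fields = line.split()
    if not fields:  # blank request line: answer with 'no change'
        return ""
    new_url = rewrite(fields[0])
    return new_url if new_url is not None else ""


def main():
    # Squid waits for the reply to each request, so never buffer the output.
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Fed the constructed request line "http://example.com/dir\file.html 192.168.1.5/- - GET -" the helper answers "http://example.com/dir/file.html"; for a URL that is already fine it answers with an empty line, so Squid fetches the original. The helper never rewrites the scheme or host and does not follow redirects itself, which keeps it from becoming an open rewrite rule for anything a client can put in a URL.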
This CSS file references an image hosted on http://www.squid-cache.org/ in error pages. This means that, whenever Squid reports an error, that image may be requested from http://www.squid-cache.org/, possibly logging the referer (and thereby the URL your user failed to reach). You may want to change this;
Move errorpage.css to errorpage.css.orig and copy errorpage.css.orig to errorpage.css;
mv errorpage.css errorpage.css.orig
cp errorpage.css.orig errorpage.css
Now edit errorpage.css. EG;
background: url('http://www.example.com/images/SN.png') no-repeat left;
If you want to use the original image, just download it and serve it from your own web server;
Load the new config file;
If you want webbrowsers to discover the proxy automatically, have a look at Web Proxy Autodiscovery Protocol and Proxy auto-config.
Some apps read environment variables like;
http_proxy=http://some.server.dom:port/
https_proxy=http://some.server.dom:port/
ftp_proxy=http://some.server.dom:port/
gopher_proxy=http://some.server.dom:port/
news_proxy=http://some.server.dom:port/
newspost_proxy=http://some.server.dom:port/
newsreply_proxy=http://some.server.dom:port/
snews_proxy=http://some.server.dom:port/
snewspost_proxy=http://some.server.dom:port/
snewsreply_proxy=http://some.server.dom:port/
nntp_proxy=http://some.server.dom:port/
wais_proxy=http://some.server.dom:port/
finger_proxy=http://some.server.dom:port/
cso_proxy=http://some.server.dom:port/
no_proxy=domain.path1,path2
Some software insists on a trailing slash; other software gets confused by one.
Some versions of Chromium-browser want the proxy environment variables without a trailing slash. You can also specify proxy variables on the chromium command line or in /etc/chromium/default.
Some software wants the environment variables in upper case. EG: HTTP_PROXY=http://some.server.dom:port/
Files where you might want to put environment variables are;
/etc/environment
/etc/profile
Some xdg config files
The VLC that comes with Debian Wheezy doesn't like proxying, so I disabled them in /etc/environment.
Have fun with IPv6!