Squid 3.1 on Debian


Unlike Squid 3.0, Squid 3.1 supports IPv6!

Configuration

squid.conf

Cd to /etc/squid3/ and edit squid.conf;

Client ACLs

You probably don't want just anyone to access your proxy server. The default client ACL, however, is rather limited. Edit to suit your needs. EG;

acl localnet src 192.168.1.0/24
acl localnet src 2001:0db8:1234::/48

Or whatever your local networks are.

You may also want to firewall the proxy port.

Allow localnet

The http_access allow localnet line is commented out; remove the comment.
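As an added example (not from the original page or from the Squid project), here is a small Python model of how Squid evaluates src ACLs and http_access lines: the first matching line decides, and if no line matches, Squid applies the opposite of the last line's action. The ACL names and addresses are constructed to mirror the localnet entries above plus the localhost and all ACLs that ship in squid.conf.

```python
import ipaddress

# Constructed ACL table, mirroring the localnet entries above plus the
# 'localhost' and 'all' ACLs Squid 3.1 defines out of the box.
ACLS = {
    "localhost": ["127.0.0.1/32", "::1/128"],
    "localnet": ["192.168.1.0/24", "2001:0db8:1234::/48"],
    "all": ["0.0.0.0/0", "::/0"],
}

# Constructed http_access list in the shape of the default squid.conf:
# allow the local ACLs, then deny everything else.
HTTP_ACCESS = [
    ("allow", "localhost"),
    ("allow", "localnet"),
    ("deny", "all"),
]


def src_matches(acls, acl_name, client_ip):
    """True if client_ip falls in any network listed for the src ACL."""
    ip = ipaddress.ip_address(client_ip)
    for entry in acls[acl_name]:
        net = ipaddress.ip_network(entry, strict=False)
        # v4 and v6 entries live in the same ACL; only compare like with like
        if net.version == ip.version and ip in net:
            return True
    return False


def http_access(rules, client_ip, acls=ACLS):
    """Evaluate http_access lines in order; the first match decides.
    If no line matches, Squid applies the opposite of the last line's action,
    so a list whose last line is 'deny <something specific>' lets every
    unmatched client through. Ending the list with 'deny all' avoids that."""
    for action, acl_name in rules:
        if src_matches(acls, acl_name, client_ip):
            return action
    if not rules:
        return "deny"  # no http_access lines at all: Squid denies
    return "deny" if rules[-1][0] == "allow" else "allow"


if __name__ == "__main__":
    for client in ("192.168.1.10", "2001:db8:1234:1::5", "203.0.113.5"):
        print(client, "->", http_access(HTTP_ACCESS, client))
    # A list that ends in a specific deny falls through to 'allow' for strangers.
    print("203.0.113.5 with trailing 'deny localhost' ->",
          http_access([("allow", "localnet"), ("deny", "localhost")], "203.0.113.5"))
```

The last call is the one to remember when you reorder rules: whatever ends the http_access list sets the fate of every client that matched nothing.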

HTTP Port

The default port is 3128. You may want to change this;

http_port 8080

Put this port in /etc/services if not already there;

squid		3128/tcp			# Squid proxy

Or;

http-alt	8080/tcp	webcache	# WWW caching service
http-alt	8080/udp			# WWW caching service

Don't cache local objects

There is no need to cache servers on your LAN;

# Local servers
acl loc-serv dst 127.0.0.1 192.168.1.0/24 ::1 2001:0db8:1234::/48
# DSL modem
acl adsl dst 10.0.0.138

no_cache deny loc-serv
no_cache deny adsl

Edit to suit your needs.

Limit cache memory

You may want to limit this. EG;

cache_mem 32 MB

Cache size

The default cache size is rather small. You may want to increase this;

cache_dir ufs /var/spool/squid3 2048 16 256

This example sets the size to 2 GB.

Cache large objects

I want to be able to cache a kernel source;

maximum_object_size 144 MB

Log FQDN

I like to log fully qualified domain names. The LAN's nameserver is also on the LAN, so this shouldn't be a problem.

log_fqdn on

FTP User

Set to FQDN;

ftp_user Squid@Your_Domain

Url rewrite program

If you have one, specify it here;

url_rewrite_program /Path/Rewrite_Program

Refresh pattern

You may want to change these.

The following keeps Debian fresh;

# Keep Debian fresh
refresh_pattern ^(ht|f)tp://.*debian.*/Packages\.(bz2|gz|diff/Index)$   0       0%      0
refresh_pattern ^(ht|f)tp://.*debian.*/Release(\.gpg)?$                 0       0%      0
refresh_pattern ^(ht|f)tp://.*debian.*/Sources\.(bz2|gz|diff/Index)$    0       0%      0
refresh_pattern ^(ht|f)tp://.*debian.*/Translation-en_GB\.bz2$          0       0%      0
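To see what those lines actually do, here is an added Python example (not code from this page or from Squid) that parses refresh_pattern lines and applies the freshness test that squid.conf's documentation gives for an object without an explicit Expires header: stale if its age exceeds max, otherwise the last-modified factor against percent, otherwise fresh only if age is under min. The four Debian lines are embedded with the stray ')' removed from the Translation line, and when no pattern matches the example falls back to Squid's documented built-in default of 0 20% 4320. The sample URLs are constructed.

```python
import re
from collections import namedtuple

RefreshRule = namedtuple("RefreshRule", "regex min_minutes percent max_minutes")

# Constructed sample: the four Debian lines from this page, with the stray ')'
# in the Translation line removed.
REFRESH_CONF = r"""
# Keep Debian fresh
refresh_pattern ^(ht|f)tp://.*debian.*/Packages\.(bz2|gz|diff/Index)$   0       0%      0
refresh_pattern ^(ht|f)tp://.*debian.*/Release(\.gpg)?$                 0       0%      0
refresh_pattern ^(ht|f)tp://.*debian.*/Sources\.(bz2|gz|diff/Index)$    0       0%      0
refresh_pattern ^(ht|f)tp://.*debian.*/Translation-en_GB\.bz2$          0       0%      0
"""

# What Squid uses when no refresh_pattern matches ("refresh_pattern . 0 20% 4320").
DEFAULT_RULE = RefreshRule(re.compile("."), 0, 20, 4320)


def parse_refresh_patterns(text):
    """Parse 'refresh_pattern [-i] regex min percent max' lines, in file order.
    Squid compiles POSIX extended regexes; these patterns mean the same in re."""
    rules = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] != "refresh_pattern":
            continue  # blank line or comment
        fields = fields[1:]
        flags = 0
        if fields[0] == "-i":
            flags = re.IGNORECASE
            fields = fields[1:]
        # trailing options such as override-expire are not modelled here
        pattern, min_m, pct, max_m = fields[:4]
        rules.append(RefreshRule(re.compile(pattern, flags),
                                 int(min_m), int(pct.rstrip("%")), int(max_m)))
    return rules


def match_rule(rules, url):
    """First refresh_pattern whose regex matches wins; None if none does."""
    for rule in rules:
        if rule.regex.search(url):
            return rule
    return None


def freshness(rules, url, age_minutes, lm_age_minutes=None):
    """Freshness of an object that carries no Expires header.
    age_minutes: time since the object was fetched.
    lm_age_minutes: time between Last-Modified and the fetch, or None if the
    origin sent no Last-Modified."""
    rule = match_rule(rules, url) or DEFAULT_RULE
    if age_minutes > rule.max_minutes:
        return "STALE"
    if lm_age_minutes is not None and lm_age_minutes > 0:
        lm_factor = 100.0 * age_minutes / lm_age_minutes
        return "FRESH" if lm_factor < rule.percent else "STALE"
    if age_minutes < rule.min_minutes:
        return "FRESH"
    return "STALE"


if __name__ == "__main__":
    rules = parse_refresh_patterns(REFRESH_CONF)
    release = "http://ftp.debian.org/debian/dists/squeeze/Release.gpg"
    deb = "http://ftp.debian.org/debian/pool/main/l/linux-2.6/linux-source-2.6.32_2.6.32-48_all.deb"
    # Index files: 0 0% 0 makes them stale the moment they are fetched.
    print(release, freshness(rules, release, 0, 1440))
    # Packages fall through to the built-in default and stay fresh for a while.
    print(deb, freshness(rules, deb, 60, 6000))
```

The point of 0 0% 0 is visible in the first call: even an index file fetched a moment ago is treated as stale, so apt always gets a revalidated copy, while the .deb files themselves are still served from the cache.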

Cache manager address

Set the right address, EG;

cache_mgr webmaster@Your_Domain

Host name

This defaults to localhost. Set to the right name;

visible_hostname Your_FQDN

Or;

visible_hostname Your_Domain

Always direct

If you are part of a cache hierarchy, you don't want to ask your parent cache(s) for objects from servers on your LAN;

always_direct allow adsl
always_direct allow loc-serv

Cache manager

Disable this or set a password.

cachemgr_passwd disable all

If you set a password rather than disabling the cache manager, make sure your squid.conf isn't world readable.

Encode whitespace

The default behaviour of Squid is to truncate URLs at whitespace;
  1. http://Some_host/Right%20Url
  2. http://Some_host/Wrong Url
So in the second case Squid will request 'http://Some_host/Wrong'.
Squid can, however, be made to replace the space (' ') with its percent-encoded form (%20);

uri_whitespace encode

You could use a redirector to correct other mistakes, such as using back- instead of forward slashes in URLs;
  1. http://Some_host/Right/Url
  2. http:\\Some_host\Wrong\Url
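As an added example, not code from this page or from Squid, here is a Python model of the five uri_whitespace modes Squid documents (strip, deny, allow, encode, chop), together with a minimal url_rewrite_program helper of the kind suggested above that turns backslashes into forward slashes. The request-line layout (URL first, then client address, ident and method) and the answer convention (the rewritten URL, or an empty line for no change) follow Squid 3.1's helper protocol without concurrency; the sample URLs are the ones listed above.

```python
import sys
import urllib.parse

WHITESPACE = " \t\r\n\f\v"


def apply_uri_whitespace(url, mode="encode"):
    """Model the five uri_whitespace modes. Returns the URL Squid would go on
    to use, or None where 'deny' would reject the request."""
    if mode == "allow":
        return url
    if mode == "deny":
        return None if any(c in WHITESPACE for c in url) else url
    if mode == "strip":
        return "".join(c for c in url if c not in WHITESPACE)
    if mode == "chop":
        for i, c in enumerate(url):
            if c in WHITESPACE:
                return url[:i]
        return url
    if mode == "encode":
        # percent-encode each whitespace character (' ' becomes %20, tab %09)
        return "".join(urllib.parse.quote(c) if c in WHITESPACE else c for c in url)
    raise ValueError("unknown uri_whitespace mode: %r" % (mode,))


def fix_backslashes(url):
    """Constructed rewrite rule: http:\\host\path becomes http://host/path."""
    return url.replace("\\", "/")


def rewrite(request_line):
    """One url_rewrite_program exchange. Squid sends one request per line,
    URL first, then client address, ident and method; the helper answers
    with the rewritten URL, or an empty line to leave the request alone.
    Assumes the non-concurrent helper format (no leading channel ID)."""
    fields = request_line.split()
    if not fields:
        return ""
    url = fields[0]
    fixed = fix_backslashes(url)
    return fixed if fixed != url else ""


def main():
    # Helper loop as Squid drives it: requests on stdin, one answer per line
    # on stdout, flushed immediately so Squid is never left waiting.
    for line in sys.stdin:
        sys.stdout.write(rewrite(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

To use it as a real helper, point url_rewrite_program at the script (a hypothetical path such as /usr/local/bin/fixslashes.py), make it executable and readable by the squid user, and keep the loop as written: Squid restarts a helper that exits, so the script should only stop when stdin closes.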

errorpage.css

This CSS file uses http://www.squid-cache.org/Artwork/SN.png in error pages. This means that, whenever Squid reports an error, this file may be requested from http://www.squid-cache.org/, possibly logging the referer. You may want to change this;
Move errorpage.css to errorpage.css.orig and copy errorpage.css.orig to errorpage.css;

mv errorpage.css errorpage.css.orig
cp errorpage.css.orig errorpage.css

Now edit errorpage.css. EG;

background: url('http://www.example.com/images/SN.png') no-repeat left;

If you want to use the original image, just download it;

wget http://www.squid-cache.org/Artwork/SN.png

Reload

Load the new config file;

/etc/init.d/squid3 reload

Client autoconfig

If you want webbrowsers to discover the proxy automatically, have a look at Web Proxy Autodiscovery Protocol and Proxy auto-config.

Proxy environment variables

Some apps read environment variables like;
http_proxy:http://some.server.dom:port/
https_proxy:http://some.server.dom:port/
ftp_proxy:http://some.server.dom:port/
gopher_proxy:http://some.server.dom:port/
news_proxy:http://some.server.dom:port/
newspost_proxy:http://some.server.dom:port/
newsreply_proxy:http://some.server.dom:port/
snews_proxy:http://some.server.dom:port/
snewspost_proxy:http://some.server.dom:port/
snewsreply_proxy:http://some.server.dom:port/
nntp_proxy:http://some.server.dom:port/
wais_proxy:http://some.server.dom:port/
finger_proxy:http://some.server.dom:port/
cso_proxy:http://some.server.dom:port/
no_proxy:domain.path1,path2
Some software insists on a trailing slash. Other software gets confused by a trailing slash. Chromium-browser wants proxy environment variables without a trailing slash.

Files where you might want to put them are;

/etc/environment
/etc/profile
Some xdg config files

Have fun with IPv6!
