Squid 3.1 on Debian

Unlike Squid 3.0, Squid 3.1 supports IPv6!

Installation on Lenny

If you are using Lenny, the Debian backports package is at http://packages.debian.org/lenny-backports/squid3.
You also need squid3-common and squid-langpack.
Just download and install:

dpkg -i squid-langpack_20090921-2~bpo50+1_all.deb squid3-common_3.1.3-2~bpo50+1_all.deb squid3_3.1.3-2~bpo50+1_i386.deb

Replace i386 with your architecture.

You can also use pinning to keep Squid 3.1 updated.
If not already there, add the following to these files:

/etc/apt/apt.conf

APT::Default-Release "lenny";

/etc/apt/preferences

Package: *
Pin: release a=lenny-backports
Pin-Priority: -1

Package: squid3
Pin: release a=lenny-backports
Pin-Priority: 999

Package: squid3-common
Pin: release a=lenny-backports
Pin-Priority: 999

Package: squid-langpack
Pin: release a=lenny-backports
Pin-Priority: 999

This pinning setup may be a bit too strict.

/etc/apt/sources.list

deb http://www.backports.org/debian lenny-backports main contrib non-free
deb-src http://www.backports.org/debian lenny-backports main contrib non-free

You may need to add the backports key:

wget -O - http://backports.org/debian/archive.key | apt-key add -

Just update and install with your favorite tool (dselect, aptitude, etc.).

Configuration

squid.conf

cd to /etc/squid3/ and edit squid.conf:

Client ACLs

You probably don't want just anyone to access your proxy server. The default client ACL, however, is rather limited. Edit it to suit your needs, e.g.:

acl localnet src 192.168.1.0/24
acl localnet src 2001:0db8:1234::/48

Or whatever your local networks are.

You may also want to firewall the proxy port.

Allow localnet

The http_access line allowing localnet is commented out; remove the comment.

HTTP Port

The default port is 3128. You may want to change this:

http_port 8080

Put this port in /etc/services if not already there:

squid		3128/tcp			# Squid proxy

Or:

http-alt	8080/tcp	webcache	# WWW caching service
http-alt	8080/udp			# WWW caching service

Don't cache local objects

There is no need to cache servers on your LAN:

# Local servers
acl loc-serv dst 127.0.0.1 192.168.1.0/24 ::1 2001:0db8:1234::/48
# DSL modem
acl adsl dst 10.0.0.138

no_cache deny loc-serv
no_cache deny adsl

Edit to suit your needs.

Limit cache memory

You may want to limit this, e.g.:

cache_mem 32 MB

Cache size

The default cache size is rather small. You may want to increase this:

cache_dir ufs /var/spool/squid3 2048 16 256

This example sets the size to 2 GB.

Cache large objects

I want to be able to cache a kernel source:

maximum_object_size 144 MB

Log FQDN

I like to log fully qualified domain names. The LAN's nameserver is also on the LAN, so this shouldn't be a problem.

log_fqdn on

FTP User

Set to your FQDN:

ftp_user Squid@Your_Domain

Url rewrite program

If you have one, specify it here:

url_rewrite_program /Path/Rewrite_Program

Refresh pattern

You may want to change these.

The following keeps Debian fresh:

# Keep Debian fresh
refresh_pattern ^(ht|f)tp://.*debian.*/Packages\.(bz2|gz|diff/Index)$   0       0%      0
refresh_pattern ^(ht|f)tp://.*debian.*/Release(\.gpg)?$                 0       0%      0
refresh_pattern ^(ht|f)tp://.*debian.*/Sources\.(bz2|gz|diff/Index)$    0       0%      0
refresh_pattern ^(ht|f)tp://.*debian.*/Translation-en_GB\.bz2$          0       0%      0

Cache manager address

Set the right address, e.g.:

cache_mgr webmaster@Your_Domain

Host name

This defaults to localhost. Set it to the right name:

visible_hostname Your_FQDN

Or:

visible_hostname Your_Domain

Always direct

If you are part of a cache hierarchy, you don't want to ask your parent cache(s) for objects from servers on your LAN:

always_direct allow adsl
always_direct allow loc-serv

Cache manager

Disable this or set a password.

cachemgr_passwd disable all

If you set a password rather than disabling the cache manager, make sure your squid.conf isn't world readable.

Encode whitespace

The default behaviour of Squid is to truncate URLs at whitespace:
  1. http://Some_host/Right%20Url
  2. http://Some_host/Wrong Url
So in the second case Squid will request 'http://Some_host/Wrong'.
Squid can, however, be made to replace the space (' ') with the right '%Hex_Value' for a space:

uri_whitespace encode

You could use a redirector to correct other mistakes, such as backslashes used instead of forward slashes in URLs:
  1. http://Some_host/Right/Url
  2. http:\\Some_host\Wrong\Url
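
A url_rewrite_program helper that repairs the backslash URLs described above, written here as an added example (it is not code from this page or from the Squid project). It assumes the default url_rewrite_concurrency 0 (one request per line, no leading channel-ID) and that Squid passes the malformed URL to the helper unchanged; only http, https and ftp URLs are rewritten, and anything else, including a URL with no host, is passed through untouched.

```python
#!/usr/bin/env python3
"""Squid url_rewrite_program helper that repairs backslash URLs.

Squid hands the helper one request per line on stdin:
    URL client_ip/fqdn ident method [key=value ...]
and expects exactly one answer line per request: the rewritten URL,
or an empty line to leave the request untouched.  Assumes the default
url_rewrite_concurrency 0, so lines carry no leading channel-ID.
"""
import re
import sys
from urllib.parse import urlsplit

# "http:\host\path" or "http:\\host\path" (one or more backslashes after
# the colon).  Only these schemes are ever rewritten.
_BACKSLASH_URL = re.compile(r'^(https?|ftp):\\+(.*)$', re.IGNORECASE)


def rewrite(url: str) -> str:
    """Return the corrected URL, or '' when the request should pass untouched."""
    m = _BACKSLASH_URL.match(url)
    if not m:
        return ''
    scheme, rest = m.group(1).lower(), m.group(2)
    # Fix backslashes in the host and path only; the query string is kept as sent.
    hostpath, sep, query = rest.partition('?')
    fixed = scheme + '://' + hostpath.replace('\\', '/') + sep + query
    # Refuse to hand Squid a URL with no host (e.g. "http:\\" alone).
    return fixed if urlsplit(fixed).netloc else ''


def handle_line(line: str) -> str:
    """Answer one helper request line; the URL is the first space-separated field."""
    fields = line.rstrip('\r\n').split(' ', 1)
    return rewrite(fields[0]) if fields[0] else ''


def main() -> None:
    # One answer per request, flushed immediately: Squid blocks waiting for it.
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + '\n')
        sys.stdout.flush()


if __name__ == '__main__':
    main()
```

Point url_rewrite_program at the (executable) script; keep any such helper strictly line-oriented, as here, so it behaves the same however many helper children Squid starts.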

errorpage.css

This CSS file uses http://www.squid-cache.org/Artwork/SN.png in error pages. This means that whenever Squid reports an error, that image may be requested from http://www.squid-cache.org/, possibly logging the referer. You may want to change this.
Move errorpage.css to errorpage.css.orig and copy errorpage.css.orig back to errorpage.css, so you keep a pristine copy:

mv errorpage.css errorpage.css.orig
cp errorpage.css.orig errorpage.css

Now edit errorpage.css, e.g.:

background: url('http://www.example.com/images/SN.png') no-repeat left;

If you want to use the original image, just download it:

wget http://www.squid-cache.org/Artwork/SN.png

Reload

Load the new config file:

/etc/init.d/squid3 reload

Client autoconfig

If you want webbrowsers to discover the proxy automatically, have a look at Web Proxy Autodiscovery Protocol and Proxy auto-config.

Proxy environment variables

Some apps read environment variables like:

http_proxy:http://some.server.dom:port/
https_proxy:http://some.server.dom:port/
ftp_proxy:http://some.server.dom:port/
gopher_proxy:http://some.server.dom:port/
news_proxy:http://some.server.dom:port/
newspost_proxy:http://some.server.dom:port/
newsreply_proxy:http://some.server.dom:port/
snews_proxy:http://some.server.dom:port/
snewspost_proxy:http://some.server.dom:port/
snewsreply_proxy:http://some.server.dom:port/
nntp_proxy:http://some.server.dom:port/
wais_proxy:http://some.server.dom:port/
finger_proxy:http://some.server.dom:port/
cso_proxy:http://some.server.dom:port/
no_proxy:domain.path1,path2

Files where you might want to put them are:

/etc/environment
/etc/profile
Some xdg config files

Have fun with IPv6!