topic Re: squid server configuration in Operating System - Linux

squid server configuration

K.C. Chan — Thu, 30 Oct 2003 17:35:38 GMT

All,
I am running "squid-2.4.STABLE6-6.7.3" on redhat-7.3. Let say I wan users to go to "proxy.com", which in turns query our internal web server (abc.com) for pages and caches the web pages if necessary. Part of this is done. But when I check the access log file, I see people using our "proxy.com" to get to other websites. How do lock this down so that people can still point their url to proxy.com but not able to set their browser setting to use "proxy.com" as their proxy server? Thanks.

Re: squid server configuration

Stuart Browne — Thu, 30 Oct 2003 17:54:44 GMT

If you want them to force users to use a local proxy, then you'll need firewall rules.

Basically, redirect anything for a remote port (3128, or 8080, whatever you use for your cache) to your local cache instead.

You might also want to implement transparent proxying to make the whole suite complete.

Re: squid server configuration

Steven E. Protter — Thu, 30 Oct 2003 17:58:35 GMT

I personally stopped using proxy.

iptables can provide a stateless firewall eliminating the need to have a proxy. It has some logging features as well if thats why you use it.

SEP

Re: squid server configuration

K.C. Chan — Thu, 30 Oct 2003 20:06:38 GMT

Ok, I think I got this figured out, I used iptables on the squid server to allow outgoing traffic only to the internal webserver. This seems to work, I will check the access log later to find out if there are any footprint besides our internal web server.

FYI, I need to use squid for it's caching capabilities and reverse proxy. If any have any better suggestions or utils, please reference docs, I would like to learn more about it.

Now I need squid to cache a url or a domain, any idea? Thanks.

Re: squid server configuration

Murat SULUHAN — Fri, 31 Oct 2003 08:20:51 GMT

Hi

drop your connections from your trusted network to the internet, and try the squid redirector module

http://squirm.foote.com.au/

Best Regards
Murat

Re: squid server configuration

Jerome Henry — Fri, 31 Oct 2003 10:07:16 GMT

Hi,

If you want to cache some domains outside your company :
http://squid-docs.sourceforge.net/latest/book-full.html#AEN2075
Read this, it's about caching concepts and hierarchy.

If you want to cache your own server to sped the outside world browsing, then you need accelerator mode, which is also caching somehow :
http://squid-docs.sourceforge.net/latest/book-full.html#AEN2416

hth

J

Re: squid server configuration

K.C. Chan — Fri, 31 Oct 2003 11:44:31 GMT

Yes, I want to cache my own server to speed up access from the outside world. I have two server, one is running squid and the other is serving up my web page. Both are NATED, but the squid server can be access from outside via port 80. The outside world can get at my web server via the squid server. Besides using iptables to control traffic, how could I only allow access to my web site(e.g "abc.com) via squid? Thanks.

Re: squid server configuration

Jerome Henry — Fri, 31 Oct 2003 12:17:08 GMT

OK,
Say your we server is 10.0.0.1, your squid cache (accelerator) 10.0.0.2.
In squid.conf, you'll have :
httpd_accel_host 10.0.0.1
httpd_accel_port 80
If you use another port than port 80, replace 80 by the port used on your Web server.
Then, if you also want your proxy to act like a cache for the Internet content for the LAN, then add :
httpd_accel_with_proxy on
(if Squid just acts like an accelerator, forget about this line).

It should work...

J

Re: squid server configuration

K.C. Chan — Fri, 31 Oct 2003 13:28:21 GMT

Jerome, that's what I have done, but with this value set as well, http_port=80. All is working, but I noticed some scrupulous character is using the squid proxy to go to other website. I had shut them down via iptables. But I want to know if squid can do this, maybe block all web traffic going to all websites accept our webserver.

On another note, is there a way to check if it is caching properly and how do I make sure it is caching the right web pages? Is there a config parameter which I should be setting? Thanks.

Re: squid server configuration

Jerome Henry — Fri, 31 Oct 2003 14:39:31 GMT

Hi,

As for your last questions :

"maybe block all web traffic going to all websites accept our webserver" : yes, you can do that.
Define first an ACL, being kind of :
ACL all dst 0.0.0.0/0.0.0.0
ACL myserver dst 10.0.0.1/255.255.255.255
http_access allow myserver
http_access deny all

Thus, you allow destination to your webserver, and deny to any other machine. Of course, this example has to be modified according to your network complete config.

"with this value set as well, http_port=80" : yes, you use this to set up Squid to work on that port... 100% correct.

"is there a way to check if it is caching properly and how do I make sure it is caching the right web pages". Yes, there are many ways. One easy method is to look in your cache directory and check for the files (date, file list and so on).
You can also tail -f access.log in squid log directory, you'll have last connections, to which pages, and so on, it'll let you monitor it online. What I like to do is tail -f access.log > tty11, then Ctrl+Alt+F12 to switch at any time to the live log details...

hth

J

Re: squid server configuration

K.C. Chan — Fri, 31 Oct 2003 22:14:15 GMT

Jerome,
that ACL seems to help, I took iptables offline and so far the web traffic foot print looks great. I've checked the access.log file, I see some TCP_MISS and TCP_HIT, I take it the TCP_MISS are those pages that are not cache. How should I go about and make sure these get cache as well. What squid param should I be looking into? Thanks.