Package:Squid

net-proxy/squid


Source Repository:Gentoo Portage Tree

Summary:

Use Flags

ecap
Adds support for loadable content adaptation modules (http://www.e-cap.org)
esi
Enable ESI for accelerators, will cause squid reverse proxies to be capable of the Edge Acceleration Specification (www.esi.org)
htcp
Enable HTCP protocol
icap-client
Adds ICAP client support
ipf-transparent
Adds transparent proxy support for systems using IP-Filter (only for *bsd)
logrotate
Use app-admin/logrotate for rotating logs
kqueue
Enables *BSD kqueue() support
pf-transparent
Adds transparent proxy support for systems using PF (only for *bsd)
qos
Adds support for Quality of Service using netfilter conntrack - see qos_flow directive for more info
ssl-crtd
Adds support for dynamic SSL certificate generation in SslBump environments
tproxy
Enables real Transparent Proxy support for Linux Netfilter TPROXY
wccp
Enable Web Cache Coordination Protocol
wccpv2
Enable Web Cache Coordination V2 Protocol

Squid

The Squid Proxy Server

This is a quick and dirty howto about getting Squid up und running in 5min...

What benefits one may get from using an anonymous proxy server? Well, I would say many things but the most important one is that you can browse the web anonymously without exposing your IP, location etc.. out there. Anyhow, even though I usually use OpenVPN or PPTP for safe browsing and such things, having a private anonymous proxy server in your toolbox is a nice thing. Furthermore, a cache is speeding up you daily internet connection with repeating objects getting out of the cache instead of downloading it again. Advanced filtering technics (Antivirus, Content, Ad-Blocks, etc) are also possible.

Please start always by refreshing your portage tree, like:

# emerge --sync

next, we search the portage tree for Squid:

# emerge --search squid
=> net-analyzer/squid-graph
=> net-analyzer/squidsites
=> net-analyzer/squidview
=> net-proxy/squid
=> net-proxy/squidclamav
=> net-proxy/squidguard
=> sec-policy/selinux-squid

Next, we emerge squid using:

# emerge net-proxy/squid

Once it is installed, since this squid proxy setup will be using authentication to authenticate users via the ‘ncsa_auth‘ helper, we need to know the location of this helper so we can use it in our squid.confconfiguration file. To find this I’ll be using a tool named as ‘qfile‘ which is shipped in ‘app-portage/portage-utils‘.

  1. qfile ncsa_auth

net-proxy/squid (/usr/libexec/squid/ncsa_auth)

Okay, so the auth helper is located in ‘/usr/libexec/squid/ncsa_auth’ so let’s setup Squid’s configuration file (/etc/squid/squid.conf). Make sure you change ‘XXX.XX.XX.XXX’ with your actual server’s IP address and edit anything else you want to suit your needs.


# cp /etc/squid/squid.conf{,_orig} && \cat > /etc/squid/squid.conf <<EOF
auth_param basic program /usr/libexec/squid/ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm please login?
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
acl ncsa_users proxy_auth REQUIRED
http_access allow ncsa_users
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl localnet src 10.0.0.0/8     
# RFC 1918 possible internal network
acl localnet src 172.16.0.0/12  
# RFC 1918 possible internal network
acl localnet src 192.168.0.0/16 
# RFC 1918 possible internal network
acl localnet src fc00::/7       
# RFC 4193 local private network range
acl localnet src fe80::/10      
# RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 901         # SWAT
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access allow localhost
http_access deny all
http_port 2222
coredump_dir /var/cache/squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320 
icp_access allow localnet
icp_access deny all
acl ip1 myip XXX.XX.XX.XXX
tcp_outgoing_address XXX.XX.XX.XXX ip1
cache_mgr mail@maiwald.tk
cache_mem 128 MB
visible_hostname ViruSzZ
maximum_object_size 20 MB
cache_dir ufs /var/cache/squid 512 32 512

forwarded_for off
request_header_access Allow allow all
request_header_access Authorization allow all
request_header_access WWW-Authenticate allow all
request_header_access Proxy-Authorization allow all
request_header_access Proxy-Authenticate allow all
request_header_access Cache-Control allow all
request_header_access Content-Encoding allow all
request_header_access Content-Length allow all
request_header_access Content-Type allow all
request_header_access Date allow all
request_header_access Expires allow all
request_header_access Host allow all
request_header_access If-Modified-Since allow all
request_header_access Last-Modified allow all
request_header_access Location allow all
request_header_access Pragma allow all
request_header_access Accept allow all
request_header_access Accept-Charset allow all
request_header_access Accept-Encoding allow all
request_header_access Accept-Language allow all
request_header_access Content-Language allow all
request_header_access Mime-Version allow all
request_header_access Retry-After allow all
request_header_access Title allow all
request_header_access Connection allow all
request_header_access Proxy-Connection allow all
request_header_access User-Agent allow all
request_header_access Cookie allow all
request_header_access All deny all
shutdown_lifetime 3 seconds
EOF

proceed with creating the ‘/etc/squid/passwd’ file and adding your user by executing:

 # htpasswd -c /etc/squid/passwd your_user 

Note

You need to omit the ‘-c’ switch when adding another user to the file.

Next, do a # squid -z to create the cache directory. Finally, restart your squid server and check if it’s actually listening using:

# /etc/init.d/squid restart
# netstat -tunlp | grep 2222
tcp        0      0 0.0.0.0:2222            0.0.0.0:*               LISTEN      482/(squid)

If you would like Squid to start with your system, execute:

# rc-update add squid default

To test it, set your browser to use the proxy server that we just created.