All Squid proxy server settings are made in the
/etc/squid/squid.conf file. To start
Squid for the first time, no changes are
necessary in this file, but external clients are initially denied
access. The proxy is available for
localhost. The default port is
3128. The preinstalled configuration file
/etc/squid/squid.conf provides detailed
information about the options and many examples. Nearly all entries begin
with # (the lines are commented) and the
relevant specifications can be found at the end of the line. The given
values almost always correlate with the default values, so removing the
comment signs without changing any of the parameters actually has little
effect in most cases. If possible, leave the sample as it is and insert
the options along with the modified parameters in the line below. This
way, the default values may easily be recovered and compared with the
|Adapting the Configuration File after an Update|
If you have updated from an earlier Squid
version, it is recommended to edit the new
This is the port on which Squid listens for
client requests. The default port is
3128, but 8080 is also common. If desired, specify several port
numbers separated by blank spaces.
Here, enter a parent proxy, for example, if you want to use the
proxy of your ISP. As
enter the name and IP address of the proxy to use and, as
proxy-port, enter the port number that is
also given by the operator of the parent for use in the browser,
0 if the ICP port of the parent is not known and its
use is irrelevant to the provider. In addition,
no-query may be
specified after the port numbers to prohibit the use of the ICP
protocol. Squid then behaves like a
normal browser as far as the provider's proxy is concerned.
This entry defines the amount of memory Squid
can use for very popular replies. The default is
This does not specify the memory usage of Squid and may be
The entry cache_dir defines the directory where all
the objects are stored on disk. The numbers at the end indicate the
maximum disk space in MB to use and the number of
directories in the first and second level. The
parameter should be left alone. The default is 100 MB
occupied disk space in the
directory and creation of 16 subdirectories inside it, each
containing 256 more subdirectories. When specifying the disk space to
use, leave sufficient reserve disk space. Values from a minimum of 50%
to a maximum of 80% of the available disk space make the most
sense here. The last two numbers for the directories should only be
increased with caution, because too many directories can also lead to
performance problems. If you have several disks that share the cache,
enter several cache_dir lines.
These three entries specify the paths where Squid logs all its actions. Normally, nothing is changed here. If Squid is experiencing a heavy usage burden, it might make sense to distribute the cache and the log files over several disks.
If this entry is set to on, you obtain readable log files. Some evaluation programs cannot interpret this, however.
With this entry, mask IP addresses of clients in the log files.
The last digit of the IP address is set to
zero if you enter
here. You may protect the privacy of your clients that way.
With this, set the password Squid should use for the anonymous FTP login. It can make sense to specify a valid e-mail address here, because some FTP servers check these for validity.
An e-mail address to which Squid sends a message if it unexpectedly crashes. The default is webmaster.
If you run squid
Squid can rotate secured log files. The files are
numbered in this process and, after reaching the specified value, the
oldest file is overwritten. The default value is
0 because archiving and deleting log files
in SUSE Linux is carried out by a cron job set in the configuration
With append_domain, specify which domain to append automatically when none is given. Usually, your own domain is entered here, so entering www in the browser accesses your own Web server.
If you set the entry to off, Squid removes the IP address and the system name of the client from HTTP requests. Otherwise it adds a line to the header like
Normally, you do not need to change these values. If you have a dial-up connection, however, the Internet may, at times, not be accessible. Squid makes a note of the failed requests then refuses to issue new ones, although the Internet connection has been reestablished. In a case such as this, change the minutes to seconds then, after clicking Reload in the browser, the dial-up process should be reengaged after a few seconds.
To prevent Squid from taking requests
directly from the Internet, use the above command to force connection to
another proxy. This must have previously been entered in
specified as the
acl_name, force all
requests to be forwarded directly to the parent.
This might be necessary, for example, if you are using a provider that
strictly stipulates the use of its proxies or denies its firewall direct
Squid provides a detailed system for controlling the access to the proxy. By implementing ACLs, it can be configured easily and comprehensively. This involves lists with rules that are processed sequentially. ACLs must be defined before they can be used. Some default ACLs, such as all and localhost, already exist. However, the mere definition of an ACL does not mean that it is actually applied. This only happens in conjunction with http_access rules.
An ACL requires at least three specifications to define it.
The name <acl_name> can be chosen
arbitrarily. For <type>, select from a
variety of different options, which can be found in the ACCESS
CONTROLS section in the
/etc/squid/squid.conf file. The specification for
<data> depends on the individual ACL type and
can also be read from a file, for example, via hostnames, IP addresses,
or URLs. The following are some simple examples:
acl mysurfers srcdomain .my-domain.com
acl teachers src 192.168.1.0/255.255.255.0
acl students src 192.168.7.0-192.168.9.0/255.255.255.0
acl lunch time MTWHF 12:00-15:00
http_access defines who is allowed to use the proxy and who can access what on the Internet. For this, ACLs must be given. localhost and all have already been defined above, which can deny or allow access via deny or allow. A list containing any number of http_access entries can be created, processed from top to bottom, and, depending on which occurs first, access is allowed or denied to the respective URL. The last entry should always be http_access deny all. In the following example, the localhost has free access to everything while all other hosts are denied access completely.
http_access allow localhost
http_access deny all
In another example using these rules, the group
teachers always has access to
the Internet. The group
students only gets access Monday to
Friday during lunch time.
http_access deny localhost
http_access allow teachers
http_access allow students lunch
http_access deny all
The list with the http_access entries should only
be entered, for the sake of readability, at the designated position in
the /etc/squid/squid.conf file. That is, between
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR
# CLIENTS
and the last
http_access deny all
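As an added illustration (not part of the original documentation), the following Python models how Squid evaluates the rules above: the acl definitions, first-match processing of http_access lines, the requirement that every ACL named on one line must match, and what happens when no line matches at all. Only the src and time ACL types used in the examples are modelled, and the squid.conf fragment is constructed from those examples; names such as parse and http_access are this example's own.

```python
import ipaddress
from datetime import datetime
# Constructed squid.conf fragment built from the ACL and http_access examples in the text.
CONF = """
acl teachers src 192.168.1.0/255.255.255.0
acl students src 192.168.7.0-192.168.9.0/255.255.255.0
acl lunch time MTWHF 12:00-15:00
http_access deny localhost
http_access allow teachers
http_access allow students lunch
http_access deny all
"""
DAY_LETTERS = "MTWHFAS"  # Squid's day codes indexed by datetime.weekday(): H=Thu, A=Sat, S=Sun

def parse(conf):
    """Collect acl definitions and http_access rules; 'all' and 'localhost' are built in."""
    acls = {"all": ("src", ["0.0.0.0/0.0.0.0"]), "localhost": ("src", ["127.0.0.0/255.0.0.0"])}
    rules = []
    for words in (line.split() for line in conf.splitlines()):
        if words[:1] == ["acl"]:
            acls[words[1]] = (words[2], words[3:])
        elif words[:1] == ["http_access"]:
            rules.append((words[1], words[2:]))
    return acls, rules

def src_matches(spec, ip):
    """Squid src syntax addr[-addr]/mask: a range covers every network between both ends."""
    addrs, _, mask = spec.partition("/")
    lo, _, hi = addrs.partition("-")
    m = int(ipaddress.IPv4Address(mask)) if mask else 0xFFFFFFFF
    masked = lambda a: int(ipaddress.IPv4Address(a)) & m
    return masked(lo) <= masked(ip) <= masked(hi or lo)

def acl_matches(acl, ip, when):
    kind, args = acl  # only the src and time ACL types from the text are modelled
    if kind == "src":
        return any(src_matches(a, ip) for a in args)
    days, span = args  # time ACL: day letters followed by an hh:mm-hh:mm range
    start, end = span.split("-")
    return DAY_LETTERS[when.weekday()] in days and start <= when.strftime("%H:%M") <= end

def http_access(conf, ip, when=None):
    """First matching line wins; a line matches only if ALL of its ACLs match. With no
    match Squid takes the opposite of the LAST line's action, hence the final deny all."""
    acls, rules = parse(conf)
    when = datetime.fromisoformat(when) if isinstance(when, str) else when or datetime.now()
    for action, names in rules:
        if all(acl_matches(acls[n], ip, when) for n in names):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"
```

The last test case below shows the pitfall the text warns about: a rule list that ends in anything other than deny all lets an unmatched client through.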
With this option, specify a redirector such as squidGuard, which allows blocking unwanted URLs. Internet access can be individually controlled for various user groups with the help of proxy authentication and the appropriate ACLs. squidGuard is a separate package that can be installed and configured.
If users must be authenticated on the proxy, set a corresponding program, such as pam_auth. When accessing pam_auth for the first time, the user sees a login window in which to enter the username and password. In addition, an ACL is still required, so only clients with a valid login can use the Internet:
acl password proxy_auth REQUIRED
http_access allow password
http_access deny all
The REQUIRED after proxy_auth can be replaced with a list of permitted usernames or with the path to such a list.
With this, have an ident request run for all ACL-defined clients to find each user's identity. If you apply all to the <acl_name>, this is valid for all clients. Also, an ident daemon must be running on all clients. For Linux, install the pidentd package for this purpose. For Microsoft Windows, free software is available for download from the Internet. To ensure that only clients with a successful ident lookup are permitted, define a corresponding ACL here:
acl identhosts ident REQUIRED
http_access allow identhosts
http_access deny all
Here, too, replace REQUIRED with a list of permitted usernames. Using ident can slow down the access time quite a bit, because ident lookups are repeated for each request.