A Squid server is a proxy server that supports the FTP, HTTP, Gopher, and HTTPS protocols. Unlike conventional proxy servers, Squid handles all requests in a single, non-blocking input/output process.
It's free software distributed under the GNU GPL license.
Squid keeps metadata, and especially the most frequently used data, in memory. It also caches DNS lookups in memory, including failed ones. DNS lookups are non-blocking.
Cached data can be arranged in hierarchies or meshes to use less bandwidth.
Squid is inspired by the Harvest project. It is compatible with IPv6 from version 3 onwards.
#-------------------------------------------------------------------------------
# Minimum configuration
#-------------------------------------------------------------------------------
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32

# Squid listening port
http_port 3128

#-------------------------------------------------------------------------------
# Security
#-------------------------------------------------------------------------------
#chroot on                        # Chroot the Squid daemon
forwarded_for off                 # Hide the client source IP
visible_hostname proxy.deimos.fr  # Mask the proxy name
httpd_suppress_version_string on  # Hide the Squid version

#-------------------------------------------------------------------------------
# ACL network definition
#-------------------------------------------------------------------------------
acl wifi_net src x.x.x.x/24       # Wifi network
acl wan_net src x.x.x.x/24        # Wan local network

#-------------------------------------------------------------------------------
# ACL Ports definition
#-------------------------------------------------------------------------------
acl SSL_ports port 443
acl Safe_ports port 80            # http
acl Safe_ports port 21            # ftp
acl Safe_ports port 443           # https
acl Safe_ports port 70            # gopher
acl Safe_ports port 210           # wais
acl Safe_ports port 1025-65535    # unregistered ports
acl CONNECT method CONNECT

#-------------------------------------------------------------------------------
# Specific ACL
#-------------------------------------------------------------------------------
# Apache mod_gzip and mod_deflate are known to be broken, so don't trust
# Apache to signal ETag correctly on such responses
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache

# We recommend you to use at least the following line
hierarchy_stoplist cgi-bin ?

#-------------------------------------------------------------------------------
# Allow/Deny access
#-------------------------------------------------------------------------------
# Minimal access
http_access allow manager localhost
http_access deny manager

# Deny requests to unknown ports
http_access deny !Safe_ports

# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost

# Custom access
http_access allow wifi_net

# And finally deny all other access to this proxy
http_access deny all

#-------------------------------------------------------------------------------
# Internet Cache Protocol
#-------------------------------------------------------------------------------
icp_access allow wifi_net
icp_access deny all

#-------------------------------------------------------------------------------
# Cache properties
#-------------------------------------------------------------------------------
cache_mgr root                    # Email contact in case the cache dies
# cache_dir ufs Directory-Name Mbytes L1 L2 [options]
cache_dir ufs /var/squid/cache 1024 16 256
maximum_object_size 10240000 KB   # Set maximum file size to be cached

# Cache expiration patterns
refresh_pattern ^ftp:             1440    20%     10080
refresh_pattern ^gopher:          1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0       0%      0
refresh_pattern .                 0       20%     4320

#-------------------------------------------------------------------------------
# Performance Tuning
#-------------------------------------------------------------------------------
pipeline_prefetch on              # Boost the performance of pipelined requests

#-------------------------------------------------------------------------------
# Logs
#-------------------------------------------------------------------------------
access_log /var/squid/logs/access.log squid
cache_log /var/squid/logs/cache.log
cache_store_log /var/squid/logs/store.log
coredump_dir /var/squid/cache
buffered_logs on                  # Speeds things up if there are not a lot of logs
debug_options ALL,1               # Set log level 1 -> 9
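To see how the http_access rules above are actually evaluated, here is an added example (my own Python, not code from the original page or from the Squid project): a minimal first-match evaluator over the rule list transcribed from the configuration. The ACL types are reduced to the ones the configuration uses, the constructed sample networks 192.0.2.0/24 and 198.51.100.0/24 stand in for the x.x.x.x/24 placeholders, and the default-when-nothing-matches rule follows Squid's documented behaviour (the opposite of the last line). It shows why rule order matters: a CONNECT to a port other than 443 from the Wi-Fi network is refused by the "deny CONNECT !SSL_ports" line before "allow wifi_net" is ever reached, and wan_net, although defined, is never granted access because no http_access line mentions it.

```python
"""Added example, not from the original page: a first-match evaluator for the
http_access rules of the squid.conf shown above.

Assumptions (mine, not the page's): only the ACL types used in that
configuration are implemented, and the x.x.x.x/24 placeholders are replaced
with constructed documentation networks."""
import ipaddress

# ACL definitions transcribed from the configuration above.
ACLS = {
    "all":          ("src", ["0.0.0.0/0"]),
    "localhost":    ("src", ["127.0.0.1/32"]),
    "to_localhost": ("dst", ["127.0.0.0/8", "0.0.0.0/32"]),
    "wifi_net":     ("src", ["192.0.2.0/24"]),       # constructed sample network
    "wan_net":      ("src", ["198.51.100.0/24"]),    # constructed sample network
    "SSL_ports":    ("port", [(443, 443)]),
    "Safe_ports":   ("port", [(80, 80), (21, 21), (443, 443), (70, 70),
                              (210, 210), (1025, 65535)]),
    "CONNECT":      ("method", ["CONNECT"]),
    "manager":      ("proto", ["cache_object"]),
}

# http_access lines, in the exact order they appear in the configuration.
HTTP_ACCESS = [
    ("allow", ["manager", "localhost"]),
    ("deny",  ["manager"]),
    ("deny",  ["!Safe_ports"]),
    ("deny",  ["CONNECT", "!SSL_ports"]),
    ("deny",  ["to_localhost"]),
    ("allow", ["wifi_net"]),
    ("deny",  ["all"]),
]


def acl_matches(name, req):
    """True if the named ACL matches the request dict."""
    kind, values = ACLS[name]
    if kind in ("src", "dst"):
        addr = ipaddress.ip_address(req[kind])
        return any(addr in ipaddress.ip_network(v) for v in values)
    if kind == "port":
        return any(lo <= req["port"] <= hi for lo, hi in values)
    if kind == "method":
        return req["method"] in values
    if kind == "proto":
        return req["proto"] in values
    raise ValueError("unsupported ACL type: %s" % kind)


def term_matches(term, req):
    """A leading '!' negates the ACL, as in squid.conf."""
    if term.startswith("!"):
        return not acl_matches(term[1:], req)
    return acl_matches(term, req)


def http_access(req):
    """Return (action, rule_index) for the first line whose terms all match.

    Terms on one http_access line are ANDed; lines are checked top to bottom.
    If no line matches, Squid applies the opposite of the last line's action."""
    for i, (action, terms) in enumerate(HTTP_ACCESS):
        if all(term_matches(t, req) for t in terms):
            return action, i
    return ("allow" if HTTP_ACCESS[-1][0] == "deny" else "deny"), None


def request(src, dst="203.0.113.10", port=80, method="GET", proto="http"):
    """Build a request dict; the defaults are a plain GET to a constructed web host."""
    return {"src": src, "dst": dst, "port": port, "method": method, "proto": proto}


if __name__ == "__main__":
    samples = [
        ("wifi GET :80",              request("192.0.2.5")),
        ("wifi CONNECT :443",         request("192.0.2.5", port=443, method="CONNECT")),
        ("wifi CONNECT :8080",        request("192.0.2.5", port=8080, method="CONNECT")),
        ("wifi GET :22",              request("192.0.2.5", port=22)),
        ("wan GET :80",               request("198.51.100.7")),
        ("localhost cache_object",    request("127.0.0.1", proto="cache_object")),
        ("wifi cache_object",         request("192.0.2.5", proto="cache_object")),
        ("wifi GET to 127.0.0.1",     request("192.0.2.5", dst="127.0.0.1")),
    ]
    for label, req in samples:
        action, idx = http_access(req)
        print("%-26s -> %-5s (matched http_access line %s)" % (label, action, idx))
```

The evaluator deliberately reports which line matched: when auditing a Squid ACL set, knowing that a request was allowed by the broad "allow wifi_net" line rather than by a narrower rule is usually the interesting fact.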
Example 2
For configuration, I won't go into details, but here's an overview of a working configuration that is quite restrictive:
You should restrict the CONNECT method as much as possible and allow only the GET method. CONNECT is normally used for port 443 (HTTPS) and is potentially dangerous because it opens an arbitrary TCP tunnel through the proxy. To exploit a tunnel, here's how:
WARNING! Your cache is running out of filedescriptors
This happens when Squid hits the maximum number of open files allowed by ulimit. It manifests as major slowdowns when browsing the Internet through the proxy. To solve this problem, simply increase the file descriptor limit (the default is 1024):
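The following is an added example (my own Python, not from the original page or from Squid) of the check I would run before and after raising the limit. It assumes the Squid max_filedescriptors directive (present in Squid 3.x), that Squid cannot use more descriptors than the process hard limit, and the "Max open files" line layout of /proc/<pid>/limits on Linux; the squid.conf fragment, limits text and cache.log lines it works on are constructed samples.

```python
"""Added example, not from the original page: does Squid actually get the file
descriptors it is configured for?

Assumptions (mine): Squid's max_filedescriptors directive, the rule that Squid
never exceeds the process hard limit, and the /proc/<pid>/limits layout below."""
import re

# Constructed sample of /proc/<squid-pid>/limits (Linux layout).
SAMPLE_LIMITS = """Limit                     Soft Limit           Hard Limit           Units
Max open files            1024                 4096                 files
Max locked memory         65536                65536                bytes
"""

# Constructed squid.conf fragment asking for more than the hard limit allows.
SAMPLE_CONF = """http_port 3128
max_filedescriptors 8192   # asked for more than the hard limit above
"""

# Constructed cache.log excerpt containing the warning discussed on this page.
SAMPLE_LOG = """2024/01/01 10:00:00| WARNING! Your cache is running out of filedescriptors
2024/01/01 10:00:05| storeDirWriteCleanLogs: Starting...
"""


def parse_proc_limits(text):
    """Return (soft, hard) from the 'Max open files' line; None means unlimited."""
    for line in text.splitlines():
        if line.startswith("Max open files"):
            fields = line.split()  # ['Max','open','files', soft, hard, 'files']
            to_int = lambda v: None if v == "unlimited" else int(v)
            return to_int(fields[3]), to_int(fields[4])
    raise ValueError("no 'Max open files' line found")


def parse_max_filedescriptors(conf_text):
    """Return the configured max_filedescriptors value, or None if unset."""
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        m = re.match(r"max_filedescriptors\s+(\d+)$", line)
        if m:
            return int(m.group(1))
    return None


def fd_warnings(cache_log_text):
    """cache.log lines carrying the 'running out of filedescriptors' warning."""
    return [l for l in cache_log_text.splitlines()
            if "running out of filedescriptors" in l]


def fd_report(conf_text, limits_text, wanted=4096):
    """Compare what squid.conf asks for with what the kernel limits allow.

    effective = min(configured or soft limit, hard limit): raising
    max_filedescriptors alone does nothing once the hard limit is the ceiling;
    the ulimit (limits.conf, systemd LimitNOFILE, init script) must go up too."""
    soft, hard = parse_proc_limits(limits_text)
    configured = parse_max_filedescriptors(conf_text)
    effective = configured if configured is not None else soft
    if hard is not None and effective is not None:
        effective = min(effective, hard)
    return {
        "soft": soft,
        "hard": hard,
        "configured": configured,
        "effective": effective,
        "capped_by_hard_limit": configured is not None and hard is not None
                                and configured > hard,
        "ok": effective is None or effective >= wanted,
    }


if __name__ == "__main__":
    report = fd_report(SAMPLE_CONF, SAMPLE_LIMITS, wanted=8192)
    for key, value in report.items():
        print("%-22s %s" % (key, value))
    for line in fd_warnings(SAMPLE_LOG):
        print("cache.log:", line)
```

Run against a live proxy, replace SAMPLE_LIMITS with the contents of /proc/<squid-pid>/limits and SAMPLE_CONF with the real squid.conf; if capped_by_hard_limit is true, the fix is on the ulimit side, not in squid.conf.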