A Squid server is a proxy server that supports the FTP, HTTP, Gopher and HTTPS protocols. Unlike conventional proxy servers, a Squid server handles all requests in a single, non-blocking input/output process.
It is free software distributed under the GNU GPL license.
Squid keeps metadata, and above all the most frequently used data, in memory. It also caches DNS lookups in memory, including failed lookups; DNS lookups are non-blocking.
Squid caches can be arranged in hierarchies or meshes to save bandwidth.
Squid is inspired by the Harvest project. It supports IPv6 from version 3 onwards.
#-------------------------------------------------------------------------------
# Minimum configuration
#-------------------------------------------------------------------------------
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
# Squid listening port
http_port 3128
#-------------------------------------------------------------------------------
# Security
#-------------------------------------------------------------------------------
#chroot on # Chroot Squid daemon
forwarded_for off # Hide source IP
visible_hostname proxy.deimos.fr # Mask proxy name
httpd_suppress_version_string on # Hide squid version
#-------------------------------------------------------------------------------
# ACL network definition
#-------------------------------------------------------------------------------
acl wifi_net src x.x.x.x/24 # Wifi network
acl wan_net src x.x.x.x/24 # Wan local network
#-------------------------------------------------------------------------------
# ACL Ports definition
#-------------------------------------------------------------------------------
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl CONNECT method CONNECT
#-------------------------------------------------------------------------------
# Specific ACL
#-------------------------------------------------------------------------------
# Apache mod_gzip and mod_deflate known to be broken so don't trust
# Apache to signal ETag correctly on such responses
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
# We recommend you to use at least the following line
hierarchy_stoplist cgi-bin ?
#-------------------------------------------------------------------------------
# Allow/Deny access
#-------------------------------------------------------------------------------
# Minimal access
http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
# Custom access
http_access allow wifi_net
# And finally deny all other access to this proxy
http_access deny all
#-------------------------------------------------------------------------------
# Internet Cache Protocol
#-------------------------------------------------------------------------------
icp_access allow wifi_net
icp_access deny all
#-------------------------------------------------------------------------------
# Cache properties
#-------------------------------------------------------------------------------
cache_mgr root # Email contact in case the cache dies
# cache_dir ufs Directory-Name Mbytes L1 L2 [options]
cache_dir ufs /var/squid/cache 1024 16 256
maximum_object_size 10240000 KB # Set maximum file size to be cached
# Cache expiration patterns
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
#-------------------------------------------------------------------------------
# Performance Tuning
#-------------------------------------------------------------------------------
pipeline_prefetch on # To boost the performance of pipelined requests
#-------------------------------------------------------------------------------
# Logs
#-------------------------------------------------------------------------------
access_log /var/squid/logs/access.log squid
cache_log /var/squid/logs/cache.log
cache_store_log /var/squid/logs/store.log
coredump_dir /var/squid/cache
buffered_logs on # Will speed up if there is not a lot of logs
debug_options ALL,1 # Set log level 1 -> 9
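The http_access section above only behaves as intended because of its order: Squid evaluates http_access lines top to bottom, a line matches only when every ACL on it matches (a leading ! negates one ACL), the first matching line decides, and if nothing matches Squid applies the opposite of the last line's action, which is why the list must end with deny all. The following script is an added example, not code from the page or from the Squid project: it re-implements that evaluation for the src, dst, port, method and proto ACL types used in the configuration above, runs a few sample requests through the page's own rules, and lints the rule order. The wifi_net placeholder x.x.x.x/24 is replaced by an assumed 192.168.1.0/24, and dst values are given as IP addresses (real Squid would resolve hostnames first).

```python
import ipaddress

# Constructed: the ACL and http_access lines of the configuration above, with the
# x.x.x.x placeholder for wifi_net replaced by an assumed 192.168.1.0/24.
SQUID_CONF = """
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl wifi_net src 192.168.1.0/24
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access allow wifi_net
http_access deny all
"""


def parse_conf(text):
    """Collect acl definitions (one name may span several lines) and http_access rules in order."""
    acls, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        words = line.split()
        if words[0] == "acl":
            name, acl_type, values = words[1], words[2], words[3:]
            acl = acls.setdefault(name, (acl_type, []))
            if acl[0] != acl_type:
                raise ValueError(f"acl {name} redefined with type {acl_type}")
            acl[1].extend(values)
        elif words[0] == "http_access":
            terms = [(t.startswith("!"), t.lstrip("!")) for t in words[2:]]
            rules.append((words[1], terms))
    return acls, rules


def acl_matches(acl, request):
    """Does one ACL match a request described as {src, dst, port, method, proto}?"""
    acl_type, values = acl
    if acl_type in ("src", "dst"):
        addr = ipaddress.ip_address(request[acl_type])
        return any(v == "all" or addr in ipaddress.ip_network(v, strict=False) for v in values)
    if acl_type == "port":
        for v in values:  # single port or lo-hi range
            lo, _, hi = v.partition("-")
            if int(lo) <= request["port"] <= int(hi or lo):
                return True
        return False
    if acl_type == "method":
        return request["method"] in values
    if acl_type == "proto":
        return request["proto"] in values
    raise ValueError(f"unsupported acl type {acl_type}")


def http_access(acls, rules, request):
    """First http_access line whose ACLs all match wins; with no match, Squid
    uses the opposite of the last line's action (so 'deny all' must come last)."""
    for action, terms in rules:
        if all(acl_matches(acls[name], request) != negated for negated, name in terms):
            return action
    return "allow" if (rules and rules[-1][0] == "deny") else "deny"


def lint_rules(rules):
    """Sanity checks on rule order: trailing 'deny all' present, no unreachable rules."""
    problems = []
    if not rules or rules[-1] != ("deny", [(False, "all")]):
        problems.append("last http_access line should be 'deny all'")
    for i, (_, terms) in enumerate(rules[:-1]):
        if terms == [(False, "all")]:
            problems.append(f"rule {i + 1} matches everything; later rules are unreachable")
    return problems


def decide(src, method, port, dst="93.184.216.34", proto="http"):
    """Evaluate one request against the configuration above."""
    acls, rules = parse_conf(SQUID_CONF)
    return http_access(acls, rules, {"src": src, "dst": dst, "port": port,
                                     "method": method, "proto": proto})


if __name__ == "__main__":
    print("lint:", lint_rules(parse_conf(SQUID_CONF)[1]) or "ok")
    print("wifi GET :80     ->", decide("192.168.1.10", "GET", 80))
    print("wifi CONNECT :443->", decide("192.168.1.10", "CONNECT", 443))
    print("wifi CONNECT :8080", decide("192.168.1.10", "CONNECT", 8080))
    print("outsider GET :80 ->", decide("10.9.9.9", "GET", 80))
```

The cases worth checking when you change the rules are the negative ones: a CONNECT to a non-443 port from an allowed network, a request from an address outside wifi_net, and a request aimed at 127.0.0.0/8, all of which must still come back as deny.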
Restrict the CONNECT method as much as possible and, where you can, allow only the GET method. CONNECT is normally used for port 443 (HTTPS) and is potentially dangerous because it opens an arbitrary tunnel through the proxy. To exploit a tunnel, here’s how:
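The configuration above denies CONNECT to anything but SSL_ports, but a rule is only as good as its verification: the access.log written in the squid native format (the format the access_log line above selects) records every CONNECT with its host:port target and whether it was denied, so it is the place to confirm the policy holds. The script below is an added example, not from the page or the Squid project: it parses constructed access.log lines in that format (timestamp, elapsed ms, client, code/status, bytes, method, URL, ident, hierarchy/peer, content type), reports tunnels that were allowed to a port outside the SSL set, and counts denied CONNECT attempts per client. The addresses, sizes and the TCP_TUNNEL result code in the sample are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample access.log in Squid's native "squid" log format. The last line
# shows what a policy gap looks like: a CONNECT to 8443 that was tunnelled (status 200).
SAMPLE_LOG = """\
1700000000.101     45 192.168.1.10 TCP_MISS/200 2048 GET http://example.com/ - DIRECT/93.184.216.34 text/html
1700000000.205    310 192.168.1.10 TCP_TUNNEL/200 15230 CONNECT example.com:443 - DIRECT/93.184.216.34 -
1700000000.309      2 192.168.1.23 TCP_DENIED/403 1755 CONNECT 203.0.113.8:22 - HIER_NONE/- text/html
1700000000.310      2 192.168.1.23 TCP_DENIED/403 1755 CONNECT 203.0.113.8:25 - HIER_NONE/- text/html
1700000000.412      0 10.9.9.9 TCP_DENIED/403 1755 GET http://example.com/ - HIER_NONE/- text/html
1700000000.515    120 192.168.1.23 TCP_TUNNEL/200 8000 CONNECT 203.0.113.8:8443 - DIRECT/203.0.113.8 -
"""

# Fields of the native format, in order.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<type>\S+)$"
)


def parse_line(line):
    """Parse one native-format line into a dict, or None if it does not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    rec["elapsed"] = int(rec["elapsed"])
    return rec


def connect_target(url):
    """CONNECT requests are logged as host:port; split from the right so IPv6 literals survive."""
    host, _, port = url.rpartition(":")
    return host, int(port)


def audit_tunnels(log_text, ssl_ports=frozenset({443})):
    """Return tunnels that were allowed to a non-SSL port, and denied CONNECTs per client."""
    policy_gaps = []
    denied_connects = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "CONNECT":
            continue
        host, port = connect_target(rec["url"])
        if rec["code"].startswith("TCP_DENIED"):
            denied_connects[rec["client"]] += 1  # the deny CONNECT !SSL_ports rule doing its job
            continue
        if port not in ssl_ports:
            policy_gaps.append({"client": rec["client"], "target": f"{host}:{port}",
                                "status": rec["status"], "bytes": rec["bytes"]})
    return {"policy_gaps": policy_gaps, "denied_connects": dict(denied_connects)}


if __name__ == "__main__":
    report = audit_tunnels(SAMPLE_LOG)
    for gap in report["policy_gaps"]:
        print(f"ALLOWED non-SSL tunnel: {gap['client']} -> {gap['target']} ({gap['bytes']} bytes)")
    for client, n in report["denied_connects"].items():
        print(f"{client}: {n} CONNECT attempt(s) denied")
```

On a correctly configured proxy the policy_gaps list should stay empty; a client that accumulates many denied CONNECTs is worth a look, since those are requests the rules were written to stop.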
WARNING! Your cache is running out of filedescriptors
This happens when Squid hits the maximum number of open file descriptors allowed by ulimit. It shows up as major slowdowns for users browsing the Internet through the proxy. To solve this, increase the file descriptor limit (the default is 1024):
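Before raising the limit it helps to know two things: whether the warning is actually recurring in cache.log, and how the limit a new Squid process would inherit compares with what the load needs. The script below is an added example, not from the page or the Squid project: it scans constructed cache.log lines for the warning quoted above, reads the process's own RLIMIT_NOFILE (the value ulimit -n reports), and compares it with a rough estimate. The estimate (two sockets per concurrent client, a handful per cache_dir, plus a margin) is an assumption for illustration, not a Squid formula, and the non-warning log lines are made up filler in the same date time| message layout.

```python
import resource

FD_WARNING = "WARNING! Your cache is running out of filedescriptors"
SQUID_DEFAULT_FDS = 1024  # the default mentioned above

# Constructed cache.log excerpt: the warning text is the real one quoted above,
# the other two lines are made-up filler in the same layout.
CACHE_LOG = """\
2024/03/01 10:00:00| Accepting HTTP connections on port 3128 (constructed line)
2024/03/01 10:41:07| WARNING! Your cache is running out of filedescriptors
2024/03/01 10:41:08| WARNING! Your cache is running out of filedescriptors
2024/03/01 10:41:09| socket failure: (24) Too many open files (constructed line)
"""


def fd_warnings(log_text):
    """Timestamps of every cache.log line carrying the file-descriptor warning."""
    return [line.split("|", 1)[0] for line in log_text.splitlines() if FD_WARNING in line]


def current_fd_limit():
    """(soft, hard) RLIMIT_NOFILE of this process; a Squid started from this shell inherits it."""
    return resource.getrlimit(resource.RLIMIT_NOFILE)


def needed_fds(concurrent_clients, cache_dirs=1, margin=256):
    """Rule-of-thumb estimate (assumption, not a Squid formula): one client-side and one
    server-side socket per active client, a few descriptors per cache_dir, plus logs/DNS."""
    return 2 * concurrent_clients + 8 * cache_dirs + margin


def check_fd_limit(concurrent_clients, soft_limit=None, cache_dirs=1):
    """Compare the soft limit (current process by default) with the estimated need."""
    soft = current_fd_limit()[0] if soft_limit is None else soft_limit
    need = needed_fds(concurrent_clients, cache_dirs)
    return {"soft_limit": soft, "needed": need, "ok": soft >= need}


if __name__ == "__main__":
    hits = fd_warnings(CACHE_LOG)
    print(f"{len(hits)} warning(s) in cache.log, first at {hits[0] if hits else 'n/a'}")
    print("current limit vs 500 concurrent clients:", check_fd_limit(500))
    print("default 1024 vs 500 concurrent clients:", check_fd_limit(500, soft_limit=SQUID_DEFAULT_FDS))
```

The soft limit read here is the one Squid inherits only if it is started from the same environment; an init script or service unit usually sets its own, so check the limit of the running Squid process rather than the shell you are logged into.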