Simple Configuration Tips Put Squid on the Menu - Page 2

By  Carla Schroder | Jun 2, 2004

squid.conf
Rather than navigating through squid.conf, which is several thousand lines, rename it squid.conf.bak, and create a new squid.conf from scratch. The original squid.conf is well-commented, and makes a good reference. We'll create a minimal squid.conf that contains only our new directives.

If you elect to edit the original squid.conf, do not uncomment the "default" lines when you want to keep the defaults. This can cause Squid to behave oddly.

For Squid to even start, the server must have a fully qualified domain name. Add this line to squid.conf:

visible_hostname squidserver

Use whatever name you want your Squid server to have. It can be the same as the hostname or different; it doesn't matter.

The Squid User
Squid needs to run as an unprivileged user. By default, it gloms onto nobody. But it's better to create a dedicated Squid user, and not share nobody, which is overused, and a target for crackers. The usual convention is the "squid" user:

# adduser --system --disabled-password --disabled-login --no-create-home --group squid

Now add the squid user to squid.conf:

cache_effective_user squid squid

Access Controls
You really don't want your nice Squid proxy to be abused by spammers and other loathsome subhumans. Even when it's tucked away on your LAN behind a firewall, it doesn't hurt anything to use these rules. Squid checks http_access lines in order and acts on the first one that matches, so the allow rule for your LAN must come before the catch-all deny:

acl all src 0.0.0.0/0.0.0.0
acl localnet src 192.168.1.0/255.255.255.0
http_access allow localnet
http_access deny all
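
Added example, not part of the original article: a short Python check that reads squid.conf text and reports http_access lines that can never take effect, because an earlier line with the opposite action already matches every source address they name. The function names and the two sample configurations are constructed for illustration, and only src ACLs in address/netmask form are analysed.

```python
import ipaddress

def parse_conf(text):
    """Return (acls, rules): src ACL name -> networks, and http_access lines in order."""
    acls, rules = {}, []
    for line in text.splitlines():
        tok = line.split("#", 1)[0].split()
        if len(tok) >= 4 and tok[0] == "acl" and tok[2] == "src":
            try:
                nets = [ipaddress.ip_network(t, strict=False) for t in tok[3:]]
            except ValueError:
                continue  # address ranges, hostnames and file references are skipped
            acls.setdefault(tok[1], []).extend(nets)
        elif len(tok) >= 3 and tok[0] == "http_access":
            rules.append((tok[1], tok[2:]))
    return acls, rules

def covers(wide, narrow):
    """True if every network in `narrow` lies inside some network in `wide`."""
    return all(any(n.version == w.version and n.subnet_of(w) for w in wide)
               for n in narrow)

def shadowed(text):
    """Return (earlier, later) rule pairs where `later` can never take effect."""
    acls, rules = parse_conf(text)
    found = []
    for j, (act_j, names_j) in enumerate(rules):
        for act_i, names_i in rules[:j]:
            # Only an earlier rule made of a single src ACL is analysed here.
            if act_i == act_j or len(names_i) != 1 or names_i[0] not in acls:
                continue
            # ACL names on one line are ANDed, so one covered src ACL is enough.
            if any(n in acls and covers(acls[names_i[0]], acls[n]) for n in names_j):
                found.append((f"{act_i} {names_i[0]}", f"{act_j} {' '.join(names_j)}"))
                break
    return found

# Constructed sample configurations using the ACL names from this article.
ACLS = "acl all src 0.0.0.0/0.0.0.0\nacl localnet src 192.168.1.0/255.255.255.0\n"
DENY_FIRST = ACLS + "http_access deny all\nhttp_access allow localnet\n"
ALLOW_FIRST = ACLS + "http_access allow localnet\nhttp_access deny all\n"

if __name__ == "__main__":
    for name, conf in (("deny first", DENY_FIRST), ("allow first", ALLOW_FIRST)):
        print(name, "->", shadowed(conf) or "no shadowed rules")
```

With the deny line first, the check reports that the localnet allow rule is shadowed; with the allow line first, it reports nothing.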

Squid Port
The default is port 3128:

http_port 3128

If Squid is used on a firewall/gateway, with an internal-facing NIC, and an external NIC, be sure to tell Squid to listen only on the internal interface:

http_port 192.168.1.1:3128

Logging
Logging options range from minimal output to torrential output, numbered from 1-9. Trust me, it is better to start with minimal logging, then increase the verbosity only if it's needed:

debug_options ALL,1

You probably want users to have a contact email, to report problems. This address appears in error messages:

cache_mgr squid@tellmeyourtroubles.net

You can now save your changes, and run Squid's built-in configuration checker:

# squid -k parse

If it exits silently, you're in good shape. If it finds errors, it helpfully tells you where:

2004/05/31 13:07:13| parseConfigFile: line 12 unrecognized: 'squidserver'

Make a habit of running squid -k parse every time you make a change, because it will prevent many headaches.
