Simple Configuration Tips Put Squid on the Menu - Page 2

By Carla Schroder | Posted Jun 2, 2004
Page 2 of 3   |  Back to Page 1
Print ArticleEmail Article
  • Share on Facebook
  • Share on Twitter
  • Share on LinkedIn
Continued From Page 1

squid.conf
Rather than navigating through squid.conf, which is several thousand lines, rename it squid.conf.bak, and create a new squid.conf from scratch. The original squid.conf is well-commented, and makes a good reference. We'll create a minimal squid.conf that contains only our new directives.

If you elect to edit the original squid.conf, do not uncomment the "default" lines when you want to keep the defaults. This can cause Squid to behave oddly.

For Squid to even start, the server must have a fully qualified domain name. Add this line to squid.conf:

visible_hostname squidserver

Add the name you want your Squid server to have. It can be different from the hostname, or the same, it doesn't matter.

The Squid User
Squid needs to run as an unprivileged user. By default, it gloms onto nobody. But it's better to create a dedicated Squid user, and not share nobody, which is overused, and a target for crackers. The usual convention is the "squid" user:

# adduser --system --disabled-password --disabled-login --no-create-home --group squid

Now add the squid user to squid.conf:

cache_effective_user squid squid

Access Controls
You really don't want your nice Squid proxy to be abused by spammers and other loathesome subhumans. Even when it's tucked away on your LAN behind a firewall, it doesn't hurt anything to use these rules:

acl all src 0.0.0.0/0.0.0.0
acl localnet src 192.168.1.0/255.255.255.0
http_access deny all
http_access allow localnet

Squid Port
The default is port 3128:

http_port 3128

If Squid is used on a firewall/gateway, with an internal-facing NIC, and an external NIC, be sure to tell Squid to listen only on the internal interface:

http_port 192.168.1.1:3128

Logging
Logging options range from minimal output to torrential output, numbered from 1-9. Trust me, it is better to start with minimal logging, then increase the verbosity only if it's needed:

debug_options ALL,1

You probably want users to have a contact email, to report problems. This address appears in error messages:

cache_mgr squid@tellmeyourtroubles.net

You can now save your changes, and run Squid's built-in configuration checker:

# squid -k parse

If it exits silently, you're in good shape. If it finds errors, it helpfully tells you where:

2004/05/31 13:07:13| parseConfigFile: line 12 unrecognized: 'squidserver'

Make a habit of running squid -k parse every time you make a change, because it will prevent many headaches.

Continued on Page 3: Running Squid

Comment and Contribute
(Maximum characters: 1200). You have
characters left.
Get the Latest Scoop with Enterprise Networking Planet Newsletter