Simple Configuration Tips Put Squid on the Menu - Page 2
Rather than navigating through squid.conf, which is several thousand lines, rename it squid.conf.bak, and create a new squid.conf from scratch. The original squid.conf is well-commented, and makes a good reference. We'll create a minimal squid.conf that contains only our new directives.
If you elect to edit the original squid.conf, do not uncomment the "default" lines when you want to keep the defaults. This can cause Squid to behave oddly.
For Squid to even start, the server must have a fully qualified domain name. Add this line to squid.conf:
Add the name you want your Squid server to have. It can be different from the hostname, or the same, it doesn't matter.
The Squid User
Squid needs to run as an unprivileged user. By default, it gloms onto nobody. But it's better to create a dedicated Squid user, and not share nobody, which is overused, and a target for crackers. The usual convention is the "squid" user:
# adduser --system --disabled-password --disabled-login --no-create-home --group squid
Now add the squid user to squid.conf:
cache_effective_user squid squid
You really don't want your nice Squid proxy to be abused by spammers and other loathesome subhumans. Even when it's tucked away on your LAN behind a firewall, it doesn't hurt anything to use these rules:
acl all src 0.0.0.0/0.0.0.0
acl localnet src 192.168.1.0/255.255.255.0
http_access deny all
http_access allow localnet
The default is port 3128:
If Squid is used on a firewall/gateway, with an internal-facing NIC, and an external NIC, be sure to tell Squid to listen only on the internal interface:
Logging options range from minimal output to torrential output, numbered from 1-9. Trust me, it is better to start with minimal logging, then increase the verbosity only if it's needed:
You probably want users to have a contact email, to report problems. This address appears in error messages:
You can now save your changes, and run Squid's built-in configuration checker:
# squid -k parse
If it exits silently, you're in good shape. If it finds errors, it helpfully tells you where:
2004/05/31 13:07:13| parseConfigFile: line 12 unrecognized: 'squidserver'
Make a habit of running squid -k parse every time you make a change, because it will prevent many headaches.