Setting Up the Squid Proxy Server - Page 2
To start Squid, you'll need to run the following commands:
The first pass creates the cache directories, and the second starts the daemon. The first command only needs to be run the first time the proxy is used.
For initial testing, you can use the squid client program:
/usr/local/squid/bin/client -h www.squid-cache.org -p 80 /
/usr/local/squid/bin/client -h moe -p 3128 http://www.squid-cache.org/
The first command gets data directly from the Squid Web page, and the second goes through the proxy server, moe. The client program also has a number of options, which can be viewed with the -? option.
You'll probably want to add a startup script to start Squid with the rest of the system daemons. The method will vary, depending on your OS and/or distribution.
To set up your client browsers to use the proxy, set the HTTP and FTP proxy to point to the Squid proxy machine, port 3128. To force clients to use the proxy, you'll need to modify your firewall/masquerading setup. Under Linux, you'll need to enable an additional feature while compiling your kernel:
IP: transparent proxy support
This transparent proxy support will allow you to define a ruleset in ipchains to redirect all external HTTP requests to the proxy server's port:
ipchains -A input -p TCP -d 127.0.0.1/32 www -j ACCEPT
ipchains -A input -p TCP -d 192.168.192.1/32 www -j ACCEPT
ipchains -A input -p TCP -d any/0 www -j REDIRECT 3128
These lines enable access to the local Web server, but redirect all other HTTP requests through the proxy. You could also add an additional rule for FTP requests. These ipchains commands should be added to the end of the rest of your firewall script, typically /etc/rc.d/rc.firewall.
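To see exactly which traffic these three rules catch, the following added example (not part of the original article) models ipchains' first-match evaluation in Python over the rules as written and runs constructed sample packets through it. It assumes `any/0` matches every destination and `www` resolves to port 80; the `parse_rule` and `verdict` helpers and the sample addresses are hypothetical.

```python
import ipaddress

# The three rules from the article, verbatim (order matters: first match wins).
RULES = """\
ipchains -A input -p TCP -d 127.0.0.1/32 www -j ACCEPT
ipchains -A input -p TCP -d 192.168.192.1/32 www -j ACCEPT
ipchains -A input -p TCP -d any/0 www -j REDIRECT 3128
"""

SERVICES = {"www": 80}  # assumption: service name resolved as in /etc/services


def parse_rule(line):
    """Parse the subset of ipchains syntax used above into a dict."""
    tok = line.split()
    dest = tok[tok.index("-d") + 1]
    port = tok[tok.index("-d") + 2]
    j = tok.index("-j")
    # Assumption: "any/0" means every destination address.
    net = "0.0.0.0/0" if dest.startswith("any/") else dest
    return {
        "proto": tok[tok.index("-p") + 1].lower(),
        "net": ipaddress.ip_network(net),
        "port": SERVICES.get(port) or int(port),
        "target": tok[j + 1],
        "to_port": int(tok[j + 2]) if len(tok) > j + 2 else None,
    }


def verdict(rules, proto, dst_ip, dst_port):
    """Return (target, redirect_port) of the first matching rule."""
    for r in rules:
        if (r["proto"] == proto and r["port"] == dst_port
                and ipaddress.ip_address(dst_ip) in r["net"]):
            return r["target"], r["to_port"]
    # Not matched here: decided by the rest of the firewall script.
    return "NO MATCH", None


rules = [parse_rule(line) for line in RULES.splitlines()]

if __name__ == "__main__":
    # Constructed sample packets: (protocol, destination IP, destination port)
    for pkt in [("tcp", "192.168.192.1", 80), ("tcp", "203.0.113.10", 80),
                ("tcp", "203.0.113.10", 8080), ("tcp", "203.0.113.10", 443)]:
        print(pkt, "->", verdict(rules, *pkt))
```

Only TCP port 80 is redirected: HTTP on other ports and HTTPS never match these rules, so whether they pass depends on the rest of the firewall script.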
By using this procedure, you don't need to configure the client browsers to use the cache. Some additional squid.conf lines are needed to go with this setup:
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
Otherwise, the redirect will send the user to a Squid error page, noting the absence of the "http://" prefix on the request. You're still blocking direct access, but not as transparently or elegantly.
The User Guide goes into much more detail on additional options and how to retrieve logging information, but this article should give you a pretty good start. Happy proxying!
Stew Benedict is a Systems Administrator for an automotive manufacturer in Cleveland, OH. He also is a freelance consultant, running AYS Enterprises, specializing in printed circuit design, MSAccess solutions for the Windows platforms, and utilizing Linux as a low cost alternative to commercial operating systems and software. He has been using and promoting Linux since about 1994. When not basking in the glow of a CRT, Stew enjoys time with his wife, daughter, and 2 dogs at his future (not too much longer!) retirement home overlooking Norris Lake in the foothills of the Smokies in Tennessee.