Squid cache proxy
This post guides you through installing a Squid cache server that supports LDAP authentication and is ready for virus scanning and URL filtering. Transparent proxying is set up for the internal network, while external users must authenticate against LDAP to use the proxy.
OS: Slackware 13.37
Software: Squid 3.1.19
Installation
> ./configure --prefix=/usr/local/squid --enable-async-io=10 \
    --enable-linux-netfilter --enable-auth=basic,digest \
    --enable-basic-auth-helpers=LDAP,PAM \
    --enable-digest-auth-helpers=ldap,password \
    --enable-icap-client
> make
> make install
Configuration
You can use the installed /usr/local/squid/etc/squid.conf as a basic reference.
- adding LDAP authentication support
auth_param basic program /usr/local/squid/libexec/squid_ldap_auth -v 3 -b "dc=xyz,dc=xxx" -f "uid=%s" -D "cn=squidCacheManager,ou=systemObject,dc=xyz,dc=xxx" -W <password file> 127.0.0.1
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
- adding an extra ACL so that every user not on the local network must authenticate before using the proxy
acl validuser proxy_auth REQUIRED
http_access allow validuser
- listening on an extra port, e.g. 8080, for internet users
http_port 3128
http_port 8080
- define a cache store
cache_dir aufs /usr/local/squid/var/cache 100 16 256
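The fragments above need to be ordered into one http_access policy. The following squid.conf excerpt is an added example, not taken from the original post; it assumes the internal network is 192.168.1.0/24 (placeholder) and that LAN traffic is redirected to port 3128, which is declared as an intercept port. Intercepted clients never send proxy credentials, so the localnet rule must be matched before the proxy_auth rule, and the policy must end with an explicit deny.

```conf
# Added example: http_access policy for "LAN transparent, internet authenticated".
# Assumed values: internal network 192.168.1.0/24 (placeholder).

# Ports: 3128 receives intercepted LAN traffic (needs --enable-linux-netfilter),
# 8080 is the explicit proxy port published to internet users.
http_port 3128 intercept
http_port 8080

# Who is on the inside (placeholder network)
acl localnet src 192.168.1.0/24

# Anyone else must present valid LDAP credentials
acl validuser proxy_auth REQUIRED

# Limit which destination ports the proxy will relay
acl Safe_ports port 80 443
acl SSL_ports port 443
acl CONNECT method CONNECT

# Order matters: Squid stops at the first matching http_access line.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet       # intercepted clients cannot answer a 407 challenge
http_access allow validuser      # external clients on 8080 are challenged here
http_access deny all             # everything not matched above is refused
```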
Sample LDAP configuration
dn: cn=squidCacheManager,ou=systemObject,dc=xyz,dc=xxx
objectClass: top
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: squidCacheManager
userPassword:: xxyyzz

dn: olcDatabase={1}bdb,cn=config
olcAccess: to *
  by self write
  by dn="cn=libnssManager,ou=systemObject,dc=...." read
  by dn="cn=pamManager,ou=systemObject,dc=...." read
  by dn="cn=squidCacheManager,ou=systemObject,dc=xyz,dc=xxx" read
  by users read
  by anonymous auth
  by * none
Pre-Running the proxy
- Initialize the swap space
> /usr/local/squid/sbin/squid -z
Running the proxy
You may place the following command in /etc/rc.d/rc.local so the system starts the proxy at boot.
/usr/local/squid/sbin/squid
Post installation
- Create /etc/logrotate.d/squid
/usr/local/squid/var/logs/access.log {
weekly
rotate 5
copytruncate
compress
notifempty
missingok
}
/usr/local/squid/var/logs/cache.log {
weekly
rotate 5
copytruncate
compress
notifempty
missingok
postrotate
/usr/local/squid/sbin/squid -k rotate
endscript
}
Network setting
TBA
Maintenance
- To invalidate a URL, you could run
> squidclient -r <URL>