{"id":169,"date":"2012-02-27T22:44:03","date_gmt":"2012-02-27T14:44:03","guid":{"rendered":"http:\/\/www.q-station.net\/kb\/?p=169"},"modified":"2012-03-02T00:22:35","modified_gmt":"2012-03-01T16:22:35","slug":"squid-cache-proxy","status":"publish","type":"post","link":"https:\/\/kb.q-station.net\/index.php\/2012\/02\/27\/squid-cache-proxy\/","title":{"rendered":"Squid cache proxy"},"content":{"rendered":"

The post will guide you to install a squid-cache server which supporting LDAP authentication and ready for virus scanning and URL filtering. Transparent proxying will be setup for internal network while external user require LDAP authentication to access the proxy.
\n
\nOS: Slackware 13.37
\nSoftware: Squid 3.1.19<\/p>\n

Installation<\/h1>\n
\r\n> .\/configure --prefix=\/usr\/local\/squid --enable-async-io=10 \\\r\n--enable-linux-netfilter --enable-auth=basic,digest \\\r\n--enable-basic-auth-helpers=LDAP,PAM \\\r\n--enable-digest-auth-helpers=ldap,password \\\r\n--enable-icap-client\r\n> make\r\n> make install\r\n<\/pre>\n
Configuration<\/h1>\n
You could take the installed \/usr\/local\/squid\/etc\/squid.conf as a basic refernce.<\/p>\n
    \n
  • adding LDAP authentication support\n
    \r\nauth_param basic program \/usr\/local\/squid\/libexec\/squid_ldap_auth -v 3 -b \"dc=xyz,dc=xxx\" -f \"uid=%s\" -D \"squidCacheManager,ou=systemObject,dc=xyz,dc=xxx\" -W <password file> 127.0.0.1\r\nauth_param basic children 5\r\nauth_param basic realm Squid proxy-caching web server\r\nauth_param basic credentialsttl 2 hours\r\nauth_param basic casesensitive off\r\n<\/pre>\n<\/li>\n
  • adding extra ACL, for all user not in the localnet will need authenticate himself to access the proxy\n
    \r\nacl validuser proxy_auth REQUIRED\r\nhttp_access allow validuser\r\n<\/pre>\n<\/li>\n
  • listen extra port, e.g. 8080 for internet user\n
    \r\nhttp_port 3128\r\nhttp_port 8080\r\n<\/pre>\n<\/li>\n
  • define a cache store\n
    \r\ncache_dir aufs \/usr\/local\/squid\/var\/cache 100 16 256\r\n<\/pre>\n<\/li>\n
    Sample LDAP configuration<\/h1>\n
    \r\ndn: cn=squidCacheManager,ou=systemObject,dc=xyz,dc=xxx\r\nobjectClass: top\r\nobjectClass: simpleSecurityObject\r\nobjectClass: organizationalRole\r\ncn: squidCacheManager\r\nuserPassword::xxyyzz\r\n\r\ndn: olcDatabase={1}bdb,cn=config\r\nolcAccess: to * \r\n   by self write\r\n   by dn=\"cn=libnssManager,ou=systemObject,dc=....\" read\r\n   by dn=\"cn=pamManager,ou=systemObject,dc=....\" read\r\n   by dn=\"cn=squidCacheManger,ou=systemObject,dc=xyz,dc=xxx\" read\r\n   by users read\r\n   by anonymous auth\r\n   by * none\r\n<\/pre>\n
    Pre-Running the proxy<\/h1>\n
      \n
    • Initialize the swap space\n
      \r\n> \/usr\/local\/squid\/sbin\/squid -z\r\n<\/pre>\n<\/li>\n<\/ul>\n
      Running the proxy<\/h1>\n
      You may place the following command in \/etc\/rc.d\/rc.local to let system start the proxy when boot up.<\/p>\n
      \r\n\/usr\/local\/squid\/sbin\/squid\r\n<\/pre>\n
      Post installation<\/p>\n
      \n
        \n
      • Create \/etc\/logrotate.d\/squid\n
        \r\n\/usr\/local\/squid\/var\/logs\/access.log {\r\n  weekly\r\n  rotate 5\r\n  copytruncate\r\n  compress\r\n  notifempty\r\n  missingok\r\n}\r\n\/usr\/local\/squid\/var\/logs\/cache.log {\r\n  weekly\r\n  rotate 5\r\n  copytruncate\r\n  compress\r\n  notifempty\r\n  missingok\r\n  postrotate\r\n  \/usr\/local\/squid\/sbin\/squid -k rotate\r\n  endscript\r\n}\r\n<\/pre>\n<\/li>\n<\/ul>\n
        Network setting<\/p>\n
        \nTBA<\/p>\n
        Maintaince<\/h1>\n
          \n
        • To invalidate an URL, you could\n
          \r\n> squidclient -r <URL>\r\n<\/pre>\n<\/li>\n<\/ul>\n