
Setting up Squid for beginners. How to configure a Squid proxy server

Squid is a solution widely used by programmers, system administrators and computer networking enthusiasts to build and manage an efficient proxy server. The program is especially attractive because it is cross-platform: it can be installed and run on Linux and other Unix-like operating systems as well as on Windows. The capabilities of this tool are outstanding. How can they be used, and does the configuration of the program differ from one OS to another?

Introduction to Squid

What is Squid? Under this name is known a very capable proxy server, used most often with web clients. With it, you can organize simultaneous Internet access for several users. Another notable property of Squid is that it caches the responses to requests. This speeds up the delivery of files, because they do not need to be downloaded from the Internet again. The Squid proxy server can also regulate the use of the Internet channel according to the actual load.

Squid was designed for Unix platforms. However, there are versions of Squid for Windows and many other popular operating systems. This program, like many operating systems based on the Unix concept, is free. It supports HTTP, FTP and SSL, and allows flexible control over access to resources. Squid also caches DNS lookups. It can be set up as a transparent proxy, that is, a mode of operation in which the user does not know that requests to the network pass through it rather than going out directly. Thus, Squid is a powerful tool in the hands of a system administrator or a communications service provider.

Practical utility of Squid

When is Squid most useful? For example, when several computers need to be joined into a network and given access to the Internet. The advantage of a proxy server in this case is that requests between it and the browser of a particular PC are answered faster than when the user interacts with the Internet directly. Also, when Squid's cache is used, the cache in the browser itself can be disabled altogether. This feature is very popular among users.

Composition of Squid

The solution in question consists of several components; in fact, it is a software package. Its structure includes the application that launches the server, as well as an additional program for working with DNS. An interesting feature of the latter is that it starts several processes, each of which functions independently of the others. This allows the server's DNS lookups to be optimized.

Program installation

Installing Squid usually does not cause any difficulties. On Linux it is very easy: on Debian-based distributions just type $ sudo apt-get install squid.

As for Squid for Windows, everything is a little more complicated. The point is that this program has no executables, the main elements of applications for the OS from Microsoft.

Nevertheless, installing Squid on Windows is a task that can be solved quickly. On the site squid-cache.org, or on resources related to it, find a distribution package containing .bat files, which are somewhat similar to traditional Windows executables. Copy them to a separate folder on the disk. Then register and run Squid as a system service. After that, the program can be used as a proxy from the PC's browser. The Squid installation is now complete.

The proxy server distribution almost always contains a configuration file with the .conf extension. It is the main tool for setting up Internet access for the user's computer and the other devices on the local network once Squid is activated.

Nuances of customization

What nuances does setting up Squid involve? On Windows, work with the proxy server is carried out by editing the configuration files.

In the case of Linux, the command line can be used for some procedures. But in general, on this operating system, just as on Windows, squid.conf is the file most often used. It contains directives (we will call them "commands") according to which the server manages connections to the network.

Let us therefore consider how to configure Squid in more detail. The first step is to allow network users to access the server. To do this, set the appropriate values for http_port and http_access in squid.conf. It is also useful to create an access control list, or ACL. The http_port setting matters to us because our task is to prepare Squid to serve only a specific group of computers. In turn, http_access matters because it lets us regulate access to specific web resources requested from certain addresses (other criteria are also possible: protocols, ports and other properties contained in ACLs).

How to set the necessary settings? It is very easy to do this.

Let's say we have created a computer network with addresses from 192.168.0.1 to 192.168.0.254. In this case, define an ACL with src 192.168.0.0/24. If the port needs to be configured, add to the configuration file the line http_port 192.168.0.1 (substitute the correct IP address) followed by the port number.

In order to restrict access to the proxy created by Squid to the computers of the local network, http_access must be changed. This is done simply, with the expressions ("commands", as we have agreed to call them, although strictly speaking they are directives in the configuration text rather than commands typed in a terminal) http_access allow LocalNet and http_access deny all. It is very important to place the first line above the second, since Squid evaluates http_access lines in order and applies the first one that matches.
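The access section described above, written out as a squid.conf fragment. This is an added example, not configuration from the original article; port 3128 (Squid's default) and the listening address are assumptions.

```squid
# Added example: minimal access section for the 192.168.0.0/24 network.
# Listen on the LAN-facing address only; 3128 is Squid's default port.
http_port 192.168.0.1:3128

# Clients allowed to use the proxy
acl LocalNet src 192.168.0.0/24

# http_access lines are evaluated top to bottom and the first match wins,
# so the allow must come before the catch-all deny.
http_access allow LocalNet
http_access deny all

# WRONG order, shown for comparison: "deny all" matches every request
# first, so LocalNet would never get access.
# http_access deny all
# http_access allow LocalNet
```

Recent Squid versions predefine the `all` ACL; on older releases it must be declared first with `acl all src all`.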

Working with ACL: prohibiting access to sites

Squid's access settings are, in fact, very flexible. Let's look at some examples of useful practices for managing a local network.

The src element is quite useful. With it, you can match the IP address of the computer that sent the request to the proxy server. By combining src with http_access you can, for example, allow network access for a specific user and prohibit it for everyone else. This is done very simply.

Write acl (the name of the user group) src (the range of IP addresses to be controlled). On the line below, write acl (the name of the specific computer) src (the IP address of that PC). After that we work with http_access. We grant network access to the group of users and to the separate PC using http_access allow lines. The line below, http_access deny all, closes access for the rest of the computers on the network.

Setting up the Squid proxy also involves another useful element of the access control system, dst. It matches the IP address of the server that the proxy user wants to connect to.

With this element we can, for example, restrict access to a particular subnet. To do this, use acl (network designation) dst (the IP address of the subnet), and on the line below http_access deny (the name of the particular computer on the network) (network designation).

Another useful element is dstdomain. It matches the domain to which the user wants to connect. With it we can restrict a particular user's access, for example, to external Internet resources. To do this, use acl (site group) dstdomain (site addresses), and on the line below http_access deny (computer name on the network) (site group).

There are other noteworthy elements in the access control system. Among them is dstdom_regex, a regular expression matched against the destination domain. With it you can restrict users' access to Internet domains containing a specific word, for example mail (if the task is to prohibit employees from accessing third-party mail servers). To do this, use acl SitesRegexMail dstdom_regex mail, then acl SitesRegexComNet dstdom_regex \.com$ (meaning that the rule applies to domains of the corresponding type). The line below is http_access deny, followed by the computers whose access to external mail servers is undesirable and the ACL names.

In some expressions, the -i switch can be used to make the match case-insensitive. Using it together with an element such as url_regex, which matches a pattern against the whole web address, we can deny access to files with a given extension.

For example, with acl NoSwfFromMail url_regex -i mail.*\.swf$ we control access to Flash movies located on mail sites. If the domain name does not need to be part of the access rule, the urlpath_regex expression, which matches only the path part of the URL, can be used instead, for example acl media urlpath_regex -i \.wma$ \.mp3$.
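The src, dst, dstdomain, dstdom_regex, url_regex and urlpath_regex elements from the preceding sections combined into one squid.conf fragment. This is an added example, not configuration from the original article; the host 192.168.0.10, the subnet 10.20.0.0/16 and the example.com domains are assumptions.

```squid
# Added example: destination-based ACLs. Names, hosts and domains assumed.
acl LocalNet src 192.168.0.0/24
acl pc10 src 192.168.0.10

# dst: destination IP address or subnet
acl PrivateServers dst 10.20.0.0/16
# dstdomain: a leading dot also matches every subdomain
acl SocialSites dstdomain .example.com .example.net
# dstdom_regex: domain contains "mail", or ends in .com
acl SitesRegexMail dstdom_regex -i mail
acl SitesRegexComNet dstdom_regex \.com$
# url_regex: whole URL; -i makes the match case-insensitive
acl NoSwfFromMail url_regex -i mail.*\.swf$
# urlpath_regex: path part only, the domain is ignored
acl media urlpath_regex -i \.wma$ \.mp3$

# ACLs on one http_access line are ANDed; lines are checked top to bottom.
http_access deny pc10 PrivateServers
http_access deny LocalNet SocialSites
http_access deny LocalNet SitesRegexMail
http_access deny LocalNet NoSwfFromMail
http_access deny LocalNet media
http_access allow LocalNet
http_access deny all
```

Note that `dstdom_regex -i mail` also matches unrelated hosts such as gmail.example; anchor the pattern or prefer dstdomain when an exact list of domains is known.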

Prohibition of access to programs

Setting up Squid allows you to deny users access to certain programs when they use the proxy server. For this purpose, acl (program name) port (port range) can be used, with http_access deny all (program name) on the line below.

Enabling Standards and Protocols

Setting up Squid also allows the system administrator to control which protocols may be used over the Internet channel. For example, if access via the FTP protocol from a particular PC needs to be regulated, the following can be used: acl ftpproto proto ftp, and on the line below http_access deny (computer name) ftpproto.

Using the method element, we can specify how the HTTP request is to be executed. The two main methods are GET and POST, and in some cases only the first should be permitted and not the second, or vice versa. For example, a particular employee may not be supposed to use mail through mail.ru, while the employer does not object to the person reading news on the same site. For this, the system administrator can use: acl sitemailru dstdomain .mail.ru, on the line below acl methodpost method POST, and then http_access deny (computer name) methodpost sitemailru.
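The port, proto and method elements from the last three sections in one squid.conf fragment. This is an added example, not configuration from the original article; the ACL names, the host 192.168.0.10 and the port 5190 used for the blocked program are assumptions.

```squid
# Added example: port, protocol and method ACLs. Names and IPs assumed.
acl LocalNet src 192.168.0.0/24
acl pc10 src 192.168.0.10

# A program identified by the destination port of its requests
# (5190 is used here as an assumed example port)
acl icq port 5190
http_access deny LocalNet icq

# Protocol ACL: FTP URLs fetched through the proxy by pc10
acl ftpproto proto FTP
http_access deny pc10 ftpproto

# Method ACL: pc10 may read mail.ru (GET) but not submit forms (POST).
# All three ACLs on the deny line must match for it to apply.
acl sitemailru dstdomain .mail.ru
acl methodpost method POST
http_access deny pc10 methodpost sitemailru

http_access allow LocalNet
http_access deny all
```

A port ACL only sees the port in the requested URL; a program that tunnels through CONNECT on port 443 is not caught by it, which is why the SSL_ports rule covered later is also needed.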

These are the nuances involved in setting up Squid. Whether Ubuntu, Windows or another OS compatible with the proxy server is used, the features of setting the necessary parameters considered here are typical for any Squid environment. Working with this software is an exciting process and at the same time a simple one, thanks to the logic and transparency of its main configuration mechanisms.

Note some key points that are specific to setting up Squid.

What should I pay attention to when setting up?

If there are difficulties in finding the squid.conf file, the main tool for configuring the server, check the /etc/squid directory.

It is best to work with this file in the simplest text editor: no formatting is needed in the lines that configure the proxy server.

In some cases the provider's proxy server must be specified so that Squid forwards requests through it. The cache_peer command exists for this. It is entered as cache_peer (the address of the provider's proxy server).

In some cases it is useful to fix the amount of RAM that Squid will use. This is done with the cache_mem command. It is also useful to specify the directory in which cached data will be stored, using the cache_dir expression. In the first case the whole command looks like cache_mem (the amount of RAM), in the second like cache_dir (the directory path, the number of megabytes of disk space). If there is a choice, it is desirable to place the cache on the fastest disks.

You may need to specify the computers that have access to the proxy server. This is done with acl allowed_hosts src (the IP address range of the computers) and acl localhost src (the local address).

If SSL ports are used in connections, they can also be restricted with acl SSL_ports port (the port numbers). At the same time, you can disallow the CONNECT method for all ports except those listed as SSL ports, using http_access deny CONNECT !SSL_ports.
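The cache_peer, cache_mem, cache_dir, allowed-hosts and SSL_ports settings from the points above as one squid.conf fragment. This is an added example, not configuration from the original article; the peer hostname proxy.isp.example, the ports, the cache sizes and the cache path are assumptions.

```squid
# Added example: upstream peer, cache sizing and CONNECT restriction.
# cache_peer <host> <type> <http-port> <icp-port> [options]:
# no-query disables ICP probing, default makes this the fallback peer.
cache_peer proxy.isp.example parent 8080 0 no-query default

# RAM for hot objects (a size with a unit) and the on-disk cache:
# storage type, directory, size in MB, first- and second-level subdirs.
cache_mem 256 MB
cache_dir ufs /var/spool/squid 4096 16 256

# Hosts allowed to use the proxy (Squid 3.2 and newer predefine
# localhost; the line is shown for older releases)
acl allowed_hosts src 192.168.0.0/24
acl localhost src 127.0.0.1/32

# CONNECT tunnels are permitted only to HTTPS; "!" negates the ACL, so
# this denies CONNECT to every port that is NOT in SSL_ports.
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow allowed_hosts
http_access deny all
```

The CONNECT deny must sit above the allow lines: once `allow allowed_hosts` matches, later lines are never evaluated.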

Squid and pfSense

In some cases the proxy server in question is used together with pfSense, which serves as an effective firewall. How can their joint operation be organized? The algorithm is not too complicated.

First we need to work in the pfSense interface. The Squid we have already configured will need to be installed using SSH commands; this is one of the most convenient and safe ways to work with proxy servers. To do this, activate Enable Secure Shell in the interface: select the System menu item, then Advanced, then Admin Access.

After that, download PuTTY, a handy application for working with SSH. Next, install Squid from the console; this is easily done with the command pkg install squid. After this, the proxy must also be installed through the pfSense web interface. Squid (its parameters do not need to be configured at this stage) can be installed by selecting the System menu item, then Packages, then Available Packages. The Squid Stable package should be available in the corresponding window. We choose it. The following settings must be set: Proxy Interface: LAN. The Transparent Proxy line can be ticked. Select the location for the log and mark Russian as the preferred language. Click Save.

Resource Optimization Tool

Setting up Squid allows system administrators to allocate server resources efficiently. In this case it is not a matter of prohibiting access to any site; rather, the intensity with which a user or a group of users loads the channel may need to be controlled. Squid solves this problem in several ways. First, through caching: repeated downloading of files from the Internet is not required, so the traffic load decreases. Second, by restricting network access by time. Third, by setting limits on the speed of data exchange for certain users or for specific types of downloaded files. Let's consider these mechanisms in more detail.

Optimizing network resources through caching

Network traffic contains many types of files that are used unchanged. That is, once a file has been downloaded to a computer, the user has no need to repeat the operation. Squid allows you to configure a flexible mechanism by which the server recognizes such files.

A rather useful option of the proxy server under study is checking the age of a file in the cache. Objects that have been in the cache too long should be refreshed. This is controlled with the refresh_pattern command. The whole expression can look like refresh_pattern (the minimum age in minutes, the percentage of the object's age during which it is considered fresh, the maximum age). Accordingly, if a file has been in the cache longer than the established criteria allow, a new version of it may need to be downloaded.
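A refresh_pattern block of the kind described above. This is an added example, not configuration from the original article; the file extensions and lifetimes are assumptions, while the last four lines are Squid's own stock defaults.

```squid
# Added example: cache freshness rules.
# refresh_pattern [-i] <regex> <min minutes> <percent> <max minutes> [opts]
# An object without an explicit expiry is fresh for at least <min>
# minutes, for at most <max> minutes, and in between for <percent> of
# its age (time since its Last-Modified header). Patterns are checked
# top to bottom and the first match wins, so specific rules go first.

# Static web assets: fresh for at least a day, at most 30 days (43200 min)
refresh_pattern -i \.(gif|png|jpe?g|ico|css|js|swf)$ 1440 90% 43200
# Archives and media files that are practically never rewritten in place
refresh_pattern -i \.(zip|gz|bz2|iso|mp3|wma|avi|mp4)$ 1440 90% 43200

# Squid's stock defaults, kept last as the catch-all
refresh_pattern ^ftp:             1440  20%   10080
refresh_pattern ^gopher:          1440   0%    1440
refresh_pattern -i (/cgi-bin/|\?)    0   0%       0
refresh_pattern .                    0  20%    4320
```

These rules apply only to responses without Expires or Cache-Control freshness information; overriding explicit headers requires options such as override-expire, which also risks serving stale content.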

Optimizing resources through time-based access restrictions

Another option available thanks to the capabilities of Squid is restricting users' access to network resources by time. It is set with a very simple command: acl (computer name) time (day, hours and minutes). Access can be restricted for any day of the week by substituting for "day" the letter Squid assigns to it, based on the first letter of its English name: for example M for Monday and T for Tuesday. If the command has no "day" part, the restriction applies to the whole week. Interestingly, it is also possible to regulate the schedule on which users may access the network with particular programs.

Optimizing resources by limiting the speed

A fairly common option is optimizing resources by adjusting the permissible speed of data exchange within the network. The proxy server we are studying is a very convenient tool for this. The speed of data exchange is regulated by the parameters delay_pools, delay_class, delay_parameters and delay_access. All four are important for solving the problems system administrators face in optimizing local network resources.
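The time ACL from the previous section and the four delay-pool directives, combined so that bandwidth is limited only during working hours. This is an added example, not configuration from the original article; the hours, rates, ACL names and host 192.168.0.10 are assumptions, and delay pools require a Squid build with delay-pool support (enabled in most distribution packages).

```squid
# Added example: time-based access and bandwidth limiting.
# Squid day codes: S M T W H F A (Thursday is H and Saturday is A,
# because T and S are already taken). Omitting the days means every day.
acl LocalNet src 192.168.0.0/24
acl pc10 src 192.168.0.10
acl WorkHours time MTWHF 09:00-18:00

# pc10 is blocked during working hours only
http_access deny pc10 WorkHours
http_access allow LocalNet
http_access deny all

# One pool of class 2: an aggregate bucket for the whole network plus
# one bucket per client IP. Each value is restore_rate/max_size in
# bytes; -1/-1 would mean unlimited.
delay_pools 1
delay_class 1 2
# whole LAN about 1 MB/s; each host 64 KB/s with a 256 KB burst
delay_parameters 1 1000000/1000000 64000/256000
# throttle only during working hours; outside them the pool is not used
delay_access 1 allow LocalNet WorkHours
delay_access 1 deny all
```

delay_class must precede delay_parameters for the same pool number, and delay_access, like http_access, stops at the first matching line.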
