Nazaretyan's blog: a blog about everything ...

22 Oct 2009

squid 2.6 – how to configure it fast

This post is about Squid and how to configure it really fast. I'm posting the Squid config file I use on a Core 2 Duo machine with 2 GB RAM and a 500 GB hard drive.

First of all we need to install Squid (Debian GNU/Linux):

apt-get install squid

OK, after that we need to go to /etc/squid and edit a few files there.

First of all we need to create the file flood.txt:

touch flood.txt

flood.txt is used in our configuration to deny user access to sites matched by regular expressions (one url_regex entry per line).

All your entries in flood.txt must look like ^http://*.*chesshere.com*.* , and the file can't be empty.
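Before Squid loads flood.txt it is worth checking the entries against a few URLs. The script below is an added example, not part of the original post: Squid compiles url_regex entries as POSIX extended regular expressions, which is the same syntax grep -E uses, so grep gives the same match verdict offline (the flood ACL in the post has no -i, so matching is case-sensitive here as well). The scratch file path, the patterns and the URLs are constructed for the example; the second pattern is a tighter, anchored form added for comparison with the post's loose style.

```shell
#!/bin/sh
# Added example (not from the original post): check flood.txt-style url_regex
# entries against sample URLs with grep -E, which uses the same POSIX extended
# regex syntax Squid compiles url_regex entries with.

# url_matches_pattern PATTERN URL -> exit 0 if PATTERN matches URL
url_matches_pattern() {
    printf '%s\n' "$2" | grep -E -q -e "$1"
}

# flood_file_ok FILE -> exit 0 if FILE exists and contains at least one entry.
# Squid reads the file as whitespace-separated tokens, so blank lines are
# ignored; what must not happen is a file with no entries at all.
flood_file_ok() {
    grep -q '[^[:space:]]' "$1" 2>/dev/null
}

# url_blocked_by_file FILE URL -> exit 0 if any entry in FILE matches URL.
# Entries are tested one per line; keep one pattern per line (Squid would
# split a line containing spaces into several patterns).
url_blocked_by_file() {
    while IFS= read -r pat || [ -n "$pat" ]; do
        [ -n "$pat" ] || continue
        url_matches_pattern "$pat" "$2" && return 0
    done < "$1"
    return 1
}

# Constructed flood.txt in a scratch location (assumption: not /etc/squid).
# Line 1 is the post's loose style; line 2 is an anchored form that matches
# only the host, not any URL that merely contains the string.
EXAMPLE_FLOOD="${TMPDIR:-/tmp}/flood.txt.example"
cat > "$EXAMPLE_FLOOD" <<'EOF'
^http://*.*chesshere.com*.*
^http://([^/]+\.)?example\.test(/|$)
EOF

# Demonstration: report the verdict for a few constructed URLs.
if flood_file_ok "$EXAMPLE_FLOOD"; then
    for url in 'http://www.chesshere.com/play' \
               'http://other.example/?ref=chesshere.co' \
               'http://www.debian.org/'; do
        if url_blocked_by_file "$EXAMPLE_FLOOD" "$url"; then
            echo "blocked: $url"
        else
            echo "allowed: $url"
        fi
    done
fi
```

Note the second demonstration URL: the loose pattern from the post blocks it although it only carries the string in its query, because `.*chesshere.com*.*` is unanchored in the middle. The anchored pattern shows how to tie an entry to the host part when that is what you mean.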

Now you just need to back up your config (mv squid.conf squid.conf.orig),

create a new squid.conf and paste in my configuration:

http_port 3128 transparent

icp_port 3130
htcp_port 4827
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?

cache_peer 192.168.1.240 parent 3128  0 no-query default

no_cache deny QUERY

# low/high water marks are percentages (0-100) of the cache_dir size, not MB
cache_swap_low 90
cache_swap_high 95

maximum_object_size 2048 KB

cache_replacement_policy heap LFUDA
memory_replacement_policy heap GDSF
fqdncache_size 2048
ftp_passive on

cache_dir diskd /squid 10000 11 11 Q1=72 Q2=64
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /dev/null

hosts_file /etc/hosts
#dns_nameservers  192.168.112.112
dns_nameservers   212.18.0.5
dns_nameservers  212.18.3.5

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320

peer_connect_timeout 30 seconds

acl flood url_regex  "/etc/squid/flood.txt"

http_access deny flood
http_reply_access deny flood
icp_access deny flood
miss_access deny flood

acl all src 0.0.0.0/0.0.0.0

acl adm src 192.168.240.0/24

acl fexp2 urlpath_regex -i ftp \.flv$ \.wav$ \.mp3$ \.wma$ \.vqf$ \.ogg$ \.avi$ \.mpeg$ \.mpe$ \.mpg$ \.qt$ \.ram$ \.rm$ \.raw$ \.mov$

acl users src 192.168.1.0/24
acl users src 10.0.0.0/8
acl users src 192.168.112.0/21

acl amzone dst 192.168.22.0/255.255.255.0

acl max_con maxconn 1500
never_direct deny amzone
always_direct allow amzone

http_access deny max_con all !adm

acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
# refuse unsafe destination ports and CONNECT tunnels to anything but the SSL ports;
# the Safe_ports/SSL_ports ACLs above only do something with these two rules in place
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow users
# explicit final deny, so a source outside adm/users cannot tunnel through the proxy
http_access deny all

forwarded_for off

http_reply_access allow adm
http_reply_access allow users
http_reply_access deny all

icp_access allow adm
icp_access allow users
icp_access deny all

miss_access allow adm
miss_access allow users
miss_access deny all

cache_effective_user proxy
cache_effective_group proxy

visible_hostname  Proxy

cache_mgr moushegh@nazaretyan.com

#snmp_port 3401

#never_direct deny adm
#always_direct allow adm

always_direct allow adm
never_direct deny adm

always_direct allow users
never_direct deny users

always_direct allow SSL_ports
never_direct deny SSL_ports

always_direct allow Safe_ports
never_direct deny Safe_ports

delay_pools 2
delay_class 1 1    # pool 1 is a class 1 pool (one aggregate bucket)
delay_class 2 1    # pool 2 is a class 1 pool (one aggregate bucket)

delay_access 1 allow adm
delay_access 1 deny  flood
delay_access 1 deny  fexp2
delay_access 1 allow  users
delay_access 1 deny all

delay_access 2 deny flood
delay_access 2 deny adm
delay_access 2 allow  fexp2 users
delay_access 2 deny  all
delay_parameters 1 -1/-1
delay_parameters 2 52800/52800

Now just change the parent IP address in cache_peer to the server you want, or, if you're using a direct outgoing channel, keep the never_direct/always_direct options as I have them.

Create the directory /squid, make the proxy user its owner, and run Squid for the first time with

squid -z

It will create the cache directories; after that you can just start Squid as usual with /etc/init.d/squid start :)

Feel free to post comments and ask questions if your Squid is not working as it should.

Hope this post is helpful.
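The first-run steps above (create the cache directory, hand it to the proxy user, run squid -z) as a script. This is an added example, not from the original post or the Squid project: it reads the cache_dir path and cache_effective_user out of squid.conf instead of hard-coding them, and refuses to touch the filesystem or run squid -z unless the config passes "squid -k parse" first. It assumes Squid 2.6 on Debian with the config at /etc/squid/squid.conf and the proxy user, as in the post; the config path and user can be overridden through the environment.

```shell
#!/bin/sh
# Added example (not from the original post): first-run setup for the Squid
# cache directory, driven by the values in squid.conf.
# Assumptions: Squid 2.6, config at /etc/squid/squid.conf, cache user "proxy".

SQUID_CONF="${SQUID_CONF:-/etc/squid/squid.conf}"

# cache_dir_from_conf CONF -> prints the directory of the first active
# cache_dir line ("/squid" for "cache_dir diskd /squid 10000 11 11 Q1=72 Q2=64").
# Commented lines have "#cache_dir" or "#" as their first field, so they are skipped.
cache_dir_from_conf() {
    awk '$1 == "cache_dir" { print $3; exit }' "$1"
}

# effective_user_from_conf CONF DEFAULT -> the cache_effective_user, or DEFAULT
# when the directive is absent (Squid's own default is "proxy" on Debian).
effective_user_from_conf() {
    awk -v def="$2" '
        $1 == "cache_effective_user" { print $2; found = 1; exit }
        END { if (!found) print def }' "$1"
}

# first_run CONF -> validates CONF, creates the cache dir owned by the cache
# user with no access for other users, then builds the swap directories.
first_run() {
    conf="$1"
    dir=$(cache_dir_from_conf "$conf")
    user=$(effective_user_from_conf "$conf" proxy)
    if [ -z "$dir" ]; then
        echo "no cache_dir directive in $conf" >&2
        return 1
    fi
    # A config that does not parse must not get as far as squid -z.
    squid -k parse -f "$conf" || return 1
    mkdir -p "$dir"
    chown "$user:$user" "$dir"
    chmod 750 "$dir"
    squid -z -f "$conf"
}

# Only act when explicitly asked, so sourcing the file for its functions is safe.
if [ "${1-}" = "--run" ]; then
    first_run "$SQUID_CONF"
fi
```

Run it as root with `sh first-run.sh --run` (the file name is the example's own choice); afterwards `/etc/init.d/squid start` as in the post.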

Moushegh

Comments (1)
  1. We use the same theme on our site :)

    Have you ever used Varnish as a proxy?