Cryptography

Security is not a Product, it's a Process

Install Squid with Delay Pools


Installing Squid with the delay pools feature

As I mentioned before, Squid has a feature called delay pools, which allows us to control download bandwidth. Unfortunately, in most distributions, Squid is shipped without that feature.

So if you have Squid already installed, I must disappoint you — you need to uninstall it and do it once again with delay pools enabled in the way I explain below.

  1. To get maximum performance from our Squid proxy, it’s best to create a separate partition for its cache, called /cache/. Its size should be about 300 megabytes, depending on our needs. If you don’t know how to make a separate partition, you can create the /cache/ directory on the main partition, but Squid performance can suffer a bit.
  2. We add a safe ‘squid’ user:

    # useradd -d /cache/ -r -s /dev/null squid >/dev/null 2>&1

    No one can log in as squid, including root.

  3. We download the Squid sources from http://www.squid-cache.org. When I was writing this HOWTO, the latest version was Squid 2.4 STABLE 1:

    http://www.squid-cache.org/Versions/v2/2.4/squid-2.4.STABLE1-src.tar.gz

  4. We unpack everything to /var/tmp:

    # tar xzpf squid-2.4.STABLE1-src.tar.gz

  5. We compile and install Squid (the configure command is all on one line):

    # ./configure --prefix=/opt/squid --exec-prefix=/opt/squid --enable-delay-pools --enable-cache-digests --enable-poll --disable-ident-lookups --enable-truncate --enable-removal-policies

    # make all

    # make install


Configuring Squid to use the delay pools feature

  1. Configure our squid.conf file (located at /opt/squid/etc/squid.conf):
    #squid.conf
    #Every option in this file is very well documented in the original squid.conf file
    #and on http://www.visolve.com/squidman/Configuration%20Guide.html
    
    #
    #The ports our Squid will listen on
    http_port 8080
    icp_port 3130
    #cgi-bins and query URLs will not be cached
    acl QUERY urlpath_regex cgi-bin \?
    no_cache deny QUERY
    #Memory the Squid will use. Well, Squid will use far more than that.
    cache_mem 16 MB
    #250 means that Squid will use 250 megabytes of disk space;
    #the path is the /cache/ partition we created in step 1
    cache_dir ufs /cache 250 16 256
    redirect_rewrites_host_header off
    cache_replacement_policy GDSF
    acl localnet src 192.168.1.0/255.255.255.0
    acl localhost src 127.0.0.1/255.255.255.255
    acl Safe_ports port 80 443 210 119 70 21 1025-65535
    acl CONNECT method CONNECT
    acl all src 0.0.0.0/0.0.0.0
    #Squid evaluates http_access lines top to bottom and the first match wins,
    #so "allow localnet" grants LAN clients everything, including CONNECT to
    #any port; the Safe_ports and CONNECT denies below only reach clients
    #outside the LAN
    http_access allow localnet
    http_access allow localhost
    http_access deny !Safe_ports
    http_access deny CONNECT
    http_access deny all
    maximum_object_size 3000 KB
    store_avg_object_size 50 KB
    
    #all our LAN users will be seen by external servers
    #as if they all use Mozilla on Linux :)
    anonymize_headers deny User-Agent
    fake_user_agent Mozilla/5.0 (X11; U; Linux 2.4.4 i686)
    
    #To make our connection even faster, we put a line similar
    #to the one below. Don't forget to change the server to your closest!
    #Measure pings, traceroutes and so on.
    #Make sure that http and icp ports are correct
    #cache_peer w3cache.icm.edu.pl parent 8080 3130 no-digest default
    
    #This is useful when we want to use the Cache Manager
    #copy cachemgr.cgi to cgi-bin of your www server
    cache_mgr your@email
    cachemgr_passwd secret_password all
    
    #This is the name of the user our Squid will work as
    cache_effective_user squid
    cache_effective_group squid
    
    log_icp_queries off
    buffered_logs on
    
    #####DELAY POOLS
    #This is the most important part for shaping incoming traffic with Squid
    #For a detailed description see the squid.conf file or the docs at
    #http://www.squid-cache.org
    
    #We don't want to limit downloads on our local network
    acl magic_words1 url_regex -i 192.168
    
    #We want to limit downloads of these types of files
    #(this acl is all on one line)
    acl magic_words2 url_regex -i ftp .exe .mp3 .vqf .tar.gz .gz .rpm .zip .rar .avi .mpeg .mpe .mpg .qt .ram .rm .iso .raw .wav
    #We don't block .html, .gif, .jpg and similar files, because they
    #generally don't consume much bandwidth
    
    #We have two different delay pools
    delay_pools 2
    
    #First delay pool
    #We don't want to delay our local traffic
    #There are three pool classes; here we will deal only with the second
    delay_class 1 2
    
    #-1/-1 means that there are no limits
    delay_parameters 1 -1/-1 -1/-1
    
    #magic_words1: 192.168
    delay_access 1 allow magic_words1
    
    #Second delay pool
    #we want to delay downloading the files mentioned in magic_words2
    delay_class 2 2
    
    #Each pair is restore_rate/bucket_size in bytes (per second / maximum);
    #we must remember that Squid doesn't consider start/stop bits
    #6000/150000 are values for the whole network (aggregate bucket)
    #5000/150000 are values for a single IP (individual bucket)
    #after a download has used up its 150000-byte bucket,
    #it will continue at about 5000 bytes/s
    
    delay_parameters 2 6000/150000 5000/150000
    delay_access 2 allow magic_words2
    
    #EOF

    OK, when we have configured everything, we must make sure that everything under the /opt/squid and /cache directories belongs to the user ‘squid’:

    # chown -R squid:squid /opt/squid/

    # chown -R squid:squid /cache/

    or

    # chown -R squid.squid /opt/squid/

    # chown -R squid.squid /cache/

    Now everything is ready to run Squid. When we do it for the first time, we have to create its cache directories:

    # /opt/squid/usr/bin/squid -z

    We run Squid and check if everything is working. A good tool to do that is IPTraf; you can find it on http://freshmeat.net. Make sure you have set the appropriate proxy in your web browsers (192.168.1.1, port 8080 in our example):

    # /opt/squid/usr/bin/squid

    If everything is working, we add the /opt/squid/usr/bin/squid line to the end of our init scripts, usually /etc/rc.d/rc.local.

    Other helpful options in Squid may be:

    # /opt/squid/usr/bin/squid -k reconfigure (reloads the configuration after we make changes to squid.conf)

    # /opt/squid/usr/bin/squid -help (self-explanatory)

    You can also copy cachemgr.cgi to the cgi-bin directory of your WWW server.
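To see what the two pairs in delay_parameters actually do, here is an added example (my code, not part of this HOWTO): a one-second-step simulation of a class 2 pool with the page's values, 6000/150000 for the aggregate bucket and 5000/150000 per client IP. It assumes Squid's documented token-bucket behaviour (buckets start full, refill by the rate each second up to the maximum, and a client receives at most what both its own bucket and the aggregate bucket hold); the client IPs and per-second demands are constructed.

```python
"""Added example, not from the original post: simulation of a Squid class 2
delay pool with the page's 'delay_parameters 2 6000/150000 5000/150000'.
Assumes Squid's documented token buckets; client IPs/demands are constructed."""


class Bucket:
    def __init__(self, rate, size):
        self.rate, self.size = rate, size   # bytes restored per second, max bytes
        self.level = size                   # Squid starts every bucket full

    def refill(self):
        self.level = min(self.size, self.level + self.rate)

    def take(self, wanted):
        got = min(wanted, self.level)
        self.level -= got
        return got


class Class2Pool:
    """delay_class N 2: one aggregate bucket plus one bucket per client IP."""
    def __init__(self, agg_rate, agg_size, ind_rate, ind_size):
        self.aggregate = Bucket(agg_rate, agg_size)
        self.ind_params = (ind_rate, ind_size)
        self.individual = {}

    def deliver(self, ip, wanted):
        ind = self.individual.setdefault(ip, Bucket(*self.ind_params))
        allowed = min(wanted, self.aggregate.level, ind.level)
        self.aggregate.take(allowed)        # both buckets pay for the bytes
        return ind.take(allowed)

    def tick(self):                         # one second passes
        self.aggregate.refill()
        for b in self.individual.values():
            b.refill()


def simulate(pool, demands, seconds):
    """demands: {ip: bytes wanted per second}. Returns {ip: [bytes got per second]}.
    Clients are served in rotating order so none is starved by iteration order."""
    ips = list(demands)
    history = {ip: [] for ip in ips}
    for t in range(seconds):
        k = t % len(ips)
        for ip in ips[k:] + ips[:k]:
            history[ip].append(pool.deliver(ip, demands[ip]))
        pool.tick()
    return history


PAGE_POOL = (6000, 150000, 5000, 150000)   # delay_parameters 2 from the page
```

A single client that wants 100000 bytes/s gets 155000 bytes in its first two seconds (the bucket it started with plus one refill) and then settles at 5000 bytes/s, while two such clients together never exceed the 6000 bytes/s aggregate refill.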
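Because Squid evaluates http_access lines top to bottom and the first matching line decides, the order of the access rules in the squid.conf above matters. The following added example (mine, not from this HOWTO) evaluates the page's rule list against a few constructed requests and compares it with a hardened ordering that puts the deny lines first and adds the stock SSL_ports ACL, so that LAN clients can still CONNECT to 443 but not to arbitrary ports.

```python
"""Added example, not from the original post: first-match evaluator for the
page's http_access rules. The SSL_ports ACL and HARDENED_RULES are my
suggested variant; the sample requests are constructed."""
import ipaddress

ACLS = {  # the page's ACLs, plus SSL_ports used only by the hardened variant
    "localnet": ("src", ["192.168.1.0/24"]),
    "localhost": ("src", ["127.0.0.1/32"]),
    "Safe_ports": ("port", [80, 443, 210, 119, 70, 21, range(1025, 65536)]),
    "SSL_ports": ("port", [443]),
    "CONNECT": ("method", ["CONNECT"]),
    "all": ("src", ["0.0.0.0/0"]),
}
PAGE_RULES = [  # http_access lines exactly as ordered on the page
    ("allow", ["localnet"]), ("allow", ["localhost"]),
    ("deny", ["!Safe_ports"]), ("deny", ["CONNECT"]), ("deny", ["all"]),
]
HARDENED_RULES = [  # denies first, as in Squid's stock squid.conf
    ("deny", ["!Safe_ports"]), ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["localnet"]), ("allow", ["localhost"]), ("deny", ["all"]),
]


def acl_matches(name, req):
    kind, values = ACLS[name]
    if kind == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(v) for v in values)
    if kind == "port":
        return any(req["port"] in v if isinstance(v, range) else req["port"] == v
                   for v in values)
    return req["method"] in values          # kind == "method"


def evaluate(req, rules):
    """Return (action, rule_index) of the first rule whose terms all match.
    A leading '!' negates a term. If nothing matches Squid applies the
    opposite of the last rule's action (unreachable here: 'deny all' is last)."""
    for i, (action, terms) in enumerate(rules):
        if all(acl_matches(t.lstrip("!"), req) != t.startswith("!") for t in terms):
            return action, i
    return ("allow" if rules[-1][0] == "deny" else "deny"), None
```

With the page's ordering a LAN client's CONNECT to port 25 is allowed by the very first rule; with the hardened ordering it is denied while CONNECT to 443 still passes.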

January 30, 2007 - Posted by | Linux

1 Comment »

  1. Nice tutorial of yours on the squid delay pool; is this from your own trial and error? If so, good work, friend.
    Sorry, but if this is copy-pasted from another author, please cite where the source is from and who the author is.

    Comment by Admin | April 2, 2007

