Last Updated on September 30, 2010 by Dave Farquhar
I’ve talked about Squid before. Squid is a caching Web proxy, designed to improve network speed and conserve bandwidth by caching Web content locally. How much it helps you depends on how you use the Web in that particular environment, but it’s usually worthwhile, seeing as the software is either free or costs next to nothing (it comes with most Linux distributions) and it doesn’t take much hardware to run it. Don’t use your Pentium-75, but you can deploy a standard desktop PC as a Squid server and it’ll work fabulously, unless you’ve got thousands of PCs hitting it. For a thousand bucks, you can seriously reduce your traffic and chances are it’ll pay for itself fairly quickly.
And ironically, Squid integrates beautifully with Internet Explorer 5.0 and newer.
Here’s what you do. Build up a minimal Linux server. For this, I prefer TurboLinux 6.01–it’s more lightweight than the current version, and you can still get patches for it that keep it from being h4x0r h34v3n. Pick the minimum base install, then add Squid and Apache. Yes, you need Apache. We’ll talk about that in a minute. I don’t like to have anything else on a Squid box, because Squid tends to be a big memory, CPU, and disk hog. Keep your computing resources as free as possible to accomodate Squid. (For that reason it would probably be better under a 2.4 kernel using ReiserFS-formatted partitions but I didn’t have time to test that.)
Once Squid is installed, modify /etc/squid/squid.conf. You’ll find a pair of lines that read “allow localhost” and “deny all.” That allows Squid to work only for the local machine, which isn’t what we want. Assuming you’re behind a firewall (you should be, and if you’re not, I’ll help you make a really big banner that says, “Welcome, l337 h4x0r5!”), change the “deny all” line to read “allow all.”
Next, make sure Apache and Squid are running. Go to /etc/rc.d/rc3.d and make sure there are scripts present that start Apache (httpd) and Squid. If there aren’t, go to /etc/rc.d/init.d and make copies of the Apache and Squid scripts. Give them a name that starts with S and a number, e.g. S50httpd.
Next, let Squid build and configure the directories and logs it needs with the command squid -NCd1. No, I don’t know what the -NCd1 means. I found it in a forum somewhere.
Now, go to your DNS and add an entry called wpad.yourdomainname. How you do this depends on the DNS you use. Someone else handles those duties at my job, so I just had him do it. Point that to your squid server.
return “PROXY 192.168.10.50:3128”;
Substitute your Squid server’s IP address for 192.168.10.50.
What’s this do? Well, when IE is set to autodetect your Proxy settings, it goes looking for http://wpad.yourdomainname/wpad.dat, which tells it where to find the Proxy server. You could use any Web server you wanted; I just use the Squid server on the theory that if the Squid server is for whatever reason unavailable, a Web server running on the same machine is the most likely to also be unavailable, so IE won’t find it and won’t use a proxy, giving you a degree of failover.
The cool thing is, this combination of Apache and Squid works well, and can be quickly implemented with almost no work since Internet Explorer by default goes looking for a proxy and most people don’t uncheck that checkbox in the control panel.
We did this to reduce traffic on a T1 line for a short period of time (it saves us from needing to get multiple T1s) and so far we’re very impressed with the results. I recommend you try it.
David Farquhar is a computer security professional, entrepreneur, and author. He started his career as a part-time computer technician in 1994, worked his way up to system administrator by 1997, and has specialized in vulnerability management since 2013. He invests in real estate on the side and his hobbies include O gauge trains, baseball cards, and retro computers and video games. A University of Missouri graduate, he holds CISSP and Security+ certifications. He lives in St. Louis with his family.
4 thoughts on “Building a Squid server”
Wonderful article that explains how to set up wpad with squid and apache. I spent two hours looking for a complete how to. Thanks
Could modify the wpad.datas follows:
function FindProxyForURL(url, host)
if (dnsDomainIs( host,"accurate.co.uk"))
return "PROXY proxy:8080";
We use this to enable users to go direct to internal domain(accurate.co.uk )
Also because this then bypasses the squid, non standard ports can be used with out squid giving grief about not allowing access.
I need a tutorial of making a Squid-box based on Freesco, please. Thanks.
Packages are at http://www.cinas.mine.nu/freesco/ .
As far as I can tell, download Freesco 0.27 and download the squid.sh and squid.tgz packages, then execute squid.sh from within Freesco. Then re-write your configuration to disk so the change stays permanent. (I don’t remember how you do that–sorry. It’s been at least a year since I did much with Freesco.)
Unfortunately, I can’t test any of this without replacing my router with an experimental Freesco box, which means an outage, which I’m not willing to do (I’ve got enough outages as it is anyway). But if you’re fairly familiar with Linux, that’ll give you enough to get going.
Comments are closed.