From Gentoo Wiki
Jump to:navigation Jump to:search
This article is a stub. Please help out by expanding it - how to get started.

Squid is a web cache and a proxy server application used speed up web browsing.


USE flags

USE flags for net-proxy/squid Full-featured web proxy cache

caps Use Linux capabilities library to control privilege
ecap Adds support for loadable content adaptation modules (http://www.e-cap.org)
esi Enable ESI for accelerators, will cause squid reverse proxies to be capable of the Edge Acceleration Specification (www.esi.org)
gnutls Prefer net-libs/gnutls as SSL/TLS provider (ineffective with USE=-ssl)
htcp Enable HTCP protocol
kerberos Add kerberos support
ldap Add LDAP support (Lightweight Directory Access Protocol)
logrotate Use app-admin/logrotate for rotating logs
mysql Add mySQL Database support
nis Support for NIS/YP services
pam Add support for PAM (Pluggable Authentication Modules) - DANGEROUS to arbitrarily flip
perl Add optional support/bindings for the Perl language
postgres Add support for the postgresql database
qos Adds support for Quality of Service using netfilter conntrack - see qos_flow directive for more info
radius Add support for RADIUS authentication
samba Add support for SAMBA (Windows File and Printer sharing)
sasl Add support for the Simple Authentication and Security Layer
selinux !!internal use only!! Security Enhanced Linux support, this must be set by the selinux profile or breakage will occur
snmp Add support for the Simple Network Management Protocol if available
sqlite Add support for sqlite - embedded sql database
ssl Add support for SSL/TLS connections (Secure Socket Layer / Transport Layer Security)
ssl-crtd Adds support for dynamic SSL certificate generation in SslBump environments
systemd Enable use of systemd-specific libraries and features like socket activation or session tracking
test Enable dependencies and/or preparations necessary to run tests (usually controlled by FEATURES=test but can be toggled independently)
tproxy Enables real Transparent Proxy support for Linux Netfilter TPROXY
valgrind Enable annotations for accuracy. May slow down runtime slightly. Safe to use even if not currently using dev-debug/valgrind
verify-sig Verify upstream signatures on distfiles
wccp Enable Web Cache Coordination Protocol
wccpv2 Enable Web Cache Coordination V2 Protocol


Install net-proxy/squid:

root #emerge --ask net-proxy/squid

Boot services


To start squid on boot:

root #rc-update add squid default

To start squid immediately:

root #rc-service squid start

SSL configuration

Make sure the ssl USE flag has been enabled. At the time of writing, Google Chrome, Chromium, and Firefox 30+ have support for SSL proxies. Unfortunately configuring them is not as straight forward as going into the options dialog of each respective browser.

Certificate generation

Generate a self-signed SSL certificate, or use a CA to sign the certificate so it is trusted by all clients.

user $openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -nodes

Configure Squid

Edit Squid's config file located at /etc/squid/squid.conf, replacing the http_port 3128 line with:

FILE /etc/squid/squid.confModifying Squid configuration to use a SSL proxy
https_port 3128 cert=/etc/squid/cert.pem key=/etc/squid/key.pem

Monitoring Configuration

The following configuration enables a HTTP endpoint on localhost only to retrieve statistics for monitoring.

FILE /etc/squid/squid.confModifying Squid configuration for monitoring
# use simple credential/ HTTP Basic auth and only for info-endpoint
cachemgr_passwd YourPasswordHere info
# deny all the other endpoints like configuration or restart
cachemgr_passwd disable all

# Restrict manager to localhost
http_access allow localhost manager
# deny all access from anywhere else
http_access deny manager

After a reload of the service the following command prints statistics. See the bottom of this page for tools shipped with Squid. Preferably use plain wget or cURL. Also never write passwords in plain text as part of commands. Use Bash's read or proper secrets management instead. (With the above settings and for info endpoint only this is not critical.)

user $wget --user 'manager' --password YourPasswordHere -O - http://localhost:3128/squid-internal-mgr/info

Browser configuration


Set Firefox to manual proxy, and point it at localhost port 3128 or port 3128.

Custom error page icons

CSS controls the Squid icon on error pages. To insert a custom icon simply replace the link URL in /etc/squid/errorpage.css section #titles (as long as a 91x50 pixel image is used nothing else needs to be changed). To use a different size image make sure padding is .5 x height and padding left is exactly width of future image replacement.

Once modifications have been finished, restart the Squid service:

root #rc-service squid restart

See also