Squid
Squid is a web cache and a proxy server application used speed up web browsing.
Installation
USE flags
USE flags for net-proxy/squid Full-featured web proxy cache
caps
|
Use Linux capabilities library to control privilege |
ecap
|
Adds support for loadable content adaptation modules (http://www.e-cap.org) |
esi
|
Enable ESI for accelerators, will cause squid reverse proxies to be capable of the Edge Acceleration Specification (www.esi.org) |
gnutls
|
Prefer net-libs/gnutls as SSL/TLS provider (ineffective with USE=-ssl) |
htcp
|
Enable HTCP protocol |
kerberos
|
Add kerberos support |
ldap
|
Add LDAP support (Lightweight Directory Access Protocol) |
logrotate
|
Use app-admin/logrotate for rotating logs |
mysql
|
Add mySQL Database support |
nis
|
Support for NIS/YP services |
pam
|
Add support for PAM (Pluggable Authentication Modules) - DANGEROUS to arbitrarily flip |
perl
|
Add optional support/bindings for the Perl language |
postgres
|
Add support for the postgresql database |
qos
|
Adds support for Quality of Service using netfilter conntrack - see qos_flow directive for more info |
radius
|
Add support for RADIUS authentication |
samba
|
Add support for SAMBA (Windows File and Printer sharing) |
sasl
|
Add support for the Simple Authentication and Security Layer |
selinux
|
!!internal use only!! Security Enhanced Linux support, this must be set by the selinux profile or breakage will occur |
snmp
|
Add support for the Simple Network Management Protocol if available |
sqlite
|
Add support for sqlite - embedded sql database |
ssl
|
Add support for SSL/TLS connections (Secure Socket Layer / Transport Layer Security) |
ssl-crtd
|
Adds support for dynamic SSL certificate generation in SslBump environments |
systemd
|
Enable use of systemd-specific libraries and features like socket activation or session tracking |
test
|
Enable dependencies and/or preparations necessary to run tests (usually controlled by FEATURES=test but can be toggled independently) |
tproxy
|
Enables real Transparent Proxy support for Linux Netfilter TPROXY |
valgrind
|
Enable annotations for accuracy. May slow down runtime slightly. Safe to use even if not currently using dev-debug/valgrind |
verify-sig
|
Verify upstream signatures on distfiles |
wccp
|
Enable Web Cache Coordination Protocol |
wccpv2
|
Enable Web Cache Coordination V2 Protocol |
Emerge
Install net-proxy/squid:
root #emerge --ask net-proxy/squidBoot services
OpenRC
To start squid on boot:
root #rc-update add squid defaultTo start squid immediately:
root #rc-service squid startSSL configuration
Make sure the ssl USE flag has been enabled. At the time of writing, Google Chrome, Chromium, and Firefox 30+ have support for SSL proxies. Unfortunately configuring them is not as straight forward as going into the options dialog of each respective browser.
Certificate generation
Generate a self-signed SSL certificate, or use a CA to sign the certificate so it is trusted by all clients.
user $openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -nodesConfigure Squid
Edit Squid's config file located at /etc/squid/squid.conf, replacing the http_port 3128 line with:
/etc/squid/squid.confModifying Squid configuration to use a SSL proxyhttps_port 3128 cert=/etc/squid/cert.pem key=/etc/squid/key.pem
Monitoring Configuration
The following configuration enables a HTTP endpoint on localhost only to retrieve statistics for monitoring.
/etc/squid/squid.confModifying Squid configuration for monitoring# use simple credential/ HTTP Basic auth and only for info-endpoint
cachemgr_passwd YourPasswordHere info
# deny all the other endpoints like configuration or restart
cachemgr_passwd disable all
# Restrict manager to localhost
http_access allow localhost manager
# deny all access from anywhere else
http_access deny manager
After a reload of the service the following command prints statistics. See the bottom of this page for tools shipped with Squid. Preferably use plain wget or cURL. Also never write passwords in plain text as part of commands. Use Bash's read or proper secrets management instead. (With the above settings and for info endpoint only this is not critical.)
user $wget --user 'manager' --password YourPasswordHere -O - http://localhost:3128/squid-internal-mgr/infoBrowser configuration
Firefox
Set Firefox to manual proxy, and point it at localhost port 3128 or 127.0.0.1 port 3128.
Custom error page icons
CSS controls the Squid icon on error pages. To insert a custom icon simply replace the link URL in /etc/squid/errorpage.css section #titles (as long as a 91x50 pixel image is used nothing else needs to be changed). To use a different size image make sure padding is .5 x height and padding left is exactly width of future image replacement.
Once modifications have been finished, restart the Squid service:
root #rc-service squid restartSee also
- https://bugs.squid-cache.org/show_bug.cgi?id=5283 – squidclient broken and queued for removal with 7.0.0