LinuxDevCenter.com

Installing and Configuring Squid

by Jennifer Vesperman
07/26/2001

What can Squid do for your site?

Put Squid between the users and the Internet to cache your web pages. Users surf faster, HTTP traffic uses less bandwidth, and you can save on bandwidth fees -- or use the saved bandwidth for other traffic.

Finding Squid

Squid source code is available from squid-cache.org. There is also a list of mirror sites. Installation instructions are available in the ReadMe file in the source tar file.

There is also an RPM package for Red Hat Linux, and packages for FreeBSD and NetBSD. Instructions on installing the packages are available from the package sites. All three package sets come with Squid source code and additional instructions on installing from the source.

The ./configure script has several options. A recommended set is ./configure --enable-heap-replacement --enable-cache-digests --enable-dlmalloc.

Configuring Squid

The Squid configuration file is $SQUID-HOME/etc/squid.conf. The file has extensive comments about each option. This article is a quick reference to the options you are most likely to want to change. Your local network may require configurations not mentioned in this article.

When you have Squid configured, run squid -z to create the cache directory structure. Then you can start Squid.

Basic configuration

  • Check http_port, icp_port, and htcp_port. 3128 is a good default, 8080 is a reasonable alternative for HTTP. Port 80, or any port normally used by some other service, should be avoided if at all possible.
  • Leave cache_mem at 8 Mbytes at first, unless you have between 0.5 Gbytes and 1 Gbyte of RAM free routinely. If so, set cache_mem to 128 Mbytes. Adjust cache_mem once local cache patterns are known.
  • Increase the maximum_object_size to 40 Mbytes. If larger files are routinely downloaded, increase it to 250 Mbytes or even 700 Mbytes.
  • Set cache_dir to an area that has a large amount of space. Technically it belongs under /var, but you might not want it backed up. Don't set it to use more than 70 percent of the space, because Squid uses this directory to store journal files as well. cache_dir ufs /var/cache/squid 80000 16 256 is common.
  • Turn the access_log and cache_log on. The former tells you who is doing what, and the latter tells you when things aren't quite right.
  • cache_swap_log is the location for the journal files mentioned in cache_dir. The default location is in the same directory as cache_dir.
  • pid_filename must be set. /var/log/squid/squid.pid is a good location. Squid uses this to shut down, rotate log files, or reread its configuration.
  • refresh_pattern affects how objects are evaluated for freshness. A reasonable default is refresh_pattern . 0 20% 10080.
  • cache_mgr is for people that use the cache to report problems. Be sure to use an email address that you will actually read.
  • cache_effective_user and cache_effective_group should be set to a "proxy" user and group. Many distributions ship with this user and group pre-installed.
  • Recursively chown the log and cache directories to this user before you start Squid. This user must be able to read the configuration file and the directory that it's in.

    chown -R proxy:proxy /var/log/squid /var/cache/squid

  • Set visible_hostname to the fully qualified domain name. For example, gw.mybox.com.
  • Uncomment dns_testnames. If it can't resolve names like "netscape.com", "internic.net", and "nlanr.net", your system needs fixing.
  • Turn memory_pools off unless there's a lot of free memory on the box.
  • Turn log_icp_queries on. ICP queries come from other proxies -- if you don't have sibling or parent proxies and you're getting them, you'll want to see these in the access.log.

Basic configuration ACLs

Access-control lists manage the access to your network. This basic example limits access to the proxy to the network 1.2.3.4/24. It matches successfully if a request comes from any of the addresses between 1.2.3.0 and 1.2.3.255 (inclusive).

acl our_network src 1.2.3.4/24
http_access allow our_network
http_access deny all

ACLs are checked from top to bottom. Clients with IPs in our_network are permitted; anyone else falls through to the "deny all" and gets a failure message. The format for the class definition is acl listname src network/netmask.

ACLs have an implicit last line that reverses the rule of the previous line. This protects against forgetting to add the http_access deny all, but explicitly adding that line makes the ACL more readable and helps ensure that it's not missed when the ACL is changed.
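The top-to-bottom matching and the implicit last line described above can be modeled in a few lines. This is an added example, not code from the article or from Squid. It assumes rules that name only src ACLs (no negation), and the "blocked" ACL and the sample configurations are constructed for illustration.

```python
import ipaddress

# Constructed ACL table. "our_network" is the article's acl line; Squid treats
# 1.2.3.4/24 as the network 1.2.3.0/24, which strict=False reproduces.
# "blocked" is a hypothetical extra ACL used only by the EDITED sample.
ACLS = {
    "our_network": ipaddress.ip_network("1.2.3.4/24", strict=False),
    "blocked": ipaddress.ip_network("203.0.113.0/24"),
    "all": ipaddress.ip_network("0.0.0.0/0"),
}

def parse_rules(conf, directive="http_access"):
    """Return [(action, [acl, ...]), ...] for one directive, in file order."""
    rules = []
    for line in conf.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 3 or fields[0] != directive:
            continue
        action, names = fields[1], fields[2:]
        if action not in ("allow", "deny") or any(n not in ACLS for n in names):
            raise ValueError("unsupported rule: " + line.strip())
        rules.append((action, names))
    return rules

def decide(rules, client_ip):
    """First matching line wins; with no match, reverse the last line."""
    if not rules:
        raise ValueError("this model needs at least one rule")
    addr = ipaddress.ip_address(client_ip)
    for action, names in rules:
        if all(addr in ACLS[n] for n in names):  # names on one line are ANDed
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"

def ends_with_deny_all(rules):
    """Audit check: is the final line the explicit catch-all deny?"""
    return bool(rules) and rules[-1] == ("deny", ["all"])

# Constructed sample configurations (http_access lines only).
ARTICLE = "http_access allow our_network\nhttp_access deny all\n"
IMPLICIT = "http_access allow our_network\n"
EDITED = "http_access allow our_network\nhttp_access deny blocked\n"

if __name__ == "__main__":
    for name, conf in (("ARTICLE", ARTICLE), ("IMPLICIT", IMPLICIT), ("EDITED", EDITED)):
        rules = parse_rules(conf)
        print(name, decide(rules, "1.2.3.77"), decide(rules, "198.51.100.7"),
              ends_with_deny_all(rules))
```

In the EDITED sample, appending a narrow deny line without the closing deny all flips the implicit default to allow, so a client outside our_network is served. That is the case the explicit last line guards against.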

miss_access

If an object isn't in the cache and marked as fresh, Squid checks with the origin server to see if it is still current and requests a new copy if it isn't. This behavior serves local users well, but is undesirable if the requesting client is a neighboring proxy server. The following ACL lines allow the local network to be passed objects which aren't in the current cache, but deny this service to anyone outside the local network.

miss_access allow our_network
miss_access deny all

icp_access

Caches communicate with ICP messages to find out whether they have fresh content that satisfies a request. The icp_access ACL lines are used to control the caches Squid can communicate with.

Configuration for speed

To maximize speed, minimize the number of simultaneous requests Squid has to handle. The more requests Squid has to process in parallel, the longer each request takes. Every bit of latency you can reduce improves the speed of the server.

  • Use a multiprocessor machine with asynchronous I/O enabled.
  • Run a version of Squid with internal DNS, or increase the number of DNS servers.

Aim to have 20 or 30 DNS servers. DNS lookups can be slow -- some continental backbones can take a minute and more to resolve a DNS request.
