Squid Proxy Server: Tips and Tricks

Exclusive offer: get 50% off this eBook here
Squid Proxy Server 3.1: Beginner's Guide

Squid Proxy Server 3.1: Beginner's Guide — Save 50%

Improve the performance of your network using the caching and access control capabilities of Squid

$26.99    $13.50
by Kulbir Saini | March 2011 | Open Source

Squid proxy server enables you to cache your web content and return it quickly on subsequent requests. System administrators often struggle with delays and too much bandwidth being used, but Squid solves these problems by handling requests locally. By deploying Squid in accelerator mode, requests are handled faster than on normal web servers, thus making your site perform quicker than everyone else's!

Applying proxy servers to large networks can be a lot of work as you have to decide where to place restrictions and who to grant access. This article will provide you with some tips and tricks on Squid Proxy server to enhance the performance of your network.

 

Squid Proxy Server 3.1: Beginner's Guide

Squid Proxy Server 3.1: Beginner's Guide Improve the performance of your network using the caching and access control capabilities of Squid
        Read more about this book      

(For more resources on Proxy Servers, see here.)

Rotating log files frequently
Tip: For better performance, it is good practice to rotate log files frequently instead of going with large files.

 

--sysconfdir=/etc/squid/ option
Tip: It's a good idea to use the --sysconfdir=/etc/squid/ option with configure, so that you can share the configuration across different Squid installations while testing.

 

tproxy mode
Tip: We should note that enabling intercept or tproxy mode disables any configured authentication mechanism. Also, IPv6 is supported for tproxy but requires very recent kernel versions. IPv6 is not supported in the intercept mode.

 

Securing the port
Tip: We should set the HTTP port carefully as the standard ports like 3128 or 8080 can pose a security risk if we don't secure the port properly. If we don't want to spend time on securing the port, we can use any arbitrary port number above 10000.

 

ACL naming
Tip: We should carefully note that one ACL name can't be used with more than one ACL type.

acl destination dstdomain example.com
acl destination dst 192.0.2.24

The above code is invalid as it uses ACL name destination across two different ACL types.

 

HTTP access control
Tip: The default behavior of HTTP access control is a bit tricky if access for a client can't be identified by any of the access rules. In such cases, the default behavior is to do the opposite of the last access rule. If last access rule is deny, then the action will be to allow access and vice-versa. Therefore, to avoid any confusion or undesired behavior, it's a good practice to add a deny all line after the access rules.

 

Using the http_reply_access directive
Tip: We should be really careful while using the http_reply_access directive. When a request is allowed by http_access, Squid will contact the original server, even if a rule with the http_reply_access directive denies the response. This may lead to serious security issues. For example, consider a client receiving a malicious URL, which can submit a client's critical private information using the HTTP POST method. If the client's request passes through http_access rules but the response is denied by an http_reply_access rule, then the client will be under the impression that nothing happened but a hacker will have cleverly stolen our client's private information.

 

refresh_pattern directive
Tip: Using refresh_pattern to cache the non-cacheable responses or to alter the lifetime of the cached objects, may lead to unexpected behavior or responses from the web servers. We should use this directive very carefully.

 

Expires HTTP header
Tip: We should note that the Expires HTTP header overrides min and max values.

 

Overriding directives
Tip: Please note that the directive never_direct overrides hierarchy_stoplist.

 

Path of the PID file
Tip: Setting the path of the PID file to none will prevent regular management operations like automatic log rotation or restarting Squid. The operating system will not be able to stop Squid at the time of a shutdown or restart.

 

Parsing the configuration file
Tip: It's good practice to parse the configuration file for any errors or warning using the -k parse option before issuing the reconfigure signal.

 

Squid signals
Tip: Please note that shutdown, interrupt, and kill are Squid signals and not the system kill signals which are emulated.

 

Squid process in debug mode
Tip: The Squid process running in debug mode may write a log of debugging output to the cache.log file and may quickly consume a lot of disk space.

 

Access Control List (ACL) elements with dst
Tip: ACL elements configured with dst as a ACL type works slower compared to ACLs with the src ACL type, as Squid will have to resolve the destination domain name before evaluating the ACL, which will involve a DNS query.

 

ACL elements with srcdomain
Tip: ACL elements with srcdomain as ACL types works slower, compared to ACLs with the dstdomain ACL type because Squid will have to perform a reverse DNS lookup before evaluating ACL. This will introduce significant latency. Moreover, the reverse DNS lookup may not work properly with local IP addresses.

 

Adding port numbers
Tip: We should note that the port numbers we add to the SSL ports list should be added to the safe ports list as well.

 

Take care while using the ident protocol
Tip: The ident protocol is not really secure and it's very easy to spoof an ident server. So, it should be used carefully.

 

ident lookups
Tip: Please note that the ident lookups are blocking calls and Squid will wait for the reply before it can proceed with processing the request, and that may increase the delays by a significant margin.

 

Denied access by the http_access
Tip: If a client is denied access by the http_access rule, it'll never match an http_reply_access rule. This is because, if a client's request is denied then Squid will not fetch a reply.

 

Authentication helpers
Tip: Configuring authentication helpers is of no use unless we use the proxy_auth ACL type to control access.

 

basic_pop3_auth helper
Tip: The basic_pop3_auth helper uses the Net::POP3 Perl package. So, we should make sure that we have this package installed before using the authentication helper.

 

--enable-ssl option
Tip: : Please note that we should use the --enable-ssl option with the configure program before compiling, if we want Squid to accept HTTPS requests. Also note that several operating systems don't provide packages capable of HTTPS reverse-proxy due to GPL and policy constraints.

 

URL redirector programs
Tip: We should be careful while using URL redirector programs because Squid passes the entire URL along with query parameters to the URL redirector program. This may lead to leakage of sensitive client information as some websites use HTTP GET methods for passing clients' private information.

 

Using the url_rewrite_access directive to block request types
Tip: Please note that certain request types such as POST and CONNECT must not be rewritten as they may lead to errors and unexpected behavior. It's a good idea to block them using the url_rewrite_access directive.

 

Summary

In this article we saw some tips and tricks on Squid Proxy server to enhance the performance of your network.


Further resources on this subject:


Squid Proxy Server 3.1: Beginner's Guide Improve the performance of your network using the caching and access control capabilities of Squid
Published: February 2011
eBook Price: $26.99
Book Price: $44.99
See more
Select your format and quantity:

Resources for Article :


Squid Proxy Server 3 Beginners Guide by Kulbir Saini

Books From Packt


OpenVPN 2 Cookbook
OpenVPN 2 Cookbook

OpenX Ad Server: Beginner's Guide
OpenX Ad Server: Beginner's Guide

Scalix: Linux Administrator's Guide
Scalix: Linux Administrator's Guide

Hacking Vim 7.2
Hacking Vim 7.2

Building Telephony Systems with OpenSER
Building Telephony Systems with OpenSER

Linux Email
Linux Email

Nginx 1 Web Server Implementation Cookbook
Nginx 1 Web Server Implementation Cookbook

Cacti 0.8 Beginner's Guide: RAW
Cacti 0.8 Beginner's Guide: RAW


No votes yet

Post new comment

CAPTCHA
This question is for testing whether you are a human visitor and to prevent automated spam submissions.
D
Z
G
Y
C
D
Enter the code without spaces and pay attention to upper/lower case.
Code Download and Errata
Packt Anytime, Anywhere
Register Books
Print Upgrades
eBook Downloads
Video Support
Contact Us
Awards Voting Nominations Previous Winners
Judges Open Source CMS Hall Of Fame CMS Most Promising Open Source Project Open Source E-Commerce Applications Open Source JavaScript Library Open Source Graphics Software
Resources
Open Source CMS Hall Of Fame CMS Most Promising Open Source Project Open Source E-Commerce Applications Open Source JavaScript Library Open Source Graphics Software