7.7. Proxy Service: Squid


A proxy server (PS) is used to save connection bandwidth, to improve security and to increase web-browsing speed.

Squid is one of the main proxy servers: it is open source, it supports ICP (a protocol that allows the exchange of hints with other proxy servers) and SSL (for secure connections between proxies), and it handles FTP, Gopher, HTTP and HTTPS (secure) objects. Its operation is simple: it stores the most frequently requested objects in RAM and the least requested ones in a database on disk. Squid servers can also be configured hierarchically to form a tree of proxies according to requirements. There are two possible configurations:

1) As an httpd accelerator to achieve improved performance of the web service.

2) As a proxy-caching server to allow the users of a corporation to use the PS to exit towards the Internet.

In the first mode it acts as a reverse proxy; in other words, it accepts a client's request, serves the object if it already has it, and if not, fetches it, passes it on to the client when it arrives and stores it for the next time. In the second mode it can be used as a control to restrict the sites to which a connection to the Internet can be made, or to authorise access only at specific times of day. Once installed (the squid package in Debian; squid-cgi, squidguard or squidtaild can also be installed), three files are generated: /etc/squid.conf (configuration), /etc/init.d/squid (initialisation) and /etc/logrotate.d/squid (log rotation).

7.7.1. Squid as an http accelerator

In this mode, if the web server is on the same machine as the proxy server, it will have to be reconfigured to serve requests on port 81 (in Apache, change Port 80 to Port 81 in httpd.conf). The configuration file (/etc/squid.conf) contains a large number of entries, but here we will only look at the essential ones [Mou01]:

In this way, the httpd_accel_host option disables the possibility of running Squid as a caching proxy. For further information visit http://www.squid-cache.org/.

7.7.2. Squid as proxy-caching

In this mode Squid can control Internet access: who is given access, when access is granted and which objects may be accessed. In this case the following modifications will have to be added to /etc/squid.conf:

acl localnet src
acl localhost src
acl Safe_ports port 80 443 210 70 21 1025-65535
acl all src
http_access allow localnet
http_access allow localhost
http_access deny
http_access deny CONNECT
http_access deny all

The main difference from the other mode is the acl lines: here the clients of the class C network are allowed access to the proxy server, as is the localhost IP, and the ports through which the Internet can be reached are listed: 80 (http), 443 (https), 210 (WAIS), 70 (gopher), 21 (ftp) and the unprivileged range 1025-65535. The CONNECT method is also denied, to avoid a connection from the outside to the proxy server, and finally all other IPs and ports through the proxy server are denied. [Mou01] More information at http://www.squid-cache.org/ and, for a transparent proxy, at http://tldp.org/HOWTO/TransparentProxy-1.html.
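Squid evaluates http_access lines top to bottom and the first line whose ACLs all match decides, so the order of the allow and deny lines changes what a client is permitted to do. The following added example (not part of the original text or of Squid itself) models that first-match evaluation over a policy shaped like the block above; the client network is a constructed placeholder from the RFC 5737 documentation range, and the bare "http_access deny" line is assumed to be "deny !Safe_ports", its usual form in a Squid configuration.

```python
import ipaddress

# Constructed ACL table mirroring the shape of the page's block. The client
# network is a documentation-range placeholder, not the page's own network.
ACLS = {
    "localnet": ("src", ipaddress.ip_network("192.0.2.0/24")),
    "localhost": ("src", ipaddress.ip_network("127.0.0.1/32")),
    "Safe_ports": ("port", {80, 443, 210, 70, 21} | set(range(1025, 65536))),
    "CONNECT": ("method", {"CONNECT"}),
    "all": ("src", ipaddress.ip_network("0.0.0.0/0")),
}

# http_access lines in the page's order; the bare "deny" line is assumed to be
# "deny !Safe_ports". A leading "!" negates an ACL, as in squid.conf.
PAGE_ORDER = [
    ("allow", ["localnet"]),
    ("allow", ["localhost"]),
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT"]),
    ("deny", ["all"]),
]

# The same lines with the port and method restrictions moved ahead of the allows,
# so that they also apply to local clients.
DENY_FIRST = PAGE_ORDER[2:4] + PAGE_ORDER[0:2] + PAGE_ORDER[4:]


def acl_matches(name, req):
    """Evaluate one ACL reference (possibly negated) against a request."""
    negate = name.startswith("!")
    kind, value = ACLS[name.lstrip("!")]
    if kind == "src":
        hit = ipaddress.ip_address(req["src"]) in value
    elif kind == "port":
        hit = req["port"] in value
    else:
        hit = req["method"] in value
    return hit != negate


def http_access(policy, req):
    """First http_access line whose ACLs all match decides the request.
    If no line matches, Squid applies the opposite of the last line's action."""
    for action, names in policy:
        if all(acl_matches(n, req) for n in names):
            return action
    return "allow" if policy[-1][0] == "deny" else "deny"


def request(src, port, method="GET"):
    return {"src": src, "port": port, "method": method}
```

With the page's ordering a local client matches "allow localnet" before the port and CONNECT denies are ever consulted; placing the deny lines first makes the port restriction apply to local clients as well.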