Install and Configure Squid3 Caching Proxy on Debian

Setting up a Squid caching proxy on a low-end 1GB RAM dual-core Debian Wheezy server. 

Software

Software used in this article:

  1. Debian Wheezy
  2. Squid 3.1.20

Installation

Installation is pretty straightforward:

# apt-get update && apt-get install squid3

Setup and Configure a Partition to Store Cached Data (Optional)

We will use a dedicated SSD for caching. As Squid creates many thousands of small and very small files, we’ll set up ReiserFS to deal with that. ReiserFS is known for being fast with small files, very space efficient and stable. Although its development might be dead and buried, Btrfs is on its way.

ReiserFS

Install user-level tools for ReiserFS filesystems:

# apt-get install reiserfsprogs

Create a /dev/sdb1 ReiserFS partition on SSD:

# mkfs.reiserfs -l squid_cache /dev/sdb1

Create a Squid directory to store cached files:

# mkdir /var/spool/squid3-ssd

Mount the partition:

# mount -o rw,noatime,notail /dev/sdb1 /var/spool/squid3-ssd/

The noatime option prevents inode access times from being updated, which boosts performance, while notail increases the performance of ReiserFS.

# mount -l | grep sdb1
/dev/sdb1 on /var/spool/squid3-ssd type reiserfs (rw,noatime,notail) [squid_cache]

Make sure only Squid can read/write to the directory:

# chown proxy:proxy /var/spool/squid3-ssd
# chmod 0750 /var/spool/squid3-ssd

Add the following entry to /etc/fstab:

/dev/sdb1 /var/spool/squid3-ssd reiserfs rw,noatime,notail 0 0

Squid Configuration

The default configuration file /etc/squid3/squid.conf is probably right for the majority of installations. We’ve tweaked some parameters to optimise it:

acl LAN src 10.10.1.0/24
http_access deny to_localhost
http_access allow LAN
http_access deny all
icp_access allow LAN
icp_access deny all
acl SSL_ports port 8081 8443 8834
acl Safe_ports port 8081 8443 8834
http_port 3128
cache_mem 128 MB
maximum_object_size_in_memory 128 KB
cache_replacement_policy heap GDSF
cache_dir ufs /var/spool/squid3-ssd 15360 16 256
maximum_object_size 4 MB
cache_swap_low 87
cache_swap_high 90
access_log /var/log/squid3/access.log squid
half_closed_clients off
cache_mgr [email protected]
hosts_file /etc/hosts
memory_pools off
client_db off

/etc/squid3/squid.conf

Back up the configuration file first:

# cp /etc/squid3/squid.conf /etc/squid3/squid.conf.$(date +%F)

Allow browsing from our LAN:

acl LAN src 10.10.1.0/24
http_access allow LAN
http_access deny all

Allow ICP queries from LAN only:

icp_access allow LAN
icp_access deny all

Other secure and safe SSL ports (for Apache, Plesk, Nessus, etc.):

acl SSL_ports port 8081 8443 8834
acl Safe_ports port 8081 8443 8834 # https

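Deny requests that try to reach services on the Squid server itself through the proxy. http_access rules are evaluated top to bottom and the first match wins, so this line has to sit above http_access allow LAN in squid.conf: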

http_access deny to_localhost
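
Squid evaluates http_access lines top to bottom and stops at the first match, so where deny to_localhost sits relative to allow LAN decides whether it ever fires. The following added example (not code from the original article) is a minimal first-match evaluator covering only src and dst ACLs; PAGE_ORDER takes the rules in the order this walkthrough introduces them, and the to_localhost definition and the request addresses are assumptions constructed for the example.

```python
import ipaddress

# ACL definitions; the to_localhost line is assumed, the page does not show it.
ACLS = "acl LAN src 10.10.1.0/24\nacl to_localhost dst 127.0.0.0/8\n"
# http_access lines in the order the walkthrough introduces them.
PAGE_ORDER = ACLS + """http_access allow LAN
http_access deny all
http_access deny to_localhost
"""
# Same rules with the localhost deny moved ahead of the LAN allow.
FIXED_ORDER = ACLS + """http_access deny to_localhost
http_access allow LAN
http_access deny all
"""


def parse(conf):
    """Return (acls, rules) for src/dst ACLs and http_access lines."""
    acls, rules = {}, []
    for raw in conf.splitlines():
        words = raw.split("#", 1)[0].split()
        if len(words) >= 4 and words[0] == "acl" and words[2] in ("src", "dst"):
            nets = [ipaddress.ip_network(w) for w in words[3:]]
            acls.setdefault(words[1], []).append((words[2], nets))
        elif len(words) >= 3 and words[0] == "http_access":
            rules.append((words[1], words[2:]))
    return acls, rules


def acl_matches(acls, name, req):
    """True if the named ACL matches the request; 'all' always matches."""
    if name == "all":
        return True
    return any(ipaddress.ip_address(req[kind]) in net
               for kind, nets in acls.get(name, []) for net in nets)


def decide(conf, src, dst):
    """First-match evaluation: return (action, matching line) for a request."""
    acls, rules = parse(conf)
    req = {"src": src, "dst": dst}
    for action, names in rules:
        # Every ACL on a line must match; a leading '!' negates one.
        if all(acl_matches(acls, n.lstrip("!"), req) != n.startswith("!")
               for n in names):
            return action, "http_access %s %s" % (action, " ".join(names))
    # Nothing matched: Squid applies the opposite of the last line's action
    # (and denies when there are no http_access lines at all).
    last = rules[-1][0] if rules else "allow"
    return ("deny" if last == "allow" else "allow"), "(default)"
```

Calling decide(PAGE_ORDER, "10.10.1.50", "127.0.0.1") shows the LAN allow answering a request for the proxy's own loopback address before the deny is reached; the same call with FIXED_ORDER is denied by the to_localhost line.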

Listen on default port:

http_port 3128

Limit the additional memory Squid can use as an in-memory cache of objects to 128MB of RAM:

cache_mem 128 MB

Don’t keep any objects larger than 128KB in memory, where they are served super fast:

maximum_object_size_in_memory 128 KB

The heap GDSF policy optimises object hit rate by keeping smaller popular objects in cache so it has a better chance of getting a hit.

cache_replacement_policy heap GDSF

Cache directory path and storage size of 15GB:

cache_dir ufs /var/spool/squid3-ssd 15360 16 256

The ufs is the old well-known Squid storage format that has always been there.

Cache many small files rather than several big files:

maximum_object_size 4 MB

Start purging stuff from cache when disk usage reaches 87% (13GB). Aggressive purge of old cache at 90% (13.5GB).

cache_swap_low 87
cache_swap_high 90

Access log location:

access_log /var/log/squid3/access.log squid

Squid cannot tell the difference between a half-closed and a fully-closed TCP connection. With this setting off, it therefore closes connections to clients that leave a half-open connection:

half_closed_clients off

Set the email address of the local cache manager, who will receive mail if the cache dies:

cache_mgr [email protected]

Location of the host-local IP name-address associations database:

hosts_file /etc/hosts

Stop holding on to RAM that is no longer actively in use:

memory_pools off

Disable collecting per-client statistics:

client_db off

Enable offline_mode if you want Squid to never try to validate cached objects.

offline_mode off

Restart Squid

# service squid3 restart

Configure Iptables

# iptables -A INPUT -s 10.10.1.0/24 -p tcp --dport 3128 -j ACCEPT

Using Squid Proxy with Chromium Browser

$ chromium --proxy-server=10.10.1.17:3128
