[squid-users] Linux Noob - Squid Config
Amos Jeffries
squid3 at treenet.co.nz
Mon May 6 16:58:55 UTC 2024
[ please keep responses on-list to assist any others who encounter the
same issues in future ]
On 4/05/24 08:51, Piana, Josh wrote:
> Hey Amos,
>
> Thank you so much for getting back to me so quickly!
>
> To answer your question about NTLM, I meant to say NTLMv2. We're trying to become compliant with newer security standards and this old box in depersate need of some love and updating.
>
Hmm. My question was more aiming as a yes/no answer.
Squid can certainly still support NTLM. But if possible going to just
Negotiate/Kerberos auth would be a simpler config.
The /usr/bin/ntlm_auth authenticator you have been using is provided by
Samba. So you will need to have Samba installed (yum install samba) and
configured the same (or equivalent for its upgrade) as before Squid
authentication is usable.
FYI; Modern Squid start helpers only as-needed. Meaning Squid will
startup and run fine without a working auth helper ... until the point
where a helper lookup is needed. So you can test Squid with some trivial
requests before needing Samba fully working.
> --------------------------------------------------------------
> Current squid.conf file Output:
>
> max_filedesc 4096
I advise changing this to at least:
max_filedescriptors 65536
Why? Modern web pages can cause clients to open up to a hundred
connections to various servers to display a single web page. Each client
of those connection consumes 3-4 file descriptors.
You will also need to check the OS limitation to ensure
> cache_mgr itadmin at ...
> cache_effective_user squid
> cache_effective_group squid
> coredump_dir /opt/squid/var
> pid_filename /var/run/squid.pid
> shutdown_lifetime 5 seconds
> error_directory /usr/local/share/squid/errors/English_CUSTOM
Check what customizations have been done to the files inside that directory.
If it is just the new templates for the deny_info lines later in your
config; then you can copy those templates to the new machine.
And create symlnks from the
I suggest placing the custom error templates in a directory such as
/etc/squid/errors/ and a symlink from the
/usr/local/share/squid/errors/templates/ directory (or wherever the
templates are put by yum install).
[ This way upgrades that change the default templates will not erase
your ones. At worst you should only have to re-create the symlinks
manually. ]
(If you need it; to learn how to create symlinks type "man ln".)
> logfile_rotate 0
> debug_options ALL,1
You can remove the above line. It is a default setting.
> buffered_logs on > cache_log /var/log/squid/general> cache_access_log /var/log/squid/access
The above two lines should be more like:
cache_log /var/log/squid/cache.log
access_log daemon:/var/log/squid/access.log
> cache_store_log none
> log_mime_hdrs off
The above two lines can be removed. They are default settings.
> log_fqdn off
Remove this line. It is not supported in modern Squid.
> strip_query_terms off
> http_port 10.46.11.20:8080
> http_port 127.0.0.1:3128
> icp_port 0
The above line can be removed. It is a default setting.
> forwarded_for off
Change that "off" to;
* "delete" for complete removal of the header), or
* "transparent" for Squid to not add the header.
> ftp_user anonftpuser at ...
> ftp_list_width 32
> ftp_passive on
> connect_timeout 30 seconds
> peer_connect_timeout 20 seconds
> read_timeout 2 minutes
> request_timeout 2 minutes
> persistent_request_timeout 30 seconds
> cache_dir ufs /var/cache/squid/ufs/squid 16000 64 64
> cache_replacement_policy heap LFUDA
> memory_replacement_policy lru
> cache_mem 200 MB
> maximum_object_size 32 MB
> maximum_object_size_in_memory 128 KB
> quick_abort_min 16 KB
> quick_abort_max 1 MB
> quick_abort_pct 90
> range_offset_limit 64 KB
> acl no_cache_url url_regex -i "/etc/squid/no_cache_url"
> cache deny no_cache_url
Modern Squid define a set of "refresh_pattern" to fixup messages
cacheability inline with HTTP/1.1 caching requirements.
Please add these lines:
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
> acl blows_chunks dstdomain .blr.com
> header_access Accept-Encoding deny blows_chunks
This is something to look into. Be aware of how exactly that server is
broken when it receives "Accept-Encoding" headers.
The old Squid only supported HTTP/1.0. Your new Squid supports HTTP/1.1
which may work better with whatever that server was doing to be
considered bad.
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 30
> auth_param ntlm keep_alive on
> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> auth_param basic children 5
> auth_param basic realm "..."
> auth_param basic credentialsttl 2 hours
> acl authenticated proxy_auth REQUIRED
> acl all src 0.0.0.0/0.0.0.0
Remove the above line. The "all" ACL is now built-in.
> acl src_self src 127.0.0.0/255.0.0.0
> acl src_self src 10.46.11.20
Modern Squid provide these as a built-in "localhost" ACL.
To add the machines global IP address as part of localhost, replace the
above two lines with:
acl localhost src 10.46.11.20/32
Then replace all uses of "src_self" with "localhost".
> acl dst_self dst 127.0.0.0/255.0.0.0
> acl dst_self dst 10.46.11.20
Modern Squid provide these as a built-in "to_localhost" ACL.
To add the machines global IP address as part of localhost, replace the
above two lines with:
acl to_localhost dst 10.46.11.20/32
Then replace all uses of "dst_self" with "to_localhost".
> acl from_arc src 10.0.0.0/255.255.0.0
> acl from_arc src 10.46.0.0/255.254.0.0
> acl local_dst_addr dst 10.0.0.0/255.0.0.0
FYI; while the above is acceptible to Squid. Prefer writing those as
CIDR masks instead of NetMask syntax.
eg. 10.0.0.0/8
> acl local_dst_addr dst bldg3.*.com.
> acl local_dst_addr dst bldg5.*.com.
> acl local_dst_dom dstdomain arcgate
The above is not a domain name, nor wildcard domain.
FYI; Squid will attempt to apply a domain search using the "domain" or
"search" as configured in /etc/resolv.conf and resolve arcgate.* in DNS.
> acl proto_FTP proto FTP
> acl proto_HTTP proto HTTP
> acl http_ports port 80
> acl http_ports port 81
> acl http_ports port 82
> acl http_ports port 807
> acl http_ports port 8000
> acl http_ports port 8001
> acl http_ports port 8080
> acl http_ports port 8081
> acl http_ports port 9000
> acl ssl_ports port 443
> acl ssl_ports port 818
> acl ssl_ports port 4435
> acl ssl_ports port 9571
> acl ssl_ports port 9030
> acl ssl_ports port 4502
> acl ssl_ports port 8080
> acl ssl_ports port 8081
> acl ssh_ports port 22 1776 8217
> acl ftp_ports port 21
> acl method_CONNECT method CONNECT
The "CONNECT" ACL is provided as a built-in.
Replace all uses of "method_CONNECT" with just "CONNECT" and remove the
above line.
> acl methods_std method GET HEAD POST PUT DELETE
> acl methods_std method TRACE OPTIONS
> acl purge method PURGE
> http_access allow purge src_self
> http_access deny purge
This purge is something to consider carefully. You should not need to
ever use it on a properly working cache that obeys HTTP standard.
If possible prefer to remove the http_access and acl lines relating to
the curstom "PURGE" method. This allows modern Squid to improve
performance by not tracking a lot of things.
> acl cache_manager proto cache_object
The "manager" ACL is provided as built-in by modern Squids, and has a
different definition for the latest access mechanism(s).
Replace all uses of "cache_manager" with "manager" and remove the above
line.
> cachemgr_passwd disabled shutdown offline_toggle
> cachemgr_passwd none all
> http_access allow cache_manager src_self
> http_access deny cache_manager
Per earlier change requests this should become:
http_access allow manager localhost
http_access deny manager
> http_access deny dst_self
> http_access deny src_self
Per earlier change requests this should become:
http_access deny localhost
http_access deny to_localhost
> http_access deny !from_arc
> http_access allow local_dst_dom
> http_reply_access allow local_dst_dom
> http_access allow local_dst_addr
> http_reply_access allow local_dst_addr
> acl authless_src src "/etc/squid/authless_src"
> http_access allow authless_src
> http_reply_access allow authless_src
> acl authless_dst dstdomain "/etc/squid/authless_dst"
> http_access allow authless_dst
> http_reply_access allow authless_dst
> acl bad_domains_preauth dstdomain "/etc/squid/bad_domains_preauth"
> http_access deny bad_domains_preauth
> http_access deny !authenticated
> acl block_user proxy_auth_regex -i "/etc/squid/block_user"
> http_access deny block_user
> acl bad_exception_urls url_regex -i "/etc/squid/bad_exception_urls"
> acl exec_files url_regex -i "/etc/squid/exec_files"
> acl exec_users proxy_auth_regex -i "/etc/squid/exec_users"
> http_access deny !bad_exception_urls !exec_users exec_files
> deny_info ERR_BLOCK_TYPE exec_files
> acl mmedia_users proxy_auth_regex -i "/etc/squid/mmedia_users"
> acl mmedia_sites dstdomain "/etc/squid/mmedia_sites"
> http_access allow methods_std proto_HTTP http_ports mmedia_sites mmedia_users
> http_reply_access allow methods_std proto_HTTP http_ports mmedia_sites mmedia_users
> http_access allow method_CONNECT ssl_ports mmedia_sites mmedia_users
> http_reply_access allow method_CONNECT ssl_ports mmedia_sites mmedia_users
> acl bad_domains dstdomain "/etc/squid/bad_domains"
> http_access deny !bad_exception_urls bad_domains
> deny_info ERR_BLOCK_DST bad_domains
> acl bad_domains_regex dstdom_regex -i "/etc/squid/bad_domains_regex"
> http_access deny !bad_exception_urls bad_domains_regex
> deny_info ERR_BLOCK_DST bad_domains_regex
> acl bad_urls url_regex -i "/etc/squid/bad_urls"
> http_access deny !bad_exception_urls bad_urls
> deny_info ERR_BLOCK_DST bad_urls
> acl bad_files urlpath_regex -i "/etc/squid/bad_files"
> http_access deny !bad_exception_urls bad_files
> deny_info ERR_BLOCK_TYPE bad_files
> acl bad_types rep_mime_type -i "/etc/squid/bad_types"
> http_reply_access deny bad_types !bad_exception_urls
> deny_info ERR_BLOCK_TYPE bad_types
> acl fsoguest_user proxy_auth_regex -i fsoguest
> acl fsoguest_dst dstdomain .opm.gov
> acl fsoguest_dst dstdomain .google-analytics.com
> acl fsoguest_dst dstdomain pki.google.com
> acl fsoguest_dst dstdomain ajax.googleapis.com
> acl fsoguest_dst dstdomain fonts.googleapis.com
> acl fsoguest_dst dstdomain html5shiv.googlecode.com
> acl fsoguest_dst dstdomain fonts.gstatic.com
> acl fsoguest_dst dstdomain clients1.google.com
> acl fsoguest_dst dstdomain ajax.microsoft.com
> acl fsoguest_dst dstdomain ajax.aspnetcdn.com
> acl fsoguest_dst dstdomain .geotrust.com
> acl fsoguest_dst dstdomain .akamaihd.net
> acl fsoguest_dst dstdomain symcd.com
> http_access allow methods_std proto_HTTP http_ports fsoguest_dst fsoguest_user
> http_access allow method_CONNECT ssl_ports fsoguest_dst fsoguest_user
> http_access deny fsoguest_user
> http_access allow http_ports proto_HTTP methods_std
> acl ssh_users proxy_auth -i PCADMIN
> acl ssh_users proxy_auth -i BSCOTT
> http_access allow method_CONNECT ssh_ports ssh_users
> acl ssh_dst dst vthm.com
> http_access allow method_CONNECT ssh_ports ssh_dst
> acl ftp_dst dst http://www.arc-tech.com/
I hoep that above line is a typo. A full URL is not valid for a "dst"
ACL type.
The "dst" ACL values can be;
* a raw-IP, or
* a CIDR range, or
* a NetMask range (eg A-B/mask), or
* a hostname which is resolvable in DNS at Squid startup/reconfigure time.
> acl ftp_dst dst ftp.telemeter.de
> acl ftp_dst dst ftp.lucasindustries.com
> acl ftp_dst dst ftp-upload.trendmicro.com
> http_access allow method_CONNECT ftp_dst
> http_access allow method_CONNECT ssl_ports
> http_access deny method_CONNECT
> http_access allow ftp_ports proto_FTP
> http_access deny all
> http_reply_access allow all
>
After making the above adjustments with Squid installed you should be
aboe to run the command "squid -k parse -f /etc/squid/squid.conf.old" to
see what the new Squid thinks of the old configuration.
Any "ERROR" lines that are displayed by by that command will need fixing
before you can use Squid.
Any "WARNING" or "NOTICE" or "UPGRADE" are things that should be looked
into fixing. But not urgent enough to make Squid unusable.
You may need to run "squid -z -f /etc/squid/squid.conf.old" to create
the cache directory.
When that is fine you can move the /etc/squid/squid.conf.old to replace
the /etc/squid/squid.conf and use the OS method for starting Squid.
Which for RHEL 9 I believe should be:
service squid start
... then start testing that what Squid does actually meets your
expectations.
HTH
Amos
> --------------------------------------------------------------
>
> Current Box squid -v Output:
>
> Squid Cache: Version 2.6.STABLE21
>
> configure options: '--build=i386-redhat-linux-gnu' '--host=i386-redhat-linux-gnu' '--target=i386-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--includedir=/usr/include' '--libdir=/usr/lib' '--libexecdir=/usr/libexec' '--sharedstatedir=/usr/com' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--exec_prefix=/usr' '--bindir=/usr/sbin' '--libexecdir=/usr/lib/squid' '--localstatedir=/var' '--datadir=/usr/share' '--sysconfdir=/etc/squid' '--enable-arp-acl' '--enable-epoll' '--enable-snmp' '--enable-removal-policies=heap,lru' '--enable-storeio=aufs,coss,diskd,null,ufs' '--enable-ssl' '--with-openssl=/usr/kerberos' '--enable-delay-pools' '--enable-linux-netfilter' '--with-pthreads' '--enable-ntlm-auth-helpers=SMB,fakeauth' '--enable-external-acl-helpers=ip_user,ldap_group,unix_group,wbinfo_group' '--enable-auth=basic,digest,ntlm,negotiate' '--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-digest-auth-helpers=password' '--with-winbind-auth-challenge' '--enable-useragent-log' '--enable-referer-log' '--disable-dependency-tracking' '--enable-cachemgr-hostname=localhost' '--enable-underscores' '--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam,multi-domain-NTLM,SASL' '--enable-cache-digests' '--enable-ident-lookups' '--with-large-files' '--enable-follow-x-forwarded-for' '--enable-wccpv2' '--enable-fd-config' '--with-maxfd=16384' 'build_alias=i386-redhat-linux-gnu' 'host_alias=i386-redhat-linux-gnu' 'target_alias=i386-redhat-linux-gnu' 'CFLAGS=-D_FORTIFY_SOURCE=2 -fPIE -Os -g -pipe -fsigned-char' 'LDFLAGS=-pie'
>
> --------------------------------------------------------------
>
> New Box squid -v Output:
>
> Squid Cache: Version 5.5
> Service Name: squid
>
> This binary uses OpenSSL 3.0.7 1 Nov 2022. For legal restrictions on distribution see https://www.openssl.org/source/license.html
>
> configure options: '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--localstatedir=/var' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--libexecdir=/usr/lib64/squid' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--with-logdir=/var/log/squid' '--with-pidfile=/run/squid.pid' '--disable-dependency-tracking' '--enable-eui' '--enable-follow-x-forwarded-for' '--enable-auth' '--enable-auth-basic=DB,fake,getpwnam,LDAP,NCSA,PAM,POP3,RADIUS,SASL,SMB,SMB_LM' '--enable-auth-ntlm=SMB_LM,fake' '--enable-auth-digest=file,LDAP' '--enable-auth-negotiate=kerberos' '--enable-external-acl-helpers=LDAP_group,time_quota,session,unix_group,wbinfo_group,kerberos_ldap_group' '--enable-storeid-rewrite-helpers=file' '--enable-cache-digests' '--enable-cachemgr-hostname=localhost' '--enable-delay-pools' '--enable-epoll' '--enable-icap-client' '--enable-ident-lookups' '--enable-linux-netfilter' '--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-ssl' '--enable-ssl-crtd' '--enable-storeio=aufs,diskd,ufs,rock' '--enable-diskio' '--enable-wccpv2' '--enable-esi' '--enable-ecap' '--with-aio' '--with-default-user=squid' '--with-dl' '--with-openssl' '--with-pthreads' '--disable-arch-native' '--disable-security-cert-validators' '--disable-strict-error-checking' '--with-swapdir=/var/spool/squid' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CC=gcc' 'CFLAGS=-O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -march=x86-64-v2 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection' 'LDFLAGS=-Wl,-z,relro -Wl,--as-needed -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 ' 'CXX=g++' 'CXXFLAGS=-O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -march=x86-64-v2 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection' 'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig' 'LT_SYS_LIBRARY_PATH=/usr/lib64:'
>
> --------------------------------------------------------------
>
> -----Original Message-----
> From: squid-users <squid-users-bounces at lists.squid-cache.org> On Behalf Of Amos Jeffries
> Sent: Friday, May 3, 2024 4:21 PM
> To: squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] Linux Noob - Squid Config
>
> [You don't often get email from squid3 at treenet.co.nz. Learn why this is important at https://aka.ms/LearnAboutSenderIdentification ]
>
> Caution: This email originated from outside of Hexcel. Do not click links or open attachments unless you recognize the sender and know the content is safe.
>
>
> On 4/05/24 07:59, Piana, Josh wrote:
>> Hey Everyone.
>>
>> I apologize in advance for any lack of formality normally shared on
>> mailing lists such as these, it’s my first time seeking product
>> support in this manner.
>>
>
> NO need to apologize. Help and questions is most of what we do here :-)
>
>
>> I want to start by saying that I’m new to Linux, been using Windows
>> environments my entire life. Such is the reason for me reaching out to
>> you all.
>>
>> I have been tasked with modernizing a Squid box and feel very
>> overwhelmed, to say the least.
>>
>> Current Setup:
>>
>> èCentOS 5.0
>>
>> èSquid 2.3
>>
>> èApache 2.0.46
>>
>> èSamba 3.0.9
>>
>> Desired Setup:
>>
>> èRHEL 9.2 OS
>>
>> èNeeds to qualify for NTLM authentication
>>
>
> Hmm, does it *have* to be NTLM? that auth protocol was deprecated in 2006.
>
>
>> èWould like to remove legacy apps/services
>>
>> èContinue to authenticate outgoing communication via AD
>>
>> My question is, how do I get all of these services/apps to work
>> together? Do I just install the newest versions of each and migrate
>> the existing config files?
>>
>> I was hoping for a better understanding on how all of these work
>> together and exactly how to configure or edit these as needed. I’ve
>> gotten as far as installing RHEL 9.2 on a fresh VM Server and trying
>> as best as I can to learn the basics on Linux and just the general
>> operation of a Linux ran environment. It feels like trying to ride a
>> bike with box wheels.
>>
>
>
> The installation of a basic Squid service for RHEL is easy.
> Just open a terminal and enter this command:
>
> yum install squid
>
>
> The next part is going over your old Squid configuration to see how much of it remains necessary or can be updated. It would be useful for the next steps to copy it to the RHEL machine as /etc/squid/squid.conf.old .
>
> You can likely find it on the CentOS machine at /etc/squid/squid.conf or /usr/share/squid/etc/squid.conf depending on how that Squid was built.
>
>
> If you are able to paste the contents of that file (without the '#'
> comment or empty lines) here, we can assist with getting the new Squid doing the same or equivalent actions.
>
>
> Also please paste the output of "squid -v" run on both the old CentOS machine and on the new RHEL.
>
>
> Cheers
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> https://lists.squid-cache.org/listinfo/squid-users
More information about the squid-users
mailing list