Hi,
I recently migrated my office's server from Slackware64 14.1 to CentOS 7. Right now I'm in the process of configuring the Squid web proxy. I edited the default /etc/squid/squid.conf, and here's what I have so far:
--8<--------------------------------------------------
# /etc/squid/squid.conf

# Hostname of the Squid server
visible_hostname amandine.microlinux.lan

# Definitions
acl localnet src 192.168.2.0/24 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

# Access rules
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet

# Proxy port
http_port 3128

# Cache size in RAM
cache_mem 256 MB

# Core dumps
coredump_dir /var/spool/squid

# Lifetime of files without an expiry date
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
--8<--------------------------------------------------
The proxy is working as expected. I have a few questions for fine-tuning though.
1. Squid's main logs are stored in /var/log/squid/access.log. I'd like to set up logfile rotation for that, since it can become quite big. How do you handle this? With Squid's internal 'logfile_rotate' directive or with logrotate? What I'd like to do is rotate this logfile about once a week.
2. Which user is Squid supposed to run as under CentOS? On my Slackware server I had the following:
cache_effective_user nobody
cache_effective_group nobody
What's an orthodox setting for CentOS?
3. The access rules are a bit minimal. Do they seem OK to you for a LAN? Any suggestions?
Cheers,
Niki
2015-03-06 12:29 GMT-06:00 Niki Kovacs info@microlinux.fr:
- Squid's main logs are stored in /var/log/squid/access.log. I'd like to set up logfile rotation for that, since it can become quite big. How do you handle this? With Squid's internal 'logfile_rotate' directive or with logrotate? What I'd like to do is rotate this logfile about once a week.
The rpm should have configured logrotate: rpm -q --list squid |grep logrotate will show where the config file lands.
- Which user is Squid supposed to run as under CentOS? On my Slackware server I had the following:
cache_effective_user nobody
cache_effective_group nobody
What's an orthodox setting for CentOS?
The rpm should have created the squid user and group: rpm -q --scripts squid will show what it ran to do that.
- The access rules are a bit minimal. Do they seem OK to you for a LAN? Any suggestions?
Unless you want to restrict outbound access, the main thing is the acl to permit access from your local network source addresses (and no others). I'd recommend an external firewall or at least iptables blocking inbound internet access to port 3128 also.
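A logrotate policy for the weekly rotation asked about above, as an added example; it is not the file shipped by the CentOS squid rpm (compare it with whatever rpm -q --list squid shows) and assumes the stock log directory plus logfile_rotate 0 in squid.conf, so that only logrotate renames files and squid -k rotate merely reopens them.

```conf
# /etc/logrotate.d/squid (example policy, assumed layout)
/var/log/squid/access.log /var/log/squid/cache.log {
    # once a week, keeping eight weeks of history
    weekly
    rotate 8
    compress
    # leave the newest archive uncompressed until the next run,
    # in case Squid still has it open when logrotate renames it
    delaycompress
    missingok
    notifempty
    # do not pre-create the file: squid -k rotate opens a fresh one
    # with the ownership Squid expects (cache_effective_user)
    nocreate
    # run the script once for both files, not once per file
    sharedscripts
    postrotate
        # ask the running Squid to close and reopen its logs;
        # stay silent and succeed if Squid is not running
        /usr/sbin/squid -k rotate 2>/dev/null || true
        # give Squid a moment to finish writing before compression
        sleep 1
    endscript
}
```

Dry-run it with logrotate -d /etc/logrotate.d/squid before relying on it; a log that grows faster than expected can also be rotated on size with the maxsize directive.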
On 06/03/2015 21:08, Les Mikesell wrote:
The rpm should have configured logrotate: rpm -q --list squid |grep logrotate will show where the config file lands.
OK
The rpm should have created the squid user and group: rpm -q --scripts squid will show what it ran to do that.
OK
Unless you want to restrict outbound access, the main thing is the acl to permit access from your local network source addresses (and no others). I'd recommend an external firewall or at least iptables blocking inbound internet access to port 3128 also.
The LAN server here already has Iptables configured to redirect HTTP traffic to 3128 transparently.
Thanks for your detailed answer. That was very helpful!
Cheers,
Niki
Hey Niki,
On 07/03/2015 08:37, Niki Kovacs wrote:
The LAN server here already has Iptables configured to redirect HTTP traffic to 3128 transparently.
Which isn't actually good. You should route traffic to the proxy and on the proxy redirect into an "intercept" port which should be defined. If it works for you on port 3128 something is very wrong in your setup.
All The Bests, Eliezer
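The access rules from Niki's config with the tightening the replies point at, as an added example rather than anything posted in the thread or the CentOS default file: an explicit final deny, the cache-manager rules from the stock config (built-in localhost and manager acls, Squid 3.2 or later), the squid account the rpm creates, and a separate intercept port for the redirected traffic Eliezer describes. The port number 3129 and the comments are assumptions.

```conf
# /etc/squid/squid.conf (excerpt, example)
visible_hostname amandine.microlinux.lan

# Definitions
acl localnet src 192.168.2.0/24      # the office LAN, the only permitted client range
acl SSL_ports port 443
acl Safe_ports port 80               # http
acl Safe_ports port 21               # ftp
acl Safe_ports port 443              # https
acl Safe_ports port 1025-65535       # unregistered ports
acl CONNECT method CONNECT

# Access rules: first match wins, so the order matters
http_access deny !Safe_ports         # refuse requests to ports outside the allow-list
http_access deny CONNECT !SSL_ports  # CONNECT tunnels only towards 443
http_access allow localhost manager  # cache manager reachable from the proxy itself only
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all                 # explicit final deny instead of the last rule's opposite

# Ports: explicit proxy clients use 3128; the iptables REDIRECT on this
# host must send intercepted port 80 traffic to 3129, never to 3128
http_port 3128
http_port 3129 intercept

# Run as the account the rpm created, not nobody (assumed name: squid)
cache_effective_user squid
cache_effective_group squid

# Leave renaming to logrotate; squid -k rotate then only reopens the files
logfile_rotate 0
```

Check the result with squid -k parse before reloading, and keep 3128 and 3129 closed to the Internet side on the host firewall as Les recommends.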