[CentOS] Squid on CentOS 7: few questions

Les Mikesell lesmikesell at gmail.com
Fri Mar 6 20:08:48 UTC 2015


2015-03-06 12:29 GMT-06:00 Niki Kovacs <info at microlinux.fr>:
>
> I recently migrated my office's server from Slackware64 14.1 to CentOS 7.
> Right now I'm in the process of configuring the Squid web proxy. I edited
> the default /etc/squid/squid.conf, and here's what I have so far:
>
> --8<--------------------------------------------------
> # /etc/squid/squid.conf
>
> # Hostname of the Squid server
> visible_hostname amandine.microlinux.lan
>
> # Definitions
> acl localnet src 192.168.2.0/24 # RFC1918 possible internal network
> acl SSL_ports port 443
> acl Safe_ports port 80          # http
> acl Safe_ports port 21          # ftp
> acl Safe_ports port 443         # https
> acl Safe_ports port 70          # gopher
> acl Safe_ports port 210         # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280         # http-mgmt
> acl Safe_ports port 488         # gss-http
> acl Safe_ports port 591         # filemaker
> acl Safe_ports port 777         # multiling http
> acl CONNECT method CONNECT
>
> # Access rules
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localnet
>
> # Proxy port
> http_port 3128
>
> # Cache size in RAM
> cache_mem 256 MB
>
> # Core dump directory
> coredump_dir /var/spool/squid
>
> # Lifetime of files without an expiration date
> refresh_pattern ^ftp:           1440    20%     10080
> refresh_pattern ^gopher:        1440    0%      1440
> refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
> refresh_pattern .               0
> --8<--------------------------------------------------
>
> The proxy is working as expected. I have a few questions for fine-tuning
> though.
>
> 1. Squid's main logs are stored in /var/log/squid/access.log. I'd like to
> set up logfile rotation for that, since it can become quite big. How do you
> handle this? With Squid's internal 'logfile_rotate' directive or with
> logrotate? What I'd like to do is rotate this logfile about once a week.

The rpm should have configured logrotate:
rpm -q --list squid |grep logrotate
will show where the config file lands.

> 2. Which user is Squid supposed to run as under CentOS? On my Slackware
> server I had the following:
>
> cache_effective_user nobody
> cache_effective_group nobody
>
> What's an orthodox setting for CentOS?

The rpm should have created the squid user and group:
rpm -q --scripts squid
will show what it ran to do that.

> 3. The access rules are a bit minimal. Do they seem OK to you for a LAN? Any
> suggestions?

Unless you want to restrict outbound access, the main thing is the acl
to permit access from your local network source addresses (and no
others). I'd recommend an external firewall or at least iptables
blocking inbound internet access to port 3128 also.

-- 
  Les Mikesell
    lesmikesell at gmail.com
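As an added example that is not part of this thread, the following Python script evaluates the quoted http_access rules the way Squid does (first matching line wins, every ACL on a line must match, and when no line matches the default is the opposite of the last line), so the "LAN only" intent of the policy can be checked against sample requests before the proxy is exposed on port 3128. The embedded configuration is a constructed copy of the ACL and http_access lines quoted above; only the src, port and method ACL types used there are implemented, and the built-in "all" ACL is treated as matching everything.

```python
import ipaddress

# Constructed copy of the access-control part of the posted squid.conf.
# Comments and non-ACL directives (ports, cache, refresh_pattern) are omitted.
SAMPLE_CONF = """
acl localnet src 192.168.2.0/24
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
"""


def parse_conf(text):
    """Return (acls, rules): acls maps name -> (type, values);
    rules is a list of (action, [(negated, acl_name), ...])."""
    acls = {}
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl" and len(parts) >= 4:
            name, acl_type, values = parts[1], parts[2], parts[3:]
            entry = acls.setdefault(name, (acl_type, []))
            if entry[0] != acl_type:
                raise ValueError(f"acl {name} redefined with type {acl_type}")
            entry[1].extend(values)  # repeated 'acl' lines accumulate values
        elif parts[0] == "http_access" and len(parts) >= 2:
            terms = [(t.startswith("!"), t.lstrip("!")) for t in parts[2:]]
            rules.append((parts[1], terms))
    return acls, rules


def acl_matches(acls, name, request):
    """True if the named ACL matches the request dict (src, port, method)."""
    if name == "all":  # Squid's built-in match-everything ACL
        return True
    acl_type, values = acls[name]
    if acl_type == "src":
        ip = ipaddress.ip_address(request["src"])
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if acl_type == "port":
        for v in values:  # single port "443" or range "1025-65535"
            lo, _, hi = v.partition("-")
            if int(lo) <= request["port"] <= int(hi or lo):
                return True
        return False
    if acl_type == "method":
        return request["method"].upper() in {v.upper() for v in values}
    raise ValueError(f"unsupported acl type {acl_type}")


def evaluate(acls, rules, request):
    """Apply http_access lines in order; all ACLs on a line must match."""
    for action, terms in rules:
        if all(acl_matches(acls, n, request) != neg for neg, n in terms):
            return action
    if not rules:
        return "deny"
    # No line matched: Squid's default is the opposite of the last line.
    return "deny" if rules[-1][0] == "allow" else "allow"


def decide(conf_text, src, port, method="GET"):
    acls, rules = parse_conf(conf_text)
    return evaluate(acls, rules, {"src": src, "port": port, "method": method})


def ends_with_explicit_deny(rules):
    """True when the policy closes with 'http_access deny all', which makes
    the implicit default visible instead of relying on the last line."""
    return bool(rules) and rules[-1] == ("deny", [(False, "all")])


if __name__ == "__main__":
    # Constructed sample requests: LAN and non-LAN sources, plain and CONNECT.
    cases = [("192.168.2.10", 80, "GET"), ("192.168.2.10", 443, "CONNECT"),
             ("192.168.2.10", 8443, "CONNECT"), ("192.168.2.10", 22, "GET"),
             ("203.0.113.7", 80, "GET")]
    for src, port, method in cases:
        print(f"{method:8s} from {src:14s} to port {port:5d}: "
              f"{decide(SAMPLE_CONF, src, port, method)}")
    _, rules = parse_conf(SAMPLE_CONF)
    print("explicit final deny all:", ends_with_explicit_deny(rules))
```

Running it shows the quoted policy already denies a request from outside 192.168.2.0/24 (because the last line is an allow, the implicit default is deny) and denies CONNECT to anything but port 443 from the LAN; appending `http_access deny all` gives the same results while making the closing decision explicit in the file. The firewall rule on port 3128 that Les recommends still matters, since it stops the traffic before Squid has to evaluate it at all.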



More information about the CentOS mailing list