[CentOS] Squid on CentOS 7: few questions

Fri Mar 6 18:29:02 UTC 2015
Niki Kovacs <info at microlinux.fr>

Hi,

I recently migrated my office's server from Slackware64 14.1 to CentOS 
7. Right now I'm in the process of configuring the Squid web proxy. I 
edited the default /etc/squid/squid.conf, and here's what I have so far:

--8<--------------------------------------------------
# /etc/squid/squid.conf

# Hostname of the Squid server
visible_hostname amandine.microlinux.lan

# Definitions
acl localnet src 192.168.2.0/24	# RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80		# http
acl Safe_ports port 21		# ftp
acl Safe_ports port 443		# https
acl Safe_ports port 70		# gopher
acl Safe_ports port 210		# wais
acl Safe_ports port 1025-65535	# unregistered ports
acl Safe_ports port 280		# http-mgmt
acl Safe_ports port 488		# gss-http
acl Safe_ports port 591		# filemaker
acl Safe_ports port 777		# multiling http
acl CONNECT method CONNECT

# Access rules
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet

# Proxy port
http_port 3128

# Cache size in RAM
cache_mem 256 MB

# Core dump directory
coredump_dir /var/spool/squid

# Lifetime of files without an expiration date
refresh_pattern ^ftp:		1440	20%	10080
refresh_pattern ^gopher:	1440	0%	1440
refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
refresh_pattern .		0
--8<--------------------------------------------------

The proxy is working as expected. I have a few questions for fine-tuning 
though.

1. Squid's main logs are stored in /var/log/squid/access.log. I'd like 
to set up logfile rotation for that, since it can become quite big. How 
do you handle this? With Squid's internal 'logfile_rotate' directive or 
with logrotate? What I'd like to do is rotate this logfile about once a 
week.

2. Which user is Squid supposed to run as under CentOS? On my Slackware 
server I had the following:

cache_effective_user nobody
cache_effective_group nobody

What's an orthodox setting for CentOS?

3. The access rules are a bit minimal. Do they seem OK to you for a LAN? 
Any suggestions?

Cheers,

Niki

-- 
Microlinux - 100% Linux and free software IT solutions
7, place de l'église - 30730 Montpezat
Web  : http://www.microlinux.fr
Mail : info at microlinux.fr
Tel. : 04 66 63 10 32
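
The following is an added example, not part of the original post and not Squid's own code: a small Python model of how the three http_access lines in the posted squid.conf are evaluated (first matching line wins, ACLs on one line are ANDed, and when nothing matches Squid applies the opposite of the last line's action). The function names and the sample requests are constructed for illustration.

```python
import ipaddress

# ACL definitions copied from the posted squid.conf
LOCALNET = ipaddress.ip_network("192.168.2.0/24")
SSL_PORTS = {443}
SAFE_PORTS = [(80, 80), (21, 21), (443, 443), (70, 70), (210, 210),
              (1025, 65535), (280, 280), (488, 488), (591, 591), (777, 777)]

ACLS = {
    "localnet": lambda r: ipaddress.ip_address(r["src"]) in LOCALNET,
    "SSL_ports": lambda r: r["port"] in SSL_PORTS,
    "Safe_ports": lambda r: any(lo <= r["port"] <= hi for lo, hi in SAFE_PORTS),
    "CONNECT": lambda r: r["method"] == "CONNECT",
}

# http_access lines in the order they appear in the posted file
RULES = [
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["localnet"]),
]

def acl_matches(term, req):
    """Evaluate one ACL name, honouring a leading '!' negation."""
    negate = term.startswith("!")
    hit = ACLS[term.lstrip("!")](req)
    return hit != negate

def http_access(req, rules=RULES):
    """Return (action, rule index); index is None for the implicit default."""
    for i, (action, terms) in enumerate(rules):
        if all(acl_matches(t, req) for t in terms):  # ACLs on one line are ANDed
            return action, i
    # No line matched: the result is the opposite of the last line's action.
    return ("deny" if rules[-1][0] == "allow" else "allow"), None

# Constructed sample requests (not taken from a real access.log)
SAMPLES = [
    {"src": "192.168.2.10", "method": "GET", "port": 80},        # LAN web request
    {"src": "192.168.2.10", "method": "CONNECT", "port": 443},   # LAN HTTPS tunnel
    {"src": "192.168.2.10", "method": "CONNECT", "port": 8443},  # tunnel to non-SSL port
    {"src": "192.168.2.10", "method": "GET", "port": 25},        # port not in Safe_ports
    {"src": "10.0.0.5", "method": "GET", "port": 80},            # client outside localnet
]

if __name__ == "__main__":
    for req in SAMPLES:
        print(req, "->", http_access(req))
```

With the posted rules the fall-through for a client outside localnet is a deny only because the last line is an allow. Ending the list with an explicit `http_access deny all`, as the stock squid.conf does, keeps that outcome from depending on whichever rule happens to be last.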