Squid configuration

Squid config is present in the following files:
  1. /etc/squid.conf Squid configuration file
  2. /usr/share/squid/errors/* Error messages
Further doc is available at squid's site: http://www.squid-cache.org/.


This file is normally supplied by the SuSE .rpm, and only a handful of settings need to be changed manually. Other settings are maintained by webmin. The followin diff -u listing shows which one should change. In this listing, lines present in original SuSE config are marked with -, whereas lines in our config are marked with +. Lines with nothing are unchanged.

--- /etc/squid.conf.rpmnew	Sat Nov 20 17:13:55 1999
+++ /etc/squid.conf	Sat Mar  3 20:38:47 2001
@@ -294,8 +294,8 @@
 #	There is no default.  We recommend you uncomment the following
 #	two lines.
-#acl QUERY urlpath_regex cgi-bin \?
-#no_cache deny QUERY
+acl QUERY urlpath_regex cgi-bin \?
+no_cache deny QUERY
Modifications recommended by comments: do not cache pages whose URL contains a question mark (likely to be a dynamically generated page, which is pointless to cache)

@@ -434,6 +434,7 @@
 #	disable it.
 #cache_store_log /var/squid/logs/store.log
+cache_store_log none
 #  TAG: cache_swap_log
 #	Location for the cache "swap.log."  This log file holds the
Modifications recommended by comments: do not maintain this logfile, as there are no tools for exploiting it anyways

@@ -638,7 +639,7 @@
 #	authenticate_program /usr/bin/ncsa_auth /usr/etc/passwd
-#authenticate_program none
+authenticate_program /usr/bin/smb_auth -W keller
 #  TAG: authenticate_children
 #	The number of authenticator processes to spawn (default 5). If you
Authentication program used to connect to Samba server of the keller domain to verify user's passwords

@@ -889,7 +890,7 @@
 #	This option may be disabled by using --disable-ident with
 #	the configure script.
-#ident_timeout 10 seconds
+ident_timeout 10 seconds
 #  TAG: shutdown_lifetime	time-units
 #	When SIGTERM or SIGHUP is received, the cache is put into
Modifications recommended by comments: provide timeout for the case where ident is too slow to answer

@@ -996,6 +997,40 @@
 acl SSL_ports port 443 563
 acl Safe_ports port 80 21 443 563 70 210 1025-65535
+deny_info ERR_PASSWORD_FAILED password
+deny_info ERR_LOCKED_USER lockedUsers
+deny_info ERR_LOCKED_USER identLockedUsers
+deny_info ERR_IDENT_FAILED ident
+deny_info ERR_MSIE_SUCKS msie
+deny_info ERR_TRANSP_FAILED explicit 
+deny_info ERR_CENSORED_SITE censoredDomains
+deny_info ERR_CENSORED_SITE censoredIps
+deny_info ERR_LTNB_FAILED localNets
Error messages to be displayed when the corresponding access control list fails. deny_info file acl
Displays error message contained in /usr/share/squid/errors/file for requests failed because of acl. If the failing rule contained multiple ACL's, the last ACL in the rule is considered to be the reason of failure. For example, if a requests is rejected because of the rule http_access deny !surfServers !password, the message displayed is the one corresponding to password



The following changes are maintained by Webmin.

First come the acl lines. They define an access control list, which may later be used in a rule. An access control list by itself just defines a set of queries, without saying yet at this point whether these queries should fail or succeed. Acl have the following syntax:

acl name kind item1 item2 ... itemn

item explanation
name name used to refer to this acl in a deny_info or http_access clause
kind which kind of condition this acl describes:
browser browser used by client (matched as substring)
proxy_auth user as identified by proxy authentication dialog
ident user as identified by Unix ident
dstdom_regex domain part of URL, matched by regular expression
src client's ip
dst Requested web server's ip
myip Squid's ip (may vary, if squid server is multi-homed, or if transparent proxies are in use)
port Requested web server's port
data values that the given parameter can take. The acl is matched if (at least) one value of the list corresponds (logical or)

+acl explicit myip
Matches any request which is addressed to the proxy host (all requests should). Used to detect implicit proxy requests, which appear to be addressed to the Web server, rather than the proxy host.

+acl msie browser MSIE
Block request from inferior browsers.

+acl password proxy_auth REQUIRED
Requires user to identity himself by password

+acl ident ident REQUIRED
Requires user to be identifies by Unix ident

+# WEBMIN: Users that are not allowed to surf
+acl lockedUsers proxy_auth root root2 testel51 xxxxxxxx xxxxxxxx xxxxxxxx xxxxxx
+acl identLockedUsers ident root root2 testel51 xxxxxxxx xxxxxxxx xxxxxxxx xxxxxx
Users who are not allowed to surf, either for technical reason (root, ...) or for disciplinary reasons (testel51)

+# WEBMIN: Censored domains
+acl censoredDomains dstdom_regex ^none$ rotten\.com freudin\.com whitehouse\.com area\.com rwx\.com he\.net is-europe\.net freevideochat\.com via\.net go\.to luxusbuerg\.lu www\.luxusbuerg\.lu
Censored domains

+# WEBMIN: Censored IP addresses
+acl censoredIps dst
Domains blocked by IP address

+# WEBMIN: Clients which may connect without a password, and without
+# WEBMIN: any other destination restriction
+acl unfilteredClients src
Clients which are not filtered (no need to enter username/password, no restriction on places to surf to)

+# WEBMIN: Linux "compute servers" which run netscape, and which may connect
+# WEBMIN: without a password but can only go to allowed destinations
+acl surfServers src
Unix hosts, on which users are identified by identd, rather than username/password.


Now come the actual access control lists, which say which actions are allowed or denied depending on the acls which the query is in.

http_access deny/allow lists
Denies/Allows access to all requests matching all ACL's in the list (logical AND). The http_access commands are "executed" in order. The action (deny or allow) corresponding to the first http_access which matches a given request is taken.

 #  TAG: http_access
 #	Allowing or Denying access based on defined access lists
@@ -1023,9 +1058,31 @@
 http_access deny manager
 http_access deny !Safe_ports
 http_access deny CONNECT !SSL_ports
+http_access deny msie
Deny access from inferior browsers.

+http_access deny !localNets
Deny any access not coming from a local net. Indeed, we do not want our proxy to be used by people connecting from other sites, which might use it for "connection laundering".

+# WEBMIN: Hosts allowed to connect without restriction
+http_access allow unfilteredClients
Allow access from unfiltered clients without any further checks.

+# WEBMIN: Deny access for transparent proxy
+http_access deny !explicit
Deny any access which uses this as an implicit proxy. This is because any clients coming to this point are filtered clients, for which the user needs to be authenticated, and authentication does not work when operating as an implicit proxy.

+# WEBMIN: Deny access without password
+http_access deny !surfServers !password
Surf servers are Unix hosts such as those in the conference and in physics. If the connection does not come from one of those, and if no password is supplied, refuse. Basically, this rule says that for non-Unix hosts, we must check the password.

+http_access deny !surfServers lockedUsers
If the request came from a non-Unix host, and corresponds to a locked user, refuse access.

+http_access deny surfServers !ident
If the access came from a Unix host, and the user could not be identified, using identd refuse. Basically, this rule says that for Unix hosts, we must check identd.

+http_access deny surfServers identLockedUsers
If the request came from a Unix host, and corresponds to a locked user, refuse access.

This is similar to the rule above; the reason why there are two different rules rather than one for both cases is because the ACL contains the method how the user has been identified, which is different for both cases.

+# WEBMIN: More restrictions
+http_access deny censoredDomains
+http_access deny censoredIps
Refuse request to domains or IP addresses which are censored.

+# WEBMIN: Allow everything which is not forbidden
+http_access allow !surfServers password
If the request came from a non surf server, and a password has been supplied, allow it.

+http_access allow surfServers
 http_access deny all
 #  TAG: icp_access
If the request came from a surf server, allow it

Error message files

They are stored in /usr/share/squid/errors/* and are displayed whenever an ACL covered by a deny_info clause fails