Implementing Squid Web Cache in OpenBSD

Squid is a web caching proxy software, which is managed between a web browser and a server. Squid proxy fetches documents from the server on behalf of the browser, so it can speed up web access by saving frequently requested pages and serving them from its cache. Additionally, Squid proxy can also be used to filter pop-up ads and malware or to enforce access control (which clients can request what pages based on different authentication methods).

Traditionally, a proxy server is an optional component, and the browser is configured to use a proxy from a Squid server. A transparently configured Squid proxy means forcing all web traffic through the proxy without the client's cooperation (or knowledge). Once all browser connections pass through the proxy, outbound connections to external hosts can be restricted to the proxy, and direct connections from local clients can be blocked.

You can experience Squid's capabilities directly if you use the OpenBSD packet filter (pf), because OpenBSD PF can be used to redirect connections based on various criteria, including source and destination addresses and ports. For example, one could redirect all TCP connections with destination port 80 (HTTP) coming through an interface connected to a local workstation to a Squid proxy running on a different address and port.

Since the destination address is decoded for the connection, the Squid proxy needs some way to find the initial destination address of the web server to retrieve the document. If the client sends an HTTP 1.1-compliant Host: header in its HTTP request, then Squid will use the specified host. Legacy clients do not provide a Host: header, in which case Squid can ask the packet filter about the original destination address of the routed connection. The latter approach requires the proxy to run on the firewall itself, otherwise the proxy could run on a separate host.

This article will explain how to install and configure Squid proxy on OpenBSD 7.5.


1. Installing Squid Proxy

Squid is available in a PKG package and an OpenBSD port. You can choose from a standard build, or a build with Kerberos using Heimdal. In this article, we will install the Squid proxy from the standard build or by using the OpenBSD PKG package. Run the following command to start installing Squid proxy.

Update OpenBSD packages
ns3# pkg_add -uvi
Install Squid Proxy
ns3# pkg_add squid
quirks-7.14 signed on 2024-03-17T12:22:05Z
Ambiguous: choose package for squid
a	0: <None>
	1: squid-6.8v0
	2: squid-6.8v0-krb5
Your choice: 1
squid-6.8v0:gmp-6.3.0: ok
squid-6.8v0:libnettle-3.9.1: ok
squid-6.8v0:libtasn1-4.19.0: ok
squid-6.8v0:libffi-3.4.4p1: ok
squid-6.8v0:p11-kit-0.25.3: ok
squid-6.8v0:brotli-1.0.9p0: ok
squid-6.8v0:gnutls-3.8.3p0: ok
squid-6.8v0:tdb-1.4.9p1: ok
squid-6.8v0: ok
The following new rcscripts were installed: /etc/rc.d/squid
See rcctl(8) for details.
New and changed readme(s):
	/usr/local/share/doc/pkg-readmes/squid
To complete the Squid program so that it can run perfectly on OpenBSD, you should also install Squid dependencies, as in the following example.

Install Squid dependencies
ns3# pkg_add check_squid debug-squid
After that, you activate the Squid package with the rcctl command.

Activate Squid Proxy
ns3# rcctl enable squid


2. Configuring Squid Proxy

After the installation process is complete, all Squid files are stored in the /etc/squid directory. Before you continue configuring Squid proxy, you should first run the command below.

Create cache directory
ns3# squid -z -N
The main configuration file for Squid is located at /etc/squid/squid.conf, you will need to make at least the following changes from the default configuration.

Script /etc/squid/squid.conf
acl localnet src 0.0.0.1-0.255.255.255	# RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8		# RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10		# RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16 	# RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12		# RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16		# RFC 1918 local private network (LAN)
acl localnet src fc00::/7       	# RFC 4193 local private network range
acl localnet src fe80::/10      	# RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80		# http
acl Safe_ports port 21		# ftp
acl Safe_ports port 443		# https
acl Safe_ports port 70		# gopher
acl Safe_ports port 210		# wais
acl Safe_ports port 1025-65535	# unregistered ports
acl Safe_ports port 280		# http-mgmt
acl Safe_ports port 488		# gss-http
acl Safe_ports port 591		# filemaker
acl Safe_ports port 777		# multiling http

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet manager
http_access deny manager
http_access allow localnet
http_access deny to_localhost
http_access deny to_linklocal
http_access deny all

http_port 192.168.5.3:3128
access_log /var/squid/logs/access.log
cache_log /var/squid/logs/cache.log
cache_store_log none
cache_dir ufs /var/squid/cache 100 16 256
coredump_dir /var/squid/cache

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:		1440	20%	10080
refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
refresh_pattern .		0	20%	4320
In the script "http_port 192.168.5.3:3128", you can replace the IP 192.168.5.3 with the private IP of your OpenBSD server. After that, you run Squid proxy.

Run Squid Proxy
ns3# rcctl restart squid
squid(ok)
squid(ok)
If the words "squid(ok)" appear, it means that your Squid proxy server is running and you can use it in the Google Chrome web browser or other web browser.
Iwan Setiawan

I Like Adventure: Mahameru Mount, Rinjani Mount I Like Writer FreeBSD

Post a Comment

Previous Post Next Post