
Peer your proxy with MetaNet users!

Squid

Resolving name problems

Having problems that http://brian/wherever/whatever doesn't resolve in Squid? This is caused by Squid running its own DNS resolver instead of using gethostbyname(3). It pulls the IPs of the name servers out of resolv.conf(5). Add a line like this to your squid.conf:
append_domain .yourdomain.tla

Any hostname without a dot in it will get that domain appended to it; everything works nicely all of a sudden.


Log Analysis (sarg)

sarg is a log file analyser for Squid. It's partially useful. MattBrown is writing a better one for the WAND group which he is planning on releasing under an OpenSource license.

Sarg is a reasonably nice tool for generating nice reports for your squid logs. I have only two problems with it currently.

  • Dates on reports spanning weeks or months are often wrong - all the data is there but the title of the report says it only covers 2-5 days.
  • Only shows reports of the percentage of traffic that was/was not served from the cache. Does not give an actual byte count. Sure it is easy to calculate it from the total but it would be even easier if it did it for me.

To get around the above limitation with sarg not reporting the amount of traffic fetched you can enable SNMP on squid with the following config options

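# ACL matching the SNMP community string; pick your own value rather than "private"
acl snmp_private snmp_community private
# UDP port Squid's SNMP agent listens on
snmp_port 3401
# only the community above, and only from localhost, may query
snmp_access allow snmp_private localhost
snmp_access deny all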

Note that squid listens on a non-standard SNMP port by default which means that things like PHP will refuse to talk to it. You can specify that squid should listen on 161? or whatever the standard SNMP port is and then proxy requests through to your normal SNMPD but that seems kinda icky to me.

So once you have squid giving out SNMP data you can use the following scripts to generate some summaries from it.

squid-current-users
squid-snmp-get
squid-traffic-stats


To set things up so that your web browsers auto detect your proxy server, investigate WPAD, the Web Proxy Auto Detection script.


Filtering

ACLs in squid

When specifying ACLs, don't set more than one type of ACL on a single acl line. Squid ignores them.

e.g.:
acl lab proxy_auth labuser src 192.168.2.0/32
acl denylab proxy_auth labuser
....
http_access allow lab
http_access deny denylab

doesn't work. Instead:
acl labuser proxy_auth labuser
# the address ACL gets its own line and the src type
acl labmachines src 192.168.2.0/32
....
http_access allow labuser labmachines
http_access deny labuser

will do the trick.
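
A small lint for the mistake described above, as an added example that is not part of the original page or of Squid itself: it flags acl lines that carry a second ACL type keyword, an ACL name reused with a different type, and access rules that name an ACL that was never defined. The function name, the keyword subset, the list of predefined ACL names and the sample configs are assumptions made for the example.

```python
# Constructed subset of Squid ACL type keywords; extend it for your config.
ACL_TYPES = {"src", "dst", "srcdomain", "dstdomain", "proxy_auth", "port",
             "proto", "method", "time", "url_regex", "snmp_community"}
ACCESS_DIRECTIVES = {"http_access", "snmp_access", "icp_access"}
# Assumption: ACL names your Squid version predefines; empty this set if
# your squid.conf has to define them itself.
BUILTIN = {"all", "localhost"}

def lint_squid_acls(conf_text):
    """Return sorted (line_no, message) findings for squid.conf text."""
    findings, defined = [], {}
    # Tokenise every line once, dropping anything after '#'.
    rows = [(no, raw.split("#", 1)[0].split())
            for no, raw in enumerate(conf_text.splitlines(), 1)]
    for no, tok in rows:
        if len(tok) >= 3 and tok[0] == "acl":
            name, acl_type, values = tok[1], tok[2], tok[3:]
            mixed = [v for v in values if v in ACL_TYPES]
            if mixed:  # a second ACL type on the same acl line
                findings.append((no, f"acl {name}: {mixed} given as {acl_type} values"))
            if defined.setdefault(name, acl_type) != acl_type:
                findings.append((no, f"acl {name}: type {acl_type} conflicts with {defined[name]}"))
    for no, tok in rows:
        if len(tok) >= 3 and tok[0] in ACCESS_DIRECTIVES and tok[1] in ("allow", "deny"):
            for ref in tok[2:]:
                name = ref.lstrip("!")  # "!name" negates an ACL
                if name not in defined and name not in BUILTIN:
                    findings.append((no, f"{tok[0]}: acl {name} is not defined"))
    return sorted(findings)

# Constructed sample inputs: the non-working ACL lines from above, a form
# with one type per acl line, and a rule naming an ACL that does not exist.
BAD = """acl lab proxy_auth labuser src 192.168.2.0/32
acl denylab proxy_auth labuser
http_access allow lab
http_access deny denylab"""
GOOD = """acl labuser proxy_auth labuser
acl labmachines src 192.168.2.0/32
http_access allow labuser labmachines
http_access deny labuser"""
UNDEFINED = """acl snmp_private snmp_community private
snmp_access allow snmp_public localhost
snmp_access deny all"""

if __name__ == "__main__":
    for label, conf in (("BAD", BAD), ("GOOD", GOOD), ("UNDEFINED", UNDEFINED)):
        print(label, lint_squid_acls(conf))
```

Run it over the text of your own squid.conf before reloading Squid; an empty list means none of the three problems was found.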

Content Blocking

Investigate the following blacklists:

Funny how both have GPL with extra clauses...


More Info

Here are some other notes on Squid, SNMP and MRTG. This shows sample MRTG config options for graphing some of the info. Note that you can get MRTG to talk directly to Squid's non-standard SNMP port.