February 16, 2019

Do-It-Yourself Caching: Squid 2.3 - page 5

Why Caching is Essential

  • February 29, 2000
  • By Lisa Phifer

Many squid.conf options require use of Access Control Lists (ACLs). Each ACL consists of a name, type and value (a string or filename). ACL types include source or destination IP address, domain, or domain regular expression, hours, days, URL, port, protocol, method, username or type of browser. ACLs can also require user authentication, specify an SNMP read community string or set a TCP connection limit.

HTTP processing depends upon http_access config statements that allow or deny requests, filtered by ACL. The default config permits manager access by the localhost, blocks HTTP or SSL access to "unsafe" ports, and denies all other access. This default config must be relaxed to permit client access. We defined ACLs representing local subnets, and allowed access by any request originating from our subnets. We also blocked access from one local host, and permitted authenticated user access from anywhere else.

User authentication can be performed in two ways: authorized users can be enumerated in squid.conf, or a proxy authentication "helper" can be identified. Several proxy programs are supplied with Squid 2.3 source, including NCSA, LDAP, Windows NT and SMB. A RADIUS proxy can also be found on the Squid web site. When authentication is enabled, Squid prompts the client for login/password, relays client input to the proxy program and uses the result (ERR or OK) to accept or reject the client request. Proxies like this allow simple integration with existing authentication servers.

We tried NCSA authentication. Simply make, install and add the following statements to squid.conf:

acl password proxy_auth REQUIRED
http_access allow password
authenticate_program /usr/local/squid/bin/ncsa_auth

NCSA authentication requires an encrypted password file. Before reconfiguring Squid to use NCSA, we created the file /usr/local/etc/httpd/users by using Apache's htpasswd utility. We also tried MSNT authentication, but didn't have any luck getting the proxy to talk to our NT domain controller (probably a config error; we didn't debug the problem).

Squid ACLs are referenced in many config statements, including icp_access, miss_access and cache_peer_access (all provide hierarchy control), deny_info (customizes error messages) and always_direct (configures cache bypasses). For example:

acl bypassed-svr dst
always_direct allow bypassed-svr

These ACLs are very granular and provide lots of flexibility, but Squid lacks the group-level control you can find in other caching tools, such as the Network Appliance NetCache.

Squid also supports Redirectors that can be used to block access to "undesirable" sites. Just identify a redirect_program in your squid.conf. Squid will forward incoming requests to that program so that content filters can be applied. A few open source Redirectors like Squirm, SquidGuard and Ad Zapper can be downloaded by following links from the Squid home page.

Most Popular LinuxPlanet Stories