Public domain
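# Build and install Squid 3.1.12 from source (run as root).
# The tarball is fetched over plain HTTP, so it is verified against a digest
# obtained out-of-band before anything is unpacked; otherwise a tampered
# mirror or an on-path modification ends up compiled and installed as root.
SQUID_VER=3.1.12
SQUID_TARBALL="squid-${SQUID_VER}.tar.gz"
# Placeholder, not a real digest: paste the published sha256 of the tarball
# here. While it is unset the check below fails closed and nothing is built.
SQUID_SHA256="<sha256 of ${SQUID_TARBALL} from the Squid release announcement>"
cd /usr/src || exit 1
wget -c "http://www.squid-cache.org/Versions/v3/3.1/${SQUID_TARBALL}" || exit 1
# Refuse to continue if the download does not match the expected digest.
echo "${SQUID_SHA256}  ${SQUID_TARBALL}" | sha256sum -c - || exit 1
tar xf "${SQUID_TARBALL}" || exit 1
cd "squid-${SQUID_VER}" || exit 1
# Raise the open-file and data-segment limits for the build shell; rc.squid
# raises the same limits again before the daemon is started.
ulimit -HSn 16384
ulimit -HSd unlimited
# --with-filedescriptors must agree with the ulimit above and with rc.squid.
./configure \
--prefix=/usr/local/squid \
--enable-forward-log \
--enable-follow-x-forwarded-for \
--enable-snmp \
--enable-linux-netfilter \
--enable-http-violations \
--enable-delay-pools \
--enable-storeio=diskd,aufs,ufs \
--with-large-files \
--enable-large-cache-files \
--with-filedescriptors=16384 \
--enable-async-io=128 \
--enable-removal-policies=lru,heap \
--enable-useragent-log \
--enable-referer-log \
--enable-err-languages=English \
--enable-default-err-language=English \
--enable-zph-qos \
&& make && make install
# Keep a pristine copy of the stock configuration before editing it.
cp /usr/local/squid/etc/squid.conf{,.bak}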
# Minimum ACL configuration
# http_access rules are evaluated top to bottom and the first matching rule
# decides, so the order of the rules in this section matters.
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
# (without this rule CONNECT could be used to tunnel arbitrary TCP through the proxy)
http_access deny CONNECT !SSL_ports
# Protect innocent web applications running on the
# proxy server who think the only one who can access
# services on "localhost" is a local user
http_access deny to_localhost
# Clients access rules
# Only these two client networks may use the proxy; together with the final
# "deny all" this keeps the listener from acting as an open proxy even if it
# is reachable from other networks.
acl localnet src 192.168.93.0/24 192.168.168.0/24
http_access allow localnet
http_access allow localhost
# Finally deny all other access to this proxy
http_access deny all
# Deny all ICP requests to this proxy
icp_access deny all
# Deny all HTCP requests to this proxy
htcp_access deny all
# Squid normal transparent listener
# "intercept" is for traffic NAT-redirected to this port (the iptables
# REDIRECT rule in rc.local). NOTE(review): clients configured to use the
# proxy explicitly are normally served on a separate plain http_port —
# confirm whether that is needed here.
http_port 3128 intercept
# Override /etc/resolv.conf
# Squid's internal resolver queries this server directly (plain UDP DNS).
dns_nameservers 85.185.14.9
# Protect dynamic content
hierarchy_stoplist cgi-bin ? dll aspx
# Cache memory should be at most half of RAM size in MB
# NOTE(review): cache_mem covers only in-memory objects; the index of the
# 4 x 50 GB cache_dirs below also lives in RAM (rule of thumb roughly
# 10-14 MB per GB of disk cache), so total usage on a host with ~3.9 GB
# may exceed physical memory — confirm against observed RSS.
cache_mem 2048 MB
# These objects should be kept in memory
maximum_object_size_in_memory 20 KB
# Which objects are replaced when memory space is needed
cache_replacement_policy heap LFUDA
memory_replacement_policy heap LFUDA
# Disk swap directories
# aufs <dir> <size in MB> <L1 dirs> <L2 dirs>; aufs uses the async I/O
# threads enabled at build time (--enable-async-io=128).
cache_dir aufs /cache/1 51200 256 1024
cache_dir aufs /cache/2 51200 256 1024
cache_dir aufs /cache/3 51200 256 1024
cache_dir aufs /cache/4 51200 256 1024
# These objects should be kept on hard disk
maximum_object_size 65536 KB
# Water marks for cache object replacement
# Object removal starts once usage passes the low mark and becomes more
# aggressive as it approaches the high mark.
cache_swap_high 95
cache_swap_low 93
# Logfile format
# Named "squid" so the access_log line below can refer to it.
logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt
# Access log address
access_log /usr/local/squid/var/logs/access.log squid
# Number of old logfiles
# 0 means "squid -k rotate" only closes and re-opens the log files without
# renaming them; renaming/compressing is left to logrotate.
logfile_rotate 0
# Watchdog configs
#acl watchdog src 192.168.93.1
#log_access deny watchdog
# Leave coredumps in the first cache dir
coredump_dir /cache/1
# Whether to keep fetching an object after the client aborts the download
quick_abort_min 16 KB
quick_abort_max 16 KB
quick_abort_pct 98
# Time-to-Live for failed requests
negative_ttl 3 minutes
# How long to cache positive DNS responses
positive_dns_ttl 1 hours
# Maximum size for HTTP headers
request_header_max_size 100 KB
# Shutdown pending time
shutdown_lifetime 15 seconds
# Administrator
# This address is shown to clients on error pages.
cache_mgr Pejman_Moghadam@yahoo.com
# Hostname
visible_hostname CacheServer
# Don't show version in error pages
httpd_suppress_version_string on
# Custom error pages
#error_directory /usr/local/squid/share/errors/mine/
# SNMP settings for MRTG access
# "public" is the well-known default community and SNMP v1/v2c communities
# travel in clear text; the mrtg ACL limits who may query, so also restrict
# udp/3401 at the firewall to the MRTG host and prefer a non-default community.
acl mrtg src 172.16.20.1 127.0.0.1
acl snmppublic snmp_community public
snmp_access allow snmppublic mrtg
snmp_access deny all
snmp_port 3401
# Inter Cache Communication Protocol
icp_port 0
# Hyper Text Caching Protocol discovery
htcp_port 0
# Water marks for the IP cache
ipcache_size 40960
ipcache_high 95
ipcache_low 90
# Parallel requests from a pipeline.
pipeline_prefetch on
# Close immediately half-closed connections
half_closed_clients off
# Transparent Headers
# Leave X-Forwarded-For untouched and send no Via header, so origin servers
# do not see this proxy in the request headers.
forwarded_for transparent
via off
# Mark HIT packets
# Sets the TOS/DSCP value on cache hits (needs --enable-zph-qos at build time).
qos_flows local-hit=0x30
# Purge: squidclient -m PURGE http://www.google.com
# Cache purging is only permitted from the proxy host itself.
acl purge method PURGE
http_access allow purge localhost
http_access deny purge
# Web Services workaround
ignore_expect_100 on
# Maximum connection limit of single client IP
#client_ip_max_connections -1
# Refresh patterns (refresh-ims)
# Patterns are tried in order and the first match wins, so the file-type
# rules here take precedence over the generic "." rule at the end. Values are
# <min minutes> <percent> <max minutes>; -i makes the regex case-insensitive.
# Image files
refresh_pattern -i \.png$ 10080 90% 43200
refresh_pattern -i \.gif$ 10080 90% 43200
refresh_pattern -i \.jpg$ 10080 90% 43200
refresh_pattern -i \.jpeg$ 10080 90% 43200
refresh_pattern -i \.bmp$ 10080 90% 43200
refresh_pattern -i \.tif$ 10080 90% 43200
refresh_pattern -i \.tiff$ 10080 90% 43200
# Compressed files
refresh_pattern -i \.zip$ 10080 90% 43200
refresh_pattern -i \.rar$ 10080 90% 43200
refresh_pattern -i \.tar$ 10080 90% 43200
refresh_pattern -i \.gz$ 10080 90% 43200
refresh_pattern -i \.tgz$ 10080 90% 43200
refresh_pattern -i \.z$ 10080 90% 43200
refresh_pattern -i \.arj$ 10080 90% 43200
refresh_pattern -i \.lha$ 10080 90% 43200
refresh_pattern -i \.lzh$ 10080 90% 43200
# Binary files
refresh_pattern -i \.exe$ 10080 90% 43200
refresh_pattern -i \.msi$ 10080 90% 43200
# Multimedia files
refresh_pattern -i \.mp3$ 10080 90% 43200
refresh_pattern -i \.wav$ 10080 90% 43200
refresh_pattern -i \.mid$ 10080 90% 43200
refresh_pattern -i \.midi$ 10080 90% 43200
refresh_pattern -i \.ram$ 10080 90% 43200
refresh_pattern -i \.ra$ 10080 90% 43200
refresh_pattern -i \.mov$ 10080 90% 43200
refresh_pattern -i \.avi$ 10080 90% 43200
refresh_pattern -i \.wmv$ 10080 90% 43200
refresh_pattern -i \.mpg$ 10080 90% 43200
refresh_pattern -i \.mpeg$ 10080 90% 43200
refresh_pattern -i \.swf$ 10080 90% 43200
# Document files
refresh_pattern -i \.pdf$ 10080 90% 43200
refresh_pattern -i \.ps$ 10080 90% 43200
refresh_pattern -i \.doc$ 10080 90% 43200
refresh_pattern -i \.ppt$ 10080 90% 43200
refresh_pattern -i \.pps$ 10080 90% 43200
# Default patterns
# Dynamic content (cgi-bin or a query string) is never considered fresh.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
#!/bin/bash
#
# /etc/rc.d/rc.squid
#
# Pid file written by the squid daemon; removed by start/stop when stale.
PIDFILE=/usr/local/squid/var/run/squid.pid
# Seconds stop() waits for the daemon to exit before giving up.
TIMEOUT=60
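# Start the squid daemon, clearing a stale pid file first and reporting
# whether the binary accepted its configuration.
start()
{
    echo -n 'Starting Squid . . . '
    # A pid file left behind by an unclean shutdown prevents a new daemon
    # from starting, so drop it when no squid process exists. pgrep -x
    # matches the process name exactly (same check as stop()).
    if [ -z "$(pgrep -x squid)" ]; then
        rm -f "${PIDFILE}"
    fi
    # Raise both soft and hard limits while still root: the daemon drops
    # privileges and an unprivileged process cannot raise its hard limit.
    # 16384 must agree with --with-filedescriptors used at build time.
    ulimit -HSn 16384
    ulimit -HSd unlimited
    # squid exits non-zero when the configuration does not parse; report
    # that instead of an unconditional "Ok".
    if /usr/local/squid/sbin/squid; then
        echo "Ok"
    else
        echo "Failed"
        return 1
    fi
}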
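# Ask the daemon to shut down and wait up to TIMEOUT seconds for it to go
# away; returns non-zero (and keeps the pid file) if it is still running.
stop()
{
    echo -n 'Stopping Squid'
    /usr/local/squid/sbin/squid -k shutdown
    # squid finishes in-flight requests (shutdown_lifetime in squid.conf)
    # before exiting, so poll once a second with a progress counter.
    elapsed=0
    while [ "$elapsed" -lt "$TIMEOUT" ]; do
        elapsed=$((elapsed + 1))
        echo -n "$elapsed"
        if [ -z "$(pgrep -x squid)" ]; then
            # Daemon is gone; remove any pid file it left behind.
            rm -f "${PIDFILE}"
            echo ".Ok"
            return 0
        fi
        echo -n "."
        sleep 1
    done
    # Still running after TIMEOUT: say so rather than printing "Ok". The
    # pid file is left alone because the daemon still owns it.
    echo " timeout: squid still running after ${TIMEOUT}s"
    return 1
}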
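# Dispatch on the requested action.
case "$1" in
'start')
    start
    ;;
'stop')
    stop
    ;;
'restart')
    stop
    start
    ;;
'rotate')
    # Tells the running daemon to close and re-open its log files; with
    # logfile_rotate 0 in squid.conf nothing is renamed (logrotate does that).
    echo -n 'Rotating Squid log files . . . '
    /usr/local/squid/sbin/squid -k rotate
    echo "Ok"
    ;;
*)
    # Unknown or missing action: usage goes to stderr with a non-zero exit
    # so that callers can tell a typo from a successful run.
    echo "usage $0 start|stop|restart|rotate" >&2
    exit 1
    ;;
esac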
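# Kernel tuning for the Squid host (rc.local fragment).
# Each knob is written only when its /proc file is present and writable, so a
# kernel that lacks one (paths differ between versions) does not spray shell
# errors and skip the rest of this file.
set_sysctl()
{
    if [ -w "$1" ]; then
        echo "$2" > "$1"
    else
        echo "rc.local: skipping $1 (not present or not writable)" >&2
    fi
}
# use less swap memory
set_sysctl /proc/sys/vm/swappiness 50
# tcp keep alive tuning
#echo 60 > /proc/sys/net/ipv4/tcp_keepalive_time
#echo 10 > /proc/sys/net/ipv4/tcp_keepalive_intvl
#echo 6 > /proc/sys/net/ipv4/tcp_keepalive_probes
set_sysctl /proc/sys/net/ipv4/tcp_max_syn_backlog 65000
set_sysctl /proc/sys/net/ipv4/ip_local_port_range "1024 65000"
set_sysctl /proc/sys/net/ipv4/tcp_window_scaling 1
set_sysctl /proc/sys/net/core/rmem_max 33554432
set_sysctl /proc/sys/net/core/wmem_max 33554432
set_sysctl /proc/sys/net/ipv4/tcp_rmem "4096 87380 33554432"
set_sysctl /proc/sys/net/ipv4/tcp_wmem "4096 87380 33554432"
set_sysctl /proc/sys/net/ipv4/tcp_no_metrics_save 1
set_sysctl /proc/sys/net/core/netdev_max_backlog 3000
set_sysctl /proc/sys/net/ipv4/tcp_fin_timeout 30
set_sysctl /proc/sys/net/ipv4/tcp_keepalive_time 1800
# tcp_timestamps used to be written twice (1 above, then 0 here); only the
# last write took effect, so the single write keeps the same result.
# NOTE: with timestamps off there is no PAWS protection against wrapped
# sequence numbers, and tcp_tw_recycle below has nothing to work with.
set_sysctl /proc/sys/net/ipv4/tcp_timestamps 0
set_sysctl /proc/sys/net/core/rmem_default 256960
set_sysctl /proc/sys/net/core/wmem_default 256960
# Legacy path; newer kernels expose this as /proc/sys/net/netfilter/nf_conntrack_max
# and only after the conntrack module is loaded — set_sysctl skips it when absent.
set_sysctl /proc/sys/net/ipv4/netfilter/ip_conntrack_max 524288
# tcp_tw_recycle acts only on connections that negotiated timestamps, so it
# is effectively inert with tcp_timestamps 0; where timestamps are on it
# breaks clients behind NAT (their clocks look out of order), which is exactly
# the population of a transparent proxy. It was removed in Linux 4.12.
# Kept as configured; consider dropping it.
set_sysctl /proc/sys/net/ipv4/tcp_tw_recycle 1
# Start Squid Cache Server:
if [ -x /etc/rc.d/rc.squid ]; then
    /etc/rc.d/rc.squid start
fi
# Cache Redirect - the nat module must be loaded.
# Appends a rule every time this file runs; if rc.local is re-executed by
# hand the rule is duplicated. Everything arriving on eth0 for TCP port 80 is
# redirected to the intercept port, so a web server on this host would be
# affected too (presumably none is running here).
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to 3128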
#!/bin/bash
# Stop Squid Cache server at shutdown, if the rc script is installed.
SQUID_RC=/etc/rc.d/rc.squid
if test -x "$SQUID_RC"; then
    "$SQUID_RC" stop
fi
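# access.log: logrotate renames the file, then the running squid is told to
# close and re-open its logs (with logfile_rotate 0 in squid.conf "-k rotate"
# re-opens without renaming). copytruncate was dropped because lines written
# between the copy and the truncate are lost, and this log is the audit
# trail. delaycompress waits one cycle so squid has re-opened before the
# renamed file is compressed.
/usr/local/squid/var/logs/access.log {
    daily
    rotate 186
    start 1
    compress
    delaycompress
    compresscmd /usr/bin/bzip2
    compressext .bz2
    compressoptions -sq9
    dateext
    notifempty
    missingok
    sharedscripts
    postrotate
        /usr/local/squid/sbin/squid -k rotate
    endscript
}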
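# cache.log and store.log: same rename-then-reopen scheme as access.log, with
# a shorter retention. copytruncate was redundant next to the postrotate
# re-open and loses lines in its copy/truncate window, so it is gone;
# delaycompress keeps the just-rotated file uncompressed until the next run.
/usr/local/squid/var/logs/cache.log /usr/local/squid/var/logs/store.log {
    daily
    rotate 31
    start 1
    compress
    delaycompress
    compresscmd /usr/bin/bzip2
    compressext .bz2
    compressoptions -sq9
    dateext
    notifempty
    missingok
    sharedscripts
    postrotate
        /usr/local/squid/sbin/squid -k rotate
    endscript
}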
# cat /etc/fstab
/dev/sda1 swap swap defaults 0 0
/dev/sda2 / reiserfs defaults 1 1
/dev/cdrom /mnt/cdrom auto noauto,owner,ro 0 0
/dev/fd0 /mnt/floppy auto noauto,owner 0 0
devpts /dev/pts devpts gid=5,mode=620 0 0
proc /proc proc defaults 0 0
tmpfs /dev/shm tmpfs defaults 0 0
# Squid logs and the four cache_dirs from squid.conf each get their own
# volume; noatime avoids an inode write on every cache read and notail is
# the usual reiserfs choice for many small files.
# NOTE(review): these volumes only hold data written by the unprivileged squid
# user, so nodev,nosuid,noexec could be added without affecting squid — confirm.
/dev/sda3 /usr/local/squid/var/logs/ reiserfs noatime,notail 1 2
/dev/sda4 /cache/1 reiserfs noatime,notail 1 2
/dev/sdb1 /cache/2 reiserfs noatime,notail 1 2
/dev/sdc1 /cache/3 reiserfs noatime,notail 1 2
/dev/sdd1 /cache/4 reiserfs noatime,notail 1 2
# df -h
Filesystem Type Size Used Avail Use% Mounted on
/dev/root reiserfs 21G 4.5G 16G 23% /
tmpfs tmpfs 2.0G 0 2.0G 0% /dev/shm
/dev/sda3 reiserfs 101G 33M 100G 1% /usr/local/squid/var/logs
/dev/sda4 reiserfs 178G 33M 178G 1% /cache/1
/dev/sdb1 reiserfs 299G 33M 299G 1% /cache/2
/dev/sdc1 reiserfs 233G 33M 233G 1% /cache/3
/dev/sdd1 reiserfs 233G 33M 233G 1% /cache/4
# free -m
total used free shared buffers cached
Mem: 3910 186 3723 0 20 105
-/+ buffers/cache: 60 3849
Swap: 1035 0 1035
# Create the cache directories and hand them, with the log directory, to the
# unprivileged user (presumably the default cache_effective_user, nobody),
# mark the rc scripts executable, build the swap directories and start squid.
for n in 1 2 3 4; do
    mkdir -p "/cache/$n"
done
chown -R nobody:nobody /cache /usr/local/squid/var/logs
chmod +x /etc/rc.d/rc.local_shutdown /etc/rc.d/rc.squid
/usr/local/squid/sbin/squid -z
/etc/rc.d/rc.squid start
BY: Pejman Moghadam
TAG: squid, fstab
DATE: 2011-05-23 11:28:40