Squid proxy/cache with IPv6 on CentOS v5.x

How to create a VM to act as a web proxy using Squid v3.1.

Create a minimal CentOS v5.4 VM (ivory.lucidsolutions.co.nz), with all current updates, plus a couple of favourites. The VM has 512 MB of memory, a system disk, a swap disk, and a data disk for the Squid cache data.

At the time of writing, CentOS, EPEL and the usual suspects didn't have Squid v3.1 available as a binary RPM. Use Squid 3.1 from the Peter Pramberger repository.

Cache disk

The VM has a block of disk allocated for the squid cache. This block device (backed by LVM) is sized to be of sufficient capacity for the squid cache. Add an entry to '/etc/fstab' so that the cache is mounted when the machine starts:

LABEL=/var/cache/squid  /var/cache/squid        ext3    defaults        0 0

Ensure that the cache directory/device is owned by squid.

# chown squid:squid /var/cache/squid

Install the PP repo

# wget -q -O- "http://devel.pramberger.at/getrepo?release=5" >> /etc/yum.repos.d/pramberger.repo

Install Squid3

Install Squid v3.1 from the 'pp' repository:

# yum install squid3

Configure Squid

The configuration file shipped in the binary RPM is trimmed down (without comments) and is easy to read and modify. Two settings were changed:

  • the local network numbers
  • the size of the cache

The local networks configured are:

acl localnet src 10.20.0.0/16        # RFC1918 possible internal network
acl localnet src fe80::/10           # RFC 4291 link-local (directly plugged) machines
acl localnet src 2001:4428:225::/48
acl localnet src fd0c:898b:471c::/48 # RFC 4193 local private network range

The cache directory directive is:

cache_dir ufs /var/cache/squid 12000 64 256

Firewall

Configure the iptables and ip6tables firewalls to allow:

  • clients on the local network access to the cache
  • the squid cache access to all internet hosts
  • local processes access to the squid proxy

/etc/sysconfig/iptables

# Squid
-A tcpIn  -p tcp -m tcp --source 10.20.0.0/16 --dport 3128 -m state --state NEW -j ACCEPT
-A tcpOut -m owner --uid-owner squid -m state --state NEW -j ACCEPT

# Outgoing squid (back to ourselves)
-A tcpOut -p tcp -m tcp --dport 3128 -m state --state NEW -j ACCEPT

/etc/sysconfig/ip6tables

# Squid
-A tcpIn  -p tcp -m tcp --source fd0c:898b:471c::/48 --dport 3128 -m state --state NEW -j ACCEPT
-A tcpIn  -p tcp -m tcp --source 2001:4428:225::/48  --dport 3128 -m state --state NEW -j ACCEPT
-A tcpIn  -p tcp -m tcp --source fe80::/10           --dport 3128 -m state --state NEW -j ACCEPT
-A tcpOut -m owner --uid-owner squid -m state --state NEW -j ACCEPT

# Outgoing squid (back to ourselves)
-A tcpOut -p tcp -m tcp --dport 3128 -m state --state NEW -j ACCEPT
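
A consistency check for the two access-control layers configured above, as an added example that is not part of the original page: it compares the `acl localnet src` networks with the sources the firewall accepts on port 3128 and reports any network allowed by one layer but not the other. The sample input is constructed from the lines shown on this page; the function names are hypothetical, and only CIDR-form ACL entries and `--source`/`-s` rule options are handled.

```python
import ipaddress
# Constructed sample input: the ACL and firewall lines shown on this page.
SQUID_CONF = """\
acl localnet src 10.20.0.0/16        # RFC1918 possible internal network
acl localnet src fe80::/10           # RFC 4291 link-local (directly plugged) machines
acl localnet src 2001:4428:225::/48
acl localnet src fd0c:898b:471c::/48 # RFC 4193 local private network range
"""
IPTABLES = """\
-A tcpIn  -p tcp -m tcp --source 10.20.0.0/16 --dport 3128 -m state --state NEW -j ACCEPT
-A tcpOut -p tcp -m tcp --dport 3128 -m state --state NEW -j ACCEPT
"""
IP6TABLES = """\
-A tcpIn  -p tcp -m tcp --source fd0c:898b:471c::/48 --dport 3128 -m state --state NEW -j ACCEPT
-A tcpIn  -p tcp -m tcp --source 2001:4428:225::/48  --dport 3128 -m state --state NEW -j ACCEPT
-A tcpIn  -p tcp -m tcp --source fe80::/10           --dport 3128 -m state --state NEW -j ACCEPT
"""

def squid_localnets(conf, acl="localnet"):
    """Networks named by 'acl <acl> src ...' lines (CIDR entries only)."""
    nets = set()
    for line in conf.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields[:3] == ["acl", acl, "src"]:
            nets.update(ipaddress.ip_network(f, strict=False) for f in fields[3:])
    return nets

def firewall_sources(rules, any_net, chain="tcpIn", port="3128"):
    """Source networks that <chain> ACCEPTs on <port>; no --source means any_net."""
    nets = set()
    for line in rules.splitlines():
        tok = line.split("#", 1)[0].split()
        opts = dict(zip(tok, tok[1:]))  # option -> the token that follows it
        if tok[:2] == ["-A", chain] and opts.get("--dport") == port and opts.get("-j") == "ACCEPT":
            src = opts.get("--source") or opts.get("-s") or any_net
            nets.add(ipaddress.ip_network(src, strict=False))
    return nets

def uncovered(nets, by):  # members of nets not contained in any network of 'by'
    return {n for n in nets
            if not any(n.version == b.version and n.subnet_of(b) for b in by)}

def audit(conf, v4_rules, v6_rules):
    acl = squid_localnets(conf)
    fw = firewall_sources(v4_rules, "0.0.0.0/0") | firewall_sources(v6_rules, "::/0")
    return {"firewall_only": uncovered(fw, acl), "squid_only": uncovered(acl, fw)}

if __name__ == "__main__":
    print(audit(SQUID_CONF, IPTABLES, IP6TABLES))
```

A non-empty `firewall_only` means Squid's ACL is the only control left for those sources; a non-empty `squid_only` means clients in that ACL range cannot reach the proxy through the firewall.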

Start squid

# chkconfig squid on
# service squid start

Appendices

RPM Install

Dependencies Resolved

=============================================================================
 Package             Arch       Version                 Repository      Size
=============================================================================
Installing:
 squid3              x86_64     3.1.0.15-1.el5.pp       pp-contrib     1.8 M
Installing for dependencies:
 perl                x86_64     4:5.8.8-27.el5          base            12 M
 perl-Authen-Smb     x86_64     0.91-4.el5.pp           pp-contrib      31 k
 perl-DBI            x86_64     1.607-1.el5.pp          pp-contrib     772 k
 perl-Net-Daemon     noarch     0.43-1.el5.pp           pp-contrib      45 k
 perl-PlRPC          noarch     0.2020-1.el5.pp         pp-contrib      32 k

Transaction Summary
=============================================================================
Install      6 Package(s)
Update       0 Package(s)
Remove       0 Package(s)

Total download size: 15 M


Key import

Importing GPG key 0x6971F6AC "Peter Pramberger (RPM Signing Key) <peterpramb@member.fsf.org>" 
  from ftp://ftp.pramberger.at/systems/linux/contrib/rhel5/RPM-GPG-KEY-6971f6ac