Squid proxy/cache with IPv6 on CentOS v5.x
How to create a VM to act as a web proxy using Squid v3.1
Create a minimal CentOS v5.4 VM (ivory.lucidsolutions.co.nz) with all current updates, plus a couple of favourite packages. The VM has 512 Mbytes of memory, a system disk, a swap disk, and a data disk for the squid cache data.
At the time of writing, CentOS, EPEL and the usual suspects didn't have Squid v3.1 available as a binary RPM. Use Squid 3.1 from the Peter Pramberger repository.
Cache disk
The VM has a block of disk allocated for the squid cache. This block device (backed by LVM) is sized to be of sufficient capacity for the squid cache. Add an entry to '/etc/fstab' so that the cache is mounted when the machine starts:
LABEL=/var/cache/squid /var/cache/squid ext3 defaults 0 0
Ensure that the cache directory/device is owned by squid.
# chown squid.squid /var/cache/squid
Install the PP repo
# wget -q -O- "http://devel.pramberger.at/getrepo?release=5" >> /etc/yum.repos.d/pramberger.repo
Install Squid3
Install Squid v3.1 from the 'pp' repository
# yum install squid3
Configure Squid
The configuration shipped in the package is trimmed down (no comments) and is easy to read and modify. The only changes made were to:
- the local network numbers
- the size of the cache
The local networks configured are:
acl localnet src 10.20.0.0/16 # RFC1918 possible internal network
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl localnet src 2001:4428:225::/48
acl localnet src fd0c:898b:471c::/48 # RFC 4193 local private network range
The cache directory directive (a 12000 Mbyte ufs cache with 64 first-level and 256 second-level subdirectories):
cache_dir ufs /var/cache/squid 12000 64 256
Firewall
Configure the iptables and ip6tables firewalls to allow:
- clients on the local network access to the cache
- the squid cache access to all internet hosts
- local processes access to the squid proxy
/etc/sysconfig/iptables
# Squid
-A tcpIn -p tcp -m tcp --source 10.20.0.0/16 --dport 3128 -m state --state NEW -j ACCEPT
-A tcpOut -m owner --uid-owner squid -m state --state NEW -j ACCEPT
# Outgoing squid (back to ourselves)
-A tcpOut -p tcp -m tcp --dport 3128 -m state --state NEW -j ACCEPT
/etc/sysconfig/ip6tables
# Squid
-A tcpIn -p tcp -m tcp --source fd0c:898b:471c::/48 --dport 3128 -m state --state NEW -j ACCEPT
-A tcpIn -p tcp -m tcp --source 2001:4428:225::/48 --dport 3128 -m state --state NEW -j ACCEPT
-A tcpIn -p tcp -m tcp --source fe80::/10 --dport 3128 -m state --state NEW -j ACCEPT
-A tcpOut -m owner --uid-owner squid -m state --state NEW -j ACCEPT
# Outgoing squid (back to ourselves)
-A tcpOut -p tcp -m tcp --dport 3128 -m state --state NEW -j ACCEPT
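The squid localnet ACLs and the firewall's inbound rules for port 3128 above describe the same set of client networks twice, so they can drift apart: a range missing from the firewall makes the proxy unusable from it, and a firewall source wider than the ACLs leaves the port reachable from addresses that only squid's http_access then rejects. The following check, added here as an example (not part of the original page), parses both and reports either kind of mismatch; it assumes the page's custom chain name tcpIn for inbound rules and uses the page's ACLs and rules as constructed sample input.

```python
import ipaddress
import re

# Constructed sample input: the squid ACLs and firewall rules from this page.
SQUID_CONF = """\
acl localnet src 10.20.0.0/16 # RFC1918 possible internal network
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl localnet src 2001:4428:225::/48
acl localnet src fd0c:898b:471c::/48 # RFC 4193 local private network range
"""
IPTABLES = """\
-A tcpIn -p tcp -m tcp --source 10.20.0.0/16 --dport 3128 -m state --state NEW -j ACCEPT
-A tcpOut -p tcp -m tcp --dport 3128 -m state --state NEW -j ACCEPT
"""
IP6TABLES = """\
-A tcpIn -p tcp -m tcp --source fd0c:898b:471c::/48 --dport 3128 -m state --state NEW -j ACCEPT
-A tcpIn -p tcp -m tcp --source 2001:4428:225::/48 --dport 3128 -m state --state NEW -j ACCEPT
-A tcpIn -p tcp -m tcp --source fe80::/10 --dport 3128 -m state --state NEW -j ACCEPT
-A tcpOut -p tcp -m tcp --dport 3128 -m state --state NEW -j ACCEPT
"""

def squid_localnets(conf):
    """Networks from 'acl localnet src ...' lines, trailing comments stripped."""
    nets = []
    for line in conf.splitlines():
        m = re.match(r"acl\s+localnet\s+src\s+(\S+)", line.split("#", 1)[0].strip())
        if m:
            nets.append(ipaddress.ip_network(m.group(1), strict=False))
    return nets

def firewall_inbound_sources(rules, chain="tcpIn", port=3128):
    """Sources that ACCEPT rules in the inbound chain admit to the proxy port; None = no --source."""
    nets = []
    for line in rules.splitlines():
        line = line.split("#", 1)[0].strip()   # whole-line '# Squid' comments are skipped
        if not (line.startswith(f"-A {chain} ") and "-j ACCEPT" in line
                and re.search(rf"--dport\s+{port}\b", line)):
            continue
        src = re.search(r"--source\s+(\S+)", line)
        nets.append(ipaddress.ip_network(src.group(1), strict=False) if src else None)
    return nets

def _covered(net, by):
    return any(n is None or (n.version == net.version and net.subnet_of(n)) for n in by)

def check_consistency(conf, v4_rules, v6_rules):
    """(blocked, exposed): localnet ranges no firewall rule admits, and firewall sources no ACL covers."""
    acls = squid_localnets(conf)
    fw = firewall_inbound_sources(v4_rules) + firewall_inbound_sources(v6_rules)
    blocked = [str(a) for a in acls if not _covered(a, fw)]
    exposed = [("any" if f is None else str(f)) for f in fw if f is None or not _covered(f, acls)]
    return blocked, exposed
```

Both lists are empty for the rules on this page; run it against the live /etc/squid/squid.conf and the two /etc/sysconfig files after any edit to either.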
Start squid
# chkconfig squid on
# service squid start
Appendices
RPM Install
Dependencies Resolved
=============================================================================
 Package          Arch    Version             Repository   Size
=============================================================================
Installing:
 squid3           x86_64  3.1.0.15-1.el5.pp   pp-contrib   1.8 M
Installing for dependencies:
 perl             x86_64  4:5.8.8-27.el5      base         12 M
 perl-Authen-Smb  x86_64  0.91-4.el5.pp       pp-contrib   31 k
 perl-DBI         x86_64  1.607-1.el5.pp      pp-contrib   772 k
 perl-Net-Daemon  noarch  0.43-1.el5.pp       pp-contrib   45 k
 perl-PlRPC       noarch  0.2020-1.el5.pp     pp-contrib   32 k

Transaction Summary
=============================================================================
Install       6 Package(s)
Update        0 Package(s)
Remove        0 Package(s)

Total download size: 15 M
Key import
Importing GPG key 0x6971F6AC "Peter Pramberger (RPM Signing Key) <peterpramb@member.fsf.org>" from ftp://ftp.pramberger.at/systems/linux/contrib/rhel5/RPM-GPG-KEY-6971f6ac