Squid proxy/cache with IPv6 on CentOS v6.x
This VM replaces the CentOS v5.x VM. The change supports a later version of Squid that will fall back to IPv4 when an IPv6 site is unavailable, and also upgrades the OS.
The VM is:
- CentOS v6.5
- 8G root
- swap
- squid cache device
- single NIC with IPv4 and IPv6
Install
Install the EPEL and CentALT repositories:
# rpm -Uvh http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
# rpm -Uvh http://centos.alt.ru/repository/centos/6/x86_64/centalt-release-6-1.noarch.rpm
Edit the CentALT repo file '/etc/yum.repos.d/centalt.repo' and set it to disabled. Enable it explicitly on the command line when installing and updating, as it has newer versions of openssh, postfix and mariadb that we don't need for this VM.
Install Squid:
# yum install --enablerepo CentALT squid
Add cache device
Create the squid cache device:
# mkfs.ext4 /dev/xvdc1 -L /var/spool/squid
Add the device to '/etc/fstab':
LABEL=/var/spool/squid /var/spool/squid ext4 defaults 0 0
Mount the device and give ownership to squid:
# mount -a
# chown squid:squid /var/spool/squid
Configure Firewall
Configure the iptables and ip6tables firewalls to allow:
- clients on the local network access to the cache
- the squid cache access to all internet hosts
- local processes access to the squid proxy
Add to '/etc/sysconfig/iptables':
# Squid
-A tcpIn -p tcp -m tcp --source 10.20.0.0/16 --dport 3128 -m state --state NEW -j ACCEPT
-A tcpOut -m owner --uid-owner squid -m state --state NEW -j ACCEPT
# Local proxy access
-A tcpOut -p tcp -m tcp --dport 3128 -m state --state NEW -j ACCEPT
Add to '/etc/sysconfig/ip6tables':
# Squid
-A tcpIn -p tcp -m tcp --source fd0c:898b:471c::/48 --dport 3128 -m state --state NEW -j ACCEPT
-A tcpIn -p tcp -m tcp --source 2001:4428:225::/48 --dport 3128 -m state --state NEW -j ACCEPT
-A tcpIn -p tcp -m tcp --source fe80::/10 --dport 3128 -m state --state NEW -j ACCEPT
-A tcpOut -m owner --uid-owner squid -m state --state NEW -j ACCEPT
# Local proxy access
-A tcpOut -p tcp -m tcp --dport 3128 -m state --state NEW -j ACCEPT
Configure squid
Edit the main squid configuration file '/etc/squid/squid.conf'. The local networks configured are:
acl localnet src 10.20.0.0/16 # RFC1918 possible internal network
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl localnet src 2001:4428:225::/48
acl localnet src fd0c:898b:471c::/48 # RFC 4193 local private network range
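The same four networks must appear in both the firewall rules and the 'localnet' ACL, so the two lists can drift apart when one file is edited later. The following check is an added example, not part of the original page: the function names are hypothetical, the sample data is constructed from the rules and ACLs shown above, and networks are compared as text, so they are assumed to be written identically in both files.

```shell
#!/bin/sh
# Constructed sample input: the tcpIn rules and localnet ACLs from this page.
FW_RULES='-A tcpIn -p tcp -m tcp --source 10.20.0.0/16 --dport 3128 -m state --state NEW -j ACCEPT
-A tcpIn -p tcp -m tcp --source fd0c:898b:471c::/48 --dport 3128 -m state --state NEW -j ACCEPT
-A tcpIn -p tcp -m tcp --source 2001:4428:225::/48 --dport 3128 -m state --state NEW -j ACCEPT
-A tcpIn -p tcp -m tcp --source fe80::/10 --dport 3128 -m state --state NEW -j ACCEPT
-A tcpOut -m owner --uid-owner squid -m state --state NEW -j ACCEPT'
SQUID_ACLS='acl localnet src 10.20.0.0/16 # RFC1918 possible internal network
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl localnet src 2001:4428:225::/48
acl localnet src fd0c:898b:471c::/48 # RFC 4193 local private network range'

# Source networks of inbound rules that accept port 3128.
# A rule with no --source is reported as "any" (proxy open to every host).
fw_sources() {
    printf '%s\n' "$1" | awk '
        $1 == "-A" && $2 == "tcpIn" {
            src = "any"; port = ""
            for (i = 3; i < NF; i++) {
                if ($i == "--source" || $i == "-s") src = $(i + 1)
                if ($i == "--dport") port = $(i + 1)
            }
            if (port == "3128" && $NF == "ACCEPT") print src
        }' | sort -u
}

# Networks listed in "acl localnet src" lines; trailing comments are ignored.
acl_sources() {
    printf '%s\n' "$1" |
        awk '$1 == "acl" && $2 == "localnet" && $3 == "src" { print $4 }' | sort -u
}

# Print networks present on one side only; prints nothing when both agree.
acl_drift() {
    fw=$(fw_sources "$1"); acl=$(acl_sources "$2")
    for n in $fw; do
        printf '%s\n' "$acl" | grep -qxF -- "$n" || echo "firewall-only $n"
    done
    for n in $acl; do
        printf '%s\n' "$fw" | grep -qxF -- "$n" || echo "acl-only $n"
    done
}

# On the VM, pass the real files instead of the samples:
# acl_drift "$(cat /etc/sysconfig/iptables /etc/sysconfig/ip6tables)" "$(cat /etc/squid/squid.conf)"
acl_drift "$FW_RULES" "$SQUID_ACLS"
```

A 'firewall-only' line means the firewall admits a network that squid will not serve; an 'acl-only' line means squid would serve a network that the firewall never lets reach port 3128.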
Update the size of the cache directory directive to use approximately 80% of the 32Gbyte cache device:
cache_dir ufs /var/spool/squid 26000 64 256
Start squid
# chkconfig squid on
# service squid start
init_cache_dir /var/spool/squid... Starting squid: .... [ OK ]
Appendices
yum install squid
# yum install --enablerepo CentALT squid
Dependencies Resolved
===========================================================================================
 Package                     Arch       Version               Repository    Size
===========================================================================================
Installing:
 squid                       x86_64     9:3.4.4-1.el6         CentALT       2.6 M
Installing for dependencies:
 libtool-ltdl                x86_64     2.2.6-15.5.el6        base           44 k
 perl-Crypt-OpenSSL-X509     x86_64     1.800.2-1.el6         epel           37 k
 perl-DBI                    x86_64     1.609-4.el6           base          705 k
Transaction Summary
===========================================================================================
Install       4 Package(s)
Total download size: 3.4 M
Installed size: 10 M
Is this ok [y/N]: y
Downloading Packages:
(1/4): libtool-ltdl-2.2.6-15.5.el6.x86_64.rpm              |  44 kB     00:00
(2/4): perl-Crypt-OpenSSL-X509-1.800.2-1.el6.x86_64.rpm    |  37 kB     00:00
(3/4): perl-DBI-1.609-4.el6.x86_64.rpm                     | 705 kB     00:01
(4/4): squid-3.4.4-1.el6.x86_64.rpm                        | 2.6 MB     00:12
-------------------------------------------------------------------------------------------
Total                                             229 kB/s | 3.4 MB     00:15
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : perl-DBI-1.609-4.el6.x86_64                        1/4
  Installing : libtool-ltdl-2.2.6-15.5.el6.x86_64                 2/4
  Installing : perl-Crypt-OpenSSL-X509-1.800.2-1.el6.x86_64       3/4
  Installing : 9:squid-3.4.4-1.el6.x86_64                         4/4
  Verifying  : 9:squid-3.4.4-1.el6.x86_64                         1/4
  Verifying  : perl-Crypt-OpenSSL-X509-1.800.2-1.el6.x86_64       2/4
  Verifying  : libtool-ltdl-2.2.6-15.5.el6.x86_64                 3/4
  Verifying  : perl-DBI-1.609-4.el6.x86_64                        4/4
Installed:
  squid.x86_64 9:3.4.4-1.el6
Dependency Installed:
  libtool-ltdl.x86_64 0:2.2.6-15.5.el6
  perl-Crypt-OpenSSL-X509.x86_64 0:1.800.2-1.el6
  perl-DBI.x86_64 0:1.609-4.el6
Complete!