第 3 章 Configuring the Squid caching proxy server

Procedure

1. Install the squid package:

   # dnf install squid

2. Edit the /etc/squid/squid.conf file:

   1. Adapt the localnet access control lists (ACL) to match the IP ranges that should be allowed to use the proxy:

      acl localnet src 192.0.2.0/24
      acl localnet 2001:db8:1::/64

      By default, the /etc/squid/squid.conf file contains the http_access allow localnet rule that allows using the proxy from all IP ranges specified in localnet ACLs. Note that you must specify all localnet ACLs before the http_access allow localnet rule.

      重要

      Remove all existing acl localnet entries that do not match your environment.

   2. The following ACL exists in the default configuration and defines 443 as a port that uses the HTTPS protocol:

      acl SSL_ports port 443

      If users should be able to use the HTTPS protocol also on other ports, add an ACL for each of these port:

      acl SSL_ports port port_number

   3. Update the list of acl Safe_ports rules to configure to which ports Squid can establish a connection. For example, to configure that clients using the proxy can only access resources on port 21 (FTP), 80 (HTTP), and 443 (HTTPS), keep only the following acl Safe_ports statements in the configuration:

      acl Safe_ports port 21
      acl Safe_ports port 80
      acl Safe_ports port 443

      By default, the configuration contains the http_access deny !Safe_ports rule that defines access denial to ports that are not defined in Safe_ports ACLs.

   4. Configure the cache type, the path to the cache directory, the cache size, and further cache type-specific settings in the cache_dir parameter:

      cache_dir ufs /var/spool/squid 10000 16 256

      With these settings:

      • Squid uses the ufs cache type.
      • Squid stores its cache in the /var/spool/squid/ directory.
      • The cache grows up to 10000 MB.
      • Squid creates 16 level-1 sub-directories in the /var/spool/squid/ directory.

      • Squid creates 256 sub-directories in each level-1 directory.

        If you do not set a cache_dir directive, Squid stores the cache in memory.

3. If you set a different cache directory than /var/spool/squid/ in the cache_dir parameter:

   1. Create the cache directory:

      # mkdir -p path_to_cache_directory

   2. Configure the permissions for the cache directory:

      # chown squid:squid path_to_cache_directory

   3. If you run SELinux in enforcing mode, set the squid_cache_t context for the cache directory:

      # semanage fcontext -a -t squid_cache_t "path_to_cache_directory(/.*)?"
      # restorecon -Rv path_to_cache_directory

      If the semanage utility is not available on your system, install the policycoreutils-python-utils package.

4. Open the 3128 port in the firewall:

   # firewall-cmd --permanent --add-port=3128/tcp
   # firewall-cmd --reload

5. Enable and start the squid service:

   # systemctl enable --now squid