Using a parent proxy with Squid

January 23rd, 2007 | Tech

If you want Squid to be part of a hierarchy of proxies, or you just want Squid to fetch content indirectly through another proxy rather than directly from a web server, read on to see how to do that.
You can use the cache_peer directive to add parent proxies that Squid will ask for content. You can also control whether content is fetched directly or indirectly with always_direct and never_direct respectively.

For example

cache_peer proxy.some-isp.com parent 8080 0 no-query no-digest
never_direct allow all
would tell Squid to always fetch content from the parent proxy, which is located at proxy.some-isp.com:8080. If we didn’t use the second directive, there could be circumstances in which Squid would request content directly and ignore the parent proxy; this isn’t what we want.

There are a lot of options available which I don’t want to discuss here, because they are very well documented, but no-query and no-digest say that no ICP requests or cache digests should be sent to the parent proxy (read: nagging should be turned off).

Multiple parent proxies

If you would like to have more than one parent proxy you can add more cache_peer directives; one for each parent. Now you can define either weight or round-robin to control the way Squid will communicate with the proxies: while weight tells Squid to prefer one cache over another, round-robin tries to spread connections evenly among the defined caches.

First of all a simple example for two parent proxies:

cache_peer proxy.isp1.com parent 8080 0 no-query no-digest default
cache_peer proxy.isp2.com parent 8080 0 no-query no-digest

If you define more than one parent proxy you might want to set one as the default proxy, which is used as a last resort.

An example for weight:

cache_peer proxy.isp1.com parent 8080 0 no-query no-digest weight=1
cache_peer proxy.isp2.com parent 8080 0 no-query no-digest weight=2

In this example it is likely that the proxy from the second ISP will be favored over the first one.

And here is an example for round-robin:

cache_peer proxy.isp1.com parent 8080 0 round-robin no-query
cache_peer proxy.isp2.com parent 8080 0 round-robin no-query
cache_peer proxy.isp3.com parent 8080 0 round-robin no-query

All connections to our proxy would be round-robined among these three caches. Because Squid treats all parents equally, it is currently not possible to define a weight here, e.g. to forward 50% of the requests to the first proxy and 25% to the second and third proxy respectively.
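The directives above are easy to get subtly wrong, and when the parent is the intended exit point a missing never_direct rule lets Squid go around it. The following Python check is an added example, not part of the original post or of Squid; the function name audit_parents and the sample configuration are constructed for illustration.

```python
# Constructed sample squid.conf (not from a real deployment): the second
# parent line lacks the ICP port field and there is no never_direct rule.
SAMPLE_CONF = """\
cache_peer proxy.isp1.com parent 8080 0 no-query no-digest default
cache_peer proxy.isp2.com parent 8080 round-robin no-query
"""


def audit_parents(conf_text):
    """Return (parents, findings) for the parent-proxy part of a squid.conf."""
    parents, findings = [], []
    parent_lines, forced = 0, False
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()      # drop comments, tokenize
        # Only the exact rule used on this page is recognised; ACL-based
        # never_direct rules would need real ACL evaluation.
        if fields[:3] == ["never_direct", "allow", "all"]:
            forced = True
        if len(fields) < 3 or fields[0] != "cache_peer" or fields[2] != "parent":
            continue
        parent_lines += 1
        # Syntax: cache_peer <host> parent <http-port> <icp-port> [options]
        host, ports = fields[1], fields[3:5]
        if len(ports) < 2 or not all(p.isdigit() for p in ports):
            findings.append(f"line {lineno}: {host}: http-port and icp-port "
                            "must both be numeric (0 if the peer has no ICP)")
            continue
        parents.append((host, int(ports[0])))
    if parent_lines and not forced:
        findings.append("no 'never_direct allow all': Squid may fetch "
                        "directly and skip the parent")
    return parents, findings


if __name__ == "__main__":
    for finding in audit_parents(SAMPLE_CONF)[1]:
        print(finding)
```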

Conclusion
This post documents how to configure Squid to use a parent proxy or various parent proxies. Please have a look at the most recent documentation to learn more about the configuration details and features available in the latest version of Squid.

from:http://www.christianschenk.org/blog/using-a-parent-proxy-with-squid/

Squid Increase Processes WARNING: All redirector processes are busy.

11.4.2 redirect_children

The redirect_children directive specifies how many redirector processes Squid should start. For example:
redirect_children 20
Squid warns you (via cache.log) when all redirectors are simultaneously busy:
WARNING: All redirector processes are busy.

WARNING: 1 pending requests queued.
If you see this warning, you should increase the number of child processes and restart (or reconfigure) Squid. If the queue size becomes twice the number of redirectors, Squid aborts with a fatal message.
Don’t attempt to disable Squid’s use of the redirectors by setting redirect_children to 0. Instead, simply remove the redirect_program line from squid.conf.
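Because Squid aborts once the queue reaches twice the number of redirectors, it is worth watching cache.log for how close the queue gets to that limit. The Python below is an added example, not from the quoted documentation; the log excerpt is constructed, and the "critical" threshold (queue at least as large as redirect_children) is an assumption chosen for illustration.

```python
import re

REDIRECT_CHILDREN = 20  # value from the redirect_children example above

# Constructed cache.log excerpt; timestamps and queue sizes are made up.
SAMPLE_LOG = """\
2007/01/23 10:15:01| WARNING: All redirector processes are busy.
2007/01/23 10:15:01| WARNING: 1 pending requests queued.
2007/01/23 10:15:09| WARNING: All redirector processes are busy.
2007/01/23 10:15:09| WARNING: 31 pending requests queued.
2007/01/23 10:16:40| Ready to serve requests.
"""

BUSY = re.compile(r"WARNING: All redirector processes are busy")
PENDING = re.compile(r"WARNING: (\d+) pending requests queued")


def redirector_pressure(log_text, children):
    """Summarise redirector saturation seen in a cache.log excerpt."""
    busy_events, peak = 0, 0
    for line in log_text.splitlines():
        if BUSY.search(line):
            busy_events += 1
        match = PENDING.search(line)
        if match:
            peak = max(peak, int(match.group(1)))
    abort_at = 2 * children          # queue size at which Squid aborts
    if peak >= abort_at:
        level = "fatal"
    elif peak >= children:           # assumed alerting threshold
        level = "critical"
    elif busy_events:
        level = "warning"
    else:
        level = "ok"
    return {"busy_events": busy_events, "peak_queue": peak,
            "abort_at": abort_at, "headroom": abort_at - peak, "level": level}


if __name__ == "__main__":
    print(redirector_pressure(SAMPLE_LOG, REDIRECT_CHILDREN))
```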

squid+c-icap+clamav = gateway antivirus scanner

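Build a simple network proxy gateway that proxies the internal network's HTTP traffic. The system runs 64-bit CentOS 6.3 with the squid3 proxy server and the c-icap server (a tool that implements ICAP) installed, and uses the c-icap clamav modules to scan content downloaded over HTTP through the proxy for viruses.

1. Install CentOS 6.3, choosing the Web Server package set during installation.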

GPG keys used by the Fedora project
https://fedoraproject.org/keys

2. Install the EPEL repository

#rpm --import http://mirror01.idc.hinet.net/EPEL/RPM-GPG-KEY-EPEL-6

#rpm -ivh http://mirror01.idc.hinet.net/EPEL/6/x86_64/epel-release-6-8.noarch.rpm

3. Once the system is installed, the first thing to do is a system update

#yum update

4. Install the squid, clamav and clamav-devel packages and update the virus signatures

#yum install squid clamav clamav-devel
#freshclam

5. Download c-icap and c-icap-modules; the c-icap project is at http://c-icap.sourceforge.net/

#wget -O c_icap-0.2.5.tar.gz http://sourceforge.net/projects/c-icap/files/c-icap/0.2.x/c_icap-0.2.5.tar.gz/download
#wget -O c_icap_modules-0.2.4.tar.gz http://sourceforge.net/projects/c-icap/files/c-icap-modules/0.2.x/c_icap_modules-0.2.4.tar.gz/download

6. Install the development tools and the required libraries

#yum groupinstall "Development Tools"

7. Extract and install c-icap and c-icap-modules

#tar -xzvf c_icap-0.2.5.tar.gz
#cd c_icap-0.2.5
#./configure
#make install
#cd ..
#tar -xzvf c_icap_modules-0.2.4.tar.gz
#cd c_icap_modules-0.2.4
#./configure
#make install

7. Enable the ICAP protocol in squid: edit /etc/squid/squid.conf following http://wiki.squid-cache.org/Features/ICAP. The avscan service is defined in the /usr/local/etc/virus_scan.conf configuration file. Transparent proxy mode is important for a gateway proxy.

#vim /etc/squid/squid.conf

http_port 3128 transparent

icap_enable on

icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/avscan
adaptation_access service_req allow all

icap_service service_resp respmod_precache bypass=0 icap://127.0.0.1:1344/avscan
adaptation_access service_resp allow all

8. Configure /usr/local/etc/c-icap.conf to include the virus_scan.conf configuration file (as indicated by the contents of /usr/local/etc/virus_scan.conf).

#vim /usr/local/etc/c-icap.conf

Include virus_scan.conf

9. Start the c-icap daemon and have the service start automatically at boot

#c-icap -f /usr/local/etc/c-icap.conf
#echo /usr/local/bin/c-icap -f /usr/local/etc/c-icap.conf >> /etc/rc.local

10. Allow squid's service port 3128 in iptables, redirect HTTP traffic to port 3128, and let HTTPS be forwarded directly.

#iptables -I INPUT -p tcp --dport 3128 -j ACCEPT
#iptables -I FORWARD -p tcp --dport 443 -j ACCEPT
#iptables -A PREROUTING -t nat -p tcp --dport 80 -j REDIRECT --to-ports 3128

11. Allow IP forwarding on the squid gateway: set net.ipv4.ip_forward to enabled

#echo 1 > /proc/sys/net/ipv4/ip_forward

#vim /etc/sysctl.conf
net.ipv4.ip_forward = 1

12. Save the iptables configuration and have it loaded automatically at boot.

#iptables-save > /etc/iptables.conf
#echo "iptables-restore < /etc/iptables.conf" >> /etc/rc.local

13. Enable the squid service at boot and start the squid daemon.

#chkconfig squid on
#service squid start

14. Connect to http://www.eicar.org, download the virus test file, and check whether the virus is successfully blocked.

# The gateway is the squid server, and the client IP falls within 192.168.0.0/24, which is in squid's default localnet range.
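Step 14 tests the whole chain through Squid. As an added example (not part of the original post or of c-icap), the Python below builds the RESPMOD request that Squid would send to the avscan service, so the scanner can also be checked on its own. The HTTP headers, the host example.test and the body are constructed placeholders, and it is an assumption that a blocking scanner answers an infected object with ICAP 200 and a replacement response.

```python
SERVICE = "icap://127.0.0.1:1344/avscan"   # service URL from squid.conf above

# Constructed HTTP exchange; example.test and the body are placeholders.
REQ_HDR = b"GET /sample.bin HTTP/1.1\r\nHost: example.test\r\n\r\n"
BODY = b"constructed test body"
RES_HDR = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
           b"Content-Length: %d\r\n\r\n" % len(BODY))


def build_respmod(service_url, req_hdr, res_hdr, body):
    """Build an RFC 3507 RESPMOD request; return (message, offsets)."""
    host = service_url.split("://", 1)[1].split("/", 1)[0]
    # Encapsulated offsets count bytes from the start of the encapsulated
    # section, i.e. from the first byte after the ICAP header block.
    offsets = {"req-hdr": 0, "res-hdr": len(req_hdr),
               "res-body": len(req_hdr) + len(res_hdr)}
    encapsulated = ", ".join(f"{k}={v}" for k, v in offsets.items())
    icap_hdr = (f"RESPMOD {service_url} ICAP/1.0\r\n"
                f"Host: {host}\r\n"
                "Allow: 204\r\n"
                f"Encapsulated: {encapsulated}\r\n\r\n").encode("ascii")
    # The encapsulated body is always sent with chunked framing.
    chunked = b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body)
    return icap_hdr + req_hdr + res_hdr + chunked, offsets


def classify_reply(raw):
    """Map the ICAP status line to 'unmodified', 'modified' or 'error'."""
    parts = raw.split(b"\r\n", 1)[0].split()
    if len(parts) < 2 or not parts[0].startswith(b"ICAP/"):
        return "error"
    # 204: object passed through unchanged; 200: the service returned a
    # modified or replacement response (assumed outcome for a blocked file).
    return {b"204": "unmodified", b"200": "modified"}.get(parts[1], "error")


if __name__ == "__main__":
    message, _ = build_respmod(SERVICE, REQ_HDR, RES_HDR, BODY)
    print(message.decode("ascii"))
```

Sending the message to 127.0.0.1:1344 and passing the reply to classify_reply checks the scanner without Squid in the path; using the test file from step 14 as the body exercises the detection path.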