4. squid.conf

The four files to check for, which are the most important for us, are:

Warning

The ncsa_auth authentication program does not do MD5 encryption by default; it uses CRYPT encryption. There are two other ways of supporting MD5 encryption that I am aware of, but as we are quite happy without it, we will not use either. You can apply a patch for ncsa_auth that was written by Martin Houston of Smoothwall in May 2003, or download another authentication program called squidauth.

squid.conf is heavily commented, so most options are self-explanatory. I will show only the main ones changed or added here. The squid.conf shown below does not have the squidGuard option added yet. It will be added in Section 6, “Installing and configuring SquidGuard”.

		
#Changed by GH 24/09/03 - Default is off:
emulate_httpd_log on

# Added by GH 24/09/03 for user authentication
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Suretec Proxy Server - ALL ACCESS IS STRICTLY MONITORED
auth_param basic credentialsttl 2 hours

# Uncommented by GH 24/09/03 for password authentication and blocking exe zip gz bz2 mp3 mpg mpeg ram rpm avi plus more
acl password proxy_auth REQUIRED
acl download urlpath_regex -i "/etc/squid/denydownload.txt"
acl POST method POST

# GH 24/09/03
acl suretecsystems.private src 192.168.210.0
acl suretecsystems.test src 192.168.100.0
acl Safe_ports port 80
		
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
                                                                                                                            
# Example rule allowing access from your local networks. Adapt
# to list your (internal) IP networks from where browsing should
# be allowed
# acl our_networks src 192.168.1.0/24 192.168.2.0/24
# http_access allow our_networks

# Used to block downloads and allow other users - GH 07/01/03
http_access deny download !POST
http_access allow suretecsystems.private
http_access allow suretecsystems.test password
                                                                                                                            
# And finally deny all other access to this proxy
http_access allow localhost
http_access deny all
                                                                                                                            
visible_hostname suretecsystemsproxy

Example 1. Changes in squid.conf

You will notice the line acl download urlpath_regex -i "/etc/squid/denydownload.txt", which points squid to a text file listing the file extensions we wish to block. Each line of that file is a regular expression matched against the URL path, and -i makes the match case-insensitive. The ownership of this file needs to be set to squid using the usual command:

chown squid:squid /etc/squid/denydownload.txt

The general syntax required is:

\.exe$
\.zip$
\.gz$
\.bz2$
\.mp3$
\.avi$
\.mpg$
\.mpeg$
\.ram$
\.rpm$
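
The following script is an added example, not part of the original HOWTO: it checks which URL paths a deny list in the syntax above would match. It assumes grep -E -i is a close enough stand-in for squid's case-insensitive regex matching; the scratch file and sample paths are constructed for illustration.

```shell
#!/bin/sh
# Added example: test a urlpath_regex deny list against sample URL paths.
# Assumption: grep -E -i approximates squid's "urlpath_regex -i" matching.

# Constructed scratch copy of a few patterns from the list above
# (deliberately not /etc/squid/denydownload.txt).
DENYLIST=$(mktemp)
trap 'rm -f "$DENYLIST"' EXIT
cat > "$DENYLIST" <<'EOF'
\.exe$
\.zip$
\.mp3$
EOF

# would_block PATH -> exit status 0 if any pattern in the list matches PATH.
would_block() {
    printf '%s\n' "$1" | grep -E -i -q -f "$DENYLIST"
}

# report PATH... -> print one verdict line per path.
report() {
    for p in "$@"; do
        if would_block "$p"; then
            echo "DENY   $p"
        else
            echo "ALLOW  $p"
        fi
    done
}

# Constructed sample paths. The last one assumes the string being tested
# includes the query string: the $ anchor then no longer sits right after
# the extension, so the pattern does not match.
report /pub/setup.exe /pub/SETUP.EXE /music/track.mp3 \
       /docs/exercise.html /pub/archive.zip.html '/pub/setup.exe?mirror=1'
```

If the last case should also be denied, a pattern such as \.exe(\?.*)?$ matches the extension whether or not a query string follows it.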
	

Tip

Remember: password is the name of the proxy_auth acl defined above. If you do not add the word password to the end of your http_access line, then password authentication will not be called by squid.