44 Squid caching proxy server #
Squid is a widely used caching proxy server for Linux and Unix platforms. This means that it stores requested Internet objects, such as data on a Web or FTP server, on a machine that is closer to the requesting workstation than the server. It can be set up in multiple hierarchies to assure optimal response times and low bandwidth usage, even in modes that are transparent to end users.
Squid acts as a caching proxy server. It redirects object requests from clients (in this case, from Web browsers) to the server. When the requested objects arrive from the server, it delivers the objects to the client and keeps a copy of them in the hard disk cache. An advantage of caching is that several clients requesting the same object can be served from the hard disk cache. This enables clients to receive the data much faster than from the Internet. This procedure also reduces the network traffic.
Along with actual caching, Squid offers a wide range of features:
- Distributing load over intercommunicating hierarchies of proxy servers 
- Defining strict access control lists for all clients accessing the proxy server 
- Allowing or denying access to specific Web pages using other applications 
- Generating statistics about frequently visited Web pages for the assessment of surfing habits 
Squid is not a generic proxy server. It normally proxies only HTTP connections. It supports the protocols FTP, Gopher, SSL and WAIS, but it does not support other Internet protocols, such as the news protocol, or video conferencing protocols. Because Squid only supports the UDP protocol to provide communication between different caches, many multimedia programs are not supported.
44.1 Some facts about proxy servers #
As a caching proxy server, Squid can be used in several ways. When combined with a firewall, it can help with security. Multiple proxies can be used together. It can also determine what types of objects should be cached and for how long.
44.1.1 Squid and security #
It is possible to use Squid together with a firewall to secure internal networks from the outside. The firewall denies all clients access to external services except Squid. All Web connections must be established by the proxy server. With this configuration, Squid fully controls Web access.
If the firewall configuration includes a demilitarized zone (DMZ), the proxy server should operate within this zone. Section 44.6, “Configuring a transparent proxy” describes how to implement a transparent proxy. This simplifies the configuration of the clients, because in this case, they do not need any information about the proxy server.
44.1.2 Multiple caches #
Several instances of Squid can be configured to exchange objects between them. This reduces the total system load and increases the chances of retrieving an object from the local network. It is also possible to configure cache hierarchies, so a cache can forward object requests to sibling caches or to a parent cache—causing it to request objects from another cache in the local network, or directly from the source.
Choosing the appropriate topology for the cache hierarchy is important, because it is not desirable to increase the overall traffic on the network. For a very large network, it would make sense to configure a proxy server for every subnet and connect them to a parent proxy server, which in turn is connected to the caching proxy server of the ISP.
All this communication is handled by ICP (Internet cache protocol) running on top of the UDP protocol. Data transfers between caches are handled using HTTP (hypertext transmission protocol) based on TCP.
    To find the most appropriate server from which to request objects, a cache
    sends an ICP request to all sibling proxies. The sibling proxies answer
    these requests via ICP responses. If the object was detected, they use the
    code HIT, if not, they use MISS.
   
    If multiple HIT responses were found, the proxy server
    decides from which server to download, depending on factors such as which
    cache sent the fastest answer or which one is closer. If no satisfactory
    responses are received, the request is sent to the parent cache.
    
   
To avoid duplication of objects in different caches in the network, other ICP protocols are used, such as CARP (cache array routing protocol) or HTCP (hypertext cache protocol). The more objects maintained in the network, the greater the possibility of finding the desired object.
44.1.3 Caching Internet objects #
Many objects available in the network are not static, such as dynamically generated pages and TLS/SSL-encrypted content. Objects like these are not cached because they change each time they are accessed.
To determine how long objects should remain in the cache, objects are assigned one of several states. Web and proxy servers find out the status of an object by adding headers to these objects, such as “Last modified” or “Expires” and the corresponding date. Other headers specifying that objects must not be cached can be used as well.
Objects in the cache are normally replaced, because of a lack of free disk space, using algorithms such as LRU (last recently used). This means that the proxy expunges those objects that have not been requested for the longest time.
44.2 System requirements #
System requirements largely depend on the maximum network load that the system must bear. Therefore, examine load peaks, as during those times, load might be more than four times the day's average. When in doubt, slightly overestimate the system's requirements. Having Squid working close to the limit of its capabilities can lead to a severe loss in quality of service. The following sections point to system factors in order of significance:
- RAM size 
- CPU speed/physical CPU cores 
- Size of the disk cache 
- Hard disks/SSDs and their architecture 
44.2.1 RAM #
The amount of memory (RAM) required by Squid directly correlates with the number of objects in the cache. Random access memory is much faster than a hard disk/SSD. Therefore, it is important to have sufficient memory for the Squid process, because system performance is dramatically reduced if the swap disk is used.
Squid also stores cache object references and frequently requested objects in the main memory to speed up retrieval of this data. In addition to that, there is other data that Squid needs to keep in memory, such as a table with all the IP addresses handled, an exact domain name cache, the most frequently requested objects, access control lists, buffers and more.
44.2.2 CPU #
Squid is tuned to work best with lower processor core counts (4–8 physical cores), with each providing high performance. Technologies providing virtual cores such as hyperthreading can hurt performance.
To make the best use of multiple CPU cores, it is necessary to set up multiple worker threads writing to different caching devices. By default, multi-core support is mostly disabled.
44.2.3 Size of the disk cache #
    In a small cache, the probability of a HIT (finding the
    requested object already located there) is small, because the cache is
    easily filled and less requested objects are replaced by newer ones. If,
    for example, 1 GB is available for the cache and the users use up only
    10 MB per day surfing, it would take more than one hundred days to
    fill the cache.
   
The easiest way to determine the necessary cache size is to consider the maximum transfer rate of the connection. With a 1 Mbit/s connection, the maximum transfer rate is 128 KB/s. If all this traffic ended up in the cache, in one hour it would add up to 460 MB. Assuming that all this traffic is generated in only eight working hours, it would reach 3.6 GB in one day. Because the connection is normally not used to its upper volume limit, it can be assumed that the total data volume handled by the cache is approximately 2 GB. Hence, in this example, 2 GB of disk space is required for Squid to keep one day's worth of browsing data cached.
44.2.4 Hard disk/SSD architecture #
Speed plays an important role in the caching process, so this factor deserves special attention. For hard disks/SSDs, this parameter is described as random seek time or random read performance, measured in milliseconds. Because the data blocks that Squid reads from or writes to the hard disk/SSD tend to be small, the seek time/read performance of the hard disk/SSD is more important than its data throughput.
For use as a proxy server, hard disks with high rotation speeds or SSDs are the best choice. When using hard disks, it can be better to use multiple smaller hard disks, each with a single cache directory to avoid excessive read times.
Using a RAID system allows increasing reliability at expense of speed. However, for performance reasons, avoid (software) RAID5 and similar settings.
    In most cases, the choice of file system choice does not matter. However,
    using the mount option
    noatime can improve performance—Squid provides its
    own time stamps, so it does not need the file system to track access
    times.
   
44.3 Basic usage of Squid #
   Since squid is not installed by default on
   SUSE® Linux Enterprise Server, make sure the package is installed on your system.
  
   As Squid is preconfigured in SUSE Linux Enterprise Server, you can start it immediately
   after the installation. To avoid problems during the start-up, make sure that
   the network is connected to the Internet connection and has at least one
   name server. Using a dial-up connection with a dynamic DNS configuration may
   cause problems. In this case, specify at least the name server, as Squid does
   not start if it does not detect a DNS server in
   /var/run/netconfig/resolv.conf.
  
44.3.1 Starting Squid #
To start Squid, run the following command:
>sudosystemctl start squid
    To start Squid on system boot, enable the service
    with systemctl enable squid.
   
44.3.2 Checking whether Squid is working #
There are several ways to check whether Squid is running:
- Using - systemctl:- >- systemctl status squid- The output should indicate that Squid is - loadedand- active (running).
- Using Squid itself: - >- sudo- squid -k check | echo $?- The output should be - 0, but it can also contain additional messages, such as warnings.
To test the functionality of Squid on the local system, choose one of the following options:
- Use - squidclient, a command-line tool that outputs the response to a Web request, similar to- wgetor- curl.- Unlike - wgetor- curl,- squidclientautomatically connects to the default proxy setup of Squid,- localhost:3128. However, if you modified the configuration of Squid, you must configure- squidclientaccordingly. For more information, see- squidclient --help.Example 44.1: A request with- squidclient#- >- squidclient http://www.example.orgHTTP/1.1 200 OK Cache-Control: max-age=604800 Content-Type: text/html Date: Fri, 22 Jun 2016 12:00:00 GMT Expires: Fri, 29 Jun 2016 12:00:00 GMT Last-Modified: Fri, 09 Aug 2013 23:54:35 GMT Server: ECS (iad/182A) Vary: Accept-Encoding X-Cache: HIT x-ec-custom-error: 1 Content-Length: 1270 X-Cache: MISS from moon1 X-Cache-Lookup: MISS from moon:3128 Via: 1.1 moon (squid/3.5.16)2 Connection: close <!doctype html> <html> <head> <title>Example domain</title> [...] </body> </html>- The output shown in Example 44.1, “A request with - squidclient” consists of two parts:- The protocol headers of the response (the lines before the blank line). 
- The actual content of the response (the lines after the blank line). 
 - To verify that Squid is used, refer to the selected header lines: - The value of the header - X-Cacheshows that the requested document was not in the Squid cache (- MISS) of the computer- moon.- The example above contains two - X-Cachelines. The first- X-Cacheheader can be safely ignored, as it is produced by the internal caching software of the originating Web server.- The value of the header - Viashows the HTTP version, the name of the computer, and the version of Squid in use.
- Using a browser: Set up - localhostas the proxy and- 3128as the port. Then load a page and check the response headers in the panel of the browser's Inspector or Developer Tools. The headers should be reproduced similarly to the way shown in Example 44.1, “A request with- squidclient”.
    To allow users from the local system and other systems to access Squid and
    the Internet, change the entry in the configuration files
    /etc/squid/squid.conf from http_access deny
    all to http_access allow all. However, keep in
    mind that this makes Squid fully accessible to anyone. Therefore, define
    ACLs (access control lists) that control access to the proxy server. After
    modifying the configuration file, Squid must be reloaded or restarted. For
    more information on ACLs, see
    Section 44.5.2, “Options for access controls”.
   
    If Squid stops working after a short period of time, check whether there is
    an incorrect name server entry or whether the
    /var/run/netconfig/resolv.conf file is missing. Squid
    logs the cause of a start-up failure in the file
    /var/log/squid/cache.log.
   
44.3.3 Stopping, reloading, and restarting Squid #
There are two ways to reload Squid:
- Using - systemctl:- >- sudo- systemctlreload squid- or - >- sudo- systemctlrestart squid
- Using YaST: - In the Squid module, click the button. 
To stop Squid, use one of the following options:
- Using - systemctl:- >- sudo- systemctlstop squid
- Using YaST - In the Squid module click the . button. 
    Shutting down Squid can take a while, because Squid waits up to half a
    minute before dropping the connections to the clients and writing its data
    to the disk (see shutdown_lifetime option in
    /etc/squid/squid.conf),
   
     Terminating Squid with kill or
     killall can damage the cache. To be able to restart
     Squid, damaged caches must be deleted.
    
44.3.4 Removing Squid #
    Removing Squid from the system does not remove the cache hierarchy and log
    files. To remove them, delete the /var/cache/squid
    directory manually.
   
44.3.5 Local DNS server #
Setting up a local DNS server makes sense even if it does not manage its own domain. In that case, it acts as a caching-only name server, and it can also resolve DNS requests via the root name servers without requiring any special configuration (see Section 39.4, “Starting the BIND name server”). How this can be done depends on whether you chose dynamic DNS during the configuration of the Internet connection.
- Dynamic DNS
- Normally, with dynamic DNS, the DNS server is set by the provider when establishing the Internet connection and the local - /var/run/netconfig/resolv.conffile is adjusted automatically. This behavior is specified in the- /etc/sysconfig/network/configfile using the- NETCONFIG_DNS_POLICYsysconfig variable. Set- NETCONFIG_DNS_POLICYto- ""with the YaST sysconfig editor.- Then add the local DNS server in the - /var/run/netconfig/resolv.conffile with the IP address- 127.0.0.1for- localhost. This way, Squid can always find the local name server when it starts.- To make the provider's name server accessible, specify it in the configuration file - /etc/named.confunder- forwardersalong with its IP address. With dynamic DNS, this can be done automatically when establishing the connection by setting the sysconfig variable- NETCONFIG_DNS_POLICYto- auto.
- Static DNS
- With static DNS, no automatic DNS adjustments take place while establishing a connection, so there is no need to change any sysconfig variables. However, you must specify the local DNS server in the file - /var/run/netconfig/resolv.confas described in Dynamic DNS. Additionally, the provider's static name server must be specified manually in the- /etc/named.conffile under- forwardersalong with its IP address.
If you have a firewall running, make sure DNS requests can pass through it.
44.4 The YaST Squid module #
The YaST Squid module contains the following tabs:
- Specifies how Squid is started and which firewall port is open in which interfaces. 
- Define all ports for Squid to listen for HTTP requests from clients. 
- Defines how Squid treats objects in the cache. 
- Defines settings related to cache memory, maximum and minimum object size, and more. 
- Defines the top-level directory for Squid to store cache swap files. 
- Controls the access to the Squid server via ACL groups. 
- Define paths to access, cache, and cache store log files and connection timeouts and client lifetime. 
- Specifies language and mail address of administrator. 
44.5 The Squid configuration file #
   Squid proxy server settings are stored in the
   /etc/squid/squid.conf file. Although starting Squid for
   the first time does not require any changes to the file, external clients are
   initially denied access. The proxy is available for
   localhost. The default port is
   3128. The preinstalled configuration file
   /etc/squid/squid.conf provides detailed information
   about the options and many examples.
  
   Many entries are disabled using the comment character
   #. The relevant specifications can be found at the end of
   the line. The given values usually correlate with the default values, so
   removing the comment signs without changing any of the parameters usually
   has no effect. If possible, leave the commented lines as they are and insert
   the options along with the modified values in the line below. This way, the
   default values may easily be recovered and compared with the changes.
  
    If you have updated from an earlier Squid version, it is recommended to
    edit the new /etc/squid/squid.conf and only apply the
    changes made in the previous file.
   
    Sometimes, Squid options are added, removed or modified. Therefore, if you
    try to use the old squid.conf, Squid might stop
    working properly.
   
44.5.1 General configuration options #
    The following is a list of a selection of configuration options for Squid.
    It is not exhaustive. The Squid package contains a full, lightly documented
    list of options in /etc/squid/squid.conf.documented.
   
- http_port PORT
- This is the port on which Squid listens for client requests. The default port is - 3128, but- 8080is also common.
- cache_peer HOST_NAME TYPE PROXY_PORT ICP_PORT
- This option allows creating a network of caches that work together. The cache peer is a computer that also hosts a network cache and stands in a relationship to your own. The type of relationship is specified as the TYPE. The type can either be - parentor- sibling.- As the HOST_NAME, specify the name or IP address of the proxy server to use. For PROXY_PORT, specify the port number for use in a browser (usually - 8080). Set ICP_PORT to- 7or, if the ICP port of the parent is not known and its use is irrelevant to the provider, to- 0.- To make Squid behave like a Web browser instead of a proxy server, disable the use of the ICP protocol by appending the options - defaultand- no-query.
- cache_mem SIZE
- This option defines the amount of memory Squid can use for the most frequent replies. The default is - 8 MB. This does not specify the memory usage of Squid and may be exceeded.
- cache_dir STORAGE_TYPE CACHE_DIRECTORY CACHE_SIZE LEVEL_1_DIRECTORIES LEVEL_2_DIRECTORIES
- The option - cache_dirdefines the directory for the disk cache. In the default configuration on SUSE Linux Enterprise Server, Squid does not create a disk cache.- The placeholder STORAGE_TYPE can be one of the following: - Directory-based storage types: - ufs,- aufs(the default),- diskd. All three are variations of the storage format- ufs. However, while- ufsruns as part of the core Squid thread,- aufsruns in a separate thread, and- diskduses a separate process. This means that the latter two types avoid blocking Squid because of disk I/O.
- Database-based storage systems: - rock. This storage format relies on a single database file, in which each object takes up one or more memory units of a fixed size (“slots”).
 - In the following, only the parameters for storage types based on - ufswill be discussed.- rockhas different parameters.- The CACHE_DIRECTORY is the directory for the disk cache. By default, that is - /var/cache/squid. CACHE_SIZE is the maximum size of that directory in megabytes; by default, this is set to 100 MB. Set it to between 50% and a maximum of 80% of available disk space.- The LEVEL_1_DIRECTORIES and LEVEL_2_DIRECTORIES values specify how many subdirectories are created in the CACHE_DIRECTORY. By default, 16 subdirectories are created at the first level below CACHE_DIRECTORY and 256 within each of these. These values should only be increased with caution, because creating too many directories can lead to performance problems. - If you have several disks that share a cache, specify several - cache_dirlines.
- cache_access_log LOG_FILE,- cache_log LOG_FILE,- cache_store_log LOG_FILE
- These three options specify the paths where Squid logs all its actions. Normally, nothing needs to be changed here. If Squid is under heavy load, it might make sense to distribute the cache and the log files over several disks. 
- client_netmask NETMASK
- This option allows masking IP addresses of clients in the log files by applying a subnet mask. For example, to set the last digit of the IP address to - 0, specify- 255.255.255.0.
- ftp_user E-MAIL
- This option allows setting the password that Squid should use for anonymous FTP login. Specify a valid e-mail address here, as some FTP servers check these for validity. 
- cache_mgr E-MAIL
- When Squid crashes, it sends a message to the specified e-mail address. The default is webmaster. 
- logfile_rotate VALUE
- When used with - squid- -k rotate,- squidrotates log files. The files are numbered and, after reaching the specified value, the oldest file is overwritten. The default value is- 10which rotates log files with the numbers 0 to 9.- However, on SUSE Linux Enterprise Server, rotating log files is performed automatically using - logrotateand the configuration file- /etc/logrotate.d/squid.
- append_domain DOMAIN
- Use append_domain to specify which domain to append automatically when none is given. Usually, your own domain is specified here, so pointing the browser to www navigates to your own Web server. 
- forwarded_for STATE
- If this option is set to - on, it adds a line to the header similar to this:- X-Forwarded-For: 192.168.0.1 - If you set this option to - off, Squid removes the IP address and the system name of the client from HTTP requests.
- negative_ttl TIME,- negative_dns_ttl TIME
- If these options are configured, Squid caches certain types of failures, such as - 404responses. It then refuses to issue new requests, even if the resource becomes available.- By default, - negative_ttlis set to- 0,- negative_dns_ttlis set to- 1 minutes. This means that negative responses to Web requests are not cached by default, while negative responses to DNS requests are cached for 1 minute.
- never_direct allow ACL_NAME
- To prevent Squid from accepting requests directly from the Internet, use the option - never_directto force connection to another proxy server. This must have previously been specified in- cache_peer. If- allis specified as the ACL_NAME, all requests are forwarded directly to the- parent. This can be necessary, for example, if you are using a provider that dictates the use of its proxies or denies its firewall direct Internet access.
44.5.2 Options for access controls #
    Squid can control the access to the proxy server through Access Control
    Lists (ACL), lists with rules that are processed sequentially. ACLs must be
    defined before they can be used. Squid includes default ACLs, such as
    all and
    localhost. However, for an ACL to take effect, it must
    have a corresponding http_access rule.
   
    The syntax for the option acl is as follows:
   
acl ACL_NAME TYPE DATA
The placeholders within this syntax stand for the following:
- ACL_NAME can be any name. 
- For TYPE, select from the options available in the - ACCESS CONTROLSsection of the- /etc/squid/squid.conffile.
- The specification for DATA depends on the individual ACL type, for example host names, IP addresses, or URLs. 
To add rules in the YaST Squid module, open the module and click the tab. Click under the ACL Groups list and enter the name of your rule, the type, and its parameters.
For more information on types of ACL rules, see the Squid documentation at http://www.squid-cache.org/Versions/v3/3.5/cfgman/acl.html.
acl mysurfers srcdomain .example.com 1 acl teachers src 192.168.1.0/255.255.255.0 2 acl students src 192.168.7.0-192.168.9.0/255.255.255.0 3 acl lunch time MTWHF 12:00-15:00 4
| 
       This ACL defines  | |
| 
       This ACL defines  | |
| 
       This ACL defines  | |
| 
       This ACL defines  | 
- http_access allow ACL_NAME
- http_accessdefines who is allowed to use the proxy server and who can access what on the Internet. You need to define ACLs for this. The- localhostand- allACLs have already been defined above, and you can deny or allow access to them via- denyor- allow. A list containing any number of- http_accessentries can be created, processed from top to bottom. Depending on which occurs first, access is allowed or denied to the respective URL. The last entry should always be- http_access deny all. In the following example,- localhosthas free access to everything, while all other hosts are denied access:- http_access allow localhost http_access deny all - In another example using these rules, the group - teachersalways has access to the Internet. The group- studentsonly has access between Monday and Friday during lunch time:- http_access deny localhost http_access allow teachers http_access allow students lunch time http_access deny all - For better readability, specify all - http_accessoptions as a block in the configuration file- /etc/squid/squid.conf.
- url_rewrite_program PATH
- Use this option to specify a URL rewriter. 
- auth_param basic program PATH
- If users must be authenticated on the proxy server, set a corresponding program, such as - /usr/sbin/pam_auth. When accessing- pam_authfor the first time, the user is prompted to provide a user name and a password. In addition to that, you need an ACL, so only clients with a valid login can use the Internet:- acl password proxy_auth REQUIRED http_access allow password http_access deny all - In the - acl proxy_authoption, using- REQUIREDmeans that all valid user names are accepted.- REQUIREDcan also be replaced with a list of permitted user names.
- ident_lookup_access allow ACL_NAME
- Use this option to enable an ident request action to find each user's identity for all clients defined by an ACL of the type - src. To enable this for all clients, apply the predefined ACL- allas the ACL_NAME.- All clients specified by - ident_lookup_accessmust run an ident daemon. On Linux, you can use- pidentd(package pidentd) as the ident daemon. To ensure that only clients with a successful ident lookup are permitted, define a corresponding ACL:- acl identhosts ident REQUIRED http_access allow identhosts http_access deny all - Setting the - acl identhosts identoption to- REQUIREDensures that all valid user names are accepted.- REQUIREDcan also be replaced with a list of permitted user names.- Using - identcan slow down access time, because ident lookups are repeated for each request.
44.6 Configuring a transparent proxy #
A transparent proxy intercepts and answers the requests of the Web browser, so the Web browser receives the requested pages without knowing where they are coming from. As the name indicates, the entire process is transparent to the user.
The standard way of working with proxy servers is as follows: the Web browser sends requests to a certain port of the proxy server and the proxy always provides these required objects, regardless of whether they are in its cache. However, in the following cases using the transparent proxy mode of Squid makes sense:
- When for security reasons it is desirable for all clients to use a proxy server to access the Internet. 
- When all clients must use a proxy server, regardless of whether they are aware of it. 
- When the proxy server in a network is moved, but the existing clients need to retain their old configuration. 
- In - /etc/squid/squid.conf, add the parameter- transparentto the line- http_port. You should then have 2 lines:- http_port 3128⎄ http_port 3128 transparent 
- Restart Squid: - >- sudo- systemctl restart squid
- Set up the firewall to redirect HTTP traffic to the port given in - http_proxy(in the example above, it is port 3128). Then reload the firewall configuration. This assumes that the zone- internalis assigned to your LAN interface.- >- sudo- firewall-cmd--permanent --zone=internal \ --add-forward-port=port=80:proto=tcp:toport=3128:toaddr=LAN_IP- >- sudo- firewall-cmd--permanent --zone=internal --add-port=3128/tcp- >- sudo- firewall-cmd--reload- Replace LAN_IP with the IP address of your LAN interface or the interface Squid is listening on. 
- To verify that everything is working properly, check the Squid log files in - /var/log/squid/access.log.
44.7 Using the Squid cache manager CGI interface (cachemgr.cgi) #
   The Squid cache manager CGI interface (cachemgr.cgi) is
   a CGI utility for displaying statistics about the memory usage of a running
   Squid process. It also provides a convenient way to manage the cache and view
   statistics without logging the server.
  
cachemgr.cgi #- Make sure the Apache Web server is running on your system. Configure Apache as described in Chapter 42, The Apache HTTP server. In particular, see Section 42.5, “Enabling CGI scripts”. To check whether Apache is already running, use: - >- sudo- systemctl status apache2- If the status is - inactive, start Apache with the SUSE Linux Enterprise Server default settings:- >- sudo- systemctl start apache2
- Now enable - cachemgr.cgiin Apache. To do this, create a configuration file for a- ScriptAlias.- Create the file in the directory - /etc/apache2/conf.dand name it- cachemgr.conf. Add the following to the file:- ScriptAlias /squid/cgi-bin/ /usr/lib64/squid/ <Directory "/usr/lib64/squid/"> Options +ExecCGI AddHandler cgi-script .cgi Require host HOST_NAME </Directory> - Replace HOST_NAME with the host name of the computer you want to access - cachemgr.cgifrom. This allows only your computer to access- cachemgr.cgi. To allow access from anywhere, use- Require all grantedinstead.
- If Squid and the Apache Web server run on the same computer, the - /etc/squid/squid.confconfiguration file requires no modifications. However, verify that the file contains the following lines:- http_access allow manager localhost http_access deny manager - This allows you to access the manager interface from your computer ( - localhost) only.
- If Squid and the Apache Web server run on different computers, you need to add extra rules to allow access from the CGI script to Squid. Define an ACL for the server (replace WEB_SERVER_IP with the IP address of the Web server): - acl webserver src WEB_SERVER_IP/255.255.255.255 - Make sure the following rules are in the configuration file. Keep in mind that the order is important. - http_access allow manager localhost http_access allow manager webserver http_access deny manager 
 
- (Optional) Optionally, you can configure one or more passwords for - cachemgr.cgi. This also gives you access to more actions such as closing the cache remotely or viewing more information about the cache. To enable access, configure the options- cache_mgrand- cachemgr_passwdwith one or more password for the manager and a list of allowed actions.- The following example configuration enables viewing the index page, the menu, and 60-minute average of counters without authentication. The configuration also enables toggling offline mode using the password - secretpasswordand to disable everything else.- cache_mgr user cachemgr_passwd none index menu 60min cachemgr_passwd secretpassword offline_toggle cachemgr_passwd disable all - cache_mgrdefines a user name.- cache_mgrdefines which actions are allowed using which password.- The keywords - noneand- disableare special:- noneremoves the need for a password,- disabledisables functionality outright.- The full list of actions can be best seen after logging in to - cachemgr.cgi. To find out how the operation needs to be referenced in the configuration file, see the string after- &operation=in the URL of the action page.- allis a special keyword meaning all actions.
- Reload Squid and Apache to enable the changes: - >- sudo- systemctl reload squid
- To view the statistics, go to the - cachemgr.cgipage that you set up before. For example, it could be- http://webserver.example.org/squid/cgi-bin/cachemgr.cgi.- Choose the right server. If a user name and password are configured, specify them. Click and browse through the available statistics. 
44.8 Cache report generation with Calamaris #
   Calamaris is a Perl script for generating reports of cache activity in ASCII
   or HTML format. It works with native Squid access log files. This tool does
   not belong to the SUSE Linux Enterprise Server default installation scope—to use it,
   install the
   calamaris package. Further info on Calamaris is
   available at https://cord.de/calamaris-english.
  
   Log in as root, then enter:
  
# cat access1.log [access2.log access3.log] | calamaris OPTIONS > reportfile
   When using more than one log file, make sure they are ordered
   chronologically, with older files listed first. This can be done either by
   listing the files one after the other as in the example above or by using
   access{1..3}.log.
  
   calamaris accepts the following options:
  
- -a
- output all available reports 
- -w
- output as HTML report 
- -l
- include a message or logo in report header 
   Further information about options can be found in the program's
   manual page with man calamaris.
  
A typical example is:
# cat access.log.{10..1} access.log | calamaris -a -w \
> /usr/local/httpd/htdocs/Squid/squidreport.htmlThis saves the report in the directory of the Web server. Apache is required to view the reports.
44.9 More Information #
Visit the home page of Squid at http://www.squid-cache.org/. Here, find the “Squid User Guide” and a very extensive collection of FAQs on Squid.
In addition, mailing lists are available for Squid at http://www.squid-cache.org/Support/mailing-lists.html.