Squid: The Definitive Guide by Duane Wessels. Published by O'Reilly Media, Inc., 2004.

Appendix F. Configuring Squid Clients

This appendix contains information on setting up various browsers and user-agents to use Squid. Although it is more extensively covered in my O’Reilly book Web Caching, I’ll include some brief instructions here.

I have instructions for the following HTTP user-agents: Internet Explorer v6, Konqueror v3, Lynx v2.8, Netscape v7 a.k.a. Mozilla v5, Opera v7, libwww-perl v5, Python’s urllib/urllib2, and Wget v1.8. If you think this is all a huge hassle, consider using HTTP interception, as described in Chapter 9.

Manually

Web browsers and other HTTP-based user-agents have methods for explicitly setting a proxy address. For large organizations, this is a real hassle. You may simply have too many desktops to visit one at a time. Additionally, this approach isn’t as flexible as the others. For example, you can’t temporarily stop the flow of requests to the proxy or easily bypass the cache for certain troublesome sites.

Browsers usually give you the option to send HTTPS URLs to a proxy. Squid can handle HTTPS requests, although it can’t cache the responses. Squid simply tunnels the encrypted traffic. Thus, you should configure the browser to proxy HTTPS requests only if your firewall prevents direct connections to secure sites.

Netscape/Mozilla

To manually configure proxies with Netscape and Mozilla, follow this sequence of menus:

  • Edit

  • Preferences

  • Advanced

  • Proxies

  • Manual proxy configuration

  • Fill in the HTTP Proxy address and Port fields. Enter the same values for FTP Proxy if you like.

Explorer

To manually configure proxies in Internet Explorer, select the following sequence of menus:

  • View from the main window menu

  • Internet Options

  • Connections tab

  • LAN Settings

  • Enable Use a proxy server and enter its address in the Address and Port fields

The Advanced button opens a new window in which you can enter different proxy addresses for different protocols (HTTP, FTP, etc.).

Konqueror

You can manually configure proxies in Konqueror by clicking on the following sequence of menus:

  • Settings

  • Configure Konqueror

  • Proxies & Cache

  • Use Proxy

  • Fill in the address for HTTP Proxy, and Port. Use the same values for other protocols if you like.

Opera

Here’s how to find the proxy configuration screen in Opera browsers:

  • File

  • Preferences

  • Network

  • Proxy Servers

  • Enter an IP address (or hostname) and port number for HTTP, FTP, and other protocols as necessary.

Lynx

The Lynx browser uses a configuration file, typically /usr/local/etc/lynx.cfg. There you’ll find a number of settings for proxies. For example:

http_proxy:http://proxy.example.com:3128/
https_proxy:http://proxy.example.com:3128/
ftp_proxy:http://proxy.example.com:3128/

Lynx also accepts proxy configuration via environment variables, as described in the next section.

Environment Variables

Some browsers and other user-agents look for proxy settings in environment variables. Note that the variable names are lowercase, unlike most environment variable names:

csh% setenv http_proxy http://proxy.example.com:3128/
csh% setenv ftp_proxy http://proxy.example.com:3128/

sh$ http_proxy=http://proxy.example.com:3128/
sh$ ftp_proxy=http://proxy.example.com:3128/
sh$ export http_proxy ftp_proxy

I’ve convinced myself that the following products and packages check for these environment variables:

  • Opera

  • Lynx

  • Wget

  • Python’s urllib and urllib2

  • libwww-perl

Proxy Auto-Configuration

Proxy Auto-Configuration is a technique that allows more control over the way user-agents select a proxy. The configuration file is simply a text file containing a JavaScript function. Browsers download the configuration file when they start up and then evaluate the function before each request. The function’s return value determines where the request is sent.

Proxy Auto-Configuration is attractive because it gives the network administrator more control. For example, you can temporarily disable your caching service, implement load balancing, or migrate the service to new systems. Additionally, the function can return a list of proxy addresses, which the browser tries in sequence. If the first is unavailable, it tries the second, and so on.

The following browsers support Proxy Auto-Configuration:

  • Internet Explorer

  • Opera

  • Netscape

  • Konqueror

  • Mozilla

All these browsers have a place in which you can type in the Proxy Auto-Configuration URL. You’ll find it in the same place as the manual proxy settings, described earlier in Section F.1. Configuring hundreds or thousands of workstations is a real hassle, which is why a handful of companies came up with WPAD, described in the next section.

Writing a Proxy Auto-Configuration function is relatively straightforward. The function, named FindProxyForURL, takes two arguments and returns a list of proxy addresses, separated by semicolons. The word DIRECT instructs the browser to forward the request directly to the origin server, rather than to a proxy. Here is a simple example:

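function FindProxyForURL(url, host) {
    // Single-component hostnames (no dots) go straight to the origin server
    if (isPlainHostName(host))
        return "DIRECT";
    // Let the browser itself report names that are not in the DNS
    if (!isResolvable(host))
        return "DIRECT";
    // HTTP and FTP go to the proxy, with DIRECT as the fallback
    if (url.substring(0, 5) == "http:")
        return "PROXY 172.16.5.1:3128; DIRECT";
    if (url.substring(0, 4) == "ftp:")
        return "PROXY 172.16.5.1:3128; DIRECT";
    return "DIRECT";
}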

The first if statement makes the browser connect directly to the origin server if the user types a single-component hostname, such as www. This is generally a good idea because the browser’s interpretation of the hostname might be different from the proxy’s. The second if statement ensures that the hostname exists in the DNS. If not, the user sees an error message from the browser itself, rather than from Squid. The next two if statements return a proxy address, followed by DIRECT for HTTP and FTP URLs. If the proxy doesn’t respond, the browser attempts to make a direct connection to the origin server.

Warning

If you have a firewall in place, the browser probably won’t be able to make a direct connection.

After writing the function, save it somewhere in your web server’s data directory. Next, you need to configure the server to return a specific content type for the file. The convention is to give the file a .pac extension, such as proxy.pac. Then, ensure that the HTTP server returns the content type application/x-ns-proxy-autoconfig. With Apache, you can add this line to your server config file:

AddType application/x-ns-proxy-autoconfig .pac

Refer to Section 4.3 of Web Caching (O’Reilly) for more information on Proxy Auto-Configuration files, including more complicated FindProxyForURL ideas and examples.
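
The load balancing, failover list, temporary disabling, and bypass of troublesome sites mentioned earlier in this section can be combined in one function. The following is an added example, not code from the book. The second proxy address, the bypass domain, and the CACHE_ENABLED switch are assumptions, and the three helper functions are stand-ins for the ones a browser's PAC engine supplies, included only so the file runs under Node.

```javascript
// Constructed values: the second proxy and the bypass domain are assumptions.
var PROXIES = ["172.16.5.1:3128", "172.16.5.2:3128"];
var BYPASS_DOMAINS = [".troublesome.example"];
var CACHE_ENABLED = true;   // set to false to send every request DIRECT

// Stand-ins for helpers the browser's PAC engine normally provides, so the
// file also runs under Node. Leave them out of the deployed proxy.pac.
var RESOLVABLE = { "www.example.com": 1, "ftp.example.net": 1,
                   "app.troublesome.example": 1 };   // constructed DNS view
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function isResolvable(host) { return RESOLVABLE.hasOwnProperty(host); }
function dnsDomainIs(host, domain) {
    return host.length >= domain.length &&
           host.substring(host.length - domain.length) === domain;
}

// Order the proxies so a given hostname always prefers the same one, which
// spreads load and keeps each cache's contents distinct. The remaining
// proxies, then DIRECT, form the failover list the browser tries in sequence.
function proxyListFor(host) {
    var sum = 0;
    for (var i = 0; i < host.length; i++)
        sum += host.charCodeAt(i);
    var parts = [];
    for (var j = 0; j < PROXIES.length; j++)
        parts.push("PROXY " + PROXIES[(sum + j) % PROXIES.length]);
    parts.push("DIRECT");
    return parts.join("; ");
}

function FindProxyForURL(url, host) {
    host = host.toLowerCase();
    if (!CACHE_ENABLED)
        return "DIRECT";
    if (isPlainHostName(host) || !isResolvable(host))
        return "DIRECT";
    for (var i = 0; i < BYPASS_DOMAINS.length; i++)
        if (dnsDomainIs(host, BYPASS_DOMAINS[i]))
            return "DIRECT";
    // https: URLs fall through to DIRECT, since Squid can only tunnel them
    if (url.substring(0, 5) == "http:" || url.substring(0, 4) == "ftp:")
        return proxyListFor(host);
    return "DIRECT";
}
```

As the earlier warning says, the trailing DIRECT entry only helps where the firewall permits direct connections.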

WPAD

The Web Proxy Auto Discovery (WPAD) protocol is a technique for user-agents to find a nearby caching proxy automatically. The idea is relatively simple. The protocol provides a number of methods for generating a URL that refers to a Proxy Auto-Configuration file. Those methods include DHCP, DNS lookups, and SLP (the Service Location Protocol).

DHCP is the first method the user-agent should try. It sends a query for “option 252” to a local DHCP server. The response is a string: the URL. Here’s how to configure ISC’s DHCP server for WPAD:

option wpad code 252 = text;
option wpad "http://172.16.1.1/proxy.pac";

The second method is SLP. However, its implementation is optional. I do not know if any user-agents actually support WPAD via SLP.

DNS is the last resort. The protocol specification outlines a number of DNS techniques a user-agent might use to find a wpad.dat URL. The most straightforward technique is to perform an address lookup for the hostname wpad in the local domain. For example, if the system’s hostname is orion.example.com, the agent requests the IP address of wpad.example.com. If the lookup is successful, the agent makes a TCP connection to that address on port 80 and requests /wpad.dat.

To make this work in Apache, you need to set the content type for the wpad.dat file like this:

AddType application/x-ns-proxy-autoconfig .dat

This may have negative side effects if your server has other files that end with .dat. One trick some people use is to redirect requests for wpad.dat to proxy.pac, with commands like this in httpd.conf:

Redirect /wpad.dat http://wpad.example.com/proxy.pac

Note that you probably won’t be able to set up a separate virtual host for the wpad name in your domain. This is because some user-agents set the Host header to the IP address, rather than the hostname. The following is an example.

GET /wpad.dat HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Host: 206.168.0.13

WPAD is enabled by default in Microsoft Internet Explorer. Konqueror also supports WPAD but disables it by default. You can enable WPAD in Konqueror by visiting the proxy configuration page (described in Section F.1) and selecting Auto Configure Proxy. Although the current stable versions of Netscape (v7.02) and Mozilla (v5.0) don’t implement WPAD, future versions will.

Summary

Table F-1 summarizes the various proxy configuration options for the user-agents mentioned in this appendix.

Table F-1. Proxy configuration techniques for popular user-agents

User agent        Manual  Environment  PAC  WPAD
Explorer          Yes     No           Yes  Yes
Konqueror         Yes     No           Yes  Yes
libwww-perl       N/A     Yes          No   No
Lynx              Yes     Yes          No   No
Netscape/Mozilla  Yes     No           Yes  No
Opera             Yes     Yes          Yes  No
Wget              N/A     Yes          No   No