“main” (Installation and Administration) — 2004/6/25 — 13:29 — page 600 — #626
25.3 Proxy Server: Squid
Squid is a widely used proxy cache for Linux and UNIX platforms. This
section discusses its configuration, the settings required to get it running,
how to configure the system for transparent proxying, how to gather
statistics about cache usage with the help of programs like Calamaris
and cachemgr, and how to filter web content with squidGuard.
25.3.1 Squid as Proxy Cache
Squid acts as a proxy cache. It redirects object requests from clients (in this
case from web browsers) to the server. When the requested objects arrive
from the server, it delivers the objects to the client and keeps a copy of
them in the hard disk cache. One of the advantages of caching is that
several clients requesting the same object can be served from the hard disk
cache. This enables clients to receive the data much faster than from the
Internet. This procedure also reduces the network traffic.
Apart from the actual caching, Squid offers a wide range of features, such
as distributing the load over intercommunicating hierarchies of proxy
servers, defining strict access control lists for all clients accessing the proxy,
allowing or denying access to specific web pages with the help of other
applications, and generating statistics about frequently visited web pages for
the assessment of the users' surfing habits. Squid is not a generic proxy. It
normally proxies only HTTP connections. It also supports the protocols
FTP, Gopher, SSL, and WAIS, but it does not support other Internet
protocols, such as Real Audio, news, or video conferencing. Because Squid
supports only the UDP protocol for communication between different
caches, many other multimedia programs are not supported.
25.3.2 Some Facts about Proxy Caches
Squid and Security
It is also possible to use Squid together with a firewall to secure internal
networks from the outside using a proxy cache. The firewall denies all
clients access to external services except Squid. All web connections must
be established by way of the proxy.
If the firewall configuration includes a DMZ, the proxy should operate
within this zone. In this case, it is important that all computers in the DMZ
send their log files to hosts inside the secure network. The possibility of
implementing a transparent proxy is covered in Section 25.3.6 on page 610.
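
The proxy-only egress policy described above (the firewall denies every client except Squid) can be checked mechanically. The following is an added example, not part of the original manual: it models a first-match ruleset for outbound traffic and reports clients that can reach web ports without going through the proxy. The addresses, the rule tuple format, and the function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample values (assumptions, not from the manual)
PROXY = ipaddress.ip_address("192.0.2.10")      # Squid host in the DMZ
INTERNAL = ipaddress.ip_network("10.0.0.0/24")  # internal client network


def first_match(rules, src, dport):
    """Return the action of the first rule matching (src, dport); default deny."""
    for action, net, ports in rules:
        if src in ipaddress.ip_network(net) and (ports is None or dport in ports):
            return action
    return "deny"


def egress_violations(rules, proxy=PROXY, clients=INTERNAL, ports=(21, 80, 443)):
    """List the points where a ruleset departs from proxy-only egress."""
    findings = []
    for port in ports:
        # The proxy itself must be able to fetch objects from external servers.
        if first_match(rules, proxy, port) != "allow":
            findings.append(f"proxy {proxy} blocked on port {port}")
        # No other client may reach external services directly.
        for host in clients.hosts():
            if host != proxy and first_match(rules, host, port) == "allow":
                findings.append(f"client {host} bypasses proxy on port {port}")
                break  # one finding per port is enough
    return findings


# Constructed rulesets for outbound traffic:
# (action, source network, destination ports or None for any port)
STRICT = [
    ("allow", "192.0.2.10/32", {21, 80, 443}),
    ("deny", "0.0.0.0/0", None),
]
LEAKY = [
    ("allow", "10.0.0.0/24", {443}),  # broad allow placed before the deny
    ("allow", "192.0.2.10/32", {21, 80, 443}),
    ("deny", "0.0.0.0/0", None),
]

if __name__ == "__main__":
    for name, rules in (("STRICT", STRICT), ("LEAKY", LEAKY)):
        print(name, egress_violations(rules) or "proxy-only egress enforced")
```

Because evaluation stops at the first matching rule, a single broad allow placed ahead of the final deny is enough to let clients bypass the proxy, and with it the access control lists and logging it provides.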