old-www/HOWTO/TransparentProxy-4.html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
 <META NAME="GENERATOR" CONTENT="SGML-Tools 1.0.9">
 <TITLE>Transparent Proxy with Linux and Squid mini-HOWTO: Setting up squid</TITLE>
 <LINK HREF="TransparentProxy-5.html" REL=next>
 <LINK HREF="TransparentProxy-3.html" REL=previous>
 <LINK HREF="TransparentProxy.html#toc4" REL=contents>
</HEAD>
<BODY>
<A HREF="TransparentProxy-5.html">Next</A>
<A HREF="TransparentProxy-3.html">Previous</A>
<A HREF="TransparentProxy.html#toc4">Contents</A>
<HR>
<H2><A NAME="s4">4. Setting up squid</A></H2>

<P>Now, we need to get squid up and running. Download the latest source tarball
from 
<A HREF="http://www.squid-cache.org">www.squid-cache.org</A>.
Make sure you get a STABLE version, not a DEVEL version.
The latest as of this writing was squid-2.4.STABLE4.tar.gz.  Note that AFAIK,
you must have squid-2.4 for linux kernel 2.4.  The reason is that the 
mechanism by which the process determines the original destination address
has changed from linux 2.2, and only squid-2.4 has this new code in it. (For those of you who are interested, previously the getsockname() call was hacked to provide the original destination address, but now the call is getsockopt() with a level of SOL_IP and an option of SO_ORIGINAL_DST).
<P>Now, untar and gunzip the archive (use ``tar -xzf &lt;filename&gt;'').
Run the autoconfiguration script and tell it to include netfilter code 
(``./configure --enable-linux-netfilter''), compile (``make'') and
then install (``make install''). 
<P>Now, we need to edit the default squid.conf file (installed to /usr/local/squid/etc/squid.conf, unless you changed the defaults). The squid.conf file is heavily
commented. In fact, some of the best documentation available for squid is in
the squid.conf file. After you get it all up and running, you should go back
and reread the whole thing. But for now, let's just get the minimum required.
Find the following directives, uncomment them, and change them to the 
appropriate values:
<P>
<UL>
<LI>httpd_accel_host virtual</LI>
<LI>httpd_accel_port 80</LI>
<LI>httpd_accel_with_proxy on </LI>
<LI>httpd_accel_uses_host_header on</LI>
</UL>
<P>Next, look at the cache_effective_user and cache_effective_group directives.
Unless the default nobody/nogroup has been created on your system (AFAIK, it
is not created out of the box on many popular distributions, including RH7.1),
you'll either need to create those, or create another username/group for
squid to run under.  I strongly recommend that you create a username/group of 
squid/squid and run under that, but you could use any existing user/group
if you want.  
<P>Finally, look at the http_access directive. The default is usually ``http_access
deny all''. This will prevent anyone from accessing squid. For now, you can
change this to ``http_access allow all'', but once it is working, you will
probably want to read the directions on ACLs (Access Control Lists), and setup
the cache such that only people on your local network (or whatever) can access
the cache. This may seem silly, but you should put some kind of restrictions
on access to your cache. People behind filtering firewalls (such as porn 
filters, or filters in nations where speech is not very free) often ``hijack'' onto
wide open proxies and eat up your bandwidth.
<P>Initialize the cache directories with ``squid -z'' (if this is a not a
new installation of squid, you should skip this step).
<P>Now, run squid using the RunCache script in the /usr/local/squid/bin/ directory.
If it works, you should be able to set your web browser's proxy settings to
the IP of the box and port 3128 (unless you changed the default port number)
and access squid as a normal proxy.
<P>For additional help configuring squid, see the squid FAQ at 
<A HREF="http://www.squid-cache.org">www.squid-cache.org</A><HR>
<A HREF="TransparentProxy-5.html">Next</A>
<A HREF="TransparentProxy-3.html">Previous</A>
<A HREF="TransparentProxy.html#toc4">Contents</A>
</BODY>
</HTML>