book

Squid: The Definitive Guide

Name: Squid: The Definitive Guide
Author: Duane Wessels
ISBN: 9780596001629

by Duane Wessels

January 2004

Intermediate to advanced

464 pages

14h 47m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Dedication
Preface
About This BookTopics Not CoveredRecommended ReadingConventions Used in This BookComments and QuestionsAcknowledgments
1. Introduction
1.1. Web Caching1.2. A Brief History of Squid1.3. Hardware and Operating System Requirements1.4. Squid Is Open Source1.5. Squid’s Home on the Web1.6. Getting Help1.6.1. Frequently Asked Questions1.6.2. Mailing Lists1.6.2.1. squid-users1.6.2.2. squid-announce1.6.2.3. squid-dev1.6.3. Professional Support1.7. Getting Started with Squid1.8. Exercises
2. Getting Squid
2.1. Versions and Releases2.2. Use the Source, Luke2.3. Precompiled Binaries2.4. Anonymous CVS2.5. devel.squid-cache.org2.6. Exercises
3. Compiling and Installing
3.1. Before You Start3.2. Unpacking the Source3.3. Pretuning Your Kernel3.3.1. File Descriptors3.3.1.1. FreeBSD, NetBSD, OpenBSD3.3.1.2. Linux3.3.1.3. Solaris3.3.2. Mbuf Clusters3.3.3. Ephemeral Port Range3.4. The configure Script3.4.1. configure Options3.4.2. Running configure3.5. make3.6. make Install3.7. Applying a Patch3.8. Running configure Later3.9. Exercises
4. Configuration Guide for the Eager
4.1. The squid.conf Syntax4.2. User IDs4.3. Port Numbers4.4. Log File Pathnames4.5. Access Controls4.6. Visible Hostname4.7. Administrative Contact Information4.8. Next Steps4.9. Exercises
5. Running Squid
5.1. Squid Command-Line Options5.2. Check Your Configuration File for Errors5.3. Initializing Cache Directories5.4. Testing Squid in a Terminal Window5.5. Running Squid as a Daemon Process5.5.1. The squid_start Script5.6. Boot Scripts5.6.1. /etc/rc.local5.6.2. init.d and rc.d5.6.3. /etc/inittab5.7. A chroot Environment5.8. Stopping Squid5.9. Reconfiguring a Running Squid Process5.10. Rotating the Log Files5.11. Exercises
6. All About Access Controls
6.1. Access Control Elements6.1.1. A Few Base ACL Types6.1.1.1. IP addresses6.1.1.2. Domain names6.1.1.3. Usernames6.1.1.4. Regular expressions6.1.1.5. TCP port numbers6.1.1.6. Autonomous system numbers6.1.2. ACL Types6.1.2.1. src6.1.2.2. dst6.1.2.3. myip6.1.2.4. dstdomain6.1.2.5. srcdomain6.1.2.6. port6.1.2.7. myport6.1.2.8. method6.1.2.9. proto6.1.2.10. time6.1.2.11. ident6.1.2.12. proxy_auth6.1.2.13. src_as6.1.2.14. dst_as6.1.2.15. snmp_community6.1.2.16. maxconn6.1.2.17. arp6.1.2.18. srcdom_regex6.1.2.19. dstdom_regex6.1.2.20. url_regex6.1.2.21. urlpath_regex6.1.2.22. browser6.1.2.23. req_mime_type6.1.2.24. rep_mime_type6.1.2.25. ident_regex6.1.2.26. proxy_auth_regex6.1.3. External ACLs6.1.4. Dealing with Long ACL Lists6.1.5. How Squid Matches Access Control Elements6.2. Access Control Rules6.2.1. Access Rule Syntax6.2.2. How Squid Matches Access Rules6.2.3. Access List Style6.2.4. Delayed Checks6.2.5. Slow and Fast Rule Checks6.3. Common Scenarios6.3.1. Allowing Local Clients Only6.3.2. Blocking a Few Misbehaving Clients6.3.3. Denying Pornography6.3.4. Restricting Usage During Working Hours6.3.5. Preventing Squid from Talking to Non-HTTP Servers6.3.6. Giving Certain Users Special Access6.3.7. Preventing Abuse from Siblings6.3.8. Denying Requests with IP Addresses6.3.9. An http_reply_access Example6.3.10. Preventing Cache Hits for Local Sites6.4. Testing Access Controls6.5. Exercises
7. Disk Cache Basics
7.1. The cache_dir Directive7.1.1. Scheme7.1.2. Directory7.1.3. Size7.1.3.1. Inodes7.1.3.2. The relationship between disk space and process size7.1.4. L1 and L27.1.5. Options7.1.5.1. read-only7.1.5.2. max-size7.2. Disk Space Watermarks7.3. Object Size Limits7.4. Allocating Objects to Cache Directories7.5. Replacement Policies7.6. Removing Cached Objects7.6.1. Removing Individual Objects7.6.2. Removing a Group of Objects7.6.3. Removing All Objects7.7. refresh_pattern7.8. Exercises
8. Advanced Disk Cache Topics
8.1. Do I Have a Disk I/O Bottleneck?8.2. Filesystem Tuning Options8.3. Alternative Filesystems8.4. The aufs Storage Scheme8.4.1. How aufs Works8.4.2. aufs Issues8.4.3. Monitoring aufs Operation8.5. The diskd Storage Scheme8.5.1. How diskd Works8.5.2. Compiling and Configuring diskd8.5.3. Monitoring diskd8.6. The coss Storage Scheme8.6.1. How coss Works8.6.2. Compiling and Configuring coss8.6.3. coss Issues8.7. The null Storage Scheme8.8. Which Is Best for Me?8.9. Exercises

9. Interception Caching
9.1. How It Works9.2. Why (Not) Intercept?9.3. The Network Device9.3.1. Inline Squid9.3.2. Layer Four Switches9.3.2.1. Alteon/Nortel9.3.2.2. Foundry9.3.2.3. Extreme Networks9.3.2.4. Cisco Arrowpoint9.3.2.5. A comment on HTTP servers and health checks9.3.3. Cisco Policy Routing9.3.4. Web Cache Coordination Protocol9.3.4.1. WCCPv19.3.4.2. WCCPv29.3.4.3. Debugging9.4. Operating System Tweaks9.4.1. Linux9.4.1.1. Linux and WCCP9.4.2. FreeBSD9.4.2.1. FreeBSD and WCCP9.4.3. OpenBSD9.4.3.1. OpenBSD and WCCP9.4.4. IPFilter on NetBSD and Others9.4.4.1. NetBSD and WCCP9.5. Configure Squid9.5.1. Configuring WCCPv19.6. Debugging Problems9.7. Exercises
10. Talking to Other Squids
10.1. Some Terminology10.2. Why (Not) Use a Hierarchy?10.3. Telling Squid About Your Neighbors10.3.1. cache_peer Options10.3.2. Neighbor State10.3.3. Altering the Relationship10.4. Restricting Requests to Neighbors10.4.1. cache_peer_access10.4.2. cache_peer_domain10.4.3. never_direct10.4.4. always_direct10.4.5. hierarchy_stoplist10.4.6. nonhierarchical_direct10.4.7. prefer_direct10.5. The Network Measurement Database10.6. Internet Cache Protocol10.6.1. Being an ICP Server10.6.1.1. The icp_hit_stale directive10.6.1.2. The ICP_MISS_NOFETCH feature10.6.1.3. The test_reachability directive10.6.2. Being an ICP Client10.6.2.1. cache_peer options for ICP clients10.6.2.2. ICP and netdb10.6.3. Multicast ICP10.6.3.1. Multicast ICP server10.6.3.2. Multicast ICP client10.6.3.3. Multicast ICP example10.7. Cache Digests10.7.1. Configuring Squid for Cache Digests10.8. Hypertext Caching Protocol10.8.1. Configuring Squid for HTCP10.9. Cache Array Routing Protocol10.9.1. Configuring Squid for CARP10.10. Putting It All Together10.10.1. Step 1: Determine Direct Options10.10.2. Step 2: Neighbor Selection Protocols10.10.3. Step 2a: ICP/HTCP Reply Processing10.10.4. Step 3: Secondary Parent Selection10.10.5. Retrying10.11. How Do I ...10.11.1. Send All Requests Through Another Proxy?10.11.2. Send All Requests Through Another Proxy Unless It’s Down?10.11.3. Make Sure Squid Doesn’t Use Neighbors for Some Requests?10.11.4. Send Some Requests Through a Parent to Bypass Local Filters?10.12. Exercises
11. Redirectors
11.1. The Redirector Interface11.1.1. Handling URIs That Contain Whitespace11.1.2. Generating HTTP Redirect Messages11.2. Some Sample Redirectors11.3. The Redirector Pool11.4. Configuring Squid11.4.1. redirect_program11.4.2. redirect_children11.4.3. redirect_rewrites_host_header11.4.4. redirector_access11.4.5. redirector_bypass11.5. Popular Redirectors11.5.1. Squirm11.5.2. Jesred11.5.3. squidGuard11.5.4. AdZapper11.6. Exercises
12. Authentication Helpers
12.1. Configuring Squid12.2. HTTP Basic Authentication12.2.1. NCSA12.2.2. LDAP12.2.3. MSNT12.2.4. Multi-domain-NTLM12.2.5. PAM12.2.6. SASL12.2.7. SMB12.2.8. YP12.2.9. getpwnam12.2.10. winbind12.2.11. The Basic Auth API12.3. HTTP Digest Authentication12.3.1. password12.3.2. Digest Authentication API12.4. Microsoft NTLM Authentication12.4.1. SMB12.4.2. winbind12.4.3. NTLM Authentication API12.5. External ACLs12.5.1. ip_user12.5.2. ldap_group12.5.3. unix_group12.5.4. wbinfo_group12.5.5. winbind_group12.5.6. Write Your Own12.6. Exercises
13. Log Files
13.1. cache.log13.1.1. Debugging Levels13.1.2. Forwarding cache.log Messages to the System Log13.1.3. Dumping cache.log Messages to Your Terminal13.2. access.log13.2.1. access.log Result Codes13.2.2. HTTP Response Status Codes13.2.3. access.log Peering Codes13.2.4. Configuration Directives That Affect access.log13.2.4.1. log_icp_queries13.2.4.2. emulate_httpd_log13.2.4.3. log_mime_hdrs13.2.4.4. log_fqdn13.2.4.5. ident_lookup_access13.2.4.6. log_ip_on_direct13.2.4.7. client_netmask13.2.4.8. strip_query_terms13.2.4.9. uri_whitespace13.2.4.10. buffered_logs13.2.5. access.log Analysis Tools13.3. store.log13.3.1. Mapping File Numbers to Pathnames13.4. referer.log13.5. useragent.log13.6. swap.state13.7. Rotating the Log Files13.8. Privacy and Security13.9. Exercises
14. Monitoring Squid
14.1. cache.log Warnings14.2. The Cache Manager14.2.1. Cache Manager Pages14.2.1.1. leaks: Memory Leak Tracking14.2.1.2. mem: Memory Utilization14.2.1.3. cbdata: Callback Data Registry Contents14.2.1.4. events: Event Queue14.2.1.5. squidaio_counts: Async IO Function Counters14.2.1.6. diskd: DISKD Stats14.2.1.7. config: Current Squid Configuration*14.2.1.8. comm_incoming: comm_incoming( ) Stats14.2.1.9. ipcache: IP Cache Stats and Contents14.2.1.10. fqdncache: FQDN Cache Stats and Contents14.2.1.11. idns: Internal DNS Statistics14.2.1.12. dns: Dnsserver Statistics14.2.1.13. redirector: URL Redirector Stats14.2.1.14. basicauthenticator: Basic User Authenticator Stats14.2.1.15. digestauthenticator: Digest User Authenticator Stats14.2.1.16. ntlmauthenticator: NTLM User Authenticator Stats14.2.1.17. external_acl: External ACL Stats14.2.1.18. http_headers: HTTP Header Statistics14.2.1.19. via_headers: Via Request Headers14.2.1.20. forw_headers: X-Forwarded-For Request Headers14.2.1.21. menu: This Cache Manager Menu14.2.1.22. shutdown: Shut Down the Squid Process*14.2.1.23. offline_toggle: Toggle offline_mode Setting*14.2.1.24. info: General Runtime Information14.2.1.25. filedescriptors: Process File Descriptor Allocation14.2.1.26. objects: All Cache Objects14.2.1.27. vm_objects: In-Memory and In-Transit Objects14.2.1.28. openfd_objects: Objects with Swapout Files Open14.2.1.29. io: Server-Side Network read( ) Size Histograms14.2.1.30. counters: Traffic and Resource Counters14.2.1.31. peer_select: Peer Selection Algorithms14.2.1.32. digest_stats: Cache Digest and ICP Blob14.2.1.33. 5min: 5 Minute Average of Counters14.2.1.34. 60min: 60 Minute Average of Counters14.2.1.35. utilization: Cache Utilization14.2.1.36. histograms: Full Histogram Counts14.2.1.37. active_requests: Client-Side Active Requests14.2.1.38. store_digest: Store Digest14.2.1.39. storedir: Store Directory Stats14.2.1.40. store_check_cachable_stats: storeCheckCachable( ) Stats14.2.1.41. store_io: Store IO Interface Stats14.2.1.42. pconn: Persistent Connection Utilization Histograms14.2.1.43. refresh: Refresh Algorithm Statistics14.2.1.44. delay: Delay Pool Levels14.2.1.45. forward: Request Forwarding Statistics14.2.1.46. client_list: Cache Client List14.2.1.47. netdb: Network Measurement Database14.2.1.48. asndb: AS Number Database14.2.1.49. carp: CARP Information14.2.1.50. server_list: Peer Cache Statistics14.2.1.51. non_peers: List of Unknown Sites Sending ICP messages14.2.2. Cache Manager Access Controls14.2.2.1. http_access14.2.2.2. cachemgr_passwd14.2.2.3. cachemgr.cgi14.2.3. Reasons to Dislike the Cache Manager14.2.4. Squid-RRD14.3. Using SNMP14.3.1. Using snmpwalk and snmpget14.3.2. The Squid MIB14.4. Exercises
15. Server Accelerator Mode
15.1. Overview15.2. Configuring Squid15.2.1. http_port15.2.2. https_port15.2.3. httpd_accel_host15.2.4. httpd_accel_port15.2.5. httpd_accel_uses_host_header15.2.6. httpd_accel_single_host15.2.7. httpd_accel_with_proxy15.3. Gee, That Was Confusing!15.3.1. One Box, One Server Name15.3.2. One Box, Many Server Names15.3.3. Many Boxes, One Server Name15.3.4. Many Boxes, Many Server Names15.4. Access Controls15.5. Content Negotiation15.6. Gotchas15.6.1. Logging15.6.2. Ignoring Reloads15.6.3. Uncachable Content15.6.4. Errors15.6.5. Purging Objects15.6.6. Neighbors15.7. Exercises
16. Debugging and Troubleshooting
16.1. Some Common Problems16.1.1. “Failed to make swap directory”16.1.2. “Address already in use”16.1.3. “Could not determine fully qualified hostname”16.1.4. “DNS name lookup tests failed”16.1.5. “Illegal character in hostname”16.1.6. “Running out of filedescriptors”16.1.7. “icmpRecv: Connection refused”16.1.8. Squid Becomes Slow After Running for Some Time16.1.9. Debugging Access Controls16.2. Debugging via cache.log16.3. Core Dumps, Assertions, and Stack Traces16.3.1. Can’t Find the Core File?16.4. Replicating Problems16.5. Reporting a Bug16.6. Exercises
A. Config File Reference
http_port
https_port
ssl_unclean_shutdown
icp_port
htcp_port
mcast_groups
udp_incoming_address
udp_outgoing_address
cache_peer
cache_peer_domain
neighbor_type_domain
icp_query_timeout
maximum_icp_query_timeout
mcast_icp_query_timeout
dead_peer_timeout
hierarchy_stoplist
no_cache
cache_access_log
cache_log
cache_store_log
cache_swap_log
emulate_httpd_log
log_ip_on_direct
cache_dir
cache_mem
cache_swap_low
cache_swap_high
maximum_object_size
minimum_object_size
maximum_object_size_in_memory
cache_replacement_policy
memory_replacement_policy
store_dir_select_algorithm
mime_table
ipcache_size
ipcache_low
ipcache_high
fqdncache_size
log_mime_hdrs
useragent_log
referer_log
pid_filename
debug_options
log_fqdn
client_netmask
ftp_user
ftp_list_width
ftp_passive
ftp_sanitycheck
cache_dns_program
dns_children
dns_retransmit_interval
dns_timeout
dns_defnames
dns_nameservers
hosts_file
diskd_program
unlinkd_program
pinger_program
redirect_program
redirect_children
redirect_rewrites_host_header
redirector_access
redirector_bypass
auth_param
authenticate_ttl
authenticate_cache_garbage_interval
authenticate_ip_ttl
external_acl_type
wais_relay_host
wais_relay_port
request_header_max_size
request_body_max_size
refresh_pattern
quick_abort_min
quick_abort_max
quick_abort_pct
negative_ttl
positive_dns_ttl
negative_dns_ttl
range_offset_limit
connect_timeout
peer_connect_timeout
read_timeout
request_timeout
persistent_request_timeout
client_lifetime
half_closed_clients
pconn_timeout
ident_timeout
shutdown_lifetime
acl
http_access
http_reply_access
icp_access
miss_access
cache_peer_access
ident_lookup_access
tcp_outgoing_tos
tcp_outgoing_address
reply_body_max_size
cache_mgr
cache_effective_user
cache_effective_group
visible_hostname
unique_hostname
hostname_aliases
announce_period
announce_host
announce_file
announce_port
httpd_accel_host
httpd_accel_port
httpd_accel_single_host
httpd_accel_with_proxy
httpd_accel_uses_host_header
dns_testnames
logfile_rotate
append_domain
tcp_recv_bufsize
err_html_text
deny_info
memory_pools
memory_pools_limit
forwarded_for
log_icp_queries
icp_hit_stale
minimum_direct_hops
minimum_direct_rtt
cachemgr_passwd
store_avg_object_size
store_objects_per_bucket
client_db
netdb_low
netdb_high
netdb_ping_period
query_icmp
test_reachability
buffered_logs
reload_into_ims
always_direct
never_direct
header_access
header_replace
icon_directory
error_directory
maximum_single_addr_tries
snmp_port
snmp_access
snmp_incoming_address
snmp_outgoing_address
as_whois_server
wccp_router
wccp_version
wccp_incoming_address
wccp_outgoing_address
delay_pools
delay_class
delay_access
delay_parameters
delay_initial_bucket_level
incoming_icp_average
incoming_http_average
incoming_dns_average
min_icp_poll_cnt
min_dns_poll_cnt
min_http_poll_cnt
max_open_disk_fds
offline_mode
uri_whitespace
broken_posts
mcast_miss_addr
mcast_miss_ttl
mcast_miss_port
mcast_miss_encode_key
nonhierarchical_direct
prefer_direct
strip_query_terms
coredump_dir
ignore_unknown_nameservers
digest_generation
digest_bits_per_entry
digest_rebuild_period
digest_rewrite_period
digest_swapout_chunk_size
digest_rebuild_chunk_percentage
chroot
client_persistent_connections
server_persistent_connections
pipeline_prefetch
extension_methods
request_entities
high_response_time_warning
high_page_fault_warning
high_memory_warning
ie_refresh
vary_ignore_expire
sleep_after_fork
B. The Memory Cache
C. Delay Pools
C.1. OverviewC.2. Configuring SquidC.2.1. delay_poolsC.2.2. delay_classC.2.3. delay_parametersC.2.4. delay_initial_bucket_levelC.2.5. delay_accessC.2.6. cache_peer no-delay OptionC.3. ExamplesC.4. IssuesC.4.1. FairnessC.4.2. Application Versus Transport LayerC.4.3. Fixed Subnetting SchemeC.5. Monitoring Delay Pools
D. Filesystem Performance Benchmarks
D.1. The Benchmark EnvironmentD.1.1. Hardware for SquidD.1.2. Squid Version and ConfigurationD.1.3. Web Polygraph WorkloadD.2. General CommentsD.3. LinuxD.4. FreeBSDD.5. OpenBSDD.6. NetBSDD.7. SolarisD.8. Number of Disk Spindles
E. Squid on Windows
E.1. CygwinE.1.1. Installing CygwinE.1.2. The Squid PackageE.1.3. Compiling SquidE.1.4. Configuring and RunningE.2. SquidNT
F. Configuring Squid Clients
F.1. ManuallyF.1.1. Netscape/MozillaF.1.2. ExplorerF.1.3. KonquerorF.1.4. OperaF.1.5. LynxF.1.6. Environment VariablesF.2. Proxy Auto-ConfigurationF.3. WPADF.4. Summary
About the Author
Colophon
Copyright

Content preview from Squid: The Definitive Guide

Name

deny_info

Synopsis

This directive allows you to show specific error messages to users when a request matches certain ACL elements. This is more informative than sending a generic “access denied” error message, as happens by default.

When Squid checks its access control rules to see whether or not a particular request is allowed or denied, it remembers the ACL element that causes the search to terminate. You can use these ACL element names in a deny_info line to correlate error messages with a specific request characteristic. Consider, for example, this configuration:

acl Unsafe_Ports 7 9 19 22 23 25 53 109 110 119
...
http_access deny Unsafe_Ports
...
deny_info ERR_PORT_IS_UNSAFE Unsafe_Ports

When a user makes a request to an origin server on one of the ports listed in the Unsafe_Ports ACL, Squid denies the request. Furthermore, Squid generates an error message from the ERR_PORT_IS_UNSAFE file, found in the error_directory directory.

Alternatively, you can specify a URI instead of an error message template. In this case, Squid sends an HTTP 302 (Moved Temporarily) redirect to the given URI.

Finally, if you specify TCP_RESET as the error message template, Squid closes the client’s connection in a way that generates a TCP reset.

Syntax	deny_info `error-page-name`\|`URI` `acl-name`
Default	No default
Example	deny_info ERR_PORT_IS_UNSAFE Unsafe_Ports
Related	error_directory, acl

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 0596001622Errata Page

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Squid: The Definitive Guide

by Duane Wessels

Name

Synopsis

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

More than 5,000 organizations count on O’Reilly

Julian F.

Addison B.

Amir M.

Mark W.

You might also like

HTTP: The Definitive Guide

Kerberos: The Definitive Guide

gRPC: Up and Running

TCP/IP Guide

Publisher Resources