Jan. 6, 2009, 10:01 a.m.
posted by void
Build a Caching Proxy Server
If you have multiple computers on your network, you can save bandwidth and improve browser performance with a local proxy server. A proxy server sits on your network; intercepts requests for HTML files, CSS files, and images; and keeps a local copy handy in case another user wants to access the same file. If multiple users visit the same site, a proxy server will save bandwidth by not downloading everything to your local network for each user individually, and performance will be improved because objects will come from the local network instead of the Internet. The Squid Web Proxy Cache (http://www.squid-cache.org) is a full-featured proxy cache for Linux and Unix.

Basic Squid Setup

Install the Squid caching proxy:

$ sudo apt-get install squid
The installation process will automatically create a directory structure in /var/spool/squid where downloaded objects will be stored. Old objects will be cleaned out automatically, but if you run a busy proxy server, it can still use up a lot of disk space, so make sure you have plenty of room available.

Squid's default configuration file, /etc/squid/squid.conf, is one of the longest and most verbosely commented in the entire history of software: over 3,000 lines, with an extensive explanation for every possible config option. It's easy to get lost in it, so, to get started, here are some basic options you need to look for.

Around line 1,890 are some options that trip up most first-time Squid administrators. Squid implements ACLs (Access Control Lists) to determine who is allowed to connect through the proxy. By default, the only system allowed to connect is localhost:

#acl our_networks src 192.168.1.0/24 192.168.2.0/24
#http_access allow our_networks
http_access allow localhost

To allow machines on your network to connect, you need to uncomment and edit the our_networks definition to include the IP address range of your local network, and uncomment the line that permits the our_networks ACL to use the proxy. The end result will probably be something like this:

acl our_networks src 192.168.0.0/24
http_access allow our_networks
http_access allow localhost

Then go to approximately line 53 to find the http_port option:

# http_port 3128

This option specifies the port that Squid will listen on. 3128 is a good default, but some proxies run on port 8080 or even port 80, so you may prefer to change the value and uncomment it. Once you are satisfied with your changes, restart Squid:

$ sudo /etc/init.d/squid restart
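To see what those ACL lines actually decide, here is an added Python model of Squid's http_access evaluation (my code, not Squid's or the post's). It assumes the stock file's all and localhost definitions and models only src ACLs, and it checks the mistake worth watching for: an allow rule on all, or a src range wider than your LAN, ahead of the final deny turns the box into an open proxy that any Internet host can relay through.

```python
import ipaddress

# Constructed squid.conf fragments. STOCK keeps the our_networks lines commented
# out as shipped; EDITED is the end result the text describes. The "all" and
# "localhost" ACLs are assumed to match the stock file's own definitions.
STOCK = """
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
#acl our_networks src 192.168.1.0/24 192.168.2.0/24
#http_access allow our_networks
http_access allow localhost
http_access deny all
"""
EDITED = STOCK.replace("#acl our_networks src 192.168.1.0/24 192.168.2.0/24",
                       "acl our_networks src 192.168.0.0/24"
                       ).replace("#http_access", "http_access")
# The mistake that makes an open proxy: "all" allowed before the final deny.
OPEN = STOCK.replace("http_access allow localhost",
                     "http_access allow all\nhttp_access allow localhost")

def parse_conf(text):
    """Collect src ACLs and http_access rules. '#' starts a comment, so a
    commented-out acl or http_access line contributes nothing (assumption:
    only src ACLs are modelled, no '!' negation)."""
    acls, rules = {}, []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 4 and parts[0] == "acl" and parts[2] == "src":
            acls.setdefault(parts[1], []).extend(
                ipaddress.ip_network(n, strict=False) for n in parts[3:])
        elif len(parts) >= 3 and parts[0] == "http_access":
            rules.append((parts[1] == "allow", parts[2:]))
    return acls, rules

def client_allowed(conf_text, client_ip):
    """Squid's http_access semantics: rules are tested in order and the first
    rule whose ACLs all match decides; if none matches, the result is the
    opposite of the last rule's action."""
    acls, rules = parse_conf(conf_text)
    ip = ipaddress.ip_address(client_ip)
    for allow, names in rules:
        if all(any(ip in net for net in acls.get(name, [])) for name in names):
            return allow
    return not rules[-1][0] if rules else False

def is_open_proxy(conf_text):
    """True if a client outside the LAN would be let through (203.0.113.5 is a
    documentation address standing in for 'somewhere on the Internet')."""
    return client_allowed(conf_text, "203.0.113.5")
```

Run is_open_proxy against your real squid.conf after every ACL change; the stock file denies the LAN because the our_networks lines are comments, not because of anything the localhost rule does.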
Restarting Squid can take a while on an active proxy because it waits for existing connections from clients to close cleanly before restarting. You can test your proxy by manually updating your Firefox configuration to connect through it. In Firefox, go to Edit Browser proxy settings
To see the activity passing through the proxy, put a tail on the Squid logfile and then try accessing a web site. Squid stores its access logs in /var/log/squid, so run:

$ sudo tail -f /var/log/squid/access.log
to have tail "follow" the end of the logfile. If the web page loads normally and you also see entries appear in the logfile, then congratulations, Squid is working!

Proxy Traffic Reports

The popular web-server-analysis program Webalizer can read Squid logfiles natively. Install Webalizer:

$ sudo apt-get install webalizer
Then use your favorite text editor to open /etc/webalizer.conf, and look around line 36 for an entry like this:

LogFile /var/log/apache/access.log.0

Change it to reference Squid's rotated logfile:

LogFile /var/log/squid/access.log.0

Around line 42, you will see the option to set the directory where the report will be created. If you have a default Apache installation on your proxy server, you shouldn't need to change the default setting, but if your web document root is in an alternative location or you already have a report being generated for your web server, you may need to change it:

OutputDir /var/www/webalizer

If you've only just installed and tested Squid, you probably won't have a rotated logfile yet, so manually rotate the file:

$ sudo /etc/init.d/squid stop
The output directory is not created automatically, so you'll need to do it manually:

$ sudo mkdir /var/www/webalizer
Now run Webalizer:

$ sudo webalizer
When it's finished, you'll find a bunch of files in /var/www/webalizer, and you should be able to view the report by pointing your browser at http://yourcache.example.com/webalizer/.

Peering Proxies

If your ISP provides a proxy, you can chain it together with your Squid proxy. Your local clients will connect to your proxy, which in turn will use your ISP's proxy. In the Squid configuration file, go to about line 190 and add a line similar to:

cache_peer cache.example.com parent 3128 0 no-query

where cache.example.com is the address of your ISP's cache. The parent setting tells your proxy to treat this as an upstream source rather than a local peer. You may need to change the 3128 setting if your ISP uses a different proxy port. The 0 and no-query values tell your proxy not to use ICP (Internet Cache Protocol) to communicate with the cache. ICP is a protocol typically used when multiple proxies run in parallel as a load-sharing group, and allows them to communicate cache state to each other very rapidly. Restart Squid, put a tail on the logfile again, and try accessing a popular site. If the upstream proxy already had some of the items in its cache, you should see this reported as PARENT_HIT in your proxy log.
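As an added example (not from the post, Squid or Webalizer), here is a small Python reader for Squid's native access.log that produces the numbers behind the claims above: hit ratio, bytes served from the local cache versus fetched, the latency gap between hits and misses, and which hierarchy codes (NONE, DIRECT, PARENT_HIT) appear once a parent is configured. The log lines are constructed; 198.51.100.7 and cache.example.com are placeholders for an origin server and an ISP parent.

```python
from collections import Counter

# Constructed access.log lines in Squid's native format: timestamp, elapsed ms,
# client, cachecode/status, bytes, method, URL, ident, hierarchy/peer, MIME type.
SAMPLE_LOG = """\
1231236060.123    245 192.168.0.10 TCP_MISS/200 5123 GET http://www.example.com/index.html - DIRECT/198.51.100.7 text/html
1231236065.456     12 192.168.0.11 TCP_HIT/200 5123 GET http://www.example.com/index.html - NONE/- text/html
1231236070.789    180 192.168.0.10 TCP_MISS/200 20480 GET http://www.example.com/logo.png - PARENT_HIT/cache.example.com image/png
1231236075.012      9 192.168.0.12 TCP_MEM_HIT/200 20480 GET http://www.example.com/logo.png - NONE/- image/png
1231236080.345    300 192.168.0.11 TCP_MISS/404 412 GET http://www.example.com/missing.css - DIRECT/198.51.100.7 text/html
"""

def parse_line(line):
    """Split one native-format line into the fields the summary needs."""
    f = line.split()
    if len(f) < 10 or "/" not in f[3] or "/" not in f[8]:
        return None                      # blank, truncated or foreign-format line
    code, status = f[3].split("/", 1)
    hier, peer = f[8].split("/", 1)
    return {"elapsed_ms": int(f[1]), "client": f[2], "code": code,
            "status": int(status), "bytes": int(f[4]), "url": f[6],
            "hier": hier, "peer": peer}

def summarize(log_text):
    """Cache effectiveness: requests and bytes answered from the local cache,
    how the rest were fetched (direct or via a parent), and the latency gap."""
    s = {"requests": 0, "local_hits": 0, "bytes_from_cache": 0,
         "bytes_fetched": 0, "hierarchy": Counter(), "peers": Counter()}
    hit_ms, miss_ms = [], []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s["requests"] += 1
        if "HIT" in rec["code"]:         # TCP_HIT, TCP_MEM_HIT, ...: body came from disk/RAM
            s["local_hits"] += 1
            s["bytes_from_cache"] += rec["bytes"]
            hit_ms.append(rec["elapsed_ms"])
        else:                            # TCP_MISS and friends went out to the network
            s["bytes_fetched"] += rec["bytes"]
            miss_ms.append(rec["elapsed_ms"])
        s["hierarchy"][rec["hier"]] += 1  # NONE = served locally; DIRECT; PARENT_HIT ...
        if rec["hier"] != "NONE":
            s["peers"][rec["peer"]] += 1
    s["hit_ratio"] = s["local_hits"] / s["requests"] if s["requests"] else 0.0
    s["avg_hit_ms"] = sum(hit_ms) / len(hit_ms) if hit_ms else 0.0
    s["avg_miss_ms"] = sum(miss_ms) / len(miss_ms) if miss_ms else 0.0
    return s

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Point it at /var/log/squid/access.log (or the rotated .0 file Webalizer reads) to get the same hit/miss picture without waiting for the nightly report; a peers entry for cache.example.com confirms the parent is actually being used.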