Squid as a transparent web cache on FreeBSD
This is a brief guide to installing Squid and configuring it to work as a transparent web cache.
This is a working configuration that has been used in production, but the individual steps are not explained.
The FreeBSD kernel is recompiled to activate the ipf firewall, and Squid is compiled with ipf support.
A router has to be configured to redirect web traffic (TCP port 80) to port 80 on the Squid box.
The steps to configure the router are not included.
# Modify /etc/rc.conf
echo '# IPFILTER enabled' >> /etc/rc.conf
echo 'ipfilter_enable="YES"' >> /etc/rc.conf
echo 'ipfilter_program="/sbin/ipf"' >> /etc/rc.conf
echo 'ipfilter_rules="/etc/ipf.rules"' >> /etc/rc.conf
echo 'ipfilter_flags=""' >> /etc/rc.conf
echo '# IPNAT enabled' >> /etc/rc.conf
echo 'ipnat_enable="YES"' >> /etc/rc.conf
# ipmon (log reader) and ipfs (state save/restore) take YES/NO, not a program path
echo 'ipmon_enable="YES"' >> /etc/rc.conf
echo 'ipfs_enable="YES"' >> /etc/rc.conf

# ipfilter rules for transparent cache (change fxp0 to whatever NIC you use)
echo '## Allow ALL , loopback' > /etc/ipf.rules
echo 'pass in on lo0 all' >> /etc/ipf.rules
echo 'pass out on lo0 all' >> /etc/ipf.rules
echo '## Allow ALL, fxp0' >> /etc/ipf.rules
echo 'pass in on fxp0 all' >> /etc/ipf.rules
echo 'pass out on fxp0 all' >> /etc/ipf.rules

# ipnat rule for transparent cache (change fxp0 to whatever NIC you use)
echo '## Redirect incoming TCP traffic port 80 on fxp0 to port 3128 (Squid)' > /etc/ipnat.rules
echo 'rdr fxp0 0/0 port 80 -> 127.0.0.1 port 3128 tcp' >> /etc/ipnat.rules

# Recompile kernel with ipfilter support, increase the NMBCLUSTERS parameter
cd /sys/i386/conf
cp GENERIC IPFILTER
echo 'options         IPFILTER                #ipfilter support' >> IPFILTER
echo 'options         IPFILTER_LOG            #ipfilter logging' >> IPFILTER
echo 'options         NMBCLUSTERS=32768       #set max mbufs, check with netstat -m' >> IPFILTER
/usr/sbin/config IPFILTER
cd ../../compile/IPFILTER
make depend
make
make install
reboot

# Squid as transparent cache

# Build
gunzip -c squid-2.5.STABLE6.tar.gz |tar -xf -
cd squid-2*
env CPPFLAGS="-I/usr/src/sys/contrib/ipfilter/netinet" ./configure --prefix=/usr/local/squid --enable-ipf-transparent
# To build with WCCP support, use this configure line instead of the one above:
env CPPFLAGS="-I/usr/src/sys/contrib/ipfilter/netinet" ./configure --prefix=/usr/local/squid --enable-ipf-transparent --enable-wccp

make all
make install

# Configure /usr/local/squid/etc/squid.conf:
http_port 3128
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

# Cache dir size (45000 = 45 GB in this example, don't use more than half the partition size) 
cache_dir ufs /usr/local/squid/var/cache 45000 16 256
# Memory used for in-transit and hot objects (not a per-object limit)
cache_mem 64 MB
# Max object size on disk
maximum_object_size 200000 KB
# Max object size kept in memory
maximum_object_size_in_memory 128 KB

# Disable store.log
cache_store_log none

# The following line requires WCCP on your router redirecting the web traffic to Squid
wccp_router YOUR.ROUTER.IP.HERE

# Startup script
cp squid.sh /usr/local/etc/rc.d/squid.sh
chmod 755 /usr/local/etc/rc.d/squid.sh

# Log file permissions
chown -R nobody:nobody /usr/local/squid/var/logs

# Create cache
mkdir /usr/local/squid/var/cache
chown -R nobody:nobody /usr/local/squid/var/cache
/usr/local/squid/sbin/squid -z

# If you get the following error:
#   FATAL: Could not determine fully qualified hostname.  Please set 'visible_hostname'
# then edit squid.conf:
visible_hostname squid.YOURDOMAINHERE.com


# Start Squid
/usr/local/etc/rc.d/squid.sh start

# Web tools
- Install Apache, configure to run on port 8080
- Install rrdtool from ports, /usr/ports/net/rrdtool
- Install webalizer from ports, /usr/ports/www/webalizer, configure to use squid.conf and incremental log

# Cron jobs
# Run webalizer only at a quarter to midnight, because running it during the day affects the traffic
45 23 * * * /usr/local/bin/webalizer
# Rotate squid log file at 0:00 AM (midnight)
0 0 * * * /usr/local/squid/sbin/squid -k rotate
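
The 'pass in on fxp0 all' rules in the ipf.rules step leave every port on the cache box reachable from any source, including Squid on port 3128. As an added example (not part of the original guide), this generator prints a ruleset that admits intercepted web traffic only from the client network. The interface, the networks and the SSH rule are assumptions, and WCCP/GRE traffic is not covered.

```shell
#!/bin/sh
# Added example: emit a restricted ipf ruleset for the transparent-cache box.
# Assumed inputs (not from the original page): NIC, client network, admin host.

# Succeed only for a dotted-quad IPv4 address with an optional /0-32 mask.
valid_cidr() {
    addr=${1%/*}
    mask=32
    case $1 in */*) mask=${1#*/} ;; esac
    case $mask in ''|???*|*[!0-9]*) return 1 ;; esac
    [ "$mask" -le 32 ] || return 1
    case $addr in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# Print the rules; refuse input that could inject extra rule text.
gen_ipf_rules() {
    nic=$1 clients=$2 admin=$3
    case $nic in ''|*[!a-z0-9]*) echo "bad interface: $nic" >&2; return 1 ;; esac
    valid_cidr "$clients" || { echo "bad client network: $clients" >&2; return 1; }
    valid_cidr "$admin" || { echo "bad admin host: $admin" >&2; return 1; }
    cat <<EOF
## Loopback: allow everything
pass in quick on lo0 all
pass out quick on lo0 all
## The cache itself may reach origin servers and DNS; replies match state
pass out quick on $nic proto tcp from any to any flags S keep state
pass out quick on $nic proto udp from any to any keep state
## ipnat's rdr is applied before ipf on input, so intercepted requests
## arrive here already addressed to 127.0.0.1 port 3128: clients only
pass in quick on $nic proto tcp from $clients to 127.0.0.1 port = 3128 flags S keep state
## SSH for administration from one host
pass in quick on $nic proto tcp from $admin to any port = 22 flags S keep state
## Everything else inbound is dropped and logged (view with ipmon)
block in log on $nic all
EOF
}

# Constructed sample values; review the output before loading it:
#   gen_ipf_rules fxp0 192.0.2.0/24 192.0.2.10 > /etc/ipf.rules
#   ipf -Fa -f /etc/ipf.rules
```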

More about Squid at:
http://www.squid-cache.org
More about transparent caching, also known as interception caching:
http://wiki.squid-cache.org/SquidFaq/InterceptionProxy


Last modified: Fri Aug 24 10:49:27 Romance Daylight Time 2007