UCSD Frontier Squid Configuration
Introduction
In order to support the CMS and other VO requirements for a Frontier (squid web cache) installation at our T2 site we have deployed a dedicated squid server and configured it according to the recommendations of the Frontier developers. The following document outlines the UCSD customizations to an existing RHEL4 squid installation.
As of this writing, the most recent squid package for RHEL4 (CentOS 4.x) was squid-2.5.STABLE6-3.4E.12.
Installation
Installation of the system squid was done using the yum tool, which pulled the latest squid package from the CentOS Updates repository.
yum -y install squid
Configuration
To configure the squid cache, the system squid.conf was edited. Here is a redacted version of the resulting configuration. All of the original comments have been removed, and comments were re-added where changes were made from the defaults. See the package default configuration that comes with the squid RPM for the original.
# Disable connection from or to other caches
icp_port 0
# Allow caching of pages with ? in the URL
hierarchy_stoplist cgi-bin
acl QUERY urlpath_regex cgi-bin
no_cache deny QUERY
# Increase the cache memory footprint
cache_mem 512 MB
# Increase the object sizes and the squid cache directory to be
# in line with the requirements of Frontier and caching database objects
maximum_object_size 1048576 KB
maximum_object_size_in_memory 8192 KB
# I changed this from the default to take advantage of a larger file system
cache_dir ufs /data/squid 40960 16 256
# These should be default
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
# Left at defaults
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
# Definitions of ACL lists for access to the squid cache as well as
# access to the SNMP agent.
# Additional SNMP agent access is controlled by firewalls
acl NET_LOCAL src 192.168.0.0/255.255.0.0 127.0.0.1/255.255.255.255
acl HOST_MONITOR src 131.225.209.5/255.255.255.255 131.225.84.252/255.255.255.255 127.0.0.1/255.255.255.255 192.168.0.0/255.255.0.0 137.110.141.0/255.255.255.128
acl snmppublic snmp_community public
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# Application of the ACLs to control access.
# i.e. above the ACLs are defined, here access is applied
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow NET_LOCAL
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow all
# SNMP port to listen to and access rule
snmp_port 3401
snmp_access allow snmppublic HOST_MONITOR
snmp_access deny all
# Default settings
strip_query_terms off
coredump_dir /var/spool/squid
- In the above config the networks 192.168.0.0/255.255.0.0 and 137.110.141.0/255.255.255.128 are specific to UCSD
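The http_access lines above are evaluated in order: a rule fires only when every ACL on it matches (a leading ! negates), the first firing rule decides, and if nothing matches squid applies the opposite of the last rule, which is why the trailing "deny all" matters. The following Python evaluator is an added example, not part of the original page or of squid; it models only the src, port and method ACL types and embeds a constructed subset of the configuration shown above (the manager and SNMP lines are omitted) so that the effect of the rule ordering can be checked offline.

```python
import ipaddress
# Constructed subset of the http_access-relevant lines of the squid.conf above (manager/SNMP lines omitted).
CONF = """
acl NET_LOCAL src 192.168.0.0/255.255.0.0 127.0.0.1/255.255.255.255
acl all src 0.0.0.0/0.0.0.0
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 1025-65535 # unregistered ports
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow NET_LOCAL
http_access deny all
"""

def parse(conf):
    """Collect acl definitions (repeated names accumulate) and http_access rules in file order."""
    acls, rules = {}, []
    for line in conf.splitlines():
        words = line.split("#", 1)[0].split()  # drop trailing comment
        if not words:
            continue
        if words[0] == "acl":
            acls.setdefault(words[1], (words[2], []))[1].extend(words[3:])
        elif words[0] == "http_access":
            rules.append((words[1] == "allow", words[2:]))
    return acls, rules

def acl_matches(acls, name, req):
    """Evaluate one src/port/method ACL against a request dict."""
    kind, values = acls[name]
    if kind == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "port":  # values are single ports or lo-hi ranges
        return any(int(lo) <= req["port"] <= int(hi or lo)
                   for lo, _, hi in (v.partition("-") for v in values))
    if kind == "method":
        return req["method"] in values
    return False  # ACL types not modelled here (proto, snmp_community, ...)

def http_access(conf, src, port, method="GET"):
    """First rule whose terms all match wins ('!' negates); no match -> opposite of last rule."""
    acls, rules = parse(conf)
    req = {"src": src, "port": port, "method": method}
    for allow, terms in rules:
        if all(acl_matches(acls, t.lstrip("!"), req) != t.startswith("!") for t in terms):
            return allow
    return not rules[-1][0]
```

Note that a host in the HOST_MONITOR range (137.110.141.0/25) is denied cache access by this policy; that ACL is only used for SNMP.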
Log Rotation
Log rotation is integrated into the standard system squid package. To customize log rotation, edit the file /etc/logrotate.d/squid.
By using the system-level log rotation you can let squid continue to perform its own logging without running into problems when its logs grow too large. You can also customize how long a history of squid logs is kept and whether or not archived logs should be compressed.
Firewall and Monitoring
The Frontier group can monitor the SNMP agent within squid from their main page at http://cdfdbfrontier4.fnal.gov:8888/indexcms.
The following firewall rule modifications were made to the existing iptables configuration in /etc/sysconfig/iptables.
# SNMP for Frontier Squid
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp -s 131.225.209.5 --dport 3401 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp -s 131.225.84.252 --dport 3401 -j ACCEPT
# End squid
These lines should be added before the following lines, since iptables rules are applied in order and the REJECT rule would otherwise drop the SNMP traffic:
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
Testing the firewall rules and the SNMP Agent
You may wish to add a rule for a local system so that you can test the SNMP agent yourself with snmpwalk.
~# snmpwalk -v1 -c public clarens-1.t2.ucsd.edu:3401 .1.3.6.1.4.1.3495
snmpwalk is provided by the standard package net-snmp-utils-5.1.2-11.EL4.7:
yum -y install net-snmp*
Authors
TerrenceMartin - 01 Nov 2006