GIT – This document will describe how to get a Squid up and running for your LAN using FreeBSD and Squid. The info on the configuration is by no means comprehensive.

There is a lot that you might need to do differently, but I am running pretty much the same installation for around 100 users and it has served me very well so far in my situation. Also, I am not going into detail configuring the manager here. Just plain Squid Proxy Caching for your LAN.


A freshly installed FreeBSD 6.1 RELEASE system.

Updated ports tree.

Your favorite text editor.


When installing the FreeBSD OS for use with Squid, I have used a partition layout like below:

512M /

512M /tmp

1024M swap

5G /var

15G /usr

~58G /squidcache

It would be better to run the cache off an extra . It would be better to run it off a super high speed . It would be even better to run the cache off multiple configured fast SCSI disks. All this would really add performance, but I had to work with what I had.

# cd /usr/ports/www/squid

# make install clean

When installing Squid it will ask you to check a few options — I checked SQUID_LARGEFILE additionally to what was checked by default. I assume Squid is going to build and install correctly here.


# cd /usr/local/etc/squid/

# echo ‘squid_enable=”YES”‘ >> /etc/rc.conf

Note: If there is no squid.conf file, copy ot over from the .default file

# cp squid.conf.default squid.conf

Now we need to configure the squid.conf file to suit our needs. That file is really massive and a lot of configuration can be done. Personally, I am living with just a few entries.

Open /usr/local/etc/squid/squid.conf as and make sure that your config file contains these entries:


http_port 3128

hierarchy_stoplist cgi-bin ?

acl QUERY urlpath_regex cgi-bin ?

no_cache deny QUERY

cache_mem 8 MB

maximum_object_size 50960 KB

maximum_object_size_in_memory 16 KB

cache_dir diskd /squidcache/squid/cache 80000 16 256

cache_access_log /var/log/squid/access.log

cache_log none

cache_store_log none

pid_filename /var/run/

hosts_file /etc/hosts

auth_param children 5

auth_param basic realm Squid proxy-caching web server

auth_param basic credentialsttl 2 hours

auth_param basic casesensitive off

refresh_pattern ^: 1440 20% 10080

refresh_pattern ^gopher: 1440 0% 1440

refresh_pattern . 0 20% 10080

acl all src

acl manager proto cache_object

acl localhost src

acl to_localhost dst

acl SSL_ports port 443 563

acl Safe_ports port 80 # http

acl Safe_ports port 8080 #also http

acl Safe_ports port 21 # ftp

acl Safe_ports port 443 563 # https, snews

acl Safe_ports port 70 # gopher

acl Safe_ports port 210 # wais

acl Safe_ports port 1025-65535 # unregistered ports

acl Safe_ports port 280 # http-mgmt

acl Safe_ports port 488 # gss-http

acl Safe_ports port 591 # filemaker

acl Safe_ports port 777 # multiling http


acl blacklist dstdomain “/usr/local/etc/squid/blacklist.txt”

http_access deny blacklist

http_access allow manager

http_access deny !Safe_ports

http_access deny CONNECT !SSL_ports

#change below to what matches your LAN address space

acl our_networks src

http_access allow our_networks

http_access allow localhost

http_access deny all

http_reply_access allow all

icp_access allow all

cache_mgr [email protected]

cache_effective_user squid


cachemgr_passwd secret all

coredump_dir /squidcache/coredump


At this point, save the changes you made to the squid.conf file. Then, create the directories we have defined in our squid.conf file

# mkdir /squidcache/squid

# mkdir /squidcache/coredump/

# mkdir /squidcache/coredump/cache

# mkdir /var/log/squid

# touch /usr/local/etc/squid/blacklist.txt

# touch /var/run/

# echo ‘’ >> /usr/local/etc/squid/blacklist.txt

# chown -R squid:squid /usr/local/etc/squid/blacklist.txt

# chown -R squid:squid /var/log/squid

# chown -R squid:squid /var/run/

# chown -R squid:squid /squidcache

# squid -z #needed once to create the cache directories

# reboot #to reboot the machine

If everything has started up the way it should, you should now be able to point any browser (from within your LAN) to, and surf away. You can take a peek at the access.log file by opening a second terminal and running the following as root:

# tail -f /var/log/squid/access.log

Note: Remember you set hosts_file /etc/hosts in the squid.conf file? Go and read this and fill your /etc/hosts with all types of ad-ware and spam-ware sites pointing to localhost. This will really save some bandwidth as squid will block all kinds of bad stuff for your Users.

We also setup a simple acl entry to deny access to domains listed in /usr/local/squid/blacklist.txt. The blacklist.txt file takes one domain per line. After adding a domain to that file such as, everybody will be denied access to Of course you can get way more complicated than that, but for me it was enough until now. I used to use a redirector called squid guard for a while, but it seems that project is no longer maintained and it’s successor is commercial software. You can test the acl entry by trying to point your browser to You should get an access denied message from squid as we added into the blacklist.txt file. After making changes to any configuration file, you must make squid reread its config files using

# squid -k reconfigure

One last thing: After a few months of using the above installation, one morning I found squid core dumping on me under heavy load. I saw numerous entries in dmesg like the following:

Aug 25 10:14:02 hugin kernel: pid 672 (squid), uid 100: exited on signal 6 (core dumped)

Aug 25 10:14:02 hugin squid[438]: Squid Parent: child process 672 exited due to signal 6

I added the following entries to /boot/loader.conf to correct the problem:






After adding those, reboot the server, and everything should be just fine even under more heavy loads.

By now you should have a fully functional proxy server. It is kind of cool to know what it is doing, so I installed Apache and Webalizer as well.

Print Friendly, PDF & Email



Bài viết liên quan