81 lines
3.2 KiB
Plaintext
81 lines
3.2 KiB
Plaintext
$OpenBSD: README-main,v 1.7 2015/09/10 13:00:10 sthen Exp $
|
|
|
|
+-----------------------------------------------------------------------
|
|
| Running ${FULLPKGNAME} on OpenBSD
|
|
+-----------------------------------------------------------------------
|
|
|
|
General configuration
|
|
=====================
|
|
The sample configuration in ${SYSCONFDIR}/squid.conf is a simple version
|
|
with only the most essential options. By default, only RAM-based cache is
|
|
used, un-comment the cache_dir line to enable a persistent disk cache
|
|
("swap"); this is normally kept in ${LOCALSTATEDIR}/cache and must be
|
|
initialized with "squid -z" before starting the daemon. If you need to
|
|
place it elsewhere, create the directory and make sure it is owned and
|
|
writable by user _squid, group _squid.
|
|
|
|
Logs are stored in ${LOCALSTATEDIR}/logs; access logs on a busy cache will
|
|
grow rapidly so rotate them as necessary (use "squid -k rotate").
|
|
|
|
See ${TRUEPREFIX}/share/examples/squid/squid.conf.documented for a complete
|
|
annotated file, similar to the standard squid.conf in previous versions
|
|
of Squid, however in many cases the defaults will suffice.
|
|
|
|
The HTML error pages can be easily themed by editing the style-sheet in
|
|
${SYSCONFDIR}/errorpage.css.
|
|
|
|
System resource limits
|
|
======================
|
|
The default system resource limits for file-descriptors are insufficient
|
|
for a moderately busy proxy. It may also be necessary to increase the
|
|
memory limits. You can add a service-specific class to /etc/login.conf:
|
|
|
|
squid:\
|
|
:datasize=1500M:\
|
|
:openfiles=4096:\
|
|
:tc=daemon:
|
|
|
|
When started by rc.d(8) (i.e. via pkg_scripts in rc.conf.local or from
|
|
"${RCDIR}/squid start") the appropriately-named login class is used
|
|
automatically.
|
|
|
|
If you are using /etc/login.conf.db (not usually recommended) then be
|
|
sure to rebuild it.
|
|
|
|
There is also a kernel limit on the number of open file descriptors,
|
|
sysctl kern.maxfiles. In some circumstances you may also need to raise
|
|
this; if this is required, pay particular attention to testing and
|
|
monitoring your system.
|
|
|
|
Interception Proxying with PF
|
|
=============================
|
|
To configure an interception (a.k.a. "transparent") proxy, Squid should
|
|
be configured in ${SYSCONFDIR}/squid.conf to bind to a specific address,
|
|
for example:
|
|
|
|
http_port 127.0.0.1:3127 intercept
|
|
|
|
On the machine running Squid, add a firewall rule similar to this:
|
|
|
|
pass in quick log inet proto tcp to port 80 divert-to 127.0.0.1 port 3127
|
|
|
|
If the machine running Squid is already acting as a router/firewall
|
|
for your client machines, there is no other special configuration.
|
|
However if Squid is running on a separate machine, the router must be
|
|
configured to pass HTTP traffic to Squid. You can use a rule like this
|
|
on the router:
|
|
|
|
pass in quick from 10.77.3.5
|
|
pass in quick inet proto tcp to port 80 route-to (vr2 10.77.3.5)
|
|
|
|
(this example assumes Squid is running on 10.77.3.5 reachable over
|
|
the vr2 interface).
|
|
|
|
If the proxy server is running on the same subnet as the clients, the
|
|
return traffic from the proxy will go directly back to them without
|
|
ever hitting the firewall, which means the states will never get updated
|
|
and may fill-up your pflog(4) with blocked attempts. To circumvent this
|
|
the "no state" option needs to be specified for the route-to rule:
|
|
|
|
pass in quick inet proto tcp to port 80 route-to (vr2 10.77.3.5) no state
|