Sunday, February 10, 2008

How To: Install Squid Cache for Windows

Complete Guide on Installing and Configuring Squid Proxy Server for Windows

Here’s another guide again by me to configure / install Squid Cache Proxy as an anonymous proxy server and filter some ads / banners (on Windows, not Linux, since most Linux users already know about this) :)

  • First download Squid 2.6 Stable 1 for Windows from Acme-Consulting and don’t forget to extract it into a directory of your choice, and download JAP from here. As a note, I wrote this tutorial using Squid 2.6 Stable 1, so if you’re using the Squid 2.5 series there are some parameters you’ll need to change first in order for it to work

Note: in this tutorial I’ll use G:\Squid as the Squid directory

  • After extracting it into G:\Squid, go into the etc directory “G:\Squid\etc” and rename all the .default files to .conf files. For example squid.conf.default -> squid.conf, mime.conf.default -> mime.conf, etc.
  • Open the squid.conf file using your favorite text editor such as Notepad, UltraEdit, etc. and configure it like this (you can change it later) :) but I’m not going into more detail here since most Squid configuration is self-explanatory and depends on your hardware too (for example the memory size, cache size, etc.). But you can always use this squid.conf directly in your Squid configuration without changing any of its parameters, as long as you extract Squid into the G:\Squid directory; otherwise you’ll need to change every parameter that includes G:\squid to your Squid path

# HTTP Port (in this tutorial squid will run on localhost at port 3128)
http_port 127.0.0.1:3128

# ICP Port and HTCP Port (we’ll disable this since we are not going to use it)
icp_port 0
htcp_port 0

# Cache Peer (we’ll forward all request into parent proxy)
cache_peer 127.0.0.1 parent 4001 7 no-query

# Cache directory (in this example I am using 3000 MB / 3 GB of space to store the squid cache)
cache_dir awin32 g:/squid/var/cache 3000 16 256

# access_log
access_log g:/squid/var/logs/access.log squid

# cache_log
cache_log g:/squid/var/logs/cache.log

# cache_store_log
cache_store_log none

# mime_table
mime_table g:/squid/etc/mime.conf

# pid_filename
pid_filename g:/squid/var/logs/squid.pid

# unlinkd_program
unlinkd_program g:/squid/libexec/unlinkd.exe

# refresh_pattern (you can configure this as you like, to get more hits from a website)
# note: if you change the parameter “refresh_pattern . 1 100% 20160 reload-into-ims ignore-reload” into something else, for
# example “refresh_pattern . 10 100% 20160 reload-into-ims ignore-reload”,
# there’ll be errors on some pages (Gamefaqs.com for example) because the page doesn’t reload correctly after logging into Gamefaqs
refresh_pattern ^http://.*\.gif$ 1440 50% 20160 reload-into-ims
refresh_pattern ^http://.*\.asis$ 1440 50% 20160
refresh_pattern -i \.png$ 10080 150% 40320 reload-into-ims
refresh_pattern -i \.jpg$ 10080 150% 40320 reload-into-ims
refresh_pattern -i \.bmp$ 10080 150% 40320 reload-into-ims
refresh_pattern -i \.gif$ 10080 300% 40320 reload-into-ims
refresh_pattern -i \.ico$ 10080 300% 40320 reload-into-ims
refresh_pattern -i \.swf$ 10080 300% 40320 reload-into-ims
refresh_pattern -i \.flv$ 10080 300% 40320 reload-into-ims
refresh_pattern -i \.rar$ 10080 150% 40320
refresh_pattern -i \.ram$ 10080 150% 40320
refresh_pattern -i \.txt$ 1440 100% 20160 reload-into-ims override-lastmod
refresh_pattern -i \.css$ 1440 60% 20160
refresh_pattern ^http:// 1 100% 20160 reload-into-ims ignore-reload
refresh_pattern ^ftp:// 240 50% 20160
refresh_pattern ^gopher:// 240 40% 20160
refresh_pattern /cgi-bin/ 0 0% 30
refresh_pattern . 0 100% 20160 reload-into-ims

# Deny requests to unknown ports
http_access deny !Safe_ports

# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports

# Block access to Malware & ads farm site
# Insert your own rule here by using
# acl blablabla url_regex -i “path to file”
# or
# acl blablabla url_regex “path to file”

http_access allow localhost
http_access deny all
cache_mgr Reaper-X
httpd_suppress_version_string on
visible_hostname Reaper
via off
forwarded_for off
log_icp_queries off
client_db off
never_direct allow all

#Some anonymizing
header_access From deny all
#there are some websites which use referer checks
#so it’s better to leave this disabled
#header_access Referer deny all
header_access WWW-Authenticate deny all
header_access Link deny all
header_access Warning deny all
header_access Via deny all
header_access User-Agent deny all
header_access Proxy-Connection deny all
header_access X-Forwarded-For deny all

Now the next step would be running JAP, configuring your browsers to use the Squid proxy and starting Squid, and you’re finished …. ;)

http://www.reaper-x.com/2006/07/18/complete-guide-on-installing-and-configuring-squid-proxy-server-for-windows/

Installing Squid Cache for Windows

Linux users mostly already know the Squid proxy server as the best and most used proxy server. As in my previous post “Bandwidth Shaping Using Squid Cache and WIPFW”, I needed a free proxy server for my Windows server. I found SquidNT, which is ported from its Linux version by Guido Serassio.

You can download SquidNT from Acme Consulting’s website, click here. If you want to do bandwidth shaping then you must download the SquidNT Delay Pool version. In this installation guide I use the Delay Pool version, as I want to do bandwidth shaping.

Step 1: download SquidNT Delay Pool version here: http://squid.acmeconsulting.it/download/squid-2.6.STABLE12-bin-DELAYP.zip

Step 2: extract the zip file and put it on the C: drive

Step 3: configure the squid.conf file in the /etc folder. There is a squid.conf.default there; rename it to squid.conf and edit it.

Step 4: configure the DNS nameserver. On squid.conf find:

# TAG: dns_nameservers
# Use this if you want to specify
# a list of DNS name servers (IP addresses)
# to use instead of those given in your
# /etc/resolv.conf file.
#
# Example: dns_nameservers 10.0.0.1 192.172.0.4
#
#Default:
# none
dns_nameservers 192.168.0.1

To find out what your nameserver is, type ipconfig at the command prompt and find the IP address in the Default Gateway field. Copy it into your squid.conf file as above.

Step 5: setup ACL

# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from
# where browsing should be allowed
#acl our_networks src 192.168.1.0/24 192.168.2.0/24
#http_access allow our_networks
acl our_networks src 192.168.0.0/16
http_access allow our_networks

Here you can set up which networks are allowed to use your proxy server. From the ipconfig command you can find out what your IP address is; usually it has the 192.168.0.x format, so you can apply the configuration above.

Step 6: Setup the hostname

# TAG: visible_hostname
# If you want to present a special hostname …
# then define this. Otherwise, the return …
# will be used. If you have multiple caches …
# get errors about IP-forwarding you must …
# names with this setting.
#
#Default:
# none
visible_hostname localhost

Here you can define the name of your host, for example “localhost” or “server.yourdomain.com”

Step 7: Setup cache directory

Run this command from the command prompt: c:\squid\sbin\squid -D -z

Step 8: On Windows XP/2000/2003 you can setup SquidNT as a service

Run this command from the command prompt: c:\squid\sbin\squid -i

You can start/stop/restart the service called Squid from: Control Panel > Administrative Tools > Services

Step 9: Setup your browser to use proxy server

For Internet Explorer users, go to Tools > Internet Options. Select the Connections tab and click LAN Settings.

In the pop-up window you’ll find the proxy box; tick “Use a proxy server for your LAN…”, fill in your server’s IP (where you installed SquidNT) in the address field and “3128” in the port field. 3128 is the default port for SquidNT.

Click OK to save the configuration. Now try to open a web page and see if it loads. If it does, the configuration is set correctly.

Step 10: Setup the Delay Pool.

As I want to do bandwidth shaping, I need to set up the Delay Pool. Here is the configuration:

#
#Default:
# delay_pools 0
delay_pools 1
delay_class 1 1

Then create delay_access:

# delay_access 2 allow lotsa_little_clients
# delay_access 2 deny all
#
#Default:
# none
delay_access 1 allow our_networks
delay_access 1 deny all

Now we set up how much bandwidth we want to allocate. For example, you have a 384 Kbps ADSL connection, which means you can download at around 40KB/s. Now you want to shape the maximum download rate to around 30KB/s; here is the configuration:

#
#delay_parameters 2 32000/32000 8000/8000 600/8000
#
# There must be one delay_parameters line for each delay pool.
#
#Default:
# none
delay_parameters 1 30000/30000

Step 11: Restart the Squid service from: Control Panel > Administrative Tools > Services

Done! Now you have 30KB/s for browsing and another 10KB/s reserved for other internet connections like chatting or streaming radio :)
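As an added example (not from Markus's post), a small Python model of the class 1 delay pool configured above: one token bucket refilled at the restore rate and capped at the bucket size, which is why delay_parameters 1 30000/30000 gives roughly 30 KB/s sustained while a burst up to 30000 bytes passes at once. The 100 ms tick and the bucket starting full are simulation assumptions.

```python
"""Token-bucket model of a Squid class 1 delay pool (added example, not from the post).

`delay_parameters 1 30000/30000` means: one aggregate bucket that refills at
30000 bytes per second (restore) and holds at most 30000 bytes (max).  Bytes
delivered to clients are paid for from the bucket, so sustained throughput is
capped at the restore rate while bursts up to the bucket size pass at once.
"""


class DelayPool:
    """Class 1 pool: one aggregate bucket shared by every client in delay_access."""

    def __init__(self, restore, maximum):
        self.restore = restore          # bytes added to the bucket per second
        self.maximum = maximum          # bucket capacity in bytes
        self.level = float(maximum)     # assumption: the bucket starts full

    def tick(self, ms):
        """Refill for `ms` milliseconds of elapsed time, capped at the bucket size."""
        self.level = min(self.maximum, self.level + self.restore * ms / 1000)

    def send(self, requested):
        """Deliver as much of `requested` as the bucket allows; return bytes delivered."""
        granted = int(min(requested, max(self.level, 0)))
        self.level -= granted
        return granted


def parse_delay_parameters(line):
    """Parse a class 1 `delay_parameters <pool> <restore>/<max>` squid.conf line."""
    fields = line.split()
    if len(fields) != 3 or fields[0] != "delay_parameters":
        raise ValueError("not a class 1 delay_parameters line: %r" % line)
    restore, maximum = fields[2].split("/")
    return int(restore), int(maximum)


def seconds_to_transfer(size_bytes, restore, maximum, tick_ms=100):
    """Simulate one download of `size_bytes` through the pool; return elapsed seconds."""
    pool = DelayPool(restore, maximum)
    remaining, elapsed_ms = size_bytes, 0
    while remaining > 0:
        remaining -= pool.send(remaining)
        if remaining > 0:
            pool.tick(tick_ms)
            elapsed_ms += tick_ms
    return elapsed_ms / 1000


def sustained_kbps(restore):
    """Line rate the pool allows once the bucket is drained, in kilobits per second."""
    return restore * 8 / 1000


if __name__ == "__main__":
    restore, maximum = parse_delay_parameters("delay_parameters 1 30000/30000")
    print("sustained rate: %.0f kbit/s of the 384 kbit/s line" % sustained_kbps(restore))
    print("30 KB page: %.1f s" % seconds_to_transfer(30000, restore, maximum))
    print("1 MB download: %.1f s" % seconds_to_transfer(1_000_000, restore, maximum))
```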

Markus

http://markus.revti.com/index.php/2007/06/10/installing-squid-cache-for-windows/

Squid-setup for Windows NT/2K/XP

What is Squid?

· This is an easy setup for the Squid Proxyserver compiled on windows by Guido Serassio.

· full-featured Web proxy cache

· designed to run on Unix systems, this version runs on the Windows NT core

· free, open-source software

Do I need Squid?

· No! Nobody needs Squid! You can get happy without it. But if you need a free web proxy that runs on Windows, this program is a little step to get happy in your life ;-).

· With this version of Squid you can limit access to the web by proxy authentication

· Squid saves bandwidth by caching often used web sites.

· More secure: you can limit access to the proxy by IP ranges etc. and only 1 computer needs direct access to the internet.

· You can filter web sites like xxx.com

Features of this setup

· Runs out of the box

· You can choose between External (dialup) and Internal (LAN) DNS handling, good for dialup and LAN connections.

· You don’t need to install it manually.

· The setup creates a cache with max 100 MB of space; if you need more space you have to change this in squid.conf and build a new cache.

· I have added some little cmd’s for easy control of the Squid service, and you can install some at-jobs for automatic maintenance of Squid. Rotating log files before they get too big is very important for Squid to work 24/7.

Download

Paths with spaces (like C:\Programs Files\Squid) are NOT supported by Squid !!!

HOWTO upgrade from older Squid 2.5 versions to STABLE 5

Howto make an NT-User auth

--!!! New Squid 2.5 Stable 3 Setup english beta !!!--

-!!! New Squid 2.5 Stable 3 Setup deutsch beta !!!--

Squid 2.5 Stable 2 Setup english beta

Squid 2.5 Stable 2 Setup deutsch beta

Squid 2.5 Stable 1 Setup english

Squid 2.5 Stable 1 Setup deutsch

Squid 2.3 Stable 5 Setup english

Squid 2.3 Stable 5 Setup deutsch

· All setups are made with Inno Setup Compiler, Scriptmaker and ISTool

Inno Setupscripts for all Squid versions

http://www.bofi.camelot.de/squid.htm

Installing and configuring SquidNT

Introduction

PaperCut Internet Charging and Quotas requires a proxy server to manage Internet connectivity and log internet usage by your users. Squid is one of the best known proxy servers, and typically is run on a Linux/Unix machine, however in some environments a proxy needs to be run on a Windows machine. Fortunately Squid is available for Windows, and is available for download as the SquidNT package.

(To set up Squid on a Linux/Unix machine and configure it to authenticate with Windows, see our article Configuring Squid on Linux to authenticate with Active Directory.)

Installing SquidNT

Download the latest version of SquidNT from here.

This guide has been written for 2.5.STABLE14-NT (download). The guide has also been updated to work with Squid 2.6.

Unzip the Squid zip file (e.g. squid-2.5.STABLE14-NT-bin.zip) to a temporary directory. This will create a folder called squid-2.5.STABLE14-NT-bin\squid. Move the squid subdirectory to the location where you want Squid to be installed, e.g. c:\squid. (NOTE: You cannot install Squid in a directory containing spaces, like C:\Program Files.)

Open a command line window (cmd.exe), and change to the directory you installed Squid to. E.g. cd \squid

Install the Squid service by running the following:

    C:\squid>sbin\squid.exe -i

Set up the default config files by copying the template configuration files in C:\squid. Copy the following three files to C:\squid\etc.

    squid.conf.default      to C:\squid\etc\squid.conf
    mime.conf.default       to C:\squid\etc\mime.conf
    cachemgr.conf.default   to C:\squid\etc\cachemgr.conf

Then create the Squid cache directories by running the following:

    C:\squid>sbin\squid -z

Squid is now ready to start. Start the Squid NT service from the Services Control Panel applet (Control Panel->Administrative Tools->Services). If Squid starts correctly you will not receive an error, and the cache log file (C:\squid\var\logs\cache.log) will not contain any errors.

Configuring user authentication

In this default configuration Squid is locked down to not allow any access, so the config file needs to be modified to allow connections from users on the network. Shut down the Squid service.

Open the Squid config file (C:\squid\etc\squid.conf).

To enable authentication against your Windows domain or Active Directory, add the following to your config file around line 1290. This tells Squid to use NTLM authentication (i.e. automatically log users in without prompting for a password).

For Squid 2.5:

    auth_param ntlm program c:/squid/libexec/win32_ntlm_auth.exe
    auth_param ntlm children 5
    auth_param ntlm max_challenge_reuses 0
    auth_param ntlm max_challenge_lifetime 2 minutes
    auth_param ntlm use_ntlm_negotiate on

For Squid 2.6:

    auth_param ntlm program c:/squid/libexec/mswin_ntlm_auth.exe
    auth_param ntlm children 5

Then define an ACL (access control list) entry that allows users on your network to use the proxy if authenticated. Go to approximately line 1830 of the file, and add the lines:

    acl localnet src 192.168.1.0/24
    acl auth_users proxy_auth REQUIRED
    # an acl has exactly one type, so the source network and the authentication
    # requirement are separate acls; listing both on one http_access line ANDs them
    http_access allow localnet auth_users

(But change the IP address mask as appropriate for your network. You can specify multiple network masks by separating them with spaces).

Now restart Squid and ensure that it starts correctly. Configure a browser to use the Squid proxy (port 3128 by default), and try to access an external web site. You should be able to visit the site successfully. To check that the authentication is working correctly open the C:\squid\var\logs\access.log file, and you should see log entries for the web site you visited, and importantly your username in the log file. Below are sample logs from visiting google.com. Note the username vm-domain\administrator, where vm-domain is the name of the domain, and administrator is the name of the user.

    1118015367.061    703 127.0.0.1 TCP_MISS/302 405 GET http://google.com/ vm-domain\administrator DIRECT/216.239.57.99 text/html
    1118015367.749    688 127.0.0.1 TCP_MISS/302 411 GET http://www.google.com/ vm-domain\administrator DIRECT/66.102.7.104 text/html

Allowing access only to members of a Windows group

The next step is to only allow users access if they belong to a Windows security group. This can be used to enforce Internet access policy on your domain, and allow PaperCut to restrict access to users who have used their entire available quota. First we need to add the external ACL types to check for Windows group membership. Go to about line 1396 and add the following:

For Squid 2.5:

    external_acl_type win_domain_group ttl=120 %LOGIN c:/squid/libexec/win32_check_group.exe -G
    external_acl_type win_local_group ttl=120 %LOGIN c:/squid/libexec/win32_check_group.exe

For Squid 2.6:

    external_acl_type win_domain_group ttl=120 %LOGIN c:/squid/libexec/mswin_check_lm_group.exe -G
    external_acl_type win_local_group ttl=120 %LOGIN c:/squid/libexec/mswin_check_lm_group.exe

(The first entry is used to check domain group membership, the second is for local groups. You only have to add the lines you are going to use. Users of PaperCut typically use domain groups, so only the first line would be necessary).

Now we need to define the ACL to only allow access to members of a particular group (e.g. a domain group called InternetUsers). Go to the place in the config file where the acl localnet entry was defined (approx line 1850), and replace the previous ACL definitions with:

    acl localnet src 192.168.1.0/24
    acl auth_users proxy_auth REQUIRED
    acl InetAllow external win_domain_group InternetUsers
    # all three must match: on the local network, authenticated, and in the group
    http_access allow localnet auth_users InetAllow

Ensure that you use the IP mask appropriate for your network. In the above example InternetUsers is a domain group; change the group name as appropriate for your network. If your group is a local group, use the win_local_group external ACL type instead.

(Make sure you remove the earlier http_access allow rule that granted access to every authenticated localnet user, otherwise all users on the network will have access, even if they do not belong to the group.)

Restart Squid, and now only members of the InternetUsers group will have access to the Internet via the proxy.

NOTE: If you have the need to deny Internet access for members of another Windows security group, you can set up an InternetDenyGroup the same way as above and then define an InetDeny ACL. You can then specify an http_access deny rule as follows; place it before the http_access allow rule, because Squid evaluates http_access lines in order and stops at the first one that matches:

    http_access deny InetDeny

Verifying the configuration

Restart Squid (if you have not done so already).

As a user that belongs to the InternetUsers group:

  • Make sure the browser is set up to use the proxy (port 3128 by default)
  • Browse the Internet for a few minutes (you should be allowed to view all pages).
  • Check the C:\squid\var\logs\access.log, and make sure your username is being logged.

As a user that does not belong to the InternetUsers group:

  • Make sure the browser is set up to use the proxy (port 3128 by default)
  • Try to browse the Internet (you should be denied access by the Squid proxy).
  • Check the C:\squid\var\logs\access.log, and make sure you see TCP_DENIED entries that contain the correct username.
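A check for the two log inspection steps above (username logged for the allowed user, TCP_DENIED entries carrying the username for the denied user), as an added Python example that is not from the PaperCut article: it parses Squid's native access.log format and reports which usernames were logged and how many TCP_DENIED entries each produced. The first two sample lines are the article's own; the two TCP_DENIED lines are constructed.

```python
"""Parse Squid's native access.log format and report what the verification steps
look for: logged usernames on allowed requests and TCP_DENIED entries per user.
Added example, not from the PaperCut article.
"""
import re
from collections import Counter
from typing import NamedTuple, Optional

# Native squid format: time elapsed client action/status bytes method url user hierarchy/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)


class Entry(NamedTuple):
    ts: float
    client: str
    action: str
    status: int
    url: str
    user: str  # "-" when Squid had no authenticated username for the request


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for one log line, or None if it is not native squid format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Entry(float(m["ts"]), m["client"], m["action"], int(m["status"]),
                 m["url"], m["user"])


def parse_log(text: str):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def users_seen(entries):
    """Distinct DOMAIN\\user names Squid logged on requests it allowed (case-folded)."""
    return {e.user.lower() for e in entries if e.user != "-" and e.action != "TCP_DENIED"}


def denied_by_user(entries):
    """TCP_DENIED count per username; a '-' entry is the 407 challenge before NTLM completes."""
    return Counter(e.user.lower() for e in entries if e.action == "TCP_DENIED")


# First two lines are the article's sample; the TCP_DENIED lines are constructed.
SAMPLE_LOG = """\
1118015367.061    703 127.0.0.1 TCP_MISS/302 405 GET http://google.com/ vm-domain\\administrator DIRECT/216.239.57.99 text/html
1118015367.749    688 127.0.0.1 TCP_MISS/302 411 GET http://www.google.com/ vm-domain\\administrator DIRECT/66.102.7.104 text/html
1118015401.120      2 192.168.1.25 TCP_DENIED/407 1735 GET http://example.com/ - NONE/- text/html
1118015401.390      5 192.168.1.25 TCP_DENIED/403 1412 GET http://example.com/ vm-domain\\guest NONE/- text/html
"""

if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("authenticated users:", sorted(users_seen(entries)))
    for user, count in denied_by_user(entries).items():
        print("TCP_DENIED x%d for %s" % (count, user))
```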

If this all works, then you're ready to use PaperCut with SquidNT...

  • In Options->Net Charging Options, point PaperCut to the C:\squid\var\logs log directory.
  • Set the log file mask to access.log
  • And then press the "Test and Apply Settings" button. You should see some summarized net access usage.

Log Rotation

Squid NT does not rotate its log files, so on large sites these files will grow very large. We recommend implementing a simple rotation policy which improves the performance of your system and allows easy archiving of old logs.

We have written a simple batch file that performs a log rotation by stopping Squid, renaming access.log to access-YYYY-MM-DD.log, and then restarting Squid. Use the Windows Task Scheduler to run the batch file regularly (e.g. daily or weekly). NOTE: Make sure you set up the scheduled task to run as a user with permission to stop/start the Squid service.

Squid 2.6 changed the name of the Squid service, so make sure you download the correct version of the script.

Download squid-2.5-log-rotate.bat

Download squid-2.6-log-rotate.bat

Troubleshooting

If Squid fails to start then it is best to check the following two log files. They will usually give you a hint about the cause of the problem (e.g. a syntax problem in the squid.conf file).

    C:\squid\sbin\squid.exe.log
    C:\squid\var\logs\cache.log


http://www.papercut.com/kb/Main/InstallingAndConfiguringSquidNTProxy

1 comment:

Anonymous said...

Rex,
nothing that I have found anywhere shows me how to actually do what I want to in Squid.
I have an XP Professional box with 2 NIC cards. One is 192.168.9.195 and that connects to a WAP at 192.168.9.1. The second NIC is at 192.168.0.197, and has its gateway as 192.168.0.1. That one is connected to the internet. What I want to do is to use Squid as a caching server such that the 9.x subnet can only access the internet by using Squid. Eventually I'll install a filter. What are the specific items that I need? Edit my email address out of this post, but send me an email at knapper at realtime dot net. Thanks.