Squid SSL Decryption with FreeBSD

# pkg update
# pkg search squid
squid-4.9                      HTTP Caching Proxy
# pkg install squid-4.9
# sysrc squid_enable=YES
# squid -z

It should not be necessary to compile Squid from ports, as the build options this setup needs, '--with-openssl' and '--enable-ssl-crtd', are already present in the package. This can be confirmed by checking the output of:

# squid -v

Next edit the OpenSSL configuration, adding a single line under the [v3_ca] section. [v3_ca] is merely a section header for an X.509 version 3 Certificate Authority certificate, listing the particular extensions we want present. In our use case we need to add keyUsage and specify the two usage types typical of a CA public key: signing certificates (keyCertSign) and signing revocation lists (cRLSign).

# /etc/ssl/openssl.cnf

[v3_ca]
keyUsage = cRLSign, keyCertSign

Create the folder structure and assign the correct permissions for holding the Squid proxy self-signed root CA:

# mkdir /usr/local/etc/squid/ssl_cert -p
# chown -R squid:squid /usr/local/etc/squid/ssl_cert
# chmod -R 700 /usr/local/etc/squid/ssl_cert
# cd /usr/local/etc/squid/ssl_cert
# openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -extensions v3_ca -keyout cs7_squid_ca.pem -out cs7_squid_ca.pem
Generating a RSA private key
............................................+++++
................................................................................................................................+++++
writing new private key to 'cs7_squid_ca.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:GB
State or Province Name (full name) [Some-State]:Hampshire
Locality Name (eg, city) []:Southampton
Organization Name (eg, company) [Internet Widgits Pty Ltd]:CS7 Networks Ltd
Organizational Unit Name (eg, section) []:Networks
Common Name (e.g. server FQDN or YOUR name) []:bsdsquid.cs7networks.co.uk
Email Address []:

Export the self-signed CA certificate ready to be installed on client machines.

# openssl x509 -in cs7_squid_ca.pem -outform DER -out cs7_squid_ca.der
Import the certificate into Firefox via the Firefox Certificate Manager.

As and when Squid requires the generation of a new certificate, the task is handled by security_file_certgen. Any certificate it generates is signed by the Squid CA and then stored in the certificate cache. But first we need to create this certificate cache and set its permissions:

# /usr/local/libexec/squid/security_file_certgen -c -s /var/log/squid/ssl_db -M 8MB
# chown -R squid:squid /var/log/squid/ssl_db/

# /usr/local/etc/squid/squid.conf

acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=8MB cert=/usr/local/etc/squid/ssl_cert/cs7_squid_ca.pem
sslcrtd_program /usr/local/libexec/squid/security_file_certgen -s /var/log/squid/ssl_db -M 8MB

# service squid start

Navigate to any HTTPS-secured website and note that the certificate presented to the browser was generated by Squid and signed by your self-signed CA.
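The following script is an added example and not part of the original post. It reproduces offline what the [v3_ca] edit and security_file_certgen together achieve: it builds a throw-away root CA with the same keyUsage line, checks that the extension actually landed in the certificate, mints a leaf certificate for a host the way the proxy does on demand (signed by that CA), and confirms the leaf chains back to the CA, which is the check a browser performs once the CA is imported. The temp directory, the non-interactive DN, the host name demo.example and the proxy address argument to proxy_cert_issuer are assumptions; proxy_cert_issuer is the only function that needs a running Squid and is not invoked by default.

```shell
#!/bin/sh
# Added example (not from the original post): exercise the Squid CA set-up offline.
set -u

WORK="${WORK:-$(mktemp -d)}"   # assumption: scratch directory, not the real ssl_cert path

# Self-contained OpenSSL config so the example does not depend on /etc/ssl/openssl.cnf.
# [v3_ca] carries the keyUsage line the post adds; [v3_leaf] is what a bumped site's
# certificate needs (assumed values, mirroring what security_file_certgen produces).
write_openssl_cnf() {
    cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = req_dn
x509_extensions = v3_ca
prompt = no

[req_dn]
C  = GB
O  = CS7 Networks Ltd
CN = bsdsquid.cs7networks.co.uk

[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = cRLSign, keyCertSign

[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:demo.example
EOF
}

# Same command shape as the post, but non-interactive; key and cert go into one PEM
# file as Squid's cert= option expects.
make_ca() {
    openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 \
        -config "$WORK/openssl.cnf" -extensions v3_ca \
        -keyout "$WORK/cs7_squid_ca.pem" -out "$WORK/cs7_squid_ca.pem" 2>/dev/null
}

# Print "ok" only if the CA cert really carries CA:TRUE plus the two signing usages.
check_ca_extensions() {
    text=$(openssl x509 -in "$1" -noout -text)
    case "$text" in *"CA:TRUE"*) ;; *) echo "missing basicConstraints CA:TRUE"; return 1 ;; esac
    case "$text" in *"Certificate Sign"*) ;; *) echo "missing keyUsage keyCertSign"; return 1 ;; esac
    case "$text" in *"CRL Sign"*) echo ok ;; *) echo "missing keyUsage cRLSign"; return 1 ;; esac
}

# Mint a leaf certificate for a host and sign it with the CA, mimicking what
# security_file_certgen does for each site the proxy bumps.
make_leaf() {
    host="$1"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/openssl.cnf" \
        -subj "/CN=$host" -keyout "$WORK/$host.key" -out "$WORK/$host.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$host.csr" -CA "$WORK/cs7_squid_ca.pem" \
        -CAkey "$WORK/cs7_squid_ca.pem" -CAcreateserial -days 30 -sha256 \
        -extfile "$WORK/openssl.cnf" -extensions v3_leaf -out "$WORK/$host.pem" 2>/dev/null
}

# The browser-side check: does the leaf chain to the imported CA?
verify_leaf() {
    openssl verify -CAfile "$WORK/cs7_squid_ca.pem" "$WORK/$1.pem" >/dev/null 2>&1 && echo ok
}

# Compare a certificate's issuer with the CA's subject (useful on a cert saved from
# the browser or fetched with proxy_cert_issuer below).
issued_by_ca() {
    issuer=$(openssl x509 -in "$1" -noout -issuer)
    subject=$(openssl x509 -in "$2" -noout -subject)
    [ "${issuer#issuer=}" = "${subject#subject=}" ] && echo ok
}

# Live check through a running proxy (assumption: Squid listens at $1, e.g. 127.0.0.1:3128).
# Prints the issuer of the certificate the proxy hands out for host $2.
proxy_cert_issuer() {
    openssl s_client -proxy "$1" -connect "$2:443" -servername "$2" </dev/null 2>/dev/null \
        | openssl x509 -noout -issuer
}

demo() {
    write_openssl_cnf
    make_ca
    check_ca_extensions "$WORK/cs7_squid_ca.pem"
    make_leaf demo.example
    verify_leaf demo.example
    issued_by_ca "$WORK/demo.example.pem" "$WORK/cs7_squid_ca.pem"
}

demo
```

Run it as-is to see three "ok" lines; against a live proxy, `proxy_cert_issuer 127.0.0.1:3128 example.org` should print the subject of your CA, which is exactly what the browser's certificate viewer reports after the bump.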

Once it is up and running we can access the squid manager page at the following URL http://<squid_cache>/squid-internal-mgr/info

A full list of Squid statistic pages can be found at 'http://<squid_cache>/squid-internal-mgr/menu'

Now let's configure some monitoring to see what the cache is doing.

# pkg install monitorix

By default Monitorix comes with a lightweight HTTP server, which means all we need to do is enable the graphs for Squid:

# /usr/local/etc/monitorix.conf
squid        =y
# echo monitorix_enable=\"YES\" >> /etc/rc.conf
# /usr/local/etc/rc.d/monitorix start

Navigate to http://<squid_server_ip>:8080/monitorix

Note: I also tried Munin and squidanalyzer but was unable to get any stats graphed. Certainly the log paths were incorrect with the Munin Perl files, but even correcting them didn’t yield any results. Monitorix was the only solution to work straight away albeit with graphs on the right not working!

Squid does offer a SNMP agent so in the next post I’ll look at leveraging those OIDs: https://wiki.squid-cache.org/Features/Snmp
