```sh
# pkg update
# pkg search squid
squid-4.9                      HTTP Caching Proxy
# pkg install squid-4.9
# sysrc squid_enable=YES
# squid -z
```
It should not be necessary to compile Squid from ports, as the required options `--with-openssl` and `--enable-ssl-crtd` are already present in the package. This can be confirmed by checking the output of:
```sh
# squid -v
```
Next edit the OpenSSL configuration, adding a single line under the [v3_ca] section.

[v3_ca] is merely a section header for an X.509 version 3 Certificate Authority certificate, under which we list the particular extensions we want present. In our use case we need to add keyUsage and specify two usage types which are typical for a CA public key.

```
# /etc/ssl/openssl.cnf
[v3_ca]
keyUsage = cRLSign, keyCertSign
```
Create the folder structure and assign the correct permissions for holding the Squid proxy self-signed root CA:
```sh
# mkdir -p /usr/local/etc/squid/ssl_cert
# chown -R squid:squid /usr/local/etc/squid/ssl_cert
# chmod -R 700 /usr/local/etc/squid/ssl_cert
# cd /usr/local/etc/squid/ssl_cert
# openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -extensions v3_ca -keyout cs7_squid_ca.pem -out cs7_squid_ca.pem
```

```
Generating a RSA private key
............................................+++++
................................................................................................................................+++++
writing new private key to 'cs7_squid_ca.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:GB
State or Province Name (full name) [Some-State]:Hampshire
Locality Name (eg, city) []:Southampton
Organization Name (eg, company) [Internet Widgits Pty Ltd]:CS7 Networks Ltd
Organizational Unit Name (eg, section) []:Networks
Common Name (e.g. server FQDN or YOUR name) []:bsdsquid.cs7networks.co.uk
Email Address []:
```
Export the self-signed CA certificate in DER format, ready to be installed on client machines.

```sh
# openssl x509 -in cs7_squid_ca.pem -outform DER -out cs7_squid_ca.der
```
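As an added example that is not from the original post, the following shell script produces the same CA non-interactively and then checks that the certificate really carries CA:TRUE and the keyCertSign/cRLSign key usages, since a CA missing them is rejected by clients for every site Squid bumps. It uses a private OpenSSL config file instead of editing /etc/ssl/openssl.cnf; the file names and subject fields are assumptions taken from the post.

```shell
#!/bin/sh
# Added example (not from the original post): build the Squid bumping CA
# without prompts and verify it carries the extensions clients require.
# Assumption: openssl(1) is on PATH; the output directory is passed as $1.
set -eu

# Build the CA into directory $1 (default: a temp dir); prints the PEM path.
make_squid_ca() {
    dir="${1:-$(mktemp -d)}"
    ca="$dir/cs7_squid_ca.pem"
    # Same [v3_ca] keyUsage the post adds to openssl.cnf, plus an explicit
    # basicConstraints so CA:TRUE is never left to defaults.
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
C = GB
O = CS7 Networks Ltd
CN = bsdsquid.cs7networks.co.uk
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, cRLSign, keyCertSign
subjectKeyIdentifier = hash
EOF
    # Key and certificate land in one PEM file, as squid.conf's cert= expects.
    openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 \
        -config "$dir/ca.cnf" -keyout "$ca" -out "$ca" 2>/dev/null
    chmod 600 "$ca"
    # DER copy is the only artefact that should leave the proxy host.
    openssl x509 -in "$ca" -outform DER -out "$dir/cs7_squid_ca.der"
    echo "$ca"
}

# Return 0 only if the certificate is a CA with both key usages set.
check_squid_ca() {
    txt=$(openssl x509 -in "$1" -noout -text)
    echo "$txt" | grep -q 'CA:TRUE' || return 1
    echo "$txt" | grep -q 'Certificate Sign' || return 1
    echo "$txt" | grep -q 'CRL Sign' || return 1
    return 0
}
```

Because this key can sign a certificate for any hostname a client visits through the proxy, the PEM should stay readable by the squid user only, and only the DER copy should be imported on clients.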
As and when Squid requires the generation of new certificates, this task is handled by security_file_certgen. Any certificate generated is signed by the Squid CA and then stored in the certificate cache. But first we need to create this certificate cache and set its permissions:

```sh
# /usr/local/libexec/squid/security_file_certgen -c -s /var/log/squid/ssl_db -M 8MB
# chown -R squid:squid /var/log/squid/ssl_db/
```
```
# /usr/local/etc/squid/squid.conf
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=8MB cert=/usr/local/etc/squid/ssl_cert/cs7_squid_ca.pem
sslcrtd_program /usr/local/libexec/squid/security_file_certgen -s /var/log/squid/ssl_db -M 8MB
```

```sh
# service squid start
```
Once it is up and running we can access the Squid manager page at http://<squid_cache>/squid-internal-mgr/info

A full list of Squid statistics pages can be found at http://<squid_cache>/squid-internal-mgr/menu
Now let's configure some monitoring to see what the cache is doing.

```sh
# pkg install monitorix
```

By default Monitorix comes with a lightweight HTTP server, which means all we need to do is enable the graphs for Squid:

```
# /usr/local/etc/monitorix.conf
squid = y
```

```sh
# echo monitorix_enable=\"YES\" >> /etc/rc.conf
# /usr/local/etc/rc.d/monitorix start
```
Navigate to http://<squid_server_ip>:8080/monitorix
Note: I also tried Munin and squidanalyzer but was unable to get any stats graphed. Certainly the log paths were incorrect with the Munin Perl files, but even correcting them didn’t yield any results. Monitorix was the only solution to work straight away albeit with graphs on the right not working!
Squid does offer an SNMP agent, so in the next post I’ll look at leveraging those OIDs: https://wiki.squid-cache.org/Features/Snmp