SquidByDefault

Summary

This spec describes a method for deploying Squid by default.

Rationale

Squid reduces network bandwidth usage and improves the overall speed of Web browsing. This is extremely useful on slow connections, but also on fast ones.

Use cases

Any user browsing over HTTP will use this.

Scope

The scope of this spec is deploying Squid for HTTP on port 80.

Design

Squid should be installed and running by default.

Squid should bind only to 127.0.0.1. It currently appears to bind to all interfaces.

We should probably tweak Squid's default configuration to use the heap GDSF cache replacement policy to maximize the object hit rate and thus give the biggest perceived speed increase. For memory replacement, LRU is likely optimal.

We should probably build Squid with the diskd cache storage type, and use it. diskd fork()s a separate process to handle disk I/O so that disk access does not block Squid, letting concurrent requests proceed without massive lag.

Squid does not need to run in a chroot jail; bound to 127.0.0.1, it is not visible to the outside world.

Implementation

Install Squid by default. Make the necessary changes to its config and the system config.

Note that iptables can be configured to match OUTGOING packets to port 80 that originate from Squid's UID and ACCEPT them, and then, in a following rule, match all other OUTGOING packets to port 80 and redirect them to port 3128. Squid can be configured to accept connections this way and handle them appropriately; the result is a system-wide transparent HTTP proxy that needs no client configuration. It is also a pain to disable.
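The two-rule iptables method above, written out as an added example (not part of the spec). It assumes Squid runs as the Ubuntu "proxy" user, listens on 127.0.0.1:3128 with http_port 3128 transparent in squid.conf, and that the rules live in the nat table's OUTPUT chain, which is where locally generated packets are seen; the removal function is included because the spec notes this setup is a pain to disable.

```shell
# Added example for the SquidByDefault iptables method; assumptions are noted below.
SQUID_USER="${SQUID_USER:-proxy}"   # assumed: user the Ubuntu squid package runs as
SQUID_PORT="${SQUID_PORT:-3128}"    # assumed: Squid's http_port (transparent mode)

# Emit one rule specification per line, without -A/-D so the same list can be
# used both to add and to remove the rules. Order matters: the exemptions must
# come before the REDIRECT, or Squid's own upstream fetches would loop back
# into Squid.
squid_nat_rules() {
    # Packets to port 80 sent by Squid itself leave the machine untouched
    echo "OUTPUT -p tcp --dport 80 -m owner --uid-owner $SQUID_USER -j ACCEPT"
    # Loopback traffic to port 80 (e.g. a local web server) is left alone
    echo "OUTPUT -o lo -p tcp --dport 80 -j ACCEPT"
    # Everything else headed for port 80 is redirected into Squid
    echo "OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT"
}

# Install the rules in the nat table (needs root). Unquoted $rule is intended:
# the rule line is split into individual iptables arguments.
apply_squid_nat() {
    squid_nat_rules | while read -r rule; do
        iptables -t nat -A $rule || exit 1   # exit leaves the pipeline subshell
    done
}

# Delete exactly the rules that were added, so the proxy can be switched off
# without flushing unrelated nat rules.
remove_squid_nat() {
    squid_nat_rules | while read -r rule; do
        iptables -t nat -D $rule || exit 1
    done
}

# Stand-alone run: show the rules that would be applied (no root required).
squid_nat_rules
```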

Code

Data preservation and migration

Unresolved issues

Do we want to use the iptables method, or just set Firefox to use the proxy on port 3128? Both have merits, although the iptables method can cause problems.

Squid seems to die if it can't determine a proper hostname and visible_hostname isn't set in squid.conf.

BoF agenda and discussion

  • Intercepting proxies (what you're calling `transparent proxies') do not work properly. See RFC3143. So that option can be ruled out.
    • It most certainly didn't bother me when I did it; and I believe ShoreWall allows you to set up Squid using Dan's Guardian as a proxy with transparent proxying ("intercepting proxies"). The issue with intercepting proxies is if you have a Web server behind the proxy and the proxy services requests to the server, in which case the source IP becomes the proxy server. The solution, of course, is to not enable this on servers.
CategorySpec

ImprovedNetworking/SquidByDefault (last edited 2008-08-06 16:31:47 by localhost)