The www/squid,krb5 port
squid-6.11v0-krb5 – WWW and FTP proxy cache and accelerator (cvsweb github mirror)
Description
Squid is a high-performance proxy caching server for web clients, supporting FTP, gopher, and HTTP data objects. Unlike traditional caching software, Squid handles all requests in a single, non-blocking, I/O-driven process. Squid keeps meta data and especially hot objects cached in RAM, caches DNS lookups, supports non-blocking DNS lookups, and implements negative caching of failed requests. Squid supports SSL, extensive access controls, and full request logging. By using the lightweight Internet Cache Protocol, Squid caches can be arranged in a hierarchy or mesh for additional bandwidth savings. Flavours: krb5 build with Kerberos 5 support (if you intend to use this for auth against Microsoft directory services, you may find the "msktutil" package useful).WWW: http://www.squid-cache.org/
Readme
+----------------------------------------------------------------------- | Running ${PKGSTEM} on OpenBSD +----------------------------------------------------------------------- General configuration ===================== The sample configuration in ${SYSCONFDIR}/squid.conf is a simple version with only the most essential options. By default, only RAM-based cache is used, un-comment the cache_dir line to enable a persistent disk cache ("swap"); this is normally kept in ${LOCALSTATEDIR}/cache and must be initialized with "squid -z" before starting the daemon. If you need to place it elsewhere, create the directory and make sure it is owned and writable by user _squid, group _squid. Logs are stored in ${LOCALSTATEDIR}/logs; access logs on a busy cache will grow rapidly so rotate them as necessary (use "squid -k rotate"). See ${TRUEPREFIX}/share/examples/squid/squid.conf.documented for a complete annotated file, similar to the standard squid.conf in previous versions of Squid, however in many cases the defaults will suffice. The HTML error pages can be easily themed by editing the style-sheet in ${SYSCONFDIR}/errorpage.css. System resource limits ====================== When started from rc.d(8) (i.e. via pkg_scripts in rc.conf.local or from "${RCDIR}/squid start"), the Squid processes run in the login(1) class of "squid". On a busy server, you may need to adjust the limits in /etc/login.conf.d/squid. There is also a kernel limit on the number of open file descriptors, sysctl kern.maxfiles. In some circumstances you may also need to raise this; if this is required, pay particular attention to testing and monitoring your system. The "rock" disk storage backend has only been very lightly tested with OpenBSD; to use it you will need to raise sysctl net.unix.dgram.sendspace above the default to avoid "Message too long" (EMSGSIZE) errors. 8192 seems to work. The port maintainer has mostly been using either the "aufs" disk storage backend, or just using memory-based caching. Interception Proxying with PF ============================= To configure an interception (a.k.a. "transparent") proxy, Squid should be configured in ${SYSCONFDIR}/squid.conf to bind to a specific address, for example: http_port 127.0.0.1:3127 intercept On the machine running Squid, add a firewall rule similar to this: pass in quick log inet proto tcp to port 80 divert-to 127.0.0.1 port 3127 If the machine running Squid is already acting as a router/firewall for your client machines, there is no other special configuration. However if Squid is running on a separate machine, the router must be configured to pass HTTP traffic to Squid. You can use a rule like this on the router: pass in quick from 10.77.3.5 pass in quick inet proto tcp to port 80 route-to 10.77.3.5 (this example assumes Squid is running on 10.77.3.5). If the proxy server is running on the same subnet as the clients, the return traffic from the proxy will go directly back to them without ever hitting the firewall, which means the firewall states will never get updated and cause problems. This can possibly be avoided by NATting the relevant traffic, but on the whole it's simpler to place the proxy on another network interface or vlan.
Maintainer
Stuart Henderson
Multi-packages
squid-6.11v0-krb5 squid-ldap-6.11v0