The www/squid,krb5 port
squid-6.12p0v0-krb5 – WWW and FTP proxy cache and accelerator (cvsweb github mirror)
Description
Squid is a high-performance proxy caching server for web clients, supporting FTP, gopher, and HTTP data objects. Unlike traditional caching software, Squid handles all requests in a single, non-blocking, I/O-driven process. Squid keeps meta data and especially hot objects cached in RAM, caches DNS lookups, supports non-blocking DNS lookups, and implements negative caching of failed requests. Squid supports SSL, extensive access controls, and full request logging. By using the lightweight Internet Cache Protocol, Squid caches can be arranged in a hierarchy or mesh for additional bandwidth savings. Flavours: krb5 build with Kerberos 5 support (if you intend to use this for auth against Microsoft directory services, you may find the "msktutil" package useful).WWW: http://www.squid-cache.org/
Readme
+-----------------------------------------------------------------------
| Running ${PKGSTEM} on OpenBSD
+-----------------------------------------------------------------------
General configuration
=====================
The sample configuration in ${SYSCONFDIR}/squid.conf is a simple version
with only the most essential options. By default, only RAM-based cache is
used, un-comment the cache_dir line to enable a persistent disk cache
("swap"); this is normally kept in ${LOCALSTATEDIR}/cache and must be
initialized with "squid -z" before starting the daemon. If you need to
place it elsewhere, create the directory and make sure it is owned and
writable by user _squid, group _squid.
Logs are stored in ${LOCALSTATEDIR}/logs; access logs on a busy cache will
grow rapidly so rotate them as necessary (use "squid -k rotate").
See ${TRUEPREFIX}/share/examples/squid/squid.conf.documented for a complete
annotated file, similar to the standard squid.conf in previous versions
of Squid, however in many cases the defaults will suffice.
The HTML error pages can be easily themed by editing the style-sheet in
${SYSCONFDIR}/errorpage.css.
System resource limits
======================
When started from rc.d(8) (i.e. via pkg_scripts in rc.conf.local or
from "${RCDIR}/squid start"), the Squid processes run in the login(1)
class of "squid". On a busy server, you may need to adjust the limits in
/etc/login.conf.d/squid.
There is also a kernel limit on the number of open file descriptors,
sysctl kern.maxfiles. In some circumstances you may also need to raise
this; if this is required, pay particular attention to testing and
monitoring your system.
The "rock" disk storage backend has only been very lightly tested with
OpenBSD; to use it you will need to raise sysctl net.unix.dgram.sendspace
above the default to avoid "Message too long" (EMSGSIZE) errors.
8192 seems to work. The port maintainer has mostly been using either
the "aufs" disk storage backend, or just using memory-based caching.
Interception Proxying with PF
=============================
To configure an interception (a.k.a. "transparent") proxy, Squid should
be configured in ${SYSCONFDIR}/squid.conf to bind to a specific address,
for example:
http_port 127.0.0.1:3127 intercept
On the machine running Squid, add a firewall rule similar to this:
pass in quick log inet proto tcp to port 80 divert-to 127.0.0.1 port 3127
If the machine running Squid is already acting as a router/firewall
for your client machines, there is no other special configuration.
However if Squid is running on a separate machine, the router must be
configured to pass HTTP traffic to Squid. You can use a rule like this
on the router:
pass in quick from 10.77.3.5
pass in quick inet proto tcp to port 80 route-to 10.77.3.5
(this example assumes Squid is running on 10.77.3.5).
If the proxy server is running on the same subnet as the clients, the
return traffic from the proxy will go directly back to them without
ever hitting the firewall, which means the firewall states will never
get updated and cause problems. This can possibly be avoided by NATting
the relevant traffic, but on the whole it's simpler to place the proxy
on another network interface or vlan.
Maintainer
Stuart Henderson
Multi-packages
squid-6.12p0v0-krb5 squid-ldap-6.12v0