

# Build Squid from source under /usr/local/squid with WCCPv2, SSL (ssl-bump),
# the ssl_crtd certificate generator and Linux netfilter interception enabled.
# NOTE(review): the command starts with "/configure" (the leading "." of
# "./configure" appears to be lost) and the option list is wrapped mid-word
# across lines with no continuation; rejoin it into one command before use.
/configure --prefix=/usr/local/squid --enable-wccpv2 --enable-ssl --enable-delay-pools --enable-

snmp --enable-err-language=Traditional_Chinese --enable-gnuregex --enable-cache-digests --
enable-async-io=40 --enable-poll --enable-kill-parent-hack --disable-ident-lookups --enable-removal-
policies='lru heap' --enable-storeio='ufs aufs diskd' --enable-auth --enable-basic-auth-helpers=LDAP
--enable-ntlm-auth-helpers=SMB --enable-useragent-log --enable-referer-log --enable-linux-netfilter -
-enable-ssl-crtd --with-default-user=squid

make all

make install

# Unprivileged account the proxy runs as (matches --with-default-user=squid).
# A system account without a login shell is sufficient for a daemon,
# e.g. `useradd -r -s /sbin/nologin squid`.
useradd squid

# The log directory must be writable by that account.
chown -R squid:squid /usr/local/squid/var/logs

# -z creates the missing cache (swap) directories and exits; run once before first start.
/usr/local/squid/sbin/squid -z

# Create the signing CA that ssl-bump uses to mint a certificate for every
# intercepted HTTPS host. Every client behind the proxy has to trust this CA,
# so its private key is the most sensitive file in this setup.
cd /usr/local/squid

mkdir ssl_cert

cd ssl_cert

# NOTE(review): the command is incomplete as shown: "-out" has no file name.
# The https_port line in squid.conf gives only cert=.../proxyCA.pem, so key and
# certificate are presumably meant to share proxyCA.pem (confirm).
# - rsa:1024 is below the 2048-bit minimum in current guidance, and modern TLS
#   clients may reject certificates chained to it; use rsa:2048 or larger.
# - -nodes writes the private key unencrypted; restrict the file to the squid
#   account (owner-only read, e.g. chmod 600) and keep it out of backups that
#   others can read.
# - -days 36500 makes the CA valid for roughly 100 years; plan how it will be
#   rotated and removed from client trust stores.
openssl req -new -newkey rsa:1024 -days 36500 -nodes -x509 -keyout proxyCA.pem -out

# Enable IPv4 forwarding so the host can pass the redirected traffic.
# NOTE(review): as written the next line only prints text and does not change
# the setting; the intended command is presumably
# `echo 1 > /proc/sys/net/ipv4/ip_forward` (confirm).
echo "1" into /proc/sys/net/ipv4/ip_forward

mkdir /usr/local/squid/var/lib

# -c initialises the on-disk certificate database at the -s path, with -M as
# its size limit; ssl_crtd stores the per-host certificates it generates there.
/usr/local/squid/libexec/ssl_crtd -c -s /usr/local/squid/var/lib/ssl_db -M 400MB

# The database must be writable by the account the Squid helpers run as.
chown -R squid:squid /usr/local/squid/var/lib/ssl_db/

# in squid.conf - ACL
# These ACLs match on request headers. For HTTPS traffic the headers are only
# visible to Squid because the ssl_bump rules decrypt the connection.

# Requests whose Content-Type matches multipart/form-data (case-insensitive).
# This covers every multipart form post, not only file uploads.
acl fileupload req_mime_type -i multipart/form-data

# Requests whose Content-Disposition header matches "attachment".
acl mailupload req_header Content-Disposition -i attachment
# Requests sent as application/octet-stream; the match is not specific to Dropbox.
acl dropbox_webupload req_mime_type -i application/octet-stream

# Destination domains read from an external file; used by sslproxy_cert_error.
acl ssl_broken_sites dstdomain "/usr/local/squid/etc/sslbrokensites"

# NOTE(review): only deny rules are shown. When no http_access rule matches,
# Squid applies the opposite of the last rule, so with "deny" last every other
# request is allowed from any client. Confirm the full squid.conf defines a
# source-network ACL, allows only that, and ends with "http_access deny all".
http_access deny fileupload

http_access deny dropbox_webupload

http_access deny mailupload

# Regular forward-proxy port (no intercept flag) for explicitly configured clients.
http_port 8128

# Intercepted HTTPS arrives on 3127; ssl-bump terminates TLS and presents a
# per-host certificate signed by the CA in proxyCA.pem.
# NOTE(review): this directive is split over two lines in the source; https_port
# and all of its options belong on a single line in squid.conf.
https_port 3127 intercept ssl-bump generate-host-certificates=on

dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/ssl_cert/proxyCA.pem

# Intercepted plain HTTP. The intercept ports are meant to receive only
# NAT-redirected traffic; block direct client connections to them in the firewall.
http_port 3128 intercept

# NOTE(review): DONT_VERIFY_PEER makes Squid accept origin-server certificates
# that fail verification. Clients only ever see the proxy-signed certificate, so
# an invalid or forged origin certificate is hidden from them. The flag also
# appears to make the sslproxy_cert_error rules and sslproxy_cafile below
# redundant; prefer removing it and listing exceptions in ssl_broken_sites.
sslproxy_flags DONT_VERIFY_PEER
# Tolerate certificate errors only for the listed domains; reject all others.
sslproxy_cert_error allow ssl_broken_sites
sslproxy_cert_error deny all
# Do not bump connections matching the "localhost" ACL (not defined in this
# excerpt); bump everything else, contacting the origin server first.
# "all" decrypts every HTTPS site; sites that must stay end-to-end encrypted
# need their own "ssl_bump none" rule ahead of it.
ssl_bump none localhost
ssl_bump server-first all

# Helper that generates the per-host certificates and caches them in ssl_db.
sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /usr/local/squid/var/lib/ssl_db -M 400MB

sslcrtd_children 25
# CA bundle for verifying origin servers (only effective when verification is on).
sslproxy_cafile /etc/pki/tls/certs/ca-bundle.crt

# WCCP: the router redirects matching client traffic to this proxy.
# NOTE(review): wccp_version belongs to the WCCPv1 directives, while everything
# below configures WCCPv2; confirm it is needed. No wccp2_router line is visible
# in this excerpt; it is presumably set elsewhere in the full file.
# NOTE(review): no WCCP password is configured here or on the router, so the
# service group is unauthenticated; consider password= on the wccp2_service
# lines with the matching `ip wccp 70 password` setting on the router.
wccp_version 4
# Method 1 is GRE for both forwarding and return, matching the wccp0 GRE tunnel
# created in the rc.local script.
wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_assignment_method hash

# Standard service 0 plus dynamic service 70, which is defined on the next line
# as TCP ports 443 and 80 hashed on destination IP.
wccp2_service standard 0
wccp2_service dynamic 70
wccp2_service_info 70 protocol=tcp flags=dst_ip_hash priority=240 ports=443,80
# Always fetch from the origin server directly, never through a cache peer.
always_direct allow all

# Logging. With ssl-bump active the access log can contain full URLs of
# decrypted HTTPS requests, so restrict read access to these files.
access_log stdio:/usr/local/squid/var/logs/access.log
cache_log /usr/local/squid/var/logs/cache.log
# Number of rotated log generations to keep.
logfile_rotate 60
# Alternative, more verbose debug level (left disabled):
#debug_options ALL,2 ## for debug http traffic

debug_options ALL,1
# NOTE(review): no url_rewrite_program is visible in this excerpt; this setting
# only matters if one is configured elsewhere.
url_rewrite_children 20

## Squid 3.3+ needs the following line to handle intercepted HTTPS.

## If you do not set it, you will see a redirect-loop error in the browser.
request_header_access Via deny all

## squid.conf END

# Save following script to /etc/rc.local
# Boot-time setup: create the GRE tunnel for WCCP, redirect tunnelled traffic
# into Squid's intercept ports with NAT rules, then start Squid.

# SIGKILL gives Squid no chance to shut down cleanly; `squid -k shutdown` is
# the graceful form.
killall -9 squid

/sbin/modprobe ip_gre
# NOTE(review): the addresses after "remote" and "local" are missing in the
# source; supply <ROUTER_IP> and <PROXY_IP> for this site.
/sbin/iptunnel add wccp0 mode gre remote local dev eth0
/sbin/ifconfig wccp0 up
# NOTE(review): both rules are truncated (no port after to-ports), and the
# double hyphens of --dport / --to-ports were converted to em dashes, which
# iptables rejects. Presumably port 80 is redirected to 3128 and port 443 to
# 3127, the intercept ports in squid.conf (confirm).
/sbin/iptables -t nat -A PREROUTING -i wccp0 -p tcp -m tcp —dport 80 -j REDIRECT —to-ports
/sbin/iptables -t nat -A PREROUTING -i wccp0 -p tcp -m tcp —dport 443 -j REDIRECT —to-ports
# Raise the open-file limit for the Squid process started from this shell.
ulimit -n 10240
/usr/local/squid/sbin/squid &
# My router is Cisco 2811
# Router side: enable WCCP service group 70, limited to traffic matching the
# extended ACL "wccp", and redirect packets leaving interface f0/0.
# NOTE(review): the service group has no password; `ip wccp 70 password` with a
# matching Squid setting restricts which hosts can register as cache engines.

conf t
ip wccp 70 redirect-list wccp
int f0/0

ip wccp 70 redirect out

# NOTE(review): "permit tcp any" is incomplete in the source (destination and
# ports are missing). Scope the permit to the client networks and the ports
# served by service 70 (80 and 443), and make sure the proxy's own address is
# not redirected back to itself.
ip access-list extended wccp
permit tcp any

deny tcp any any


# Router debug
# Show the state of WCCP service group 70; "detail" adds per-cache-engine information.
sh ip wccp 70
show ip wccp 70 detail

# linux server debug

# Watch redirected packets arriving on the GRE tunnel interface.
tcpdump -i wccp0
# Follow Squid's diagnostic log and its request log.
tail -f /usr/local/squid/var/logs/cache.log
tail -f /usr/local/squid/var/logs/access.log

# List the NAT table with packet counters to confirm the REDIRECT rules are hit.
iptables -nvL -t nat