Adding a Caching Server to Boost Performance and Save Bandwidth

Our Golden Hill installation is starting to keep our DSL line too busy and until we get more bandwidth, we thought we could add a caching proxy server for web browsing requests.

A plea to the user group for an old laptop resulted in several offers, including one with a broken screen which I decided to use. This article describes roughly the steps I went through to get it going on the network.

Configuring the Laptop with Debian

The first step was to install Debian. I chose this because its package system makes it easy, plus Pebble is also a cut-down Debian and thus it shares the same file layout and commands.

There are many guides to installing Debian, so I'll just highlight some of the strangeness I found and some decisions I made.

  • Three partitions: one for the OS, one for swap space, and then another for the squid proxy cache. Since the cache is the busy part of the system, I wanted to keep it separate in case it got corrupted etc.
  • Because the laptop was using a Belkin PCMCIA network card that wasn't in the default distribution, this generated a little research and several installs. The end result was something like:
    • when prompted to install a 'net' device, choose 'dummy'. This will trigger the other network setup prompts. Alternatively you can hack the /etc/network/interfaces file directly if you prefer.
    • Immediately after booting the first time, use <alt><f2> to switch to another login. Log in as root; no password is required at this point.
    • follow these directions which amount to inserting the PCMCIA card info into /etc/pcmcia/config
    • edit /etc/network/interfaces and replace dummy0 with eth0. Issue the command ifdown dummy0
    • finally do a /etc/init.d/pcmcia restart
    • At this point, you should have a working network interface and be able to ping the outside world and be pinged by others. You can go back to the main console and continue with the rest of setup now that you have a working network connection.
  • There was still a problem with the network interface not coming up after reboot. A little googling found an answer which boiled down to removing the 'auto' line from /etc/network/interfaces, and installing the 'hotplug' package.
  • Don't choose any options from task select. It just installs a bunch of stuff you won't need. I used dselect instead to install squid and just squid (none of the html config stuff).

Once you have it all installed and running, you can try to use it from another machine. For my subnet, I first tested by putting the laptop on the subnet and then logging in via ssh and making sure it could access the internet and generally work as expected.

When you're satisfied it's working correctly, you're ready to configure squid.

Configuring Squid as a redirected transparent proxy server

Once you have the laptop running correctly, you're ready to get squid configured. We want to use squid as a 'transparent proxy'. This means that users won't have to do any configuration on their machines to use squid and benefit from the proxy. Equally, users won't be able to bypass the proxy, and hence we get the maximum benefit from the cache (more info, and HowTo).

The squid configuration file for Debian is found at /etc/squid.conf. The vast majority of the values can be left as is, at least until you start tuning squid. Here are some settings we changed from the defaults:

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

These few lines should get squid going enough to test. Issue the command /etc/init.d/squid restart to force it to re-read its settings (though maybe a SIGHUP would do the same thing more elegantly?).

Now squid should be working. You can test basic functionality by setting the proxy settings of your web browser to point directly to the squid proxy. If you issue the command tail -f /var/log/squid/access.log you should be able to see the pages you're visiting being logged. (Use Ctrl-C to break out of the tail.)

Next up is how to change the firewall / gateway settings to force users to use the proxy.

We did some minor tuning with these settings:

maximum_object_size 8192 kb

Transparent Squid Proxying with MikroTik

Once you have squid working, you can now start forcing traffic to use it. If you have a single gateway box, this is most likely the easiest place to do this. In our network we run MikroTik's RouterOS which is in turn based on Linux and supplies all the hooks necessary to do what's needed.

The basic idea is to redirect all outbound traffic on port 80 to the squid server. The devil is in the details!

More to come, but the basic idea follows:

  • Set up a rule for Destination Nat that sends all traffic on port 80 to the squid server, except traffic from the server itself, and, in our case where we have a captive portal, excepting traffic to the captive portal too (though maybe it works ok anyway?).

  • Make sure the squid server is exempt from captive portal signon. The tricky part is making it exempt but not a client that signs on through it (hence the exception above that exempts traffic to the captive portal destination).

  • The squid box must send all replies back to the gateway, not to the requesting machine directly - it's not expecting them! So in the squid box's file /etc/network/interfaces is the extra line:

    up "route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.1"
    

    which adds a static route to force all traffic on the squid's subnet (10.0.0.x) back to the gateway which will in turn route back to the correct host.
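As an added example that is not part of the original article, here is one way to express the steps above as RouterOS console commands. The gateway address 10.0.0.1 comes from the route line above; the squid box address 10.0.0.2, squid's listening port 3128 (its default), the LAN interface name ether2, and the captive portal answering on the gateway address are assumptions.

```routeros
# Added example, not from the original article. Assumed values: squid box
# 10.0.0.2 listening on 3128 (squid's default port), LAN interface "ether2",
# captive portal answering on the gateway address 10.0.0.1.
/ip firewall nat
# 1. Web requests originating from the squid box itself must not be redirected,
#    otherwise its own fetches would loop straight back into it.
add chain=dstnat action=accept protocol=tcp dst-port=80 src-address=10.0.0.2 comment="squid's own fetches bypass the redirect"
# 2. Requests for the captive portal stay untouched so clients can still reach
#    the signon page.
add chain=dstnat action=accept protocol=tcp dst-port=80 dst-address=10.0.0.1 comment="captive portal reachable without squid"
# 3. Everything else on port 80 that arrives from the LAN side goes to squid.
#    Matching on in-interface keeps the rule from ever applying to connections
#    that arrive on the WAN side.
add chain=dstnat action=dst-nat protocol=tcp dst-port=80 in-interface=ether2 to-addresses=10.0.0.2 to-ports=3128 comment="transparent squid redirect"
# 4. If the captive portal is RouterOS's own hotspot (assumption), exempt the
#    squid box, and only the squid box, from signon.
/ip hotspot ip-binding
add address=10.0.0.2 type=bypassed comment="squid box needs no hotspot signon"
```

Rule order matters: the two accept rules must sit above the dst-nat rule, and squid's own http_access ACLs should still limit clients to the local subnet so the box cannot be used as an open proxy.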