appa-net/zet.home.arpa/squid/README.md
Kenji M 7c4c786e7b zet.home.arpa: document all services and SSL/nginx setup
- Server overview (README.md) with services, storage, and network summary
- Storage layout with disk/fstab/mount details (storage.md)
- Service docs: Samba, NFS, Squid, Pi-hole (with DHCP/split-DNS notes)
- Let's Encrypt cert via acme.sh + GoDaddy DNS-01 (ssl/)
- nginx SSL reverse proxy config and virtual host guide (nginx/)
- Pi-hole moved to port 8081; split DNS overrides documented for both
  Pi-hole and pfSense Unbound to avoid hairpin NAT issues

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-19 14:37:04 +00:00


# Squid Web Proxy — zet.home.arpa
Caching web proxy with content filtering for children's devices on the LAN.
## Overview
| Field | Value |
|-------|-------|
| **Package** | `squid` (Ubuntu) |
| **Version** | Squid 6.14 |
| **Config** | `/etc/squid/squid.conf` |
| **Port** | 3128/tcp |
| **Cache directory** | `/var/spool/squid` (2 GB, UFS) |
| **Access log** | `/var/log/squid/access.log` |
## How It Works
Squid runs as a standard forward proxy. pfSense intercepts HTTP traffic from children's device IPs and redirects port 80 to `172.27.0.35:3128` via NAT port-forward (see [../PROXY-SETUP.md](../PROXY-SETUP.md) for pfSense setup).
```
Child device → pfSense NAT (port 80 → 172.27.0.35:3128) → Squid → Internet
```
## Configuration (`/etc/squid/squid.conf`)
```
http_port 3128
# ACLs
acl children src "/etc/squid/children.txt"
acl blocked_sites dstdomain "/etc/squid/blocked_sites.txt"
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl CONNECT method CONNECT
acl allowed_hosts src 172.27.0.0/24
# Access rules
http_access deny blocked_sites children
http_access deny !Safe_ports
http_access allow allowed_hosts
# Cache
cache_dir ufs /var/spool/squid 2048 16 256
cache_mem 512 MB
maximum_object_size_in_memory 1 MB
maximum_object_size 128 MB
minimum_object_size 0 KB
# Refresh patterns
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$ 10080 90% 43200
refresh_pattern -i \.(css|js)$ 1440 90% 10080
refresh_pattern . 0 20% 4320
pipeline_prefetch 1
collapsed_forwarding on
```
## ACL Files
### `/etc/squid/children.txt` — devices subject to content filtering
Contains one IP per line for children's devices on the `172.27.0.0/24` network.
### `/etc/squid/blocked_sites.txt` — blocked domains
Domains blocked for children (partial list):
```
.facebook.com / .fb.com / .instagram.com / .snapchat.com / .tiktok.com
.x.com / .twitter.com / .reddit.com / .redditmedia.com / .redditstatic.com
.pinterest.com / .youtube.com / .youtu.be / .googlevideo.com
.twitch.tv / .vimeo.com / .dailymotion.com
.netflix.com / .hulu.com / .disneyplus.com
```
## Service Management
```bash
sudo systemctl status squid
sudo systemctl restart squid
sudo systemctl reload squid # reload config without dropping connections
sudo squid -k parse # validate squid.conf syntax
# Watch live traffic
sudo tail -f /var/log/squid/access.log
# Check cache stats
sudo squidclient -h 127.0.0.1 mgr:info
```
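As an added example (not part of this README or the zet.home.arpa repo), the script below checks that the filter actually did its job: it parses Squid's native `access.log` format, applies `dstdomain` matching to the entries of `blocked_sites.txt`, and flags any request from a `children.txt` device to a blocked domain that was not answered with `TCP_DENIED`. The log lines and ACL contents embedded in it are constructed; on the server you would read the three files named above.

```python
"""Audit Squid's access.log against children.txt and blocked_sites.txt.
Added example for this README, not code from the zet.home.arpa repo: it replays
Squid native-format log lines and reports any request from a filtered device to a
blocked domain that was NOT answered with TCP_DENIED. All sample data is constructed."""
from collections import Counter
from urllib.parse import urlsplit
SAMPLE_CHILDREN = "172.27.0.50\n"                                # constructed children.txt
SAMPLE_BLOCKED = ".facebook.com\n.tiktok.com\n.youtube.com\n"    # constructed subset of blocked_sites.txt
SAMPLE_LOG = """\
1718800000.101    0 172.27.0.50 TCP_DENIED/403 3632 GET http://www.facebook.com/ - HIER_NONE/- text/html
1718800001.205   83 172.27.0.50 TCP_MISS/200 5120 GET http://example.org/page - HIER_DIRECT/203.0.113.10 text/html
1718800002.310   41 172.27.0.50 TCP_MISS/200 2048 GET http://video.tiktok.com/x.mp4 - HIER_DIRECT/203.0.113.20 video/mp4
1718800003.400   12 172.27.0.20 TCP_MISS/200 4096 GET http://www.youtube.com/ - HIER_DIRECT/203.0.113.30 text/html
"""  # constructed; line 3 is a deliberate filter miss, line 4 comes from a non-child device

def load_list(text):
    """Squid ACL file: one entry per line, blank lines and '#' comments ignored."""
    return [ln.strip() for ln in text.splitlines() if ln.strip() and not ln.lstrip().startswith("#")]

def dstdomain_match(host, entry):
    """dstdomain semantics: '.example.com' matches example.com and every subdomain;
    an entry without a leading dot matches that exact hostname only."""
    host, entry = host.lower().rstrip("."), entry.lower()
    if entry.startswith("."):
        return host == entry[1:] or host.endswith(entry)
    return host == entry

def parse_native(line):
    """Native log fields: time elapsed client action/status size method url ident hier type."""
    f = line.split()
    if len(f) < 7:
        return None
    url = f[6]
    # CONNECT requests log "host:port" with no scheme; everything else is a full URL
    host = urlsplit(url).hostname if "://" in url else url.rsplit(":", 1)[0]
    return {"client": f[2], "action": f[3].partition("/")[0], "host": (host or "").lower()}

def audit(log_text, children_text, blocked_text):
    """Return (misses, denied_per_client): misses are blocked-domain requests from a
    filtered device that Squid did not deny; denied_per_client counts the ones it did."""
    children, blocked = set(load_list(children_text)), load_list(blocked_text)
    misses, denied = [], Counter()
    for line in log_text.splitlines():
        rec = parse_native(line)
        if rec and rec["client"] in children and any(dstdomain_match(rec["host"], b) for b in blocked):
            if rec["action"] == "TCP_DENIED":
                denied[rec["client"]] += 1
            else:
                misses.append((rec["client"], rec["host"], rec["action"]))
    return misses, denied
```

A non-empty `misses` list usually means the device was not yet in `children.txt` when the request happened or the domain entry lacks its leading dot; note that only port-80 traffic ever reaches this log.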
## Adding/Removing Children's IPs
Edit `/etc/squid/children.txt` — one IP per line, then reload:
```bash
sudo nano /etc/squid/children.txt
sudo systemctl reload squid
```
## Limitations
- Only intercepts plain **HTTP (port 80)**. HTTPS (port 443) is not filtered, so a client that requests `https://` directly (as browsers do for sites with HSTS) never passes through Squid at all.
- Filtering HTTPS would require SSL Bump (TLS interception) with a custom CA installed on every client device, which is significantly more complex.
- See [../PROXY-SETUP.md](../PROXY-SETUP.md) for pfSense NAT configuration.
## Migration Notes
To move Squid to a new server:
1. Install: `sudo apt install squid`
2. Copy `/etc/squid/squid.conf`, `children.txt`, `blocked_sites.txt`
3. Initialize cache: `sudo squid -z`
4. Start: `sudo systemctl enable --now squid`
5. Update pfSense NAT rule redirect target to the new server IP