« NAS: Display Squid cachemgrThe Friday Picture: Craftmanship »
Sep 19

NAS: Create your own caching proxy

Synology, Hot Stuff Add comments

There you are, with that 1TB NAS and you surf mostly the same websites and in the process waste plenty of time waiting on downloads. So why not install your own Squid-proxy server on your NAS?

With the Synology and the pre-requisite of having ipkg installed - this takes no more than 10 minutes.

Update (2008-12-22): I have adjusted the Squid-configuration to block websites for unlisted IP-addresses. If you don't require this (and want your kids to download several gigs of You Tube-videos) then delete the lines acl nonblockedip, acl blocksites and http_access deny blocksites.

In my example, my NAS IP is 172.16.0.97 and my IP range on my LAN is 172.16.0.0 - adjust this accordingly below:

  1. Install squid: ipkg install squid

  2. Adjust Squid's config-file located in /opt/etc/squid/squid.conf:

    Code:

    		## SQUID CONFIG
    		cache_mgr Gerd@Naschenweng.info
    		 
    		## Those are the ports the proxy is going to listen to
    		http_port 172.16.0.97:3128
    		http_port 172.16.0.97:8080
    		 
    		#  TAG: visible_hostname
    		#  The host-name of the proxy-server. Can really be anything
    		visible_hostname MuffinStationProxy
    		 
    		# DISK CACHE OPTIONS
    		# -----------------------------------------------------------------------------
    		# Disk-cache options. Just adjust the cache-siz (in my case 20GB)
    		cache_replacement_policy lru
    		cache_dir ufs /opt/var/squid/cache/ 20000 16 256
    		minimum_object_size 0 KB
    		maximum_object_size 2097152 KB
    		maximum_object_size_in_memory 1024 KB
    		 
    		# MEMORY CACHE OPTIONS
    		# -----------------------------------------------------------------------------
    		#  TAG: cache_mem  (bytes)
    		cache_mem 8 MB
    		memory_replacement_policy lru
    		 
    		# ACCESS CONTROLS
    		# -----------------------------------------------------------------------------
    		acl all src 0.0.0.0/0.0.0.0
    		acl manager proto cache_object
    		acl localhost src 127.0.0.1/255.255.255.255
    		acl our_networks src 172.16.0.0/24 172.16.1.0/24
    		acl to_localhost dst 127.0.0.0/8
    		acl nonblockedip src 172.16.0.3 172.16.0.5
    		 
    		# childblocks
    		acl blocksites dstdomain "/opt/etc/squid/restricted-sites.squid"
    		 
    		#Block childblocked sites                                                                                              
    		http_access deny blocksites !nonblockedip all
    		 
    		 
    		http_access allow manager localhost
    		http_access allow manager our_networks
    		http_access deny manager
    		 
    		# Allow all clients from my network
    		http_access allow our_networks
    		 
    		# And finally deny all other access to this proxy
    		http_access deny all
    		 
    		#Allow ICP queries from everyone
    		icp_access allow all
    		 
    		# LOG-FILES
    		# -----------------------------------------------------------------------------
    		access_log /opt/var/squid/logs/access.log squid
    		 
    		#cache_log none
    		#cache_log /opt/var/squid/logs/cache.log
    		 
    		#cache_access_log none
    		#cache_access_log /opt/var/squid/logs/access.log
    		 
    		#cache_store_log none
    		#cache_store_log /opt/var/squid/logs/store.log
    		 
    		 
    		# OPTIONS FOR TUNING THE CACHE
    		# -----------------------------------------------------------------------------
    		 
    		#  TAG: cache
    		#  A list of ACL elements which, if matched, cause the request to
    		#  not be satisfied from the cache and the reply to not be cached.
    		#  In other words, use this to force certain objects to never be cached.
    		#
    		#  You must use the word 'DENY' to indicate the ACL names which should
    		#  NOT be cached.
    		#
    		#  Default is to allow all to be cached
    		 
    		#We recommend you to use the following two lines.
    		acl QUERY urlpath_regex cgi-bin \?
    		cache deny QUERY
    		refresh_pattern ^ftp:    1440  20%  10080
    		refresh_pattern ^gopher:  1440  0%  1440
    		refresh_pattern .           0  20%  4320
    		refresh_pattern \.gif 1440 50% 40320 reload-into-ims
    		refresh_pattern \.jpg 1440 50% 40320 reload-into-ims
    		refresh_pattern \.tif 4320 50% 43200
    		refresh_pattern \.png 1440 50% 40320 reload-into-ims
    		refresh_pattern \.jpeg 1440 50% 40320 reload-into-ims
    		refresh_pattern ^http://*.google.*/.* 720 100% 4320
    		 
    		# refresh patterns to enable caching of MS windows update
    		refresh_pattern windowsupdate\.microsoft\.com/.*\.(cab|exe|psf) 4320 100% 120960 reload-into-ims
    		refresh_pattern update\.microsoft\.com/.*\.(cab|exe|psf) 4320 100% 120960 reload-into-ims
    		refresh_pattern office\.microsoft\.com/.*\.(cab|exe|psf) 4320 100% 120960
    		refresh_pattern windowsupdate\.com/.*\.(cab|exe|psf) 4320 100% 120960 reload-into-ims
    		refresh_pattern download\.microsoft\.com/.*\.(cab|exe|psf) 4320 100% 120960 reload-into-ims
    		refresh_pattern microsoft\.com 4320 100% 10080
    		 
    		 
    		pipeline_prefetch on
    		# Apache mod_gzip and mod_deflate known to be broken so don't trust
    		# Apache to signal ETag correctly on such responses
    		acl apache rep_header Server ^Apache
    		broken_vary_encoding allow apache
    		 
    		# Leave coredumps in the first cache dir
    		coredump_dir /opt/var/squid/cache
    		 
    		# Disable cachemgr password
    		cachemgr_passwd none all

  3. Take note from my above config, that I chose a cache-size of 20(!) GB (cache_dir).
  4. Validate your Squid configuration with squid -k parse
  5. Create the Squid cache-directories with squid -z
  6. Start Squid manually to check for errors: squid -NCd1
  7. Create a symbolic link so that Squid starts automatically: ln -s /opt/etc/init.d/S80squid /usr/syno/etc/rc.d/
  8. Once you restart the NAS, Squid should be started automatically (log files are in /opt/var/squid/logs)

Dummy error: Happened to me - if Squid starts and you don't notice any improvements in browsing speed, make sure that you have your browser's proxy settings adjusted :oops:

IMPORTANT: As I have the caching server within a DMZ/Firewall, security-concerns are secondary. All users having access to the LAN and fall within the IP-range will automatically have access to the caching-proxy. The implementation of Squid was for improving the browsing/web-experience (speed has improved by almost 200% and average bandwidth consumption dropped by 30%).

Follow up:


If you get everything running, you should familiarise yourself with the statuses in Squid's access-log:

  • TCP_HIT: A valid copy of the requested object was in the cache.
  • TCP_MEM_HIT: A valid copy of the requested object was in the cache, AND it was in memory so it did not have to be read from disk.
  • TCP_NEGATIVE_HIT: The request was for a negatively-cached object. Negative-caching refers to caching certain types of errors, such as "404 Not Found." The amount of time these errors are cached is controlled with the negative_ttl configuration parameter.
  • TCP_MISS: The requested object was not in the cache.
  • TCP_REFRESH_HIT: The object was in the cache, but STALE. An If-Modified-Since request was made and a "304 Not Modified" reply was received.
  • TCP_REF_FAIL_HIT: The object was in the cache, but STALE. The request to validate the object failed, so the old (stale) object was returned.
  • TCP_REFRESH_MISS: The object was in the cache, but STALE. An If-Modified-Since request was made and the reply contained new content.
  • TCP_CLIENT_REFRESH: The client issued a request with the "no-cache" pragma.
  • TCP_IMS_HIT: The client issued an If-Modified-Since request and the object was in thecache and still fresh.

Tags: nas, synology

11 comments

  1. § Diseño web tarragona Email said on : 11/12/08 @ 05:36
    This error in my NAS:
    squid -k parse
    2008/12/11 03:36:00| WARNING: '0.0.0.0/0.0.0.0' is a subnetwork of '0.0.0.0/0.0.0.0'
    2008/12/11 03:36:00| WARNING: because of this '0.0.0.0/0.0.0.0' is ignored to keep splay tree searching predictable
    2008/12/11 03:36:00| WARNING: You should probably remove '0.0.0.0/0.0.0.0' from the ACL named 'all'
    2008/12/11 03:36:00| WARNING: '127.0.0.1' is a subnetwork of '127.0.0.1'
    2008/12/11 03:36:00| WARNING: because of this '127.0.0.1' is ignored to keep splay tree searching predictable
    2008/12/11 03:36:00| WARNING: You should probably remove '127.0.0.1' from the ACL named 'localhost'
    2008/12/11 03:36:00| WARNING: '127.0.0.0/255.0.0.0' is a subnetwork of '127.0.0.0/255.0.0.0'
    2008/12/11 03:36:00| WARNING: because of this '127.0.0.0/255.0.0.0' is ignored to keep splay tree searching predictable
    2008/12/11 03:36:00| WARNING: You should probably remove '127.0.0.0/255.0.0.0' from the ACL named 'to_localhost'

    PLease helpme
  2. § gnaschenweng® Email said on : 11/12/08 @ 07:28
    can you post your squid.conf as well as what version of squid you are running? Is this on a Synology via ipkg or another means?
  3. § Bougedela Email said on : 30/12/08 @ 00:39
    bit of a silly question no doubt... Using squid on my cs 407 will i be able to log in from work and use it to access my webmail (which the work network blocks)??
    Cheers
    P
  4. § gnaschenweng® Email said on : 30/12/08 @ 08:09
    You could potentially do this, however be careful - the Squid proxy's intention is to proxy/improve bandwidth utilization on your LAN. I would be very reluctant to open your proxy up to the internet (which you would have to do in your case). I have never attempted this, but would be greatly concerned about the security concerns.
  5. § fc Email said on : 06/01/09 @ 22:00
    for example:

    acl myschool src [wanip]/32
    http_access allow myschool

    Is this secure...?
  6. § steve Email said on : 02/03/09 @ 07:40
    Hi - I want to install squid on my DS209+ NAS from Synology - was wondering where I can find the latest package file - hopefully for SQUID 2.7 ?
  7. § gnaschenweng® Email said on : 02/03/09 @ 07:47
    I used IPKG - as far as I can remember this still came with Squid 2.6, but does it's job.
  8. § Mikado Email said on : 21/06/09 @ 20:06
    Thanks for the tutorial - after noticing that i have to change the .conf with my ip range (ups :-) it works perfectly out of the box.

    Additionally i added AddZap (http://librenix.com/?inode=4483).

    On my DS 207.128 : PERFECT.




  9. § stever Email said on : 26/08/09 @ 06:44
    Tried to install on a DS209 and got this message:
    FATAL: comm_select_init: epoll_create(): (38) Function not implemented

    I thought the latest optware version had been compiled w/o epoll
  10. § Fungo Email said on : 09/12/09 @ 00:06
    Hi,
    I want to create a transparent proxy with squid and netgear router.
    Tried some configuration but nothing works !
    Any ideas ?
    Thankyou

    Regards
  11. § Paul Email said on : 10/02/10 @ 02:12
    I got the same error as stever, can anyone help please? I'm running a ds210j.
    Thanks

Leave a comment


Your email address will not be revealed on this site.

Your URL will be displayed.
(Line breaks become <br />)
(Name, email & website)
(Allow users to contact you through a message form (your email will not be revealed.)
Contact. ©2010 by Gerd Naschenweng. blogging tool / UK hosting / fp.
Entries RSS Comments RSS Log in server monitor
Amatomu beacon