Squid Questions
-
Hi Folks,
I've bought an embedded system running pfsense 1.2.3 embedded which runs on the fantastic ALIX 2d3 board. It has a 4GB Compact Flash chip.
I have a few questions:
- Is it safe for the compact flash to run squid and squidguard on this system?
- I don't really need caching, so can I turn this off?
- is it generally safer to use a proxy server in a business environment, rather than allow direct port 80 and 443 access?
- Can the pfsense version of squidguard support user auth, where different users are given different levels of access?
- Will the 500Mhz ALIX board cope with this?
Thanks
-
- Is it safe for the compact flash to run squid and squidguard on this system?
- I don't really need caching, so can I turn this off?
I would not expect a CF to live long unless you turn off caching.
- is it generally safer to use a proxy server in a business environment, rather than allow direct port 80 and 443 access?
This will totally depend on your configuration, but I don't suppose it would be any less safe, and potentially more secure, as you can control content better.
- Will the 500Mhz ALIX board cope with this?
I run squid with caching, but not squidguard, on a 500MHz Geode and it runs great. Of course, other factors will increase your cpu usage, such as captive portal, throughput, vpn, traffic shaping, firewall rules, etc. I use traffic shaping, squid and freeswitch on a 5.5/0.7 pppoe connection and my CPU usage averages around 10% under light load, and 22% with torrents hogging both pipes.
-
- Can the pfsense version of squidguard support user auth, where different users are given different levels of access?
Yes. The squid installed via the package system in pfSense is a full blown install and should be capable of anything that a stand alone squid install will do. That said, a huge subset of the features and config flags are not written into the GUI and will require manual editing of the squid.inc file. If you're comfortable doing this, you can make it do whatever you want.
-
Thanks folks.
To turn off cacheing, do I just set the Dish Cache size to 0? Then that will be safe for the CF?
-
This will totally depend on your configuration, but I don't suppose it would be any less safe, and potentially more secure, as you can control content better.
Can you please tell me where it woudn't be safe? At the minute, the firewall is in default mode, except I've enabled traffic shaping, setup OpenVPN and installed/enabled squid. I havn't blocked ports 80 and 443 yet, as I just want to test that the users are happy with the proxy
-
run this
sed 's:^cache_dir\(.*\):cache_dir null \/tmp:g' /usr/local/pkg/squid.inc > squid.inc.tmp && mv squid.inc.tmp /usr/local/pkg/squid.inc
-
I get an error saying read-only filesystem :S
Any ideas?
THis is confusing, as I can edit my squid config in the web gui…
-
Any ideas on this?
I can't seem to write to any of the config files. It just says Read Only Filesystem
-
Ok folks,
I got the above command to work. I had to run it from the webGUI and not the shell.
Can someone pelase explain to me how to web gui can edit the squid.inc file when / is mount as read only?
Thanks
-
Either use the Diagnostics/Edit File command from the web GUI and load /usr/local/pkg/squid.inc or use something like WinSCP via SSH or Putty to get the job done. There are several options to manually edit the file.
-
What is the best way to improve the performance of my pfsense box while running squid? I don't need caching, I just need squid for network security (I intend to install SquidGuard).
The box I'm using is a wee ALIX 2D3 (500Mhz AMD Geode 256MB RAM), and VOIP packets are to go through this box (hence why I need the best performance possible)
Thanks
-
Are you seeing substantially degraded performance as compared with your non-proxied traffic? Squid tends to run at near full speed for most people without much (any) tinkering.
-
Now that you remind me, I had issues with my speed dropping out until I implemented this fix:
http://forum.pfsense.org/index.php/topic,7186.msg59302.html#lastPost