Markus Blog What's going on Internet?

10 Jun 07 (111 comments)

Installing Squid Cache for Windows


Most Linux users already know Squid as the best and most widely used proxy server. As described in my previous post, “Bandwidth Shaping Using Squid Cache and WIPFW”, I need a free proxy server for my Windows server. I found SquidNT, a port of the Linux version by Guido Serassio.

You can download SquidNT from Acme Consulting’s website or here. If you want to do bandwidth shaping, you must download the Delay Pool version of SquidNT. This installation guide uses the Delay Pool version because I want to do bandwidth shaping.

Step 1: Download the SquidNT Delay Pool version here

Step 2: Extract the zip file and put it on the C: drive

Step 3: Configure the squid.conf file in the etc folder (c:\squid\etc). There is a squid.conf.default file that you can rename to squid.conf and edit.

Step 4: Configure the DNS nameserver. In squid.conf, find:

# TAG: dns_nameservers
# Use this if you want to specify
# a list of DNS name servers (IP addresses)
# to use instead of those given in your
# /etc/resolv.conf file.
#
# Example: dns_nameservers 10.0.0.1 192.172.0.4
#
#Default:
# none
dns_nameservers 192.168.0.1

To find your nameserver, type ipconfig at the command prompt and look for the IP address in the Default Gateway field. Copy it into your squid.conf file as shown above.

Step 5: Set up the ACL

# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from
# where browsing should be allowed
#acl our_networks src 192.168.1.0/24 192.168.2.0/24
#http_access allow our_networks
acl our_networks src 192.168.0.0/16
http_access allow our_networks

Here you set which networks are allowed to use your proxy server. The ipconfig command shows your IP address; it usually has the form 192.168.0.x, so you can apply the configuration above. The /16 mask matches every 192.168.x.x address, which is wider than a single 192.168.0.x subnet.

Step 6: Set up the hostname

# TAG: visible_hostname
# If you want to present a special hostname ...
# then define this. Otherwise, the return ...
# will be used. If you have multiple caches ...
# get errors about IP-forwarding you must ...
# names with this setting.
#
#Default:
# none
visible_hostname localhost

Here you can define the hostname, for example “localhost” or “server.yourdomain.com”.

Step 7: Set up the cache directory

Run this command from the command prompt: c:\squid\sbin\squid -D -z

Step 8: On Windows XP/2000/2003 you can set up SquidNT as a service

Run this command from the command prompt: c:\squid\sbin\squid -i

You can start, stop or restart the service called Squid from: Control Panel > Administrative Tools > Services

Step 9: Set up your browser to use the proxy server

For Internet Explorer users, go to Tools > Internet Options, select the Connections tab and click LAN Settings.

In the pop-up window you’ll find the proxy box. Check “Use a proxy server for your LAN…”, enter your server’s IP (the machine where you installed SquidNT) in the address field and “3128” in the port field. 3128 is the default port for SquidNT.

Click OK to save the configuration. Now try to open a web page. If it loads, the configuration is set correctly.

Step 10: Set up the Delay Pool.

Since I want to do bandwidth shaping, I need to set up the Delay Pool. Here is the configuration:

#
#Default:
# delay_pools 0
delay_pools 1
delay_class 1 1

Then create delay_access:

# delay_access 2 allow lotsa_little_clients
# delay_access 2 deny all
#
#Default:
# none
delay_access 1 allow our_networks
delay_access 1 deny all

Now we set how much bandwidth to allocate. For example, you have a 384 Kbps ADSL connection, which means you can download at around 40KB/s. To cap the download rate at around 30KB/s, use this configuration:

#
#delay_parameters 2 32000/32000 8000/8000 600/8000
#
# There must be one delay_parameters line for each delay pool.
#
#Default:
# none
delay_parameters 1 30000/30000

Step 11: Restart the Squid service from: Control Panel > Administrative Tools > Services

Done! Now you have 30KB/s for browsing and another 10KB/s reserved for other internet connections like chatting or streaming radio :)
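Squid checks the http_access lines from Step 5 top to bottom and the first match decides, so where a rule sits matters as much as what it says. The Python below is an added example, not code from the original post or from Squid: it models only `src` ACLs, and the sample config, the `guests` ACL and all function names are constructed for illustration.

```python
import ipaddress

# Constructed sample: the guide's Step 5 rule ahead of the stock "deny all",
# plus a hypothetical "guests" rule added after it (it can never match).
SAMPLE_CONF = """
acl all src all
acl our_networks src 192.168.0.0/16
acl guests src 10.10.0.0/24          # hypothetical ACL, not from the post
http_access allow our_networks
http_access deny all
http_access allow guests
"""

ANYWHERE = ipaddress.ip_network("0.0.0.0/0")


def parse(conf):
    """Return (src_acls, rules); only 'acl NAME src ...' is modelled."""
    acls, rules = {}, []
    for raw in conf.splitlines():
        words = raw.split("#", 1)[0].split()
        if len(words) >= 4 and words[0] == "acl" and words[2] == "src":
            nets = acls.setdefault(words[1], [])  # repeated acl lines add values
            for value in words[3:]:
                nets.append(ANYWHERE if value == "all"
                            else ipaddress.ip_network(value, strict=False))
        elif len(words) >= 3 and words[0] == "http_access":
            rules.append((words[1], words[2:]))
    return acls, rules


def acl_matches(acls, name, ip):
    """Evaluate one ACL reference; a leading '!' negates it."""
    nets = acls[name.lstrip("!")]  # KeyError: ACL type this example does not model
    return any(ip in net for net in nets) != name.startswith("!")


def decide(conf, client):
    """Return (action, rule_number) for a client IP; the first match wins."""
    acls, rules = parse(conf)
    ip = ipaddress.ip_address(client)
    for number, (action, names) in enumerate(rules, 1):
        if all(acl_matches(acls, n, ip) for n in names):  # ACLs on a line are ANDed
            return action, number
    if not rules:
        return "deny", None  # no http_access lines at all: request is denied
    # Nothing matched: Squid applies the opposite of the last line's action.
    return ("deny" if rules[-1][0] == "allow" else "allow"), None


def unreachable_rules(conf):
    """Return the rule numbers that sit after an unconditional catch-all line."""
    acls, rules = parse(conf)
    dead, closed = [], False
    for number, (_action, names) in enumerate(rules, 1):
        if closed:
            dead.append(number)
        elif len(names) == 1 and ANYWHERE in acls.get(names[0], []):
            closed = True
    return dead


if __name__ == "__main__":
    for client in ("192.168.5.9", "10.10.0.7"):
        print(client, decide(SAMPLE_CONF, client))
    print("unreachable http_access lines:", unreachable_rules(SAMPLE_CONF))
```

Rule numbers count http_access lines in file order, so a number reported by `unreachable_rules` points at a line that has to move above the catch-all before it can take effect.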


Comments (111) Trackbacks (6)
  1. @dblog

    i think http://www.LiveConnector.com/chat/ is broken i can’t open it even without proxy, firefox says it’s an infinite loop url

    i haven’t tested running squid on the d: drive, but you can change the directory where squid NT stores its cache if i’m not mistaken

  2. Hi Markus,
    thanks for this manual, I have a problem with authentication.
    I installed squidnt 2.7 (5) on WINXP SP3, all works almost fine :). I use the ntlm authentication method for user and group.
    I have a Windows AD domain.
    In my local network I have some websites on Oracle, my users need access to this server. We use some application based on Oracle, Oracle server WEB and JAVA,
    I can see the first webpage where there is a link to start the application, but when I try to “click”, the next webpage is not opened and I see time limit etc. In access.log I find
    error: TCP_DENIED/407 etc. How to fix???

  3. check whether your application is using a specific port, you’ll need to add that port to the squid config.

    in c:\squid\etc\squid.conf locate "acl Safe_ports port 80"

    you’ll need to add your application’s port, for example if the port is 8120 then add: "acl Safe_ports port 8120"

    if the application connects through SSL then you must add "acl SSL_ports port 8120"

    another way is to let local network servers be accessed without the proxy: for Internet Explorer users, go to: Tools > Internet Options. Select Connection tab and click on LAN Settings, check “Bypass proxy server for local addresses”

  4. Hi Markus,
    Thanks for your reply but your instructions did not help me :(:(
    I am sending you logs from my squid and from the application:
    SQUID ACCESS LOG:
    1233327709.592 0 10.104.228.118 TCP_DENIED/407 1845 GET http://10.104.228.6/forms90/f90servlet? - NONE/- text/html
    1233327713.607 0 10.104.228.118 TCP_DENIED/407 1821 GET http://10.104.228.6/favicon.ico - NONE/- text/html
    1233327843.702 0 10.104.228.118 TCP_DENIED/407 1845 GET http://10.104.228.6/forms90/f90servlet? - NONE/- text/html

    APPLICATION JAVA LOG:
    Oracle JInitiator: Version 1.3.1.18
    Using JRE version 1.3.1.18-internal Java HotSpot(TM) Client VM
    User home directory = C:\Documents and Settings\user

    Proxy Configuration: Manual Configuration

    Proxy: 10.104.228.139:3128

    Proxy Overrides:

    JAR cache enabled
    Location: C:\Documents and Settings\user\Oracle Jar Cache
    Maximum size: 50 MB
    Compression level: 0

    java.io.IOException: Connection failure with 407
        at sun.plugin.protocol.jdk12.http.HttpURLConnection.getInputStream(Unknown Source)
        at oracle.jre.protocol.jar.HttpUtils.followRedirects(Unknown Source)
        at oracle.jre.protocol.jar.JarCache$CachedJarLoader.isUpToDate(Unknown Source)
        at oracle.jre.protocol.jar.JarCache$CachedJarLoader.loadFromCache(Unknown Source)
        at oracle.jre.protocol.jar.JarCache$CachedJarLoader.load(Unknown Source)
        at oracle.jre.protocol.jar.JarCache.get(Unknown Source)
        at oracle.jre.protocol.jar.CachedJarURLConnection.connect(Unknown Source)
        at oracle.jre.protocol.jar.CachedJarURLConnection.getJarFile(Unknown Source)
        at sun.misc.URLClassPath$JarLoader.getJarFile(Unknown Source)
        at sun.misc.URLClassPath$JarLoader.<init>(Unknown Source)
        at sun.misc.URLClassPath$2.run(Unknown Source)
        at java.security.AccessController.doPrivileged(Native Method)
        at sun.misc.URLClassPath.getLoader(Unknown Source)
        at sun.misc.URLClassPath.getLoader(Unknown Source)
        at sun.misc.URLClassPath.getResource(Unknown Source)
        at java.net.URLClassLoader$1.run(Unknown Source)
        at java.security.AccessController.doPrivileged(Native Method)
        at java.net.URLClassLoader.findClass(Unknown Source)
        at sun.applet.AppletClassLoader.findClass(Unknown Source)
        at sun.plugin.security.PluginClassLoader.findClass(Unknown Source)
        at java.lang.ClassLoader.loadClass(Unknown Source)
        at sun.applet.AppletClassLoader.loadClass(Unknown Source)
        at java.lang.ClassLoader.loadClass(Unknown Source)
        at sun.applet.AppletClassLoader.loadCode(Unknown Source)
        at sun.applet.AppletPanel.createApplet(Unknown Source)
        at sun.plugin.AppletViewer.createApplet(Unknown Source)
        at sun.applet.AppletPanel.runLoader(Unknown Source)
        at sun.applet.AppletPanel.run(Unknown Source)
        at java.lang.Thread.run(Unknown Source)

    WARNING: error reading http://10.104.228.6/forms90/java/f90all_jinit.jar from JAR cache.

    Downloading http://10.104.228.6/forms90/java/f90all_jinit.jar to JAR cache

    java.io.IOException: Connection failure with 407
        at sun.plugin.protocol.jdk12.http.HttpURLConnection.getInputStream(Unknown Source)

  5. what is your http_access’ ACL on your squid.conf?

    look for http_access variable on your squid.conf

    mine looks like this:

        # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
     
        # Example rule allowing access from your local networks.
        # Adapt to list your (internal) IP networks from
        # where browsing should be allowed
        #acl our_networks src 192.168.1.0/24 192.168.2.0/24
        #http_access allow our_networks
        acl our_networks src 192.168.0.0/16
        http_access allow our_networks
  6. auth_param ntlm program c:/squid/libexec/mswin_ntlm_auth.exe
    auth_param ntlm children 40
    external_acl_type win_domain_group ttl=120 %LOGIN C:/squid/libexec/mswin_check_lm_group.exe -G
    external_acl_type win_local_group ttl=120 %LOGIN C:/squid/libexec/mswin_check_lm_group.exe
    #Recommended minimum configuration:
    acl all src all
    acl manager proto cache_object
    acl localhost src 127.0.0.1/32
    acl to_localhost dst 127.0.0.0/8

    acl SSL_ports port 443
    acl Safe_ports port 80 # http
    acl Safe_ports port 21 # ftp
    acl Safe_ports port 443 # https
    acl Safe_ports port 70 # gopher
    acl Safe_ports port 210 # wais
    acl Safe_ports port 1025-65535 # unregistered ports
    acl Safe_ports port 280 # http-mgmt
    acl Safe_ports port 488 # gss-http
    acl Safe_ports port 591 # filemaker
    acl Safe_ports port 777 # multiling http
    acl purge method PURGE
    acl CONNECT method CONNECT

    #acl localnet proxy_auth REQUIRED src 10.104.228.0/255.255.255.0
    acl localnet proxy_auth src 10.104.228.0/255.255.255.0
    acl Internet_allow external win_domain_group Internet_allow
    acl Internet_deny external win_domain_group Internet_deny
    acl BADUrl url_regex -i "C:/squid/etc/block_url.acl"
    acl BADDomain dstdomain -i "C:/squid/etc/block_domain.acl"
    acl BADFiles urlpath_regex -i "C:/squid/etc/block_files.acl"
    acl killWebProxy urlpath_regex cgi-bin/nph-.*/
    acl killWebProxy urlpath_regex nph-proxy\.cgi
    acl killWebProxy urlpath_regex cgiproxy
    acl killWebProxy urlpath_regex argh/nph-pwn\.pl
    acl ipdomain url_regex ^[0-9\.:]*$
    acl OnetWP_allow dstdomain
    acl GOODIP dst -i "C:/squid/etc/allow_ip.acl"
    acl GOODDomain dstdomain -i "C:/squid/etc/allow_domain.acl"
    acl OperaAplet rep_mime_type -i ^application/x-jinit-applet*
    acl OperaBrowser browser forms90/*
    acl OperaSerwer urlpath_regex ^http://10.104.228.6/forms90/f90servlet?
    http_access allow manager localhost
    http_access allow OperaAplet
    http_access allow OperaBrowser
    http_access allow OperaSerwer
    http_access allow Internet_allow
    http_access deny manager
    http_access deny Internet_deny
    http_access deny !Safe_ports

  7. i didn’t use MSAD so i didn’t know how to configure squid with MSAD.

    but, my first guess is that the webserver/oracle/java application (either one or all of them) doesn’t have the permission to access the web proxy. 407 error means Proxy Authentication Required

    per mswin_ntlm_auth.txt on docs directory, stated:
    Users that are allowed to access the web proxy must have the Windows NT User Rights “logon from the network”.

    so i guess you must check:
    1. whether the application has the username and password for accessing the web proxy set correctly.
    2. whether the application has the user right “logon from the network”

    sorry, i can’t help much, but try that first.

  8. Heey,
    Great guide!!
    Any chance any of you guys installed a Reverse Proxy?
    Need some help on how to set up a reverse proxy on Squid.

    Cheers

  9. Hi Markus,
    I am also having some problems: when using IE, the Authentication Window does not appear.

    Squid.conf
    ==========
    auth_param ntlm program c:/squid/libexec/mswin_ntlm_auth.exe
    auth_param ntlm children 5
    auth_param ntlm keep_alive on
    authenticate_cache_garbage_interval 1 hour
    authenticate_ttl 1 hour
    authenticate_ip_ttl 3600 seconds
    external_acl_type win_domain_group ttl=120 %LOGIN C:/squid/libexec/mswin_check_lm_group.exe -G
    acl Internet_allow external win_domain_group "Web Surfer Group"
    acl manager proto cache_object
    acl localhost src 127.0.0.1/32
    acl to_localhost dst 127.0.0.0/8
    acl localnet src 193.143.63.0/24
    acl SSL_ports port 443
    acl Safe_ports port 80 # http
    acl Safe_ports port 21 # ftp
    acl Safe_ports port 443 # https
    acl Safe_ports port 70 # gopher
    acl Safe_ports port 210 # wais
    acl Safe_ports port 1025-65535 # unregistered ports
    acl Safe_ports port 280 # http-mgmt
    acl Safe_ports port 488 # gss-http
    acl Safe_ports port 591 # filemaker
    acl Safe_ports port 777 # multiling http
    acl CONNECT method CONNECT
    http_access allow localhost
    http_access deny all
    http_access allow Internet_allow
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports
    http_access allow localnet
    http_access deny all
    icp_access allow localnet
    icp_access deny all
    htcp_access allow localnet
    htcp_access deny all
    http_port 8080
    hierarchy_stoplist cgi-bin ?
    access_log c:/squid/var/logs/access.log squid
    refresh_pattern ^ftp: 1440 20% 10080
    refresh_pattern ^gopher: 1440 0% 1440
    refresh_pattern (cgi-bin|\?) 0 0% 0
    refresh_pattern . 0 20% 4320
    icp_port 3130
    coredump_dir c:/squid/var/cache

    Cache.log
    =========
    2009/02/25 18:58:56| setMaxFD: Cannot increase: setrlimit() not supported on this system
    2009/02/25 18:58:56| Starting Squid Cache version 3.0.STABLE11-RC1-BZR for i686-pc-mingw32...
    2009/02/25 18:58:56| Running on Windows XP
    2009/02/25 18:58:56| Process ID 2860
    2009/02/25 18:58:56| With 2048 file descriptors available
    2009/02/25 18:58:56| With 512 CRT stdio descriptors available
    2009/02/25 18:58:56| Windows sockets initialized
    2009/02/25 18:58:56| Performing DNS Tests...
    2009/02/25 18:58:56| Successful DNS name lookup tests...
    2009/02/25 18:58:56| DNS Socket created at 0.0.0.0, port 3402, FD 4
    2009/02/25 18:58:56| Adding nameserver 202.188.0.133 from Registry
    2009/02/25 18:58:56| Adding nameserver 202.188.1.5 from Registry
    2009/02/25 18:58:56| Adding nameserver 202.188.0.133 from Registry
    2009/02/25 18:58:56| Adding nameserver 202.188.1.5 from Registry
    2009/02/25 18:58:56| Adding nameserver 193.143.63.20 from Registry
    2009/02/25 18:58:56| Adding domain pta.com.my from Registry
    2009/02/25 18:58:56| helperStatefulOpenServers: Starting 5 'mswin_ntlm_auth.exe' processes
    2009/02/25 18:58:56| helperOpenServers: Starting 5 'mswin_check_lm_group.exe' processes
    2009/02/25 18:58:56| User-Agent logging is disabled.
    2009/02/25 18:58:56| Referer logging is disabled.
    2009/02/25 18:58:56| Unlinkd pipe opened on FD 47
    2009/02/25 18:58:56| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
    2009/02/25 18:58:56| Swap maxSize 102400 KB, estimated 7876 objects
    2009/02/25 18:58:56| Target number of buckets: 393
    2009/02/25 18:58:56| Using 8192 Store buckets
    2009/02/25 18:58:56| Max Mem size: 8192 KB
    2009/02/25 18:58:56| Max Swap size: 102400 KB
    2009/02/25 18:58:56| Version 1 of swap file with LFS support detected...
    2009/02/25 18:58:56| Rebuilding storage in c:/squid/var/cache (CLEAN)
    2009/02/25 18:58:56| Using Least Load store dir selection
    2009/02/25 18:58:56| Set Current Directory to c:/squid/var/cache
    2009/02/25 18:58:56| Loaded Icons.
    2009/02/25 18:58:56| Accepting HTTP connections at 0.0.0.0, port 8080, FD 53.
    2009/02/25 18:58:56| Accepting ICP messages at 0.0.0.0, port 3130, FD 54.
    2009/02/25 18:58:56| HTCP Disabled.
    2009/02/25 18:58:56| Ready to serve requests.
    2009/02/25 18:58:56| Done reading c:/squid/var/cache swaplog (146 entries)
    2009/02/25 18:58:56| Finished rebuilding storage from disk.
    2009/02/25 18:58:56| 146 Entries scanned
    2009/02/25 18:58:56| 0 Invalid entries.
    2009/02/25 18:58:56| 0 With invalid flags.
    2009/02/25 18:58:56| 146 Objects loaded.
    2009/02/25 18:58:56| 0 Objects expired.
    2009/02/25 18:58:56| 0 Objects cancelled.
    2009/02/25 18:58:56| 0 Duplicate URLs purged.
    2009/02/25 18:58:56| 0 Swapfile clashes avoided.
    2009/02/25 18:58:56| Took 0.06 seconds (2336.00 objects/sec).
    2009/02/25 18:58:56| Beginning Validation Procedure
    2009/02/25 18:58:56| Completed Validation Procedure
    2009/02/25 18:58:56| Validated 317 Entries
    2009/02/25 18:58:56| store_swap_size = 1128
    2009/02/25 18:58:57| storeLateRelease: released 0 objects

    IE Error
    ========
    ERROR
    The requested URL could not be retrieved

    ——————————————————————————–

    The following error was encountered while trying to retrieve the URL: http://api.mybrowserbar.com/cgi/errors.cgi?

    Access Denied.

    Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect.

    Your cache administrator is webmaster.

    ——————————————————————————–

    Generated Wed, 25 Feb 2009 11:00:23 GMT by (squid/3.0.STABLE11-RC1-BZR)

  10. That’s nice and all that but, why would you take a stellar Open Source program like Squid, and cripple it by running it on any kind of windoze system?

    I mean, come on guys, competent admins don’t tolerate windoze machines in their infrastructure!

  11. Thanks for the steps. I always admired SQUID but I did squid on windows only for fun. Like home use and really simple setup (no business-like setup). I am happy, I have squid at home really quick.

  12. @Sam, Squid for Windows is a port of the Linux version and fully works, although it is missing some functions, such as transparent proxy, because there is no open source/freeware driver to support them, but i found software that can supply this driver and squid transparent proxy runs well on Windows server.

  13. Hi.. I have a win2k3 server and would like to install squidnt on it. i followed your procedure but have some questions. I will connect the Squidnt server to a web acceleration appliance. the acceleration appliance and the squidnt are in a private subnet they are then connected to a router which has a public address and connection to the internet. Do i need to put the squid server directly on the internet or it can be on the private subnet as long as it can reach the internet?

    thanks

  14. what “web acceleration appliance” software do you use?

    as long as the host server can connect to the internet, squid should be able to connect too.

  15. great info… nice blog… keep up your benevolent work Markus… I would just like to ask a favor, perhaps you can send me a diagram of your topology, how your network looks like with squid… I have been trying to search for a simple, operational, and reliable network design with Squid proxy running.

    Thanks and cheers…

  16. Markus thanks for the tutorial.
    I still have a question

    I am planning to install squid on a server to serve our clinic’s workstations but the server “pumps” internet through the hospital’s central proxy server.
    Is there a way to configure it as “cascading proxy” ?

    Thank you and keep up

  17. i don’t really know on how to configure it, but Squid NT is a full fork of Squid Unix version (with some limitation such as it doesn’t have a driver to do transparent proxy. transparent in squid nt can be achieved using the help of 3rd party software see my post here: http://markus.revti.com/2009/01/squid-transparent-proxy-server-on-windows-server-2003/)

    AFAIK, squid can do multi tier of proxying meaning that the child proxy should connect to parent proxy to get to the internet. if you can find a howto on how to configure this on squid unix version, i’m sure you can apply the same configuration on squid nt.

  18. I’ve been trying to configure this on Server 2003 all morning, but I can’t get it to cache files. Each time I do it just spits out this error at me:

    FATAL: cache_dir c:/squid/var/cache: (2) no such file or directory

    Anyone know what to do?

  19. did you run:

    Step 7: Setup cache directory

    Run this command from command prompt: c:\squid\sbin\squid -D -z

  20. I created an acl to allow only some of the ip address access to the proxy server and deny all. But it is not working. still all clients in my network can connect. I denied localnet http_access.Please help.

