Friday, April 26, 2013

Upgrade Squid Proxy Server, 3.1.22 to 3.3.3

mikrotik router and squid proxy server

A few days ago, suddenly, my squid proxy server (squid version 3.1.22 as transparent proxy) does not work or hangs. Weird... I've checked everything, but no luck. These are I have done,
1. check with command, ps ax | grep squid, ... ok.
2. check in /var/log/error.log, error, running well.
3. check on the firewall, shorewall, normal.
4. check router mikrotik, good.

5. check directly to the browser by entering the IP address of squid proxy server in option browser, error
6. check in /var/log/squid/access.log,…no activity or no request.
7. weird ...

Then finally, I decided to upgrade the squid to version 3.3.3.
And this is the ways.
service squid stop.
cd /usr/local/squid 3.1.22
make uninstall
make clean.
cd /usr/local
tar zxvf squid-3.3.3.tar.gz
/configure --prefix=/usr   --exec-prefix=/usr   --bindir=/usr/sbin   --sbindir=/usr/sbin   --sysconfdir=/etc/squid   --datadir=/usr/share/squid   --includedir=/usr/include   --libdir=/usr/lib   --libexecdir=/usr/lib/squid   --localstatedir=/var   --sharedstatedir=/usr/com   --mandir=/usr/share/man   --infodir=/usr/share/info   --x-includes=/usr/include   --x-libraries=/usr/lib   --enable-shared=yes   --enable-static=no   --enable-carp    --enable-storeio=aufs,ufs   --enable-removal-policies=heap,lru   --disable-icmp   --disable-delay-pools   --disable-esi   --enable-icap-client   --enable-useragent-log   --enable-referer-log   --disable-wccp   --enable-wccpv2   --disable-kill-parent-hack   --enable-snmp   --enable-cachemgr-hostname=localhost   --enable-arp-acl   --disable-htcp  --disable-forw-via-db   --disable-follow-x-forwarded-for   --enable-cache-digests    --disable-poll   --enable-epoll   --enable-linux-netfilter   --disable-ident-lookups   --enable-default-hostsfile=/etc/hosts    --with-default-user=squid   --with-large-files  --enable-mit=/usr   --with-logdir=/var/log/squid   --enable-http-violations   --enable-zph-qos   --with-filedescriptors=65536   --enable-gnuregex --enable-async-io=64 --with-aufs-threads=64  --with-pthreads --with-aio  --enable-default-err-languages=English --enable-err-languages=English --disable-hostname-checks --enable-underscores
make; make install

I don’t need to create again ‘/cache’ or startup squid, or squid.conf, etc, because, command make uninstall didn’t delete or remove configuration that I have made. But if you are missing the configuration, look at, to get how to install squid  from the beginning.

Edit /etc/squid squid.conf. See my initial configuration for example, before the change, in I will just explain some of the changes...
Several variables that must be removed.
acl manager proto cache_object
acl localhost src
acl to_localhost dst
acl bamboe src
emulate_httpd_log off
log_fqdn off

Some variables that must be added.
acl bamboe src
http_port 3128

You can see the complete squid configuration after change. Next, check firewall. I use shorewall for make iptables easily. See some file in /etc/shorewall/, and make sure some variable is correct.
$ vim zones
          fw      firewall
          loc     ipv4

$ vim interfaces
          loc     eth0    -

$ vim policy
          loc     fw      ACCEPT
          fw      loc     ACCEPT
          loc     all     DROP
          all     all     REJECT

$ vim rules
          SECTION NEW
          # and this is rules for transparent proxy
          REDIRECT        loc     3127    tcp     80     -        !

$ vim shorewall.conf
See my full initial configuration mikrotik in,  and of course, I just explain some of the changes, ... and then I assume you know much about mikrotik,
Disable or delete some rules about  ‘redirect’. Remember, because I upgrade squid to 3.3.3 version, so I dont need "redirect' more.
/ ip firewall nat
chain=dstnat action=dst-nat to-addresses= to-ports=3127 protocol=tcp src-address-list=compbawah   dst-port=80,8080,3128

chain=dstnat action=dst-nat to-addresses= to-ports=3127 protocol=tcp src-address-list=compatas  dst-port=80,8080,3128

chain=dstnat action=dst-nat to-addresses= to-ports=3127 protocol=tcp dst-address=! src-address-list=op dst-port=80,8080,3128

And these are some rules, which must be added as a replacement the mikrotikredirect’. Create routing of client mark heading into port 80, and 8080, marked by the a name, such name ismark80’.
/Ip firewall mangle
chain=prerouting action=mark-routing new-routing-mark=80 passthrough=yes protocol=tcp src-address-list=compatas dst-port=80,8080

chain=prerouting action=mark-routing new-routing-mark=80 passthrough=yes protocol=tcp src-address-list=compbawah dst-port=80,8080

chain=prerouting action=mark-routing new-routing-mark=80 passthrough=yes protocol=tcp dst-address=! src-address-list=op dst-port=80,8080

And the last, mark80 routing to gateway add, this rules,
/ip route add routing-mark=mark80 gateway=

It's mean, Mikrotik has 2 gateway. First, gateway Request or packet to the destination port  80 or 8080, will be through gateway And the second, default gateway, all requests ( other than destination port 80 / 8080), will be through the gateway default. Done. At last, I have squid 3.3.3 version as transparent proxy.


  1. Get daily ideas and guides for making $1,000s per day ONLINE totally FREE.

  2. Hello!
    I think that Keep posting more informative articles like these one.
    These are very good articles to visit...

    gclub casino
    goldenslot casino

  3. BlueHost is definitely one of the best website hosting provider for any hosting services you require.

  4. The best facts about Clixsense's GPT PROGRAM/}GPT Program:
    1. SURVEYS: 50+ 5-40 minute surveys paying $0.50-$2.50 per survey.
    2. 12 OFFER WALLS - Get paid $0.5-$20 per offer.
    3. MICRO TASKS - Complete 1,000's of small tasks from lots companies.