Which version of squid should I use for CentOS5?
DO I use a RHL binary?

There is a a Squid in the CentOS repositories.

Type "yum list squid" - you may already have it installed.

If not then typing "yum install squid" ought to install it.

Oh...yes.
It appears to be 7:2.6.STABLE21-3.el5

Sound like the latest?

Any version of Squid later than 2.5 will do.

That's the one I have on my CentOS5 install.

In short the answer is:
1) Yes it is is the latest supported by the CentOS project.
2) There may be a newer unsupported version upstream (e.g. at Squid's project site).

However, "latest" is a broad question. Since the "yum list" didn't show any other versions it is certainly the "latest" from CentOS project. But CentOS typically lags behind RedHat (RHEL) which is where they get their source for the compile so it is possible there is a RHEL squid newer that hasn't made it to CentOS yet but should soon. Also RHEL tends to go with specific builds of some packages (BIND for example) then backport security fixes into those rather than going to the newest version of the original source tree. To use that you'd have to download the source from the Squid project itself and compile your own. Unless there is a specific feature you're looking for there's probably no reason to do that.

Hi,

The latest stable release from Squid is 3.0STABLE18 (released today) and can be very usefull if you will be proxy-ing https sites since it has some bugs fixed and clearly offers all the 'new' parameters. You can download it here Squid versions. Also keep in mind that if you want to proxy https sites you'll have to download the source code and compile it yourself because the standard package comes without ssl enabled.

Kind regards,

Eric

Does that involve using wget with a web address?

Hello,

With wget you can surely download it. Here's the url Squid 3.0STABLE18 source.I don't know if there is an option in yum that lets you download source. In Debian I got STABLE16 about two weeks ago using 'apt-get source'. Perhaps someone with more knowledge about CentOS can indicate if yum has an equivalent.

Kind regards,

Eric

Does the current CentOS have https?
Seems strange that you can't just turn on an option somewhere
If it does, can I turn it off and recompile it or dies it have to be uninstalled?

Hi,

I'm not familiar with CentOS but if you mean by 'having https' that if it supports https, I'm sure it will . HTTPS is just a protocol that gives you more security in communicating through secured tunnels and authenticating using certificates.

Standard Squid doesn't come with ssl enabled. SSL is SecureSocketLayer and you need that to get https to work with certificates (Sorry for not giving more detail, this is very basic, Google can help out more).

So if you're planning on putting your webserver online with https, you'll need OpenSSL or something like that, Squid compiled with ssl enabled and a webserver that supports https (which most do to my knowledge).

If you're not sure on if you would need it, but in doubt, I'd download the source and compile it with ssl support. When not configured it's not used but it saves you time and effort in compiling again after some time.

Practical example which I'm testing right now:

8 web applications, almost all of them running on Tomcat in our intranet needed to be accessible from the internet to our users.

I compiled Squid with ssl enabled, created a self signed certificate, configured squid to use LDAP authentication and got it up and running for 95%, meaning that https frontend with http backend is a bit tricky (still a work in progress with the help of the Squid guys through the Squid Users Mailing list).

So in my test environment a user has to connect to https. If he connects to http, a url_rewrite program redirects him permanently after which he has to accept the certificate and install it (accept a security exception). After that they get a popup to login with their domain credentials and after authentication they get the site login. In addition to that on the same server I plan to configure IPTABLES and Snort for security and intrusion detection.

Kind regards,

Eric

The httpd (apache) package has config files under /etc/httpd including /etc/httpd/conf.d/ssl.conf which deals with https.

I'm no web expert and don't use squid but as I noted earlier you can use the ones you get from CentOS repositories or you can go to the original source and roll your own. If you do the latter then you can't use yum to update things.

There are some extra yum repositories from CentOS that might provide things you don't have but they eliminate binary compatibility with RHEL. If that compatibility isn't important you can check those.

Also Dag Wieers keeps repositories for many RPMs so you may be able to add a repository by checking his site and see if it has newer httpd and squid than the ones CentOS provides.

I was planning on having my users connect to the proxy with just an IP address.
If they want to connect using https, will I also need to set up a web domain on the server?
Can't it just accept connections on the HTTPS port and the proxy then forwards the request?

If you have Squid configured with SSL enabled, have your certificate, then you can accept HTTPS request. You don't need a webserver on the same server. Squid is a proxy server which means that you can redirect any traffic to any backend webserver desired, be it IIS, Apache, Tomcat, ...

With Squid you basically only need one IP, and have multiple domains behind it. You only need your base domain.com, access to the DNS to create subdomains, and link all the subdomains in DNS to the same IP which, probably after being redirected by your firewall, should be offered to Squid. Squid 'reads' the HTTP header and redirects to the backend server listed in its configuration, reading static files from his cache first if so configured.

If you don't have access to the DNS then of course you could give your WAN IP to your users in order to let them connect but that way Squid will not now where to redirect traffic to if you have more than one server. If you only have one backend server of course then that's no problem, just redirect all traffic to that one and use Squid as cache proxy with or without acceleration to 'hide' your real backend server from the internet.

Kind regards,

Eric