ood-ports-lbsd-fork1/www/squid/pkg/README-main

$OpenBSD: README-main,v 1.7 2015/09/10 13:00:10 sthen Exp $

+-----------------------------------------------------------------------
| Running ${FULLPKGNAME} on OpenBSD
+-----------------------------------------------------------------------

General configuration
=====================
The sample configuration in ${SYSCONFDIR}/squid.conf is a simple version
with only the most essential options. By default, only RAM-based cache is
used, un-comment the cache_dir line to enable a persistent disk cache
("swap"); this is normally kept in ${LOCALSTATEDIR}/cache and must be
initialized with "squid -z" before starting the daemon. If you need to
place it elsewhere, create the directory and make sure it is owned and
writable by user _squid, group _squid.

Logs are stored in ${LOCALSTATEDIR}/logs; access logs on a busy cache will
grow rapidly so rotate them as necessary (use "squid -k rotate").

See ${TRUEPREFIX}/share/examples/squid/squid.conf.documented for a complete
annotated file, similar to the standard squid.conf in previous versions
of Squid, however in many cases the defaults will suffice.

The HTML error pages can be easily themed by editing the style-sheet in
${SYSCONFDIR}/errorpage.css.

System resource limits
======================
The default system resource limits for file-descriptors are insufficient
for a moderately busy proxy. It may also be necessary to increase the
memory limits. You can add a service-specific class to /etc/login.conf:

squid:\
	:datasize=1500M:\
	:openfiles=4096:\
	:tc=daemon:

When started by rc.d(8) (i.e. via pkg_scripts in rc.conf.local or from
"${RCDIR}/squid start") the appropriately-named login class is used
automatically.

If you are using /etc/login.conf.db (not usually recommended) then be
sure to rebuild it.

There is also a kernel limit on the number of open file descriptors,
sysctl kern.maxfiles. In some circumstances you may also need to raise
this; if this is required, pay particular attention to testing and
monitoring your system.

Interception Proxying with PF
=============================
To configure an interception (a.k.a. "transparent") proxy, Squid should
be configured in ${SYSCONFDIR}/squid.conf to bind to a specific address,
for example:

http_port 127.0.0.1:3127 intercept

On the machine running Squid, add a firewall rule similar to this:

pass in quick log inet proto tcp to port 80 divert-to 127.0.0.1 port 3127

If the machine running Squid is already acting as a router/firewall
for your client machines, there is no other special configuration.
However if Squid is running on a separate machine, the router must be
configured to pass HTTP traffic to Squid. You can use a rule like this
on the router:

pass in quick from 10.77.3.5
pass in quick inet proto tcp to port 80 route-to (vr2 10.77.3.5)

(this example assumes Squid is running on 10.77.3.5 reachable over
the vr2 interface).

If the proxy server is running on the same subnet as the clients, the
return traffic from the proxy will go directly back to them without
ever hitting the firewall, which means the states will never get updated
and may fill-up your pflog(4) with blocked attempts. To circumvent this
the "no state" option needs to be specified for the route-to rule:

pass in quick inet proto tcp to port 80 route-to (vr2 10.77.3.5) no state