Deploying Squid HTTP forward proxy in HA on SmartOS

Squid is an FTP, HTTP and HTTPS forward proxy that is quick to install and configure. SmartOS ships with VRRP support, so two SmartMachines sharing a virtual IP give you a highly available forward proxy with very little work.

  1. Log into a SmartOS GZ:
    ssh smartosgz
  2. Create the SmartMachine. The command prints Successfully created <UUID>; note the UUID for the next step:
    vmadm create <<EOF
    {
      "alias": "proxy",
      "max_physical_memory": 1024,
      "dataset_uuid": "84cb7edc-3f22-11e2-8a2a-3f2a7b148699",
      "nics": [
      {
        "nic_tag": "external",
        "vlan_id": 101,
        "ip": "10.0.0.4",
        "netmask": "255.255.255.0",
        "gateway": "10.0.0.1",
        "vrrp_vrid": 12,
        "vrrp_primary_ip": "10.0.0.5"
      },
      {
        "nic_tag": "external",
        "vlan_id": 101,
        "ip": "10.0.0.5",
        "netmask": "255.255.255.0",
        "gateway": "10.0.0.1",
        "primary": true,
        "allow_ip_spoofing": true
      }]
    }
    EOF
  3. Log in to the SmartMachine:
    zlogin <UUID>
  4. Enable VRRP:
    vrrpadm -V 12 -l net0 -A inet router0
  5. Replace /etc/resolv.conf (use your own domain and DNS servers, or leave them at Google DNS):
    nameserver 10.0.0.2
    nameserver 10.0.0.3
    search example.com
  6. Install Squid:
    pkgin update
    pkgin install squid
  7. Replace /opt/local/etc/squid/squid.conf:
    http_port 3128
    visible_hostname proxy.example.com
    
    cache_dir ufs /var/squid/cache 8192 16 256
    cache_mem 800 MB
    
    refresh_pattern ^ftp:           1440    20%     10080
    refresh_pattern ^gopher:        1440    0%      1440
    refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
    refresh_pattern .               0       20%     4320
    
    acl manager url_regex -i ^cache_object:// +i ^https?://[^/]+/squid-internal-mgr/
    
    acl localhost src 127.0.0.1/32 ::1
    acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
    
    acl localnet src 10.0.0.0/8     # RFC 1918 possible internal network
    acl localnet src 172.16.0.0/12  # RFC 1918 possible internal network
    acl localnet src 192.168.0.0/16 # RFC 1918 possible internal network
    acl localnet src fc00::/7       # RFC 4193 local private network range
    acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
    
    acl SSL_ports port 443
    acl Safe_ports port 80          # http
    acl Safe_ports port 21          # ftp
    acl Safe_ports port 443         # https
    acl Safe_ports port 70          # gopher
    acl Safe_ports port 210         # wais
    acl Safe_ports port 1025-65535  # unregistered ports
    acl Safe_ports port 280         # http-mgmt
    acl Safe_ports port 488         # gss-http
    acl Safe_ports port 591         # filemaker
    acl Safe_ports port 777         # multiling http
    acl CONNECT method CONNECT
    
    acl allowed_sites dstdomain datasets.joyent.com
    acl allowed_sites dstdomain download.joyent.com
    acl allowed_sites dstdomain pkgsrc.joyent.com
    acl allowed_sites dstdomain registry.npmjs.org
    
    http_access allow manager localhost
    http_access deny manager
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports
    http_access allow localhost
    #http_access allow localnet
    http_access allow allowed_sites
    http_access deny all
  8. Create the cache directories:
    squid -z
  9. Link the startup script:
    ln -s /opt/local/share/examples/rc.d/squid /etc/rc.d/squid
  10. Start Squid:
    /etc/rc.d/squid start
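To check what the http_access rules in the squid.conf from step 7 actually permit before putting the proxy on the wire, here is an added Python model of that rule list (example code, not part of the original post and not Squid's own matcher). The Request class, the ACLS table and the HTTP_ACCESS list are constructed from the config as written; because "http_access allow localnet" stays commented out, the allowed_sites line matches regardless of client source address, which the model reproduces.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Request:        # one client request as Squid's ACLs see it (constructed model)
    src: str          # client IP address
    host: str         # destination host from the request URL
    port: int         # destination port
    method: str       # HTTP method
    url: str = ""     # full URL, only needed for the manager ACL

# Constructed copies of the ACL definitions in the squid.conf above.
SSL_PORTS = {443}
SAFE_PORTS = {80, 21, 443, 70, 210, 280, 488, 591, 777} | set(range(1025, 65536))
ALLOWED_SITES = {"datasets.joyent.com", "download.joyent.com",
                 "pkgsrc.joyent.com", "registry.npmjs.org"}
LOCALNET = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7", "fe80::/10")]
ACLS = {
    "manager": lambda r: r.url.startswith("cache_object://") or "/squid-internal-mgr/" in r.url,
    "localhost": lambda r: r.src in ("127.0.0.1", "::1"),
    "localnet": lambda r: any(ipaddress.ip_address(r.src) in n for n in LOCALNET),
    "Safe_ports": lambda r: r.port in SAFE_PORTS,
    "SSL_ports": lambda r: r.port in SSL_PORTS,
    "CONNECT": lambda r: r.method == "CONNECT",
    # dstdomain without a leading dot matches the exact host only, not subdomains
    "allowed_sites": lambda r: r.host.lower() in ALLOWED_SITES,
    "all": lambda r: True,
}
# The http_access lines in config order; "allow localnet" is commented out as in the file.
HTTP_ACCESS = [
    ("allow", ["manager", "localhost"]),
    ("deny", ["manager"]),
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["localhost"]),
    ("allow", ["allowed_sites"]),
    ("deny", ["all"]),
]

def term_matches(term, req):
    """A '!' prefix negates the ACL, exactly as in squid.conf."""
    return ACLS[term.lstrip("!")](req) != term.startswith("!")

def http_access(req):
    """Squid ANDs the ACLs on one line and takes the first line that matches."""
    for i, (action, terms) in enumerate(HTTP_ACCESS):
        if all(term_matches(t, req) for t in terms):
            return action, i
    # nothing matched: Squid applies the opposite of the last line's action
    return ("deny" if HTTP_ACCESS[-1][0] == "allow" else "allow"), -1
```

Each result is (decision, index of the http_access line that decided), so a denied request can be traced straight back to the line in squid.conf responsible for it.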