Squid Proxy on pfSense for Home Web Cache and Security

Squid 3 Proxy on pfSense for Home Web Cache and Security. Note: the Squid3 refresh_pattern rules shown here work in any Squid install; they do not require pfSense.

Squid (squid3) can make your home internet faster (great for multiple web users under the same roof) by caching web content locally via a proxy, so static content is served more quickly without as many requests to the external web. It is also more secure (great for protecting the family), as you can optionally filter web URLs and scan web requests for viruses before they reach your computer.

However, I found the default Squid3 settings in pfSense cached some things but not others. So I researched some custom rules to make my home Squid proxy cache a little more aggressive, so it caches more static content. I am adding my experience here in the hope of getting feedback from you, pros and beginners alike, and hopefully helping some people along the way. In terms of Squid performance and optimization, my goal is a decent hit rate on static content while leaving dynamic content functional. Cheers!


About my setup

I have a pfSense box running 2.2.5-RELEASE (amd64), Squid 3.4 branch, and SquidGuard.

To customize the refresh rules, go to the Services menu, select Squid proxy, then select the Local cache tab.


At the bottom, enter the custom rules in the "Custom refresh_patterns" box.

Download config

psynaps-pfsense-squid3-example.txt

Config

(updated 12-09-15)

# 1 year = 525600 mins, 1 month = 43800 mins, 1 week = 10080 min, 1 day = 1440 min
# Format: refresh_pattern [-i] regex min percent max [options]
# Squid uses the first rule whose regex matches, so order matters.

# Optional: don't cache the WordPress admin panel
refresh_pattern (wp-admin)  0 0% 0

# specific cache
# live_user: twitch preview thumbs
refresh_pattern -i (live_user) 30 60% 300 override-lastmod reload-into-ims
# for malwarebytes update checking
refresh_pattern -i (mbamupdates.com) 1440 60% 10080 override-lastmod reload-into-ims

# All files
# ignore-private / ignore-no-store cache responses the origin marked private or
# no-store, so a response fetched for one LAN client can be served to another;
# keep these options on static file types only.
refresh_pattern -i \.(3gp|7z|ace|asx|avi|bin|cab|dat|deb|rpm|divx|dvr-ms)(\?|$) 43800 100% 129600 ignore-no-cache ignore-no-store ignore-private override-expire override-lastmod reload-into-ims ignore-reload
refresh_pattern -i \.(rar|jar|gz|tgz|tar|bz2|iso)(\?|$)                         43800 100% 129600 ignore-no-cache ignore-no-store ignore-private override-expire override-lastmod reload-into-ims ignore-reload
refresh_pattern -i \.(m1v|m2(v|p)|mo(d|v)|(x-|)flv)(\?|$)                       43800 100% 129600 ignore-no-cache ignore-no-store ignore-private override-expire override-lastmod reload-into-ims ignore-reload
refresh_pattern -i \.(jp(e?g|e|2)|gif|pn[pg]|bmp|tiff?|ico|swf)(\?|$)          43800 100% 129600 ignore-no-cache ignore-no-store ignore-private override-expire override-lastmod reload-into-ims ignore-reload
refresh_pattern -i \.(mp(e?g|a|e|1|2|3|4)|mk(a|v)|ms(i|u|p))(\?|$)              43800 100% 129600 ignore-no-cache ignore-no-store ignore-private override-expire override-lastmod reload-into-ims ignore-reload
refresh_pattern -i \.(og(x|v|a|g)|rar|rm|r(a|p)m|snd|vob|wav)(\?|$)             43800 100% 129600 ignore-no-cache ignore-no-store ignore-private override-expire override-lastmod reload-into-ims ignore-reload
refresh_pattern -i \.(pp(s|t)|wax|wm(a|v)|wmx|wpl|zip|cb(r|z|t))(\?|$)          43800 100% 129600 ignore-no-cache ignore-no-store ignore-private override-expire override-lastmod reload-into-ims ignore-reload
refresh_pattern -i \.(woff|txt|exe|dmg|webm)(\?|$)                              43800 100% 129600 ignore-no-cache ignore-no-store ignore-private override-expire override-lastmod reload-into-ims ignore-reload
refresh_pattern -i \.(css)(\?|$)                                                10080  60% 43800  ignore-no-cache ignore-no-store ignore-private override-expire override-lastmod reload-into-ims ignore-reload
refresh_pattern -i \.(js)(\?|$)                                                 10080  60% 10080  ignore-no-cache ignore-no-store ignore-private override-expire override-lastmod reload-into-ims ignore-reload

refresh_pattern -i \.(html|htm)(\?|$) 1440  60% 10080 ignore-no-cache ignore-no-store ignore-private override-expire reload-into-ims
refresh_pattern -i \.(doc|pdf)(\?|$)  10080 90% 43200 ignore-no-cache ignore-no-store ignore-private override-expire reload-into-ims

# (cdn) matches any URL containing "cdn"; the \.(cdn) line is a narrower form of the same rule
refresh_pattern -i \.(cdn) 10800 100% 43800 override-expire override-lastmod reload-into-ims ignore-reload ignore-no-cache ignore-private
refresh_pattern -i (cdn)   10800 100% 43800 override-expire override-lastmod reload-into-ims ignore-reload ignore-no-cache ignore-private

refresh_pattern \.ytimg\? 10800 90% 10800 override-expire ignore-reload ignore-no-cache
# Site rules: these are regexes, not shell globs. A bare "*" only repeats the
# character before it, so "*.facebook.com" would never match www.facebook.com.
# ([^/]+\.)? allows any subdomain; \. matches a literal dot.
refresh_pattern ^http://([^/]+\.)?facebook\.com/ 720 100% 4320
refresh_pattern ^http://mail\.yahoo\.com/ 720 100% 4320
refresh_pattern ^http://([^/]+\.)?yahoo\.[^/]+/ 720 100% 4320
refresh_pattern ^http://([^/]+\.)?yimg\.[^/]+/ 720 100% 4320
refresh_pattern ^http://([^/]+\.)?gmail\.[^/]+/ 720 100% 4320
refresh_pattern ^http://([^/]+\.)?google\.[^/]+/ 720 100% 4320
refresh_pattern ^http://([^/]+\.)?kaskus\.[^/]+/ 720 100% 4320
refresh_pattern ^http://([^/]+\.)?googlesyndication\.[^/]+/ 720 100% 4320
refresh_pattern ^http://([^/]+\.)?plasa\.[^/]+/ 720 100% 4320
refresh_pattern ^http://([^/]+\.)?telkom\.[^/]+/ 720 100% 4320

# catch all: matches every request not caught by a rule above
refresh_pattern . 360 90% 1440 override-lastmod reload-into-ims

More details

To make the cache more aggressive, I used (\?|$). The \? part makes the rule also match objects whose URL continues with a ? after the extension (for example abc.css?v=2). Typically a ? indicates dynamic content, and it is also used to tell caches NOT to cache those objects, so be careful with this. However, I found it is OK to ignore the ? after objects like jpgs and css, and often js. These objects are static content; most of the time they do not change and can be cached for long periods. Caching these kinds of objects is great, because it reduces the number of requests you make to the web. I also use the $ alternative above. It means "end of string", so \.jpg$ matches only an object whose URL ends in .jpg.

I use a catch-all. This rule matches any request that has not already matched one of the rules above. Be careful here, because this rule can and will cache dynamic content. The default pfSense Squid catch-all already exists in the default config; however, the built-in config is not editable (as far as I understand) and will always revert to the default (let me know if you know how to change that). To work around this, I simply add my own customized catch-all at the bottom of my "Custom refresh_patterns".
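To check which rule a given URL actually hits (first match wins, so order matters), and what the min / percent / max numbers mean for a cached copy, here is a small tracer I added; it is not part of the original post, pfSense or Squid. It parses a constructed subset of the refresh_pattern lines from the config above and applies a simplified model of Squid's documented freshness algorithm (explicit expiry wins unless override-expire keeps the object fresh up to min; otherwise min, then the last-modified factor against percent, capped by max). The URLs, ages and helper names are my own.

```python
"""Trace which refresh_pattern a URL matches and whether a cached copy is fresh.

Added example (not from the original post, pfSense or Squid). The freshness
logic is a simplified model of Squid's documented refresh_pattern algorithm.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed subset of the rules from the config above, in the same order
# (Squid stops at the first regex that matches, so order matters).
RULES_TEXT = r"""
# 1 day = 1440 min, 1 week = 10080 min, 1 month = 43800 min
refresh_pattern (wp-admin)  0 0% 0
refresh_pattern -i \.(jp(e?g|e|2)|gif|pn[pg]|bmp|tiff?|ico|swf)(\?|$) 43800 100% 129600 ignore-no-cache ignore-no-store ignore-private override-expire override-lastmod reload-into-ims ignore-reload
refresh_pattern -i \.(css)(\?|$) 10080 60% 43800 ignore-no-cache ignore-no-store ignore-private override-expire override-lastmod reload-into-ims ignore-reload
refresh_pattern -i \.(html|htm)(\?|$) 1440 60% 10080 ignore-no-cache ignore-no-store ignore-private override-expire reload-into-ims
# catch all
refresh_pattern . 360 90% 1440 override-lastmod reload-into-ims
"""


@dataclass
class RefreshRule:
    regex: "re.Pattern[str]"
    min_minutes: int
    percent: int
    max_minutes: int
    options: List[str] = field(default_factory=list)
    source: str = ""


def parse_refresh_patterns(text: str) -> List[RefreshRule]:
    """Parse 'refresh_pattern [-i] regex min percent% max [options...]' lines."""
    rules: List[RefreshRule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0] != "refresh_pattern" or len(parts) < 5:
            raise ValueError(f"not a refresh_pattern line: {line}")
        parts = parts[1:]
        flags = 0
        if parts[0] == "-i":               # -i makes the regex case-insensitive
            flags = re.IGNORECASE
            parts = parts[1:]
        regex, min_m, pct, max_m, *opts = parts
        if not pct.endswith("%"):
            raise ValueError(f"percent must end in '%': {line}")
        rules.append(RefreshRule(re.compile(regex, flags), int(min_m),
                                 int(pct[:-1]), int(max_m), opts, line))
    return rules


def match_rule(url: str, rules: List[RefreshRule]) -> Optional[RefreshRule]:
    """First rule whose regex is found anywhere in the URL (Squid regexes are unanchored)."""
    for rule in rules:
        if rule.regex.search(url):
            return rule
    return None


def is_fresh(rule: RefreshRule, age_minutes: int,
             lm_age_minutes: Optional[int] = None,
             expires_in_minutes: Optional[int] = None) -> bool:
    """Simplified model of Squid's freshness decision under one rule.

    age_minutes:        time since the proxy fetched the object
    lm_age_minutes:     object's age at fetch time (Date minus Last-Modified), if known
    expires_in_minutes: minutes until the origin's explicit expiry (negative = already past)
    """
    # override-expire: an explicit expiry cannot shorten freshness below min
    if "override-expire" in rule.options and age_minutes <= rule.min_minutes:
        return True
    if expires_in_minutes is not None:      # otherwise explicit Expires / max-age decides
        return expires_in_minutes > 0
    if age_minutes > rule.max_minutes:      # never fresh beyond max
        return False
    if age_minutes <= rule.min_minutes:     # always fresh up to min
        return True
    if lm_age_minutes:                      # between min and max: LM-factor test
        return age_minutes / lm_age_minutes < rule.percent / 100
    return False                            # no Last-Modified to reason from


if __name__ == "__main__":
    rules = parse_refresh_patterns(RULES_TEXT)
    for url in ["http://example.com/style.css?v=3", "http://example.com/IMG.JPG",
                "http://blog.example.com/wp-admin/edit.php", "http://example.com/index.php"]:
        r = match_rule(url, rules)
        print(f"{url:45} -> {r.regex.pattern}  min={r.min_minutes} "
              f"{r.percent}% max={r.max_minutes} fresh@20000min="
              f"{is_fresh(r, 20000, lm_age_minutes=100000)}")
```

Running it shows why the ? handling matters: style.css?v=3 lands on the css rule only because of (\?|$), IMG.JPG hits the image rule thanks to -i, and index.php falls through to the catch-all with its 360-minute minimum, which is exactly the rule that can serve stale dynamic pages.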

Good luck, and let me know if you have anything to add here!

Cheers!