Understanding Cache Server Fundamentals

A cache server acts as an intermediary storage mechanism (utilizing both RAM and disk storage) for frequently accessed web content such as images, documents, and pages. By serving data locally rather than fetching it from the origin every time, response times improve significantly, and upstream bandwidth consumption decreases. For end-users, this layer operates invisibly, making all requests appear as though they originate directly from the target website.

Common implementations in enterprise environments include Squid, Varnish, Nginx, and ATS (Apache Traffic Server).

Cache Performance Metrics

The efficiency of a caching system is measured primarily through:

• Cache Hit Ratio: The percentage of client HTTP requests successfully served from the local cache versus total requests. Typical successful ratios range betweeen 30% and 60%.
• Byte Hit Ratio: Measures the volume of data capacity provided by the cache relative to total transmitted data.

To maximize hit rates, administrators typically employ strategies such as enabling Expires and Cache-Control headers via Nginx/Apache, separating static and dynamic assets (offloading static content to CDNs), and optimizing database query caching.

Handling Cache Misses

A cache miss occurs when the requested resource is absent from the cache server. Causes include:

1. First-Time Requests: New resources naturally cause misses. Mitigation involves "warming" the cache by pre-fetching popular URLs before they are requested by users.
2. Space Constraints: If memory or disk limits are reached, older objects are evicted to make room. Solutions involve expanding hardware resources (RAM/Disk) or adjusting eviction policies.
3. Sourcing Restrictions: Origin servers may instruct proxies not to cache specific responses (HTTP status codes 4xx/5xx, or headers indicating private data).

Introducing Squid

Squid is a high-performance proxy and caching daemon supporting HTTP, HTTPS, FTP, and Gopher protocols. Unlike modular proxies, Squid uses a single I/O-driven event loop process. It caches data in memory or disk and maintains DNS results locally. Leveraging the Internet Cache Protocol (ICP), Squid supports hierarchical proxy arrays to optimize bandwidth usage across networks.

Deployment Scenarios

1. Reverse Proxy: Deployed in front of a web farm. It absorbs traffic, caches static content, and relays requests to backend servers, reducing load on origin infrastructure.
2. Forward Proxy (Transparent/Explicit): Used within corporate networks to manage outbound internet traffic. This improves user speed via local caching, restricts access to unauthorized sites, and conserves external bandwidth.
3. Security Gateway: Combined with tools like iptables, Squid can filter traffic, monitor browsing behavior, and enforce security policies.

System Preparation and Installation

Before compiling, prepare the build environment. Ensure system time is synchronized, SELinux is disabled or configured permissive, and firewall rules allow necessary traffic.

# Optimize file descriptors
ulimit -Hn 20480
echo "*   -   nofile   20480" >> /etc/security/limits.conf

# Adjust ephemeral port range
cat /proc/sys/net/ipv4/ip_local_port_range
echo "net.ipv4.ip_local_port_range = 4000   65000" >> /etc/sysctl.conf
sysctl -p

Compiling Squid

Download the source package and extract it. Configure the build with appropriate flags for your architecture (e.g., enabling SSL support, specific store backends like aufs or ufs, and disabling unused modules).

cd /opt/src/downloads
tar xf squid-3.0.STABLE20.tar.gz
cd squid-3.0.STABLE20

./configure \
--prefix=/opt/squid \
--enable-asyno-io=100 \
--with-pthreads \
--enable-storeio="aufs,diskd,ufs" \
--enable-removal-policies='heap,lru' \
--enable-ssl \
--disable-snmp \
--with-aio \
--enable-linux-netfilter \
--enable-linux-tproxy 

make && make install
ln -s /opt/squid /opt/squid3.0

If compilation fails due to missing SSL libraries, install OpenSSL development headers first (yum install openssl-devel).

Directory Structure

Standard installation yields:

• sbin/squid: Main daemon binary.
• bin/RunCache: Startup helper script (auto-recovery).
• etc/squid.conf: Primary configuration file.
• var/logs: Log files (access, cache, store).
• var/cache: Default storage directory for cached objects.

Configuration Tuning

Edit squid.conf carefully. Define the effective user to ensure security (do not run as root).

cache_effective_user squid
cache_effective_group squid
visible_hostname proxy01
cache_mgr webmaster@example.com

Access Control Lists (ACLs): Squid defaults to denying all traffic unless explicitly allowed. Define ACLs for trusted networks.

acl localnet src 10.0.10.0/24
acl Safe_ports port 80 21 443
http_access allow localnet
http_access deny !Safe_ports
http_access deny all

Logging Configuration: Enable and rotate logs to prevent disk saturation.

cache_store_log /opt/squid/var/logs/store.log
cache_log /opt/squid/var/logs/cache.log
access_log /opt/squid/var/logs/access.log

Caching Directories: Specify storage size and directory layout.

cache_dir ufs /opt/squid/var/cache 10000 16 256

Service Management

Initialize swap directories before starting the service. Check configuration syntax to catch errors.

# Initialize cache directories (run as squid user usually, or root with chown)
/opt/squid/sbin/squid -z

# Validate config
chown -R squid:squid /opt/squid/var/
/opt/squid/sbin/squid -k parse

# Start daemon
/opt/squid/sbin/squid -D

Create a systemd service or init script for boot persistence.

#!/bin/bash
case $1 in
  start) /opt/squid/sbin/squid -D ;;
  stop) /opt/squid/sbin/squid -k shutdown ;;
  restart) /opt/squid/sbin/squid -k shutdown; sleep 2; /opt/squid/sbin/squid -D ;;
esac

Proxy Types and Setup

Squid supports various operational modes depending on network topology requirements.

Transparent Proxy

In transparent mode, clients do not need browser proxy settings. Network traffic is redirected to Squid using firewall rules.

1. Enable IP forwarding: net.ipv4.ip_forward = 1.
2. Configure squid.conf: Add transparent flag to http_port.
3. Redirect traffic via iptables NAT table.

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128

Reverse Proxy Acceleration

When deployed in front of a backend web server cluster, Squid acts as an accelerator. It inspects incoming requests and serves cached content, offloadign work from the backend.

http_port 80 accel vhost vport

# Point to backend origin server
cache_peer webserver01 parent 80 0 no-query no-digest originserver

Refresh Patterns: Control how long static assets stay in cache.

# Images stay cached longer
refresh_pattern -i \.(jpg|png|gif)$ 1440 90% 129600 reload-into-ims

# HTML updates frequently
refresh_pattern -i \.html$ 1440 50% 4320

Verification: Use curl to inspect cache responses.

curl -I -s http://your-squid-ip/page.jpg | grep X-Cache
# Output: X-Cache: HIT from proxy01

Log Rotation

Automate log rotation to manage storage usage.

/opt/squid/sbin/squid -k rotate
# Schedule via crontab
0 0 * * * /usr/bin/find /opt/squid/var/logs -name "*.log" -exec mv {} {}.archived \;
0 0 * * * /opt/squid/sbin/squid -k rotate