Systeemkabouter blog archive – Homelab webproxy using Squid on OpenBSD

Homelab webproxy using Squid on OpenBSD

Posted on Fri 22 December 2023 in runbsd

Right now I'm building my new homelab environment. On top of Proxmox I deployed an OpenBSD virtual machine that will act as an http egress for all homelab vlans. This is just a quick writeup of my recipe.

The virtual machine has two cores assigned and 2 GB of RAM.

After installing OpenBSD 7.4, I applied the baseline script described earlier. The next step was installing the squid package:

pkg_add squid3

and configuring /etc/squid/squid.conf. The default file is rather terse and clean, but the very verbose and long one is also available if you need it. As I am somewhat familiar with running squid proxies, I welcomed the short and concise basis that I could extend.

What I wanted was for each vlan (source IP range) to get access to http/https sites based on a vlan-specific allow list. This resulted in two ACL statements per vlan and a single http_access line to allow the traffic, so three lines of config per vlan/lab.

I also needed to create the actual files that serve as the allow list for each vlan/lab. Each is just a text file listing domain names, one per line.

acl mylab-src src 10.11.12.0/24
acl mylab-dst dstdomain "/etc/squid/mylab_allowed.txt"

http_access allow mylab-src mylab-dst

The domain allow list:

bash-5.2# cat /etc/squid/mylab_allowed.txt 
.lutra.it
.example.org
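To keep the three-lines-per-lab pattern from drifting as labs are added, here is a small generator I would use for it. This is an added example, not code from the original post: it validates that an allow list only contains plain domain names (an entry carrying a scheme, path or port never matches a dstdomain ACL, so it is better to reject it up front), checks that each lab subnet is a proper network, emits the acl/acl/http_access stanza per lab and finishes with an explicit http_access deny all so nothing is allowed by accident. The lab names, subnet and file path are the post's mylab values; the validation rules are my own assumptions about what an allow list should contain.

```python
"""Generate per-lab Squid ACL stanzas in the style of the post.

Added example; not part of the original post. Sample values below are
constructed to match the post's mylab configuration.
"""
import ipaddress
import re

# One DNS label: letters, digits, hyphens, no leading/trailing hyphen.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
# Optional leading dot (Squid dstdomain: domain plus all subdomains),
# then at least two labels. Assumption: single-label names are not wanted.
_DOMAIN_RE = re.compile(rf"^\.?{_LABEL}(?:\.{_LABEL})+$")

# Constructed sample of the allow list file format: one domain per line.
SAMPLE_ALLOW_LIST = """\
.lutra.it
.example.org
"""


def validate_allow_list(text):
    """Return the valid dstdomain entries in text; raise on anything else.

    dstdomain matches only the request host, so an entry with a scheme,
    path or port would silently never match. Reject those here.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are harmless
        if not _DOMAIN_RE.match(line.lower()):
            raise ValueError(f"line {lineno}: not a plain domain: {raw!r}")
        entries.append(line.lower())
    return entries


def lab_stanza(name, subnet, allow_file):
    """Return the three config lines the post uses for one lab."""
    if not re.fullmatch(r"[A-Za-z0-9_-]+", name):
        raise ValueError(f"bad acl name: {name!r}")
    # strict=True rejects a network with host bits set (e.g. 10.11.12.1/24).
    net = ipaddress.ip_network(subnet, strict=True)
    return (
        f"acl {name}-src src {net}\n"
        f'acl {name}-dst dstdomain "{allow_file}"\n'
        f"http_access allow {name}-src {name}-dst\n"
    )


def render_config(labs):
    """labs: iterable of (name, subnet, allow_file) tuples.

    Stanzas are emitted in order and followed by an explicit deny all,
    so a lab that is not listed gets nothing.
    """
    parts = [lab_stanza(*lab) for lab in labs]
    parts.append("http_access deny all\n")
    return "\n".join(parts)


if __name__ == "__main__":
    print(validate_allow_list(SAMPLE_ALLOW_LIST))
    print(render_config([("mylab", "10.11.12.0/24",
                          "/etc/squid/mylab_allowed.txt")]))
```

The output is meant to be pasted into (or included from) squid.conf in place of the hand-written stanzas; the order matters, since Squid evaluates http_access rules top to bottom and the deny all must come last.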

I also configured a disk based cache and raised the maximum size of objects to hold in the cache to 64 MB. This should allow for a lot of cache hits when updating the same packages on different virtual machines within the homelab.

cache_dir ufs /var/squid/cache 2048 16 256
maximum_object_size 64000000

After saving the changes, I needed to enable the service, initialize the cache directory structure and start the service:

rcctl enable squid
squid -z 
rcctl start squid 
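Once the proxy is running, the two things I would want to see from its access.log are which destinations each lab is being denied (to spot a missing allow-list entry, or a VM talking to somewhere it should not) and whether the disk cache is actually producing hits. The following is an added example, not code from the original post: it parses Squid's default native log format, maps each client address to a lab using subnets like the post's, and summarises TCP_DENIED entries per lab as well as the hit ratio for served requests. The log lines and the second lab subnet are constructed sample data.

```python
"""Summarise denials per lab and the cache hit ratio from a Squid access.log.

Added example; not part of the original post. SAMPLE_LOG and LABS are
constructed to resemble the post's setup.
"""
import ipaddress
from collections import Counter, defaultdict

# Constructed sample lines in Squid's native access.log format:
# time elapsed client code/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1703253600.001    120 10.11.12.5 TCP_MISS/200 15234 GET http://example.org/pkg.tgz - HIER_DIRECT/93.184.216.34 application/octet-stream
1703253601.002      0 10.11.12.5 TCP_DENIED/403 3900 CONNECT blocked.example:443 - HIER_NONE/- text/html
1703253602.003      0 10.11.13.7 TCP_DENIED/403 3900 GET http://example.org/ - HIER_NONE/- text/html
1703253603.004     45 10.11.12.9 TCP_HIT/200 15234 GET http://example.org/pkg.tgz - HIER_NONE/- application/octet-stream
1703253604.005      0 10.11.12.5 TCP_DENIED/403 3900 CONNECT blocked.example:443 - HIER_NONE/- text/html
"""

# Lab name -> source subnet, as in the post's acl ...-src lines.
# The second lab is a constructed example.
LABS = {"mylab": "10.11.12.0/24", "otherlab": "10.11.13.0/24"}


def host_of(url):
    """Hostname from a request URL, or from a CONNECT host:port target."""
    rest = url.split("://", 1)[1] if "://" in url else url
    host = rest.split("/", 1)[0]
    # Drop a trailing :port; rsplit keeps a bracketed IPv6 literal intact.
    return host.rsplit(":", 1)[0] if ":" in host else host


def parse_line(line):
    """Split one native-format line into the fields used below."""
    f = line.split()
    if len(f) < 7:
        return None  # truncated or malformed line
    result, _, status = f[3].partition("/")
    return {"client": f[2], "result": result, "status": status,
            "method": f[5], "host": host_of(f[6])}


def lab_for(client, labs):
    """Name of the lab whose subnet contains the client address."""
    addr = ipaddress.ip_address(client)
    for name, net in labs.items():
        if addr in ipaddress.ip_network(net):
            return name
    return "unknown"


def denials_by_lab(log_text, labs):
    """{lab: {destination host: denied request count}} for TCP_DENIED lines."""
    out = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["result"] == "TCP_DENIED":
            out[lab_for(rec["client"], labs)][rec["host"]] += 1
    return {lab: dict(counts) for lab, counts in out.items()}


def cache_hit_ratio(log_text):
    """Fraction of served (not denied) requests whose result code was a hit."""
    served = hits = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["result"] == "TCP_DENIED":
            continue
        served += 1
        if "HIT" in rec["result"]:  # TCP_HIT, TCP_MEM_HIT, TCP_REFRESH_HIT, ...
            hits += 1
    return hits / served if served else 0.0


if __name__ == "__main__":
    print(denials_by_lab(SAMPLE_LOG, LABS))
    print(f"cache hit ratio: {cache_hit_ratio(SAMPLE_LOG):.2f}")
```

Run against the real file with something like `python3 summary.py < /var/squid/logs/access.log` after swapping SAMPLE_LOG for sys.stdin.read(); a denial for a host that should be reachable usually means the allow list is missing the leading-dot form of the domain.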

I did not bother configuring pf on the host, as it sits in a separate vlan behind an OPNsense firewall.

That was easy!