Homelab webproxy using Squid on OpenBSD
Posted on Fri 22 December 2023 in runbsd
Right now I'm building my new homelab environment. On top of Proxmox I deployed an OpenBSD virtual machine that acts as the HTTP egress for all homelab VLANs. This is just a quick write-up of my recipe.
The virtual machine has two cores assigned and 2 GB of RAM.
After installing OpenBSD 7.4, I applied the baseline script described earlier. The next step was installing the squid package:
pkg_add squid3
and configuring /etc/squid/squid.conf. The default file is rather terse and clean, but a very verbose and long one is also available if you need it. As I am somewhat familiar with running squid proxies, I welcomed the short and concise basis that I could extend.
What I wanted was for multiple VLAN/source IP ranges to get access to HTTP/HTTPS sites based on a VLAN-specific allow list. This resulted in two ACL statements per VLAN and a single line to allow access, so three lines of config per VLAN/lab.
I also needed to create the actual files that serve as the allow list per VLAN/lab. Each is just a text file listing domain names, one per line.
acl mylab-src src 10.11.12.0/24
acl mylab-dst dstdomain "/etc/squid/mylab_allowed.txt"
http_access allow mylab-src mylab-dst
The domain allow list:
bash-5.2# cat /etc/squid/mylab_allowed.txt
.lutra.it
.example.org
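Since the recipe repeats the same three lines for every lab, it is worth generating them from a small script that also sanity-checks the inputs before they go into squid.conf: a mistyped CIDR is rejected by Squid at start-up, but a bad line in a dstdomain file (a stray path, a space, a bare ".") fails silently and either never matches or matches everything. The following POSIX sh script is an added example, not part of the original post; the function names, the temporary file and the sample lab values in it are my own, constructed for the demo.

```sh
#!/bin/sh
# Added example (not from the original post): emit the three-line Squid
# stanza described above for one lab, after sanity-checking its inputs.
# Inputs: a lab name, an IPv4 source CIDR, and the path of a dstdomain allow list.

# Accept only a dotted-quad IPv4 CIDR such as 10.11.12.0/24.
valid_cidr() {
    printf '%s\n' "$1" | awk -F'[./]' '
        NF != 5 || $5 !~ /^[0-9]+$/ || $5 > 32 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }
        { exit 0 }'
}

# Accept an allow list only if it is non-empty and every non-blank line is a
# domain name, optionally prefixed with "." (which in Squid dstdomain matches
# the domain and all its subdomains; without the dot only the exact name matches).
valid_allowlist() {
    [ -s "$1" ] || return 1
    awk '
        BEGIN { bad = 0 }
        /^[ \t]*$/ { next }
        $0 !~ /^\.?[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$/ { bad = 1 }
        END { exit bad }' "$1"
}

# Print the stanza: two acl lines and one http_access line, as in the post.
lab_stanza() {
    lab=$1; cidr=$2; list=$3
    valid_cidr "$cidr" || { echo "bad cidr for $lab: $cidr" >&2; return 1; }
    valid_allowlist "$list" || { echo "bad allow list for $lab: $list" >&2; return 1; }
    printf 'acl %s-src src %s\n' "$lab" "$cidr"
    printf 'acl %s-dst dstdomain "%s"\n' "$lab" "$list"
    printf 'http_access allow %s-src %s-dst\n' "$lab" "$lab"
}

# Demo with a constructed allow list (hypothetical lab values, not the post's files).
demo_list=$(mktemp)
printf '.lutra.it\n.example.org\n' > "$demo_list"
lab_stanza mylab 10.11.12.0/24 "$demo_list"
rm -f "$demo_list"
```

Append the generated stanzas above the trailing `http_access deny all` that the default squid.conf ends with, since Squid applies http_access rules first match wins; then run `squid -k parse` to have Squid check the whole file before restarting the service.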
I also configured a disk-based cache and raised the maximum size of objects to hold in the cache to 64 MB. This should allow for a lot of cache hits when updating the same packages on different virtual machines within the homelab.
cache_dir ufs /var/squid/cache 2048 16 256
maximum_object_size 64000000
After saving the changes, I needed to enable the service, initialize the cache directory structure and start the service:
rcctl enable squid
squid -z
rcctl start squid
I did not bother configuring pf on the host, as it sits in a separate VLAN behind an OPNsense firewall.
That was easy!