Homelab webproxy using Squid on OpenBSD

 · Systeemkabouter

Right now I'm building my new homelab environment. On top of Proxmox I deployed an OpenBSD virtual machine that will act as an http egress for all homelab vlans. This is just a quick writeup of my recipe.

The virtual machine has two cores assigned and 2 GB of RAM.

After installing OpenBSD 7.4, I applied the baseline script described earlier. After that, it was installing the squid package:

pkg_add squid3

and configuring /etc/squid/squid.conf. The default file is rather terse and clean, but the very verbose and long one is also available if you need it. As I am somewhat familiar with running squid proxies, I welcomed the short and concise basis that I could extend.

What I wanted to do is have multiple vlan/source IP ranges getting access to http/https sites based on a vlan specific allow list. This resulted in two ACL statements per vlan and a single line to allow access. So three lines of config per vlan/lab.

I also needed to create the actual files that would serve as allow list per vlan/lab. This is just a text file listing domain names, one per line.

acl mylab-src src 10.11.12.0/24
acl mylab-dst dstdomain "/etc/squid/mylab_allowed.txt"

http_access allow mylab-src mylab-dst

domain allow list:

bash-5.2# cat /etc/squid/mylab_allowed.txt 
.lutra.it
.example.org

I also configured a disk based cache and raised the maximum size of objects to hold in the cache to 64 MB. This should allow for a lot of cache hits updating the same packages on different virtual machines within the homelab

cache_dir ufs /var/squid/cache 2048 16 256
maximum_object_size 64000000

After saving the changes, I needed to enable the service, initialize the cache directory structure and start the service

rcctl enable squid
squid -z 
rcctl start squid 

I did not bother configuring pf on the host, als it sits in a separate vlan behind an OpnSENSE firewall.

That was easy!