Contributors: Glenn Chisholm.
True SNMP support is available in squid 2 and above. A significant change in the implimentation occured starting with the development 2.2 code. Therefore there are two sets of instructions on how to configure SNMP in squid, please make sure that you follow the correct one.
To use SNMP, it must first be enabled with the configure script, and squid rebuilt. To enable is first run the script:
./configure --enable-snmp [ ... other configure options ]
Next, recompile after cleaning the source tree :
make clean
make all
make install
Once the compile is completed and the new binary is installed the squid.conf file
needs to be configured to allow access; the default is to deny all requests. The
instructions on how to do this have been broken into two parts, the first for all versions
of Squid from 2.2 onwards and the second for 2.1 and below.
To configure SNMP first specify a list of communities that you would like to allow access by using a standard acl of the form:
acl aclname snmp_community string
For example:
acl snmppublic snmp_community public
acl snmpjoebloggs snmp_community joebloggs
This creates two acl's, with two different communities, public and joebloggs. You can
name the acl's and the community strings anything that you like.
To specify the port that the agent will listen on modify the "snmp_port" parameter, it is defaulted to 3401. The port that the agent will forward requests that can not be furfilled by this agent to is set by "forward_snmpd_port" it is defaulted to off. It must be configured for this to work. Remember that as the requests will be originating from this agent you will need to make sure that you configure your access accordingly.
To allow access to Squid's SNMP agent, define an snmp_access ACL with the community strings that you previously defined. For example:
snmp_access allow snmppublic localhost
snmp_access deny all
The above will allow anyone on the localhost who uses the community public to
access the agent. It will deny all others access.
If you do not define any snmp_access ACL's, then SNMP access is denied by default.
Finally squid allows to you to configure the address that the agent will bind to for incomming and outgoing traffic. These are defaulted to 0.0.0.0, changing these will cause the agent to bind to a specific address on the host, rather than the default which is all.
snmp_incoming_address 0.0.0.0
snmp_outgoing_address 0.0.0.0
Prior to Squid 2.1 the SNMP code had a number of issues with the ACL's. If you are a frequent user of SNMP with Squid, please upgrade to 2.2 or higher.
A sort of default, working configuration is:
snmp_port 3401
snmp_mib_path /local/squid/etc/mib.txt
snmp_agent_conf view all .1.3.6 included
snmp_agent_conf view squid .1.3.6 included
snmp_agent_conf user squid - all all public
snmp_agent_conf user all all all all squid
snmp_agent_conf community public squid squid
snmp_agent_conf community readwrite all all
Note that for security you are advised to restrict SNMP access to your caches. You can do this easily as follows:
acl snmpmanagementhosts 1.2.3.4/255.255.255.255 1.2.3.0/255.255.255.0
snmp_acl public deny all !snmpmanagementhosts
snmp_acl readwrite deny all
You must follow these instructions for 2.1 and below exactly or you are
likely to have problems. The parser has some issues which have been corrected
in 2.2.
You can test if your Squid supports SNMP with the snmpwalk program (snmpwalk is a part of the UCD-SNMP project). Note that you have to specify the SNMP port, which in Squid defaults to 3401.
snmpwalk -p 3401 hostname communitystring .1.3.6.1.4.1.3495.1.1
If it gives output like:
enterprises.nlanr.squid.cacheSystem.cacheSysVMsize = 7970816
enterprises.nlanr.squid.cacheSystem.cacheSysStorage = 2796142
enterprises.nlanr.squid.cacheSystem.cacheUptime = Timeticks: (766299) 2:07:42.99
then it is working ok, and you should be able to make nice statistics out of it.
For an explanation of what every string (OID) does, you should refer to the Cache SNMP web pages.
There are a lot of things you can do with SNMP and Squid. It can be useful in some extent for a longer term overview of how your proxy is doing. It can also be used as a problem solver. For example: how is it going with your filedescriptor usage? or how much does your LRU vary along a day. Things you can't monitor very well normally, aside from clicking at the cachemgr frequently. Why not let MRTG do it for you?
There are a number of tools that you can use to monitor Squid via SNMP. A very popular one is MRTG, there are however a number of others. To learn what they are and to get additional documentation, please visit the Cache SNMP web pages.
We use MRTG to query Squid through its SNMP interface.
To get instruction on using MRTG with Squid please visit these pages:
General Discussion: cache-snmp@ircache.net These messages are archived.
Subscriptions should be sent to: cache-snmp-request@ircache.net.