Install Squid:

yum -y install squid



In httpd.conf, make sure the Apache server only listens on port 80 of the localhost interface:

Listen 127.0.0.1:80


If using Touchstone, then also add the following to the end of httpd.conf:

ProxyPass /Shibboleth.sso/ https://idp.mit.edu/Shibboleth.sso/
ProxyPassReverse /Shibboleth.sso/ https://idp.mit.edu/Shibboleth.sso/
ProxyPass /Touchstone/ https://idp.mit.edu/Touchstone/
ProxyPassReverse /Touchstone/ https://idp.mit.edu/Touchstone/


In squid.conf, make sure the following items are set as described:

http_port ist-prod-pubs1.mit.edu:80 defaultsite=ist.mit.edu vhost

http_access allow all

cache_peer 127.0.0.1 parent 80 0 no-query originserver name=Accelerator


Restart the Apache server:

/etc/init.d/web restart


If using Touchstone, then restart shibd:

/etc/init.d/shibd restart


In this instance I have an "http_access allow all" directive in my configuration. For a regular forward web proxy, where clients connect to make outbound requests, this would be a very bad idea. Here, however, Squid only proxies inbound requests to our Apache server. By declaring our Apache server as the sole parent, we have restricted the connections the cache can make to that one server. We also did not want to restrict inbound traffic, on the premise that our users could be from anywhere.

It should be possible to restrict the outbound side of the request with ACLs as well. In practice, though, that would have no effect, because the parent directive already forces every request to our Apache server. Since our Apache server is not configured as an open proxy (or as any kind of proxy at all), the only sites users can reach through our Squid are those served by our own Apache server, which is exactly the configuration we want.
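As an added check (not part of the original page), the script below verifies the premise of the setup steps and of the two paragraphs above against httpd.conf and squid.conf: every Apache Listen directive binds 127.0.0.1, Squid's http_port is in accelerator (vhost) mode, and the only originserver parent is that loopback Apache on the same port. The file paths and the sample configuration files it writes are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original page: a sanity check for the Squid
# accelerator layout above. It fails if Apache could be reached on any
# interface other than 127.0.0.1, or if Squid is not pinned to that local
# Apache as its originserver parent. Paths and sample configs are constructed.

# Print Apache's port when every Listen directive binds 127.0.0.1 (the IPv4
# loopback, as in the page) on a single port; print nothing otherwise.
apache_loopback_port() {
    awk 'tolower($1) == "listen" {
             n++
             if (split($2, a, ":") == 2 && a[1] == "127.0.0.1") {
                 if (!(a[2] in seen)) distinct++
                 seen[a[2]] = 1
             } else bad = 1
         }
         END { if (n > 0 && !bad && distinct == 1) for (p in seen) print p }' "$1"
}

# Print "host port" of the cache_peer declared as an originserver parent
# (cache_peer host type http-port icp-port [options]).
squid_origin_peer() {
    awk '$1 == "cache_peer" && $3 == "parent" { for (i = 6; i <= NF; i++) if ($i == "originserver") print $2, $4 }' "$1"
}

# Exit 0 only when httpd.conf and squid.conf agree: Apache loopback-only,
# Squid in accelerator mode, and the parent pointing at that loopback port.
check_reverse_proxy_config() {
    port=$(apache_loopback_port "$1")
    [ -n "$port" ] || { echo "FAIL: Apache must Listen only on 127.0.0.1"; return 1; }
    grep -Eq '^[[:space:]]*http_port[[:space:]].*(vhost|accel)' "$2" \
        || { echo "FAIL: http_port is not in accelerator (vhost) mode"; return 1; }
    [ "$(squid_origin_peer "$2")" = "127.0.0.1 $port" ] \
        || { echo "FAIL: cache_peer must be 127.0.0.1 parent $port ... originserver"; return 1; }
    echo "OK: Apache on 127.0.0.1:$port is reachable only through Squid"
}

# Constructed sample configs: the page's settings, plus a variant where Apache
# is still listening on every interface (so Squid can be bypassed entirely).
SAMPLE_DIR=${TMPDIR:-/tmp}/squid-accel-check.$$
mkdir -p "$SAMPLE_DIR"
printf 'Listen 127.0.0.1:80\n' > "$SAMPLE_DIR/httpd-good.conf"
printf 'Listen 80\nListen 127.0.0.1:80\n' > "$SAMPLE_DIR/httpd-bad.conf"
cat > "$SAMPLE_DIR/squid.conf" <<'EOF'
http_port ist-prod-pubs1.mit.edu:80 defaultsite=ist.mit.edu vhost
http_access allow all
cache_peer 127.0.0.1 parent 80 0 no-query originserver name=Accelerator
EOF

check_reverse_proxy_config "$SAMPLE_DIR/httpd-good.conf" "$SAMPLE_DIR/squid.conf"
check_reverse_proxy_config "$SAMPLE_DIR/httpd-bad.conf" "$SAMPLE_DIR/squid.conf" || true
```

Run it against the real /etc/httpd/conf/httpd.conf and /etc/squid/squid.conf after the restart steps above; a FAIL line names the directive that would let traffic reach Apache without passing through Squid.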

