How to Install and Configure Squid Proxy on Linux – Step‑by‑Step Guide

Introduction

Squid is a popular high‑performance free application‑level proxy server for Linux/Unix, offering flexible access control, high performance, and efficiency. Proxy servers provide caching, replication, address filtering, bandwidth saving, and can act as firewalls and monitoring tools.

How a Proxy Server Works

Client A sends a request to the proxy.

The proxy matches the request against ACLs; if allowed, it checks the cache.

If the resource is cached, it returns it; otherwise the proxy fetches it from the Internet.

The remote host sends the response to the proxy, which stores it in the cache.

The proxy forwards the response to client A.

When client B requests the same resource, the proxy serves it from the cache.

Hardware Requirements

Insufficient memory severely degrades performance.

More disk space yields larger cache directories and higher hit rates.

Squid uses the disk for cache, so fast disks (e.g., high‑speed SCSI or RAID) are recommended.

Installation

rpm -qa squid
yum -y install squid

You can also compile from source (download URL omitted).

Configuration

cd /etc/squid/
cp squid.conf squid.conf.bak

Backup the original configuration file.

grep -P -v '#|^$' squid.conf
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 3128
hierarchy_stoplist cgi-bin ?
coredump_dir /var/spool/squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

Example of a minimal configuration:

> > squid.conf      # clear default config
vim squid.conf      # rewrite configuration

http_port 192.168.1.88:3128
cache_mem 64 MB
cache_dir ufs /opt/squid_cache 4096 16 256
cache_effective_user squid
cache_effective_group squid
dns_nameservers 8.8.8.8
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
visible_hostname 192.168.1.88
cache_mgr [email protected]
http_access allow all

Initialization

mkdir /opt/squid_cache
chown -R squid.squid /opt/squid_cache/

squid -k check

Fix the ACL “all” issue and then run:

squid -k check
squid -z

Starting the Service

service squid start

If start fails, check /var/log/squid/cache.log for permission errors; disabling SELinux may help:

getenforce
setenforce 0
service squid start

Verify with netstat -anpt | grep 3128.

Testing

curl -x 192.168.1.88:3128 www.sina.com

Check cached files under /opt/squid_cache (e.g., 00000004 contains the homepage).

Access Control Lists (ACLs)

Examples:

# Block a specific client
acl badclientip src 192.168.1.110
http_access deny badclientip

# Block an entire subnet
acl badclientnet src 192.168.1.0/24
http_access deny badclientnet

# Block a destination IP
acl badwebserver dst 61.135.169.121
http_access deny badwebserver

# Block a domain
acl badwebserver dstdomain www.163.com
http_access deny badwebserver

# Block URLs containing a string
acl badwebserver url_regex 163.com
http_access deny badwebserver

# Block file types
acl badfile urlpath_regex -i .mp3 .mp4 .exe .zip .rar
http_access deny badfile

# Limit concurrent connections for an IP
acl clientip src 192.168.1.110
acl conn10 maxconn 10
http_access deny clientip conn10

# Time‑based restriction
acl clientnet src 192.168.1.0/24
acl worktime time MTWHF 9:00-18:00
http_access deny clientnet worktime