How to Set Up Transparent and Reverse Proxy with Squid on Linux

This guide walks through installing Squid on Linux, configuring it as a transparent proxy for internal clients, setting up a reverse proxy for external web servers, and applying common ACL rules to control access and improve network performance.

Raymond Ops

Squid is a popular high-performance proxy service on Linux, commonly used as a front-end cache for web sites. It intercepts user requests, fetches content from the origin servers, caches it locally, and serves later requests from that cache to reduce latency and load on the origin.

Configure Transparent Proxy

Transparent proxy lets users access the proxy without manual configuration, lowering the usage barrier and allowing covert monitoring of employee web activity. In this experiment we set up a Squid transparent proxy using 10.10.10.20 as the external network and a Windows 10 machine as the internal client.

<code>[Host Type]   [IP Address]    [NIC]   [Mode]      [Role]
Windows 10    192.168.1.8     eth0    Bridge      Internal client
Squid         192.168.1.10    eth0    Bridge      Internal gateway
Squid         10.10.10.10     eth1    Host-only   External network
Apache        10.10.10.20     eth0    Host-only   Simulated web server</code>

Configure Squid Gateway

1. Install Squid via yum.

<code># yum install -y squid
Package 7:squid-3.5.20-12.el7.x86_64 already installed and latest version</code>

2. Edit /etc/squid/squid.conf to enable transparent mode.

<code># And finally deny all other access to this proxy
http_access deny all
http_port 192.168.1.10:3128 transparent   # "transparent" is the older keyword for what Squid 3.1+ calls "intercept"; 3.5 still accepts it with a deprecation warning
visible_hostname www.lyshark.com</code>

3. Enable IP forwarding and apply kernel parameters.

<code># echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
# sysctl -p
# echo "1" > /proc/sys/net/ipv4/ip_forward</code>

4. Add an iptables NAT rule in the PREROUTING chain that redirects the internal network's outbound HTTP (port 80) traffic to the Squid port.

<code>iptables -t nat -A PREROUTING -i eth0 -s 192.168.1.0/24 -p tcp --dport 80 -j REDIRECT --to-ports 3128</code>

5. Start Squid and enable it at boot.

<code># systemctl restart squid
# systemctl enable squid</code>

Configure Internal Client

<code>route add default gw 192.168.1.10 # add default gateway pointing to Squid gateway</code>

Configure External Web (Reverse Proxy)

Install and start Apache to simulate the external web.

<code># yum install -y httpd
# systemctl restart httpd</code>

Configure Two Internal Web Servers

Install Apache on each server and set a simple index page.

<code># yum install -y httpd
# echo "web *" > /var/www/html/index.html   # replace * with something that identifies this server, so responses show which backend answered
# systemctl restart httpd</code>

Add default gateway pointing to the external network interface (10.10.10.10).

<code># route add default gw 10.10.10.10</code>

Configure Squid Reverse Proxy

1. Install Squid (same as above).

2. Enable IP forwarding (same commands as above).

3. Edit /etc/squid/squid.conf to listen on port 80 and define the cache peers.

<code>http_access allow all                      # in production, pair this with cache_peer_access / never_direct so the accelerator cannot be used as an open forward proxy
http_port 192.168.1.10:80 vhost            # accelerator (reverse proxy) mode, selecting backends by virtual host
cache_peer 10.10.10.20 parent 80 0 originserver round-robin weight=1   # backend web server 1 (port 80, no ICP)
cache_peer 10.10.10.30 parent 80 0 originserver round-robin weight=1   # backend web server 2</code>

4. Restart and enable Squid.

<code># systemctl restart squid
# systemctl enable squid</code>

Common ACL Parameters

Squid evaluates http_access rules from top to bottom and applies the first one that matches, so in a real configuration the specific rules come first and the catch-all deny all is the last http_access line. The directives below are a reference list of commonly used parameters, not a configuration to apply verbatim.

<code>http_port 3128                                    # default proxy listen port
http_port 192.168.1.1:80                          # listen only on the internal interface
cache_mem 512MB                                   # memory cache size
cache_dir ufs /var/spool/squid 4096 16 256        # disk cache: 4096 MB, 16 first-level and 256 second-level directories
dns_nameservers 8.8.8.8                           # resolver used by Squid
visible_hostname www.lyshark.com                  # hostname shown in error pages and headers
acl all src 0.0.0.0/0.0.0.0                       # "all" is predefined in Squid 3.x; redefining it only produces a warning
http_access deny all                              # deny everything not allowed above; keep this as the LAST http_access line
acl client src 192.168.1.0/255.255.255.0          # the internal subnet
http_access deny client
acl baidu dstdomain www.baidu.com                 # match by destination domain
http_access deny baidu
acl badtime time MTWHF 9:00-13:00                 # Monday to Friday, 09:00-13:00
http_access deny client badtime                   # both acls must match (logical AND)
acl badfile urlpath_regex -i \.mp3$ \.exe$ \.zip$ \.rar$   # match the URL path, case-insensitive
http_access deny badfile
acl badsite dstdomain -i www.baidu.com            # case-insensitive domain match
http_access deny badsite
acl sex url_regex -i SEX                          # match anywhere in the full URL, case-insensitive
http_access deny sex
acl deny_port port 22 23 25 53 110 119            # block proxying to these destination ports
http_access deny deny_port</code>
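Because the first matching http_access line wins, a misplaced deny all silently disables every rule after it, and a rule that names an acl defined nowhere makes Squid refuse to start. The following shell lint is an added example, not part of the article: it checks a squid.conf for both problems, using a constructed function name and two constructed sample configs built from the rules above.

```shell
#!/bin/sh
# Lint a squid.conf for http_access rules that can never take effect.
# Squid evaluates http_access top-down and stops at the first match, so any
# rule after an unconditional "http_access deny all" / "allow all" is dead,
# and a rule naming an acl that is not defined above it fails at parse time.
# The function name and both sample configs are constructed for this example.
squid_acl_lint() {
  awk '
    { sub(/#.*/, ""); if ($0 ~ /^[ \t]*$/) next }    # drop comments and blank lines
    $1 == "acl" { defined[$2] = NR }                  # record where each acl is defined
    $1 == "http_access" {
      if (terminal) { printf "unreachable: line %d: %s\n", NR, $0; bad++; next }
      for (i = 3; i <= NF; i++) {
        name = $i; sub(/^!/, "", name)                # "!acl" negates but still references it
        if (name != "all" && !(name in defined))      # "all" is built in on Squid 3.x
          { printf "undefined acl: line %d: %s\n", NR, name; bad++ }
      }
      if (NF == 3 && $3 == "all") terminal = NR       # "allow all" / "deny all" matches everything
    }
    END { exit (bad > 0) }
  ' "$1"
}

# Constructed sample: rules from the article in an order that defeats them.
BAD_CONF=$(mktemp)
cat > "$BAD_CONF" <<'EOF'
# client rules, wrongly ordered
acl client src 192.168.1.0/255.255.255.0
acl badfile urlpath_regex -i \.mp3$ \.exe$
http_access deny badfile
http_access deny client badtime
http_access deny all
http_access allow client
EOF

# Constructed sample: same rules with specific ones first and "deny all" last.
GOOD_CONF=$(mktemp)
cat > "$GOOD_CONF" <<'EOF'
acl client src 192.168.1.0/255.255.255.0
acl badfile urlpath_regex -i \.mp3$ \.exe$
http_access deny badfile
http_access allow client
http_access deny all
EOF
trap 'rm -f "$BAD_CONF" "$GOOD_CONF"' EXIT

squid_acl_lint "$BAD_CONF" || echo "BAD_CONF: fix the rule order before deploying"
squid_acl_lint "$GOOD_CONF" && echo "GOOD_CONF: no unreachable or undefined rules"
```

Run it against a real squid.conf before squid -k reconfigure; it exits non-zero whenever a finding is printed, so it fits into a pre-deploy check.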