How to Set Up Transparent and Reverse Squid Proxy on Linux
This guide walks through installing Squid on Linux, configuring it as a transparent and reverse proxy, setting up internal and external hosts, adjusting routing and firewall rules, and applying common ACL parameters to control access and improve performance.
Squid is a widely used high‑performance proxy service on Linux that caches web content, reduces client wait time, and eases backend server load.
Configure Transparent Proxy
A transparent proxy works without user configuration, automatically routing traffic through the proxy via DHCP‑assigned network settings.
The experiment uses 10.10.10.20 to simulate the external network and a Windows 10 machine as the internal client.
Host type    IP address     NIC    NIC mode    Role
Windows 10   192.168.1.8    eth0   Bridged     simulated internal network
Squid        192.168.1.10   eth0   Bridged     internal gateway
             10.10.10.10    eth1   Host-only   simulated external interface
Apache       10.10.10.20    eth0   Host-only   simulated web server
Configure Squid Gateway
1. Install Squid via yum:
# yum install -y squid
2. Edit /etc/squid/squid.conf to enable transparent mode. Only the lines below change; leave the stock acl localnet / http_access allow localnet lines where they are, above the final deny, because Squid stops at the first http_access rule that matches:
# And finally deny all other access to this proxy
http_access deny all
# Squid normally listens to port 3128; "transparent" is the old spelling of
# this option, newer Squid releases call it "intercept"
http_port 192.168.1.10:3128 transparent
visible_hostname www.lyshark.com
# cache_dir ufs /var/spool/squid 100 16 256
3. Enable IP forwarding:
# echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
# sysctl -p
# echo "1" > /proc/sys/net/ipv4/ip_forward
4. Add an iptables NAT rule that redirects every HTTP request from the internal network to the proxy port (only TCP port 80 is intercepted by this rule; HTTPS is not proxied):
# iptables -t nat -A PREROUTING -i eth0 \
    -s 192.168.1.0/24 -p tcp --dport 80 \
    -j REDIRECT --to-ports 3128
5. Start Squid and enable it at boot:
# systemctl restart squid
# systemctl enable squid
Configure Internal Client
On the internal client, point the default route at the Squid internal interface (192.168.1.10):
route add default gw 192.168.1.10
Configure External Web Server
Install and start Apache to simulate the external site:
# yum install -y httpd
# systemctl restart httpd
Configure Reverse Proxy
A reverse proxy sits between the Internet and local web servers, handling all incoming requests and reducing load on the backend servers.
The experiment sets up Squid as a reverse proxy for two Apache web servers.
Host type    IP address     NIC    NIC mode    Role
Windows 10   192.168.1.8    eth0   Bridged     simulated external network
Squid        192.168.1.10   eth0   Bridged     external interface
             10.10.10.10    eth1   Host-only   internal interface
Apache       10.10.10.20    eth0   Host-only   simulated web_1
Apache       10.10.10.30    eth0   Host-only   simulated web_2
Configure Two Web Servers
Install Apache on each internal server and set it to start on boot:
# yum install -y httpd
# echo "web *" >/var/www/html/index.html
# systemctl restart httpd
(Use a distinct marker on each server, such as web_1 and web_2 as in the table above, so that the reverse proxy's round-robin shows in the responses.)
Add a default gateway on each web server pointing to the Squid internal interface (10.10.10.10):
# route add default gw 10.10.10.10
Configure Squid Reverse Proxy
1. Install Squid (if not already installed):
# yum install -y squid
2. Enable IP forwarding (same commands as above):
# echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
# sysctl -p
# echo "1" > /proc/sys/net/ipv4/ip_forward
3. Edit /etc/squid/squid.conf to allow all traffic and define the external interface and cache peers:
# allow all: any client that reaches port 80 can request any Host name from the
# backends; in production restrict this with a dstdomain acl for the accelerated site(s)
http_access allow all
# Squid normally listens to port 3128; here it answers on port 80 of the external
# interface in accelerator mode, and vhost picks the backend by the request's Host header
http_port 192.168.1.10:80 vhost
cache_peer 10.10.10.20 parent 80 0 originserver round-robin weight=1
cache_peer 10.10.10.30 parent 80 0 originserver round-robin weight=1
# cache_dir ufs /var/spool/squid 100 16 256
4. Restart and enable Squid:
# systemctl restart squid
# systemctl enable squid
Common ACL Parameters
# Squid configuration common parameters
http_port 3128
http_port 192.168.1.1:80 # listen on internal interface only
cache_mem 512MB
cache_dir ufs /var/spool/squid 4096 16 256
cache_effective_user squid
cache_effective_group squid
dns_nameservers 8.8.8.8
visible_hostname www.lyshark.com
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
cache_mgr [email protected]
http_access [allow|deny]
# Deny all clients
acl all src 0.0.0.0/0.0.0.0
http_access deny all
# Block 192.168.1.0/24 network
acl client src 192.168.1.0/255.255.255.0
http_access deny client
# Block access to www.baidu.com
acl baidu dstdomain www.baidu.com
http_access deny baidu
# Block 192.168.1.0/24 users Mon‑Fri 9:00‑13:00
acl badtime time MTWHF 9:00-13:00
http_access deny client badtime
# Block certain file types
acl badfile urlpath_regex -i \.mp3$ \.exe$ \.zip$ \.rar$
http_access deny badfile
# Block specific site
acl badsite dstdomain -i www.baidu.com
http_access deny badsite
# Block URLs containing "SEX"
acl sex url_regex -i SEX
http_access deny sex
# Deny dangerous ports
acl deny_port port 22 23 25 53 110 119
http_access deny deny_port
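Squid evaluates http_access lines from top to bottom and stops at the first match, so the order of the rules above is what decides the policy: any rule placed after a "deny all" or "allow all" can never fire, and the reverse-proxy snippet's "allow all" relays requests for every client that can reach the port. The following POSIX shell linter, an added example that is not part of the original article, flags both situations in a squid.conf; the function name squid_acl_lint and the three sample configurations are constructed for this demonstration.

```shell
#!/bin/sh
# Added example, not from the original article: a small linter for the http_access
# section of a squid.conf. Squid walks http_access lines top to bottom and stops at
# the first match, so any rule after "http_access allow all" / "http_access deny all"
# can never fire, and "allow all" on a port that untrusted clients can reach makes
# Squid relay requests for anyone.

# squid_acl_lint [FILE]   reads FILE (or stdin); prints one finding per line and
# returns 1 when there is at least one finding, 0 for a clean config
squid_acl_lint() {
    awk '
        # drop comments and surrounding blanks; skip lines that become empty
        { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, ""); if ($0 == "") next }
        $1 == "http_access" {
            if (terminal != "") {
                printf "line %d: unreachable rule \"%s\" (after \"%s\" on line %d)\n", NR, $0, terminal, tline
                found = 1
            }
            if ($3 == "all" && ($2 == "allow" || $2 == "deny")) { terminal = $0; tline = NR }
            if ($2 == "allow" && $3 == "all") {
                printf "line %d: \"%s\" relays requests for any client that can reach this port; restrict it to known networks or accelerated domains\n", NR, $0
                found = 1
            }
        }
        END { exit (found ? 1 : 0) }
    ' ${1:+"$1"}
}

# Constructed sample 1: the final "deny all" has slipped above the allow rule
CONF_DENY_FIRST='acl localnet src 192.168.1.0/24
http_access deny all
http_access allow localnet
http_port 192.168.1.10:3128 intercept'

# Constructed sample 2: the reverse-proxy snippet, "allow all" on the public interface
CONF_ALLOW_ALL='http_access allow all
http_port 192.168.1.10:80 vhost
cache_peer 10.10.10.20 parent 80 0 originserver round-robin'

# Constructed sample 3: allow the internal network first, deny everything else last
CONF_OK='acl localnet src 192.168.1.0/24
http_access allow localnet
http_access deny all   # comments after a rule are ignored'

for sample in "$CONF_DENY_FIRST" "$CONF_ALLOW_ALL" "$CONF_OK"; do
    printf '%s\n' "$sample" | squid_acl_lint && echo "clean" || echo "needs attention"
    echo "--"
done
```

Run it against the real file with `squid_acl_lint /etc/squid/squid.conf` before `systemctl restart squid`; it reads the config statically, so it needs no running Squid and no root.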
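Whether the transparent proxy, the round-robin cache_peer setup and the ACLs above behave as intended shows up in /var/log/squid/access.log. In Squid's native format each line carries, in order: timestamp, elapsed milliseconds, client address, result/status, bytes, method, URL, ident, hierarchy/peer, content type. Field 9 tells where a reply came from: HIER_DIRECT/<ip> when the transparent proxy fetched the origin itself, <TYPE>_PARENT/<ip> when a cache_peer answered, HIER_NONE/- for cache hits and denied requests. The two shell functions below, an added example rather than part of the original article, count the requests each origin server answered and the requests each client had denied; the function names and the log lines are constructed for this demonstration and use the lab addresses from the tables above.

```shell
#!/bin/sh
# Added example, not from the original article: summarize Squid's native access.log
# to check that the reverse proxy really spreads requests across both cache_peers and
# to see which clients the http_access ACLs are denying. Field 9 (hierarchy/peer) is
# HIER_DIRECT/<ip> for a direct fetch by the transparent proxy, <TYPE>_PARENT/<ip>
# when a cache_peer answered, HIER_NONE/- for cache hits and denied requests.

# squid_peer_distribution [FILE]  ->  "<origin ip> <requests>" per origin server, sorted
squid_peer_distribution() {
    awk '{
        split($9, h, "/")
        if (h[1] ~ /_PARENT$/ || h[1] == "HIER_DIRECT") n[h[2]]++
    }
    END { for (p in n) print p, n[p] }' ${1:+"$1"} | sort
}

# squid_denied_by_client [FILE]  ->  "<client ip> <denied requests>", most denials first;
# a client that suddenly tops this list is misconfigured or probing the proxy
squid_denied_by_client() {
    awk '$4 ~ /^TCP_DENIED\// { n[$3]++ }
         END { for (c in n) print c, n[c] }' ${1:+"$1"} | sort -k2,2nr -k1,1
}

# Constructed log lines using the lab addresses from the article: a direct fetch and a
# cache hit through the transparent proxy, two round-robin replies from the reverse
# proxy's peers, and denials by the dstdomain and port ACLs from the parameter list
SAMPLE_LOG='1700000000.001     12 192.168.1.8 TCP_MISS/200 512 GET http://10.10.10.20/ - HIER_DIRECT/10.10.10.20 text/html
1700000000.250      3 192.168.1.8 TCP_HIT/200 512 GET http://10.10.10.20/ - HIER_NONE/- text/html
1700000001.002     15 192.168.1.8 TCP_MISS/200 640 GET http://www.lyshark.com/ - ROUNDROBIN_PARENT/10.10.10.20 text/html
1700000001.400     14 192.168.1.8 TCP_MISS/200 640 GET http://www.lyshark.com/news - ROUNDROBIN_PARENT/10.10.10.30 text/html
1700000002.100      0 192.168.1.8 TCP_DENIED/403 3921 GET http://www.baidu.com/ - HIER_NONE/- text/html
1700000002.300      0 192.168.1.9 TCP_DENIED/403 3921 CONNECT 10.10.10.20:22 - HIER_NONE/- -
1700000002.500      0 192.168.1.9 TCP_DENIED/403 3921 CONNECT 10.10.10.20:23 - HIER_NONE/- -'

echo "requests per origin server:"
printf '%s\n' "$SAMPLE_LOG" | squid_peer_distribution
echo "denied requests per client:"
printf '%s\n' "$SAMPLE_LOG" | squid_denied_by_client
```

On the lab box, `squid_peer_distribution /var/log/squid/access.log` after a handful of requests to the reverse proxy should show both 10.10.10.20 and 10.10.10.30 with similar counts; a single address means round-robin is not in effect. The functions read whatever file they are given, so they also work on rotated logs.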
MaGe Linux Operations