Mastering Squid Proxy: Installation, Configuration, and Access Control on Linux
This guide walks you through Squid's features, how it works, hardware requirements, step‑by‑step installation, default and custom configuration, initialization, testing, and detailed ACL examples to control access and improve network performance on Linux systems.
Squid is a popular, free, high-performance application-level proxy server for Linux/Unix that offers flexible access control and efficient caching. It provides file caching, replication, and address filtering, and can act as a firewall that isolates the internal network from the external one while monitoring traffic.
Working Principle
1. Client A sends an Internet request to the proxy server.
2. The proxy matches the request against its ACL rules and checks the cache for the requested resource.
3. If the resource is cached, it is returned from the cache; otherwise the proxy fetches it from the Internet.
4. The fetched response is stored in the cache.
5. The proxy forwards the response to Client A.
6-8. Subsequent requests (e.g., from Client B) follow the same process and are served from the cache when the resource is already there.
Hardware Requirements
Insufficient memory severely impacts performance.
Ample disk space allows larger cache directories and raises the hit rate.
Squid uses the disk for its cache, so fast storage is needed; high-speed SCSI disks or RAID are recommended.
Installation
Check whether Squid is already installed, then install it from the distribution repository:
<code>rpm -qa squid</code>
<code>yum -y install squid</code>
You can also compile from source (e.g., http://www.squid-cache.org/Versions/v3/3.4/squid-3.4.10.tar.gz).
Configuration
Backup the original configuration:
<code>cd /etc/squid/
cp squid.conf squid.conf.bak</code>
Default configuration (trimmed for clarity):
<code>acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 3128
hierarchy_stoplist cgi-bin ?
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320</code>
Typical custom settings:
<code>http_port 192.168.1.88:3128
cache_mem 64 MB
cache_dir ufs /opt/squid_cache 4096 16 256
cache_effective_user squid
cache_effective_group squid
dns_nameservers 8.8.8.8
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
visible_hostname 192.168.1.88
cache_mgr [email protected]
acl all src 0.0.0.0/0.0.0.0
http_access allow all</code>
Note that Squid 3.x already predefines the <code>all</code> ACL, so redefining it is unnecessary, and <code>http_access allow all</code> turns Squid into an open proxy for every host that can reach port 3128. Unless the proxy is unreachable from outside your network, allow only your own subnet (as the default configuration's <code>http_access allow localnet</code> does) and end the list with <code>http_access deny all</code>.
Initialization
Create the cache directory, hand it to the squid user, and check the configuration:
<code>mkdir /opt/squid_cache
chown -R squid:squid /opt/squid_cache/</code>
<code>squid -k check</code>
(<code>squid -k parse</code> is the option dedicated to parsing the configuration file without signalling a running process.)
Fix SELinux if needed:
<code>getenforce
setenforce 0</code>
Setting SELinux to permissive disables it for the whole host. A narrower fix that keeps SELinux enforcing is to label the new cache directory with the type Squid's policy expects: <code>semanage fcontext -a -t squid_cache_t "/opt/squid_cache(/.*)?"</code> followed by <code>restorecon -Rv /opt/squid_cache</code>.
Then start the service:
<code>service squid start</code>
Testing
<code>curl -x 192.168.1.88:3128 www.sina.com</code>
Check for cached files under /opt/squid_cache to verify that caching works.
Access Control Lists (ACL)
Examples of restricting access (each commented pair is an independent example; Squid rejects an ACL name that is reused with a different type, so rename <code>badwebserver</code> if you combine several of them in one file):
<code># Block a specific client IP
acl badclientip src 192.168.1.110
http_access deny badclientip
# Block an entire subnet
acl badclientnet src 192.168.1.0/24
http_access deny badclientnet
# Block a specific destination IP
acl badwebserver dst 61.135.169.121
http_access deny badwebserver
# Block a domain
acl badwebserver dstdomain .163.com
http_access deny badwebserver
# Block URLs containing a pattern (e.g., 163.com)
acl badwebserver url_regex 163.com
http_access deny badwebserver
# Block file types
acl badfile urlpath_regex -i \.mp3|\.mp4|\.exe|\.zip|\.rar
http_access deny badfile
# Limit concurrent connections for a client
acl clientip src 192.168.1.110
acl maxconn maxconn 10
http_access deny clientip maxconn
# Time‑based restriction for a subnet
acl clientnet src 192.168.1.0/24
acl worktime time MTWHF 9:00-18:00
http_access deny clientnet worktime</code>
Order matters: Squid evaluates <code>http_access</code> lines top to bottom and the first line whose ACLs all match decides the request, so these deny rules must be placed before any broad allow such as <code>http_access allow localnet</code>; if no line matches, the default is the opposite of the last line's action.
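To make the ordering rule concrete, here is an added Python model of Squid's http_access evaluation (example code written for this guide, not part of Squid or the original post). It supports only the src and dstdomain ACL types and uses two constructed configuration fragments that differ solely in rule order; the "no match means the opposite of the last line" behaviour follows Squid's documented semantics.

```python
import ipaddress

# Constructed squid.conf fragments (not the page's file). In CONF_WRONG the deny lines
# come after a broad allow, so a localnet client is allowed before they are reached.
ACLS = """acl localnet src 192.168.1.0/24
acl badclientip src 192.168.1.110
acl badsite dstdomain .163.com
"""
CONF_WRONG = ACLS + "http_access allow localnet\nhttp_access deny badclientip\nhttp_access deny badsite\n"
CONF_RIGHT = ACLS + "http_access deny badclientip\nhttp_access deny badsite\nhttp_access allow localnet\n"

def parse(conf):
    """Collect acl definitions (name -> (type, values)) and http_access lines in file order."""
    acls, rules = {"all": ("src", ["0.0.0.0/0"])}, []  # 'all' is predefined in Squid 3.x
    for line in conf.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "acl":
            kind, values = acls.setdefault(parts[1], (parts[2], []))
            if kind != parts[2]:  # Squid refuses a name reused with another type
                raise ValueError(f"acl {parts[1]} reused with a different type")
            values.extend(parts[3:])
        elif parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules

def acl_matches(acl, client_ip, host):
    """Only the src and dstdomain ACL types are modelled here; others raise."""
    kind, values = acl
    if kind == "src":
        ip = ipaddress.ip_address(client_ip)
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "dstdomain":  # a leading dot matches the domain and all its subdomains
        return any(host == v.lstrip(".") or (v.startswith(".") and host.endswith(v)) for v in values)
    raise ValueError(f"unsupported acl type {kind}")

def decide(conf, client_ip, host):
    """First http_access line whose ACL terms all match wins; a '!' prefix negates a term."""
    acls, rules = parse(conf)
    for action, terms in rules:
        if all(acl_matches(acls[t.lstrip("!")], client_ip, host) != t.startswith("!") for t in terms):
            return action
    if not rules:  # no http_access lines at all: Squid denies
        return "deny"
    return "deny" if rules[-1][0] == "allow" else "allow"  # default is the opposite of the last line
```

Run decide(CONF_WRONG, "192.168.1.110", "www.163.com") against decide(CONF_RIGHT, ...) with the same arguments to see the blocked client slip through the misordered file.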
Raymond Ops
Linux ops automation, cloud-native, Kubernetes, SRE, DevOps, Python, Golang and related tech discussions.