
Mastering Squid Proxy: Installation, Configuration, and Transparent Proxy Setup

This guide walks through what Squid is, its traditional and transparent proxy modes, step‑by‑step installation, configuration of cache directories, service scripts, temporary and permanent proxy settings on Linux, and notes on using Squid as a unified outbound gateway.

MaGe Linux Operations

What is Squid

Squid is a caching proxy for Internet data. It receives requests for objects that users want to download, fetches them from remote servers (e.g., http://squid.nlanr.net), stores a copy locally, and serves subsequent requests from its disk cache, dramatically speeding up delivery. Squid supports HTTP, FTP, GOPHER, SSL, and WAIS protocols, but not POP, NNTP, RealAudio, and other protocols.

In my environment Squid is used as a unified outbound gateway: the Squid server is the only device allowed to access the public network, and all internal servers are configured to use it as a proxy, enabling them to reach public yum repositories and other external resources.

Basic Types of Squid

Traditional proxy – a normal proxy service that requires the proxy address and port to be configured manually in browsers, chat tools, download software, etc. DNS resolution for the requested sites is also handled by the proxy.

Transparent proxy – provides the same functionality as a traditional proxy, but client machines do not need to specify the proxy address; traffic is redirected via routing or firewall rules, making the proxy usage invisible to the client.

Squid Deployment

Download URL: http://www.squid-cache.org/Versions/v4/squid-4.8.tar.gz. For Squid v3 any C++ compiler works; for v4 or newer a C++11‑compatible compiler is required.

# gcc-c++ provides the C++11 compiler that Squid v4 needs
yum install libtool-ltdl-devel libxml2-devel libcap-devel perl gcc gcc-c++ autoconf automake make sudo wget

tar xf squid-4.8.tar.gz
cd squid-4.8
./configure --prefix=/usr/local/squid --enable-arp-acl --enable-linux-netfilter --enable-linux-tproxy \
    --enable-async-io=100 --enable-err-language="Simplify_Chinese" --enable-underscore \
    --enable-poll --enable-gnuregex
make && make install
useradd -M -s /sbin/nologin squid
chown -R squid /usr/local/squid/var
ln -s /usr/local/squid/sbin/squid /usr/local/sbin/

Initialize and Start Squid

Add Squid runtime user and group

echo 'cache_effective_user squid' >> /usr/local/squid/etc/squid.conf
echo 'cache_effective_group squid' >> /usr/local/squid/etc/squid.conf

Initialize cache directory

squid -z
# Creates PID file at /usr/local/squid/var/run/squid.pid
# No cache_dir stores are configured yet
# Removes stale PID file

Start Squid

squid
ss -anplt | grep 3128   # shows LISTEN state for port 3128

Check running user

ps -ef | grep squid

Create Service Startup Script

Save the following script as /etc/init.d/squid:

#!/bin/bash
#chkconfig: 2345 90 25
PID="/usr/local/squid/var/run/squid.pid"
CONF="/usr/local/squid/etc/squid.conf"
CMD="/usr/local/squid/sbin/squid"
case "$1" in
  start)
    netstat -natp | grep squid &>/dev/null
    if [ $? -eq 0 ]; then
      echo "squid is running"
    else
      echo "Starting squid..."
      $CMD
    fi
    ;;
  stop)
    $CMD -k shutdown &>/dev/null
    rm -f "$PID" &>/dev/null
    ;;
  status)
    if [ -f $PID ]; then
      netstat -natp | grep squid
    else
      echo "squid is not running"
    fi
    ;;
  restart)
    echo "Stopping squid..."
    $0 stop &>/dev/null
    echo "Starting squid..."
    # "start" already launches Squid, so it is not run a second time here
    $0 start &>/dev/null
    ;;
  reload)
    $CMD -k reconfigure
    ;;
  check)
    $CMD -k parse
    ;;
  *)
    echo "Usage: $0 {start|stop|status|reload|check|restart}"
    ;;
esac

Add to startup

chmod +x /etc/init.d/squid
chkconfig --add squid
chkconfig --level 35 squid on

Test script

service squid start
# Output: Starting squid...
netstat -anplt | grep squid   # shows listening on port 3128
service squid stop
netstat -anplt | grep squid   # no output

Create Traditional Proxy Configuration

Edit the following directives in /usr/local/squid/etc/squid.conf; the inline comments mark the lines to add or change.

# And finally deny all other access to this proxy
http_access allow all   # add before deny all
http_access deny all
# Squid normally listens to port 3128
http_port 3128          # external port
cache_mem 128 MB        # memory for caching, suggested 1/4 of RAM
reply_body_max_size 10 MB   # max download size, 0 means unlimited
maximum_object_size 4096 KB # max object size stored in cache
#cache_dir ufs /usr/local/squid/var/cache/squid 100 16 256
coredump_dir /usr/local/squid/var/cache/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
cache_effective_user squid
cache_effective_group squid
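
Squid evaluates http_access rules in order and stops at the first match, so the `http_access allow all` line above admits any client that can reach port 3128. The script below is an added example, not part of the original article: it reports which catch-all rule is reached first and compares the article's rule order with a restricted variant. The function names, the ACL name `internal_servers` and the subnet 10.200.86.0/24 are assumptions.

```shell
#!/bin/sh
# Added example: report which catch-all http_access rule Squid reaches first.

# Print "<action> <line>" for the first http_access rule whose only ACL is
# "all", or "none" when the file has no such rule.
first_catch_all() {
    awk '
        { sub(/#.*/, "") }    # strip comments, including trailing ones
        $1 == "http_access" && NF == 3 && $3 == "all" {
            print $2, NR; found = 1; exit
        }
        END { if (!found) print "none" }
    ' "$1"
}

# Succeed only when the first catch-all rule is "deny all".
audit_http_access() {
    set -- $(first_catch_all "$1")
    [ "$1" = "deny" ]
}

# Constructed sample: rule order from the configuration above.
make_open_conf() {
    cat > "$1" <<'EOF'
http_access allow all   # add before deny all
http_access deny all
http_port 3128
EOF
}

# Constructed sample: access limited to an assumed internal subnet.
# The ACL name and 10.200.86.0/24 are assumptions, not from the article.
make_restricted_conf() {
    cat > "$1" <<'EOF'
acl internal_servers src 10.200.86.0/24
http_access allow internal_servers
http_access deny all
http_port 3128
EOF
}

# Usage: sh audit.sh /usr/local/squid/etc/squid.conf
if [ -n "${1:-}" ]; then
    audit_http_access "$1" && echo "ok: deny all is reached first" \
        || echo "warning: no deny all, or allow all precedes it"
fi
```
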

Restart Squid

# Check configuration syntax
/usr/local/squid/sbin/squid -k parse
# Confirm the running Squid process responds
/usr/local/squid/sbin/squid -k check
# Restart
service squid restart
# Output shows stopping and starting messages and new LISTEN state

Configure Internal Linux Servers to Use the Proxy

Before configuring a proxy, a curl request to Baidu fails:

curl www.baidu.com -I
curl: (6) Could not resolve host: www.baidu.com; Unknown error

Temporary Proxy Settings

export proxy="http://10.200.86.163:3128"
export http_proxy="http://10.200.86.163:3128"
export https_proxy="http://10.200.86.163:3128"   # for HTTPS

After setting the proxy, curl succeeds and returns HTTP headers such as:

HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
Content-Length: 277
Content-Type: text/html
Date: Thu, 08 Aug 2019 12:40:01 GMT
ETag: "575e1f60-115"
Last-Modified: Mon, 13 Jun 2016 02:50:08 GMT
Pragma: no-cache
Server: bfe/1.0.8.18
X-Cache: MISS from host-10-200-86-163
Via: 1.1 host-10-200-86-163 (squid/4.8)
Connection: keep-alive

Permanent Proxy Settings

Add the following lines to /etc/profile and source the file:

export proxy="http://10.200.86.163:3128"
export http_proxy="http://10.200.86.163:3128"
export https_proxy="http://10.200.86.163:3128"
export ftp_proxy="http://10.200.86.163:3128"
source /etc/profile
curl www.baidu.com -I   # now works with the same headers as above

Note: When using yum, copy the Squid server’s yum repository into the internal Linux device and run yum makecache to generate the cache.

Transparent Proxy

A transparent proxy requires the Squid server to have two network interfaces; the example server has only one, so this part is not demonstrated.
