Advanced Squid - Linux.com (2022)

Squid is a free caching proxy server that runs on Linux and many other operating systems. Many Linux users who have used Squid have taken advantage of its simple setup, and ignore or overlook its advanced features. Here’s an introduction to some of those features and how to use them.

I’ll assume that you have already set up a basic Squid system. If you need help on this, see the “Transparent Proxy with Linux and Squid mini-HOWTO” and the Squid quick start guide. Once you know the basics, you can move on to advanced topics such as access control lists (ACL), proxy authentication schemes, delay pools, and blocking pornography.

Squid has one primary configuration file, squid.conf. This file is generally located in /etc/squid/, or if you compiled Squid from source, the default location is /usr/local/squid/etc/. You’ll be editing this file, so it’s wise to make a backup copy of it before you make any changes.

Access control lists

The primary use of ACLs is to control access, but they can also be used to route requests through a hierarchy, control request rewriting, and manage quality of service.

Access controls are divided into two parts: elements and rules. ACL elements are things such as IP addresses, port numbers, hostnames, and URL patterns. Each ACL element has a name, which you refer to when writing the access list rules. The basic syntax of an ACL element is:

ACLname type value1 value2

Squid has more than 20 ACL types, including types for source and destination IP addresses, time, URLs, port numbers, and transfer protocols. See the Squid Configuration Manual for a full list of types.

After defining the ACL elements, the next step is to combine them with Access list rules. Rules combine elements to allow or deny certain actions. The syntax for an access control rule is:

access_list allow|deny [!]ACLname

For example, the rule:

http_access allow MyClients

tells Squid to allow access from the host or hosts defined under the name MyClients. The optional exclamation point is a standard negation operator, used to reverse the logic of the ACL. If this seems confusing, the following examples should help.

Restricting access to local network users

You should always limit access to your proxy server to local IP addresses, unless you have a specific need to allow external users. This can save you large bandwidth bills from outsiders using your machine as an open proxy. A simple way to do this is to write an ACL that contains your IP address space, then allow HTTP requests for that ACL and deny all others:


acl All src 0/0
acl PrivateNet src 192.168.0.0/24 192.168.1.0/24
http_access allow PrivateNet
http_access deny All

Squid makes one pass through the configuration file, reading the ACLs and rules in order. This means that you must define an ACL before you make a rule applying it, and the order of the http_access rules is important. Incoming requests are checked against the rules in the order in which they are written, and the first rule whose ACLs match the request decides: if that rule allows the request, the remaining rules are not read; if it denies the request, the request is blocked. If a rule does not match, Squid passes on to the next one, and so on. Your last http_access line should always be a deny All, so that a request which is not permitted by any of the previous rules is blocked by default. If you change this to allow All, all your rules become meaningless, since Squid will allow the request at the end. The default squid.conf configuration file contains some important access controls. Try not to change these before you understand what they do. When you edit squid.conf for the first time, look for this comment:


#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

Insert your new rules below this comment, and before the http_access deny All line.

Blocking specific computers

It is often necessary to block a particular IP address. At our university, for example, if a student uses excessive bandwidth, we block his computer for a few days. Until you can solve the problem at the source, you can block requests coming to Squid with this configuration:


acl All src 0/0
acl PrivateNet src 192.168.0.0/24 192.168.1.0/24
acl ProblemHost src 192.168.0.15
http_access deny ProblemHost
http_access allow PrivateNet
http_access deny All

This will block requests from the IP address 192.168.0.15. You can also block an IP range, such as 192.168.0.0/24.

Restricting usage to specified Web sites during working hours

You can set up a simple ACL to restrict Internet usage to work-related sites during working hours. To do this, you need to make a list of allowed sites and save it as a file with one domain name per line. For example:


#Allowed Sites
www.cnn.com
www.news.google.com
www.bbc.co.uk
www.newsforge.com
and other allowed sites...

Once you have your allow list ready, use the following ACL to restrict usage:


acl All src 0/0
acl PrivateNet src 192.168.0.0/24 192.168.1.0/24
acl AllowedSites dstdomain "/usr/local/squid/etc/allowed-sites"
acl WorkingHours time D 08:00-17:30
http_access allow WorkingHours AllowedSites
http_access deny All

Blocking pornography

Pornographic sites are quite a headache for many organizations. While many specialized free and commercial packages exist for filtering content, you can use Squid to block pornography as well.

The hardest part about using Squid to deny access to pornography is coming up with the list of sites that should be blocked. If you want a ready-made list, the Access Controls section of the Squid FAQ has links to freely available lists.

The ACL you have to write for such a list depends on the content of the list. If the list contains regular expressions, you’ll need to use the following ACL:


acl PornSites url_regex "/usr/local/squid/etc/pornlist"
http_access deny PornSites

If the list contains hostnames, the url_regex will have to be changed to dstdomain, which tells Squid to match the entire hostname instead of the words in the hostname:


acl PornSites dstdomain "/usr/local/squid/etc/pornlist"
http_access deny PornSites

These methods are fine for casual use. If you are really serious about blocking such sites, you might want to look at specialized software, such as SquidGuard or Dansguardian.
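To see how the one-pass, first-match rule interacts with the ACL types used in the sections above (src, dstdomain, url_regex and time), here is an added Python example. It is not Squid's code and not part of the original article: a small evaluator of acl and http_access lines that applies the first matching rule and, when nothing matches, Squid's documented fallback of the opposite of the last http_access line. The two sample configurations are the ones from the sections above with the allowed-sites list written inline instead of being read from a file; the client addresses and timestamps are constructed for the demonstration.

```python
import ipaddress
import re
from datetime import datetime

# Day letters of Squid's "time" ACL: S M T W H F A = Sunday..Saturday, D = Monday-Friday
# (Python's weekday() numbers Monday 0 .. Sunday 6).
DAY_CODES = {"S": {6}, "M": {0}, "T": {1}, "W": {2}, "H": {3}, "F": {4}, "A": {5}, "D": {0, 1, 2, 3, 4}}


def squid_network(value):
    """'src' value to ip_network; accepts Squid's 0/0 (padded to 0.0.0.0/0) and bare hosts (/32)."""
    addr, _, mask = value.partition("/")
    octets = addr.split(".")
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network(".".join(octets) + (f"/{mask}" if mask else ""), strict=False)


class AccessSim:
    """Toy evaluator for 'acl' and 'http_access' lines (added example, not Squid's code)."""

    def __init__(self, conf_text):
        self.acls = {}   # name -> [(type, values)]; repeated acl lines extend the same name
        self.rules = []  # (is_allow, [acl names; a '!' prefix negates]) in file order
        for raw in conf_text.splitlines():
            parts = raw.split("#", 1)[0].split()          # drop comments and blank lines
            if parts and parts[0] == "acl":
                self.acls.setdefault(parts[1], []).append((parts[2], parts[3:]))
            elif parts and parts[0] == "http_access":
                self.rules.append((parts[1] == "allow", parts[2:]))

    def element_matches(self, typ, values, req):
        if typ == "src":
            ip = ipaddress.ip_address(req["src"])
            return any(ip in squid_network(v) for v in values)
        if typ == "dstdomain":          # ".example.com" also matches subdomains
            host = req["host"].lower()
            return any(host == v.lstrip(".").lower() or
                       (v.startswith(".") and host.endswith(v.lower())) for v in values)
        if typ == "url_regex":
            return any(re.search(v, req["url"]) for v in values)
        if typ == "time":               # "D 08:00-17:30": day letters, then HH:MM-HH:MM
            days = "".join(v for v in values if ":" not in v)
            spans = [v.split("-") for v in values if ":" in v]
            when, hhmm = req["when"], req["when"].strftime("%H:%M")   # zero-padded: string order = time order
            day_ok = not days or any(when.weekday() in DAY_CODES[d] for d in days)
            return day_ok and (not spans or any(s <= hhmm <= e for s, e in spans))
        raise ValueError(f"ACL type not handled by this simulation: {typ}")

    def acl_matches(self, name, req):
        entries = self.acls[name.lstrip("!")]     # KeyError = ACL used before it was defined
        return any(self.element_matches(t, v, req) for t, v in entries) != name.startswith("!")

    def decide(self, req):
        """First rule whose ACLs all match decides; with no match Squid applies the opposite
        of the last http_access line (and denies if there are no lines at all)."""
        for is_allow, names in self.rules:
            if all(self.acl_matches(n, req) for n in names):
                return "allow" if is_allow else "deny"
        return "deny" if not self.rules or self.rules[-1][0] else "allow"


def request(src, url, when):
    """Request record; the destination host is taken from the URL."""
    return {"src": src, "url": url, "when": when, "host": re.match(r"[a-z]+://([^/:]+)", url).group(1)}


# Constructed configurations mirroring the sections above (allowed sites inline, not in a file).
WORKING_HOURS_CONF = """acl All src 0/0
acl PrivateNet src 192.168.0.0/24 192.168.1.0/24
acl AllowedSites dstdomain www.cnn.com www.bbc.co.uk
acl WorkingHours time D 08:00-17:30
http_access allow WorkingHours AllowedSites
http_access deny All
"""
BLOCK_HOST_CONF = """acl All src 0/0
acl PrivateNet src 192.168.0.0/24 192.168.1.0/24
acl ProblemHost src 192.168.0.15
http_access deny ProblemHost
http_access allow PrivateNet
http_access deny All
"""
MONDAY_10 = datetime(2022, 6, 6, 10, 0)     # constructed timestamps: a Monday ...
MONDAY_19 = datetime(2022, 6, 6, 19, 0)
SATURDAY_10 = datetime(2022, 6, 11, 10, 0)  # ... and the following Saturday


def demo():
    """Decisions showing first-match order and what happens without a final deny All."""
    hours, block = AccessSim(WORKING_HOURS_CONF), AccessSim(BLOCK_HOST_CONF)
    swapped = AccessSim(BLOCK_HOST_CONF.replace(   # allow PrivateNet now comes first
        "http_access deny ProblemHost\nhttp_access allow PrivateNet",
        "http_access allow PrivateNet\nhttp_access deny ProblemHost"))
    deny_only = AccessSim(BLOCK_HOST_CONF.replace("http_access allow PrivateNet\n", "")
                                         .replace("http_access deny All\n", ""))
    cnn, other = "http://www.cnn.com/", "http://www.example.com/"
    return {
        "cnn_in_hours": hours.decide(request("192.168.0.5", cnn, MONDAY_10)),
        "cnn_after_hours": hours.decide(request("192.168.0.5", cnn, MONDAY_19)),
        "cnn_saturday": hours.decide(request("192.168.0.5", cnn, SATURDAY_10)),
        "other_site_in_hours": hours.decide(request("192.168.0.5", other, MONDAY_10)),
        "problem_host": block.decide(request("192.168.0.15", cnn, MONDAY_10)),
        "problem_host_rules_swapped": swapped.decide(request("192.168.0.15", cnn, MONDAY_10)),
        "outsider": block.decide(request("203.0.113.7", cnn, MONDAY_10)),
        "outsider_without_deny_all": deny_only.decide(request("203.0.113.7", cnn, MONDAY_10)),
    }
```

Two of the results are worth checking against your own squid.conf. With the deny ProblemHost and allow PrivateNet lines swapped, the blocked host is allowed again, because PrivateNet matches it first. And with the rule list ending in a deny line but no deny All, an outside address that matches nothing is allowed, since Squid's fallback is the opposite of the last line; that is exactly why the article insists on deny All at the end. Note also that the working-hours configuration, as written in the article, denies every request outside working hours, not only requests to other sites.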

Proxy authentication

Proxy authentication is a complex subject, due to the various types of proxy authentication schemes available. I describe a simple user authentication scheme below, but there are many more schemes available, and the best one will vary according to your specific needs.

Squid currently supports three techniques for receiving user credentials: HTTP Basic, Digest, and NTLM. Basic authentication has been around for a long time. Though this is what I use in this example, you should know that it is a very insecure protocol, since the usernames and passwords are sent over the network in clear text. Anyone who runs a packet analyzer on your network can get the passwords. Still, it’s a good place to start, and for smaller networks, where security is not a major problem, it works well.

To use proxy authentication, Squid needs to be configured to spawn a number of external helper processes. The Squid source code includes some programs that authenticate against a number of standard databases. The auth_param directive controls the configuration of all helper programs.

The order of the auth_param directive and proxy_auth ACL is extremely important. Remember that Squid reads the config file in one pass, and in order. If you don’t put the proxy authentication ACLs in the proper order, you could end up allowing (or denying) all access. To use proxy authentication, you must define at least one authentication helper before any proxy_auth ACLs. If you don’t, Squid will print an error message to the logs and start up anyway, and all user requests may be denied. If you try to set up proxy authentication and find that it’s not working, look at the logs to make sure that the problem does not lie in the order of the ACLs.

HTTP Basic authentication supports the following auth_param parameters:


  - auth_param basic program command
  - auth_param basic children number
  - auth_param basic realm string
  - auth_param basic credentialsttl time-specification

The program parameter specifies the command, including arguments, for the helper program. This is generally the pathname to one of the authentication helper programs. By default, the path is /usr/local/squid/libexec.

The children parameter tells Squid how many helper processes to use. The default value is 5, which is a good starting point if you don’t know how many helpers Squid needs to handle the load. For a 400-user network, I use a value of 25. You should check your cache.log to make sure that there are no warning messages about too few helper processes, and increase the number of helper processes if there are warnings.

The realm parameter is the authentication realm string that the proxy server should present to the user when prompting for a username and password. Use something simple, such as “Orgname Proxy Server.”

The credentialsttl parameter specifies the amount of time that Squid internally caches authentication results. A larger “time to live” value reduces the load on the external authenticator processes, but increases the amount of time until Squid detects changes to the authentication database. If you have a relatively fixed user base, set this high, but if the user base is transient, as in a public library, use a lower value. The default TTL value is two hours.

A complete setup would look like this:


auth_param basic program /usr/local/squid/libexec/ncsa_auth /usr/local/squid/etc/passwd
auth_param basic children 10
auth_param basic realm NLU Proxy Server
auth_param basic credentialsttl 3 hour
acl Students proxy_auth REQUIRED
http_access allow Students

For this example I have used the NCSA authentication helper, which is a simple authentication method that stores usernames and passwords in a single text file, similar to the /etc/passwd file. You pass the path to the password file as the program’s single command-line argument in squid.conf:

auth_param basic program /usr/local/squid/libexec/ncsa_auth /usr/local/squid/etc/passwd

To create and update the file, you can use the htpasswd program. If you have the Apache Web server installed, htpasswd should also be installed; if not, download it from the Squid Web site. To create a file, the command is htpasswd -c passwdfile user.

To add users and change their passwords, the command is htpasswd passwdfile username.

htpasswd will prompt you for a password. If you want to allow users to change their own passwords, you can use the chpasswd CGI script, which is also available on the Squid Web site.

There are several other authentication helpers you can use with Basic authentication. For example, you can authenticate against a LDAP server, Windows Domain, or Samba domain.
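All of these helpers, ncsa_auth included, speak the same Basic helper protocol: Squid writes one line of the form "username password" to the helper's standard input (both fields URL-escaped) and reads back a line starting with OK or ERR. The script below is an added example for this page, not Squid's ncsa_auth and not the article's code. It implements that protocol against a credential file in a hypothetical format of its own (salted PBKDF2-SHA256 entries, not htpasswd), so that it can show the two things a helper must get right: compare the hash in constant time, and answer ERR for anything malformed or unknown. The install path in the comment is an assumption.

```python
import hashlib
import hmac
import os
import sys
from urllib.parse import unquote

# Constructed credential store format for this example, one entry per line:
#   user:hex-salt:hex-pbkdf2-sha256      (a hypothetical format, not htpasswd)
ITERATIONS = 200_000


def make_entry(user, password, salt=None):
    """Return one store line for `user`; a random 16-byte salt unless one is supplied."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{user}:{salt.hex()}:{digest.hex()}"


def load_store(text):
    """Parse the store text into {user: (salt, digest)}; blank and '#' lines are skipped."""
    store = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            user, salt_hex, digest_hex = line.strip().split(":")
            store[user] = (bytes.fromhex(salt_hex), bytes.fromhex(digest_hex))
    return store


def check_line(line, store):
    """One round of the Basic helper protocol: 'username password' in, 'OK' or 'ERR' out.
    Squid URL-escapes both fields before writing them, so they are unescaped here."""
    parts = line.rstrip("\r\n").split(" ", 1)
    if len(parts) != 2:
        return "ERR"                                  # malformed input is never a success
    user, password = unquote(parts[0]), unquote(parts[1])
    entry = store.get(user)
    if entry is None:
        # Run the KDF anyway so an unknown user costs as much as a wrong password.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\0" * 16, ITERATIONS)
        return "ERR"
    salt, expected = entry
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "OK" if hmac.compare_digest(candidate, expected) else "ERR"


def serve(store, stdin=sys.stdin, stdout=sys.stdout):
    """Helper main loop: answer each input line immediately (flush!) until Squid closes stdin."""
    for line in stdin:
        stdout.write(check_line(line, store) + "\n")
        stdout.flush()


if __name__ == "__main__":
    # Wiring in squid.conf (the path and file name are assumptions):
    #   auth_param basic program /usr/local/squid/libexec/pbkdf2_auth.py /usr/local/squid/etc/users
    with open(sys.argv[1], encoding="utf-8") as fh:
        serve(load_store(fh.read()))
```

The flush after every answer matters: Squid keeps the helper running and pairs each reply with a pending request, so a buffered reply leaves clients waiting for a verdict. Remember too that credentialsttl caches these verdicts inside Squid, so a password change in the store takes effect only after the cached result expires.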

Conclusion

If you want to learn more about Squid, I recommend a book called Squid: The Definitive Guide, written by Duane Wessels and published by O’Reilly and Associates. Squid is a versatile and robust proxy server, and it can be used in very complex configurations. I hope that this introduction will help you in using some of Squid’s more advanced features.

FAQs

How much RAM does Squid need?

Because Squid uses a small amount of memory for every cached response, there is a relationship between disk space and memory requirements. As a rule of thumb, you need 32 MB of memory for each GB of disk space. Thus, a system with 512 MB of RAM can support a 16-GB disk cache. Your mileage may vary, of course.

How do I monitor my squid proxy server?

Monitoring Squid Proxy Server
  1. The default logs are in /var/log/squid/.
  2. There are two log files: access.log logs web requests and results; cache.log logs error and debug messages from Squid.

What does squid do in Linux?

Squid is a Unix-based proxy server that caches Internet content closer to a requestor than its original point of origin. Squid supports caching of many different kinds of Web objects, including those accessed through HTTP and FTP.

Is there a GUI for squid?

An easy to use graphical interface to configure commonly needed Squid ACLs. It allows for fine grained permission management based on users, hosts and groups. Protocols HTTP, HTTPS and FTP are currently supported.

What are the 3 modes of operation for Squid?

You can make Squid choose one of three methods of operation: Accelerate only one origin server. Set httpd_accel origin-host origin-port in the HTTPD-ACCELERATOR OPTIONS section. The origin-host can be any host, or even localhost if the origin web server is on the same machine.

Are squids still used?

Squid is commonly used to cache content from the outside world into your companies network. You wouldn't use it in a hosting or content delivery scenario. Many people use squid as an accelerator for web sites. Using it on your own network is probably the more common usage.

How do you know if Squid is working?

To check whether Squid is running, choose one of the following ways:
  1. Using systemctl: > systemctl status squid. The output of this command should indicate that Squid is loaded and active (running).
  2. Using Squid itself: > sudo squid -k check; echo $?

How do I find my Squid IP address?

To verify it, open google.com , type “what is my ip” and you should see your Squid server IP address. To revert back to the default settings, go to Network Settings , select the Use system proxy settings radio button and save the settings.

What port does Squid use?

By default, the Squid proxy service listens on the 3128 port on all network interfaces.

How do I connect to a proxy server in Linux?

How to Set Up a Linux Proxy Server
  1. The first thing to do is to update to the latest package list: sudo apt-get update.
  2. Install the Squid proxy server.
  3. Start and enable the proxy server.
  4. To see the status, use the systemctl status command.
  5. To see which port the proxy is running on, use netstat -tnlp.

What is squid transparent proxy?

Squid Transparent Proxy Server is a popular open source transparent proxy tool. For example, a user on a corporate network may be surfing the Internet. The user requests to view a news article on cnn.com, and views the same content as they would on their local connection at home.

Is SQUID a firewall?

Squid is a caching and forwarding HTTP web proxy. It has a wide variety of uses, including speeding up a web server by caching repeated requests, caching web, DNS and other computer network lookups for a group of people sharing network resources, and aiding security by filtering traffic.

Is SQUID an HTTP proxy?

Squid is a full-featured web proxy cache server application which provides proxy and cache services for Hyper Text Transport Protocol (HTTP), File Transfer Protocol (FTP), and other popular network protocols.

Is SQUID a reverse proxy?

Squid as Reverse Proxy

Whereas a typical proxy generally provides internal clients with external web content, a reverse proxy functions in exactly the opposite manner: In this case, content from one or multiple internal web servers is loaded so as to be provided to external clients.

Does squid work with https?

Encrypted browser-Squid connection

Squid can accept regular proxy traffic using https_port in the same way Squid does it using an http_port directive. RFC 2818 defines the protocol requirements around this. Unfortunately, popular modern browsers do not yet permit configuration of TLS encrypted proxy connections.

What is squid code?

squid-cache.org

Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. It reduces bandwidth and improves response times by caching and reusing frequently-requested web pages. Squid has extensive access controls and makes a great server accelerator.

Where does Squid store cache files?

Squid stores its cache in the /var/spool/squid/ directory. The cache grows up to 10000 MB. Squid creates 16 level-1 sub-directories in the /var/spool/squid/ directory. Squid creates 256 sub-directories in each level-1 directory.

How do I view Squid logs?

Check this path: /var/log/squid/access.log. Also, you can use tail -f /var/log/squid/access.log | grep -i to view the current session logs.

Does Squid cache by default?

In the default configuration on SUSE Linux Enterprise Server, Squid does not create a disk cache. The placeholder STORAGE_TYPE can be one of the following: Directory-based storage types: ufs , aufs (the default), diskd .

Where is Squid installed?

The default Squid configuration file is located in the /etc/squid/ directory, and the main configuration file is called squid.conf. This file contains the bulk of the configuration directives that can be modified to change the behavior of Squid.

How do I flush squid cache?

How to clear Squid Proxy cache
  1. Check the squid cache directory: grep -i cache_dir /etc/squid/squid.conf
  2. Check the squid directory size: du -sh /var/cache/squid
  3. Open a terminal, log in as root, and stop squid: squid -k shutdown
  4. Make sure squid is not running anymore: ps aux | grep -i squ
  5. Go to the cache directory and remove it: cd /var/cache/ && rm -rf squid

What is the default cache_mem configuration for squid?

cache_mem. This entry determines how much memory Squid can use for particularly popular responses. The default value is 8 MB. This value does not indicate the real memory usage of Squid and can be exceeded.

Article information

Author: Barbera Armstrong

Last Updated: 01/02/2023
