Mastering Squid: Deep Dive into Squid Proxy Configuration

1. 🌍 Understanding the Role of Squid

Squid is a forward proxy, primarily used to:

Cache web content to improve speed and save bandwidth
Filter traffic (by IP, domain, MIME type, etc.)
Secure and monitor access to the internet
Serve as an anonymous gateway

It supports protocols such as HTTP, HTTPS, FTP, and even SSL-bumping (man-in-the-middle HTTPS proxying with CA).

2. 🧩 The Anatomy of squid.conf

The main configuration file is located at:

/etc/squid/squid.conf

It's read from top to bottom, and the order of rules matters.

Key sections include:

http_port: ports Squid listens on
acl: access control list definitions
http_access: allow/deny logic
auth_param: auth settings
cache_*: caching behavior
refresh_pattern: cache control per content type

Example (basic structure):

http_port 3128
acl allowed_users proxy_auth REQUIRED
http_access allow allowed_users
http_access deny all

3. 🧠 ACLs – Access Control Lists

ACLs define conditions like user, IP, method, port, time, or domains.

Syntax:

acl <name> <type> <value>

Examples:

acl localnet src 192.168.1.0/24
acl blocked_sites dstdomain .facebook.com .youtube.com
acl office_hours time MTWHF 09:00-17:00
acl secure_ports port 443

You can reference ACLs later using http_access, tcp_outgoing_address, etc.

4. 🎯 Mastering http_access

This directive controls whether a request is permitted.

Example:

http_access allow localnet
http_access deny blocked_sites
http_access deny all

Important Notes:

Order matters: First match applies
You can combine ACLs with AND logic:

http_access allow localnet office_hours

This allows only during office hours from the local network.

5. 🔐 Authentication Options

Squid supports multiple authentication schemes:

basic_ncsa_auth: Simple file-based
digest_auth: More secure but less supported
ntlm_auth: For Windows/AD integration
External programs: LDAP, RADIUS, etc.

Example with htpasswd:

auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic realm MySecureProxy
acl auth_users proxy_auth REQUIRED
http_access allow auth_users

Create credentials:

sudo htpasswd -c /etc/squid/passwd username

6. 💾 Caching Behavior and Optimization

Squid caches HTTP objects to save bandwidth and improve latency.

Key directives:

cache_mem 256 MB
maximum_object_size 4 MB
cache_dir ufs /var/spool/squid 1000 16 256
refresh_pattern ^ftp:  1440 20% 10080
refresh_pattern .      0     20% 4320

cache_mem: RAM cache
cache_dir: Disk cache
refresh_pattern: Defines how long objects are valid

Useful tool:

squidclient -h localhost -p 3128 mgr:info

Shows internal stats.

7. 📝 Logging and Monitoring

Log files are stored in /var/log/squid/:

access.log: All HTTP requests
cache.log: Squid's runtime info
store.log: Cache activity

Watch live logs:

sudo tail -f /var/log/squid/access.log

Filter logs by IP, user, or URL using grep.

8. ⚙️ Performance Tuning Tips

Increase cache_mem if you have enough RAM.
Use ufs or aufs for cache_dir (aufs uses threads, better for Linux).
Turn off caching of dynamic content:

refresh_pattern -i \? 0 0% 0

Limit logs if I/O is bottleneck:

buffered_logs on

Enable memory pools:

memory_pools on

9. 📉 Bandwidth Management (Delay Pools)

Delay pools let you throttle speed for specific users or networks.

Enable it:

delay_pools 1
delay_class 1 2
delay_parameters 1 64000/64000 16000/16000
acl limited_users src 192.168.1.0/24
delay_access 1 allow limited_users

Pool 1: 64KB max, 16KB/s speed for subnet
Classes:
- 1: Aggregate
- 2: Aggregate + individual
- 3: Aggregate + network + individual

10. 🚫 Content Filtering and Blocking

Block by domain:

acl bad_sites dstdomain .example.com .facebook.com
http_access deny bad_sites

Block by keyword:

acl forbidden_words url_regex -i sex porn adult
http_access deny forbidden_words

Block file types:

acl bad_files urlpath_regex \.mp3$ \.mp4$ \.exe$
http_access deny bad_files

11. 🕵️ Transparent Proxying (Brief Overview)

A transparent proxy intercepts traffic without client configuration.

Requires router or firewall rules (e.g., iptables)
Squid must be compiled with --enable-linux-netfilter
Port 3128 is replaced with 3129 or 8080 for intercepted traffic

iptables rule:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3129

Squid config:

http_port 3129 intercept

Note:

Full guide needs separate post due to complexity.

12. 🧪 Real-World Configuration Examples

A. Proxy with User Auth & IP Filtering

http_port 3128

auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic realm AuthProxy

acl good_users proxy_auth REQUIRED
acl mynetwork src 10.10.10.0/24

http_access allow good_users mynetwork
http_access deny all

B. Block Social Media + Log Everything

acl block_social dstdomain .facebook.com .instagram.com .tiktok.com
http_access deny block_social

access_log /var/log/squid/social_block.log squid

13. 🔐 Security Best Practices

Critical Security Notes:

Don't leave your proxy open to the public internet!
Require auth and/or IP filtering.
Disable HTTP CONNECT on unsafe ports:

http_access deny CONNECT !SSL_ports

Hide identifying headers:

forwarded_for off
request_header_access Via deny all

Regularly rotate passwords.

14. ✅ Summary

Squid is not a "set and forget" tool — it's a highly customizable engine with powerful capabilities. Mastering it means:

Key Mastery Areas:

Understanding ACL logic and structure
Designing flexible, layered http_access rules
Tuning caching and performance
Enforcing security and control
Logging, monitoring, and bandwidth shaping

With the right configuration, Squid becomes more than just a proxy — it becomes a control point for all outbound web traffic in your network.

➕ Resources & Next Topics

Want more?

Squid with SSL Bump (decrypt HTTPS traffic)
Dynamic ACLs via external scripts
Integrating Squid with LDAP or Active Directory
Building custom dashboards using logs

Table of Contents