Squid Proxy Cache Advanced Configuration
Squid is a high-performance caching proxy that supports HTTP, HTTPS, and FTP, widely deployed for web traffic acceleration, content filtering, and access control on Linux servers. This guide covers advanced Squid configuration including cache hierarchies, SSL bumping for HTTPS inspection, transparent proxying, ACL rules, authentication, and performance tuning.
Prerequisites
- Ubuntu 20.04/22.04 or CentOS 8/Rocky Linux 8+
- Root or sudo access
- At least 4 GB RAM for a production deployment
- Fast storage for cache (SSD recommended)
- For SSL bumping: OpenSSL development libraries
Install Squid
Ubuntu/Debian:
sudo apt update
sudo apt install -y squid squid-openssl
# Verify installation
squid -v | head -5
# Enable and start
sudo systemctl enable squid
sudo systemctl start squid
CentOS/Rocky Linux:
sudo dnf install -y squid
# Install with SSL support (compile from source or use a repo with ssl enabled)
# Check if SSL is enabled
squid -v | grep -i ssl
sudo systemctl enable --now squid
Open the default proxy port:
sudo ufw allow 3128/tcp # Ubuntu
sudo firewall-cmd --permanent --add-port=3128/tcp && sudo firewall-cmd --reload # CentOS
Cache Configuration and Storage
Configure cache storage in /etc/squid/squid.conf:
sudo cp /etc/squid/squid.conf /etc/squid/squid.conf.bak
sudo nano /etc/squid/squid.conf
Key cache configuration directives:
# Cache directory: ufs type, path, size (MB), L1 dirs, L2 dirs
cache_dir ufs /var/spool/squid 10000 16 256
# Object size limits
minimum_object_size 0 bytes
maximum_object_size 100 MB
# Memory cache
cache_mem 512 MB
memory_cache_mode always
# Maximum object size in memory cache
maximum_object_size_in_memory 512 KB
# Cache replacement policy (heap LFUDA outperforms LRU for web caches)
cache_replacement_policy heap LFUDA
memory_replacement_policy heap GDSF
# Cache log
cache_log /var/log/squid/cache.log
access_log /var/log/squid/access.log squid
# Refresh patterns - control caching behavior
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern -i \.(gif|png|jpg|jpeg|ico|svg)$ 43200 50% 129600 override-expire
refresh_pattern -i \.(css|js|woff2|ttf)$ 1440 20% 10080
refresh_pattern -i \.(deb|rpm|exe|zip|tar\.gz)$ 43200 90% 432000 override-expire
refresh_pattern . 0 20% 4320
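The refresh_pattern lines above are what Squid consults to decide whether a cached copy can be served without revalidation: an object younger than min is fresh, one older than max is stale, and in between the percent value is applied to how long the object had already gone unchanged (the LM-factor rule). The Python below is an added, simplified model of that decision for exactly these five patterns; it is not Squid's code and ignores Cache-Control and the other refresh_pattern options.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass
class RefreshPattern:
    regex: str                     # matched against the request URL
    min_minutes: int
    percent: int
    max_minutes: int
    ignore_case: bool = False      # the -i flag
    override_expire: bool = False  # the override-expire option

# The five refresh_pattern lines from the squid.conf section above, in order;
# Squid uses the first pattern whose regex matches the URL.
PATTERNS = [
    RefreshPattern(r"^ftp:", 1440, 20, 10080),
    RefreshPattern(r"\.(gif|png|jpg|jpeg|ico|svg)$", 43200, 50, 129600, True, True),
    RefreshPattern(r"\.(css|js|woff2|ttf)$", 1440, 20, 10080, True),
    RefreshPattern(r"\.(deb|rpm|exe|zip|tar\.gz)$", 43200, 90, 432000, True, True),
    RefreshPattern(r".", 0, 20, 4320),
]

def match_pattern(url: str) -> RefreshPattern:
    for p in PATTERNS:
        if re.search(p.regex, url, re.IGNORECASE if p.ignore_case else 0):
            return p
    raise ValueError("no pattern matched; the '.' catch-all should always match")

def is_fresh(url: str, age_s: int, lm_age_s: Optional[int] = None,
             expires_in_s: Optional[int] = None) -> bool:
    """True = serve from cache without revalidation. age_s: seconds since the
    response's Date; lm_age_s: Date minus Last-Modified (None if absent);
    expires_in_s: Expires minus Date (None if absent). Simplified model."""
    p = match_pattern(url)
    if expires_in_s is not None:
        # override-expire only extends freshness up to min; otherwise Expires wins.
        if p.override_expire and age_s <= p.min_minutes * 60:
            return True
        return age_s < expires_in_s
    if age_s <= p.min_minutes * 60:
        return True
    if age_s > p.max_minutes * 60:
        return False
    # Between min and max: the LM-factor rule. An object unchanged for a long
    # time is assumed to stay fresh for percent% of that interval.
    if lm_age_s is not None:
        return age_s < lm_age_s * p.percent / 100
    return False  # no Last-Modified and no Expires: stale once past min
```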
Initialize and test:
# Initialize cache directories
sudo squid -z
sudo systemctl restart squid
sudo systemctl status squid
# Test the proxy
curl -x http://localhost:3128 http://example.com -I
ACL Rules and Access Control
Squid's ACL system controls who can access what:
# Define ACLs
acl localnet src 10.0.0.0/8 # Private network
acl localnet src 172.16.0.0/12
acl localnet src 192.168.0.0/16
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 443 # https
acl Safe_ports port 21 # ftp
acl Safe_ports port 8080 8443 # alternate ports
acl CONNECT method CONNECT
# Domain blacklist - block social media during work hours (day codes M T W H F = Monday to Friday)
acl work_hours time MTWHF 08:00-18:00
acl social_media dstdomain .facebook.com .twitter.com .tiktok.com .instagram.com
# URL regex blacklist
acl bad_content url_regex -i adult gambling torrent
# http_access rules are evaluated top to bottom and the first match wins, so every
# policy deny must come before the broad "allow localnet" or it is never reached.
# Block requests to unsafe ports
http_access deny !Safe_ports
# Block CONNECT to non-SSL ports
http_access deny CONNECT !SSL_ports
# Allow cache manager from localhost only
http_access allow localhost manager
http_access deny manager
# Block social media during work hours and blacklisted URLs
http_access deny social_media work_hours
http_access deny bad_content
# Whitelist specific sites only (for strict environments)
# acl allowed_sites dstdomain .example.com .company.com
# http_access allow allowed_sites
# http_access deny all
# Allow local network
http_access allow localnet
# Deny everything else
http_access deny all
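http_access directives are evaluated top to bottom and the first rule whose ACLs all match is final, so a broad http_access allow localnet placed ahead of the policy denies silently disables them. This added Python model (not Squid's code) re-implements that first-match evaluation for the ACL types used above and compares the two orderings; the request helper, the dates and the hostnames are constructed for the example.

```python
import ipaddress
import re
from datetime import datetime

# Added model of Squid's http_access evaluation (not Squid's own code): rules are
# tested top to bottom and the FIRST rule whose ACLs all match decides; nothing
# below it is ever consulted. Covers the ACL types used in the section above.
DAY_CODES = "MTWHFAS"  # Squid time-ACL day letters, indexed by datetime.weekday()
ACLS = {  # name -> (type, values), merged from the acl lines above
    "localnet": ("src", ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]),
    "SSL_ports": ("port", [443]), "Safe_ports": ("port", [80, 443, 21, 8080, 8443]),
    "CONNECT": ("method", ["CONNECT"]), "work_hours": ("time", ["MTWHF", "08:00-18:00"]),
    "social_media": ("dstdomain", [".facebook.com", ".twitter.com", ".tiktok.com", ".instagram.com"]),
    "bad_content": ("url_regex", ["adult", "gambling", "torrent"]),
}

def acl_matches(name, req):
    if name == "all":
        return True
    kind, values = ACLS[name]
    if kind == "src":
        return any(ipaddress.ip_address(req["src"]) in ipaddress.ip_network(v) for v in values)
    if kind == "port":
        return req["port"] in values
    if kind == "method":
        return req["method"] in values
    if kind == "dstdomain":  # a leading dot matches the domain and all its subdomains
        return any(req["host"] == v.lstrip(".") or (v[0] == "." and req["host"].endswith(v)) for v in values)
    if kind == "url_regex":  # -i flag: case-insensitive
        return any(re.search(v, req["url"], re.I) for v in values)
    if kind == "time":
        days, (start, end) = values[0], values[1].split("-")
        return DAY_CODES[req["when"].weekday()] in days and start <= req["when"].strftime("%H:%M") < end
    raise ValueError(kind)

def http_access(rules, req):
    """'allow' or 'deny' from the first matching rule; Squid denies when none match."""
    for action, terms in rules:
        if all(acl_matches(t.lstrip("!"), req) != t.startswith("!") for t in terms):
            return action
    return "deny"

def request(src, host, port, method="GET", when=datetime(2024, 1, 10, 10, 0)):  # a Wednesday, 10:00
    url = f"{host}:{port}" if method == "CONNECT" else f"http://{host}:{port}/"
    return {"src": src, "host": host, "port": port, "method": method, "url": url, "when": when}

# Wrong order: the blanket allow comes first, so the policy denies below it never fire.
ALLOW_FIRST = [("deny", ["!Safe_ports"]), ("deny", ["CONNECT", "!SSL_ports"]), ("allow", ["localnet"]),
               ("deny", ["social_media", "work_hours"]), ("deny", ["bad_content"]), ("deny", ["all"])]
# Right order: policy denies precede the allow for the local network.
DENY_FIRST = [("deny", ["!Safe_ports"]), ("deny", ["CONNECT", "!SSL_ports"]), ("deny", ["social_media", "work_hours"]),
              ("deny", ["bad_content"]), ("allow", ["localnet"]), ("deny", ["all"])]
```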
Load and reload ACLs:
sudo squid -k parse # Validate config
sudo squid -k reconfigure # Reload without restart
Authentication Setup
Basic authentication with a password file:
# Install htpasswd utility
sudo apt install -y apache2-utils # Ubuntu
sudo dnf install -y httpd-tools # CentOS
# Create a password file
sudo htpasswd -c /etc/squid/passwords proxyuser
# Enter password when prompted
# Add more users (without -c flag)
sudo htpasswd /etc/squid/passwords anotheruser
sudo chown squid:squid /etc/squid/passwords
sudo chmod 640 /etc/squid/passwords
Add to squid.conf:
# Basic authentication (on CentOS/Rocky the helpers live in /usr/lib64/squid/)
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwords
auth_param basic realm Squid Proxy Authentication
auth_param basic credentialsttl 2 hours
# Require authentication
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access deny all
LDAP authentication:
# -w puts the bind password in squid.conf and on the helper's command line;
# prefer -W /path/to/passwordfile (mode 0600, owned by squid) to read it from a file
auth_param basic program /usr/lib/squid/basic_ldap_auth \
-R -b "dc=example,dc=com" \
-D "cn=squid,dc=example,dc=com" \
-w "ldappassword" \
-f "uid=%s" \
-h ldap.example.com
auth_param basic realm Corporate Proxy
acl authenticated proxy_auth REQUIRED
http_access allow localnet authenticated
Transparent Proxying
Transparent proxy intercepts traffic without client configuration:
# Enable IP forwarding
echo "net.ipv4.ip_forward = 1" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
# iptables rules to redirect HTTP traffic to Squid
# Redirect HTTP (port 80) arriving on the LAN interface to Squid's intercept port (3129).
# To intercept HTTPS as well, add the same rule for --dport 443 pointing at the
# https_port (3130) configured below.
sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 \
-j REDIRECT --to-port 3129
# Save iptables rules
sudo apt install -y iptables-persistent
sudo netfilter-persistent save
Add to squid.conf:
# Regular forward-proxy port (clients configured explicitly)
http_port 3128
# Transparent HTTP port, the target of the iptables REDIRECT above
http_port 3129 intercept
# Transparent HTTPS port (with SSL bump; needs the CA and ssl_bump rules from the next section)
https_port 3130 intercept ssl-bump \
cert=/etc/squid/ssl/myCA.crt \
key=/etc/squid/ssl/myCA.key
SSL Bumping (HTTPS Inspection)
SSL bumping allows Squid to inspect HTTPS traffic by acting as a man-in-the-middle with a trusted CA:
# Generate a local CA certificate for SSL bumping
sudo mkdir -p /etc/squid/ssl
cd /etc/squid/ssl
# Create the CA key and certificate (10-year validity)
sudo openssl req -new -newkey rsa:4096 -days 3650 -nodes -x509 \
-subj "/C=US/ST=State/L=City/O=MyOrg/CN=Squid CA" \
-keyout myCA.key -out myCA.crt
sudo chown -R squid:squid /etc/squid/ssl
sudo chmod 600 /etc/squid/ssl/myCA.key
# Initialize SSL certificate database
sudo mkdir -p /var/lib/squid/ssl_db
sudo /usr/lib/squid/security_file_certgen -c -s /var/lib/squid/ssl_db -M 4MB
sudo chown -R squid:squid /var/lib/squid/ssl_db
Add to squid.conf:
# SSL bump configuration. This replaces the plain "http_port 3128" line: the
# forward-proxy port now also bumps CONNECT tunnels.
http_port 3128 ssl-bump \
cert=/etc/squid/ssl/myCA.crt \
key=/etc/squid/ssl/myCA.key \
generate-host-certificates=on \
dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB
# SSL bump ACLs
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
# Peek at the SNI in step 1
ssl_bump peek step1
# Splice (don't inspect) banking and health sites
acl no_bump_sites ssl::server_name .bank.com .healthcare.gov
ssl_bump splice no_bump_sites
# Bump (inspect) everything else
ssl_bump bump all
# The two directives below disable validation of origin server certificates: Squid
# would accept a forged or expired upstream certificate and re-sign it with your
# trusted CA, so clients lose all TLS protection. Leave them commented out except
# for debugging in a lab. (sslproxy_flags was removed in Squid 4; its replacement
# is tls_outgoing_options flags=DONT_VERIFY_PEER.)
# sslproxy_cert_error allow all
# sslproxy_flags DONT_VERIFY_PEER
Distribute the CA certificate to client machines for the SSL bump to work without browser warnings.
Cache Hierarchies
Link multiple Squid instances to share cache:
# Parent proxy configuration
# Specify a parent cache
cache_peer parent-proxy.example.com parent 3128 3130 \
default \
no-query \
login=PASSTHRU
# Sibling proxy configuration
cache_peer sibling-proxy.example.com sibling 3128 3130
# ICP port for peer communication
icp_port 3130
# Allow ICP queries from siblings
icp_access allow localnet
icp_access deny all
# Route specific domains to parent
acl upstream_domains dstdomain .example.com
cache_peer_access parent-proxy.example.com allow upstream_domains
cache_peer_access parent-proxy.example.com deny all
Performance Tuning
# Worker processes (set to number of CPU cores)
# Note: the ufs cache_dir configured earlier is not SMP-aware. With workers > 1 use a
# rock cache_dir, or give each worker its own cache_dir inside
# "if ${process_number} = N ... endif" blocks, because workers cannot safely share one ufs store.
workers 4
# Increase file descriptor limits (also raise the process limit, e.g. LimitNOFILE in
# the systemd unit, or Squid cannot actually reach this value)
max_filedescriptors 65536
# Connection timeout settings
connect_timeout 30 seconds
read_timeout 5 minutes
request_timeout 5 minutes
persistent_request_timeout 2 minutes
# Client request buffer
client_request_buffer_max_size 512 KB
# DNS settings - use fast resolvers
dns_nameservers 1.1.1.1 8.8.8.8
dns_retransmit_interval 5 seconds
dns_timeout 30 seconds
# Cache positive and negative DNS lookups
positive_dns_ttl 6 hours
negative_dns_ttl 1 minute
# Memory pools
memory_pools on
memory_pools_limit 100 MB
# Check cache statistics
squidclient -h localhost -p 3128 mgr:info
squidclient -h localhost -p 3128 mgr:counters
squidclient -h localhost -p 3128 mgr:utilization
# Check cache hit rate
squidclient -h localhost -p 3128 mgr:counters | grep -i hit
Troubleshooting
Squid fails to start - "permission denied":
# Check log files for errors
sudo journalctl -u squid -n 50
sudo tail -20 /var/log/squid/cache.log
# Fix ownership of cache directories
sudo chown -R squid:squid /var/spool/squid /var/log/squid
# Re-initialize cache
sudo squid -z
sudo systemctl restart squid
SSL bumping causes "SSL certificate error" in browsers:
# Ensure the CA cert is installed in browsers/OS
# Ubuntu client: copy cert and update
sudo cp /etc/squid/ssl/myCA.crt /usr/local/share/ca-certificates/squid-ca.crt
sudo update-ca-certificates
High memory usage:
# Reduce cache_mem
# cache_mem 256 MB
# Check memory usage
squidclient -h localhost -p 3128 mgr:mem | grep "Total accounted"
# Enable memory pooling limit
# memory_pools_limit 50 MB
Clients getting "Access Denied":
# Test with verbose curl
curl -x http://localhost:3128 -v http://example.com 2>&1 | grep -i "access\|deny\|acl"
# Check access.log for denial reason
sudo tail -f /var/log/squid/access.log | grep DENIED
# Test ACL matching
squidclient -h localhost -p 3128 mgr:acl
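For the hit-rate check in the performance section and the DENIED grep above, this added script (not Squid's or the page's code) parses Squid's native access_log format, computes the share of requests served from cache, and tells policy denials (403, an http_access deny matched) apart from authentication challenges (407); the log lines and addresses are constructed for the example.

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample in Squid's native access_log format (the 'squid' format selected above):
# timestamp elapsed client result/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1700000001.123     45 192.168.1.10 TCP_MISS/200 5123 GET http://www.example.com/ - HIER_DIRECT/203.0.113.10 text/html
1700000002.456      2 192.168.1.10 TCP_MEM_HIT/200 5123 GET http://www.example.com/ - HIER_NONE/- text/html
1700000003.789      0 192.168.1.22 TCP_DENIED/403 3712 CONNECT www.facebook.com:443 - HIER_NONE/- text/html
1700000004.012    110 192.168.1.22 TCP_TUNNEL/200 80211 CONNECT mail.example.com:443 - HIER_DIRECT/203.0.113.7 -
1700000005.345      1 192.168.1.10 TCP_HIT/200 20480 GET http://cdn.example.com/logo.png - HIER_NONE/- image/png
1700000006.678      0 10.0.0.5 TCP_DENIED/407 3900 GET http://www.example.com/ - HIER_NONE/- text/html
1700000007.901     35 192.168.1.10 TCP_REFRESH_UNMODIFIED/304 300 GET http://www.example.com/style.css - HIER_DIRECT/203.0.113.10 text/css
"""
# Result codes counted here as answered from cache (simplified list).
HIT_CODES = {"TCP_HIT", "TCP_MEM_HIT", "TCP_IMS_HIT", "TCP_NEGATIVE_HIT", "TCP_REFRESH_UNMODIFIED"}

def parse_line(line):
    f = line.split()
    if len(f) < 10:
        raise ValueError(f"unexpected access.log line: {line!r}")
    result, status = f[3].split("/")
    url = f[6]
    host = url if "://" not in url else urlsplit(url).netloc  # CONNECT logs host:port only
    return {"ts": float(f[0]), "client": f[2], "result": result, "status": int(status),
            "bytes": int(f[4]), "method": f[5], "host": host}

def parse_log(text):
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]

def hit_ratio(entries):
    """Share of non-denied client requests answered from cache (approximates mgr:info's request hit ratio)."""
    served = [e for e in entries if e["result"] != "TCP_DENIED"]
    return sum(e["result"] in HIT_CODES for e in served) / len(served) if served else 0.0

def denied_summary(entries):
    """Who was refused and why: 403 = an http_access deny matched, 407 = proxy authentication required."""
    c = Counter()
    for e in entries:
        if e["result"] == "TCP_DENIED":
            reason = "auth_required" if e["status"] == 407 else "acl_deny"
            c[(e["client"], e["host"], reason)] += 1
    return c
```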
Conclusion
Advanced Squid configuration enables powerful proxy caching, access control, and traffic inspection for corporate networks and hosting environments. Use ACL rules and authentication to enforce usage policies, configure SSL bumping only where legally and ethically appropriate, and tune cache storage parameters based on available disk and RAM for maximum cache efficiency.