Proxy Server with Squid: Complete Setup Guide
Introduction
Proxy servers serve as intermediaries between clients and the internet, providing critical functionality for organizations and individuals seeking to control, monitor, cache, and secure network traffic. Squid, the industry-leading open-source proxy server, has powered enterprise networks, ISPs, and content delivery infrastructures for over two decades, offering unmatched flexibility, performance, and feature richness.
Originally developed in 1996, Squid has evolved into a sophisticated caching proxy supporting HTTP, HTTPS, FTP, and other protocols. Deployed by organizations ranging from small businesses to Fortune 500 companies, Squid handles everything from simple web caching to complex authentication systems, content filtering, bandwidth management, and multi-tier hierarchical caching architectures.
This comprehensive guide walks you through deploying a production-ready Squid proxy server on Linux. You'll learn installation procedures, authentication configuration, access control implementation, SSL/TLS interception (SSL bumping), caching optimization, bandwidth limiting, logging and monitoring, and troubleshooting techniques.
Whether implementing corporate internet access control, improving network performance through caching, anonymizing web traffic, bypassing geo-restrictions, filtering content, or building a forward or reverse proxy infrastructure, this guide provides the foundation for professional Squid proxy deployment.
Use Case Overview
Why Deploy a Proxy Server?
Proxy servers provide numerous benefits for network management and security:
Content Caching: Cache frequently accessed web content locally, dramatically reducing bandwidth consumption and improving page load times. Large organizations save significant money on internet connectivity by caching common resources.
Access Control: Implement granular internet access policies, blocking inappropriate content, restricting access to specific sites, or limiting internet usage to business hours. Essential for educational institutions, libraries, and corporate networks.
Bandwidth Management: Control and prioritize bandwidth allocation, preventing bandwidth-intensive applications from degrading network performance. Limit download speeds, restrict large file transfers, or implement quality of service policies.
Security and Filtering: Block malicious websites, filter advertisements, prevent malware downloads, and scan content for threats. Act as first line of defense against web-based attacks.
Anonymity and Privacy: Hide client IP addresses from destination servers, providing privacy for users and protecting internal network topology from external observation.
Logging and Monitoring: Comprehensive logging of all internet activity for compliance, security analysis, or productivity monitoring. Track bandwidth usage per user, identify security incidents, or generate usage reports.
SSL/TLS Inspection: Decrypt and inspect HTTPS traffic for malware, data loss prevention, or policy compliance while maintaining encrypted connections to destination servers.
Geographic Content Access: Route traffic through proxies in different locations to access geo-restricted content or test localization implementations.
Load Balancing: Distribute traffic across multiple upstream proxies or parent caches, improving performance and reliability.
Common Deployment Scenarios
Corporate Internet Gateway: Central proxy for employee internet access with authentication, content filtering, usage logging, and bandwidth management. Enforce acceptable use policies and protect against web threats.
Educational Institution Proxy: Schools and universities filtering inappropriate content, preventing bandwidth abuse, and monitoring student internet usage for safety and compliance.
ISP Caching Infrastructure: Internet service providers deploying Squid to cache popular content, reducing upstream bandwidth costs and improving subscriber experience.
Development and Testing: Developers using proxies to test applications under various network conditions, intercept API calls, or debug HTTPS traffic.
Content Delivery Network (CDN): Reverse proxy caches serving static content, offloading origin servers, and accelerating content delivery globally.
Privacy-Focused Browsing: Individuals routing traffic through personal proxy servers to hide IP addresses, bypass censorship, or avoid tracking.
API Gateway: Proxy serving as API gateway, providing authentication, rate limiting, caching, and request/response transformation for backend services.
Technical Capabilities
A properly configured Squid proxy provides:
- HTTP/HTTPS Proxying: Forward proxy for web traffic with SSL/TLS support
- FTP Proxying: Transparent FTP protocol support
- Authentication: Integration with LDAP, Active Directory, RADIUS, NCSA, or custom authentication backends
- Access Control Lists (ACLs): Granular traffic control based on IP, domain, URL, time, user, content type, or custom patterns
- Content Caching: Intelligent caching with memory and disk storage, cache hierarchies, and parent proxy support
- SSL Bumping: HTTPS interception and inspection with dynamic certificate generation
- Bandwidth Limiting: Traffic shaping and bandwidth control per user, network, or content type
- Logging: Detailed access logs in multiple formats for analysis and compliance
- ICAP Integration: Content adaptation and virus scanning via ICAP protocol
- High Availability: Support for failover, load balancing, and redundant configurations
Requirements
System Requirements
Minimum Requirements (Small Office, 10-50 users):
- CPU: 2 cores at 2.0+ GHz
- RAM: 2GB (1GB for Squid + 1GB for OS)
- Storage: 20GB (10GB for cache + 10GB for OS and logs)
- Network: 100 Mbps network interface
- OS: Ubuntu 20.04/22.04, Debian 11/12, CentOS 8, Rocky Linux 8/9
Recommended Requirements (Medium Business, 100-500 users):
- CPU: 4 cores at 2.5+ GHz
- RAM: 8GB (4GB for Squid cache + 4GB for OS)
- Storage: 100GB SSD (50GB cache + 50GB logs/OS)
- Network: 1 Gbps network interface
- OS: Ubuntu 22.04 LTS
High-Performance Requirements (Large Organization, 1000+ users or high traffic):
- CPU: 8+ cores at 3.0+ GHz
- RAM: 16-32GB
- Storage: 500GB+ SSD or NVMe for cache, separate disk for logs
- Network: 10 Gbps network interface or multiple 1 Gbps interfaces
- OS: Ubuntu 22.04 LTS with kernel tuning
Cache Storage Considerations
Cache Size Planning:
- Small office (10-50 users): 10-20GB cache
- Medium business (100-500 users): 50-200GB cache
- Large organization (1000+ users): 500GB-2TB+ cache
Storage Performance:
- HDD: Acceptable for small deployments, limited IOPS
- SSD: Recommended for medium to large deployments, 10x+ performance improvement
- NVMe: Ideal for high-traffic environments, maximum IOPS and throughput
- RAM Cache: Critical for frequently accessed objects, allocate 10-20% of cache to RAM
Network Requirements
Network Positioning: Squid typically sits between client network and internet gateway, intercepting all outbound HTTP/HTTPS traffic.
Port Configuration:
- 3128/TCP: Default Squid proxy port (configurable)
- 3129/TCP: HTTPS/SSL intercept port (if using SSL bumping)
- 80/TCP: Optional transparent proxy redirection
- 443/TCP: Optional transparent HTTPS redirection
Bandwidth Considerations: Proxy server should have sufficient bandwidth to handle aggregate client traffic plus overhead for cache misses.
Software Requirements
Squid Version: Squid 4.x or 5.x recommended (latest stable version).
SSL/TLS Support: OpenSSL or GnuTLS for HTTPS proxying and SSL bumping.
Authentication Backends:
- NCSA: Basic username/password authentication
- LDAP: Integration with LDAP directories
- Samba: Active Directory authentication via Samba/Winbind
- RADIUS: RADIUS server authentication
- External: Custom authentication scripts
Optional Components:
- SquidAnalyzer or SARG: Log analysis and reporting tools
- ClamAV: Antivirus scanning via ICAP
- c-icap: ICAP server for content adaptation
Prerequisites Knowledge
- Linux system administration fundamentals
- Basic networking concepts (TCP/IP, DNS, routing)
- Understanding of HTTP/HTTPS protocols
- Firewall configuration experience
- Text editor proficiency (nano, vim)
Step-by-Step Setup
Step 1: System Preparation
Update system packages:
# Ubuntu/Debian
sudo apt update && sudo apt upgrade -y
# CentOS/Rocky Linux
sudo dnf update -y
Install essential tools:
# Ubuntu/Debian
sudo apt install -y curl wget net-tools
# CentOS/Rocky Linux
sudo dnf install -y curl wget net-tools
Step 2: Install Squid
Ubuntu/Debian:
sudo apt install squid -y
CentOS/Rocky Linux:
sudo dnf install squid -y
Verify installation:
squid -v
Should display Squid version and compile options.
Check initial status:
sudo systemctl status squid
Step 3: Backup Default Configuration
Create backup of original configuration:
sudo cp /etc/squid/squid.conf /etc/squid/squid.conf.original
View current configuration (remove comments and blank lines):
grep -v "^#" /etc/squid/squid.conf | grep -v "^$"
Step 4: Basic Squid Configuration
Create new simplified configuration:
sudo nano /etc/squid/squid.conf
Add the following basic configuration:
# Squid Proxy Server Configuration
# Network Settings
http_port 3128
# Cache Settings
cache_dir ufs /var/spool/squid 10000 16 256
cache_mem 256 MB
maximum_object_size 100 MB
minimum_object_size 0 KB
maximum_object_size_in_memory 512 KB
# Cache replacement policy
cache_replacement_policy heap LFUDA
memory_replacement_policy heap GDSF
# ACL Definitions
acl localnet src 10.0.0.0/8 # RFC 1918 local private network
acl localnet src 172.16.0.0/12 # RFC 1918 local private network
acl localnet src 192.168.0.0/16 # RFC 1918 local private network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local network range
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# Access Control
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all
# Logging
access_log /var/log/squid/access.log squid
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
# Hostname
visible_hostname squid-proxy
# Administrative settings
coredump_dir /var/spool/squid
# Refresh patterns for caching
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
Save and exit (Ctrl+X, Y, Enter).
Configuration Breakdown:
- http_port 3128: Proxy listening port
- cache_dir: Disk cache location, size (10GB), and directory structure
- cache_mem: RAM allocated for hot objects
- maximum_object_size: Largest object to cache (100MB)
- ACLs: Access control lists defining network ranges, ports, and methods
- http_access: Rules determining who can use proxy
- refresh_pattern: Cache freshness rules for different content types
Step 5: Initialize Cache Directories
Create cache directory structure:
sudo squid -z
This initializes swap directories. Takes a few moments.
Set proper ownership:
sudo chown -R proxy:proxy /var/spool/squid
sudo chown -R proxy:proxy /var/log/squid
Step 6: Start and Enable Squid
Enable Squid to start on boot:
sudo systemctl enable squid
Start Squid:
sudo systemctl start squid
Check status:
sudo systemctl status squid
Should show "active (running)".
Check logs for errors:
sudo tail -f /var/log/squid/cache.log
Step 7: Configure Firewall
Allow proxy port:
# UFW (Ubuntu/Debian)
sudo ufw allow 3128/tcp
# Firewalld (CentOS/Rocky)
sudo firewall-cmd --permanent --add-port=3128/tcp
sudo firewall-cmd --reload
Step 8: Test Proxy Connection
From a client machine on the same network, test proxy:
Linux/macOS Client:
curl -x http://PROXY_SERVER_IP:3128 http://example.com
Should return HTML content from example.com.
Browser Configuration:
- Open browser settings
- Navigate to Network/Proxy settings
- Select "Manual proxy configuration"
- HTTP Proxy:
PROXY_SERVER_IP - Port:
3128 - Apply and test by visiting websites
Check access log to verify requests:
sudo tail -f /var/log/squid/access.log
Should show entries for web requests.
Configuration
Authentication Configuration
Basic NCSA Authentication
Create password file:
sudo apt install apache2-utils -y # For htpasswd utility
sudo htpasswd -c /etc/squid/passwords user1
Enter password when prompted. Add more users (without -c flag):
sudo htpasswd /etc/squid/passwords user2
Update squid.conf:
# Authentication configuration
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwords
auth_param basic realm Squid Proxy Server
auth_param basic credentialsttl 2 hours
# ACL for authenticated users
acl authenticated_users proxy_auth REQUIRED
# Allow authenticated access
http_access allow authenticated_users
http_access deny all
Restart Squid:
sudo systemctl restart squid
Test authentication:
curl -x http://user1:password@PROXY_SERVER_IP:3128 http://example.com
LDAP Authentication
Install LDAP helper:
sudo apt install squid-ldap-auth -y
Configure LDAP authentication in squid.conf:
auth_param basic program /usr/lib/squid/basic_ldap_auth \
-b "dc=example,dc=com" \
-D "cn=admin,dc=example,dc=com" \
-w "admin_password" \
-f "uid=%s" \
-h ldap.example.com
auth_param basic realm Squid LDAP Authentication
auth_param basic credentialsttl 2 hours
acl authenticated_users proxy_auth REQUIRED
http_access allow authenticated_users
http_access deny all
Replace placeholders:
dc=example,dc=com: Your LDAP base DNcn=admin,dc=example,dc=com: LDAP bind DNadmin_password: LDAP bind passwordldap.example.com: LDAP server hostname
Access Control Lists (ACLs)
Block Specific Websites
Create blocked sites list:
sudo nano /etc/squid/blocked_sites.txt
Add domains to block (one per line):
.facebook.com
.twitter.com
.youtube.com
.instagram.com
The leading dot blocks domain and all subdomains.
Update squid.conf:
# Define ACL for blocked sites
acl blocked_sites dstdomain "/etc/squid/blocked_sites.txt"
# Deny access to blocked sites
http_access deny blocked_sites
Reload configuration:
sudo squid -k reconfigure
Time-Based Access Control
Allow access only during business hours:
# Define business hours (Monday-Friday, 9 AM - 5 PM)
acl business_hours time MTWHF 09:00-17:00
# Allow access during business hours
http_access allow localnet business_hours
http_access deny localnet
IP-Based Access Control
Allow specific IP addresses or networks:
# Define allowed networks
acl allowed_network src 192.168.1.0/24
acl admin_ips src 192.168.1.10 192.168.1.11
# Allow admin IPs unrestricted access
http_access allow admin_ips
# Allow network with restrictions
http_access allow allowed_network
Block File Downloads
Prevent downloading specific file types:
# Define blocked file extensions
acl blocked_files urlpath_regex -i \.exe$ \.msi$ \.dmg$ \.zip$ \.rar$ \.tar\.gz$
# Deny downloads
http_access deny blocked_files
Bandwidth Control by Content Type
Limit bandwidth for video streaming:
# Define video content
acl video_content urlpath_regex -i \.mp4$ \.avi$ \.mkv$ \.flv$
# Apply bandwidth limit (in bytes per second)
delay_pools 1
delay_class 1 1
delay_parameters 1 32000/32000 # 256 Kbps
delay_access 1 allow video_content
delay_access 1 deny all
SSL/TLS Interception (SSL Bumping)
Generate SSL Certificate Authority
Create CA certificate for SSL bumping:
sudo mkdir -p /etc/squid/ssl_cert
cd /etc/squid/ssl_cert
# Generate CA private key
sudo openssl genrsa -out squid-ca-key.pem 4096
# Generate CA certificate
sudo openssl req -new -x509 -days 3650 -key squid-ca-key.pem \
-out squid-ca-cert.pem -utf8 \
-subj "/C=US/ST=State/L=City/O=Organization/OU=Squid Proxy/CN=Squid CA"
# Combine for Squid
sudo cat squid-ca-cert.pem squid-ca-key.pem > squid-ca.pem
# Create directory for generated certificates
sudo mkdir -p /var/lib/squid/ssl_db
sudo /usr/lib/squid/security_file_certgen -c -s /var/lib/squid/ssl_db -M 4MB
# Set permissions
sudo chown -R proxy:proxy /var/lib/squid/ssl_db
sudo chown -R proxy:proxy /etc/squid/ssl_cert
Configure SSL Bumping
Update squid.conf:
# SSL Bump Configuration
http_port 3128 ssl-bump \
cert=/etc/squid/ssl_cert/squid-ca-cert.pem \
key=/etc/squid/ssl_cert/squid-ca-key.pem \
generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB
# SSL Bump rules
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump peek step1
ssl_bump stare step2
ssl_bump bump step3
# Don't bump banking or payment sites (optional)
acl nobump_sites ssl::server_name .paypal.com .bank.com
ssl_bump splice nobump_sites
Restart Squid:
sudo systemctl restart squid
Install CA Certificate on Clients
Distribute /etc/squid/ssl_cert/squid-ca-cert.pem to client devices and install as trusted CA:
Windows:
- Double-click certificate file
- Install Certificate → Local Machine → Trusted Root Certification Authorities
macOS:
- Double-click certificate file
- Add to System keychain
- Mark as "Always Trust"
Linux:
sudo cp squid-ca-cert.pem /usr/local/share/ca-certificates/squid-ca.crt
sudo update-ca-certificates
Caching Optimization
Optimize Cache for Web Content
# Cache directory (100GB, 16 first-level dirs, 256 second-level dirs)
cache_dir ufs /var/spool/squid 100000 16 256
# Memory cache (1GB for frequently accessed objects)
cache_mem 1024 MB
# Maximum object sizes
maximum_object_size 200 MB # Largest object to cache on disk
maximum_object_size_in_memory 1 MB # Largest object in RAM cache
# Minimum object size to cache
minimum_object_size 0 KB
# Cache replacement policies
cache_replacement_policy heap LFUDA # Least Frequently Used with Dynamic Aging
memory_replacement_policy heap GDSF # Greedy-Dual Size Frequency
# Refresh patterns for different content types
refresh_pattern -i \.(jpg|jpeg|png|gif|bmp|ico)$ 10080 90% 43200 # Images
refresh_pattern -i \.(js|css)$ 1440 40% 10080 # Scripts/Styles
refresh_pattern -i \.(pdf|doc|docx|xls|xlsx)$ 10080 90% 43200 # Documents
refresh_pattern -i \.(zip|rar|tar|gz|exe)$ 10080 90% 43200 # Archives
refresh_pattern ^ftp: 1440 20% 10080 # FTP
refresh_pattern ^gopher: 1440 0% 1440 # Gopher
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 # Dynamic content
refresh_pattern . 0 20% 4320 # Default
# Don't cache dynamic content
acl dynamic_content urlpath_regex cgi-bin \?
cache deny dynamic_content
# Store cache in directory
cache_swap_low 90
cache_swap_high 95
Multiple Cache Directories
Use multiple physical disks for better I/O performance:
cache_dir ufs /var/spool/squid1 50000 16 256
cache_dir ufs /var/spool/squid2 50000 16 256
cache_dir ufs /var/spool/squid3 50000 16 256
Initialize all cache directories:
sudo mkdir -p /var/spool/squid1 /var/spool/squid2 /var/spool/squid3
sudo chown proxy:proxy /var/spool/squid*
sudo squid -z
Parent Proxy Configuration
Configure Squid to use upstream parent proxy:
# Define parent proxy
cache_peer parent.proxy.com parent 3128 0 no-query default
# Use parent for all requests
never_direct allow all
For parent proxy with authentication:
cache_peer parent.proxy.com parent 3128 0 no-query default login=username:password
Transparent Proxy Setup
Intercept traffic transparently without client configuration:
Update squid.conf:
http_port 3129 intercept
Configure iptables to redirect traffic:
# Redirect HTTP traffic to Squid
sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3129
# Save iptables rules
sudo iptables-save | sudo tee /etc/iptables/rules.v4
For HTTPS transparent interception with SSL bumping:
https_port 3130 intercept ssl-bump cert=/etc/squid/ssl_cert/squid-ca-cert.pem key=/etc/squid/ssl_cert/squid-ca-key.pem generate-host-certificates=on
Redirect HTTPS traffic:
sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 3130
Optimization
Performance Tuning
Increase File Descriptors
sudo nano /etc/security/limits.conf
Add:
proxy soft nofile 65536
proxy hard nofile 65536
Update squid.conf:
max_filedescriptors 65536
Optimize Worker Processes
For multi-core systems:
workers 4 # Set to number of CPU cores
cpu_affinity_map process_numbers=1,2,3,4 cores=1,2,3,4
Memory Optimization
# Increase memory pools
memory_pools on
memory_pools_limit 512 MB
# Optimize object caching in memory
cache_mem 2048 MB
maximum_object_size_in_memory 2 MB
Network Optimization
# Increase network buffers
read_ahead_gap 32 KB
# Connection persistence
client_persistent_connections on
server_persistent_connections on
# Pipelining support
pipeline_prefetch on
Bandwidth Management
Per-User Bandwidth Limits
# Create delay pools
delay_pools 2
# Pool 1: Authenticated users (512 Kbps per user)
delay_class 1 2
delay_parameters 1 -1/-1 64000/64000
delay_access 1 allow authenticated_users
# Pool 2: Guest network (256 Kbps aggregate)
delay_class 2 1
delay_parameters 2 32000/32000
delay_access 2 allow guest_network
Time-Based Bandwidth Control
# Limit bandwidth during business hours
acl business_hours time MTWHF 09:00-17:00
delay_pools 1
delay_class 1 1
delay_parameters 1 128000/128000 # 1 Mbps during business hours
delay_access 1 allow localnet business_hours
delay_access 1 deny all
Log Rotation
Configure automatic log rotation:
sudo nano /etc/logrotate.d/squid
/var/log/squid/*.log {
daily
rotate 14
compress
delaycompress
notifempty
missingok
nocreate
sharedscripts
postrotate
/usr/sbin/squid -k rotate
endscript
}
Troubleshooting
Squid Won't Start
Check configuration syntax:
sudo squid -k parse
Reports configuration errors with line numbers.
Check logs:
sudo tail -n 50 /var/log/squid/cache.log
Common issues:
- Permission errors on cache directories
- Port already in use
- Invalid ACL syntax
Verify cache directories:
ls -la /var/spool/squid
Should be owned by proxy user.
Re-initialize cache:
sudo rm -rf /var/spool/squid/*
sudo squid -z
Connection Refused Errors
Verify Squid is running:
sudo systemctl status squid
Check listening port:
sudo netstat -tlnp | grep 3128
Should show squid process listening.
Test locally:
curl -x http://127.0.0.1:3128 http://example.com
If works locally but not remotely, check firewall.
Verify firewall:
# UFW
sudo ufw status
# Firewalld
sudo firewall-cmd --list-all
Authentication Not Working
Test authentication manually:
echo "user1 password" | /usr/lib/squid/basic_ncsa_auth /etc/squid/passwords
Should return OK for valid credentials, ERR for invalid.
Check password file permissions:
ls -la /etc/squid/passwords
Should be readable by proxy user:
sudo chown root:proxy /etc/squid/passwords
sudo chmod 640 /etc/squid/passwords
Increase authentication TTL:
auth_param basic credentialsttl 8 hours
SSL Bumping Issues
Verify CA certificate installation on client.
Check SSL database:
ls -la /var/lib/squid/ssl_db
Regenerate SSL database:
sudo rm -rf /var/lib/squid/ssl_db
sudo /usr/lib/squid/security_file_certgen -c -s /var/lib/squid/ssl_db -M 4MB
sudo chown -R proxy:proxy /var/lib/squid/ssl_db
Check for SSL errors in logs:
sudo grep -i ssl /var/log/squid/cache.log
High CPU Usage
Identify cause:
top -u proxy
Common causes:
- Too many worker processes
- Excessive logging
- Complex ACLs or regex patterns
- SSL bumping overhead
Optimize ACLs - use simple ACLs before complex regex:
# Fast domain check first
acl blocked_sites dstdomain .example.com
# Slower regex only if needed
acl complex_block url_regex -i badpattern
Reduce log verbosity:
debug_options ALL,1
Cache Not Working
Check cache hit ratio:
sudo squid-client mgr:info
Look for cache statistics.
Verify cache directory size:
du -sh /var/spool/squid
Check refresh patterns - ensure content is cacheable:
sudo tail -f /var/log/squid/access.log
Look for TCP_HIT (cache hit) vs TCP_MISS (cache miss).
Force cache for testing:
# Ignore cache-control headers (testing only!)
refresh_pattern . 0 100% 999999 ignore-no-cache ignore-no-store ignore-private
Monitoring and Reporting
Real-Time Monitoring
View active connections:
sudo squid-client mgr:active_requests
Cache information:
sudo squid-client mgr:info | grep -A 20 "Resource usage"
Real-time access log:
sudo tail -f /var/log/squid/access.log
SARG Log Analyzer
Install SARG (Squid Analysis Report Generator):
sudo apt install sarg -y
Configure SARG:
sudo nano /etc/sarg/sarg.conf
Update:
access_log /var/log/squid/access.log
output_dir /var/www/html/squid-reports
Generate reports:
sudo sarg
View reports at http://PROXY_SERVER_IP/squid-reports/.
SquidAnalyzer
Install SquidAnalyzer for advanced reporting:
sudo apt install squidanalyzer -y
Configure and generate reports:
sudo squid-analyzer -c /etc/squidanalyzer/squidanalyzer.conf
Conclusion
You now have a fully operational Squid proxy server providing comprehensive internet access control, caching, authentication, and monitoring capabilities. This enterprise-grade solution offers the flexibility and performance needed for organizations of all sizes.
Key achievements from this guide:
- Production-ready proxy server with caching, authentication, and access control
- SSL/TLS interception for HTTPS traffic inspection and filtering
- Granular access policies using ACLs for time, user, content, and network-based control
- Performance optimization through caching, bandwidth management, and resource tuning
- Comprehensive logging for compliance, security analysis, and usage monitoring
- Multiple authentication backends supporting NCSA, LDAP, Active Directory, and custom systems
Squid's modular architecture allows incremental feature addition. Start with basic forwarding proxy functionality and progressively implement authentication, SSL bumping, content filtering, and advanced caching as requirements evolve.
Regular maintenance includes monitoring cache hit ratios, reviewing access logs for security incidents, updating blocked site lists, optimizing cache size based on usage patterns, and keeping Squid updated for security patches.
Whether controlling corporate internet access, improving network performance, filtering content, or building sophisticated proxy hierarchies, Squid provides the foundation for professional proxy infrastructure.
Proxy wisely!