Squid Proxy Server: Setup, Access Control, and Cache Optimization

Why Squid Proxy?

In corporate and educational networks, controlling web access is essential. Squid provides:

Web filtering — block social media, gambling, or malware sites by domain.
Bandwidth savings — cache static content (images, JS, CSS) locally.
Compliance logging — record every URL accessed by every user.
Access policies — restrict browsing by time of day, user group, or IP range.

Prerequisites

Ubuntu 22.04 or RHEL 9.
At least 1 GB RAM (more for heavy caching).
Root or sudo access.
Port 3128 open in firewall.

Step 1: Install Squid

sudo apt install squid -y
sudo systemctl enable --now squid

Verify: curl -x http://localhost:3128 http://example.com should return the HTML of example.com.

Step 2: Configure ACLs

The heart of Squid is its Access Control Lists in /etc/squid/squid.conf.

Define Your Internal Network

# Define the internal network
acl localnet src 192.168.1.0/24
acl localnet src 10.0.0.0/8

# Block specific domains
acl blocked_sites dstdomain .facebook.com .tiktok.com .instagram.com
acl blocked_sites dstdomain .gambling-site.com

# Allow work hours only (Mon-Fri 8am-6pm)
acl work_hours time MTWHF 08:00-18:00

# Apply rules (ORDER MATTERS — first match wins)
http_access deny blocked_sites
http_access allow localnet work_hours
http_access deny all

Block by URL Pattern (Regex)

acl blocked_urls url_regex -i \.exe$ \.torrent$ streaming\.
http_access deny blocked_urls

Step 3: Enable Caching

# Disk cache: 10 GB, 16 L1 directories, 256 L2 directories
cache_dir ufs /var/spool/squid 10000 16 256

# In-memory cache
cache_mem 256 MB

# Maximum object size to cache (default is too small)
maximum_object_size 100 MB

# Don't cache private or authenticated content
cache deny QUERY

After changing cache settings:

sudo squid -z    # Initialize cache directories
sudo systemctl restart squid

Step 4: Logging and Monitoring

Squid logs every request to /var/log/squid/access.log.

Check cache hit ratio:

sudo squidclient -h localhost mgr:info | grep "Hit Ratios"

Real-time log tailing:

sudo tail -f /var/log/squid/access.log

A healthy cache should show TCP_HIT (served from cache) for at least 30-40% of static content requests.

Troubleshooting

Problem	Solution
”Access Denied” page for allowed sites	Check ACL order — deny rules before allow rules, first match wins
HTTPS sites not loading	Squid can’t inspect HTTPS without SSL Bump; use `ssl_bump peek` for hostname-only filtering
Cache hit ratio too low	Increase `cache_dir` size and `maximum_object_size`; check `refresh_pattern` rules
Squid won’t start after config change	Run `squid -k parse` to validate config syntax before restarting
Slow browsing	Check DNS resolver performance; reduce regex ACLs; increase `cache_mem`

Summary

Install Squid and define ACLs to control who can access what.
ACL rules are order-dependent — first matching rule wins.
Enable disk and memory caching for bandwidth savings.
Monitor the cache hit ratio to verify caching effectiveness.

Frequently Asked Questions

What is Squid Proxy and why use it?

Squid is an open-source forward proxy server and web cache. It sits between your internal network and the internet, allowing you to filter web traffic by domain or URL, cache frequently accessed content to reduce bandwidth, enforce browsing policies, and log all user web activity for compliance.

How do Squid ACLs control web access?

Access Control Lists (ACLs) define criteria (source IP, destination domain, time of day, URL pattern) and then http_access rules allow or deny traffic matching those criteria. ACLs are evaluated in order—the first matching rule wins. Always place deny rules before the final 'http_access deny all' catch-all.

Can Squid intercept HTTPS traffic?

Yes, using SSL Bumping (also called SSL Peek and Splice). Squid generates a dynamic certificate for each HTTPS site, allowing it to inspect and filter encrypted traffic. This requires installing Squid's CA certificate on all client machines. Without SSL Bumping, Squid can only see the hostname (via CONNECT method), not the URL path or content.

How do I troubleshoot slow browsing through Squid?

Check the cache hit ratio in access.log (DIRECT vs TCP_HIT). A low hit ratio means Squid is fetching most content from origin servers. Increase cache_dir size, ensure cache_mem is adequate (at least 256 MB), and verify that the DNS server Squid uses is fast. Also check if heavy ACL lists with regex matching are slowing request processing.