
Squid Proxy Server: Enterprise Caching and Filtering 2026

Introduction

Squid remains one of the most widely used proxy servers in 2026, with decades of production deployment across enterprises, educational institutions, and service providers. Despite the emergence of newer solutions, Squid’s mature feature set, extensive caching capabilities, and robust access control make it the go-to choice for organizations requiring sophisticated proxy and caching infrastructure.

This comprehensive guide covers Squid’s architecture, configuration patterns, access control, authentication integration, caching strategies, and production deployment. Whether you’re deploying a simple forward proxy or a complex transparent caching hierarchy, this article provides the knowledge needed to implement Squid effectively.

What is Squid?

Squid is a Unix-based proxy server that supports HTTP, HTTPS, FTP, and other protocols. It acts as an intermediary between clients and the internet, providing caching, filtering, and access control capabilities.

Core Capabilities

Web Caching: Store frequently accessed content locally to reduce bandwidth and improve response times.

Access Control: Sophisticated ACL-based filtering for content and user access.

Authentication Integration: Support for LDAP, NTLM, PAM, and basic authentication.

Transparent Proxying: Intercept traffic without client configuration.

Reverse Proxy: Front-end caching for web servers.

SSL/TLS Inspection: Decrypt and inspect HTTPS traffic.

Installation

Ubuntu/Debian

sudo apt update
sudo apt install squid
sudo systemctl enable squid

RHEL/CentOS/AlmaLinux

sudo dnf install squid
sudo systemctl enable squid

From Source

# Install dependencies
sudo apt install -y build-essential libssl-dev libcppunit-dev \
  libdb++-dev libexpat1-dev libxml2-dev libkrb5-dev \
  libldap2-dev libpam0g-dev libsasl2-dev libwrap0-dev

# Download and compile
wget http://www.squid-cache.org/Versions/v5/squid-5.2.tar.gz
tar -xzf squid-5.2.tar.gz
cd squid-5.2
# --with-openssl replaces the Squid 3-era --enable-ssl flag;
# --enable-linux-netfilter is required for the intercept ports used in the
# transparent proxy section, and --enable-snmp for the SNMP section
./configure --prefix=/usr/local/squid \
  --with-openssl \
  --enable-ssl-crtd \
  --enable-linux-netfilter \
  --enable-snmp \
  --enable-auth-negotiate \
  --enable-auth-ntlm \
  --enable-external-acl-helpers="file_userip,wbinfo_group"
make
sudo make install

Basic Configuration

Minimal Configuration

# /etc/squid/squid.conf

# Network configuration
http_port 3128

# ACL definitions
acl localnet src 10.0.0.0/8
acl localnet src 172.16.0.0/12
acl localnet src 192.168.0.0/16

# Allow local network
http_access allow localnet

# Deny all other
http_access deny all

Logging Configuration

# Logging
access_log /var/log/squid/access.log squid_native
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
logfile_rotate 30

# Log format: the same fields as Squid's built-in "squid" format, declared
# under its own name so it does not collide with the built-in definition
# (fields: timestamp, elapsed ms, client, result/status, bytes, method, URL,
# user, hierarchy/peer, content type)
logformat squid_native %ts.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt
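The native log format above is what most Squid monitoring and incident-response scripts consume. The following parser is an added example (not code from the original article or the Squid project): it reads lines in that field order, computes the cache hit ratio the way the cache manager reports it, counts TCP_DENIED responses per client address (a quick signal for hosts probing the proxy), sums bytes per authenticated user, and lists slow requests. The sample log lines are constructed for the example, and the HIT_CODES set is this example's own list of hit result codes.

```python
"""Parse Squid's native access.log format and summarise it.

Added example; not from the page's author or the Squid project.
Field order follows the logformat line above:
  %ts.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt
"""
from collections import Counter
from dataclasses import dataclass
from typing import List

# Result codes this example treats as "served from cache" (assumption: this
# list is the example's own, modelled on Squid's TCP_*HIT* codes)
HIT_CODES = {"TCP_HIT", "TCP_MEM_HIT", "TCP_IMS_HIT", "TCP_NEGATIVE_HIT",
             "TCP_REFRESH_UNMODIFIED", "TCP_OFFLINE_HIT"}

# Constructed sample lines (not real traffic) in the native format
SAMPLE_LOG = """\
1735689600.123    245 10.0.0.15 TCP_MISS/200 51234 GET http://www.example.com/index.html alice HIER_DIRECT/93.184.216.34 text/html
1735689601.456      2 10.0.0.15 TCP_MEM_HIT/200 8123 GET http://www.example.com/logo.png alice NONE/- image/png
1735689602.789     12 10.0.0.22 TCP_HIT/200 22011 GET http://www.example.com/app.js bob NONE/- application/javascript
1735689603.001      0 192.0.2.44 TCP_DENIED/403 3812 GET http://www.example.com/ - HIER_NONE/- text/html
1735689604.321      0 192.0.2.44 TCP_DENIED/403 3812 CONNECT www.example.com:443 - HIER_NONE/- -
1735689605.654    388 10.0.0.22 TCP_MISS/200 10240 GET http://cdn.example.net/video.mp4 bob HIER_DIRECT/203.0.113.9 video/mp4
"""


@dataclass
class AccessEntry:
    ts: float
    elapsed_ms: int
    client: str
    result: str        # Squid result code, e.g. TCP_MISS
    status: int        # HTTP status sent to the client
    size: int          # bytes sent to the client
    method: str
    url: str
    user: str          # "-" when the request was not authenticated
    hierarchy: str     # HIER_DIRECT, NONE, ...
    peer: str          # origin/peer address or "-"
    content_type: str


def parse_line(line: str) -> AccessEntry:
    # %6tr is space-padded, so split on runs of whitespace rather than a fixed width
    parts = line.split()
    if len(parts) < 10:
        raise ValueError(f"unexpected field count in line: {line!r}")
    result, status = parts[3].split("/", 1)
    hierarchy, peer = parts[8].split("/", 1)
    return AccessEntry(
        ts=float(parts[0]), elapsed_ms=int(parts[1]), client=parts[2],
        result=result, status=int(status), size=int(parts[4]),
        method=parts[5], url=parts[6], user=parts[7],
        hierarchy=hierarchy, peer=peer, content_type=parts[9],
    )


def parse_log(text: str) -> List[AccessEntry]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def hit_ratio(entries: List[AccessEntry]) -> float:
    """Fraction of served (non-denied) requests answered from the cache."""
    served = [e for e in entries if e.result != "TCP_DENIED"]
    if not served:
        return 0.0
    return sum(e.result in HIT_CODES for e in served) / len(served)


def denied_by_client(entries: List[AccessEntry]) -> Counter:
    """TCP_DENIED count per client address: a cheap probe/misconfiguration signal."""
    return Counter(e.client for e in entries if e.result == "TCP_DENIED")


def bytes_by_user(entries: List[AccessEntry]) -> Counter:
    """Bytes delivered per authenticated user (unauthenticated '-' is skipped)."""
    totals: Counter = Counter()
    for e in entries:
        if e.user != "-":
            totals[e.user] += e.size
    return totals


def slow_requests(entries: List[AccessEntry], threshold_ms: int) -> List[AccessEntry]:
    """Requests whose elapsed time exceeded the threshold."""
    return [e for e in entries if e.elapsed_ms > threshold_ms]


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print(f"hit ratio: {hit_ratio(log):.0%}")
    print("denied per client:", dict(denied_by_client(log)))
    print("bytes per user:", dict(bytes_by_user(log)))
    for e in slow_requests(log, 300):
        print(f"slow: {e.elapsed_ms} ms {e.url}")
```

For a production log, replace SAMPLE_LOG with the contents of /var/log/squid/access.log; the field order only holds for the native format, so a custom logformat needs the field indices adjusted in parse_line.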

Access Control Lists

Squid’s ACL system provides fine-grained control over proxy behavior.

Basic ACL Types

# IP-based ACLs
acl internal_network src 10.0.0.0/24
acl development src 192.168.1.0/24
acl trusted_ips src "/etc/squid/acls/trusted_ips.txt"

# Port-based ACLs
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl Safe_ports port 21

# Domain-based ACLs
acl allowed_domains dstdomain .example.com
acl blocked_domains dstdomain "/etc/squid/acls/blocked_domains.txt"

# URL-based ACLs
acl streaming_urls urlpath_regex -i \.(mp4|avi|mkv|flv)$
acl social_media url_regex -i facebook twitter instagram
acl download_files urlpath_regex -i \.exe$ \.zip$ \.rar$

# Time-based ACLs (day codes are S M T W H F A, with H = Thursday and
# A = Saturday, written as one string; times are the proxy's local time)
acl working_hours time MTWHF 09:00-17:00
acl break_time time MTWHF 12:00-14:00

# Method-based ACLs
acl purge method PURGE
acl connect method CONNECT

ACL Rule Examples

# Block dangerous ports
http_access deny !Safe_ports

# Block streaming during work hours (day codes as above: H is Thursday)
acl work_hours time MTWHF 09:00-17:00
http_access deny streaming_urls work_hours

# Allow social media only during breaks
http_access allow social_media break_time
http_access deny social_media

# Block specific domains
http_access deny blocked_domains

# Allow only specific domains during development
acl dev_sites dstdomain .example-dev.com
http_access allow dev_sites development
http_access deny all

Caching Configuration

Cache Size and Location

# Cache size: 10GB
cache_dir ufs /var/spool/squid 10000 16 256

# Memory cache: 512MB
cache_mem 512 MB

# Maximum object size: 50MB
maximum_object_size 50 MB

# Minimum object size: 0KB (cache everything)
minimum_object_size 0 KB

# Maximum object size in memory: 8MB
maximum_object_size_in_memory 8 MB

Cache Rules

# Refresh patterns
# Format: refresh_pattern [-i] regex min percent max
# (min and max are minutes; all three values are required)
# The first pattern whose regex matches the URL is used, so specific
# patterns must come before the catch-all "." at the end.

# Images - fresh for at least 1 week, at most 30 days
refresh_pattern -i \.(jpg|jpeg|png|gif|ico|svg|webp)$ 10080 100% 43200

# CSS/JS - fresh for at least 1 day, at most 1 week
refresh_pattern -i \.(css|js)$ 1440 100% 10080

# HTML - fresh for at least 1 hour, at most 1 day
refresh_pattern -i \.html$ 60 100% 1440

# Dynamic content - never considered fresh
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0

# Default - fresh for 1 day, then while the object's age is under 20% of
# the time since its Last-Modified date, never beyond 3 days
refresh_pattern . 1440 20% 4320
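To make the min/percent/max semantics concrete, here is an added example (not code from the article or from Squid itself) that loads the refresh_pattern lines above as data and decides whether a cached object is still fresh. It models the decision order Squid applies when no Expires or Cache-Control header settles the question: the first matching pattern wins, an age above max is stale, an age within min is fresh, and between the two the LM-factor (age divided by the time between Last-Modified and the time the object was stored) must be under percent. The "<= min" comparison and the rule labels are this example's own choices.

```python
"""Evaluate Squid refresh_pattern freshness rules (added example, not Squid code)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class RefreshPattern:
    regex: str
    min_minutes: int
    percent: int
    max_minutes: int
    ignore_case: bool = True   # the -i flag

    def matches(self, url: str) -> bool:
        flags = re.IGNORECASE if self.ignore_case else 0
        return re.search(self.regex, url, flags) is not None


# The refresh_pattern lines from the configuration above, in the same order
PATTERNS: List[RefreshPattern] = [
    RefreshPattern(r"\.(jpg|jpeg|png|gif|ico|svg|webp)$", 10080, 100, 43200),
    RefreshPattern(r"\.(css|js)$", 1440, 100, 10080),
    RefreshPattern(r"\.html$", 60, 100, 1440),
    RefreshPattern(r"(/cgi-bin/|\?)", 0, 0, 0),
    RefreshPattern(r".", 1440, 20, 4320),
]


def select_pattern(url: str, patterns: List[RefreshPattern] = PATTERNS) -> Optional[RefreshPattern]:
    """Squid uses the first refresh_pattern whose regex matches the URL."""
    for p in patterns:
        if p.matches(url):
            return p
    return None


def freshness(url: str, age_s: float, lm_age_s: Optional[float] = None,
              patterns: List[RefreshPattern] = PATTERNS) -> Tuple[str, str]:
    """Return (verdict, rule) for a cached object.

    age_s    : seconds since the object was stored
    lm_age_s : seconds between the origin's Last-Modified date and the store
               time; None when the origin sent no Last-Modified header
    The order (max, then min, then LM-factor, else stale) models Squid's
    heuristic path; an explicit Expires header would take precedence.
    """
    p = select_pattern(url, patterns)
    if p is None:
        return ("STALE", "no matching pattern")
    age_min = age_s / 60
    if age_min > p.max_minutes:
        return ("STALE", "max")
    if age_min <= p.min_minutes:
        return ("FRESH", "min")
    if lm_age_s is not None and lm_age_s > 0:
        lm_factor = age_s / lm_age_s * 100
        if lm_factor < p.percent:
            return ("FRESH", f"lm-factor {lm_factor:.0f}% < {p.percent}%")
        return ("STALE", f"lm-factor {lm_factor:.0f}% >= {p.percent}%")
    return ("STALE", "default")


if __name__ == "__main__":
    cases = [
        ("http://www.example.com/logo.png", 5000 * 60, None),
        ("http://www.example.com/logo.png", 20000 * 60, None),
        ("http://www.example.com/logo.png", 20000 * 60, 100000 * 60),
        ("http://www.example.com/search?q=squid", 30, None),
        ("http://www.example.com/api/data", 2000 * 60, 5000 * 60),
    ]
    for url, age, lm in cases:
        print(url, age // 60, "min ->", freshness(url, age, lm))
```

The third case shows why percent matters: an image older than its one-week minimum is still fresh when it was last modified long ago, because a slowly changing object is unlikely to have changed in the last fifth of its life. The query-string case shows how "0 0% 0" makes dynamic content stale the moment it is stored.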

Cache Control

# Don't cache these
acl nocache dstdomain .google.com .facebook.com
cache deny nocache

# Cache videos (the "cache" directive is evaluated against the request, so
# the ACL must match the URL; it is defined here because no "video" ACL
# exists in the ACL section above)
acl video urlpath_regex -i \.(mp4|webm|mkv)$
cache allow video
cache allow all

# Disk cache watermarks: eviction starts when the cache is cache_swap_high
# percent full and stops once usage drops to cache_swap_low percent
cache_swap_high 90
cache_swap_low 80

Authentication

Basic Authentication

# Install the htpasswd utility
sudo apt install apache2-utils

# Create the password file (-c creates it; omit -c when adding users)
sudo htpasswd -c /etc/squid/passwd username

# Add more users
sudo htpasswd /etc/squid/passwd username2

# Restrict the password file to the Squid service account
# (group is "proxy" on Debian/Ubuntu, "squid" on RHEL-family systems)
sudo chown root:proxy /etc/squid/passwd
sudo chmod 640 /etc/squid/passwd

# /etc/squid/squid.conf - enable basic auth
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm "Squid Proxy"
auth_param basic credentialsttl 2 hours

# ACL for authenticated users; the final deny stops unauthenticated clients
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access deny all

LDAP Authentication

# LDAP authentication (the bind password is read from a root-owned file with
# -W rather than passed with -w, where it would be visible in the process list;
# ldap.example.com is the directory server, given as the last argument)
auth_param basic program /usr/lib/squid/basic_ldap_auth \
  -R \
  -b "dc=example,dc=com" \
  -D "cn=proxy,ou=service,dc=example,dc=com" \
  -W /etc/squid/ldap_bind_password \
  -f "(&(uid=%s)(memberOf=cn=internet-users,ou=groups,dc=example,dc=com))" \
  -v 3 \
  ldap.example.com

auth_param basic children 10
auth_param basic realm "Corporate Proxy"

# Require authentication
acl ldap_auth proxy_auth REQUIRED
http_access allow ldap_auth
http_access deny all

NTLM Authentication

# NTLM authentication via Samba's ntlm_auth (the host must be joined to the
# domain with winbind running)
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param ntlm keep_alive on

# Group membership via the winbind group helper shipped with Squid
external_acl_type ntlm_group %LOGIN /usr/lib/squid/ext_wbinfo_group_acl
acl ntlm_auth proxy_auth REQUIRED
acl allowed_group external ntlm_group "Domain Users"

http_access allow ntlm_auth allowed_group
http_access deny all

Transparent Proxying

iptables Configuration

# Redirect HTTP traffic to Squid
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

# For HTTPS transparent proxy (SSL bump required)
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 3129

Squid Transparent Configuration

# Transparent HTTP proxy ("intercept" replaces the old "transparent" keyword)
http_port 3128 intercept

# Keep an ordinary forward-proxy port as well: Squid expects at least one
# non-intercepting http_port for the cache manager and its internal requests
# (3127 is an arbitrary choice)
http_port 3127

# Transparent HTTPS proxy (requires SSL bump and a CA that the clients trust;
# tls-cert=/tls-key= replace the older cert=/key= spelling, and the key file
# is the myca.pem produced in the certificate steps below)
https_port 3129 intercept \
  ssl-bump \
  generate-host-certificates=on \
  dynamic_cert_mem_cache_size=4MB \
  tls-cert=/etc/squid/ssl_cert/myca.crt \
  tls-key=/etc/squid/ssl_cert/myca.pem

# Helper that mints per-site certificates (ssl_crtd on Squid 3,
# security_file_certgen on Squid 4 and later)
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB

# SSL bumping: peek at the ClientHello first so the server name is known,
# terminate connections to sites on the risky list, then bump the rest
# (rules are evaluated in order, so "bump all" must come last)
acl step1 at_step SslBump1
acl risky ssl::server_name "/etc/squid/acls/risky_sites.txt"

ssl_bump peek step1
ssl_bump terminate risky
ssl_bump bump all

Generate SSL Certificates

# Create CA certificate (private key in myca.pem, certificate in myca.crt)
sudo mkdir -p /etc/squid/ssl_cert
cd /etc/squid/ssl_cert
sudo openssl req -new -newkey rsa:4096 -sha256 -days 3650 -nodes \
  -x509 -extensions v3_ca -keyout myca.pem -out myca.crt

# Restrict the private key to the Squid service account
# (squid:squid on RHEL-family systems, proxy:proxy on Debian/Ubuntu)
sudo chmod 600 myca.pem
sudo chown squid:squid myca.pem

# Distribute myca.crt (never myca.pem) to the clients' trust stores

# Initialize the certificate database used by the generator helper
# (ssl_crtd on Squid 3, security_file_certgen on Squid 4 and later)
sudo /usr/lib64/squid/security_file_certgen -c -s /var/lib/squid/ssl_db -M 4MB
sudo chown -R squid:squid /var/lib/squid/ssl_db

Reverse Proxy

Basic Reverse Proxy

# Listen on port 80; requests without a Host header are treated as
# being for www.example.com
http_port 80 accel defaultsite=www.example.com

# Backend server
cache_peer webserver.example.com parent 80 0 no-query originserver

# Only accept requests for the site this proxy fronts, never "allow all"
acl our_sites dstdomain www.example.com
http_access allow our_sites
http_access deny all

Load Balanced Reverse Proxy

# Multiple backends, rotated round-robin (each host may be declared only
# once as a cache_peer, so the health-check options go on the same lines)
cache_peer web1.example.com parent 80 0 no-query round-robin originserver \
  connect-timeout=5 connect-fail-limit=3
cache_peer web2.example.com parent 80 0 no-query round-robin originserver \
  connect-timeout=5 connect-fail-limit=3
cache_peer web3.example.com parent 80 0 no-query round-robin originserver \
  connect-timeout=5 connect-fail-limit=3

# Health checking: a peer whose connections fail connect-fail-limit times
# in a row (each attempt giving up after connect-timeout seconds) is marked
# dead and skipped until it answers again

# ACL for the fronted site
acl our_sites dstdomain www.example.com
http_access allow our_sites
http_access deny all

SSL Reverse Proxy

# HTTPS frontend (tls-cert=/tls-key= replace the older cert=/key= spelling)
https_port 443 accel defaultsite=www.example.com \
  tls-cert=/etc/ssl/certs/server.crt \
  tls-key=/etc/ssl/private/server.key

# Backends (plain HTTP on the internal network)
cache_peer backend1.example.com parent 80 0 no-query round-robin originserver
cache_peer backend2.example.com parent 80 0 no-query round-robin originserver

acl our_sites dstdomain www.example.com
http_access allow our_sites
http_access deny all

Monitoring and Management

Cache Manager

# Restrict the cache manager to the local host ("manager" and "localhost"
# are built-in ACLs since Squid 3.2; the old "acl manager proto cache_object"
# line is no longer needed)
http_access allow manager localhost
http_access deny manager

# Cache manager password ("secretpassword" is a placeholder; use a real secret)
cachemgr_passwd secretpassword all

Access at: http://your-squid:3128/squid-internal-mgr/

SNMP Configuration

# Enable SNMP
snmp_port 3401

acl snmppublic snmp_community public
snmp_access allow snmppublic localhost
snmp_access deny all

Statistics Scripts

# Cache hit ratio
squidclient -h localhost -p 3128 mgr:info | grep "Hit Ratio"

# Cache statistics
squidclient -h localhost -p 3128 mgr:store_digest | head -20

# Memory usage
squidclient -h localhost -p 3128 mgr:mem | head -20

Performance Tuning

Resource Limits

# Process limits (Squid has no max_threads_per_process directive; CPU
# scaling is done with SMP "workers", which require a rock cache_dir)
max_filedescriptors 65536

# Client limits
client_lifetime 1 day
half_closed_clients off
request_timeout 30 seconds
connect_timeout 10 seconds

# Cache limits (20 GB disk cache)
cache_dir ufs /var/spool/squid 20000 16 256

Optimization

# Quick abort: with min and max both at 0 KB, Squid abandons a fetch as soon
# as the client disconnects whenever data remains; quick_abort_pct only
# comes into play when quick_abort_max is raised
quick_abort_min 0 KB
quick_abort_max 0 KB
quick_abort_pct 95

# Memory management (vm_max_cycle is not a Squid directive; memory pools
# are the tunable for Squid's own allocator)
memory_pools on
memory_pools_limit 64 MB
ipcache_size 4096
ipcache_low 90
ipcache_high 95
fqdncache_size 2048

# Disk cache optimization
read_ahead_gap 64 KB
store_avg_object_size 50 KB
store_objects_per_bucket 50

High Availability

Parent Proxy

# Use parent proxy for external requests
cache_peer parent-proxy.example.com parent 3128 0 no-query default

# Go direct for destinations on the local network, send everything else
# through the parent (never_direct is keyed on the destination, not the client)
acl localnet_dst dst 10.0.0.0/8
always_direct allow localnet_dst
never_direct allow all

Cache Hierarchy

# Sibling caches: queried over ICP (so no "no-query", which would disable
# the queries) and proxy-only so objects fetched from a sibling are not
# duplicated on local disk
cache_peer sibling1.example.com sibling 3128 3130 \
  proxy-only \
  allow-miss \
  max-conn=32

cache_peer sibling2.example.com sibling 3128 3130 \
  proxy-only \
  allow-miss \
  max-conn=32

# ICP configuration (localnet is the src ACL defined in the basic config)
icp_port 3130
icp_access allow localnet
icp_access deny all

Security Hardening

Essential Security

# Listen port; all http_access allow rules must come before the final
# "deny all", because Squid stops at the first matching http_access line
http_port 3128

# Hide Squid's version and hop information from clients and origin servers
httpd_suppress_version_string on
visible_hostname proxy.example.com
via off

# Do not pass client IP addresses to origin servers
forwarded_for delete

# Close idle connections to origin servers (optional; costs performance)
server_persistent_connections off

# Default deny (keep as the last http_access rule)
http_access deny all

Advanced Security

# Restrict request methods: CONNECT must stay allowed for HTTPS through a
# forward proxy, so it is limited to the SSL_ports and connect ACLs
# defined in the ACL section
acl safe_methods method GET HEAD POST OPTIONS CONNECT
http_access deny !safe_methods
http_access deny connect !SSL_ports

# Limit concurrent connections per client address
acl too_many_conns maxconn 20
http_access deny too_many_conns

# Content filtering from a regex list file (one pattern per line)
acl blocked_content url_regex -i "/etc/squid/acls/blocked_content.txt"
http_access deny blocked_content
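Several mistakes in the ACL and hardening sections above are order problems that "squid -k parse" does not all catch: an http_access rule placed after a catch-all "deny all" or "allow all" is dead, "http_access allow all" turns a forward proxy into an open relay, an ACL used before it is defined aborts startup, and declaring the same cache_peer twice is rejected. The following linter is an added example (not part of the article or of Squid) that scans a squid.conf for exactly these conditions; the built-in ACL list, the set of ACL-consuming directives and the sample configuration are this example's own constructions, and it assumes trailing "#" comments and backslash continuations as squid.conf uses them.

```python
"""Static ordering and reference checks for squid.conf (added example, not Squid code)."""
from collections import Counter
from typing import Iterator, List, Tuple

# ACL names Squid predefines (assumption: the set as of Squid 3.2 and later)
BUILTIN_ACLS = {"all", "manager", "localhost", "to_localhost"}
# Directives whose arguments after the action are ACL names
ACL_USING = {"http_access", "http_reply_access", "cache", "ssl_bump",
             "icp_access", "snmp_access", "always_direct", "never_direct"}

# Constructed sample configuration containing one of each problem
SAMPLE_CONF = """\
http_port 3128 transparent
acl localnet src 10.0.0.0/8
acl Safe_ports port 80 443
http_access deny !Safe_ports
http_access allow localnet
http_access deny all
http_access allow trusted      # unreachable, and the ACL is never defined
cache deny nocache             # undefined ACL
cache_peer web1.example.com parent 80 0 no-query originserver
cache_peer web1.example.com parent 80 0 no-query originserver
"""


def logical_lines(text: str) -> Iterator[Tuple[int, List[str]]]:
    """Yield (first line number, tokens) with comments stripped and
    backslash continuations joined, as Squid's parser sees them."""
    buf: List[str] = []
    start = 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip() and not buf:
            continue
        if not buf:
            start = no
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        tokens = " ".join(buf).split()
        buf = []
        if tokens:
            yield start, tokens


def lint(text: str) -> List[Tuple[int, str]]:
    """Return (line, message) findings; line 0 marks whole-file findings."""
    findings: List[Tuple[int, str]] = []
    acls: set = set()
    peers: Counter = Counter()
    catch_all = None   # line of the first "http_access <allow|deny> all"
    for no, words in logical_lines(text):
        directive, args = words[0], words[1:]
        if directive == "acl" and args:
            acls.add(args[0])          # ACLs must be defined before use
        elif directive == "cache_peer" and args:
            # Peer identity is the name= option when present, else the host
            name = next((a[5:] for a in args if a.startswith("name=")), args[0])
            peers[name] += 1
        elif directive in ("http_port", "https_port") and "transparent" in args:
            findings.append((no, "'transparent' is the deprecated spelling of 'intercept'"))
        if directive in ACL_USING:
            for ref in args[1:]:
                bare = ref.lstrip("!")
                if bare not in acls and bare not in BUILTIN_ACLS:
                    findings.append((no, f"{directive} references undefined ACL '{bare}'"))
        if directive == "http_access" and len(args) >= 2:
            if catch_all is not None:
                findings.append((no, f"http_access rule unreachable: catch-all on line {catch_all}"))
            elif args[1:] == ["all"]:
                catch_all = no
                if args[0] == "allow":
                    findings.append((no, "'http_access allow all' makes this an open proxy"))
    for name, count in peers.items():
        if count > 1:
            findings.append((0, f"cache_peer '{name}' declared {count} times"))
    return findings


if __name__ == "__main__":
    for line, msg in lint(SAMPLE_CONF):
        print(f"line {line}: {msg}" if line else msg)
```

Run it against the real file with lint(open("/etc/squid/squid.conf").read()) before "squid -k reconfigure"; it complements rather than replaces "squid -k parse", which validates syntax but not rule reachability.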

Troubleshooting

Common Issues

# Test configuration syntax
squid -k parse

# Check logs
tail -f /var/log/squid/access.log
tail -f /var/log/squid/cache.log

# Rotate logs and check cache disk usage
squid -k rotate
du -sh /var/spool/squid/

# Check listening ports (ss replaces the deprecated netstat)
ss -tlnp | grep 3128

# Reload configuration without restarting
squid -k reconfigure

# Rebuild the on-disk cache directories (Squid must be stopped first)
squid -k shutdown
squid -z
sudo systemctl start squid

# Run in the foreground with debug output to watch startup problems
squid -N -d1

Debug Mode

# Enable debugging
debug_options ALL,1 28,2

# Or for specific section
debug_options 28,9

Best Practices

Security

  • Always use authentication for forward proxies
  • Implement SSL bumping only when necessary
  • Keep Squid updated
  • Use strong access controls
  • Monitor access logs regularly

Performance

  • Size cache appropriately for workload
  • Use SSD storage for cache
  • Tune refresh patterns
  • Monitor hit ratios
  • Implement proper logging levels

Reliability

  • Use parent proxies as fallback
  • Configure health checks
  • Implement proper backup procedures
  • Monitor disk space

Configuration

  • Version control configurations
  • Use includes for organization
  • Document ACL rules
  • Test before deployment

Conclusion

Squid proxy server remains a powerful and versatile solution for organizations needing sophisticated proxy, caching, and content filtering capabilities. Its mature feature set, extensive protocol support, and proven reliability make it suitable for everything from simple forward proxies to complex multi-tier caching hierarchies.

While newer solutions offer simpler configuration for basic use cases, Squid’s depth of configuration options and fine-grained control make it the choice for enterprise deployments requiring precise control over web traffic. By understanding Squid’s architecture and best practices outlined in this guide, administrators can deploy robust proxy infrastructure that meets demanding operational requirements.
