
How to Set Up Squid Proxy on Ubuntu 24
Squid is a powerful, open-source caching proxy server that sits between clients and servers, intercepting requests and serving cached content when possible. Setting up Squid on Ubuntu 24 gives you control over bandwidth usage, improved browsing speeds through caching, and enhanced security through request filtering. You’ll learn how to install, configure, and optimize Squid for various use cases, from simple web caching to complex proxy authentication setups.
How Squid Proxy Works
Squid operates as an intermediary between client applications and web servers. When a client makes a request, Squid checks its cache first. If the requested content exists and hasn’t expired, Squid serves it directly, saving bandwidth and reducing response time. For cache misses, Squid forwards the request to the origin server, caches the response based on configured rules, and returns the content to the client.
The proxy maintains an in-memory index of cached objects and stores actual content in disk-based storage directories. Squid uses various algorithms like LRU (Least Recently Used) and heap-based replacement policies to manage cache space efficiently. It supports HTTP, HTTPS, and FTP protocols, with configurable access controls and authentication mechanisms.
Installation and Basic Setup
Ubuntu 24.04 includes Squid 6.x in its repositories, which brings significant performance improvements over previous versions. Start by updating your package list and installing Squid:
sudo apt update
sudo apt install squid -y
Verify the installation and check the service status:
squid -v
sudo systemctl status squid
The default configuration file is located at /etc/squid/squid.conf. Before making changes, create a backup:
sudo cp /etc/squid/squid.conf /etc/squid/squid.conf.backup
Squid runs on port 3128 by default. You can verify it’s listening:
sudo ss -tlnp | grep :3128
Essential Configuration Options
The squid.conf file contains hundreds of directives, but you only need to modify a handful for basic functionality. Here’s a minimal working configuration:
# Basic port configuration
http_port 3128
# Access control lists
acl localnet src 10.0.0.0/8
acl localnet src 172.16.0.0/12
acl localnet src 192.168.0.0/16
acl localnet src fc00::/7
acl localnet src fe80::/10
# Safe ports
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT
# Access rules
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all
# Cache directory
cache_dir ufs /var/spool/squid 100 16 256
# Memory cache
cache_mem 256 MB
# Log files
access_log /var/log/squid/access.log squid
After modifying the configuration, test it for syntax errors:
sudo squid -k parse
If the configuration is valid, restart Squid:
sudo systemctl restart squid
sudo systemctl enable squid
Advanced Configuration Examples
For production environments, you’ll want more sophisticated configurations. Here’s an example that includes authentication, custom cache rules, and bandwidth limiting:
# Authentication setup
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Squid Proxy
auth_param basic credentialsttl 2 hours
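# Defining the acl does not enforce anything: reference it in an http_access rule,
# for example "http_access allow localnet authenticated" in place of "http_access allow localnet"
acl authenticated proxy_auth REQUIRED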
# Custom ACLs for different user groups
acl business_hours time MTWHF 09:00-18:00
acl social_media dstdomain .facebook.com .twitter.com .instagram.com
acl downloads urlpath_regex -i \.(exe|zip|rar|mp3|mp4|avi)$
# Bandwidth limiting
delay_pools 1
delay_class 1 2
delay_parameters 1 32000/32000 8000/8000
delay_access 1 allow downloads
delay_access 1 deny all
# Cache customization
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
# Logging
logformat combined %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
access_log /var/log/squid/access.log combined
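Create the password file for authentication. The htpasswd tool comes from the apache2-utils package, and the -c option creates (and overwrites) the file, so omit it when adding further users:
sudo apt install apache2-utils -y
sudo htpasswd -c /etc/squid/passwd username
sudo chown proxy:proxy /etc/squid/passwd
sudo chmod 640 /etc/squid/passwd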
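ACLs such as authenticated, business_hours and social_media only take effect once a rule references them. The following check is an added example, not part of the original article or of Squid: the helper name lint_squid_acls and the sample configuration are constructed for illustration, and it assumes one directive per line with no acl referencing another acl.

```shell
#!/bin/bash
# lint_squid_acls FILE  (hypothetical helper, not a Squid tool)
# Prints "UNUSED <name>" for each acl that no other directive references,
# and "NO_FINAL_DENY" when the last http_access rule is not "deny all".
lint_squid_acls() {
  awk '
    /^[ \t]*(#|$)/ { next }                      # skip comments and blank lines
    $1 == "acl" {                                # remember each ACL name once, in order
      if (!($2 in defined)) { defined[$2] = 1; order[++n] = $2 }
      next
    }
    {                                            # any other directive
      for (i = 2; i <= NF; i++) {                # tokens may be ACL names, possibly negated
        name = $i; sub(/^!/, "", name); used[name] = 1
      }
      if ($1 == "http_access") last = $2 " " $3
    }
    END {
      for (i = 1; i <= n; i++)
        if (!(order[i] in used)) print "UNUSED " order[i]
      if (last != "deny all") print "NO_FINAL_DENY"
    }
  ' "$1"
}

# Constructed sample: the ACLs from the advanced example plus a typical rule set.
lint_demo() {
  local conf; conf="$(mktemp)"
  cat > "$conf" <<'EOF'
acl localnet src 192.168.0.0/16
acl Safe_ports port 80 443
acl authenticated proxy_auth REQUIRED
acl business_hours time MTWHF 09:00-18:00
acl social_media dstdomain .facebook.com .twitter.com .instagram.com
acl downloads urlpath_regex -i \.(exe|zip|rar|mp3|mp4|avi)$
delay_access 1 allow downloads
delay_access 1 deny all
http_access deny !Safe_ports
http_access allow localnet
http_access deny all
EOF
  lint_squid_acls "$conf"
  rm -f "$conf"
}

lint_demo
```

On the sample it reports authenticated, business_hours and social_media as unused, which means the proxy would serve localnet clients without ever asking for credentials.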
Performance Tuning and Cache Optimization
Squid’s performance depends heavily on proper cache configuration and system resources. The cache hierarchy determines how efficiently Squid stores and retrieves objects:
Parameter | Default | Recommended (Small) | Recommended (Large) | Description |
---|---|---|---|---|
cache_mem | 256 MB | 512 MB | 2-4 GB | Memory used for hot objects |
cache_dir size | 100 MB | 10 GB | 100+ GB | Disk space for cache |
maximum_object_size | 4 MB | 50 MB | 500 MB | Largest cacheable object |
cache_replacement_policy | lru | heap LFUDA | heap LFUDA | Object replacement algorithm |
For high-traffic environments, consider using multiple cache directories on different disks:
cache_dir aufs /var/cache/squid1 20000 64 256
cache_dir aufs /var/cache/squid2 20000 64 256
cache_dir aufs /var/cache/squid3 20000 64 256
Monitor cache performance using Squid’s built-in statistics:
squidclient -h localhost -p 3128 mgr:info
squidclient -h localhost -p 3128 mgr:storedir
Real-World Use Cases and Examples
Squid serves various purposes in different environments. Here are common implementation scenarios:
- Corporate Network Proxy: Filter content, monitor usage, and cache frequently accessed sites to reduce bandwidth costs
- Content Delivery: Cache static assets for web applications, reducing load on origin servers
- Security Gateway: Inspect and filter outbound traffic, block malicious websites and downloads
- Bandwidth Optimization: Implement traffic shaping and prioritization for different user groups
- Development Environment: Cache package repositories and development tools to speed up builds
For a development team proxy that caches package repositories:
# Package repository caching
acl package_repos dstdomain .ubuntu.com .debian.org .npmjs.org .pypi.org
cache_mem 1024 MB
maximum_object_size 1024 MB
cache_dir ufs /var/spool/squid 50000 16 256
# Longer cache times for packages
refresh_pattern -i \.(deb|rpm|tar\.gz|tgz)$ 43200 90% 432000
refresh_pattern -i /Packages$ 60 90% 1440
refresh_pattern -i /Release$ 60 90% 1440
SSL/TLS Interception and HTTPS Handling
Modern web traffic is predominantly HTTPS, which presents challenges for proxy caching. Squid can handle HTTPS in several ways:
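For HTTPS tunneling without inspection on an intercepting port, Squid peeks at the start of the TLS handshake and then splices every connection through without decrypting it. The ssl_bump directives need a Squid build with OpenSSL support, which on Ubuntu is the squid-openssl package rather than the default squid package: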
https_port 3129 intercept ssl-bump cert=/etc/squid/ssl/squid.crt key=/etc/squid/ssl/squid.key
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump splice all
Generate SSL certificates for Squid:
sudo mkdir -p /etc/squid/ssl
sudo openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 \
-keyout /etc/squid/ssl/squid.key \
-out /etc/squid/ssl/squid.crt \
-subj "/C=US/ST=State/L=City/O=Organization/CN=squid-proxy"
sudo chown -R proxy:proxy /etc/squid/ssl
Monitoring and Troubleshooting
Effective Squid management requires continuous monitoring. Key log files include:
- /var/log/squid/access.log – All client requests and responses
- /var/log/squid/cache.log – Squid daemon messages and errors
- /var/log/squid/store.log – Cache storage operations
Common issues and their solutions:
# Check for configuration errors
sudo squid -k parse
# Test connectivity
curl -x localhost:3128 http://example.com
# Monitor real-time access
sudo tail -f /var/log/squid/access.log
# Check cache statistics
squidclient -h localhost -p 3128 mgr:info | grep -E "requests|hits|ratio"
Performance monitoring script:
#!/bin/bash
# squid-stats.sh
echo "=== Squid Performance Report ==="
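echo "Hit Ratio:"
# Current Squid releases label these lines "Hits as % of ..." in mgr:info
squidclient mgr:info | grep -E "Hits as % of (all requests|bytes sent)"
echo -e "\nCache Usage:"
squidclient mgr:storedir | grep -E "KB|%"
echo -e "\nClient Request Rate (5 min average):"
# client_http.requests is reported by mgr:5min, not mgr:info
squidclient mgr:5min | grep "client_http.requests"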
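The access log also records what the proxy refused, which is where misconfigured clients and repeated authentication failures show up. This added example (not from the original article) summarises refusals per client from a log in the native squid format used in the basic configuration; the helper name, the 407 threshold and the sample lines are constructed.

```shell
#!/bin/bash
# squid_denied_summary LOGFILE [MIN_407]   (hypothetical helper)
# Reads a native "squid"-format access.log and prints, sorted:
#   AUTH_FAIL <client> <count>                 clients with >= MIN_407 TCP_DENIED/407 replies
#   DENIED <client> <count>                    other refused requests (typically 403)
#   BLOCKED_CONNECT <client> <target> <count>  refused tunnel targets
squid_denied_summary() {
  awk -v min="${2:-3}" '
    { split($4, r, "/") }                        # $4 is e.g. TCP_DENIED/403
    r[1] !~ /DENIED/ { next }
    r[2] == 407 { auth[$3]++; next }             # an initial 407 challenge is normal
    { denied[$3]++ }
    $6 == "CONNECT" { tunnel[$3 " " $7]++ }
    END {
      for (c in auth) if (auth[c] >= min) print "AUTH_FAIL", c, auth[c]
      for (c in denied) print "DENIED", c, denied[c]
      for (t in tunnel) print "BLOCKED_CONNECT", t, tunnel[t]
    }
  ' "$1" | LC_ALL=C sort
}

# Constructed sample log lines (private and documentation address ranges).
denied_demo() {
  local log; log="$(mktemp)"
  cat > "$log" <<'EOF'
1718000001.100      2 192.168.1.10 TCP_DENIED/407 4021 GET http://example.com/ - HIER_NONE/- text/html
1718000001.300     85 192.168.1.10 TCP_MISS/200 1520 GET http://example.com/ alice HIER_DIRECT/192.0.2.10 text/html
1718000002.000      1 192.168.1.66 TCP_DENIED/407 4021 GET http://example.org/ - HIER_NONE/- text/html
1718000003.000      1 192.168.1.66 TCP_DENIED/407 4021 GET http://example.org/ bob HIER_NONE/- text/html
1718000004.000      1 192.168.1.66 TCP_DENIED/407 4021 GET http://example.org/ bob HIER_NONE/- text/html
1718000005.000      1 192.168.1.66 TCP_DENIED/407 4021 GET http://example.org/ bob HIER_NONE/- text/html
1718000009.000      0 192.168.1.77 TCP_DENIED/403 3900 CONNECT 192.0.2.50:8443 - HIER_NONE/- text/html
1718000010.000      0 192.168.1.77 TCP_DENIED/403 3900 CONNECT 192.0.2.50:22 - HIER_NONE/- text/html
EOF
  squid_denied_summary "$log" 3
  rm -f "$log"
}

denied_demo
```

The field positions apply to the native format only; a log written with the combined format from the advanced example needs different column numbers.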
Security Considerations and Best Practices
Securing Squid involves multiple layers of protection. Start with restricting access to management interfaces:
# The manager and localhost ACLs are built in since Squid 3.2 and must not be redefined
# SSL_ports is the ACL defined in the basic configuration above
acl Safe_ports port 80 443 21 70 210 280 488 591 777 1025-65535
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
Implement rate limiting to prevent abuse:
acl heavy_users src "/etc/squid/heavy_users.txt"
delay_pools 1
delay_class 1 1
delay_parameters 1 16000/64000
delay_access 1 allow heavy_users
For production deployments on robust infrastructure, consider dedicated servers that provide the CPU and memory resources needed for high-performance proxy operations.
Integration with System Monitoring
Integrate Squid metrics with monitoring systems like Prometheus:
# Create squid exporter systemd service
sudo tee /etc/systemd/system/squid-exporter.service << EOF
[Unit]
Description=Squid Prometheus Exporter
After=network.target
[Service]
Type=simple
User=nobody
ExecStart=/usr/local/bin/squid_exporter --squid-hostname=localhost --squid-port=3128
Restart=on-failure
[Install]
WantedBy=multi-user.target
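EOF
# Load the new unit and start the exporter
sudo systemctl daemon-reload
sudo systemctl enable --now squid-exporter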
For smaller deployments, VPS instances provide sufficient resources for Squid proxy setups while maintaining cost effectiveness.
The official Squid documentation provides comprehensive details on advanced configurations and optimization techniques at squid-cache.org. Ubuntu's community documentation also offers distribution-specific guidance for Squid deployment and maintenance.
