{"id":504,"date":"2025-06-02T13:15:00","date_gmt":"2025-06-02T13:15:00","guid":{"rendered":"https:\/\/blog.ngocha.biz\/?p=504"},"modified":"2025-06-02T13:15:00","modified_gmt":"2025-06-02T13:15:00","slug":"setup-and-configure-proxy-server","status":"publish","type":"post","link":"https:\/\/blog.ngocha.biz\/?p=504","title":{"rendered":"How To Setup and Configures Proxy Server – Squid Proxy"},"content":{"rendered":"

A proxy server<\/a> has many use cases<\/a>. it could range from personal internet access to restrict organization systems\/servers to access the external world or to limit external internet access for a set of servers on the cloud.<\/p>\n

The best way to configure a proxy server is by using the Squid proxy. It is a widely used proxy server.<\/p>\n

In this article, we have covered the following.<\/p>\n

    \n
  1. Install Squid Proxy on a Ubuntu server<\/li>\n
  2. Configure the proxy server<\/li>\n
  3. Configure basic proxy authentication.<\/li>\n
  4. Block websites using Squid proxy<\/li>\n
  5. Squid Proxy cache<\/li>\n<\/ol>\n

    Now, we can begin the installation.<\/p>\n

    Install Squid Proxy on Ubuntu<\/h2>\n

    Follow the steps below to install the latest Squid proxy on a Ubuntu server.<\/p>\n

    Note: For this setup, we use the Ubuntu 24.04 virtual machine.<\/p><\/blockquote>\n

    Step 1:<\/strong> Install Squid Proxy<\/strong><\/h3>\n

    Update the package list and install the Squid Proxy, using the following command.<\/p>\n

    sudo apt update -y\nsudo apt -y install squid<\/code><\/pre>\n
    Once the installation is completed, we need to start and enable the Squid Proxy service.<\/p>\n
    Step 3:<\/strong> Start and enable the Squid server<\/h3>\n
    To start and enable the service, use the following command.<\/p>\n
    sudo systemctl start squid\nsudo systemctl enable squid<\/code><\/pre>\n
    Once we start the service, we need to check its status.<\/p>\n
    Step 4:<\/strong> Check the status of the squid server<\/h3>\n
    To check the status of the Squid proxy, use the following command.<\/p>\n
    sudo systemctl status squid<\/code><\/pre>\n
    \"the<\/figure>\n
    The output ensures that the Squid Proxy is running without any issues, so we can configure the settings.<\/p>\n
    Configure Proxy Server<\/h2>\n
    All the configurations for the squid server are present in \/etc\/squid\/squid.conf<\/code> file.<\/p>\n
    Before modifying the squid.conf<\/code>, take the backup of the configuration file using the following commands<\/p>\n
    sudo cp \/etc\/squid\/squid.conf \/etc\/squid\/squid.conf.backup \nsudo chmod a-w \/etc\/squid\/squid.conf.backup<\/code><\/pre>\n
    But the recommended method is to create a custom configuration file for the custom settings.<\/p>\n
    Step 1: Create a Custom Configuration File<\/h3>\n
    To create a custom config file, Squid provides a directory \/etc\/squid\/conf.d<\/code>.<\/p>\n
    We need to create a file with the .conf<\/code> extension in this directory.<\/p>\n
    sudo touch \/etc\/squid\/conf.d\/custom.conf<\/code><\/pre>\n
    Change the ownership of the directory as proxy<\/code> and set the required permissions.<\/p>\n
    sudo chown proxy:proxy \/etc\/squid\/conf.d\n\nsudo chmod 755 \/etc\/squid\/conf.d<\/code><\/pre>\n
    Now, we can add the required configurations inside the file.<\/p>\n
    Step 2: Configure Proxy Sources to Access the Internet<\/h3>\n
    To modify the configuration, open the configuration file.<\/p>\n
    sudo vim \/etc\/squid\/conf.d\/custom.conf<\/code><\/pre>\n
    First, you need to configure the sources from which the Squid proxy should accept connections.<\/p>\n
    For example, you might need to access this proxy server only from your home network or from specific CIDR ranges.<\/p>\n
    You can add a source IP range with an ACL using the following format. Here, I am giving my private CIDR range as the source.<\/p>\n
    acl localnet src 172.31.0.0\/16\nhttp_access allow localnet<\/code><\/pre>\n
    Once you have added the configuration, save and exit the file.<\/p>\n
    Restart the proxy server after making the ACL changes.<\/p>\n
    sudo systemctl restart squid<\/code><\/pre>\n
    Note: After adding or changing any settings, restart the Squid proxy service to apply the changes.<\/p><\/blockquote>\n
    Step 2: Test Proxy Server Connectivity<\/h3>\n
    Now, we can test how we can access a website over the proxy.<\/p>\n
    \n
    \ud83d\udca1<\/div>\n
    If you are installing Squid Proxy on cloud VMs, such as EC2, ensure that you have enabled port 3128<\/code> for incoming traffic.<\/p>\n
    If you want to change the default port, you can edit the squid.conf<\/code> file and modify the HTTP port entry http_port 3128<\/code><\/div>\n<\/div>\n
    To test, use the following command.<\/p>\n
    curl -x http:\/\/<squid-proxy-server-IP>:3128 -I http:\/\/google.com<\/code><\/pre>\n
    \"The<\/figure>\n
    In the next section, we can configure the authentication.<\/p>\n
    \n
    \ud83d\udca1<\/div>\n
    Now, we have added only the private network, so if you try with the public IP, you will face HTTP\/1.1 403 Forbidden<\/code>.<\/div>\n<\/div>\n
    In the next section, we can configure the Squid proxy authentication.<\/p>\n
    Configure Proxy Authentication<\/h2>\n
    Along with access ACL’s, you can add basic authentication to your proxy server for extra security. <\/p>\n
    Follow the steps given below for setting up a basic auth for the squid proxy server.<\/p>\n
    Step 1:<\/strong> Install httpd-tools<\/h3>\n
    We need to install the htpasswd<\/code> utility to setup a basic authentication for Squid proxy.<\/p>\n
    sudo apt install apache2-utils -y\n<\/code><\/pre>\n
    Step 2:<\/strong> Create a passwd file and make squid as the file owner<\/h3>\n
    The password file will stored the encrypted user credentials, such as username and password.<\/p>\n
    Also, setting up the ownership as the user proxy<\/code>.<\/p>\n
    sudo touch \/etc\/squid\/passwd && sudo chown proxy \/etc\/squid\/passwd<\/code><\/pre>\n
    Step 3:<\/strong> Add pxuser<\/code> to the password file using htpasswd<\/code> utility. <\/h3>\n
    Now, we need to create a username and password so that it will be used for all connections through this proxy.<\/p>\n
     sudo htpasswd \/etc\/squid\/passwd pxuser<\/code><\/pre>\n
    It will prompt for a custom password. Enter a strong password you need. <\/p>\n
    \"adding<\/figure>\n
    Now, we need to add this authentication details on the Squid configuration file.<\/p>\n
    Step 4:<\/strong> Add the Authentication Settings on the Config File<\/h3>\n
    Open the configuration file.<\/p>\n
    sudo vi \/etc\/squid\/conf.d\/custom.conf<\/code><\/pre>\n
    Add the following to the config file and save it.<\/p>\n
    acl localnet src 172.31.0.0\/16\n\n# Authentication parameters\n\nauth_param basic program \/usr\/lib\/squid\/basic_ncsa_auth \/etc\/squid\/passwd\nauth_param basic children 5\nauth_param basic realm Squid Basic Authentication\nauth_param basic credentialsttl 2 hours\n\n# Define ACLs\n\nacl auth_users proxy_auth REQUIRED\n\n# Allow authenticated users (for non-blocked sites)\n\nhttp_access allow auth_users\n\nhttp_access allow localnet\n\n# Deny all others\n\nhttp_access deny all\n<\/code><\/pre>\n
    \n
    \ud83d\udca1<\/div>\n
    In Squid, the configuration rules will be applied in order. So if you want to allow something, add it before the deny all rule.<\/div>\n<\/div>\n
    Use the following command to see whether the syntax is correct.<\/p>\n
    sudo squid -k parse<\/code><\/pre>\n
    Now, restart the Squid service.<\/p>\n
    sudo systemctl restart squid<\/code><\/pre>\n
    Step 5:<\/strong> Test Squid Proxy Authentication<\/h3>\n
    Now, we can test the connection with the authentication.<\/p>\n
    curl -x http:\/\/<squid-proxy-server-IP>:3128 --proxy-user pxuser:admin -I http:\/\/google.com<\/code><\/pre>\n
    We can see the same output of the above.<\/p>\n
    But if you are trying to access without the authentication credentials, you will see the following error.<\/p>\n
    \"suqiid<\/figure>\n
    This how we set the basic authentication on the Squid proxy. In the next section, we will configure to block websites.<\/p>\n
    Blocking Websites using Squid Proxy<\/h2>\n
    Another great use of the proxy server is restricting the website access. Follow the steps below for creating a block list.<\/p>\n
    Step 1: Adding Websites on the Block List<\/h3>\n
    Open a .acl<\/code> file in the \/etc\/squid<\/code> directory to add the websites we want to block access.<\/p>\n
    sudo vi \/etc\/squid\/proxy-block-list.acl<\/code><\/pre>\n
    Now, we can add the list of websites.<\/p>\n
    facebook.com\ntwitter.com\ninstagram.com<\/code><\/pre>\n
    Once our blocklist is ready, we need to add this on the Squid config so Squid knows which website access should block.<\/p>\n
    Step 2: Adding ACL List in Config File<\/h3>\n
    Open the custom Squid config and add the following configuration at the very beginning of the file.<\/p>\n
    acl bad_urls dstdomain \"\/etc\/squid\/proxy-block-list.acl\"\nhttp_access deny bad_urls<\/code><\/pre>\n
    So your final config looks like the following <\/p>\n
    acl bad_urls dstdomain \"\/etc\/squid\/proxy-block-list.acl\"\nhttp_access deny bad_urls\n\nacl localnet src 172.31.0.0\/16\n\n# Authentication parameters\n\nauth_param basic program \/usr\/lib\/squid\/basic_ncsa_auth \/etc\/squid\/passwd\nauth_param basic children 5\nauth_param basic realm Squid Basic Authentication\nauth_param basic credentialsttl 2 hours\n\n# Define ACLs\n\nacl auth_users proxy_auth REQUIRED\n\n# Allow authenticated users (for non-blocked sites)\n\nhttp_access allow auth_users\n\nhttp_access allow localnet\n\n# Deny all others\n\nhttp_access deny all<\/code><\/pre>\n
    Now, you should restart the Squid service.<\/p>\n
    sudo systemctl restart squid<\/code><\/pre>\n
    Now, we can try to access one of the blocked site through the Squid proxy.<\/p>\n
    Step 3: Test Squid Proxy Blocked Websites<\/h3>\n
    Now, if you try to access the websites that are in the block list, you will get a 403 error<\/code> as shown below.<\/p>\n
    \"the<\/figure>\n
    In the next section, we can configure the cache configurations on the Squid Proxy.<\/p>\n
    Cache, Performance Tuning and Logs on Squid Proxy<\/h2>\n
    The caching feature in Squid proxy stores frequently accessed web content locally.<\/p>\n
    When we access the same web content again, Squid will initially check the local cache, and if it is valid, it will show us the page from the local cache.<\/p>\n
    This caching can reduce server load and latency.<\/p>\n
    Step 1: Add the Cache Configuration<\/h3>\n
    Open the Squid configuration file.<\/p>\n
    sudo vi \/etc\/squid\/conf.d\/custom.conf<\/code><\/pre>\n
    Add the following cache configurations on the custom config file.<\/p>\n
    # Allow caching of all allowed content\ncache allow all\n\n# Memory and disk settings\ncache_mem 512 MB\nmaximum_object_size_in_memory 512 KB\nmaximum_object_size 1024 MB\ncache_dir ufs \/var\/spool\/squid 10000 16 256\n\n# Memory and disk cache replacement policies\nmemory_replacement_policy heap GDSF\ncache_replacement_policy heap LFUDA\n\n# Static content - cache aggressively\nrefresh_pattern -i \\.(gif|png|jpg|jpeg|ico|webp)$  10080 90% 43200 override-expire ignore-reload\nrefresh_pattern -i \\.(css|js)$                     1440  90% 10080 override-expire\nrefresh_pattern -i \\.(html|htm)$                   1440  50% 10080\n\n# Specific domains\nrefresh_pattern ^http:\/\/.*\\.google\\.com\/            1440  80% 10080\n\n# Protocol patterns\nrefresh_pattern ^ftp:                               1440  20% 10080\nrefresh_pattern ^https:\/\/                           1440  70% 10080\nrefresh_pattern ^http:\/\/                            1440  70% 10080\n\n# Default catch-all (must be last)\nrefresh_pattern .                                   0     20% 4320<\/code><\/pre>\n
    The above configuration, stores the images, CSS, JS and some HTML on in memory to speed up the browsing.<\/p>\n
    Also, will keep some other useful files in memory and on the disk.<\/p>\n
    Next section, we can configure the performance settings.<\/p>\n
    Step 2: Performance Tuning<\/h3>\n
     For the performance tuning, you can use the following parameters<\/p>\n
    workers 1\nclient_lifetime 1 day\n\n# Connection management \n\nclient_persistent_connections on\nserver_persistent_connections on\nhalf_closed_clients off\n\n# More conservative timeout settings\n\nconnect_timeout 60 seconds\nrequest_timeout 3 minutes\npersistent_request_timeout 1 minute\nread_timeout 3 minutes\nwrite_timeout 3 minutes\n\n# Add connection limits\n\nclient_db off\nmaximum_single_addr_tries 3<\/code><\/pre>\n
    The above configuration defines the number of workers for traffic and open connection limits as well as timeouts.<\/p>\n
    Next, we can configure for Squid proxy logs.<\/p>\n
    Step 3: Log Configuration<\/h3>\n
    For the log configuration, use the following parameters.<\/p>\n
    access_log \/var\/log\/squid\/access.log combined\ncache_log \/var\/log\/squid\/cache.log\nlogfile_rotate 10\n\n# Enable cache status in logs\nlog_mime_hdrs off\nstrip_query_terms off<\/code><\/pre>\n
    The above configuration will logs all the client requests, cache logs and log rotation settings.<\/p>\n
    Once you add all the configurations, the config file looks like the following.<\/p>\n
    # === BLOCKED URLS ===\nacl bad_urls dstdomain \"\/etc\/squid\/proxy-block-list.acl\"\nhttp_access deny bad_urls\n\n# === INTERNAL NETWORK ===\nacl localnet src 172.31.0.0\/16\n\n# === AUTHENTICATION SETTINGS ===\nauth_param basic program \/usr\/lib\/squid\/basic_ncsa_auth \/etc\/squid\/passwd\nauth_param basic children 5\nauth_param basic realm Squid Basic Authentication\nauth_param basic credentialsttl 2 hours\n\n# === AUTHENTICATED USERS ===\nacl auth_users proxy_auth REQUIRED\n\n# === CACHE BEHAVIOR ===\n# Allow caching of all allowed content\ncache allow all\n\n# Memory and disk settings\ncache_mem 512 MB\nmaximum_object_size_in_memory 512 KB\nmaximum_object_size 1024 MB\ncache_dir ufs \/var\/spool\/squid 10000 16 256\n\n# Cache replacement policies\nmemory_replacement_policy heap GDSF\ncache_replacement_policy heap LFUDA\n\n# === REFRESH PATTERNS ===\n# Static content - cache aggressively\nrefresh_pattern -i \\.(gif|png|jpg|jpeg|ico|webp)$  10080 90% 43200 override-expire ignore-reload\nrefresh_pattern -i \\.(css|js)$                     1440  90% 10080 override-expire\nrefresh_pattern -i \\.(html|htm)$                   1440  50% 10080\n\n# Specific domains\nrefresh_pattern ^http:\/\/.*\\.google\\.com\/            1440  80% 10080\n\n# Protocol patterns\nrefresh_pattern ^ftp:                               1440  20% 10080\nrefresh_pattern ^https:\/\/                           1440  70% 10080\nrefresh_pattern ^http:\/\/                            1440  70% 10080\n\n# Default catch-all (must be last)\nrefresh_pattern .                                   0     20% 4320\n\n# === PERFORMANCE TUNING ===\n# Use single worker for stability\nworkers 1\nclient_lifetime 1 day\n\n# Connection management\nclient_persistent_connections on\nserver_persistent_connections on\nhalf_closed_clients off\n\n# Conservative timeout settings\nconnect_timeout 60 seconds\nrequest_timeout 3 minutes\npersistent_request_timeout 1 minute\nread_timeout 3 minutes\nwrite_timeout 3 minutes\n\n# Connection limits\nclient_db off\nmaximum_single_addr_tries 3\n\n# === LOGGING ===\naccess_log \/var\/log\/squid\/access.log combined\ncache_log \/var\/log\/squid\/cache.log\nlogfile_rotate 10\n\n# Log settings\nlog_mime_hdrs off\nstrip_query_terms off\n\n# === ACCESS CONTROL ===\n# Allow authenticated users (not blocked by bad_urls)\nhttp_access allow auth_users\n\n# Allow local network\nhttp_access allow localnet\n\n# Deny all others\nhttp_access deny all\n<\/code><\/pre>\n
    Now, we can check our configurations are correct using the following command.<\/p>\n
    sudo squid -k parse<\/code><\/pre>\n
    After ensuring the configurations, we need to initialize to create the cache directories.<\/p>\n
    Step 4: Initialize Cache Directories<\/h3>\n
    First, stop the Squid proxy service.<\/p>\n
    sudo systemctl stop squid<\/code><\/pre>\n
    Follow the command to create cache directories.<\/p>\n
    sudo squid -z<\/code><\/pre>\n
    Step 5: <\/strong>Start the Squid server and check the status<\/h3>\n
    Once the cache directories are created, we need to again start the service and check the status.<\/p>\n
    sudo systemctl start squid\nsudo systemctl status squid<\/code><\/pre>\n
    Now, our configurations are ready so we can test the cache.<\/p>\n
    Step 6: Test squid proxy cache <\/h3>\n
    Check the cache directory to ensure whether it is storing the cache or not<\/p>\n
    ls -la \/var\/spool\/squid<\/code><\/pre>\n
    You can see the following output of the Cache.<\/p>\n
    \"The<\/figure>\n
    To test the caching, we need to access any of the non blocked website.<\/p>\n
    curl -x http:\/\/<squid-proxy-server-IP>:3128 --proxy-user pxuser:admin -I http:\/\/google.com<\/code><\/pre>\n
    When you access a website for the first time, Squid will save the cache of the website. Next time, you try to access, Squid load the website from the cache so the response time will be reduced.<\/p>\n
    \"the<\/figure>\n
    This we can even identify from the access log as well<\/p>\n
    sudo tail \/var\/log\/squid\/access.log<\/code><\/pre>\n
    \"The<\/figure>\n