Overview

• What you’ll learn: Forward proxy concepts, Squid installation on Ubuntu, access control lists (ACLs), http_access rules, cache configuration, disk and memory caching, and proxy authentication with basic and NCSA methods.
• Prerequisites: Module 3 — Lessons 21–26 (HTTP Fundamentals through Reverse Proxy and Load Balancing)
• Estimated reading time: 18 minutes

Introduction

A forward proxy is a server that sits between client machines on an internal network and the Internet, intercepting outbound requests and forwarding them on behalf of the clients. Unlike a reverse proxy (which protects servers), a forward proxy protects and controls clients. Forward proxies are widely used in enterprise environments for content filtering, bandwidth optimization through caching, access control, and monitoring employee Internet usage.

Squid is the most widely deployed open-source forward proxy and caching server. It has been in active development since the 1990s and supports HTTP, HTTPS, FTP, and other protocols. Squid can cache frequently accessed content to reduce bandwidth consumption and improve response times, enforce access policies through a flexible ACL system, and authenticate users before allowing Internet access.

In this lesson, you will learn the theory behind forward proxies, install and configure Squid on Ubuntu Server, define access control lists, configure caching parameters, and set up user authentication. By the end, you will be able to deploy a fully functional Squid proxy that controls and optimizes Internet access for your network.

Forward Proxy Concepts

In a forward proxy architecture, clients are configured to send their HTTP requests to the proxy server rather than directly to the destination. The proxy evaluates the request against its access policies, and if allowed, fetches the resource from the Internet and returns it to the client. The destination server sees the proxy’s IP address, not the client’s.

Forward proxies serve several purposes in enterprise and educational environments:

• Content Filtering: Block access to specific websites, domains, or content categories (e.g., social media, malware sites).
• Caching: Store frequently accessed content locally, reducing bandwidth usage and improving response times for repeated requests.
• Access Control: Restrict Internet access based on source IP, user authentication, time of day, or destination.
• Anonymity: Hide client IP addresses from destination servers, providing a layer of privacy.
• Monitoring and Logging: Record all web traffic for auditing, compliance, or troubleshooting purposes.

There are two deployment modes for forward proxies:

• Explicit Proxy: Clients are manually configured (or auto-configured via PAC files) to use the proxy. The client knows it is communicating through a proxy.
• Transparent Proxy: Network infrastructure (firewall/router rules) redirects traffic through the proxy without client configuration. The client is unaware of the proxy.

Installing and Configuring Squid on Ubuntu

Squid is available in the Ubuntu default repositories. Installation is straightforward, and the main configuration file is located at /etc/squid/squid.conf. The default configuration is extensively commented and spans thousands of lines. It is good practice to back up the original before making changes.

# Install Squid
$ sudo apt update
$ sudo apt install squid -y

# Verify installation and service status
$ squid -v | head -1
Squid Cache: Version 5.7

$ sudo systemctl status squid
● squid.service - Squid Web Proxy Server
     Active: active (running)

# Back up the original configuration
$ sudo cp /etc/squid/squid.conf /etc/squid/squid.conf.original

# The default config has ~8000 lines of comments and directives
$ wc -l /etc/squid/squid.conf
8441 /etc/squid/squid.conf

# Strip comments to see active directives
$ grep -v "^#" /etc/squid/squid.conf | grep -v "^$"

After installation, Squid listens on port 3128 by default. The default configuration denies all external access and only permits requests from localhost. You need to customize the ACLs and access rules to allow your network’s clients to use the proxy.

# /etc/squid/squid.conf — Basic configuration

# Define the port Squid listens on
http_port 3128

# Define your local network
acl localnet src 10.0.0.0/8
acl localnet src 172.16.0.0/12
acl localnet src 192.168.0.0/16

# Define safe ports
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 443         # https
acl Safe_ports port 21          # ftp
acl Safe_ports port 1025-65535  # unregistered ports

# Access rules — order matters (first match wins)
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all

# Restart Squid to apply changes
$ sudo systemctl restart squid

# Test the proxy from a client
$ curl -x http://proxy-server:3128 http://www.example.com/

ACLs and http_access Rules

Squid’s access control system is built on two components: ACL definitions that classify requests based on various criteria, and http_access rules that allow or deny requests based on those classifications. The ACL system is extremely flexible and supports many element types.

Common ACL types include:

• src: Match based on client source IP address or network range.
• dst: Match based on destination IP address.
• dstdomain: Match based on destination domain name.
• port: Match based on destination port number.
• time: Match based on day of week and time of day.
• url_regex: Match based on regular expression against the URL.
• proxy_auth: Match based on authenticated username.

# ACL examples in /etc/squid/squid.conf

# Block specific domains
acl blocked_sites dstdomain .facebook.com .twitter.com .tiktok.com
http_access deny blocked_sites

# Block domains from a file
acl blocked_list dstdomain "/etc/squid/blocked-domains.txt"
http_access deny blocked_list

# Allow access only during business hours (Mon-Fri, 8am-6pm)
acl business_hours time MTWHF 08:00-18:00
acl staff_network src 192.168.10.0/24
http_access allow staff_network business_hours
http_access deny staff_network

# Block URLs containing certain keywords
acl bad_urls url_regex -i gambling poker casino
http_access deny bad_urls

# Allow specific IPs unrestricted access (e.g., IT department)
acl it_dept src 192.168.10.50 192.168.10.51 192.168.10.52
http_access allow it_dept

# Create the blocked domains file
$ sudo tee /etc/squid/blocked-domains.txt <<EOF
.facebook.com
.instagram.com
.tiktok.com
.reddit.com
EOF

# Reconfigure Squid without full restart
$ sudo squid -k reconfigure

The http_access rules are processed from top to bottom, and the first matching rule determines whether the request is allowed or denied. This means rule ordering is critical — more specific rules should appear before general ones. Always end with http_access deny all as a safety net.

Cache Configuration

Caching is one of Squid’s primary features. When a client requests a resource that Squid has already cached, it returns the cached copy without contacting the origin server. This reduces bandwidth, lowers latency for clients, and decreases load on origin servers. Squid supports both memory caching (fast, limited) and disk caching (larger, slower).

# /etc/squid/squid.conf — Cache configuration

# Memory cache size (objects stored in RAM for fastest access)
cache_mem 256 MB

# Maximum size of individual objects stored in memory
maximum_object_size_in_memory 1 MB

# Disk cache: type, directory, size (MB), L1 dirs, L2 dirs
# ufs = standard Squid storage, 10000 MB = 10 GB
cache_dir ufs /var/spool/squid 10000 16 256

# Maximum size of individual cached objects on disk
maximum_object_size 100 MB

# Minimum object size to cache (skip tiny objects)
minimum_object_size 0 KB

# Cache replacement policy
cache_replacement_policy lru

# Memory replacement policy
memory_replacement_policy lru

# Cache log location
cache_log /var/log/squid/cache.log

# Access log — records all client requests
access_log /var/log/squid/access.log squid

# Refresh patterns: min_age percentage max_age
# Controls how long cached objects remain fresh
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|?) 0     0%      0
refresh_pattern .               0       20%     4320

# Initialize the cache directories (first time only)
$ sudo squid -z

# Restart to apply cache changes
$ sudo systemctl restart squid

# Monitor cache performance
$ sudo squidclient -h 127.0.0.1 mgr:info | grep -A5 "Cache"

# View cache hit/miss statistics
$ sudo tail -f /var/log/squid/access.log | awk '{print $4}'

The cache_dir directive defines where and how much disk space Squid uses for caching. The ufs storage type is the default and works well for most deployments. The two numbers after the size (16 and 256) define the number of first-level and second-level subdirectories used to organize cached files. The refresh_pattern directives control how Squid determines whether a cached object is still fresh or needs revalidation from the origin server.

Authentication

Squid supports several authentication schemes to require users to identify themselves before accessing the Internet. The most common approach is NCSA Basic authentication, which uses an Apache-compatible password file. This is suitable for small to medium deployments. For larger environments, LDAP or Active Directory integration is recommended.

# Install the htpasswd utility (from apache2-utils)
$ sudo apt install apache2-utils -y

# Create a password file and add the first user
$ sudo htpasswd -c /etc/squid/passwords user1
New password: ********
Re-type new password: ********

# Add additional users (without -c flag to avoid overwriting)
$ sudo htpasswd /etc/squid/passwords user2
$ sudo htpasswd /etc/squid/passwords user3

# Set correct permissions
$ sudo chown proxy:proxy /etc/squid/passwords
$ sudo chmod 640 /etc/squid/passwords

# Configure authentication in /etc/squid/squid.conf
# Add these lines BEFORE any http_access rules

# Define the authentication helper program
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwords
auth_param basic children 5 startup=5 idle=1
auth_param basic realm Squid Proxy Authentication
auth_param basic credentialsttl 2 hours

# Create an ACL for authenticated users
acl authenticated proxy_auth REQUIRED

# Require authentication for all access
http_access allow authenticated
http_access deny all

# Restart Squid
$ sudo systemctl restart squid

# Test authenticated proxy access
$ curl -x http://user1:password@proxy-server:3128 http://www.example.com/

# Verify in the access log that the username appears
$ sudo tail -5 /var/log/squid/access.log

The auth_param directives configure the authentication mechanism. The basic_ncsa_auth helper reads the password file and validates credentials. The children parameter controls how many authentication helper processes run — increase this for environments with many concurrent users. The credentialsttl setting controls how long Squid caches valid credentials before requiring re-authentication.

Key Takeaways

• A forward proxy acts on behalf of clients, providing content filtering, caching, access control, and monitoring for outbound Internet traffic.
• Squid is installed via apt on Ubuntu and listens on port 3128 by default; the main configuration file is /etc/squid/squid.conf.
• ACLs classify requests by source IP, destination domain, port, time, URL pattern, or authenticated user; http_access rules allow or deny based on these classifications, processed top to bottom.
• Squid caching uses both memory (cache_mem) and disk (cache_dir) storage, with refresh_pattern directives controlling object freshness and revalidation timing.
• NCSA Basic authentication with htpasswd provides simple user-based access control; for larger deployments, integrate with LDAP or Active Directory.

What’s Next

Congratulations on completing Module 3 — Web Services! You have learned HTTP fundamentals, configured Apache2 and Nginx web servers, secured sites with TLS/HTTPS, deployed PHP applications, set up reverse proxies with load balancing, and configured Squid as a forward proxy. In Module 4, you will explore Storage and File Systems, covering disk partitioning, LVM, file system types, NFS, and Samba.

# 安裝 Squid
$ sudo apt update
$ sudo apt install squid -y

# 驗證安裝和服務狀態
$ squid -v | head -1
Squid Cache: Version 5.7

$ sudo systemctl status squid

# 備份原始設定
$ sudo cp /etc/squid/squid.conf /etc/squid/squid.conf.original

# 移除註解查看有效指令
$ grep -v "^#" /etc/squid/squid.conf | grep -v "^$"

# /etc/squid/squid.conf — 基本設定

# 定義 Squid 監聽的連接埠
http_port 3128

# 定義您的本地網路
acl localnet src 10.0.0.0/8
acl localnet src 172.16.0.0/12
acl localnet src 192.168.0.0/16

# 定義安全連接埠
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 443         # https
acl Safe_ports port 21          # ftp
acl Safe_ports port 1025-65535  # 未註冊連接埠

# 存取規則——順序很重要（第一個匹配獲勝）
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all

# 重新啟動 Squid 以套用變更
$ sudo systemctl restart squid

# 從用戶端測試代理
$ curl -x http://proxy-server:3128 http://www.example.com/

# /etc/squid/squid.conf 中的 ACL 範例

# 封鎖特定網域
acl blocked_sites dstdomain .facebook.com .twitter.com .tiktok.com
http_access deny blocked_sites

# 從檔案封鎖網域
acl blocked_list dstdomain "/etc/squid/blocked-domains.txt"
http_access deny blocked_list

# 僅在上班時間允許存取（週一至週五，上午 8 點至下午 6 點）
acl business_hours time MTWHF 08:00-18:00
acl staff_network src 192.168.10.0/24
http_access allow staff_network business_hours
http_access deny staff_network

# 封鎖包含特定關鍵字的 URL
acl bad_urls url_regex -i gambling poker casino
http_access deny bad_urls

# 允許特定 IP 不受限制存取（例如 IT 部門）
acl it_dept src 192.168.10.50 192.168.10.51 192.168.10.52
http_access allow it_dept

# 重新設定 Squid 而不完全重啟
$ sudo squid -k reconfigure

# /etc/squid/squid.conf — 快取設定

# 記憶體快取大小
cache_mem 256 MB

# 記憶體中個別物件的最大大小
maximum_object_size_in_memory 1 MB

# 磁碟快取：類型、目錄、大小（MB）、L1 目錄數、L2 目錄數
cache_dir ufs /var/spool/squid 10000 16 256

# 磁碟上個別快取物件的最大大小
maximum_object_size 100 MB

# 快取取代政策
cache_replacement_policy lru

# 存取日誌
access_log /var/log/squid/access.log squid

# 重新整理模式：min_age 百分比 max_age
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|?) 0     0%      0
refresh_pattern .               0       20%     4320

# 初始化快取目錄（僅首次）
$ sudo squid -z

# 重新啟動以套用快取變更
$ sudo systemctl restart squid

# 監控快取效能
$ sudo squidclient -h 127.0.0.1 mgr:info | grep -A5 "Cache"

# 安裝 htpasswd 工具（來自 apache2-utils）
$ sudo apt install apache2-utils -y

# 建立密碼檔案並新增第一個使用者
$ sudo htpasswd -c /etc/squid/passwords user1

# 新增額外使用者（不使用 -c 選項以避免覆蓋）
$ sudo htpasswd /etc/squid/passwords user2

# 設定正確的權限
$ sudo chown proxy:proxy /etc/squid/passwords
$ sudo chmod 640 /etc/squid/passwords

# 在 /etc/squid/squid.conf 中設定認證
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwords
auth_param basic children 5 startup=5 idle=1
auth_param basic realm Squid Proxy Authentication
auth_param basic credentialsttl 2 hours

# 為已認證使用者建立 ACL
acl authenticated proxy_auth REQUIRED

# 要求所有存取都需認證
http_access allow authenticated
http_access deny all

# 重新啟動 Squid
$ sudo systemctl restart squid

# 測試已認證的代理存取
$ curl -x http://user1:password@proxy-server:3128 http://www.example.com/

# Squid をインストール
$ sudo apt update
$ sudo apt install squid -y

# インストールとサービスのステータスを確認
$ squid -v | head -1
Squid Cache: Version 5.7

$ sudo systemctl status squid

# 元の設定をバックアップ
$ sudo cp /etc/squid/squid.conf /etc/squid/squid.conf.original

# コメントを除去して有効なディレクティブを確認
$ grep -v "^#" /etc/squid/squid.conf | grep -v "^$"

# /etc/squid/squid.conf — 基本設定

# Squid がリッスンするポートを定義
http_port 3128

# ローカルネットワークを定義
acl localnet src 10.0.0.0/8
acl localnet src 172.16.0.0/12
acl localnet src 192.168.0.0/16

# 安全なポートを定義
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 443         # https
acl Safe_ports port 21          # ftp
acl Safe_ports port 1025-65535  # 未登録ポート

# アクセスルール——順序が重要（最初のマッチが適用）
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all

# Squid を再起動して変更を適用
$ sudo systemctl restart squid

# クライアントからプロキシをテスト
$ curl -x http://proxy-server:3128 http://www.example.com/

# /etc/squid/squid.conf での ACL の例

# 特定のドメインをブロック
acl blocked_sites dstdomain .facebook.com .twitter.com .tiktok.com
http_access deny blocked_sites

# ファイルからドメインをブロック
acl blocked_list dstdomain "/etc/squid/blocked-domains.txt"
http_access deny blocked_list

# 営業時間中のみアクセスを許可（月〜金、8時〜18時）
acl business_hours time MTWHF 08:00-18:00
acl staff_network src 192.168.10.0/24
http_access allow staff_network business_hours
http_access deny staff_network

# 特定のキーワードを含む URL をブロック
acl bad_urls url_regex -i gambling poker casino
http_access deny bad_urls

# 特定の IP に無制限アクセスを許可（例：IT 部門）
acl it_dept src 192.168.10.50 192.168.10.51 192.168.10.52
http_access allow it_dept

# 完全な再起動なしに Squid を再設定
$ sudo squid -k reconfigure

# /etc/squid/squid.conf — キャッシュ設定

# メモリキャッシュサイズ
cache_mem 256 MB

# メモリ内の個別オブジェクトの最大サイズ
maximum_object_size_in_memory 1 MB

# ディスクキャッシュ：タイプ、ディレクトリ、サイズ（MB）、L1ディレクトリ、L2ディレクトリ
cache_dir ufs /var/spool/squid 10000 16 256

# ディスク上のキャッシュオブジェクトの最大サイズ
maximum_object_size 100 MB

# キャッシュ置換ポリシー
cache_replacement_policy lru

# アクセスログ
access_log /var/log/squid/access.log squid

# リフレッシュパターン：min_age パーセンテージ max_age
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|?) 0     0%      0
refresh_pattern .               0       20%     4320

# キャッシュディレクトリを初期化（初回のみ）
$ sudo squid -z

# キャッシュ変更を適用するため再起動
$ sudo systemctl restart squid

# キャッシュパフォーマンスを監視
$ sudo squidclient -h 127.0.0.1 mgr:info | grep -A5 "Cache"

# htpasswd ユーティリティをインストール（apache2-utils から）
$ sudo apt install apache2-utils -y

# パスワードファイルを作成し最初のユーザーを追加
$ sudo htpasswd -c /etc/squid/passwords user1

# 追加ユーザーを追加（-c フラグなしで上書きを防止）
$ sudo htpasswd /etc/squid/passwords user2

# 正しいパーミッションを設定
$ sudo chown proxy:proxy /etc/squid/passwords
$ sudo chmod 640 /etc/squid/passwords

# /etc/squid/squid.conf で認証を設定
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwords
auth_param basic children 5 startup=5 idle=1
auth_param basic realm Squid Proxy Authentication
auth_param basic credentialsttl 2 hours

# 認証済みユーザー用の ACL を作成
acl authenticated proxy_auth REQUIRED

# すべてのアクセスに認証を要求
http_access allow authenticated
http_access deny all

# Squid を再起動
$ sudo systemctl restart squid

# 認証付きプロキシアクセスをテスト
$ curl -x http://user1:password@proxy-server:3128 http://www.example.com/