Skip to main content

Squid

The main squid configuration file, squid.conf, can be found in the following locations:

/etc/squid/squid.conf

/etc/squid3/squid.conf

Commonly configured options include:

http_port: Port to listen on for incoming proxy requests.

http_access: Allow or deny access to certain HTTP requests.

hierarchy_stoplist: Set of strings which disable the cache hierarchy settings. Squid can also parse and check its syntax with a built-in syntax checker:

# squid -k parse

The -k switch takes the following options as well:

reconfigure: Reload the configuration file. shutdown: Safe shutdown. kill: Hard unclean shutdown.

Please consult man squid for more options and details.

Security Configuration

Access list begins with an aclname and acltype followed by:

  • type-specific argument(s), or
  • a quoted filename with one item per line.

Access Control Lists (ACL) format:

acl aclname acltype argument ...
acl aclname acltype "file" ...

To see the possible ACL types, review the "Access Controls in Squid" documentation.

To enable a parent cache server, use the following configuration option:

cache_peer parent.example.com parent 3128 3130

To enable a sibling peer cache server, use the following configuration option:

cache_peer childcache.example.com sibling 3128 3130

Access to the the peer cache can be controlled with the following option:

cache_peer_access <PEER_NAME> <allow|deny> <ACLNAME>

For additional details, take a look at "Squid Configuration Directives".

Access Control

Access control is one of the main reason to use a proxy. The ACL system of Squid has options to control almost every aspect of an HTTP request. Access control can be restricted by time of day, by domain/URI, by user (logging into proxy), and by content. Configuration files are processed sequentially.

To enable the ACL named hourlyworkers to only use the proxy during business hours, do:

acl workinghours time MTWHF 08:00-18:00
http_access allow hourlyworkers workinghours
http_access deny hourlyworkers

To restrict by a part of the URI, do:

acl banned_reddit url_regex ˆhttp://.*reddit.com/.*$
http_access deny banned_reddit

To allow only authenticated users to use the following configuration, do:

acl valid_users proxy_auth REQUIRED
http_access allow valid_users
http_access deny all

When building ACLs or configuration files for Squid, remember that the first match wins. Therefore, start your ACLs with the most specific options in the beginning.