Install and Configure Squid Proxy on RHEL 10 / Rocky Linux 10

Squid is an open-source caching and forwarding HTTP/HTTPS proxy server used in corporate networks, ISPs, and data centers to reduce bandwidth usage, speed up web access, and enforce browsing policies. It supports HTTP, HTTPS, FTP, and other protocols, with features like access control lists (ACLs), authentication, content filtering, and disk-based caching. Squid is one of the most deployed proxy solutions on Linux, handling millions of connections at scale.

This guide covers a full installation and configuration of Squid proxy on RHEL 10 and Rocky Linux 10. We walk through ACL-based access control, basic authentication, website blocking, cache tuning, firewall rules, and log monitoring. RHEL 10 and Rocky Linux 10 ship Squid 6.10 in the AppStream repository, which is part of the stable Squid 6.x branch. For the full configuration reference, see the official Squid configuration documentation.

Prerequisites

  • A server running RHEL 10 or Rocky Linux 10 with root or sudo access
  • A static IP address assigned to the server
  • Port 3128/TCP open (default Squid port) – or a custom port of your choice
  • DNS resolution working on the server (Squid needs to resolve client requests)
  • SELinux in enforcing mode (default on RHEL/Rocky) – we cover the necessary adjustments

Step 1: Install Squid Proxy on RHEL 10 / Rocky Linux 10

Squid is available in the default AppStream repository on both RHEL 10 and Rocky Linux 10. Install it with dnf.

sudo dnf install squid -y

Verify the installed version after installation completes.

squid -v

The output confirms the Squid version and build options:

Squid Cache: Version 6.10
Service Name: squid
configure options:  '--build=x86_64-redhat-linux-gnu' ...

The main configuration file is /etc/squid/squid.conf, and the full reference of all directives is at /usr/share/doc/squid/squid.conf.documented.

Step 2: Configure Squid Proxy Server

Before making changes, back up the default configuration file so you can revert if needed.

sudo cp /etc/squid/squid.conf /etc/squid/squid.conf.bak

Open the main configuration file for editing.

sudo vi /etc/squid/squid.conf

The default configuration allows access from localhost only. For a typical forward proxy setup serving a local network, update these key settings:

# Define your local network
acl localnet src 10.0.0.0/8
acl localnet src 172.16.0.0/12
acl localnet src 192.168.0.0/16

# Allowed ports
acl SSL_ports port 443
acl Safe_ports port 80        # http
acl Safe_ports port 21        # ftp
acl Safe_ports port 443       # https
acl Safe_ports port 70        # gopher
acl Safe_ports port 210       # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280       # http-mgmt
acl Safe_ports port 488       # gss-http
acl Safe_ports port 591       # filemaker
acl Safe_ports port 777       # multiling http

# Deny requests to unsafe ports
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Allow localhost and local network
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost

# Deny everything else
http_access deny all

# Squid listening port
http_port 3128

# Logging
access_log daemon:/var/log/squid/access.log squid

# Leave coredumps in first cache dir
coredump_dir /var/spool/squid

# Cache settings
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

The acl localnet src lines define which networks can use the proxy. Adjust these to match your actual subnet – for example, if your office uses 192.168.1.0/24, you can remove the broader ranges and keep only what you need.

Step 3: Configure Access Control Lists (ACLs)

ACLs are the core of Squid’s access control. They define who can use the proxy and what they can access. Every ACL has two parts – the definition (what to match) and the access rule (allow or deny).

Allow a specific subnet

To restrict proxy access to a single subnet, define it as an ACL and allow it. Add these lines to /etc/squid/squid.conf before the http_access deny all line.

acl office_net src 192.168.1.0/24
http_access allow office_net

Allow specific IP addresses

For tighter control, allow individual IP addresses instead of entire subnets.

acl allowed_hosts src 192.168.1.10 192.168.1.20 192.168.1.30
http_access allow allowed_hosts

Time-based access control

Squid supports time-based ACLs that restrict proxy access to business hours. The time ACL type uses day codes (M=Monday, T=Tuesday, W=Wednesday, H=Thursday, F=Friday, A=Saturday, S=Sunday).

acl business_hours time MTWHF 08:00-18:00
http_access allow office_net business_hours
http_access deny office_net

This allows the office network to use the proxy only during weekday business hours (8 AM to 6 PM) and denies access outside those times.

Step 4: Set Up Proxy Authentication

Basic HTTP authentication forces users to enter a username and password before using the proxy. This is useful in environments where you need to track individual usage or restrict access beyond IP-based rules.

Install the httpd-tools package to get the htpasswd utility for managing password files.

sudo dnf install httpd-tools -y

Create the password file and add the first user. The -c flag creates a new file – omit it when adding more users later.

sudo htpasswd -c /etc/squid/passwd proxyuser1

You will be prompted to set a password for the user. To add more users without overwriting the file, drop the -c flag.

sudo htpasswd /etc/squid/passwd proxyuser2

Set proper ownership on the password file so Squid can read it.

sudo chown squid:squid /etc/squid/passwd
sudo chmod 640 /etc/squid/passwd

Now configure Squid to use basic authentication. Open /etc/squid/squid.conf and add the lines below. The auth_param and acl lines must appear before any http_access rule that references the authenticated ACL; where the http_access allow authenticated line itself belongs is explained after the listing.

sudo vi /etc/squid/squid.conf

Add the following authentication configuration:

auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Squid Proxy Authentication
auth_param basic credentialsttl 2 hours

acl authenticated proxy_auth REQUIRED
http_access allow authenticated

The basic_ncsa_auth helper reads the htpasswd file to validate credentials. The credentialsttl directive controls how long Squid caches authenticated sessions before re-prompting. Place the http_access allow authenticated line before http_access deny all.

If you use authentication alongside IP-based ACLs, remember that Squid processes http_access rules top to bottom and stops at the first match. Structure your rules so that authenticated access is checked after any IP-based allows but before the final deny.

Step 5: Configure Firewall for Squid Proxy

Squid listens on port 3128/TCP by default. Open this port in firewalld so clients on your network can reach the proxy. If you are running a firewall like CSF, adjust the rules accordingly.

sudo firewall-cmd --permanent --add-port=3128/tcp
sudo firewall-cmd --reload

Verify that the port is open in the active firewall rules.

sudo firewall-cmd --list-ports

You should see 3128/tcp in the output:

3128/tcp

If you changed the Squid listening port from 3128 to something else, open that port instead.

Step 6: Start and Enable the Squid Service

Before starting Squid, validate the configuration file for syntax errors. This catches typos before they cause startup failures.

sudo squid -k parse

If no errors are reported, start and enable the Squid service so it runs on boot.

sudo systemctl enable --now squid

Verify that Squid is running.

sudo systemctl status squid

The output should show the service as active and running:

● squid.service - Squid caching proxy
     Loaded: loaded (/usr/lib/systemd/system/squid.service; enabled; preset: disabled)
     Active: active (running) since Sat 2026-03-22 10:15:32 UTC; 5s ago
       Docs: man:squid(8)
    Process: 12345 ExecStartPre=/usr/lib/squid/cache_swap.sh (code=exited, status=0/SUCCESS)
   Main PID: 12350 (squid)
      Tasks: 3 (limit: 23145)
     Memory: 18.2M
        CPU: 245ms
     CGroup: /system.slice/squid.service
             ├─12350 /usr/sbin/squid --foreground -sYC
             ├─12352 "(squid-1)" --kid squid-1 --foreground -sYC
             └─12353 "(logfile-daemon)" /var/log/squid/access.log

Confirm that Squid is listening on port 3128.

sudo ss -tlnp | grep 3128

You should see Squid bound to the port:

LISTEN  0  4096  *:3128  *:*  users:(("squid",pid=12352,fd=11))

Step 7: Configure Client Browsers to Use the Proxy

With Squid running, configure clients to route traffic through the proxy. Replace 192.168.1.100 with your Squid server’s actual IP address.

Linux command line (environment variables)

Set the proxy environment variables for the current shell session. This works for tools like curl, wget, and dnf.

export http_proxy="http://192.168.1.100:3128"
export https_proxy="http://192.168.1.100:3128"
export no_proxy="localhost,127.0.0.1,.internal.example.com"

To make these settings persistent across reboots, add the export lines to /etc/environment or ~/.bashrc.

Firefox

Go to Settings – General – Network Settings – Settings. Select “Manual proxy configuration” and enter your Squid server IP (192.168.1.100) and port (3128) for both HTTP and HTTPS proxy fields.

Chrome / Chromium

Chrome uses the system proxy settings on Linux. Set the environment variables as shown above, or launch Chrome with the proxy flag.

google-chrome --proxy-server="http://192.168.1.100:3128"

Test the proxy with curl

Verify that the proxy is working from a client machine by making a request through it.

curl -x http://192.168.1.100:3128 -I https://www.google.com

A successful response shows HTTP headers from the target site, confirming the proxy is forwarding requests:

HTTP/1.1 200 Connection established

HTTP/2 200
content-type: text/html; charset=ISO-8859-1
...

If you configured authentication in Step 4, include the credentials in the request (replace PASSWORD with the user's actual password).

curl -x http://proxyuser1:PASSWORD@192.168.1.100:3128 -I https://www.google.com

Step 8: Block Websites with Squid ACLs

One of Squid’s most common use cases is blocking access to specific websites – social media during work hours, malware domains, or any site that violates your organization’s browsing policy.

Block individual domains

Add these rules to /etc/squid/squid.conf before any http_access allow lines. The dstdomain ACL matches the destination domain in the request.

acl blocked_sites dstdomain .facebook.com .tiktok.com .instagram.com
http_access deny blocked_sites

The leading dot (.) matches the domain and all its subdomains – so .facebook.com blocks both facebook.com and www.facebook.com.

Block domains from a file

For a longer list of blocked sites, store them in a separate file. Create the blocklist file first.

sudo vi /etc/squid/blocked_sites.txt

Add one domain per line with a leading dot to include subdomains:

.facebook.com
.tiktok.com
.instagram.com
.reddit.com
.twitter.com

Reference this file in /etc/squid/squid.conf using the dstdomain ACL with a file path.

acl blocked_sites dstdomain "/etc/squid/blocked_sites.txt"
http_access deny blocked_sites

After any configuration change, reload Squid to apply the new rules without dropping active connections.

sudo systemctl reload squid

Block by URL keyword

To block URLs containing specific words regardless of domain, use the url_regex ACL type.

acl blocked_words url_regex -i gambling poker casino torrent
http_access deny blocked_words

The -i flag makes the match case-insensitive. This blocks any URL containing those words in the path or domain name.
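Because Squid stops at the first matching http_access line (Step 4), the position of the blocklist deny relative to the localnet allow decides whether blocking works at all. The following is an added Python model written for this guide, not Squid's code: it evaluates a rule list the way Squid does, using the ACLs defined in Steps 2, 4 and 8 (src, port, dstdomain and proxy_auth are modelled; time ACLs and other options are not), and shows that moving the blocklist deny below the localnet allow lets every local client reach the "blocked" domains.

```python
import ipaddress

# Simplified model of http_access evaluation (written for this guide, not Squid's code):
# rules are checked top to bottom, every ACL term on a line must match (a leading "!"
# negates a term), and the first matching line decides.
# ACL definitions taken from the squid.conf fragments in this guide; time ACLs are not modelled.
ACLS = {
    "localnet": ("src", ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]),
    "Safe_ports": ("port", ["80", "21", "443", "70", "210", "1025-65535", "280", "488", "591", "777"]),
    "blocked_sites": ("dstdomain", [".facebook.com", ".tiktok.com", ".instagram.com"]),
    "authenticated": ("proxy_auth", ["REQUIRED"]),
    "all": ("src", ["0.0.0.0/0"]),
}

def acl_matches(name, client_ip, host, port, authenticated):
    kind, values = ACLS[name]
    if kind == "src":
        ip = ipaddress.ip_address(client_ip)
        return any(ip in ipaddress.ip_network(v) for v in values)
    if kind == "port":
        for v in values:
            lo, _, hi = v.partition("-")          # single port or "low-high" range
            if int(lo) <= port <= int(hi or lo):
                return True
        return False
    if kind == "dstdomain":
        h = host.lower()
        # ".example.com" matches the domain and every subdomain; "example.com" matches exactly
        return any((h == v[1:] or h.endswith(v)) if v.startswith(".") else h == v for v in values)
    if kind == "proxy_auth":
        return authenticated                      # True once a valid credential was supplied
    raise ValueError(f"unknown ACL type {kind}")

def http_access(rules, client_ip, host, port=443, authenticated=False):
    """Return 'allow' or 'deny' from the first matching rule. If no rule matches,
    Squid applies the opposite of the last rule's action."""
    for action, terms in rules:
        if all(acl_matches(t.lstrip("!"), client_ip, host, port, authenticated) != t.startswith("!")
               for t in terms):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"

# Ordering the guide recommends: denies for unsafe ports and the blocklist first,
# IP-based allows next, the proxy_auth allow after them, the catch-all deny last.
RECOMMENDED = [
    ("deny", ["!Safe_ports"]),
    ("deny", ["blocked_sites"]),
    ("allow", ["localnet"]),
    ("allow", ["authenticated"]),
    ("deny", ["all"]),
]
# Same rules with the blocklist deny moved below the localnet allow: first match wins,
# so every localnet client reaches the "blocked" domains.
MISORDERED = [RECOMMENDED[0], RECOMMENDED[2], RECOMMENDED[1], RECOMMENDED[3], RECOMMENDED[4]]

if __name__ == "__main__":
    for name, rules in (("recommended", RECOMMENDED), ("misordered", MISORDERED)):
        print(name, http_access(rules, "192.168.1.10", "www.facebook.com"))
```

Running it prints deny for the recommended order and allow for the misordered one; the same check is what squid -k parse cannot catch, since both files are syntactically valid.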

Step 9: Configure Squid Caching

Caching is what makes Squid a powerful bandwidth-saving tool. When multiple clients request the same content, Squid serves it from local cache instead of fetching it from the internet again. This speeds up browsing and reduces external bandwidth consumption.

Enable disk cache

By default, Squid only caches objects in memory. To enable disk-based caching, add a cache_dir directive to /etc/squid/squid.conf.

sudo vi /etc/squid/squid.conf

Add the following cache configuration:

# Disk cache: ufs type, 10GB, 16 first-level dirs, 256 second-level dirs
cache_dir ufs /var/spool/squid 10000 16 256

# Maximum object size to cache (default is small - increase for ISP proxies)
maximum_object_size 256 MB

# Memory cache size (objects cached in RAM for fastest access)
cache_mem 512 MB

# Maximum object size in memory
maximum_object_size_in_memory 10 MB

# Cache replacement policy - heap LFUDA keeps frequently used objects longer
cache_replacement_policy heap LFUDA
memory_replacement_policy heap GDSF

The cache_dir line creates a UFS (Unix File System) cache directory at /var/spool/squid with 10 GB of disk space. Adjust the size based on your available disk. The two numbers (16 and 256) define the directory structure – these defaults work well for most setups.

Tune refresh patterns

Refresh patterns control how Squid decides whether a cached object is still fresh or needs to be re-fetched. The default patterns in squid.conf are conservative. For better cache hit rates, you can add patterns for common static content.

# Aggressively cache static content
refresh_pattern -i \.(gif|png|jpg|jpeg|ico|webp)$ 10080 90% 43200 override-expire override-lastmod reload-into-ims ignore-reload
refresh_pattern -i \.(css|js)$ 10080 90% 43200 override-expire override-lastmod reload-into-ims ignore-reload
refresh_pattern -i \.(rpm|deb|pkg)$ 43200 90% 525600 override-expire override-lastmod reload-into-ims ignore-reload

# Default patterns
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

After enabling disk cache for the first time, initialize the cache directory structure before restarting Squid.

sudo squid -z

Then restart Squid to apply the cache settings.

sudo systemctl restart squid
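To make the three numbers in a refresh_pattern line concrete, here is an added Python model (written for this guide, not Squid's code) of the freshness algorithm documented in squid.conf.documented, applied to the default rule and the static-content rule above. It ignores the override-* and ignore-* options and Cache-Control headers, and the object ages in the worked cases are constructed.

```python
# refresh_pattern rules from this guide as (min, percent, max), all in minutes
DEFAULT_RULE = (0, 20, 4320)          # refresh_pattern . 0 20% 4320
STATIC_RULE = (10080, 90, 43200)      # refresh_pattern -i \.(gif|png|...)$ 10080 90% 43200

def is_fresh(age, rule, lastmod_age=None, expires_in=None):
    """Decide whether a cached object can be served without revalidating it.

    Simplified model of the freshness algorithm in squid.conf.documented (not Squid's code);
    the override-*/ignore-* options and Cache-Control headers are not modelled.
      age          minutes since Squid fetched the object
      rule         (min, percent, max) of the matching refresh_pattern
      lastmod_age  minutes between the origin's Last-Modified and the fetch, or None
      expires_in   minutes until the origin's explicit Expires time, or None
    """
    min_age, pct, max_age = rule
    # 1. An explicit Expires header decides on its own (unless override-expire is set)
    if expires_in is not None:
        return expires_in > 0
    # 2. STALE if age > max, whatever the other values say
    if age > max_age:
        return False
    # 3. FRESH if lm-factor (age divided by time since last modification) is below percent
    if lastmod_age is not None and lastmod_age > 0 and age / lastmod_age < pct / 100:
        return True
    # 4. FRESH while still within min; otherwise STALE and Squid revalidates with the origin
    return age <= min_age

def worked_examples():
    """The guide's two rules applied to typical objects; returns {label: fresh?}."""
    return {
        # default rule, page changed 10 days before the fetch, fetched 1 day ago: lm-factor 0.10 < 20%
        "html, stable, 1 day old": is_fresh(1440, DEFAULT_RULE, lastmod_age=14400),
        # default rule, page changed 2 hours before the fetch, fetched 1 day ago: lm-factor 12 > 20%
        "html, volatile, 1 day old": is_fresh(1440, DEFAULT_RULE, lastmod_age=120),
        # default rule, no Last-Modified: min is 0, so the object is stale at once
        "html, no Last-Modified, 1 min old": is_fresh(1, DEFAULT_RULE),
        # static rule, no Last-Modified, 2 days old: within the 7-day min
        "png, 2 days old": is_fresh(2880, STATIC_RULE),
        # static rule, 31 days old: beyond the 30-day max even with a very old Last-Modified
        "png, 31 days old": is_fresh(44640, STATIC_RULE, lastmod_age=525600),
        # an Expires time that has passed wins over the pattern (no override-expire here)
        "png, Expires passed": is_fresh(60, STATIC_RULE, expires_in=-30),
    }

if __name__ == "__main__":
    for label, fresh in worked_examples().items():
        print(f"{label}: {'FRESH' if fresh else 'STALE'}")
```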

Step 10: Monitor Squid Proxy Logs

Squid logs are essential for troubleshooting access issues, monitoring bandwidth usage, and verifying that ACL rules are working as expected. There are two main log files to watch.

Access log

The access log records every client request passing through the proxy. It shows the timestamp, response time, client IP, HTTP status, size, request method, URL, and whether the response was served from cache or fetched from the origin server.

sudo tail -f /var/log/squid/access.log

A typical access log line looks like this:

1711108532.123    152 192.168.1.10 TCP_MISS/200 12345 GET https://example.com/ - HIER_DIRECT/93.184.216.34 text/html

Key fields to watch: TCP_MISS means the object was fetched from the internet, while TCP_HIT means it was served from cache. TCP_DENIED means the request was blocked by an ACL rule.

Cache log

The cache log contains Squid’s startup messages, configuration warnings, and internal errors. Check this log first when Squid fails to start or behaves unexpectedly.

sudo tail -50 /var/log/squid/cache.log

Check cache statistics

Use squidclient to query Squid’s internal cache manager for real-time statistics. This shows cache hit ratios, memory usage, and connection counts.

squidclient -h 127.0.0.1 -p 3128 mgr:info

For a summary of cache hit rates specifically, query the utilization report.

squidclient -h 127.0.0.1 -p 3128 mgr:utilization

If you need to analyze historical access patterns, install Squid analysis tools or parse the access log with awk to find top users, most accessed domains, or bandwidth consumption per client.
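As an added example that is not part of the original guide, the following Python script (used here instead of awk) parses lines in the native squid log format shown above and reports bytes per client, most requested domains, the cache hit ratio and denied requests. The five log lines are constructed sample data, with TEST-NET addresses standing in for origin servers.

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines in Squid's native "squid" log format (not real traffic)
SAMPLE_LOG = """\
1711108532.123    152 192.168.1.10 TCP_MISS/200 12345 GET https://example.com/ - HIER_DIRECT/93.184.216.34 text/html
1711108533.456     12 192.168.1.10 TCP_HIT/200 12345 GET https://example.com/ - HIER_NONE/- text/html
1711108540.001      0 192.168.1.20 TCP_DENIED/403 3897 CONNECT www.facebook.com:443 - HIER_NONE/- text/html
1711108545.789    230 192.168.1.30 TCP_TUNNEL/200 54321 CONNECT www.google.com:443 proxyuser1 HIER_DIRECT/203.0.113.10 -
1711108550.250    340 192.168.1.10 TCP_MISS/200 88000 GET http://mirror.example.net/pkg.rpm - HIER_DIRECT/203.0.113.20 application/x-rpm
"""

# Field order of the native squid log format
FIELDS = ("time", "duration_ms", "client", "result", "bytes", "method", "url", "user", "hierarchy", "type")

def parse_line(line):
    """Split one access.log line into a dict; returns None for lines that do not parse."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    rec["bytes"] = int(rec["bytes"])
    rec["code"], _, rec["status"] = rec["result"].partition("/")   # e.g. TCP_MISS and 200
    # CONNECT requests log host:port; other methods log the full URL
    if rec["method"] == "CONNECT":
        rec["domain"] = rec["url"].rsplit(":", 1)[0]
    else:
        rec["domain"] = urlsplit(rec["url"]).hostname
    return rec

def summarize(log_text):
    """Aggregate the figures an admin usually wants from access.log."""
    recs = [r for r in map(parse_line, log_text.splitlines()) if r]
    bytes_per_client, domains = Counter(), Counter()
    hits = denied = 0
    for r in recs:
        bytes_per_client[r["client"]] += r["bytes"]
        domains[r["domain"]] += 1
        if "HIT" in r["code"]:            # TCP_HIT, TCP_MEM_HIT, TCP_IMS_HIT, ...
            hits += 1
        if r["code"] == "TCP_DENIED":     # blocked by an http_access rule
            denied += 1
    return {
        "requests": len(recs),
        "top_clients_by_bytes": bytes_per_client.most_common(),
        "top_domains": domains.most_common(),
        "hit_ratio": hits / len(recs) if recs else 0.0,
        "denied": denied,
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Point it at the real file with summarize(open("/var/log/squid/access.log").read()); a raised hit ratio after the Step 9 refresh patterns, or a jump in denied requests after a blocklist change, shows up directly in the output.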

Common squid.conf Directives Reference

This table summarizes the most frequently used Squid configuration directives. For the complete list, see /usr/share/doc/squid/squid.conf.documented on your server or the Squid Wiki.

Directive            | Description                            | Example
---------------------+----------------------------------------+--------------------------------------------------------------------------
http_port            | Port and address Squid listens on      | http_port 3128
acl                  | Define an access control list          | acl mynet src 10.0.0.0/8
http_access          | Allow or deny based on ACLs            | http_access allow mynet
cache_dir            | Disk cache location and size           | cache_dir ufs /var/spool/squid 10000 16 256
cache_mem            | RAM allocated for in-memory caching    | cache_mem 512 MB
maximum_object_size  | Largest object to store on disk        | maximum_object_size 256 MB
refresh_pattern      | Rules for cache freshness              | refresh_pattern . 0 20% 4320
auth_param           | Configure authentication helpers       | auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/passwd
dns_nameservers      | Override system DNS for Squid          | dns_nameservers 8.8.8.8 1.1.1.1
visible_hostname     | Hostname shown in error pages          | visible_hostname proxy.example.com
forwarded_for        | Control X-Forwarded-For header         | forwarded_for off
access_log           | Location and format of the access log  | access_log daemon:/var/log/squid/access.log squid
cache_log            | Location of the cache/debug log        | cache_log /var/log/squid/cache.log
coredump_dir         | Directory for core dumps               | coredump_dir /var/spool/squid
shutdown_lifetime    | Wait time before forced shutdown       | shutdown_lifetime 10 seconds

Conclusion

You now have a fully functional Squid proxy server on RHEL 10 or Rocky Linux 10, configured with ACL-based access control, basic authentication, website blocking, disk caching, and log monitoring. Squid handles forward proxy duties well out of the box, and the ACL system gives you fine-grained control over who accesses what through your network.

For production deployments, consider enabling HTTPS interception with SSL bumping for deeper traffic inspection, setting up logrotate for the access log, and monitoring cache hit ratios to tune your cache_mem and cache_dir sizes over time. If you run multiple Squid instances, cache peering with ICP or HTCP protocols lets them share cached objects across a cluster.
