How To Install Squid Proxy on Rocky Linux 10

Squid Proxy stands as one of the most powerful and versatile open-source caching proxy servers available today. Organizations and system administrators worldwide rely on this robust HTTP proxy cache server to optimize bandwidth, enhance security, and control internet access across their networks. Since its initial release in 1996, Squid has evolved into a comprehensive solution that supports HTTP, HTTPS, FTP protocols, and offers advanced features like distributed caching, user authentication, and content filtering.

Installing Squid Proxy on Rocky Linux 10 provides numerous advantages for your infrastructure. The proxy server acts as an intermediary between client machines and the internet, caching frequently accessed content to reduce bandwidth consumption and improve response times. Beyond performance benefits, Squid enables granular access control through Access Control Lists (ACLs), allowing administrators to restrict or permit access based on IP addresses, time of day, or specific websites. Security-conscious organizations appreciate Squid’s ability to filter malicious content, monitor user activity through detailed logs, and provide an additional layer of protection between internal networks and external threats.

This comprehensive guide walks you through every step of installing and configuring Squid Proxy on Rocky Linux 10. You’ll learn how to install the software, configure basic settings, implement access controls, enable authentication, and troubleshoot common issues. Whether you’re setting up a proxy for a small office or enterprise environment, this tutorial provides the foundational knowledge needed to deploy Squid effectively.

Prerequisites

Before beginning the Squid installation process, ensure your system meets specific requirements. Your Rocky Linux 10 server should have at least 1GB of RAM, though 2GB or more is recommended for production environments. Squid requires approximately 14MB of RAM per gigabyte of disk cache, so plan your memory allocation accordingly. Allocate a minimum of 4GB disk space for cache storage, though larger caches significantly improve performance for networks with many users.

Access to a non-root user account with sudo privileges is essential for security best practices. Executing commands as root directly increases security risks and should be avoided when possible. Basic familiarity with Linux command-line operations, text editors like nano or vim, and understanding of networking concepts will make the installation process smoother. Ensure your server has a stable internet connection for downloading packages and updates.

Fast hard disk drives improve cache performance significantly. Traditional spinning disks work adequately, but solid-state drives (SSDs) deliver superior read/write speeds for cache operations. Your system’s firewall should be operational and configured properly to allow proxy traffic while maintaining security.

Understanding Squid Proxy Architecture

Squid functions as a high-performance proxy cache server positioned between client devices and internet resources. When a client requests a web resource, the request passes through Squid rather than going directly to the destination server. Squid examines its cache to determine whether it already possesses a fresh copy of the requested content. If cached content exists and remains valid, Squid delivers it immediately to the client, drastically reducing latency and bandwidth usage.

Two primary architectural modes exist: standard proxy and transparent proxy. Standard proxy mode requires explicit client configuration, where users manually specify the proxy server address and port in their applications. Transparent proxy mode operates invisibly to end users, intercepting traffic automatically through network routing or firewall rules. Each approach offers distinct advantages depending on your network requirements and management preferences.

Squid employs sophisticated caching algorithms including Least Recently Used (LRU), Most Recently Used (MRU), Greedy-Dual Size Frequency (GDSF), and Least Frequently Used with Dynamic Aging (LFUDA). These algorithms determine which cached objects to retain and which to discard when cache storage reaches capacity. Understanding HTTP response codes enhances troubleshooting capabilities: 200 indicates successful requests, 301/302 represent redirects, 403 signals forbidden access, and 404 means content not found.

Cache hierarchy configurations allow multiple Squid servers to share cached content, distributing load and improving redundancy. This distributed caching mechanism proves invaluable for large-scale deployments across multiple geographic locations.

Step 1: Update System Packages

Maintaining updated system packages ensures security patches, bug fixes, and compatibility with the latest software versions. Begin by updating your Rocky Linux 10 package repository cache and upgrading installed packages.

Execute the following command to update your system:

sudo dnf update -y

This command refreshes repository metadata and installs available updates for all packages. The -y flag automatically confirms installation prompts, streamlining the process. After updates complete, install essential utility packages that facilitate system administration and troubleshooting.

Install basic utilities with this command:

sudo dnf install wget curl nano unzip vim -y

These tools prove invaluable throughout the Squid configuration process. Wget and curl enable file downloads and HTTP testing, while nano and vim provide text editing capabilities. Verify your system is current before proceeding with Squid installation to prevent compatibility issues.

Step 2: Install Squid Proxy on Rocky Linux 10

Rocky Linux 10 includes Squid in its default repositories, simplifying the installation process considerably. The DNF package manager handles dependency resolution automatically, ensuring all required libraries install correctly.

Install Squid Proxy with the following command:

sudo dnf install squid -y

The installation process downloads Squid and its dependencies, including libecap, perl-DBI, and other required packages. Package sizes typically total approximately 3-4MB, with installed size around 12-14MB.

Verify successful installation by checking the Squid version:

squid -v

This command displays version information, confirming Squid installed correctly. You should see output indicating Squid Cache version 5.x or newer, along with compilation details and supported features. Do not start the Squid service yet—cache directories must be initialized first to prevent startup failures.

Step 3: Understanding Squid Directory Structure

Familiarity with Squid’s directory structure facilitates configuration, troubleshooting, and maintenance tasks. The main configuration file resides at /etc/squid/squid.conf. This comprehensive file contains hundreds of configuration directives controlling every aspect of Squid’s behavior. Most directives include detailed comments explaining their purpose and acceptable values.

Squid maintains multiple log files for different purposes. The access log at /var/log/squid/access.log records every request processed by the proxy, including timestamps, client IPs, HTTP methods, URLs, response codes, and bytes transferred. The cache log at /var/log/squid/cache.log contains operational messages, errors, and diagnostic information useful for troubleshooting.

Cache storage resides in /var/spool/squid/ by default. This directory holds cached objects in a hierarchical structure optimized for fast retrieval. Additional configuration snippets can be placed in /etc/squid/conf.d/ for modular configuration management. Understanding these locations streamlines administrative tasks and simplifies troubleshooting when issues arise.

Step 4: Basic Squid Configuration

Configuring Squid requires editing the main configuration file with careful attention to syntax and directive placement. Always create a backup before modifying configuration files to facilitate recovery if errors occur.

Create a configuration backup:

sudo cp /etc/squid/squid.conf /etc/squid/squid.conf.backup

Open the configuration file with your preferred text editor:

sudo nano /etc/squid/squid.conf

Squid listens on port 3128 by default. Locate the http_port directive and verify or modify it as needed. Many administrators prefer port 8080 for compatibility with existing applications:

http_port 3128

Configure the visible hostname directive so Squid identifies itself correctly in error messages and logs:

visible_hostname proxy.yourdomain.com

Memory cache allocation significantly impacts performance. Squid recommends allocating approximately one-third of available RAM to cache memory. For a server with 3GB RAM, configure 1GB cache memory:

cache_mem 1024 MB

Configure disk cache storage by locating and uncommenting the cache_dir directive. The syntax follows this format: cache_dir ufs /var/spool/squid/ <size_mb> <L1_dirs> <L2_dirs>. Allocate 10GB disk cache with 16 first-level and 256 second-level directories:

cache_dir ufs /var/spool/squid 10000 16 256

Set maximum object size for cached items. Larger values cache bigger files but consume more disk space:

maximum_object_size 512 MB

Configure cache replacement policy for optimal performance:

cache_replacement_policy heap LFUDA

Save your configuration file and exit the editor. These basic settings establish a functional proxy server suitable for most environments.

Step 5: Configure Access Control Lists (ACLs)

Access Control Lists form the foundation of Squid’s security model. ACLs define conditions for allowing or denying proxy access based on various criteria including source IP addresses, destination domains, ports, time periods, and authentication status.

ACL syntax follows a consistent pattern: acl <name> <type> <argument>. Open your Squid configuration file and locate the ACL section, typically near the beginning. Define an ACL for your local network to grant proxy access to internal clients.

Add your local network ACL. Replace the IP range with your actual network addressing:

acl localnet src 192.168.1.0/24

For multiple network segments, define separate ACLs or use multiple address ranges:

acl localnet src 10.0.0.0/8
acl localnet src 172.16.0.0/12

Define ACLs for allowed SSL ports to permit HTTPS connections:

acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl Safe_ports port 21
acl CONNECT method CONNECT

Configure http_access directives to implement your access policy. These directives evaluate sequentially from top to bottom, with the first match determining the action. Position matters significantly—more specific rules should precede general ones.

Add these directives above the http_access deny all line:

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all

This configuration denies access to unsafe ports, restricts CONNECT method to SSL ports, allows cache manager access only from localhost, permits your local network, and denies everything else. The cumulative nature of ACLs requires careful ordering to achieve desired results.

Step 6: Initialize Squid Cache

Cache initialization creates the directory structure Squid needs for storing cached objects. This critical step must occur before starting the Squid service; failure to initialize causes startup errors.

Initialize cache directories with this command:

sudo squid -z

The initialization process creates first-level and second-level subdirectories within /var/spool/squid/ according to parameters specified in your cache_dir directive. This hierarchical structure optimizes filesystem performance by distributing cached objects across many directories, preventing any single directory from containing excessive files.

Initialization typically completes within seconds for empty cache directories. Output confirms successful directory creation. If errors occur, verify your cache_dir directive syntax and ensure adequate disk space exists. Permission problems sometimes arise; ensure the squid user owns the cache directory:

sudo chown -R squid:squid /var/spool/squid

Never start Squid before initializing cache directories—doing so results in service failures requiring manual intervention.

Step 7: Start and Enable Squid Service

With configuration complete and cache initialized, start the Squid service and enable automatic startup during system boot.

Start Squid service:

sudo systemctl start squid

Enable automatic startup:

sudo systemctl enable squid

Verify service status to confirm successful startup:

sudo systemctl status squid

Successful startup displays “active (running)” status with process information. You should observe the main Squid process, worker processes, and log daemon in the process list. Typical output shows multiple processes: the main parent process, child worker processes handling requests, and a logfile daemon managing log rotation.

Check for errors in the cache log if the service fails to start:

sudo tail -n 50 /var/log/squid/cache.log

Common startup issues include configuration syntax errors, missing cache directories, or port conflicts with other services. Address any errors before proceeding with firewall configuration.

Step 8: Configure Firewall Rules

Rocky Linux 10 uses firewalld for firewall management. Configure firewall rules to permit incoming connections to your Squid proxy while maintaining security.

Allow Squid service through the firewall:

sudo firewall-cmd --add-service=squid --permanent

Alternatively, specify the port explicitly if using a non-standard port:

sudo firewall-cmd --add-port=3128/tcp --permanent

For custom ports, adjust accordingly. If using port 8080:

sudo firewall-cmd --add-port=8080/tcp --permanent

Reload firewall rules to apply changes:

sudo firewall-cmd --reload

Verify firewall configuration:

sudo firewall-cmd --list-all

Output displays active services and open ports. Confirm your Squid service or port appears in the list. Proper firewall configuration ensures clients can connect while blocking unauthorized access attempts.

Step 9: Configure Basic Authentication (Optional)

Implementing authentication prevents unauthorized proxy usage and enables user-specific access controls. Basic authentication provides a straightforward security layer, though more advanced methods like LDAP or Active Directory integration exist for enterprise environments.

Install httpd-tools package for password file management:

sudo dnf install httpd-tools -y

Create a password file and add your first user. Replace “username” with the actual username:

sudo htpasswd -c /etc/squid/squid_passwd username

The -c flag creates a new password file; omit it when adding subsequent users. You’ll be prompted to enter and confirm the password. Add additional users without the -c flag:

sudo htpasswd /etc/squid/squid_passwd seconduser

Set proper ownership and permissions on the password file:

sudo chown squid:squid /etc/squid/squid_passwd
sudo chmod 640 /etc/squid/squid_passwd

Edit your Squid configuration file to enable authentication. Add these directives before your http_access rules:

auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/squid_passwd
auth_param basic children 5
auth_param basic realm Squid Proxy Server
auth_param basic credentialsttl 2 hours
acl authenticated proxy_auth REQUIRED

Modify your http_access rules to require authentication:

http_access allow authenticated

Restart Squid to apply authentication settings:

sudo systemctl restart squid

Clients must now provide valid credentials to use the proxy. While basic authentication provides reasonable security, consider implementing digest authentication or integrating with directory services for enhanced security in production environments.

Step 10: Test Squid Proxy Configuration

Testing verifies your proxy functions correctly before deploying to production. Several methods exist for validating Squid functionality.

Verify configuration file syntax without restarting the service:

sudo squid -k parse

This command identifies syntax errors preventing successful startup. No output indicates a valid configuration file. If errors exist, the output specifies the problematic line number and nature of the error.

Test proxy functionality using curl. Open a new terminal session and monitor access logs:

sudo tail -f /var/log/squid/access.log

From another terminal, test HTTP access through the proxy:

curl -I --proxy "http://192.168.1.10:3128" https://www.google.com

Replace the IP address with your Squid server’s actual address. Successful tests display HTTP response headers and generate entries in the access log. The log entry shows TCP_TUNNEL for HTTPS connections or TCP_MISS for initial HTTP requests.

Test with squidclient if available:

squidclient -h 192.168.1.10 -p 3128 http://www.example.com

Configure a web browser to test interactively. In Firefox, navigate to Settings > Network Settings > Manual proxy configuration. Enter your proxy server IP and port 3128. Browse to various websites and verify connectivity. Check access logs for corresponding entries confirming traffic flows through Squid.

Advanced Configuration Options

Squid offers extensive advanced features for sophisticated deployments. Modular configuration management using /etc/squid/conf.d/ improves maintainability by separating concerns into distinct files. Create separate configuration files for ACLs, authentication, and caching policies.

Configure custom cache hierarchies for distributed caching across multiple servers:

cache_peer parent.proxy.local parent 3128 3130 default

Implement transparent proxy mode by changing the http_port directive:

http_port 3128 transparent

Reverse proxy configurations allow Squid to serve as an accelerator for web servers, caching dynamic content and SSL offloading. Configure reverse proxy mode:

http_port 80 accel defaultsite=www.example.com
cache_peer backend.server.local parent 80 0 no-query originserver

SSL bumping enables HTTPS inspection for security scanning, though it requires certificate management and raises privacy considerations. Implement with caution and proper legal guidance.

Security Best Practices

Securing your Squid proxy protects against unauthorized access and potential abuse. Always implement authentication rather than allowing anonymous proxy access. Unauthenticated proxies commonly become targets for abuse, potentially resulting in blacklisting and legal issues.

Change default ports when appropriate to reduce automated scanning attempts. While security through obscurity shouldn’t be your primary defense, non-standard ports decrease casual exploitation attempts. Regularly update Squid and system packages to address security vulnerabilities.

Configure strict ACLs limiting access to authorized networks only. Review and refine ACLs periodically as network requirements evolve. Restrict the CONNECT method to SSL ports exclusively, preventing potential tunneling abuse:

acl SSL_ports port 443
http_access deny CONNECT !SSL_ports

Run Squid with a non-privileged service account rather than root. Rocky Linux configures this correctly by default, but verify the squid user exists and owns relevant directories. Implement rate limiting and bandwidth controls to prevent resource exhaustion:

delay_pools 1
delay_class 1 2
delay_parameters 1 32000/32000 8000/8000

Monitor logs regularly for suspicious activity patterns indicating potential compromise or abuse. Automated log analysis tools help identify anomalies efficiently.

Monitoring and Log Analysis

Comprehensive logging enables performance monitoring, troubleshooting, and security auditing. Squid’s access log records detailed information about every request including timestamp, response time, client IP, HTTP status code, bytes transferred, request method, URL, and cache result.

Monitor logs in real-time during testing and troubleshooting:

sudo tail -f /var/log/squid/access.log

Understand cache result codes for performance analysis. TCP_HIT indicates content served from cache, reducing bandwidth and improving response times. TCP_MISS means content fetched from the origin server. TCP_TUNNEL applies to SSL/TLS connections where content passes through without caching.

Analyze response times to identify performance bottlenecks. The fourth field shows elapsed time in milliseconds. Consistently high response times suggest network issues, underpowered hardware, or cache configuration problems.

Configure log rotation to prevent logs from consuming excessive disk space:

sudo squid -k rotate

Implement automated log rotation with logrotate by creating /etc/logrotate.d/squid:

/var/log/squid/*.log {
    daily
    compress
    delaycompress
    rotate 30
    notifempty
    missingok
    postrotate
        /usr/sbin/squid -k rotate
    endscript
}

This configuration rotates logs daily, compresses old logs, retains 30 days of history, and signals Squid to reopen log files.

Common Troubleshooting Issues

Understanding common problems accelerates issue resolution. “Too many open files” errors indicate file descriptor limits restrict Squid’s ability to handle concurrent connections. Increase system limits by editing /etc/security/limits.conf:

squid soft nofile 65536
squid hard nofile 65536

Connection refused errors typically indicate Squid isn’t running, firewall blocks connections, or port conflicts exist. Verify service status, confirm firewall rules, and check for other services using the same port:

sudo ss -tlnp | grep 3128

Permission problems with cache directories prevent Squid startup. Verify ownership and permissions:

ls -ld /var/spool/squid

The squid user must own this directory with appropriate permissions. Correct ownership if necessary:

sudo chown -R squid:squid /var/spool/squid
sudo chmod 750 /var/spool/squid

Performance issues manifesting as slow responses often stem from insufficient memory allocation, inadequate cache size, or suboptimal cache replacement policies. Review resource allocation in your configuration and monitor system resources during peak usage periods.

ACL configuration errors prevent expected access patterns. Test ACL logic incrementally, adding one rule at a time and testing thoroughly. Remember ACLs evaluate sequentially—order matters significantly.

DNS resolution problems cause slow proxy responses or complete failures. Configure reliable DNS servers in /etc/resolv.conf and consider implementing DNS caching.

Use Case: Configure DNF to Use Squid Proxy

Configuring package managers to utilize Squid optimizes update bandwidth, especially for environments with multiple servers. Edit the DNF configuration file to specify your proxy:

sudo nano /etc/dnf/dnf.conf

Add the proxy directive:

proxy=http://192.168.1.10:3128

If authentication is enabled, include credentials:

proxy=http://username:password@192.168.1.10:3128

Clean the DNF cache to ensure fresh metadata retrieval:

sudo dnf clean all

Test package manager functionality through the proxy:

sudo dnf check-update

Monitor Squid access logs to verify DNF connections route through the proxy. Package caching dramatically reduces bandwidth consumption when updating multiple servers, as packages download once and serve from cache to subsequent servers.

Performance Optimization Tips

Optimizing Squid performance ensures efficient resource utilization and responsive user experience. Allocate cache memory appropriately based on available RAM, typically dedicating one-third to cache memory. Monitor memory usage to prevent swapping, which severely degrades performance.

Configure multiple cache directories on separate physical disks to distribute I/O load:

cache_dir ufs /cache1/squid 5000 16 256
cache_dir ufs /cache2/squid 5000 16 256

Tune cache replacement policies based on usage patterns. LFUDA works well for varied object sizes, while LRU suits environments with similar-sized objects. Experiment with different policies and monitor cache hit ratios.

Adjust maximum object sizes based on your user base. Larger values cache more content but consume more space:

maximum_object_size 1024 MB
minimum_object_size 0 KB

Implement cache hierarchies for large deployments, distributing load across multiple Squid instances. Parent-child relationships enable sharing cached content, improving overall cache efficiency.

Ensure adequate CPU and RAM resources exist. Underpowered hardware significantly impacts Squid performance, particularly under heavy load. Monitor CPU utilization, memory usage, and I/O wait times to identify resource constraints.

Congratulations! You have successfully installed Squid. Thanks for using this tutorial for installing the Squid Proxy Cache on your Rocky Linux 10 system. For additional help or useful information, we recommend you check the official Squid website.