Squid Basics

Page 14 — Proxy server. What a proxy is, what a reverse proxy is, ACLs, and service checks.

What Squid is

Squid is a caching and forwarding proxy server.

What a proxy is

A proxy sits between a client and the destination server. Instead of:

client → website

You get:

client → proxy → website

Common reasons to use a (forward) proxy:

What a reverse proxy is

A reverse proxy is different — it represents the server to incoming clients, not the client to the outside world:

user → reverse proxy → backend app

Common reasons to use a reverse proxy (Nginx, Apache, HAProxy):

Squid is usually a forward proxy. Nginx and Apache are more commonly used as reverse proxies.

Main config

/etc/squid/squid.conf

ACL example

acl localnet src 192.168.1.0/24
http_access allow localnet
http_access deny all
http_port 3128

What this means:

ACL order matters. Squid reads rules top to bottom and stops at the first match. Put more specific allow rules before the final deny all.
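The first-match rule above, as an added example (not from the original page or the Squid project): a small Python model of how http_access lines are evaluated for a client address. It assumes only src-type ACLs written as addresses or CIDR blocks. MISORDERED and NO_FINAL_DENY are constructed samples, and the fall-through default (the opposite of the last rule) follows Squid's documented behaviour.

```python
import ipaddress

def parse(conf_text):
    """Return (src ACLs by name, ordered http_access rules) from squid.conf text."""
    # 'all' is Squid's built-in ACL that matches every client.
    acls = {"all": [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]}
    rules = []
    for raw in conf_text.splitlines():
        tok = raw.split("#", 1)[0].split()
        if len(tok) >= 4 and tok[0] == "acl" and tok[2] == "src":
            # Repeated "acl NAME src ..." lines extend the same ACL (values are ORed).
            nets = [ipaddress.ip_network(v, strict=False) for v in tok[3:]]
            acls.setdefault(tok[1], []).extend(nets)
        elif len(tok) >= 3 and tok[0] == "http_access" and tok[1] in ("allow", "deny"):
            rules.append((tok[1], tok[2:]))
    return acls, rules

def acl_matches(acls, name, ip):
    """True if ip matches the ACL; a leading '!' negates. Unknown names raise KeyError."""
    nets = acls[name.lstrip("!")]
    return any(ip in net for net in nets) != name.startswith("!")

def decide(conf_text, client_ip):
    """Return 'allow' or 'deny' for client_ip using first-match evaluation."""
    acls, rules = parse(conf_text)
    ip = ipaddress.ip_address(client_ip)
    for action, names in rules:
        # All ACLs on one http_access line must match (AND); first matching line wins.
        if all(acl_matches(acls, n, ip) for n in names):
            return action
    if not rules:
        return "deny"  # no http_access lines at all: Squid denies
    # Nothing matched: the default is the opposite of the last rule's action.
    return "deny" if rules[-1][0] == "allow" else "allow"

# The page's ACL example, then two constructed variants.
PAGE_CONF = """acl localnet src 192.168.1.0/24
http_access allow localnet
http_access deny all
http_port 3128"""
MISORDERED = """acl localnet src 192.168.1.0/24
http_access deny all
http_access allow localnet"""
NO_FINAL_DENY = """acl guest src 192.168.1.200
http_access deny guest"""

if __name__ == "__main__":
    for conf in (PAGE_CONF, MISORDERED, NO_FINAL_DENY):
        print([decide(conf, ip) for ip in ("192.168.1.50", "203.0.113.9")])
```

The NO_FINAL_DENY case is the one to watch for in review: with a deny as the last rule and no closing deny all, any client that matches nothing falls through to allow.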

Log files

/var/log/squid/access.log   # client requests
/var/log/squid/cache.log    # operational problems

Service checks

systemctl status squid
systemctl restart squid
journalctl -u squid -n 50

Troubleshooting

Config validation and live reload

The squid -k options control the running squid process: each one parses the configuration file and, except for parse, then sends a signal to the running instance. The most important are parse (validate config) and reconfigure (live reload).

# Validate the config file without restarting
squid -k parse

# If valid: no output (exit 0)
# If invalid: specific error with line number:
# FATAL: /etc/squid/squid.conf line 42: invalid ACL type 'destdomain'

# Reload config without dropping connections (graceful)
squid -k reconfigure

# Rotate log files (useful for log management scripts)
squid -k rotate

# Shutdown gracefully
squid -k shutdown

Always run squid -k parse before squid -k reconfigure or systemctl restart squid. A bad config kills the proxy for all clients without warning.

Workflow for config changes:
  1. Edit /etc/squid/squid.conf
  2. squid -k parse — validate
  3. squid -k reconfigure — apply without dropping connections
  4. tail -f /var/log/squid/access.log — verify traffic is flowing

visible_hostname directive

Without visible_hostname, Squid generates a startup warning and may use an incorrect or ugly hostname in error pages and Via headers. Set it explicitly to suppress the warning and control how the proxy identifies itself.

# /etc/squid/squid.conf
visible_hostname proxy01.internal.example.com

The warning you see without this directive: WARNING: Could not determine this machine's hostname. Please set 'visible_hostname'. This appears in /var/log/squid/cache.log on every startup.

# Full minimal squid.conf with visible_hostname
visible_hostname proxy01.internal.example.com

http_port 3128

# Internal network allowed
acl localnet src 10.0.0.0/8
acl localnet src 172.16.0.0/12
acl localnet src 192.168.0.0/16

http_access allow localnet
http_access deny all