How to Install and Configure Squid Proxy Server on Enterprise Linux

This step-by-step guide will show you how to install and securely configure a basic explicit forward Squid Proxy Server on an Enterprise Linux system (such as AlmaLinux, Rocky Linux, or RHEL) using the dnf package manager.

If you are managing a high-performance dedicated server, setting up a proxy server is a great way to control outbound web traffic, improve access control, enhance privacy, and cache eligible web content. Squid is one of the most reliable and widely used forward proxy servers available.

Want the easier route?

Installing Squid Proxy on your own server is not difficult when you follow the correct steps, but it still involves package installation, modifying configuration files, setting up access control lists (ACLs), and adjusting firewall rules.

If you would rather receive the server ready to use, Servers99 can provision your server with Enterprise Linux and Squid Proxy pre-installed before handover. You can simply open a support ticket or add the request in your order notes (conditions apply).

Prerequisites

Before you begin, make sure you have:

  • A dedicated server running Enterprise Linux (AlmaLinux, Rocky Linux, etc.)
  • Root or sudo privileges

Step 1: Install Squid Proxy

First, update your package repository and install the Squid package using the dnf package manager.

Run:

    dnf -y install squid

Step 2: Backup the Default Configuration

Before making any changes, it is strongly recommended to back up the original configuration file. This preserves the default packaged comments and settings in case you need to restore them later.

Run:

    cp -a /etc/squid/squid.conf /etc/squid/squid.conf.bak.$(date +%F)

Step 3: Create a Secure, Minimal Configuration

While you can modify the default file, starting with a clean, minimal configuration is often easier for a basic explicit forward proxy setup.

Open the Squid configuration file using your preferred text editor:

Run:

    vi /etc/squid/squid.conf

Clear the existing content and replace it with the following secure base configuration:

    # Default listening port for Squid
    http_port 3128

    # Define the client network allowed to use your proxy
    acl allowed_clients src 10.0.0.0/24

    # Define safe destination ports
    acl SSL_ports port 443
    acl Safe_ports port 80
    acl Safe_ports port 443
    acl Safe_ports port 21

    # Block access to unsafe ports
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports

    # Cache manager access rules
    http_access allow localhost manager
    http_access deny manager

    # Local / link-local protection
    # (to_linklocal is predefined only in newer Squid releases; Step 5 reports it if your package lacks it)
    http_access deny to_localhost
    http_access deny to_linklocal

    # Access rules: allow localhost and your specific subnet
    http_access allow localhost
    http_access allow allowed_clients

    # Deny everything else (crucial for security)
    http_access deny all

    # Privacy-focused header settings
    request_header_access Referer deny all
    request_header_access X-Forwarded-For deny all
    request_header_access Via deny all
    forwarded_for delete

    # Log file locations
    access_log /var/log/squid/access.log
    cache_log /var/log/squid/cache.log

Security & Privacy Note: This configuration uses the standard safe access rules (deny !Safe_ports). Placing http_access deny all at the very end of your access lists prevents ambiguity. The header privacy settings (forwarded_for delete and the request_header_access rules) create a privacy-focused setup by stripping identifying forwarding headers, which reduces client IP leaks.

Step 4: Adjust the Subnet for Your Network

In the configuration above, you must modify the allowed_clients ACL to match your actual client network.

Find this line in the file:

acl allowed_clients src 10.0.0.0/24

Examples of how to modify this:

  • If your local network is 192.168.1.x, change it to: acl allowed_clients src 192.168.1.0/24
  • If you only want to allow a single specific IP address, use /32: acl allowed_clients src 203.0.113.50/32

Step 5: Validate the Configuration Syntax

Before starting the service, it is a sysadmin best practice to parse the configuration file for any syntax errors. This prevents the service from failing silently.

Run:

    squid -k parse

If this command returns no errors, your configuration is structurally valid.
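
squid -k parse checks syntax, not policy. The following script is an added example (not part of the original guide or of Squid) that checks the access rules from Step 3 for a missing final http_access deny all, for Safe_ports/SSL_ports denies that are missing or placed after an allow, and for an overly broad src ACL. The function names, the finding labels and the MIN_PREFIX threshold of /16 are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: policy lint for squid.conf access rules (not a Squid tool).
# MIN_PREFIX is an assumed site policy: shortest IPv4 prefix allowed in a src ACL.
MIN_PREFIX="${MIN_PREFIX:-16}"

# Reads squid.conf from a file argument or stdin; prints one finding per line
# and prints nothing when every check passes.
lint_squid_acl() {
  awk -v minp="$MIN_PREFIX" '
    { sub(/#.*/, "") }                      # strip comments; awk re-splits fields
    $1 == "http_access" {
      n++
      rule = $2
      for (i = 3; i <= NF; i++) rule = rule " " $i
      last = rule                           # remember the final rule seen
      if ($2 == "allow" && !first_allow) first_allow = n
      if (rule == "deny !Safe_ports") safe = n
      if (rule == "deny CONNECT !SSL_ports") ssl = n
    }
    $1 == "acl" && $3 == "src" {            # flag IPv4 networks wider than /minp
      for (i = 4; i <= NF; i++) {
        k = split($i, p, "/")
        if (k == 2 && $i !~ /:/ && (p[2] + 0) < minp)
          print "BROAD_SRC acl " $2 " admits " $i
      }
    }
    END {
      if (last != "deny all")
        print "NO_FINAL_DENY last http_access rule is: " last
      if (!safe || (first_allow && safe > first_allow))
        print "SAFE_PORTS deny !Safe_ports is missing or follows an allow"
      if (!ssl || (first_allow && ssl > first_allow))
        print "SSL_PORTS deny CONNECT !SSL_ports is missing or follows an allow"
    }
  ' "$@"
}

# Constructed sample with deliberate mistakes, for demonstration only.
demo_bad_conf() {
  cat <<'EOF'
acl allowed_clients src 10.0.0.0/8
acl SSL_ports port 443
http_access allow allowed_clients
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
EOF
}

demo_bad_conf | lint_squid_acl
```

To check the live file, call lint_squid_acl /etc/squid/squid.conf; no output means the three policy checks passed.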

Step 6: Start and Enable the Squid Service

Enable Squid to start automatically on system boot and start the service immediately:

Run:

    systemctl enable --now squid

Verify that the service is active and running:

Run:

    systemctl status squid

Step 7: Open the Proxy Port in the Firewall

Squid listens on port 3128 by default. You need to open this port in firewalld to allow client traffic.

Run:

    firewall-cmd --add-port=3128/tcp --permanent
    firewall-cmd --reload

Step 8: Test the Proxy and View Logs

You can verify that your proxy is actively accepting connections using the curl command.

From the proxy server itself:

Run:

    curl -I --proxy http://127.0.0.1:3128 https://example.com

From a remote client machine:

(Ensure the client is within the allowed_clients subnet)

Run:

    curl -I --proxy http://SERVER_IP:3128 https://example.com

Monitor Proxy Traffic:

To verify that traffic is passing through your new proxy successfully, you can monitor the real-time access and cache logs:

Run:

    tail -f /var/log/squid/access.log
    tail -f /var/log/squid/cache.log
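
Refused requests appear in access.log with a TCP_DENIED result code. The following script is an added example (not part of the original guide) that summarizes them per client so you can tell a mis-sized allowed_clients ACL from a CONNECT blocked by the SSL_ports rule. It assumes Squid's default native log format; the function names and the log lines are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: summarize refused requests from Squid's native access.log.
# Assumed field order (Squid's default "squid" log format):
#   time elapsed client result/status bytes method URL user hierarchy/peer type

# Prints "<count> <client> <reason>" per refused client, most refused first.
# reason is "connect-port" for a CONNECT to a port other than 443, which the
# guide's "http_access deny CONNECT !SSL_ports" rule refuses for every client;
# anything else is "other-rule" (for example a source outside allowed_clients).
denied_clients() {
  awk '
    index($4, "TCP_DENIED/") == 1 {
      why = ($6 == "CONNECT" && $7 !~ /:443$/) ? "connect-port" : "other-rule"
      n[$3 " " why]++
    }
    END { for (k in n) print n[k], k }
  ' "$@" | sort -k1,1nr -k2,2
}

# Constructed log lines using documentation address ranges, not real traffic.
sample_access_log() {
  cat <<'EOF'
1700000000.101     52 10.0.0.15 TCP_TUNNEL/200 5120 CONNECT example.com:443 - HIER_DIRECT/203.0.113.80 -
1700000001.210      0 198.51.100.7 TCP_DENIED/403 3900 CONNECT example.com:443 - HIER_NONE/- text/html
1700000002.330      0 198.51.100.7 TCP_DENIED/403 3880 GET http://example.com/ - HIER_NONE/- text/html
1700000003.440      0 10.0.0.22 TCP_DENIED/403 3910 CONNECT mail.example.net:25 - HIER_NONE/- text/html
1700000004.550     38 10.0.0.15 TCP_MISS/200 1290 GET http://example.com/ - HIER_DIRECT/203.0.113.80 text/html
EOF
}

sample_access_log | denied_clients
```

Against the live log, call denied_clients /var/log/squid/access.log.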

Common mistakes to avoid

One of the most common mistakes is configuring the wrong subnet in the allowed_clients ACL. If the subnet is too broad, you may accidentally expose your proxy to unauthorized systems. If it is too narrow or incorrect, legitimate clients will be denied access. Always double-check the source network before enabling the service. Squid ACLs and http_access rules are what control who can use the proxy.

A Squid proxy should always end its access policy with an explicit deny rule. Without a final http_access deny all, you increase the risk of unintended access behavior and a poorly restricted proxy configuration. Squid’s access system is rule-based, and access outcomes depend on the order and completeness of those rules.

Do not remove or casually reorder these lines:

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

These checks help prevent unsafe requests and unrestricted tunneling to inappropriate ports. Squid’s own security guidance notes that Safe_ports and SSL_ports are placed very deliberately in the default configuration to reduce security risks.

Testing Squid with an HTTPS URL only proves that the proxy path is working; it does not automatically mean encrypted content is being cached or inspected. By default, Squid handles HTTPS through the CONNECT method, which creates a TCP tunnel and passes traffic through without interpreting the encrypted data. This is an important distinction when describing proxy behavior in technical documentation.

It is possible to remove request headers such as Referer, Via, or X-Forwarded-For, but these changes should be made carefully. Squid documents that request_header_access removes outgoing request headers, so incorrect header filtering can affect how some websites or upstream systems behave. Keep privacy-related changes minimal and intentional.