How to install Squid Proxy Server on Ubuntu 20.04 LTS Linux

How do I install Squid Proxy Server on Ubuntu 20.04 LTS Linux server for web clients? How can I filter out internet traffic for LAN users such as blocking domains, unwanted URLs, office hours for Internet access, and more using Squid running on Ubuntu server?

Squid proxy server is a free and open-source, high-performance caching and forwarding HTTP web proxy. It is mostly used to speed up a web server by caching repeated requests, and to cache DNS and web lookups for a shared network. It can also enforce a security policy that filters out unwanted traffic for web or office users. This page explains how to install, set up, and configure the Squid proxy server on an Ubuntu 20.04 LTS Linux server.

Step 1 – Install Squid proxy server on Ubuntu

First, log in using the ssh command:
ssh user@server-ip-here

Next, update your system using the apt command:
sudo apt update
sudo apt upgrade

We can search for the squid package as follows:
apt show squid

Package: squid
Version: 4.10-1ubuntu1
Priority: optional
Section: web
Origin: Ubuntu
Maintainer: Ubuntu Developers <>
Original-Maintainer: Luigi Gangitano <>
Installed-Size: 8,792 kB
Provides: squid3
Pre-Depends: adduser
Depends: libc6 (>= 2.29), libcap2 (>= 1:2.10), libcom-err2 (>= 1.43.9), libdb5.3, libecap3 (>= 1.0.1), libexpat1 (>= 2.0.1), libgcc-s1 (>= 3.0), libgnutls30 (>= 3.6.6), libgssapi-krb5-2 (>= 1.17), libkrb5-3 (>= 1.10+dfsg~), libldap-2.4-2 (>= 2.4.7), libltdl7 (>= 2.4.6), libnetfilter-conntrack3 (>= 1.0.7), libnettle7, libpam0g (>=, libsasl2-2 (>= 2.1.27+dfsg), libstdc++6 (>= 9), libxml2 (>= 2.7.4), netbase, logrotate (>= 3.5.4-1), squid-common (>= 4.10-1ubuntu1), lsb-base, libdbi-perl, ssl-cert
Recommends: libcap2-bin, ca-certificates
Suggests: squidclient, squid-cgi, squid-purge, resolvconf (>= 0.40), smbclient, ufw, winbind, apparmor
Download-Size: 2,556 kB
APT-Sources: focal/main amd64 Packages
Description: Full featured Web Proxy cache (HTTP proxy)
 Squid is a high-performance proxy caching server for web clients, supporting
 FTP, gopher, ICY and HTTP data objects.

Installing Squid 4

Now that the system software is up to date, it is time to install the Squid server. Enter:
sudo apt install squid

Step 2 – Configuring Squid server

The Squid configuration lives in the /etc/squid/squid.conf file and the /etc/squid/conf.d/ directory. We will edit /etc/squid/squid.conf using a text editor. First, make a backup of the original file with the cp command so that we can go back if something goes wrong:
sudo cp -v /etc/squid/squid.conf{,.factory}
'/etc/squid/squid.conf' -> '/etc/squid/squid.conf.factory'

sudo nano /etc/squid/squid.conf
## OR ##
sudo vim /etc/squid/squid.conf

Change squid port and listening IP address

By default, squid listens on all IP addresses on all interfaces. The default port is TCP 3128. Find line:
http_port 3128
Change it as follows or as per your needs:

Setting up ACL for ports

ACL is an access control scheme, and we can use it to deny or allow access as per our needs. For example, a time acl lets you set the time of day and the days of the week during which your users can browse. Don't like social media domains? We can block domains such as Facebook and others using the Squid proxy server. There are several different access lists. Let us see some common examples.

Define SSL and safe ports that you would like to allow

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http

Adapt to list your (internal) IP networks from where browsing should be allowed

acl localnet src  # RFC 1122 "this" network (LAN)
acl localnet src             # RFC 1918 local private network (LAN)
acl localnet src          # RFC 6598 shared address space (CGN)
acl localnet src         # RFC 3927 link-local (directly plugged) machines
acl localnet src          # RFC 1918 local private network (LAN)
acl localnet src         # RFC 1918 local private network (LAN)
acl localnet src fc00::/7               # RFC 4193 local private network range
acl localnet src fe80::/10              # RFC 4291 link-local (directly plugged) machines

Define your LAN acl as follows

acl mylan src

We can also define other domains that you wish to block
acl baddomain1 dstdomain www-bad-guys-domain-name-here

Allow or deny access

Use the http_access directive to allow or deny HTTP clients such as browsers access to the HTTP port. It is the primary access control list:

# Block access to all Unsafe ports i.e. only allow Safe_ports defined in acl above #
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# Block domains #
http_access deny baddomain1
# only allow cachemgr access from localhost #
http_access allow localhost manager
http_access deny manager
# Allow internet access to localhost and mylan sub/net #
http_access allow localhost
http_access allow mylan
# and finally deny all other access to this proxy server #
http_access deny all

Squid Proxy Server Change Outgoing IP Address

If you have multiple IP addresses assigned to your server, you can change the proxy server's outgoing IP address as follows:

Set cache memory size as per your needs

cache_mem 256 MB

Force squid to hide client’s real IP address

# Remove the X-Forwarded-For header instead of sending the client IP
forwarded_for delete
via off
follow_x_forwarded_for deny all
request_header_access X-Forwarded-For deny all

Specify a list of DNS name servers to use

Squid has many more options; I covered only the basic ones here. See this page where you will find all Squid configuration directives.

Verify that config options are valid

To parse and test the configuration file, enter:
sudo /usr/sbin/squid -k check
echo $?
sudo /usr/sbin/squid -k parse

See "21 Examples To Make Sure Unix / Linux Configuration Files Are Free From Syntax Errors" for more info.

Step 3 - Start/stop/restart Squid

First, turn on Squid service at boot time using the systemctl command:
sudo systemctl enable squid.service
The syntax is as follows:

Start the Squid server

sudo systemctl start squid.service

Stop the Squid server

sudo systemctl stop squid.service
sudo squid -k shutdown

Restart the Squid server

sudo systemctl restart squid.service

Find the Squid server status

sudo systemctl status squid.service

Reload the Squid after config changes gracefully

Whenever you make changes to the squid.conf, reload it as follows:
sudo squid -k reconfigure
sudo systemctl reload squid.service

Step 4 - Block domains

Let us block and

acl socialsite dstdomain
acl socialsite dstdomain
http_access deny socialsite

Step 5 - Block URLs using keywords

If a URL contains a keyword such as "foo" or "browse.php?u=", block it using the url_regex acl:

acl urlkeywordsblocks url_regex -i "/etc/squid/blocked-urls-keyword.conf"
http_access deny urlkeywordsblocks

Create a file named /etc/squid/blocked-urls-keyword.conf as follows:
sudo vim /etc/squid/blocked-urls-keyword.conf
Append the urls/keywords:
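
Entries in this file are regular expressions, not literal keywords. The check below is an added example, not part of the original tutorial; it assumes `grep -E -i` as a stand-in for Squid's `url_regex -i` matching and uses constructed file names and URLs to try the two keywords mentioned above:

```bash
#!/usr/bin/env bash
# Added example: try url_regex patterns offline before Squid loads them.
# Assumption: grep -E -i stands in for "url_regex -i" (POSIX extended regex,
# case-insensitive). File names and URLs below are constructed samples.

# blocked_by FILE URL -> print the first pattern matching URL; return 1 if none
blocked_by() {
    local file="$1" url="$2" pat
    while IFS= read -r pat; do
        case $pat in '' | '#'*) continue ;; esac   # skip blanks and comments
        if printf '%s\n' "$url" | grep -Eiq -- "$pat"; then
            printf '%s\n' "$pat"
            return 0
        fi
    done < "$file"
    return 1
}

demo() {
    local dir naive escaped url
    dir=$(mktemp -d)
    naive="$dir/naive.conf"; escaped="$dir/escaped.conf"
    # The two keywords from Step 5: first typed as-is, then with "." and "?" escaped
    printf '%s\n' 'foo' 'browse.php?u=' > "$naive"
    printf '%s\n' 'foo' 'browse\.php\?u=' > "$escaped"

    for url in 'http://example.test/browse.php?u=http://other.test/' \
               'http://www.football.test/scores'; do
        printf '%s\n' "$url"
        printf '  as typed: %s\n' "$(blocked_by "$naive" "$url" || echo 'not blocked')"
        printf '  escaped:  %s\n' "$(blocked_by "$escaped" "$url" || echo 'not blocked')"
    done
    rm -rf "$dir"
}
demo
```

As typed, `browse.php?u=` treats `?` as "optional p" and so misses the very URL it was meant to block, while the bare keyword `foo` also matches `football`.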

Step 6 - Block file extensions

We can block unwanted file extensions using the squid proxy too:

acl blockedexentions urlpath_regex -i "/etc/squid/blocked-file-externsions.conf"    
http_access deny blockedexentions

Append the following in /etc/squid/blocked-file-externsions.conf

Step 7 - Allow internet access only between 9:00AM and 18:00 during weekdays

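acl official_hours time M T W H F 09:00-18:00
# The first matching http_access rule wins, so the allow must come before "deny all".
# Use this in place of the plain "http_access allow mylan" rule from Step 2.
http_access allow mylan official_hours
http_access deny all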
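
Squid evaluates http_access rules in order and stops at the first one that matches, so a rule placed after `http_access deny all` never takes effect. The lint below is an added example, not part of the original tutorial; the function name and the sample configs are constructed for illustration:

```bash
#!/usr/bin/env bash
# Added example: lint the order of http_access rules in a squid.conf.
# Squid checks http_access rules top to bottom and stops at the first match.

# lint_http_access FILE -> print findings; return 1 if there are any
lint_http_access() {
    awk '
        { sub(/#.*/, "") }                  # drop comments
        $1 != "http_access" { next }
        { $1 = $1 }                         # normalise spacing
        catchall {                          # a rule on "all" was already seen
            printf "line %d: \"%s\" is never reached (line %d matches everything)\n", NR, $0, catchall
            bad = 1
            next
        }
        { last = $0 }
        NF == 3 && $3 == "all" { catchall = NR }
        END {
            if (last != "" && last != "http_access deny all") {
                printf "last rule is \"%s\"; end the list with \"http_access deny all\"\n", last
                bad = 1
            }
            exit bad + 0
        }
    ' "$1"
}

demo() {
    local dir; dir=$(mktemp -d)
    # Constructed sample: the office-hours allow sits after the catch-all deny
    cat > "$dir/shadowed.conf" <<'EOF'
http_access deny !Safe_ports
http_access deny all
http_access allow mylan official_hours
EOF
    # Constructed sample: same rules with the allow ahead of the final deny
    cat > "$dir/ordered.conf" <<'EOF'
http_access deny !Safe_ports
http_access allow mylan official_hours
http_access deny all
EOF
    lint_http_access "$dir/shadowed.conf" || echo 'shadowed.conf: fix the order'
    lint_http_access "$dir/ordered.conf" && echo 'ordered.conf: ok'
    rm -rf "$dir"
}
demo
```

Call `lint_http_access /etc/squid/squid.conf` before `squid -k reconfigure`; it only inspects the file it is given, not files under /etc/squid/conf.d/.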

Step 8 - Configure web browser

Connection settings to use a proxy can be set in Firefox Preferences as follows:

  • Click the menu button and select Preferences
  • In the General panel, go to the Network Settings section by scrolling down the options page.
  • Click Settings.... The Connection Settings dialog will open. Set the proxy server address such as and port 3128:


That is all for now. You learned how to install, set up, and deploy Squid 4 server for internet access and filter unwanted traffic on Ubuntu Linux 20.04 LTS. See Squid server docs here for more info.
