How to Setup Squid Proxy Cache on Windows in Azure/AWS/GCP
To install Squid Proxy Cache on Windows Server on any of the cloud platforms, the recommended way is to use our publicly available images in the cloud marketplaces. They come preconfigured with Squid Proxy running on Windows and optimised for speed and performance. Check the links below for more details.
Squid Proxy Windows
Squid Proxy on Windows Server Features
Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. It reduces bandwidth and improves response times by caching and reusing frequently-requested web pages. Squid has extensive access controls and makes a great server accelerator.
Along with server caching, Squid offers a wide range of features such as distributing the load over intercommunicating hierarchies of proxy servers, defining strict access control lists for all clients accessing the proxy, allowing or denying access to specific websites with the help of other applications, and generating statistics about frequently visited web pages for the assessment of users' surfing habits. Squid proxy is not just a generic proxy. It normally proxies only HTTP connections. It also supports the FTP, Gopher, SSL, and WAIS protocols.
- Set ACL for which networks have access to internet
- Block/Allow access to certain websites
- Block/Allow content based on MIME types (e.g. image, text, mpeg)
- Set the times of day at which users can access the internet
- Cache frequently accessed websites, cache files/media
- Hide users' internal IP addresses
- Load balance with other Squid proxies
- Traffic Interception with WCCP
- Require users to authenticate (LDAP, Active Directory, RADIUS, POP3, DB, etc.)
- Allow/Block IM (Instant Messaging)
- Block coin-mining scripts from using CPU/memory in users' browsers, a modern trend
- Adaptation protocol (C-ICAP / eCAP)
- Caching Dynamic Content
- Fully Transparent Interception with Squid-2, TPROXYv2 and WCCP
- Configuring multiple interception ports using WCCPv2
- WCCP2 and NAT on a private internal network
- PHP Redirectors
- SMP Carp Cluster
- Torrent filtering
- Webwasher integration – prevent downloading of virus-infected files or filter out adult content
Getting Started with Squid Proxy
RDP (Remote Desktop Protocol) into new server
Once you have deployed Squid Proxy on Windows Server, the first step is to RDP into the new instance once it has fully booted up. The following links explain how to connect to the VM once it has finished being deployed:
- How to RDP to AWS Windows Instance
- How to RDP to Google GCP Windows Instance
- How to RDP to Azure Windows Virtual Machine
Once logged in, you’re now ready to start setting up your new server as per the following sections.
Setting up Squid Proxy
To start Squid, press the ‘Squid Server Tray’ icon on the desktop and this will create a tray icon. To edit Squid, right click the tray icon and select ‘Open Squid Configuration’ as per the following screenshot:
Squid Proxy ACL – Access Control List
To use the proxy, you’ll first need to define which networks are allowed to use your Squid proxy. By default several private networks are enabled for Azure and GCP proxies. For AWS Squid Proxy all networks have been disabled by default.
You can enable or disable any networks you require.
Within the Squid configuration file edit the following lines:
Define Allowed Networks
To define your own networks add a new line and type:
acl name src IP address space
For example, for a network called webservers of 10.0.0.0/8 you would write:
acl webservers src 10.0.0.0/8
Simply remove the networks you don’t need, or add a ‘#’ to the start of the line to disable it. Add any private networks of your own that you would like to enable. Here is an example of networks enabled called localnet:
In our config we call our network localnet; you can use any name to identify your networks.
The next step is to tell Squid.conf to allow access for HTTP. Scroll down to http_access allow localnet.
Here we specify which of the networks you defined earlier are allowed access for HTTP. Type the following line:
http_access allow localnet
This line allows the network called localnet, that is, the networks created in the previous step.
Restart Squid Service
Once updated, save the file and then restart the Squid service. You can do this via the Squid Tray Icon (Stop Squid Service, then Start Squid Service).
Update Browser Proxy LAN settings and port
Users can now connect to the proxy by updating their browser proxy config with the proxy's IP address and port (3128), and start using the proxy to access the internet.
If users can’t connect, make sure you have port 3128 open on any firewalls and any security groups.
Change the Squid listener port
If you want to change the default port of 3128 to another port, or add extra ports, simply open up the Squid.conf file, search for http_port 3128 and replace it with your desired port.
Then restart the Squid service.
Block access to certain websites
If you need to block access to certain websites for your users you can do this by defining them in your Squid.conf file as follows:
Within the Squid.conf file search for the text
http_access deny all
Let's say, for example, we want to block facebook.com and youtube.com.
Add a new line above the text http_access deny all and add the following lines:
acl block_websites dstdomain .facebook.com .youtube.com
http_access deny block_websites
Save the Squid.conf and restart the Squid Service.
You can do this via the Squid Tray Icon (Stop Squid Service, then Start Squid Service).
Users should now be blocked from accessing those websites and receive the Squid Proxy page:
Block access to ports
To block access to ports, it's the same process as for blocking websites above; just add the following lines:
acl blocked_port port 80
http_access deny blocked_port
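Where the deny lines sit matters, because Squid applies the first http_access line that matches a request. The following added example (not from the original page or the Squid project) is a simplified Python model of that evaluation for the src, dstdomain and port ACLs used above; it shows that the deny lines do nothing for localnet clients when they sit below http_access allow localnet. The function names and the sample configuration are constructed for illustration.

```python
import ipaddress

def parse(conf):
    """Collect src/dstdomain/port ACLs and the ordered http_access rules."""
    acls, rules = {"all": ("src", ["0.0.0.0/0"])}, []
    for line in conf.splitlines():
        tok = line.split("#", 1)[0].split()
        if len(tok) >= 4 and tok[0] == "acl":
            acls.setdefault(tok[1], (tok[2], []))[1].extend(tok[3:])
        elif len(tok) >= 3 and tok[0] == "http_access":
            rules.append((tok[1], tok[2:]))
    return acls, rules

def acl_matches(acl, req):
    kind, values = acl
    if kind == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(v) for v in values)
    if kind == "dstdomain":
        host = req["host"].lower()
        # ".example.com" matches example.com and every subdomain
        return any(host == v.lstrip(".") or (v[0] == "." and host.endswith(v))
                   for v in values)
    if kind == "port":  # single port numbers only; ranges are not modelled
        return str(req["port"]) in values
    return False

def decide(conf, req):
    """Return the action of the first http_access line whose ACLs all match."""
    acls, rules = parse(conf)
    for action, names in rules:
        if all(acl_matches(acls[n.lstrip("!")], req) != n.startswith("!")
               for n in names):
            return action
    # No line matched: Squid applies the opposite of the last line's action.
    return "allow" if rules and rules[-1][0] == "deny" else "deny"

# Constructed sample configuration using the ACL names from this page.
ACLS = ("acl localnet src 10.0.0.0/8\n"
        "acl block_websites dstdomain .facebook.com .youtube.com\n"
        "acl blocked_port port 80\n")
ALLOW = "http_access allow localnet\n"
DENY = "http_access deny block_websites\nhttp_access deny blocked_port\n"
DENY_LAST = ACLS + ALLOW + DENY + "http_access deny all\n"   # block is ineffective
DENY_FIRST = ACLS + DENY + ALLOW + "http_access deny all\n"  # block takes effect
CLIENT = {"src": "10.1.2.3", "host": "www.facebook.com", "port": 443}
```

decide(DENY_LAST, CLIENT) returns "allow" while decide(DENY_FIRST, CLIENT) returns "deny", so place the deny lines above every allow line that would match the same clients.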
Transparent or Intercepting Proxy
If you are going to intercept users' browser traffic by forcing HTTP traffic to go via your proxy, for example by reconfiguring your router or firewall so that all HTTP connection requests (port 80) are routed to the proxy server on the appropriate port (3128 by default, unless you changed it), configure Squid as follows.
Open up Squid.conf and search for http_port 3128.
Simply add the word transparent after the port number. That is it. Save the config and then restart the Squid service.
By default Squid forwards the client IP to the respective website, but to set up an anonymous proxy we will disable this to hide client IPs and send only the IPs that are configured on the Squid server.
Add the following line in the squid.conf file:
And add at the bottom of the squid.conf file the following instructions:
request_header_access Allow allow all
request_header_access Authorization allow all
request_header_access WWW-Authenticate allow all
request_header_access Proxy-Authorization allow all
request_header_access Proxy-Authenticate allow all
request_header_access Cache-Control allow all
request_header_access Content-Encoding allow all
request_header_access Content-Length allow all
request_header_access Content-Type allow all
request_header_access Date allow all
request_header_access Expires allow all
request_header_access Host allow all
request_header_access If-Modified-Since allow all
request_header_access Last-Modified allow all
request_header_access Location allow all
request_header_access Pragma allow all
request_header_access Accept allow all
request_header_access Accept-Charset allow all
request_header_access Accept-Encoding allow all
request_header_access Accept-Language allow all
request_header_access Content-Language allow all
request_header_access Mime-Version allow all
request_header_access Retry-After allow all
request_header_access Title allow all
request_header_access Connection allow all
request_header_access Proxy-Connection allow all
request_header_access User-Agent allow all
request_header_access Cookie allow all
request_header_access All deny all
Save the Squid.conf and restart the Squid Service.
Squid Firewall Ports
By default the following port has been enabled on the VM. This is the Squid listener port:
If you are using any of the cloud security groups and need to change or add ports, refer to the following guides:
To setup AWS firewall rules refer to – AWS Security Groups
To setup Azure firewall rules refer to – Azure Network Security Groups
To setup Google GCP firewall rules refer to – Creating GCP Firewalls
Squid Proxy Support / Further Documentation
Check out the following links for further documentation and support for Squid Proxy.
Disclaimer: Squid is licensed under the GNU GPL license. No warranty of any kind, express or implied, is included with this software. Use at your own risk; responsibility for damages (if any) to anyone resulting from the use of this software rests entirely with the user.