Deploying a Squid Proxy on Ubuntu Server with Docker

Squid is a mature and stable web proxy that provides caching, traffic forwarding, and access control.
This article walks you through deploying Squid on Ubuntu Server using Docker, enabling quick installation, persistent configuration, and convenient log management.


1. Environment Preparation

  • Operating System: Ubuntu Server 20.04 / 22.04 / 24.04
  • Privileges: root or a user with sudo rights
  • Network: Internet access to pull images from Docker Hub

First update the system and install Docker:

sudo apt update
sudo apt install -y docker.io
sudo systemctl enable --now docker

Verify the installation:

docker --version

2. Create Persistent Directories

Create host directories for configuration, cache, and logs:

sudo mkdir -p /opt/squid/conf /opt/squid/cache /opt/squid/log

These will be mounted into the container as:

  • /opt/squid/conf → /etc/squid
  • /opt/squid/cache → /var/spool/squid
  • /opt/squid/log → /var/log/squid

3. Export the Default Configuration

Pull the default Squid configuration from the image:

sudo docker run --rm sameersbn/squid cat /etc/squid/squid.conf | sudo tee /opt/squid/conf/squid.conf > /dev/null

4. Edit the Configuration

Open the configuration file:

sudo vi /opt/squid/conf/squid.conf

Minimal working example:

# Squid listening port
http_port 3128

# Allow all sources (for testing only)
acl all src 0.0.0.0/0
http_access allow all

⚠️ Security Warning:
For production, restrict access to trusted IP ranges or enable authentication.
Leaving http_access allow all in place exposes the proxy to the entire internet.


5. Start the Container

Start Squid using a single docker run command:

sudo docker run -d \
  --name squid \
  -p 3128:3128 \
  -v /opt/squid/conf/squid.conf:/etc/squid/squid.conf \
  -v /opt/squid/cache:/var/spool/squid \
  -v /opt/squid/log:/var/log/squid \
  --restart unless-stopped \
  sameersbn/squid:latest

Key options:

  • -p 3128:3128: Publish container port 3128 on host port 3128 (without a host IP, Docker binds it on all host interfaces)
  • -v: Mount configuration, cache, and logs
  • --restart unless-stopped: Auto-start on boot unless manually stopped

On the client, configure the proxy as:

http://<Server_Public_IP>:3128

Test the proxy:

curl -x http://<Server_IP>:3128 https://www.google.com -v

A 200 OK response indicates success.


6. Viewing Logs

All Squid logs are stored on the host:

cd /opt/squid/log
ls -lh
# access.log  – client requests
# cache.log   – Squid startup and error messages

Common commands:

tail -f /opt/squid/log/access.log   # Real-time access log
tail -f /opt/squid/log/cache.log    # Service status & errors

7. Modifying Configuration and Reloading

After editing /opt/squid/conf/squid.conf, validate syntax inside the container:

sudo docker exec squid squid -k parse

parse OK means the syntax is valid.

Apply changes:

sudo docker exec squid squid -k reconfigure   # Graceful reload
# or
sudo docker restart squid                      # Full restart

8. Configuring Squid to Forward All Traffic to Cloud SWG

To ensure that every client request is relayed through the Cloud SWG upstream proxy, adjust the Squid configuration as shown below.
This setup listens on port 3128, defines the Cloud SWG host as the default parent proxy, and forces all connections to be sent upstream rather than going out directly.

http_port 3128

cache_peer proxy.threatpulse.net parent 8080 0 no-query default
never_direct allow all
always_direct deny all

acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

http_access allow all

Key points of this configuration:

  • http_port 3128 – Squid listens for client requests on port 3128.
  • cache_peer – Specifies the Cloud SWG server (proxy.threatpulse.net on port 8080) as the parent proxy and sets it as the default forwarding destination.
  • never_direct / always_direct – Prevents Squid from making any direct connections, guaranteeing that all traffic is routed through the parent.
  • ACL and Access Rules – Basic security controls ensure only safe ports are allowed and HTTPS CONNECT requests are properly handled.
  • http_access allow all – Allows all client sources to use the proxy (tighten this rule in production).

With this configuration in place, every client connection handled by Squid will be transparently tunneled to Cloud SWG for inspection and policy enforcement.
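
The http_access allow all line that sections 4 and 8 both say to tighten can be checked offline before a reload. The Python sketch below is an added example, not part of Squid or of the original article: it evaluates the section 8 rules with Squid's first-match semantics and compares them with a constructed variant. The trusted ACL name, the 10.20.0.0/16 range and the sample request are placeholders, and only the src, port (single value) and method ACL types used on this page are handled.

```python
import ipaddress

# Section 8 access rules as they appear on the page.
PAGE_CONF = """
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow all
"""
# Constructed variant: "trusted" and 10.20.0.0/16 are placeholders (assumptions).
TIGHT_CONF = PAGE_CONF.replace("http_access allow all",
    "acl trusted src 10.20.0.0/16\nhttp_access allow trusted\nhttp_access deny all")

def parse(conf):
    """Collect acl definitions and the ordered http_access rules."""
    acls, rules = {"all": ("src", ["0.0.0.0/0"])}, []  # "all" is built in (IPv4 only here)
    for line in conf.splitlines():
        tok = line.split("#")[0].split()
        if tok[:1] == ["acl"] and len(tok) >= 4:
            # Repeated acl lines with the same name OR their values together.
            acls.setdefault(tok[1], (tok[2], []))[1].extend(tok[3:])
        elif tok[:1] == ["http_access"] and len(tok) >= 3:
            rules.append((tok[1], tok[2:]))
    return acls, rules

def acl_matches(acls, name, req):
    kind, values = acls[name]
    if kind == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(v) for v in values)
    if kind == "port":
        return str(req["port"]) in values  # single ports only, as on the page
    if kind == "method":
        return req["method"] in values
    raise ValueError(f"acl type {kind!r} is not handled by this sketch")

def decide(conf, req):
    """First matching http_access line wins; ACLs on one line are ANDed."""
    acls, rules = parse(conf)
    for action, names in rules:
        if all(acl_matches(acls, n.lstrip("!"), req) != n.startswith("!") for n in names):
            return action
    # No line matched: Squid applies the opposite of the last rule.
    return "deny" if not rules or rules[-1][0] == "allow" else "allow"

# Constructed request from an arbitrary internet address (documentation range).
outsider = {"src": "203.0.113.7", "port": 443, "method": "CONNECT"}
print("page rules:", decide(PAGE_CONF, outsider), "| tightened:", decide(TIGHT_CONF, outsider))
```

After replacing the final rule in /opt/squid/conf/squid.conf, run the squid -k parse and squid -k reconfigure steps from section 7 to apply it.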


Quick Reference

Action                   Command
View container logs      docker logs -f squid
Real-time access log     tail -f /opt/squid/log/access.log
Validate config syntax   docker exec squid squid -k parse
Graceful reload          docker exec squid squid -k reconfigure
