Back in 2006, or in the early days after I started this blog, I wrote about Installing Squid Cache on Windows. I think I should rewrite it because some parts of the old post are missing (back when this blog started it was hosted at WordPress.com, and when I moved to a self-hosted solution there were some errors in the import process; I have known about that for a long time but was just too lazy to rewrite it, lol). But well … what’s done is done :)
Anyway, before we begin, make sure that you have downloaded the Squid Windows Binary Package / Squid for Windows from Acmeconsulting and extracted it somewhere on your hard drive. In this post I chose to extract it to “C:\Squid” because of the hardcoded path, and besides, most people don’t like to read a long post. So if you change the Squid location, make sure to adjust the commands accordingly. And don’t worry, the actual installation process is fast. The other steps described here are optional unless you need them
And as a note, I wrote (and tested) this post on Windows 7 x64 with UAC enabled using Squid 2.7 Stable 8, and I’m pretty sure it will work with earlier versions of Windows as well. And no, you don’t need to turn off UAC, because turning UAC off isn’t a good solution
And now let’s get started
Initial Setup
The first thing you need to do is open a command prompt as Administrator (if you’re on Windows Vista or Windows 7 and have UAC enabled) and then type the commands below to copy the default configuration files and install Squid as a Windows service:
cd /d c:\squid
copy etc\*.default etc\*.
sbin\squid.exe -i
For the sake of completeness, if you choose to put squid.conf (or the entire Squid files) somewhere other than drive C, replace the last command with this one (where x is your drive letter):
sbin\squid.exe -i -f "x:/squid/etc/squid.conf"
What the above commands do:
- Change directory to your Squid directory
- Create the default configuration file for Squid which is a copy from the default configuration file
- Install Squid Cache as Windows Service so it’ll start Squid Service automatically
And now we’re going to edit the main configuration file for Squid Proxy Cache, and that is squid.conf. Obviously not everything is going to be covered here (you should go to the official Squid site for that). So I’m just going to list the recommended options you should be aware of / change
Restricting access to your Squid Proxy Server
To limit who is allowed to connect to your proxy server, change / add the IP addresses that are allowed to connect to your Squid proxy in the section below
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
Add your own network using the same format as the lines above, for example acl localnet src 123.456.789.0 (a placeholder, put your real network address there)
And then right before http_access allow localnet, add http_access allow localhost so it looks like:
http_access allow localhost
http_access allow localnet
And finally if you don’t want Squid to bind to all adapters (which is the default) you might want to change Squid Listen Address and Port to your LAN IP Address or if you’re just going to use Squid for yourself only then you should use below
# Default
http_port 3128
# Bind to localhost at port 3128 only
http_port 127.0.0.1:3128
Limiting access to specific ports only
If you need to limit which ports your Squid proxy clients are allowed to connect to, then you need to adjust this
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
For example, if you want to limit your clients to HTTP and HTTPS only, then you can remove / comment out all the other lines besides 80 and 443
Changing disk cache location and size
For better performance, it’s better to put the Squid cache directory into another partition (in other words, not your system partition) and even better on different hard drive. So find this line:
cache_dir ufs c:/squid/var/cache 100 16 256
And then change it to any directory you want, and also adjust the disk cache size to your liking, for example to put your squid cache directory at X:\squid-data\cache with a maximum capacity of 1500 MB
cache_dir ufs x:/squid-data/cache 1500 16 256
Also, it’d be better to put all Squid logs on a different partition too
Creating Squid cache data directory
Now back at the command prompt again, and this time type:
c:\squid\sbin\squid.exe -z
To create Squid Swap Directories which is used to store cached objects
Starting Squid Service
Now we need to start Squid service for the first time (the next time it’d start automatically), and there are two ways to achieve this, you are free to choose either the command prompt method or the GUI method
If you choose command prompt method then you need to type (run command prompt as administrator if you’re on vista or 7):
net start squid
If you choose the GUI way then, press Windows Key (on your keyboard) + R, and then type services.msc, search for and right click on Squid service and choose Start to start Squid Service
And that’s it you’re done Installing / Configuring Squid on Windows
But if you still want more, then please continue reading :)
Special Note: If you placed squid not at C:\Squid, make sure to change anything in squid.conf that point towards C:\ into where you put Squid
Minimal Squid Configuration Adjustment
While the default configuration included with Squid is optimal for many, sometimes you want more from your Squid installation, so we’re going to tweak several options I think are necessary. Obviously this is designed for a really small network; for other purposes or a larger network, please consult your nearest Squid experts :)
Creating custom.conf file
Create a new text file and save it as custom.conf inside your squid/etc directory, so it’ll look like c:/squid/etc/custom.conf. That way we don’t need to modify the original squid.conf directly just to override default values
And the next step would be, opening squid.conf and find this line
refresh_pattern . 0 20% 4320
and comment it (by placing #) at the beginning of the line. Then place below line at the bottom of squid.conf
include "c:/squid/etc/custom.conf"
And now paste this into the custom.conf file you just created:
#######
# ACL #
#######
# to allow purging cache from localhost only
acl PURGE method PURGE
http_access allow PURGE localhost
http_access deny PURGE
# always direct all ftp request
acl FTP proto FTP
always_direct allow FTP
########
# TUNE #
########
# enable pipeline
pipeline_prefetch on
# shutdown timeout
shutdown_lifetime 5 seconds
# no half closed
half_closed_clients off
##############
# CACHE SIZE #
##############
# maximum object size
maximum_object_size 64 MB
cache_mem 96 MB
maximum_object_size_in_memory 256 KB
###################
# REFRESH_PATTERN #
###################
# ============= #
# GENERAL USAGE #
# ============= #
# Note: This is some of the refresh_pattern i'm using, and of course feel free to adjust it to your liking
# For static files i choose to ignore-reload only as for wikipedia it's an example for site specific
# static files for websites
refresh_pattern -i \.(j|cs)s$ 10080 100% 10081
# static images
refresh_pattern -i \.(jpe?g|gif|png|bmp|ico|svg)$ 10080 100% 10081 ignore-reload
# static a/v
refresh_pattern -i \.(wm(a|v)|mp[0-9]?a?|mpe?g|avi|mk(a|v)|og(g|m)|flv|swf|rmvb|m2?ts)$ 4320 100% 4321 ignore-reload
# static archive type
refresh_pattern -i \.(exe|zip|r(ar|[0-9]+)|7z|ace|gz|tar|bz2)$ 4320 100% 4321 ignore-reload
# static document type
refresh_pattern -i \.((doc|xls|ppt)x?|pdf|txt)$ 4320 100% 4321 ignore-reload
# wikipedia
refresh_pattern -i wikipedia\.org\/wiki\/.* 4320 50% 4321 override-expire ignore-private
# =============== #
# DEFAULT PATTERN #
# =============== #
# default pattern
refresh_pattern . 0 20% 4320
########
# MISC #
########
# use specific dns server in this case google and opendns
dns_nameservers 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220
# disable htcp icp because we aren't going to use it
htcp_port 0
icp_port 0
# block displaying specific headers
header_access Via deny all
header_access X-Forwarded-For deny all
# hide version number
httpd_suppress_version_string on
# change hostname
visible_hostname Reaper-X-Cache
###########
# THE END #
###########
I believe the Squid config file already tells you on what the above directives do, but just in case:
ACL Section
There are two items here, the first one is an access rule to allow you to purge squid cache manually from the command line while the other one is for directing all ftp requests directly
And to purge your Squid Cache Object manually, you can type this at the command prompt:
c:\squid\bin\squidclient.exe -m PURGE full-url
Where full-url is replaced by the full address of the object you’re trying to purge. Here’s an example of what it’ll look like when you purge a cached object successfully (assuming it’s already cached first)
C:\squid\bin\squidclient.exe -m PURGE http://farm1.static.flickr.com/55/136797856_bb683d8f22.jpg
HTTP/1.0 200 OK
Server: squid
Date: Sun, 16 Oct 2011 06:01:48 GMT
Content-Length: 0
Expires: Sun, 16 Oct 2011 06:01:48 GMT
X-Cache: MISS from Reaper-X-Cache
X-Cache-Lookup: NONE from Reaper-X-Cache:3128
Connection: close
Note: if you want to look at what url has been cached by Squid (as long as you didn’t restart the squid process), you can type this:
c:\squid\bin\squidclient.exe mgr:objects | find /i "site url"
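Squid checks http_access lines top to bottom and stops at the first one that matches, so where a rule sits matters as much as what it says. The evaluator below is an added example (not part of the original guide and not Squid's own code) covering both the "Restricting access" rules and the PURGE rules above; it assumes the stock http_access rules, ending in http_access deny all, sit above the include line, and its sample addresses and helper names are constructed for illustration.

```python
import ipaddress

# Constructed excerpt: http_access order after following this guide, assuming
# the stock rules (ending in "deny all") sit above the include of custom.conf.
SAMPLE_CONF = """
acl all src all
acl localhost src 127.0.0.1/32
acl localnet src 10.0.0.0/8        # RFC1918 possible internal network
acl localnet src 172.16.0.0/12     # RFC1918 possible internal network
acl localnet src 192.168.0.0/16    # RFC1918 possible internal network
acl Safe_ports port 80             # http
acl Safe_ports port 443            # https
acl Safe_ports port 1025-65535     # unregistered ports
http_access deny !Safe_ports
http_access allow localhost
http_access allow localnet
http_access deny all
# custom.conf, included at the bottom of squid.conf
acl PURGE method PURGE
http_access allow PURGE localhost
http_access deny PURGE
"""


def parse(conf):
    """Collect acl definitions and http_access rules in file order."""
    acls, rules = {}, []
    for raw in conf.splitlines():
        f = raw.split("#", 1)[0].split()
        if len(f) >= 4 and f[0] == "acl":
            acls.setdefault(f[1], (f[2], []))[1].extend(f[3:])
        elif len(f) >= 3 and f[0] == "http_access":
            rules.append((f[1], f[2:]))
    return acls, rules


def acl_matches(acls, name, req):
    """Evaluate one named ACL (src, port or method only) against a request."""
    kind, values = acls[name]
    if kind == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network("0.0.0.0/0" if v == "all" else v)
                   for v in values)
    if kind == "port":
        return any(int(v.split("-")[0]) <= req["port"] <= int(v.split("-")[-1])
                   for v in values)
    if kind == "method":
        return req["method"] in values
    raise ValueError("unsupported acl type: " + kind)


def decide(acls, rules, req):
    """First http_access line whose ACLs all match wins: (action, line no.)."""
    for n, (action, names) in enumerate(rules, 1):
        if all(acl_matches(acls, a.lstrip("!"), req) != a.startswith("!")
               for a in names):
            return action, n
    # Nothing matched: Squid applies the opposite of the last rule
    return ("deny" if rules[-1][0] == "allow" else "allow"), None


def hoist_purge(rules):
    """Mitigation: put rules that mention PURGE ahead of the general allows."""
    purge = [r for r in rules if "PURGE" in r[1]]
    return purge + [r for r in rules if "PURGE" not in r[1]]


def request(src, port=80, method="GET"):
    return {"src": src, "port": port, "method": method}


ACLS, RULES = parse(SAMPLE_CONF)
```

With the rules in this order a PURGE from a LAN address is accepted by http_access allow localnet before the PURGE lines are ever reached; placing acl PURGE and its two http_access lines above http_access allow localhost in squid.conf makes the localhost-only restriction take effect.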
Cache Size Section
If you want Squid to cache larger objects then you should increase maximum_object_size from the default of 4 MB to a bigger value. And if you frequently access those objects, it’d be better to increase the memory cache options such as cache_mem and maximum_object_size_in_memory so those objects are served directly from memory. I’d suggest adjusting these values to your hardware setup to find the best configuration for you :)
Refresh Pattern Section
The refresh_pattern directive is used to fine-tune caching of a specific file type or page. In this guide I have included caching for common static content such as images, static files used by websites, audio and video, documents, and archives. Most of them use ignore-reload, so even if your client does a hard refresh Squid will still serve the static files from its cache. As for the wikipedia part, I believe you can guess what that’s used for :) Note that ignore-private on that line makes Squid store responses the server marked as private, so they can be served from the shared cache to other clients.
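refresh_pattern lines are also first-match, and the regex is tested against the whole URL, query string included. The matcher below is an added example (not from the original guide, and not Squid's own code) that parses four of the guide's patterns and shows which one a URL lands on; the sample URLs and function names are constructed for illustration.

```python
import re

# Four of the guide's refresh_pattern lines, kept in custom.conf order.
PATTERNS = r"""
refresh_pattern -i \.(j|cs)s$ 10080 100% 10081
refresh_pattern -i \.(jpe?g|gif|png|bmp|ico|svg)$ 10080 100% 10081 ignore-reload
refresh_pattern -i wikipedia\.org\/wiki\/.* 4320 50% 4321 override-expire ignore-private
refresh_pattern . 0 20% 4320
"""


def parse_patterns(text):
    """Parse 'refresh_pattern [-i] regex min percent max [options]' lines."""
    rules = []
    for line in text.splitlines():
        f = line.split()
        if not f or f[0] != "refresh_pattern":
            continue
        flags = re.I if f[1] == "-i" else 0
        f = f[2:] if flags else f[1:]
        rules.append({
            "regex": re.compile(f[0], flags),
            "min": int(f[1]),                    # minutes
            "percent": int(f[2].rstrip("%")),
            "max": int(f[3]),                    # minutes
            "options": f[4:],
        })
    return rules


def match_rule(rules, url):
    """Return the first rule whose regex matches anywhere in the URL."""
    for rule in rules:
        if rule["regex"].search(url):
            return rule
    return None


RULES = parse_patterns(PATTERNS)
```

A URL such as logo.png?v=3 does not end in .png, so the $-anchored image pattern misses it and it falls through to the default pattern; a wikipedia.org/wiki/ URL that ends in .svg is claimed by the image pattern before the wikipedia line is reached.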
Misc. Section
There are 5 items here:
dns_nameservers: This basically tells squid on what DNS server to use. So make sure to change this to your DNS Server (you can use Google public DNS, OpenDNS, Comodo Secure DNS, etc)
Disabling htcp and icp port: Since we’re not going to use this, we’re better off disabling it but if you think you’re going to use it then feel free to change it :)
header_access: By default Squid will send various HTTP headers that indicate you’re behind a proxy. Some people (including me) don’t like this, especially if you’re just in a small network
visible_hostname and httpd_suppress_version_string: While we’re at it, we might as well make a good name for our Squid cache and hide the squid version used :)
Reload Squid configuration file
Now since we’re done configuring Squid, we need to tell Squid to reload its configuration file, and to do that you need to open Command Prompt (admin mode as usual if in 7 / Vista) and then type:
c:\squid\sbin\squid.exe -k reconfigure -n Squid
And done … the next step would be configuring your browser to use your Proxy by pointing it to your [proxy server address]:[port]
But what if you want your Windows Squid server to be able to filter ads, and probably more? then please continue reading :)
Filtering Ads on Squid
There are three ways to use Ads Filtering for Squid on Windows (at least there are only three that i’m aware of, so if you know more, i’d be grateful if you could mention them here. Because i’m not sure on whether SquidGuard or DansGuardian can be used on Windows)
1. The first one is using a pre-made list of various ad servers created by http://pgl.yoyo.org/as/ and the instructions on how to use it with Squid can be found there and are straightforward
2. While the second method is by using a redirector program called adzapper that involves installing perl (well there’s a portable version too if you prefer portable perl). But you could use them both if you want. And to use it you just need to:
- Go to adzapper website and download the script, rename it to squid_redirect.pl and place it into C:\squid\etc
- Download Perl if you haven’t already. And if you’re looking for a portable version of Perl that doesn’t need to be installed, you can use Strawberry Perl. Just make sure to go to their releases archive page
- Put this line in custom.conf, our custom config file for Squid
# Make sure to change the directory to where perl.exe located
redirect_program "x:/strawberry-perl-directory/perl/bin/perl.exe" "c:/squid/etc/squid_redirect.pl"
3. And finally the third method is involving chaining Squid Proxy with Privoxy that is described below because it deserves a new section :P
Chaining Squid to other Proxy Server / Proxy Chain
This part deals with chaining Squid, which is designed to handle caching, to another proxy server designed for a specific purpose. In this case we’re going to chain Squid with Privoxy, which is going to be used for various filtering purposes. But I’m not going into much detail about Privoxy (like how to add new rules into Privoxy for example) because it’s already covered in their Documentation :)
Using Squid with Privoxy
First thing first. Put below lines in custom.conf right after the ACL section:
# don't cache privoxy config
acl privoxy-config dstdomain config.privoxy.org
cache deny privoxy-config
# forward request to privoxy
cache_peer 127.0.0.1 parent 8118 7 no-query no-digest
# force all requests to go to the proxy chain
never_direct allow all
And then if you haven’t downloaded Privoxy yet, download and extract it somewhere and then run privoxy.exe and finally reload squid configuration again and then open your browser and point your browser to http://config.privoxy.org
If you do everything correctly, you’ll see this message This is Privoxy X.Y.Z on hostname.com (127.0.0.1), port 8118, enabled
Pssst … To make editing Privoxy configuration much easier, you can use the included web-based editor (although for some items you need to edit the files directly). And to enable it, find and change enable-edit-actions to 1 in config.txt. But please read the reason on why it is disabled by default
And now we’re done with chaining Squid to Privoxy. But what if you want more? like for example chaining Squid to Privoxy and then to other proxy server or perhaps Tor or JAP? all you have to do is just put this line:
If you’re planning on chaining to Tor
# connecting to Tor
forward-socks5 / 127.0.0.1:9050 .
or if you want to connect to your local JAP setup
# for JAP
forward / 127.0.0.1:4001 .
Put it into Privoxy’s config.txt. For Tor, this forwards all requests to Tor (assuming that you have configured Tor correctly and it is running)
And that is all … I hope this post isn’t too long, but if you did read it until the end, the reason I chose to rewrite the Squid Windows Guide is because the old one looks like a total mess to me (not that the new one is not messy, but I think it’s a little bit better). Anyway, I hope you find this guide useful and that it helps you with installing Squid on Windows :)
The version updates to Squid proxy are not mentioned here. Is this guide still good for version 3.5 and above?
The backslash and slash are Linux and Windows opposites. Are they good as described in this article for the cache folder path?
Hi Reaper-X,
I can’t proceed to your website to download the software. Can you help me with where else I can download it?
Many Thanks
Godbless
Nice sharing, please help me. I want to limit my users’ bandwidth. We are a small office with limited users and limited internet bandwidth, but by the end of the month the bill would be double because of extra usage. How can this problem be overcome?
2nd one: this squid proxy used without any server.
Good guide to Squid configuration!
This is pretty helpful. Was trying to run Squid on a Linux OS (Ubuntu and Lubuntu) but too many options!
Besides, for no apparent reason the proxy service stops after a while! Couldn’t figure how.
This is a good alternative.
Good Job, Reaper-X! Looking forward to many more helpful articles from you…
Thanks and God Bless!
Thank you :)
hi…
Thank you for valuable information. Really helps a lot to chose the correct settings and also able to know new features providing by “SQUID”
For those who got “Access Denied. ”
add “acl localnet src 127.0.0.1” to the custom.conf
Reaper-X, how do I know if the caching proxy is really working?
I first visit a site, then I disable the internet and try to visit that site again, but that site didn’t show up. It showed an error. I’m using squid with privoxy.
If squid really is working, why didn’t squid show the cache version?
thank you for your useful post.
i have configured my squid following this guide and it’s working properly on my server, but my client computer is not working. i’ve set the proxy setting on the browser but it still can’t browse the web.
do you have any idea on what’s going on?
I’m sorry for the delay in response because i didn’t know there was a comment posted here. About your question, i’d suggest you to check the acl to allow access from your client ip address assuming that you’ve configured your firewall to allow incoming request to your squid server from your client
Can you do a tutorial on how to port DansGuardian content filtering to windows
How do you configure squid to authenticate local proxy users based on Windows 7/XP user list and password?
Thanks for this article, i need for chain it with privoxy.
This is a very helpful post.. but this would be better if you changed your text and bg color combination.. It made my eyes watery after reading. Just a suggestion :)
Thank you very much for your suggestion, i’ll keep that in mind when redesigning (although i’m still not sure on what color would be best, so i guess i’ll go back to black on white lol) :D
Thank you for your great tutorial. I now have squid running on my Windows Server 2008 standard edition. But I don’t know how to connect to the proxy service from my computer or other computers. I am hoping that you could tell me how to do this. I am also trying to use my server for private proxies for my clients; how do I add user names, passwords and IPs for them to use?
I figured out how to connect to squid. but I can’t find anything about creating extra IP’s for my clients to use, I know that it can be done, But I can’t find a tutorial on how to do this.
HI
great tutorial
I’m trying to use squid on windows with Radius Authentication so far no success by many tutorials and main squid faq
can you help me by some tips!!?
To the best of my knowledge, I’m thinking that Radius Authentication on Squid Windows isn’t working / broken or probably not ported yet, because I’ve tried replicating my squid configuration from Linux, which works fine (CentOS 5 with Squid 3.1 and also tested on 2.7 just to be fair), to Windows (Squid 2.7), but it keeps prompting me to insert password and username although I’ve inserted the correct user and password. Even running the squid_radius_auth.exe cli directly didn’t return anything, so I’m thinking it’s not compatible with Windows yet
Thanks for your answer. I’m trying to run RRAS and squid together in Windows; I thought maybe the port being busy by RRAS is making a problem!!
So far by testing nothing works, and with your answer I’m sure that its cli is broken. Is there any way that we can run PPTP/IPsec + HTTPS proxy with radius on any OS, Linux/Win?
You’re welcome Shahryar :) … as for your question, i’m guessing that you’re planning on using Squid as a transparent proxy from a PPTP connection . If that’s what you’re planning and you don’t need authentication as illustrated below then it can be done.
Client (Windows via PPTP) -> PPTP Server -> Squid -> Internet = Possible
but if you’re going to use it like below illustration
Client (Windows via PPTP) -> PPTP Server -> Squid -> Radius -> Internet = Not possible as you can see from official Squid docs here
WARNING: authentication can’t be used in a transparently intercepting proxy as the client then thinks it is talking to an origin server and not the proxy. This is a limitation of bending the TCP/IP protocol to transparently intercepting port 80, not a limitation in Squid.
As a note, other than client the rest is using Linux (CentOS)
OS is not important, and VPN/Proxy are two separate services and the only thing I want them to share is the Radius server; users have the option to choose whichever to use
The problem is that I can’t run VPN in Linux with radius and proxy in Windows with radius
in Centos squid3 works perfectly
in windows RRAS is perfect choice
something to complete the other half is needed
thanks for your time
Actually i’m still not sure on what you’re trying to achieve. I thought that you’re planning on running VPN (PPTP) service and proxy it to Squid. But anyway hopefully you’ll find what you’re looking for :)
I know this is a Lot to ask but can you write tutorial on running PPTP/L2TP with radius Authentication on centos?
Actually it’s available on FreeRadius wiki at this page. Just make sure to configure PopTop (link) beforehand
Thanks, very helpful.
Very good article. Easy to implement and understand. Good job.
Thank you for your kind words
Thanks for this tutor. I need some point from this, it addzap and privoxy. Again Thanks …
You’re welcome elhadiry =)
nice post…
ive used it from win XP…
BTW.. I’ve tried to use squidNt with Win 7 too… but I had a problem.. the cache place is always shown as 0 KB, which means nothing is cached by squid…
Any idea how to resolve it….???
Do you have the same problem???
ty…
Actually i wrote this on Win 7 with UAC Enabled :)
As for the cache size always being 0, I’m thinking that perhaps your problem was caused by UAC (I’m guessing that you put your cache_dir on drive C). My suggestion is to first stop the squid service if it’s running, then try changing the cache_dir to a different partition, and then run squid -z from the command prompt again to create the cache directories
thanks…now i have a cache
:)
I’ll be waiting for your other tricks and tips
You’re welcome :)
That was informative 100%, thank you. That proves how Windows needs Linux and their people to live
thanks for putting this up, was very helpful
You’re welcome raf :)
I had an error loading the custom.conf that it did not recognize header_access. I changed to request_header_access as I believe that was the intent, correct?
If you’re running squid version 3.x then the answer is yes, because request_header_access directive is for Squid 3.x series. But if you’re running squid 2.x you need to use header_access or else squid won’t start :)