{"id":628,"date":"2025-09-19T14:36:29","date_gmt":"2025-09-19T09:06:29","guid":{"rendered":"https:\/\/vvcares.com\/blog\/?p=628"},"modified":"2025-10-22T20:30:04","modified_gmt":"2025-10-22T15:00:04","slug":"squid-with-squidguard","status":"publish","type":"post","link":"https:\/\/vvcares.com\/blog\/squid-with-squidguard\/","title":{"rendered":"Squid + SquidGuard Installing on Ubuntu"},"content":{"rendered":"\r\n<h2 class=\"wp-block-heading\">1. What are we installing?<\/h2>\r\n\r\n\r\n\r\n<figure class=\"wp-block-table\">\r\n<table class=\"has-fixed-layout\">\r\n<thead>\r\n<tr>\r\n<th>Component<\/th>\r\n<th>Purpose<\/th>\r\n<th>License<\/th>\r\n<\/tr>\r\n<\/thead>\r\n<tbody>\r\n<tr>\r\n<td><strong>Squid<\/strong><\/td>\r\n<td>Open\u2011source HTTP\/HTTPS proxy and caching server<\/td>\r\n<td>GNU GPL v2 (open-source)<\/td>\r\n<\/tr>\r\n<tr>\r\n<td><strong>SquidGuard<\/strong><\/td>\r\n<td>URL filtering &amp; blacklist engine that runs in front of Squid<\/td>\r\n<td>GNU GPL v2 (open-source<\/td>\r\n<\/tr>\r\n<\/tbody>\r\n<\/table>\r\n<\/figure>\r\n\r\n\r\n\r\n<p>Together they give you a <a href=\"https:\/\/www.squid-cache.org\"><em>proxy<\/em> <\/a>that can protect your webtraffic from your PC access to dangerous websites.<\/p>\r\n\r\n\r\n<hr class=\"wp-block-separator has-alpha-channel-opacity\" \/>\r\n\r\n\r\n<h2 class=\"wp-block-heading\">2. Quick FAQ<\/h2>\r\n\r\n\r\n\r\n<figure class=\"wp-block-table\">\r\n<table class=\"has-fixed-layout\">\r\n<thead>\r\n<tr>\r\n<th>Question<\/th>\r\n<th>Answer<\/th>\r\n<\/tr>\r\n<\/thead>\r\n<tbody>\r\n<tr>\r\n<td><strong>How much does it cost?<\/strong><\/td>\r\n<td>Both packages are free (open\u2011source). Commercial support can be purchased from vendors, but the software itself costs nothing.<\/td>\r\n<\/tr>\r\n<tr>\r\n<td><strong>Is a firewall required?<\/strong><\/td>\r\n<td>No, SquidGuard does not replace a firewall. It works on top of Squid (a forward proxy). You still need a firewall (UFW, iptables, etc.) to limit who can reach the proxy.<\/td>\r\n<\/tr>\r\n<tr>\r\n<td><strong>What\u2019s the main benefit of SquidGuard?<\/strong><\/td>\r\n<td>URL filtering, content\u2011based blocking, parental controls, bandwidth savings, and the ability to create whitelists\/blacklists that apply to all users behind the proxy.<\/td>\r\n<\/tr>\r\n<\/tbody>\r\n<\/table>\r\n<\/figure>\r\n\r\n\r\n<hr class=\"wp-block-separator has-alpha-channel-opacity\" \/>\r\n\r\n\r\n<h2 class=\"wp-block-heading\">3. Prerequisites<\/h2>\r\n\r\n\r\n\r\n<ul class=\"wp-block-list\">\r\n<li>Ubuntu 20.04 LTS or newer (the steps work on 22.04\/24.04 as well)<\/li>\r\n\r\n\r\n\r\n<li>A user with <code>sudo<\/code> privileges<\/li>\r\n\r\n\r\n\r\n<li>A machine that will act as the proxy (can be a router, a dedicated VM, or a desktop)<\/li>\r\n<\/ul>\r\n\r\n\r\n\r\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\r\n<p><strong>Tip:<\/strong> Keep the system updated before you start.<\/p>\r\n\r\n\r\n\r\n<pre class=\"wp-block-code\"><code>sudo apt update &amp;&amp; sudo apt upgrade -y<\/code><\/pre>\r\n<\/blockquote>\r\n\r\n\r\n<hr class=\"wp-block-separator has-alpha-channel-opacity\" \/>\r\n\r\n\r\n<h2 class=\"wp-block-heading\">4. Installation<\/h2>\r\n\r\n\r\n\r\n<h3 class=\"wp-block-heading\">4.1 Install Squid<\/h3>\r\n\r\n\r\n\r\n<pre class=\"wp-block-code\"><code>sudo apt install squid -y<\/code><\/pre>\r\n\r\n\r\n\r\n<p><em>Default config file:<\/em> <code>\/etc\/squid\/squid.conf<\/code><\/p>\r\n\r\n\r\n\r\n<h3 class=\"wp-block-heading\">4.2 Install SquidGuard<\/h3>\r\n\r\n\r\n\r\n<pre class=\"wp-block-code\"><code>sudo apt install squidguard -y<\/code><\/pre>\r\n\r\n\r\n\r\n<p><em>Default config file:<\/em> <code>\/etc\/squidguard\/squidGuard.conf<\/code><\/p>\r\n\r\n\r\n\r\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\r\n<p>On Ubuntu the SquidGuard package comes with a <em>pre\u2011built<\/em> configuration that works out of the box for most use\u2011cases.<br \/>However, you\u2019ll want to tweak it for your own domain names, IP ranges, and blacklist sources.<\/p>\r\n<\/blockquote>\r\n\r\n\r\n<hr class=\"wp-block-separator has-alpha-channel-opacity\" \/>\r\n\r\n\r\n<h2 class=\"wp-block-heading\">5. Basic Configuration<\/h2>\r\n\r\n\r\n\r\n<h3 class=\"wp-block-heading\">5.1 Squid \u2013 Listening on Port 3128<\/h3>\r\n\r\n\r\n\r\n<p>Open <code>\/etc\/squid\/squid.conf<\/code> and ensure the following:<\/p>\r\n\r\n\r\n\r\n<pre class=\"wp-block-code\"><code>http_port 3128<\/code><\/pre>\r\n\r\n\r\n\r\n<p>If you want to restrict access to your LAN only, add:<\/p>\r\n\r\n\r\n\r\n<pre class=\"wp-block-code\"><code>acl localnet src 192.168.0.0\/16   # adjust to your network\r\nhttp_access allow localnet\r\nhttp_access deny all<\/code><\/pre>\r\n\r\n\r\n\r\n<h3 class=\"wp-block-heading\">5.2 SquidGuard \u2013 Set the Database Directories<\/h3>\r\n\r\n\r\n\r\n<p>Edit <code>\/etc\/squidguard\/squidGuard.conf<\/code>:<\/p>\r\n\r\n\r\n\r\n<pre class=\"wp-block-code\"><code>dbroot       \/var\/lib\/squidguard\r\nlogroot      \/var\/log\/squidguard\r\nBlacklist    \/etc\/squidguard\/blacklists\r\nWhitelist    \/etc\/squidguard\/whitelists<\/code><\/pre>\r\n\r\n\r\n\r\n<p>Create the directories:<\/p>\r\n\r\n\r\n\r\n<pre class=\"wp-block-code\"><code>sudo mkdir -p \/etc\/squidguard\/blacklists\r\nsudo mkdir -p \/etc\/squidguard\/whitelists<\/code><\/pre>\r\n\r\n\r\n\r\n<h3 class=\"wp-block-heading\">5.3 Create a Simple Blacklist<\/h3>\r\n\r\n\r\n\r\n<p>Create <code>\/etc\/squidguard\/blacklists\/exceptions<\/code>:<\/p>\r\n\r\n\r\n\r\n<pre class=\"wp-block-code\"><code># Example\r\nadultporn.com\r\nexample.com<\/code><\/pre>\r\n\r\n\r\n\r\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\r\n<p>The file names are <em>categories<\/em>. SquidGuard can combine many categories in a single ACL.<\/p>\r\n<\/blockquote>\r\n\r\n\r\n\r\n<h3 class=\"wp-block-heading\">5.4 Tell Squid to Use SquidGuard<\/h3>\r\n\r\n\r\n\r\n<p>In <code>squid.conf<\/code> add the ACL and the <code>url_rewrite_program<\/code> line:<\/p>\r\n\r\n\r\n\r\n<pre class=\"wp-block-code\"><code>acl blocked_site dstdomain \"\/etc\/squidguard\/blacklists\/exceptions\"\r\nurl_rewrite_program \/usr\/lib\/squid\/squidGuard -c \/etc\/squidguard\/squidGuard.conf\r\nurl_rewrite_access deny blocked_site<\/code><\/pre>\r\n\r\n\r\n\r\n<h3 class=\"wp-block-heading\">5.5 Restart Services<\/h3>\r\n\r\n\r\n\r\n<pre class=\"wp-block-code\"><code>sudo systemctl restart squid\r\nsudo systemctl restart squidguard<\/code><\/pre>\r\n\r\n\r\n<hr class=\"wp-block-separator has-alpha-channel-opacity\" \/>\r\n\r\n\r\n<h2 class=\"wp-block-heading\">6. Verify the Setup<\/h2>\r\n\r\n\r\n\r\n<ol class=\"wp-block-list\">\r\n<li><strong>Check Squid\u2019s status<\/strong><\/li>\r\n<\/ol>\r\n\r\n\r\n\r\n<pre class=\"wp-block-code\"><code>   sudo systemctl status squid<\/code><\/pre>\r\n\r\n\r\n\r\n<ol class=\"wp-block-list\" start=\"2\">\r\n<li><strong>Test from a client within the LAN<\/strong><\/li>\r\n<\/ol>\r\n\r\n\r\n\r\n<ul class=\"wp-block-list\">\r\n<li>Point the browser\u2019s proxy settings to <code>IP_of_proxy:3128<\/code>.<\/li>\r\n\r\n\r\n\r\n<li>Try visiting <code>adultporn.com<\/code> \u2192 should be blocked.<\/li>\r\n\r\n\r\n\r\n<li>Visit <code>example.com<\/code> \u2192 should be allowed.<\/li>\r\n<\/ul>\r\n\r\n\r\n\r\n<ol class=\"wp-block-list\" start=\"2\">\r\n<li><strong>Check logs<\/strong><\/li>\r\n<\/ol>\r\n\r\n\r\n\r\n<pre class=\"wp-block-code\"><code>   sudo tail -f \/var\/log\/squid\/access.log\r\n   sudo tail -f \/var\/log\/squidguard\/urls.log<\/code><\/pre>\r\n\r\n\r\n<hr class=\"wp-block-separator has-alpha-channel-opacity\" \/>\r\n\r\n\r\n<h2 class=\"wp-block-heading\">7. Firewall (UFW) \u2013 Allow Only Trusted Clients<\/h2>\r\n\r\n\r\n\r\n<pre class=\"wp-block-code\"><code>sudo ufw allow from 192.168.0.0\/16 to any port 3128\r\nsudo ufw enable<\/code><\/pre>\r\n\r\n\r\n\r\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\r\n<p>Adjust the subnet (<code>192.168.0.0\/16<\/code>) to match your LAN.<\/p>\r\n<\/blockquote>\r\n\r\n\r\n<hr class=\"wp-block-separator has-alpha-channel-opacity\" \/>\r\n\r\n\r\n<h2 class=\"wp-block-heading\">8. Advanced Tips<\/h2>\r\n\r\n\r\n\r\n<figure class=\"wp-block-table\">\r\n<table class=\"has-fixed-layout\">\r\n<thead>\r\n<tr>\r\n<th>Topic<\/th>\r\n<th>How to Do It<\/th>\r\n<\/tr>\r\n<\/thead>\r\n<tbody>\r\n<tr>\r\n<td><strong>Automatic Blacklist Updates<\/strong><\/td>\r\n<td>Use <code>squidguard-update<\/code> which pulls daily lists from sites like <code>http:\/\/www.squidguard.com<\/code> or <code>https:\/\/www.malwarebytes.com<\/code>.<\/td>\r\n<\/tr>\r\n<tr>\r\n<td><strong>Whitelist<\/strong><\/td>\r\n<td>Create <code>\/etc\/squidguard\/whitelists\/allowed<\/code> and define domains that should bypass the blacklist.<\/td>\r\n<\/tr>\r\n<tr>\r\n<td><strong>Custom Categories<\/strong><\/td>\r\n<td>Define more files under <code>\/etc\/squidguard\/blacklists\/<\/code> (e.g., <code>social<\/code>, <code>video<\/code>) and reference them in Squid ACLs.<\/td>\r\n<\/tr>\r\n<tr>\r\n<td><strong>HTTPS (SSL) Filtering<\/strong><\/td>\r\n<td>Requires <code>ssl-bump<\/code> in Squid and a self\u2011signed proxy cert. SquidGuard can\u2019t inspect the SSL handshake, so you\u2019ll need to use Squid\u2019s own blocking rules for HTTPS.<\/td>\r\n<\/tr>\r\n<tr>\r\n<td><strong>Multi\u2011Site Proxy<\/strong><\/td>\r\n<td>Set <code>http_port 3128<\/code> + <code>http_port 8080<\/code> to expose different interfaces.<\/td>\r\n<\/tr>\r\n<tr>\r\n<td><strong>Performance<\/strong><\/td>\r\n<td>Tweak <code>cache_mem<\/code>, <code>maximum_object_size_in_memory<\/code>, and <code>maximum_object_size<\/code> in <code>squid.conf<\/code> for your traffic profile.<\/td>\r\n<\/tr>\r\n<\/tbody>\r\n<\/table>\r\n<\/figure>\r\n\r\n\r\n<hr class=\"wp-block-separator has-alpha-channel-opacity\" \/>\r\n\r\n\r\n<h2 class=\"wp-block-heading\">9. Licensing &amp; Cost Recap<\/h2>\r\n\r\n\r\n\r\n<figure class=\"wp-block-table\">\r\n<table class=\"has-fixed-layout\">\r\n<thead>\r\n<tr>\r\n<th>Component<\/th>\r\n<th>License<\/th>\r\n<th>Commercial Support<\/th>\r\n<\/tr>\r\n<\/thead>\r\n<tbody>\r\n<tr>\r\n<td>Squid<\/td>\r\n<td>GPL\u202fv2<\/td>\r\n<td>Available from vendors like Squidware, Cisco, or via community support.<\/td>\r\n<\/tr>\r\n<tr>\r\n<td>SquidGuard<\/td>\r\n<td>GPL\u202fv2<\/td>\r\n<td>Same as Squid; there are not many commercial editions, but you can hire a sysadmin for setup.<\/td>\r\n<\/tr>\r\n<\/tbody>\r\n<\/table>\r\n<\/figure>\r\n\r\n\r\n\r\n<p><strong>Bottom line:<\/strong> The software is <em>free<\/em>. You only pay for hardware or paid support if you need it.<\/p>\r\n\r\n\r\n<hr class=\"wp-block-separator has-alpha-channel-opacity\" \/>\r\n\r\n\r\n<h2 class=\"wp-block-heading\">10. Resources<\/h2>\r\n\r\n\r\n\r\n<ul class=\"wp-block-list\">\r\n<li><strong>Official Docs<\/strong><\/li>\r\n\r\n\r\n\r\n<li>Squid: <a href=\"https:\/\/wiki.squid-cache.org\/ConfigExamples\/Reverse\/BasicAccelerator\">https:\/\/wiki.squid-cache.org\/ConfigExamples\/BasicConfiguration<\/a><\/li>\r\n\r\n\r\n\r\n<li>Reff : <a href=\"https:\/\/en.wikipedia.org\/wiki\/SquidGuard\">https:\/\/en.wikipedia.org\/wiki\/SquidGuard<\/a><\/li>\r\n\r\n\r\n\r\n<li><strong>Community Forums<\/strong><\/li>\r\n\r\n\r\n\r\n<li>Ubuntu Forums \u2013 Squid section<\/li>\r\n\r\n\r\n\r\n<li>Reddit r\/networking<\/li>\r\n<li><strong>Hosts Blacklists<\/strong><\/li>\r\n\r\n\r\n\r\n\r\n\r\n<li><a href=\"https:\/\/github.com\/Ultimate-Hosts-Blacklist\/Ultimate.Hosts.Blacklist\">https:\/\/github.com\/Ultimate-Hosts-Blacklist\/<\/a><\/li>\r\n\r\n\r\n\r\n<li><strong>UFW Cheat Sheet<\/strong><\/li>\r\n\r\n\r\n\r\n<li>https:\/\/help.ubuntu.com\/community\/UFW<\/li>\r\n<\/ul>\r\n\r\n\r\n<hr class=\"wp-block-separator has-alpha-channel-opacity\" \/>\r\n\r\n\r\n<h3 class=\"wp-block-heading\">TL;DR<\/h3>\r\n\r\n\r\n\r\n<ol class=\"wp-block-list\">\r\n<li><code>sudo apt install squid squidguard<\/code><\/li>\r\n\r\n\r\n\r\n<li>Configure <code>squid.conf<\/code> (port, ACLs)<\/li>\r\n\r\n\r\n\r\n<li>Create a simple blacklist in <code>\/etc\/squidguard\/blacklists\/<\/code><\/li>\r\n\r\n\r\n\r\n<li>Tell Squid to use SquidGuard (<code>url_rewrite_program<\/code>).<\/li>\r\n\r\n\r\n\r\n<li>Restart services.<\/li>\r\n\r\n\r\n\r\n<li>Open firewall port 3128 for your LAN.<\/li>\r\n\r\n\r\n\r\n<li>Test from a client.<\/li>\r\n<\/ol>\r\n\r\n\r\n\r\n<p>That\u2019s it! You now have a working Squid proxy with URL filtering powered by SquidGuard, all for free. Happy filtering!<\/p>\r\n","protected":false},"excerpt":{"rendered":"<p>1. What are we installing? Component Purpose License Squid Open\u2011source HTTP\/HTTPS proxy and caching server GNU GPL v2 (open-source) SquidGuard URL filtering &amp; blacklist engine that runs in front of Squid GNU GPL v2 (open-source Together they give you a proxy that can protect your webtraffic from your PC access to dangerous websites. 2. Quick [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,1,4,22],"tags":[9,8,24,10,7],"class_list":["post-628","post","type-post","status-publish","format-standard","hentry","category-linux-ubuntu","category-servers","category-softwares","category-vpn-servers","tag-linux","tag-pihole","tag-servers","tag-ubuntu","tag-vpn"],"_links":{"self":[{"href":"https:\/\/vvcares.com\/blog\/wp-json\/wp\/v2\/posts\/628","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/vvcares.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/vvcares.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/vvcares.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/vvcares.com\/blog\/wp-json\/wp\/v2\/comments?post=628"}],"version-history":[{"count":8,"href":"https:\/\/vvcares.com\/blog\/wp-json\/wp\/v2\/posts\/628\/revisions"}],"predecessor-version":[{"id":736,"href":"https:\/\/vvcares.com\/blog\/wp-json\/wp\/v2\/posts\/628\/revisions\/736"}],"wp:attachment":[{"href":"https:\/\/vvcares.com\/blog\/wp-json\/wp\/v2\/media?parent=628"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/vvcares.com\/blog\/wp-json\/wp\/v2\/categories?post=628"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/vvcares.com\/blog\/wp-json\/wp\/v2\/tags?post=628"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}