Configuring Squid on Debian as both a transparent (intercepting) proxy and a regular explicit proxy, allowing users to access only whitelisted domains and IP addresses

The instructions were tested with Debian 12 and Squid 5.9

install the build dependencies

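# Build dependencies are resolved from the Debian *source* package, so the apt
# sources need a deb-src entry for this release; refresh the indexes first so
# build-dep sees it.
apt update
apt build-dep squid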

download and unpack the source code

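# Download the release into /root and unpack it. The download URL was missing
# from the original listing; supply it via SQUID_TARBALL_URL. Fail fast on a
# bad cd or HTTP error instead of unpacking whatever curl left behind, and
# verify the tarball against the detached signature the Squid project publishes
# next to it (same name with .asc) before anything is compiled from it.
cd /root || exit 1
tarball_url="${SQUID_TARBALL_URL:?set to the upstream squid-5.9.tar.gz URL}"
curl -fsSL -o squid-5.9.tar.gz "${tarball_url}" || exit 1
curl -fsSL -o squid-5.9.tar.gz.asc "${tarball_url}.asc" || exit 1
# Requires the Squid release signing key to be imported into root's keyring
# beforehand; an unverifiable signature aborts the build.
gpg --verify squid-5.9.tar.gz.asc squid-5.9.tar.gz || exit 1
tar -x -f squid-5.9.tar.gz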

compile the source code

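# Configure, build and install into /opt/squid. The steps are chained with &&
# so a failed cd does not run ./configure in /root and a failed build is never
# installed. Build first, then install, so a compile error is visible before
# anything is written under /opt/squid.
cd squid-5.9 || exit 1
./configure --prefix=/opt/squid \
  --enable-ssl-crtd \
  --with-openssl \
  --with-systemd \
  --with-default-user=proxy \
  --enable-removal-policies=lru,heap \
  && make -j"$(nproc)" \
  && make install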

create a self-signed CA certificate for SSL bumping

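# Self-signed CA that ssl-bump uses to sign the per-host certificates it
# generates. -extensions v3_ca marks it as a CA (basicConstraints CA:TRUE);
# clients that trust this certificate otherwise reject leaf certificates issued
# by a non-CA. The key is written unencrypted (-nodes) because squid must read
# it unattended; it is the trust anchor for every bumped connection, so keep it
# unreadable for anyone but root and the proxy user.
openssl req -new -newkey rsa:4096 -sha256 -days 365 -nodes -x509 -extensions v3_ca \
  -keyout /opt/squid/etc/bump.key -out /opt/squid/etc/bump.crt
chmod 600 /opt/squid/etc/bump.key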

generate DH parameters

# Diffie-Hellman parameters referenced by tls-dh= on the https_port line.
# PEM is openssl's default output format for dhparam, so -outform is omitted.
openssl dhparam -out /opt/squid/etc/dhparam.pem 2048

initialize the database for generated certificates

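# Create the parent directory and initialise a fresh certificate cache.
# -M must match the -M given to sslcrtd_program in squid.conf. mkdir -p
# tolerates a directory left over from an earlier run; the helper only runs
# when mkdir succeeded.
mkdir -p /opt/squid/var/db \
  && /opt/squid/libexec/security_file_certgen -c -s /opt/squid/var/db/ssl_db -M 512MB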

create the /opt/squid/etc/whitelisted_domains file

create the /opt/squid/etc/whitelisted_ips file

create the /opt/squid/etc/squid.conf file

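# Listening ports. squid requires a port number (http_port [ip:]port [mode] ...),
# which the original listing lacked; fill in the ports the firewall redirects
# intercepted traffic to. An explicit (non-intercept) http_port is additionally
# needed if clients are also configured to use the proxy directly.
http_port <HTTP_INTERCEPT_PORT> intercept
https_port <HTTPS_INTERCEPT_PORT> intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=512MB tls-cert=/opt/squid/etc/bump.crt tls-key=/opt/squid/etc/bump.key tls-dh=prime256v1:/opt/squid/etc/dhparam.pem
# http_port <EXPLICIT_PROXY_PORT>
append_domain .domain.lan
# Contact address shown on error pages; the original value was obfuscated.
cache_mgr <ADMIN_EMAIL>
# Do not advertise the squid version in headers and error pages.
httpd_suppress_version_string on
visible_hostname proxy.domain.lan
coredump_dir /opt/squid/var/spool
# Memory-only cache: no cache_dir is configured.
cache_mem 2048 MB
maximum_object_size_in_memory 50 MB
memory_replacement_policy heap LFUDA
maximum_object_size 50 MB
cache_replacement_policy heap LFUDA
refresh_pattern . 0 20% 4320
logfile_rotate 0
sleep_after_fork 100000
netdb_filename none


# Whitelists, one entry per line. The paths must match the files created
# above (whitelisted_domains / whitelisted_ips); squid will not start if an
# ACL file cannot be read. _exp matches explicit/plain requests by Host,
# _trans matches intercepted TLS by SNI before the connection is bumped.
acl whitelist_domains_exp dstdomain "/opt/squid/etc/whitelisted_domains"
acl whitelist_domains_trans ssl::server_name "/opt/squid/etc/whitelisted_domains"
acl whitelist_ips dst "/opt/squid/etc/whitelisted_ips"
acl step1 at_step SslBump1
acl ssl_connections connections_encrypted


# Peek at the ClientHello first, bump only whitelisted SNI names or IPs, and
# terminate everything else so no non-whitelisted TLS traffic is relayed.
sslcrtd_program /opt/squid/libexec/security_file_certgen -s /opt/squid/var/db/ssl_db -M 512MB
ssl_bump peek step1 all
ssl_bump bump whitelist_domains_trans
ssl_bump bump whitelist_ips
ssl_bump terminate all


# Let squid fetch missing intermediate certificates while validating servers.
acl intermediate_fetching transaction_initiator certificate-fetching
http_access allow intermediate_fetching

http_access allow whitelist_domains_exp
http_access allow whitelist_ips
# Requests inside bumped connections are allowed here; the SNI was already
# checked by ssl_bump above. NOTE(review): this does not re-check the inner
# Host header against the domain whitelist, so a server that hosts a
# whitelisted and a non-whitelisted name on the same IP can be reached under
# either; "http_access allow whitelist_domains_exp ssl_connections" would
# tighten this if that matters for the deployment — verify before changing.
http_access allow ssl_connections

http_access deny all


# An access line must name at least one ACL; the original "allow" had none.
http_reply_access allow all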

change ownership of files and folders

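# Least privilege: the proxy user only needs to write under var/ (certificate
# DB, logs, cache, coredumps) and to read the bump key. Handing it the whole
# /opt/squid tree would let a compromised proxy process rewrite its own
# binaries and squid.conf; keep those root-owned.
chown -R proxy:proxy /opt/squid/var
chown root:proxy /opt/squid/etc/bump.key
chmod 640 /opt/squid/etc/bump.key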

create the /usr/lib/systemd/system/squid.service file

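# Section headers were missing from the original listing; systemd rejects a
# unit file without them.
[Unit]
Description=Squid Web Proxy Server
After=network-online.target nss-lookup.target
Wants=network-online.target

[Service]
# squid is built --with-systemd above, so it reports readiness via sd_notify;
# NotifyAccess=all lets the forked kid processes do so as well.
Type=notify
NotifyAccess=all
# -z creates missing cache/swap directories before the first start
ExecStartPre=/opt/squid/sbin/squid --foreground -z
ExecStart=/opt/squid/sbin/squid --foreground -sYC
ExecReload=/bin/kill -HUP $MAINPID
KillMode=mixed

[Install]
WantedBy=multi-user.target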


start the service

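# systemd only picks up a newly written unit file after a daemon-reload;
# enable --now starts the proxy immediately and at every boot.
systemctl daemon-reload
systemctl enable --now squid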

configure a firewall to redirect unencrypted (80/TCP) and encrypted (443/TCP) client traffic to Squid's http_port and https_port intercept ports respectively
