Configuring the Squid Package as a Transparent HTTP Proxy

This How-To describes how to install and configure Squid as a transparent proxy on pfSense.

Install the Package

First, install the Squid package.

  1. Click System > Package Manager
  2. Click Available Packages
  3. Enter squid in the search bar and click Search, or scroll down until the squid package listing is visible
  4. Click the install button on the far right
  5. Click Confirm when prompted (“Confirmation Required to install package pfSense-pkg-squid”)
  6. Wait for the installer to download, install, and do post-install tasks for squid, such as creating the cache directories.

Configure the Squid Package

After the installation has finished, the Squid proxy server may be configured.

  1. Click on the Local Cache tab.
    1. Hard disk cache size (in MB): Set this as needed, but keep it a reasonable size. 3000 (3 GB) may be a good place to start.
    2. Hard disk cache location: Should be /var/squid/cache but may be moved if needed.
    3. Memory cache size: The amount of RAM that squid should claim for caching. Use as much as can be spared, as this is much faster than caching to disk. It should not exceed 50% of the installed RAM, however.
    4. Hard disk cache location: The directory where the cache will be stored. If using a non-default location, enter it here.
    5. Minimum object size: Can be left at 0 to cache everything, but may be raised if small objects are not desired in the cache.
    6. Maximum object size: Objects larger than this setting will not be saved on disk. If speed is more desirable than saving bandwidth, this should be set to a low value.
    7. Do Not Cache: Set a list of domains that should never be cached. This may also be left blank.
    8. Click Save.
  2. Click on Services > Squid Proxy Server
  3. Set the options on the General tab as desired.
    1. Proxy Interface(s): Select which interface(s) the proxy will listen on. LAN is probably the desired setting.
    2. Allow users on interface: If this is checked, the subnets for the interfaces selected in the last step will automatically have access. There will be no need to add them on the Access Control tab.
    3. Transparent Proxy: Check this to have pfSense automatically redirect outbound HTTP (tcp/80) traffic through the proxy.
    4. Enabled logging: Check this if logging is needed, and be sure to enter a path in the following box.
    5. Log Store Directory: Should be /var/squid/log unless another location is absolutely necessary.
    6. Proxy Port: Leave this as 3128. There is no need to change the port number for the transparent proxy to work.
    7. The remaining settings may be left at their defaults, or changed if desired. It is likely best to leave them alone until the proxy is operational and tested.
    8. Click Save.
  4. Click on the ACLs tab (optional for most)
    1. If any other subnets will pass through the proxy aside from the subnet for the interface squid is using, enter them here.
    2. Click Save.

That’s it! Squid should be up and running. The status of the squid proxy can be checked by clicking Status > Services.
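With logging enabled, the access log shows whether LAN clients are really passing through the proxy and whether any are being refused. The script below is an added example, not part of the pfSense package or its documentation; it assumes Squid's default native log format and a file named access.log in the Log Store Directory, and its sample lines are constructed.

```python
"""Summarize a Squid access log to confirm LAN clients are being proxied."""
import os
from collections import defaultdict

# Assumption: access.log inside the Log Store Directory from the General tab.
LOG_PATH = "/var/squid/log/access.log"

# Constructed sample lines in Squid's native log format:
# time elapsed client result/status bytes method URL user hierarchy/peer type
SAMPLE = """\
1700000000.101    120 192.168.1.10 TCP_MISS/200 5120 GET http://example.com/ - ORIGINAL_DST/93.184.216.34 text/html
1700000001.202      2 192.168.1.10 TCP_MEM_HIT/200 5120 GET http://example.com/ - HIER_NONE/- text/html
1700000002.303     95 192.168.1.22 TCP_MISS/304 310 GET http://example.org/a.css - ORIGINAL_DST/93.184.216.34 text/css
1700000003.404      0 192.168.1.22 TCP_DENIED/403 3900 GET http://example.net/ - HIER_NONE/- text/html
this line is truncated
"""


def summarize(lines):
    """Return {client_ip: counters}; malformed lines are skipped."""
    stats = defaultdict(lambda: {"requests": 0, "hits": 0, "denied": 0, "bytes": 0})
    for line in lines:
        fields = line.split()
        # Native format has 10 fields; field 3 is RESULT/HTTP_STATUS.
        if len(fields) < 10 or "/" not in fields[3] or not fields[4].isdigit():
            continue
        result = fields[3].split("/", 1)[0]
        entry = stats[fields[2]]
        entry["requests"] += 1
        entry["bytes"] += int(fields[4])
        if "HIT" in result:        # TCP_HIT, TCP_MEM_HIT, ...
            entry["hits"] += 1
        if "DENIED" in result:     # may mean the client's subnet is not allowed
            entry["denied"] += 1
    return dict(stats)


def hit_ratio(stats):
    """Fraction of all logged requests answered from the cache."""
    total = sum(s["requests"] for s in stats.values())
    return sum(s["hits"] for s in stats.values()) / total if total else 0.0


if __name__ == "__main__":
    exists = os.path.exists(LOG_PATH)
    source = open(LOG_PATH, errors="replace") if exists else SAMPLE.splitlines()
    stats = summarize(source)
    for client, counters in sorted(stats.items()):
        print(client, counters)
    print("overall hit ratio: %.0f%%" % (100 * hit_ratio(stats)))
```

A client that is expected on the LAN but absent from the output is not reaching the proxy, and a client with a high denied count is a candidate for the ACLs tab check described above.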

Also available are:

  • Lightsquid package to view web access reports from the squid log.
  • squidGuard package for those who wish to have more fine-grained control over what web resources may be viewed by clients.
  • Squid Package Tuning