# Squid Web Proxy — zet.home.arpa

Caching web proxy with content filtering for children's devices on the LAN.

## Overview

| Field | Value |
|-------|-------|
| **Package** | `squid` (Ubuntu) |
| **Version** | Squid 6.14 |
| **Config** | `/etc/squid/squid.conf` |
| **Port** | 3128/tcp |
| **Cache directory** | `/var/spool/squid` (2 GB, UFS) |
| **Access log** | `/var/log/squid/access.log` |

## How It Works

Squid runs as a standard forward proxy. pfSense intercepts HTTP traffic from the children's device IPs and redirects port 80 to `172.27.0.35:3128` via a NAT port-forward (see [../PROXY-SETUP.md](../PROXY-SETUP.md) for the pfSense setup).

```
Child device → pfSense NAT (port 80 → 172.27.0.35:3128) → Squid → Internet
```

## Configuration (`/etc/squid/squid.conf`)

```
http_port 3128

# ACLs
acl children src "/etc/squid/children.txt"
acl blocked_sites dstdomain "/etc/squid/blocked_sites.txt"
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl CONNECT method CONNECT
acl allowed_hosts src 172.27.0.0/24

# Access rules (first match wins; the deny for children must precede the LAN allow)
http_access deny blocked_sites children
http_access deny !Safe_ports
http_access allow allowed_hosts

# Cache: 2048 MB on disk, 16 first-level and 256 second-level subdirectories
cache_dir ufs /var/spool/squid 2048 16 256
cache_mem 512 MB
maximum_object_size_in_memory 1 MB
maximum_object_size 128 MB
minimum_object_size 0 KB

# Refresh patterns: <regex> <min minutes> <percent> <max minutes>
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$ 10080 90% 43200
refresh_pattern -i \.(css|js)$ 1440 90% 10080
refresh_pattern . 0 20% 4320

pipeline_prefetch 1
collapsed_forwarding on
```

## ACL Files

### `/etc/squid/children.txt` — devices subject to content filtering

Contains one IP per line for children's devices on the `172.27.0.0/24` network.

### `/etc/squid/blocked_sites.txt` — blocked domains

Domains blocked for children (partial list; the file itself holds one domain per line, and the leading dot makes `dstdomain` match the domain and all of its subdomains):

```
.facebook.com / .fb.com / .instagram.com / .snapchat.com / .tiktok.com
.x.com / .twitter.com / .reddit.com / .redditmedia.com / .redditstatic.com
.pinterest.com / .youtube.com / .youtu.be / .googlevideo.com
.twitch.tv / .vimeo.com / .dailymotion.com
.netflix.com / .hulu.com / .disneyplus.com
```

## Service Management

```bash
sudo systemctl status squid
sudo systemctl restart squid
sudo systemctl reload squid     # reload config without dropping connections
sudo squid -k parse             # validate squid.conf syntax

# Watch live traffic
sudo tail -f /var/log/squid/access.log

# Check cache stats
sudo squidclient -h 127.0.0.1 mgr:info
```

## Adding/Removing Children's IPs

Edit `/etc/squid/children.txt` — one IP per line, then reload:

```bash
sudo nano /etc/squid/children.txt
sudo systemctl reload squid
```

## Limitations

- Only plain **HTTP (port 80)** is intercepted. HTTPS (port 443) is not filtered.
- Filtering HTTPS would require SSL bump (TLS interception) with a custom CA installed on every client device, which is significantly more complex.
- See [../PROXY-SETUP.md](../PROXY-SETUP.md) for the pfSense NAT configuration.

## Migration Notes

To move Squid to a new server:

1. Install: `sudo apt install squid`
2. Copy `/etc/squid/squid.conf`, `children.txt`, `blocked_sites.txt`
3. Initialize the cache: `sudo squid -z`
4. Start: `sudo systemctl enable --now squid`
5. Update the pfSense NAT rule redirect target to the new server IP
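## Verifying the Filter from the Access Log

An added example, not part of this page or of Squid: a Python check that reads `access.log` lines in Squid's default native format and verifies the policy above, that every request from a `children.txt` IP to a `blocked_sites.txt` domain is logged as `TCP_DENIED`, and that nothing outside `172.27.0.0/24` is allowed through. The IPs, domains and log lines below are constructed, not copied from the server.

```python
"""Audit Squid access.log against the children.txt / blocked_sites.txt policy.

Added example, not part of the wiki page or of Squid. It parses Squid's native
access.log format and reports children's requests to blocked domains that were
NOT denied (filter bypassed) and clients outside 172.27.0.0/24 that got through.
"""
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

LAN = ip_network("172.27.0.0/24")                         # acl allowed_hosts
CHILDREN = {"172.27.0.101", "172.27.0.102"}               # children.txt (constructed)
BLOCKED = {".youtube.com", ".tiktok.com", ".reddit.com"}  # subset of blocked_sites.txt

# Constructed sample lines in Squid's native log format:
# timestamp elapsed client action/status bytes method URL ident hierarchy/from type
SAMPLE_LOG = """\
1700000000.101     45 172.27.0.101 TCP_DENIED/403 3821 GET http://www.youtube.com/ - HIER_NONE/- text/html
1700000000.202    130 172.27.0.101 TCP_MISS/200 5120 GET http://example.com/ - HIER_DIRECT/192.0.2.10 text/html
1700000000.303     60 172.27.0.102 TCP_MISS/200 9000 GET http://m.tiktok.com/feed - HIER_DIRECT/192.0.2.20 text/html
1700000000.404     20 172.27.0.50 TCP_HIT/200 2048 GET http://www.reddit.com/ - HIER_NONE/- text/html
1700000000.505     15 10.9.8.7 TCP_MISS/200 700 GET http://example.org/ - HIER_DIRECT/192.0.2.30 text/html
"""


def parse_line(line):
    """Return (client_ip, squid_action, destination_host) for one native-format line."""
    fields = line.split()
    action = fields[3].split("/")[0]                   # TCP_DENIED from TCP_DENIED/403
    host = (urlsplit(fields[6]).hostname or "").lower()
    return fields[2], action, host


def dstdomain_match(host, patterns):
    """Mimic Squid's dstdomain ACL: '.example.com' matches the domain and all subdomains."""
    return any(host == p.lstrip(".") or (p.startswith(".") and host.endswith(p))
               for p in map(str.lower, patterns))


def audit(log_text, children=CHILDREN, blocked=BLOCKED, lan=LAN):
    """Return (bypasses, foreign_allowed, denied_count) for the given log text."""
    bypasses, foreign, denied = [], [], 0
    for line in filter(None, log_text.splitlines()):
        client, action, host = parse_line(line)
        if client in children and dstdomain_match(host, blocked):
            if action == "TCP_DENIED":
                denied += 1
            else:                                      # child reached a blocked domain
                bypasses.append((client, host, action))
        if ip_address(client) not in lan and action != "TCP_DENIED":
            foreign.append((client, host))             # allowed_hosts did not stop it
    return bypasses, foreign, denied
```

Run it on the real file with `audit(open("/var/log/squid/access.log").read())`; the field positions assume the default native log format, so a custom `logformat` would need `parse_line` adjusted. The non-child LAN host reaching reddit in the sample is deliberately not flagged, since the `blocked_sites` rule applies only to `children`.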