- Server overview (README.md) with services, storage, and network summary
- Storage layout with disk/fstab/mount details (storage.md)
- Service docs: Samba, NFS, Squid, Pi-hole (with DHCP/split-DNS notes)
- Let's Encrypt cert via acme.sh + GoDaddy DNS-01 (ssl/)
- nginx SSL reverse proxy config and virtual host guide (nginx/)
- Pi-hole moved to port 8081; split DNS overrides documented for both Pi-hole and pfSense Unbound to avoid hairpin NAT issues

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
# Squid Web Proxy — zet.home.arpa

Caching web proxy with content filtering for children's devices on the LAN.

## Overview
| Field | Value |
|---|---|
| Package | squid (Ubuntu) |
| Version | Squid 6.14 |
| Config | /etc/squid/squid.conf |
| Port | 3128/tcp |
| Cache directory | /var/spool/squid (2 GB, UFS) |
| Access log | /var/log/squid/access.log |
## How It Works

Squid runs as a standard forward proxy. pfSense intercepts HTTP traffic from children's device IPs and redirects port 80 to 172.27.0.35:3128 via NAT port-forward (see ../PROXY-SETUP.md for pfSense setup).

```
Child device → pfSense NAT (port 80 → 172.27.0.35:3128) → Squid → Internet
```
## Configuration (/etc/squid/squid.conf)

```
http_port 3128

# ACLs
acl children src "/etc/squid/children.txt"              # one IP (or CIDR) per line
acl blocked_sites dstdomain "/etc/squid/blocked_sites.txt"  # leading dot = domain and all subdomains
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl CONNECT method CONNECT
acl allowed_hosts src 172.27.0.0/24
# NOTE: SSL_ports and CONNECT are defined but not referenced by any
# http_access rule below; only port 80 reaches this proxy (see Limitations).

# Access rules (evaluated top to bottom; first match wins)
http_access deny blocked_sites children   # filtered devices cannot reach blocked domains
http_access deny !Safe_ports              # only ports 80 and 443 are proxied
http_access allow allowed_hosts           # everything else on the LAN is allowed
# No rule matched: Squid applies the opposite of the last rule, i.e. deny.

# Cache
cache_dir ufs /var/spool/squid 2048 16 256
cache_mem 512 MB
maximum_object_size_in_memory 1 MB
maximum_object_size 128 MB
minimum_object_size 0 KB

# Refresh patterns
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$ 10080 90% 43200
refresh_pattern -i \.(css|js)$ 1440 90% 10080
refresh_pattern . 0 20% 4320

pipeline_prefetch 1
collapsed_forwarding on
```
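The three `http_access` rules above are short, but their order and the `dstdomain` leading-dot semantics decide what a given device can reach. The following is an added example (not part of the server's configuration) that models those rules offline so a change to `children.txt` or `blocked_sites.txt` can be checked before reloading Squid. The two ACL file contents are constructed samples, not the real lists; `SAFE_PORTS`, `parse_acl_file`, `src_match`, `dstdomain_match` and `evaluate` are names chosen here. It mirrors Squid's documented behaviour for `src` (IP or CIDR entries), `dstdomain` (a leading dot matches the domain and all subdomains, no dot means exact match) and the implicit default when no rule matches (the opposite of the last rule, here deny).

```python
"""Offline model of the http_access rule order in squid.conf (added example).

ACL semantics mirrored here:
  src        - IP or CIDR per line, matched against the client address
  dstdomain  - entry with a leading dot matches that domain and all of its
               subdomains; an entry without a dot matches exactly
Rules are evaluated top to bottom; if none match, Squid applies the opposite
of the last rule (the last rule above is an allow, so the default is deny).
"""
import ipaddress

# Constructed samples standing in for the two ACL files.
CHILDREN_TXT = """\
# one IP per line
172.27.0.50
172.27.0.51
"""
BLOCKED_SITES_TXT = """\
.youtube.com
.youtu.be
.tiktok.com
"""

SAFE_PORTS = {80, 443}          # acl Safe_ports port 80 / 443
ALLOWED_HOSTS = ["172.27.0.0/24"]  # acl allowed_hosts src 172.27.0.0/24


def parse_acl_file(text):
    """Return the non-empty, non-comment entries of a Squid ACL file."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.append(line)
    return entries


CHILDREN = parse_acl_file(CHILDREN_TXT)
BLOCKED = parse_acl_file(BLOCKED_SITES_TXT)


def src_match(client_ip, entries):
    """acl ... src: does the client address fall in any listed IP/CIDR?"""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(e, strict=False) for e in entries)


def dstdomain_match(host, entries):
    """acl ... dstdomain: leading-dot entries cover subdomains, others are exact."""
    host = host.lower().rstrip(".")
    for entry in entries:
        entry = entry.lower()
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


def evaluate(client_ip, host, port, children=CHILDREN, blocked=BLOCKED):
    """Return (action, matched_rule) for a request, following the rule order."""
    # http_access deny blocked_sites children
    if src_match(client_ip, children) and dstdomain_match(host, blocked):
        return ("deny", "blocked_sites children")
    # http_access deny !Safe_ports
    if port not in SAFE_PORTS:
        return ("deny", "!Safe_ports")
    # http_access allow allowed_hosts
    if src_match(client_ip, ALLOWED_HOSTS):
        return ("allow", "allowed_hosts")
    # nothing matched: opposite of the last rule
    return ("deny", "implicit default (opposite of last rule)")


if __name__ == "__main__":
    for req in [("172.27.0.50", "www.youtube.com", 80),
                ("172.27.0.10", "www.youtube.com", 80),
                ("172.27.0.50", "youtube.com.example", 80),
                ("172.27.0.50", "example.com", 8080),
                ("10.0.0.5", "example.com", 80)]:
        print(req, "->", evaluate(*req))
```

The `youtube.com.example` case is the one worth keeping: a naive `endswith("youtube.com")` would block it, whereas Squid's `.youtube.com` entry only matches `youtube.com` itself and hosts under it, which is what the model reproduces.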
## ACL Files

### /etc/squid/children.txt — devices subject to content filtering

Contains one IP per line for children's devices on the 172.27.0.0/24 network.

### /etc/squid/blocked_sites.txt — blocked domains
Domains blocked for children (partial list):
.facebook.com / .fb.com / .instagram.com / .snapchat.com / .tiktok.com
.x.com / .twitter.com / .reddit.com / .redditmedia.com / .redditstatic.com
.pinterest.com / .youtube.com / .youtu.be / .googlevideo.com
.twitch.tv / .vimeo.com / .dailymotion.com
.netflix.com / .hulu.com / .disneyplus.com
## Service Management

```bash
sudo systemctl status squid
sudo systemctl restart squid
sudo systemctl reload squid   # reload config without dropping connections
sudo squid -k parse           # validate squid.conf syntax

# Watch live traffic
sudo tail -f /var/log/squid/access.log

# Check cache stats
sudo squidclient -h 127.0.0.1 mgr:info
```
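Tailing `access.log` shows individual requests; to see whether the filter is actually biting (and on which devices) it helps to aggregate `TCP_DENIED` results per client. The script below is an added example, not part of this page or the Squid project, that parses Squid's native log format (whitespace-separated: time, elapsed, client, result/status, bytes, method, URL, user, hierarchy/peer, type) and reports denied versus served requests per client. The log lines are constructed samples (203.0.113.10 is a documentation address); `summarize` and `noisy_clients` are names chosen here.

```python
"""Summarise Squid native access.log entries per client (added example).

Native log fields, whitespace-separated:
  time elapsed client result/status bytes method url user hierarchy/peer type
"""
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample log; not from the real server.
SAMPLE_LOG = """\
1700000000.123     45 172.27.0.50 TCP_DENIED/403 3852 GET http://www.youtube.com/ - HIER_NONE/- text/html
1700000001.456    120 172.27.0.50 TCP_MISS/200 5123 GET http://example.com/ - HIER_DIRECT/203.0.113.10 text/html
1700000002.789     30 172.27.0.50 TCP_DENIED/403 3852 GET http://m.youtube.com/watch - HIER_NONE/- text/html
1700000003.012     98 172.27.0.10 TCP_HIT/200 20480 GET http://www.youtube.com/ - HIER_NONE/- text/html
1700000004.345     15 172.27.0.51 TCP_DENIED/403 3852 GET http://www.tiktok.com/ - HIER_NONE/- text/html
1700000005.678     70 172.27.0.51 TCP_MISS/200 812 GET http://example.org/ - HIER_DIRECT/203.0.113.10 text/html
"""


def parse_line(line):
    """Parse one native-format line; return None for lines that are too short."""
    f = line.split()
    if len(f) < 7:
        return None
    url = f[6]
    if "://" in url:
        host = urlsplit(url).hostname or ""
    else:
        host = url.rsplit(":", 1)[0]      # CONNECT requests log host:port
    result, status = f[3].split("/", 1)
    return {"time": float(f[0]), "client": f[2], "result": result,
            "status": int(status), "method": f[5], "host": host}


def summarize(log_text):
    """Per-client counts of denied vs. served requests plus the denied hosts."""
    stats = defaultdict(lambda: {"denied": 0, "served": 0, "denied_hosts": Counter()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["client"]]
        if rec["result"] == "TCP_DENIED":
            s["denied"] += 1
            s["denied_hosts"][rec["host"]] += 1
        else:
            s["served"] += 1
    return dict(stats)


def noisy_clients(stats, threshold=2):
    """Clients whose denied count reaches the threshold: either a device keeps
    retrying a blocked site, or children.txt lists a device it should not."""
    return sorted(c for c, s in stats.items() if s["denied"] >= threshold)


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for client, s in sorted(stats.items()):
        print(client, "denied:", s["denied"], "served:", s["served"],
              "top denied:", s["denied_hosts"].most_common(2))
    print("clients at threshold:", noisy_clients(stats))
```

To run it against the real log, replace `SAMPLE_LOG` with the contents of `/var/log/squid/access.log` (readable with `sudo`). A client that shows up in `noisy_clients` but is not meant to be filtered is the quickest way to spot a stale entry in `children.txt`.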
## Adding/Removing Children's IPs

Edit /etc/squid/children.txt — one IP per line, then reload:

```bash
sudo nano /etc/squid/children.txt
sudo systemctl reload squid
```
## Limitations

- Only intercepts plain HTTP (port 80). HTTPS (port 443) is not filtered.
- Filtering HTTPS would require SSL bump (TLS interception) with a custom CA installed on every client device, which is significantly more complex.
- See ../PROXY-SETUP.md for pfSense NAT configuration.
## Migration Notes

To move Squid to a new server:

- Install: `sudo apt install squid`
- Copy `/etc/squid/squid.conf`, `children.txt`, `blocked_sites.txt`
- Initialize cache: `sudo squid -z`
- Start: `sudo systemctl enable --now squid`
- Update pfSense NAT rule redirect target to the new server IP