
Want faster websites, reduced bandwidth usage, and complete control over who can access what? The Proxy Server/Web Cache (Squid) app from the Univention App Center has you covered. It acts as both a powerful web proxy and caching server, storing frequently accessed pages to speed up load times and optimize network traffic. Plus, with flexible access rules, you can manage and restrict internet usage for individual users or entire groups with ease.

Behind the scenes, Squid (named after the sea creature) is a scalable, Open Source proxy server licensed under the GNU General Public License (GPL). It supports HTTP, HTTPS, and FTP and offers extensive configuration options to fit a variety of use cases.

In this article, you’ll learn how to install Squid on Univention Corporate Server (UCS), optimize caching, set up network and user access controls, and secure the proxy with authentication methods like LDAP, NTLM, and Kerberos.

Squid Proxy Server: Faster Websites, Lower Bandwidth Usage, and Full Access Control

You click on a website, and boom—it’s there instantly. No lag, no delays. That’s the power of Squid, a caching proxy server that speeds up web access by storing frequently visited pages. Supporting HTTP, HTTPS, and even FTP, Squid reduces network load by serving cached content instead of repeatedly fetching it from the internet. This is a game-changer for schools, businesses, and public institutions, where multiple users access the same sites daily. The result? Less bandwidth consumption, faster response times, and a more efficient network.

But Squid isn’t just about speed—it also gives you full control over internet access. With Access Control Lists (ACLs), you can define exactly which users and devices are allowed online. Whether you’re setting up content restrictions for schools, securing internet access in government offices, or implementing user-based authentication, Squid puts you in charge.

Squid isn’t just a one-trick pony—it operates in two different modes, each optimized for a specific use case:

  • Squid as a Web Proxy: This is the classic setup. Squid fetches web content from the internet on behalf of its clients, stores cacheable responses, and serves them to clients who request the same page later. If a website doesn’t specify how long its content may be cached, Squid can apply refresh patterns to keep the cache up to date. Keep in mind that HTTPS traffic passes through the proxy as an opaque CONNECT tunnel: Squid can still enforce who may open a tunnel and to which host and port, but it cannot cache or inspect the encrypted content unless TLS interception is set up separately.
  • Squid as Reverse Proxy: Here, Squid takes on the opposite role: Instead of fetching content from external websites, it acts as a gateway for internal web servers, delivering content to external users. This setup is ideal for companies, web hosting environments, and organizations that need a secure and high-performance way to serve web applications while shielding backend infrastructure.

How to Install Squid Proxy on Univention Corporate Server

Setting up Squid Proxy on Univention Corporate Server (UCS) is quick and easy. You’ll find the Proxy Server/Web Cache (Squid) app in the Univention App Center: click Install, select a server in your UCS domain, and start the setup. Prefer the command line? No problem; the app corresponds to the package univention-squid, which you can install with univention-install. Squid comes preconfigured with default settings, so it’s ready to go immediately. By default, it listens on port 3128, but you can customize this later to fit your needs (see “Configuring Squid Ports: Changing Default and Allowing Additional Web Ports”).

Most Squid settings can be configured via UCR variables (Univention Configuration Registry). This article covers some key options, but if you need more advanced customization, you can edit the /etc/squid/local.conf file directly and add any additional Squid parameters. For detailed configuration guidance, check out the official documentation.

Reminder: Any configuration changes require a restart of the Squid service. To do this, open the Univention Management Console, go to System / System services, find squid, select it, and click Restart.

Screenshot: restarting the Squid service in the Univention Management Console

Alternatively, you can restart Squid from the command line. As a user with administrative privileges, run the following command:

systemctl restart squid

Enable or Disable Squid Cache? When Website Caching Makes Sense

Squid functions as a caching proxy, storing previously accessed web content and serving it directly from the cache instead of repeatedly fetching it from the original web server. This reduces bandwidth usage and speeds up page load times, making it an excellent choice for networks with frequent, repeated web traffic. However, caching isn’t always beneficial. In some cases, it may even be counterproductive—depending on your environment and the type of content being accessed.

When Does Caching Help?

  • Faster page loads for frequently visited websites.
  • Lower bandwidth usage, especially in networks with many clients.
  • Reduced strain on the internet connection by serving cached content locally.

When Should You Avoid Caching?

  • When real-time content updates are critical (e.g., dynamic web applications).
  • In multi-proxy setups, where not all proxies should store cached data.
  • If privacy, compliance, or security policies prohibit storing certain content.

If you want to disable Squid caching, set the Univention Configuration Registry (UCR) variable squid/cache to no and restart the service:

ucr set squid/cache=no

systemctl restart squid

Whether caching makes sense for your setup depends on your specific requirements. Up next, we’ll cover how to control access to specific networks using Squid.

Restricting Squid Proxy Access to Specific Networks: Configuration Guide

By default, Squid only accepts connections from the local network of the server it runs on. For example, if your Squid proxy server is running on a machine with the IP 192.0.2.10 and subnet mask 255.255.255.0, only devices within the 192.0.2.0/24 network can connect. Requests from any other source address are refused.

If you need to grant access to additional networks, you can configure this using the Univention Configuration Registry (UCR) variable squid/allowfrom. Enter the permitted networks in CIDR notation, separating multiple entries with a space. UCS writes these settings into the configuration file /etc/squid/squid.conf, where they become part of Squid’s source-address ACLs.

Screenshot: access control lists (ACLs) in Squid

If you add 192.168.2.0/24 and 192.168.3.0/24 to the configuration and restart the service, clients from these networks will be able to use the proxy. Setting the value to all opens the proxy to every source address. Do not do this without additional controls such as mandatory authentication and a firewall that keeps the proxy port unreachable from the internet: an openly reachable proxy is found within hours and abused as an anonymous relay for attacks against third parties.

Configuring Squid Ports: Changing Default and Allowing Additional Web Ports

By default, Squid listens on port 3128. If you need to use a different port, update the Univention Configuration Registry (UCR) variable squid/httpport. If the Univention firewall is enabled on your system, you must also adjust the packet filter configuration so that the new port is reachable (ucr search security/packetfilter lists the existing rules); otherwise clients will be able to reach the old port but not the new one.

In addition to Squid’s own listening port, the configuration defines which destination ports clients may request through the proxy. By default, Squid only processes traffic for HTTP (port 80), HTTPS (port 443), and FTP (port 21). To allow additional ports, modify the UCR variable squid/webports, separating multiple entries with a space. UCS applies these settings to the configuration file /etc/squid/squid.conf, after which clients can reach the newly permitted ports. Keep this list as short as your applications require: every extra port is another channel through which a client can reach arbitrary hosts via the proxy.

Screenshot: allowing additional web ports in UCS
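The two network-level rules above, squid/allowfrom for source networks and squid/webports for destination ports, are easy to get wrong by a single digit. The following script is an added example and is not part of the Univention article or of the UCS packages: it models in plain shell how Squid’s src and port ACLs would judge a request against the values you are about to set, so a candidate policy can be sanity-checked before running ucr set. The networks and ports are those used in the article; the client addresses are made up.

```shell
#!/bin/sh
# Added example, not from the Univention article or the UCS packages: a plain-shell
# model of the two Squid ACL decisions fed by the UCR variables squid/allowfrom
# (source network) and squid/webports (destination port), used to sanity-check a
# policy before committing it with `ucr set`. Sample client addresses are constructed.

# ip2int DOTTED_QUAD -> the IPv4 address as a 32-bit integer
ip2int() {
    _oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$_oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# ip_in_cidr IP CIDR -> exit status 0 when IP lies inside CIDR (e.g. 192.168.2.0/24),
# matches a bare address, or CIDR is the keyword "all" (as accepted by squid/allowfrom)
ip_in_cidr() {
    [ "$2" = "all" ] && return 0
    _net=${2%/*}
    _bits=${2#*/}
    [ "$_bits" = "$2" ] && _bits=32            # no prefix length: host match
    if [ "$_bits" -eq 0 ]; then
        _mask=0                                 # /0 matches everything
    else
        _mask=$(( (0xFFFFFFFF << (32 - _bits)) & 0xFFFFFFFF ))
    fi
    [ $(( $(ip2int "$1") & _mask )) -eq $(( $(ip2int "$_net") & _mask )) ]
}

# source_allowed IP "NET NET ..." -> 0 when IP matches any space-separated network
source_allowed() {
    for _n in $2; do
        ip_in_cidr "$1" "$_n" && return 0
    done
    return 1
}

# port_allowed PORT "PORT PORT ..." -> 0 when PORT is in the space-separated list
port_allowed() {
    for _p in $2; do
        [ "$_p" = "$1" ] && return 0
    done
    return 1
}

# decide CLIENT_IP DEST_PORT ALLOWFROM WEBPORTS -> prints the verdict Squid would reach.
# Squid evaluates the port rule before the source rule; the order does not change a DENY.
decide() {
    if ! source_allowed "$1" "$3"; then
        echo "DENY  $1 -> port $2 (source not in squid/allowfrom=\"$3\")"
    elif ! port_allowed "$2" "$4"; then
        echo "DENY  $1 -> port $2 (destination port not in squid/webports=\"$4\")"
    else
        echo "ALLOW $1 -> port $2"
    fi
}

# Candidate policy: the article's example networks plus the default web ports.
ALLOWFROM="192.0.2.0/24 192.168.2.0/24 192.168.3.0/24"
WEBPORTS="80 443 21"

decide 192.168.2.17 443  "$ALLOWFROM" "$WEBPORTS"   # allowed network, HTTPS
decide 192.168.4.9  443  "$ALLOWFROM" "$WEBPORTS"   # network not listed
decide 192.0.2.55   8443 "$ALLOWFROM" "$WEBPORTS"   # port not listed
decide 203.0.113.7  80   "all"        "$WEBPORTS"   # what squid/allowfrom=all means

# When the verdicts match your intent, commit them on the UCS proxy host and restart:
echo "ucr set squid/allowfrom=\"$ALLOWFROM\" squid/webports=\"$WEBPORTS\" && systemctl restart squid"
```

Run it on any machine with a POSIX shell; nothing here talks to Squid or UCS. The last line only prints the ucr set command so that you can paste it deliberately once the dry run looks right.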

Secure Squid Proxy with User Authentication – LDAP, NTLM, and Kerberos

By default, Squid Proxy allows access for all users from the permitted networks without asking who they are. If you need to restrict access to particular people, you can control it based on group membership: the Univention Configuration Registry (UCR) variable squid/auth/allowed_groups specifies which groups may use Squid, with multiple groups separated by a semicolon. A group check only works once Squid knows the user, so authentication must be enabled for this variable to take effect. The UCS integration supports three authentication methods: LDAP, NTLM, and Kerberos:

  • LDAP Authentication: Squid validates user credentials against the UCS LDAP server. When a user connects to the proxy, the browser prompts for a username and password, and Squid forwards them to the LDAP server for verification. If authentication succeeds, internet access is granted. To enable this method, set the UCR variable squid/basicauth to yes and restart Squid. Keep in mind that this is HTTP Basic authentication: the credentials are only base64-encoded in the Proxy-Authorization header and travel in cleartext between client and proxy, so use it only on trusted networks or where the client-to-proxy connection is otherwise protected.
  • NTLM Authentication (NT LAN Manager): Aimed at Windows environments, NTLM enables Single Sign-on (SSO). Users already logged into a Windows client with Active Directory integration won’t need to enter credentials again; the browser answers Squid’s challenge with the Windows logon credentials automatically. To enable NTLM authentication, set the UCR variable squid/ntlmauth to yes and restart Squid. NTLM is a legacy protocol that Microsoft itself recommends moving away from; where clients can obtain Kerberos tickets, prefer the Kerberos method below.
  • Kerberos Authentication: In Samba/Active Directory domains, Kerberos provides secure Single Sign-on without re-entering a password. When users log in to a Windows client, they receive a Kerberos ticket-granting ticket, and the browser presents a service ticket for the proxy, which Squid verifies to authenticate access. To enable Kerberos authentication, install the univention-squid-kerberos package on each proxy server. Then, set the UCR variable squid/krb5auth to yes and restart Squid.

Important: Authentication at the proxy only helps if the proxy is the only way out. To prevent users from bypassing it and reaching the internet directly, block outbound HTTP and HTTPS traffic at the perimeter firewall for all hosts except the Squid proxy server. This ensures that every web request passes through Squid, where it is authenticated, filtered, and logged.
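Once authentication is switched on, the quickest way to confirm it works, and to notice clients that keep failing it, is Squid’s access.log: in the native log format the authenticated user appears in the eighth field, and requests that have not (yet) authenticated are logged as TCP_DENIED/407. The following script is an added example, not part of the Univention article or of UCS; it summarises a handful of constructed log lines in the native format, showing who authenticated, which client collected 407 challenges, and which request was refused outright by the network ACL (TCP_DENIED/403).

```shell
#!/bin/sh
# Added example, not from the Univention article or UCS: summarising Squid access.log
# (native format) after authentication has been enabled. The log lines are constructed.
# Fields: 1 time, 2 elapsed ms, 3 client, 4 result/status, 5 bytes, 6 method, 7 URL,
#         8 authenticated user ("-" if none), 9 hierarchy/peer, 10 content type.
SAMPLE_LOG='1712345678.101     12 192.168.2.17 TCP_DENIED/407 3985 GET http://example.com/ - HIER_NONE/- text/html
1712345678.532    311 192.168.2.17 TCP_MISS/200 5120 GET http://example.com/ alice HIER_DIRECT/93.184.216.34 text/html
1712345679.004    290 192.168.2.17 TCP_TUNNEL/200 0 CONNECT example.org:443 alice HIER_DIRECT/93.184.216.34 -
1712345680.118      9 192.168.3.44 TCP_DENIED/407 3985 CONNECT login.example.net:443 - HIER_NONE/- text/html
1712345680.207      8 192.168.3.44 TCP_DENIED/407 3985 CONNECT login.example.net:443 - HIER_NONE/- text/html
1712345680.298      8 192.168.3.44 TCP_DENIED/407 3985 CONNECT login.example.net:443 - HIER_NONE/- text/html
1712345681.400    150 192.168.3.44 TCP_MISS/200 2048 GET http://intranet.example/ bob HIER_DIRECT/10.200.0.5 text/html
1712345682.000      5 192.168.4.9 TCP_DENIED/403 3800 GET http://example.com/ - HIER_NONE/- text/html'

# authenticated_users LOG -> space-separated, sorted, distinct users who got a non-denied response
authenticated_users() {
    printf '%s\n' "$1" | awk '$8 != "-" && $4 !~ /^TCP_DENIED/ { print $8 }' \
        | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# denied_407_count LOG CLIENT -> number of 407 challenges a client received.
# One 407 per new connection is normal for NTLM/Negotiate (the first request is always
# challenged); a burst of 407s for the same URL without a following 200 is not.
denied_407_count() {
    printf '%s\n' "$1" | awk -v c="$2" '$3 == c && $4 == "TCP_DENIED/407"' | wc -l | tr -d ' '
}

# clients_over_threshold LOG N -> clients with more than N 407s, one per line
clients_over_threshold() {
    printf '%s\n' "$1" | awk -v n="$2" '
        $4 == "TCP_DENIED/407" { c[$3]++ }
        END { for (ip in c) if (c[ip] > n) print ip }' | sort
}

# forbidden_count LOG -> requests refused by http_access (403), e.g. a source outside squid/allowfrom
forbidden_count() {
    printf '%s\n' "$1" | awk '$4 == "TCP_DENIED/403"' | wc -l | tr -d ' '
}

echo "authenticated users   : $(authenticated_users "$SAMPLE_LOG")"
echo "407s for 192.168.3.44 : $(denied_407_count "$SAMPLE_LOG" 192.168.3.44)"
echo "clients with >2 407s  : $(clients_over_threshold "$SAMPLE_LOG" 2)"
echo "403 refusals (ACL)    : $(forbidden_count "$SAMPLE_LOG")"
```

On a UCS proxy you would feed the real file instead, for example `authenticated_users "$(cat /var/log/squid/access.log)"`, or pipe the file straight into the awk expressions. The distinction between 407 (no or failed authentication) and 403 (denied by an ACL such as the allowed networks) tells you whether a client’s problem is its credentials or its address.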

Side Note: Managing Web Access with squidGuard in UCS@school

In UCS@school, the squidGuard web filter controls which websites users can access. Working alongside Squid, squidGuard checks every website request and determines whether it should be allowed. If access is restricted, users are redirected to a block page. The filtering rules are managed through a policy list, defining which sites are permitted or restricted for specific user groups. Additionally, regular expressions can be used to block certain keywords, though careful configuration is necessary to prevent unintended restrictions.

Teachers can create custom internet access rules for classes or workgroups, allowing temporary or permanent control over which sites students can visit. For example, a rule can be set to allow access to Wikipedia while blocking all other sites. Rules can also have priorities, ensuring that teachers retain unrestricted access even when restrictions apply to students.

For a step-by-step setup guide, refer to the UCS@school manual, specifically the sections on “Web-Proxy auf den Schulservern” and “Internetregeln definieren”, only available in German.

Squid Proxy: More Speed, Security, and Control for Your Network

Squid is far more than just a proxy server. In addition to faster web access and optimized bandwidth usage, it offers powerful tools for access control, authentication, and content filtering. Especially in large networks, schools, and businesses, Squid helps improve page load times, regulate internet access, and enhance security.

Do you already use Squid in your environment, or are you considering setting up a proxy server? Leave us a comment below or join the discussion in our forum—we’d love to hear your thoughts!

Icon source: Icon created by rukanicon from flaticon.com
