
Local Caching Proxy Server (Squid + Unbound)
GOAL
You will set up one server (your “cache box”) that:
- Caches web traffic using Squid (HTTP/HTTPS proxy)
- Caches DNS queries locally using Unbound
- Reduces latency & bandwidth on repeated web visits
- Can be used as DNS + Proxy gateway for your Wi-Fi clients
SYSTEM REQUIREMENTS
| Component | Recommendation |
|---|---|
| OS | Ubuntu Server 24.04 / Debian 12 |
| CPU | 2+ cores |
| RAM | 2–4 GB |
| Disk | 20 GB+ (for caching) |
| Network | LAN access (192.168.x.x) |
STEP 1 — Update & Prepare
```bash
apt update && apt upgrade -y
```
STEP 2 — Configure DNS
Make sure your server can resolve domains. You can use public DNS:
Edit /etc/resolv.conf
```bash
nano /etc/resolv.conf
```
Add:
```
nameserver 8.8.8.8
nameserver 1.1.1.1
options edns0 trust-ad
search .
```
Note: on a host running systemd-resolved (which the output below indicates), /etc/resolv.conf is a managed file that the service can regenerate, so a change that must survive reboots belongs in /etc/systemd/resolved.conf instead.
Check current DNS settings
```bash
resolvectl status
```
You should see something like:
```
Link 2 (eth0)
Current DNS Server: 1.1.1.1
       DNS Servers: 8.8.8.8 1.1.1.1
```
This ensures Squid can resolve hostnames correctly.
STEP 3 — Install Squid (Web Proxy)
```bash
apt install squid -y
```
Edit Configuration
```bash
nano /etc/squid/squid.conf
```
Replace content with:
```conf
# Force IPv4 for DNS queries if IPv6 fails (uncomment if needed)
# dns_v4_first on
# Listen on all interfaces
http_port 3128
# ACLs
# Allow all clients (for testing only; restrict to your LAN, e.g. 192.168.1.0/24, before relying on this proxy)
acl allowed_ips src all
acl Safe_ports port 80
acl Safe_ports port 443
acl CONNECT method CONNECT
# Access rules
http_access allow allowed_ips Safe_ports
http_access allow allowed_ips CONNECT
http_access deny all
# Caching settings
cache_mem 256 MB
maximum_object_size_in_memory 512 KB
maximum_object_size 512 MB
cache_dir ufs /var/spool/squid 10000 16 256
# Refresh patterns (control how long objects are cached)
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
# Logging
access_log /var/log/squid/access.log
# DNS servers
dns_nameservers 1.1.1.1 8.8.8.8
```
Restart Squid:
```bash
# Create cache directories
sudo squid -z
# Start and enable Squid service
sudo systemctl restart squid
sudo systemctl enable squid
# Apply configuration changes without stopping Squid
sudo squid -k reconfigure
```
Test if it works:
```bash
curl -x http://<your-server-ip>:3128 http://example.com
```
STEP 4 — Install Unbound (DNS Cache)
```bash
apt install unbound -y
```
Configure Unbound
Edit config:
```bash
nano /etc/unbound/unbound.conf
```
Paste:
```conf
server:
    interface: 0.0.0.0
    access-control: 192.168.1.0/24 allow
    verbosity: 1
    # Caching settings
    cache-min-ttl: 3600
    cache-max-ttl: 86400
    prefetch: yes
    prefetch-key: yes
    do-ip6: no
    hide-identity: yes
    hide-version: yes
# Upstream DNS (optional)
forward-zone:
    name: "."
    forward-addr: 1.1.1.1
    forward-addr: 8.8.8.8
```
Restart Unbound:
```bash
systemctl restart unbound
systemctl enable unbound
```
Test:
```bash
dig @127.0.0.1 google.com
```
STEP 5 — Configure Your Network Clients
Option A: Manually set proxy/DNS on PCs
- Proxy: http://<server-ip>:3128
- DNS: <server-ip>
Option B: Router-level configuration
- Set DNS = your server IP on DHCP
- Optionally deploy a Proxy Auto Config (PAC) file
Example PAC file (/var/www/html/proxy.pac):
```js
function FindProxyForURL(url, host) {
    return "PROXY <server-ip>:3128";
}
```
STEP 6 — Verify Caching Works
Check DNS Cache
```bash
unbound-control stats_noreset | grep cache
```
Check Squid Cache
```bash
tail -f /var/log/squid/access.log
```
Look for lines containing `TCP_HIT`: those requests were served from the cache.
STEP 7 — (Optional) Transparent Proxy Mode
Enable IP forwarding:
```bash
echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
sysctl -p
```
Add iptables redirect:
```bash
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
```
Note: Squid accepts NAT-redirected traffic only on an `http_port` carrying the `intercept` flag, so keep 3128 for ordinary proxy clients, add a separate intercept port (for example `http_port 3129 intercept`) and point the redirect at that port.
STEP 8 — Monitor Usage
Quick stats
```bash
squidclient mgr:info
```
Web access log
```bash
grep -c TCP_HIT /var/log/squid/access.log
```
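As an added example (not part of the original guide), the shell script below turns the access.log checks of Steps 6 and 8 into numbers: a cache hit ratio, and the list of client addresses outside the 192.168.0.0/16 LAN range this guide assumes, which is worth watching while `acl allowed_ips src all` is still in squid.conf. The log lines are constructed samples in Squid's native log format, not output from a real server.

```shell
#!/bin/sh
# Added example, not part of the original guide: summarise Squid's native access.log.
# Constructed sample log (field order: time elapsed client result/status bytes method URL
# ident hierarchy/peer type). 203.0.113.77 is a documentation address standing in for
# a client outside the LAN; 198.51.100.10 stands in for an origin server.
SAMPLE_LOG=$(cat <<'EOF'
1700000000.123    45 192.168.1.10 TCP_MISS/200 5123 GET http://example.com/ - HIER_DIRECT/198.51.100.10 text/html
1700000001.456     2 192.168.1.11 TCP_HIT/200 5123 GET http://example.com/ - HIER_NONE/- text/html
1700000002.789   120 192.168.1.10 TCP_TUNNEL/200 8800 CONNECT example.org:443 - HIER_DIRECT/198.51.100.10 -
1700000003.000     1 192.168.1.12 TCP_MEM_HIT/200 5123 GET http://example.com/ - HIER_NONE/- text/html
1700000004.000    60 192.168.1.10 TCP_DENIED/403 3500 GET http://example.net/ - HIER_NONE/- text/html
1700000005.000    70 203.0.113.77 TCP_MISS/200 9100 GET http://example.com/big.bin - HIER_DIRECT/198.51.100.10 application/octet-stream
EOF
)

# squid_hit_ratio: read access.log lines on stdin, print "<hits> <misses> <hit-percent>".
# Any TCP_*HIT* result (TCP_HIT, TCP_MEM_HIT, ...) counts as a hit and any TCP_*MISS* as a
# miss. CONNECT tunnels (TCP_TUNNEL) and denied requests (TCP_DENIED) are left out because
# they can never be served from the cache and would only distort the ratio.
squid_hit_ratio() {
  awk '
    $4 ~ /^TCP_.*HIT\//  { hits++ }
    $4 ~ /^TCP_.*MISS\// { misses++ }
    END {
      total = hits + misses
      pct = (total > 0) ? int(100 * hits / total) : 0
      printf "%d %d %d\n", hits, misses, pct
    }'
}

# squid_foreign_clients: print each client address that is not in 192.168.0.0/16, the LAN
# range this guide assumes. While "acl allowed_ips src all" is in squid.conf, any output
# here means the proxy is answering hosts outside your network and the ACL needs tightening.
squid_foreign_clients() {
  awk '$3 !~ /^192\.168\./ { print $3 }' | sort -u
}

printf '%s\n' "$SAMPLE_LOG" | squid_hit_ratio        # -> 2 2 50
printf '%s\n' "$SAMPLE_LOG" | squid_foreign_clients  # -> 203.0.113.77
```

On the live server, feed the real log instead of the sample, e.g. `squid_hit_ratio < /var/log/squid/access.log`.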
RESULTS
- Web & DNS content loads faster
- Reduced bandwidth usage
- Improved browsing latency
- Works even on low-end hardware
Summary
| Component | Port | Purpose |
|---|---|---|
| Squid | 3128 | HTTP/HTTPS proxy + cache |
| Unbound | 53 | DNS resolver + cache |