For Debian-based systems execute the following commands:
user@localhost:~$ sudo apt update
Optionally:
user@localhost:~$ sudo apt upgrade
To install the latest version available for your distribution, use the command:
user@localhost:~$ sudo apt install squid
Check that it is running:
user@localhost:~$ systemctl status squid
Access configuration
The configuration file is /etc/squid/squid.conf; the line ‘include /etc/squid/conf.d/*’ in it pulls in every file in the /etc/squid/conf.d/ directory. The subnets from which access will be possible are defined by lines starting with the keywords “http_access allow …”. If there is a line “http_access allow localnet”, then the definition of localnet must appear above it:
...
acl localnet src 10.0.0.0/8
acl localnet src 172.16.0.0/12
...
Each such line adds its entry to the list of localnet networks.
To prohibit downloading files with the extensions *.exe, *.bat, *.cmd, *.avi over connections not protected with HTTPS, add lines like these to the /etc/squid/squid.conf file:
acl my_blacklist url_regex "/etc/squid/ext_blacklist"
http_access deny my_blacklist
Create file /etc/squid/ext_blacklist:
user@localhost:~$ sudo nano /etc/squid/ext_blacklist
Add regular expressions:
\.[Ee][Xx][Ee]$
\.[Bb][Aa][Tt]$
\.[Cc][Mm][Dd]$
\.[Aa][Vv][Ii]$
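As an added check (an example script, not from the original page), the blacklist can be dry-run against sample URLs with grep -E, which understands the same POSIX extended regex syntax Squid uses for url_regex; the URLs and the temporary file name are constructed for the example.

```shell
#!/bin/sh
# Dry-run the Squid url_regex blacklist against sample URLs.
# Constructed example: the patterns are the ones from the page, written
# to a temporary file so the script runs without touching /etc/squid.
BLACKLIST=$(mktemp)
trap 'rm -f "$BLACKLIST"' EXIT
cat > "$BLACKLIST" <<'EOF'
\.[Ee][Xx][Ee]$
\.[Bb][Aa][Tt]$
\.[Cc][Mm][Dd]$
\.[Aa][Vv][Ii]$
EOF

# Prints "deny" if the URL matches any pattern in the blacklist file
# (what "http_access deny my_blacklist" would do), otherwise "allow".
check_url() {
    if printf '%s\n' "$1" | grep -E -q -f "$BLACKLIST"; then
        echo deny
    else
        echo allow
    fi
}

# Sample URLs (constructed). Two edge cases worth seeing before deploying:
#  - the "$" anchor means a URL with a trailing query string is not caught;
#    a pattern such as \.[Ee][Xx][Ee](\?|$) would cover that case;
#  - an HTTPS request reaches Squid as "CONNECT host:443", so url_regex
#    never sees the path and the blacklist cannot apply to it.
for url in \
    http://example.test/setup.exe \
    http://example.test/Setup.EXE \
    http://example.test/clip.avi \
    'http://example.test/setup.exe?dl=1' \
    http://example.test/readme.txt \
    example.test:443; do
    printf '%-40s %s\n' "$url" "$(check_url "$url")"
done
```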
To allow access from our subnet we need to open port 3128 in the firewall for <MY_LOCAL_NET> (for example: 192.168.1.0/24). In the case of firewalld, execute the commands:
user@localhost:~$ sudo firewall-cmd --zone=work --add-source=<MY_LOCAL_NET>
user@localhost:~$ sudo firewall-cmd --zone=work --add-port=3128/tcp
user@localhost:~$ sudo firewall-cmd --runtime-to-permanent
For iptables you need to insert a line before the rules that deny traffic (this strongly depends on the existing rules; before adding it, review the existing rules with the command iptables -nvL --line-numbers):
user@localhost:~$ sudo iptables -I INPUT 3 -s <MY_LOCAL_NET> -p tcp --dport 3128 -j ACCEPT
For nftables you need to insert a line like this into the /etc/nftables.conf file before the rules that deny traffic:
ip saddr <MY_LOCAL_NET> tcp dport 3128 accept
Important:
If you are logged in as the root superuser, then the sudo command (temporary acquisition of superuser rights) is not needed.