In the mid-1990s, the World Wide Web was growing faster than the infrastructure could handle. Modem speeds topped out around 28.8 Kbps. Transatlantic links cost a fortune. Every time ten students at the same university wanted to view the same CNN article, ten separate requests traveled across the ocean and back.
This was not sustainable. The Web was about to become a victim of its own success.
Port 3128 is home to Squid, the caching proxy that helped solve this problem. When you see traffic on port 3128, you are watching the Internet remember what it has already fetched, so it does not have to fetch it again.
How Squid Works
Squid sits between users and the Internet. When a user requests a web page, Squid checks if it already has a copy. If it does (a cache hit), it serves the page immediately from local storage. If it does not (a cache miss), it fetches the page from the origin server, stores a copy, and delivers it to the user.
The next user who wants the same page gets it from the cache. No round trip across the network. No additional load on the origin server. In the 1990s, this was not optimization. It was survival.
The key insight is that web traffic follows a power law: a small number of URLs account for a large percentage of requests. Cache those popular URLs, and you can reduce network traffic by 30-50%.1 When your international link costs thousands of dollars per month, that reduction matters.
Squid also speaks the Internet Cache Protocol (ICP), defined in RFC 2186 and RFC 2187.23 ICP allows caches to ask their neighbors "do you have this URL?" before fetching from the origin. A cache hierarchy can have siblings (peers) and parents. Ask the siblings first. If no one has it, ask a parent. If the parent does not have it, fetch from the origin. This architecture allowed organizations to build cache meshes that covered entire regions.
The History
The story begins at the University of Colorado Boulder in 1994. Researchers including Mic Bowman, Peter Danzig, Udi Manber, and Michael Schwartz created the Harvest project, funded by DARPA and the National Science Foundation.4 Harvest was a system for discovering and accessing information on the Internet, and one of its components was a web cache called the Harvest Cache.
Duane Wessels joined the project in late 1994 as a graduate student in telecommunications. He was interested in web caching as a thesis topic and began working on the cache software.5
In 1995, some of the Harvest team left for industry positions, and the commercial fork became NetCache (later acquired by various companies). Wessels took the last pre-commercial version of Harvest, continued development independently, and renamed it to avoid confusion with the commercial product.6
He called it Squid.
Squid version 1.0.0 was released in July 1996.7
From 1996 to 2000, Wessels was co-principal investigator of the NLANR (National Laboratory for Applied Network Research) Information Resource Caching project, funded by the National Science Foundation.8 NLANR operated large caches at each of the five NSF-sponsored supercomputer center sites, forming the backbone of a global web caching hierarchy. By July 1996, these caches were serving 15-20 gigabytes per day from over 100 cache clients in dozens of countries.9
This was the infrastructure that helped the early Web scale. Squid was the software that ran it.
Why Port 3128?
The official IANA registry for port 3128 tells a curious story. The registered service name is "ndl-aas" (Active API Server Port), assigned to Martin Norman.10 But virtually no one uses port 3128 for that purpose.
Squid adopted 3128 as its default port in the 1990s, and the association stuck. The Squid documentation reportedly jokes that the port number was "chosen by a fair dice roll."11 Whether or not that is literally true, the result is that port 3128 is now synonymous with Squid worldwide.
This is a case where the de facto standard won. When people scan for port 3128, they are looking for proxy servers, not Active API Servers.
How Squid Is Used Today
Squid remains actively deployed. Approximately 87,000 websites use it,12 and it serves several key purposes:
Corporate Networks: Enterprises use Squid to monitor and control employee Internet access, enforce acceptable use policies, cache frequently accessed content, and reduce bandwidth costs.
ISPs: Internet Service Providers deploy Squid to cache popular content for their customers, reducing the load on upstream links and improving response times.
Transparent Proxying: Squid can intercept HTTP traffic without client configuration, allowing network administrators to enforce policies network-wide. Users may not even know their traffic passes through a proxy.
Reverse Proxying: Squid can sit in front of web servers, caching responses and protecting backends from traffic spikes. The original Harvest cache was ten times faster than the commercial web servers of its era when used as an accelerator.13
Content Filtering: Schools and organizations use Squid to block access to inappropriate or dangerous content.
Security Considerations
Squid has a long and complicated security history. A 2021 security audit identified 55 vulnerabilities, of which only a handful have been assigned CVEs. As of late 2023, 35 of those vulnerabilities remained unpatched.14 The Squid team is effectively understaffed and does not have the resources to address all discovered issues.
Recent critical vulnerabilities include:
- CVE-2025-62168 (CVSS 10.0): Information disclosure through error messages that fail to redact HTTP authentication credentials.15
- CVE-2025-54574 (CVSS 9.3): Heap-based buffer overflow in URN processing, potentially allowing remote code execution.16
Historical vulnerability categories include buffer overflows, denial of service attacks, cache poisoning, HTTP request/response splitting, and ACL bypass.
Organizations running Squid should:
- Keep Squid updated to the latest version
- Restrict access to the proxy port (do not expose 3128 to the public Internet without authentication)
- Review error page templates to ensure they do not leak sensitive information
- Monitor Squid security advisories at squid-cache.org
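The access and disclosure items in this checklist can be checked statically against a squid.conf. The following is an added example, not code from the Squid project or the original page; the sample configuration is constructed, and the finding labels are this example's own.

```python
# Constructed sample (not from a real deployment): a default-style config
# with one overly broad rule placed ahead of the intended ones.
SAMPLE_CONF = """\
http_port 3128
acl localnet src 10.0.0.0/8
http_access allow all
http_access allow localnet
http_access deny all
"""

def audit_squid_conf(text):
    """Return finding strings; an empty list means none of the checks fired."""
    rows = [ln.split() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]
    findings = []

    # http_access rules are evaluated top to bottom; the first match wins.
    access = [r[1:] for r in rows if r[0] == "http_access" and len(r) >= 3]
    for action, *acls in access:
        if acls == ["all"]:
            if action == "allow":
                findings.append("open-proxy: 'http_access allow all' matches every client")
            break
    else:
        # No catch-all rule: Squid applies the opposite of the last rule.
        if access and access[-1][0] == "deny":
            findings.append("implicit-allow: list does not end with 'http_access deny all'")

    # Authentication needs a helper (auth_param) and a proxy_auth ACL in use.
    helper = any(r[0] == "auth_param" for r in rows)
    auth_acls = {r[1] for r in rows if r[0] == "acl" and len(r) > 2 and r[2] == "proxy_auth"}
    referenced = {a.lstrip("!") for rule in access for a in rule[1:]}
    if not helper or not (auth_acls & referenced):
        findings.append("no-auth: no http_access rule uses a proxy_auth ACL")

    # An http_port given as a bare port number listens on every interface.
    for r in rows:
        if r[0] == "http_port" and len(r) > 1 and ":" not in r[1]:
            findings.append(f"wildcard-listener: http_port {r[1]} binds all interfaces")

    # With this directive off, headers and error pages carry the version.
    if ["httpd_suppress_version_string", "on"] not in [r[:2] for r in rows]:
        findings.append("version-leak: httpd_suppress_version_string is not on")
    return findings

if __name__ == "__main__":
    for finding in audit_squid_conf(SAMPLE_CONF):
        print(finding)
```

The checks are lexical only: they do not resolve `include` files or evaluate what each named ACL actually matches.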
Port 3128 is also associated with malware including the RingZero trojan and variants of Mydoom, which scan for open proxy servers to relay traffic.17
The Protocol
Squid speaks HTTP for data transfer, but cache-to-cache communication uses ICP (Internet Cache Protocol) over UDP.2 The protocol is intentionally lightweight: a cache can broadcast "do you have this URL?" to all its neighbors and collect responses quickly enough to decide where to fetch from before the user notices any delay.
ICP messages are limited to 16,384 octets. The header is fixed at 20 octets. Responses are simple: HIT (I have it), MISS (I do not), HIT_OBJ (I have it and here it is inline), DENIED (access denied), or ERROR.2
The protocol has limitations. It does not handle HTTPS well (encrypted content cannot be cached transparently without breaking the security model). HTCP (Hypertext Caching Protocol) was designed as a successor to address some of ICP's shortcomings.
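The 20-octet header and the opcodes described above, as an added example (not from the original page or the Squid source): a strict ICP version 2 encoder and parser following the header layout in RFC 2186. The function names are this example's own, and the messages it handles are constructed in the code.

```python
import struct

# RFC 2186 header: opcode, version, message length, request number,
# options, option data, sender host address (network byte order).
ICP_HEADER = struct.Struct("!BBHIII4s")      # exactly 20 octets
ICP_MAX_LEN = 16384
OPCODES = {1: "QUERY", 2: "HIT", 3: "MISS", 4: "ERR", 10: "SECHO",
           11: "DECHO", 21: "MISS_NOFETCH", 22: "DENIED", 23: "HIT_OBJ"}

def build_icp(opcode, reqnum, url, version=2):
    """Encode a message; a QUERY payload starts with a 4-octet requester address."""
    payload = url.encode("ascii") + b"\x00"
    if opcode == 1:
        payload = b"\x00" * 4 + payload
    length = ICP_HEADER.size + len(payload)
    if length > ICP_MAX_LEN:
        raise ValueError("message exceeds 16,384 octets")
    return ICP_HEADER.pack(opcode, version, length, reqnum, 0, 0, b"\x00" * 4) + payload

def parse_icp(datagram):
    """Decode one UDP datagram, rejecting anything malformed."""
    if len(datagram) < ICP_HEADER.size:
        raise ValueError("shorter than the 20-octet ICP header")
    opcode, version, length, reqnum, _opts, _optdata, _sender = \
        ICP_HEADER.unpack_from(datagram)
    if length != len(datagram) or length > ICP_MAX_LEN:
        raise ValueError("length field does not match the datagram")
    if opcode not in OPCODES:
        raise ValueError(f"unknown opcode {opcode}")
    body = datagram[ICP_HEADER.size:]
    if opcode == 1:
        body = body[4:]                      # skip requester host address
    url, nul, _rest = body.partition(b"\x00")
    if not nul:
        raise ValueError("URL is not NUL-terminated")
    return {"op": OPCODES[opcode], "version": version,
            "reqnum": reqnum, "url": url.decode("ascii", "replace")}

if __name__ == "__main__":
    # Constructed exchange: a sibling is asked about a URL and answers MISS.
    query = build_icp(1, 42, "http://example.com/index.html")
    reply = build_icp(3, 42, "http://example.com/index.html")
    print(parse_icp(query))
    print(parse_icp(reply))
```

A reply is matched to its query by the request number, which is why the parser returns it alongside the opcode.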
Related Ports
| Port | Service | Relationship |
|---|---|---|
| 80 | HTTP | The traffic Squid caches |
| 443 | HTTPS | Encrypted traffic; requires SSL bumping for caching |
| 8080 | HTTP Alternate | Common alternative proxy port |
| 3130 | ICP | Internet Cache Protocol (UDP) |
| 4827 | HTCP | Hypertext Caching Protocol |
Checking for Squid
To see if port 3128 is open:
If Squid is running without authentication, connecting to port 3128 and sending an HTTP request will return a response with the Squid version in the headers.
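One way to run both checks against your own proxy, as an added example (not from the original page): test whether the port accepts connections, then report what the response headers reveal. The sample response, its hostname and its version string are constructed, and the exact error a given Squid returns for the bare request is an assumption.

```python
import re
import socket

# Constructed sample of a reply a Squid forward proxy might send to "GET /".
SAMPLE_RESPONSE = (
    b"HTTP/1.1 400 Bad Request\r\n"
    b"Server: squid/5.7\r\n"
    b"X-Squid-Error: ERR_INVALID_URL 0\r\n"
    b"Via: 1.1 proxy.example.internal (squid/5.7)\r\n"
    b"Connection: close\r\n\r\n<html>...</html>"
)

def port_open(host="127.0.0.1", port=3128, timeout=2.0):
    """True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def fetch_headers(host="127.0.0.1", port=3128, timeout=2.0):
    """Send one minimal request and return the raw reply up to the headers."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"GET / HTTP/1.0\r\n\r\n")
        data = b""
        while b"\r\n\r\n" not in data and len(data) < 65536:
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
        return data

def squid_exposure(raw):
    """Report whether the reply identifies Squid and which version it shows."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    result = {"squid": False, "version": None}
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        name = name.strip().lower()
        if name == "x-squid-error":
            result["squid"] = True
        elif name in ("server", "via"):
            m = re.search(r"squid(?:/([\w.\-]+))?", value, re.I)
            if m:
                result["squid"] = True
                result["version"] = result["version"] or m.group(1)
    return result

if __name__ == "__main__":
    print(squid_exposure(fetch_headers()) if port_open() else "3128 closed")
```

A result with `squid` true and `version` set means the proxy discloses its exact release to any client that can reach the port.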