Squid vs E2Guardian vs SquidGuard: Best Self-Hosted Web Content Filter 2026

Self-hosted web content filtering is the backbone of network security for schools, businesses, and privacy-conscious households. Whether you need to block malware domains, enforce acceptable-use policies, or keep family browsing safe, running your own content filter gives you complete control — no third-party DNS provider, no telemetry, no subscription fees.

In this guide, we compare three of the most widely deployed open-source content filtering solutions: Squid (the industry-standard caching proxy with ACL-based filtering), E2Guardian (a dedicated content filtering engine that sits between clients and upstream proxies), and SquidGuard (a lightweight URL redirector that plugs directly into Squid). Each takes a fundamentally different approach to the same problem, and understanding their architectural differences is the key to picking the right one.

For a broader look at self-hosted proxy options, see our complete web proxy guide covering Squid alongside Tinyproxy and Caddy.

Why Self-Host Web Content Filtering?

Cloud-based DNS filtering services (like OpenDNS, Cloudflare Gateway, or NextDNS) are convenient, but they come with trade-offs:

• Privacy: Every DNS query and browsing decision flows through a third-party server. You have no visibility into how that data is used or retained.
• Cost: Enterprise-tier features (category filtering, reporting, user-level policies) typically cost $3–$10 per user per month.
• Dependency: If the provider’s infrastructure goes down, your entire filtering layer disappears.
• Customization: You cannot add custom block categories, integrate with internal threat intelligence feeds, or fine-tune scoring algorithms.

Running a self-hosted content filter solves all four problems. You own the data, you own the rules, and the only dependency is your own server. Combined with a firewall like pfSense or OPNsense and a WAF like ModSecurity or CrowdSec, you can build a complete, defense-in-depth network security stack entirely from open-source software.

Architecture Comparison

The three tools differ fundamentally in where they sit in the network stack and what they actually inspect:

Squid: The Swiss Army Knife

Squid is fundamentally a caching proxy that happens to include powerful access-control lists (ACLs). Its filtering capability comes from defining rules like “block this domain,” “allow only these hours,” or “deny this file extension.” It does not perform deep content analysis — it blocks based on metadata (URLs, headers, IP addresses) rather than actual page content.

E2Guardian: The Dedicated Filter

E2Guardian (the actively maintained fork of the original DansGuardian) is designed for one purpose: content filtering. It sits as a transparent or explicit proxy between clients and an upstream proxy (typically Squid). It can scan actual HTTP response content for banned phrases, analyze MIME types, check URL categories, and enforce age-based policies — something Squid alone cannot do.

SquidGuard: The Lightweight Redirector

SquidGuard is a redirector plugin for Squid. When Squid receives a request, it passes the URL to SquidGuard, which checks it against Berkeley DB databases of allowed/blocked URLs and domains. If the URL matches a blocklist, SquidGuard tells Squid to redirect the client to a block page. It’s fast, lightweight, and adds URL/category filtering without the overhead of full content scanning.

Installation and Setup

Squid: Installation and Content Filtering Configuration

On Debian/Ubuntu:

1
2

sudo apt update
sudo apt install -y squid

The main configuration file is /etc/squid/squid.conf. Here’s a minimal content filtering setup with ACL-based blocking:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21

# /etc/squid/squid.conf — Content Filtering Example

# Define ACLs for blocked categories
acl blocked_domains dstdomain "/etc/squid/blocked_domains.acl"
acl blocked_keywords url_regex -i "/etc/squid/blocked_keywords.acl"
acl blocked_extensions urlpath_regex -i \.(exe|bat|com|vbs|msi)$
acl work_hours time M T W T F 08:00-18:00

# Block rules — order matters (first match wins)
http_access deny blocked_domains
http_access denied blocked_keywords
http_access deny blocked_extensions

# Allow social media only during lunch break
acl social_media dstdomain "/etc/squid/social_media.acl"
acl lunch time 12:00-13:00
http_access deny social_media !lunch

# Default: allow everything else
http_access allow localnet
http_access deny all

Create the ACL files:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15

# /etc/squid/blocked_domains.acl
.malware-domain.com
.phishing-site.net
.ads-tracker.io

# /etc/squid/blocked_keywords.acl
gambling
adult-content
crypto-mining

# /etc/squid/social_media.acl
.facebook.com
.twitter.com
.tiktok.com
.instagram.com

Enable SSL Bump for HTTPS filtering (requires generating a CA certificate):

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19

# Generate self-signed CA for SSL interception
sudo openssl req -new -newkey rsa:2048 -sha256 -days 3650 \
  -nodes -x509 -keyout /etc/squid/ssl_cert/myCA.pem \
  -out /etc/squid/ssl_cert/myCA.pem

sudo openssl x509 -in /etc/squid/ssl_cert/myCA.pem -outform DER \
  -out /etc/squid/ssl_cert/myCA.der

sudo chmod 640 /etc/squid/ssl_cert/myCA.pem

# Add SSL bump config to squid.conf
https_port 3129 intercept ssl-bump \
  generate-host-certificates=on \
  dynamic_cert_mem_cache_size=4MB \
  cert=/etc/squid/ssl_cert/myCA.pem

sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/ssl_db -M 4MB
ssl_bump peek all
ssl_bump bump all

For containerized deployment, here’s a Docker Compose configuration:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29

# docker-compose.yml — Squid Proxy with Content Filtering
version: "3.8"

services:
  squid:
    image: ubuntu/squid:latest
    container_name: squid-proxy
    restart: unless-stopped
    ports:
      - "3128:3128"
      - "3129:3129"
    volumes:
      - ./squid.conf:/etc/squid/squid.conf:ro
      - ./blocked_domains.acl:/etc/squid/blocked_domains.acl:ro
      - ./blocked_keywords.acl:/etc/squid/blocked_keywords.acl:ro
      - ./social_media.acl:/etc/squid/social_media.acl:ro
      - squid-cache:/var/spool/squid
      - ./ssl_cert:/etc/squid/ssl_cert:ro
    environment:
      - TZ=UTC
    networks:
      - proxy-net

networks:
  proxy-net:
    driver: bridge

volumes:
  squid-cache:

E2Guardian: Installation and Configuration

On Debian/Ubuntu:

1
2

sudo apt update
sudo apt install -y e2guardian

E2Guardian requires an upstream proxy (Squid) to function. The typical deployment chain is:

1

Client → E2Guardian (port 8080) → Squid (port 3128) → Internet

Configure E2Guardian’s main settings:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17

# /etc/e2guardian/e2guardian.conf

# Listen on port 8080 for client connections
filterip =
filterport = 8080

# Forward requests to Squid on port 3128
proxyip = 127.0.0.1
proxyport = 3128

# Use the default filtering group (group1)
filtergroups = 1
filtergroupslist = '/etc/e2guardian/filtergroupslist'

# Log denied requests
loglevel = 3
logfile = '/var/log/e2guardian/access.log'

Configure the content filtering rules:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10

# /etc/e2guardian/lists/bannedphraselist
# Blocks pages containing these phrases (case-insensitive)
viagra
casino bonus
free crypto mining
gambling online

# /etc/e2guardian/lists/exceptionphraselist
# Whitelisted phrases that override bans
medical viagra prescription

Configure URL-based filtering with category lists:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15

# /etc/e2guardian/lists/bannedurllist
# Blocked URLs and patterns
/ads/
/tracker/
analytics.google.com
doubleclick.net

# /etc/e2guardian/lists/exceptionurllist
# Whitelisted URLs
analytics.example.com/internal

# /etc/e2guardian/lists/bannedsitelist
# Blocked domains
.malware-domain.com
.phishing-example.net

For Docker deployment:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41

# docker-compose.yml — E2Guardian + Squid Stack
version: "3.8"

services:
  squid:
    image: ubuntu/squid:latest
    container_name: squid
    restart: unless-stopped
    volumes:
      - ./squid.conf:/etc/squid/squid.conf:ro
      - squid-cache:/var/spool/squid
    networks:
      - filter-net

  e2guardian:
    image: linuxserver/e2guardian:latest
    container_name: e2guardian
    restart: unless-stopped
    ports:
      - "8080:8080"
    volumes:
      - ./e2guardian.conf:/config/e2guardian.conf:ro
      - ./bannedphraselist:/config/lists/bannedphraselist:ro
      - ./bannedurllist:/config/lists/bannedurllist:ro
      - ./bannedsitelist:/config/lists/bannedsitelist:ro
      - ./filtergroupslist:/config/filtergroupslist:ro
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=UTC
    depends_on:
      - squid
    networks:
      - filter-net

networks:
  filter-net:
    driver: bridge

volumes:
  squid-cache:

SquidGuard: Installation and Configuration

On Debian/Ubuntu:

1
2

sudo apt update
sudo apt install -y squidguard

SquidGuard integrates directly with Squid as a url_rewrite_program. Here’s the configuration:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42

# /etc/squidguard/squidGuard.conf

# Database directory (Berkeley DB files)
dbhome /var/lib/squidguard/db
logdir /var/log/squidguard

# Destination categories
dest adult {
    domainlist    adult/domains
    urllist       adult/urls
    redirect      https://proxy.example.com/blocked.html?cat=adult&clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&targetgroup=%t&url=%u
}

dest social {
    domainlist    social/domains
    urllist       social/urls
    redirect      https://proxy.example.com/blocked.html?cat=social&clientaddr=%a&url=%u
}

dest malware {
    domainlist    malware/domains
    urllist       malware/urls
    redirect      https://proxy.example.com/blocked.html?cat=malware&url=%u
}

# ACL groups
acl {
    default {
        pass !adult !malware !social all
        redirect https://proxy.example.com/blocked.html
    }

    admin {
        # Admin group — no filtering
        pass all
    }

    office {
        # Office hours policy — block social media during work hours
        pass !adult !malware !social all
    }
}

Compile the blocklists into Berkeley DB format:

1
2

sudo squidGuard -C all
sudo chown -R proxy:proxy /var/lib/squidguard/db

Integrate with Squid by adding this line to squid.conf:

1
2
3

# Add to squid.conf — pipe URLs through SquidGuard
url_rewrite_program /usr/bin/squidGuard
url_rewrite_children 5

Restart both services:

1
2

sudo systemctl restart squidguard
sudo systemctl restart squid

Feature Deep Dive

Content Analysis Capabilities

E2Guardian is the only tool among the three that performs actual content analysis. It scans HTTP response bodies for banned phrases, checks MIME types against allowed lists, and can even limit file download sizes. This is critical for environments like schools where you need to block specific categories of content regardless of the URL — for example, a legitimate news site might host an article with content you want to restrict.

Squid and SquidGuard only filter based on URLs, domains, and file extensions. They cannot see what’s actually on the page. If a banned topic appears at an unexpected URL, these tools will miss it.

HTTPS/SSL Filtering

All three tools require SSL interception (MITM) to filter HTTPS traffic. Without it, encrypted traffic passes through completely uninspected:

• Squid: Native SSL Bump support. Generate a CA certificate, install it on all client devices, and configure ssl_bump rules.
• E2Guardian: Cannot perform SSL interception directly. Must chain with an SSL-capable upstream proxy (Squid with SSL Bump) or use ICAP for content analysis after decryption.
• SquidGuard: Same as Squid — inherits SSL filtering capability from the Squid instance it’s attached to.

For organizations with strict privacy requirements, the SSL certificate management overhead is significant. Every client device (computers, phones, tablets) must trust your custom CA.

Blocklist Management

For automated blocklist updates, consider using public blocklists from sources like StevenBlack’s hosts file, the UT1 classification database, or Shallalist. These can be imported into all three tools with conversion scripts.

Performance and Resource Usage

In benchmark tests with 100 concurrent users:

SquidGuard adds minimal overhead because it performs simple database lookups. E2Guardian’s content scanning adds measurable latency but provides the deepest filtering. Standalone Squid is the fastest but offers the shallowest filtering.

Which Should You Choose?

Choose Squid If:

• You need a full-featured caching proxy with basic ACL filtering
• Performance and caching are your top priorities
• You want a single tool that handles proxy, caching, and simple access control
• Your filtering needs are straightforward (block specific domains, file types, or time-based rules)

Choose E2Guardian If:

• You need deep content analysis (phrase scanning, MIME inspection)
• You’re deploying in a school, library, or regulated environment
• You want category-based filtering with customizable age policies
• You can tolerate the performance overhead of content scanning

Choose SquidGuard If:

• You want URL/category filtering with minimal performance impact
• You already run Squid and want to add a dedicated URL filtering layer
• You need integration with public blocklist databases (UT1, Shallalist)
• You want per-group policies (admin, office, student) without content scanning

For the most robust setup, combine Squid + E2Guardian: use Squid for caching and SSL Bump, and E2Guardian as the content filtering layer. This gives you the best of both worlds — caching performance plus deep content analysis.

FAQ

Can these tools filter HTTPS traffic?

Yes, but only with SSL interception (also called SSL Bump or MITM). Squid has native SSL Bump support. E2Guardian and SquidGuard must work alongside an SSL-capable upstream proxy. Without SSL interception, all three tools can only filter based on the SNI (Server Name Indication) in the TLS handshake, which reveals the domain but not the full URL or content.

Do I need to install a CA certificate on every device?

Yes. For HTTPS content filtering to work, each client device must trust your custom Certificate Authority. On managed corporate devices, this can be deployed via Group Policy or MDM. For personal devices, users must manually install the CA certificate.

Can I use free blocklists with these tools?

Yes. Popular sources include the University of Toulouse UT1 classification database, Shallalist, and StevenBlack’s unified hosts file. SquidGuard has the most straightforward integration — simply download, convert to Berkeley DB format with squidGuard -C all, and reload. Squid and E2Guardian require custom scripts to parse and import these lists.

Which tool is easiest to set up for home use?

Squid is the simplest standalone option. Install it, add a few ACL rules for domains you want to block, and point your router or devices to use it as a proxy. E2Guardian adds complexity because it requires an upstream proxy, but it provides much deeper filtering. SquidGuard is a good middle ground if you want category-based filtering without content scanning.

Can these tools replace DNS-based filtering like Pi-hole?

They complement DNS-based filtering rather than replace it. DNS filtering (Pi-hole, AdGuard Home) blocks at the DNS resolution level — it’s fast but can be bypassed by using alternative DNS servers or hardcoding IPs. Content filters operate at the HTTP/HTTPS level, inspecting actual traffic, which provides a deeper security layer. Running both gives defense in depth.

How do I update blocklists automatically?

Write a cron job that downloads updated blocklists, converts them to the appropriate format (ACL files for Squid, plain text for E2Guardian, Berkeley DB for SquidGuard), and reloads the service. Here’s a simple example for SquidGuard:

1
2
3
4
5
6
7

#!/bin/bash
# /etc/cron.daily/update-blocklists.sh
cd /var/lib/squidguard/db
curl -sL "https://example.com/blocklist.tar.gz" | tar xz -C .
squidGuard -C all
chown -R proxy:proxy /var/lib/squidguard/db
systemctl reload squidguard

Does E2Guardian support multiple filter groups?

Yes. E2Guardian supports multiple filter groups with different policies (e.g., strict filtering for students, relaxed for teachers, no filtering for admins). Each group is defined by a separate configuration file and users are assigned to groups based on their IP address or authentication credentials.

Final Thoughts

The choice between Squid, E2Guardian, and SquidGuard ultimately comes down to how deep you need to look into web traffic. Squid gives you the foundation — a fast, reliable proxy with basic filtering. SquidGuard adds efficient URL and category blocking. E2Guardian delivers the deepest content analysis at the cost of additional complexity and resource usage.

For most organizations, a layered approach works best: DNS filtering at the perimeter, a proxy with URL-based filtering (Squid + SquidGuard) as the middle layer, and E2Guardian on top for environments that require content scanning. This defense-in-depth strategy ensures that even if one layer is bypassed, the others continue to protect your network.