Port 3128 (TCP) – Squid HTTP Proxy

Default listening port for the Squid caching/forwarding HTTP proxy.

TCP | Registered | Commonly attacked

Default state

Open on hosts running Squid. Often bound to all interfaces and left as an open proxy when ACLs are misconfigured.

Common attacks

  • Open-proxy abuse to relay traffic, spam, and anonymize attacks
  • Internal SSRF and pivoting to reach intranet-only services
  • Scanning for proxies to bypass egress filtering and IP allowlists
  • Exploiting unpatched Squid parsing/RCE bugs

Hardening

  • Bind Squid to internal interfaces only; never expose 3128 to the internet
  • Enforce strict http_access ACLs and deny by default
  • Require proxy authentication for outbound use
  • Restrict reachable destinations to block SSRF/pivoting
  • Keep Squid patched against parsing and RCE vulnerabilities

nmap snippet

nmap -p3128 --script http-open-proxy <target>

Replace <target> with the host or range you're authorized to scan.

What runs on port 3128?

Port 3128 is the default listening port for Squid, a widely deployed caching and forwarding HTTP/HTTPS proxy. Organizations use it to centralize web access, cache content, apply egress filtering, and log outbound traffic. Clients send HTTP requests to Squid, which fetches the resource on their behalf and returns it.

Why it matters for security

A proxy sits between clients and the wider network, so a misconfigured Squid becomes a powerful tool for an attacker. If http_access ACLs are too permissive, 3128 turns into an open proxy anyone can relay through — anonymizing attacks, sending spam, and bypassing IP allowlists. Worse, a proxy reachable from outside can be coaxed into SSRF, fetching internal-only URLs and pivoting into the intranet.

How it's attacked

Scanners hunt for open proxies and confirm them with nmap's http-open-proxy script. Once found, attackers route traffic through 3128 to hide their origin or to reach internal services (cloud metadata endpoints, admin panels) the proxy can see but they cannot. Unpatched Squid builds have also suffered request-parsing and RCE bugs that turn the proxy itself into a foothold.

Hardening checklist

Bind Squid to internal interfaces only and never expose 3128 to the internet. Write strict http_access ACLs that deny by default and require proxy authentication for outbound use. Restrict the destinations Squid may reach to blunt SSRF and pivoting, and keep the daemon patched. Use the nmap snippet above to confirm whether a proxy is open on systems you are authorized to test.
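The checklist above can be turned into a configuration audit. The following is an added example, not code from this page or from the Squid project: a small Python linter that reads the text of a squid.conf and reports which of the four configuration items are missing. The finding codes, sample configs, addresses and the auth helper path are assumptions, and the parser is simplified (no include files, no combined ACL logic).

```python
import ipaddress

# Constructed sample configs (not from the page or the Squid project).
WEAK = "http_port 3128\nhttp_access allow all\n"
HARDENED = """\
http_port 10.0.0.5:3128
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
acl localnet src 10.0.0.0/8
acl users proxy_auth REQUIRED
acl internal_dst dst 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16 127.0.0.0/8
http_access deny internal_dst
http_access allow localnet users
http_access deny all
"""
# Destinations the proxy should refuse: cloud metadata, RFC 1918, loopback.
PROBES = ["169.254.169.254", "10.0.0.1", "172.16.0.1", "192.168.0.1", "127.0.0.1"]

def _net(value):
    try:
        return ipaddress.ip_network(value, strict=False)
    except ValueError:  # hostname or address range: not evaluated by this check
        return None

def audit(conf):
    """Return sorted finding codes for the text of a squid.conf."""
    acls, rules, ports, found = {}, [], [], set()
    for line in conf.splitlines():
        tok = line.split("#", 1)[0].split()
        if len(tok) >= 3 and tok[0] == "acl":
            acls.setdefault(tok[1], (tok[2], []))[1].extend(tok[3:])
        elif len(tok) >= 3 and tok[0] == "http_access":
            rules.append((tok[1], tok[2:]))
        elif len(tok) >= 2 and tok[0] == "http_port":
            ports.append(tok[1])
    kind = lambda name: acls.get(name, ("", []))[0]  # "" for built-ins like "all"
    if any(p.rpartition(":")[0] in ("", "0.0.0.0", "[::]") for p in ports):
        found.add("BIND_ALL_INTERFACES")
    if not rules or rules[-1] != ("deny", ["all"]):
        found.add("NO_EXPLICIT_DEFAULT_DENY")
    if any(a == "allow" and "proxy_auth" not in map(kind, ns) for a, ns in rules):
        found.add("ALLOW_WITHOUT_AUTH")
    # Only dst ACLs denied on their own before the first allow rule are counted.
    first_allow = next((i for i, r in enumerate(rules) if r[0] == "allow"), len(rules))
    nets = [_net(v) for a, ns in rules[:first_allow]
            if a == "deny" and len(ns) == 1 and kind(ns[0]) == "dst"
            for v in acls[ns[0]][1]]
    if not all(any(n is not None and ipaddress.ip_address(ip) in n for n in nets)
               for ip in PROBES):
        found.add("INTERNAL_DST_REACHABLE")
    return sorted(found)
```

Rule order matters because Squid stops at the first http_access line that matches, which is why the destination deny has to come before any allow.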

Frequently asked questions

What is an open proxy on port 3128?

A Squid proxy with permissive ACLs that forwards requests for anyone. Attackers use it to anonymize traffic, bypass IP allowlists, and reach internal services.

How is Squid different from a SOCKS proxy on 1080?

Squid on 3128 is an HTTP/HTTPS forwarding proxy with caching and ACLs. SOCKS on 1080 is a lower-level, protocol-agnostic relay. Both are abused as open proxies when unauthenticated.