126 lines
3.7 KiB
Text
126 lines
3.7 KiB
Text
|
# squid.conf by afx
|
||
|
|
||
|
#ports
|
||
|
http_port 192.168.10.1:3128 intercept
|
||
|
https_port 192.168.10.1:3127 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/etc/opt/quintolabs/qlproxy/afx.pem capath=/etc/ssl/certs
|
||
|
http_port 192.168.10.1:8080
|
||
|
|
||
|
#generic
|
||
|
visible_hostname proxy.deflax.net
|
||
|
icp_port 0
|
||
|
dns_v4_first on
|
||
|
pid_filename /var/run/squid.pid
|
||
|
#cache_effective_user proxy
|
||
|
#cache_effective_group proxy
|
||
|
error_default_language bg
|
||
|
coredump_dir /var/spool/squid
|
||
|
icon_directory /usr/share/squid/icons
|
||
|
cache_mgr admin@fqdn.com
|
||
|
access_log /var/log/squid/access.log
|
||
|
cache_log /var/log/squid/cache.log
|
||
|
cache_store_log none
|
||
|
pinger_enable on
|
||
|
pinger_program /usr/lib/squid/pinger
|
||
|
netdb_filename /var/log/squid/netdb.state
|
||
|
sslcrtd_program /bin/ssl_crtd -s /var/spool/squid_ssldb -M 4MB -b 2048
|
||
|
sslcrtd_children 25
|
||
|
sslproxy_capath /etc/ssl/certs
|
||
|
|
||
|
#timeouts
|
||
|
peer_connect_timeout 2 minutes
|
||
|
persistent_request_timeout 2 minutes
|
||
|
|
||
|
#logfile_rotate 0
|
||
|
#debug_options rotate=0
|
||
|
|
||
|
#acl
|
||
|
acl localnet src 192.168.10.0/24 # RFC1918 possible internal network
|
||
|
acl allsrc src all
|
||
|
acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 3128 3127 1025-65535
|
||
|
acl sslports port 443 563
|
||
|
acl purge method PURGE
|
||
|
acl connect method CONNECT
|
||
|
acl HTTP proto HTTP
|
||
|
acl HTTPS proto HTTPS
|
||
|
acl allowed_subnets src 192.168.10.0/24
|
||
|
acl dynamic urlpath_regex cgi-bin \?
|
||
|
|
||
|
#ssl
|
||
|
always_direct allow all
|
||
|
#acl broken_ip dst "/etc/squid/ip_whitelist.acl"
|
||
|
acl broken_sites dstdomain "/etc/squid/ssl_whitelist.acl"
|
||
|
#ssl_bump none localhost
|
||
|
ssl_bump none broken_sites
|
||
|
#ssl_bump none broken_ip
|
||
|
sslproxy_cert_error allow all
|
||
|
sslproxy_flags DONT_VERIFY_PEER
|
||
|
ssl_bump server-first all
|
||
|
|
||
|
uri_whitespace strip
|
||
|
|
||
|
#cache settings
|
||
|
cache_dir ufs /var/spool/squid/cache/squid 14000 16 256
|
||
|
#cache deny dynamic
|
||
|
cache deny all
|
||
|
cache_mem 8 MB
|
||
|
maximum_object_size_in_memory 1024 KB
|
||
|
memory_replacement_policy heap GDSF
|
||
|
cache_replacement_policy heap LFUDA
|
||
|
minimum_object_size 0 KB
|
||
|
maximum_object_size 10 KB
|
||
|
offline_mode off
|
||
|
memory_pools off
|
||
|
|
||
|
#httpaccess
|
||
|
http_access allow manager localhost
|
||
|
http_access deny manager
|
||
|
http_access allow purge localhost
|
||
|
http_access deny purge
|
||
|
http_access deny !safeports
|
||
|
http_access deny CONNECT !sslports
|
||
|
|
||
|
# Facebook Like Button Denial
|
||
|
#acl facebook dstdomain .facebook.com
|
||
|
#acl facebook_like urlpath_regex -i ^\/plugins\/like\.php
|
||
|
#deny_info error-facebook-like facebook_like
|
||
|
#http_access deny facebook facebook_like
|
||
|
|
||
|
request_body_max_size 0 KB
|
||
|
delay_pools 1
|
||
|
delay_class 1 2
|
||
|
delay_parameters 1 -1/-1 -1/-1
|
||
|
delay_initial_bucket_level 100
|
||
|
delay_access 1 allow allsrc
|
||
|
|
||
|
icap_enable on
|
||
|
icap_preview_enable on
|
||
|
icap_preview_size 4096
|
||
|
icap_persistent_connections on
|
||
|
icap_send_client_ip on
|
||
|
icap_send_client_username on
|
||
|
icap_client_username_header X-Client-Username
|
||
|
icap_service qlproxy1 reqmod_precache bypass=1 icap://127.0.0.1:1344/reqmod
|
||
|
icap_service qlproxy2 respmod_precache bypass=1 icap://127.0.0.1:1344/respmod
|
||
|
icap_service squidclamav1 reqmod_precache bypass=1 icap://127.0.0.1:1345/squidclamav
|
||
|
icap_service squidclamav2 respmod_precache bypass=1 icap://127.0.0.1:1345/squidclamav
|
||
|
|
||
|
#acl qlproxy_icap_edomains dstdomain "/etc/opt/quintolabs/qlproxy/squid/icap_exclusions_domains.conf"
|
||
|
#acl qlproxy_icap_etypes rep_mime_type "/etc/opt/quintolabs/qlproxy/squid/icap_exclusions_contenttypes.conf"
|
||
|
|
||
|
adaptation_service_chain svcRequest qlproxy1 squidclamav1
|
||
|
adaptation_service_chain svcResponse qlproxy2 squidclamav2
|
||
|
adaptation_access svcRequest allow all
|
||
|
adaptation_access svcResponse allow all
|
||
|
|
||
|
#no clamav
|
||
|
#adaptation_access svcRequest deny qlproxy_icap_edomains
|
||
|
#adaptation_access svcResponse deny qlproxy_icap_edomains
|
||
|
#adaptation_access svcResponse deny qlproxy_icap_etypes
|
||
|
#adaptation_access qlproxy1 allow all
|
||
|
#adaptation_access qlproxy2 allow all
|
||
|
|
||
|
http_access allow allowed_subnets
|
||
|
http_access allow localhost
|
||
|
http_access deny allsrc
|
||
|
|