sysadmin/squid-with-clam-and-qlproxy-test.conf

# squid.conf by afx
#
# Intercepting proxy with SSL bump, chained through two ICAP services
# (qlproxy content filter first, then squidclamav antivirus).
# NOTE(review): every *_access and ssl_bump list below is first-match;
# line order is part of the policy, so do not reorder when editing.
#
# --- Listening ports ---
# Intercepted plain HTTP (traffic is redirected here, clients are not
# configured to use a proxy).
http_port 192.168.10.1:3128 intercept
# Intercepted HTTPS, bumped: Squid mints a per-site certificate on the fly
# signed by afx.pem, so every client behind this proxy must trust that CA.
# Treat /etc/opt/quintolabs/qlproxy/afx.pem as a private signing key
# (restrictive file permissions, controlled backups): whoever holds it can
# impersonate any site to these clients.
https_port 192.168.10.1:3127 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/etc/opt/quintolabs/qlproxy/afx.pem capath=/etc/ssl/certs
# Explicit (non-intercept) proxy port for clients configured to use a proxy.
http_port 192.168.10.1:8080
# --- General ---
visible_hostname proxy.deflax.net
# No ICP peering.
icp_port 0
dns_v4_first on
pid_filename /var/run/squid.pid
# Effective user/group left at Squid's built-in default.
# NOTE(review): confirm on the host that the worker processes do not run as root.
#cache_effective_user proxy
#cache_effective_group proxy
# Error pages are served in Bulgarian.
error_default_language bg
coredump_dir /var/spool/squid
icon_directory /usr/share/squid/icons
cache_mgr admin@fqdn.com
access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
# No per-object store log.
cache_store_log none
pinger_enable on
pinger_program /usr/lib/squid/pinger
netdb_filename /var/log/squid/netdb.state
# Helper that generates the bumped certificates; -s is its certificate
# database directory, -M the size limit of that database.
sslcrtd_program /bin/ssl_crtd -s /var/spool/squid_ssldb -M 4MB -b 2048
sslcrtd_children 25
# CA directory for validating upstream server certificates.  Note that the
# sslproxy_* lines in the SSL section below switch that validation off.
sslproxy_capath /etc/ssl/certs
# --- Timeouts ---
peer_connect_timeout 2 minutes
persistent_request_timeout 2 minutes
#logfile_rotate 0
#debug_options rotate=0
# --- ACL definitions ---
# NOTE(review): localnet is declared but not referenced by any rule visible
# in this file; allowed_subnets (same prefix) is what the final http_access uses.
acl localnet src 192.168.10.0/24 # RFC1918 possible internal network
acl allsrc src all
# Destination ports clients may request.  Note the wide 1025-65535 range and
# that this proxy's own listening ports (3128, 3127) are included.
acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 3128 3127 1025-65535
# Ports a CONNECT tunnel may target.
acl sslports port 443 563
acl purge method PURGE
# NOTE(review): declared as "connect" but referenced as "CONNECT" in the
# http_access rules below; verify with `squid -k parse` on the deployed
# version that both spellings resolve to this ACL.
acl connect method CONNECT
acl HTTP proto HTTP
acl HTTPS proto HTTPS
# Sources allowed to use the proxy; no authentication is required.
acl allowed_subnets src 192.168.10.0/24
# Only referenced by the commented-out "cache deny dynamic" below.
acl dynamic urlpath_regex cgi-bin \?
# --- SSL bump ---
# Always fetch from origin; no cache_peer forwarding.
always_direct allow all
#acl broken_ip dst "/etc/squid/ip_whitelist.acl"
# Domains excluded from bumping (their TLS is tunnelled untouched);
# maintained one entry per line in the referenced file.
acl broken_sites dstdomain "/etc/squid/ssl_whitelist.acl"
#ssl_bump none localhost
# ssl_bump is first-match: exclusions must come before the catch-all rule.
ssl_bump none broken_sites
#ssl_bump none broken_ip
# The next two lines together disable validation of the upstream server's
# certificate: every certificate error is ignored and the peer is not
# verified at all.  Bumped clients only ever see a certificate freshly
# signed by afx.pem, so they cannot detect a bad or attacker-supplied
# upstream certificate either -- this proxy is the only place that check can
# happen.  Prefer removing both lines and handling genuine exceptions
# through broken_sites; at minimum, log and review why they are needed.
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
# Bump everything not excluded above.
ssl_bump server-first all
uri_whitespace strip
# --- Cache settings ---
# A 14000 MB disk cache is configured, but "cache deny all" below prevents
# anything from being stored in it.
cache_dir ufs /var/spool/squid/cache/squid 14000 16 256
#cache deny dynamic
cache deny all
cache_mem 8 MB
maximum_object_size_in_memory 1024 KB
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
minimum_object_size 0 KB
maximum_object_size 10 KB
offline_mode off
memory_pools off
# --- Access control (first match wins) ---
# manager and localhost are not declared in this file; this relies on
# Squid's built-in ACL definitions (Squid 3.2+) -- confirm for the deployed version.
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
# Deny-rules here apply to every source, including allowed_subnets below.
http_access deny !safeports
http_access deny CONNECT !sslports
# Facebook Like Button Denial (disabled, kept for reference)
#acl facebook dstdomain .facebook.com
#acl facebook_like urlpath_regex -i ^\/plugins\/like\.php
#deny_info error-facebook-like facebook_like
#http_access deny facebook facebook_like
# 0 means no limit on request body (upload) size.
request_body_max_size 0 KB
# A delay pool is defined, but -1/-1 means unlimited in both buckets, so no
# bandwidth shaping is actually applied.
delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 -1/-1
delay_initial_bucket_level 100
delay_access 1 allow allsrc
# --- ICAP adaptation ---
icap_enable on
icap_preview_enable on
icap_preview_size 4096
icap_persistent_connections on
# The client's IP and username are forwarded to the ICAP services (both on
# 127.0.0.1 here) in request headers.
icap_send_client_ip on
icap_send_client_username on
icap_client_username_header X-Client-Username
# bypass=1 on every service makes it optional: if the service is unreachable
# or errors, the message is processed as if the service were not configured.
# This is fail-open -- the content filter and antivirus are then silently
# absent; monitor cache.log for ICAP errors if that is not the intent.
icap_service qlproxy1 reqmod_precache bypass=1 icap://127.0.0.1:1344/reqmod
icap_service qlproxy2 respmod_precache bypass=1 icap://127.0.0.1:1344/respmod
icap_service squidclamav1 reqmod_precache bypass=1 icap://127.0.0.1:1345/squidclamav
icap_service squidclamav2 respmod_precache bypass=1 icap://127.0.0.1:1345/squidclamav
#acl qlproxy_icap_edomains dstdomain "/etc/opt/quintolabs/qlproxy/squid/icap_exclusions_domains.conf"
#acl qlproxy_icap_etypes rep_mime_type "/etc/opt/quintolabs/qlproxy/squid/icap_exclusions_contenttypes.conf"
# In each direction the message passes qlproxy first, then squidclamav.
adaptation_service_chain svcRequest qlproxy1 squidclamav1
adaptation_service_chain svcResponse qlproxy2 squidclamav2
# Both chains apply to all traffic.
adaptation_access svcRequest allow all
adaptation_access svcResponse allow all
# Alternative qlproxy-only rule set (no clamav), kept for reference:
#adaptation_access svcRequest deny qlproxy_icap_edomains
#adaptation_access svcResponse deny qlproxy_icap_edomains
#adaptation_access svcResponse deny qlproxy_icap_etypes
#adaptation_access qlproxy1 allow all
#adaptation_access qlproxy2 allow all
# Final rules: any host in the allowed subnet may use the proxy without
# authentication; everything else is denied.
http_access allow allowed_subnets
http_access allow localhost
http_access deny allsrc