# squid.conf by afx #ports http_port 192.168.10.1:3128 intercept https_port 192.168.10.1:3127 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/etc/opt/quintolabs/qlproxy/afx.pem capath=/etc/ssl/certs http_port 192.168.10.1:8080 #generic visible_hostname proxy.deflax.net icp_port 0 dns_v4_first on pid_filename /var/run/squid.pid #cache_effective_user proxy #cache_effective_group proxy error_default_language bg coredump_dir /var/spool/squid icon_directory /usr/share/squid/icons cache_mgr admin@fqdn.com access_log /var/log/squid/access.log cache_log /var/log/squid/cache.log cache_store_log none pinger_enable on pinger_program /usr/lib/squid/pinger netdb_filename /var/log/squid/netdb.state sslcrtd_program /bin/ssl_crtd -s /var/spool/squid_ssldb -M 4MB -b 2048 sslcrtd_children 25 sslproxy_capath /etc/ssl/certs #timeouts peer_connect_timeout 2 minutes persistent_request_timeout 2 minutes #logfile_rotate 0 #debug_options rotate=0 #acl acl localnet src 192.168.10.0/24 # RFC1918 possible internal network acl allsrc src all acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 3128 3127 1025-65535 acl sslports port 443 563 acl purge method PURGE acl connect method CONNECT acl HTTP proto HTTP acl HTTPS proto HTTPS acl allowed_subnets src 192.168.10.0/24 acl dynamic urlpath_regex cgi-bin \? #ssl always_direct allow all #acl broken_ip dst "/etc/squid/ip_whitelist.acl" acl broken_sites dstdomain "/etc/squid/ssl_whitelist.acl" #ssl_bump none localhost ssl_bump none broken_sites #ssl_bump none broken_ip sslproxy_cert_error allow all sslproxy_flags DONT_VERIFY_PEER ssl_bump server-first all uri_whitespace strip #cache settings cache_dir ufs /var/spool/squid/cache/squid 14000 16 256 #cache deny dynamic cache deny all cache_mem 8 MB maximum_object_size_in_memory 1024 KB memory_replacement_policy heap GDSF cache_replacement_policy heap LFUDA minimum_object_size 0 KB maximum_object_size 10 KB offline_mode off memory_pools off #httpaccess http_access allow manager localhost http_access deny manager http_access allow purge localhost http_access deny purge http_access deny !safeports http_access deny CONNECT !sslports # Facebook Like Button Denial #acl facebook dstdomain .facebook.com #acl facebook_like urlpath_regex -i ^\/plugins\/like\.php #deny_info error-facebook-like facebook_like #http_access deny facebook facebook_like request_body_max_size 0 KB delay_pools 1 delay_class 1 2 delay_parameters 1 -1/-1 -1/-1 delay_initial_bucket_level 100 delay_access 1 allow allsrc icap_enable on icap_preview_enable on icap_preview_size 4096 icap_persistent_connections on icap_send_client_ip on icap_send_client_username on icap_client_username_header X-Client-Username icap_service qlproxy1 reqmod_precache bypass=1 icap://127.0.0.1:1344/reqmod icap_service qlproxy2 respmod_precache bypass=1 icap://127.0.0.1:1344/respmod icap_service squidclamav1 reqmod_precache bypass=1 icap://127.0.0.1:1345/squidclamav icap_service squidclamav2 respmod_precache bypass=1 icap://127.0.0.1:1345/squidclamav #acl qlproxy_icap_edomains dstdomain "/etc/opt/quintolabs/qlproxy/squid/icap_exclusions_domains.conf" #acl qlproxy_icap_etypes rep_mime_type "/etc/opt/quintolabs/qlproxy/squid/icap_exclusions_contenttypes.conf" adaptation_service_chain svcRequest qlproxy1 squidclamav1 adaptation_service_chain svcResponse qlproxy2 squidclamav2 adaptation_access svcRequest allow all adaptation_access svcResponse allow all #no clamav #adaptation_access svcRequest deny qlproxy_icap_edomains #adaptation_access svcResponse deny qlproxy_icap_edomains #adaptation_access svcResponse deny qlproxy_icap_etypes #adaptation_access qlproxy1 allow all #adaptation_access qlproxy2 allow all http_access allow allowed_subnets http_access allow localhost http_access deny allsrc