sysadmin/squid-with-clam-and-qlproxy-test.conf

# squid.conf by afx

#ports
http_port 192.168.10.1:3128 intercept
https_port 192.168.10.1:3127 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/etc/opt/quintolabs/qlproxy/afx.pem capath=/etc/ssl/certs
http_port 192.168.10.1:8080

#generic
visible_hostname proxy.deflax.net
icp_port 0
dns_v4_first on
pid_filename /var/run/squid.pid
#cache_effective_user proxy
#cache_effective_group proxy
error_default_language bg 
coredump_dir /var/spool/squid
icon_directory /usr/share/squid/icons
cache_mgr admin@fqdn.com
access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log none
pinger_enable on
pinger_program /usr/lib/squid/pinger
netdb_filename /var/log/squid/netdb.state
sslcrtd_program /bin/ssl_crtd -s /var/spool/squid_ssldb -M 4MB -b 2048
sslcrtd_children 25
sslproxy_capath /etc/ssl/certs

#timeouts
peer_connect_timeout 2 minutes
persistent_request_timeout 2 minutes

#logfile_rotate 0
#debug_options rotate=0

#acl
acl localnet src 192.168.10.0/24	# RFC1918 possible internal network
acl allsrc src all
acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 3128 3127 1025-65535
acl sslports port 443 563
acl purge method PURGE
acl connect method CONNECT
acl HTTP proto HTTP
acl HTTPS proto HTTPS
acl allowed_subnets src 192.168.10.0/24
acl dynamic urlpath_regex cgi-bin \?

#ssl
always_direct allow all
#acl broken_ip dst "/etc/squid/ip_whitelist.acl"
acl broken_sites dstdomain "/etc/squid/ssl_whitelist.acl"
#ssl_bump none localhost
ssl_bump none broken_sites
#ssl_bump none broken_ip
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
ssl_bump server-first all

uri_whitespace strip

#cache settings
cache_dir ufs /var/spool/squid/cache/squid 14000 16 256
#cache deny dynamic
cache deny all
cache_mem 8 MB
maximum_object_size_in_memory 1024 KB
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
minimum_object_size 0 KB
maximum_object_size 10 KB
offline_mode off
memory_pools off

#httpaccess
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !safeports
http_access deny CONNECT !sslports

# Facebook Like Button Denial
#acl facebook dstdomain .facebook.com
#acl facebook_like urlpath_regex -i ^\/plugins\/like\.php
#deny_info error-facebook-like facebook_like
#http_access deny facebook facebook_like

request_body_max_size 0 KB
delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 -1/-1
delay_initial_bucket_level 100
delay_access 1 allow allsrc

icap_enable on
icap_preview_enable on
icap_preview_size 4096
icap_persistent_connections on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_header X-Client-Username
icap_service qlproxy1 reqmod_precache bypass=1 icap://127.0.0.1:1344/reqmod
icap_service qlproxy2 respmod_precache bypass=1 icap://127.0.0.1:1344/respmod
icap_service squidclamav1 reqmod_precache bypass=1 icap://127.0.0.1:1345/squidclamav
icap_service squidclamav2 respmod_precache bypass=1 icap://127.0.0.1:1345/squidclamav

#acl qlproxy_icap_edomains dstdomain "/etc/opt/quintolabs/qlproxy/squid/icap_exclusions_domains.conf"
#acl qlproxy_icap_etypes rep_mime_type "/etc/opt/quintolabs/qlproxy/squid/icap_exclusions_contenttypes.conf"

adaptation_service_chain svcRequest qlproxy1 squidclamav1
adaptation_service_chain svcResponse qlproxy2 squidclamav2
adaptation_access svcRequest allow all
adaptation_access svcResponse allow all

#no clamav
#adaptation_access svcRequest deny qlproxy_icap_edomains
#adaptation_access svcResponse deny qlproxy_icap_edomains
#adaptation_access svcResponse deny qlproxy_icap_etypes
#adaptation_access qlproxy1 allow all
#adaptation_access qlproxy2 allow all

http_access allow allowed_subnets
http_access allow localhost
http_access deny allsrc