-
-
Save bright-spark/a25d4fae5311d8e54657eec09dbecc3e to your computer and use it in GitHub Desktop.
Sample configuration for squid proxy server. Source here -> https://calomel.org/squid.html
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # | |
| ### Calomel.org Squid squid.conf | |
| # | |
| ########### squid.conf ########### | |
| # | |
| ## interface, port and proxy type | |
| #http_port 10.10.10.1:8080 transparent | |
| http_port 10.10.10.1:8080 | |
| ## general options | |
| cache_mgr not_to_be_disturbed | |
| client_db on | |
| collapsed_forwarding on | |
| detect_broken_pconn on | |
| dns_defnames on | |
| dns_retransmit_interval 2 seconds | |
| dns_timeout 5 minutes | |
| forwarded_for off | |
| half_closed_clients off | |
| httpd_suppress_version_string on | |
| ignore_unknown_nameservers on | |
| pipeline_prefetch on | |
| retry_on_error on | |
| strip_query_terms off | |
| uri_whitespace strip | |
| visible_hostname localhost | |
| ## timeouts | |
| forward_timeout 30 seconds | |
| connect_timeout 30 seconds | |
| read_timeout 30 seconds | |
| request_timeout 30 seconds | |
| persistent_request_timeout 1 minute | |
| client_lifetime 20 hours | |
| ## host definitions | |
| acl all src 0.0.0.0/0 | |
| acl localhost src 127.0.0.1/255.255.255.255 | |
| acl to_localhost dst 127.0.0.0/8 | |
| ## proxy server client access | |
| acl mynetworks src 127.0.0.0/8 10.10.10.0/28 | |
| http_access deny !mynetworks | |
| ## max connections per ip | |
| acl maxuserconn src 127.0.0.0/8 10.0.10.0/28 | |
| acl limitusercon maxconn 500 | |
| http_access deny maxuserconn limitusercon | |
| ## disable caching | |
| cache deny all | |
| cache_dir null /tmp | |
| ## disable multicast icp | |
| icp_port 0 | |
| icp_access deny all | |
| ## disable ident lookups | |
| ident_lookup_access deny all | |
| ## no-trust for on-the-fly Content-Encoding | |
| acl apache rep_header Server ^Apache | |
| broken_vary_encoding allow apache | |
| ## logs | |
| logformat combined [%tl] %>A %{Host}>h "%rm %ru HTTP/%rv" %Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh | |
| access_log /var/log/squid/access.log combined | |
| cache_store_log /var/log/squid/store.log | |
| cache_log /var/log/squid/cache.log | |
| logfile_rotate 8 | |
| ## support files | |
| coredump_dir /tmp | |
| pid_filename /var/log/squid/squid.pid | |
| ## ports allowed | |
| acl Safe_ports port 80 443 | |
| http_access deny !Safe_ports | |
| ## ssl ports/method allowed | |
| acl SSL_ports port 443 | |
| acl CONNECT method CONNECT | |
| http_access deny CONNECT !SSL_ports | |
| ## protocols allowed | |
| acl Safe_proto proto HTTP SSL | |
| http_access deny !Safe_proto | |
| ## browsers allowed | |
| # acl Safe_browser browser ^Mozilla/5\.0.*Firefox/2\.0\.0\.6 | |
| # http_access deny !Safe_Browser | |
| ## disable ads ( //squid_adservers.html ) | |
| # acl ads dstdom_regex "/etc/squid/ad_block.txt" | |
| # http_access deny ads | |
| # deny_info TCP_RESET ads | |
| ## Banned Sites | |
| # acl Bad_Site dstdom_regex myspace.com youtube.com facebook.com | |
| # http_access deny Bad_Site | |
| ## redirector | |
| # acl my_url dstdomain SITE_NAME.COM | |
| # redirector_access allow my_url | |
| # redirect_children 1 | |
| # redirect_rewrites_host_header off | |
| # redirect_program /etc/squid/squid_redirector.pl | |
| ## methods allowed | |
| acl Safe_method method CONNECT GET HEAD POST | |
| http_access deny !Safe_method | |
| ## allow replies to client requests | |
| http_reply_access allow all | |
| ## header re-write | |
| # header_replace Accept */* | |
| # header_replace Accept-Encoding gzip | |
| # header_replace Accept-Language en | |
| header_replace User-Agent OurBrowser/1.0 (Some Name) | |
| ## header list ( DENY all - ALLOW listed ) | |
| header_access Accept allow all | |
| header_access Accept-Encoding allow all | |
| header_access Accept-Language allow all | |
| header_access Authorization allow all | |
| header_access Cache-Control allow all | |
| header_access Content-Disposition allow all | |
| header_access Content-Encoding allow all | |
| header_access Content-Length allow all | |
| header_access Content-Location allow all | |
| header_access Content-Range allow all | |
| header_access Content-Type allow all | |
| header_access Cookie allow all | |
| header_access Expires allow all | |
| header_access Host allow all | |
| header_access If-Modified-Since allow all | |
| header_access Location allow all | |
| header_access Range allow all | |
| header_access Referer allow all | |
| header_access Set-Cookie allow all | |
| header_access WWW-Authenticate allow all | |
| header_access All deny all | |
| ########## END ########### |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # ---------------------------------------------------------------------- | |
| # WARNING - do not edit this template unless you know what you are doing | |
| # ---------------------------------------------------------------------- | |
| # the parent cache | |
| cache_peer %PARENTPROXY% parent %PARENTPORT% 7 no-query no-digest no-netdb-exchange default | |
| # performance options | |
| pipeline_prefetch %PIPELINE_PREFETCH% | |
| cache_miss_revalidate %CACHE_MISS_REVALIDATE% | |
| read_ahead_gap %READ_AHEAD_GAP% | |
| cache_replacement_policy %CACHE_REPLACEMENT_POLICY% | |
| memory_replacement_policy %MEMORY_REPLACEMENT_POLICY% | |
| # disk and memory cache settings | |
| cache_dir ufs %CACHEDIR% %CACHESIZE% 16 256 | |
| maximum_object_size %MAXOBJECTSIZE% | |
| cache_mem %MEMCACHESIZE% | |
| maximum_object_size_in_memory %MEMMAXOBJECTSIZE% | |
| # store coredumps in the first cache dir | |
| coredump_dir %CACHEDIR% | |
| # the hostname squid displays in error messages | |
| visible_hostname %VISIBLEHOSTNAME% | |
| # log & process ID file details | |
| cache_access_log stdio:%ACCESSLOG% | |
| cache_store_log stdio:%STORELOG% | |
| cache_log %CACHELOG% | |
| pid_filename %PIDFILE% | |
| # Squid listening port | |
| http_port %PORT% | |
| # Access Control lists | |
| acl SSL_ports port 443 | |
| acl Safe_ports port 80 # http | |
| acl Safe_ports port 21 # ftp | |
| acl Safe_ports port 443 # https | |
| acl Safe_ports port 70 # gopher | |
| acl Safe_ports port 210 # wais | |
| acl Safe_ports port 1025-65535 # unregistered ports | |
| acl Safe_ports port 280 # http-mgmt | |
| acl Safe_ports port 488 # gss-http | |
| acl Safe_ports port 591 # filemaker | |
| acl Safe_ports port 777 # multiling http | |
| acl CONNECT method CONNECT | |
| %ALLOWEDHOSTS% | |
| %DIRECTHOSTS% | |
| # Only allow cachemgr access from localhost | |
| http_access allow localhost manager | |
| http_access deny manager | |
| # Deny requests to certain unsafe ports | |
| http_access deny !Safe_ports | |
| # Deny CONNECT to other than secure SSL ports | |
| http_access deny CONNECT !SSL_ports | |
| # protect web apps running on the proxy host from external users | |
| http_access deny to_localhost | |
| # rules for client access go here | |
| http_access allow localhost | |
| %HTTPACCESSALLOWED% | |
| # after allowed hosts, deny all other access to this proxy | |
| # don't list any other access settings below this point | |
| http_access deny all | |
| # specify which hosts have direct access (bypassing the parent proxy) | |
| %ALWAYSDIRECT% | |
| always_direct deny all | |
| # refresh patterns (squid-recommended) | |
| refresh_pattern ^ftp: 1440 20% 10080 | |
| refresh_pattern ^gopher: 1440 0% 1440 | |
| refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 | |
| refresh_pattern . 0 20% 4320 | |
| # anonymize | |
| via off | |
| forwarded_for off |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment