e7d · November 6, 2024 08:34 · SoyLuz · Mar 1, 2018
diff --git a/README.md b/README.md
diff --git a/squid-install.sh b/squid-install.sh
 #!/bin/sh

 if [ "$(id -u)" != "0" ]; then
  echo "This script must be run as root" 1>&2
  exit 1
 fi

 echo "Update packages list"
 apt-get update

 echo "Build dependencies"
 RUNLEVEL=1 apt-get -y install squid3 squid3-common apache2-utils

 echo "Create configuration file"
 mv /etc/squid3/squid.conf /etc/squid3/squid.conf.default
 wget --no-check-certificate -O /etc/squid3/squid.conf https://gist.githubusercontent.com/e7d/9472c3e7ac1821056867b95244c73609/raw/squid.conf

 echo "Create users database sample"
 htpasswd -cbd /etc/squid3/users.pwd proxy proxy

 echo "Prepare environment for first start"
 mkdir -p /var/log/squid3
 mkdir -p /var/cache/squid3
 mkdir -p /var/spool/squid3
 chown -cR proxy /var/log/squid3
 chown -cR proxy /var/cache/squid3
 chown -cR proxy /var/spool/squid3
 squid3 -z

 echo "Start service"
 service squid3 start

 exit 0
diff --git a/squid.conf b/squid.conf
 # General

 http_port 3128
 visible_hostname Proxy
 forwarded_for delete
 via off

 # Log

 logformat squid %tg.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt
 access_log /var/log/squid3/access.log squid

 # Cache

 cache_dir aufs /var/cache/squid3 1024 16 256
 coredump_dir /var/spool/squid3

 acl QUERY urlpath_regex cgi-bin \?
 cache deny QUERY

 refresh_pattern ^ftp:           1440    20%     10080
 refresh_pattern ^gopher:        1440    0%      1440
 refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
 refresh_pattern .               0       20%     4320

 # Network ACL

 acl localnet src 10.0.0.0/8     # RFC 1918 possible internal network
 acl localnet src 172.16.0.0/12  # RFC 1918 possible internal network
 acl localnet src 192.168.0.0/16 # RFC 1918 possible internal network
 acl localnet src fc00::/7       # RFC 4193 local private network range
 acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

 # Port ACL

 acl SSL_ports port 443          # https
 acl SSL_ports port 563          # snews
 acl SSL_ports port 873          # rync
 acl Safe_ports port 80 8080     # http
 acl Safe_ports port 21          # ftp
 acl Safe_ports port 443 563     # https
 acl Safe_ports port 70          # gopher
 acl Safe_ports port 210         # wais
 acl Safe_ports port 1025-65535  # unregistered ports
 acl Safe_ports port 280         # http-mgmt
 acl Safe_ports port 488         # gss-http
 acl Safe_ports port 591         # filemaker
 acl Safe_ports port 777         # multiling http
 acl purge method PURGE
 acl CONNECT method CONNECT

 # Authentication
 #   Uncomment the following lines to enable file based authentication BUT:
 #   The following section requires to have squid libs installed, especially `nsca_auth`, to be working.
 #   This sections uses a Htpasswd file named `users.pwd` file to store eligible accounts.
 #   You can generate yours using the htpasswd command from "apache2-utils" aptitude package, using "-d" flag to use system CRYPT.

 auth_param basic program /usr/lib/squid3/basic_ncsa_auth /etc/squid3/users.pwd
 auth_param basic children 5
 auth_param basic realm Proxy
 auth_param basic credentialsttl 2 hours
 auth_param basic casesensitive on

 acl Users proxy_auth REQUIRED
 http_access allow Users

 # Access Restrictions

 http_access allow manager localhost
 http_access deny manager

 http_access allow purge localhost
 http_access deny purge

 http_access deny !Safe_ports
 http_access deny CONNECT !SSL_ports

 http_reply_access allow all
 htcp_access deny all
 icp_access allow all
 always_direct allow all

 # Request Headers Forcing

 request_header_access Allow allow all
 request_header_access Authorization allow all
 request_header_access WWW-Authenticate allow all
 request_header_access Proxy-Authorization allow all
 request_header_access Proxy-Authenticate allow all
 request_header_access Cache-Control allow all
 request_header_access Content-Encoding allow all
 request_header_access Content-Length allow all
 request_header_access Content-Type allow all
 request_header_access Date allow all
 request_header_access Expires allow all
 request_header_access Host allow all
 request_header_access If-Modified-Since allow all
 request_header_access Last-Modified allow all
 request_header_access Location allow all
 request_header_access Pragma allow all
 request_header_access Accept allow all
 request_header_access Accept-Charset allow all
 request_header_access Accept-Encoding allow all
 request_header_access Accept-Language allow all
 request_header_access Content-Language allow all
 request_header_access Mime-Version allow all
 request_header_access Retry-After allow all
 request_header_access Title allow all
 request_header_access Connection allow all
 request_header_access Proxy-Connection allow all
 request_header_access User-Agent allow all
 request_header_access Cookie allow all
 request_header_access All deny all

 # Response Headers Spoofing

 reply_header_access Via deny all
 reply_header_access X-Cache deny all
 reply_header_access X-Cache-Lookup deny all
	#!/bin/sh

	if [ "$(id -u)" != "0" ]; then
	echo "This script must be run as root" 1>&2
	exit 1
	fi

	echo "Update packages list"
	apt-get update

	echo "Build dependencies"
	RUNLEVEL=1 apt-get -y install squid3 squid3-common apache2-utils

	echo "Create configuration file"
	mv /etc/squid3/squid.conf /etc/squid3/squid.conf.default
	wget --no-check-certificate -O /etc/squid3/squid.conf https://gist.githubusercontent.com/e7d/9472c3e7ac1821056867b95244c73609/raw/squid.conf

	echo "Create users database sample"
	htpasswd -cbd /etc/squid3/users.pwd proxy proxy

	echo "Prepare environment for first start"
	mkdir -p /var/log/squid3
	mkdir -p /var/cache/squid3
	mkdir -p /var/spool/squid3
	chown -cR proxy /var/log/squid3
	chown -cR proxy /var/cache/squid3
	chown -cR proxy /var/spool/squid3
	squid3 -z

	echo "Start service"
	service squid3 start

	exit 0
	# General

	http_port 3128
	visible_hostname Proxy
	forwarded_for delete
	via off

	# Log

	logformat squid %tg.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt
	access_log /var/log/squid3/access.log squid

	# Cache

	cache_dir aufs /var/cache/squid3 1024 16 256
	coredump_dir /var/spool/squid3

	acl QUERY urlpath_regex cgi-bin \?
	cache deny QUERY

	refresh_pattern ^ftp: 1440 20% 10080
	refresh_pattern ^gopher: 1440 0% 1440
	refresh_pattern -i (/cgi-bin/\|\?) 0 0% 0
	refresh_pattern . 0 20% 4320

	# Network ACL

	acl localnet src 10.0.0.0/8 # RFC 1918 possible internal network
	acl localnet src 172.16.0.0/12 # RFC 1918 possible internal network
	acl localnet src 192.168.0.0/16 # RFC 1918 possible internal network
	acl localnet src fc00::/7 # RFC 4193 local private network range
	acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines

	# Port ACL

	acl SSL_ports port 443 # https
	acl SSL_ports port 563 # snews
	acl SSL_ports port 873 # rync
	acl Safe_ports port 80 8080 # http
	acl Safe_ports port 21 # ftp
	acl Safe_ports port 443 563 # https
	acl Safe_ports port 70 # gopher
	acl Safe_ports port 210 # wais
	acl Safe_ports port 1025-65535 # unregistered ports
	acl Safe_ports port 280 # http-mgmt
	acl Safe_ports port 488 # gss-http
	acl Safe_ports port 591 # filemaker
	acl Safe_ports port 777 # multiling http
	acl purge method PURGE
	acl CONNECT method CONNECT

	# Authentication
	# Uncomment the following lines to enable file based authentication BUT:
	# The following section requires to have squid libs installed, especially `nsca_auth`, to be working.
	# This sections uses a Htpasswd file named `users.pwd` file to store eligible accounts.
	# You can generate yours using the htpasswd command from "apache2-utils" aptitude package, using "-d" flag to use system CRYPT.

	auth_param basic program /usr/lib/squid3/basic_ncsa_auth /etc/squid3/users.pwd
	auth_param basic children 5
	auth_param basic realm Proxy
	auth_param basic credentialsttl 2 hours
	auth_param basic casesensitive on

	acl Users proxy_auth REQUIRED
	http_access allow Users

	# Access Restrictions

	http_access allow manager localhost
	http_access deny manager

	http_access allow purge localhost
	http_access deny purge

	http_access deny !Safe_ports
	http_access deny CONNECT !SSL_ports

	http_reply_access allow all
	htcp_access deny all
	icp_access allow all
	always_direct allow all

	# Request Headers Forcing

	request_header_access Allow allow all
	request_header_access Authorization allow all
	request_header_access WWW-Authenticate allow all
	request_header_access Proxy-Authorization allow all
	request_header_access Proxy-Authenticate allow all
	request_header_access Cache-Control allow all
	request_header_access Content-Encoding allow all
	request_header_access Content-Length allow all
	request_header_access Content-Type allow all
	request_header_access Date allow all
	request_header_access Expires allow all
	request_header_access Host allow all
	request_header_access If-Modified-Since allow all
	request_header_access Last-Modified allow all
	request_header_access Location allow all
	request_header_access Pragma allow all
	request_header_access Accept allow all
	request_header_access Accept-Charset allow all
	request_header_access Accept-Encoding allow all
	request_header_access Accept-Language allow all
	request_header_access Content-Language allow all
	request_header_access Mime-Version allow all
	request_header_access Retry-After allow all
	request_header_access Title allow all
	request_header_access Connection allow all
	request_header_access Proxy-Connection allow all
	request_header_access User-Agent allow all
	request_header_access Cookie allow all
	request_header_access All deny all

	# Response Headers Spoofing

	reply_header_access Via deny all
	reply_header_access X-Cache deny all
	reply_header_access X-Cache-Lookup deny all