SQUID3 config with upstream proxy
# Squid 3
#
# Sample config
# - use upstream proxy 10.10.10.10:8080
# - Allow 192.168.56.0/24 access
# - Direct access for gitlab.com, github.com
# Listen only on the 192.168.56.1 address rather than on every interface, so
# clients that cannot reach that address never see the listener at all,
# independently of the http_access rules below.
http_port 192.168.56.1:3128
icp_port 0
dns_v4_first on
error_default_language vi
visible_hostname biotech.pt-infra.net
cache_mgr [email protected]
shutdown_lifetime 3 seconds
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
# NOTE: localnet is declared but never used below (the "allow localnet" rule
# is commented out); allowed_subnets (192.168.56.0/24) is the effective
# client ACL.
acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN)
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl allowed_subnets src 192.168.56.0/24
# ACLs all, manager, localhost, and to_localhost are predefined.
# allsrc is not referenced by any rule in this file.
acl allsrc src all
# SSL_ports bounds the CONNECT method (see "deny CONNECT !SSL_ports" below);
# Safe_ports bounds the destination port of every other request.
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
#------------------------------------------------------------------------------
# Upstream Proxy
## Local server/direct access
acl local-intranet dstdomain .pt-infra.net
acl local-external dstdomain github.com
acl local-external dstdomain gitlab.com
acl local-external dstdomain .githubusercontent.com
# Single upstream parent: no-query skips ICP queries to it (icp_port is 0
# above) and default makes it the last-resort parent.
cache_peer 10.10.10.10 parent 8080 0 no-query default
# NOTE(review): this demotes the upstream to a sibling for the listed domains,
# yet .pt-infra.net is also forced through the upstream by
# "never_direct allow local-intranet" below, which may leave those requests
# with no parent to use - confirm the intended routing.
neighbor_type_domain 10.10.10.10 sibling .pt-infra.net .github.com .gitlab.com .githubusercontent.com
# # Allow external / block TMA intranet
# never_direct is first-match: local-external (github/gitlab) may go direct,
# everything else must go through the cache_peer above.
never_direct deny local-external
never_direct allow local-intranet
never_direct allow all
#------------------------------------------------------------------------------
# http_access is first-match, so the port/CONNECT/manager denies must stay
# ahead of the subnet allow, and "deny all" is the catch-all.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
#http_access allow localnet
http_access allow localhost
http_access allow allowed_subnets
http_access deny all
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
# Loaded last: any http_access rule placed in conf.d/ lands after "deny all"
# above and is never evaluated.
include /etc/squid/conf.d/*
# Squid 3
# Listen only on the 192.168.56.1 address rather than on every interface, so
# clients that cannot reach that address never see the listener at all,
# independently of the http_access rules below.
http_port 192.168.56.1:3128
icp_port 0
dns_v4_first on
error_default_language en
visible_hostname cache.tma-dc4.pt-infra.net
cache_mgr [email protected]
shutdown_lifetime 1 seconds
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
# NOTE: localnet is declared but never used below (the "allow localnet" rule
# is commented out); allowed_subnets (192.168.56.0/24) is the effective
# client ACL.
acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN)
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl allowed_subnets src 192.168.56.0/24
# ACLs all, manager, localhost, and to_localhost are predefined.
# allsrc is not referenced by any rule in this file.
acl allsrc src all
# SSL_ports bounds the CONNECT method (see "deny CONNECT !SSL_ports" below);
# Safe_ports bounds the destination port of every other request.
acl SSL_ports port 443
# The SSL_ports entry is what actually permits CONNECT to 6443; the
# Safe_ports entry for 6443 further down is already covered by 1025-65535.
acl SSL_ports port 6443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 6443
acl CONNECT method CONNECT
# TMA_SafePort is not referenced by any rule in this file.
acl TMA_SafePort myport 80 # http
#------------------------------------------------------------------------------
# Upstream Proxy
## Local server block access
acl local-intranet dstdomain .tma.com.vn
## Local server/direct access
acl local-external dstdomain .pt-infra.net
acl local-external dstdomain github.com
acl local-external dstdomain gitlab.com
acl local-external dstdomain .githubusercontent.com
acl local-external dstdomain keyserver.ubuntu.com
acl local-external dstdomain .docker.io
acl local-external dstdomain dl-cdn.alpinelinux.org
#acl local-external dstdomain archive.ubuntu.com
## Upstream proxy
###
# Single upstream parent, reached by hostname (resolved with dns_v4_first on
# above): no-query skips ICP queries to it (icp_port is 0) and default makes
# it the last-resort parent.
cache_peer proxy.local parent 1081 0 no-query default
#neighbor_type_domain proxy.local sibling .xxx.com.vn
#neighbor_type_domain proxy.local parent .dockernnn.io
# First http_access rule, so the intranet block applies regardless of the
# client's source address; the "all" term is ANDed with local-intranet and
# is redundant.
http_access deny all local-intranet
# always_direct and never_direct are each first-match: local-external
# bypasses the upstream, everything else is forced through proxy.local:1081.
# The always_direct deny for local-intranet is belt-and-braces, since
# http_access already rejects those requests.
always_direct deny local-intranet
always_direct allow local-external
never_direct allow all
#------------------------------------------------------------------------------
# http_access is first-match, so the port/CONNECT/manager denies must stay
# ahead of the subnet allow, and "deny all" is the catch-all.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
#http_access allow localnet
http_access allow localhost
http_access allow allowed_subnets
http_access deny all
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
# Loaded last: any http_access rule placed in conf.d/ lands after "deny all"
# above and is never evaluated.
include /etc/squid/conf.d/*

# /etc/systemd/system/squid.service.d/10-deplay.conf
# systemd drop-in for squid.service: the only override is a 30-second sleep
# before squid starts. NOTE(review): presumably this waits for the
# 192.168.56.1 address used by http_port to come up - confirm; a dependency
# on the network target would express that intent more precisely than a
# fixed delay.
[Service]
ExecStartPre=/bin/sleep 30


#!/bin/bash
# Smoke-test the squid forward proxy: every request below is routed through it.

# Point curl (which honours the lowercase *_proxy variables) at the squid listener.
export http_proxy=http://192.168.56.1:3128
export https_proxy="$http_proxy"

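#######################################
# Probe a URL through the proxy named by http_proxy/https_proxy and compare
# the HTTP status code curl reports with the expected one.
# Arguments: $1 - URL to request
#            $2 - expected HTTP status code (default 200)
# Outputs:   "TEST <url> => PASS" or "TEST <url> => FAIL (got <code>)" on stdout
# Returns:   0 on PASS, 1 on FAIL, so a caller can fail the run on a mismatch
#######################################
assert() {
	local url=$1
	local status_code_expected=${2:-200}
	local status_code

	printf 'TEST %s => ' "$url"
	# -s hides curl's own diagnostics, so --max-time is what keeps a hung
	# proxy or upstream from blocking the whole run; a connection failure
	# reports code 000. --url avoids treating an odd URL as an option.
	status_code=$(curl -s -o /dev/null --max-time 30 -w '%{http_code}' --url "$url")

	if [[ "$status_code" != "$status_code_expected" ]]; then
		# Show the observed code: "FAIL" alone gives nothing to debug with.
		printf 'FAIL (got %s)\n' "$status_code"
		return 1
	fi
	printf 'PASS\n'
	return 0
}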

# Expected results, stated explicitly for every probe: the intranet host is
# expected to be refused with 403 (presumably by the intranet deny rule in
# squid.conf - verify), the remaining hosts should answer normally, and
# bing.com redirects the plain-http request.
assert https://intranet.xxx.com.vn 403
assert https://index.docker.io 200
assert http://archive.ubuntu.com 200
assert http://bing.com 301
assert http://dl-cdn.alpinelinux.org 200
