# General
# Listening port and the hostname Squid reports about itself.
http_port 3128
visible_hostname Proxy

# Hide the proxy from the origin server: remove X-Forwarded-For
# entirely and do not emit a Via header on forwarded traffic.
forwarded_for delete
via off

# Log
# Custom access-log layout. The field list appears to mirror Squid's
# built-in "squid" format except that the timestamp is rendered as
# GMT date/time (%tg) instead of seconds since the epoch (%ts).
# NOTE(review): this re-declares the built-in format name "squid";
# confirm the deployed Squid release accepts that rather than warning.
logformat squid %tg.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt
access_log /var/log/squid3/access.log squid

# Cache
# aufs store: 1024 MB, 16 first-level and 256 second-level subdirectories.
cache_dir aufs /var/cache/squid3 1024 16 256
coredump_dir /var/spool/squid3

# Never cache dynamic content (cgi-bin paths or URLs with a query string).
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY

# Freshness rules: min age (minutes), percent of object age, max age (minutes).
# The first matching pattern wins, so the catch-all "." must stay last.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

# Network ACL
# Private address ranges that count as "localnet".
# NOTE(review): localnet is declared but no http_access line in this file
# references it; client access is gated on authentication only.
acl localnet src 10.0.0.0/8 # RFC 1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC 1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC 1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines

# Port ACL
# Destination ports a CONNECT tunnel may target.
acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync

# Destination ports ordinary requests may target; the http_access
# section refuses everything not listed here.
acl Safe_ports port 80 8080 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http

# Request methods referenced by http_access.
acl purge method PURGE
acl CONNECT method CONNECT

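# Authentication
# Basic (htpasswd-file) authentication through the NCSA helper. This section
# is active; comment it out together with the "allow Users" rule below to run
# without authentication. It needs the Squid helper binary (basic_ncsa_auth)
# installed. /etc/squid3/users.pwd is an htpasswd file: create entries with
# the htpasswd command from the "apache2-utils" package, using its "-d" flag
# for system CRYPT hashes.
auth_param basic program /usr/lib/squid3/basic_ncsa_auth /etc/squid3/users.pwd
auth_param basic children 5
auth_param basic realm Proxy
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive on

# Matches only requests carrying valid proxy credentials.
acl Users proxy_auth REQUIRED

# Access Restrictions
# http_access is evaluated top to bottom, first match wins, and when nothing
# matches Squid applies the opposite of the LAST rule. Therefore:
#  - the port/method sanity checks come BEFORE "allow Users", so an
#    authenticated client cannot CONNECT to arbitrary ports;
#  - the list ends with an explicit "deny all", so a request that fails
#    authentication is refused instead of falling through to an implicit allow.
# "manager" and "localhost" are Squid's predefined ACLs; declare them
# explicitly if the deployed release does not provide them.
http_access allow manager localhost
http_access deny manager

http_access allow purge localhost
http_access deny purge

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

http_access allow Users
http_access deny all

http_reply_access allow all
htcp_access deny all
# NOTE(review): ICP is only reachable if icp_port is enabled elsewhere;
# tighten this to the peers that need it if ICP is turned on.
icp_access allow all
always_direct allow all
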
# Request Headers Forcing
# request_header_access is first-match: every header named below is passed
# through unchanged and the final "All deny all" strips anything else.
# Note that client-identifying headers (User-Agent, Cookie, Accept-Language)
# are among those passed through, so this is header hygiene, not anonymisation.

# Authentication and proxy negotiation
request_header_access Authorization allow all
request_header_access WWW-Authenticate allow all
request_header_access Proxy-Authorization allow all
request_header_access Proxy-Authenticate allow all

# Routing and caching
request_header_access Host allow all
request_header_access Cache-Control allow all
request_header_access Pragma allow all
request_header_access If-Modified-Since allow all
request_header_access Last-Modified allow all
request_header_access Date allow all
request_header_access Expires allow all
request_header_access Location allow all
request_header_access Retry-After allow all

# Entity description
request_header_access Allow allow all
request_header_access Content-Encoding allow all
request_header_access Content-Length allow all
request_header_access Content-Type allow all
request_header_access Content-Language allow all
request_header_access Mime-Version allow all
request_header_access Title allow all

# Client preferences
request_header_access Accept allow all
request_header_access Accept-Charset allow all
request_header_access Accept-Encoding allow all
request_header_access Accept-Language allow all

# Connection handling and client identity
request_header_access Connection allow all
request_header_access Proxy-Connection allow all
request_header_access User-Agent allow all
request_header_access Cookie allow all

# Everything not listed above is removed from the forwarded request.
request_header_access All deny all

# Response Headers Spoofing
# Remove the headers that would reveal a caching proxy to the client.
# (Via is additionally suppressed on the outbound side by "via off" above.)
reply_header_access Via deny all
reply_header_access X-Cache deny all
reply_header_access X-Cache-Lookup deny all