-
Notifications
You must be signed in to change notification settings - Fork 12
/
Copy pathsquid.conf
145 lines (124 loc) · 4 KB
/
squid.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
# WELCOME TO SQUID 5.x
# -
# OPTIONS FOR AUTHENTICATION
# -
# Kerberos authentication
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -r -d -s HTTP/[email protected] -k /etc/krb5.keytab
auth_param negotiate children 20 startup=0 idle=1
auth_param negotiate keep_alive off
# NTLM authentication
auth_param ntlm program /usr/lib/squid/wsauth --dc1addr=dc.example.tld --dc1port=389
auth_param ntlm children 20 startup=5 idle=10
auth_param ntlm keep_alive off
# Using AD User's Basic Auth
auth_param basic program /usr/lib/squid/basic_ldap_auth -R -b "dc=example,dc=tld" -D [email protected] -w "P@s$w0rd.789" -f "(|(userPrincipalName=%s)(sAMAccountName=%s))" -h dc.example.tld
auth_param basic children 10
auth_param basic realm EXAMPLE.TLD
auth_param basic credentialsttl 8 hours
auth_param basic casesensitive on
# AD Group Mapping
external_acl_type NACIONAL ttl=300 negative_ttl=60 %LOGIN /usr/lib/squid/ext_kerberos_ldap_group_acl -a -g Intranet -D EXAMPLE.TLD
external_acl_type INTERNET ttl=300 negative_ttl=60 %LOGIN /usr/lib/squid/ext_kerberos_ldap_group_acl -a -g Internet -D EXAMPLE.TLD
external_acl_type UNRESTRICTED ttl=300 negative_ttl=60 %LOGIN /usr/lib/squid/ext_kerberos_ldap_group_acl -a -g Unrestricted -D EXAMPLE.TLD
acl intranet external NACIONAL
acl internet external INTERNET
acl unrestricted external UNRESTRICTED
# ACCESS CONTROL LISTS
# -
acl localnet src 192.168.0.0/24
acl proxy_ip src 192.168.0.2/32
acl local_domain dstdomain .example.tld
acl CUBA dstdomain .cu
acl PORN dstdomain .porn.com
acl AUTH proxy_auth REQUIRED
acl SSL_ports port 443 8443
acl Safe_ports port 80 21 443 70 210 1025-65535 280 488 591 777
acl CONNECT method CONNECT
# NETWORK OPTIONS
# -
http_port 3128
visible_hostname proxy.example.tld
# OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
# -
cache_peer proxy.tld parent 3128 0 no-query no-digest proxy-only name=ParentProxy
cache_peer_access ParentProxy allow all
# HTTP_ACCESS
# -
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny manager !localhost !proxy_ip
http_access allow localhost
http_access deny !AUTH
http_access allow localnet unrestricted
http_access allow localnet internet !PORN
http_access allow localnet intranet CUBA
http_access deny all
# MEMORY CACHE OPTIONS
# -
cache_mem 256 MB
maximum_object_size_in_memory 1024 KB
memory_replacement_policy heap GDSF
# DISK CACHE OPTIONS
# -
cache_replacement_policy heap LFUDA
cache_dir aufs /var/spool/squid 1024 16 256
minimum_object_size 0 KB
maximum_object_size 102400 KB
cache_swap_low 95
cache_swap_high 99
offline_mode off
uri_whitespace chop
# LOGFILE OPTIONS
# -
logfile_rotate 0
access_log daemon:/var/log/squid/access.log squid
mime_table /usr/share/squid/mime.conf
pid_filename /var/run/squid.pid
# OPTIONS FOR TROUBLESHOOTING
# -
cache_log /var/log/squid/cache.log
debug_options ALL,1
coredump_dir /squid/var/cache/squid
shutdown_lifetime 2 seconds
# OPTIONS FOR TUNING THE CACHE
# -
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
# HTTP OPTIONS
# -
request_header_access User-Agent deny all
request_header_replace User-Agent Mozilla/5.0 (X11; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0
# INTERNAL ICON OPTIONS
# -
icon_directory /usr/share/squid/icons
global_internal_static on
short_icon_urls on
# ERROR PAGE OPTIONS
# -
error_directory /usr/share/squid/errors/Spanish
err_page_stylesheet /etc/squid/errorpage.css
# OPTIONS INFLUENCING REQUEST FORWARDING
# -
always_direct allow local_domain
always_direct deny all
never_direct allow all
# DNS OPTIONS
# -
hosts_file /etc/hosts
dns_timeout 1 seconds
dns_nameservers dc.example.tld
# MISCELLANEOUS
# -
follow_x_forwarded_for allow localhost
forwarded_for delete
cachemgr_passwd MyS3cr3tP@s$w0rd all
positive_dns_ttl 1 hour
authenticate_ip_ttl 5 minute
client_db on
# ADMINISTRATIVE PARAMETERS
# -
half_closed_clients off
httpd_suppress_version_string on
via on