squid v3.4.11 config
# Contents
# p01. Authentication settings
# p02. External ACL Definitions
# p03. Safe Port, local network addresses and other ACL Definitions
# p04. Deny Info Definitions
# p05. Recommended Minimum Access Permissions
# p06. Access Rules
# p07. Default Fallback Rules
# p08. SSL and Intercepted Traffic Settings
# p09. Squid Listening Interfaces
# p10. Other Squid Settings
# p11. Hostname Definition
# p12. URL Rewriting
# p13. Log Formatting
# p14. Debugging
###### p01. Authentication Settings ######
# Provide seamless authentication for Windows via Kerberos/NTLM
# The wrapper forwards Kerberos tokens to squid_kerb_auth and NTLM tokens to ntlm_auth (winbind).
# NOTE(review): NTLM is the weaker of the two and stays here only as a fallback for clients that
# cannot obtain a ticket; %LOGIN-based acls in p02 and explicit_auth in p06 depend on this succeeding.
auth_param negotiate program /usr/bin/squid_negotiate_wrapper_auth --ntlm /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=local --kerberos /usr/bin/squid_kerb_auth -s GSS_C_NO_NAME
auth_param negotiate children 50 startup=10 idle=1
# keep_alive off: the connection is closed after the first 407, which works around clients that
# mishandle NTLM keep-alive at the cost of an extra round trip per connection.
auth_param negotiate keep_alive off
# Provide basic authentication via LDAP for clients
# SECURITY: the bind DN's password is embedded in cleartext (-w). Everyone who can read this file
# or list processes on the box (helper arguments are visible in ps) learns it, and it travels into
# backups, revision control and pastes such as this gist. Prefer the helper's -W <file> option
# (read the password from a root-only file; check the helper's usage output for the exact flag) and
# keep squid.conf itself unreadable to other users. Basic auth also carries the user's password
# base64-encoded on every request, so only offer it on trusted networks.
auth_param basic program /usr/bin/squid_ldap_auth -R -b "dc=blah,dc=local" -D "cn=proxy user,cn=Users,dc=blah,dc=local" -w blahblah -f sAMAccountName=%s -h winsvr.blah.local
auth_param basic children 10 startup=5 idle=1
# Realm string shown in the browser's credential prompt
auth_param basic realm Basic Proxy
# Cached credentials are re-validated against LDAP after one minute, so a disabled or changed
# account is locked out within roughly a minute at the price of more LDAP binds.
auth_param basic credentialsttl 1 minute
###### p02. External ACL Definitions ######
# Each external_acl_type names a helper (given as a bare relative path, resolved against the
# process working directory — prefer absolute paths) and the request fields it receives. Results are
# cached for ttl seconds keyed on exactly those fields, so a ttl=900 helper keyed only on
# %URI/%EXT_LOG keeps returning a stale decision for up to 15 minutes after the backend changes.
# Helpers may answer with tag= and log= values; these surface as %TAG and %EXT_LOG to the acls
# evaluated later in the same request, which is how state is threaded through the p06 rule chain.
# Per-client session check, keyed on source IP only (ttl=1: effectively re-asked every request).
# NOTE(review): behind NAT or on shared hosts one session covers every client on that address.
external_acl_type session_checker_type1 ttl=1 children-startup=2 children-idle=1 children-max=5 %SRC python session_checker_type1.pyo
acl session_checker1 external session_checker_type1
# NOTE(review): policy_finder is declared here but never used; p06 refers to "set_finder", which is
# not declared in this file. One of the two names is stale.
external_acl_type policy_finder_type ttl=900 children-startup=2 children-idle=1 children-max=50 %URI %EXT_LOG policy_finder.pyo
acl policy_finder external policy_finder_type
# %SRCEUI48 is the client MAC as seen by Squid: only meaningful for clients on a directly attached
# segment and trivially spoofable, so device_group identifies a device, it does not authenticate it.
external_acl_type device_group_type ttl=900 children-startup=2 children-idle=1 children-max=25 %EXT_LOG %SRCEUI48 %SRC device_group_acl.pyo
acl device_group external device_group_type
# %LOGIN is only populated once proxy authentication (p01) has succeeded, i.e. explicit clients.
external_acl_type explicit_user_group_type ttl=900 children-startup=2 children-idle=1 children-max=15 %LOGIN user_group_acl.pyo
acl explicit_user_group external explicit_user_group_type
# Same helper, but the user identity arrives via %EXT_LOG set by an earlier helper (no 407 possible
# on intercepted ports).
external_acl_type intercepted_user_group_type ttl=900 children-startup=2 children-idle=1 children-max=10 %EXT_LOG user_group_acl.pyo
acl intercepted_user_group external intercepted_user_group_type
external_acl_type cportal_session_checker_type ttl=1 children-idle=1 children-max=25 children-startup=2 %SRC %EXT_LOG %SRCEUI48 cportal_session_checker_acl.pyo
acl cportal_session_checker external cportal_session_checker_type
external_acl_type allowed_list_type ttl=900 children-startup=2 children-idle=1 children-max=35 %URI %TAG allowed_list_ext_acl.pyo
acl allowed_list external allowed_list_type
external_acl_type denied_list_type ttl=900 children-startup=2 children-idle=1 children-max=35 %URI %TAG %EXT_LOG denied_list_ext_acl.pyo
acl denied_list external denied_list_type
external_acl_type white_list_policy_list_type ttl=300 children-startup=2 children-idle=1 children-max=10 %TAG %EXT_LOG white_list_policy_ext_acl.pyo
acl white_list_policy external white_list_policy_list_type
# %<{Content-Type} syntax generates a warning in squid, but its suggested syntax does not work.
# (a reply header, so mime_deny is only usable from http_reply_access — see p06)
external_acl_type mime_deny_type ttl=900 children-idle=1 children-max=5 children-startup=2 %<{Content-Type} %TAG %EXT_LOG mime_deny_ext_acl.pyo
acl mime_deny external mime_deny_type
external_acl_type category_checker_type ttl=10 children-idle=1 children-max=50 children-startup=2 %URI %TAG %EXT_LOG category_checker_ext_acl.pyo
acl category_checker external category_checker_type
external_acl_type rewriter_check_type ttl=10 children-idle=1 children-max=30 children-startup=2 %URI %TAG rewriter_check_ext_acl.pyo
acl rewriter_check external rewriter_check_type
# No plain "acl ... external" for the next two: response_size_type is instantiated in p06 with helper
# arguments (acl response_size_100 ...). NOTE(review): nothing in this file references
# bandwidth_check_type, so it is dead configuration unless an included file uses it.
external_acl_type response_size_type ttl=300 children-startup=2 children-idle=1 children-max=50 %URI %TAG %EXT_LOG max_file_size_ext_acl.pyo
external_acl_type bandwidth_check_type ttl=300 children-startup=2 children-idle=1 children-max=25 %URI %TAG %EXT_LOG bandwidth_restriction_ext_acl.pyo
external_acl_type credit_checker_type ttl=10 children-idle=1 children-max=25 children-startup=2 %EXT_LOG %TAG credit_checker_acl.pyo
acl credit_checker external credit_checker_type
external_acl_type temp_user_denial_type ttl=300 children-startup=2 children-idle=1 children-max=25 %EXT_LOG temp_user_denial_ext_acl.pyo
acl temp_user_denial external temp_user_denial_type
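###### p03. Safe Port, local network addresses and other ACL Definitions ######
# Rules allowing access from your local networks. Adapt this list to your (internal) IP networks from where browsing should be allowed.
# NOTE(review): localnet is declared but no http_access rule in this file references it, so the
# explicit port (3128) accepts requests from any source address that can reach it. Add an early
# "http_access deny !localnet" (after the manager rules in p05) or bind http_port to an internal
# address — after confirming nothing outside these ranges legitimately uses the proxy.
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
# SSL and Safe ports
# SECURITY: CONNECT is permitted to every port in SSL_ports (p05: "deny CONNECT !SSL_ports").
# 8080 and 7070 are not TLS-only ports, so a client can tunnel arbitrary protocols through the
# proxy to those ports on any host; keep this list to the ports that genuinely need it.
acl SSL_ports port 443 8080 7070
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
# SSL Connect traffic method
acl CONNECT method CONNECT
# Proxy Auth Setting (explicit requests only)
# proxy_auth can only challenge explicitly configured clients; intercepted traffic never sees a
# 407, which is why p06 pairs this acl with explicitPorts only.
acl explicit_auth proxy_auth REQUIRED
# Intercepted traffic port definitions
# myportname matches the name= of the http(s)_port the request arrived on; 3128 sets no name=
# and so defaults to its port specification (see p09).
acl explicitPorts myportname 3128
# (the former duplicate "acl interceptedPorts myportname 3130" line was dropped; 3130 is already here)
acl interceptedPorts myportname 3129 3130
# The host for verifying if the proxy is a trusted CA or not
acl sslbump_test_url dstdomain code.jquery.com
# Management/Admin Interface domain
# NOTE(review): this is 192.168.1.10, whereas every deny_info redirect in p04 points at
# 192.168.0.10. If the deny/portal pages are served from the management host, one of the two is a
# typo; if they are different hosts, intercepted clients still need an http_access allow for
# 192.168.0.10 ahead of the deny rules in p06. Confirm which is intended.
acl management_interface dst 192.168.1.10
# URL-rewritable websites
# The list files below are relative paths resolved against the process working directory, not the
# config directory; use absolute paths so a different cwd cannot silently change what is loaded.
acl rewritable-sites dstdom_regex "acls/rewriter/domains.txt"
# Bypass Lists
# App Compatibility Lists, should they exist
# Anything matching the auth lists is allowed in p06 before any authentication or filtering, with
# no source restriction — every entry is an unauthenticated, unfiltered hole; review them as
# carefully as the allow rules themselves.
acl app_compat_auth_dst dst "app_auth_bypass_dst.txt"
acl app_compat_auth_domain dstdomain "app_compat_auth_bypass_dstdomain.txt"
acl app_compat_bump_bypass dst "app_compat_bump_bypass_dst.txt"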
###### p04. Deny Info Definitions - for controlling denied traffic redirection ######
# Custom Squid error pages dir
error_directory /usr/local/app/squid/errors/
# A deny_info with a URL turns the denial into a 302 to that URL. It fires for the LAST acl named on
# the http_access line that denied, so each acl below must be the final one on its deny rule (p06).
# Format codes: %u = requested URL, %i = client IP, %o = message returned by the external ACL helper.
# SECURITY: %u hands the full denied URL (query string included) to the portal host over plain
# HTTP, and "next=%u" is an open-redirect target unless the portal validates it — confirm it does.
# NOTE(review): these pages live on 192.168.0.10 while management_interface (p03) is 192.168.1.10;
# make sure intercepted clients are allowed to reach 192.168.0.10 before the deny rules.
# Intercepted traffic certificate check
# NOTE(review): cert_session_checker, auth_device and auth_user are not declared in this file (only
# session_checker1 is). Squid refuses to start on an http_access line naming an unknown acl, and
# p06 uses cert_session_checker, so either an included file declares them or this copy is stale.
deny_info http://192.168.0.10/certcheck?next=%u&src=%i cert_session_checker
# Deny pages redirects
deny_info http://192.168.0.10/deny/?url=%u&m=%o category_checker
deny_info http://192.168.0.10/deny/?url=%u&m=%o denied_list
deny_info http://192.168.0.10/unknown-device/ auth_device
deny_info http://192.168.0.10/unknown-user/ auth_user intercepted_user_group
# Captive portal: fires from "deny interceptedPorts !device_group !cportal_session_checker" in p06
deny_info http://192.168.0.10/cportal?src=%i&next=%u&m=%o cportal_session_checker
deny_info http://192.168.0.10/deny/?url=%u&m=%o temp_user_denial
###### p05. Recommended Minimum Access Permissions ######
# Management Interface Bypass
# always_direct forces these requests straight to the origin, bypassing any cache_peer; none is
# configured in this file, so it is currently a no-op. The allow carries no source restriction:
# any client that can reach the proxy may reach 192.168.1.10 through it without authenticating.
always_direct allow management_interface
http_access allow management_interface
# Ensure that only localhost can access manager
# (manager and localhost are Squid's built-in acls; cachemgr exposes configuration and runtime
# state, so this pair must stay ahead of every other allow rule)
http_access allow localhost manager
http_access deny manager
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
# (SSL_ports in p03 also lists 8080 and 7070, so this is weaker than the comment suggests)
http_access deny CONNECT !SSL_ports
# SSL Bump Step2
# Matches once the server side of an intercepted TLS connection has been peeked at; consumed by
# the splice rule in p08.
acl step2 at_step SslBump2
###### p06. Access Rules ######
# Evaluation is top-down and the first matching allow/deny wins. Within a line the acls are ANDed
# left to right and evaluation stops at the first non-match, so a line ending in "!all" can never
# match but still runs every helper before it — the idiom used below to force helper side effects
# (tag=/log= values, result caching) and 407 challenges without granting anything yet.
# Make sure the "certificate check" test URL can always be requested
# Intercepted request, not to the management host, not the test URL, client has no cert session
# -> denied, and deny_info (p04) redirects it to the certcheck page.
# NOTE(review): cert_session_checker is not declared in this file; unless an included file
# declares it, Squid will reject this line.
http_access deny !management_interface !sslbump_test_url interceptedPorts !cert_session_checker
http_access allow sslbump_test_url interceptedPorts
## Authentication Rules ##
# Immediately allow anything matching app compatibility lists
# SECURITY: no source, port or authentication condition — these destinations are reachable by
# anyone who can reach the proxy, before any filtering below.
http_access allow app_compat_auth_dst
http_access allow app_compat_auth_domain
# Allow authenticated users and authorised devices and continue evaluation
# ("!all" lines: evaluate device_group / cportal_session_checker so their results are cached and
# their tag/log values set, without allowing anything yet)
http_access allow interceptedPorts device_group !all
http_access allow explicitPorts device_group !all
http_access allow interceptedPorts cportal_session_checker !all
# Intercepted client that is neither a known device nor holds a portal session -> denied and sent
# to the captive portal (deny_info cportal_session_checker in p04)
http_access deny interceptedPorts !device_group !cportal_session_checker
# Explicit client on an unknown device: explicit_auth triggers the 407 challenge here and
# explicit_user_group runs against the resulting %LOGIN
http_access allow explicitPorts !device_group explicit_auth explicit_user_group !all
# Deny unauthed clients (except those we can't authenticate)
http_access deny interceptedPorts !device_group !intercepted_user_group
http_access deny explicitPorts !device_group explicit_auth !explicit_user_group
# Temporary user denial check
http_access deny temp_user_denial
# Find the policy that applies to this user
# NOTE(review): set_finder is not declared anywhere in this file (p02 declares policy_finder, which
# is never used) — presumably a renamed acl; verify before deploying.
http_access allow set_finder !all
# Check if credit is in play and that the user has credit
# (denies non-device clients for which the credit helper reports a match; the helper's semantics
# are not visible here)
http_access deny !device_group credit_checker
# Allow allowed content for whitelist policies
http_access allow white_list_policy allowed_list
# Deny everything else for whitelist policies
http_access deny !management_interface !allowed_list white_list_policy
# Denied Lists
http_access deny !management_interface denied_list
# Allowed Lists
http_access allow allowed_list
# Category filters
http_access deny category_checker
# Find the Set that applies to this user
# Squid quirk: category_checker retest must be here for the ext_log changes it makes to carry on when the acl returns ERR
http_reply_access allow set_finder !category_checker !all
# Media type / response Handling
# NOTE: MIME Types cannot be explicitly allowed because replies are implicitly allowed
http_reply_access deny !management_interface mime_deny
# File size (download) restrictions
# Words after the type name are passed to the helper as fixed arguments (here the limit in MB and
# the deny-page host); the same type could be instantiated again with other values.
acl response_size_100 external response_size_type 100 192.168.0.10
# Squid quirk: Result caching cannot alter the EXT_LOG for fast acls as cache lookups include the EXT_LOG, so we must
# check this result twice to alter the EXT_LOG and then have the result cached against the altered EXT_LOG.
http_access allow response_size_100 response_size_100
# The 100 MB reply cap applies only when the helper matched for this reply.
reply_body_max_size 100 MB response_size_100
###### p07. Default Fallback Rules ######
# Allow for auth'ed devices/users after passing policy evaluation
http_access allow device_group
http_access allow explicitPorts explicit_user_group
# Intercepted clients that survived p06 (known device or portal session) are allowed whatever the
# user lookup said.
http_access allow interceptedPorts
# Deny any thus-far unidentified clients
http_access deny all
# Probably-redundantly allow any replies that haven't been denied already
# (without it the fallback is the opposite of the last http_reply_access line, i.e. allow after the
# mime_deny deny in p06 — so this is explicit rather than necessary)
http_reply_access allow all
###### p08. SSL and Intercepted Traffic Settings ######
# SslBump1 = the client's ClientHello (SNI) is available. peek at step1 then splice at step2 means
# Squid never decrypts allowed traffic: it reads the handshake and then passes bytes through
# unchanged. The generated certificates therefore appear to matter only when Squid must answer the
# client itself — a deny page or one of the p04 redirects on an intercepted HTTPS request — which
# is presumably why p06 first checks that the proxy CA is trusted (sslbump_test_url /
# cert_session_checker). Confirm that no other ssl_bump rules exist in included files.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump splice step2
# Setup Options for the dynamic certificate db and helper
# ssl_db holds every certificate minted with the CA from p09; -M caps the on-disk database size.
# NOTE(review): this path is under /usr/local/mwf/mwf13 while the rest of the install is under
# /usr/local/app — confirm it exists and is writable by the Squid user, or generation fails at runtime.
sslcrtd_program /usr/bin/squid_ssl_crtd -s /usr/local/mwf/mwf13/squid/ssl_db -M 4MB
sslcrtd_children 32 startup=5 idle=1
###### p09. Squid Listening Interfaces ######
# Explicit proxy port. No address is given, so it binds every interface; no name= is set, so
# myportname defaults to the port specification (matched by explicitPorts in p03). Consider
# binding to the internal address only, since localnet is not enforced anywhere in this file.
http_port 3128
# Intercepted HTTP; only reachable through a NAT/REDIRECT rule on the gateway. The name= values
# must match the interceptedPorts acl in p03.
http_port 3129 intercept name=3129
# Intercepted HTTPS with SSL-Bump. cert=/key= is the CA that signs every generated host
# certificate: whoever holds that key can impersonate any HTTPS site to every client that trusts
# it, so keep the key readable by root/the Squid user only and never paste it anywhere. The paths
# are relative (resolved against the working directory); prefer absolute paths.
https_port 3130 intercept name=3130 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=ssl_cert/proxy-cert.cer key=ssl_cert/proxy-key.key
###### p10. Other Squid Settings ######
# Maximum file descriptors
# (must stay within the Squid user's ulimit, otherwise Squid lowers it with a warning at start)
max_filedesc 8192
# Caching configuration options
# aufs cache of 60000 MB in 16x256 directories; objects up to 1 GB are cacheable
maximum_object_size 1024 MB
cache_dir aufs /var/spool/squid 60000 16 256
# Leave coredumps in the first cache dir
# NOTE(review): a core of this process can contain the CA private key (p09), configuration strings
# such as the LDAP bind password (p01) and in-flight client data. Make sure the directory is not
# world-readable, or disable core dumps in production.
coredump_dir /var/spool/squid
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
# Don't remove query strings from logged URLs
# SECURITY: query strings routinely carry session tokens, API keys and occasionally passwords; with
# stripping off they all land in access.log (both logs in p13). Keep the logs readable by
# root/Squid only with a short retention, or turn stripping back on and log just what you need.
strip_query_terms off
# Make sure we can restart Squid faster than 30+ seconds
# (open client connections are cut after 5 s on shutdown/reconfigure)
shutdown_lifetime 5.00 second
# Accommodate Microsoft's large DNS pools
# http://www.squid-cache.org/mail-archive/squid-users/201308/0268.html
forward_max_tries 25
###### p11. Hostname Definition ######
# (empty: visible_hostname is not set, so Squid falls back to the system hostname; set it
# explicitly if error pages and log entries must show a fixed name)
###### p12. URL Rewriting ######
# Helper path is relative — see the p02/p03 notes on the working directory. Rewriting only sees
# requests Squid can read in clear: CONNECT is excluded below and spliced HTTPS (p08) never
# reaches the rewriter. rewriter_check (p02) gives the helper the final say per URL.
url_rewrite_program url_rewriter.pyo
url_rewrite_children 20 startup=2
url_rewrite_access allow !CONNECT rewritable-sites rewriter_check
###### p13. Log Formatting ######
# Fields: local timestamp, response time (ms), client MAC, client IP, Squid status, HTTP status,
# reply bytes, method, URL, username, ssl bump mode, User-Agent, hierarchy code/server IP, MIME
# type, external ACL log message.
# PRIVACY/SECURITY: with strip_query_terms off (p10) the URL field keeps query strings, which can
# include session tokens and credentials; together with username, MAC and User-Agent this log
# identifies individuals. Restrict read access and define a retention policy.
logformat custom %{%d/%b/%Y-%H:%M:%S}tl %6tr %>eui %>a %Ss %>Hs %<st %rm %ru %un %ssl::bump_mode %{User-Agent}>h %Sh/%<a %mt %ea
access_log stdio:/var/log/squid/access.log custom
# Second copy in Squid's native format (query strings unstripped here too)
access_log stdio:/var/log/squid/default-access.log squid
###### p14. Debugging ######
# All disabled. At level 9 the debug sections below can write full request/response headers
# (including auth tokens) to cache.log; enable only briefly and scrub the log afterwards.
#debug_options 77,9
#debug_options 28,3 26,3
#debug_options ALL,9
#debug_options ALL,1 82,9 84,9