squid v3.4.11 config
# Contents
# p01. Authentication settings
# p02. External ACL Definitions
# p03. Safe Port, local network addresses and other ACL Definitions
# p04. Deny Info Definitions
# p05. Recommended Minimum Access Permissions
# p06. Access Rules
# p07. Default Fallback Rules
# p08. SSL and Intercepted Traffic Settings
# p09. Squid Listening Interfaces
# p10. Other Squid Settings
# p11. Hostname Definition
# p12. URL Rewriting
# p13. Log Formatting
# p14. Debugging
#
# Reviewer annotations below are prefixed NOTE(review). Squid evaluates each
# http_access / http_reply_access list top-down and stops at the first matching
# rule, so the ordering of the rules in p05-p07 is load-bearing.
###### p01. Authentication Settings ######
# Provide seamless authentication for Windows via Kerberos/NTLM
# Negotiate wrapper: Kerberos via squid_kerb_auth, NTLM fallback via ntlm_auth.
# Pool of up to 50 helpers, 10 started at launch, 1 kept idle.
auth_param negotiate program /usr/bin/squid_negotiate_wrapper_auth --ntlm /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=local --kerberos /usr/bin/squid_kerb_auth -s GSS_C_NO_NAME
auth_param negotiate children 50 startup=10 idle=1
auth_param negotiate keep_alive off
# Provide basic authentication via LDAP for clients
# NOTE(review): the LDAP bind password is written inline on the next line (-w ...).
# It is readable by anyone who can read this file and is visible in the helper's
# command line while the helper runs. squid_ldap_auth can read the bind password
# from a permission-restricted file instead (-W <file>); prefer that.
# NOTE(review): no -Z (StartTLS) and no ldaps:// URI is given, so the bind
# credentials and every user password being verified appear to cross the network
# in a plain simple bind to winsvr.blah.local -- confirm, and enable TLS if so.
# -R: do not chase referrals; -b: search base; -D: bind DN (confirm this account
# is read-only / least privilege); -f: user lookup filter, %s = presented login.
auth_param basic program /usr/bin/squid_ldap_auth -R -b "dc=blah,dc=local" -D "cn=proxy user,cn=Users,dc=blah,dc=local" -w blahblah -f sAMAccountName=%s -h winsvr.blah.local
auth_param basic children 10 startup=5 idle=1
auth_param basic realm Basic Proxy
# Short credential cache: a revoked/changed password takes effect within a minute,
# at the cost of one LDAP bind per user per minute.
auth_param basic credentialsttl 1 minute
###### p02. External ACL Definitions ######
# Each external_acl_type spawns a helper process pool (children-*) and feeds it the
# listed format tokens; the matching "acl ... external" line makes it usable in rules.
# %EXT_LOG and %TAG carry the previous helper's log/tag values into the next helper;
# the p06 comments rely on this to chain state between checks (presumably -- confirm
# against the helper sources).
# NOTE(review): every helper below is referenced by a bare relative filename
# (*.pyo, no directory). They are presumably resolved against Squid's working
# directory -- confirm -- and that directory must be writable only by the account
# that administers Squid: a replaced helper runs with whatever privileges Squid
# grants its helpers and can answer OK to any request.
# NOTE(review): no "acl ... external" line exists here for response_size_type (it is
# declared inline in p06) or for bandwidth_check_type (not referenced anywhere in
# this file). session_checker1 and policy_finder are declared but never used in a rule.
external_acl_type session_checker_type1 ttl=1 children-startup=2 children-idle=1 children-max=5 %SRC python session_checker_type1.pyo
acl session_checker1 external session_checker_type1
external_acl_type policy_finder_type ttl=900 children-startup=2 children-idle=1 children-max=50 %URI %EXT_LOG policy_finder.pyo
acl policy_finder external policy_finder_type
# Device identification by client MAC (%SRCEUI48) and IP; only meaningful for clients
# on the same L2 segment as the proxy.
external_acl_type device_group_type ttl=900 children-startup=2 children-idle=1 children-max=25 %EXT_LOG %SRCEUI48 %SRC device_group_acl.pyo
acl device_group external device_group_type
# Explicit-proxy clients are grouped by authenticated login (%LOGIN) ...
external_acl_type explicit_user_group_type ttl=900 children-startup=2 children-idle=1 children-max=15 %LOGIN user_group_acl.pyo
acl explicit_user_group external explicit_user_group_type
# ... intercepted clients cannot be prompted for credentials, so the same helper is
# driven from the prior helper's %EXT_LOG instead.
external_acl_type intercepted_user_group_type ttl=900 children-startup=2 children-idle=1 children-max=10 %EXT_LOG user_group_acl.pyo
acl intercepted_user_group external intercepted_user_group_type
# ttl=1: captive-portal session state is re-checked almost every request.
external_acl_type cportal_session_checker_type ttl=1 children-idle=1 children-max=25 children-startup=2 %SRC %EXT_LOG %SRCEUI48 cportal_session_checker_acl.pyo
acl cportal_session_checker external cportal_session_checker_type
external_acl_type allowed_list_type ttl=900 children-startup=2 children-idle=1 children-max=35 %URI %TAG allowed_list_ext_acl.pyo
acl allowed_list external allowed_list_type
external_acl_type denied_list_type ttl=900 children-startup=2 children-idle=1 children-max=35 %URI %TAG %EXT_LOG denied_list_ext_acl.pyo
acl denied_list external denied_list_type
external_acl_type white_list_policy_list_type ttl=300 children-startup=2 children-idle=1 children-max=10 %TAG %EXT_LOG white_list_policy_ext_acl.pyo
acl white_list_policy external white_list_policy_list_type
# %<{Content-Type} syntax generates a warning in squid, but its suggested syntax does not work.
# Reply-side helper: receives the server's Content-Type header (used from http_reply_access in p06).
external_acl_type mime_deny_type ttl=900 children-idle=1 children-max=5 children-startup=2 %<{Content-Type} %TAG %EXT_LOG mime_deny_ext_acl.pyo
acl mime_deny external mime_deny_type
external_acl_type category_checker_type ttl=10 children-idle=1 children-max=50 children-startup=2 %URI %TAG %EXT_LOG category_checker_ext_acl.pyo
acl category_checker external category_checker_type
external_acl_type rewriter_check_type ttl=10 children-idle=1 children-max=30 children-startup=2 %URI %TAG rewriter_check_ext_acl.pyo
acl rewriter_check external rewriter_check_type
external_acl_type response_size_type ttl=300 children-startup=2 children-idle=1 children-max=50 %URI %TAG %EXT_LOG max_file_size_ext_acl.pyo
external_acl_type bandwidth_check_type ttl=300 children-startup=2 children-idle=1 children-max=25 %URI %TAG %EXT_LOG bandwidth_restriction_ext_acl.pyo
external_acl_type credit_checker_type ttl=10 children-idle=1 children-max=25 children-startup=2 %EXT_LOG %TAG credit_checker_acl.pyo
acl credit_checker external credit_checker_type
external_acl_type temp_user_denial_type ttl=300 children-startup=2 children-idle=1 children-max=25 %EXT_LOG temp_user_denial_ext_acl.pyo
acl temp_user_denial external temp_user_denial_type
###### p03. Safe Port, local network addresses and other ACL Definitions ######
# Rules allowing access from your local networks. Adapt this list to your (internal) IP networks from where browsing should be allowed
# NOTE(review): localnet is defined here but is not referenced by any http_access
# rule in this file; client scoping is done by the device/user helpers instead.
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
# SSL and Safe ports
# NOTE(review): CONNECT tunnels are permitted to 8080 and 7070 as well as 443 (see
# "http_access deny CONNECT !SSL_ports" in p05). Squid cannot see inside a tunnel, so
# each additional port widens what can be relayed through the proxy -- confirm both
# are still required.
acl SSL_ports port 443 8080 7070
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
# SSL Connect traffic method
acl CONNECT method CONNECT
# Proxy Auth Setting (explicit requests only)
acl explicit_auth proxy_auth REQUIRED
# Intercepted traffic port definitions
# myportname matches the name= given on the http_port/https_port lines in p09.
# Port 3128 carries no name= there; Squid's default port name is the port
# specification itself, which is what makes "3128" match.
# NOTE(review): 3130 is listed twice (once with 3129, once on its own); the second
# interceptedPorts line is redundant and can be dropped.
acl explicitPorts myportname 3128
acl interceptedPorts myportname 3129 3130
acl interceptedPorts myportname 3130
# The host for verifying if the proxy is a trusted CA or not
# NOTE(review): this check depends on a third-party domain (code.jquery.com) being
# reachable, and p06 allows any intercepted client to request it before any
# authentication or device check.
acl sslbump_test_url dstdomain code.jquery.com
# Management/Admin Interface domain
# NOTE(review): this is a *destination* ACL. p05 allows it before the Safe_ports,
# CONNECT and authentication rules, so every client that can reach the proxy can
# reach any port on 192.168.1.10 through it without authenticating. If that is not
# intended, pair it with a src ACL for the administrators' addresses.
acl management_interface dst 192.168.1.10
# URL-rewritable websites
acl rewritable-sites dstdom_regex "acls/rewriter/domains.txt"
# Bypass Lists
# App Compatibility Lists, should they exist
# The quoted list files are relative paths as well -- same ownership/permission
# caveat as the p02 helpers: whoever can edit these files can open bypasses.
acl app_compat_auth_dst dst "app_auth_bypass_dst.txt"
acl app_compat_auth_domain dstdomain "app_compat_auth_bypass_dstdomain.txt"
acl app_compat_bump_bypass dst "app_compat_bump_bypass_dst.txt"
###### p04. Deny Info Definitions - for controlling denied traffic redirection ######
# Custom Squid error pages dir
error_directory /usr/local/app/squid/errors/
# Intercepted traffic certificate check
# NOTE(review): every redirect below goes to a cleartext http:// host and places the
# denied URL (%u) -- query string included -- and the client address (%i) in the
# query string. The portal host, its logs and anyone on the path therefore see the
# full denied URL. Keep that in mind for the portal's log retention.
# NOTE(review): cert_session_checker, auth_device and auth_user are named here but
# no "acl" line defines them anywhere in this file.
deny_info http://192.168.0.10/certcheck?next=%u&src=%i cert_session_checker
# Deny pages redirects
deny_info http://192.168.0.10/deny/?url=%u&m=%o category_checker
deny_info http://192.168.0.10/deny/?url=%u&m=%o denied_list
deny_info http://192.168.0.10/unknown-device/ auth_device
deny_info http://192.168.0.10/unknown-user/ auth_user intercepted_user_group
deny_info http://192.168.0.10/cportal?src=%i&next=%u&m=%o cportal_session_checker
deny_info http://192.168.0.10/deny/?url=%u&m=%o temp_user_denial
###### p05. Recommended Minimum Access Permissions ######
# Management Interface Bypass
# NOTE(review): these two lines come before every other check (unsafe ports,
# CONNECT restriction, authentication, device identification). See the note on
# the management_interface ACL in p03.
always_direct allow management_interface
http_access allow management_interface
# Ensure that only localhost can access manager
http_access allow localhost manager
http_access deny manager
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# SSL Bump Step2
# Defined here but only used by the ssl_bump rules in p08.
acl step2 at_step SslBump2
###### p06. Access Rules ######
# Make sure the "certificate check" test URL can always be requested
# NOTE(review): cert_session_checker is not defined by any acl line in this file.
# Squid normally refuses to start when an http_access rule names an unknown ACL,
# so either it is defined in a file not shown here or this rule is stale -- confirm.
http_access deny !management_interface !sslbump_test_url interceptedPorts !cert_session_checker
http_access allow sslbump_test_url interceptedPorts
## Authentication Rules ##
# Immediately allow anything matching app compatibility lists
# These destinations are reachable with no authentication and no device check
# (the deny rules for unidentified clients come later in this list).
http_access allow app_compat_auth_dst
http_access allow app_compat_auth_domain
# Allow authenticated users and authorised devices and continue evaluation
# The trailing !all makes each of these rules impossible to match; they exist so
# the external helper is consulted (and its EXT_LOG/TAG side effects recorded)
# without granting access at this point -- presumably, see the quirk comments
# further down.
http_access allow interceptedPorts device_group !all
http_access allow explicitPorts device_group !all
http_access allow interceptedPorts cportal_session_checker !all
# Intercepted clients that are neither a known device nor holding a portal session
# are denied here (redirected by the cportal_session_checker deny_info in p04).
http_access deny interceptedPorts !device_group !cportal_session_checker
http_access allow explicitPorts !device_group explicit_auth explicit_user_group !all
# Deny unauthed clients (except those we can't authenticate)
http_access deny interceptedPorts !device_group !intercepted_user_group
http_access deny explicitPorts !device_group explicit_auth !explicit_user_group
# Temporary user denial check
http_access deny temp_user_denial
# Find the policy that applies to this user
# NOTE(review): set_finder is not defined anywhere in this file, while policy_finder
# (p02) is defined and never used; this looks like the same ACL under two names --
# confirm which name is intended (also used in http_reply_access below).
http_access allow set_finder !all
# Check if credit is in play and that the user has credit
http_access deny !device_group credit_checker
# Allow allowed content for whitelist policies
http_access allow white_list_policy allowed_list
# Deny everything else for whitelist policies
http_access deny !management_interface !allowed_list white_list_policy
# Denied Lists
http_access deny !management_interface denied_list
# Allowed Lists
# NOTE(review): this allow precedes the category filter and the response-size
# check below, so allowed-list destinations skip both. The reply-side rules
# (http_reply_access) are a separate list and still apply to their responses.
http_access allow allowed_list
# Category filters
http_access deny category_checker
# Find the Set that applies to this user
# Squid quirk: category_checker retest must be here for the ext_log changes it makes to carry on when the acl returns ERR
http_reply_access allow set_finder !category_checker !all
# Media type / response Handling
# NOTE: MIME Types cannot be explicitly allowed because replies are implicitly allowed
http_reply_access deny !management_interface mime_deny
# File size (download) restrictions
# Inline external ACL: passes the literal arguments "100" and "192.168.0.10" to the
# helper after the %URI %TAG %EXT_LOG tokens.
acl response_size_100 external response_size_type 100 192.168.0.10
# Squid quirk: Result caching cannot alter the EXT_LOG for fast acls as cache lookups include the EXT_LOG, so we must
# check this result twice to alter the EXT_LOG and then have the result cached against the altered EXT_LOG.
http_access allow response_size_100 response_size_100
# Cap response bodies at 100 MB for requests matched by the helper.
reply_body_max_size 100 MB response_size_100
###### p07. Default Fallback Rules ######
# Allow for auth'ed devices/users after passing policy evaluation
# Anything still undecided here has survived the deny rules above; intercepted
# requests reaching this point are allowed regardless of device/user group
# (unidentified intercepted clients were already denied in p06).
http_access allow device_group
http_access allow explicitPorts explicit_user_group
http_access allow interceptedPorts
# Deny any thus-far unidentified clients
http_access deny all
# Probably-redundantly allow any replies that haven't been denied already
http_reply_access allow all
###### p08. SSL and Intercepted Traffic Settings ######
# Peek at step 1 (reads the client's TLS hello, including the requested server
# name) and splice at step 2: intercepted TLS is passed through without being
# decrypted. With these two rules nothing is ever bumped, so the certificate
# generator configured below is presumably exercised only when Squid must answer
# the client itself (e.g. to deliver an error page) -- confirm.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump splice step2
# Setup Options for the dynamic certificate db and helper
# The ssl_db directory holds generated server certificates and must be writable by
# the Squid user only.
sslcrtd_program /usr/bin/squid_ssl_crtd -s /usr/local/mwf/mwf13/squid/ssl_db -M 4MB
sslcrtd_children 32 startup=5 idle=1
###### p09. Squid Listening Interfaces ######
# 3128: explicit proxy (Negotiate/Basic auth). 3129/3130: transparently intercepted
# HTTP/HTTPS; the name= values are what the myportname ACLs in p03 match on.
http_port 3128
http_port 3129 intercept name=3129
# NOTE(review): the signing certificate and its private key are referenced by
# relative path. The key file must be readable only by the Squid user; anyone
# holding it can mint certificates that intercepted clients trust.
https_port 3130 intercept name=3130 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=ssl_cert/proxy-cert.cer key=ssl_cert/proxy-key.key
###### p10. Other Squid Settings ######
# Maximum file descriptors
max_filedesc 8192
# Caching configuration options
maximum_object_size 1024 MB
# aufs store, 60000 MB, 16 first-level and 256 second-level directories.
cache_dir aufs /var/spool/squid 60000 16 256
# Leave coredumps in the first cache dir
# Core dumps of the proxy can contain in-flight request data and credentials;
# keep this directory restricted to the Squid user.
coredump_dir /var/spool/squid
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
# Don't remove query strings from logged URLs
# NOTE(review): with query terms kept, access.log inherits whatever clients put in
# URLs (session tokens, API keys, password-reset links). Treat the log files as
# sensitive: tight file permissions and a deliberate retention period.
strip_query_terms off
# Make sure we can restart Squid faster than 30+ seconds
shutdown_lifetime 5.00 second
# Accommodate Microsoft's large DNS pools
# http://www.squid-cache.org/mail-archive/squid-users/201308/0268.html
forward_max_tries 25
###### p11. Hostname Definition ######
# (No directive in this version; Squid presumably falls back to the system hostname.)
###### p12. URL Rewriting ######
# Rewriter helper is a relative path too (see the p02 note). It only sees requests
# that are not CONNECT, match the rewritable-sites list and pass rewriter_check.
url_rewrite_program url_rewriter.pyo
url_rewrite_children 20 startup=2
url_rewrite_access allow !CONNECT rewritable-sites rewriter_check
###### p13. Log Formatting ######
# The custom format records the client MAC (%>eui), client IP (%>a), login name
# (%un), full request URL (%ru, with query terms per p10), bump mode and the
# User-Agent header. This is personal data; see the strip_query_terms note.
logformat custom %{%d/%b/%Y-%H:%M:%S}tl %6tr %>eui %>a %Ss %>Hs %<st %rm %ru %un %ssl::bump_mode %{User-Agent}>h %Sh/%<a %mt %ea
access_log stdio:/var/log/squid/access.log custom
access_log stdio:/var/log/squid/default-access.log squid
###### p14. Debugging ######
# Leave these disabled in production: high debug levels (ALL,9 in particular)
# write request and response details, headers included, into cache.log.
#debug_options 77,9
#debug_options 28,3 26,3
#debug_options ALL,9
#debug_options ALL,1 82,9 84,9