squid configuration
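# General
# NOTE(review): an http_port with no address binds every interface. The comment
# below says 3128 is administrative only; binding it to the loopback or a
# management address (Squid accepts the "addr:port" form) would keep it off the
# client-facing network instead of relying on http_access alone. Left unchanged.
http_port 3128 # only used for squidclient and administrative purposes
http_port 3129 intercept # use intercept for squid 3.4 or above
visible_hostname mycache.proxy
# Strip client-identifying headers from what is forwarded upstream.
forwarded_for delete
via off
# saves time when waiting for Squid to shut down
shutdown_lifetime 5 seconds
dns_defnames on
# NOTE(review): the original comment read "point to dnsmasq", but the resolver
# configured here is 8.8.8.8 (a public resolver, not a local dnsmasq). Confirm
# which is intended; the value is left unchanged.
dns_nameservers 8.8.8.8
# Log
logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt
# /cache/ is the cache drive (when using VMs)
access_log /cache/log/squid/access.log squid
# when using single OS/device
# access_log /var/log/squid/access.log squid
# Cache
cache_mem 256 MB
maximum_object_size 6000 MB # 2GB is limit on raspbian
cache_dir aufs /cache/squid 81920 16 256
coredump_dir /cache/squid
# Cache deny sites
acl denysites dstdom_regex "/etc/squid/cache_deny_sites.txt"
cache deny denysites
# Cache update sites
acl updatesites dstdom_regex "/etc/squid/updatesites.txt"
cache allow updatesites
# Windows updates
# NOTE(review): range_offset_limit -1 applies to every request, so any client
# Range request makes Squid fetch the whole object (up to maximum_object_size,
# 6000 MB here) -- a bandwidth/disk amplification exposure driven by clients.
# Squid 3.2+ accepts a trailing ACL list on this directive; scoping it to
# updatesites would keep the update-caching behaviour while bounding other
# traffic. Confirm against the installed version; left unchanged.
range_offset_limit -1
quick_abort_min -1 KB
# NOTE(review): Store-ID rewriting merges different URLs into one cache entry
# that is then served to every client mapping to that ID. Whether an unrelated
# URL could supply content for an update URL depends on the rules in
# storeid_rewrite.conf and on updatesites.txt (neither shown here); keep both
# lists tight and host-anchored.
store_id_program /usr/lib/squid/storeid_file_rewrite.pl /etc/squid/storeid_rewrite.conf
store_id_children 10 startup=3 idle=1 concurrency=0
store_id_access allow updatesites
store_id_access deny all
# have to use this. see refresh patterns (cgi-bin) below
# acl QUERY urlpath_regex cgi-bin \?
# cache deny QUERY
# refresh patterns for caching updates
# NOTE(review): these regexes are unanchored and use an unescaped '.', so a
# fragment such as "adobe.com\/" matches that substring anywhere in the URL
# (path included), not only in the host part. With ignore-no-store and
# override-expire, matching .exe/.zip objects are kept for up to 43200 minutes
# regardless of origin headers. The microsoft pattern uses 4320 where the
# others use 43200 -- confirm that is intended.
refresh_pattern ([^.]+.|)adobe.com\/.*\.(zip|exe) 43200 100% 43200 reload-into-ims ignore-reload ignore-no-store override-expire override-lastmod
refresh_pattern ([^.]+.|)java.com\/.*\.(zip|exe) 43200 100% 43200 reload-into-ims ignore-reload ignore-no-store override-expire override-lastmod
refresh_pattern ([^.]+.|)sun.com\/.*\.(zip|exe) 43200 100% 43200 reload-into-ims ignore-reload ignore-no-store override-expire override-lastmod
refresh_pattern ([^.]+.|)oracle.com\/.*\.(zip|exe|tar.gz) 43200 100% 43200 reload-into-ims ignore-reload ignore-no-store override-expire override-lastmod
refresh_pattern ([^.]+.|)cs\.steampowered\.com 43200 100% 43200 reload-into-ims ignore-reload ignore-no-store override-expire override-lastmod
refresh_pattern -i appldnld\.apple\.com 43200 100% 43200 ignore-reload ignore-no-store override-expire override-lastmod
refresh_pattern -i ([^.]+.|)apple.com\/.*\.(ipa) 43200 100% 43200 ignore-reload ignore-no-store override-expire override-lastmod
refresh_pattern ([^\?]*\/)?([^.]+\.)?(windows|download|(windows)?update)\.(microsoft\.)?com\/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 100% 43200 reload-into-ims ignore-reload ignore-no-store override-expire override-lastmod
refresh_pattern -i ([^.]+.|)google.com\/.*\.(tgz|exe|crx) 10080 80% 43200 override-expire override-lastmod ignore-no-cache ignore-reload reload-into-ims ignore-private
refresh_pattern -i ([^.]+.|)gstatic.com\/.*\.(exe|crx) 10080 80% 43200 override-expire override-lastmod ignore-no-cache ignore-reload reload-into-ims ignore-private
refresh_pattern -i ([^.]+.|)ubuntu.com\/.*\.(deb) 10080 80% 43200 override-expire override-lastmod ignore-no-cache ignore-reload reload-into-ims ignore-private
#refresh patterns for caching static files
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
# NOTE(review): ignore-private / ignore-no-store on a shared cache mean
# responses the origin marked Cache-Control: private or no-store (possibly
# per-user content) can be served to other clients on localnet. Tolerable for
# public images and installers; the html/css/js pattern below deliberately
# does not carry these options -- keep it that way.
refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$ 10080 90% 43200 override-expire ignore-no-cache ignore-no-store ignore-private
refresh_pattern -i \.(iso|avi|wav|mp3|mp4|mpeg|swf|flv|x-flv)$ 43200 90% 432000 override-expire ignore-no-cache ignore-no-store ignore-private
refresh_pattern -i \.(deb|rpm|exe|zip|tar|tgz|ram|rar|bin|ppt|doc|tiff)$ 10080 90% 43200 override-expire ignore-no-cache ignore-no-store ignore-private
refresh_pattern -i \.index.(html|htm)$ 0 40% 10080
refresh_pattern -i \.(html|htm|css|js)$ 1440 40% 40320
# when using below patterns some files (.zip) are being cached. see `acl QUERY` above
# deny caching url with query string
#refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
# allow caching url with query string
# refresh_pattern -i cgi-bin 0 0% 0
refresh_pattern . 0 40% 4320
# Network ACL
acl localnet src 10.20.0.0/24
# Port ACL
acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 8080 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
# Access Restrictions
# Order matters: Squid applies the first matching http_access line.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# NOTE(review): every host on localnet (10.20.0.0/24) can read cache manager
# reports and PURGE cache entries via the rules below. If that is wider than
# the set of administrators, define a narrower src ACL for the admin host(s)
# and use it instead of localnet on the manager and purge lines.
http_access allow manager localhost
http_access allow manager localnet
http_access deny manager
# Protects web applications running on the proxy host that assume the only
# party able to reach them on "localhost" is a local user. (The stock squid.conf
# ships this line commented out; it is active here.)
http_access deny to_localhost
http_access allow purge localhost
http_access allow purge localnet
http_access deny purge
http_access allow localhost
http_access allow localnet
http_access deny all
http_reply_access allow all
# not synchronizing proxy servers
htcp_port 0
htcp_access deny all
icp_port 0
icp_access deny all
always_direct allow all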
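# General
# NOTE(review): an http_port with no address binds every interface. The comment
# below says 3128 is administrative only; binding it to the loopback or a
# management address (Squid accepts the "addr:port" form) would keep it off the
# client-facing network instead of relying on http_access alone. Left unchanged.
http_port 3128 # only used for squidclient and administrative purposes
http_port 3129 intercept # use intercept for squid 3.4 or above
visible_hostname mycache.proxy
# Strip client-identifying headers from what is forwarded upstream.
forwarded_for delete
via off
# saves time when waiting for Squid to shut down
shutdown_lifetime 5 seconds
dns_defnames on
# NOTE(review): the original comment read "point to dnsmasq", but the resolver
# configured here is 8.8.8.8 (a public resolver, not a local dnsmasq). Confirm
# which is intended; the value is left unchanged.
dns_nameservers 8.8.8.8
# Log
logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt
# /cache/ is the cache drive (when using VMs)
access_log /cache/log/squid/access.log squid
# when using single OS/device
# access_log /var/log/squid/access.log squid
# Cache
cache_mem 256 MB
maximum_object_size 6000 MB # 2GB is limit on raspbian
cache_dir aufs /cache/squid 81920 16 256
coredump_dir /cache/squid
# have to use this. see refresh patterns (cgi-bin) below
#acl QUERY urlpath_regex cgi-bin \?
#cache deny QUERY
#refresh patterns for caching static files
#refresh_pattern ^ftp: 1440 20% 10080
#refresh_pattern ^gopher: 1440 0% 1440
# NOTE(review): ignore-private / ignore-no-store on a shared cache mean
# responses the origin marked Cache-Control: private or no-store (possibly
# per-user content) can be served to other clients on localnet. Tolerable for
# public images and installers; the html/css/js pattern below deliberately
# does not carry these options -- keep it that way.
# (The two long patterns below were wrapped mid-option in the pasted copy;
# each must be a single line for Squid to parse it.)
refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$ 10080 90% 43200 override-expire ignore-no-cache ignore-no-store ignore-private
refresh_pattern -i \.(iso|avi|wav|mp3|mp4|mpeg|swf|flv|x-flv)$ 43200 90% 432000 override-expire ignore-no-cache ignore-no-store ignore-private
refresh_pattern -i \.(dmg|deb|rpm|exe|zip|tar|tgz|ram|rar|bin|ppt|doc|tiff)$ 10080 90% 43200 override-expire ignore-no-cache ignore-no-store ignore-private
refresh_pattern -i \.index.(html|htm)$ 0 40% 10080
refresh_pattern -i \.(html|htm|css|js)$ 1440 40% 40320
# do not cache cgi-bin or query-string URLs
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 0% 0
# Network ACL
acl localnet src 10.20.0.0/24
# Port ACL
acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 8080 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
# Access Restrictions
# Order matters: Squid applies the first matching http_access line.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# NOTE(review): every host on localnet (10.20.0.0/24) can read cache manager
# reports and PURGE cache entries via the rules below. If that is wider than
# the set of administrators, define a narrower src ACL for the admin host(s)
# and use it instead of localnet on the manager and purge lines.
http_access allow manager localhost
http_access allow manager localnet
http_access deny manager
# Protects web applications running on the proxy host that assume the only
# party able to reach them on "localhost" is a local user. (The stock squid.conf
# ships this line commented out; it is active here.)
http_access deny to_localhost
http_access allow purge localhost
http_access allow purge localnet
http_access deny purge
http_access allow localhost
http_access allow localnet
http_access deny all
http_reply_access allow all
# not synchronizing proxy servers
htcp_port 0
htcp_access deny all
icp_port 0
icp_access deny all
always_direct allow all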