Squid Stuff
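#
# Recommended minimum configuration:
#
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
# Ports that CONNECT (tunnelling) is permitted to. Only 443 is listed, so the
# mail ports in Safe_ports below are not reachable by a mail client through a
# tunnel; they only admit plain HTTP requests addressed to those ports.
acl SSL_ports port 443
# Ports that plain HTTP requests may be proxied to. Port 25 (SMTP) is
# deliberately absent: with CONNECT limited to 443 it served no legitimate
# client, and relaying HTTP to an SMTP listener lets the proxy be misused as a
# mail relay. Review whether 110/143/587/993/995 are still needed for the
# same reason.
acl Safe_ports port 80 # http
acl Safe_ports port 110 # pop3 (plain HTTP only; see SSL_ports)
acl Safe_ports port 143 # imap (plain HTTP only; see SSL_ports)
acl Safe_ports port 587 # submission (plain HTTP only; see SSL_ports)
acl Safe_ports port 993 # imaps (plain HTTP only; see SSL_ports)
acl Safe_ports port 995 # pop3s (plain HTTP only; see SSL_ports)
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
#__________________________________________________________________________________
# Custom ACL DOMAINS Block Lists
#__________________________________________________________________________________
# One dstdomain ACL per category. Each file holds one domain per line and is
# matched against the request's destination host name (an entry starting with
# a dot also matches its subdomains). Keep the list files readable only by the
# squid user; anyone who can edit them controls what this proxy blocks.
acl block_ads dstdomain "/etc/squid/blacklists/squid-ads.acl"
acl block_blasphemy dstdomain "/etc/squid/blacklists/squid-blasphemy.acl"
acl block_chanology dstdomain "/etc/squid/blacklists/squid-chanology.acl"
acl block_cp dstdomain "/etc/squid/blacklists/squid-cp.acl"
acl block_dating dstdomain "/etc/squid/blacklists/squid-dating.acl"
acl block_dyn dstdomain "/etc/squid/blacklists/squid-dyn.acl"
acl block_facebook dstdomain "/etc/squid/blacklists/squid-facebook.acl"
acl block_file dstdomain "/etc/squid/blacklists/squid-file.acl"
acl block_freeweb dstdomain "/etc/squid/blacklists/squid-freeweb.acl"
acl block_gambling dstdomain "/etc/squid/blacklists/squid-gambling.acl"
acl block_gaming dstdomain "/etc/squid/blacklists/squid-gaming.acl"
acl block_image dstdomain "/etc/squid/blacklists/squid-image.acl"
acl block_malicious dstdomain "/etc/squid/blacklists/squid-malicious.acl"
acl block_newtlds dstdomain "/etc/squid/blacklists/squid-new-tlds.acl"
acl block_pharmarx dstdomain "/etc/squid/blacklists/squid-pharma-rx.acl"
acl block_piracy dstdomain "/etc/squid/blacklists/squid-piracy.acl"
acl block_porn dstdomain "/etc/squid/blacklists/squid-porn.acl"
acl block_prime dstdomain "/etc/squid/blacklists/squid-prime.acl"
acl block_proxies dstdomain "/etc/squid/blacklists/squid-proxies.acl"
acl block_racism dstdomain "/etc/squid/blacklists/squid-racism.acl"
acl block_smedia dstdomain "/etc/squid/blacklists/squid-smedia.acl"
acl block_usg dstdomain "/etc/squid/blacklists/squid-usg.acl"
acl block_video dstdomain "/etc/squid/blacklists/squid-video.acl"
#__________________________________________________________________________________
# Custom ACL Lists
#__________________________________________________________________________________
# Locally maintained additions: a manual block list and a whitelist that takes
# precedence over every block list (see the http_access section).
acl block_manuallist dstdomain "/etc/squid/squid-manual-blacklist.acl"
acl allow_whitelist dstdomain "/etc/squid/squid-whitelist.acl"
#__________________________________________________________________________________
# Custom ACL EXPRESSIONS Lists
#__________________________________________________________________________________
# url_regex is matched against the whole URL, case-insensitively (-i). Regex
# lists are costlier than dstdomain lists, so keep this file short.
acl block_pornregex url_regex -i "/etc/squid/blacklists/squid-porn-regex.acl"
#
# Recommended minimum Access Permission configuration:
#
# http_access lines are evaluated top to bottom and the first match wins, so
# the ordering below is load-bearing: port sanity, manager, loopback,
# whitelist, block lists, then the source-network allow and the final deny.
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
# Protect web applications running on the proxy host that assume the only
# party able to reach "localhost" is a local user: refuse to proxy requests
# whose destination is a loopback address. (Squid's own default config
# recommends enabling this; it was previously left commented out here.)
http_access deny to_localhost
#__________________________________________________________________________________
# Custom HTTP ACCESS ALLOW DOMAINS Lists
#__________________________________________________________________________________
# The whitelist overrides the block lists below, but only for clients that are
# already entitled to use this proxy. An unqualified "allow allow_whitelist"
# matched before "allow localnet" would let any source address reach the
# whitelisted domains through this proxy, before "deny all" is consulted.
http_access allow localnet allow_whitelist
http_access allow localhost allow_whitelist
#__________________________________________________________________________________
# Custom HTTP ACCESS DOMAINS Block Lists
#__________________________________________________________________________________
http_access deny block_ads
http_access deny block_blasphemy
http_access deny block_chanology
http_access deny block_cp
http_access deny block_dating
http_access deny block_dyn
http_access deny block_facebook
http_access deny block_file
http_access deny block_freeweb
http_access deny block_gambling
http_access deny block_gaming
http_access deny block_image
http_access deny block_malicious
http_access deny block_newtlds
http_access deny block_pharmarx
http_access deny block_piracy
http_access deny block_porn
http_access deny block_prime
http_access deny block_proxies
http_access deny block_racism
http_access deny block_smedia
http_access deny block_usg
http_access deny block_video
http_access deny block_manuallist
#__________________________________________________________________________________
# Custom HTTP ACCESS ALLOW EXPRESSIONS/URLS Lists
#__________________________________________________________________________________
# The ACL names referenced here are not defined anywhere in this file. Define
# them in the ACL section first, and qualify the allow with localnet/localhost
# as done for allow_whitelist above, before uncommenting.
#http_access allow localnet allow_whitelist_expressions
#http_access allow localnet allow_whitelist_urls
#__________________________________________________________________________________
# Custom HTTP ACCESS EXPRESSIONS Block Lists
#__________________________________________________________________________________
http_access deny block_pornregex
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
# Squid normally listens to port 3128. This binds every interface; which
# clients may use it is decided solely by the http_access rules above.
http_port 3128
# Disk cache: 25600 MB under /var/spool/squid, 16 first-level and 256
# second-level subdirectories. Adjust the size to the filesystem.
cache_dir ufs /var/spool/squid 25600 16 256
# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid
#
# Add any of your own refresh_pattern entries above these.
#
# Fields are: regex, min age (minutes), percent of object age, max age
# (minutes). The static-content rules below cache aggressively:
# override-expire / ignore-no-store / ignore-private make Squid keep objects
# the origin marked as expired, uncacheable or user-specific. On a proxy
# shared by several users this can hand one user's private response to
# another; confirm that is acceptable before deploying these as-is.
# ignore-no-cache is reported obsolete by newer Squid releases and can be
# dropped once that warning appears in cache.log.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$ 10080 90% 43200 override-expire ignore-no-cache ignore-no-store ignore-private
refresh_pattern -i \.(iso|avi|wav|mp3|mp4|mpeg|swf|flv|x-flv)$ 43200 90% 432000 override-expire ignore-no-cache ignore-no-store ignore-private
refresh_pattern -i \.(deb|rpm|exe|zip|tar|tgz|ram|rar|bin|ppt|doc|tiff)$ 10080 90% 43200 override-expire ignore-no-cache ignore-no-store ignore-private
refresh_pattern -i \.index.(html|htm)$ 0 40% 10080
refresh_pattern -i \.(html|htm|css|js)$ 1440 40% 40320
refresh_pattern . 0 20% 4320
# Placeholder: replace with the real search domain appended to unqualified
# host names in client requests.
append_domain .your.domain
# Drop privileges to this user/group after binding http_port.
cache_effective_user squid
cache_effective_group squid
# Placeholder: this address is shown to users on Squid error pages.
cache_mgr email@email.com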