Squid Cache configuration for caching HTTPS
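##################################################################################################################
# One-time CA setup for ssl-bump (commands shown as run by the original author):
# openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -extensions v3_ca -keyout squid-ca-key.pem -out squid-ca-cert.pem
# cat squid-ca-cert.pem squid-ca-key.pem >> squid-ca-cert-key.pem
# sudo mkdir /etc/squid/certs
# sudo mv squid-ca-cert-key.pem /etc/squid/certs/
# sudo chown proxy:proxy -R /etc/squid/certs
# sudo chmod 600 /etc/squid/certs/squid-ca-cert-key.pem
#   squid-ca-cert-key.pem contains the CA *private key*.  Anyone who can read it
#   can mint certificates that every browser trusting this CA will accept, so the
#   file must be readable by the squid user only.  The bare squid-ca-key.pem left
#   in the working directory should be deleted or protected the same way.
# sudo /usr/lib/squid/security_file_certgen -c -s /var/cache/squid/ssl_db -M16MB
# sudo chown -R proxy:proxy /var/cache/squid/ssl_db
# sudo systemctl restart squid
# echo After this, import in Firefox or Chrome (Settings -> Security -> Certificates -> Authorities)
# echo the cert squid-ca-cert.pem
#   Import only squid-ca-cert.pem (the public certificate), never the -key or -cert-key file.
##################################################################################################################
# Source networks considered "local".  Only relevant if a listening port is ever
# bound to a non-loopback address (the http_port/https_port lines further down
# bind to 127.0.0.1).
acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN)
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
# Ports a CONNECT tunnel may target.
acl SSL_ports port 443
# Ports plain requests may target.
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
# http_access rules are evaluated top to bottom; the first match decides.
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
# Note: with the ignore-private / ignore-auth refresh_patterns used further down,
# every client admitted here shares one cache.  "allow localnet" is harmless while
# the listeners stay on 127.0.0.1, but if a port is rebound to a LAN address this
# proxy will serve one LAN user's private/authenticated responses to another.
http_access allow localnet
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
# Squid normally listens to port 3128.  The ssl-bump listeners are configured
# further down (http_port / https_port), which is why this plain line stays commented.
# http_port 127.0.0.1:8080
# Disk cache: ufs store, 4096 MB, 16 first-level and 32 second-level directories.
cache_dir ufs /var/cache/squid 4096 16 32
# Leave coredumps in the first cache dir
coredump_dir /var/cache/squid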
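# taken from https://aacable.wordpress.com/tag/squid-maximum-cache-hit/
#
# Add any of your own refresh_pattern entries above these.
#
# 1 year = 525600 mins, 1 month = 43800 mins
#
# refresh_pattern is first-match: the first line whose regex matches the URL
# decides, and the remaining lines are not consulted.  The ^http:\/\/.* and
# ^https:\/\/.* lines a few entries below match every HTTP(S) URL, so every
# refresh_pattern after them is only reached for other schemes (ftp:, gopher:).
# Move or narrow those two lines if the site-specific rules further down are
# meant to take effect.
#
# Security note: ignore-private, ignore-auth, ignore-no-store and ignore-no-cache
# store responses the origin explicitly marked as per-user or uncacheable,
# including bumped HTTPS content.  That is only acceptable while this proxy
# serves a single trusted user; on a shared proxy it can hand one user's
# authenticated pages to another.
refresh_pattern -i \.(gif|png|jpg|jpeg|ico|webp) 10080 99999% 432000 override-expire ignore-no-cache ignore-no-store ignore-private
refresh_pattern -i \.(iso|avi|wav|mp3|mp4|mpeg|swf|flv|x-flv) 432000 99999% 432000 override-expire ignore-no-cache ignore-no-store ignore-private
refresh_pattern -i \.(deb|rpm|exe|zip|tar|tgz|ram|rar|bin|ppt|doc|tiff) 10080 99999% 432000 override-expire ignore-no-cache ignore-no-store ignore-private
refresh_pattern -i \.(htm|asp|php|jsp|json|js|css|ico|ttf|woff) 10080 99999% 432000 override-expire ignore-no-cache ignore-no-store ignore-private
# Catch-alls: these two shadow every refresh_pattern below for http/https URLs.
refresh_pattern -i ^http:\/\/.* 10080 99999% 432000 override-expire ignore-no-cache ignore-no-store ignore-private
refresh_pattern -i ^https:\/\/.* 10080 99999% 432000 override-expire ignore-no-cache ignore-no-store ignore-private
refresh_pattern -i https:\/\/.*\.googlevideo\.com\/videoplayback\? 10080 99999% 432000 override-expire ignore-no-cache ignore-no-store ignore-private override-lastmod reload-into-ims
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern imeem.*\.flv 0 0% 0 override-lastmod override-expire
refresh_pattern \.rapidshare.*\/[0-9]*\/.*\/[^\/]* 161280 99999% 161280 ignore-reload
refresh_pattern (get_video\?|videoplayback\?|videodownload\?|\.flv?) 129600 999999% 129600 ignore-no-cache ignore-no-store ignore-private override-expire override-lastmod reload-into-ims
refresh_pattern (get_video\?|videoplayback\?id|videoplayback.*id|videodownload\?|\.flv?) 129600 999999% 129600 ignore-no-cache ignore-no-store ignore-private override-expire override-lastmod reload-into-ims
# Fixed: the original had "videoplayback.*id||videodownload", and the empty
# alternative between the two bars matches every URL.
refresh_pattern -i (get_video\?|videoplayback\?id|videoplayback.*id|videodownload\?|\.flv?) 129600 999999% 129600 ignore-no-cache ignore-no-store ignore-private override-expire override-lastmod reload-into-ims
refresh_pattern \.(ico|video-stats) 129600 999999% 129600 override-expire ignore-reload ignore-no-cache ignore-no-store ignore-private ignore-auth override-lastmod ignore-must-revalidate
refresh_pattern \.etology\? 129600 999999% 129600 override-expire ignore-reload ignore-no-cache
refresh_pattern galleries\.video(\?|sz) 129600 999999% 129600 override-expire ignore-reload ignore-no-cache
refresh_pattern \.adtology\? 129600 999999% 129600 override-expire ignore-reload ignore-no-cache
refresh_pattern ^.*(utm\.gif|ads\?|rmxads\.com|ad\.z5x\.net|bh\.contextweb\.com|bstats\.adbrite\.com|a1\.interclick\.com|ad\.trafficmp\.com|ads\.cubics\.com|ad\.xtendmedia\.com|\.googlesyndication\.com|advertising\.com|yieldmanager|game-advertising\.com|pixel\.quantserve\.com|adperium\.com|doubleclick\.net|adserving\.cpxinteractive\.com|syndication\.com|media.fastclick.net).* 129600 20% 129600 ignore-no-cache ignore-no-store ignore-private override-expire ignore-reload ignore-auth ignore-must-revalidate max-stale=10
# Caching Safe Browsing list updates for 129600 min (90 days) while ignoring
# reloads means clients keep using stale threat lists; shorten this if the
# protection matters more than the bandwidth.
refresh_pattern ^.*safebrowsing.*google 129600 999999% 129600 override-expire ignore-reload ignore-no-cache ignore-private ignore-auth ignore-must-revalidate
refresh_pattern ^http://((cbk|mt|khm|mlt)[0-9]?)\.google\.co(m|\.uk) 129600 999999% 129600 override-expire ignore-reload ignore-private
refresh_pattern ytimg\.com.*\.jpg 129600 999999% 129600 override-expire ignore-reload
refresh_pattern images\.friendster\.com.*\.(png|gif) 129600 999999% 129600 override-expire ignore-reload
refresh_pattern garena\.com 129600 999999% 129600 override-expire reload-into-ims
refresh_pattern photobucket.*\.(jp(e?g|e|2)|tiff?|bmp|gif|png) 129600 999999% 129600 override-expire ignore-reload
refresh_pattern vid\.akm\.dailymotion\.com.*\.on2\? 129600 999999% 129600 ignore-no-cache override-expire override-lastmod
refresh_pattern mediafire.com\/images.*\.(jp(e?g|e|2)|tiff?|bmp|gif|png) 129600 999999% 129600 reload-into-ims override-expire ignore-private
# NOTE(review): the alternation below is not parenthesised, so it reads as
# "^http:\/\/images" OR "pics" OR "thumbs[0-9]\." -- the substring "pics"
# anywhere in any URL matches.  Probably meant ^http:\/\/(images|pics|thumbs)[0-9]?\.
# Left as in the original because the intended hosts are not known.
refresh_pattern ^http:\/\/images|pics|thumbs[0-9]\. 129600 999999% 129600 reload-into-ims ignore-no-cache ignore-no-store ignore-reload override-expire
refresh_pattern ^http:\/\/www.onemanga.com.*\/ 129600 999999% 129600 reload-into-ims ignore-no-cache ignore-no-store ignore-reload override-expire
# ANTI VIRUS
# Signature/update files are served from cache for 43200 min (30 days) even when
# the client asks for a fresh copy (ignore-reload).  Clients may therefore keep
# receiving outdated definitions; the files' own signatures still protect
# integrity, but not freshness.
refresh_pattern guru.avg.com/.*\.(bin) 43200 999999% 43200 ignore-no-cache ignore-no-store ignore-reload reload-into-ims
refresh_pattern (avgate|avira).*(idx|gz)$ 43200 999999% 43200 ignore-no-cache ignore-no-store ignore-reload reload-into-ims
refresh_pattern kaspersky.*\.avc$ 43200 999999% 43200 ignore-no-cache ignore-no-store ignore-reload reload-into-ims
refresh_pattern kaspersky 43200 999999% 43200 ignore-no-cache ignore-no-store ignore-reload reload-into-ims
refresh_pattern update.nai.com/.*\.(gem|zip|mcs) 43200 999999% 43200 ignore-no-cache ignore-no-store ignore-reload reload-into-ims
# Fixed: the original "\(zip)" escaped the opening parenthesis instead of the dot.
refresh_pattern ^http:\/\/liveupdate.symantecliveupdate.com.*\.(zip) 43200 999999% 43200 ignore-no-cache ignore-no-store ignore-reload reload-into-ims
refresh_pattern windowsupdate.com/.*\.(cab|exe) 43200 999999% 129600 ignore-no-cache ignore-no-store ignore-reload reload-into-ims
refresh_pattern update.microsoft.com/.*\.(cab|exe) 43200 999999% 129600 ignore-no-cache ignore-no-store ignore-reload reload-into-ims
refresh_pattern download.microsoft.com/.*\.(cab|exe) 43200 999999% 129600 ignore-no-cache ignore-no-store ignore-reload reload-into-ims
#images facebook
refresh_pattern ((facebook.com)|(85.131.151.39)).*\.(jpg|png|gif) 129600 999999% 129600 ignore-reload override-expire ignore-no-cache ignore-no-store
refresh_pattern -i \.fbcdn.net.*\.(jpg|gif|png|swf|mp3) 129600 999999% 129600 ignore-reload override-expire ignore-no-cache ignore-no-store
# Fixed: "net*\." in the original means "ne" followed by zero or more "t", then a
# dot, which never matches a real fbcdn path; ".*" is what was intended.
refresh_pattern static\.ak\.fbcdn\.net.*\.(jpg|gif|png) 129600 999999% 129600 ignore-reload override-expire ignore-no-cache ignore-no-store
refresh_pattern ^http:\/\/profile\.ak\.fbcdn.net.*\.(jpg|gif|png) 129600 999999% 129600 ignore-reload override-expire ignore-no-cache ignore-no-store
#banner IIX
refresh_pattern ^http:\/\/openx.*\.(jp(e?g|e|2)|gif|pn[pg]|swf|ico|css|tiff?) 129600 99999% 129600 reload-into-ims ignore-reload override-expire ignore-no-cache ignore-no-store
refresh_pattern ^http:\/\/ads(1|2|3).kompas.com.*\/ 43200 99999% 129600 reload-into-ims ignore-reload override-expire ignore-no-cache ignore-no-store
refresh_pattern ^http:\/\/img.ads.kompas.com.*\/ 43200 99999% 129600 reload-into-ims ignore-reload override-expire ignore-no-cache ignore-no-store
refresh_pattern .kompasimages.com.*\.(jpg|gif|png|swf) 43200 99999% 129600 reload-into-ims ignore-reload override-expire ignore-no-cache ignore-no-store
refresh_pattern ^http:\/\/openx.kompas.com.*\/ 43200 99999% 129600 reload-into-ims ignore-reload override-expire ignore-no-cache ignore-no-store
# Fixed: the original "kaskus.\us" had the backslash on the wrong character.
refresh_pattern kaskus\.us.*\.(jp(e?g|e|2)|gif|png|swf) 43200 99999% 129600 reload-into-ims ignore-reload override-expire ignore-no-cache ignore-no-store
refresh_pattern ^http:\/\/img.kaskus.us.*\.(jpg|gif|png|swf) 43200 99999% 129600 reload-into-ims ignore-reload override-expire ignore-no-cache ignore-no-store
#All File
refresh_pattern -i \.(3gp|7z|ace|asx|avi|bin|cab|dat|deb|divx|dvr-ms) 129600 999999% 129600 ignore-no-cache ignore-no-store ignore-private override-expire override-lastmod reload-into-ims ignore-reload
refresh_pattern -i \.(rar|jar|gz|tgz|bz2|iso|m1v|m2(v|p)|mo(d|v)) 129600 999999% 129600 ignore-no-cache ignore-no-store ignore-private override-expire override-lastmod reload-into-ims ignore-reload
refresh_pattern -i \.(jp(e?g|e|2)|gif|pn[pg]|bm?|tiff?|ico|swf|css|js) 129600 999999% 129600 ignore-no-cache ignore-no-store ignore-private override-expire override-lastmod reload-into-ims ignore-must-revalidate ignore-reload
refresh_pattern -i \.(mp(e?g|a|e|1|2|3|4)|mk(a|v)|ms(i|u|p)|og(x|v|a|g)|rar|rm|r(a|p)m|snd|vob|wav) 129600 999999% 129600 ignore-no-cache ignore-private override-expire override-lastmod reload-into-ims ignore-reload
refresh_pattern -i \.(pp(s|t)|wax|wm(a|v)|wmx|wpl|zip|cb(r|z|t)) 129600 999999% 43200 ignore-no-cache ignore-private override-expire override-lastmod reload-into-ims ignore-reload
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern ^ftp: 10080 95% 43200 override-lastmod reload-into-ims
refresh_pattern -i \.(jp(e?g|e|2)|gif|pn[pg]|bm?|tiff?|ico|swf|css|js) 129600 999999% 129600 ignore-no-cache ignore-no-store ignore-private override-expire override-lastmod reload-into-ims ignore-reload
refresh_pattern -i \.(iso|avi|wav|mp3|mp4|mpeg|swf|flv|x-flv)$ 432000 99999% 432000 override-expire ignore-no-cache ignore-no-store ignore-private ignore-reload
refresh_pattern -i \.(deb|rpm|exe|zip|tar|tgz|ram|rar|bin|ppt|doc|pdf|tiff)$ 100080 99999% 43200 override-expire ignore-no-cache ignore-no-store ignore-private ignore-reload
# Add any of your own refresh_pattern entries above these.
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
# example: Debian/Ubuntu package files
refresh_pattern (\.deb|\.udeb)$ 129600 100% 129600
# Default for anything not matched above.
refresh_pattern . 10080 99999% 129600 override-expire ignore-no-cache override-lastmod reload-into-ims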
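# Upstream resolvers used instead of the host's /etc/resolv.conf (OpenDNS).
dns_nameservers 208.67.222.222 208.67.220.220
shutdown_lifetime 5 seconds
# some linux distros or old squid version use "ssl_crtd" instead of "security_file_certgen"
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/cache/squid/ssl_db -M 16MB
# Explicit proxy listener, loopback only.  generate-host-certificates=on makes
# squid mint a per-site leaf certificate signed by the CA in cert=... for every
# bumped connection.
http_port 127.0.0.1:8080 ssl-bump \
  cert=/etc/squid/certs/squid-ca-cert-key.pem \
  generate-host-certificates=on dynamic_cert_mem_cache_size=16MB
# Transparent (intercept) HTTPS listener, also loopback only; it only sees
# traffic that a firewall redirect rule sends to it.
https_port 127.0.0.1:8081 intercept ssl-bump \
  cert=/etc/squid/certs/squid-ca-cert-key.pem \
  generate-host-certificates=on dynamic_cert_mem_cache_size=16MB
# Peek at the TLS ClientHello (SNI) in step 1, then bump (decrypt) every
# connection so responses can be cached.  ssl_bump is first-match per step, so
# the original trailing "ssl_bump splice all" after "bump all" could never be
# reached and has been dropped.  Clients that pin certificates (many mobile
# apps, some updaters) will fail through this proxy; add "ssl_bump splice <acl>"
# rules *before* "bump all" for those hosts.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all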
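# Memory and object-size limits.
cache_mem 128 MB
minimum_object_size 0 bytes
maximum_object_size 700 MB
maximum_object_size_in_memory 32 KB
global_internal_static off
# Serve objects up to 10 years past expiry when revalidation fails; this is
# what makes the 99999% refresh_patterns effective.
max_stale 10 years
retry_on_error on
buffered_logs on
read_ahead_gap 32 KB
# header_access was removed in Squid 3; the replacements are
# request_header_access / reply_header_access.  Left commented as in the original.
#header_access Accept-Encoding deny all
client_persistent_connections off
server_persistent_connections on
half_closed_clients off
# Full query strings are written to access.log.  Session ids, API keys and
# tokens carried in URLs therefore end up in the log file; set this to "on"
# (the default) unless the complete URL is needed for debugging.
strip_query_terms off
# Client-abort handling: per the squid documentation, setting both
# quick_abort_min and quick_abort_max to 0 KB means no retrieval continues after
# the client disconnects, so quick_abort_pct 100 is never consulted.  If partially
# fetched objects should be completed for the cache, quick_abort_min -1 KB is the
# documented way to always continue -- TODO confirm this is the intended trade-off.
quick_abort_min 0 KB
quick_abort_max 0 KB
quick_abort_pct 100
vary_ignore_expire on
reload_into_ims on
pipeline_prefetch on
# Timeouts.
read_timeout 30 minutes
client_lifetime 6 hours
negative_ttl 30 seconds
positive_dns_ttl 6 hours
negative_dns_ttl 60 seconds
pconn_timeout 15 seconds
request_timeout 1 minute
store_avg_object_size 13 KB
log_icp_queries off
ipcache_size 16384
ipcache_low 98
ipcache_high 99
fqdncache_size 16384
memory_pools off
# Adds X-Forwarded-For with the client address to outbound requests; use "off"
# or "delete" to keep local client addresses from reaching origin servers.
forwarded_for on
client_db off
max_filedescriptors 8192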