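#-----------------------------------------------------------------------
# Squid4 config file for INUTIL proxy
# By: Koratsuki -> leslie84@nauta.cu, koratsuki.nijuusan@gmail.com
#-----------------------------------------------------------------------
# The modular layout below is NOT in use: every "include" is commented
# out and the corresponding settings are written inline further down.
# Kept only as a map of the file's sections.
# General stuff
#include "/etc/squid/squid-00-general.conf"
# Options file for Squid config
#include "/etc/squid/squid-01-options.conf"
# Users auth
#include "/etc/squid/squid-02-auth.conf"
# ACLs
#include "/etc/squid/squid-03-acls.conf"
# Delay Pools
#include "/etc/squid/squid-04-balance.conf"

# Hurry to restart: give in-flight clients 1 second before a shutdown
# or reconfigure kills their connections
shutdown_lifetime 1 seconds

# Resolvers used by Squid's internal DNS client, tried in the order listed.
# NOTE(review): 10.50.0.2 is listed last; if names under the append_domain
# below (and the MZ.UNAL.CU realm used by the auth helpers) only resolve
# there, it should probably be first — confirm with the DNS owners.
dns_nameservers 200.55.128.3 200.55.128.4 10.50.0.2
dns_v4_first on

# Listening socket, bound to the internal interface only.
# Do NOT switch back to 0.0.0.0 without revisiting the ACL section:
# several http_access rules there grant access purely by source address.
#http_port 0.0.0.0:3128
http_port 10.50.0.24:8080

# Hostname shown in error pages and headers
visible_hostname squid4.mz.unal.cu
# Contact shown on error pages
cache_mgr osmani.fonseca@mz.unal.cu
# Domain appended to unqualified hostnames in client requests
append_domain .mz.unal.cu

# FTP config (disabled)
#ftp_user squid4@proxy.inutil.cu
#ftp_passive on
#ftp_sanitycheck on

# Directories for errors (Spanish) and icons
error_directory /usr/share/squid/errors/es-es
icon_directory /usr/share/squid/icons
# Path to Squid's icon/MIME configuration file
mime_table /etc/squid/mime.conf

# Host file
hosts_file /etc/hosts
check_hostnames off

# Process and privilege settings
pid_filename /var/run/squid.pid
# Core dumps are written into the cache directory. A core of a running
# proxy can contain in-flight credentials (this proxy performs Basic/NTLM
# authentication), so this path must not be readable by other users.
coredump_dir /var/spool/squid
# Drop privileges to this account after the listening port is bound
cache_effective_user proxy
cache_effective_group proxy

# ipcache_size / fqdncache_size (and their watermarks) are set once in
# the cache section below; the smaller values that used to be here were
# overridden by those anyway (last occurrence wins).

# Never perform RFC 931 ident lookups on clients
ident_lookup_access deny all

# Non-hierarchical (e.g. non-cacheable) requests go straight to the origin
# server instead of through the parent proxies
nonhierarchical_direct on

# Don't reveal the Squid version in error pages / Server header
httpd_suppress_version_string on

# half_closed_clients (first directive of the next section) is OFF, so a
# client connection is closed as soon as the client half-closes it instead
# of being kept until a read or write on the socket returns an error.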
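# Close client sockets immediately when the client half-closes them
half_closed_clients off

# ---- Header hygiene ----
# NOTE(review): "via off" removes the Via header that proxies use to detect
# forwarding loops (HTTP requires proxies to add it). With two parent
# proxies configured further down, "via on" is the safer choice.
via off
# "off" still sends an X-Forwarded-For header with the value "unknown";
# the request_header_access rule below then strips it entirely.
# "forwarded_for delete" would express that intent directly.
forwarded_for off

# Headers removed from CLIENT REQUESTS before they are forwarded.
# request_header_access only affects requests: Server and WWW-Authenticate
# are response headers, so those two entries are no-ops here (responses are
# filtered with reply_header_access). Dropping Cache-Control and Pragma
# means clients can no longer force revalidation (a shift-reload is
# forwarded as a plain request).
request_header_access From deny all
request_header_access Server deny all
request_header_access WWW-Authenticate deny all
request_header_access Link deny all
request_header_access Cache-Control deny all
request_header_access Proxy-Connection deny all
request_header_access X-Cache deny all
request_header_access X-Cache-Lookup deny all
request_header_access Via deny all
request_header_access X-Forwarded-For deny all
request_header_access Pragma deny all
request_header_access Keep-Alive deny all

#Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

# ---- Cache options ----
# Each directive is set exactly once here. The original file repeated the
# whole block (dead_peer_timeout .. memory_pools_limit) twice, with the
# later copy silently winning.
cache_mem 1024 MB
maximum_object_size 99 MB
maximum_object_size_in_memory 9072 KB

# Peer timeout
dead_peer_timeout 1.000000 seconds

# Disk cache: aufs, 1000 MB, 16 first-level and 256 second-level dirs.
# (cache_mem above is larger than the disk cache — intentional?)
cache_dir aufs /var/spool/squid 1000 16 256

# Swap watermarks are PERCENTAGES of the cache_dir size (0-100).
# The previous values (150 / 200) were outside that range, so object
# replacement could never have started before the directory was full.
# These are Squid's documented defaults.
cache_swap_low 90
cache_swap_high 95

ipcache_size 90096
ipcache_low 98
ipcache_high 99
fqdncache_size 90096
cache_replacement_policy heap LFUDA
memory_replacement_policy heap GDSF
# memory_pools is off, so memory_pools_limit has no effect; kept for the
# day pools are re-enabled.
memory_pools off
memory_pools_limit 512 MB
#request_header_max_size 256KB
#request_body_max_size 0 KB
# Cache only mode
#offline_mode off

# Abort handling: together with quick_abort_min 0 KB (set later in the
# file) Squid stops fetching an object as soon as the client goes away.
# In the original this directive appears to have been glued onto the end
# of the commented-out request_header_max_size line and was therefore
# ignored.
quick_abort_pct 100

# How far ahead of the client Squid may read from the server, per request.
# Was 991 MB: one slow client downloading a large file could pin ~1 GB of
# proxy memory. Reset to Squid's default; raise deliberately if needed.
read_ahead_gap 16 KB

# Don't cache error responses
negative_ttl 0 seconds
# Upper bound on caching positive DNS answers (1 day)
positive_dns_ttl 86400 seconds
negative_dns_ttl 1 seconds
# 0 = never fetch more of an object than a Range request asked for
range_offset_limit 0

# Changing User Agent, use it if needed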
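#request_header_access User-Agent deny all
#request_header_replace User-Agent Mozilla/5.0 (Linux x64; Intel; rv:49.0) Gecko/20100101 Firefox/49.0

# Limit download to 8MB (disabled)
#reply_body_max_size 9096 KB

# ---- Logs ----
# access.log is the audit trail for the per-user/per-group policy in the
# ACL section; keep it and its rotations protected.
cache_log stdio:/var/log/squid/cache.log
access_log stdio:/var/log/squid/access.log
cache_store_log stdio:/var/log/squid/store.log
netdb_filename stdio:/var/spool/squid/netdb.state
# Rotations kept by "squid -k rotate"
logfile_rotate 30
# Debug log info
#debug_options ALL,2 28,4 82,4
# Debug standard
debug_options ALL,1
#request_body_max_size 0 KB

# Treat client no-cache / reload as If-Modified-Since. This is an HTTP
# violation, but it stops a shift-reload from re-downloading through the
# parents.
reload_into_ims on
# Abort server fetches as soon as the client disconnects (see quick_abort_pct)
quick_abort_min 0 KB

# ---- Parent proxies ----
# The original file wrote these as "cache_host_domain <ip> parent 8080 0
# default". cache_host_domain is only a legacy alias of cache_peer_domain
# (it restricts an ALREADY DEFINED peer to some domains); it does not
# define a peer. With no cache_peer line Squid had no parents at all and
# forwarded everything DIRECT.
# International parent cache
cache_peer 10.10.1.18 parent 8080 0 default
# National parent cache (no ICP queries)
cache_peer 10.50.0.1 parent 8080 0 default no-query

# Routing by destination domain (first matching entry per peer wins,
# "!" excludes):
# international parent: cubana.cu, google.com.cu and everything outside .cu
cache_peer_domain 10.10.1.18 .cubana.cu .google.com.cu !.cu
# national parent: .cu only
cache_peer_domain 10.50.0.1 .cu
# NOTE(review): if this host has no direct route to the Internet, add
# "never_direct allow all" (and revisit nonhierarchical_direct) so that an
# unreachable parent does not silently fall back to DIRECT.

# ---- Authentication: Negotiate (Kerberos / NTLM) with Basic fallback ----
# Negotiate wrapper: Kerberos via negotiate_kerberos_auth, NTLM via Samba's
# ntlm_auth.
auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth --ntlm /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --kerberos /usr/lib/squid/negotiate_kerberos_auth -r -s GSS_C_NO_NAME
auth_param negotiate children 200 startup=50 idle=10
auth_param negotiate keep_alive off
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 100 startup=10 idle=5
auth_param ntlm keep_alive off
# Basic fallback: the client sends its password base64-encoded (clear text)
# over the plain-HTTP http_port — there is no TLS on 10.50.0.24:8080.
# Keep only if clients without Kerberos/NTLM support genuinely need it,
# and keep the credentials TTL short.
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 10 startup=1 idle=1
auth_param basic realm MZ.UNAL.CU
auth_param basic credentialsttl 1 hours

# Group lookup for the authenticated user (%LOGIN), cached for 300 s.
# Maps the two AD groups to the two ACLs used by the http_access rules.
external_acl_type kerberos_ldap_group ttl=300 %LOGIN /usr/lib/squid/ext_kerberos_ldap_group_acl -a -g Intranet:Internet -D MZ.UNAL.CU
# Intranet group: national (.cu) browsing only
acl Nav_Nac external kerberos_ldap_group Intranet
# Internet group: unrestricted browsing (subject to the ACL section)
acl Nav_Int external kerberos_ldap_group Internet
# Any successfully authenticated user
acl Squid_Login proxy_auth REQUIRED
#-----------------------------------------------------------------------
# Squid4 ACLs file for INUTIL proxy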
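#-----------------------------------------------------------------------
# http_access is evaluated top-down and the FIRST matching line decides.
# Order below: protocol-level denies, cache manager, mandatory auth,
# whitelist, block lists, per-client limits, group policy, source-based
# allows, final deny. (The original placed the block lists AFTER the group
# allows, so they were never reached for authenticated users, and never
# defined an SSL_ports rule, so CONNECT could tunnel to any Safe_port.)

# "all" and "localhost" are built in on Squid 3.2+; redefining them may
# only log a startup warning.
acl all src all
acl localhost src 127.0.0.1/32
# The proxy's own subnet (see http_port)
acl localnet src 10.50.0.0/24
# Client subnets granted access by address (see the allow rules at the end)
acl allowed_subnets src 10.50.19.0/24 192.168.50.0/24

acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
# Ports a CONNECT tunnel may target. Without this, CONNECT was allowed to
# every Safe_port above (21, 70, 210, ..., 1025-65535), turning the proxy
# into a generic TCP relay — e.g. to the parent proxies on 8080 or to
# RDP/SSH/database ports on the LAN.
acl SSL_ports port 443
acl CONNECT method CONNECT

## Methods allowed. PUT/DELETE/OPTIONS/PATCH are rejected, which breaks
## some REST/WebDAV clients — extend deliberately if needed.
acl Safe_method method CONNECT GET HEAD POST
## Protocols allowed.
## NOTE(review): "proto" matches the URL scheme; CONNECT requests carry no
## scheme in the request line, so verify on this Squid version that the
## "deny !Safe_proto" rule does not reject HTTPS tunnels.
acl Safe_proto proto HTTP SSL

# Video files: matched when the client already has MORE than 4 connections
# open. Note the patterns ("\.avi.*$") match ".avi" anywhere in the path.
acl file urlpath_regex -i \.avi.*$ \.asf.*.*$ \.asx.*$ \.mp4.*$ \.ogv.*$ \.ogg.*$ \.flv.*$ \.mov.*$
acl maxconfile maxconn 4

# National-only destinations
acl Only_CU dstdomain .cu

# Whitelisted sites
acl whitelist dstdomain "/etc/squid/allowed/whitelist"

# Block lists
# Porn
acl blacklist_domain_porn dstdomain "/etc/squid/porn/domains"
acl blacklist_urls_porn url_regex "/etc/squid/porn/regularexpressions"
# Politics related
acl blacklist_domain_politic dstdomain "/etc/squid/politic/domains"
# Chat
acl blacklist_domain_chat dstdomain "/etc/squid/chat/domains"
# Anonymous proxies
acl blacklist_domain_proxy dstdomain "/etc/squid/proxy/domains"
# Weird domains
acl blacklist_domain_suspect dstdomain "/etc/squid/suspect/domains"
# ADS
acl ads_url url_regex "/etc/squid/ads/regularexpressions"
acl ads_domain dstdomain "/etc/squid/ads/domains"

# IP+MAC example. The arp ACL can only be resolved for hosts on the
# proxy's own L2 segment; the 192.168.50.x addresses below are on another
# subnet, so they cannot match unless this host is also attached there —
# confirm. A MAC address is trivially spoofed: convenience, not auth.
acl user1_mac arp 80:fa:5b:3d:97:e8 58:fb:84:3a:d9:fa
acl user1_ip src 10.50.19.2-10.50.19.15 192.168.50.105/32 192.168.50.106/32 192.168.50.252/32 192.168.50.27/32 10.50.19.5/32

# ---- http_access rules ----
# 1. Protocol-level hard denies
http_access deny !Safe_method
http_access deny !Safe_proto
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# 2. Cache manager only from the box itself
http_access allow localhost manager
http_access deny manager

# 3. Everyone else must authenticate (407 challenge). Every rule below
#    therefore sees an authenticated user and access.log has the username.
#    NOTE(review): if localnet / allowed_subnets / user1 are meant to
#    bypass authentication, their allow lines must move ABOVE this one —
#    but they then also escape the per-user group policy and username logging.
http_access deny !Squid_Login

# 4. Whitelist wins over the block lists
http_access allow whitelist

# 5. Block lists — applied to every authenticated user
http_access deny blacklist_domain_porn
http_access deny blacklist_urls_porn
http_access deny blacklist_domain_politic
http_access deny blacklist_domain_chat
http_access deny blacklist_domain_proxy
http_access deny blacklist_domain_suspect
http_access deny ads_url
http_access deny ads_domain

# 6. Cap video downloads at 4 concurrent connections per client IP
http_access deny file maxconfile

# 7. Group policy
# Internet group: anything not blocked above
http_access allow Squid_Login Nav_Int
# Intranet group: .cu destinations only
http_access allow Squid_Login Nav_Nac Only_CU

# 8. Source-based allows. These apply to authenticated users from these
#    addresses regardless of group — an Intranet-only user on
#    192.168.50.0/24 still reaches non-.cu sites through them. Remove or
#    narrow them if the group policy is meant to be absolute.
http_access allow localnet
http_access allow user1_mac user1_ip
http_access allow allowed_subnets

# 9. Everything else
http_access deny all

# Reply-side filtering. The two "allow" lines that used to be here added
# no policy beyond http_access, and because http_reply_access defaults to
# the OPPOSITE of its last line, every reply they did not match (e.g. to
# an Intranet-only user) was denied. Restore Squid's default.
http_reply_access allow all

# ICP: only the proxy's own subnet may query; peers are configured with
# ICP port 0 anyway.
icp_access allow localnet
icp_access deny all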