configuration-templates – Blame information for rev 9
?pathlinks?
| Rev | Author | Line No. | Line |
|---|---|---|---|
| 9 | office | 1 | ########################################################################### |
| 2 | ## Copyright (C) Wizardry and Steamworks 2012 - License: GNU GPLv3 ## |
||
| 3 | ## Please see: http://www.gnu.org/licenses/gpl.html for legal details, ## |
||
| 4 | ## rights of fair usage, the disclaimer and warranty conditions. ## |
||
| 5 | ########################################################################### |
||
| 6 | ## Squid3 - non-intercepting general configuration. ## |
||
| 7 | ########################################################################### |
||
| 8 | ## Configuration at a glance: ## |
||
| 9 | ## - only in-memory cache, upstream proxies use disk cache. ## |
||
| 10 | ## - connections via HTTP / HTTPs and CONNECT to non-SSL ports. ## |
||
| 11 | ## - spam / add blocking domains via "blocked_domains" ACL. ## |
||
| 12 | ## - direct domain fetching via "direct_domains" ACL. ## |
||
| 13 | ## - cache exception domains via "cache_exceptions" ACL. ## |
||
| 14 | ## - split route fetching via two uplinks (A and B) ACLs. ## |
||
| 15 | ## - polipo parent proxy configuration / darknet i2p and onion. ## |
||
| 16 | ## - DNS load-balancing using tor upstream proxies. ## |
||
| 17 | ## - HTTP reply / request header filtering. ## |
||
| 18 | ########################################################################### |
||
| 19 | |||
| 20 | ### Access Control Lists (ACL)s |
||
| 21 | ## Commented out on upgrade to 3.4 |
||
| 22 | # acl manager proto cache_object |
||
| 23 | # acl localhost src 127.0.0.1/32 ::1 |
||
| 24 | acl localnets src 192.168.0.0/24 |
||
| 25 | ## Commented out on upgrade to 3.4 |
||
| 26 | # acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1 |
||
| 27 | ## SSL ports |
||
| 28 | acl SSL_ports port 443 # https |
||
| 29 | acl SSL_ports port 21 # secure ftp |
||
| 30 | ## Non-SSL ports |
||
| 31 | acl Safe_ports port 80 # http |
||
| 32 | acl Safe_ports port 21 # ftp |
||
| 33 | acl Safe_ports port 443 # https |
||
| 34 | acl Safe_ports port 70 # gopher |
||
| 35 | acl Safe_ports port 210 # wais |
||
| 36 | acl Safe_ports port 280 # http-mgmt |
||
| 37 | acl Safe_ports port 488 # gss-http |
||
| 38 | acl Safe_ports port 591 # filemaker |
||
| 39 | acl Safe_ports port 777 # multiling http |
||
| 40 | acl Safe_ports port 873 # rsync |
||
| 41 | acl Safe_ports port 1025-65535 # un-reserved ports |
||
| 42 | ## CONNECT method |
||
| 43 | acl CONNECT method CONNECT |
||
| 44 | ## FTP |
||
| 45 | acl ftp proto FTP |
||
| 46 | # Allow localhost connections to Squid cache manager. |
||
| 47 | http_access allow manager localhost |
||
| 48 | http_access deny manager |
||
| 49 | # Deny any connections through Squid to any port that is not in the |
||
| 50 | # "Safe_ports" ACL. |
||
| 51 | http_access deny !Safe_ports |
||
| 52 | ## Deny CONNECT method to any non-SSL ports. |
||
| 53 | # Disabled to facilitate the use of command-line tools. |
||
| 54 | # http_access deny CONNECT !SSL_ports |
||
| 55 | ## Allow access to Squid from the local network and the server Squid is on. |
||
| 56 | http_access allow localhost |
||
| 57 | http_access allow localnets |
||
| 58 | ## Allow access using the FTP protocol. |
||
| 59 | http_access allow ftp |
||
| 60 | ## Deny connections through squid to localhost. |
||
| 61 | http_access deny to_localhost |
||
| 62 | ## Deny anything else that does not match any ACL rules above. |
||
| 63 | http_access deny all |
||
| 64 | |||
| 65 | ### Requests to certain (spam) domains that should be blocked |
||
| 66 | ## Disabled - Better to use client-side anti-add/spam solutions. |
||
| 67 | # acl blocked_domains dstdomain "/etc/squid3/blocked_domains.conf" |
||
| 68 | # http_access deny blocked_domains |
||
| 69 | # deny_info TCP_RESET blocked_domains |
||
| 70 | |||
| 71 | ### Requests to domains that should always be fetched directly. |
||
| 72 | acl direct_domains dstdom_regex "/etc/squid3/direct_domains.conf" |
||
| 73 | ## Force all requests to go through Squid except the direct domains. |
||
| 74 | always_direct allow direct_domains |
||
| 75 | never_direct deny direct_domains |
||
| 76 | never_direct allow all |
||
| 77 | |||
| 78 | ### Responses from domains that should never be cached. |
||
| 79 | # acl cache_exceptions dstdom_regex "/etc/squid3/cache_exceptions.conf" |
||
| 80 | ## Disable cache for the cache exceptions ACL |
||
| 81 | # cache deny cache_exceptions |
||
| 82 | |||
| 83 | ### Domains that should be fetched through different uplinks |
||
| 84 | ### using ip / iproute2 routing and iptables marking. |
||
| 85 | # ACL for outbound connection A |
||
| 86 | acl out_A dstdom_regex "/etc/squid3/out_A.conf |
||
| 87 | # Mark the outbound packets to the A domains with 0x65 for routing. |
||
| 88 | tcp_outgoing_mark 0x65 out_A |
||
| 89 | # ACL for outbound connection B |
||
| 90 | acl out_B dstdom_regex "/etc/squid3/out_B.conf |
||
| 91 | # Mark the outbound packets to the B domains with 0x66 for routing. |
||
| 92 | tcp_outgoing_mark 0x66 out_B |
||
| 93 | |||
| 94 | # Default port that Squid will be listening on. |
||
| 95 | http_port proxy.lan:8123 |
||
| 96 | |||
| 97 | ### HTCP - cache hierarchy protocol |
||
| 98 | ## Disable HTCP completely if not needed. |
||
| 99 | # htcp_port 4827 |
||
| 100 | # htcp_access allow localnets |
||
| 101 | htcp_port 0 |
||
| 102 | htcp_access deny all |
||
| 103 | ### ICP - cache hierarchy protocol |
||
| 104 | ## Disable ICP completely if not needed. |
||
| 105 | # miss_access allow localnets |
||
| 106 | # miss_access deny all |
||
| 107 | # icp_access allow localnets |
||
| 108 | icp_port 0 |
||
| 109 | icp_access deny all |
||
| 110 | ## Plug ICP leaks |
||
| 111 | reply_header_access X-Cache-Lookup deny !localnets |
||
| 112 | reply_header_access X-Squid-Error deny !localnets |
||
| 113 | reply_header_access X-Cache deny !localnets |
||
| 114 | ## SNMP - monitoring of Squid health through SNMP |
||
| 115 | # Disable SNMP completely if not needed. |
||
| 116 | snmp_port 0 |
||
| 117 | |||
| 118 | ### Upstream proxy configuration. |
||
| 119 | ## Example: polipo parent proxies listening on 8123 |
||
| 120 | ## - no-query: disable ICP cache queries (not supported by polipo) |
||
| 121 | ## - no-digest: do not use digest hashes for cached objects |
||
| 122 | ## (not supported by polipo) |
||
| 123 | ## - no-netdb-exchange: do not use netdb hashes for cached objects |
||
| 124 | ## (not supported by polipo) |
||
| 125 | ## - no-delay: do not let this parent proxy to influence the delay pools |
||
| 126 | ## - connect-fail-limit=256: consider the parent proxy down after 256 |
||
| 127 | ## failed connection attempts |
||
| 128 | ## - carp: distribute requested Squid URLs between different cache peers |
||
| 129 | ## using the CARP protocol |
||
| 130 | ## - carp-key=host,port: distribute each URL between cache peers as a |
||
| 131 | ## hash of hostname and port |
||
| 132 | ## - name=polipo1.lan: a descriptive name for the cache peer used in the |
||
| 133 | ## current Squid configuration. |
||
| 134 | # polipo1.lan is an polipo-i2p proxy |
||
| 135 | cache_peer polipo1.lan parent 8123 0 no-query no-digest no-netdb-exchange no-delay connect-fail-limit=256 carp carp-key=host,port name=polipo1.lan |
||
| 136 | # polipo2.lan is a polipo-tor proxy. |
||
| 137 | cache_peer polipo2.lan parent 8123 0 no-query no-digest no-netdb-exchange no-delay connect-fail-limit=256 carp carp-key=host,port name=polipo2.lan |
||
| 138 | |||
| 139 | ## Darknets / darkwebs: i2p, tor, etc... |
||
| 140 | # ACL for domains ending in .i2p |
||
| 141 | acl i2p dstdomain .i2p |
||
| 142 | # Send requests to .i2p domains through the polipo1.lan i2p parent proxy. |
||
| 143 | cache_peer_access polipo1.lan allow i2p |
||
| 144 | # Send requests to .onion domains through the polipo2.lan tor parent proxy. |
||
| 145 | acl onion dstdomain .onion |
||
| 146 | cache_peer_access polipo2.lan allow onion |
||
| 147 | # All other requests that do not match .i2p or .onion goes through the |
||
| 148 | # general tor parent proxy polipo2.lan. |
||
| 149 | cache_peer_access polipo2.lan allow all |
||
| 150 | |||
| 151 | ### DNS |
||
| 152 | # Query first using IPv4 |
||
| 153 | dns_v4_first on |
||
| 154 | ## Make all DNS requests go through the tor parent proxy polipo2.lan |
||
| 155 | ## polipo2.lan must have tor DNSListenAddress configured properly. |
||
| 156 | dns_nameservers polipo2.lan |
||
| 157 | # In case we add tor DNS servers later, balance the DNS requests. |
||
| 158 | balance_on_multiple_ip on |
||
| 159 | |||
| 160 | ## Quick Squid shutdown. |
||
| 161 | shutdown_lifetime 1 seconds |
||
| 162 | |||
| 163 | ### Cache storage for both in-memory and on-disk cache memory. |
||
| 164 | cache_mem 2 GB |
||
| 165 | memory_cache_mode always |
||
| 166 | minimum_object_size 0 KB |
||
| 167 | maximum_object_size 128 KB |
||
| 168 | #minimum_object_size_in_memory 0 KB |
||
| 169 | maximum_object_size_in_memory 128 KB |
||
| 170 | memory_replacement_policy heap GDSF |
||
| 171 | ## Do not set on-disk cache policy if not needed. |
||
| 172 | # cache_replacement_policy heap LFUDA |
||
| 173 | store_avg_object_size 32 KB |
||
| 174 | |||
| 175 | ### Tweaks |
||
| 176 | ## Symmetric multi-processing (SMP) - balance on multiple CPUs / cores |
||
| 177 | # Example: dual-core set-up using process-pinning to delegate two squid |
||
| 178 | # processes to each CPU |
||
| 179 | workers 2 |
||
| 180 | cpu_affinity_map process_numbers=1,2 cores=1,2 |
||
| 181 | # Buffer logs before writing to disk for non-blocking IO |
||
| 182 | buffered_logs on |
||
| 183 | ## DNS IP cache |
||
| 184 | ipcache_size 819200 |
||
| 185 | ipcache_low 90 |
||
| 186 | ipcache_high 95 |
||
| 187 | fqdncache_size 819200 |
||
| 188 | ## DNS |
||
| 189 | # Store successful queries for one week. |
||
| 190 | positive_dns_ttl 1 week |
||
| 191 | # Store failed queries for one second. |
||
| 192 | negative_dns_ttl 1 second |
||
| 193 | # dns_retransmit_interval 1 second |
||
| 194 | # dns_timeout 1 minute |
||
| 195 | ## Persistent connections |
||
| 196 | client_persistent_connections on |
||
| 197 | # Not needed if squid is not a reverse-proxy. |
||
| 198 | server_persistent_connections off |
||
| 199 | persistent_connection_after_error off |
||
| 200 | ## HTTP Pipelining / Prefetching |
||
| 201 | pipeline_prefetch 8 |
||
| 202 | ## Memory pools |
||
| 203 | memory_pools on |
||
| 204 | memory_pools_limit 128 MB |
||
| 205 | ## Quick abort |
||
| 206 | # quick_abort_max 16384000 KB |
||
| 207 | # quick_abort_max -1 KB |
||
| 208 | # quick_abort_min -1 KB |
||
| 209 | # quick_abort_pct 5 |
||
| 210 | # quick_abort_pct 0 |
||
| 211 | quick_abort_min 0 KB |
||
| 212 | quick_abort_max 0 KB |
||
| 213 | range_offset_limit 0 |
||
| 214 | ## Read ahead |
||
| 215 | ## Set a read-ahead of 32MB |
||
| 216 | # read_ahead_gap 128 KB |
||
| 217 | read_ahead_gap 32 MB |
||
| 218 | # Set the minimum expiry time on cached objects to one week. |
||
| 219 | minimum_expiry_time 1 week |
||
| 220 | # Do not ignore expiry times for HTTP/1.0 |
||
| 221 | vary_ignore_expire off |
||
| 222 | ## Set cache low and high mark - disable if disk cache not used. |
||
| 223 | # cache_swap_low 85 |
||
| 224 | # cache_swap_high 90 |
||
| 225 | ## QoS Flows |
||
| 226 | qos_flows local-hit=0x30 |
||
| 227 | qos_flows parent-hit=0x32 |
||
| 228 | qos_flows disable-preserve-miss |
||
| 229 | ## Miscellaneous |
||
| 230 | pinger_enable off |
||
| 231 | client_db off |
||
| 232 | short_icon_urls off |
||
| 233 | detect_broken_pconn on |
||
| 234 | # Do not retry 403, 500, 501 or 503 |
||
| 235 | retry_on_error off |
||
| 236 | # Do not proxy lan hosts. |
||
| 237 | check_hostnames on |
||
| 238 | # Use multicast DNS for .local domains and reverse-DNS resolution. |
||
| 239 | dns_multicast_local on |
||
| 240 | offline_mode off |
||
| 241 | # Do not prefer to send the request directly. |
||
| 242 | prefer_direct off |
||
| 243 | # Disable half-closed clients. |
||
| 244 | half_closed_clients off |
||
| 245 | # Set the squid core-dump directory for crashes. |
||
| 246 | # coredump_dir /var/spool/squid3 |
||
| 247 | # Disable debugging. |
||
| 248 | debug_options 0 |
||
| 249 | |||
| 250 | ### General Timeout Configuration. |
||
| 251 | ## Use built-in defaults. |
||
| 252 | # forward_timeout 60 seconds |
||
| 253 | # connect_timeout 60 seconds |
||
| 254 | # read_timeout 60 seconds |
||
| 255 | # request_timeout 60 seconds |
||
| 256 | # persistent_request_timeout 1 minute |
||
| 257 | # client_lifetime 21 hours |
||
| 258 | |||
| 259 | ### On-disk Cache |
||
| 260 | ## Cache user, this example: proxy |
||
| 261 | # cache_effective_user proxy |
||
| 262 | ## Rock on-disk storage used by SMP configuration. |
||
| 263 | # cache_dir rock /var/spool/squid3/1 16384 max-size=32000 |
||
| 264 | # cache_dir rock /var/spool/squid3/2 16384 max-size=32000 |
||
| 265 | ## AUFS on-disk storage. |
||
| 266 | # cache_dir aufs /var/spool/squid3 20480 64 256 |
||
| 267 | ## Disable on-disk cache - useful since parent proxies in this |
||
| 268 | ## configuration will already be caching. |
||
| 269 | cache deny all |
||
| 270 | cache_dir null /tmp |
||
| 271 | # Disable the cache store log - useful only for debugging. |
||
| 272 | cache_store_log none |
||
| 273 | |||
| 274 | ## HTTP Header Filtering |
||
| 275 | # HTTP request filtering. |
||
| 276 | include /etc/squid3/anonymize_http_request.conf |
||
| 277 | # HTTP response filtering. |
||
| 278 | include /etc/squid3/anonymize_http_response.conf |
||
| 279 | ## Privacy settings. |
||
| 280 | include /etc/squid3/privacy.conf |
||
| 281 | |||
| 282 | ## Refresh patterns. |
||
| 283 | include /etc/squid3/refresh_patterns.conf |