| /squid/3/squid3.conf |
|---|
| @@ -0,0 +1,283 @@ |
|---|
| ########################################################################### |
| ## Copyright (C) Wizardry and Steamworks 2012 - License: GNU GPLv3 ## |
| ## Please see: http://www.gnu.org/licenses/gpl.html for legal details, ## |
| ## rights of fair usage, the disclaimer and warranty conditions. ## |
| ########################################################################### |
| ## Squid3 - non-intercepting general configuration. ## |
| ########################################################################### |
| ## Configuration at a glance: ## |
| ## - only in-memory cache, upstream proxies use disk cache. ## |
| ## - connections via HTTP / HTTPs and CONNECT to non-SSL ports. ## |
| ## - spam / add blocking domains via "blocked_domains" ACL. ## |
| ## - direct domain fetching via "direct_domains" ACL. ## |
| ## - cache exception domains via "cache_exceptions" ACL. ## |
| ## - split route fetching via two uplinks (A and B) ACLs. ## |
| ## - polipo parent proxy configuration / darknet i2p and onion. ## |
| ## - DNS load-balancing using tor upstream proxies. ## |
| ## - HTTP reply / request header filtering. ## |
| ########################################################################### |
| |
| ### Access Control Lists (ACL)s |
| ## Commented out on upgrade to 3.4 |
| # acl manager proto cache_object |
| # acl localhost src 127.0.0.1/32 ::1 |
| acl localnets src 192.168.0.0/24 |
| ## Commented out on upgrade to 3.4 |
| # acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1 |
| ## SSL ports |
| acl SSL_ports port 443 # https |
| acl SSL_ports port 21 # secure ftp |
| ## Non-SSL ports |
| acl Safe_ports port 80 # http |
| acl Safe_ports port 21 # ftp |
| acl Safe_ports port 443 # https |
| acl Safe_ports port 70 # gopher |
| acl Safe_ports port 210 # wais |
| acl Safe_ports port 280 # http-mgmt |
| acl Safe_ports port 488 # gss-http |
| acl Safe_ports port 591 # filemaker |
| acl Safe_ports port 777 # multiling http |
| acl Safe_ports port 873 # rsync |
| acl Safe_ports port 1025-65535 # un-reserved ports |
| ## CONNECT method |
| acl CONNECT method CONNECT |
| ## FTP |
| acl ftp proto FTP |
| # Allow localhost connections to Squid cache manager. |
| http_access allow manager localhost |
| http_access deny manager |
| # Deny any connections through Squid to any port that is not in the |
| # "Safe_ports" ACL. |
| http_access deny !Safe_ports |
| ## Deny CONNECT method to any non-SSL ports. |
| # Disabled to facilitate the use of command-line tools. |
| # http_access deny CONNECT !SSL_ports |
| ## Allow access to Squid from the local network and the server Squid is on. |
| http_access allow localhost |
| http_access allow localnets |
| ## Allow access using the FTP protocol. |
| http_access allow ftp |
| ## Deny connections through squid to localhost. |
| http_access deny to_localhost |
| ## Deny anything else that does not match any ACL rules above. |
| http_access deny all |
| |
| ### Requests to certain (spam) domains that should be blocked |
| ## Disabled - Better to use client-side anti-add/spam solutions. |
| # acl blocked_domains dstdomain "/etc/squid3/blocked_domains.conf" |
| # http_access deny blocked_domains |
| # deny_info TCP_RESET blocked_domains |
| |
| ### Requests to domains that should always be fetched directly. |
| acl direct_domains dstdom_regex "/etc/squid3/direct_domains.conf" |
| ## Force all requests to go through Squid except the direct domains. |
| always_direct allow direct_domains |
| never_direct deny direct_domains |
| never_direct allow all |
| |
| ### Responses from domains that should never be cached. |
| # acl cache_exceptions dstdom_regex "/etc/squid3/cache_exceptions.conf" |
| ## Disable cache for the cache exceptions ACL |
| # cache deny cache_exceptions |
| |
| ### Domains that should be fetched through different uplinks |
| ### using ip / iproute2 routing and iptables marking. |
| # ACL for outbound connection A |
| acl out_A dstdom_regex "/etc/squid3/out_A.conf |
| # Mark the outbound packets to the A domains with 0x65 for routing. |
| tcp_outgoing_mark 0x65 out_A |
| # ACL for outbound connection B |
| acl out_B dstdom_regex "/etc/squid3/out_B.conf |
| # Mark the outbound packets to the B domains with 0x66 for routing. |
| tcp_outgoing_mark 0x66 out_B |
| |
| # Default port that Squid will be listening on. |
| http_port proxy.lan:8123 |
| |
| ### HTCP - cache hierarchy protocol |
| ## Disable HTCP completely if not needed. |
| # htcp_port 4827 |
| # htcp_access allow localnets |
| htcp_port 0 |
| htcp_access deny all |
| ### ICP - cache hierarchy protocol |
| ## Disable ICP completely if not needed. |
| # miss_access allow localnets |
| # miss_access deny all |
| # icp_access allow localnets |
| icp_port 0 |
| icp_access deny all |
| ## Plug ICP leaks |
| reply_header_access X-Cache-Lookup deny !localnets |
| reply_header_access X-Squid-Error deny !localnets |
| reply_header_access X-Cache deny !localnets |
| ## SNMP - monitoring of Squid health through SNMP |
| # Disable SNMP completely if not needed. |
| snmp_port 0 |
| |
| ### Upstream proxy configuration. |
| ## Example: polipo parent proxies listening on 8123 |
| ## - no-query: disable ICP cache queries (not supported by polipo) |
| ## - no-digest: do not use digest hashes for cached objects |
| ## (not supported by polipo) |
| ## - no-netdb-exchange: do not use netdb hashes for cached objects |
| ## (not supported by polipo) |
| ## - no-delay: do not let this parent proxy to influence the delay pools |
| ## - connect-fail-limit=256: consider the parent proxy down after 256 |
| ## failed connection attempts |
| ## - carp: distribute requested Squid URLs between different cache peers |
| ## using the CARP protocol |
| ## - carp-key=host,port: distribute each URL between cache peers as a |
| ## hash of hostname and port |
| ## - name=polipo1.lan: a descriptive name for the cache peer used in the |
| ## current Squid configuration. |
| # polipo1.lan is an polipo-i2p proxy |
| cache_peer polipo1.lan parent 8123 0 no-query no-digest no-netdb-exchange no-delay connect-fail-limit=256 carp carp-key=host,port name=polipo1.lan |
| # polipo2.lan is a polipo-tor proxy. |
| cache_peer polipo2.lan parent 8123 0 no-query no-digest no-netdb-exchange no-delay connect-fail-limit=256 carp carp-key=host,port name=polipo2.lan |
| |
| ## Darknets / darkwebs: i2p, tor, etc... |
| # ACL for domains ending in .i2p |
| acl i2p dstdomain .i2p |
| # Send requests to .i2p domains through the polipo1.lan i2p parent proxy. |
| cache_peer_access polipo1.lan allow i2p |
| # Send requests to .onion domains through the polipo2.lan tor parent proxy. |
| acl onion dstdomain .onion |
| cache_peer_access polipo2.lan allow onion |
| # All other requests that do not match .i2p or .onion goes through the |
| # general tor parent proxy polipo2.lan. |
| cache_peer_access polipo2.lan allow all |
| |
| ### DNS |
| # Query first using IPv4 |
| dns_v4_first on |
| ## Make all DNS requests go through the tor parent proxy polipo2.lan |
| ## polipo2.lan must have tor DNSListenAddress configured properly. |
| dns_nameservers polipo2.lan |
| # In case we add tor DNS servers later, balance the DNS requests. |
| balance_on_multiple_ip on |
| |
| ## Quick Squid shutdown. |
| shutdown_lifetime 1 seconds |
| |
| ### Cache storage for both in-memory and on-disk cache memory. |
| cache_mem 2 GB |
| memory_cache_mode always |
| minimum_object_size 0 KB |
| maximum_object_size 128 KB |
| #minimum_object_size_in_memory 0 KB |
| maximum_object_size_in_memory 128 KB |
| memory_replacement_policy heap GDSF |
| ## Do not set on-disk cache policy if not needed. |
| # cache_replacement_policy heap LFUDA |
| store_avg_object_size 32 KB |
| |
| ### Tweaks |
| ## Symmetric multi-processing (SMP) - balance on multiple CPUs / cores |
| # Example: dual-core set-up using process-pinning to delegate two squid |
| # processes to each CPU |
| workers 2 |
| cpu_affinity_map process_numbers=1,2 cores=1,2 |
| # Buffer logs before writing to disk for non-blocking IO |
| buffered_logs on |
| ## DNS IP cache |
| ipcache_size 819200 |
| ipcache_low 90 |
| ipcache_high 95 |
| fqdncache_size 819200 |
| ## DNS |
| # Store successful queries for one week. |
| positive_dns_ttl 1 week |
| # Store failed queries for one second. |
| negative_dns_ttl 1 second |
| # dns_retransmit_interval 1 second |
| # dns_timeout 1 minute |
| ## Persistent connections |
| client_persistent_connections on |
| # Not needed if squid is not a reverse-proxy. |
| server_persistent_connections off |
| persistent_connection_after_error off |
| ## HTTP Pipelining / Prefetching |
| pipeline_prefetch 8 |
| ## Memory pools |
| memory_pools on |
| memory_pools_limit 128 MB |
| ## Quick abort |
| # quick_abort_max 16384000 KB |
| # quick_abort_max -1 KB |
| # quick_abort_min -1 KB |
| # quick_abort_pct 5 |
| # quick_abort_pct 0 |
| quick_abort_min 0 KB |
| quick_abort_max 0 KB |
| range_offset_limit 0 |
| ## Read ahead |
| ## Set a read-ahead of 32MB |
| # read_ahead_gap 128 KB |
| read_ahead_gap 32 MB |
| # Set the minimum expiry time on cached objects to one week. |
| minimum_expiry_time 1 week |
| # Do not ignore expiry times for HTTP/1.0 |
| vary_ignore_expire off |
| ## Set cache low and high mark - disable if disk cache not used. |
| # cache_swap_low 85 |
| # cache_swap_high 90 |
| ## QoS Flows |
| qos_flows local-hit=0x30 |
| qos_flows parent-hit=0x32 |
| qos_flows disable-preserve-miss |
| ## Miscellaneous |
| pinger_enable off |
| client_db off |
| short_icon_urls off |
| detect_broken_pconn on |
| # Do not retry 403, 500, 501 or 503 |
| retry_on_error off |
| # Do not proxy lan hosts. |
| check_hostnames on |
| # Use multicast DNS for .local domains and reverse-DNS resolution. |
| dns_multicast_local on |
| offline_mode off |
| # Do not prefer to send the request directly. |
| prefer_direct off |
| # Disable half-closed clients. |
| half_closed_clients off |
| # Set the squid core-dump directory for crashes. |
| # coredump_dir /var/spool/squid3 |
| # Disable debugging. |
| debug_options 0 |
| |
| ### General Timeout Configuration. |
| ## Use built-in defaults. |
| # forward_timeout 60 seconds |
| # connect_timeout 60 seconds |
| # read_timeout 60 seconds |
| # request_timeout 60 seconds |
| # persistent_request_timeout 1 minute |
| # client_lifetime 21 hours |
| |
| ### On-disk Cache |
| ## Cache user, this example: proxy |
| # cache_effective_user proxy |
| ## Rock on-disk storage used by SMP configuration. |
| # cache_dir rock /var/spool/squid3/1 16384 max-size=32000 |
| # cache_dir rock /var/spool/squid3/2 16384 max-size=32000 |
| ## AUFS on-disk storage. |
| # cache_dir aufs /var/spool/squid3 20480 64 256 |
| ## Disable on-disk cache - useful since parent proxies in this |
| ## configuration will already be caching. |
| cache deny all |
| cache_dir null /tmp |
| # Disable the cache store log - useful only for debugging. |
| cache_store_log none |
| |
| ## HTTP Header Filtering |
| # HTTP request filtering. |
| include /etc/squid3/anonymize_http_request.conf |
| # HTTP response filtering. |
| include /etc/squid3/anonymize_http_response.conf |
| ## Privacy settings. |
| include /etc/squid3/privacy.conf |
| |
| ## Refresh patterns. |
| include /etc/squid3/refresh_patterns.conf |
