###########################################################################
##  Copyright (C) Wizardry and Steamworks 2012 - License: GNU GPLv3      ##
##  Please see: http://www.gnu.org/licenses/gpl.html for legal details,  ##
##  rights of fair usage, the disclaimer and warranty conditions.        ##
###########################################################################
## Squid3 - non-intercepting general configuration.                      ##
###########################################################################
## Configuration at a glance:                                            ##
##   - only in-memory cache, upstream proxies use disk cache.            ##
##   - connections via HTTP / HTTPs and CONNECT to non-SSL ports.        ##
##   - spam / ad blocking domains via "blocked_domains" ACL.             ##
##   - direct domain fetching via "direct_domains" ACL.                  ##
##   - cache exception domains via "cache_exceptions" ACL.               ##
##   - split route fetching via two uplinks (A and B) ACLs.              ##
##   - polipo parent proxy configuration / darknet i2p and onion.        ##
##   - DNS load-balancing using tor upstream proxies.                    ##
##   - HTTP reply / request header filtering.                            ##                        
###########################################################################

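### Access Control Lists (ACLs)
## Commented out on upgrade to 3.4 - manager, localhost and to_localhost
## are built-in ACLs in Squid 3.2 and later and must not be redefined.
# acl manager proto cache_object
# acl localhost src 127.0.0.1/32 ::1
## Client network that is allowed to use this proxy.
acl localnets src 192.168.0.0/24
## Commented out on upgrade to 3.4
# acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
## SSL ports - only consulted by the CONNECT rule, which is disabled below.
acl SSL_ports port 443          # https
acl SSL_ports port 21           # secure ftp
## Non-SSL ports
acl Safe_ports port 80              # http
acl Safe_ports port 21              # ftp
acl Safe_ports port 443             # https
acl Safe_ports port 70              # gopher
acl Safe_ports port 210             # wais
acl Safe_ports port 280             # http-mgmt
acl Safe_ports port 488             # gss-http
acl Safe_ports port 591             # filemaker
acl Safe_ports port 777             # multiling http
acl Safe_ports port 873         # rsync
acl Safe_ports port 1025-65535  # un-reserved ports
## CONNECT method
acl CONNECT method CONNECT
## FTP
acl ftp proto FTP

## http_access rules are evaluated top to bottom and the first matching
## rule wins, so every deny that is meant to restrict local clients has to
## appear before the broad allow rules for localhost / localnets.
# Allow localhost connections to Squid cache manager.
http_access allow manager localhost
http_access deny manager
# Deny any connections through Squid to any port that is not in the
# "Safe_ports" ACL.
http_access deny !Safe_ports
## Deny CONNECT method to any non-SSL ports.
# Disabled to facilitate the use of command-line tools.
# http_access deny CONNECT !SSL_ports
## Deny connections through squid to localhost (the squid host itself).
## This must precede the allow rules below: placed after them it could never
## match for local clients, because "allow localnets" already accepted them.
http_access deny to_localhost
## Allow access to Squid from the local network and the server Squid is on.
http_access allow localhost
http_access allow localnets
## FTP access: the localhost / localnets rules above already cover the FTP
## protocol for local clients. An unconditional "allow ftp" at this point
## would grant FTP proxying to any source address and would also bypass the
## to_localhost deny for ftp:// URLs, so it is left disabled.
# http_access allow ftp
## Deny anything else that does not match any ACL rules above.
http_access deny all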

### Requests to certain (spam) domains that should be blocked
## Disabled - Better to use client-side anti-ad/spam solutions.
# acl blocked_domains dstdomain "/etc/squid3/blocked_domains.conf"
# http_access deny blocked_domains
# deny_info TCP_RESET blocked_domains

### Requests to domains that should always be fetched directly.
# One regular expression per line, matched against the destination domain.
acl direct_domains dstdom_regex "/etc/squid3/direct_domains.conf"
## Force all requests to go through Squid except the direct domains.
# always_direct takes precedence over never_direct, so matching domains are
# fetched from the origin server and never handed to the parent proxies.
always_direct allow direct_domains
# Everything else must go through a cache_peer; Squid refuses to fetch it
# directly even if all parents are down.
never_direct deny direct_domains
never_direct allow all

### Responses from domains that should never be cached.
# acl cache_exceptions dstdom_regex "/etc/squid3/cache_exceptions.conf"
## Disable cache for the cache exceptions ACL
# cache deny cache_exceptions

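### Domains that should be fetched through different uplinks
### using ip / iproute2 routing and iptables marking.
## Both ACL file names must be fully quoted; a missing closing quote makes
## the path token ambiguous to the config parser.
# ACL for outbound connection A (one regular expression per line).
acl out_A dstdom_regex "/etc/squid3/out_A.conf"
# Mark the outbound packets to the A domains with 0x65 for routing.
tcp_outgoing_mark 0x65 out_A
# ACL for outbound connection B (one regular expression per line).
acl out_B dstdom_regex "/etc/squid3/out_B.conf"
# Mark the outbound packets to the B domains with 0x66 for routing.
tcp_outgoing_mark 0x66 out_B
# NOTE(review): with "never_direct allow all" in effect, the connections that
# carry these marks are the ones to the parent proxies, not to the origin
# servers - confirm the routing split is meant to apply to the peer links.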

# Default port that Squid will be listening on.
# Binding to a hostname limits listening to the address it resolves to at
# start-up; the name must be resolvable before the DNS settings below apply.
http_port proxy.lan:8123

### HTCP - cache hierarchy protocol
## Disable HTCP completely if not needed.
# htcp_port 4827
# htcp_access allow localnets
# Port 0 turns the listener off; the deny rule is a belt-and-braces guard.
htcp_port 0
htcp_access deny all
### ICP - cache hierarchy protocol
## Disable ICP completely if not needed.
# miss_access allow localnets
# miss_access deny all
# icp_access allow localnets
icp_port 0
icp_access deny all
## Strip Squid's diagnostic reply headers for clients outside localnets.
## These headers disclose cache hit/miss status and internal error details
## to the client; they are unrelated to ICP despite the original label.
reply_header_access X-Cache-Lookup deny !localnets
reply_header_access X-Squid-Error deny !localnets
reply_header_access X-Cache deny !localnets
## SNMP - monitoring of Squid health through SNMP
# Disable SNMP completely if not needed.
snmp_port 0

### Upstream proxy configuration.
## Example: polipo parent proxies listening on 8123
## cache_peer syntax: hostname type http-port icp-port [options]; the "0"
## after the HTTP port is the ICP port, unused because of no-query.
##   - no-query: disable ICP cache queries (not supported by polipo)
##   - no-digest: do not use digest hashes for cached objects
##     (not supported by polipo)
##   - no-netdb-exchange: do not use netdb hashes for cached objects
##     (not supported by polipo)
##   - no-delay: do not let this parent proxy to influence the delay pools
##   - connect-fail-limit=256: consider the parent proxy down after 256
##     failed connection attempts
##   - carp: distribute requested Squid URLs between different cache peers
##     using the CARP protocol
##       - carp-key=host,port: distribute each URL between cache peers as a
##         hash of hostname and port
##   - name=polipo1.lan: a descriptive name for the cache peer used in the
##     current Squid configuration.
## Which of the two CARP members actually receives a request is further
## narrowed by the cache_peer_access rules in the darknet section below.
# polipo1.lan is a polipo-i2p proxy.
cache_peer polipo1.lan parent 8123 0 no-query no-digest no-netdb-exchange no-delay connect-fail-limit=256 carp carp-key=host,port name=polipo1.lan
# polipo2.lan is a polipo-tor proxy.
cache_peer polipo2.lan parent 8123 0 no-query no-digest no-netdb-exchange no-delay connect-fail-limit=256 carp carp-key=host,port name=polipo2.lan

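## Darknets / darkwebs: i2p, tor, etc...
# ACL for domains ending in .i2p
acl i2p dstdomain .i2p
# ACL for domains ending in .onion
acl onion dstdomain .onion
## cache_peer_access uses the same first-match semantics as http_access:
## when no rule matches, the opposite of the last rule applies.
# Send requests to .i2p domains through the polipo1.lan i2p parent proxy.
# Since "allow i2p" is the last rule for this peer, everything else is
# implicitly denied, so polipo1.lan only ever sees .i2p requests.
cache_peer_access polipo1.lan allow i2p
# Keep .i2p requests away from the tor peer. Both peers are members of the
# same CARP array, and CARP picks among every peer whose access rules allow
# the request; without this deny an .i2p request could be hashed onto
# polipo2.lan, which cannot resolve .i2p names.
cache_peer_access polipo2.lan deny i2p
# Send requests to .onion domains through the polipo2.lan tor parent proxy.
cache_peer_access polipo2.lan allow onion
# All other requests that do not match .i2p or .onion go through the
# general tor parent proxy polipo2.lan.
cache_peer_access polipo2.lan allow all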

### DNS
# Query first using IPv4
dns_v4_first on
## Make all DNS requests go through the tor parent proxy polipo2.lan
## polipo2.lan must have tor DNSListenAddress configured properly.
## NOTE(review): dns_nameservers takes numeric IP addresses; Squid rejects a
## hostname here with a warning instead of resolving it, so this line most
## likely needs polipo2.lan's IP address - confirm in cache.log. Squid also
## still has to resolve proxy.lan and the cache_peer hostnames through
## whatever resolver ends up configured here.
dns_nameservers polipo2.lan
# balance_on_multiple_ip rotates between the several IP addresses a
# destination host resolves to; it does not spread lookups across DNS
# servers, so it has no effect on how dns_nameservers entries are used.
balance_on_multiple_ip on

## Quick Squid shutdown.
# Grace period clients get to finish in-flight requests after a shutdown
# is requested; one second is effectively an immediate stop.
shutdown_lifetime 1 seconds

### Cache storage for both in-memory and on-disk cache memory.
# Size of the in-memory object store only - not a limit on total process
# memory. These settings only matter if caching is not denied by a "cache"
# rule elsewhere in this file.
cache_mem 2 GB
# Keep the most recently fetched objects in memory.
memory_cache_mode always
# Objects outside [minimum, maximum] are never cached; 128 KB keeps only
# small objects, matching the in-memory-only design.
minimum_object_size 0 KB
maximum_object_size 128 KB
#minimum_object_size_in_memory 0 KB
maximum_object_size_in_memory 128 KB 
# GDSF favours keeping many small popular objects over few large ones.
memory_replacement_policy heap GDSF
## Do not set on-disk cache policy if not needed.
# cache_replacement_policy heap LFUDA
# Hint used when sizing internal index structures.
store_avg_object_size 32 KB

### Tweaks
## Symmetric multi-processing (SMP) - balance on multiple CPUs / cores
# Example: dual-core set-up pinning worker process 1 to core 1 and worker
# process 2 to core 2 (cores are numbered from 1 in cpu_affinity_map).
workers 2
cpu_affinity_map process_numbers=1,2 cores=1,2
# Buffer logs before writing to disk for non-blocking IO
buffered_logs on
## DNS IP cache
# Number of cached forward / reverse lookups and the low/high water marks
# (percent) between which the IP cache is trimmed.
ipcache_size 819200
ipcache_low 90
ipcache_high 95
fqdncache_size 819200
## DNS
# Upper bound on how long successful lookups are cached; the record's own
# TTL is honoured when it is shorter.
positive_dns_ttl 1 week
# Cache failed lookups for one second only.
negative_dns_ttl 1 second
# dns_retransmit_interval 1 second
# dns_timeout 1 minute
## Persistent connections
client_persistent_connections on
# Not needed if squid is not a reverse-proxy.
server_persistent_connections off
persistent_connection_after_error off
## HTTP Pipelining / Prefetching
# Maximum number of pipelined requests Squid processes ahead of the client.
pipeline_prefetch 8
## Memory pools
memory_pools on
memory_pools_limit 128 MB
## Quick abort
# quick_abort_max 16384000 KB
# quick_abort_max -1 KB
# quick_abort_min -1 KB
# quick_abort_pct 5
# quick_abort_pct 0
# With both thresholds at 0 KB a server fetch is dropped as soon as the
# client aborts; nothing is finished in the background for the cache.
quick_abort_min 0 KB
quick_abort_max 0 KB
# 0: never fetch more of an object than a Range request asked for.
range_offset_limit 0
## Read ahead
## Set a read-ahead of 32MB
# read_ahead_gap 128 KB
# How far ahead of the client Squid reads from the server per request.
read_ahead_gap 32 MB
# Set the minimum expiry time on cached objects to one week.
# Applies to objects that cannot be revalidated (no validators).
minimum_expiry_time 1 week
# Do not ignore expiry times for HTTP/1.0
vary_ignore_expire off
## Set cache low and high mark - disable if disk cache not used.
# cache_swap_low 85
# cache_swap_high 90
## QoS Flows
# TOS values written to replies served from the local cache or from a
# parent hit; distinct from the netfilter marks set by tcp_outgoing_mark.
qos_flows local-hit=0x30
qos_flows parent-hit=0x32
qos_flows disable-preserve-miss
## Miscellaneous
# No ICMP pinger: netdb measurements are not used with these peers.
pinger_enable off
# Skip the per-client statistics database.
client_db off
short_icon_urls off
detect_broken_pconn on
# Do not retry 403, 500, 501 or 503
retry_on_error off
# Reject requests whose hostname does not follow RFC hostname syntax.
check_hostnames on
# Use multicast DNS for .local domains and reverse-DNS resolution.
dns_multicast_local on
offline_mode off
# Do not prefer to send the request directly.
# (Moot while "never_direct allow all" is in effect.)
prefer_direct off
# Disable half-closed clients.
half_closed_clients off
# Set the squid core-dump directory for crashes.
# coredump_dir /var/spool/squid3
# Disable debugging.
# NOTE(review): debug_options normally takes section,level pairs such as
# ALL,1 - confirm that a bare 0 is accepted by the installed version.
debug_options 0

### General Timeout Configuration.
## Use built-in defaults.
# forward_timeout 60 seconds
# connect_timeout 60 seconds
# read_timeout 60 seconds
# request_timeout 60 seconds
# persistent_request_timeout 1 minute
# client_lifetime 21 hours

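### On-disk Cache
## Cache user, this example: proxy
# cache_effective_user proxy
## Rock on-disk storage used by SMP configuration.
# cache_dir rock /var/spool/squid3/1 16384 max-size=32000
# cache_dir rock /var/spool/squid3/2 16384 max-size=32000
## AUFS on-disk storage.
# cache_dir aufs /var/spool/squid3 20480 64 256
## Disable on-disk cache - useful since parent proxies in this
## configuration will already be caching.
## With no cache_dir line at all Squid runs without a disk store, so the
## in-memory cache sized by cache_mem above remains the only object store,
## which is the design stated in the file header.
## "cache deny all" is kept disabled: it stops objects from being stored in
## memory as well as on disk, which would make the cache_mem settings inert.
## Re-enable it only to switch caching off entirely.
# cache deny all
## NOTE(review): the "null" cache_dir type is not available in current
## Squid 3 releases; omitting cache_dir is the supported way to run without
## a disk cache - confirm against the installed version.
# cache_dir null /tmp
# Disable the cache store log - useful only for debugging.
cache_store_log none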

## HTTP Header Filtering
## The rule sets live in separate files and are spliced in verbatim at this
## point; directive order relative to the rest of this file is preserved.
# HTTP request filtering.
include /etc/squid3/anonymize_http_request.conf
# HTTP response filtering.
include /etc/squid3/anonymize_http_response.conf
## Privacy settings.
include /etc/squid3/privacy.conf

## Refresh patterns.
include /etc/squid3/refresh_patterns.conf