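###########################################################################
## Copyright (C) Wizardry and Steamworks 2012 - License: GNU GPLv3 ##
## Please see: http://www.gnu.org/licenses/gpl.html for legal details, ##
## rights of fair usage, the disclaimer and warranty conditions. ##
###########################################################################
## Squid3 - non-intercepting general configuration. ##
###########################################################################
## Configuration at a glance: ##
## - only in-memory cache, upstream proxies use disk cache. ##
## - connections via HTTP / HTTPs and CONNECT to non-SSL ports. ##
## - spam / ad blocking domains via "blocked_domains" ACL. ##
## - direct domain fetching via "direct_domains" ACL. ##
## - cache exception domains via "cache_exceptions" ACL. ##
## - split route fetching via two uplinks (A and B) ACLs. ##
## - polipo parent proxy configuration / darknet i2p and onion. ##
## - DNS load-balancing using tor upstream proxies. ##
## - HTTP reply / request header filtering. ##
###########################################################################

### Access Control Lists (ACL)s
## Commented out on upgrade to 3.4 ("manager", "localhost" and
## "to_localhost" are predefined ACLs since Squid 3.2).
# acl manager proto cache_object
# acl localhost src 127.0.0.1/32 ::1
acl localnets src 192.168.0.0/24
## Commented out on upgrade to 3.4
# acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
## SSL ports
acl SSL_ports port 443 # https
acl SSL_ports port 21 # secure ftp
## Non-SSL ports
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 873 # rsync
acl Safe_ports port 1025-65535 # un-reserved ports
## CONNECT method
acl CONNECT method CONNECT
## FTP
acl ftp proto FTP
# Allow localhost connections to Squid cache manager.
http_access allow manager localhost
http_access deny manager
# Deny any connections through Squid to any port that is not in the
# "Safe_ports" ACL.
http_access deny !Safe_ports
## Deny CONNECT method to any non-SSL ports.
# Disabled to facilitate the use of command-line tools. While this stays
# disabled, every allowed client can CONNECT (tunnel raw TCP) to any
# Safe_ports port, including the whole 1025-65535 range; re-enable it
# once the command-line tools no longer need it.
# http_access deny CONNECT !SSL_ports
## Deny connections through squid to localhost.
# Kept before the allow rules: http_access stops at the first matching
# line, so a deny placed after "allow localnets" would never apply to
# local-network clients.
http_access deny to_localhost
## Allow access to Squid from the local network and the server Squid is on.
http_access allow localhost
http_access allow localnets
## Allow access using the FTP protocol from the local network only.
# An unqualified "allow ftp" at this point would match FTP requests from
# any source, because localhost and localnets are already allowed above.
http_access allow localnets ftp
## Deny anything else that does not match any ACL rules above.
http_access deny all

### Requests to certain (spam) domains that should be blocked
## Disabled - Better to use client-side anti-ad/spam solutions.
# acl blocked_domains dstdomain "/etc/squid3/blocked_domains.conf"
# http_access deny blocked_domains
# deny_info TCP_RESET blocked_domains

### Requests to domains that should always be fetched directly.
acl direct_domains dstdom_regex "/etc/squid3/direct_domains.conf"
## Force all requests to go through Squid except the direct domains.
always_direct allow direct_domains
never_direct deny direct_domains
never_direct allow all

### Responses from domains that should never be cached.
# acl cache_exceptions dstdom_regex "/etc/squid3/cache_exceptions.conf"
## Disable cache for the cache exceptions ACL
# cache deny cache_exceptions

### Domains that should be fetched through different uplinks
### using ip / iproute2 routing and iptables marking.
# ACL for outbound connection A
# (the path must be fully quoted; the closing quote was missing)
acl out_A dstdom_regex "/etc/squid3/out_A.conf"
# Mark the outbound packets to the A domains with 0x65 for routing.
tcp_outgoing_mark 0x65 out_A
# ACL for outbound connection B
acl out_B dstdom_regex "/etc/squid3/out_B.conf"
# Mark the outbound packets to the B domains with 0x66 for routing.
tcp_outgoing_mark 0x66 out_B

# Default port that Squid will be listening on.
http_port proxy.lan:8123

### HTCP - cache hierarchy protocol
## Disable HTCP completely if not needed.
# htcp_port 4827
# htcp_access allow localnets
htcp_port 0
htcp_access deny all
### ICP - cache hierarchy protocol
## Disable ICP completely if not needed.
# miss_access allow localnets
# miss_access deny all
# icp_access allow localnets
icp_port 0
icp_access deny all
## Plug ICP leaks - strip cache diagnostics from replies leaving the LAN.
reply_header_access X-Cache-Lookup deny !localnets
reply_header_access X-Squid-Error deny !localnets
reply_header_access X-Cache deny !localnets
## SNMP - monitoring of Squid health through SNMP
# Disable SNMP completely if not needed.
snmp_port 0

### Upstream proxy configuration.
## Example: polipo parent proxies listening on 8123
## - no-query: disable ICP cache queries (not supported by polipo)
## - no-digest: do not use digest hashes for cached objects
## (not supported by polipo)
## - no-netdb-exchange: do not use netdb hashes for cached objects
## (not supported by polipo)
## - no-delay: do not let this parent proxy influence the delay pools
## - connect-fail-limit=256: consider the parent proxy down after 256
## failed connection attempts
## - carp: distribute requested Squid URLs between different cache peers
## using the CARP protocol
## - carp-key=host,port: distribute each URL between cache peers as a
## hash of hostname and port
## - name=polipo1.lan: a descriptive name for the cache peer used in the
## current Squid configuration.
# polipo1.lan is a polipo-i2p proxy
cache_peer polipo1.lan parent 8123 0 no-query no-digest no-netdb-exchange no-delay connect-fail-limit=256 carp carp-key=host,port name=polipo1.lan
# polipo2.lan is a polipo-tor proxy.
cache_peer polipo2.lan parent 8123 0 no-query no-digest no-netdb-exchange no-delay connect-fail-limit=256 carp carp-key=host,port name=polipo2.lan

## Darknets / darkwebs: i2p, tor, etc...
# ACL for domains ending in .i2p
acl i2p dstdomain .i2p
# Send requests to .i2p domains through the polipo1.lan i2p parent proxy.
# With no further rule for polipo1.lan, anything not matching "i2p" is
# kept away from that peer (cache_peer_access defaults to the opposite
# of its last line).
cache_peer_access polipo1.lan allow i2p
# Send requests to .onion domains through the polipo2.lan tor parent proxy.
acl onion dstdomain .onion
cache_peer_access polipo2.lan allow onion
# All other requests that do not match .i2p or .onion go through the
# general tor parent proxy polipo2.lan.
cache_peer_access polipo2.lan allow all

### DNS
# Query first using IPv4
dns_v4_first on
## Make all DNS requests go through the tor parent proxy polipo2.lan
## polipo2.lan must have tor DNSListenAddress configured properly.
# NOTE(review): dns_nameservers is documented with IP addresses; confirm
# that this Squid build accepts a hostname here and that the name itself
# resolves before the tor path is available.
dns_nameservers polipo2.lan
# In case we add tor DNS servers later, balance the DNS requests.
balance_on_multiple_ip on

## Quick Squid shutdown.
shutdown_lifetime 1 seconds

### Cache storage for both in-memory and on-disk cache memory.
cache_mem 2 GB
memory_cache_mode always
minimum_object_size 0 KB
maximum_object_size 128 KB
#minimum_object_size_in_memory 0 KB
maximum_object_size_in_memory 128 KB
memory_replacement_policy heap GDSF
## Do not set on-disk cache policy if not needed.
# cache_replacement_policy heap LFUDA
store_avg_object_size 32 KB

### Tweaks
## Symmetric multi-processing (SMP) - balance on multiple CPUs / cores
# Example: dual-core set-up using process-pinning to delegate two squid
# processes to each CPU
workers 2
cpu_affinity_map process_numbers=1,2 cores=1,2
# Buffer logs before writing to disk for non-blocking IO
buffered_logs on
## DNS IP cache
ipcache_size 819200
ipcache_low 90
ipcache_high 95
fqdncache_size 819200
## DNS
# Store successful queries for one week.
positive_dns_ttl 1 week
# Store failed queries for one second.
negative_dns_ttl 1 second
# dns_retransmit_interval 1 second
# dns_timeout 1 minute
## Persistent connections
client_persistent_connections on
# Not needed if squid is not a reverse-proxy.
server_persistent_connections off
persistent_connection_after_error off
## HTTP Pipelining / Prefetching
pipeline_prefetch 8
## Memory pools
memory_pools on
memory_pools_limit 128 MB
## Quick abort
# quick_abort_max 16384000 KB
# quick_abort_max -1 KB
# quick_abort_min -1 KB
# quick_abort_pct 5
# quick_abort_pct 0
quick_abort_min 0 KB
quick_abort_max 0 KB
range_offset_limit 0
## Read ahead
## Set a read-ahead of 32MB
# read_ahead_gap 128 KB
read_ahead_gap 32 MB
# Set the minimum expiry time on cached objects to one week.
minimum_expiry_time 1 week
# Do not ignore expiry times for HTTP/1.0
vary_ignore_expire off
## Set cache low and high mark - disable if disk cache not used.
# cache_swap_low 85
# cache_swap_high 90
## QoS Flows
qos_flows local-hit=0x30
qos_flows parent-hit=0x32
qos_flows disable-preserve-miss
## Miscellaneous
pinger_enable off
client_db off
short_icon_urls off
detect_broken_pconn on
# Do not retry 403, 500, 501 or 503
retry_on_error off
# Do not proxy lan hosts.
check_hostnames on
# Use multicast DNS for .local domains and reverse-DNS resolution.
dns_multicast_local on
offline_mode off
# Do not prefer to send the request directly.
prefer_direct off
# Disable half-closed clients.
half_closed_clients off
# Set the squid core-dump directory for crashes.
# coredump_dir /var/spool/squid3
# Disable debugging.
# NOTE(review): Squid documents debug_options as "section,level" pairs
# (the default is ALL,1); confirm that a bare "0" has the intended effect.
debug_options 0

### General Timeout Configuration.
## Use built-in defaults.
# forward_timeout 60 seconds
# connect_timeout 60 seconds
# read_timeout 60 seconds
# request_timeout 60 seconds
# persistent_request_timeout 1 minute
# client_lifetime 21 hours

### On-disk Cache
## Cache user, this example: proxy
# cache_effective_user proxy
## Rock on-disk storage used by SMP configuration.
# cache_dir rock /var/spool/squid3/1 16384 max-size=32000
# cache_dir rock /var/spool/squid3/2 16384 max-size=32000
## AUFS on-disk storage.
# cache_dir aufs /var/spool/squid3 20480 64 256
## Disable on-disk cache - useful since parent proxies in this
## configuration will already be caching.
cache deny all
# NOTE(review): newer Squid 3 releases are believed to have dropped the
# "null" cache_dir type; if startup rejects it, "cache deny all" with no
# cache_dir line at all is the disk-less alternative - confirm against
# the installed version.
cache_dir null /tmp
# Disable the cache store log - useful only for debugging.
cache_store_log none

## HTTP Header Filtering
# HTTP request filtering.
include /etc/squid3/anonymize_http_request.conf
# HTTP response filtering.
include /etc/squid3/anonymize_http_response.conf
## Privacy settings.
include /etc/squid3/privacy.conf

## Refresh patterns.
include /etc/squid3/refresh_patterns.conf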