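--- a/squid/3/squid3.conf
+++ b/squid/3/squid3.conf
@@ -0,0 +1,283 @@
+###########################################################################
+## Copyright (C) Wizardry and Steamworks 2012 - License: GNU GPLv3 ##
+## Please see: http://www.gnu.org/licenses/gpl.html for legal details, ##
+## rights of fair usage, the disclaimer and warranty conditions. ##
+###########################################################################
+## Squid3 - non-intercepting general configuration. ##
+###########################################################################
+## Configuration at a glance: ##
+## - only in-memory cache, upstream proxies use disk cache. ##
+## - connections via HTTP / HTTPs and CONNECT to non-SSL ports. ##
+## - spam / add blocking domains via "blocked_domains" ACL. ##
+## - direct domain fetching via "direct_domains" ACL. ##
+## - cache exception domains via "cache_exceptions" ACL. ##
+## - split route fetching via two uplinks (A and B) ACLs. ##
+## - polipo parent proxy configuration / darknet i2p and onion. ##
+## - DNS load-balancing using tor upstream proxies. ##
+## - HTTP reply / request header filtering. ##
+###########################################################################
+
+### Access Control Lists (ACL)s
+## Commented out on upgrade to 3.4
+# acl manager proto cache_object
+# acl localhost src 127.0.0.1/32 ::1
+acl localnets src 192.168.0.0/24
+## Commented out on upgrade to 3.4
+# acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
+## SSL ports
+acl SSL_ports port 443 # https
+acl SSL_ports port 21 # secure ftp
+## Non-SSL ports
+acl Safe_ports port 80 # http
+acl Safe_ports port 21 # ftp
+acl Safe_ports port 443 # https
+acl Safe_ports port 70 # gopher
+acl Safe_ports port 210 # wais
+acl Safe_ports port 280 # http-mgmt
+acl Safe_ports port 488 # gss-http
+acl Safe_ports port 591 # filemaker
+acl Safe_ports port 777 # multiling http
+acl Safe_ports port 873 # rsync
+acl Safe_ports port 1025-65535 # un-reserved ports
+## CONNECT method
+acl CONNECT method CONNECT
+## FTP
+acl ftp proto FTP
+# Allow localhost connections to Squid cache manager.
+http_access allow manager localhost
+http_access deny manager
+# Deny any connections through Squid to any port that is not in the
+# "Safe_ports" ACL.
+http_access deny !Safe_ports
+## Deny CONNECT method to any non-SSL ports.
+# Disabled to facilitate the use of command-line tools.
+# http_access deny CONNECT !SSL_ports
+## Allow access to Squid from the local network and the server Squid is on.
+http_access allow localhost
+http_access allow localnets
+## Allow access using the FTP protocol.
+http_access allow ftp
+## Deny connections through squid to localhost.
+http_access deny to_localhost
+## Deny anything else that does not match any ACL rules above.
+http_access deny all
+
+### Requests to certain (spam) domains that should be blocked
+## Disabled - Better to use client-side anti-add/spam solutions.
+# acl blocked_domains dstdomain "/etc/squid3/blocked_domains.conf"
+# http_access deny blocked_domains
+# deny_info TCP_RESET blocked_domains
+
+### Requests to domains that should always be fetched directly.
+acl direct_domains dstdom_regex "/etc/squid3/direct_domains.conf"
+## Force all requests to go through Squid except the direct domains.
+always_direct allow direct_domains
+never_direct deny direct_domains
+never_direct allow all
+
+### Responses from domains that should never be cached.
+# acl cache_exceptions dstdom_regex "/etc/squid3/cache_exceptions.conf"
+## Disable cache for the cache exceptions ACL
+# cache deny cache_exceptions
+
+### Domains that should be fetched through different uplinks
+### using ip / iproute2 routing and iptables marking.
+# ACL for outbound connection A
+acl out_A dstdom_regex "/etc/squid3/out_A.conf
+# Mark the outbound packets to the A domains with 0x65 for routing.
+tcp_outgoing_mark 0x65 out_A
+# ACL for outbound connection B
+acl out_B dstdom_regex "/etc/squid3/out_B.conf
+# Mark the outbound packets to the B domains with 0x66 for routing.
+tcp_outgoing_mark 0x66 out_B
+
+# Default port that Squid will be listening on.
+http_port proxy.lan:8123
+
+### HTCP - cache hierarchy protocol
+## Disable HTCP completely if not needed.
+# htcp_port 4827
+# htcp_access allow localnets
+htcp_port 0
+htcp_access deny all
+### ICP - cache hierarchy protocol
+## Disable ICP completely if not needed.
+# miss_access allow localnets
+# miss_access deny all
+# icp_access allow localnets
+icp_port 0
+icp_access deny all
+## Plug ICP leaks
+reply_header_access X-Cache-Lookup deny !localnets
+reply_header_access X-Squid-Error deny !localnets
+reply_header_access X-Cache deny !localnets
+## SNMP - monitoring of Squid health through SNMP
+# Disable SNMP completely if not needed.
+snmp_port 0
+
+### Upstream proxy configuration.
+## Example: polipo parent proxies listening on 8123
+## - no-query: disable ICP cache queries (not supported by polipo)
+## - no-digest: do not use digest hashes for cached objects
+## (not supported by polipo)
+## - no-netdb-exchange: do not use netdb hashes for cached objects
+## (not supported by polipo)
+## - no-delay: do not let this parent proxy to influence the delay pools
+## - connect-fail-limit=256: consider the parent proxy down after 256
+## failed connection attempts
+## - carp: distribute requested Squid URLs between different cache peers
+## using the CARP protocol
+## - carp-key=host,port: distribute each URL between cache peers as a
+## hash of hostname and port
+## - name=polipo1.lan: a descriptive name for the cache peer used in the
+## current Squid configuration.
+# polipo1.lan is an polipo-i2p proxy
+cache_peer polipo1.lan parent 8123 0 no-query no-digest no-netdb-exchange no-delay connect-fail-limit=256 carp carp-key=host,port name=polipo1.lan
+# polipo2.lan is a polipo-tor proxy.
+cache_peer polipo2.lan parent 8123 0 no-query no-digest no-netdb-exchange no-delay connect-fail-limit=256 carp carp-key=host,port name=polipo2.lan
+
+## Darknets / darkwebs: i2p, tor, etc...
+# ACL for domains ending in .i2p
+acl i2p dstdomain .i2p
+# Send requests to .i2p domains through the polipo1.lan i2p parent proxy.
+cache_peer_access polipo1.lan allow i2p
+# Send requests to .onion domains through the polipo2.lan tor parent proxy.
+acl onion dstdomain .onion
+cache_peer_access polipo2.lan allow onion
+# All other requests that do not match .i2p or .onion goes through the
+# general tor parent proxy polipo2.lan.
+cache_peer_access polipo2.lan allow all
+
+### DNS
+# Query first using IPv4
+dns_v4_first on
+## Make all DNS requests go through the tor parent proxy polipo2.lan
+## polipo2.lan must have tor DNSListenAddress configured properly.
+dns_nameservers polipo2.lan
+# In case we add tor DNS servers later, balance the DNS requests.
+balance_on_multiple_ip on
+
+## Quick Squid shutdown.
+shutdown_lifetime 1 seconds
+
+### Cache storage for both in-memory and on-disk cache memory.
+cache_mem 2 GB
+memory_cache_mode always
+minimum_object_size 0 KB
+maximum_object_size 128 KB
+#minimum_object_size_in_memory 0 KB
+maximum_object_size_in_memory 128 KB
+memory_replacement_policy heap GDSF
+## Do not set on-disk cache policy if not needed.
+# cache_replacement_policy heap LFUDA
+store_avg_object_size 32 KB
+
+### Tweaks
+## Symmetric multi-processing (SMP) - balance on multiple CPUs / cores
+# Example: dual-core set-up using process-pinning to delegate two squid
+# processes to each CPU
+workers 2
+cpu_affinity_map process_numbers=1,2 cores=1,2
+# Buffer logs before writing to disk for non-blocking IO
+buffered_logs on
+## DNS IP cache
+ipcache_size 819200
+ipcache_low 90
+ipcache_high 95
+fqdncache_size 819200
+## DNS
+# Store successful queries for one week.
+positive_dns_ttl 1 week
+# Store failed queries for one second.
+negative_dns_ttl 1 second
+# dns_retransmit_interval 1 second
+# dns_timeout 1 minute
+## Persistent connections
+client_persistent_connections on
+# Not needed if squid is not a reverse-proxy.
+server_persistent_connections off
+persistent_connection_after_error off
+## HTTP Pipelining / Prefetching
+pipeline_prefetch 8
+## Memory pools
+memory_pools on
+memory_pools_limit 128 MB
+## Quick abort
+# quick_abort_max 16384000 KB
+# quick_abort_max -1 KB
+# quick_abort_min -1 KB
+# quick_abort_pct 5
+# quick_abort_pct 0
+quick_abort_min 0 KB
+quick_abort_max 0 KB
+range_offset_limit 0
+## Read ahead
+## Set a read-ahead of 32MB
+# read_ahead_gap 128 KB
+read_ahead_gap 32 MB
+# Set the minimum expiry time on cached objects to one week.
+minimum_expiry_time 1 week
+# Do not ignore expiry times for HTTP/1.0
+vary_ignore_expire off
+## Set cache low and high mark - disable if disk cache not used.
+# cache_swap_low 85
+# cache_swap_high 90
+## QoS Flows
+qos_flows local-hit=0x30
+qos_flows parent-hit=0x32
+qos_flows disable-preserve-miss
+## Miscellaneous
+pinger_enable off
+client_db off
+short_icon_urls off
+detect_broken_pconn on
+# Do not retry 403, 500, 501 or 503
+retry_on_error off
+# Do not proxy lan hosts.
+check_hostnames on
+# Use multicast DNS for .local domains and reverse-DNS resolution.
+dns_multicast_local on
+offline_mode off
+# Do not prefer to send the request directly.
+prefer_direct off
+# Disable half-closed clients.
+half_closed_clients off
+# Set the squid core-dump directory for crashes.
+# coredump_dir /var/spool/squid3
+# Disable debugging.
+debug_options 0
+
+### General Timeout Configuration.
+## Use built-in defaults.
+# forward_timeout 60 seconds
+# connect_timeout 60 seconds
+# read_timeout 60 seconds
+# request_timeout 60 seconds
+# persistent_request_timeout 1 minute
+# client_lifetime 21 hours
+
+### On-disk Cache
+## Cache user, this example: proxy
+# cache_effective_user proxy
+## Rock on-disk storage used by SMP configuration.
+# cache_dir rock /var/spool/squid3/1 16384 max-size=32000
+# cache_dir rock /var/spool/squid3/2 16384 max-size=32000
+## AUFS on-disk storage.
+# cache_dir aufs /var/spool/squid3 20480 64 256
+## Disable on-disk cache - useful since parent proxies in this
+## configuration will already be caching.
+cache deny all
+cache_dir null /tmp
+# Disable the cache store log - useful only for debugging.
+cache_store_log none
+
+## HTTP Header Filtering
+# HTTP request filtering.
+include /etc/squid3/anonymize_http_request.conf
+# HTTP response filtering.
+include /etc/squid3/anonymize_http_response.conf
+## Privacy settings.
+include /etc/squid3/privacy.conf
+
+## Refresh patterns.
+include /etc/squid3/refresh_patterns.conf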
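Review bot: `http_access deny to_localhost` is unreachable for the clients this file serves, because `http_access allow localhost` and `http_access allow localnets` precede it and http_access stops at the first matching line; a client in 192.168.0.0/24 can therefore be proxied to services bound to 127.0.0.0/8 on the proxy host (anything on a Safe_ports port, which includes 1025-65535). Move the deny above the allow lines, as the stock configuration does: place `http_access deny to_localhost` directly after `http_access deny !Safe_ports`, and drop the later copy. Separately, the `out_A` and `out_B` dstdom_regex lines lack the closing double quote on the file path (compare the `direct_domains` line): `acl out_A dstdom_regex "/etc/squid3/out_A.conf"` and `acl out_B dstdom_regex "/etc/squid3/out_B.conf"`. `dns_nameservers polipo2.lan` also looks like it expects an IP address rather than a hostname that Squid would first have to resolve; worth confirming against the Squid version in use and noting in the comment above it.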