###########################################################################
##  Copyright (C) Wizardry and Steamworks 2012 - License: GNU GPLv3      ##
##  Please see: http://www.gnu.org/licenses/gpl.html for legal details,  ##
##  rights of fair usage, the disclaimer and warranty conditions.        ##
###########################################################################
##  Squid3 - non-intercepting general configuration.                     ##
###########################################################################
##  Configuration at a glance:                                           ##
##  - only in-memory cache, upstream proxies use disk cache.             ##
##  - connections via HTTP / HTTPS and CONNECT to non-SSL ports.         ##
##  - spam / ad blocking domains via "blocked_domains" ACL.              ##
##  - direct domain fetching via "direct_domains" ACL.                   ##
##  - cache exception domains via "cache_exceptions" ACL.                ##
##  - split route fetching via two uplinks (A and B) ACLs.               ##
##  - polipo parent proxy configuration / darknet i2p and onion.         ##
##  - DNS load-balancing using tor upstream proxies.                     ##
##  - HTTP reply / request header filtering.                             ##
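###########################################################################

### Access Control Lists (ACLs)

## Commented out on upgrade to 3.4 - "manager", "localhost" and
## "to_localhost" are built-in ACLs in this Squid generation and are still
## referenced by the http_access rules below.
# acl manager proto cache_object
# acl localhost src 127.0.0.1/32 ::1
# acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

## Client networks allowed to use the proxy.
acl localnets src 192.168.0.0/24

## SSL ports - only referenced by the (currently disabled) CONNECT rule.
acl SSL_ports port 443 # https
# Port 21 is the plain FTP control port; kept as in the original list.
acl SSL_ports port 21 # secure ftp

## Non-SSL ports
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 873 # rsync
acl Safe_ports port 1025-65535 # un-reserved ports

## CONNECT method
acl CONNECT method CONNECT

## FTP
acl ftp proto FTP

## http_access rules are evaluated top to bottom and the first match wins:
## every "deny" that must also apply to local clients has to come before
## the "allow localnets" rule.

# Allow localhost connections to Squid cache manager.
http_access allow manager localhost
http_access deny manager

# Deny any connections through Squid to any port that is not in the
# "Safe_ports" ACL.
http_access deny !Safe_ports

## Deny CONNECT method to any non-SSL ports.
# Disabled to facilitate the use of command-line tools. While this stays
# disabled, allowed clients can open CONNECT tunnels to any Safe_ports port.
# http_access deny CONNECT !SSL_ports

## Deny connections through Squid to the proxy host itself (loopback
## services). This rule previously sat below "allow localnets", where it was
## never reached for local clients.
http_access deny to_localhost

## Allow access to Squid from the local network and the server Squid is on.
http_access allow localhost
http_access allow localnets

## Allow access using the FTP protocol - restricted to local sources.
## A bare "allow ftp" matched any client address, i.e. an open FTP proxy.
http_access allow localnets ftp

## Deny anything else that does not match any ACL rules above.
http_access deny all

### Requests to certain (spam) domains that should be blocked
## Disabled - Better to use client-side anti-ad/spam solutions.
# acl blocked_domains dstdomain "/etc/squid3/blocked_domains.conf"
# http_access deny blocked_domains
# deny_info TCP_RESET blocked_domains

### Requests to domains that should always be fetched directly.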
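## Regular expressions, one per line, of domains fetched without a parent.
acl direct_domains dstdom_regex "/etc/squid3/direct_domains.conf"

## Force all requests to go through the parent proxies except the direct
## domains.
always_direct allow direct_domains
never_direct deny direct_domains
never_direct allow all

### Responses from domains that should never be cached.
# acl cache_exceptions dstdom_regex "/etc/squid3/cache_exceptions.conf"
## Disable cache for the cache exceptions ACL
# cache deny cache_exceptions

### Domains that should be fetched through different uplinks
### using ip / iproute2 routing and iptables marking.
## Both file paths below were missing their closing quote, which leaves the
## ACL definitions malformed.
## Note: because of "never_direct allow all", the mark is applied to the
## connection Squid opens for the request, which for non-direct domains is
## the connection to the parent proxy rather than to the origin server.

# ACL for outbound connection A
acl out_A dstdom_regex "/etc/squid3/out_A.conf"
# Mark the outbound packets to the A domains with 0x65 for routing.
tcp_outgoing_mark 0x65 out_A

# ACL for outbound connection B
acl out_B dstdom_regex "/etc/squid3/out_B.conf"
# Mark the outbound packets to the B domains with 0x66 for routing.
tcp_outgoing_mark 0x66 out_B

# Default address and port that Squid will be listening on. Binding to a
# hostname rather than to all interfaces keeps the listener off unintended
# addresses.
http_port proxy.lan:8123

### HTCP - cache hierarchy protocol
## Disable HTCP completely if not needed.
# htcp_port 4827
# htcp_access allow localnets
htcp_port 0
htcp_access deny all

### ICP - cache hierarchy protocol
## Disable ICP completely if not needed.
# miss_access allow localnets
# miss_access deny all
# icp_access allow localnets
icp_port 0
icp_access deny all

## Plug ICP leaks - strip cache-state headers from replies to clients that
## are not on the local networks.
reply_header_access X-Cache-Lookup deny !localnets
reply_header_access X-Squid-Error deny !localnets
reply_header_access X-Cache deny !localnets

## SNMP - monitoring of Squid health through SNMP
# Disable SNMP completely if not needed.
snmp_port 0

### Upstream proxy configuration.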
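## Example: polipo parent proxies listening on 8123
## - no-query: disable ICP cache queries (not supported by polipo)
## - no-digest: do not use digest hashes for cached objects
##   (not supported by polipo)
## - no-netdb-exchange: do not use netdb hashes for cached objects
##   (not supported by polipo)
## - no-delay: do not let this parent proxy influence the delay pools
## - connect-fail-limit=256: consider the parent proxy down after 256
##   failed connection attempts
## - carp: distribute requested Squid URLs between different cache peers
##   using the CARP protocol
## - carp-key=host,port: distribute each URL between cache peers as a
##   hash of hostname and port
## - name=polipo1.lan: a descriptive name for the cache peer used in the
##   current Squid configuration.

# polipo1.lan is a polipo-i2p proxy
cache_peer polipo1.lan parent 8123 0 no-query no-digest no-netdb-exchange no-delay connect-fail-limit=256 carp carp-key=host,port name=polipo1.lan
# polipo2.lan is a polipo-tor proxy.
cache_peer polipo2.lan parent 8123 0 no-query no-digest no-netdb-exchange no-delay connect-fail-limit=256 carp carp-key=host,port name=polipo2.lan

## Darknets / darkwebs: i2p, tor, etc...
## CARP selects among every peer that passes cache_peer_access, so a peer
## with "allow all" is also a candidate for .i2p requests unless it denies
## them explicitly.

# ACL for domains ending in .i2p
acl i2p dstdomain .i2p
# ACL for domains ending in .onion
acl onion dstdomain .onion

# Send requests to .i2p domains through the polipo1.lan i2p parent proxy.
# The last rule is "allow", so anything not matching it is denied for this
# peer.
cache_peer_access polipo1.lan allow i2p

# Send requests to .onion domains through the polipo2.lan tor parent proxy.
cache_peer_access polipo2.lan allow onion
# Keep .i2p requests away from the tor parent; without this rule the
# "allow all" below made polipo2.lan eligible for them as well.
cache_peer_access polipo2.lan deny i2p
# All other requests that do not match .i2p or .onion go through the
# general tor parent proxy polipo2.lan.
cache_peer_access polipo2.lan allow all

### DNS
# Query first using IPv4
dns_v4_first on

## Make all DNS requests go through the tor parent proxy polipo2.lan
## polipo2.lan must have tor DNSListenAddress configured properly.
## NOTE(review): dns_nameservers is documented as taking IP addresses;
## confirm that a hostname is accepted here and that polipo2.lan resolves
## (e.g. via /etc/hosts) before Squid's own resolver is usable.
dns_nameservers polipo2.lan

# In case we add tor DNS servers later, balance the DNS requests.
# NOTE(review): confirm this directive is still recognised by the Squid
# version in use; remove it if startup warns about an unknown directive.
balance_on_multiple_ip on

## Quick Squid shutdown.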
# Wait only one second for active clients before shutting down.
shutdown_lifetime 1 seconds

### Cache storage for both in-memory and on-disk cache memory.
## In-memory cache only (see "cache deny all" / cache_dir further down):
## objects up to 128 KB are kept in a 2 GB memory cache.
cache_mem 2 GB
memory_cache_mode always
minimum_object_size 0 KB
maximum_object_size 128 KB
#minimum_object_size_in_memory 0 KB
maximum_object_size_in_memory 128 KB
memory_replacement_policy heap GDSF
## Do not set on-disk cache policy if not needed.
# cache_replacement_policy heap LFUDA
store_avg_object_size 32 KB

### Tweaks

## Symmetric multi-processing (SMP) - balance on multiple CPUs / cores
# Example: dual-core set-up using process-pinning to delegate two squid
# processes to each CPU
workers 2
cpu_affinity_map process_numbers=1,2 cores=1,2

# Buffer logs before writing to disk for non-blocking IO
buffered_logs on

## DNS IP cache
# Sizes are entries; low/high are percentages of the cache size.
ipcache_size 819200
ipcache_low 90
ipcache_high 95
fqdncache_size 819200

## DNS
# Keep successful lookups for up to one week.
positive_dns_ttl 1 week
# Keep failed lookups for one second only.
negative_dns_ttl 1 second
# Built-in defaults are used for the retransmit interval and timeout.
# dns_retransmit_interval 1 second
# dns_timeout 1 minute

## Persistent connections
client_persistent_connections on
# Not needed if squid is not a reverse-proxy.
server_persistent_connections off
persistent_connection_after_error off

## HTTP Pipelining / Prefetching
# Number of pipelined requests Squid may read ahead from a client.
pipeline_prefetch 8

## Memory pools
memory_pools on
memory_pools_limit 128 MB

## Quick abort
# Earlier experiments kept for reference:
# quick_abort_max 16384000 KB
# quick_abort_max -1 KB
# quick_abort_min -1 KB
# quick_abort_pct 5
# quick_abort_pct 0
quick_abort_min 0 KB
quick_abort_max 0 KB
# Do not fetch beyond the client's requested range.
range_offset_limit 0

## Read ahead
## Set a read-ahead of 32MB
# read_ahead_gap 128 KB
read_ahead_gap 32 MB

# Set the minimum expiry time on cached objects to one week.
minimum_expiry_time 1 week

# Do not ignore expiry times for HTTP/1.0
vary_ignore_expire off

## Set cache low and high mark - disable if disk cache not used.
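# cache_swap_low 85
# cache_swap_high 90

## QoS Flows - TOS/DSCP marks on replies by where the object came from.
qos_flows local-hit=0x30
qos_flows parent-hit=0x32
qos_flows disable-preserve-miss

## Miscellaneous
pinger_enable off
# No per-client address database (also disables per-client statistics).
client_db off
short_icon_urls off
detect_broken_pconn on
# Do not retry 403, 500, 501 or 503
retry_on_error off
# Reject URLs whose host part contains characters that are not valid in
# DNS names. This validates hostname syntax; it does not exclude LAN hosts.
check_hostnames on
# Use multicast DNS for .local domains and reverse-DNS resolution.
dns_multicast_local on
offline_mode off
# Do not prefer to send the request directly.
prefer_direct off
# Disable half-closed clients.
half_closed_clients off
# Set the squid core-dump directory for crashes.
# coredump_dir /var/spool/squid3
# Disable debugging.
# NOTE(review): debug_options takes section,level pairs (ALL,1 is the
# documented default); confirm that a bare 0 is accepted by this version.
debug_options 0

### General Timeout Configuration.
## Use built-in defaults.
# forward_timeout 60 seconds
# connect_timeout 60 seconds
# read_timeout 60 seconds
# request_timeout 60 seconds
# persistent_request_timeout 1 minute
# client_lifetime 21 hours

### On-disk Cache
## Cache user, this example: proxy
# cache_effective_user proxy
## Rock on-disk storage used by SMP configuration.
# cache_dir rock /var/spool/squid3/1 16384 max-size=32000
# cache_dir rock /var/spool/squid3/2 16384 max-size=32000
## AUFS on-disk storage.
# cache_dir aufs /var/spool/squid3 20480 64 256

## Disable on-disk cache - useful since parent proxies in this
## configuration will already be caching.
cache deny all
## Leaving cache_dir unset gives a memory-only cache; the "null" store type
## is not among the types this Squid generation documents, so the old line
## is kept only for reference.
# cache_dir null /tmp

# Disable the cache store log - useful only for debugging.
cache_store_log none

## HTTP Header Filtering
# HTTP request filtering.
include /etc/squid3/anonymize_http_request.conf
# HTTP response filtering.
include /etc/squid3/anonymize_http_response.conf

## Privacy settings.
include /etc/squid3/privacy.conf

## Refresh patterns.
include /etc/squid3/refresh_patterns.conf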