squid-external.conf.mas

<%doc>
    Main configuration file for Squid daemon

  Parameters:

    snmpEnabled - Boolean indicating if SNMP is enabled or not
</%doc>
<%args>
    $port
    $transparent    => undef

    $hostfqdn
    $realm => ''

    $memory
    $cacheDirSize
    $max_object_size

    @nameservers
    $append_domain

    $cache_host
    $cache_port
    $cache_user
    $cache_passwd

    $urlRewriteProgram => undef
    @objectsDelayPools
    @notCachedDomains

    $snmpEnabled => 0
</%args>
<%shared>
our $anyPrefix = 'any_src_';
our $maxAclNameLength = 31;
our %longAclNames = ();
</%shared>
<%perl>
# needed because space scape doesnt work in acl names
sub _escapeWS
{
    my ($string) = @_;
    $string =~ s{ }{__}g;
    return $string;
}
# needed to avoid log acl problems
sub _aclName
{
    my ($name) = @_;
    if (length($name) <= $maxAclNameLength) {
        return _escapeWS($name);
    }

    if (not exists $longAclNames{$name}) {
        my $nextId = 1 + keys %longAclNames;
        $nextId = 'longAcl' . $nextId;
        $longAclNames{$name} = $nextId;
    }

    return _escapeWS($longAclNames{$name});
}
</%perl>
<%def .rulesACLs>
<%args>
    @rules
    $realm
</%args>
% foreach my $rule (@rules) {
%   if ($rule->{any}) {
       <& .timeACLs, rule => $rule, id => $anyPrefix . $rule->{number} &>
%      next;
%   }
%   my $object = $rule->{object};
%   my $group = $rule->{group};
%   my $src = $object ? $object : $group;
%   my $aclName = _aclName($src);
%   if ($object) {
acl <% $aclName %> src <% join ' ', @{ $rule->{addresses} } %>
%   } else {
%       # escape user names
%       my @users = map { $_ =~ s{ }{\\ }g; $_ } @{$rule->{users}};
%       if ($realm) {
%           @users = map { $_ . '@' . $realm } @users;
%       }
acl <% $aclName %> proxy_auth <% join (' ', @users) %>
%   }
   <& .timeACLs, rule => $rule, id => $src &>
% }
</%def>

<%def .timeACLs>
<%args>
    $rule
    $id
</%args>
% if ($rule->{timeDays}) {
acl <% _aclName('timeDays_' . $id) %> time <% $rule->{timeDays} %>
% }
% if ($rule->{timeHours}) {
acl <% _aclName('timeHours_' . $id) %> time <% $rule->{timeHours} %>
% }
</%def>

<%def .delayPools>
<%args>
@objectsDelayPools
</%args>
% if ( @objectsDelayPools ) {
%     my $pools = @objectsDelayPools;
delay_pool_uses_indirect_client on
delay_pools <% $pools %>
% }
<%perl>
 my $id = 0;
 foreach my $objPool (@objectsDelayPools) {
     $id++;
     my $rate =  $objPool->{rate};
     if ($rate > 0) {
         $rate *= 1024;
     }
     my $size = $objPool->{size};
     if ($size > 0) {
         $size *= 1024 * 1024;
     }
</%perl>
delay_class <% $id %> <% $objPool->{class} %>
%     if ( $objPool->{class} eq '1' ) {
delay_parameters <% $id %> <% $rate %>/<% $size %>
%     } elsif ( $objPool->{class} eq '2' ) {
<%perl>
     my $clt_rate =  $objPool->{clt_rate};
     if ($clt_rate > 0) {
         $clt_rate *= 1024;
     }
     my $clt_size = $objPool->{clt_size};
     if ($clt_size > 0) {
         $clt_size *= 1024 * 1024;
     }
</%perl>
delay_parameters <% $id %> <% $rate %>/<% $size %> <% $clt_rate %>/<% $clt_size %>
%     }
delay_initial_bucket_level 90
delay_access <% $id %> allow <% $objPool->{object} %>
delay_access <% $id %> deny all
% }
</%def>

<%def .snmp>
<%doc>
Define the SNMP configuration as SNMP agent
</%doc>
acl snmppublic snmp_community public
snmp_port 3401
snmp_access allow snmppublic from_localhost
snmp_access deny all
</%def>
###################################################################################
http_port localhost:<% $port %> ignore-cc


visible_hostname (external)<% $hostfqdn %>

coredump_dir /var/spool/squid3
cache_effective_user proxy
cache_effective_group proxy
cache_mem 512 MB
cache_dir aufs /var/spool/squid3 <% $cacheDirSize %> 16 256
maximum_object_size 800 MB
maximum_object_size_in_memory 1024 KB
memory_pools off
ipcache_size 10240
buffered_logs on
range_offset_limit 0
client_db off
forwarded_for off
via off
half_closed_clients off
pipeline_prefetch on
quick_abort_min 1 MB
range_offset_limit 10 MB
access_log /var/log/squid3/external-access.log squid
cache_log /var/log/squid3/external-cache.log
cache_store_log /var/log/squid3/external-store.log
pid_filename /var/run/squid3-external.pid
% if (@nameservers) {
%   my $dns_nameservers = '';
%   foreach my $srv (@nameservers) {
%     $dns_nameservers .= "$srv ";
%   }
dns_nameservers <% $dns_nameservers %>
% }
% if ($append_domain) {
append_domain .<% $append_domain %>
% }

# refresh patterns

# windows updates
refresh_pattern http://.*\.windowsupdate\.microsoft\.com/ 0 80% 20160 reload-into-ims
refresh_pattern http://.*\.update\.microsoft\.com/ 0 80% 20160 reload-into-ims
refresh_pattern http://download\.microsoft\.com/ 0 80% 20160 reload-into-ims
refresh_pattern http://windowsupdate\.microsoft\.com/ 0 80% 20160 reload-into-ims
refresh_pattern http://.*\.download\.windowsupdate\.com/ 0 80% 20160 reload-into-ims
refresh_pattern http://office\.microsoft\.com/ 0 80% 20160 reload-into-ims
refresh_pattern http://w?xpsp[0-9]\.microsoft\.com/ 0 80% 20160 reload-into-ims
refresh_pattern http://w2ksp[0-9]\.microsoft\.com/ 0 80% 20160 reload-into-ims

# linux updates
refresh_pattern http://.*\.archive\.ubuntu\.com/ 0 80% 20160 reload-into-ims
refresh_pattern http://(ftp|http)[0-9]*\.[a-z]+\.debian\.org/ 0 80% 20160 reload-into-ims

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

# end refresh patterns

% if ($cache_host and $cache_port) {
%   my $peerAuth = '';
%   if ($cache_user and $cache_passwd) {
# WARN: remember that for squid auth % are HTML escapes
%    $peerAuth = 'login=' . $cache_user . ':' . $cache_passwd;
%   }
cache_peer <% $cache_host %> parent <% $cache_port %> 0 no-query no-digest <% $peerAuth %>
% }

% if ($urlRewriteProgram) {
url_rewrite_program <% $urlRewriteProgram %>
% }

<& .rulesACLs, rules => [ @objectsDelayPools ], realm => $realm &>
acl_uses_indirect_client on

# no cache domains acl
% foreach my $domain (@notCachedDomains) {
acl noCached dstdomain <% $domain %>
% }


acl from_localhost src 127.0.0.0/8 ::1
acl to_localhost dst 127.0.0.0/8 ::1
acl manager url_regex -i ^cache_object:// +i ^https?://[^/]+/squid-internal-mgr/
acl SSL_ports port 443          # https, snews
acl SSL_ports port 873              # rsync
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563         # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 631             # cups
acl Safe_ports port 777         # multiling http
acl Safe_ports port 873             # rsync
acl Safe_ports port 901             # SWAT

acl CONNECT method CONNECT
acl purge method PURGE


follow_x_forwarded_for allow from_localhost
log_uses_indirect_client on

http_access allow manager to_localhost

http_access deny manager
http_access deny purge
http_access deny !Safe_ports

http_access deny CONNECT !SSL_ports
http_access allow from_localhost

# we use firewall to deny clients from the outside
http_access allow all
% if ($cache_host and $cache_port) {
never_direct allow all
% }

<& .delayPools, objectsDelayPools => \@objectsDelayPools &>

% if ( $snmpEnabled ) {
<& .snmp &>
% }

always_direct allow to_localhost