Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- <%doc>
- Main configuration file for Squid daemon
- Parameters:
- snmpEnabled - Boolean indicating if SNMP is enabled or not
- </%doc>
- <%args>
- $port
- $transparent => undef
- $hostfqdn
- $realm => ''
- $memory
- $cacheDirSize
- $max_object_size
- @nameservers
- $append_domain
- $cache_host
- $cache_port
- $cache_user
- $cache_passwd
- $urlRewriteProgram => undef
- @objectsDelayPools
- @notCachedDomains
- $snmpEnabled => 0
- </%args>
- <%shared>
- our $anyPrefix = 'any_src_';
- our $maxAclNameLength = 31;
- our %longAclNames = ();
- </%shared>
- <%perl>
- # needed because space scape doesnt work in acl names
- sub _escapeWS
- {
- my ($string) = @_;
- $string =~ s{ }{__}g;
- return $string;
- }
- # needed to avoid log acl problems
- sub _aclName
- {
- my ($name) = @_;
- if (length($name) <= $maxAclNameLength) {
- return _escapeWS($name);
- }
- if (not exists $longAclNames{$name}) {
- my $nextId = 1 + keys %longAclNames;
- $nextId = 'longAcl' . $nextId;
- $longAclNames{$name} = $nextId;
- }
- return _escapeWS($longAclNames{$name});
- }
- </%perl>
- <%def .rulesACLs>
- <%args>
- @rules
- $realm
- </%args>
- % foreach my $rule (@rules) {
- % if ($rule->{any}) {
- <& .timeACLs, rule => $rule, id => $anyPrefix . $rule->{number} &>
- % next;
- % }
- % my $object = $rule->{object};
- % my $group = $rule->{group};
- % my $src = $object ? $object : $group;
- % my $aclName = _aclName($src);
- % if ($object) {
- acl <% $aclName %> src <% join ' ', @{ $rule->{addresses} } %>
- % } else {
- % # escape user names
- % my @users = map { $_ =~ s{ }{\\ }g; $_ } @{$rule->{users}};
- % if ($realm) {
- % @users = map { $_ . '@' . $realm } @users;
- % }
- acl <% $aclName %> proxy_auth <% join (' ', @users) %>
- % }
- <& .timeACLs, rule => $rule, id => $src &>
- % }
- </%def>
- <%def .timeACLs>
- <%args>
- $rule
- $id
- </%args>
- % if ($rule->{timeDays}) {
- acl <% _aclName('timeDays_' . $id) %> time <% $rule->{timeDays} %>
- % }
- % if ($rule->{timeHours}) {
- acl <% _aclName('timeHours_' . $id) %> time <% $rule->{timeHours} %>
- % }
- </%def>
- <%def .delayPools>
- <%args>
- @objectsDelayPools
- </%args>
- % if ( @objectsDelayPools ) {
- % my $pools = @objectsDelayPools;
- delay_pool_uses_indirect_client on
- delay_pools <% $pools %>
- % }
- <%perl>
- my $id = 0;
- foreach my $objPool (@objectsDelayPools) {
- $id++;
- my $rate = $objPool->{rate};
- if ($rate > 0) {
- $rate *= 1024;
- }
- my $size = $objPool->{size};
- if ($size > 0) {
- $size *= 1024 * 1024;
- }
- </%perl>
- delay_class <% $id %> <% $objPool->{class} %>
- % if ( $objPool->{class} eq '1' ) {
- delay_parameters <% $id %> <% $rate %>/<% $size %>
- % } elsif ( $objPool->{class} eq '2' ) {
- <%perl>
- my $clt_rate = $objPool->{clt_rate};
- if ($clt_rate > 0) {
- $clt_rate *= 1024;
- }
- my $clt_size = $objPool->{clt_size};
- if ($clt_size > 0) {
- $clt_size *= 1024 * 1024;
- }
- </%perl>
- delay_parameters <% $id %> <% $rate %>/<% $size %> <% $clt_rate %>/<% $clt_size %>
- % }
- delay_initial_bucket_level 90
- delay_access <% $id %> allow <% $objPool->{object} %>
- delay_access <% $id %> deny all
- % }
- </%def>
- <%def .snmp>
- <%doc>
- Define the SNMP configuration as SNMP agent
- </%doc>
- acl snmppublic snmp_community public
- snmp_port 3401
- snmp_access allow snmppublic from_localhost
- snmp_access deny all
- </%def>
- ###################################################################################
- http_port localhost:<% $port %> ignore-cc
- visible_hostname (external)<% $hostfqdn %>
- coredump_dir /var/spool/squid3
- cache_effective_user proxy
- cache_effective_group proxy
- cache_mem 512 MB
- cache_dir aufs /var/spool/squid3 <% $cacheDirSize %> 16 256
- maximum_object_size 800 MB
- maximum_object_size_in_memory 1024 KB
- memory_pools off
- ipcache_size 10240
- buffered_logs on
- range_offset_limit 0
- client_db off
- forwarded_for off
- via off
- half_closed_clients off
- pipeline_prefetch on
- quick_abort_min 1 MB
- range_offset_limit 10 MB
- access_log /var/log/squid3/external-access.log squid
- cache_log /var/log/squid3/external-cache.log
- cache_store_log /var/log/squid3/external-store.log
- pid_filename /var/run/squid3-external.pid
- % if (@nameservers) {
- % my $dns_nameservers = '';
- % foreach my $srv (@nameservers) {
- % $dns_nameservers .= "$srv ";
- % }
- dns_nameservers <% $dns_nameservers %>
- % }
- % if ($append_domain) {
- append_domain .<% $append_domain %>
- % }
- # refresh patterns
- # windows updates
- refresh_pattern http://.*\.windowsupdate\.microsoft\.com/ 0 80% 20160 reload-into-ims
- refresh_pattern http://.*\.update\.microsoft\.com/ 0 80% 20160 reload-into-ims
- refresh_pattern http://download\.microsoft\.com/ 0 80% 20160 reload-into-ims
- refresh_pattern http://windowsupdate\.microsoft\.com/ 0 80% 20160 reload-into-ims
- refresh_pattern http://.*\.download\.windowsupdate\.com/ 0 80% 20160 reload-into-ims
- refresh_pattern http://office\.microsoft\.com/ 0 80% 20160 reload-into-ims
- refresh_pattern http://w?xpsp[0-9]\.microsoft\.com/ 0 80% 20160 reload-into-ims
- refresh_pattern http://w2ksp[0-9]\.microsoft\.com/ 0 80% 20160 reload-into-ims
- # linux updates
- refresh_pattern http://.*\.archive\.ubuntu\.com/ 0 80% 20160 reload-into-ims
- refresh_pattern http://(ftp|http)[0-9]*\.[a-z]+\.debian\.org/ 0 80% 20160 reload-into-ims
- refresh_pattern ^ftp: 1440 20% 10080
- refresh_pattern ^gopher: 1440 0% 1440
- refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
- refresh_pattern . 0 20% 4320
- # end refresh patterns
- % if ($cache_host and $cache_port) {
- % my $peerAuth = '';
- % if ($cache_user and $cache_passwd) {
- # WARN: remember that for squid auth % are HTML escapes
- % $peerAuth = 'login=' . $cache_user . ':' . $cache_passwd;
- % }
- cache_peer <% $cache_host %> parent <% $cache_port %> 0 no-query no-digest <% $peerAuth %>
- % }
- % if ($urlRewriteProgram) {
- url_rewrite_program <% $urlRewriteProgram %>
- % }
- <& .rulesACLs, rules => [ @objectsDelayPools ], realm => $realm &>
- acl_uses_indirect_client on
- # no cache domains acl
- % foreach my $domain (@notCachedDomains) {
- acl noCached dstdomain <% $domain %>
- % }
- acl from_localhost src 127.0.0.0/8 ::1
- acl to_localhost dst 127.0.0.0/8 ::1
- acl manager url_regex -i ^cache_object:// +i ^https?://[^/]+/squid-internal-mgr/
- acl SSL_ports port 443 # https, snews
- acl SSL_ports port 873 # rsync
- acl Safe_ports port 80 # http
- acl Safe_ports port 21 # ftp
- acl Safe_ports port 443 563 # https, snews
- acl Safe_ports port 70 # gopher
- acl Safe_ports port 210 # wais
- acl Safe_ports port 1025-65535 # unregistered ports
- acl Safe_ports port 280 # http-mgmt
- acl Safe_ports port 488 # gss-http
- acl Safe_ports port 591 # filemaker
- acl Safe_ports port 631 # cups
- acl Safe_ports port 777 # multiling http
- acl Safe_ports port 873 # rsync
- acl Safe_ports port 901 # SWAT
- acl CONNECT method CONNECT
- acl purge method PURGE
- follow_x_forwarded_for allow from_localhost
- log_uses_indirect_client on
- http_access allow manager to_localhost
- http_access deny manager
- http_access deny purge
- http_access deny !Safe_ports
- http_access deny CONNECT !SSL_ports
- http_access allow from_localhost
- # we use firewall to deny clients from the outside
- http_access allow all
- % if ($cache_host and $cache_port) {
- never_direct allow all
- % }
- <& .delayPools, objectsDelayPools => \@objectsDelayPools &>
- % if ( $snmpEnabled ) {
- <& .snmp &>
- % }
- always_direct allow to_localhost
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement