- # Process identity: run as the unprivileged squid account; pid file for the init script.
- cache_effective_user squid
- cache_effective_group squid
- pid_filename /var/run/squid.pid
- # Listener: intercepted ("transparent") HTTP on 8080, bound to every local address.
- # NOTE(review): 0.0.0.0 also binds on any external interface; nothing in this file limits
- # who may reach 8080, so that must come from the packet filter -- confirm it does. Squid
- # cannot issue a proxy-auth challenge to intercepted clients, so the proxy_auth/%LOGIN rules
- # further down only take effect for clients explicitly configured to use the proxy.
- http_port 0.0.0.0:8080 transparent
- # ICP disabled (port 0): no sibling-cache peering.
- icp_port 0
- # Cache store: 20 MB in memory plus 500 MB on disk via aufs (16 L1 / 256 L2 directories).
- cache_mem 20 MB
- cache_dir aufs /var/spool/squid 500 16 256
- error_directory /usr/share/squid/errors/en
- max_filedesc 25800
- # Connection handling: no persistent server connections, drop half-closed clients.
- server_persistent_connections off
- half_closed_clients off
- # Batch log writes rather than flushing per line.
- buffered_logs on
- # Give in-flight requests one second on shutdown before the process exits.
- shutdown_lifetime 1 seconds
- # START LOG
- # Daemon log; helper stderr (including any -d debug output from the LDAP helpers) ends up here.
- cache_log /var/log/squid/cache.log
- # Per-request access log is shipped to syslog, facility local6, level info.
- cache_access_log syslog:local6.info
- # No store log; User-Agent strings go to their own file.
- cache_store_log none
- useragent_log /var/log/squid/useragent.log
- # Full URLs, query string included, are written to the access log.
- # NOTE(review): query strings frequently carry session tokens, API keys or personal data,
- # and with syslog as the sink those values leave this host. Prefer strip_query_terms on
- # unless the full URL is genuinely needed downstream.
- strip_query_terms off
- # Request/reply headers are not logged.
- log_mime_hdrs off
- # END LOG
- # FORWARD IP ADDRESS
- # Do not reveal client addresses to origin servers via X-Forwarded-For.
- forwarded_for off
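- # START AUTHENTICATION
- # METHOD is LDAP
- # Basic auth is verified against LDAP: the helper binds as the DN in -D with the password
- # in -w, then searches under -b with the -f filter for the user (%s) and binds as that user.
- # NOTE(review): the bind password is stored here in cleartext and was published together
- # with this paste -- treat it as compromised and rotate it. The bind account is uid=root;
- # a lookup-only helper should use a dedicated, read-only service DN instead. -P targets
- # port 389 with no -Z, so the bind password and every user password the helper verifies
- # cross the network unencrypted; use -Z (StartTLS) or an ldaps endpoint if the directory
- # supports it. Basic auth itself also carries the user's password base64-encoded between
- # client and proxy. The -d flag was dropped from both helpers: it turns on helper debug
- # output (queries and results), which lands in cache.log, and has no effect on the auth
- # decision.
- auth_param basic program /usr/lib/squid/squid_ldap_auth -b dc=sicas,dc=eu -D uid=root,ou=Users,dc=sicas,dc=eu -w p1pp3r02010 -f "(&(objectClass=person)(uid=%s))" -u uid -v 3 -P 192.168.1.12:389
- # Up to 20 helper processes; realm shown in the browser prompt; verified credentials are
- # cached for 60 minutes before the helper is consulted again.
- auth_param basic children 20
- auth_param basic realm sicas
- auth_param basic credentialsttl 60 minutes
- # Group-membership lookup with the same bind account (same caveats as above); results are
- # cached for 300 s. %LOGIN makes evaluating an ACL of this type demand authentication.
- external_acl_type ldap_group ttl=300 %LOGIN /usr/lib/squid/squid_ldap_group -b dc=sicas,dc=eu -D uid=root,ou=Users,dc=sicas,dc=eu -w p1pp3r02010 -f "(&(objectClass=person)(uid=%u)(memberOf=%g))" -v 3 -P 192.168.1.12:389
- # Groups permitted for rule0, one per line in the referenced file.
- acl for_auth_rule0 external ldap_group "/etc/squid/groups/rule0"
- # Defined but not referenced by any access rule in this file.
- acl for_auth_users proxy_auth REQUIRED
- # END AUTHENTICATION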
- # network - acls
- # Loopback source and catch-all selectors; "all" is kept because the original author found
- # some directives require it to exist.
- acl from_localhost src 127.0.0.1/255.255.255.255
- acl all src 0.0.0.0/0.0.0.0
- acl from_all src 0.0.0.0/0.0.0.0
- acl to_all dst 0.0.0.0/0.0.0.0
- # Request-method and destination-port selectors used by the access rules below.
- acl CONNECT method CONNECT
- acl to_http_port port 80
- acl to_https_port port 10443
- # proxy interfaces - acls
- # The firewall's own address in each zone (green / blue / orange).
- acl to_green_interface dst 192.168.1.254
- acl to_blue_interface dst 192.168.31.1
- acl to_orange_interface dst 192.168.30.250
- # Zone subnets (one prefix per line in each file) as source and destination selectors.
- # Only from_green is referenced by the access rules in this file; the rest are unused here.
- acl from_green src "/etc/squid/acls/green_subnets.acl"
- acl to_green dst "/etc/squid/acls/green_subnets.acl"
- acl from_blue src "/etc/squid/acls/blue_subnets.acl"
- acl to_blue dst "/etc/squid/acls/blue_subnets.acl"
- acl from_orange src "/etc/squid/acls/orange_subnets.acl"
- acl to_orange dst "/etc/squid/acls/orange_subnets.acl"
- # allowed ports - acls
- # Destination ports permitted for plain requests and for CONNECT, read from the listed files.
- acl allowed_ports port "/etc/squid/acls/ports.acl"
- acl allowed_sslports port "/etc/squid/acls/sslports.acl"
- # allowed havp protocol - acls
- # Request schemes that may be handed to the HAVP peer (two lines, one name: OR'd).
- acl HAVP_ALLOWED_PROTOS proto HTTP
- acl HAVP_ALLOWED_PROTOS proto SSL
- # rule0 destination domains and the time windows for rule0 / rule1.
- # Both windows span all seven days, 00:00-24:00, so today they match every request.
- acl to_rule0 dstdomain "/etc/squid/acls/dst_rule0.acl"
- acl within_timeframe_rule0 time MTWHFAS 00:00-24:00
- acl within_timeframe_rule1 time MTWHFAS 00:00-24:00
- # caching settings
- # Never cache dynamic content (cgi-bin paths or anything with a query string); everything
- # else may be kept up to 4320 minutes, with a 20% last-modified heuristic.
- refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
- refresh_pattern . 0 20% 4320
- # CONNECT tunnels and requests originating on the proxy host are never cached; the rest may be.
- cache deny CONNECT
- cache deny from_localhost
- cache allow from_all
- # snmp access settings
- # SNMP queries are answered only from loopback and only with this community string.
- # NOTE(review): "public" is the well-known default community. It is confined to 127.0.0.1
- # here, but rename it before SNMP is ever opened to a monitoring host.
- acl snmppublic snmp_community public
- snmp_access allow snmppublic from_localhost
- snmp_access deny from_all
- # http access to cachemanager
- # The cache manager interface (cache_object://) is reachable only from the proxy host itself.
- acl manager proto cache_object
- http_access allow manager from_localhost
- http_access deny manager
- # http access to squid
- # Evaluated top to bottom; the first matching line decides.
- # Requests from the proxy host itself.
- http_access allow from_localhost
- # Green hosts may reach the firewall's green address on 80 and CONNECT to it on 10443.
- http_access allow from_green to_green_interface to_http_port
- http_access allow CONNECT from_green to_green_interface to_https_port
- # Nobody else may reach any of the firewall's own addresses on 10443.
- http_access deny to_blue_interface to_https_port
- http_access deny to_orange_interface to_https_port
- http_access deny to_green_interface to_https_port
- # Ports in neither list are refused (ACLs on one line are ANDed); CONNECT only to SSL ports.
- http_access deny !allowed_ports !allowed_sslports
- http_access deny CONNECT !allowed_sslports
- # rule0 destinations: for_auth_rule0 carries %LOGIN, so this is where credentials are
- # demanded; a user who authenticates but is in none of the rule0 groups simply does not
- # match here and falls through to the next line.
- http_access allow to_rule0 within_timeframe_rule0 for_auth_rule0
- # NOTE(review): this line has no source restriction and within_timeframe_rule1 matches
- # 24x7, so every client that can reach port 8080 is allowed without authentication --
- # including the rule0 user who failed the group check above -- and the final deny is never
- # reached. If only the green/blue/orange zones should be served, add their from_* ACLs
- # (OR'd under one name) to this line and confirm the packet filter blocks 8080 externally.
- http_access allow within_timeframe_rule1
- http_access deny from_all
- # http reply access rules
- # Mirrors the request rules: replies for localhost and for rule0/rule1 traffic pass, all
- # others are dropped. As within_timeframe_rule1 always matches, the final deny is
- # unreachable here as well.
- http_reply_access allow from_localhost
- http_reply_access allow to_rule0 within_timeframe_rule0 for_auth_rule0
- http_reply_access allow within_timeframe_rule1
- http_reply_access deny from_all
- # max/min object size
- # Objects up to 4 MB are eligible for the cache; no lower bound.
- minimum_object_size 0 KB
- maximum_object_size 4096 KB
- # request/reply body max size
- # A size of 0 is Squid's "no limit": upload and download bodies are uncapped for every client.
- request_body_max_size 0 KB
- reply_body_max_size 0 allow from_all
- # Hostname used in error pages and Via/X-Cache headers.
- visible_hostname fw-vma.sicas.eu
- # begin custom.tmpl
- # end custom.tmpl
- # HAVP - cache peer
- # Local HAVP peer (presumably the HTTP AntiVirus Proxy) on 127.0.0.1:9998 as a parent, with
- # ICP, digest and netdb exchange disabled. login=*:password forwards the authenticated
- # username to the peer with the literal password "password"; loopback only, so it does not
- # cross the wire.
- cache_peer 127.0.0.1 parent 9998 0 no-query no-digest no-netdb-exchange name=havp login=*:password
- # Requests from the proxy host and schemes other than HTTP/SSL never go through HAVP.
- cache_peer_access havp deny from_localhost
- cache_peer_access havp deny !HAVP_ALLOWED_PROTOS
- # cache peer access
- # NOTE(review): rule0 traffic that passes the LDAP group check is routed around HAVP, i.e.
- # those users' downloads are not scanned by the peer -- confirm that is the intended policy.
- cache_peer_access havp deny to_rule0 within_timeframe_rule0 for_auth_rule0
- cache_peer_access havp allow within_timeframe_rule1
- cache_peer_access havp deny from_all
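- # Routing: never_direct allow forces the request through a cache_peer (HAVP); deny leaves
- # Squid free to fetch directly. Evaluated top to bottom, first match wins.
- # Local requests and rule0 traffic with a group match go direct (mirrors cache_peer_access).
- never_direct deny from_localhost
- never_direct deny to_rule0 within_timeframe_rule0 for_auth_rule0
- # Schemes the HAVP peer does not accept go direct as well.
- never_direct deny !HAVP_ALLOWED_PROTOS within_timeframe_rule1
- # Everything else must go through a peer. (The original repeated the two deny lines above
- # verbatim; under first-match evaluation the copies were dead, so they were removed.)
- never_direct allow within_timeframe_rule1
- never_direct allow from_all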