  1. shutdown_lifetime 1 seconds
  2. icp_port 0
  3.  
  4. http_port 0.0.0.0:8080 transparent
  5.  
  6. cache_effective_user squid
  7. cache_effective_group squid
  8.  
  9. pid_filename /var/run/squid.pid
  10.  
  11. cache_mem 20 MB
  12. cache_dir aufs /var/spool/squid 500 16 256
  13.  
  14. error_directory /usr/share/squid/errors/en
  15.  
  16. max_filedesc 25800
  17.  
  18. server_persistent_connections off
  19. half_closed_clients off
  20. buffered_logs on
  21.  
  22. # START LOG
  23. cache_log /var/log/squid/cache.log
  24. cache_access_log syslog:local6.info
  25. cache_store_log none
  26.  
  27. useragent_log /var/log/squid/useragent.log
  28. strip_query_terms off
  29.  
  30. log_mime_hdrs off
  31. # END LOG
  32.  
  33. # FORWARD IP ADDRESS
  34. forwarded_for off
  35.  
  36. # START AUTHENTICATION
  37. auth_param basic program /usr/lib/squid/squid_ldap_auth -b dc=sicas,dc=eu -d -D uid=root,ou=Users,dc=sicas,dc=eu -w p1pp3r02010 -f "(&(objectClass=person)(uid=%s))" -u uid -v 3 -P 192.168.1.12:389
  38.  
  39. # METHOD is LDAP
  40. auth_param basic children 20
  41. auth_param basic realm sicas
  42. auth_param basic credentialsttl 60 minutes
  43. external_acl_type ldap_group ttl=300 %LOGIN /usr/lib/squid/squid_ldap_group -b dc=sicas,dc=eu -d -D uid=root,ou=Users,dc=sicas,dc=eu -w p1pp3r02010 -f "(&(objectClass=person)(uid=%u)(memberOf=%g))" -v 3 -P 192.168.1.12:389
  44.  
  45. acl for_auth_rule0 external ldap_group "/etc/squid/groups/rule0"
  46. acl for_auth_users proxy_auth REQUIRED
  47. # END AUTHENTICATION
  48.  
  49. # network - acls
  50. acl all src 0.0.0.0/0.0.0.0 #seams to be needed :(
  51. acl from_all src 0.0.0.0/0.0.0.0
  52. acl to_all dst 0.0.0.0/0.0.0.0
  53.  
  54. acl from_localhost src 127.0.0.1/255.255.255.255
  55. acl CONNECT method CONNECT
  56.  
  57. acl to_http_port port 80
  58. acl to_https_port port 10443
  59.  
  60. # proxy interfaces - acls
  61. acl to_blue_interface dst 192.168.31.1
  62. acl to_orange_interface dst 192.168.30.250
  63. acl to_green_interface dst 192.168.1.254
  64.  
  65. acl from_blue src "/etc/squid/acls/blue_subnets.acl"
  66. acl to_blue dst "/etc/squid/acls/blue_subnets.acl"
  67. acl from_orange src "/etc/squid/acls/orange_subnets.acl"
  68. acl to_orange dst "/etc/squid/acls/orange_subnets.acl"
  69. acl from_green src "/etc/squid/acls/green_subnets.acl"
  70. acl to_green dst "/etc/squid/acls/green_subnets.acl"
  71.  
  72. # allowed ports - acls
  73. acl allowed_ports port "/etc/squid/acls/ports.acl"
  74. acl allowed_sslports port "/etc/squid/acls/sslports.acl"
  75.  
  76. # allowed havp protocol - acls
  77. acl HAVP_ALLOWED_PROTOS proto HTTP
  78. acl HAVP_ALLOWED_PROTOS proto SSL
  79.  
  80.  
  81. acl to_rule0 dstdomain "/etc/squid/acls/dst_rule0.acl"
  82. acl within_timeframe_rule0 time MTWHFAS 00:00-24:00
  83. acl within_timeframe_rule1 time MTWHFAS 00:00-24:00
  84.  
  85. # caching settings
  86. refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
  87. refresh_pattern . 0 20% 4320
  88.  
  89. cache deny from_localhost
  90. cache deny CONNECT
  91. cache allow from_all
  92.  
# http access to cachemanager
# The cache-manager interface is reachable only from the proxy host itself.
# NOTE(review): no cachemgr_passwd is set anywhere in this file, so anyone
# with a shell on the host can query the manager; set one if that matters.
acl manager proto cache_object
http_access allow manager from_localhost
http_access deny manager

# snmp access settings
# NOTE(review): "public" is the well-known default community string.  It is
# only accepted from localhost here, and this file sets no snmp_port, but pick
# a non-default community before SNMP is ever exposed on the network.
acl snmppublic snmp_community public
snmp_access allow snmppublic from_localhost
snmp_access deny from_all
  102.  
# http access to squid
# Evaluated top-down; the first matching line decides.
http_access allow from_localhost
# the green LAN may reach the firewall's own web service on the green address
http_access allow from_green to_green_interface to_http_port
http_access allow CONNECT from_green to_green_interface to_https_port
# nobody else reaches the 10443 service on any firewall interface through the proxy
http_access deny to_blue_interface to_https_port
http_access deny to_orange_interface to_https_port
http_access deny to_green_interface to_https_port

# port hygiene: the destination port must be in one of the two lists,
# and CONNECT is restricted to the SSL-port list
http_access deny !allowed_ports !allowed_sslports
http_access deny CONNECT !allowed_sslports

# rule0: destinations listed in dst_rule0.acl, for members of the rule0 LDAP group
http_access allow to_rule0 within_timeframe_rule0 for_auth_rule0
# rule1: within_timeframe_rule1 covers every day 00:00-24:00, so this line
# matches every request that reaches it -- with no authentication at all.
# NOTE(review): as a consequence the group check in rule0 never denies
# anything: a user with valid credentials who is not in the rule0 group simply
# falls through to this line, and "for_auth_users" (proxy_auth REQUIRED) is
# never used.  If an authenticated proxy is intended, this line should read
# "http_access allow within_timeframe_rule1 for_auth_users"; if an open
# fallback is intended, the rule0 group lookup is doing no useful work.
http_access allow within_timeframe_rule1
http_access deny from_all
  117.  
# http reply access rules
# Mirrors the request-side policy; evaluated top-down, first match wins.
http_reply_access allow from_localhost
http_reply_access allow to_rule0 within_timeframe_rule0 for_auth_rule0
# within_timeframe_rule1 always matches, so every remaining reply is allowed
# and the final deny is never reached
http_reply_access allow within_timeframe_rule1
http_reply_access deny from_all
  123.  
  124. # max/min object size
  125. maximum_object_size 4096 KB
  126. minimum_object_size 0 KB
  127.  
  128. # replace body max size
  129. request_body_max_size 0 KB
  130. reply_body_max_size 0 allow from_all
  131.  
  132. visible_hostname fw-vma.sicas.eu
  133.  
  134. # begin custom.tmpl
  135. # end custom.tmpl
  136.  
  137. # HAVP - cache peer
  138. cache_peer 127.0.0.1 parent 9998 0 no-query no-digest no-netdb-exchange name=havp login=*:password
  139. cache_peer_access havp deny from_localhost
  140. cache_peer_access havp deny !HAVP_ALLOWED_PROTOS
  141.  
  142. # cache peer access
  143. cache_peer_access havp deny to_rule0 within_timeframe_rule0 for_auth_rule0
  144. cache_peer_access havp allow within_timeframe_rule1
  145.  
  146. cache_peer_access havp deny from_all
  147.  
  148. never_direct deny from_localhost
  149. never_direct deny to_rule0 within_timeframe_rule0 for_auth_rule0
  150. never_direct deny !HAVP_ALLOWED_PROTOS within_timeframe_rule1
  151. never_direct deny to_rule0 within_timeframe_rule0 for_auth_rule0
  152. never_direct deny !HAVP_ALLOWED_PROTOS within_timeframe_rule1
  153. never_direct allow within_timeframe_rule1
  154. never_direct allow from_all