Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- # Recommended minimum configuration:
- #old_test
- #auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -d -s HTTP/squid.ax.loc@AX.LOC
- #auth_param negotiate children 20
- #auth_param negotiate keep_alive on
- #external_acl_type group Internet_Users /usr/lib64/squid/ext_kerberos_ldap_group_acl -a -g proxy_pfsense -D AX.LOC
- #auth_param basic program /usr/lib64/squid/basic_ldap_auth -R -b "dc=ax,dc=loc" -D "squid@ax.loc" -w "squid" -f "sAMAccountName=%s" 192.16
- #acl sites dstdomain .ubuntu.com
- #acl sites dstdomain .mail.ru
- #http_access deny sites
- #auth_param basic program /usr/lib64/squid/basic_ldap_auth -b "dc=ax,dc=loc" -f "uid=%s" -c 2 -t 2 -h 192.168.0.20:389
- #acl ldapusers proxy_auth REQUIRED
- #Вариант 1
- auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -s HTTP/squid.ax.loc
- auth_param negotiate children 30
- auth_param negotiate keep_alive on
- external_acl_type SQUID_BlockedAccess ttl=300 negative_ttl=60 %LOGIN /usr/lib64/squid/ext_kerberos_ldap_group_acl -a -g SQUID_BlockedAcces
- external_acl_type SQUID_FullAccess ttl=300 negative_ttl=60 %LOGIN /usr/lib64/squid/ext_kerberos_ldap_group_acl -g SQUID_FullAccess@AX.LOC
- external_acl_type SQUID_RestrictedAccess ttl=300 negative_ttl=60 %LOGIN /usr/lib64/squid/ext_kerberos_ldap_group_acl -g SQUID_RestrictedAc
- acl SQUID_BlockedAccess external SQUID_BlockedAccess
- acl SQUID_FullAccess external SQUID_FullAccess
- acl SQUID_RestrictedAccess external SQUID_RestrictedAccess
- #Вариант №2
- #auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -s HTTP/squid.ax.loc
- #auth_param negotiate children 30
- #auth_param negotiate keep_alive on
- #auth_param basic program /usr/lib64/squid/basic_ldap_auth -b "dc=ax,dc=loc" -P -R -D "squid@ax.loc" -w "squid" -f "sAMAccountName=%s" dc-#auth_param basic realm Squid Basic Auth
- #auth_param basic children 30
- #auth_param basic credentialsttl 8 hours
- #acl auth proxy_auth REQUIRED
- #external_acl_type kerberos_full_access ttl=900 negative_ttl=900 %LOGIN /usr/lib64/squid/ext_kerberos_ldap_group_acl -a -g #SQUID_FullAcces#external_acl_type kerberos_restricted_access ttl=900 negative_ttl=900 %LOGIN #/usr/lib64/squid/ext_kerberos_ldap_group_acl -a -g SQUID_Res#external_acl_type kerberos_blocked_access ttl=900 negative_ttl=900 %LOGIN #/usr/lib64/squid/ext_kerberos_ldap_group_acl -a -g SQUID_Blocke#external_acl_type ldap_group ttl=900 %LOGIN #/usr/lib64/squid/ext_ldap_group_acl -b "dc=ax,dc=loc" -P -R -K -D "squid@ax.loc" -w "squid" -#acl kerberos_full_access external #kerberos_full_access
- #acl kerberos_restricted_access external kerberos_restricted_access
- #acl kerberos_blocked_access external kerberos_blocked_access
- #acl SQUID_FullAccess external ldap_group SQUID_FullAccess
- #acl SQUID_RestrictedAccess external ldap_group SQUID_RestrictedAccess
- #acl SQUID_BlockedAccess external ldap_group SQUID_BlockedAccess
- # Example rule allowing access from your local networks.
- # Adapt to list your (internal) IP networks from where browsing
- # should be allowed
- #acl localnet src 10.0.0.0/8<--># RFC1918 possible internal network
- #acl localnet src 172.16.0.0/12># RFC1918 possible internal network
- #acl localnet src 192.168.0.0/16<------># RFC1918 possible internal network
- #acl localnet src fc00::/7 # RFC 4193 local private network range
- #acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
- acl ax.loc src 192.168.0.0/24
- acl SSL_ports port 443
- acl Safe_ports port 80<><------># http
- acl Safe_ports port 21<><------># ftp
- acl Safe_ports port 443><------># https
- acl Safe_ports port 70<><------># gopher
- acl Safe_ports port 210><------># wais
- acl Safe_ports port 1025-65535<># unregistered ports
- acl Safe_ports port 280><------># http-mgmt
- acl Safe_ports port 488><------># gss-http
- acl Safe_ports port 591><------># filemaker
- acl Safe_ports port 777><------># multiling http
- acl CONNECT method CONNECT
- #
- # Recommended minimum Access Permission configuration:
- #
- # Deny requests to certain unsafe ports
- http_access deny !Safe_ports
- # Deny CONNECT to other than secure SSL ports
- http_access deny CONNECT !SSL_ports
- # Only allow cachemgr access from localhost
- http_access allow localhost manager
- http_access deny manager
- # We strongly recommend the following be uncommented to protect innocent
- # web applications running on the proxy server who think the only
- # one who can access services on "localhost" is a local user
- #http_access deny to_localhost
- #
- # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
- #
- # Example rule allowing access from your local networks.
- # Adapt localnet in the ACL section to list your (internal) IP networks
- # from where browsing should be allowed
- #Вариант №1
- http_access deny SQUID_BlockedAccess
- http_access allow SQUID_FullAccess
- http_access deny all
- #http_access deny squid_deny Time
- #http_access allow localnet
- #http_access allow localhost
- #http_access allow ax.loc
- #http_access deny blacklist squid_deny
- #http_access allow auth
- #http_access deny blacklist SQUID_RestrictedAccess
- #http_access deny SQUID_BlockedAccess
- #http_access allow SQUID_FullAccess
- #http_access deny blacklist SQUID_RestrictedAccess
- #http_access deny SQUID_BlockedAccess
- #http_access allow blacklist squid_deny
- #Вариант №2
- #http_access allow kerberos_full_access
- #http_access allow SQUID_FullAccess
- #http_access deny kerberos_blocked_access
- #http_access deny SQUID_BlockedAccess
- #http_access deny kerberos_restricted_access
- #http_access deny SQUID_RestrictedAccess
- #http_access allow auth
- # And finally deny all other access to this proxy
- #http_access deny all
- # Squid normally listens to port 3128
- http_port 3128
- # Uncomment and adjust the following to add a disk cache directory.
- cache_dir ufs /var/spool/squid 100 16 256
- # Leave coredumps in the first cache dir
- coredump_dir /var/spool/squid
- #
- # Add any of your own refresh_pattern entries above these.
- #
- refresh_pattern ^ftp:<-><------>1440<-->20%<--->10080
- refresh_pattern ^gopher:<------>1440<-->0%<---->1440
- refresh_pattern -i (/cgi-bin/|\?) 0<--->0%<---->0
- refresh_pattern .<-----><------>0<----->20%<--->4320
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement