
Re: Trans Proxy w/ Web Cache


 



On Thursday 01 September 2005 07:58, Kyle Dunn wrote:
> What options do I need to configure in the squid.conf in order to run a 
> transparent proxy (port 80) with web cache without the need for any 
> authentication (windows xp pro is installed on the server). I already 
> have it mostly configured, and have been doing so via cygwin, the 
> service starts and functions normally but it seems there are a few 
> things incorrect and i only need the 192.168.0.0 network in the acl.

see attached
#Access control list definitions
#Examples:
#acl myexample dst_as 1241
#acl password proxy_auth REQUIRED
#acl fileupload req_mime_type -i ^multipart/form-data$
#acl javascript rep_mime_type -i ^application/x-javascript$
#
# "all" matches every client address. It is used in the final
# "http_access deny all" and in the header_access rules.
acl all src 0.0.0.0/0
# Client addresses permitted to use the proxy ("http_access allow intranet").
# NOTE(review): these are the networks of the person who posted this file.
# Only 172.16.0.0/12 is RFC 1918 private space; 1.0.0.0/8 and the
# 195.66.192.x hosts are publicly routable addresses. Replace the whole list
# with your own client range (the question asks for the 192.168.0.0 network)
# and keep it as narrow as the real client set.
acl intranet src 172.16.0.0/12
acl intranet src 195.66.192.167
acl intranet src 195.66.192.168
acl intranet src 195.66.192.169
acl intranet src 195.66.192.170
acl intranet src 195.66.192.171
acl intranet src 1.0.0.0/8
acl localhost src 127.0.0.1/32
# Destination-side counterparts of the ACLs above. to_localhost is used to
# refuse CONNECT requests aimed at the proxy host itself.
acl to_intranet dst 172.16.0.0/12
acl to_intranet dst 1.0.0.0/8
acl to_localhost dst 127.0.0.1/32
# Cache manager requests (cache_object://); restricted to localhost by http_access.
acl manager proto cache_object
# Ports to which CONNECT tunnels are permitted.
acl SSL_ports port 443 563
#acl Safe_ports port 80			# http
#acl Safe_ports port 21			# ftp
#acl Safe_ports port 443 563		# https, snews
#acl Safe_ports port 70			# gopher
#acl Safe_ports port 210		# wais
#acl Safe_ports port 1025-65535		# unregistered ports
#acl Safe_ports port 280		# http-mgmt
#acl Safe_ports port 488		# gss-http
#acl Safe_ports port 591		# filemaker
#acl Safe_ports port 777		# multiling http
acl CONNECT method CONNECT
acl query urlpath_regex cgi-bin \?

# Keep this file in sync across all peers

# Do NOT ban these
acl no_ads_regex url_regex -i	http://top\.list\.ru/counter\?id=607643;t=211
acl no_ads_regex url_regex -i   /banner\.html*$
# TODO: why is this blocked
acl no_ads_regex url_regex -i   ^http://welcome\.hp\.com:*[0123456789]*/

# Ban these
acl ads_regex	url_regex -i	[./]banners*[./?]
acl ads_regex	url_regex -i	[./]bannerserver[./?]
acl ads_regex	url_regex -i	[./]bannerbank[./?]
acl ads_regex	url_regex -i	[./]bannerfarm[./?]
acl ads_regex   url_regex -i    \.linkexchange\.ru:*[0123456789]*/
acl ads_regex	url_regex -i	[./]adv[./?]
acl ads_regex   url_regex -i    /count.*\?					#counter#
acl ads_regex   url_regex -i    /cnt\.cgi\?                                     #counter#
acl ads_regex   url_regex -i    /ping.*\?					#ping#
acl ads_regex   url_regex -i    /ad/adframe\.php\?

acl ads_regex   url_regex -i    [./]adserver
acl ads_regex   url_regex -i    /phpAdsNew.*/ad.*\.php\?
acl ads_regex   url_regex -i    /adsystem.*/ad.*\.php\?

acl ads_regex   url_regex -i    /adjs\.php\?
acl ads_regex   url_regex -i    /adlog\.php\?
acl ads_regex   url_regex -i    /ADSAdClient[0123456789]*\.dll\?
acl ads_regex   url_regex -i    ads/adstream_lx\.cgi/

acl ads_regex   url_regex -i    ^http://ar\.atwola\.com:*[0123456789]*/
acl ads_regex   url_regex -i    ^http://ads*[0123456789]*\.			#http_ad#

acl ads_regex   url_regex -i    ^http://bs\.yandex\.ru:*[0123456789]*/count/
acl ads_regex   url_regex -i    ^http://c\.bigmir\.net:*[0123456789]*/\?
#counter#acl ads_regex   url_regex -i    ^http://counter\.rambler\.ru:*[0123456789]*/top100\.cnt\?
acl ads_regex   url_regex -i    ^http://images\.rambler\.ru:*[0123456789]*/upl/partners/.*gif
acl ads_regex   url_regex -i    ^http://images\.rambler\.ru:*[0123456789]*/upl/clients/.*gif
#counter#acl ads_regex   url_regex -i    ^http://top\.list\.ru:*[0123456789]*/counter\?
acl ads_regex   url_regex -i    ^http://u[0123456789\.]*\.spylog\.com:*[0123456789]*/cnt\?
#counter#acl ads_regex   url_regex -i    ^http://www\.ilk[0123456789]*\.com:*[0123456789]*/counter/count[0123456789]*\.php\?
acl ads_regex   url_regex -i    ^http://engine\.awaps\.net:*[0123456789]*/[0123456789/.]*gif.*
acl ads_regex   url_regex -i    ^http://bbn\.img\.com\.ua:*[0123456789]*/[0123456789/.]*\.gif
acl ads_regex   url_regex -i    ^http://bbn\.img\.com\.ua:*[0123456789]*/[0123456789/.]*\.jpe*g
acl ads_regex   url_regex -i    ^http://bbn\.img\.com\.ua:*[0123456789]*/[0123456789/.]*\.swf
acl ads_regex   url_regex -i    ^http://web\.icq\.com:*[0123456789]*/client/ate/ad-handler/
acl ads_regex   url_regex -i    ^http://.*\.abn\.com\.ua:*[0123456789]*/iframe\?
acl ads_regex   url_regex -i    ^http://62.118.249.36:*[0123456789]*/images/[0123456789/]*\.gif
acl ads_regex   url_regex -i    ^http://www\.ad\.tomshardware\.com:*[0123456789]*/cgi-bin/bd\.m\?
#http_ad#acl ads_regex   url_regex -i    ^http://ad\.doubleclick\.net:*[0123456789]*/ad./
acl ads_regex   url_regex -i    ^http://pagead2\.googlesyndication\.com:*[0123456789]*/pagead/ads\?
acl ads_regex   url_regex -i    ^http://www\.yadro\.ru:*[0123456789]*/cgi-bin/show\?
acl ads_regex   url_regex -i    ^http://counter\.yadro\.ru:*[0123456789]*/hit
acl ads_regex   url_regex -i    ^http://servedby\.advertising\.com:*[0123456789]*/site
acl ads_regex   url_regex -i    ^http://tbs\.susanin\.com:*[0123456789]*/cgi-bin/tbs/banneri\.cgi\?
acl ads_regex   url_regex -i    ^http://pbnet\.ru/show:*[0123456789]*/show\.pl\?
#http_ad#acl ads_regex   url_regex -i    ^http://ad2\.pamedia\.com:*[0123456789]*\.au/js\.ng/site
#http_ad#acl ads_regex   url_regex -i    ^http://ad2\.pamedia\.com:*[0123456789]*\.au/html\.ng/site
acl ads_regex   url_regex -i    ^http://cdn\.valueclick\.com:*[0123456789]*/ad\.s/
acl ads_regex   url_regex -i    ^http://us\.a1\.yimg\.com:*[0123456789]*/us\.yimg\.com/a/in/information_usa/.*\.gif
acl ads_regex   url_regex -i    ^http://icqrus\.ru:*[0123456789]*/cgi/icq2k/all_bn\.cgi\?
#counter#acl ads_regex   url_regex -i    ^http://counter\.yadro\.ru:*[0123456789]*/logo\?
acl ads_regex   url_regex -i    ^http://cnt\.one\.ru:*[0123456789]*/cgi-bin/cnt\.cgi\?
acl ads_regex   url_regex -i    ^http://www2.aport.ru:*[0123456789]*/scripts/popup/popup.dll
acl ads_regex   url_regex -i    ^http://topshop-counter\.rambler\.ru:*[0123456789]*/top100\.cnt\?
acl ads_regex   url_regex -i    ^http://[0-9a-z.]*topcto\.ru:*[0123456789]*/cgi-bin/top\.cgi\?
#counter#acl ads_regex   url_regex -i    ^http://findme\.ru:*[0123456789]*/Counter/\?
acl ads_regex   url_regex -i    ^http://br\.gcl\.ru:*[0123456789]*/cgi-bin/br/br[0123456789_]*\.cgi\?
acl ads_regex   url_regex -i    ^http://195\.161\.118\.21/images/[0123456789/]*\.gif
acl ads_regex   url_regex -i    ^http://194\.125\.249\.67:*[0123456789]*/[0123456789/]*
acl ads_regex   url_regex -i    ^http://sle-ent.com.ua:*[0123456789]*/\?
acl ads_regex   url_regex -i    ^http://sle-pvt.com.ua:*[0123456789]*/\?
#ping#acl ads_regex   url_regex -i    ^http://[0-9a-z.]*topping\.od\.ua:*[0123456789]*/cgi-bin/pinger\.cgi\?
acl ads_regex   url_regex -i    ^http://[0-9a-z.]*a-counter\.kiev\.ua:*[0123456789]*/a/
acl ads_regex   url_regex -i    ^http://im-tub\.yandex\.ru:*[0123456789]*/i\?
acl ads_regex   url_regex -i    ^http://t0\.extreme-dm:*[0123456789]*\.com/0\.gif\?
acl ads_regex   url_regex -i    ^http://www\.yandex\.ru:*[0123456789]*/cycounter\?
acl ads_regex   url_regex -i    ^http://www\.razom\.org\.ua:*[0123456789]*/ads/img/\?
acl ads_regex   url_regex -i    ^http://[0-9a-z.]*huyandex\.com:*[0123456789]*/c_banner\.php\?
acl ads_regex   url_regex -i    ^http://pagead2\.googlesyndication\.com:*[0123456789]*/pagead/show_ads\.js
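# The trailing '?' is escaped so that it matches the literal query-string
# separator, as in the two s.clx.ru rules that follow. Unescaped, it only made
# the final 'p' optional and the rule matched more than intended.
acl ads_regex   url_regex -i    ^http://www\.clx\.ru:*[0123456789]*/rot\.php\?
acl ads_regex   url_regex -i    ^http://s\.clx\.ru:*[0123456789]*/rot\.php\?
acl ads_regex   url_regex -i    ^http://s\.clx\.ru:*[0123456789]*/show\.php\?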
acl ads_regex   url_regex -i    ^http://oz\.valueclick\.com:*[0123456789]*/cycle\?
acl ads_regex   url_regex -i    ^http://w[0123456789]*\.hitbox\.com:*[0123456789]*/Hitbox\?
acl ads_regex   url_regex -i    ^http://b[0123456789]*\.abn\.com\.ua:*[0123456789]*/nsimg\?
acl ads_regex   url_regex -i    ^http://www\.burstnet\.com:*[0123456789]*/cgi-bin/ads/
#counter#acl ads_regex   url_regex -i    ^http://top\.list\.ru:*[0123456789]*/counter\?
acl ads_regex   url_regex -i    ^http://cbn\.com\.ua:*[0123456789]*/bn\.php\?
acl ads_regex   url_regex -i    ^http://www\.kat\.ru:*[0123456789]*/banners_view/view\.php\?
acl ads_regex   url_regex -i    ^http://images.e-se.ru:*[0123456789]*/.*rnd=
acl ads_regex   url_regex -i    ^http://uaportal\.com:*[0123456789]*/r/\?/news/[0123456789]
acl ads_regex   url_regex -i    ^http://s1.adward.ru:*[0123456789]*/\?
acl ads_regex   url_regex -i    ^http://global\.msads\.net:*[0123456789]*/ads/

acl ads_regex   url_regex -i    ^http://www.*adnet\.ru:*[0123456789]*/cgi-bin/iframe/vivru
acl ads_regex   url_regex -i    ^http://www.*business\.lbn\.ru:*[0123456789]*/cgi-bin/iframe/
acl ads_regex   url_regex -i    ^http://image\.linkexchange\.com:*[0123456789]*/[0123456789/]*/banner
acl ads_regex   url_regex -i    ^http://rotabanner\.kulichki\.net:*[0123456789]*/cgi-bin/iframe/
acl ads_regex   url_regex -i    ^http://bx\.metka\.ru:*[0123456789]*/.*\?
acl ads_regex   url_regex -i    ^http://aif\.yadro\.ru:*[0123456789]*/cgi-bin/show\?
acl ads_regex   url_regex -i    ^http://btxt\.abn\.com\.ua:*[0123456789]*/jsframe\?
acl ads_regex   url_regex -i    ^http://direct\.lbe\.ru:*[0123456789]*/cgi-bin/iframe/.*\?
acl ads_regex   url_regex -i    ^http://sj4\.ru:*[0123456789]*/cgi-bin/iframe/.*\?
acl ads_regex   url_regex -i    ^http://engine\.awaps\.net:*[0123456789]*/.*\?
acl ads_regex   url_regex -i    ^http://[a-z0-9]*\.startua\.com:*[0123456789]*/.*\?

acl ads_regex   url_regex -i    ^http://uabanner\.com:*[0123456789]*/bn\.php\?
acl ads_regex   url_regex -i    ^http://www.*adnet\.ru:*[0123456789]*/cgi-bin/iframe/books\?

acl ads_regex   url_regex -i    ^http://server\.iad\.liveperson\.net:*[0123456789]*/hc/
acl ads_regex   url_regex -i    ^http://.*\.spylog\.com:*[0123456789]*/java/stats\.phtml
acl ads_regex   url_regex -i    ^http://.*\.adnet\.ru:*[0123456789]*/cgi-bin/iframe/
acl ads_regex   url_regex -i    ^http://rotabanner.*\.ru:*[0123456789]*/cgi-bin/iframe/
acl ads_regex   url_regex -i    ^http://baner\.ukr\.net:*[0123456789]*/adframe\.php
acl ads_regex   url_regex -i    ^http://amch\.questionmarket\.com:*[0123456789]*/adscgen/sta\.php

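acl ads_regex   url_regex -i    ^http://mbn\.com\.ua:*[0123456789]*/cgi-bin/iframe/
# Any subdomain of mystat-in.net. The original "/*." was read by the regex
# engine as "zero or more slashes, then one character", so only hosts with a
# single-character first label matched. [^/]* keeps the wildcard inside the
# host part of the URL.
acl ads_regex   url_regex -i    ^http://[^/]*\.mystat-in\.net:*[0123456789]*/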

acl ads_regex   url_regex -i    ^http://r\.mail\.ru:*[0123456789]*/[a-z0-9]*\.jpg$

acl ads_regex   url_regex -i    ^http://www\.mediacenter\.ru:*[0123456789]*/trans/adv200x100\.phtml\?
acl ads_regex   url_regex -i    ^http://counter\.hotlog\.ru:*[0123456789]*/cgi-bin/hotlog/count\.js
acl ads_regex   url_regex -i    ^http://gbs\.gator\.com:*[0123456789]*/gbs/gbs\.dll\?
acl ads_regex   url_regex -i    ^http://www\.equestrian\.ru:*[0123456789]*/Ads/adframe\.php\?
acl ads_regex   url_regex -i    ^http://d\.clx\.ru:*[0123456789]*/show\.php\?
acl ads_regex   url_regex -i    ^http://bs\.yandex\.ru:*[0123456789]*/show/[0123456789]*
acl ads_regex   url_regex -i    ^http://www\.uaportal\.com:*[0123456789]*/r/\?

# To block, or not to block?
# NOTE(review): ads_regex feeds "http_access deny ads_regex", so this rule
# stops clients behind the proxy from downloading Windows Update payloads
# through it. Confirm that patches reach those machines some other way before
# keeping it.
acl ads_regex   url_regex -i    ^http://.*download\.windowsupdate\.com:*[0123456789]*/msdownload/update/

# TEST: block .avi .mp? .wmv
# "\.mp.$" matches ".mp" followed by any single final character, so it denies
# every URL ending in a three-letter .mp? extension, not only mp3/mpg.
acl ads_regex   url_regex -i    \.avi$
acl ads_regex   url_regex -i    \.mp.$
acl ads_regex   url_regex -i    \.wmv$

# Not sure that it is spam...
#acl ads_regex   url_regex -i    ^http://www.rambler.ru:*[0123456789]*/knp.gif?
#acl ads_regex   url_regex -i    ^http://kmindex.ru:*[0123456789]*/c/\?
#acl ads_regex   url_regex -i    ^http://kmindex.ru:*[0123456789]*/p/\?
#acl ads_regex   url_regex -i    ^http://reks.com.ua:*[0123456789]*/cgi-bin/s\?
#acl ads_regex   url_regex -i    ^http://wwwomen.ru:*[0123456789]*/php/wi\.php\?
#acl ads_regex   url_regex -i    ^http://top.germany.ru:*[0123456789]*/cgi-bin/links/top\.cgi\?
#acl ads_regex   url_regex -i    ^http://bs.yandex.ru:*[0123456789]*/show/[0123456789]

# DONT! This incurs reverse DNS lookup if you supplied numeric IP
# (and 5 min (!!!) timeout if that IP does not have reverse DNS set up)
#acl ads		dstdomain	81.222.128.3 www.linkexchange.ru ad0.bigmir.net bbn.img.com.ua


#	Usage:	port
#		hostname:port
#		1.2.3.4:port
# NOTE(review): 0.0.0.0 accepts connections on every interface, so the
# http_access rules are the only control over who can use the proxy. Bind to
# the internal address instead if this host also has an outside-facing
# interface. Nothing in this file redirects port 80 traffic to 9080; for
# interception that has to be done by the host's packet filter (not shown here).
http_port 0.0.0.0:9080

#  TAG: https_port
#	Usage:  [ip:]port cert=certificate.pem [key=key.pem] [options...]
#	   cert=	Path to SSL certificate (PEM format)
#	   key=		Path to SSL private key file (PEM format)
#			if not specified, the certificate file is
#			assumed to be a combined certificate and
#			key file
#	   version=	The version of SSL/TLS supported
#			    1	automatic (default)
#			    2	SSLv2 only
#			    3	SSLv3 only
#			    4	TLSv1 only
#	   cipher=	Colon separated list of supported ciphers
#	   options=	Varions SSL engine options. The most important:
#			    NO_SSLv2  Disallow the use of SSLv2
#			    NO_SSLv3  Disallow the use of SSLv3
#			    NO_TLSv1  Disallow the use of TLSv1
#			See src/ssl_support.c or OpenSSL documentation
#			for a more complete list.
#https_port 0.0.0.0:443 cert=/var/service/squid/cert.pem key=/var/service/squid/key.pem

#	Some browsers (especially MSIE) bugs out on SSL shutdown
#	messages.
# ssl_unclean_shutdown off

#	The port number where Squid sends and receives ICP queries to
#	and from neighbor caches.  Default is 3130.  To disable use "0"
icp_port 0

#  TAG: htcp_port
#	The port number where Squid sends and receives HTCP queries to
#	and from neighbor caches.  Default is 4827.  To disable use "0".
# vda:unrecognized: htcp_port 0

#	Usage: mcast_groups 239.128.16.128 224.0.1.20
# none

#	A udp_incoming_address value of 0.0.0.0 indicates that Squid should
#	listen for UDP messages on all available interfaces.
#	If udp_outgoing_address is set to 255.255.255.255 (the default)
#	then it will use the same socket as udp_incoming_address. Only
#	change this if you want to have ICP queries sent using another
#	address than where this Squid listens for ICP queries from other
#	caches.
#	NOTE, udp_incoming_address and udp_outgoing_address can not
#	have the same value since they both use port 3130.
udp_incoming_address 0.0.0.0
udp_outgoing_address 255.255.255.255

#	To specify other caches in a hierarchy, use the format:
#	#                                        proxy  icp
#	#          hostname             type     port   port  options
#	#          -------------------- -------- ----- -----  -----------
#	cache_peer parent.foo.net       parent    3128  3130  [proxy-only]
#	cache_peer sib1.foo.net         sibling   3128  3130  [proxy-only]
#	cache_peer sib2.foo.net         sibling   3128  3130  [proxy-only]
# none
# sourceforge-book-html/x800.html:
# ================================
# default: "Go through this cache for all requests. If it's down,
# return an error message to the client (cannot go direct)"
# no-query: ignore the given ICP port (leaving the port number out will return
# an error), and never attempt to query the cache with ICP
#       Go only thru TM proxies:
### cache_peer 195.66.200.114 parent 80 3130 default no-query
#
#       SSLed proxies are there ;)
#TODO: make it permanent
#cache_peer 127.0.0.1 parent 5500 3130 no-query round-robin allow-miss
#cache_peer 127.0.0.1 parent 5501 3130 no-query round-robin allow-miss
#cache_peer 127.0.0.1 parent 5502 3130 no-query round-robin allow-miss
#cache_peer 127.0.0.1 parent 5503 3130 no-query round-robin allow-miss
#cache_peer 127.0.0.1 parent 5504 3130 no-query round-robin allow-miss
#cache_peer 127.0.0.1 parent 5505 3130 no-query round-robin allow-miss
#cache_peer 127.0.0.1 parent 5506 3130 no-query round-robin allow-miss
#cache_peer 127.0.0.1 parent 5507 3130 no-query round-robin allow-miss
#cache_peer 127.0.0.1 parent 5508 3130 no-query round-robin allow-miss
#cache_peer 127.0.0.1 parent 5509 3130 no-query round-robin allow-miss

#	cache_peer_domain cache-host domain [domain ...]
#	cache_peer_domain cache-host !domain
# none

#	usage: neighbor_type_domain parent|sibling domain domain ...
#	EXAMPLE:
#	cache_peer  parent cache.foo.org 3128 3130
#	neighbor_type_domain cache.foo.org sibling .com .net
#	neighbor_type_domain cache.foo.org sibling .au .de
# none

#       Similar to 'cache_peer_domain' but provides more flexibility by
#       using ACL elements.
#       cache_peer_access cache-host allow|deny [!]aclname ...
### cache_peer_access 195.66.200.114 deny to_intranet
### cache_peer_access 195.66.200.114 allow all

#       commented out: NEVER go direct
#hierarchy_stoplist cgi-bin ?

#       Query-type requests should not be cached
#       commented out: NEVER go direct
#no_cache deny query

#  TAG: always_direct
#       Usage: always_direct allow|deny [!]aclname ...
### always_direct allow to_intranet

#  TAG: never_direct
#       Usage: never_direct allow|deny [!]aclname ...
#
#       Force use of parent caches for everything but intranets
### never_direct deny to_intranet
### never_direct allow all

#  TAG: header_access
#	Usage: header_access header_name allow|deny [!]aclname ...
#
#       This option replaces the old 'anonymize_headers' and the
#       older 'http_anonymizer' option with something that is much
#       more configurable. This new method creates a list of ACLs
#       for each header, allowing you very fine-tuned header
#       mangling.
#
# Top used headers - candidates to elimination:
#   2922 User-Agent
#   2916 Host
#   2753 Accept-Language (?)
#   2737 Connection
#   2550 Referer (!)
#   2381 Accept-Encoding (?)
#   1652 Accept
#    940 Cookie
#
header_access Referer deny all
header_access All allow all

# icp_query_timeout 0

# maximum_icp_query_timeout 2000

# mcast_icp_query_timeout 2000

# dead_peer_timeout 10 seconds

### #hierarchy_stoplist cgi-bin ?

# Query-type requests should not be cached (see ACL defs for 'query')
### #no_cache deny query

#	'cache_mem' specifies the ideal amount of memory to be used for:
#	* In-Transit objects
#	* Hot Objects
#	* Negative-Cached objects
# cache_mem 8 MB

# cache_swap_low 90
# cache_swap_high 95

maximum_object_size 8192 KB

# minimum_object_size 0 KB

# maximum_object_size_in_memory 8 KB

#	The size, low-, and high-water marks for the IP cache.
# ipcache_size 1024
# ipcache_low 90
# ipcache_high 95

#	Maximum number of FQDN cache entries.
# fqdncache_size 1024

#	lru       : Squid's original list based LRU policy
#	heap GDSF : Greedy-Dual Size Frequency
#	heap LFUDA: Least Frequently Used with Dynamic Aging
#	heap LRU  : LRU policy implemented using a heap
# cache_replacement_policy lru
# memory_replacement_policy lru

#	cache_dir Type Directory-Name Fs-specific-data [options]
#
#	"ufs" is the old well-known Squid storage format
#	==================================================================
#	cache_dir ufs Directory-Name Mbytes L1 L2 [options]
#	'Mbytes' is the amount of disk space to use
#	'Level-1' is the number of first-level subdirectories
#	'Level-2' is the number of second-level subdirectories
# vda: ... and files in each second level dir
#
#	"aufs" uses the same storage format as "ufs", utilizing
#	POSIX-threads to avoid blocking the main Squid process on
#	disk-I/O. This was formerly known in Squid as async-io.
#	==================================================================
#	cache_dir aufs Directory-Name Mbytes L1 L2 [options]
#
#	"diskd" uses the same storage format as "ufs", utilizing a
#	separate process to avoid blocking the main Squid process on
#	disk-I/O.
#	==================================================================
#	cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n]
#	Q1 - if this many messages are in the queues, Squid won't open new files
#	Q2 - ff this many messages are in the queues, Squid blocks until it recevies some replies
#
#	Common options:
#	read-only, this cache_dir is read only.
#	max-size=n, refers to the max object size this storedir supports.
#
# vda: for 4G data I'd set 4096 64 64,
# for   2G: 2048 32 64
# for   1G: 1024 64 32
# for 1/2G:  512 32 32
cache_dir ufs /var/cache/squid-2 512 32 32
#cache_dir ufs /var/cache/squid-2 1500 32 64

#	Logs the client request activity.  Contains an entry for
#	every HTTP and ICP queries received. To disable, enter "none".
cache_access_log logdir/access.fifo

#	Cache logging file. This is where general information about
#	your cache's behavior goes. You can increase the amount of data
#	logged to this file with the "debug_options" tag below.
cache_log logdir/cache.fifo

#	Logs the activities of the storage manager.  Shows which
#	objects are ejected from the cache, and which objects are
#	saved and for how long.  To disable, enter "none".
cache_store_log none #logdir/store.fifo

#       cache_swap_log
#cache_swap_log logdir/swap.fifo

# emulate_httpd_log off

#	Log the destination IP address in the hierarchy log tag when going
#	direct. Earlier Squid versions logged the hostname here.
log_ip_on_direct on

#	Pathname to Squid's MIME table.
mime_table /usr/app/squid-2.5.STABLE10/var/etc/mime.conf


#	The Cache can record both the request and the response MIME
#	headers for each HTTP transaction.  The headers are encoded
#	safely and will appear as two bracketed fields at the end of
#	the access log
log_mime_hdrs off

#	useragent_log
# vda:unrecognized: useragent_log ...

#       referer_log
# vda:unrecognized: referer_log ...

#       pid_filename
pid_filename /var/log/service/squid/squid.pid

# 22:refresh.c
debug_options ALL,2 22,2 33,2

log_fqdn off

#	A netmask for client addresses in logfiles and cachemgr output.
#	A netmask of 255.255.255.0 will log all IP's in that range with
#	the last digit set to '0'.
# client_netmask 255.255.255.255

# ftp_user anon@

# ftp_list_width 32

# ftp_passive on

# ftp_sanitycheck on

#       This option is only available if Squid is rebuilt with the
#       --disable-internal-dns option
#	Specify the location of the executable for dnslookup process.
# cache_dns_program /usr/app/squid-2.5.STABLE10/libexec/dnsserver
# dns_children 5
# dns_retransmit_interval 5 seconds
# dns_timeout 5 minutes
# dns_defnames off

#       dns_nameservers
# none

# hosts_file /etc/hosts

# diskd_program /usr/app/squid-2.5.STABLE10/libexec/diskd

# unlinkd_program /usr/app/squid-2.5.STABLE10/libexec/unlinkd

#       This option is only available if Squid is rebuilt with the
#       --enable-icmp option
# pinger_program /usr/app/squid-2.5.STABLE10/libexec/pinger

#       redirect_program
# none

# redirect_children 5

#	By default Squid rewrites any Host: header in redirected
#	requests.  If you are running an accelerator then this may
#	not be a wanted effect of a redirector.
# redirect_rewrites_host_header on

#       redirector_access
# none

#  TAG: auth_param
#	This is used to pass parameters to the various authentication
#	schemes.
#	format: auth_param scheme parameter [setting]
#	
#	auth_param basic program /usr/app/squid-2.5.STABLE10/bin/ncsa_auth /etc/passwd
#	would tell the basic authentication scheme it's program parameter.
#
#	=== Parameters for the basic scheme follow. ===
#	"program" cmdline
#	Specify the command for the external authenticator.  Such a
#	program reads a line containing "username password" and replies
#	"OK" or "ERR" in an endless loop.  If you use an authenticator,
#	make sure you have 1 acl of type proxy_auth.
#
#	"children" numberofchildren
#	The number of authenticator processes to spawn (no default).
#	auth_param basic children 5
#
#	"realm" realmstring
#	Specifies the realm name which is to be reported to the
#	client for the basic proxy authentication scheme (part of
#	the text the user will see when prompted their username and
#	password).
#	auth_param basic realm Squid proxy-caching web server
#
#	"credentialsttl" timetolive
#	Specifies how long squid assumes an externally validated
#	username:password pair is valid for
#
#	=== Parameters for the digest scheme follow ===
#	"program" cmdline
#	"children" numberofchildren
#	"realm" realmstring
#	"nonce_garbage_interval" timeinterval
#	Specifies the interval that nonces that have been issued
#	to client_agent's are checked for validity.
#	"nonce_max_duration" timeinterval
#	Specifies the maximum length of time a given nonce will be
#	valid for.
#	"nonce_max_count" number
#	Specifies the maximum number of times a given nonce can be
#	used.
#	"nonce_strictness" on|off
#	Determines if squid requires increment-by-1 behaviour for
#	nonce counts (on - the default), or strictly incrementing
#	(off - for use when useragents generate nonce counts that
#	occasionally miss 1 (ie, 1,2,4,6)).
#
#	=== NTLM scheme options follow ===
#	"program" cmdline
#	auth_param ntlm program /usr/app/squid-2.5.STABLE10/bin/ntlm_auth
#	"children" numberofchildren
#	"max_challenge_reuses" number
#	The maximum number of times a challenge given by a ntlm
#	authentication helper can be reused.
#	0 means use the challenge only once.
#	"max_challenge_lifetime" timespan
#	The maximum time period that a ntlm challenge is reused over.
#	auth_param ntlm max_challenge_lifetime 2 minutes
#Recommended minimum configuration:
#auth_param digest program <uncomment and complete this line>
#auth_param digest children 5
#auth_param digest realm Squid proxy-caching web server
#auth_param digest nonce_garbage_interval 5 minutes
#auth_param digest nonce_max_duration 30 minutes
#auth_param digest nonce_max_count 50
#auth_param ntlm program <uncomment and complete this line to activate>
#auth_param ntlm children 5
#auth_param ntlm max_challenge_reuses 0
#auth_param ntlm max_challenge_lifetime 2 minutes
#auth_param basic program <uncomment and complete this line>
# Tuning values for the basic authentication scheme. No "auth_param basic
# program" line is active in this file and no proxy_auth ACL appears in the
# http_access rules, so these settings do not by themselves make the proxy ask
# for credentials; access is decided by source address only.
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

# authenticate_cache_garbage_interval 1 hour

# authenticate_ttl 1 hour

# authenticate_ip_ttl 0 seconds

#       external_acl_type
# none

#       wais_relay_host
#       wais_relay_port
# wais_relay_port 0

# request_header_max_size 10 KB

# request_body_max_size 0 KB

#       refresh_pattern
#	NB: refresh calcs fail horribly if your system time is not ok ;)
#	min/max in in minutes
#		regex		min	percent	max	[options]
#
#	FTP: min fresh time 1 day, max 10 days
refresh_pattern ^ftp:		2880	50%	28800
#	GOPHER: min fresh time 1 day, max 1 day
refresh_pattern ^gopher:	2880	0%	2880
#	Images/video
refresh_pattern -i [.]jpg$	2880	50%	2880000	override-lastmod ignore-reload
refresh_pattern -i [.]jpeg$	2880	50%	2880000	override-lastmod ignore-reload
refresh_pattern -i [.]gif$	2880	50%	2880000	override-lastmod ignore-reload
refresh_pattern -i [.]png$	2880	50%	2880000	override-lastmod ignore-reload
refresh_pattern -i [.]swf$	2880	50%	2880000	override-lastmod ignore-reload
refresh_pattern -i [.]mp[g123]$	2880	50%	2880000	override-lastmod reload-into-ims
refresh_pattern -i [.]mpeg$	2880	50%	2880000	override-lastmod reload-into-ims
refresh_pattern -i [.]avi$	2880	50%	2880000	override-lastmod reload-into-ims
#	Data
refresh_pattern -i [.]gz$	2880	50%	2880000	override-lastmod reload-into-ims
refresh_pattern -i [.]tgz$	2880	50%	2880000	override-lastmod reload-into-ims
refresh_pattern -i [.]bz$	2880	50%	2880000	override-lastmod reload-into-ims
refresh_pattern -i [.]bz2$	2880	50%	2880000	override-lastmod reload-into-ims
refresh_pattern -i [.]zip$	2880	50%	2880000	override-lastmod reload-into-ims
refresh_pattern -i [.]arj$	2880	50%	2880000	override-lastmod reload-into-ims
refresh_pattern -i [.]rar$	2880	50%	2880000	override-lastmod reload-into-ims
refresh_pattern -i [.]dat$	2880	50%	2880000	override-lastmod reload-into-ims
#	Probably generated content
refresh_pattern -i [.]php$	0	20%	28800
refresh_pattern -i [?]		0	20%	28800
refresh_pattern -i cgi		0	20%	28800
#	Probably plain HTML (first one is for http://host.com/dir/dir/ type URLs)
refresh_pattern -i /$		2880	50%	2880000	override-lastmod reload-into-ims
refresh_pattern -i [.]htm$	2880	50%	2880000	override-lastmod reload-into-ims
refresh_pattern -i [.]html$	2880	50%	2880000	override-lastmod reload-into-ims
refresh_pattern -i [.]xml$	2880	50%	2880000	override-lastmod reload-into-ims
refresh_pattern -i [.]css$	2880	50%	2880000	override-lastmod ignore-reload
refresh_pattern -i [.]js$	2880	50%	2880000	override-lastmod ignore-reload
#	All other
refresh_pattern .		0	50%	28800

#	If you want retrievals to always continue if they are being
#	cached then set 'quick_abort_min' to '-1 KB'.
quick_abort_min 0 KB
quick_abort_max 0 KB
quick_abort_pct 90

# negative_ttl 5 minutes

# positive_dns_ttl 6 hours

# negative_dns_ttl 5 minutes

#	This is to stop a far ahead range request (lets say start at 17MB)
#	from making Squid fetch the whole object up to that point before
#	sending anything to the client.
# range_offset_limit 0 KB

# connect_timeout 2 minutes

# peer_connect_timeout 30 seconds

# read_timeout 15 minutes

# request_timeout 5 minutes

# persistent_request_timeout 1 minute

# client_lifetime 1 day

# half_closed_clients on

# pconn_timeout 120 seconds

# ident_timeout 10 seconds

# shutdown_lifetime 30 seconds

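#Recommended minimum configuration:
# http_access rules are evaluated top to bottom and the first matching line
# decides; each line matches only if every ACL on it matches.
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports.
# NOTE(review): left disabled because the Safe_ports ACL definitions are
# commented out in the ACL section of this file. Re-enable both together so
# clients cannot use the proxy to reach arbitrary TCP ports.
# http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
http_access deny CONNECT to_localhost
#
# Ad filtering: deny a banned URL unless it is also on the "do NOT ban" list.
# The exception list is applied as a negation on the deny rule instead of as a
# separate "allow no_ads_regex" line. Because the first match wins, a
# standalone allow placed ahead of the source-address checks would let a
# client from any address fetch a matching URL through this proxy.
http_access deny ads_regex !no_ads_regex
# Only the configured client networks and the local host may use the proxy.
http_access allow intranet
http_access allow localhost
http_access deny all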

# No filtering is applied to replies.
http_reply_access allow all

# icp_port is set to 0 earlier in this file, which disables ICP, so this rule
# currently has no effect. If ICP is ever enabled, "allow all" would answer
# ICP queries from any address; restrict it to the peer caches at that point.
icp_access allow all

#	Use to force your neighbors to use you as a sibling instead of
#	a parent.  For example:
#		acl localclients src 172.16.0.0/16
#		miss_access allow localclients
#		miss_access deny  !localclients
# miss_access allow all

#	Similar to 'cache_peer_domain' but provides more flexibility by
#	using ACL elements.
#	cache_peer_access cache-host allow|deny [!]aclname ...
# none

ident_lookup_access deny all

#       tcp_outgoing_tos
# none

#       tcp_outgoing_address
# none

# reply_body_max_size 0 allow all

#	Email-address of local cache manager who will receive
#	mail if the cache dies.  The default is "webmaster."
# cache_mgr webmaster

visible_hostname 127.0.0.1

#       cache_effective_user
#       cache_effective_group
cache_effective_user squid
cache_effective_group daemon

#       unique_hostname
# none

#       hostname_aliases
# none

# announce_period 0

#       announce_host
#       announce_file
#       announce_port
# announce_host tracker.ircache.net
# announce_port 3131


#  TAG: httpd_accel_host
#  TAG: httpd_accel_port
#	If you want to run Squid as an httpd accelerator, define the
#	host name and port number where the real HTTP server is.
#	If you want IP based virtual host support then specify the
#	hostname as "virtual". This will make Squid use the IP address
#	where it accepted the request as hostname in the URL.
#	If you want virtual port support then specify the port as "0".
#	NOTE: enabling httpd_accel_host disables proxy-caching and
#	ICP.  If you want these features enabled also, then set
#	the 'httpd_accel_with_proxy' option.
#
#Default:
httpd_accel_host virtual
httpd_accel_port 0
#debug_options ALL,1 33,6

#  TAG: httpd_accel_single_host	on|off
#	If you are running Squid as an accelerator and have a single backend
#	server then set this to on. This causes Squid to forward the request
#	to this server irregardles of what any redirectors or Host headers
#	says.
# httpd_accel_single_host off

#  TAG: httpd_accel_with_proxy	on|off
#	If you want to use Squid as both a local httpd accelerator
#	and as a proxy, change this to 'on'. Note however that your
#	proxy users may have trouble to reach the accelerated domains
#	unless their browsers are configured not to use this proxy for
#	those domains
httpd_accel_with_proxy on

#  TAG: httpd_accel_uses_host_header	on|off
#	HTTP/1.1 requests include a Host: header which is basically the
#	hostname from the URL.  The Host: header is used for domain based
#	virutal hosts. If your accelerator needs to provide domain based
#	virtual hosts on the same IP address then you will need to turn this
#	on.
# With this on, Squid takes the hostname for the request URL from the
# client-supplied Host: header. The stock squid.conf text for this option
# warns that Squid does not check the header's value, so cached objects can end
# up stored under a hostname the client chose. Keep the listener reachable only
# from trusted clients when this is enabled.
httpd_accel_uses_host_header on

dns_testnames localhost

# logfile_rotate 10

#Example:
# append_domain .yourdomain.com
#Default:
# none

# tcp_recv_bufsize 0 bytes

#  TAG: err_html_text
# none

#  TAG: deny_info
# none

#  TAG: memory_pools	on|off
memory_pools off

#  TAG: memory_pools_limit	(bytes)
# none

#  TAG: forwarded_for	on|off
#	When off, Squid sends "X-Forwarded-For: unknown" instead of the
#	client's address. Origin servers then see only the proxy, so the
#	proxy's own access log is the one record that ties a request to an
#	internal client. Retain and protect it for incident response.
#	The header_access rules further down also drop X-Forwarded-For.
forwarded_for off

#  TAG: log_icp_queries	on|off
# log_icp_queries on

#  TAG: icp_hit_stale	on|off
# icp_hit_stale off

#  TAG: minimum_direct_hops
# minimum_direct_hops 4

#  TAG: minimum_direct_rtt
# minimum_direct_rtt 400

#  TAG: cachemgr_passwd
# cachemgr_passwd disable all

#  TAG: store_avg_object_size	(kbytes)
# store_avg_object_size 13 KB

#  TAG: store_objects_per_bucket
# store_objects_per_bucket 20

#  TAG: client_db	on|off
# client_db off

#  TAG: netdb_low
#  TAG: netdb_high
#	The low and high water marks for the ICMP measurement
#	database.  These are counts, not percents
# netdb_low 900
# netdb_high 1000

#  TAG: netdb_ping_period
# netdb_ping_period 5 minutes

#  TAG: query_icmp	on|off
# query_icmp off

#  TAG: test_reachability	on|off
# test_reachability off

#  TAG: buffered_logs	on|off
# buffered_logs off

#  TAG: reload_into_ims	on|off
#	When you enable this option, client no-cache or reload
#	requests will be changed to If-Modified-Since requests.
#	Doing this VIOLATES the HTTP standard.  Enabling this
#	feature could make you liable for problems which it
#	causes.
# reload_into_ims off

#  TAG: header_access
#	Usage: header_access header_name allow|deny [!]aclname ...
#       For example, to achieve the same behaviour as the old
#       'http_anonymizer standard' option, you should use:
#	This file denies only the three headers below, for every request
#	("all"). They hide the client address and the proxy's presence from
#	origin servers; they do not restrict who may use the proxy.
#	NOTE(review): Squid relies on Via to detect forwarding loops, and
#	the ACL file is marked as shared across peers. Confirm that
#	stripping Via does not mask loops between those peers.
header_access From deny all
header_access Via deny all
header_access X-Forwarded-For deny all

#  TAG: header_replace
#	Usage:   header_replace header_name message
#	Example: header_replace User-Agent Nutscrape/1.0 (CP/M; 8-bit)
# none

#  TAG: icon_directory
# icon_directory /usr/app/squid-2.5.STABLE10/share/icons

#  TAG: error_directory
# error_directory /usr/app/squid-2.5.STABLE10/share/errors/English

#  TAG: minimum_retry_timeout	(seconds)
# minimum_retry_timeout 5 seconds

#  TAG: maximum_single_addr_tries
# maximum_single_addr_tries 3

#  TAG: snmp_port
#	By default it listens to port 3401 on the machine. If you don't
#	wish to use SNMP, set this to "0".
# vda:unrecognized: snmp_port 0

#  TAG: snmp_access
#	snmp_access allow|deny [!]aclname ...
# vda:unrecognized: snmp_access deny all

#  TAG: snmp_incoming_address
#  TAG: snmp_outgoing_address
# snmp_incoming_address 0.0.0.0
# snmp_outgoing_address 255.255.255.255

#  TAG: as_whois_server
#	WHOIS server to query for AS numbers.  NOTE: AS numbers are
#	queried only when Squid starts up, not for every request.
# as_whois_server whois.ra.net
# as_whois_server whois.ra.net

#  TAG: wccp_router
#	Use this option to define your WCCP home router for
#	Squid.   Setting the 'wccp_router' to 0.0.0.0 (the default)
#	disables WCCP.
# wccp_router 0.0.0.0

#  TAG: wccp_version
#	According to some users, Cisco IOS 11.2 only supports WCCP
#	version 3.  If you're using that version of IOS, change
#	this value to 3.
# wccp_version 4

#  TAG: wccp_incoming_address
#  TAG: wccp_outgoing_address
# wccp_incoming_address 0.0.0.0
# wccp_outgoing_address 255.255.255.255

#  TAG: delay_pools
# delay_pools 0

#  TAG: delay_class
# delay_pools 2      # 2 delay pools
# delay_class 1 2    # pool 1 is a class 2 pool
# delay_class 2 3    # pool 2 is a class 3 pool

#  TAG: delay_access
# none

#  TAG: delay_parameters
#	delay_parameters pool aggregate
#	delay_parameters pool aggregate individual
#	delay_parameters pool aggregate network individual
#delay_parameters 1 -1/-1 8000/8000
#delay_parameters 2 32000/32000 8000/8000 600/64000

#  TAG: delay_initial_bucket_level	(percent, 0-100)
# delay_initial_bucket_level 50

#  TAG: incoming_icp_average
#  TAG: incoming_http_average
#  TAG: incoming_dns_average
#  TAG: min_icp_poll_cnt
#  TAG: min_dns_poll_cnt
#  TAG: min_http_poll_cnt
#	Heavy voodoo here.  I can't even believe you are reading this.
#	Are you crazy?  Don't even think about adjusting these unless
#	you understand the algorithms in comm_select.c first!
# incoming_icp_average 6
# incoming_http_average 4
# incoming_dns_average 4
# min_icp_poll_cnt 8
# min_dns_poll_cnt 8
# min_http_poll_cnt 8

#  TAG: max_open_disk_fds
# max_open_disk_fds 0

#  TAG: offline_mode
#	Enable this option and Squid will never try to validate cached
#	objects.
# offline_mode off

#  TAG: uri_whitespace
# uri_whitespace strip

#  TAG: broken_posts
# acl buggy_server url_regex ^http://....
# broken_posts allow buggy_server

#  TAG: mcast_miss_addr
# mcast_miss_addr 255.255.255.255

#  TAG: mcast_miss_ttl
# mcast_miss_ttl 16

#  TAG: mcast_miss_port
# mcast_miss_port 3135

#  TAG: mcast_miss_encode_key
# mcast_miss_encode_key XXXXXXXXXXXXXXXX

#  TAG: nonhierarchical_direct
# nonhierarchical_direct on

#  TAG: prefer_direct
# prefer_direct off

#  TAG: strip_query_terms
# strip_query_terms on

#  TAG: coredump_dir
# Leave coredumps in the first cache dir
#	A core file is a copy of the proxy's memory and can hold request
#	URLs, cookies and credentials that were in flight. Keep this
#	directory readable only by the Squid user and administrators, and
#	clear old core files once they have been analysed.
coredump_dir /var/cache/squid-2

#  TAG: redirector_bypass
# redirector_bypass off

#  TAG: ignore_unknown_nameservers
# ignore_unknown_nameservers on

#  TAG: digest_generation
# digest_generation on

#  TAG: digest_bits_per_entry
# digest_bits_per_entry 5

#  TAG: digest_rebuild_period	(seconds)
# digest_rebuild_period 1 hour

#  TAG: digest_rewrite_period	(seconds)
# digest_rewrite_period 1 hour

#  TAG: digest_swapout_chunk_size	(bytes)
# digest_swapout_chunk_size 4096 bytes

#  TAG: digest_rebuild_chunk_percentage	(percent, 0-100)
# digest_rebuild_chunk_percentage 10

#  TAG: chroot
# none

#  TAG: client_persistent_connections
#  TAG: server_persistent_connections
# client_persistent_connections on
# server_persistent_connections on

#  TAG: pipeline_prefetch
# pipeline_prefetch off

#  TAG: extension_methods
# none

#  TAG: request_entities
# request_entities off

#  TAG: high_response_time_warning	(msec)
# high_response_time_warning 0

#  TAG: high_page_fault_warning
# high_page_fault_warning 0

#  TAG: high_memory_warning
# high_memory_warning 0

#  TAG: store_dir_select_algorithm
# store_dir_select_algorithm least-load

#  TAG: forward_log
# none

#  TAG: ie_refresh	on|off
# ie_refresh off

#  TAG: vary_ignore_expire	on|off
# vary_ignore_expire off

#  TAG: sleep_after_fork	(microseconds)
# sleep_after_fork 0

# What to log
#debug_options ALL,1 22,3 #22,3: log refresh decisions
#debug_options ALL,1 33,3 #33,3: hit/miss decision, headers
