-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

16.01.16 7:57, Lucas Castro wrote:
>
>
> On 15-01-2016 17:26, Yuri Voinov wrote:
>>
>> # -------------------------------------
>> # Access Control Lists
>> # -------------------------------------
>> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
>>
>> acl SSL_ports port 443
>> acl SSL_ports port 8443 # Telecom exclusion
>> acl SSL_ports port 2041 # ICQ/MRA
>> acl SSL_ports port 2042 # ICQ/MRA
>> acl SSL_ports port 5160 # ICQ/MRA
>> acl SSL_ports port 5228 # ICQ/MRA
>> acl SSL_ports port 10443 # GZakup exclusion
>> acl Safe_ports port 80 # http
>> acl Safe_ports port 21 # ftp
>> acl Safe_ports port 443 # https
>> acl Safe_ports port 70 # gopher
>> acl Safe_ports port 210 # wais
>> acl Safe_ports port 1025-65535 # unregistered ports
>> acl Safe_ports port 280 # http-mgmt
>> acl Safe_ports port 488 # gss-http
>> acl Safe_ports port 591 # filemaker
>> acl Safe_ports port 777 # multiling http
>>
>> # Common methods
>> acl CONNECT method CONNECT
>> acl PURGE method PURGE
>> acl GET method GET
>>
>> # Windows update acls
>> acl windowsupdate dstdomain sls.update.microsoft.com.akadns.net
>> acl windowsupdate dstdomain windowsupdate.microsoft.com
>> acl windowsupdate dstdomain .update.microsoft.com
>> acl windowsupdate dstdomain download.windowsupdate.com
>> acl windowsupdate dstdomain redir.metaservices.microsoft.com
>> acl windowsupdate dstdomain images.metaservices.microsoft.com
>> acl windowsupdate dstdomain c.microsoft.com
>> acl windowsupdate dstdomain www.download.windowsupdate.com
>> acl windowsupdate dstdomain wustat.windows.com
>> acl windowsupdate dstdomain crl.microsoft.com
>> acl windowsupdate dstdomain sls.microsoft.com
>> acl windowsupdate dstdomain productactivation.one.microsoft.com
>> acl windowsupdate dstdomain ntservicepack.microsoft.com
>>
>> # Windows update methods
>> acl wuCONNECT dstdomain www.update.microsoft.com
>> acl wuCONNECT dstdomain sls.microsoft.com
>>
>> # Youtube & CDN store rewrite ACLs
>> acl store_rewrite_list urlpath_regex \.(jp(e?g|e|2)|gif|png|bmp|ico|svg|web(p|m)|wm(v|a)|flv|f4f|mp(3|4)|ttf|eot|woff2?|(c|x|j)ss|js(t?|px?))\? \/ads\?
>> acl store_rewrite_list_web url_regex "/usr/local/squid/etc/url.rewrite_web"
>> acl store_rewrite_list_web_cdn url_regex "/usr/local/squid/etc/url.rewrite_cdn"
>>
>> # Adobe/Java and other updates
>> acl adobe_java_updates url_regex "/usr/local/squid/etc/url.updates"
>>
>> # No-cache
>> acl dont_cache_url url_regex "/usr/local/squid/etc/url.nocache"
>>
>> # Tor acl
>> acl tor_url dstdom_regex -i "/usr/local/squid/etc/url.tor"
>>
>> # SSL bump acl
>> acl net_bump src "/usr/local/squid/etc/net.bump"
>>
>> # TLD acl
>> acl block_tld dstdomain "/usr/local/squid/etc/dstdom.tld"
>>
>> # -------------------------------------
>> # Access parameters
>> # -------------------------------------
>> # Deny requests to unsafe ports
>> http_access deny !Safe_ports
>> # Deny CONNECT to other than SSL ports
>> http_access deny CONNECT !SSL_ports
>>
>> # Only allow cachemgr access from localhost
>> http_access allow localhost manager
>> http_access deny manager
>> http_access deny to_localhost
>> # Allow purge from localhost
>> http_access allow PURGE localhost
>> http_access deny PURGE
>>
>> # Normalize Accept-Encoding to support compression via eCAP
>> request_header_access Accept-Encoding deny all
>> request_header_replace Accept-Encoding gzip;q=1.0, identity;q=0.5, *;q=0
>> # Disable alternate protocols
>> request_header_access Alternate-Protocol deny all
>> reply_header_access Alternate-Protocol deny all
>> # Disable HSTS
>> reply_header_access Strict-Transport-Security deny all
>> reply_header_replace Strict-Transport-Security max-age=0; includeSubDomains
>> # Remove User-Agent from Vary
>> reply_header_access Vary deny all
>> reply_header_replace Vary Accept-Encoding
>> # Workaround 4253
>> request_header_access Surrogate-Capability deny all
>>
>> # Block top level domains
>> http_access deny block_tld
>> deny_info TCP_RESET block_tld
>>
>> # Rule allowing access from local networks
>> http_access allow localnet
>> http_access allow localhost
>>
>> # No cache directives
>> cache deny dont_cache_url
>>
>> # ICP/HTCP access
>> icp_access allow localnet
>> icp_access deny all
>> htcp_access allow localnet
>> htcp_access deny all
>>
>> # 302 loop
>> acl text_mime rep_mime_type text/html text/plain
>> acl http302 http_status 302
>> store_miss deny text_mime http302
>> send_hit deny text_mime http302
>>
>> # Windows updates rules
>> http_access allow CONNECT wuCONNECT localnet
>> http_access allow CONNECT wuCONNECT localhost
>> http_access allow windowsupdate localnet
>> http_access allow windowsupdate localhost
>>
>> # Minimum ICQ configuration,
>> # works for QIP 2012 and squid/ssl_bump, login.icq.com port should be either 443 or 5190
>> #
>> acl icq dstdomain login.icq.com
>> acl icqport port 443
>> acl icqport port 2041
>> acl icqport port 2042
>> acl icqport port 5190
>> # mail.ru network where ICQ/MRIM servers reside
>> acl icqip dst 178.237.16.0/20
>> acl icqip dst 217.69.128.0/20
>> # isgeek.info jabber
>> acl icqip dst 94.23.0.0/16
>>
>> http_access allow CONNECT icq
>> http_access allow CONNECT icqip icqport
>>
>> # SSL bump rules
>> acl DiscoverSNIHost at_step SslBump1
>> # ICQ/MRA must splice first
>> ssl_bump splice DiscoverSNIHost icq
>> ssl_bump splice DiscoverSNIHost icqip icqport
>> ssl_bump peek DiscoverSNIHost
>> acl NoSSLIntercept ssl::server_name_regex -i "/usr/local/squid/etc/url.nobump"
>> acl NoSSLIntercept ssl::server_name_regex -i "/usr/local/squid/etc/url.tor"
>> ssl_bump splice NoSSLIntercept
>> ssl_bump bump net_bump
>>
>> # Privoxy+Tor access rules
>> never_direct allow tor_url
>>
>> # And finally deny all other access to this proxy
>> http_access deny all
>>
>> # -------------------------------------
>> # HTTP parameters
>> # -------------------------------------
>> # Local Privoxy is cache parent
>> cache_peer 127.0.0.1 parent 8118 0 no-query no-digest default
>>
>> cache_peer_access 127.0.0.1 allow tor_url
>> cache_peer_access 127.0.0.1 deny all
>>
>> # Don't cache 404 for a long time
>> negative_ttl 5 minutes
>> positive_dns_ttl 15 hours
>> negative_dns_ttl 1 minutes
>>
>> # -------------------------------------
>> # Cache parameters
>> # -------------------------------------
>> # dhparams is before squid-3.5.12-20151222-r13967
>> # tls-dh is AFTER squid-3.5.12-20151222-r13967
>> http_port 3126 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/rootCA.crt key=/usr/local/squid/etc/rootCA.key options=NO_SSLv3 tls-dh=/usr/local/squid/etc/dhparam.pem
> I've never ever understood why ssl-bump is configured on http_port. Is
> port 80 redirected to it, or does it just serve the certificate to the
> client?
My server uses both proxy modes: transparent interception and forwarding.
This line is the forwarding port. Clients point to it using PAC.
>
>> http_port 3127
>> http_port 3128 intercept
>> # dhparams is before squid-3.5.12-20151222-r13967
>> # tls-dh is AFTER squid-3.5.12-20151222-r13967
>> https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/rootCA.crt key=/usr/local/squid/etc/rootCA.key options=NO_SSLv3 tls-dh=/usr/local/squid/etc/dhparam.pem
>> sslproxy_capath /etc/opt/csw/ssl/certs
>> # SINGLE_DH_USE is 3.5 before squid-3.5.12-20151222-r13967
>> #sslproxy_options NO_SSLv3,SINGLE_DH_USE
>> # SINGLE_ECDH_USE is AFTER squid-3.5.12-20151222-r13967
>> sslproxy_options NO_SSLv3,SINGLE_ECDH_USE
>> sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
>> sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /var/lib/ssl_db -M 4MB
>>
>> # Specify ICP/HTCP explicitly
>> icp_port 3130
>> htcp_port 4827
>>
>> # Cache manager
>> cache_mgr mymail@xxxxxxxxx
>>
>> # Cache manager password
>> cachemgr_passwd disable shutdown reconfigure rotate
>> cachemgr_passwd xxxxxxxx all
>>
>> # Cache user
>> cache_effective_user squid
>> cache_effective_group squid
>>
>> # Forces reload-into-ims
>> reload_into_ims on
>>
>> # Hide internal network details from outside
>> via off
>> forwarded_for delete
>>
>> # Do not show Squid version
>> httpd_suppress_version_string on
>>
>> # WCCPv2 parameters
>> wccp2_router 192.168.200.2
>> wccp2_forwarding_method l2
>> wccp2_return_method l2
>> wccp2_rebuild_wait off
>> wccp2_service standard 0
>> wccp2_service dynamic 70
>> wccp2_service_info 70 protocol=tcp flags=dst_ip_hash,src_ip_alt_hash,src_port_alt_hash priority=240 ports=443
>>
>> # Prioritization of local hits
>> qos_flows tos local-hit=0x68
>>
>> # Specify local DNS cache
>> dns_nameservers 127.0.0.1
>>
>> dns_v4_first on
>> ipcache_size 4096
>>
>> # -------------------------------------
>> # Adaptation parameters
>> # -------------------------------------
>> icap_enable on
>> icap_send_client_ip on
>> icap_send_client_username on
>> icap_client_username_header X-Authenticated-User
>> icap_preview_enable on
>> icap_preview_size 1024
>> icap_service service_avi_req reqmod_precache icap://localhost:1344/squidclamav bypass=off
>> adaptation_access service_avi_req allow all
>> icap_service service_avi_resp respmod_precache icap://localhost:1344/squidclamav bypass=on
>> adaptation_access service_avi_resp allow all
>>
>> ecap_enable on
>> acl HTTP_STATUS_OK http_status 200
>> loadable_modules /usr/local/lib/ecap_adapter_gzip.so
>> ecap_service gzip_service respmod_precache ecap://www.vigos.com/ecap_gzip bypass=off
>> adaptation_access gzip_service allow HTTP_STATUS_OK
>>
>> # -------------------------------------
>> # Memory parameters
>> # -------------------------------------
>> cache_mem 512 Mb
>>
>> #memory_pools off
>>
>> maximum_object_size_in_memory 1 MB
>>
>> # -------------------------------------
>> # Tuning parameters
>> # -------------------------------------
>> memory_replacement_policy heap LRU
>> cache_replacement_policy heap LFUDA
>>
>> store_avg_object_size 85 KB
>> # Default is 20
>> store_objects_per_bucket 32
>>
>> # Shutdown delay before terminating connections
>> shutdown_lifetime 15 second
>>
>> # SMP
>> #workers 2
>>
>> # -------------------------------------
>> # Store parameters
>> # -------------------------------------
>> maximum_object_size 8 Gb
>>
>> cache_dir diskd /data/cache/d1 32767 16 256
>> cache_dir diskd /data/cache/d2 32767 16 256
>> cache_dir diskd /data/cache/d3 32767 16 256
>> cache_dir diskd /data/cache/d4 32767 16 256
>>
>> # -------------------------------------
>> # Process/log parameters
>> # -------------------------------------
>> #logformat my_squid %tl %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt
>> #access_log daemon:/data/cache/log/access.log buffer-size=256KB logformat=my_squid !tor_url
>> access_log daemon:/data/cache/log/access.log buffer-size=256KB logformat=squid !tor_url
>> # Don't log ICP queries
>> log_icp_queries off
>>
>> # Turn off internal log rotation
>> logfile_rotate 0
>>
>> cache_log /data/cache/log/cache.log
>> #cache_log /data/cache/log/cache${process_number}.log
>> cache_store_log none
>>
>> # Default is off
>> buffered_logs on
>>
>> coredump_dir /var/core
>>
>> pid_filename /tmp/squid.pid
>>
>> strip_query_terms off
>>
>> # -------------------------------------
>> # Content parameters
>> # -------------------------------------
>> #range_offset_limit none store_rewrite_list
>> #range_offset_limit none store_rewrite_list_web
>> #range_offset_limit none store_rewrite_list_web_cdn
>> #range_offset_limit none adobe_java_updates
>> #range_offset_limit none windowsupdate
>> range_offset_limit none all
>>
>> # Updates: Windows, Adobe, Java
>> refresh_pattern -i microsoft.com.*\.(cab|exe|ms[iufp]|asf|wm[va]|dat|zip) 4320 80% 43200 reload-into-ims
>> refresh_pattern -i windowsupdate.com.*\.(cab|exe|ms[iufp]|asf|wm[va]|dat|zip) 4320 80% 43200 reload-into-ims
>> refresh_pattern -i my.windowsupdate.website.com.*\.(cab|exe|ms[iufp]|asf|wm[va]|dat|zip) 4320 80% 43200 reload-into-ims
>> refresh_pattern -i adobe.com.*\.(zip|exe) 4320 80% 43200 reload-into-ims
>> refresh_pattern -i java.com.*\.(zip|exe) 4320 80% 43200 reload-into-ims
>> refresh_pattern -i sun.com.*\.(zip|exe) 4320 80% 43200 reload-into-ims
>> refresh_pattern -i google\.com.*\.(zip|exe) 4320 80% 43200 reload-into-ims
>> refresh_pattern -i macromedia\.com.*\.(zip|exe) 4320 80% 43200 reload-into-ims
>> # Other setups and updates
>> refresh_pattern -i \.(zip|(g|b)z2?|exe|msi|cvd)$ 4320 80% 43200 reload-into-ims
>> # Cache squidinternal
>> refresh_pattern -i video-srv\.youtube\.squidinternal 0 0% 0
>> refresh_pattern -i squidinternal 14400 100% 518400 override-expire override-lastmod refresh-ims reload-into-ims ignore-private ignore-auth ignore-must-revalidate store-stale ignore-no-store
>> # Keep swf in cache
>> refresh_pattern -i \.swf$ 10080 100% 43200 override-expire reload-into-ims ignore-private
>> # .NET cache
>> refresh_pattern -i \.((a|m)s(h|p)x?)$ 10080 100% 43200 reload-into-ims ignore-private
>> # Other long-lived items
>> refresh_pattern -i \.(jp(e?g|e|2)|gif|png|bmp|ico|svg|web(p|m)|wm(v|a)|flv|f4f|mp(3|4)|ttf|eot|woff2?|(c|x|j)ss|js(t?|px?))(\?.*)?$ 14400 100% 518400 override-expire override-lastmod reload-into-ims ignore-private ignore-no-store ignore-must-revalidate
>> refresh_pattern -i \.((cs|d?|m?|p?|r?|s?|w?|x?|z?)h?t?m?(l?)|php(3?|5?)|rss|atom|vr(t|ml))(\?.*)?$ 10080 100% 86400 override-expire override-lastmod reload-into-ims ignore-private ignore-no-store ignore-must-revalidate
>> # Default patterns
>> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
>> refresh_pattern . 0 20% 4320 reload-into-ims
>>
>> # -------------------------------------
>> # Rewriter parameters
>> # -------------------------------------
>> # ufdbGuard rewriter
>> url_rewrite_program /usr/local/ufdbguard/bin/ufdbgclient -C
>> url_rewrite_children 64 startup=0 idle=1 concurrency=2
>> redirector_bypass off
>>
>> # Storeurl rewriter
>> store_id_program /usr/local/squid/libexec/storeid_file_rewrite /usr/local/squid/etc/storeid.conf
>> store_id_children 32 startup=0 idle=1 concurrency=4
>> # Store ID access
>> store_id_access deny !GET
>> store_id_access allow store_rewrite_list
>> store_id_access allow store_rewrite_list_web
>> store_id_access allow store_rewrite_list_web_cdn
>> store_id_access allow adobe_java_updates
>> store_id_access deny all
>> store_id_bypass off
>> ###
>>
>> I procrastinated on extracting only the ssl-bump-related rows and comments, so
>> this is the full 3.5.x config from the production server. :)
>>
>> 16.01.16 1:56, Lucas Castro wrote:
>>
>>
>>> On 15-01-2016 16:18, Yuri Voinov wrote:
>>>> _MISS/200 30415 GET https://www.google.com/search?q=Sun+2540-M2+Performance+enhancer&biw=1280&bih=699&noj=1&ei=oAmZVvnxCsW3afKevLAO&start=10&sa=N HIER_DIRECT/216.58.208.227 text/html
>>>> 15/Jan/2016:21:03:23 +0600 356 127.0.0.1 TAG_NONE/200 0 CONNECT ssl.gstatic.com:443 - HIER_DIRECT/178.88.163.157 -
>>>> 15/Jan/2016:21:03:24 +0600 518 127.0.0.1 TCP_MISS/20
>>> Can you share your ssl setup?
>>> _______________________________________________
>>> squid-users mailing list
>>> squid-users@xxxxxxxxxxxxxxxxxxxxx
>>> http://lists.squid-cache.org/listinfo/squid-users
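Added example, not part of the thread or of Squid itself: a small first-match evaluator for the http_access chain quoted above, run over a constructed excerpt of those lines kept in their original order. It shows how an earlier line shadows a later allow: a CONNECT to login.icq.com:5190 is refused by `deny CONNECT !SSL_ports` before the ICQ allow lines are ever reached, so the "443 or 5190" comment only holds for 443. Assumptions: only src, port, method and dstdomain ACL types are modelled, `localhost` is written out as 127.0.0.1/32 (Squid predefines it), and the manager, PURGE, TLD and Windows-update lines are omitted.

```python
import ipaddress

# Constructed excerpt of the quoted http_access chain, in the original order; localhost assumed 127.0.0.1/32.
CONF = """
acl localnet src 192.168.0.0/16
acl localhost src 127.0.0.1/32
acl SSL_ports port 443 8443 2041 2042 5160 5228 10443
acl Safe_ports port 80 21 443 70 210 1025-65535 280 488 591 777
acl CONNECT method CONNECT
acl icq dstdomain login.icq.com
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access allow CONNECT icq
http_access deny all
"""

def parse(conf):
    acls, rules = {"all": ("all", [])}, []
    for line in conf.splitlines():
        words = line.split("#")[0].split()       # strip trailing comments
        if words and words[0] == "acl":          # repeated acl names OR their values together
            acls.setdefault(words[1], (words[2], []))[1].extend(words[3:])
        elif words and words[0] == "http_access":
            rules.append((words[1], words[2:]))
    return acls, rules

def matches(name, req, acls):
    kind, values = acls[name]
    if kind == "src":
        return any(ipaddress.ip_address(req["src"]) in ipaddress.ip_network(v) for v in values)
    if kind == "port":                           # single ports or lo-hi ranges
        return any(int(v.split("-")[0]) <= req["port"] <= int(v.split("-")[-1]) for v in values)
    if kind == "method":
        return req["method"] in values
    if kind == "dstdomain":                      # a leading dot also matches subdomains
        return any(req["host"] == v or (v[0] == "." and req["host"].endswith(v)) for v in values)
    return kind == "all"                         # 'all' always matches; other ACL types are not modelled

def decide(req, conf=CONF):
    """First http_access line whose ACLs all match wins ('!' negates one ACL); returns (verdict, index)."""
    acls, rules = parse(conf)
    for i, (verdict, terms) in enumerate(rules):
        if all(matches(t.lstrip("!"), req, acls) != t.startswith("!") for t in terms):
            return verdict, i
    return None, None                            # unreachable here: the final 'deny all' always matches

if __name__ == "__main__":  # the 5190 ICQ CONNECT is refused by rule 1, before any ICQ allow line
    print(decide({"src": "10.0.0.5", "port": 5190, "method": "CONNECT", "host": "login.icq.com"}))
```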