author | Rich Burridge <rich.burridge@oracle.com> |
Mon, 14 Nov 2011 09:56:09 -0800 | |
changeset 584 | f4e402a57670 |
parent 211 | f37f16a2a99c |
permissions | -rw-r--r-- |
# |
# Recommended minimum configuration: |
# |
acl manager proto cache_object |
acl localhost src 127.0.0.1/32 ::1 |
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1 |
|
# Example rule allowing access from your local networks. |
# Adapt to list your (internal) IP networks from where browsing |
# should be allowed |
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network |
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network |
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network |
acl localnet src fc00::/7 # RFC 4193 local private network range |
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines |
|
acl SSL_ports port 443 |
acl Safe_ports port 80 # http |
acl Safe_ports port 21 # ftp |
acl Safe_ports port 443 # https |
acl Safe_ports port 70 # gopher |
acl Safe_ports port 210 # wais |
acl Safe_ports port 1025-65535 # unregistered ports |
acl Safe_ports port 280 # http-mgmt |
acl Safe_ports port 488 # gss-http |
acl Safe_ports port 591 # filemaker |
acl Safe_ports port 777 # multiling http |
acl CONNECT method CONNECT |
|
# |
# Recommended minimum Access Permission configuration: |
# |
# Only allow cachemgr access from localhost |
http_access allow manager localhost |
http_access deny manager |
|
# Deny requests to certain unsafe ports |
http_access deny !Safe_ports |
|
# Deny CONNECT to other than secure SSL ports |
http_access deny CONNECT !SSL_ports |
|
# We strongly recommend the following be uncommented to protect innocent |
# web applications running on the proxy server who think the only |
# one who can access services on "localhost" is a local user |
#http_access deny to_localhost |
|
# |
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS |
# |
|
# Example rule allowing access from your local networks. |
# Adapt localnet in the ACL section to list your (internal) IP networks |
# from where browsing should be allowed |
http_access allow localnet |
http_access allow localhost |
|
# And finally deny all other access to this proxy |
http_access deny all |
|
# Squid normally listens to port 3128 |
http_port 3128 |
|
# We recommend you use at least the following line. |
hierarchy_stoplist cgi-bin ? |
|
# Uncomment and adjust the following to add a disk cache directory. |
#cache_dir ufs /var/squid/cache 100 16 256 |
|
# Leave coredumps in the first cache dir |
coredump_dir /var/squid/cache |
|
# Add any of your own refresh_pattern entries above these. |
refresh_pattern ^ftp: 1440 20% 10080 |
refresh_pattern ^gopher: 1440 0% 1440 |
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 |
refresh_pattern . 0 20% 4320 |
|
# TAG: cache_effective_user |
# If you start Squid as root, it will change its effective/real |
# UID/GID to the user specified below. The default is to change |
# to UID nobody. If you define cache_effective_user, but not |
# cache_effective_group, Squid sets the GID to the effective |
# user's default group ID (taken from the password file) and |
# supplementary group list from the group memberships of |
# cache_effective_user. |
# |
#Default: |
cache_effective_user webservd |
|
# TAG: cache_effective_group |
# If you want Squid to run with a specific GID regardless of |
# the group memberships of the effective user then set this |
# to the group (or GID) you want Squid to run as. When set |
# all other group privileges of the effective user are ignored |
# and only this GID is effective. If Squid is not started as |
# root the user starting Squid must be a member of the specified |
# group. |
# |
#Default: |
# none |