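# Squid 2.5 proxy configuration -- section 1: access control list
# definitions and the listening port.
#
# ACL names defined here are consumed by the http_access rules further
# down in this file; an ACL that no active http_access line references
# has no effect on its own.
#
#Access control list definitions
#Examples:
#acl myexample dst_as 1241
#acl password proxy_auth REQUIRED
#acl fileupload req_mime_type -i ^multipart/form-data$
#acl javascript rep_mime_type -i ^application/x-javascript$
#
acl all src 0.0.0.0/0
# "intranet" is the set of client addresses allowed to use the proxy
# (see "http_access allow intranet" below).
acl intranet src 172.16.0.0/12
acl intranet src 195.66.192.167
acl intranet src 195.66.192.168
acl intranet src 195.66.192.169
acl intranet src 195.66.192.170
acl intranet src 195.66.192.171
# NOTE(review): 1.0.0.0/8 is not private (RFC 1918) address space.
# Unless that range is genuinely routed only inside this intranet,
# "http_access allow intranet" admits clients from it -- confirm.
acl intranet src 1.0.0.0/8
acl localhost src 127.0.0.1/32
acl to_intranet dst 172.16.0.0/12
acl to_intranet dst 1.0.0.0/8
acl to_localhost dst 127.0.0.1/32
acl manager proto cache_object
acl SSL_ports port 443 563
# NOTE(review): Safe_ports is entirely commented out here and the
# matching "http_access deny !Safe_ports" rule is commented out in the
# access section, so plain (non-CONNECT) requests may target any
# destination port. Only CONNECT is restricted (to SSL_ports).
#acl Safe_ports port 80 # http
#acl Safe_ports port 21 # ftp
#acl Safe_ports port 443 563 # https, snews
#acl Safe_ports port 70 # gopher
#acl Safe_ports port 210 # wais
#acl Safe_ports port 1025-65535 # unregistered ports
#acl Safe_ports port 280 # http-mgmt
#acl Safe_ports port 488 # gss-http
#acl Safe_ports port 591 # filemaker
#acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl query urlpath_regex cgi-bin \?
# Keep this file in sync across all peers
# Do NOT ban these
# NOTE(review): the "http_access allow no_ads_regex" rule that would
# honour these exceptions is commented out in the access section, so
# no_ads_regex currently has no effect.
acl no_ads_regex url_regex -i http://top\.list\.ru/counter\?id=607643;t=211
acl no_ads_regex url_regex -i /banner\.html*$
# TODO: why is this blocked
acl no_ads_regex url_regex -i ^http://welcome\.hp\.com:*[0123456789]*/
# Ban these
# All ads_regex entries are case-insensitive (-i) and are matched
# against the full URL by "http_access deny ads_regex" below.
# Lines prefixed with a #tag# (e.g. "#counter#acl ...") are disabled;
# a #tag# after the pattern is a trailing remark. NOTE(review): a
# trailing "#tag#" relies on the config parser stopping at a token that
# begins with '#'; verify on this Squid build or move the tags onto
# their own comment lines.
# NOTE(review): the path-only patterns ([./]adv[./?], /count.*\?,
# /ping.*\?) match on any host, e.g. /adv/, /country?x, /pingback?y;
# expect some collateral blocking.
acl ads_regex url_regex -i [./]banners*[./?]
acl ads_regex url_regex -i [./]bannerserver[./?]
acl ads_regex url_regex -i [./]bannerbank[./?]
acl ads_regex url_regex -i [./]bannerfarm[./?]
acl ads_regex url_regex -i \.linkexchange\.ru:*[0123456789]*/
acl ads_regex url_regex -i [./]adv[./?]
acl ads_regex url_regex -i /count.*\? #counter#
acl ads_regex url_regex -i /cnt\.cgi\? #counter#
acl ads_regex url_regex -i /ping.*\? #ping#
acl ads_regex url_regex -i /ad/adframe\.php\?
acl ads_regex url_regex -i [./]adserver
acl ads_regex url_regex -i /phpAdsNew.*/ad.*\.php\?
acl ads_regex url_regex -i /adsystem.*/ad.*\.php\?
acl ads_regex url_regex -i /adjs\.php\?
acl ads_regex url_regex -i /adlog\.php\?
acl ads_regex url_regex -i /ADSAdClient[0123456789]*\.dll\?
acl ads_regex url_regex -i ads/adstream_lx\.cgi/
acl ads_regex url_regex -i ^http://ar\.atwola\.com:*[0123456789]*/
acl ads_regex url_regex -i ^http://ads*[0123456789]*\. #http_ad#
acl ads_regex url_regex -i ^http://bs\.yandex\.ru:*[0123456789]*/count/
acl ads_regex url_regex -i ^http://c\.bigmir\.net:*[0123456789]*/\?
#counter#acl ads_regex url_regex -i ^http://counter\.rambler\.ru:*[0123456789]*/top100\.cnt\?
acl ads_regex url_regex -i ^http://images\.rambler\.ru:*[0123456789]*/upl/partners/.*gif
acl ads_regex url_regex -i ^http://images\.rambler\.ru:*[0123456789]*/upl/clients/.*gif
#counter#acl ads_regex url_regex -i ^http://top\.list\.ru:*[0123456789]*/counter\?
acl ads_regex url_regex -i ^http://u[0123456789\.]*\.spylog\.com:*[0123456789]*/cnt\?
#counter#acl ads_regex url_regex -i ^http://www\.ilk[0123456789]*\.com:*[0123456789]*/counter/count[0123456789]*\.php\?
acl ads_regex url_regex -i ^http://engine\.awaps\.net:*[0123456789]*/[0123456789/.]*gif.*
acl ads_regex url_regex -i ^http://bbn\.img\.com\.ua:*[0123456789]*/[0123456789/.]*\.gif
acl ads_regex url_regex -i ^http://bbn\.img\.com\.ua:*[0123456789]*/[0123456789/.]*\.jpe*g
acl ads_regex url_regex -i ^http://bbn\.img\.com\.ua:*[0123456789]*/[0123456789/.]*\.swf
acl ads_regex url_regex -i ^http://web\.icq\.com:*[0123456789]*/client/ate/ad-handler/
acl ads_regex url_regex -i ^http://.*\.abn\.com\.ua:*[0123456789]*/iframe\?
acl ads_regex url_regex -i ^http://62.118.249.36:*[0123456789]*/images/[0123456789/]*\.gif
acl ads_regex url_regex -i ^http://www\.ad\.tomshardware\.com:*[0123456789]*/cgi-bin/bd\.m\?
#http_ad#acl ads_regex url_regex -i ^http://ad\.doubleclick\.net:*[0123456789]*/ad./
acl ads_regex url_regex -i ^http://pagead2\.googlesyndication\.com:*[0123456789]*/pagead/ads\?
acl ads_regex url_regex -i ^http://www\.yadro\.ru:*[0123456789]*/cgi-bin/show\?
acl ads_regex url_regex -i ^http://counter\.yadro\.ru:*[0123456789]*/hit
acl ads_regex url_regex -i ^http://servedby\.advertising\.com:*[0123456789]*/site
acl ads_regex url_regex -i ^http://tbs\.susanin\.com:*[0123456789]*/cgi-bin/tbs/banneri\.cgi\?
acl ads_regex url_regex -i ^http://pbnet\.ru/show:*[0123456789]*/show\.pl\?
#http_ad#acl ads_regex url_regex -i ^http://ad2\.pamedia\.com:*[0123456789]*\.au/js\.ng/site
#http_ad#acl ads_regex url_regex -i ^http://ad2\.pamedia\.com:*[0123456789]*\.au/html\.ng/site
acl ads_regex url_regex -i ^http://cdn\.valueclick\.com:*[0123456789]*/ad\.s/
acl ads_regex url_regex -i ^http://us\.a1\.yimg\.com:*[0123456789]*/us\.yimg\.com/a/in/information_usa/.*\.gif
acl ads_regex url_regex -i ^http://icqrus\.ru:*[0123456789]*/cgi/icq2k/all_bn\.cgi\?
#counter#acl ads_regex url_regex -i ^http://counter\.yadro\.ru:*[0123456789]*/logo\?
acl ads_regex url_regex -i ^http://cnt\.one\.ru:*[0123456789]*/cgi-bin/cnt\.cgi\?
acl ads_regex url_regex -i ^http://www2.aport.ru:*[0123456789]*/scripts/popup/popup.dll
acl ads_regex url_regex -i ^http://topshop-counter\.rambler\.ru:*[0123456789]*/top100\.cnt\?
acl ads_regex url_regex -i ^http://[0-9a-z.]*topcto\.ru:*[0123456789]*/cgi-bin/top\.cgi\?
#counter#acl ads_regex url_regex -i ^http://findme\.ru:*[0123456789]*/Counter/\?
acl ads_regex url_regex -i ^http://br\.gcl\.ru:*[0123456789]*/cgi-bin/br/br[0123456789_]*\.cgi\?
acl ads_regex url_regex -i ^http://195\.161\.118\.21/images/[0123456789/]*\.gif
acl ads_regex url_regex -i ^http://194\.125\.249\.67:*[0123456789]*/[0123456789/]*
acl ads_regex url_regex -i ^http://sle-ent.com.ua:*[0123456789]*/\?
acl ads_regex url_regex -i ^http://sle-pvt.com.ua:*[0123456789]*/\?
#ping#acl ads_regex url_regex -i ^http://[0-9a-z.]*topping\.od\.ua:*[0123456789]*/cgi-bin/pinger\.cgi\?
acl ads_regex url_regex -i ^http://[0-9a-z.]*a-counter\.kiev\.ua:*[0123456789]*/a/
acl ads_regex url_regex -i ^http://im-tub\.yandex\.ru:*[0123456789]*/i\?
acl ads_regex url_regex -i ^http://t0\.extreme-dm:*[0123456789]*\.com/0\.gif\?
acl ads_regex url_regex -i ^http://www\.yandex\.ru:*[0123456789]*/cycounter\?
acl ads_regex url_regex -i ^http://www\.razom\.org\.ua:*[0123456789]*/ads/img/\?
acl ads_regex url_regex -i ^http://[0-9a-z.]*huyandex\.com:*[0123456789]*/c_banner\.php\?
acl ads_regex url_regex -i ^http://pagead2\.googlesyndication\.com:*[0123456789]*/pagead/show_ads\.js
# Fixed: the '?' was unescaped, which only made the 'p' optional instead
# of requiring a literal '?' as every sibling pattern does.
acl ads_regex url_regex -i ^http://www\.clx\.ru:*[0123456789]*/rot\.php\?
acl ads_regex url_regex -i ^http://s\.clx\.ru:*[0123456789]*/rot\.php\?
acl ads_regex url_regex -i ^http://s\.clx\.ru:*[0123456789]*/show\.php\?
acl ads_regex url_regex -i ^http://oz\.valueclick\.com:*[0123456789]*/cycle\?
acl ads_regex url_regex -i ^http://w[0123456789]*\.hitbox\.com:*[0123456789]*/Hitbox\?
acl ads_regex url_regex -i ^http://b[0123456789]*\.abn\.com\.ua:*[0123456789]*/nsimg\?
acl ads_regex url_regex -i ^http://www\.burstnet\.com:*[0123456789]*/cgi-bin/ads/
#counter#acl ads_regex url_regex -i ^http://top\.list\.ru:*[0123456789]*/counter\?
acl ads_regex url_regex -i ^http://cbn\.com\.ua:*[0123456789]*/bn\.php\?
acl ads_regex url_regex -i ^http://www\.kat\.ru:*[0123456789]*/banners_view/view\.php\?
acl ads_regex url_regex -i ^http://images.e-se.ru:*[0123456789]*/.*rnd=
acl ads_regex url_regex -i ^http://uaportal\.com:*[0123456789]*/r/\?/news/[0123456789]
acl ads_regex url_regex -i ^http://s1.adward.ru:*[0123456789]*/\?
acl ads_regex url_regex -i ^http://global\.msads\.net:*[0123456789]*/ads/
acl ads_regex url_regex -i ^http://www.*adnet\.ru:*[0123456789]*/cgi-bin/iframe/vivru
acl ads_regex url_regex -i ^http://www.*business\.lbn\.ru:*[0123456789]*/cgi-bin/iframe/
acl ads_regex url_regex -i ^http://image\.linkexchange\.com:*[0123456789]*/[0123456789/]*/banner
acl ads_regex url_regex -i ^http://rotabanner\.kulichki\.net:*[0123456789]*/cgi-bin/iframe/
acl ads_regex url_regex -i ^http://bx\.metka\.ru:*[0123456789]*/.*\?
acl ads_regex url_regex -i ^http://aif\.yadro\.ru:*[0123456789]*/cgi-bin/show\?
acl ads_regex url_regex -i ^http://btxt\.abn\.com\.ua:*[0123456789]*/jsframe\?
acl ads_regex url_regex -i ^http://direct\.lbe\.ru:*[0123456789]*/cgi-bin/iframe/.*\?
acl ads_regex url_regex -i ^http://sj4\.ru:*[0123456789]*/cgi-bin/iframe/.*\?
acl ads_regex url_regex -i ^http://engine\.awaps\.net:*[0123456789]*/.*\?
acl ads_regex url_regex -i ^http://[a-z0-9]*\.startua\.com:*[0123456789]*/.*\?
acl ads_regex url_regex -i ^http://uabanner\.com:*[0123456789]*/bn\.php\?
acl ads_regex url_regex -i ^http://www.*adnet\.ru:*[0123456789]*/cgi-bin/iframe/books\?
acl ads_regex url_regex -i ^http://server\.iad\.liveperson\.net:*[0123456789]*/hc/
acl ads_regex url_regex -i ^http://.*\.spylog\.com:*[0123456789]*/java/stats\.phtml
acl ads_regex url_regex -i ^http://.*\.adnet\.ru:*[0123456789]*/cgi-bin/iframe/
acl ads_regex url_regex -i ^http://rotabanner.*\.ru:*[0123456789]*/cgi-bin/iframe/
acl ads_regex url_regex -i ^http://baner\.ukr\.net:*[0123456789]*/adframe\.php
acl ads_regex url_regex -i ^http://amch\.questionmarket\.com:*[0123456789]*/adscgen/sta\.php
acl ads_regex url_regex -i ^http://mbn\.com\.ua:*[0123456789]*/cgi-bin/iframe/
# Fixed: was "^http://*.\.mystat-in\.net", where "/*" ate the slashes
# and "." matched a single character, so only one-character subdomains
# matched. "^http://.*\." is the form the other host patterns use.
acl ads_regex url_regex -i ^http://.*\.mystat-in\.net:*[0123456789]*/
acl ads_regex url_regex -i ^http://r\.mail\.ru:*[0123456789]*/[a-z0-9]*\.jpg$
acl ads_regex url_regex -i ^http://www\.mediacenter\.ru:*[0123456789]*/trans/adv200x100\.phtml\?
acl ads_regex url_regex -i ^http://counter\.hotlog\.ru:*[0123456789]*/cgi-bin/hotlog/count\.js
acl ads_regex url_regex -i ^http://gbs\.gator\.com:*[0123456789]*/gbs/gbs\.dll\?
acl ads_regex url_regex -i ^http://www\.equestrian\.ru:*[0123456789]*/Ads/adframe\.php\?
acl ads_regex url_regex -i ^http://d\.clx\.ru:*[0123456789]*/show\.php\?
acl ads_regex url_regex -i ^http://bs\.yandex\.ru:*[0123456789]*/show/[0123456789]*
acl ads_regex url_regex -i ^http://www\.uaportal\.com:*[0123456789]*/r/\?
# To block, or not to block?
# NOTE(review): this entry is ACTIVE and blocks Windows Update payload
# downloads (msdownload/update/) for every client behind this proxy.
# Blocked patch delivery is a security cost in itself -- decide
# explicitly rather than leaving it under a question mark.
acl ads_regex url_regex -i ^http://.*download\.windowsupdate\.com:*[0123456789]*/msdownload/update/
# TEST: block .avi .mp? .wmv
# NOTE(review): while these three are active the refresh_pattern
# entries for [.]mp[g123]$ / [.]mpeg$ / [.]avi$ further down can never
# be reached; the '.' in "\.mp.$" matches any single character.
acl ads_regex url_regex -i \.avi$
acl ads_regex url_regex -i \.mp.$
acl ads_regex url_regex -i \.wmv$
# Not sure that it is spam...
#acl ads_regex url_regex -i ^http://www.rambler.ru:*[0123456789]*/knp.gif?
#acl ads_regex url_regex -i ^http://kmindex.ru:*[0123456789]*/c/\?
#acl ads_regex url_regex -i ^http://kmindex.ru:*[0123456789]*/p/\?
#acl ads_regex url_regex -i ^http://reks.com.ua:*[0123456789]*/cgi-bin/s\?
#acl ads_regex url_regex -i ^http://wwwomen.ru:*[0123456789]*/php/wi\.php\?
#acl ads_regex url_regex -i ^http://top.germany.ru:*[0123456789]*/cgi-bin/links/top\.cgi\?
#acl ads_regex url_regex -i ^http://bs.yandex.ru:*[0123456789]*/show/[0123456789]
# DONT! This incurs reverse DNS lookup if you supplied numeric IP
# (and 5 min (!!!) timeout if that IP does not have reverse DNS set up)
#acl ads dstdomain 81.222.128.3 www.linkexchange.ru ad0.bigmir.net bbn.img.com.ua
# Usage: port
#        hostname:port
#        1.2.3.4:port
# Listens on every local address, including the public 195.66.192.x
# ones listed in "intranet" above; the http_access rules are the only
# gate in front of this socket.
http_port 0.0.0.0:9080
# TAG: https_port
# Usage: [ip:]port cert=certificate.pem [key=key.pem] [options...]
#   cert=    Path to SSL certificate (PEM format)
#   key=     Path to SSL private key file (PEM format)
#            if not specified, the certificate file is
#            assumed to be a combined certificate and
#            key file
#   version= The version of SSL/TLS supported
#            1 automatic (default)
#            2 SSLv2 only
#            3 SSLv3 only
#            4 TLSv1 only
#   cipher=  Colon separated list of supported ciphers
#   options= Various SSL engine options. The most important:
#            NO_SSLv2 Disallow the use of SSLv2
#            NO_SSLv3 Disallow the use of SSLv3
#            NO_TLSv1 Disallow the use of TLSv1
#            See src/ssl_support.c or OpenSSL documentation
#            for a more complete list.
# NOTE(review): if this listener is ever enabled, the default "version=1
# automatic" admits SSLv2/SSLv3; use the NO_SSLv2/NO_SSLv3 options
# documented above and keep the key file readable only by the
# cache_effective_user.
#https_port 0.0.0.0:443 cert=/var/service/squid/cert.pem key=/var/service/squid/key.pem
# Some browsers (especially MSIE) bugs out on SSL shutdown
# messages.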
# ssl_unclean_shutdown off
#
# Section 2: inter-cache protocols, peer hierarchy, header mangling and
# memory/object size limits.
#
# The port number where Squid sends and receives ICP queries to
# and from neighbor caches. Default is 3130. To disable use "0"
# ICP is disabled here, so the udp_* addresses and "icp_access allow
# all" further down have nothing to act on.
icp_port 0
# TAG: htcp_port
# The port number where Squid sends and receives HTCP queries to
# and from neighbor caches. Default is 4827. To disable use "0".
# vda:unrecognized: htcp_port 0
# Usage: mcast_groups 239.128.16.128 224.0.1.20
# none
# A udp_incoming_address value of 0.0.0.0 indicates that Squid should
# listen for UDP messages on all available interfaces.
# If udp_outgoing_address is set to 255.255.255.255 (the default)
# then it will use the same socket as udp_incoming_address. Only
# change this if you want to have ICP queries sent using another
# address than where this Squid listens for ICP queries from other
# caches.
# NOTE, udp_incoming_address and udp_outgoing_address can not
# have the same value since they both use port 3130.
udp_incoming_address 0.0.0.0
udp_outgoing_address 255.255.255.255
# To specify other caches in a hierarchy, use the format:
#
#   #                                     proxy   icp
#   #   hostname              type        port    port    options
#   #   --------------------  --------    -----   -----   -----------
# cache_peer parent.foo.net parent 3128 3130 [proxy-only]
# cache_peer sib1.foo.net sibling 3128 3130 [proxy-only]
# cache_peer sib2.foo.net sibling 3128 3130 [proxy-only]
# none
# sourceforge-book-html/x800.html:
# ================================
# default: "Go through this cache for all requests. If it's down,
#   return an error message to the client (cannot go direct)"
# no-query: ignore the given ICP port (leaving the port number out will return
#   an error), and never attempt to query the cache with ICP
# Go only thru TM proxies:
### cache_peer 195.66.200.114 parent 80 3130 default no-query
#
# SSLed proxies are there ;)
#TODO: make it permanent
#cache_peer 127.0.0.1 parent 5500 3130 no-query round-robin allow-miss
#cache_peer 127.0.0.1 parent 5501 3130 no-query round-robin allow-miss
#cache_peer 127.0.0.1 parent 5502 3130 no-query round-robin allow-miss
#cache_peer 127.0.0.1 parent 5503 3130 no-query round-robin allow-miss
#cache_peer 127.0.0.1 parent 5504 3130 no-query round-robin allow-miss
#cache_peer 127.0.0.1 parent 5505 3130 no-query round-robin allow-miss
#cache_peer 127.0.0.1 parent 5506 3130 no-query round-robin allow-miss
#cache_peer 127.0.0.1 parent 5507 3130 no-query round-robin allow-miss
#cache_peer 127.0.0.1 parent 5508 3130 no-query round-robin allow-miss
#cache_peer 127.0.0.1 parent 5509 3130 no-query round-robin allow-miss
# NOTE(review): every cache_peer line is commented out and the
# never_direct rules below are disabled ("###"), so this instance
# currently fetches everything directly. The "commented out: NEVER go
# direct" remarks below describe an earlier state of the file.
# cache_peer_domain cache-host domain [domain ...]
# cache_peer_domain cache-host !domain
# none
# usage: neighbor_type_domain parent|sibling domain domain ...
# EXAMPLE:
# cache_peer parent cache.foo.org 3128 3130
# neighbor_type_domain cache.foo.org sibling .com .net
# neighbor_type_domain cache.foo.org sibling .au .de
# none
# Similar to 'cache_peer_domain' but provides more flexibility by
# using ACL elements.
# cache_peer_access cache-host allow|deny [!]aclname ...
### cache_peer_access 195.66.200.114 deny to_intranet
### cache_peer_access 195.66.200.114 allow all
# commented out: NEVER go direct
#hierarchy_stoplist cgi-bin ?
# Query-type requests should not be cached
# commented out: NEVER go direct
#no_cache deny query
# TAG: always_direct
# Usage: always_direct allow|deny [!]aclname ...
### always_direct allow to_intranet
# TAG: never_direct
# Usage: never_direct allow|deny [!]aclname ...
#
# Force use of parent caches for everything but intranets
### never_direct deny to_intranet
### never_direct allow all
# TAG: header_access
# Usage: header_access header_name allow|deny [!]aclname ...
#
# This option replaces the old 'anonymize_headers' and the
# older 'http_anonymizer' option with something that is much
# more configurable. This new method creates a list of ACLs
# for each header, allowing you very fine-tuned header
# mangling.
#
# Top used headers - candidates to elimination:
#  2922 User-Agent
#  2916 Host
#  2753 Accept-Language (?)
#  2737 Connection
#  2550 Referer (!)
#  2381 Accept-Encoding (?)
#  1652 Accept
#   940 Cookie
#
# Referer is stripped from every outbound request. NOTE(review): sites
# that use Referer for hot-link or CSRF checks may reject such requests;
# document this as a known compatibility cost. Further header_access
# lines (From, Via, X-Forwarded-For) appear near the end of this file.
header_access Referer deny all
header_access All allow all
# icp_query_timeout 0
# maximum_icp_query_timeout 2000
# mcast_icp_query_timeout 2000
# dead_peer_timeout 10 seconds
### #hierarchy_stoplist cgi-bin ?
# Query-type requests should not be cached (see ACL defs for 'query')
### #no_cache deny query
# 'cache_mem' specifies the ideal amount of memory to be used for:
#   * In-Transit objects
#   * Hot Objects
#   * Negative-Cached objects
# cache_mem 8 MB
# cache_swap_low 90
# cache_swap_high 95
maximum_object_size 8192 KB
# minimum_object_size 0 KB
# maximum_object_size_in_memory 8 KB
# The size, low-, and high-water marks for the IP cache.
# ipcache_size 1024
# ipcache_low 90
# ipcache_high 95
# Maximum number of FQDN cache entries.
# fqdncache_size 1024
#
# Section 3: replacement policy, on-disk cache, logging and helper paths.
#
# lru       : Squid's original list based LRU policy
# heap GDSF : Greedy-Dual Size Frequency
# heap LFUDA: Least Frequently Used with Dynamic Aging
# heap LRU  : LRU policy implemented using a heap
# cache_replacement_policy lru
# memory_replacement_policy lru
# cache_dir Type Directory-Name Fs-specific-data [options]
#
# "ufs" is the old well-known Squid storage format
# ==================================================================
# cache_dir ufs Directory-Name Mbytes L1 L2 [options]
# 'Mbytes' is the amount of disk space to use
# 'Level-1' is the number of first-level subdirectories
# 'Level-2' is the number of second-level subdirectories
# vda: ... and files in each second level dir
#
# "aufs" uses the same storage format as "ufs", utilizing
# POSIX-threads to avoid blocking the main Squid process on
# disk-I/O. This was formerly known in Squid as async-io.
# ==================================================================
# cache_dir aufs Directory-Name Mbytes L1 L2 [options]
#
# "diskd" uses the same storage format as "ufs", utilizing a
# separate process to avoid blocking the main Squid process on
# disk-I/O.
# ==================================================================
# cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n]
# Q1 - if this many messages are in the queues, Squid won't open new files
# Q2 - if this many messages are in the queues, Squid blocks until it receives some replies
#
# Common options:
# read-only, this cache_dir is read only.
# max-size=n, refers to the max object size this storedir supports.
#
# vda: for 4G data I'd set 4096 64 64,
# for 2G: 2048 32 64
# for 1G: 1024 64 32
# for 1/2G: 512 32 32
# 512 MB on-disk cache, 32 first-level and 32 second-level directories.
# This directory is also used by coredump_dir at the end of this file.
cache_dir ufs /var/cache/squid-2 512 32 32
#cache_dir ufs /var/cache/squid-2 1500 32 64
# Logs the client request activity. Contains an entry for
# every HTTP and ICP queries received. To disable, enter "none".
# NOTE(review): "logdir/..." is a relative path; confirm what it
# resolves against at startup and that the FIFO reader is running
# before Squid, since writes to an unread FIFO can stall the writer.
cache_access_log logdir/access.fifo
# Cache logging file. This is where general information about
# your cache's behavior goes. You can increase the amount of data
# logged to this file with the "debug_options" tag below.
cache_log logdir/cache.fifo
# Logs the activities of the storage manager. Shows which
# objects are ejected from the cache, and which objects are
# saved and for how long. To disable, enter "none".
cache_store_log none #logdir/store.fifo
# cache_swap_log
#cache_swap_log logdir/swap.fifo
# emulate_httpd_log off
# Log the destination IP address in the hierarchy log tag when going
# direct. Earlier Squid versions logged the hostname here.
log_ip_on_direct on
# Pathname to Squid's MIME table.
mime_table /usr/app/squid-2.5.STABLE10/var/etc/mime.conf
# The Cache can record both the request and the response MIME
# headers for each HTTP transaction. The headers are encoded
# safely and will appear as two bracketed fields at the end of
# the access log
# Kept off: full request headers would put Cookie and
# Proxy-Authorization values into the access log.
log_mime_hdrs off
# useragent_log
# vda:unrecognized: useragent_log ...
# referer_log
# vda:unrecognized: referer_log ...
# pid_filename
pid_filename /var/log/service/squid/squid.pid
# 22:refresh.c
# Debug level 2 for all sections, with sections 22 (refresh) and 33
# also at level 2. NOTE(review): this is above the usual level 1;
# check that cache.log does not accumulate per-request detail beyond
# what the access log already holds.
debug_options ALL,2 22,2 33,2
log_fqdn off
# A netmask for client addresses in logfiles and cachemgr output.
# A netmask of 255.255.255.0 will log all IP's in that range with
# the last digit set to '0'.
# client_netmask 255.255.255.255
# ftp_user anon@
# ftp_list_width 32
# ftp_passive on
# ftp_sanitycheck on
# This option is only available if Squid is rebuilt with the
# --disable-internal-dns option
# Specify the location of the executable for dnslookup process.
# cache_dns_program /usr/app/squid-2.5.STABLE10/libexec/dnsserver
#
# Section 4: DNS/helper programs, authentication parameters and
# refresh (freshness) rules.
#
# dns_children 5
# dns_retransmit_interval 5 seconds
# dns_timeout 5 minutes
# dns_defnames off
# dns_nameservers
# none
# hosts_file /etc/hosts
# diskd_program /usr/app/squid-2.5.STABLE10/libexec/diskd
# unlinkd_program /usr/app/squid-2.5.STABLE10/libexec/unlinkd
# This option is only available if Squid is rebuilt with the
# --enable-icmp option
# pinger_program /usr/app/squid-2.5.STABLE10/libexec/pinger
# redirect_program
# none
# redirect_children 5
# By default Squid rewrites any Host: header in redirected
# requests. If you are running an accelerator then this may
# not be a wanted effect of a redirector.
# redirect_rewrites_host_header on
# redirector_access
# none
# TAG: auth_param
# This is used to pass parameters to the various authentication
# schemes.
# format: auth_param scheme parameter [setting]
#
# auth_param basic program /usr/app/squid-2.5.STABLE10/bin/ncsa_auth /etc/passwd
# would tell the basic authentication scheme its program parameter.
#
# === Parameters for the basic scheme follow. ===
# "program" cmdline
#   Specify the command for the external authenticator. Such a
#   program reads a line containing "username password" and replies
#   "OK" or "ERR" in an endless loop. If you use an authenticator,
#   make sure you have 1 acl of type proxy_auth.
#
# "children" numberofchildren
#   The number of authenticator processes to spawn (no default).
#   auth_param basic children 5
#
# "realm" realmstring
#   Specifies the realm name which is to be reported to the
#   client for the basic proxy authentication scheme (part of
#   the text the user will see when prompted their username and
#   password).
#   auth_param basic realm Squid proxy-caching web server
#
# "credentialsttl" timetolive
#   Specifies how long squid assumes an externally validated
#   username:password pair is valid for
#
# === Parameters for the digest scheme follow ===
# "program" cmdline
# "children" numberofchildren
# "realm" realmstring
# "nonce_garbage_interval" timeinterval
#   Specifies the interval that nonces that have been issued
#   to client_agent's are checked for validity.
# "nonce_max_duration" timeinterval
#   Specifies the maximum length of time a given nonce will be
#   valid for.
# "nonce_max_count" number
#   Specifies the maximum number of times a given nonce can be
#   used.
# "nonce_strictness" on|off
#   Determines if squid requires increment-by-1 behaviour for
#   nonce counts (on - the default), or strictly incrementing
#   (off - for use when useragents generate nonce counts that
#   occasionally miss 1 (ie, 1,2,4,6)).
#
# === NTLM scheme options follow ===
# "program" cmdline
#   auth_param ntlm program /usr/app/squid-2.5.STABLE10/bin/ntlm_auth
# "children" numberofchildren
# "max_challenge_reuses" number
#   The maximum number of times a challenge given by a ntlm
#   authentication helper can be reused.
#   0 means use the challenge only once.
# "max_challenge_lifetime" timespan
#   The maximum time period that a ntlm challenge is reused over.
#   auth_param ntlm max_challenge_lifetime 2 minutes
#Recommended minimum configuration:
#auth_param digest program
#auth_param digest children 5
#auth_param digest realm Squid proxy-caching web server
#auth_param digest nonce_garbage_interval 5 minutes
#auth_param digest nonce_max_duration 30 minutes
#auth_param digest nonce_max_count 50
#auth_param ntlm program
#auth_param ntlm children 5
#auth_param ntlm max_challenge_reuses 0
#auth_param ntlm max_challenge_lifetime 2 minutes
# No authenticator is configured ("program" is commented out) and no
# active ACL uses proxy_auth, so the three basic-scheme settings below
# are inert: access is decided purely by client source address.
#auth_param basic program
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
# authenticate_cache_garbage_interval 1 hour
# authenticate_ttl 1 hour
# authenticate_ip_ttl 0 seconds
# external_acl_type
# none
# wais_relay_host
# wais_relay_port
# wais_relay_port 0
# request_header_max_size 10 KB
# request_body_max_size 0 KB
# refresh_pattern
# NB: refresh calcs fail horribly if your system time is not ok ;)
# min/max in minutes
# regex min percent max [options]
#
# Patterns are tried in order; the first match wins, so the
# catch-all "." entry at the end only applies to URLs nothing above
# matched.
#
# FTP: min fresh time 1 day, max 10 days
refresh_pattern ^ftp: 2880 50% 28800
# GOPHER: min fresh time 1 day, max 1 day
refresh_pattern ^gopher: 2880 0% 2880
# Images/video
# 2880000 minutes is roughly 5.5 years. NOTE(review): "ignore-reload"
# means a client reload cannot force revalidation of a cached object
# matched by these rules; a fixed or replaced file under one of these
# extensions can keep being served from cache until it is evicted.
refresh_pattern -i [.]jpg$ 2880 50% 2880000 override-lastmod ignore-reload
refresh_pattern -i [.]jpeg$ 2880 50% 2880000 override-lastmod ignore-reload
refresh_pattern -i [.]gif$ 2880 50% 2880000 override-lastmod ignore-reload
refresh_pattern -i [.]png$ 2880 50% 2880000 override-lastmod ignore-reload
refresh_pattern -i [.]swf$ 2880 50% 2880000 override-lastmod ignore-reload
# NOTE(review): the .mp*/.mpeg/.avi rules are unreachable while the
# "TEST" ads_regex entries for \.mp.$ and \.avi$ are active, because
# those requests are denied before anything is cached.
refresh_pattern -i [.]mp[g123]$ 2880 50% 2880000 override-lastmod reload-into-ims
refresh_pattern -i [.]mpeg$ 2880 50% 2880000 override-lastmod reload-into-ims
refresh_pattern -i [.]avi$ 2880 50% 2880000 override-lastmod reload-into-ims
# Data
refresh_pattern -i [.]gz$ 2880 50% 2880000 override-lastmod reload-into-ims
refresh_pattern -i [.]tgz$ 2880 50% 2880000 override-lastmod reload-into-ims
refresh_pattern -i [.]bz$ 2880 50% 2880000 override-lastmod reload-into-ims
refresh_pattern -i [.]bz2$ 2880 50% 2880000 override-lastmod reload-into-ims
refresh_pattern -i [.]zip$ 2880 50% 2880000 override-lastmod reload-into-ims
refresh_pattern -i [.]arj$ 2880 50% 2880000 override-lastmod reload-into-ims
refresh_pattern -i [.]rar$ 2880 50% 2880000 override-lastmod reload-into-ims
refresh_pattern -i [.]dat$ 2880 50% 2880000 override-lastmod reload-into-ims
# Probably generated content
refresh_pattern -i [.]php$ 0 20% 28800
refresh_pattern -i [?] 0 20% 28800
refresh_pattern -i cgi 0 20% 28800
# Probably plain HTML (first one is for http://host.com/dir/dir/ type URLs)
refresh_pattern -i /$ 2880 50% 2880000 override-lastmod reload-into-ims
refresh_pattern -i [.]htm$ 2880 50% 2880000 override-lastmod reload-into-ims
refresh_pattern -i [.]html$ 2880 50% 2880000 override-lastmod reload-into-ims
refresh_pattern -i [.]xml$ 2880 50% 2880000 override-lastmod reload-into-ims
# NOTE(review): "ignore-reload" on .css/.js is the riskiest of these --
# a script served from cache cannot be refreshed by the user after the
# origin replaces it; consider reload-into-ims as used for HTML.
refresh_pattern -i [.]css$ 2880 50% 2880000 override-lastmod ignore-reload
refresh_pattern -i [.]js$ 2880 50% 2880000 override-lastmod ignore-reload
# All other
refresh_pattern . 0 50% 28800
# If you want retrievals to always continue if they are being
# cached then set 'quick_abort_min' to '-1 KB'.
quick_abort_min 0 KB
quick_abort_max 0 KB
quick_abort_pct 90
# negative_ttl 5 minutes
# positive_dns_ttl 6 hours
# negative_dns_ttl 5 minutes
# This is to stop a far ahead range request (lets say start at 17MB)
# from making Squid fetch the whole object up to that point before
# sending anything to the client.
# range_offset_limit 0 KB
#
# Section 5: timeouts, the http_access policy, process identity and the
# httpd-accelerator settings.
#
# connect_timeout 2 minutes
# peer_connect_timeout 30 seconds
# read_timeout 15 minutes
# request_timeout 5 minutes
# persistent_request_timeout 1 minute
# client_lifetime 1 day
# half_closed_clients on
# pconn_timeout 120 seconds
# ident_timeout 10 seconds
# shutdown_lifetime 30 seconds
#Recommended minimum configuration:
# http_access rules are evaluated top to bottom; the first matching
# line decides. Summary of the active policy:
#   * cache manager (cache_object://) only from 127.0.0.1
#   * CONNECT only to ports 443/563 and never to 127.0.0.1
#   * anything matching ads_regex denied
#   * everything else allowed from "intranet" and localhost, denied
#     for all other sources
# NOTE(review): cachemgr_passwd (below) is commented out, so the
# manager interface is reachable from localhost without a password;
# anything that can make a request from the proxy host itself gets it.
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
#
# Deny requests to unknown ports
# NOTE(review): with this rule (and the Safe_ports ACL) commented out,
# a plain GET may be proxied to any destination port, e.g. SMTP or
# other non-HTTP services reachable from the proxy host.
# http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
# NOTE(review): only CONNECT is kept away from 127.0.0.1. A plain
# http://127.0.0.1:.../ request from an "intranet" client is still
# forwarded, which exposes loopback-only services on the proxy host
# (including this listener itself). The stock squid.conf recommends
# "http_access deny to_localhost" for all methods; the to_localhost
# ACL is already defined above.
http_access deny CONNECT to_localhost
# Disabled, so the no_ads_regex exceptions defined above never apply.
# http_access allow no_ads_regex
http_access deny ads_regex
http_access allow intranet
http_access allow localhost
http_access deny all
http_reply_access allow all
# ICP is off (icp_port 0), so this line currently has no effect.
icp_access allow all
# Use to force your neighbors to use you as a sibling instead of
# a parent. For example:
# acl localclients src 172.16.0.0/16
# miss_access allow localclients
# miss_access deny !localclients
# miss_access allow all
# Similar to 'cache_peer_domain' but provides more flexibility by
# using ACL elements.
# cache_peer_access cache-host allow|deny [!]aclname ...
# none
ident_lookup_access deny all
# tcp_outgoing_tos
# none
# tcp_outgoing_address
# none
# reply_body_max_size 0 allow all
# Email-address of local cache manager who will receive
# mail if the cache dies. The default is "webmaster."
# cache_mgr webmaster
# NOTE(review): this name is what Squid would put in its Via header and
# error pages. Via is denied for all requests near the end of this
# file, so forwarding loops cannot be detected through it -- presumably
# that is accepted; verify nothing upstream relies on it.
visible_hostname 127.0.0.1
# cache_effective_user
# cache_effective_group
# Squid drops to this unprivileged user/group after binding its ports.
cache_effective_user squid
cache_effective_group daemon
# unique_hostname
# none
# hostname_aliases
# none
# announce_period 0
# announce_host
# announce_file
# announce_port
# announce_host tracker.ircache.net
# announce_port 3131
# TAG: httpd_accel_host
# TAG: httpd_accel_port
# If you want to run Squid as an httpd accelerator, define the
# host name and port number where the real HTTP server is.
# If you want IP based virtual host support then specify the
# hostname as "virtual". This will make Squid use the IP address
# where it accepted the request as hostname in the URL.
# If you want virtual port support then specify the port as "0".
# NOTE: enabling httpd_accel_host disables proxy-caching and
# ICP. If you want these features enabled also, then set
# the 'httpd_accel_with_proxy' option.
#
#Default:
# NOTE(review): "virtual" + port 0 + httpd_accel_with_proxy on +
# httpd_accel_uses_host_header on makes this listener accept
# origin-form requests and route them by whatever Host header the
# client sends, in addition to acting as a forward proxy. This
# combination has been documented by the Squid project as a
# cache-poisoning risk (a forged Host header can seed the shared cache
# with content for a name other than the one really contacted).
# Confirm the accelerator mode is actually needed here.
httpd_accel_host virtual
httpd_accel_port 0
#debug_options ALL,1 33,6
# TAG: httpd_accel_single_host on|off
# If you are running Squid as an accelerator and have a single backend
# server then set this to on. This causes Squid to forward the request
# to this server regardless of what any redirectors or Host headers
# says.
# httpd_accel_single_host off
# TAG: httpd_accel_with_proxy on|off
# If you want to use Squid as both a local httpd accelerator
# and as a proxy, change this to 'on'. Note however that your
# proxy users may have trouble to reach the accelerated domains
# unless their browsers are configured not to use this proxy for
# those domains
httpd_accel_with_proxy on
# TAG: httpd_accel_uses_host_header on|off
# HTTP/1.1 requests include a Host: header which is basically the
# hostname from the URL. The Host: header is used for domain based
# virtual hosts. If your accelerator needs to provide domain based
# virtual hosts on the same IP address then you will need to turn this
# on.
httpd_accel_uses_host_header on
dns_testnames localhost
# logfile_rotate 10
#Example:
# append_domain .yourdomain.com
#Default:
# none
# tcp_recv_bufsize 0 bytes
# TAG: err_html_text
# none
# TAG: deny_info
# none
# TAG: memory_pools on|off
memory_pools off
# TAG: memory_pools_limit (bytes)
# none
# TAG: forwarded_for on|off
# Off: client addresses are not appended to X-Forwarded-For on
# outbound requests (the header itself is also denied further down).
forwarded_for off
# TAG: log_icp_queries on|off
# log_icp_queries on
# TAG: icp_hit_stale on|off
# icp_hit_stale off
# TAG: minimum_direct_hops
# minimum_direct_hops 4
# TAG: minimum_direct_rtt
# minimum_direct_rtt 400
# TAG: cachemgr_passwd
# cachemgr_passwd disable all
# TAG: store_avg_object_size (kbytes)
# store_avg_object_size 13 KB
# TAG: store_objects_per_bucket
# store_objects_per_bucket 20
# TAG: client_db on|off
# client_db off
# TAG: netdb_low
# TAG: netdb_high
# The low and high water marks for the ICMP measurement
# database. These are counts, not percents
# netdb_low 900
# netdb_high 1000
# TAG: netdb_ping_period
# netdb_ping_period 5 minutes
# TAG: query_icmp on|off
# query_icmp off
# TAG: test_reachability on|off
# test_reachability off
# TAG: buffered_logs on|off
# buffered_logs off
# TAG: reload_into_ims on|off
# When you enable this option, client no-cache or reload
# requests will be changed to If-Modified-Since requests.
# Doing this VIOLATES the HTTP standard. Enabling this
# feature could make you liable for problems which it
# causes.
# reload_into_ims off
# TAG: header_access
# Usage: header_access header_name allow|deny [!]aclname ...
# For example, to achieve the same behaviour as the old # 'http_anonymizer standard' option, you should use: header_access From deny all header_access Via deny all header_access X-Forwarded-For deny all # TAG: header_replace # Usage: header_replace header_name message # Example: header_replace User-Agent Nutscrape/1.0 (CP/M; 8-bit) # none # TAG: icon_directory # icon_directory /usr/app/squid-2.5.STABLE10/share/icons # TAG: error_directory # error_directory /usr/app/squid-2.5.STABLE10/share/errors/English # TAG: minimum_retry_timeout (seconds) # minimum_retry_timeout 5 seconds # TAG: maximum_single_addr_tries # maximum_single_addr_tries 3 # TAG: snmp_port # By default it listens to port 3401 on the machine. If you don't # wish to use SNMP, set this to "0". # vda:unrecognized: snmp_port 0 # TAG: snmp_access # snmp_access allow|deny [!]aclname ... # vda:unrecognized: snmp_access deny all # TAG: snmp_incoming_address # TAG: snmp_outgoing_address # snmp_incoming_address 0.0.0.0 # snmp_outgoing_address 255.255.255.255 # TAG: as_whois_server # WHOIS server to query for AS numbers. NOTE: AS numbers are # queried only when Squid starts up, not for every request. # as_whois_server whois.ra.net # as_whois_server whois.ra.net # TAG: wccp_router # Use this option to define your WCCP home router for # Squid. Setting the 'wccp_router' to 0.0.0.0 (the default) # disables WCCP. # wccp_router 0.0.0.0 # TAG: wccp_version # According to some users, Cisco IOS 11.2 only supports WCCP # version 3. If you're using that version of IOS, change # this value to 3. 
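# wccp_version 4
# TAG: wccp_incoming_address
# TAG: wccp_outgoing_address
# wccp_incoming_address 0.0.0.0
# wccp_outgoing_address 255.255.255.255
# TAG: delay_pools
# delay_pools 0
# TAG: delay_class
# delay_pools 2 # 2 delay pools
# delay_class 1 2 # pool 1 is a class 2 pool
# delay_class 2 3 # pool 2 is a class 3 pool
# TAG: delay_access
# none
# TAG: delay_parameters
# delay_parameters pool aggregate
# delay_parameters pool aggregate individual
# delay_parameters pool aggregate network individual
#delay_parameters 1 -1/-1 8000/8000
#delay_parameters 2 32000/32000 8000/8000 600/64000
# TAG: delay_initial_bucket_level (percent, 0-100)
# delay_initial_bucket_level 50
# TAG: incoming_icp_average
# TAG: incoming_http_average
# TAG: incoming_dns_average
# TAG: min_icp_poll_cnt
# TAG: min_dns_poll_cnt
# TAG: min_http_poll_cnt
# Heavy voodoo here. I can't even believe you are reading this.
# Are you crazy? Don't even think about adjusting these unless
# you understand the algorithms in comm_select.c first!
# incoming_icp_average 6
# incoming_http_average 4
# incoming_dns_average 4
# min_icp_poll_cnt 8
# min_dns_poll_cnt 8
# min_http_poll_cnt 8
# TAG: max_open_disk_fds
# max_open_disk_fds 0
# TAG: offline_mode
# Enable this option and Squid will never try to validate cached
# objects.
# offline_mode off
# TAG: uri_whitespace
# NOTE(review): the default "strip" is the safe choice; "allow" would pass
# URIs containing raw whitespace through unchanged to origin servers and any
# redirector/url_regex ACLs, which is a classic way to slip past URL filters.
# Leave it at the default unless a specific client needs otherwise.
# uri_whitespace strip
# TAG: broken_posts
# acl buggy_server url_regex ^http://....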
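# broken_posts allow buggy_server
# TAG: mcast_miss_addr
# mcast_miss_addr 255.255.255.255
# TAG: mcast_miss_ttl
# mcast_miss_ttl 16
# TAG: mcast_miss_port
# mcast_miss_port 3135
# TAG: mcast_miss_encode_key
# NOTE(review): the 16 X's are a placeholder from the stock config, not a key.
# If multicast miss reporting is ever enabled, set a real shared key before
# setting mcast_miss_addr, and treat the feature as obfuscation rather than
# strong encryption of the URLs it broadcasts.
# mcast_miss_encode_key XXXXXXXXXXXXXXXX
# TAG: nonhierarchical_direct
# nonhierarchical_direct on
# TAG: prefer_direct
# prefer_direct off
# TAG: strip_query_terms
# NOTE(review): keep this on -- query strings often carry session IDs and
# tokens, and "on" keeps them out of access.log.
# strip_query_terms on
# TAG: coredump_dir
# Leave coredumps in the first cache dir
# NOTE(review): a core dump of the proxy can contain in-flight request and
# response bodies and any client credentials (e.g. Proxy-Authorization) that
# were in memory. Make sure this directory is owned by the cache effective
# user with mode 0700, that the files are not served or backed up with the
# cache, and that old cores are removed.
coredump_dir /var/cache/squid-2
# TAG: redirector_bypass
# NOTE(review): "off" is the fail-closed setting: when every redirector is
# busy, requests wait instead of skipping the redirector. Turning it on would
# let requests bypass whatever filtering the redirector enforces under load.
# redirector_bypass off
# TAG: ignore_unknown_nameservers
# ignore_unknown_nameservers on
# TAG: digest_generation
# digest_generation on
# TAG: digest_bits_per_entry
# digest_bits_per_entry 5
# TAG: digest_rebuild_period (seconds)
# digest_rebuild_period 1 hour
# TAG: digest_rewrite_period (seconds)
# digest_rewrite_period 1 hour
# TAG: digest_swapout_chunk_size (bytes)
# digest_swapout_chunk_size 4096 bytes
# TAG: digest_rebuild_chunk_percentage (percent, 0-100)
# digest_rebuild_chunk_percentage 10
# TAG: chroot
# NOTE(review): not set. Consider a chroot (or an equivalent OS-level
# sandbox) for a proxy exposed to untrusted clients; it limits what a
# compromised Squid process can read or write on the host.
# none
# TAG: client_persistent_connections
# TAG: server_persistent_connections
# client_persistent_connections on
# server_persistent_connections on
# TAG: pipeline_prefetch
# pipeline_prefetch off
# TAG: extension_methods
# none
# TAG: request_entities
# request_entities off
# TAG: high_response_time_warning (msec)
# high_response_time_warning 0
# TAG: high_page_fault_warning
# high_page_fault_warning 0
# TAG: high_memory_warning
# high_memory_warning 0
# TAG: store_dir_select_algorithm
# store_dir_select_algorithm least-load
# TAG: forward_log
# none
# TAG: ie_refresh on|off
# ie_refresh off
# TAG: vary_ignore_expire on|off
# vary_ignore_expire off
# TAG: sleep_after_fork (microseconds)
# sleep_after_fork 0
# What to log
# NOTE(review): section 33 at level 3 logs full request/response headers,
# including Authorization / Proxy-Authorization and cookies, into cache.log.
# Enable it only for short diagnostic sessions and scrub the log afterwards.
#debug_options ALL,1 22,3 #22,3: log refresh decisions
#debug_options ALL,1 33,3 #33,3: hit/miss decision, headers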
