From 8f3b60d4a0fb36e96db74b74ed14bfbec343e440 Mon Sep 17 00:00:00 2001 From: Giles Bradshaw Date: Mon, 3 Aug 2020 17:11:16 +0100 Subject: [PATCH] added squid.conf --- docker-compose.yml | 1 + squid.conf | 121 +++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 122 insertions(+) create mode 100644 squid.conf diff --git a/docker-compose.yml b/docker-compose.yml index ddbc472..17429e7 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -10,6 +10,7 @@ services: image: sameersbn/squid:3.5.27-2 volumes: - squid-cache:/var/spool/squid + - ./squid.conf:/etc/squid/squid.conf ports: - 3128:3128 networks: diff --git a/squid.conf b/squid.conf new file mode 100644 index 0000000..b53fd05 --- /dev/null +++ b/squid.conf @@ -0,0 +1,121 @@ +## Tested and working on squid 3.3.10-r0 and Alpine 2.7.1 (kernel 3.10.19-0-grsec), 64-bit +## Example rule allowing access from your local networks. +## Adapt to list your (internal) IP networks from where browsing +## should be allowed +acl localnet src 10.0.0.0/8 # RFC1918 possible internal network +acl localnet src 172.16.0.0/12 # RFC1918 possible internal network +acl localnet src 192.168.2.0/24 # RFC1918 possible internal network +## Allow anyone to use the proxy (you should lock this down to client networks only!): +# acl localnet src all +## IPv6 local addresses: +acl localnet src fc00::/7 # RFC 4193 local private network range +acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines + +acl SSL_ports port 443 +acl Safe_ports port 80 # http +acl Safe_ports port 21 # ftp +acl Safe_ports port 443 # https +acl Safe_ports port 70 # gopher +acl Safe_ports port 210 # waiss +acl Safe_ports port 1025-65535 # unregistered ports +acl Safe_ports port 280 # http-mgmt +acl Safe_ports port 488 # gss-http +acl Safe_ports port 591 # filemaker +acl Safe_ports port 777 # multiling http +acl CONNECT method CONNECT +acl QUERY urlpath_regex cgi-bin \? asp aspx jsp + +## Prevent caching jsp, cgi-bin etc +cache deny QUERY + +## Only allow access to the defined safe ports whitelist +http_access deny !Safe_ports + +## Deny CONNECT to other than secure SSL ports +http_access deny CONNECT !SSL_ports + +## Only allow cachemgr access from localhost +http_access allow localhost manager +http_access deny manager + +## We strongly recommend the following be uncommented to protect innocent +## web applications running on the proxy server who think the only +## one who can access services on "localhost" is a local user +http_access deny to_localhost + +## +## INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS +## + +## Example rule allowing access from your local networks. +## Adapt localnet in the ACL section to list your (internal) IP networks +## from where browsing should be allowed +http_access allow localnet +http_access allow localhost + +## And finally deny all other access to this proxy +http_access deny all + +## Squid normally listens to port 3128 +http_port 3128 +## If you have multiple interfaces you can specify to listen on one IP like this: +#http_port 1.2.3.4:3128 + +## Uncomment and adjust the following to add a disk cache directory. +## 1024 is the disk space to use for cache in MB, adjust as you see fit! +## Default is no disk cache +#cache_dir ufs /var/cache/squid 1024 16 256 +## Better, use 'aufs' cache type, see +##http://www.squid-cache.org/Doc/config/cache_dir/ for info. +#cache_dir aufs /var/cache/squid 1024 16 256 +## Recommended to only change cache type when squid is stopped, and use 'squid -z' to +## ensure cache is (re)created correctly + +## Leave coredumps in the first cache dir +#coredump_dir /var/cache/squid + +## Where does Squid log to? +#access_log /var/log/squid/access.log +## Use the below to turn off access logging +access_log none +## When logging, web auditors want to see the full uri, even with the query terms +#strip_query_terms off +## Keep 7 days of logs +#logfile_rotate 7 + +## How much RAM, in MB, to use for cache? Default since squid 3.1 is 256 MB +cache_mem 64 MB + +## Maximum size of individual objects to store in cache +maximum_object_size 1 MB + +## Amount of data to buffer from server to client +read_ahead_gap 64 KB + +## Use X-Forwarded-For header? +## Some consider this a privacy/security risk so it is often disabled +## However it can be useful to identify misbehaving/problematic clients +#forwarded_for on +forwarded_for delete + +## Suppress sending squid version information +httpd_suppress_version_string on + +## How long to wait when shutting down squid +shutdown_lifetime 30 seconds + +## Replace the User Agent header. Be sure to deny the header first, then replace it :) +#request_header_access User-Agent deny all +#request_header_replace User-Agent Mozilla/5.0 (Windows; MSIE 9.0; Windows NT 9.0; en-US) + +## What hostname to display? (defaults to system hostname) +#visible_hostname a_proxy + +## Use a different hosts file? +#hosts_file /path/to/file + +## Add any of your own refresh_pattern entries above these. +refresh_pattern ^ftp: 1440 20% 10080 +refresh_pattern ^gopher: 1440 0% 1440 +refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 +refresh_pattern . 0 20% 4320 \ No newline at end of file