Skip to content

Enhancement PR#1 #5

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 3 commits into
base: master
Choose a base branch
from
Open

Enhancement PR#1 #5

Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
66b0f9d
- [*] update conf/squid.conf to latest
suntong Jul 10, 2019
848b6b0
- [*] update Dockerfile to latest
suntong Jul 10, 2019
4758fe9
- [!] revert last commit, use back to last-good ver
suntong Jul 13, 2019
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
130 changes: 92 additions & 38 deletions conf/squid.conf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,13 +1,16 @@
## Tested and working on squid 3.3.10-r0 and Alpine 2.7.1 (kernel 3.10.19-0-grsec), 64-bit
#
# Recommended minimum configuration:
#

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
## Example rule allowing access from your local networks.
## Adapt to list your (internal) IP networks from where browsing
## should be allowed
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
## Allow anyone to use the proxy (you should lock this down to client networks only!):
# acl localnet src all
## IPv6 local addresses:
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines

Expand All @@ -16,68 +19,119 @@ acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 210 # waiss
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl QUERY urlpath_regex cgi-bin \? asp aspx jsp

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
## Prevent caching jsp, cgi-bin etc
cache deny QUERY

## Only allow access to the defined safe ports whitelist
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
## Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
## Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
## We strongly recommend the following be uncommented to protect innocent
## web applications running on the proxy server who think the only
## one who can access services on "localhost" is a local user
http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
##
## INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
##

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
## Example rule allowing access from your local networks.
## Adapt localnet in the ACL section to list your (internal) IP networks
## from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
## And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
## Squid normally listens to port 3128
http_port 3128

# Squid normally listens to port 4128 for ssl bump
http_port 4128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid-cert/private.pem key=/etc/squid-cert/private.pem
ssl_bump server-first all
always_direct allow all

# Uncomment and adjust the following to add a disk cache directory.
cache_dir ufs /var/cache/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/cache/squid

#
# Add any of your own refresh_pattern entries above these.
#
## If you have multiple interfaces you can specify to listen on one IP like this:
#http_port 1.2.3.4:3128

## Uncomment and adjust the following to add a disk cache directory.
## 1024 is the disk space to use for cache in MB, adjust as you see fit!
## Default is no disk cache
#cache_dir ufs /var/cache/squid 1024 16 256
## Better, use 'aufs' cache type, see
##http://www.squid-cache.org/Doc/config/cache_dir/ for info.
cache_dir aufs /var/cache/squid 1024 16 256
## Recommended to only change cache type when squid is stopped, and use 'squid -z' to
## ensure cache is (re)created correctly

## Leave coredumps in the first cache dir
#coredump_dir /var/cache/squid

## Where does Squid log to?
#access_log /var/log/squid/access.log
## Use the below to turn off access logging
access_log none
## When logging, web auditors want to see the full uri, even with the query terms
#strip_query_terms off
## Keep 7 days of logs
#logfile_rotate 7

## How much RAM, in MB, to use for cache? Default since squid 3.1 is 256 MB
cache_mem 64 MB

## Maximum size of individual objects to store in cache
maximum_object_size 1 MB

## Amount of data to buffer from server to client
read_ahead_gap 64 KB

## Use X-Forwarded-For header?
## Some consider this a privacy/security risk so it is often disabled
## However it can be useful to identify misbehaving/problematic clients
#forwarded_for on
forwarded_for delete

## Suppress sending squid version information
httpd_suppress_version_string on

## How long to wait when shutting down squid
shutdown_lifetime 30 seconds

## Replace the User Agent header. Be sure to deny the header first, then replace it :)
#request_header_access User-Agent deny all
#request_header_replace User-Agent Mozilla/5.0 (Windows; MSIE 9.0; Windows NT 9.0; en-US)

## What hostname to display? (defaults to system hostname)
#visible_hostname a_proxy

## Use a different hosts file?
#hosts_file /path/to/file

## Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 30 20% 4320 reload-into-ims

refresh_pattern . 30 20% 4320

range_offset_limit 200 MB
maximum_object_size 200 MB
quick_abort_min -1
quick_abort_min -1

# Squid normally listens to port 4128 for ssl bump
http_port 4128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid-cert/private.pem key=/etc/squid-cert/private.pem
ssl_bump server-first all
always_direct allow all