-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathsquid.conf
executable file
·58 lines (41 loc) · 2.99 KB
/
squid.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
(snipped for security)
...
logformat combinedjson { "message": "%ts.%03tu %6tr %>a %Ss/%03>Hs %<st %"rm %"ru %"un %Sh/%<a %mt", "httpRequest": { "requestMethod": "%"rm", "requestUrl": "%"ru", "requestSize": "%>st", "status": "%>Hs", "responseSize": "%<st", "userAgent": "%"{User-Agent}>h", "remoteIp": "%"{X-Real-IP}>h", "serverIp": "%<a", "latency": "%<ttms", "protocol": "HTTP/%rv" }, "client_device_serial": "%"un", "request_status": "%Ss", "hierarchy_status": "%Sh" }
access_log /var/log/squid/access.log combinedjson
cache_log /var/log/squid/cache.log
cache_store_log none
strip_query_terms off
auth_param basic program /sbin/null-auth.sh
auth_param basic children 5 startup=5 idle=1
auth_param basic credentialsttl 5 hours
auth_param basic casesensitive on
auth_param basic realm proxy
acl CONNECT method CONNECT
acl authenticatedusers proxy_auth REQUIRED
acl me src 127.0.0.0/8
acl ssl_ports port 443
acl safe_ports port 80 443
acl whitelist dstdom_regex -i "/etc/squid/acl/whitelist.acl"
acl blacklist dstdom_regex -i "/etc/squid/acl/blacklist.acl"
acl whitelist_unauthenticated dstdom_regex -i "/etc/squid/acl/whitelist_unauthenticated.acl"
acl unauthenticated_ports port 80 443
# Allow unauthenticated whitelist from external IPs (not via mTLS gateway)
http_access allow CONNECT whitelist_unauthenticated unauthenticated_ports !me
http_access allow whitelist_unauthenticated unauthenticated_ports !me
# Block all other connections from external IPs (not via mTLS gateway)
http_access deny !me
# Block all unauthenticated users (mTLS gateway should include authentication headers)
# This is required to make Squid check the authentication headers & log the username.
http_access deny !authenticatedusers
# Also allow authenticated access to the unauthenticated whitelist.
http_access allow CONNECT whitelist_unauthenticated unauthenticated_ports
http_access allow whitelist_unauthenticated unauthenticated_ports
http_access deny !safe_ports
http_access deny CONNECT !ssl_ports
# Always allow access to whitelist domains
http_access allow whitelist
# Block access to blacklist domains
http_access deny blacklist
http_access deny all
...
(snipped for security)