[squid-users] Config Recommendations

creditu at eml.cc creditu at eml.cc
Mon Dec 5 00:44:36 UTC 2016


For a 3.1 accelerator we have put the following config together.  This
accelerator will not be doing any caching since we use an external
service.  Initially both http and https will be provided.  Some
questions:  I think the ordering of statements and acls is correct, but
was hoping to get some feedback if possible.  Also, since we want to
turn caching off completely, I was wondering if some of the statements
are unnecessary.  Any feedback or recommendations on the overall config
would be appreciated.

-----------------------------------
# Hostname Squid reports for itself.
visible_hostname squid.example.com

# Plain-HTTP accelerator listeners, one address per site. Requests arriving
# here are unencrypted, and nothing in this listing redirects them to HTTPS.
http_port 192.168.100.1:80 accel defaultsite=www.example.com vhost
http_port 192.168.100.2:80 accel defaultsite=dev.example.com vhost
http_port 192.168.100.4:80 accel defaultsite=test1.example.com vhost

# TLS accelerator listeners.
# NOTE(review): each https_port directive is shown wrapped over four lines,
# presumably by the mail client; confirm the real squid.conf keeps each
# directive on a single line.
# options= switches off SSLv2 and SSLv3 only, so TLS 1.0 is still accepted.
# Which newer protocol versions are offered depends on the OpenSSL library
# this build links against -- TODO confirm before tightening further.
# The cipher list is elided as [cipher-list], so cipher strength cannot be
# reviewed from this listing.
# All three listeners name the same cert/key paths as written (placeholders
# in this post). The private key file should be readable only by the account
# that starts Squid.
https_port 192.168.100.1:443 accel defaultsite=www.example.com vhost
cert=/path/cert.pem key=/path/key.pem
options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE,CIPHER_SERVER_PREFERENCE
cipher=[cipher-list] dhparams=/path/dhparams.pem
https_port 192.168.100.2:443 accel defaultsite=dev.example.com vhost
cert=/path/cert.pem key=/path/key.pem
options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE,CIPHER_SERVER_PREFERENCE
cipher=[cipher-list] dhparams=/path/dhparams.pem
https_port 192.168.100.4:443 accel defaultsite=test1.example.com vhost
cert=/path/cert.pem key=/path/key.pem
options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE,CIPHER_SERVER_PREFERENCE
cipher=[cipher-list] dhparams=/path/dhparams.pem

# Backend servers for www: two origin servers, selected round-robin.
# Every cache_peer in this listing targets port 80 with no TLS option, so
# requests that reached Squid on 443 are forwarded to the origin in
# cleartext. That is only acceptable if the 10.10.10.0/24 segment is trusted.
# Each peer is restricted by cache_peer_access to its own site's dstdomain
# ACL, with an explicit "deny all" so no other Host value can reach it.
acl www dstdomain www.example.com
cache_peer 10.10.10.1 parent 80 0 no-query no-digest originserver
round-robin
cache_peer_access 10.10.10.1 allow www
cache_peer_access 10.10.10.1 deny all

cache_peer 10.10.10.2 parent 80 0 no-query no-digest originserver
round-robin
cache_peer_access 10.10.10.2 allow www
cache_peer_access 10.10.10.2 deny all

# Backend server for dev: a single origin, so round-robin has only one
# member to pick from.
# NOTE(review): listeners for test1.example.com are declared earlier in this
# file, but no cache_peer for that site appears in this listing -- confirm
# where its requests are meant to go.
acl dev dstdomain dev.example.com
cache_peer 10.10.10.3 parent 80 0 no-query no-digest originserver
round-robin
cache_peer_access 10.10.10.3 allow dev
cache_peer_access 10.10.10.3 deny all

# Debug (left commented out)
#debug_options All,1

# Account and group Squid runs as after start-up.
cache_effective_user squid
cache_effective_group squid

# Never store any response: this instance only forwards.
cache deny all

# Logging.
# buffered_logs on trades durability for throughput; the most recent entries
# may be missing from disk after a crash, which matters for incident review.
cache_log /var/log/squid/cache.log
buffered_logs on
cache_store_log none
# strip_query_terms off writes complete query strings to access.log. Query
# strings can carry session tokens or personal data, so the log file needs
# access controls and a retention policy that match that content.
strip_query_terms off
# NOTE(review): access_log below names the "custom" format explicitly, so
# emulate_httpd_log presumably has no effect on it -- confirm.
emulate_httpd_log on
# Custom format: client address, ident, user, local time, request line,
# status, reply size, Referer, User-Agent, Host, response time, and the
# Squid result and hierarchy codes. (The logformat line is wrapped here.)
# NOTE(review): if the external caching service mentioned in the post sits
# in front of Squid, %>a would record that service's address rather than the
# end client's -- confirm what source address is needed for forensics.
logformat custom %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st
"%{Referer}>h" "%{User-Agent}>h" "%{Host}>h" "%tr" %Ss:%Sh
access_log /var/log/squid/access.log custom

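# ACL definitions used by the http_access rules below.
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl Safe_ports port 80
acl Safe_ports port 443
# SSL_ports is referenced only by the commented-out CONNECT rule below.
acl SSL_ports port 443
# Source range that also contains the backend peers (10.10.10.1-3).
acl internal src 10.10.10.0/24
acl CONNECT method CONNECT

# test1 site ACLs. test1_dst is defined but not referenced by any rule in
# this listing.
acl test1_dst dstdomain test1.example.com
# Matches on the Referer request header. That header is supplied by the
# client and can be set to any value, so this ACL must not be treated as
# authentication or as a trust boundary.
acl test1-refer referer_regex -i [^:]+://[^/]+/test1/
# NOTE(review): the dots are unescaped and the pattern is unanchored, so it
# matches more than the literal host name -- tighten before enabling a rule
# that depends on it.
acl test1 url_regex -i [^:]+://test1.example.com

# NOTE(review): deny_info presumably applies only when "test1" is the last
# ACL on a matching deny line; the only such line below is commented out, so
# this directive currently has nothing to act on -- confirm.
deny_info TCP_RESET test1

# Rules are evaluated top-down and the first match decides, so the
# restrictive rules come before the allows.
http_access deny !Safe_ports
#http_access deny CONNECT !SSL_ports
# An accelerator has no use for CONNECT tunnels, so they are refused outright.
http_access deny CONNECT
# Cache manager requests are accepted from the local host only.
http_access allow manager localhost
http_access deny manager
# Reject clients whose source address is in the backend subnet.
http_access deny internal
http_access deny to_localhost
http_access allow localhost
http_access allow www
http_access allow dev
# Fixed: the original line referenced "test-refer", which is not defined
# anywhere in this file; the ACL declared above is "test1-refer".
# This rule admits any request carrying a matching Referer value. Because
# the client controls that header, treat it as a convenience filter only.
http_access allow test1-refer
#http_access deny test1

# Default deny for everything not matched above.
http_access deny all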

# External URL rewriter: Squid starts 5 helper processes from this binary.
# The helper is part of the request path, so the binary and its directory
# should be writable only by root, not by the squid account.
url_rewrite_program /usr/local/bin/red_http
url_rewrite_children 5

# Cache manager: the "info" action needs no password and every other action
# is disabled. Access to the manager is additionally limited to the local
# host by the http_access rules earlier in this file.
cachemgr_passwd none info
cachemgr_passwd disable all
# NOTE(review): the address looks mangled by the list archive ("at"), and
# "exampe.com" looks like a typo for example.com -- confirm the real value.
cache_mgr user at exampe.com

# Reject host names containing underscores.
allow_underscore off
# Keep the Squid version out of generated headers and error pages.
httpd_suppress_version_string on
# log_mime_hdrs records request and reply headers in the access log. Those
# headers can include Cookie and Authorization values, so enabling this
# makes access.log as sensitive as the credentials it may contain.
# NOTE(review): whether it adds anything to the custom logformat used by
# access_log is not clear from this listing -- confirm, and prefer listing
# the specific headers needed.
log_mime_hdrs on

# Per-client statistics and ICP query logging are turned off.
client_db off
log_icp_queries off
# NOTE(review): with "cache deny all" set earlier, the replacement policies
# below tune a cache that holds nothing and are likely unnecessary -- confirm.
cache_replacement_policy heap GDSF
memory_replacement_policy heap GDSF
##cache_mem 1000 MB
##cache_dir diskd /var/spool/squid 5000 16 256


