[squid-users] this config is ok? is ok the order?

erdosain9 erdosain9 at gmail.com
Tue May 30 15:23:32 UTC 2017

acl local_machines dst 

###Kerberos Auth with ActiveDirectory###
auth_param negotiate program /lib64/squid/negotiate_kerberos_auth -s
HTTP/squid.xxxxxxx.lan at xxxxxxx.LAN
auth_param negotiate children 25 startup=0 idle=1
auth_param negotiate keep_alive on

external_acl_type i-full %LOGIN /usr/lib64/squid/ext_kerberos_ldap_group_acl
-g i-full at xxxxxxx.LAN
external_acl_type i-limitado %LOGIN
/usr/lib64/squid/ext_kerberos_ldap_group_acl -g i-limitado at xxxxxxx.LAN

acl i-full external i-full
acl i-limitado external i-limitado

####Bloquea Publicidad ( http://pgl.yoyo.org/adservers/ )
acl ads dstdom_regex "/etc/squid/listas/ad_block.lst"
http_access deny ads
#deny_info TCP_RESET ads

acl youtube url_regex -i \.flv$
acl youtube url_regex -i \.mp4$
acl youtube url_regex -i watch?
acl youtube url_regex -i youtube
acl facebook url_regex -i facebook
acl facebook url_regex -i fbcdn\.net\/v\/(.*\.mp4)\?
acl facebook url_regex -i fbcdn\.net\/v\/(.*\.jpg)\? 
acl facebook url_regex -i akamaihd\.net\/v\/(.*\.mp4)\?
acl facebook url_regex -i akamaihd\.net\/v\/(.*\.jpg)\?

##Dominios denegados
acl dominios_denegados dstdomain "/etc/squid/listas/dominios_denegados.lst"

acl SSL_ports port 443
acl SSL_ports port 8443
acl SSL_ports port 8080
acl SSL_ports port 20000
acl SSL_ports port 10000
acl SSL_ports port 2083

acl Safe_ports port 631         # httpCUPS
acl Safe_ports port 85
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 8443        # httpsalt
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 8080        # edesur y otros
acl Safe_ports port 2199	# radio

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost


# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow i-limitado !dominios_denegados 
http_access allow i-full !dominios_denegados 
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port ssl-bump generate-host-certificates=on
dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myca.pem

acl step1 at_step SslBump1 

acl excludeSSL ssl::server_name_regex "/etc/squid/listas/excluidosSSL.lst"

ssl_bump peek step1 
ssl_bump splice excludeSSL 
ssl_bump bump all 

# Uncomment and adjust the following to add a disk cache directory.
cache_dir diskd /var/spool/squid 15000 16 256
cache_mem 1000 MB
maximum_object_size_in_memory 1 MB

cache_swap_low 90
cache_swap_high 95

cache deny local_machines
quick_abort_min 1024 KB
quick_abort_max 2048 KB
quick_abort_pct 90

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

#Your refresh_pattern
refresh_pattern -i \.jpg$ 30 0% 30 ignore-no-cache ignore-no-store
refresh_pattern -i ^http:\/\/www\.google\.com\/$ 0 20% 360 override-expire
override-lastmod ignore-reload ignore-no-cache ignore-no-store
reload-into-ims ignore-must-revalidate

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:		1440	20%	10080
refresh_pattern ^gopher:	1440	0%	1440
refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
refresh_pattern .		0	20%	4320

###ACTIVAR EN CASO DE "Connection reset by peer" EN MUCHOS HOST
via off
forwarded_for delete

#Pools para ancho de banda
delay_pools 5

#Ancho de Youtube
delay_class 1 2 
delay_parameters 1 1000000/1000000 50000/256000
delay_access 1 allow i-limitado youtube !facebook
delay_access 1 deny all

#Ancho de Facebook
delay_class 2 2 
delay_parameters 2 1000000/1000000 50000/256000
delay_access 2 allow i-limitado facebook !youtube
delay_access 2 deny all

#Ancho de banda YOUTUBE FULL
delay_class 3 1
delay_parameters 3 1000000/1000000
delay_access 3 allow i-full youtube !facebook
delay_access 3 deny all

#Ancho de banda LIMITADO
delay_class 4 3 
delay_parameters 4 3000000/3000000 1000000/1000000 256000/512000
delay_access 4 allow i-limitado !youtube !facebook
delay_access 4 deny all

#Ancho de banda FULL
delay_class 5 3
delay_parameters 5 1500000/1500000 750000/750000 256000/512000
delay_access 5 allow i-full !youtube !facebook
delay_access 5 deny all

visible_hostname squid.xxxxxxx.lan

# try connecting to first 25 ips of a domain name
forward_max_tries 25

# fix some ipv6 errors (recommended to comment out) 
dns_v4_first on

# c-icap integration
# -------------------------------------
# Adaptation parameters
# -------------------------------------
icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_header X-Authenticated-User
icap_preview_enable on
icap_preview_size 1024
icap_service service_avi_req reqmod_precache
icap:// bypass=on
adaptation_access service_avi_req allow all
icap_service service_avi_resp respmod_precache
icap:// bypass=off
adaptation_access service_avi_resp allow all
# end integration

View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/this-config-is-ok-is-ok-the-order-tp4682631.html
Sent from the Squid - Users mailing list archive at Nabble.com.

More information about the squid-users mailing list