[squid-users] Squid configuration sanity check

Alex K rightkicktech at gmail.com
Mon May 7 12:24:30 UTC 2018 

Hi all,

I wanted to check with your accumulated wisdom the following squid
configuration.

The config is working both for splice or bump (by commenting/uncommenting
the respective line) using TPROXY. It is a config ported form an old
installation of squid 3.1 for the new 3.5 and although I did some cleanup I
am wondering if I am misusing any directive or missing any crucial one for
better performance or just for sake of cleanliness.

At the moment for filtering I am using squidGuard and considering to go
with ufdbGuard instead as pointed from Amos (thanx for that).

To avoid issues with some sites I am considering to use only splicing,
although this has some caveats as bumping also does. I could go with a
hybrid approach (splice some and bump all) but this sounds that this will
cause periodically more administrative overhead to sort out the sites that
need splicing.

The config has also some ACLs as an attempt to block media streaming by
those seem to not work.

The hardware running the squid is somehow small with 4 GB of RAM, 4 CPU
cores and 100 GB SSD in case one wonders.


http_port 192.168.200.1:3128 tproxy
https_port 192.168.200.1:3129 tproxy ssl-bump generate-host-certificates=on
dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myCA.pem

sslcrtd_program /usr/lib/squid/ssl_crtd -s /usr/local/squid/var/lib/ssl_db
-M 4MB
sslcrtd_children 5

shutdown_lifetime 5 seconds

# ACL
#acl ncsa_users proxy_auth REQUIRED
#acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 192.168.200.1/32

acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 10080
acl Safe_ports port 10443
acl SSL method CONNECT
acl CONNECT method CONNECT # multiling http
#acl block_url dstdomain "/etc/squid/block_url.squid"
#acl allow_url dstdomain "/etc/squid/allow_url.squid"
acl ELAN src 192.168.200.0/24

acl QUERY urlpath_regex cgi-bin \?

# SSL
always_direct allow all

# Video Streaming ACLs
acl media rep_mime_type ^.*mms.*
acl media rep_mime_type ^.*ms-hdr.*
acl media rep_mime_type ^.*x-fcs.*
acl media rep_mime_type ^.*x-ms-asf.*
acl media2 urlpath_regex dvrplayer mediastream mms://
acl media2 urlpath_regex \.asf$ \.afx$ \.flv$ \.swf$
acl flashvideo rep_mime_type -i video/flv
acl flashvideo rep_mime_type -i video/x-flv
acl shockwave rep_mime_type -i ^application/x-shockwave-flash$
acl x-type req_mime_type -i ^application/octet-stream$
acl x-type req_mime_type -i application/octet-stream
acl x-type req_mime_type -i ^application/x-mplayer2$
acl x-type req_mime_type -i application/x-mplayer2
acl x-type req_mime_type -i ^application/x-oleobject$
acl x-type req_mime_type -i application/x-oleobject
acl x-type req_mime_type -i application/x-pncmd
acl x-type req_mime_type -i ^video/x-ms-asf$
acl x-type2 rep_mime_type -i ^application/octet-stream$
acl x-type2 rep_mime_type -i application/octet-stream
acl x-type2 rep_mime_type -i ^application/x-mplayer2$
acl x-type2 rep_mime_type -i application/x-mplayer2
acl x-type2 rep_mime_type -i ^application/x-oleobject$
acl x-type2 rep_mime_type -i application/x-oleobject
acl x-type2 rep_mime_type -i application/x-pncmd
acl x-type2 rep_mime_type -i ^video/x-ms-asf$

# Block Media Streaming
http_reply_access deny flashvideo
http_reply_access deny shockwave
http_reply_access deny media
http_reply_access deny media2
http_reply_access deny x-type
http_reply_access deny x-type2

#
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
#http_access deny block_url
#http_access allow allow_url
http_access allow LAN
http_access allow ELAN

http_access allow localhost
#http_access allow ncsa_users
http_reply_access allow all

deny_info ERR_CUSTOM LAN ELAN media media2 flashvideo shockwave x-type
x-type2
error_directory /usr/share/squid-langpack/en

#icp_access allow all

# Logging
logfile_daemon /usr/lib/squid/log_db_daemon
access_log daemon:/127.0.0.1/squid_log/access_log/squid/squid squid
icap_log stdio:/var/log/squid/icap.log squid
cache_store_log stdio:/var/log/squid/store.log

# DNS
dns_nameservers 127.0.0.1
positive_dns_ttl 8 hours
negative_dns_ttl 30 seconds
ipcache_size 2048
ipcache_low 95
ipcache_high 97
fqdncache_size 2048

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid
cache_dir ufs /var/spool/squid 10240 16 256
minimum_object_size 0 KB
maximum_object_size 30 MB
maximum_object_size_in_memory 1024 KB

# HTTPS filtering
acl step1 at_step SslBump1

ssl_bump peek step1
ssl_bump splice all
#ssl_bump bump all

# SquidGuard
url_rewrite_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf
url_rewrite_children 5


Your input is highly appreciated.

Alex
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20180507/0787a525/attachment.html>

More information about the squid-users mailing list