<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body style="overflow-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;">Hello fellow Squid Accelerator/Dynamic Cache/Web Cache Users/PfSense users<div><br></div><div>I think this might resolve any container based issues/fears if they happened to get into the cache. Ie a Docker Proxy got installed and tried to data marshal the network card inside of a freeBSD jail or something like that. Biggest fear with my cache it is a big cache now<div><br></div><div>Please yet me know what you think or if it is wrong.</div><div><br></div><div>Here is my configuration. I wanted to share it as it might help to secure some of this.</div><div><br></div><div>Keep in mine I use cachemgr.cgi within Squidlight so I had to set the password and I have to also adapt the php status file to include the password and also the sqlight php file. </div><div><br></div><div>After that the status and gui pages work still with the new password. Only issues area that it shows up in clear text when it goes over the proxy I can see my password clear as day again that was an issue listed inside the Squid O’REILLY book also. </div><div><br></div><div><br></div><div>I am amazed at the warm updates that was the original goal I was tired of slow updates over and over again. </div><div><br></div><div><pre id="pconf" name="pconf" wrap="hard" readonly="" style="box-sizing: border-box; overflow: auto; font-family: Menlo, Monaco, Consolas, "Courier New", monospace; font-size: 13px; padding: 9.5px; margin-top: 0px; margin-bottom: 10px; line-height: 1.428571; color: rgb(51, 51, 51); word-break: break-all; overflow-wrap: break-word; background-color: rgb(245, 245, 245); border: 1px solid rgb(204, 204, 204); border-radius: 4px; caret-color: rgb(51, 51, 51);"># This file is automatically generated by pfSense

# Do not edit manually !

http_port 192.168.1.1:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=20MB cert=/usr/local/etc/squid/serverkey.pem tls-cafile=/usr/local/share/certs/ca-root-nss.crt capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.2048 options=NO_SSLv3

http_port 127.0.0.1:3128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=20MB cert=/usr/local/etc/squid/serverkey.pem tls-cafile=/usr/local/share/certs/ca-root-nss.crt capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.2048 options=NO_SSLv3

https_port 127.0.0.1:3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=20MB cert=/usr/local/etc/squid/serverkey.pem tls-cafile=/usr/local/share/certs/ca-root-nss.crt capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.2048 options=NO_SSLv3

icp_port 0

digest_generation off

dns_v4_first on

pid_filename /var/run/squid/squid.pid

cache_effective_user squid

cache_effective_group proxy

error_default_language en

icon_directory /usr/local/etc/squid/icons

visible_hostname Lee_Family.home.arpa

cache_mgr jonathanlee571@gmail.com

access_log /var/squid/logs/access.log

cache_log /var/squid/logs/cache.log

cache_store_log none

netdb_filename /var/squid/logs/netdb.state

pinger_enable on

pinger_program /usr/local/libexec/squid/pinger

sslcrtd_program /usr/local/libexec/squid/security_file_certgen -s /var/squid/lib/ssl_db -M 4MB -b 2048

tls_outgoing_options cafile=/usr/local/share/certs/ca-root-nss.crt

tls_outgoing_options capath=/usr/local/share/certs/

tls_outgoing_options options=NO_SSLv3

tls_outgoing_options cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS

sslcrtd_children 10

logfile_rotate 0

debug_options rotate=0

shutdown_lifetime 3 seconds

# Allow local network(s) on interface(s)

acl localnet src  192.168.1.0/27

forwarded_for transparent

httpd_suppress_version_string on

uri_whitespace strip

dns_nameservers 127.0.0.1 

acl getmethod method GET

acl to_ipv6 dst ipv6

acl from_ipv6 src ipv6

tls_outgoing_options cipher=HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS

tls_outgoing_options options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE

acl HttpAccess dstdomain '/usr/local/pkg/http.access'

acl windowsupdate dstdomain '/usr/local/pkg/windowsupdate'

acl rewritedoms dstdomain .facebook.com .akamaihd.net .fbcdn.net .google.com .static.com .apple.com .oracle.com .sun.com .java.com .adobe.com .steamstatic.com .steampowered.com .steamcontent.com .google.com

store_id_program /usr/local/libexec/squid/storeid_file_rewrite /var/squid/storeid/storeid_rewrite.txt

store_id_children 10 startup=5 idle=1 concurrency=0

always_direct allow !getmethod

store_id_access deny connect

store_id_access deny !getmethod

store_id_access allow rewritedoms

reload_into_ims on

max_stale 20 years

minimum_expiry_time 0

refresh_pattern -i squid.internal 10080 80% 79900 override-lastmod override-expire ignore-reload ignore-no-store ignore-private

#FACEBOOK

refresh_pattern ^https.*.facebook.com/* 10080 80% 43200 override-expire override-lastmod ignore-no-cache ignore-reload reload-into-ims ignore-private

#FACEBOOK IMAGES  

refresh_pattern -i pixel.facebook.com..(jpg|png|gif|ico|css|js|jpg?) 10080 80% 43200 override-expire override-lastmod ignore-no-cache ignore-reload reload-into-ims ignore-private

refresh_pattern -i .akamaihd.net..(jpg|png|gif|ico|css|js|jpg?) 10080 80% 43200 override-expire override-lastmod ignore-no-cache ignore-reload reload-into-ims ignore-private   

refresh_pattern -i facebook.com.(jpg|png|gif|jpg?) 10080 80% 43200 store-stale override-expire override-lastmod ignore-no-cache ignore-reload reload-into-ims ignore-private 

refresh_pattern static.(xx|ak).fbcdn.net.(jpg|gif|png|jpg?) 10080 80% 43200 override-expire override-lastmod ignore-no-cache ignore-reload reload-into-ims ignore-private

refresh_pattern ^https.*profile.ak.fbcdn.net.*(jpg|gif|png|jpg?) 10080 80% 43200 override-expire override-lastmod ignore-no-cache ignore-reload reload-into-ims ignore-private

refresh_pattern ^https.*fbcdn.net.*(jpg|gif|png|jpg?) 10080 80% 43200 override-expire override-lastmod ignore-no-cache ignore-reload reload-into-ims ignore-private

#FACEBOOK VIDEO

refresh_pattern -i .video.ak.fbcdn.net.*.(mp4|flv|mp3|amf) 10080 80% 43200 override-expire override-lastmod ignore-no-cache ignore-reload reload-into-ims ignore-private   

refresh_pattern (audio|video)/(webm|mp4) 10080 80% 43200 override-expire override-lastmod ignore-no-cache ignore-reload reload-into-ims ignore-private

#APPLE STUFF

refresh_pattern -i apple.com/..(cab|exe|msi|msu|msf|asf|wmv|wma|dat|zip|dist)$ 0 80% 43200  refresh-ims

#apple update

refresh_pattern -i (download|adcdownload).apple.com/.*.(pkg|dmg) 4320 100% 43200 

refresh_pattern -i appldnld.apple.com 129600 100% 129600     

refresh_pattern -i phobos.apple.com 129600 100% 129600     

refresh_pattern -i iosapps.itunes.apple.com 129600 100% 129600     

# Updates: Windows

refresh_pattern -i microsoft.com/..(cab|exe|msi|msu|msf|asf|wma|dat|zip)$ 4320 80% 43200  refresh-ims

refresh_pattern -i windowsupdate.com/..(cab|exe|msi|msu|msf|asf|wma|wmv)|dat|zip)$ 4320 80% 43200  refresh-ims

refresh_pattern -i windows.com/..(cab|exe|msi|msu|msf|asf|wmv|wma|dat|zip)$ 4320 80% 43200  refresh-ims

refresh_pattern -i microsoft.com/.*.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80% 43200 

refresh_pattern -i windowsupdate.com/.*.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80% 43200 

refresh_pattern -i windows.com/.*.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80% 43200 

refresh_pattern -i .*windowsupdate.com/.*.(cab|exe) 259200 100% 259200   

refresh_pattern -i .*update.microsoft.com/.*.(cab|exe|dll|msi|psf) 259200 100% 259200   

refresh_pattern windowsupdate.com/.*.(cab|exe|dll|msi|psf) 10080 100% 43200 

refresh_pattern download.microsoft.com/.*.(cab|exe|dll|msi|psf) 10080 100% 43200 

refresh_pattern www.microsoft.com/.*.(cab|exe|dll|msi|psf) 10080 100% 43200 

refresh_pattern au.download.windowsupdate.com/.*.(cab|exe|dll|msi|psf) 4320 100% 43200 

refresh_pattern bg.v4.pr.dl.ws.microsoft.com/.*.(cab|exe|dll|msi|psf) 4320 100% 43200

#windows update NEW UPDATE 0.04

refresh_pattern update.microsoft.com/.*.(cab|exe) 43200 100% 129600    

refresh_pattern ([^.]+.)?(download|(windows)?update).(microsoft.)?com/.*.(cab|exe|msi|msp|psf) 4320 100% 43200  

refresh_pattern update.microsoft.com/.*.(cab|exe|dll|msi|psf) 10080 100% 43200 

refresh_pattern -i .update.microsoft.com/.*.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 525600 100% 525600       

refresh_pattern -i .windowsupdate.com/.*.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 525600 100% 525600       

refresh_pattern -i .download.microsoft.com/.*.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 525600 100% 525600       

refresh_pattern -i .ws.microsoft.com/.*.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 525600 100% 525600       

refresh_pattern ([^.]+.)?(cs|content[1-9]|hsar|content-origin|client-download).[steampowered|steamcontent].com/.*.* 43200 100% 43200 reload-into-ims ignore-reload ignore-no-store override-expire override-lastmod

refresh_pattern ([^.]+.)?.akamai.steamstatic.com/.*.* 43200 100% 43200 reload-into-ims ignore-reload ignore-no-store override-expire override-lastmod

refresh_pattern -i ([^.]+.)?.adobe.com/.*.(zip|exe) 43200 100% 43200 reload-into-ims ignore-reload ignore-no-store override-expire override-lastmod

refresh_pattern -i ([^.]+.)?.java.com/.*.(zip|exe) 43200 100% 43200 reload-into-ims ignore-reload ignore-no-store override-expire override-lastmod

refresh_pattern -i ([^.]+.)?.sun.com/.*.(zip|exe) 43200 100% 43200 reload-into-ims ignore-reload ignore-no-store override-expire override-lastmod

refresh_pattern -i ([^.]+.)?.oracle.com/.*.(zip|exe|tar.gz) 43200 100% 43200 reload-into-ims ignore-reload ignore-no-store override-expire override-lastmod

refresh_pattern -i appldnld.apple.com 43200 100% 43200 ignore-reload ignore-no-store override-expire override-lastmod

refresh_pattern -i ([^.]+.)?apple.com/.*.(ipa) 43200 100% 43200 ignore-reload ignore-no-store override-expire override-lastmod

refresh_pattern -i ([^.]+.)?.google.com/.*.(exe|crx) 10080 80% 43200 override-expire override-lastmod ignore-reload reload-into-ims ignore-private

refresh_pattern -i ([^.]+.)?g.static.com/.*.(exe|crx) 10080 80% 43200 override-expire override-lastmod ignore-reload reload-into-ims ignore-private

acl https_login url_regex -i ^https.*(login|Login).*

cache deny https_login

range_offset_limit 512 MB windowsupdate

range_offset_limit 4 MB

range_offset_limit 0

quick_abort_min -1 KB

cache_mem 64 MB

maximum_object_size_in_memory 256 KB

memory_replacement_policy heap LFUDA

cache_replacement_policy heap LFUDA

minimum_object_size 0 KB

maximum_object_size 512 MB

cache_dir diskd /var/squid/cache 64000 256 256

offline_mode off

cache_swap_low 90

cache_swap_high 95

acl donotcache dstdomain '/var/squid/acl/donotcache.acl'

cache deny donotcache

cache allow all

# Add any of your own refresh_pattern entries above these.

refresh_pattern ^ftp:    1440  20%  10080

refresh_pattern ^gopher:  1440  0%  1440

refresh_pattern -i (/cgi-bin/|?) 0  0%  0

refresh_pattern .    0  20%  4320

#Remote proxies

# Setup some default acls

# ACLs all, manager, localhost, and to_localhost are predefined.

acl allsrc src all

acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 8080 3128 3129 1025-65535 

acl sslports port 443 563 8080 5223 2197

acl purge method PURGE

acl connect method CONNECT

# Define protocols used for redirects

acl HTTP proto HTTP

acl HTTPS proto HTTPS

# SslBump Peek and Splice

# http://wiki.squid-cache.org/Features/SslPeekAndSplice

# http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit

# Match against the current step during ssl_bump evaluation [fast]

# Never matches and should not be used outside the ssl_bump context.

#

# At each SslBump step, Squid evaluates ssl_bump directives to find

# the next bumping action (e.g., peek or splice). Valid SslBump step

# values and the corresponding ssl_bump evaluation moments are:

#   SslBump1: After getting TCP-level and HTTP CONNECT info.

#   SslBump2: After getting TLS Client Hello info.

#   SslBump3: After getting TLS Server Hello info.

# These ACLs exist even when 'SSL/MITM Mode' is set to 'Custom' so that

# they can be used there for custom configuration.

acl step1 at_step SslBump1

acl step2 at_step SslBump2

acl step3 at_step SslBump3

acl banned_hosts src '/var/squid/acl/banned_hosts.acl'

acl whitelist dstdom_regex -i '/var/squid/acl/whitelist.acl'

acl blacklist dstdom_regex -i '/var/squid/acl/blacklist.acl'

http_access allow manager localhost

http_access deny manager

http_access allow purge localhost

http_access deny purge

http_access deny !safeports

http_access deny CONNECT !sslports

# Always allow localhost connections

http_access allow localhost

quick_abort_min 0 KB

quick_abort_max 0 KB

quick_abort_pct 95

request_body_max_size 0 KB

delay_pools 1

delay_class 1 2

delay_parameters 1 -1/-1 -1/-1

delay_initial_bucket_level 100

delay_access 1 allow allsrc

# Reverse Proxy settings

deny_info TCP_RESET allsrc

# Package Integration

url_rewrite_program /usr/local/bin/squidGuard -c /usr/local/etc/squidGuard/squidGuard.conf

url_rewrite_bypass off

url_rewrite_children 32 startup=8 idle=4 concurrency=0

# Custom options before auth

#host_verify_strict on

# These hosts are banned

http_access deny banned_hosts

# Always allow access to whitelist domains

http_access allow whitelist

# Block access to blacklist domains

http_access deny blacklist

# List of domains allowed to logging in to Google services

request_header_access X-GoogApps-Allowed-Domains deny all

request_header_add X-GoogApps-Allowed-Domains consumer_accounts

# Set YouTube safesearch restriction

acl youtubedst dstdomain -n www.youtube.com m.youtube.com youtubei.googleapis.com youtube.googleapis.com www.youtube-nocookie.com

request_header_access YouTube-Restrict deny all

request_header_add YouTube-Restrict none youtubedst

acl sglog url_regex -i sgr=ACCESSDENIED

http_access deny sglog

# Custom SSL/MITM options before auth

cachemgr_passwd disable offline_toggle reconfigure shutdown

cachemgr_passwd REDACTED_CLASSIFIED all

eui_lookup on

acl no_miss url_regex -i gateway.facebook.com/ws/realtime?

acl no_miss url_regex -i web-chat-e2ee.facebook.com/ws/chat

acl CONNECT method CONNECT

acl wuCONNECT dstdomain www.update.microsoft.com

acl wuCONNECT dstdomain sls.microsoft.com

http_access allow CONNECT wuCONNECT localnet

http_access allow CONNECT wuCONNECT localhost

http_access allow windowsupdate localnet

http_access allow windowsupdate localhost

http_access allow HttpAccess localnet

http_access allow HttpAccess localhost

http_access deny manager

http_access deny to_ipv6

http_access deny from_ipv6

acl BrokenButTrustedServers dstdomain '/usr/local/pkg/dstdom.broken'

acl DomainMismatch ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH

sslproxy_cert_error allow BrokenButTrustedServers DomainMismatch

sslproxy_cert_error deny all

acl splice_only src 192.168.1.8 #Tasha iPhone

acl splice_only src 192.168.1.10 #Jon iPhone

acl splice_only src 192.168.1.11 #Amazon Fire

acl splice_only src 192.168.1.15 #Tasha HP

acl splice_only src 192.168.1.16 #iPad

acl splice_only_mac arp REDACTED<br>acl splice_only_mac arp REDACTED

acl splice_only_mac arp REDACTED

acl splice_only_mac arp REDACTED

acl splice_only_mac arp REDACTED<br>

acl NoSSLIntercept ssl::server_name_regex -i '/usr/local/pkg/reg.url.nobump'

acl NoBumpDNS dstdomain '/usr/local/pkg/dns.nobump'

acl markBumped annotate_client bumped=true

acl bump_only src 192.168.1.3 #webtv

acl bump_only src 192.168.1.4 #toshiba

acl bump_only src 192.168.1.5 #imac

acl bump_only src 192.168.1.9 #macbook

acl bump_only src 192.168.1.13 #dell

acl bump_only_mac arp REDACTED

acl bump_only_mac arp REDACTED

acl bump_only_mac arp REDACTED

acl bump_only_mac arp REDACTED

acl bump_only_mac arp REDACTED<br>

ssl_bump peek step1

miss_access deny no_miss 

ssl_bump splice https_login

ssl_bump splice splice_only_mac

ssl_bump splice NoBumpDNS

ssl_bump splice NoSSLIntercept

ssl_bump bump bump_only_mac

ssl_bump terminate all # if its not on the list kill the connection

acl markedBumped note bumped true

url_rewrite_access deny markedBumped

read_ahead_gap 64 KB

negative_ttl 1 second

connect_timeout 30 seconds

request_timeout 60 seconds

half_closed_clients off

shutdown_lifetime 10 seconds

negative_dns_ttl 1 seconds

ignore_unknown_nameservers on

pipeline_prefetch 100

#acl SSLIntercept ssl::server_name_regex -i '/usr/local/pkg/url.bump'

#ssl_bump bump SSLIntercept

# Setup allowed ACLs

# Allow local network(s) on interface(s)

http_access allow localnet

# Default block all to be sure

http_access deny allsrc</pre></div></div></body></html>