Squid: различия между версиями

Материал из wiki.nntc.nnov.ru
Перейти к навигации Перейти к поиску
(Новая страница: « cat squid.conf <pre> acl SSL_ports port 443 acl Safe_ports port 80 # http acl Safe_ports port 443 # https acl CONNECT method CONNECT # white…»)
 
 
Строка 56: Строка 56:
  
 
# blacklist mode
 
# blacklist mode
# deny anything else, just in case
 
 
http_access allow all
 
http_access allow all
  

Текущая версия на 13:05, 4 декабря 2021

cat squid.conf
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 443         # https
acl CONNECT method CONNECT

# whitelist mode
##acl http dstdomain "/etc/squid/http.txt"  # whitelisted domains
##acl httpip dst "/etc/squid/httpip.txt"  # whitelisted IP addressed
##acl https dstdomain "/etc/squid/https.txt" # domains allowing https only
##acl httpsip dst "/etc/squid/httpsip.txt"  # whitelisted IP addressed for https only

# blacklist mode
acl bl_http dstdomain "/etc/squid/bl_http.txt"  # blacklist domains
acl bl_httpip dst "/etc/squid/bl_httpip.txt"  # blacklist IP addressed
acl bl_https dstdomain "/etc/squid/bl_https.txt" # domains blocking https only
acl bl_httpsip dst "/etc/squid/bl_httpsip.txt"  # blacklisted IP addressed for https only

# kafe
acl kafe src 172.16.99.7
acl kafe src 172.16.90.7

# block anything not targeting authorized ports
http_access deny !Safe_ports 
http_access deny CONNECT !SSL_ports 

# manager access
http_access allow localhost manager 
http_access deny manager 

# whitelist mode
# allow domains in the whitelists
# replace 'localhost' by an ACL with your IP 
# if you don't run Squid locally
##http_access allow localhost http Safe_ports
##http_access allow localhost httpip Safe_ports
##http_access allow CONNECT localhost https SSL_ports
##http_access allow CONNECT localhost httpsip SSL_ports

# whitelist mode
# deny anything else, just in case
##http_access deny all

# allow all for kafe
http_access allow kafe all

# blacklist mode
http_access deny all bl_http Safe_ports
http_access deny all bl_httpip Safe_ports
http_access deny CONNECT all bl_https SSL_ports
http_access deny CONNECT all bl_httpsip SSL_ports


# blacklist mode
http_access allow all

# port your proxy listens to
http_port 3128

# just for cosmetics when access denied pages are shown
visible_hostname proxy.nntc
cache_mgr support@nntc.nnov.ru

# some websites (like Google) react badly to v6 dns inquiries 
# (if you know why, please let me know)
dns_v4_first on

# this adds querystrings into your logs. 
# consider enabling this if you grant access to other users
# as querystrings often contain private information
# (although they should not...)
strip_query_terms off

# default cache configuration
coredump_dir /var/spool/squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern (Release|Packages(.gz)*)$      0       20%     2880
refresh_pattern .               0       20%     4320

# logging
access_log /var/log/squid/combined.log combined
access_log /var/log/squid/access.log squid
cat bl_http.txt
.google.com
.yandex.ru
.yahoo.com
.mail.ru
.youtube.com

cat bl_https.txt
.google.com
.yandex.ru
.yahoo.com
.mail.ru
.youtube.com
cat bl_httpip.txt
1.2.3.4
cat bl_httpsip.txt
1.2.3.4