--- ./squid.conf 2019-10-22 22:36:27.000000000 -0400
+++ ./squid.conf 2019-10-22 23:08:00.000000000 -0400
@@ -1294,12 +1294,9 @@
 # Example rule allowing access from your local networks.
 # Adapt to list your (internal) IP networks from where browsing
 # should be allowed
-acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
-acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN)
-acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN)
-acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines
-acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN)
-acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN)
+acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
+#acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
+#acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
 acl localnet src fc00::/7 # RFC 4193 local private network range
 acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
@@ -1563,8 +1560,8 @@
 # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
 #
 ## Allow ICP queries from local networks only
-##icp_access allow localnet
-##icp_access deny all
+icp_access allow localnet
+icp_access deny all
 #Default:
 # Deny, unless rules exist in squid.conf.
@@ -2015,10 +2012,10 @@
 #
 # Squid normally listens to port 3128
-http_port 3128
+http_port @PROXY_SERVER@:3128
 # TAG: https_port
-# Usage: [ip:]port [mode] tls-cert=certificate.pem [options]
+# Usage: [ip:]port cert=certificate.pem [key=key.pem] [mode] [options...]
 #
 # The socket address where Squid will listen for client requests made
 # over TLS or SSL connections. Commonly referred to as HTTPS.
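Review bot: The `+# Usage:` line under `# TAG: https_port` reinstates the `cert=`/`key=` option names, while the line it replaces documented `tls-cert=`, which appears to be the spelling the rest of this squid.conf targets (the removed localnet list in the first hunk also carries the RFC 6598 entry that only newer default files ship). If this patch is an older local customisation being re-applied, the comment now describes an option syntax the running version may not accept, and the change is comment-only with no functional reason visible here. Keep the `tls-cert=` wording, or drop this comment-only change from the patch; `http_port @PROXY_SERVER@:3128` binding to one address rather than all interfaces is fine as written.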
@@ -3308,6 +3305,16 @@
 #Default:
 # none
+# See http://www.privoxy.org/user-manual/config.html
+# Define Privoxy as parent proxy (without ICP)
+cache_peer @PROXY_SERVER@ parent 8118 0 no-digest no-query default name=privoxy
+
+# If privoxy is run on the LAN:
+#cache_peer 10.0.1.3 parent 8118 0 no-digest no-query default name=privoxy
+
+# I2P
+# cache_peer @PROXY_SERVER@ parent 4443 0 no-digest no-query default name=i2p
+
 # TAG: cache_peer_access
 # Restricts usage of cache_peer proxies.
 #
@@ -3441,6 +3453,7 @@
 # enough to keep larger objects from hoarding cache_mem.
 #Default:
 # maximum_object_size_in_memory 512 KB
+maximum_object_size_in_memory 64 KB
 # TAG: memory_cache_shared on|off
 # Controls whether the memory cache is shared among SMP workers.
@@ -3523,6 +3536,7 @@
 # and http://fog.hpl.external.hp.com/techreports/98/HPL-98-173.html.
 #Default:
 # cache_replacement_policy lru
+cache_replacement_policy heap LFUDA
 # TAG: minimum_object_size (bytes)
 # Objects smaller than this size will NOT be saved on disk. The
@@ -3547,6 +3561,7 @@
 # See cache_replacement_policy for a discussion of this policy.
 #Default:
 # maximum_object_size 4 MB
+maximum_object_size 64 MB
 # TAG: cache_dir
 # Format:
@@ -3702,6 +3717,7 @@
 #Default:
 # No disk cache. Store cache ojects only in memory.
 #
+cache_dir ufs @PREFIX@/var/squid/cache 256 16 256
 # Uncomment and adjust the following to add a disk cache directory.
 #cache_dir ufs @PREFIX@/var/squid/cache 100 16 256
@@ -4333,6 +4349,8 @@
 # access_log daemon:@PREFIX@/var/squid/logs/access.log squid
 #Default:
 # access_log daemon:@PREFIX@/var/squid/logs/access.log squid
+access_log daemon:@PREFIX@/var/squid/logs/access.log squid
+#access_log daemon:@PREFIX@/var/squid/logs/access.log squid_ua
 # TAG: icap_log
 # ICAP log files record ICAP transaction summaries, one line per
@@ -4533,8 +4551,11 @@
 # in the habit of using 'squid -k rotate' instead of 'kill -USR1
 # <pid>'.
 #
+# Note, from Squid-3.1 this option is only a default for cache.log,
+# that log can be rotated separately by using debug_options.
 #Default:
 # logfile_rotate 10
+logfile_rotate 31
 # TAG: mime_table
 # Path to Squid's icon configuration file.
@@ -4590,6 +4611,7 @@
 # Currently honored by 'daemon' and 'tcp' access_log modules only.
 #Default:
 # buffered_logs off
+buffered_logs on
 # TAG: netdb_filename
 # Note: This option is only available if Squid is rebuilt with the
@@ -5351,15 +5376,25 @@
 refresh_pattern ^ftp: 1440 20% 10080
 refresh_pattern ^gopher: 1440 0% 1440
 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
-refresh_pattern . 0 20% 4320
+#refresh_pattern . 0 20% 4320
+
+# https://www.linux.com/news/speed-your-internet-access-using-squids-refresh-patterns
+refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$ 10080 90% 43200 override-expire ignore-no-cache ignore-no-store ignore-private
+refresh_pattern -i \.(iso|avi|wav|mp3|mp4|mpeg|swf|flv|x-flv)$ 43200 90% 432000 override-expire ignore-no-cache ignore-no-store ignore-private
+refresh_pattern -i \.(deb|rpm|exe|zip|tar|tgz|ram|rar|bin|ppt|doc|tiff)$ 10080 90% 43200 override-expire ignore-no-cache ignore-no-store ignore-private
+refresh_pattern -i \.index.(html|htm)$ 0 40% 10080
+refresh_pattern -i \.(html|htm|css|js)$ 1440 40% 40320
+refresh_pattern . 0 40% 40320
 # TAG: quick_abort_min (KB)
 #Default:
 # quick_abort_min 16 KB
+quick_abort_min 0 KB
 # TAG: quick_abort_max (KB)
 #Default:
 # quick_abort_max 16 KB
+quick_abort_max 0 KB
 # TAG: quick_abort_pct (percent)
 # The cache by default continues downloading aborted requests
@@ -5577,6 +5612,7 @@
 # replies as required by RFC2616.
 #Default:
 # via on
+via off
 # TAG: vary_ignore_expire on|off
 # Many HTTP servers supporting Vary gives such objects
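Review bot: `+buffered_logs on` trades access.log completeness for throughput: the context line says only the 'daemon' and 'tcp' access_log modules honor it, and this patch selects the daemon module, so records are accumulated before being written and whatever is still buffered at an unclean exit is presumably never flushed. With `shutdown_lifetime 5 seconds` also set in this patch, a forced termination is a realistic path, so the tail of the log can be missing exactly when it is needed to reconstruct an incident. If the trade-off is intended, a one-line note beside it such as `# buffered: the last records may be lost on an unclean exit` would make it explicit for whoever reads the logs later.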
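Review bot: `+refresh_pattern -i \.index.(html|htm)$ 0 40% 10080` almost never matches: the leading `\.` requires a literal `.index` in the URL, so a plain `/index.html` falls through to the `\.(html|htm|css|js)$` rule below it; `refresh_pattern -i /index\.(html|htm)$ 0 40% 10080` is presumably what was meant. Separately, the three image/media/archive rules above it combine `override-expire ignore-no-store ignore-private`, which on a proxy shared by a LAN (`localnet` is a whole /8 in this patch) stores and serves to other clients responses the origin marked `Cache-Control: private` or `no-store`; for the `deb|rpm|exe|zip` rule that can include per-user or authenticated downloads, and `override-expire` keeps them fresh for up to 43200 minutes regardless of the origin's Expires. Consider dropping `ignore-private ignore-no-store` from those lines, or at least from the archive/installer rule, and keeping only `override-expire` if stale-hit tolerance is the goal.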
@@ -5669,6 +5705,67 @@
 #Default:
 # No limits.
+# allow localnet headers
+request_header_access From allow localnet
+request_header_access Server allow localnet
+request_header_access Link allow localnet
+
+request_header_access Cache-Control allow localnet
+request_header_access X-Cache allow localnet
+request_header_access X-Cache-Lookup allow localnet
+request_header_access Via allow localnet
+request_header_access Forwarded-For allow localnet
+request_header_access X-Forwarded-For allow localnet
+request_header_access Pragma allow localnet
+
+# old 'http_anonymizer standard'
+request_header_access From deny all
+
+# allow privoxy configuration to see the referer, then
+acl privoxy-config dstdomain config.privoxy.org p.p
+request_header_access Referer allow privoxy-config
+cache deny privoxy-config
+# forge Referer in Privoxy
+request_header_access Referer deny all
+request_header_access Server deny all
+
+# forge User-Agent below and in Privoxy
+# header_access User-Agent deny all
+# this breaks web authentication -- do not use
+#! header_access WWW-Authenticate deny all
+request_header_access Link deny all
+
+# more privacy
+request_header_access X-Cache deny all
+request_header_access X-Cache-Lookup deny all
+request_header_access Via deny all
+request_header_access Forwarded-For deny all
+request_header_access X-Forwarded-For deny all
+request_header_access Pragma deny all
+
+#! These slow down browsing a lot -- do not use
+# header_access Cache-Control deny all
+# header_access Keep-Alive deny all
+
+# Mobile carrier uniquely identifying headers
+request_header_access MSISDN deny all # T-Mobile
+request_header_access X-MSISDN deny all # T-Mobile
+request_header_access X-UIDH deny all # Verizon
+request_header_access x-up-subno deny all # AT&T
+request_header_access X-ACR deny all # AT&T
+request_header_access X-UP-SUBSCRIBER-COS deny all
+request_header_access X-OPWV-DDM-HTTPMISCDD deny all
+request_header_access X-OPWV-DDM-IDENTITY deny all
+request_header_access X-OPWV-DDM-SUBSCRIBER deny all
+request_header_access CLIENTID deny all
+request_header_access X-VF-ACR deny all
+request_header_access X_MTI_USERNAME deny all
+request_header_access X_MTI_EMAIL deny all
+request_header_access X_MTI_EMPID deny all
+
+request_header_access User-Agent deny all
+request_header_replace User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.1 Safari/605.1.15
+
 # TAG: reply_header_access
 # Usage: reply_header_access header_name allow|deny [!]aclname ...
 #
@@ -6033,6 +6130,10 @@
 # seconds will receive a 'timeout' message.
 #Default:
 # shutdown_lifetime 30 seconds
+# Make this significantly less than daemondo's kChildDeathTimeout
+# to avoid multiple squid processes at boot or on network change
+# const CFTimeInterval kChildDeathTimeout = 20;
+shutdown_lifetime 5 seconds
 # ADMINISTRATIVE PARAMETERS
 # -----------------------------------------------------------------------------
@@ -6101,6 +6202,7 @@
 # names with this setting.
 #Default:
 # Automatically detect the system host name
+visible_hostname localhost
 # TAG: unique_hostname
 # If you want to have multiple machines with the same
@@ -6829,6 +6931,7 @@
 # up or to simplify log analysis.
 #Default:
 # log_icp_queries on
+log_icp_queries off
 # TAG: udp_incoming_address
 # udp_incoming_address is used for UDP packets received from other
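Review bot: The `allow localnet` rules at the top of the block defeat the `deny all` rules that follow for the same headers (From, Server, Link, X-Cache, X-Cache-Lookup, Via, Forwarded-For, X-Forwarded-For, Pragma): `request_header_access` lists are evaluated first-match in the same way as `http_access`, so a request from a localnet source matches `allow localnet` and the later `deny all` under `# more privacy` is never reached. Unless `http_access` (outside this hunk) admits sources other than localnet, those deny lines are dead and the headers go to Privoxy untouched; Via and X-Forwarded-For are still suppressed by `via off` and `forwarded_for off` elsewhere in this patch, the others are not. Either delete the `# allow localnet headers` group or move it below the deny lines, depending on which behaviour is wanted; the User-Agent, Referer and carrier-header rules are unaffected because nothing allows them first. The hunk holds the whole block, so nothing continues outside it.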
@@ -7326,6 +7429,24 @@
 #Default:
 # Prevent any cache_peer being used for this request.
+# Do not send AWS requests through Privoxy
+acl aws-domains dstdomain \
+ .aws.amazon.com \
+ .cloudfront.net
+always_direct allow aws-domains
+
+# See http://www.privoxy.org/user-manual/config.html
+# Define ACL for protocol FTP
+acl ftp proto FTP
+always_direct allow ftp
+
+# Direct to specified domain names
+#acl mydomainname dstdomain .mydomainname.com
+#always_direct allow mydomainname
+
+# Do not forward SSL requests to Privoxy
+#always_direct allow SSL_ports
+
 # TAG: never_direct
 # Usage: never_direct allow|deny [!]aclname ...
 #
@@ -7355,6 +7476,10 @@
 #Default:
 # Allow DNS results to be used for this request.
+# See http://www.privoxy.org/user-manual/config.html
+# Forward all the rest to Privoxy
+never_direct allow all
+
 # ADVANCED NETWORKING OPTIONS
 # -----------------------------------------------------------------------------
@@ -8195,6 +8320,12 @@
 #Default:
 # Use operating system definitions
+# Google DNS
+dns_nameservers 8.8.8.8 4.4.4.4
+
+# Use LAN IP with possible backup if you're running DNS yourself
+#dns_nameservers 10.0.1.3
+
 # TAG: hosts_file
 # Location of the host-local IP name-address associations
 # database. Most Operating Systems have such a file on different
@@ -8220,6 +8351,7 @@
 # definitions.
 #Default:
 # hosts_file /etc/hosts
+hosts_file @PREFIX@/etc/@NAME@/hosts-hphosts
 # TAG: append_domain
 # Appends local domain name to hostnames without any dots in
@@ -8262,6 +8394,7 @@
 # Maximum number of DNS IP cache entries.
 #Default:
 # ipcache_size 1024
+ipcache_size 16384
 # TAG: ipcache_low (percent)
 #Default:
@@ -8276,6 +8409,7 @@
 # Maximum number of FQDN cache entries.
 #Default:
 # fqdncache_size 1024
+fqdncache_size 1048576
 # MISCELLANEOUS
 # -----------------------------------------------------------------------------
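Review bot: `+ .cloudfront.net` in `acl aws-domains` exempts far more than the "AWS requests" the comment describes: cloudfront.net is Amazon's shared CDN hostname space used by arbitrary third-party sites, so any asset, tracker or script a site serves from a `*.cloudfront.net` distribution goes direct and bypasses the Privoxy filtering that `never_direct allow all` in the next hunk routes everything else through. If the intent is only AWS console/API traffic, keep `.aws.amazon.com` and list the specific CloudFront hosts you need rather than the whole suffix. At minimum a comment such as `# .cloudfront.net is a shared CDN: every site using it bypasses Privoxy` would record the trade-off next to the rule.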
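Review bot: `+dns_nameservers 8.8.8.8 4.4.4.4` is labelled `# Google DNS`, but 4.4.4.4 is not a Google Public DNS address (Google's pair is 8.8.8.8 and 8.8.4.4), so the second resolver looks like a typo and any query that fails over to it would simply time out. Note also that this directive replaces the operating-system resolver for every lookup squid performs, so given the privacy intent of the rest of this patch, every hostname browsed through the proxy is sent in clear to a third-party resolver; if that is deliberate, a comment saying so beside the line would help the next reader. Change it to `dns_nameservers 8.8.8.8 8.8.4.4`, or drop the second address.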
@@ -8296,6 +8430,7 @@
 # routines, disable this.
 #Default:
 # memory_pools on
+memory_pools off
 # TAG: memory_pools_limit (bytes)
 # Used only with memory_pools on:
@@ -8342,6 +8477,7 @@
 # X-Forwarded-For entries, and place the client IP as the sole entry.
 #Default:
 # forwarded_for on
+forwarded_for off
 # TAG: cachemgr_passwd
 # Specify passwords for cachemgr operations.
@@ -8409,6 +8545,7 @@
 # turn off client_db here.
 #Default:
 # client_db on
+client_db off
 # TAG: refresh_all_ims on|off
 # When you enable this option, squid will always check
@@ -8539,6 +8676,7 @@
 # WARNING: pipelining breaks NTLM and Negotiate/Kerberos authentication.
 #Default:
 # Do not pre-parse pipelined requests.
+pipeline_prefetch 3
 # TAG: high_response_time_warning (msec)
 # If the one-minute median response time exceeds this value,
@@ -8596,6 +8734,7 @@
 # Whether to lookup the EUI or MAC address of a connected client.
 #Default:
 # eui_lookup on
+eui_lookup off
 # TAG: max_filedescriptors
 # Reduce the maximum number of filedescriptors supported below
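Review bot: `+client_db off` does more than stop statistics collection: as far as I recall Squid's per-client database also backs the `maxconn` acl type, so if a `maxconn` acl is defined anywhere else in this file (not visible in this hunk) it will stop limiting once this lands. The context comment mentions only statistics, so the side effect is easy to miss. Either confirm no `maxconn` acl exists, or add a note beside the line such as `# client_db off also disables the accounting behind any maxconn acl` so a later rate limit is not silently neutralised.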