#  SQUID configuration for OLPC School server
#  April 2007
#
###############################
#  Network Interface

{% if dansguardian_enabled %}
http_port 127.0.0.1:3130 
{% else %}
http_port 0.0.0.0:3128 transparent
{% endif %}

icp_port 0

##############################
#  Access Control Lists
#  These are used throughout this file
#
#acl manager proto cache_object

# any match on url regular expression is immediately permitted
acl allow_urlregex url_regex -i "/etc/{{ proxy }}/allowregex.rules"
http_access allow allow_urlregex

# a match on reqular expression denies access (enabled by gw_squid_whitelist variable)
acl deny_urlregex url_regex -i "/etc/{{ proxy }}/denyregex.rules"

# any match of ip address is immediately permitted
acl f_dstaddress dst "/etc/{{ proxy }}/dstaddress.rules"
http_access allow f_dstaddress

## domain names:
# define a group of domains that may be denied below
acl whitelist dstdomain "/etc/{{ proxy }}/sites.whitelist.txt"


acl school src 172.18.0.0/16
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl to_schoolserver dst 178.16.0.0/16  # to schoolserver or other local hosts.
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp

{% if gw_block_https == True %}
#acl Safe_ports port 443         # https
{% else %}
acl Safe_ports port 443         # https
{% endif %}

acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
acl QUERY urlpath_regex cgi-bin \?
acl apache rep_header Server ^Apache

###############
#
#  Append the search domain
# 
# This means that requests for 'http://schoolserver/'
# get resolved the way you would expect (using the same
# search domain that laptops and the XS have defined in
# resolv.conf
#
# NOTE: it must start with a dot
#
append_domain .{{ iiab_domain }}


###############################
#  Cache controls
# The default is to cache everything
# The following prevents caching of known scripts, etc
cache deny QUERY

# Don't cache or otherwise meddle with local requests.
always_direct allow to_schoolserver
cache deny to_schoolserver

# Common server don't quite work right...
# Apache mod_gzip and mod_deflate known to be broken so don't trust
# Apache to signal ETag correctly on such responses

### Not ported to v3
###broken_vary_encoding allow apache

###############################
#  Cache Tuning
#
#  Memory cache size
cache_mem 100 MB

#  Cache object replacement hysteresis
cache_swap_low  92
cache_swap_high 95

#  Maximum object size cached
maximum_object_size 32 MB

#  Maximum object size cached in memory
maximum_object_size_in_memory  48 KB

#       For more information about the GDSF and LFUDA cache replacement
#       policies see http://www.hpl.hp.com/techreports/1999/HPL-1999-69.html
#       and http://fog.hpl.external.hp.com/techreports/98/HPL-98-173.html.
cache_replacement_policy heap LFUDA
memory_replacement_policy heap GDSF

#  IP cache tuning
ipcache_size 4096
ipcache_low  93
ipcache_high 95

#  Fully Qualified Domain Name cache (used other than loggin ?)
fqdncache_size 1024

#  Where is the cache stored on disk ?
#  Parameters
#         Type (ufs, aufs, or COSS)
#          |       Where
#          |         |        Size (in MB)
#          |         |         |
#          |         |         |    L1 (directories)
#          |         |         |    |  L2 (directories)
#          |         |         |    |  |
#cache_dir aufs /library/cache 20000 32 256
cache_dir ufs /library/cache 200 16 128

###############################
#  Logging
#
# What logformat should be used for debugging ?  in trial ?
logformat squid  %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt

access_log /var/log/{{ proxy }}/access.log
cache_log /var/log/{{ proxy }}/cache.log
# log_mime_hdrs on
# following squid verb log_access discontinued in current squid 150213 -gh
#log_access allow all
logfile_rotate 6
client_db off
strip_query_terms on

#  Do NOT use domain names in log, just IP addresses
#log_fqdn off

#  Some measure of privacy, even in early debug
#  Mask off the lowest byte of the logged IP addresses
client_netmask 255.255.255.0

#  This is the default, and wired into the init.d script
pid_filename /var/run/{{ proxy }}.pid

debug_options ALL,1

check_hostnames on
allow_underscore on

dns_retransmit_interval 5 seconds
dns_timeout             30 seconds

dns_nameservers		127.0.0.1

# hosts_file /etc/hosts

request_header_max_size 20 KB
request_body_max_size    0 KB
reply_header_max_size   20 KB

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320

quick_abort_min  10 KB
quick_abort_max  20 KB
quick_abort_pct  90

read_ahead_gap   16 KB

negative_ttl     1  minute
positive_dns_ttl 12 hours
negative_dns_ttl 30 seconds

range_offset_limit  1 MB

#  We probably want this to be on !
### Not ported to v3
### collapsed_forwarding off

### Not ported to v3
###refresh_stale_hit  0 seconds

forward_timeout    2 minutes
connect_timeout    1 minute
request_timeout    5 minutes
persistent_request_timeout  1 minute
client_lifetime    1 hour
ident_timeout      10 seconds

http_access allow manager localhost
http_access deny manager

http_access deny deny_urlregex 

{% if gw_squid_whitelist %}
http_access deny !whitelist
{% endif %}

http_access deny !Safe_ports
http_access allow school
http_access allow localhost
http_access deny all

icp_access deny all
snmp_port 0

#  Other fun access controls:
# never_direct ACL
# always_direct ACL   (still caches)
# no_cache ACL

visible_hostname schoolserver
unique_hostname  schoolserver1

announce_period 0

#       In many setups of transparently intercepting proxies Path-MTU
#       discovery can not work on traffic towards the clients. This is
#       the case when the intercepting device does not fully track
#       connections and fails to forward ICMP must fragment messages
#       to the cache server.
#
#       If you have such setup and experience that certain clients
#       sporadically hang or never complete requests set this to on.
#
#Default:
# httpd_accel_no_pmtu_disc off

memory_pools_limit 32 MB
forwarded_for off

minimum_direct_rtt  200

#maximum_single_addr_tries 2

# offline_mode off

uri_whitespace strip

redirector_bypass on
ignore_unknown_nameservers off

server_persistent_connections on
client_persistent_connections on
persistent_connection_after_error off
detect_broken_pconn on