mirror of
https://github.com/iiab/iiab.git
synced 2025-02-12 19:22:24 +00:00
263 lines
6.6 KiB
Text
263 lines
6.6 KiB
Text
# SQUID configuration for OLPC School server
|
|
# April 2007
|
|
#
|
|
###############################
|
|
# Network Interface
|
|
|
|
# ## if dansguardian_enabled ##
|
|
# http_port 127.0.0.1:3130
|
|
# ## else ##
|
|
http_port 0.0.0.0:3128 transparent
|
|
# ## endif ##
|
|
|
|
icp_port 0
|
|
|
|
##############################
|
|
# Access Control Lists
|
|
# These are used throughout this file
|
|
#
|
|
#acl manager proto cache_object
|
|
|
|
# any match on url regular expression is immediately permitted
|
|
acl allow_urlregex url_regex -i "/etc/{{ proxy }}/allowregex.rules"
|
|
http_access allow allow_urlregex
|
|
|
|
# a match on reqular expression denies access (enabled by gw_squid_whitelist variable)
|
|
acl deny_urlregex url_regex -i "/etc/{{ proxy }}/denyregex.rules"
|
|
|
|
# any match of ip address is immediately permitted
|
|
acl f_dstaddress dst "/etc/{{ proxy }}/dstaddress.rules"
|
|
http_access allow f_dstaddress
|
|
|
|
## domain names:
|
|
# define a group of domains that may be denied below
|
|
acl whitelist dstdomain "/etc/{{ proxy }}/sites.whitelist.txt"
|
|
|
|
|
|
acl school src 172.18.0.0/16
|
|
acl localhost src 127.0.0.1/32
|
|
acl to_localhost dst 127.0.0.0/8
|
|
acl to_schoolserver dst 178.16.0.0/16 # to schoolserver or other local hosts.
|
|
acl SSL_ports port 443
|
|
acl Safe_ports port 80 # http
|
|
acl Safe_ports port 21 # ftp
|
|
|
|
{% if gw_block_https == True %}
|
|
#acl Safe_ports port 443 # https
|
|
{% else %}
|
|
acl Safe_ports port 443 # https
|
|
{% endif %}
|
|
|
|
acl Safe_ports port 70 # gopher
|
|
acl Safe_ports port 210 # wais
|
|
acl Safe_ports port 1025-65535 # unregistered ports
|
|
acl Safe_ports port 280 # http-mgmt
|
|
acl Safe_ports port 488 # gss-http
|
|
acl Safe_ports port 591 # filemaker
|
|
acl Safe_ports port 777 # multiling http
|
|
acl CONNECT method CONNECT
|
|
acl QUERY urlpath_regex cgi-bin \?
|
|
acl apache rep_header Server ^Apache
|
|
|
|
###############
|
|
#
|
|
# Append the search domain
|
|
#
|
|
# This means that requests for 'http://schoolserver/'
|
|
# get resolved the way you would expect (using the same
|
|
# search domain that laptops and the XS have defined in
|
|
# resolv.conf
|
|
#
|
|
# NOTE: it must start with a dot
|
|
#
|
|
append_domain .{{ iiab_domain }}
|
|
|
|
|
|
###############################
|
|
# Cache controls
|
|
# The default is to cache everything
|
|
# The following prevents caching of known scripts, etc
|
|
cache deny QUERY
|
|
|
|
# Don't cache or otherwise meddle with local requests.
|
|
always_direct allow to_schoolserver
|
|
cache deny to_schoolserver
|
|
|
|
# Common server don't quite work right...
|
|
# Apache mod_gzip and mod_deflate known to be broken so don't trust
|
|
# Apache to signal ETag correctly on such responses
|
|
|
|
### Not ported to v3
|
|
###broken_vary_encoding allow apache
|
|
|
|
###############################
|
|
# Cache Tuning
|
|
#
|
|
# Memory cache size
|
|
cache_mem 100 MB
|
|
|
|
# Cache object replacement hysteresis
|
|
cache_swap_low 92
|
|
cache_swap_high 95
|
|
|
|
# Maximum object size cached
|
|
maximum_object_size 32 MB
|
|
|
|
# Maximum object size cached in memory
|
|
maximum_object_size_in_memory 48 KB
|
|
|
|
# For more information about the GDSF and LFUDA cache replacement
|
|
# policies see http://www.hpl.hp.com/techreports/1999/HPL-1999-69.html
|
|
# and http://fog.hpl.external.hp.com/techreports/98/HPL-98-173.html.
|
|
cache_replacement_policy heap LFUDA
|
|
memory_replacement_policy heap GDSF
|
|
|
|
# IP cache tuning
|
|
ipcache_size 4096
|
|
ipcache_low 93
|
|
ipcache_high 95
|
|
|
|
# Fully Qualified Domain Name cache (used other than loggin ?)
|
|
fqdncache_size 1024
|
|
|
|
# Where is the cache stored on disk ?
|
|
# Parameters
|
|
# Type (ufs, aufs, or COSS)
|
|
# | Where
|
|
# | | Size (in MB)
|
|
# | | |
|
|
# | | | L1 (directories)
|
|
# | | | | L2 (directories)
|
|
# | | | | |
|
|
#cache_dir aufs /library/cache 20000 32 256
|
|
cache_dir ufs /library/cache 200 16 128
|
|
|
|
###############################
|
|
# Logging
|
|
#
|
|
# What logformat should be used for debugging ? in trial ?
|
|
logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt
|
|
|
|
access_log /var/log/{{ proxy }}/access.log
|
|
cache_log /var/log/{{ proxy }}/cache.log
|
|
# log_mime_hdrs on
|
|
# following squid verb log_access discontinued in current squid 150213 -gh
|
|
#log_access allow all
|
|
logfile_rotate 6
|
|
client_db off
|
|
strip_query_terms on
|
|
|
|
# Do NOT use domain names in log, just IP addresses
|
|
#log_fqdn off
|
|
|
|
# Some measure of privacy, even in early debug
|
|
# Mask off the lowest byte of the logged IP addresses
|
|
client_netmask 255.255.255.0
|
|
|
|
# This is the default, and wired into the init.d script
|
|
pid_filename /var/run/{{ proxy }}.pid
|
|
|
|
debug_options ALL,1
|
|
|
|
check_hostnames on
|
|
allow_underscore on
|
|
|
|
dns_retransmit_interval 5 seconds
|
|
dns_timeout 30 seconds
|
|
|
|
dns_nameservers 127.0.0.1
|
|
|
|
# hosts_file /etc/hosts
|
|
|
|
request_header_max_size 20 KB
|
|
request_body_max_size 0 KB
|
|
reply_header_max_size 20 KB
|
|
|
|
refresh_pattern ^ftp: 1440 20% 10080
|
|
refresh_pattern ^gopher: 1440 0% 1440
|
|
refresh_pattern . 0 20% 4320
|
|
|
|
quick_abort_min 10 KB
|
|
quick_abort_max 20 KB
|
|
quick_abort_pct 90
|
|
|
|
read_ahead_gap 16 KB
|
|
|
|
negative_ttl 1 minute
|
|
positive_dns_ttl 12 hours
|
|
negative_dns_ttl 30 seconds
|
|
|
|
range_offset_limit 1 MB
|
|
|
|
# We probably want this to be on !
|
|
### Not ported to v3
|
|
### collapsed_forwarding off
|
|
|
|
### Not ported to v3
|
|
###refresh_stale_hit 0 seconds
|
|
|
|
forward_timeout 2 minutes
|
|
connect_timeout 1 minute
|
|
request_timeout 5 minutes
|
|
persistent_request_timeout 1 minute
|
|
client_lifetime 1 hour
|
|
ident_timeout 10 seconds
|
|
|
|
http_access allow manager localhost
|
|
http_access deny manager
|
|
|
|
http_access deny deny_urlregex
|
|
|
|
{% if gw_squid_whitelist %}
|
|
http_access deny !whitelist
|
|
{% endif %}
|
|
|
|
http_access deny !Safe_ports
|
|
http_access allow school
|
|
http_access allow localhost
|
|
http_access deny all
|
|
|
|
icp_access deny all
|
|
snmp_port 0
|
|
|
|
# Other fun access controls:
|
|
# never_direct ACL
|
|
# always_direct ACL (still caches)
|
|
# no_cache ACL
|
|
|
|
visible_hostname schoolserver
|
|
unique_hostname schoolserver1
|
|
|
|
announce_period 0
|
|
|
|
# In many setups of transparently intercepting proxies Path-MTU
|
|
# discovery can not work on traffic towards the clients. This is
|
|
# the case when the intercepting device does not fully track
|
|
# connections and fails to forward ICMP must fragment messages
|
|
# to the cache server.
|
|
#
|
|
# If you have such setup and experience that certain clients
|
|
# sporadically hang or never complete requests set this to on.
|
|
#
|
|
#Default:
|
|
# httpd_accel_no_pmtu_disc off
|
|
|
|
memory_pools_limit 32 MB
|
|
forwarded_for off
|
|
|
|
minimum_direct_rtt 200
|
|
|
|
#maximum_single_addr_tries 2
|
|
|
|
# offline_mode off
|
|
|
|
uri_whitespace strip
|
|
|
|
redirector_bypass on
|
|
ignore_unknown_nameservers off
|
|
|
|
server_persistent_connections on
|
|
client_persistent_connections on
|
|
persistent_connection_after_error off
|
|
detect_broken_pconn on
|
|
|