# WELCOME TO SQUID 3.5.

28
# —————————-
#
#

# Rule allowing access from your local networks.

# Adapt to list your (internal) IP networks from where browsing
# should be allowed
#acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
#acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
#acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
#acl localnet src fc00::/7 # RFC 4193 local private network range
#acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl localnet src 192.168.3.0/24

# Safe ports
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 980 # httpd-admin (server-manager)
acl CONNECT method CONNECT

# Allow access from localhost

http_access allow localhost

# Deny requests to certain unsafe ports

http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports

http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost

http_access allow localhost manager
http_access deny manager

#
# Skip URL rewriter for local addresses
#
acl self_port port 80
acl self_port port 443
url_rewrite_access deny localnet self_port

# No authentication on green and trusted networks

http_access allow localnet

# And finally deny all other access to this proxy

http_access deny all

cache_mem 256 MB

# Enable disk cache

minimum_object_size 0 KB
maximum_object_size 70 MB
cache_dir aufs /var/spool/squid 100 16 256

# Leave coredumps in the first cache dir

coredump_dir /var/spool/squid

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|?) 0 0% 0
refresh_pattern . 0 20% 4320

# Always enable manual proxy

http_port 3128

# Enable transparent proxy

# http_port 3129 transparent
http_port 3129 tproxy

# Enable SSL transparent proxy

#https_port 3127 tproxy ssl-bump generate-host-certificates=off
cert=/etc/squid/ssl_cert/myCA.pem sslflags=NO_DEFAULT_CA
options=NO_SSLv2,NO_SSLv3,No_Compression dynamic_cert_mem_cache_size=128KB

#acl https_proto proto https

#always_direct allow https_proto
#ssl_bump none localhost
#sslproxy_options NO_SSLv2,NO_SSLv3,No_Compression
#sslproxy_cipher ALL:!SSLv2:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED:!
aNULL:!eNULL

# TLS/SSL bumping definitions

#acl tls_s1_connect at_step SslBump1
#acl tls_s2_client_hello at_step SslBump2
#acl tls_s3_server_hello at_step SslBump3

# TLS/SSL bumping steps

#ssl_bump peek tls_s1_connect all
#ssl_bump splice all

# peek at TLS/SSL connect data

# splice: no active bumping

#
# 90options
#
forward_max_tries 25
shutdown_lifetime 1 seconds
buffered_logs on
max_filedesc 16384
logfile_rotate 0

# Http HIT
qos_flows tos local-hit=0x30

# END