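# squid.conf — forward proxy configuration.
# http_access rules are evaluated top-down and the first match wins; the
# per-environment rules under /etc/squid/conf.d are pulled in just before
# the final "deny all", so everything above them is the baseline policy.

# Listening

# Plain HTTP proxy port.
http_port 3128

# TLS-wrapped proxy port: clients speak TLS *to the proxy* here. No ssl-bump
# option is set, so traffic between client and origin is not intercepted.
# The private key should be readable by the squid user only.
https_port 3129 tls-cert=/etc/squid/ssl/SLPXYP01.tips-of-mine.crt tls-key=/etc/squid/ssl/SLPXYP01.tips-of-mine.key

# Logging

# Every access line is written twice: once to the local file and once to
# syslog (facility local7, level info).
access_log daemon:/var/log/squid/access.log common
access_log syslog:local7.info common # Log to syslog sent to QRadar for Login Sécurité

# Local networks
# NOTE: these are `dst` ACLs (the stock squid.conf uses `src`): they match the
# destination the client asks the proxy to reach, so "http_access deny localnet"
# below stops the proxy from being used as a path into internal address space.
acl localnet dst 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
# NOTE(review): RFC 1918 is 10.0.0.0/8; /23 covers only 10.0.0.0-10.0.1.255 — confirm intended
acl localnet dst 10.0.0.0/23 # RFC 1918 local private network (LAN)
acl localnet dst 100.64.0.0/10 # RFC 6598 shared address space (CGN)
acl localnet dst 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines
acl localnet dst 172.16.0.0/12 # RFC 1918 local private network (LAN)
acl localnet dst 192.168.0.0/16 # RFC 1918 local private network (LAN)
acl localnet dst fc00::/7 # RFC 4193 local private network range
acl localnet dst fe80::/10 # RFC 4291 link-local (directly plugged) machines

# Ports a CONNECT tunnel may target (only enforced if the rule below is re-enabled).
acl SSL_ports port 443
# Repeating an acl line with the same name extends that ACL's list.
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

# Per-port ACLs for use by the rules in conf.d. ftp_port is declared twice and
# therefore matches either 21 or 990.
acl https_port port 443
acl http_port port 80
acl ftp_port port 21
acl sftp_port port 22
acl ftp_port port 990 # ftps
acl 993_port port 993 # imaps
acl 8080_port port 8080

acl ftp proto FTP
# Send FTP requests straight to the origin, bypassing any cache_peer.
# Same spelling as the acl above: Squid presumably compares ACL names
# case-insensitively, but identical spelling avoids relying on that.
always_direct allow ftp

# Deny requests to certain unsafe ports
# Deny CONNECT to other than secure SSL ports
# NOTE(review): with both rules disabled, any client that a conf.d rule allows
# can open a CONNECT tunnel to any port, not just 443. If they are off to
# permit the 22/990/993 ACLs above, add those ports to SSL_ports and
# re-enable the two rules; otherwise re-enable them as they stand.
#http_access deny !Safe_ports
#http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# Do not let the proxy be used to reach services bound to its own loopback
# (to_localhost is a built-in ACL, like the undeclared localhost and manager
# used above).
http_access deny to_localhost

# Allow the proxy host itself (built-in localhost ACL)
http_access allow localhost

# No using proxy to access local network
http_access deny localnet

# This instance only forwards; nothing is cached.
cache deny all

# Per-environment rules. Order matters: anything allowed here must come
# before the final deny. NOTE(review): the first glob also matches the
# 01-..04- directory entries themselves — confirm Squid skips them cleanly,
# or restrict the pattern to files (e.g. conf.d/*.conf).
include /etc/squid/conf.d/*
include /etc/squid/conf.d/01-dev/*
include /etc/squid/conf.d/02-rec/*
include /etc/squid/conf.d/03-preprod/*
include /etc/squid/conf.d/04-prod/*

# And finally deny all other access to this proxy
http_access deny all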