## =============================================================================
## SQUID 5.7 - FULL CONFIGURATION
## Authentication: OpenLDAP over SSL (LDAPS)
## Client-to-proxy traffic: HTTPS-encrypted listener (https_port below)
## =============================================================================
## -----------------------------------------------------------------------------
## BASIC PARAMETERS
## -----------------------------------------------------------------------------
## Hostname reported in error pages and in the Via header (placeholder value).
visible_hostname proxy.dominio.com
## NOTE(review): "transparent" is the older spelling of the "intercept" flag.
## Intercepted clients never send Proxy-Authorization, so the proxy_auth ACL
## defined further down cannot authenticate traffic that arrives on this port;
## if this is meant to be an explicit proxy port, the flag should be dropped.
## Anything that does use this port is plaintext, so Basic credentials sent
## here travel unencrypted - the https_port below is the listener clients
## are expected to use.
http_port 3128 transparent
## TLS listener for the explicit proxy. SSLv3, TLS 1.0 and TLS 1.1 are
## disabled (TLS 1.2+ only); the cipher string excludes RC4, 3DES, MD5,
## export, anonymous and NULL suites but still admits the MEDIUM class.
## cert=/key= are the pre-Squid-4 spellings of tls-cert=/tls-key=
## (still accepted as far as the release notes say - confirm on upgrade).
https_port 13129 cert=/etc/squid/ssl/certificado.crt key=/etc/squid/ssl/certificado.key options=NO_SSLv3,NO_TLSv1,NO_TLSv1_1 cipher=HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
## Hides the Squid version string from error pages and response headers.
httpd_suppress_version_string on
## -----------------------------------------------------------------------------
## CACHE CONFIGURATION
## -----------------------------------------------------------------------------
## cache_mem: memory reserved for in-transit and hot objects; should never
## exceed 1/4 of the machine's physical RAM.
cache_mem 128 MB
## cache_dir: storage type - directory - size in MB - number of level-1
## subdirectories - number of level-2 subdirectories.
## aufs: storage backend using POSIX threads
## diskd: storage backend using separate processes; in theory higher disk-I/O cost
cache_dir aufs /var/cache/squid 64 128 256
## Contact address shown on error pages.
cache_mgr info@dominio.com
## Directory where core dumps are written on a crash; keep it on a
## partition with restricted permissions, since a dump can contain
## in-flight request data.
coredump_dir /var/spool/squid/coredumpdir
## Squid 3.2+ ships a built-in "manager" ACL; redefining it here is
## redundant and may produce a warning at startup. Note that nothing in the
## http_access list below restricts who may reach the cache manager.
acl manager proto cache_object
## Cache replacement policy
## LRU: the least recently used objects are evicted first
## LFUDA: the most requested objects stay in cache regardless of size
## GDSF: small, frequently requested objects stay in cache; less efficient here
maximum_object_size 4 MB
cache_replacement_policy heap LFUDA
memory_replacement_policy heap LFUDA
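## -----------------------------------------------------------------------------
## LOG FILES
## -----------------------------------------------------------------------------
## access.log records every client request together with the authenticated
## LDAP username, so keep the log directory readable only by root and the
## squid user, and forward it to a central collector for detection and
## retention.
## "cache_access_log" is the pre-2.6 name of this directive and is listed as
## obsolete in current Squid (reportedly reported as an error and ignored, so
## the original line likely had no effect); the current directive is access_log.
access_log /var/log/squid/access.log
## store.log records cache store/release events; mainly useful for debugging.
cache_store_log /var/log/squid/store.log
## cache.log holds daemon messages: startup errors, helper failures, etc.
cache_log /var/log/squid/cache.log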
## -----------------------------------------------------------------------------
## OTHER PARAMETERS
## -----------------------------------------------------------------------------
## Do not keep serving clients that have half-closed their connection.
half_closed_clients off
## Password used for anonymous FTP logins through the proxy.
ftp_user anonymous@nospam.com
## Localised error pages (Spanish). Together with
## httpd_suppress_version_string this keeps version details out of errors.
error_directory /usr/share/squid/errors/Spanish
## -----------------------------------------------------------------------------
## TUNING OF OBJECT REFRESH TIMES
## CACHE REFRESH -> MIN PERCENT MAX (minutes)
## 1440 = 1 day
## 2880 = 2 days
## 10080 = 7 days
## 20160 = 14 days
## 30240 = 21 days
## -----------------------------------------------------------------------------
## Patterns are evaluated top-down and the first match wins. Without
## override options these values only apply when the origin sends no
## explicit freshness information (Expires / Cache-Control). The regexes
## are case-sensitive (no -i), so ".JPG" or ".PDF" fall through to Squid's
## built-in default, as does anything not listed here (no catch-all
## "refresh_pattern ." is defined).
## System files / packages
refresh_pattern \.iso$ 2880 80% 10080
refresh_pattern \.deb$ 2880 80% 10080
## The unescaped dot in "tar.gz" matches any character; harmless here
## because \.gz$ below carries the same values.
refresh_pattern \.tar.gz$ 2880 80% 10080
refresh_pattern \.gz$ 2880 80% 10080
refresh_pattern \.bz2$ 2880 80% 10080
refresh_pattern \.exe$ 2880 80% 10080
## Image files
refresh_pattern \.jpg$ 1440 50% 2880
refresh_pattern \.jpeg$ 1440 50% 2880
refresh_pattern \.gif$ 1440 50% 2880
refresh_pattern \.bmp$ 1440 50% 2880
refresh_pattern \.png$ 1440 50% 2880
refresh_pattern \.svg$ 1440 50% 2880
refresh_pattern \.tif$ 1440 50% 2880
refresh_pattern \.tiff$ 1440 50% 2880
## Documents
refresh_pattern \.xls$ 1440 80% 2880
refresh_pattern \.xlsx$ 1440 80% 2880
refresh_pattern \.doc$ 1440 80% 2880
refresh_pattern \.docx$ 1440 80% 2880
refresh_pattern \.odt$ 1440 80% 2880
refresh_pattern \.ods$ 1440 80% 2880
refresh_pattern \.rtf$ 1440 80% 2880
refresh_pattern \.pdf$ 1440 80% 2880
refresh_pattern \.txt$ 1440 80% 2880
refresh_pattern \.conf$ 1440 80% 2880
## Compressed files
refresh_pattern \.zip$ 2880 80% 10080
refresh_pattern \.rar$ 2880 80% 10080
refresh_pattern \.arj$ 2880 80% 10080
## -----------------------------------------------------------------------------
## LDAP AUTHENTICATION over SSL (LDAPS - port 636)
## The helper binds with the service account given by -D/-w below, so an
## anonymous-bind capable directory is NOT required; if the directory does
## allow anonymous searches the -D and -w lines can be removed.
## -----------------------------------------------------------------------------
## NOTE(review): the bind password is stored in clear text in this file.
## Restrict squid.conf to root and the squid user (e.g. mode 0640) and use a
## read-only directory account, which is all the lookup needs.
## Server certificate validation for ldaps:// is governed by the OpenLDAP
## client settings (TLS_CACERT / TLS_REQCERT in ldap.conf), not by this
## file - confirm they are set so the helper does not accept any certificate.
## The search base here is ou=People while the commented group lookup below
## uses ou=users; only one of them can match the real directory layout.
auth_param basic program /usr/lib/squid/basic_ldap_auth \
-H ldaps://127.0.0.1 \
-b "ou=People,dc=dominio,dc=com" \
-D "cn=ldap-reader,ou=Service,dc=dominio,dc=com" \
-w "password" \
-f "uid=%s"
## Helper pool: 10 processes max, 2 started at boot, 2 kept idle.
auth_param basic children 10 startup=2 idle=2
auth_param basic realm "Please login"
## Credentials are re-checked against LDAP only when the TTL expires, so a
## password change or account disable can take up to 12 hours to take effect
## on the proxy.
auth_param basic credentialsttl 12 hours
auth_param basic casesensitive off
## Optional: restrict access by LDAP group (also over SSL)
## Uncomment to limit the proxy to one group (e.g. proxy-users)
## NOTE(review): -E is used here as if it took a CA bundle path; confirm
## that against the helper's documented option list before enabling.
#external_acl_type ldap_group %LOGIN /usr/lib/squid/ext_ldap_group_acl \
# -H ldaps://127.0.0.1 \
# -b "ou=groups,dc=dominio,dc=com" \
# -f "(&(objectClass=groupOfNames)(cn=%g)(member=uid=%u,ou=users,dc=dominio,dc=com))" \
# -E /etc/ssl/certs/ca-certificates.crt
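## -----------------------------------------------------------------------------
## ACCESS CONTROL LISTS - ACLs
## -----------------------------------------------------------------------------
## Ports that may be reached with CONNECT (TLS tunnels). 8080 is usually a
## plaintext HTTP port; allowing CONNECT to it opens an opaque tunnel to
## whatever listens there, so keep it only if a known service needs it.
acl SSL_ports port 443 563 8080 8443 9443
## Ports that may be reached with any method.
acl Safe_ports port 20
acl Safe_ports port 21
acl Safe_ports port 80
acl Safe_ports port 443
acl Safe_ports port 563
acl Safe_ports port 777
acl Safe_ports port 1024-65535
acl CONNECT method CONNECT
## Networks and hosts
## "all" and "localhost" are built-in ACLs since Squid 3.2; these two lines
## are redundant (and this localhost definition covers IPv4 only).
acl all src all
acl localhost src 127.0.0.1/255.255.255.255
## Blocklists (one regex per line; case-sensitive unless the file uses -i)
acl denywords url_regex "/etc/squid/denywords"
acl denydomains dstdom_regex "/etc/squid/denydomains"
## Domains to be served without going through the cache
acl sincache dstdom_regex "/etc/squid/sincache"
## always_direct only forces these requests to go straight to the origin
## instead of via a cache_peer; it does NOT stop them from being cached.
## The "cache deny" line is what actually keeps their responses out of
## the cache.
always_direct allow sincache
cache deny sincache
## LDAP authentication: any user the basic_ldap_auth helper accepts.
acl ldap_users proxy_auth REQUIRED
## Optional: when using group validation, comment the line above and uncomment these:
#acl proxy_group external ldap_group proxy-users
#acl ldap_users proxy_auth REQUIRED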
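## -----------------------------------------------------------------------------
## ACCESS MANAGEMENT
## Warning: http_access rules are evaluated in order; the first match wins.
## -----------------------------------------------------------------------------
## The original order allowed any client to use every Safe_port and to
## CONNECT to every SSL_port without authenticating ("allow SSL_ports" /
## "allow Safe_ports"), which made the listener an open proxy, and it
## allowed authenticated users before the blocklist denies, so the
## blocklists never applied to them. The port restrictions now come first,
## the blocklists apply to everyone, and only authenticated LDAP users get
## through. Clients on an intercepting port cannot authenticate and will be
## denied by the final rule.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
## Cache manager interface is reachable from localhost only (allowed above).
http_access deny manager
http_access deny denydomains
http_access deny denywords
http_access allow ldap_users
http_access deny all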