# SQUID CONF FILE - UPDATED BY PAULD 04/12/2005 http_port 8080 icp_port 0 cache_peer x.x.x.x parent 80 7 no-query default hierarchy_stoplist cgi-bin ? acl QUERY urlpath_regex cgi-bin \? acl QUERY1 urlpath_regex aspx \? acl QUERY2 urlpath_regex asp \? no_cache deny QUERY no_cache deny QUERY1 no_cache deny QUERY2 cache_mem 100 MB cache_dir ufs /var/cache/squid 500 16 256 cache_access_log /var/log/squid/access.log cache_log /var/log/squid/cache.log cache_store_log none ftp_user anonymous@blah.com refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern . 0 20% 4320 #=========Authentication Bit========================== auth_param ntlm program /usr/local/samba/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp #auth_param ntlm program /usr/local/squid/libexec/wb_ntlmauth auth_param ntlm children 15 auth_param ntlm max_challenge_reuses 0 auth_param ntlm max_challenge_lifetime 2 minutes auth_param ntlm use_ntlm_negotiate off auth_param basic program /usr/local/samba/bin/ntlm_auth --helper-protocol=squid-2.5-basic auth_param basic children 15 auth_param basic realm Squid Proxy Server auth_param basic credentialsttl 2 hours #==========Use AD Domain groups for ACLsv=============== external_acl_type ad_group ttl=0 concurrency=5 %LOGIN /usr/local/squid/libexec/wbinfo_group.pl #==========ACCESS CONTROLS=============================== acl all src 0.0.0.0/0.0.0.0 acl manager proto cache_object acl localhost src 127.0.0.1/255.255.255.255 acl to_localhost dst 127.0.0.0/8 acl SSL_ports port 443 acl Safe_ports port 80 # http acl Safe_ports_ftp port 21 # ftp acl Safe_ports port 443 # https acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl CONNECT method CONNECT acl allowedurls url_regex "/etc/squid/okurls" acl blockedurls url_regex "/etc/squid/badurls" acl allowedUsers external ad_group InternetAllowed acl unrestrictedUsers external ad_group InternetBypass acl Authenticated proxy_auth REQUIRED #==file extensions that we don't allow acl nora1 urlpath_regex \.rm$ acl nora2 urlpath_regex \.r1$ acl nora3 urlpath_regex \.ram$ acl nora4 urlpath_regex \.rm acl nomp2 urlpath_regex \.mp2 acl nomp3 urlpath_regex \.mp3 acl nomp2 urlpath_regex \.MP2 acl nomp2 urlpath_regex \.MP3 acl nowma urlpath_regex \.wma acl nowmv urlpath_regex \.wmv acl nompg1 urlpath_regex \.mpg$ acl nompg2 urlpath_regex \.mpeg$ acl nompg3 urlpath_regex \.mpe$ acl noqt urlpath_regex \.mov$ acl noavi urlpath_regex \.avi$ acl noexe urlpath_regex \.exe acl noexe urlpath_regex \.EXE http_access allow manager localhost http_access allow localhost http_access allow allowedurls allowedUsers http_access allow unrestrictedUsers http_access deny manager http_access deny !Safe_ports http_access deny CONNECT !SSL_ports http_access deny blockedurls http_access deny !Authenticated #==== Now to block those file extensions http_access deny noexe http_access deny nomp2 http_access deny nomp3 http_access deny nowma http_access deny nowmv http_access deny nompg1 http_access deny nompg2 http_access deny nompg3 http_access deny noavi http_access deny noqt http_access deny all http_reply_access allow all icp_access allow all mail_from squid@blah.com mail_program mail cache_effective_user squid cache_effective_group squid append_domain .blah.com never_direct allow all coredump_dir /var/cache/squid #note 33,2 lets you see which acl allowed or denied debug_options ALL,1 33,2