# +------------------------------------------------------------------------------+ # | Endian Firewall | # +------------------------------------------------------------------------------+ # | Copyright (c) 2005-2006 Endian | # | Endian GmbH/Srl | # | Bergweg 41 Via Monte | # | 39057 Eppan/Appiano | # | ITALIEN/ITALIA | # | info@endian.it | # | | # | This program is free software; you can redistribute it and/or | # | modify it under the terms of the GNU General Public License | # | as published by the Free Software Foundation; either version 2 | # | of the License, or (at your option) any later version. | # | | # | This program is distributed in the hope that it will be useful, | # | but WITHOUT ANY WARRANTY; without even the implied warranty of | # | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | # | GNU General Public License for more details. | # | | # | You should have received a copy of the GNU General Public License | # | along with this program; if not, write to the Free Software | # | Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 
# |   http://www.fsf.org/                                                        |
# +------------------------------------------------------------------------------+
#
# squid.conf as rendered by the Endian Firewall template (the custom.tmpl
# markers further down are the hook for site additions). Squid walks every
# *_access directive top to bottom and stops at the first matching line, so
# the ORDER of the http_access / cache_peer_access / never_direct rules is
# part of the configuration, not just its layout.

# ---- process and listener ----------------------------------------------------
shutdown_lifetime 1 seconds
# ICP (UDP inter-cache queries) disabled.
icp_port 0
# Binds every interface, in interception ("transparent") mode. Nothing in this
# file restricts who can reach TCP/8080; the http_access rules below are the
# only proxy-side gate, so network-level reachability is presumably limited by
# firewall rules outside this file — TODO confirm.
http_port 0.0.0.0:8080 transparent
cache_effective_user squid
cache_effective_group squid
pid_filename /var/run/squid.pid
cache_mem 200 MB
# aufs store: 30000 MB under /var/spool/squid, 16 first-level / 256 second-level dirs.
cache_dir aufs /var/spool/squid 30000 16 256
error_directory /usr/share/squid/errors/en
max_filedesc 25619
server_persistent_connections off
half_closed_clients off
buffered_logs on

# START LOG
cache_log /var/log/squid/cache.log
# The access log is shipped to syslog (facility local6, level info) instead of
# a local file; the user-agent log stays on disk.
cache_access_log syslog:local6.info
cache_store_log none
useragent_log /var/log/squid/useragent.log
# Query strings are NOT stripped before logging: full URLs, including any
# tokens or credentials carried in the query, end up in the local6 stream.
strip_query_terms off
log_mime_hdrs off
# END LOG

# FORWARD IP ADDRESS
# Squid appends the original client address to X-Forwarded-For on requests it
# sends upstream, so internal client IPs are disclosed to the peers below and,
# through them, to origin servers.
forwarded_for on

# START AUTHENTICATION
# METHOD is NCSA
# Basic scheme validated against an htpasswd-style file. Basic credentials
# cross the wire base64-encoded, not encrypted, on the plain-HTTP listener above.
auth_param basic program /usr/lib/squid/ncsa_auth /var/efw/proxy/ncsausers
auth_param basic children 20
auth_param basic realm Proxy Server
# A validated credential is reused for 60 minutes before the helper is re-asked.
auth_param basic credentialsttl 60 minutes
# NOTE(review): for_auth_users is defined but referenced by no http_access line
# in this file, so authentication is configured yet never enforced here. That
# may be intentional for a template rendered with auth switched off — confirm.
acl for_auth_users proxy_auth REQUIRED
# END AUTHENTICATION

# network - acls
# Squid expects an ACL named "all" to exist (the template's original remark
# here was "seams to be needed").
acl all src 0.0.0.0/0.0.0.0
acl from_all src 0.0.0.0/0.0.0.0
acl to_all dst 0.0.0.0/0.0.0.0
acl from_localhost src 127.0.0.1/255.255.255.255
acl CONNECT method CONNECT
acl to_http_port port 80
# 10443 on the green interface address — presumably the firewall's own HTTPS
# administration UI; confirm against the host's service layout.
acl to_https_port port 10443
# proxy interfaces - acls
# 10.1.1.1 is presumably the proxy host's green-side address in this rendering.
acl to_green_interface dst 10.1.1.1
acl from_green src "/etc/squid/acls/green_subnets.acl"
# to_green is defined but referenced by no rule in this file.
acl to_green dst "/etc/squid/acls/green_subnets.acl"
# allowed ports - acls
# Destination-port whitelists live in external files whose contents are not
# visible here; the deny rules below depend entirely on them.
acl allowed_ports port "/etc/squid/acls/ports.acl"
acl allowed_sslports port "/etc/squid/acls/sslports.acl"
# allowed havp protocol - acls
# Only HTTP and SSL requests are handed to the scanning peers; any other
# protocol bypasses them (see cache_peer_access / never_direct at the end).
acl HAVP_ALLOWED_PROTOS proto HTTP
acl HAVP_ALLOWED_PROTOS proto SSL
# Both windows cover every day of the week for all 24 hours, so each of these
# ACLs always matches; presumably the template narrows them when a schedule is
# configured.
acl within_timeframe_rule0 time MTWHFAS 00:00-24:00
acl within_timeframe_rule1 time MTWHFAS 00:00-24:00

# caching settings
# CGI and query-string URLs are never cached; everything else gets the default
# heuristic (20% of the object's age, capped at 4320 minutes = 3 days).
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
# Responses to Squid's own loopback requests and CONNECT tunnels are not stored.
cache deny from_localhost
cache deny CONNECT
cache allow from_all

# http access to cachemanager
# cache_object:// (cachemgr) is reachable from loopback only.
acl manager proto cache_object
http_access allow manager from_localhost
http_access deny manager

# snmp access settings
# Community string is the well-known default "public"; access is limited to
# loopback. snmp_port is not set in this file.
acl snmppublic snmp_community public
snmp_access allow snmppublic from_localhost
snmp_access deny from_all

# http access to squid
# First match wins. Reading top to bottom:
#   1. loopback may do anything;
#   2. green clients may reach the green interface on 80 (plain) and on
#      10443 (CONNECT only);
#   3. anything else aimed at 10443 on the green interface is refused;
#   4. a destination port in neither whitelist, or a CONNECT to a port outside
#      the SSL whitelist, is refused for every source;
#   5. green clients are allowed (rule0 always matches);
#   6. every remaining source is allowed too (rule1 always matches), so the
#      final deny is unreachable. In effect any client that can reach 8080 is
#      served; the from_green line only matters if rule0 is later narrowed.
http_access allow from_localhost
http_access allow from_green to_green_interface to_http_port
http_access allow CONNECT from_green to_green_interface to_https_port
http_access deny to_green_interface to_https_port
http_access deny !allowed_ports !allowed_sslports
http_access deny CONNECT !allowed_sslports
http_access allow from_green to_all within_timeframe_rule0
http_access allow from_all to_all within_timeframe_rule1
http_access deny from_all

# http reply access rules
# Mirrors the http_access outcome on the response side; as above, the from_all
# line makes the trailing deny unreachable while rule1 matches everything.
http_reply_access allow from_localhost
http_reply_access allow from_green to_all within_timeframe_rule0
http_reply_access allow from_all to_all within_timeframe_rule1
http_reply_access deny from_all

# max/min object size
maximum_object_size 200000 KB
minimum_object_size 0 KB
# replace body max size
# 0 = no limit: request and reply bodies of any size are accepted for all clients.
request_body_max_size 0 KB
reply_body_max_size 0 allow from_all
# Site-specific values: admin contact shown on error pages, hostname used in
# Via headers and error pages.
cache_mgr proxy1@chariot.net.au
visible_hostname PROXY1

# begin custom.tmpl
# end custom.tmpl

# DANSGUARDIAN / content1 - cache peers
# All three peers listen on loopback. login=*:password forwards the client's
# own username to the peer together with the fixed literal password
# "password" — no real secret is involved. Each peer is skipped for Squid's
# own loopback requests and for protocols other than HTTP/SSL.
cache_peer 127.0.0.1 parent 9999 0 no-query no-digest no-netdb-exchange name=content1 login=*:password
cache_peer_access content1 deny from_localhost
cache_peer_access content1 deny !HAVP_ALLOWED_PROTOS
# DANSGUARDIAN / content2 - cache peers
cache_peer 127.0.0.2 parent 9999 0 no-query no-digest no-netdb-exchange name=content2 login=*:password
cache_peer_access content2 deny from_localhost
cache_peer_access content2 deny !HAVP_ALLOWED_PROTOS
# HAVP - cache peer
cache_peer 127.0.0.1 parent 9998 0 no-query no-digest no-netdb-exchange name=havp login=*:password
cache_peer_access havp deny from_localhost
cache_peer_access havp deny !HAVP_ALLOWED_PROTOS

# cache peer access
# Peer selection, first match per peer:
#   - green clients (rule0) -> content2 (DansGuardian); content1 and havp refused;
#   - every other client (rule1) -> havp (HAVP); content1 and content2 refused.
# content1 therefore carries only deny lines in this rendering and is never
# selected; presumably the template enables it for another zone or profile —
# confirm before treating it as dead configuration.
cache_peer_access content2 allow from_green to_all within_timeframe_rule0
cache_peer_access content1 deny from_green to_all within_timeframe_rule0
cache_peer_access havp deny from_green to_all within_timeframe_rule0
cache_peer_access havp allow from_all to_all within_timeframe_rule1
cache_peer_access content1 deny from_all to_all within_timeframe_rule1
cache_peer_access content2 deny from_all to_all within_timeframe_rule1
cache_peer_access content1 deny from_all
cache_peer_access content2 deny from_all
cache_peer_access havp deny from_all
# never_direct allow = the request MUST go through a peer; deny = it may go to
# the origin directly. Loopback requests and non-HTTP/SSL protocols go direct
# (consistent with the peer deny lines above); everything else is forced
# through a peer.
# NOTE(review): the second `never_direct deny !HAVP_ALLOWED_PROTOS ...` line is
# a byte-for-byte repeat of the first and cannot match anything the first did
# not; it is redundant in this rendering.
never_direct deny from_localhost
never_direct deny !HAVP_ALLOWED_PROTOS from_all to_all within_timeframe_rule1
never_direct allow from_green to_all within_timeframe_rule0
never_direct deny !HAVP_ALLOWED_PROTOS from_all to_all within_timeframe_rule1
never_direct allow from_all to_all within_timeframe_rule1
never_direct allow from_all