Optimized Squid Config for Squid v4.0.4

For those of you who are squid optimization geeks. Below is my latest iteration of the squid.conf file I am now using for 4.0.4

#
#Recommended minimum configuration:
#
always_direct allow all

# 3 workers, using worker #1 as the frontend is important

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 192.168.0.0/16
acl localnet src fc00::/7
acl localnet src fe80::/10 # RFC1918 possible internal network
acl Safe_ports port 1-65535 # RFC1918 possible internal network
acl CONNECT method GET POST HEAD OPTIONS CONNECT PUT DELETE # RFC1918 possible internal network
#acl block-fnes urlpath_regex -i .*/fnes/echo # RFC 4193 local private network range
acl noscan dstdomain symantecliveupdate.com liveupdate.symantec.com psi3.secunia.com update.immunet.com avstats.avira.com premium.avira-update.com 8f8fb293be49781da3e3229cd4469a18.da3e3.net # RFC 4291 link-local (directly plugged) machines

# Disable alternate protocols
request_header_access Alternate-Protocol deny all
reply_header_access Alternate-Protocol deny all

#acl video urlpath_regex -i \.(mpa|m2a|mpe|avi|mov|mpg|mpg3|mpg4|mpeg|m1s|mp2v|m2v|m2s|wmx|rm|rmvb|3pg|3gpp|omg|ogm|asf|asx|mp2|mp3|mp4|wmv|flv|ts|f4v|f4m)

#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost

no_cache deny noscan
always_direct allow noscan
#no_cache deny video
#always_direct allow video

# Deny requests to certain unsafe ports

# Deny CONNECT to other than secure SSL ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on .localhost. is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
#cache_peer 192.168.1.1 parent 8080 0 default no-query no-digest no-netdb-exchange
#never_direct allow all

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed

http_access allow all

# allow localhost always proxy functionality

# And finally deny all other access to this proxy

# Squid normally listens to port 3128
pipeline_prefetch 7
read_ahead_gap 256 MB
client_request_buffer_max_size 4096 KB
request_header_max_size 2048 KB
reply_header_max_size 2048 KB
#quick_abort_min -1 KB
#quick_abort_pct 100
#range_offset_limit -1
eui_lookup off
http_port 0.0.0.0:8080 intercept disable-pmtu-discovery=always
http_port 0.0.0.0:3128
tcp_outgoing_address 192.168.2.2
connect_retries 1

client_persistent_connections on
server_persistent_connections on
detect_broken_pconn on

# We recommend you to use at least the following line.
#hierarchy_stoplist cgi-bin ?

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir diskd /ssd/0 54000 32 256 Q1=256 Q2=144
#cache_dir diskd /ssd/1 54000 32 256 Q1=256 Q2=144
#cache_dir diskd /ssd/3 54000 32 256 Q1=256 Q2=144

#cache_dir diskd /ssd2/0 68000 32 256 Q1=256 Q2=144
#cache_dir diskd /ssd2/1 68000 32 256 Q1=256 Q2=144
#cache_dir diskd /ssd2/3 68000 32 256 Q1=256 Q2=144

cache_dir ufs /ssd/0 32000 1024 256
cache_dir ufs /ssd/1 32000 1024 256
cache_dir ufs /ssd/2 32000 1024 256
cache_dir ufs /ssd/3 32000 1024 256
cache_dir ufs /ssd/4 32000 1024 256
cache_dir ufs /ssd/5 32000 1024 256

cache_dir ufs /ssd2/0 43000 1024 256
cache_dir ufs /ssd2/1 43000 1024 256
cache_dir ufs /ssd2/2 43000 1024 256
cache_dir ufs /ssd2/3 43000 1024 256
cache_dir ufs /ssd2/4 43000 1024 256
cache_dir ufs /ssd2/6 43000 1024 256

store_dir_select_algorithm round-robin
#cache_replacement_policy heap GDSF
#memory_replacement_policy heap GDSF

# Leave coredumps in the first cache dir
coredump_dir /var/cache/squid

# Add any of your own refresh_pattern entries above these.
# General Rules
#cache images

refresh_pattern -i \.(gif|png|ico|jpg|jpeg|jp2|webp)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private
refresh_pattern -i \.(jpx|j2k|j2c|fpx|bmp|tif|tiff|bif)$ 100000 90% 20000 override-expire reload-into-ims ignore-no-store ignore-private
refresh_pattern -i \.(pcd|pict|rif|exif|hdr|bpg|img|jif|jfif)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private
refresh_pattern -i \.(woff|woff2|eps|ttf|otf|svg|svgi|svgz|ps|ps1|acsm|eot)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private

#cache content
refresh_pattern -i \.(swf|js|ejs)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private
refresh_pattern -i \.(wav|css|class|dat|zsci|ver|advcs)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private

#cache videos
refresh_pattern -i \.(mpa|m2a|mpe|avi|mov|mpg|mpeg|mpg3|mpg4|mpg5)$ 0 90% 200000 reload-into-ims ignore-no-store ignore-private
refresh_pattern -i \.(m1s|mp2v|m2v|m2s|m2ts|wmx|rm|rmvb|3pg|3gpp|omg|ogm|asf|war)$ 0 90% 200000 reload-into-ims ignore-no-store ignore-private
refresh_pattern -i \.(asx|mp2|mp3|mp4|mp5|wmv|flv|mts|f4v|f4|pls|midi|mid)$ 0 90% 200000 reload-into-ims ignore-no-store ignore-private
refresh_pattern -i \.(htm|html)$ 9440 90% 200000 reload-into-ims ignore-no-store ignore-private
refresh_pattern -i \.(xml|flow|asp|aspx)$ 0 90% 200000
refresh_pattern -i \.(json)$ 0 90% 200000
refresh_pattern -i (/cgi-bin/|\?) 0 90% 200000

#live video cache rules
refresh_pattern -i \.(m3u8|ts)$ 0 90% 200000

#cache specific sites
refresh_pattern -i ^http:\/\/liveupdate.symantecliveupdate.com.*\(zip)$ 0 0% 0
refresh_pattern -i ^http:\/\/premium.avira-update.com.*\(gz) 0 0% 0
refresh_pattern -i microsoft.com/.*\.(cab|exe|msi|msu|msf|asf|wma|dat|zip)$ 4320 80% 43200
refresh_pattern -i windowsupdate.com/.*\.(cab|exe|msi|msu|msf|asf|wma|wmv)|dat|zip)$ 4320 80% 43200
refresh_pattern -i windows.com/.*\.(cab|exe|msi|msu|msf|asf|wmv|wma|dat|zip)$ 4320 80% 43200
refresh_pattern -i apple.com/.*\.(cab|exe|msi|msu|msf|asf|wmv|wma|dat|zip|dist)$ 0 80% 4320

#cache binaries
refresh_pattern -i \.(app|bin|deb|rpm|drpm|exe|zip|zipx|tar|tgz|tbz2|tlz|iso|arj|cfs|dar|jar)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private
refresh_pattern -i \.(bz|bz2|ipa|ram|rar|uxx|gz|msi|dll|lz|lzma|7z|s7z|Z|z|zz|sz)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private
refresh_pattern -i \.(exe|msi)$ 0 90% 200000
refresh_pattern -i \.(cab|psf|vidt|apk|wtex|hz|ova|ovf)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private

#cache microsoft and adobe and other documents
refresh_pattern -i \.(ppt|pptx|doc|docx|docm|docb|dot|pdf|pub|ps)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private
refresh_pattern -i \.(xls|xlsx|xlt|xlm|xlsm|xltm|xlw|csv|txt)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private
#refresh_pattern -i ^ftp: 100000 90% 200000
#refresh_pattern -i ^gopher: 1440 0% 1440

#allow caching of other things based on cache control headers with some exceptions
refresh_pattern -i . 0 90% 200000

log_icp_queries off
icp_port 0
htcp_port 0
acl snmppublic snmp_community public
snmp_port 3401
snmp_incoming_address 192.168.2.2
snmp_access allow snmppublic all
minimum_object_size 0 KB
cache_effective_user squid
#header_replace User-Agent Mozilla/5.0 (X11; U;) Gecko/20080221 Firefox/2.0.0.9
vary_ignore_expire on
cache_swap_low 90
cache_swap_high 95
visible_hostname shadow
unique_hostname shadow-DHS
shutdown_lifetime 0 second
request_entities on
half_closed_clients off
max_filedesc 65535
connect_timeout 10 seconds
cache_effective_group squid
buffered_logs on
#access_log /var/log/squid/access.log squid
access_log daemon:/var/log/squid/access.log buffer-size=256KB
#access_log none
netdb_filename none
client_db off
dns_nameservers 127.0.0.1 127.0.0.1 192.168.2.2 192.168.1.96
ipcache_size 10000
ipcache_low 90
ipcache_high 95
dns_v4_first on
negative_ttl 5 minutes
positive_dns_ttl 30 days
negative_dns_ttl 5 minutes
dns_retransmit_interval 1 seconds
check_hostnames off
forwarded_for delete
via off
httpd_suppress_version_string on
# mem and cache size
#collapsed_forwarding on
cache_mem 4 GB
memory_cache_mode disk
maximum_object_size 2 GB
maximum_object_size_in_memory 2 GB
digest_generation off
#digest_bits_per_entry 8
pinger_enable off
memory_pools on
max_stale 4 months


My latest optimized squid proxy squid.conf configuration file (squid version 4.0.3)

#You will need to replace x.x.x.x with your own ip configuration. The refresh policy included in this configuration cached hits in the range of 40-60%

 

#
#Recommended minimum configuration:
#
always_direct allow all

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src x.x.0.0/16
acl localnet src fc00::/7
acl localnet src fe80::/10 # RFC1918 possible internal network
acl Safe_ports port 1-65535 # RFC1918 possible internal network
acl CONNECT method GET POST HEAD OPTIONS CONNECT PUT DELETE # RFC1918 possible internal network
#acl block-fnes urlpath_regex -i .*/fnes/echo # RFC 4193 local private network range
acl noscan dstdomain symantecliveupdate.com liveupdate.symantec.com psi3.secunia.com update.immunet.com avstats.avira.com premium.avira-update.com 8f8fb293be49781da3e3229cd4469a18.da3e3.net # RFC 4291 link-local (directly plugged) machines

#acl video urlpath_regex -i \.(mpa|m2a|mpe|avi|mov|mpg|mpg3|mpg4|mpeg|m1s|mp2v|m2v|m2s|wmx|rm|rmvb|3pg|3gpp|omg|ogm|asf|asx|mp2|mp3|mp4|wmv|flv|ts|f4v|f4m)

#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost

no_cache deny noscan
always_direct allow noscan
#no_cache deny video
#always_direct allow video

# Deny requests to certain unsafe ports

# Deny CONNECT to other than secure SSL ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on .localhost. is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
#cache_peer 192.168.1.1 parent 8080 0 default no-query no-digest no-netdb-exchange
#never_direct allow all

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed

http_access allow all

# allow localhost always proxy functionality

# And finally deny all other access to this proxy
# Squid normally listens to port 3128
pipeline_prefetch 4
read_ahead_gap 256 MB
client_request_buffer_max_size 16 MB
#quick_abort_min -1 KB
#quick_abort_pct 100
#range_offset_limit -1
eui_lookup off
http_port 0.0.0.0:8080 intercept disable-pmtu-discovery=always
http_port 0.0.0.0:3128
tcp_outgoing_address x.x.x.x
connect_retries 2

client_persistent_connections on
server_persistent_connections on
detect_broken_pconn on

# We recommend you to use at least the following line.
#hierarchy_stoplist cgi-bin ?
# Uncomment and adjust the following to add a disk cache directory.
#cache_dir diskd /ssd/0 54000 32 256 Q1=256 Q2=144
#cache_dir diskd /ssd/1 54000 32 256 Q1=256 Q2=144
#cache_dir diskd /ssd/3 54000 32 256 Q1=256 Q2=144

#cache_dir diskd /ssd2/0 68000 32 256 Q1=256 Q2=144
#cache_dir diskd /ssd2/1 68000 32 256 Q1=256 Q2=144
#cache_dir diskd /ssd2/3 68000 32 256 Q1=256 Q2=144

cache_dir ufs /ssd/0 54000 128 512
cache_dir ufs /ssd/1 54000 128 512
cache_dir ufs /ssd/3 54000 128 512

cache_dir ufs /ssd2/0 68000 128 512
cache_dir ufs /ssd2/1 68000 128 512
cache_dir ufs /ssd2/3 68000 128 512

store_dir_select_algorithm round-robin
#cache_replacement_policy heap GDSF
#memory_replacement_policy heap GDSF

# Leave coredumps in the first cache dir
coredump_dir /var/cache/squid
# Add any of your own refresh_pattern entries above these.
# General Rules
#cache images

refresh_pattern -i \.(gif|png|ico|jpg|jpeg|jp2|webp)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private refresh-ims
refresh_pattern -i \.(jpx|j2k|j2c|fpx|bmp|tif|tiff|bif)$ 100000 90% 20000 override-expire reload-into-ims ignore-no-store ignore-private refresh-ims
refresh_pattern -i \.(pcd|pict|rif|exif|hdr|bpg|img|jif|jfif)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private refresh-ims
refresh_pattern -i \.(woff|woff2|eps|ttf|otf|svg|svgi|svgz|ps|ps1|acsm|eot)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private refresh-ims

#cache content
refresh_pattern -i \.(swf|js|ejs)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private refresh-ims
refresh_pattern -i \.(wav|css|class|dat|zsci|ver|advcs)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private refresh-ims

#cache videos
refresh_pattern -i \.(mpa|m2a|mpe|avi|mov|mpg|mpeg|mpg3|mpg4|mpg5)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private refresh-ims
refresh_pattern -i \.(m1s|mp2v|m2v|m2s|m2ts|wmx|rm|rmvb|3pg|3gpp|omg|ogm|asf|war)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private refresh-ims
refresh_pattern -i \.(asx|mp2|mp3|mp4|mp5|wmv|flv|mts|f4v|f4|pls|midi|mid)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private refresh-ims
refresh_pattern -i \.(htm|html)$ 9440 90% 200000 reload-into-ims ignore-no-store ignore-private refresh-ims
refresh_pattern -i \.(xml|flow|asp|aspx)$ 0 90% 200000 refresh-ims
refresh_pattern -i \.(json)$ 0 90% 200000 refresh-ims
refresh_pattern -i (/cgi-bin/|\?) 0 90% 200000

#live video cache rules
refresh_pattern -i \.(m3u8|ts)$ 0 90% 200000 refresh-ims

#cache specific sites
refresh_pattern -i ^http:\/\/liveupdate.symantecliveupdate.com.*\(zip)$ 0 0% 0
refresh_pattern -i ^http:\/\/premium.avira-update.com.*\(gz) 0 0% 0
refresh_pattern -i microsoft.com/.*\.(cab|exe|msi|msu|msf|asf|wma|dat|zip)$ 4320 80% 43200 reload-into-ims refresh-ims
refresh_pattern -i windowsupdate.com/.*\.(cab|exe|msi|msu|msf|asf|wma|wmv)|dat|zip)$ 4320 80% 43200 reload-into-ims refresh-ims
refresh_pattern -i windows.com/.*\.(cab|exe|msi|msu|msf|asf|wmv|wma|dat|zip)$ 4320 80% 43200 reload-into-ims refresh-ims
refresh_pattern -i apple.com/.*\.(cab|exe|msi|msu|msf|asf|wmv|wma|dat|zip|dist)$ 0 80% 43200 reload-into-ims refresh-ims

#cache binaries
refresh_pattern -i \.(app|bin|deb|rpm|drpm|exe|zip|zipx|tar|tgz|tbz2|tlz|iso|arj|cfs|dar|jar)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private refresh-ims
refresh_pattern -i \.(bz|bz2|ipa|ram|rar|uxx|gz|msi|dll|lz|lzma|7z|s7z|Z|z|zz|sz)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private refresh-ims
refresh_pattern -i \.(exe|msi)$ 0 90% 200000 refresh-ims
refresh_pattern -i \.(cab|psf|vidt|apk|wtex|hz|ova|ovf)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private refresh-ims

#cache microsoft and adobe and other documents
refresh_pattern -i \.(ppt|pptx|doc|docx|docm|docb|dot|pdf|pub|ps)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private refresh-ims
refresh_pattern -i \.(xls|xlsx|xlt|xlm|xlsm|xltm|xlw|csv|txt)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private refresh-ims
#refresh_pattern -i ^ftp: 100000 90% 200000
#refresh_pattern -i ^gopher: 1440 0% 1440

#allow caching of other things based on cache control headers with some exceptions
refresh_pattern -i . 0 90% 200000 refresh-ims

log_icp_queries off
icp_port 0
htcp_port 0
acl snmppublic snmp_community public
snmp_port 3401
snmp_incoming_address x.x.x.x
snmp_access allow snmppublic all
minimum_object_size 0 KB
cache_effective_user squid
#header_replace User-Agent Mozilla/5.0 (X11; U;) Gecko/20080221 Firefox/2.0.0.9
vary_ignore_expire on
cache_swap_low 90
cache_swap_high 95
visible_hostname shadow
unique_hostname shadow-DHS
shutdown_lifetime 0 second
request_header_max_size 2048 KB
reply_header_max_size 2048 KB
request_entities on
half_closed_clients off
max_filedesc 65535
connect_timeout 15 seconds
cache_effective_group squid
buffered_logs on
#access_log /var/log/squid/access.log squid
access_log daemon:/var/log/squid/access.log buffer-size=1024KB
#access_log none
netdb_filename none
client_db off
dns_nameservers x.x.x.x x.x.x.x x.x.x.x
ipcache_size 10000
ipcache_low 90
ipcache_high 95
dns_v4_first on
negative_ttl 5 minutes
positive_dns_ttl 30 days
negative_dns_ttl 5 minutes
dns_retransmit_interval 1 seconds
check_hostnames off
forwarded_for delete
via off
httpd_suppress_version_string on
# mem and cache size
#collapsed_forwarding on
cache_mem 8 GB
memory_cache_mode disk
maximum_object_size 2 GB
maximum_object_size_in_memory 2 GB
digest_generation off
#digest_bits_per_entry 8
pinger_enable off
memory_pools on
max_stale 4 months


Optimized Squid proxy squid.conf configuration example

#
#Recommended minimum configuration:
#
always_direct allow all

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 192.168.0.0/16
acl localnet src fc00::/7
acl localnet src fe80::/10 # RFC1918 possible internal network
acl Safe_ports port 1-65535 # RFC1918 possible internal network
acl CONNECT method GET POST HEAD CONNECT PUT DELETE # RFC1918 possible internal network
#acl block-fnes urlpath_regex -i .*/fnes/echo # RFC 4193 local private network range
acl noscan dstdomain symantecliveupdate.com liveupdate.symantec.com psi3.secunia.com update.immunet.com avstats.avira.com premium.avira-update.com 8f8fb293be49781da3e3229cd4469a18.da3e3.net # RFC 4291 link-local (directly plugged) machines

#acl video urlpath_regex -i \.(mpa|m2a|mpe|avi|mov|mpg|mpg3|mpg4|mpeg|m1s|mp2v|m2v|m2s|wmx|rm|rmvb|3pg|3gpp|omg|ogm|asf|asx|mp2|mp3|mp4|wmv|m3u8|flv|ts|f4v|f4m)

#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost

no_cache deny noscan
always_direct allow noscan
#no_cache deny video
#always_direct allow video

# Deny requests to certain unsafe ports

# Deny CONNECT to other than secure SSL ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on .localhost. is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
#cache_peer 192.168.1.1 parent 8080 0 default no-query no-digest no-netdb-exchange
#never_direct allow all

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed

http_access allow all

# allow localhost always proxy functionality

# And finally deny all other access to this proxy
# Squid normally listens to port 3128
#pipeline_prefetch 7
read_ahead_gap 256 MB
client_request_buffer_max_size 1 MB
#quick_abort_min -1 KB
#range_offset_limit -1
eui_lookup off
http_port 0.0.0.0:8080 intercept disable-pmtu-discovery=always
http_port 0.0.0.0:3128
tcp_outgoing_address 192.168.2.2
connect_retries 5

client_persistent_connections on
server_persistent_connections on

# We recommend you to use at least the following line.
#hierarchy_stoplist cgi-bin ?
# Uncomment and adjust the following to add a disk cache directory.
#cache_dir diskd /ssd/0 54000 32 256 Q1=256 Q2=296
#cache_dir diskd /ssd/1 54000 32 256 Q1=256 Q2=296
#cache_dir diskd /ssd/3 54000 32 256 Q1=256 Q2=296

#cache_dir diskd /ssd2/0 68000 32 256
#cache_dir diskd /ssd2/1 68000 32 256
#cache_dir diskd /ssd2/3 68000 32 256

cache_dir ufs /ssd/0 54000 32 256
cache_dir ufs /ssd/1 54000 32 256
cache_dir ufs /ssd/3 54000 32 256

cache_dir diskd /ssd2/0 68000 32 256 Q1=256 Q2=296
cache_dir diskd /ssd2/1 68000 32 256 Q1=256 Q2=296
cache_dir diskd /ssd2/3 68000 32 256 Q1=256 Q2=296

store_dir_select_algorithm round-robin
#cache_replacement_policy heap LFUDA
#memory_replacement_policy heap LFUDA

# Leave coredumps in the first cache dir
coredump_dir /var/cache/squid

# Add any of your own refresh_pattern entries above these.
# General Rules
refresh_pattern -i \.(gif)|png|jp(g|eg|2)[?])$ 220000 90% 300000 override-expire reload-into-ims ignore-no-store ignore-private refresh-ims store-stale
refresh_pattern -i \.(jpx|j2k|j2c|fpx|ico|bmp|tif(f)|webp|bif|ver|pcd|pict|rif|exif|hdr|bpg|img|[?])$ 220000 90% 300000 override-expire reload-into-ims ignore-no-store ignore-private refresh-ims store-stale
refresh_pattern -i \.(swf|js)$ 220000 90% 300000 override-expire reload-into-ims ignore-no-store ignore-private refresh-ims store-stale
refresh_pattern -i \.(wav|c(la)ss|dat|zsci|ver|advcs|woff(|2)|eps|ttf|svgi(|z)|ps(1))|acsm)$ 220000 90% 300000 override-expire reload-into-ims ignore-no-store ignore-private refresh-ims store-stale
refresh_pattern -i \.(mpa|m2a|mpe|avi|mov|mpg(|3|4))$ 220000 90% 300000 reload-into-ims ignore-no-store ignore-private refresh-ims store-stale
refresh_pattern -i \.(mpeg|m1s|mp2v|m2v|m2s|wmx|rm|rmvb|3pg|3gpp|omg|ogm|asf|asx|mp(2|3|4)|wmv|m3u8|flv|ts|f4(v|m))$ 220000 90% 300000 reload-into-ims ignore-no-store ignore-private refresh-ims store-stale
refresh_pattern -i \.(htm(|l)|crl)$ 9440 90% 300000 reload-into-ims refresh-ims ignore-no-store ignore-private store-stale
refresh_pattern -i \.(xml|flow|asp(|x))$ 0 90% 300000
refresh_pattern -i \.(json)$ 0 90% 300000
refresh_pattern -i (/cgi-bin/|\?) 0 0% 300000
refresh_pattern -i ^http:\/\/liveupdate.symantecliveupdate.com.*\(zip)$ 0 0% 0
refresh_pattern -i ^http:\/\/premium.avira-update.com.*\(gz) 0 0% 0
refresh_pattern -i microsoft.com/.*\.(cab|exe|ms(i|u|f)|asf|wm(v|a)|dat|zip)$ 4320 80% 43200 reload-into-ims refresh-ims
refresh_pattern -i windowsupdate.com/.*\.(cab|exe|ms(i|u|f)|asf|wm(v|a)|dat|zip)$ 4320 80% 43200 reload-into-ims refresh-ims
refresh_pattern -i windows.com/.*\.(cab|exe|ms(i|u|f)|asf|wm(v|a)|dat|zip)$ 4320 80% 43200 reload-into-ims refresh-ims
refresh_pattern -i \.(bin|deb|rpm|drpm|exe|zip|tar|tgz)$ 220000 90% 300000 override-expire reload-into-ims refresh-ims ignore-no-store ignore-private store-stale
refresh_pattern -i \.(bz(|2)|ipa|ram|rar|bin|uxx|gz|crl|msi|dll|hz|cab|psf|vidt|apk|wtex|hz|ov(a|f))$ 220000 90% 300000 override-expire reload-into-ims refresh-ims ignore-no-store ignore-private store-stale
refresh_pattern -i \.(ppt|pptx|doc(x|m|b)|dot|pdf|pub|xl(s|sx|t|m|lsm|tm|w)|csv|txt)$ 220000 90% 300000 override-expire reload-into-ims refresh-ims ignore-no-store ignore-private store-stale
#refresh_pattern -i ^ftp: 66000 90% 200000
#refresh_pattern -i ^gopher: 1440 0% 1440
refresh_pattern -i . 0 90% 300000 override-expire reload-into-ims refresh-ims ignore-no-store store-stale ignore-private
log_icp_queries off
icp_port 0
htcp_port 0
acl snmppublic snmp_community public
snmp_port 3401
snmp_access allow snmppublic all
minimum_object_size 0 KB
cache_effective_user squid
#header_replace User-Agent Mozilla/5.0 (X11; U;) Gecko/20080221 Firefox/2.0.0.9
vary_ignore_expire off
reload_into_ims on
cache_swap_low 85
cache_swap_high 90
visible_hostname shadow
unique_hostname shadow-DHS
shutdown_lifetime 0 second
request_header_max_size 512 KB
reply_header_max_size 512 KB
request_entities on
half_closed_clients off
max_filedesc 65535
connect_timeout 4 second
cache_effective_group squid
buffered_logs on
#access_log /var/log/squid/access.log squid
access_log daemon:/var/log/squid/access.log buffer-size=2048KB
#access_log none
netdb_filename none
client_db off
dns_nameservers 127.0.0.1 127.0.0.1 192.168.2.2 192.168.1.96
ipcache_size 8096
ipcache_low 90
ipcache_high 95
dns_v4_first on
negative_ttl 5 minutes
positive_dns_ttl 30 days
negative_dns_ttl 5 minutes
dns_retransmit_interval 1 seconds
detect_broken_pconn on
check_hostnames off
forwarded_for delete
via off
httpd_suppress_version_string on
# mem and cache size
#collapsed_forwarding on
cache_mem 12 GB
memory_cache_mode disk
maximum_object_size 12 GB
maximum_object_size_in_memory 12 GB
digest_generation off
#digest_bits_per_entry 16
pinger_enable off
memory_pools on
cache_store_log none
max_stale 1 month
#workers 4
#memory_cache_shared on


My latest Gartner Research: Intelligent and Automated Security Controls Impact the Future of the Security Market

Product leaders need insights into the expansion of threat intelligence and adaptive security capabilities across the security market. These new emerging capabilities will be instrumental in defining the future of adaptive security and how incident response automation will evolve into the future. … …

Gartner clients can read this research by clicking here.


My latest Gartner research: Emerging Technology Analysis: Deception Techniques and Technologies Create Security Technology Business Opportunities

Deception techniques such as honeypots are not a new concept in security; however, new techniques and capabilities promise to deliver game-changing impact on how threats are faced. This research articulates how product managers can successfully use threat deception as a threat response tactic.

Gartner subscribers can read this research by clicking here.


Optimized squid proxy configuration for version 3.5.5

#
#Recommended minimum configuration:
#
always_direct allow all

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 192.168.0.0/16
acl localnet src fc00::/7
acl localnet src fe80::/10 # RFC1918 possible internal network
acl Safe_ports port 1-65535 # RFC1918 possible internal network
acl CONNECT method GET POST HEAD CONNECT PUT DELETE # RFC1918 possible internal network
#acl block-fnes urlpath_regex -i .*/fnes/echo # RFC 4193 local private network range
acl noscan dstdomain symantecliveupdate.com liveupdate.symantec.com psi3.secunia.com update.immunet.com avstats.avira.com premium.avira-update.com # RFC 4291 link-local (directly plugged) machines

acl video urlpath_regex -i \.(mpa|m2a|mpe|avi|mov|mpeg|m1s|mp2v|m2v|m2s|wmx|rm|rmvb|3pg|3gpp|omg|ogm|asf|asx|mp2|mp3|mp4|wmvm3u8|flv|ts)

#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost

no_cache deny noscan
always_direct allow noscan
always_direct allow video

# Deny requests to certain unsafe ports

# Deny CONNECT to other than secure SSL ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on .localhost. is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
#cache_peer 192.168.1.1 parent 8080 0 default no-query no-digest no-netdb-exchange
#never_direct allow all

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed

http_access allow all

# allow localhost always proxy functionality

# And finally deny all other access to this proxy
# Squid normally listens to port 3128
#pipeline_prefetch 4
read_ahead_gap 100 MB
client_request_buffer_max_size 2048 KB
eui_lookup off
http_port 0.0.0.0:8080 intercept disable-pmtu-discovery=always
http_port 0.0.0.0:3128
tcp_outgoing_address 192.168.2.2
connect_retries 5
client_persistent_connections on
server_persistent_connections on
detect_broken_pconn on

# We recommend you to use at least the following line.
#hierarchy_stoplist cgi-bin ?
# Uncomment and adjust the following to add a disk cache directory.
cache_dir diskd /ssd/0 100000 256 1024
cache_dir diskd /ssd/1 100000 256 1024
cache_dir diskd /ssd/2 100000 256 1024
cache_dir diskd /ssd/3 100000 256 1024

cache_dir diskd /ssd2/0 100000 256 1024
cache_dir diskd /ssd2/1 100000 256 1024
cache_dir diskd /ssd2/2 100000 256 1024
cache_dir diskd /ssd2/3 100000 256 1024

#cache_dir ufs /ssd/0 100000 256 1024
#cache_dir ufs /ssd/1 100000 256 1024
#cache_dir ufs /ssd/2 100000 256 1024
#cache_dir ufs /ssd/3 100000 256 1024

#cache_dir ufs /ssd2/0 100000 256 1024
#cache_dir ufs /ssd2/1 100000 256 1024
#cache_dir ufs /ssd2/2 100000 256 1024
#cache_dir ufs /ssd2/3 100000 256 1024

store_dir_select_algorithm round-robin
# Leave coredumps in the first cache dir
coredump_dir /var/cache/squid

# Add any of your own refresh_pattern entries above these.
# General Rules
refresh_pattern -i \.(gif|png|jpg|jpeg|jp2|jpx|j2k|j2c|fpx|ico|bmp|tif|tiff|webp|bif|ver|pcd|pict|rif|exifi|hdr|bpg|img) 220000 90% 300000 override-expire reload-into-ims ignore-no-store ignore-private store-stale
refresh_pattern -i \.(swf|js|wav|css|class|dat|zsci|ver|advcs|woff|eps|ttf|svg|svgz|ps|pl|acsm) 220000 90% 300000 override-expire reload-into-ims ignore-reload ignore-no-store ignore-private
refresh_pattern -i \.(mpa|m2a|mpe|avi|mov|mpeg|m1s|mp2v|m2v|m2s|wmx|rm|rmvb|3pg|3gpp|omg|ogm|asf|asx|mp2|mp3|mp4|wmvm3u8|flv|ts|f4v|f4m) 220000 90% 300000 override-expire reload-into-ims ignore-private
refresh_pattern -i \.(html|htm|crl) 9440 90% 300000 override-expire reload-into-ims refresh-ims ignore-private
refresh_pattern -i \.(xml|flow|aspx|asp) 0 90% 300000
refresh_pattern -i \.(json) 0 90% 300000
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
#refresh_pattern -i ^http:\/\/liveupdate.symantecliveupdate.com.*\(zip) 0 0% 0
#refresh_pattern -i ^http:\/\/premium.avira-update.com.*\(gz) 0 0% 0
#refresh_pattern -i microsoft.com/.*\.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
#refresh_pattern -i windowsupdate.com/.*\.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
#refresh_pattern -i windows.com/.*\.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
refresh_pattern -i \.(bin|deb|rpm|drpm|exe|zip|tar|tgz|bz2|ipa|bz|ram|rar|bin|uxx|gz|crl|msi|dll|hz|cab|psf|vidt|apk|wtex|hz) 220000 90% 300000 override-expire refresh-ims ignore-no-store ignore-private store-stale
refresh_pattern -i \.(ppt|pptx|doc|docx|docm|docb|dot|pdf|pub|xls|xlsx|xlt|xlm|xlsm|xltm|xlw|csv|txt) 220000 90% 500000 override-expire reload-into-ims ignore-no-store ignore-private store-stale
#refresh_pattern -i ^ftp: 66000 90% 200000
#refresh_pattern -i ^gopher: 1440 0% 1440
refresh_pattern -i . 0 90% 300000 override-expire reload-into-ims refresh-ims

log_icp_queries off
icp_port 0
htcp_port 0
acl snmppublic snmp_community public
snmp_port 3401
snmp_access allow snmppublic all
minimum_object_size 0 KB
cache_effective_user squid
#header_replace User-Agent Mozilla/5.0 (X11; U;) Gecko/20080221 Firefox/2.0.0.9
vary_ignore_expire on
cache_swap_low 85
cache_swap_high 90
visible_hostname shadow
unique_hostname shadow-DHS
shutdown_lifetime 0 second
request_header_max_size 256 KB
request_entities on
half_closed_clients off
max_filedesc 65535
connect_timeout 8 second
cache_effective_group squid
#buffered_logs on
#access_log /var/log/squid/access.log squid
#access_log daemon:/var/log/squid/access.log buffer-size=1024KB
access_log none
netdb_filename none
client_db off
dns_nameservers 127.0.0.1 192.168.2.2 192.168.1.96
ipcache_low 50
dns_v4_first on
positive_dns_ttl 30 days
negative_dns_ttl 60 seconds
dns_retransmit_interval 2 seconds
check_hostnames off
forwarded_for delete
via off
httpd_suppress_version_string on
# mem and cache size
cache_mem 10 GB
memory_cache_mode disk
maximum_object_size 2047 MB
maximum_object_size_in_memory 2048 KB
digest_generation off
#digest_bits_per_entry 16

pinger_enable off
#memory_pools off
reload_into_ims on
cache_store_log none
#quick_abort_min -1 KB
max_stale 1 month


My latest Gartner research: Best Practices for Detecting and Mitigating Advanced Persistent Threats

Information security practitioners must implement specific strategic and tactical best practices to detect and mitigate advanced persistent threats and targeted malware by leveraging both existing and emerging security technologies in their security architectures. Management silos between network, edge, endpoint and data security systems can restrict an organization’s ability to prevent, detect and respond to advanced attacks. Adversaries continue to use social engineering and social networks to target sensitive roles or individuals within …

Gartner clients can access this research by clicking here.


Advanced & Persistent Security

CLOSE