Optimized Squid Config for Squid v4.0.4

For those of you who are squid optimization geeks. Below is my latest iteration of the squid.conf file I am now using for 4.0.4

#
#Recommended minimum configuration:
#
always_direct allow all

# 3 workers, using worker #1 as the frontend is important

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 192.168.0.0/16
acl localnet src fc00::/7
acl localnet src fe80::/10 # RFC1918 possible internal network
acl Safe_ports port 1-65535 # RFC1918 possible internal network
acl CONNECT method GET POST HEAD OPTIONS CONNECT PUT DELETE # RFC1918 possible internal network
#acl block-fnes urlpath_regex -i .*/fnes/echo # RFC 4193 local private network range
acl noscan dstdomain symantecliveupdate.com liveupdate.symantec.com psi3.secunia.com update.immunet.com avstats.avira.com premium.avira-update.com 8f8fb293be49781da3e3229cd4469a18.da3e3.net # RFC 4291 link-local (directly plugged) machines

# Disable alternate protocols
request_header_access Alternate-Protocol deny all
reply_header_access Alternate-Protocol deny all

#acl video urlpath_regex -i \.(mpa|m2a|mpe|avi|mov|mpg|mpg3|mpg4|mpeg|m1s|mp2v|m2v|m2s|wmx|rm|rmvb|3pg|3gpp|omg|ogm|asf|asx|mp2|mp3|mp4|wmv|flv|ts|f4v|f4m)

#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost

no_cache deny noscan
always_direct allow noscan
#no_cache deny video
#always_direct allow video

# Deny requests to certain unsafe ports

# Deny CONNECT to other than secure SSL ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on .localhost. is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
#cache_peer 192.168.1.1 parent 8080 0 default no-query no-digest no-netdb-exchange
#never_direct allow all

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed

http_access allow all

# allow localhost always proxy functionality

# And finally deny all other access to this proxy

# Squid normally listens to port 3128
pipeline_prefetch 7
read_ahead_gap 256 MB
client_request_buffer_max_size 4096 KB
request_header_max_size 2048 KB
reply_header_max_size 2048 KB
#quick_abort_min -1 KB
#quick_abort_pct 100
#range_offset_limit -1
eui_lookup off
http_port 0.0.0.0:8080 intercept disable-pmtu-discovery=always
http_port 0.0.0.0:3128
tcp_outgoing_address 192.168.2.2
connect_retries 1

client_persistent_connections on
server_persistent_connections on
detect_broken_pconn on

# We recommend you to use at least the following line.
#hierarchy_stoplist cgi-bin ?

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir diskd /ssd/0 54000 32 256 Q1=256 Q2=144
#cache_dir diskd /ssd/1 54000 32 256 Q1=256 Q2=144
#cache_dir diskd /ssd/3 54000 32 256 Q1=256 Q2=144

#cache_dir diskd /ssd2/0 68000 32 256 Q1=256 Q2=144
#cache_dir diskd /ssd2/1 68000 32 256 Q1=256 Q2=144
#cache_dir diskd /ssd2/3 68000 32 256 Q1=256 Q2=144

cache_dir ufs /ssd/0 32000 1024 256
cache_dir ufs /ssd/1 32000 1024 256
cache_dir ufs /ssd/2 32000 1024 256
cache_dir ufs /ssd/3 32000 1024 256
cache_dir ufs /ssd/4 32000 1024 256
cache_dir ufs /ssd/5 32000 1024 256

cache_dir ufs /ssd2/0 43000 1024 256
cache_dir ufs /ssd2/1 43000 1024 256
cache_dir ufs /ssd2/2 43000 1024 256
cache_dir ufs /ssd2/3 43000 1024 256
cache_dir ufs /ssd2/4 43000 1024 256
cache_dir ufs /ssd2/6 43000 1024 256

store_dir_select_algorithm round-robin
#cache_replacement_policy heap GDSF
#memory_replacement_policy heap GDSF

# Leave coredumps in the first cache dir
coredump_dir /var/cache/squid

# Add any of your own refresh_pattern entries above these.
# General Rules
#cache images

refresh_pattern -i \.(gif|png|ico|jpg|jpeg|jp2|webp)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private
refresh_pattern -i \.(jpx|j2k|j2c|fpx|bmp|tif|tiff|bif)$ 100000 90% 20000 override-expire reload-into-ims ignore-no-store ignore-private
refresh_pattern -i \.(pcd|pict|rif|exif|hdr|bpg|img|jif|jfif)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private
refresh_pattern -i \.(woff|woff2|eps|ttf|otf|svg|svgi|svgz|ps|ps1|acsm|eot)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private

#cache content
refresh_pattern -i \.(swf|js|ejs)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private
refresh_pattern -i \.(wav|css|class|dat|zsci|ver|advcs)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private

#cache videos
refresh_pattern -i \.(mpa|m2a|mpe|avi|mov|mpg|mpeg|mpg3|mpg4|mpg5)$ 0 90% 200000 reload-into-ims ignore-no-store ignore-private
refresh_pattern -i \.(m1s|mp2v|m2v|m2s|m2ts|wmx|rm|rmvb|3pg|3gpp|omg|ogm|asf|war)$ 0 90% 200000 reload-into-ims ignore-no-store ignore-private
refresh_pattern -i \.(asx|mp2|mp3|mp4|mp5|wmv|flv|mts|f4v|f4|pls|midi|mid)$ 0 90% 200000 reload-into-ims ignore-no-store ignore-private
refresh_pattern -i \.(htm|html)$ 9440 90% 200000 reload-into-ims ignore-no-store ignore-private
refresh_pattern -i \.(xml|flow|asp|aspx)$ 0 90% 200000
refresh_pattern -i \.(json)$ 0 90% 200000
refresh_pattern -i (/cgi-bin/|\?) 0 90% 200000

#live video cache rules
refresh_pattern -i \.(m3u8|ts)$ 0 90% 200000

#cache specific sites
refresh_pattern -i ^http:\/\/liveupdate.symantecliveupdate.com.*\(zip)$ 0 0% 0
refresh_pattern -i ^http:\/\/premium.avira-update.com.*\(gz) 0 0% 0
refresh_pattern -i microsoft.com/.*\.(cab|exe|msi|msu|msf|asf|wma|dat|zip)$ 4320 80% 43200
refresh_pattern -i windowsupdate.com/.*\.(cab|exe|msi|msu|msf|asf|wma|wmv)|dat|zip)$ 4320 80% 43200
refresh_pattern -i windows.com/.*\.(cab|exe|msi|msu|msf|asf|wmv|wma|dat|zip)$ 4320 80% 43200
refresh_pattern -i apple.com/.*\.(cab|exe|msi|msu|msf|asf|wmv|wma|dat|zip|dist)$ 0 80% 4320

#cache binaries
refresh_pattern -i \.(app|bin|deb|rpm|drpm|exe|zip|zipx|tar|tgz|tbz2|tlz|iso|arj|cfs|dar|jar)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private
refresh_pattern -i \.(bz|bz2|ipa|ram|rar|uxx|gz|msi|dll|lz|lzma|7z|s7z|Z|z|zz|sz)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private
refresh_pattern -i \.(exe|msi)$ 0 90% 200000
refresh_pattern -i \.(cab|psf|vidt|apk|wtex|hz|ova|ovf)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private

#cache microsoft and adobe and other documents
refresh_pattern -i \.(ppt|pptx|doc|docx|docm|docb|dot|pdf|pub|ps)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private
refresh_pattern -i \.(xls|xlsx|xlt|xlm|xlsm|xltm|xlw|csv|txt)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private
#refresh_pattern -i ^ftp: 100000 90% 200000
#refresh_pattern -i ^gopher: 1440 0% 1440

#allow caching of other things based on cache control headers with some exceptions
refresh_pattern -i . 0 90% 200000

log_icp_queries off
icp_port 0
htcp_port 0
acl snmppublic snmp_community public
snmp_port 3401
snmp_incoming_address 192.168.2.2
snmp_access allow snmppublic all
minimum_object_size 0 KB
cache_effective_user squid
#header_replace User-Agent Mozilla/5.0 (X11; U;) Gecko/20080221 Firefox/2.0.0.9
vary_ignore_expire on
cache_swap_low 90
cache_swap_high 95
visible_hostname shadow
unique_hostname shadow-DHS
shutdown_lifetime 0 second
request_entities on
half_closed_clients off
max_filedesc 65535
connect_timeout 10 seconds
cache_effective_group squid
buffered_logs on
#access_log /var/log/squid/access.log squid
access_log daemon:/var/log/squid/access.log buffer-size=256KB
#access_log none
netdb_filename none
client_db off
dns_nameservers 127.0.0.1 127.0.0.1 192.168.2.2 192.168.1.96
ipcache_size 10000
ipcache_low 90
ipcache_high 95
dns_v4_first on
negative_ttl 5 minutes
positive_dns_ttl 30 days
negative_dns_ttl 5 minutes
dns_retransmit_interval 1 seconds
check_hostnames off
forwarded_for delete
via off
httpd_suppress_version_string on
# mem and cache size
#collapsed_forwarding on
cache_mem 4 GB
memory_cache_mode disk
maximum_object_size 2 GB
maximum_object_size_in_memory 2 GB
digest_generation off
#digest_bits_per_entry 8
pinger_enable off
memory_pools on
max_stale 4 months




Facebooktwittergoogle_plusredditpinterestlinkedinmail