Optimized Squid.conf for Squid 3.4.4.2

For those of you who are Squid optimization geeks, below is the latest iteration of the squid.conf file I am now using for 3.4.4.2.

#
#Recommended minimum configuration:
#
# Send every request straight to the origin server. No cache_peer is active
# in this file (the only cache_peer line further down is commented out).
always_direct allow all

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
# NOTE(review): localnet is defined here, but no http_access rule in this file
# refers to it; the only access rule is "http_access allow all".
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
# NOTE(review): this range covers every TCP port, so a "deny !Safe_ports" rule
# could never match. The stock squid.conf limits Safe_ports to a short list of
# well-known ports. No rule in this file uses the ACL.
acl Safe_ports port 1-65535
# NOTE(review): despite its name, this ACL matches six request methods, not
# only CONNECT (the stock definition is "acl CONNECT method CONNECT"). A rule
# such as "deny CONNECT !SSL_ports" would then apply to ordinary requests too.
# No rule in this file uses the ACL, and no SSL_ports ACL is defined.
acl CONNECT method GET POST HEAD CONNECT PUT DELETE
# Disabled URL-path rule, kept for reference.
#acl block-fnes urlpath_regex -i .*/fnes/echo
# Antivirus / updater hosts; used below by "no_cache deny noscan" and
# "always_direct allow noscan".
acl noscan dstdomain .symantecliveupdate.com liveupdate.symantec.com psi3.secunia.com update.immunet.com

# Media file extensions; used below by "always_direct allow video".
# NOTE(review): "wmvm3u8" looks like "wmv|m3u8" with the separator lost, and
# "3pg" may be meant as "3gp" - confirm. The pattern has no trailing "$", so it
# matches these extensions anywhere in the URL path, not only at the end.
acl video urlpath_regex -i \.(m2a|avi|mov|mp(e?g|a|e|1|2|3|4)|m1s|mp2v|m2v|m2s|wmx|rm|rmvb|3pg|3gpp|omg|ogm|asf|asx|wmvm3u8|flv|ts)

#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
# NOTE(review): the stock rules that belong under this heading are not present,
# so nothing in this file limits cache manager requests to localhost.

# Do not cache responses from the antivirus / updater hosts.
# NOTE(review): no_cache is the legacy spelling of the "cache" directive -
# confirm your Squid build still accepts it (squid -k parse).
no_cache deny noscan
# Both lines below are already covered by "always_direct allow all" near the
# top of the file.
always_direct allow noscan
always_direct allow video

# Deny requests to certain unsafe ports
# NOTE(review): heading only - the stock "http_access deny !Safe_ports" rule is
# not present in this file.

# Deny CONNECT to other than secure SSL ports
# NOTE(review): heading only - the stock "http_access deny CONNECT !SSL_ports"
# rule is not present, so CONNECT tunnels are not limited to TLS ports.

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on .localhost. is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
#cache_peer 192.168.1.1 parent 8080 0 default no-query no-digest no-netdb-exchange
#never_direct allow all

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed

# NOTE(review): this is the only http_access rule in the file. It admits any
# client that can reach the listening address, for any method and destination
# port. If that address is reachable from outside the intended network, the
# proxy is open to it. The stock layout is "http_access allow localnet",
# "http_access allow localhost", then "http_access deny all".
http_access allow all

# allow localhost always proxy functionality

# And finally deny all other access to this proxy
# NOTE(review): heading only - there is no "http_access deny all" in this file.

# Squid normally listens to port 3128
# Two listeners, both bound to one private address: port 8080 receives
# intercepted (transparently redirected) traffic, port 3128 serves clients
# that are explicitly configured to use the proxy.
# NOTE(review): make sure a firewall keeps both ports unreachable from outside
# the local network, since the access rules in this file allow every client.
http_port 192.168.2.2:8080 intercept
http_port 192.168.2.2:3128

# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?

# Uncomment and adjust the following to add a disk cache directory.
# Two aufs stores of 45000 MB each, with 64 first-level and 1024 second-level
# directories.
cache_dir aufs /ssd/squid/cache0 45000 64 1024
cache_dir aufs /ssd/squid/cache1 45000 64 1024
# Leave coredumps in the first cache dir
# NOTE(review): the path below is not one of the cache_dir paths above, so the
# comment and the setting disagree - confirm which one is intended.
coredump_dir /var/cache/squid

# Add any of your own refresh_pattern entries above these.
# General Rules
# Format: refresh_pattern [-i] regex min percent max [options], with min and
# max in minutes. Rules are tried in order and the first matching regex wins.
#
# NOTE(review): override-expire, ignore-reload, ignore-no-store, ignore-private,
# ignore-auth and ignore-must-revalidate tell Squid to store and reuse responses
# that the origin server marked as private, not to be stored, or tied to an
# authenticated request, and to disregard client reload requests. On a proxy
# shared by several users this can hand one user's private or authenticated
# response to another user, and clients cannot force a fresh copy.
#
# Images: minimum age 220000 minutes (about 152 days).
# NOTE(review): "ignore no-store" (with a space) looks like a typo for
# "ignore-no-store"; check how your build parses this line with squid -k parse.
refresh_pattern -i \.(gif|png|jp(e?g|e|2)|ico|bmp|tiff|webp|bif|ver|pict|pixel)$ 220000 90% 300000 override-expire reload-into-ims ignore-reload ignore-no-cache ignore-private ignore no-store store-stale refresh-ims max-stale=150000 ignore-auth
# Scripts, stylesheets, fonts and similar static assets.
refresh_pattern -i \.(swf|js|wav|css|class|dat|zsci|do|ver|advcs|woff|eps|ttf|svg|svgz|ps|acsm|wm(a|v))$ 220000 90% 300000 override-expire reload-into-ims ignore-reload ignore-no-store ignore-private refresh-ims store-stale max-stale=150000
# HTML pages and certificate revocation lists (.crl).
# NOTE(review): with override-expire and a 9440-minute minimum (about 6.5 days),
# clients fetching a CRL through this proxy can receive a list that is days
# old, so a recently revoked certificate may still look valid to them.
# Consider giving .crl its own rule that honours the origin's expiry.
refresh_pattern -i \.(html|htm|crl)$ 9440 90% 259200 override-expire reload-into-ims ignore-reload ignore-no-store ignore-private ignore-must-revalidate store-stale max-stale=100000
refresh_pattern -i \.(xml|flow)$ 0 90% 100000 reload-into-ims
refresh_pattern -i \.(json)$ 1440 90% 5760 reload-into-ims
# Intended to keep Symantec LiveUpdate zip files from being served stale.
# NOTE(review): "\(zip)$" escapes the opening parenthesis, so the rule looks for
# a literal "(" before "zip" and probably never matches; "\.(zip)$" was
# likely intended. If it does not match, these files fall through to the
# long-lived archive rule further down (the noscan "no_cache deny" rule
# covers only the hosts listed in that ACL).
refresh_pattern -i ^http:\/\/liveupdate.symantecliveupdate.com.*\(zip)$ 0 0% 0
# Microsoft / Windows Update downloads: 4320-minute (3-day) minimum.
# NOTE(review): inside [...] the "|" is a literal character, so "ms[i|u|f]" is
# the same as "ms[iuf|]". The host part is not anchored, so the rule matches any
# URL that contains e.g. "microsoft.com/" anywhere.
refresh_pattern -i microsoft.com/.*\.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip)$ 4320 80% 259200 reload-into-ims
refresh_pattern -i windowsupdate.com/.*\.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip)$ 4320 80% 259200 reload-into-ims
refresh_pattern -i windows.com/.*\.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip)$ 4320 80% 259200 reload-into-ims
# Executables, packages and archives from any site.
# NOTE(review): a 220000-minute minimum with override-expire and ignore-reload
# means a binary or package that is replaced at the same URL (for example a
# patched installer) can keep being served from cache in its old form for
# months. "crl" is listed here too, but the HTML rule above matches it first.
refresh_pattern -i \.(bin|deb|rpm|drpm|exe|zip|tar|tgz|bz2|ipa|bz|ram|rar|bin|uxx|gz|crl|msi|dll|hz|cab|psf|vidt|apk|wtex|hz)$ 220000 90% 500000 override-expire reload-into-ims ignore-reload ignore-no-store ignore-private store-stale max-stale=300000
# Office documents, PDF and plain text; same caveat about private content.
refresh_pattern -i \.(pp[t|x]|do(c?x)|pdf|xl(s?x)|csv|txt)$ 220000 90% 259200 override-expire reload-into-ims ignore-reload ignore-no-store ignore-private refresh-ims store-stale max-stale=100000
refresh_pattern -i ^ftp: 66000 90% 259200
# Dynamic content (cgi-bin or a query string) is never considered fresh.
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
# Catch-all for everything not matched above.
refresh_pattern -i . 0 90% 200000
# Inter-cache (ICP, HTCP) and SNMP listeners are switched off; port 0 disables
# each of them, which leaves only the http_port listeners exposed.
log_icp_queries off
icp_port 0
htcp_port 0
snmp_port 0
minimum_object_size 0 KB
buffered_logs on
#pipeline_prefetch on
# Account Squid switches to when it is started as root (group is set further
# down with cache_effective_group).
cache_effective_user squid
#header_replace User-Agent Mozilla/5.0 (X11; U;) Gecko/20080221 Firefox/2.0.0.9
# Largest object stored on disk / kept in memory.
# NOTE(review): some Squid 3.x releases apply maximum_object_size only to
# cache_dir lines that come after it; the cache_dir lines in this file come
# before - confirm the limit takes effect.
maximum_object_size 1000 MB
maximum_object_size_in_memory 50 MB
vary_ignore_expire on
cache_mem 3 GB
# Only objects that were already hit on disk are promoted into the memory cache.
memory_cache_mode disk
# Disk replacement starts at 85% full and becomes aggressive at 90%.
cache_swap_low 85
cache_swap_high 90
# Names this proxy reports for itself (for example on error pages).
visible_hostname shadow
unique_hostname shadow-DHS
# Do not wait for active clients on shutdown; open connections are dropped.
shutdown_lifetime 0 second
request_header_max_size 256 KB
half_closed_clients off
max_filedesc 65535
connect_timeout 15 second
cache_effective_group squid
#access_log /var/log/squid/access.log squid
# Access log written through the logging daemon with a 512 KB buffer.
# NOTE(review): with forwarded_for delete and via off below, this log is the
# only record that ties a request to a client address - keep and protect it.
access_log daemon:/var/log/squid/access.log buffer-size=512KB
# Per-client statistics are not collected.
client_db off
# DNS: resolver on the local host; successful lookups may be cached for up to
# 80 hours, failed ones for 30 seconds.
# NOTE(review): an 80-hour cap means Squid can keep using an address long after
# the DNS record has changed - confirm this is acceptable.
dns_nameservers 127.0.0.1
ipcache_low 50
positive_dns_ttl 80 hours
negative_dns_ttl 30 seconds
check_hostnames off
# Strip X-Forwarded-For and do not add a Via header, so origin servers see
# neither the client address nor the proxy's presence in these headers.
forwarded_for delete
via off
pinger_enable off
# Replacement policies: GDSF for the memory cache, LFUDA for the disk cache.
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
memory_pools off
# Turn client "reload" requests into If-Modified-Since revalidations.
reload_into_ims on
cache_store_log none
read_ahead_gap 20 MB
client_persistent_connections on
server_persistent_connections on



