Optimized Squid.conf configuration for squid proxy 3.4.4

For those of you following my Squid proxy tuning, this is my latest transparent-proxy configuration for Squid.

 

#
# Recommended minimum configuration:
#
# Transparent (intercept) cache for a single LAN. Directive order matters in
# Squid: http_access rules are evaluated top to bottom and the first matching
# refresh_pattern wins, so keep that in mind before reordering anything below.
#
# Never route through a parent peer: every request goes straight to the
# origin. This also makes the commented-out cache_peer/never_direct block
# further down a no-op unless this line is removed.
always_direct allow all

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
# NOTE(review): localnet is defined here but never referenced by an
# http_access rule below, so it currently restricts nothing.
acl localnet src 192.168.0.0/16
acl localnet src fc00::/7    # RFC 4193 unique local addresses
acl localnet src fe80::/10   # RFC 4291 link-local addresses
# NOTE(review): matching every port neutralises the Safe_ports protection.
# There is also no "http_access deny !Safe_ports" rule below, so this ACL is
# unused; if that rule is ever restored, narrow this list first.
acl Safe_ports port 1-65535
# NOTE(review): this redefines the conventional CONNECT ACL name to match
# all common methods, not just CONNECT. Any future
# "http_access deny CONNECT !SSL_ports" rule would then block plain
# GET/POST traffic too. A different ACL name would avoid that trap.
acl CONNECT method GET POST HEAD CONNECT PUT DELETE
#acl block-fnes urlpath_regex -i .*/fnes/echo
# Hosts whose content must never be cached or fetched via a peer
# (AV/update services; see no_cache and always_direct below).
acl noscan dstdomain .symantecliveupdate.com liveupdate.symantec.com psi3.secunia.com update.immunet.com

# Streaming media: always fetched directly (see always_direct below).
# NOTE(review): "3pg" is probably a typo for "3gp"; as written it matches
# nothing useful.
acl video urlpath_regex -i \.(m2a|avi|mov|mpeg|mpa|mpe|mp1|mp2|mp3|mp4|m1s|mp2v|m2v|m2s|wmx|rm|rmvb|3pg|3gpp|omg|ogm|asf|asx|wmv|m3u8|flv|ts)

#
# Recommended minimum Access Permission configuration:
#
# NOTE(review): there is no cachemgr ("manager") rule in this file. With
# "http_access allow all" below, the cache manager interface is reachable
# from any client that can reach the listening ports. The usual pair is
# "http_access allow localhost manager" followed by
# "http_access deny manager", placed before the general allow.

# no_cache is the pre-3.x spelling of the "cache" directive; it still
# works here but "cache deny noscan" is the current form.
no_cache deny noscan
always_direct allow noscan
always_direct allow video

# Deny requests to certain unsafe ports
# NOTE(review): the "http_access deny !Safe_ports" rule that normally goes
# here has been removed; see the Safe_ports note above.

# Deny CONNECT to other than secure SSL ports
# NOTE(review): the "http_access deny CONNECT !SSL_ports" rule that normally
# goes here has been removed, and no SSL_ports ACL is defined.

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on .localhost. is a local user
# NOTE(review): still commented out, so clients can reach services bound to
# the proxy host's loopback through the proxy.
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
#cache_peer 192.168.1.1 parent 8080 0 default no-query no-digest no-netdb-exchange
#never_direct allow all

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed

# NOTE(review): this allows every source, not just localnet. Port 8081 below
# is a plain (non-intercept) proxy listener, so if 192.168.2.2 is reachable
# from anything other than the trusted LAN this is an open proxy. The safer
# shape is "http_access allow localnet" followed by "http_access deny all".
http_access allow all

# allow localhost always proxy functionality

# And finally deny all other access to this proxy
# NOTE(review): no "http_access deny all" is present; everything is already
# allowed by the rule above.

# Squid normally listens to port 3128
# 8080 receives traffic redirected by the firewall (intercept mode);
# 8081 is a regular explicit-proxy listener on the same address.
http_port 192.168.2.2:8080 intercept
http_port 192.168.2.2:8081

# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?

# Disk cache: two aufs directories on SSD, selected round-robin.
# Objects above 100 MB are never cached.
maximum_object_size 100 MB
store_dir_select_algorithm round-robin
cache_dir aufs /ssd/squid/cache0 87000 32 1024
cache_dir aufs /ssd/squid/cache1 87000 32 1024

# Core dump location.
# NOTE(review): this is not the first cache dir (that is /ssd/squid/cache0);
# the directory must exist and be writable by the cache_effective_user.
coredump_dir /var/cache/squid

# Add any of your own refresh_pattern entries above these.
# General Rules
# First matching pattern wins. Times are minutes: min / percent / max.
# NOTE(review): override-expire, ignore-no-store, ignore-private and
# ignore-auth deliberately cache responses the origin marked as not
# cacheable, including private and authenticated ones. For the static
# extensions below that is a performance trade-off, but any personalised
# resource served under one of these extensions can be handed to a
# different client from the cache. refresh-ims limits, but does not
# remove, that exposure.
# NOTE(review): "ver" appears in both of the first two patterns; only the
# first can ever match it.
refresh_pattern -i \.(jpg|gif|png|webp|jpeg|ico|bmp|tiff|bif|ver|pict|pixel|bs)$ 220000 90% 300000 override-expire ignore-no-store ignore-private ignore-auth refresh-ims
refresh_pattern -i \.(js|css|class|swf|wav|dat|zsci|do|ver|advcs|woff|eps|ttf|svg|svgz|ps|acsm|wma)$ 220000 90% 300000 override-expire ignore-no-store ignore-private ignore-auth refresh-ims
# NOTE(review): caching .html with override-expire/ignore-private is the
# riskiest of these lines for serving one user's page to another.
refresh_pattern -i \.(html|htm|crl)$ 220000 90% 259200 override-expire ignore-no-store ignore-private ignore-auth refresh-ims
refresh_pattern -i \.(xml|flow)$ 0 90% 100000
refresh_pattern -i \.(json)$ 1440 90% 5760
# NOTE(review): "\(zip)$" matches a literal "(zip)" at the end of the URL,
# so this line never matches a .zip download; "\.(zip)$" looks intended.
# Dead or not, the host is already excluded from caching by "no_cache deny
# noscan" above.
refresh_pattern -i ^http:\/\/liveupdate.symantecliveupdate.com.*\(zip)$ 0 0% 0
# "[i|u|f]" is a character class, so the "|" is a literal member rather than
# an alternation; it still matches msi/msu/msf, plus the harmless "ms|".
refresh_pattern -i microsoft.com/.*\.(cab|exe|ms[i|u|f]|asf|wma|dat|zip)$ 220000 80% 259200
refresh_pattern -i windowsupdate.com/.*\.(cab|exe|ms[i|u|f]|asf|wma|dat|zip)$ 220000 80% 259200
refresh_pattern -i windows.com/.*\.(cab|exe|ms[i|u|f]|asf|wma|dat|zip)$ 220000 80% 259200
# Binaries and archives ("bin" and "hz" are listed twice; harmless).
refresh_pattern -i \.(bin|deb|rpm|drpm|exe|zip|tar|tgz|bz2|ipa|bz|ram|rar|bin|uxx|gz|crl|msi|dll|hz|cab|psf|vidt|apk|wtex|hz|ipsw)$ 220000 90% 500000 override-expire ignore-no-store ignore-private ignore-auth refresh-ims
# NOTE(review): documents are the most likely extensions here to carry
# per-user content; see the ignore-private/ignore-auth note above.
refresh_pattern -i \.(ppt|pptx|doc|docx|pdf|xls|xlsx|csv|txt)$ 220000 90% 259200 override-expire ignore-no-store ignore-private ignore-auth refresh-ims
refresh_pattern -i ^ftp: 66000 90% 259200
# Never cache CGI output or URLs with a query string.
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
# Catch-all for everything else.
refresh_pattern -i . 0 90% 259200
# No peering: disable ICP/HTCP entirely.
log_icp_queries off
icp_port 0
htcp_port 0
# SNMP monitoring on UDP 3401.
# NOTE(review): "public" is the default read community and the access rule
# allows it from every source ("all"). Anyone who can reach UDP 3401 can
# read cache and client statistics; restrict snmp_access to localnet or the
# monitoring host and use a non-default community string.
snmp_port 3401
acl snmppublic snmp_community public
snmp_access allow snmppublic all
minimum_object_size 0 KB
# Batch log writes; lines may be lost on a crash before they are flushed.
buffered_logs on
cache_effective_user squid
#header_replace User-Agent Mozilla/5.0 (X11; U;) Gecko/20080221 Firefox/2.0.0.9
vary_ignore_expire on
# Start evicting at 90% disk usage, evict aggressively above 95%.
cache_swap_low 90
cache_swap_high 95
visible_hostname shadow
unique_hostname shadow-DHS
# On shutdown, drop active client connections immediately instead of
# draining them.
shutdown_lifetime 0 second
# Four times the default 64 KB; larger headers are buffered per request.
request_header_max_size 256 KB
half_closed_clients off
# Must be at or below the process file-descriptor ulimit for the squid
# user, otherwise Squid will cap itself lower and warn.
max_filedesc 65535
connect_timeout 10 second
cache_effective_group squid
#access_log /var/log/squid/access.log squid
# Access log written through the log daemon helper with a 1 MB buffer.
access_log daemon:/var/log/squid/access.log buffer-size=1MB
# Disables the per-client database (and with it per-client stats and,
# presumably, the maxconn ACL — confirm before relying on maxconn).
client_db off
# Assumes a caching resolver is running on the proxy host itself.
dns_nameservers 127.0.0.1
#pipeline_prefetch 20
ipcache_size 8192
fqdncache_size 8192
#positive_dns_ttl 72 hours
#negative_dns_ttl 5 minutes
# Source address for origin connections; must be bound on this host.
tcp_outgoing_address 192.168.2.2
dns_v4_first on
check_hostnames off
# Strip X-Forwarded-For and omit Via: origin servers cannot see the client
# address or that a proxy is in the path. Good for client privacy, but it
# also means the access log is the only place the client-to-URL mapping
# survives for incident investigation.
forwarded_for delete
via off
pinger_enable off
# In-memory cache: 2 GB, objects up to 256 KB, holding only objects that
# are also on disk (memory_cache_mode disk).
cache_mem 2048 MB
maximum_object_size_in_memory 256 KB
memory_cache_mode disk
cache_store_log none
# NOTE(review): Squid keeps reading up to 50 MB from the origin ahead of a
# slow client, per connection; with many concurrent slow clients this is
# a sizeable memory commitment — confirm it fits the host.
read_ahead_gap 50 MB
# Turn client reload requests into If-Modified-Since revalidations instead
# of full re-fetches.
reload_into_ims on



