All posts by Lawrence Pingree

Lawrence Pingree has been an active member of the corporate world for many years. He has consulted for large financial institutions, corporations and government entities on technologies and security program development ranging from firewalls, intrusion detection, networks, system penetration, risk management, compliance, eDiscovery and Forensics. He has served as a Chief Security Architect at both PeopleSoft and NetScreen. He is currently an active member of the Information Systems Security Association (ISSA) of Silicon Valley as well as the Open Web Application Security Project (OWASP) and is a published author of two books. Lawrence served as a founding board member and Vice President of the Digital Forensics Association. In his spare time he enjoys trading money on the foreign currency market, hiking, nature and performance cars.

Optimized squid 4.0.20 Config

You’ll need to customize the IP addresses to your liking. But here’s my latest, most optimized squid 4.0.20 configuration.

 

#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost

#no_cache deny noscan
#http_access deny block-googlezip-dcp
#always_direct allow noscan
#no_cache deny video
#always_direct allow video

# Deny requests to certain unsafe ports

# Deny CONNECT to other than secure SSL ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on .localhost. is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
#cache_peer 192.168.1.1 parent 8080 0 default no-query no-digest no-netdb-exchange
#never_direct allow all

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed

http_access allow all

# allow localhost always proxy functionality

# And finally deny all other access to this proxy
# Squid normally listens to port 3128
pipeline_prefetch 64
read_ahead_gap 768 MB
client_request_buffer_max_size 1024 KB
request_header_max_size 128 KB
reply_header_max_size 128 KB
#quick_abort_min -1 KB
#quick_abort_pct 5
#range_offset_limit 32 MB
#refresh_stale_hit 60 seconds
eui_lookup off
http_port 0.0.0.0:8080 intercept disable-pmtu-discovery=always
http_port 0.0.0.0:3128
tcp_outgoing_address 192.168.2.2

client_persistent_connections on
server_persistent_connections on
#detect_broken_pconn on

# We recommend you to use at least the following line.
#hierarchy_stoplist cgi-bin ?
# Uncomment and adjust the following to add a disk cache directory.
#cache_dir diskd /ssd/0 54000 32 256 Q1=256 Q2=144
#cache_dir diskd /ssd/1 54000 32 256 Q1=256 Q2=144
#cache_dir diskd /ssd/3 54000 32 256 Q1=256 Q2=144

#cache_dir diskd /ssd/0 40000 1024 256
#cache_dir diskd /ssd/1 40000 1024 256
#cache_dir diskd /ssd/2 40000 1024 256
#cache_dir diskd /ssd/3 40000 1024 256
#cache_dir diskd /ssd/4 40000 1024 256
#cache_dir diskd /ssd/5 40000 1024 256

#cache_dir diskd /ssd2/0 40000 1024 256
#cache_dir diskd /ssd2/1 40000 1024 256
#cache_dir diskd /ssd2/2 40000 1024 256
#cache_dir diskd /ssd2/3 40000 1024 256
#cache_dir diskd /ssd2/4 40000 1024 256
#cache_dir diskd /ssd2/5 40000 1024 256

 

cache_dir ufs /ssd/0 100000 512 256
cache_dir ufs /ssd/1 100000 512 256
cache_dir ufs /ssd2/0 100000 512 256
cache_dir ufs /ssd2/1 100000 512 256

store_dir_select_algorithm round-robin
#cache_replacement_policy heap LRU
#memory_replacement_policy heap GDSF

# Leave coredumps in the first cache dir
coredump_dir /var/cache/squid
# Add any of your own refresh_pattern entries above these.
# General Rules
#cache images

refresh_pattern -i \.(gif|png|ico|jpg|jpeg|jp2|webp)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private
refresh_pattern -i \.(jpx|j2k|j2c|fpx|bmp|tif|tiff|bif)$ 100000 90% 20000 override-expire reload-into-ims ignore-no-store ignore-private
refresh_pattern -i \.(pcd|pict|rif|exif|hdr|bpg|img|jif|jfif|lsr)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private
refresh_pattern -i \.(dds|woff|woff2|eps|ttf|otf|svg|svgi|svgz|ps|ps1|acsm|eot)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private

#cache content
refresh_pattern -i \.(swf|js|ejs)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private
refresh_pattern -i \.(wav|css|class|dat|zsci|ver|advcs)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private

#cache videos
refresh_pattern -i \.(mpa|m2a|mpe|avi|mov|mpg|mpeg|mpg3|mpg4|mpg5)$ 0 90% 200000 reload-into-ims ignore-no-store ignore-private
refresh_pattern -i \.(m1s|mp2v|m2v|m2s|m2ts|wmx|rm|rmvb|3pg|3gpp|omg|ogm|asf|war)$ 0 90% 200000 reload-into-ims ignore-no-store ignore-private
refresh_pattern -i \.(asx|mp2|mp3|mp4|mp5|wmv|flv|mts|f4v|f4|pls|midi|mid)$ 0 90% 200000 reload-into-ims ignore-no-store ignore-private
refresh_pattern -i \.(htm|html)$ 9440 90% 200000 reload-into-ims ignore-no-store ignore-private
refresh_pattern -i \.(xml|flow|asp|aspx)$ 0 90% 200000
refresh_pattern -i \.(json)$ 0 90% 200000
refresh_pattern -i (/cgi-bin/|\?) 0 90% 200000

#live video cache rules
refresh_pattern -i \.(m3u8|ts)$ 0 90% 200000

#cache specific sites
refresh_pattern -i ^http:\/\/liveupdate.symantecliveupdate.com.*\.(zip)$ 0 0% 0
refresh_pattern -i ^http:\/\/.*\.bitdefender\.net.*$ 0 0% 0
refresh_pattern -i ^http:\/\/.*\.bitdefender\.com.*$ 0 0% 0
refresh_pattern -i ^http:\/\/premium.avira-update.com.*\.(gz) 0 0% 0
refresh_pattern -i microsoft.com/.*\.(cab|exe|msi|msu|msf|asf|wma|dat|zip)$ 4320 80% 43200
refresh_pattern -i windowsupdate.com/.*\.(cab|exe|msi|msu|msf|asf|wma|wmv|dat|zip)$ 4320 80% 43200
refresh_pattern -i windows.com/.*\.(cab|exe|msi|msu|msf|asf|wmv|wma|dat|zip)$ 4320 80% 43200
refresh_pattern -i apple.com/.*\.(cab|exe|msi|msu|msf|asf|wmv|wma|dat|zip|dist)$ 0 80% 4320

#cache binaries
refresh_pattern -i \.(app|bin|deb|rpm|drpm|exe|zip|zipx|tar|tgz|tbz2|tlz|iso|arj|cfs|dar|jar)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private
refresh_pattern -i \.(bz|bz2|ipa|ram|rar|uxx|gz|msi|dll|lz|lzma|7z|s7z|Z|z|xz|zz|sz)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private
refresh_pattern -i \.(exe|msi)$ 0 90% 200000
refresh_pattern -i \.(cab|psf|vidt|apk|wtex|hz|ova|ovf)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private

#cache microsoft and adobe and other documents
refresh_pattern -i \.(ppt|pptx|doc|docx|docm|docb|dot|pdf|pub|ps)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private
refresh_pattern -i \.(xls|xlsx|xlt|xlm|xlsm|xltm|xlw|csv|txt)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private
#refresh_pattern -i ^ftp: 100000 90% 200000
#refresh_pattern -i ^gopher: 1440 0% 1440

#allow caching of other things based on cache control headers with some exceptions
refresh_pattern -i . 0 90% 200000 reload-into-ims
reload_into_ims on
log_icp_queries off
icp_port 0
htcp_port 0
acl snmppublic snmp_community public
snmp_port 3401
snmp_incoming_address 192.168.2.2
snmp_incoming_address 127.0.0.1
snmp_access allow snmppublic all
minimum_object_size 0 KB
cache_effective_user squid
#header_replace User-Agent Mozilla/5.0 (X11; U;) Gecko/20080221 Firefox/2.0.0.9
#vary_ignore_expire on
cache_swap_low 90
cache_swap_high 95
visible_hostname shadow
unique_hostname shadow-DHS
shutdown_lifetime 0 second
request_entities on
half_closed_clients off
max_filedesc 65535
connect_timeout 5 seconds
connect_retries 2
cache_effective_group squid
buffered_logs on
#access_log stdio:/var/log/squid/access.log squid
#access_log daemon:/var/log/squid/access.log
access_log none
#netdb_filename none
client_db off
dns_nameservers 127.0.0.1 192.168.1.96 192.168.1.89 192.168.1.92
ipcache_size 4096
ipcache_low 90
ipcache_high 95
dns_v4_first on
negative_ttl 5 minutes
positive_dns_ttl 30 days
negative_dns_ttl 5 minutes
dns_retransmit_interval 2 seconds
check_hostnames off
forwarded_for delete
via off
httpd_suppress_version_string on
# mem and cache size
#collapsed_forwarding on
cache_mem 8 GB
#memory_cache_mode disk
maximum_object_size 2 GB
maximum_object_size_in_memory 2 GB
store_objects_per_bucket 32
digest_generation off
#digest_bits_per_entry 16
#pinger_enable off
memory_pools on
max_stale 4 months
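
A small audit of the security-relevant directives in the configuration above (`http_access allow all` with no final deny, the `public` SNMP community, `access_log none`, and `ignore-private`/`ignore-no-store` caching), added here as an example and not part of the original post. The `audit` function and its rule names are hypothetical; the sample lines are copied from the configuration.

```python
# Constructed sample: directives copied from the configuration above.
SAMPLE = r"""http_access allow all
http_port 0.0.0.0:3128
acl snmppublic snmp_community public
snmp_access allow snmppublic all
access_log none
refresh_pattern -i \.(htm|html)$ 9440 90% 200000 reload-into-ims ignore-no-store ignore-private
refresh_pattern -i \.(json)$ 0 90% 200000
#http_access deny to_localhost
"""

def audit(conf_text):
    """Return (line_no, rule, directive) for each risky squid.conf setting."""
    findings = []
    # Keep only active directives; commented-out lines do not count.
    active = [(n, l.split()) for n, l in enumerate(conf_text.splitlines(), 1)
              if l.strip() and not l.lstrip().startswith("#")]
    # Map SNMP ACL names to their community strings.
    communities = {t[1]: t[3] for _, t in active
                   if len(t) >= 4 and t[0] == "acl" and t[2] == "snmp_community"}
    for n, tok in active:
        line = " ".join(tok)
        if tok[:3] == ["http_access", "allow", "all"]:
            # http_access is first-match: this admits every client that can reach the port.
            findings.append((n, "open-proxy", line))
        elif tok[:2] == ["snmp_access", "allow"] and any(
                communities.get(a) in ("public", "private") for a in tok[2:]):
            findings.append((n, "snmp-default-community", line))
        elif tok[:2] == ["access_log", "none"]:
            # No request log means no record for abuse investigation.
            findings.append((n, "no-access-log", line))
        elif tok[0] == "refresh_pattern" and {"ignore-private", "ignore-no-store"} & set(tok):
            # Overrides Cache-Control: private / no-store in a cache shared by all clients.
            findings.append((n, "shared-cache-of-private-responses", line))
    if not any(t[:2] == ["http_access", "deny"] and t[-1] == "all" for _, t in active):
        findings.append((0, "missing-final-deny", "http_access deny all"))
    return findings

if __name__ == "__main__":
    for n, rule, line in audit(SAMPLE):
        print(f"line {n}: {rule}: {line}")
```

Run it against the full file with `audit(open("/etc/squid/squid.conf").read())`; the path is an assumption and depends on the install.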





My latest Gartner research: Forecast Analysis: Information Security, Worldwide, 2Q17 Update

12 September 2017  |  The overall global information security market is forecast to grow at a CAGR of 7.7% to reach $117.7 billion in 2021. Technology strategic planners should use this research to understand the key highlights and associated assumptions for the second-quarter forecast for information security worldwide….

Gartner clients can access this research by clicking here.



My latest Gartner research: Competitive Landscape: Secure Web Gateways

12 September 2017  |  …building toward a secure internet gateway (SIG) service platform concept. Secure web gateways (SWGs) consist of appliance and service-based web traffic inspection…company now actively sells its ProxySG, Advanced Secure Gateway, Virtual Secure…

Gartner clients can access this research by clicking here.



My latest Gartner Research: SWOT: Palo Alto Networks, Network Security, Worldwide

While growing commoditization and execution issues led to some sustainable growth setbacks in 2016, Palo Alto Networks is well-placed to become the largest firewall provider. Technology product management leaders should further strengthen management capabilities and prioritize firmware releases….

Gartner clients can read this research by clicking here.



My latest Gartner Research: Competitive Landscape: Threat Intelligence Services, Worldwide, 2017

26 July 2017  |  Technology product management leaders must focus on demonstrating how products and services bring relevancy and actionability in order to better succeed in a highly fragmented and increasingly competitive marketplace….

Gartner clients can access this research by clicking here.



My latest Gartner research: Market Share: Unified Threat Management (SMB Multifunction Firewalls), Worldwide, 2016

24 April 2017  |  …Growth by Region: Unified Threat Management (SMB Multifunction Firewalls), Worldwide, 2013-2016 (Percent) 2-1 Total Unified Threat Management (SMB Multifunction…Size: Unified Threat Management (SMB Multifunction Firewalls) by Segment…

Gartner clients can access this research by clicking here.



My latest Gartner research: Market Opportunity Map: Security and Risk Management Software, Worldwide

20 April 2017  |  The security software market is transforming through four vectors: analytics, adoption of SaaS and managed services, expanded ecosystems, and regulations. Technology business unit leaders must realign their product and go-to-market strategies to address these key forces….

Gartner clients can access this research by clicking here.



My latest Gartner research: Forecast Analysis: Information Security, Worldwide, 4Q16 Update

11 April 2017  |  The overall global information security market is forecast to grow at a compound annual growth rate of 7.8% through 2020. This document, aimed at technology strategic planners, discusses the key highlights and associated assumptions for the fourth-quarter forecast….

Gartner clients can access this research by clicking here.

