Refresh Patterns

To use the refresh patterns below, download the file and place it in the same directory as squid.conf and then add a configuration directive in squid.conf:

# include refresh patterns
include /etc/squid3/refresh_patterns.conf
refresh_patterns.conf
###########################################################################
##  Copyright (C) Wizardry and Steamworks 2014 - License: GNU GPLv3      ##
##  Please see: http://www.gnu.org/licenses/gpl.html for legal details,  ##
##  rights of fair usage, the disclaimer and warranty conditions.        ##
###########################################################################
 
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i \.(yuv|tif|tga|gif|bmp|webp|tiff|png|jp(2|e|eg|g)|ico|ilbm|svg)$ 10080 90% 43200 override-expire ignore-no-cache ignore-no-store ignore-private reload-into-ims
refresh_pattern -i \.(mid|midi|iso|mpg|jar|mpeg|qt|mov|avi|wav|mp3|mp4|mpeg|swf|flv|x-flv|m4a)$ 43200 90% 432000 override-expire ignore-no-cache ignore-no-store ignore-private reload-into-ims
refresh_pattern -i \.(deb|rpm|exe|bz2|Z|zip|lha|lzx|tar|txt|tgz|gz|inc|pdf|psd|ai|eps|ps|ram|rar|3ds|bin|cab|dll|7z|ppt|pps|ppsx|pptx|doc)$ 10080 90% 43200 override-expire ignore-no-cache ignore-no-store ignore-private reload-into-ims
refresh_pattern -i \.index.(html|htm)$ 0 75% 10080
refresh_pattern -i \.(html|htm|css|js)$ 1440 75% 40320
refresh_pattern -i (cgi-bin|php|jsp|cgi|asx|asp|aspx) 0 0% 0
refresh_pattern . 0 50% 10080
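To see how Squid evaluates these lines, here is an added model (not Squid's code and not from the original page) of the refresh_pattern algorithm as described in squid.conf.documented, run over a subset of the rules above; it assumes only the override-expire option matters for freshness and ignores the ignore-no-cache family of flags.

```python
import re

# Subset of refresh_patterns.conf above, as (regex, case-insensitive, min,
# percent, max, option flags); times are in minutes, as in squid.conf.
# Only override-expire is modelled (assumption); the other flags are ignored.
RULES = [
    (r"^ftp:", False, 1440, 20, 10080, set()),
    (r"\.(yuv|tif|tga|gif|bmp|webp|tiff|png|jp(2|e|eg|g)|ico|ilbm|svg)$",
     True, 10080, 90, 43200, {"override-expire"}),
    (r"\.(html|htm|css|js)$", True, 1440, 75, 40320, set()),
    (r"(cgi-bin|php|jsp|cgi|asx|asp|aspx)", True, 0, 0, 0, set()),
    (r".", False, 0, 50, 10080, set()),
]

def match_rule(url):
    """First matching refresh_pattern wins, exactly like Squid's ordered list."""
    for regex, icase, mn, pct, mx, flags in RULES:
        if re.search(regex, url, re.IGNORECASE if icase else 0):
            return mn, pct, mx, flags
    raise ValueError("no rule matched; the '.' catch-all should always match")

def is_fresh(url, age_min, expires_in_min=None, lm_age_min=None):
    """Freshness per squid.conf.documented:
         FRESH if expire > now, else STALE (override-expire keeps age < min fresh)
         STALE if age > max
         FRESH if age < min
         FRESH if lm-factor (age / time since Last-Modified) < percent
         else STALE
       age_min: minutes since the object was cached; expires_in_min: minutes
       until the server's explicit expiry (negative = already past, None = no
       expiry header); lm_age_min: minutes from Last-Modified to caching time."""
    mn, pct, mx, flags = match_rule(url)
    if expires_in_min is not None:
        if "override-expire" in flags and age_min < mn:
            return True
        return expires_in_min > 0
    if age_min > mx:
        return False
    if age_min < mn:
        return True
    if lm_age_min:
        return 100.0 * age_min / lm_age_min < pct
    return False
```

Note that a URL matching the cgi-bin/php rule (0 0% 0) is never fresh, while an image with override-expire stays fresh for the full min period even after the server's Expires has passed.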

Privacy Settings

The following directives turn off the Via header, delete the X-Forwarded-For header, and restrict which request and reply headers Squid passes through (request_header_access and reply_header_access), replacing some of the denied request headers with fixed values.

privacy.conf
###########################################################################
##  Copyright (C) Wizardry and Steamworks 2016 - License: GNU GPLv3      ##
##  Please see: http://www.gnu.org/licenses/gpl.html for legal details,  ##
##  rights of fair usage, the disclaimer and warranty conditions.        ##
###########################################################################
 
##
# Rules to anonymize http headers
##
## Request Header Rules
# Content-Types that are acceptable for the response (replace this).
request_header_access Accept deny all
# Character sets that are acceptable (replace this).
request_header_access Accept-Charset deny all
# List of acceptable encodings (replace this).
request_header_access Accept-Encoding deny all
# List of acceptable human languages for response (replace this).
request_header_access Accept-Language allow all
# Acceptable version in time
#request_header_access Accept-Datetime allow all
request_header_access Authorization allow all
#request_header_access Cache-Control allow all
request_header_access Connection allow all
# Needed for not breaking most websites.
request_header_access Cookie allow all
request_header_access Content-Length allow all
request_header_access Content-MD5 allow all
request_header_access Content-Type allow all
# The date and time that the message was sent.
#request_header_access Date allow all
request_header_access Expect allow all
# The email address of the user making the request.
#request_header_access From allow all
request_header_access Host allow all
request_header_access If-Match allow all
request_header_access If-Modified-Since allow all
request_header_access If-None-Match allow all
request_header_access If-Range allow all
request_header_access If-Unmodified-Since allow all
# Limit the number of times the message can be forwarded through proxies or gateways.
#request_header_access Max-Forwards allow all
# Initiates a request for cross-origin resource sharing.
#request_header_access Origin allow all
#request_header_access Pragma allow all
request_header_access Proxy-Authorization allow all
request_header_access Range allow all
# Needed in order to not break some sites.
request_header_access Referer allow all
request_header_access TE allow all
# The user agent string of the user agent (replace this).
request_header_access User-Agent deny all
# Ask the server to upgrade to another protocol.
#request_header_access Upgrade allow all
# Informs the server of proxies through which the request was sent.
request_header_access Via allow all
request_header_access Warning allow all
# Needed for AJAX requests.
request_header_access X-Requested-With allow all
# Requests a web application to disable their tracking of a user.
# request_header_access DNT allow all
# Identifying the originating IP address of a client connecting with a proxy.
#request_header_access X-Forwarded-For allow all
# Identifying the original host requested by the client.
request_header_access X-Forwarded-Host allow all
# Identifying the originating protocol of an HTTP request
request_header_access X-Forwarded-Proto allow all
request_header_access Front-End-Https allow all
request_header_access X-Http-Method-Override allow all
# Allows easier parsing of the MakeModel/Firmware that is usually found in the User-Agent String of AT&T Devices.
#request_header_access X-ATT-DeviceId allow all
# Full description and details about the device currently connecting
#request_header_access X-Wap-Profile allow all
request_header_access Proxy-Connection allow all
# Server-side deep packet insertion of a unique ID identifying customers of Verizon Wireless.
#request_header_access X-UIDH allow all
request_header_access X-Csrf-Token allow all
#request_header_access X-Request-ID allow all
#request_header_access X-Correlation-ID allow all
request_header_access Other deny all
request_header_access All deny all
 
## Response Header Rules
reply_header_access Access-Control-Allow-Origin allow all
reply_header_access Accept-Patch allow all
reply_header_access Accept-Ranges allow all
reply_header_access Age allow all
reply_header_access Allow allow all  
reply_header_access Alt-Svc allow all
#reply_header_access Cache-Control allow all
reply_header_access Connection allow all
reply_header_access Content-Disposition allow all 
reply_header_access Content-Encoding allow all
reply_header_access Content-Language allow all
reply_header_access Content-Length allow all
reply_header_access Content-Location allow all
reply_header_access Content-MD5 allow all
reply_header_access Content-Range allow all
reply_header_access Content-Type allow all
# The date and time that the message was sent.
#reply_header_access Date allow all
reply_header_access ETag allow all
reply_header_access Expires allow all
reply_header_access Last-Modified allow all   
reply_header_access Link allow all   
reply_header_access Location allow all
reply_header_access P3P allow all
#reply_header_access Pragma allow all 
reply_header_access Proxy-Authenticate allow all
reply_header_access Public-Key-Pins allow all
reply_header_access Refresh allow all
reply_header_access Retry-After allow all
reply_header_access Server allow all
reply_header_access Set-Cookie allow all
reply_header_access Status allow all
# HSTS and cache
#reply_header_access Strict-Transport-Security allow all
reply_header_access Trailer allow all  
reply_header_access Transfer-Encoding allow all
# Tracking Status Value, value suggested to be sent in response to a DNT(do-not-track).
#reply_header_access TSV allow all   
# Ask the client to upgrade to another protocol.
#reply_header_access Upgrade allow all 
reply_header_access Vary allow all
reply_header_access Via allow all
reply_header_access Warning allow all
reply_header_access WWW-Authenticate allow all  
reply_header_access X-Frame-Options allow all
reply_header_access X-XSS-Protection allow all
reply_header_access Content-Security-Policy allow all
reply_header_access X-Content-Security-Policy allow all
reply_header_access X-WebKit-CSP allow all
reply_header_access X-Content-Type-Options allow all
reply_header_access X-Powered-By allow all
reply_header_access X-UA-Compatible allow all
reply_header_access X-Content-Duration allow all
#reply_header_access Upgrade-Insecure-Requests allow all
#reply_header_access X-Request-ID allow all
#reply_header_access X-Correlation-ID allow all 
reply_header_access Other deny all
reply_header_access All deny all
 
# Ignore responses from different nameservers
ignore_unknown_nameservers on
 
# Turn off sending squid version information
httpd_suppress_version_string on
 
# Remove via and x-forwarded-for
via off
forwarded_for delete
follow_x_forwarded_for deny all
 
# Fixed values for request headers denied above (request_header_replace
# only applies to headers that request_header_access denies)
request_header_replace Accept */*
request_header_replace Accept-Charset utf-8
request_header_replace Accept-Encoding gzip, deflate
request_header_replace Accept-Language en-US

To use the settings, store the file in /etc/squid3/privacy.conf and then include it in the main squid configuration file:

# include privacy settings
include /etc/squid3/privacy.conf

Disable All Logging

Add the following to squid.conf:

# disable all logs
access_log /dev/null
cache_log /dev/null
logfile_rotate 0

Bypass Hierarchy for Certain Domains

Some domains can be fetched directly by squid instead of being sent through the cache hierarchy (parent or sibling caches). This is achieved with the always_direct directive and, if never_direct is used elsewhere in the configuration, a matching never_direct exception.

First we define an ACL for domains that we always fetch directly:

# domains always fetched directly                  
acl direct_domains dstdom_regex "/etc/squid3/direct_domains.conf"
# allow direct domains to bypass cache hierarchy
always_direct allow direct_domains
# this is here in case you pass all the traffic through
# squid by using the directive: never_direct allow all
never_direct deny direct_domains

and then in the direct_domains.conf file we list one domain regex per line. For example, direct_domains.conf could contain:

(^|\.)paypal\..+?$
(^|\.)ebay\..+?$

which makes squid fetch any sub-domain of paypal or ebay directly instead of passing the request through the hierarchy.
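Because dstdom_regex is matched against the destination hostname with ordinary regex semantics, it is worth checking what a list actually matches before relying on it. The following added checker (not from the original page) loads a list in the direct_domains.conf format and reports which hostnames it would match; it goes slightly beyond the text by also showing a tighter pattern that pins the registrable domain.

```python
import re

# Constructed copy of the direct_domains.conf list shown above.
DIRECT_DOMAINS_CONF = r"""
(^|\.)paypal\..+?$
(^|\.)ebay\..+?$
"""

# Tighter alternative (assumption: only the .com domains are wanted): anchor
# on the registrable domain instead of "anything after the paypal. label".
TIGHT_CONF = r"""
(^|\.)paypal\.com$
(^|\.)ebay\.com$
"""

def load_dstdom_regex(text):
    """One regex per line, as in a quoted ACL file; blank and '#' lines are
    skipped here. Patterns are compiled case-insensitively, as -i would do."""
    pats = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            pats.append(re.compile(line, re.IGNORECASE))
    return pats

def host_matches(patterns, host):
    """dstdom_regex is tested against the destination hostname only, never the
    URL path, so that is all we feed to the regexes."""
    host = host.strip().lower().rstrip(".")
    return any(p.search(host) for p in patterns)

def audit(conf_text, hosts):
    """Map each candidate hostname to whether the list would match it."""
    pats = load_dstdom_regex(conf_text)
    return {h: host_matches(pats, h) for h in hosts}
```

The loose pattern also matches hosts such as paypal.example.net or paypal.com.example.net, because `paypal\..+?$` accepts anything after the label; the tight form does not, at the cost of having to list every country domain (paypal.co.uk and so on) you actually want sent direct.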

Bypass Cache For Certain Domains

Similar to bypassing cache hierarchies, add an ACL in squid.conf:

# domains to not cache
acl cache_exceptions dstdom_regex "/etc/squid3/cache_exceptions.conf"

and then use the cache directive:

cache deny cache_exceptions

The cache_exceptions.conf file must contain one domain regex per line; responses for matching domains will not be cached.

Route Requests through Different Outgoing Addresses

If you have a multi-homed server with a set of IPs, it is possible to route web-traffic through a certain IP address by using ACLs and the tcp_outgoing_address configuration key.

Suppose that we have the IP address 193.35.234.82, then we define an ACL out_uk that processes domains from /etc/squid3/out_uk.conf and then fetches through 193.35.234.82:

# domains to fetch through a given IP
acl out_uk dstdom_regex "/etc/squid3/out_uk.conf"
tcp_outgoing_address 193.35.234.82 out_uk

The /etc/squid3/out_uk.conf file should contain domain regexes; for example, to reach paypal from a UK address, /etc/squid3/out_uk.conf would contain:

(^|\.)paypal\..+?$

Block Domains

With AdBlock being the paragon of human greed, it seems like you will have to manage domain blocking on your own. To prevent connections to any domain, create a list called, say, blocked.conf and then reference it in squid.conf before any other http_access rules, since the first matching http_access rule wins:

# domains to block (spam)
acl blocked_domains dstdomain "/etc/squid3/blocked.conf"
http_access deny blocked_domains
deny_info TCP_RESET blocked_domains

The deny_info directive with TCP_RESET simply resets the connection to the blocked domain instead of serving an error page, which makes it ideal for getting spam content out of the way.

A good list to start with domains for your blocked.conf is the Wizardry and Steamworks spam database.