fuss:squid, revision 2016/11/01 19:02 ([Privacy Settings], office), compared with revision 2022/04/19 08:28 (current, external edit 127.0.0.1).
====== Refresh Patterns ======
To use the refresh patterns below, download the file and place it in the
same directory as ''
''
<code>
# include refresh patterns
include /
</code>

<file txt refresh_patterns.conf>
###########################################################################
## Copyright (C) Wizardry and Steamworks 2014 - License: GNU GPLv3 ##
## Please see: http://
## rights of fair usage, the disclaimer and warranty conditions.
###########################################################################

# Rules are tried in order and the first regex that matches the URL wins,
# so the specific extension rules must stay above the catch-all "." rule.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
# Static media: kept for at least min minutes even past the origin's Expires
# (override-expire). ignore-no-store and ignore-private also store responses
# the origin marked as per-user; on a cache shared by several users that can
# hand one user's authenticated download to the next, so keep these options
# only on a single-user cache.
refresh_pattern -i \.(yuv|tif|tga|gif|bmp|webp|tiff|png|jp(2|e|eg|g)|ico|ilbm|svg)$ 10080 90% 43200 override-expire ignore-no-cache ignore-no-store ignore-private reload-into-ims
refresh_pattern -i \.(mid|midi|iso|mpg|jar|mpeg|qt|mov|avi|wav|mp3|mp4|swf|flv|x-flv|m4a)$ 43200 90% 432000 override-expire ignore-no-cache ignore-no-store ignore-private reload-into-ims
refresh_pattern -i \.(deb|rpm|exe|bz2|Z|zip|lha|lzx|tar|txt|tgz|gz|inc|pdf|psd|ai|eps|ps|ram|rar|3ds|bin|cab|dll|7z|ppt|pps|ppsx|pptx|doc)$ 10080 90% 43200 override-expire ignore-no-cache ignore-no-store ignore-private reload-into-ims
# index pages are always revalidated (min 0). The pattern must match a path
# ending in /index.html; "\.index." would require a dot before "index".
refresh_pattern -i /index\.(html|htm)$ 0 75% 10080
refresh_pattern -i \.(html|htm|css|js)$ 1440 75% 40320
# dynamic content is never served without revalidation; this regex is not
# anchored and matches these strings anywhere in the URL
refresh_pattern -i (cgi-bin|php|jsp|cgi|asx|asp|aspx) 0 0% 0
refresh_pattern . 0 50% 10080

</file>
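To check how these rules behave before deploying them, here is an added example in Python (not from the page and not Squid's own code) that re-implements rule selection, first matching regex wins, and a simplified form of the freshness decision, and flags rules whose options make a shared cache store per-user responses. The rule text is copied from the file above with the index rule written as /index\.(html|htm)$, which is what that rule is meant to match; the sample URLs are constructed, and the freshness logic follows the order given in Squid's refresh_pattern documentation (Expires, then max, then the Last-Modified factor, then min) rather than Squid's source.

```python
"""Model of Squid refresh_pattern selection and freshness (illustrative)."""
import re
from dataclasses import dataclass

# The rules from refresh_patterns.conf above, in the same order.
REFRESH_CONF = r"""
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i \.(yuv|tif|tga|gif|bmp|webp|tiff|png|jp(2|e|eg|g)|ico|ilbm|svg)$ 10080 90% 43200 override-expire ignore-no-cache ignore-no-store ignore-private reload-into-ims
refresh_pattern -i \.(mid|midi|iso|mpg|jar|mpeg|qt|mov|avi|wav|mp3|mp4|swf|flv|x-flv|m4a)$ 43200 90% 432000 override-expire ignore-no-cache ignore-no-store ignore-private reload-into-ims
refresh_pattern -i \.(deb|rpm|exe|bz2|Z|zip|lha|lzx|tar|txt|tgz|gz|inc|pdf|psd|ai|eps|ps|ram|rar|3ds|bin|cab|dll|7z|ppt|pps|ppsx|pptx|doc)$ 10080 90% 43200 override-expire ignore-no-cache ignore-no-store ignore-private reload-into-ims
refresh_pattern -i /index\.(html|htm)$ 0 75% 10080
refresh_pattern -i \.(html|htm|css|js)$ 1440 75% 40320
refresh_pattern -i (cgi-bin|php|jsp|cgi|asx|asp|aspx) 0 0% 0
refresh_pattern . 0 50% 10080
"""

# Options that make a shared cache keep responses the origin marked per-user.
SHARED_CACHE_RISKS = {"ignore-private", "ignore-no-store"}


@dataclass
class RefreshRule:
    regex: str
    pattern: "re.Pattern"
    min_age: int        # minutes
    percent: int
    max_age: int        # minutes
    options: frozenset


def parse_refresh_patterns(conf):
    """Parse refresh_pattern lines (regexes on this page contain no whitespace)."""
    rules = []
    for raw in conf.splitlines():
        parts = raw.split()
        if not parts or parts[0] != "refresh_pattern":
            continue
        parts = parts[1:]
        flags = 0
        if parts[0] == "-i":
            flags, parts = re.IGNORECASE, parts[1:]
        regex, min_age, percent, max_age, *options = parts
        rules.append(RefreshRule(regex, re.compile(regex, flags), int(min_age),
                                 int(percent.rstrip("%")), int(max_age), frozenset(options)))
    return rules


def select_rule(rules, url):
    """Index of the first refresh_pattern whose regex matches the URL, as Squid does."""
    for idx, rule in enumerate(rules):
        if rule.pattern.search(url):
            return idx
    return None


def is_fresh(rule, age, lm_age=None, expires_in=None):
    """Simplified freshness decision, all values in minutes.

    age:        time since the object was stored
    lm_age:     store time minus Last-Modified (None if the reply had none)
    expires_in: minutes until Expires (negative = already expired, None = none)

    Order as in the refresh_pattern documentation: Expires, then max, then the
    Last-Modified factor, then min; override-expire / override-lastmod let min
    win over the first two. Cache-Control max-age is not modelled.
    """
    if "override-expire" in rule.options and age < rule.min_age:
        return True
    if expires_in is not None:
        return expires_in > 0
    if age > rule.max_age:
        return False
    if "override-lastmod" in rule.options and age < rule.min_age:
        return True
    if lm_age is not None and lm_age > 0:
        return age < lm_age * rule.percent / 100
    return age < rule.min_age


def shared_cache_risks(rule):
    """Options of this rule that store per-user responses in a shared cache."""
    return sorted(rule.options & SHARED_CACHE_RISKS)


if __name__ == "__main__":
    rules = parse_refresh_patterns(REFRESH_CONF)
    # constructed sample URLs
    for url in ("http://example.com/logo.PNG", "http://example.com/index.html",
                "http://example.com/jsp-tutorial", "http://example.com/report.pdf"):
        idx = select_rule(rules, url)
        print(f"{url} -> rule {idx} ({rules[idx].regex}) risks={shared_cache_risks(rules[idx])}")
```

Two things the model makes visible: the unanchored dynamic-content rule catches a URL such as /jsp-tutorial that has no dynamic content at all, and without override-lastmod an object modified shortly before it was fetched goes stale before the min age is reached, because the Last-Modified factor is checked before min.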
====== Privacy Settings ======

The following directives block the ''
and restrict which request and reply headers squid forwards: anything not
explicitly allowed below is dropped.

<file txt privacy.conf>
###########################################################################
## Copyright (C) Wizardry and Steamworks 2016 - License: GNU GPLv3 ##
## Please see: http://
## rights of fair usage, the disclaimer and warranty conditions.
###########################################################################

##
# Rules to anonymize http headers
##
# For each header squid uses the header's own rule; headers without one fall
# under "Other" (non-standard names) and then "All", so the two deny rules at
# the end of each list turn the list into an allow-list.
## Request Header Rules
# Content-Types that are acceptable for the response (replace this).
request_header_access Accept deny all
# Character sets that are acceptable (replace this).
request_header_access Accept-Charset deny all
# List of acceptable encodings (replace this).
request_header_access Accept-Encoding deny all
# List of acceptable human languages for response (replace this).
# Denied so that the fixed value from request_header_replace below is sent;
# request_header_replace has no effect on a header that is allowed through.
request_header_access Accept-Language deny all
# Acceptable version in time
#
request_header_access Authorization allow all
#
request_header_access Connection allow all
# Needed for not breaking most websites.
request_header_access Cookie allow all
request_header_access Content-Length allow all
request_header_access Content-MD5 allow all
request_header_access Content-Type allow all
# The date and time that the message was sent.
#
request_header_access Expect allow all
# The email address of the user making the request.
#
request_header_access Host allow all
request_header_access If-Match allow all
request_header_access If-Modified-Since allow all
request_header_access If-None-Match allow all
request_header_access If-Range allow all
request_header_access If-Unmodified-Since allow all
# Limit the number of times the message can be forwarded through proxies or gateways.
#
# Initiates a request for cross-origin resource sharing.
#
#
request_header_access Proxy-Authorization allow all
request_header_access Range allow all
# Needed in order to not break some sites.
request_header_access Referer allow all
request_header_access TE allow all
# The user agent string of the user agent (replace this).
request_header_access User-Agent deny all
# Ask the server to upgrade to another protocol.
#
# Informs the server of proxies through which the request was sent.
request_header_access Via allow all
request_header_access Warning allow all
# Needed for AJAX requests.
request_header_access X-Requested-With allow all
# Requests a web application to disable their tracking of a user.
# request_header_access DNT allow all
# Identifying the originating IP address of a client connecting with a proxy.
#
# Identifying the original host requested by the client.
request_header_access X-Forwarded-Host allow all
# Identifying the originating protocol of an HTTP request
request_header_access X-Forwarded-Proto allow all
request_header_access Front-End-Https allow all
request_header_access X-Http-Method-Override allow all
# Allows easier parsing of the MakeModel/
#
# Full description and details about the device currently connecting
#
request_header_access Proxy-Connection allow all
# Server-side deep packet insertion of a unique ID identifying customers of Verizon Wireless.
#
request_header_access X-Csrf-Token allow all
#
#
request_header_access Other deny all
request_header_access All deny all

## Response Header Rules
reply_header_access Access-Control-Allow-Origin allow all
reply_header_access Accept-Patch allow all
reply_header_access Accept-Ranges allow all
reply_header_access Age allow all
reply_header_access Allow allow all
reply_header_access Alt-Svc allow all
#
reply_header_access Connection allow all
reply_header_access Content-Disposition allow all
reply_header_access Content-Encoding allow all
reply_header_access Content-Language allow all
reply_header_access Content-Length allow all
reply_header_access Content-Location allow all
reply_header_access Content-MD5 allow all
reply_header_access Content-Range allow all
reply_header_access Content-Type allow all
# The date and time that the message was sent.
#
reply_header_access ETag allow all
reply_header_access Expires allow all
reply_header_access Last-Modified allow all
reply_header_access Link allow all
reply_header_access Location allow all
reply_header_access P3P allow all
#
reply_header_access Proxy-Authenticate allow all
reply_header_access Public-Key-Pins allow all
reply_header_access Refresh allow all
reply_header_access Retry-After allow all
reply_header_access Server allow all
reply_header_access Set-Cookie allow all
reply_header_access Status allow all
# HSTS and cache
#
reply_header_access Trailer allow all
reply_header_access Transfer-Encoding allow all
# Tracking Status Value, value suggested to be sent in response to a DNT(do-not-track).
#
# Ask the client to upgrade to another protocol.
#
reply_header_access Vary allow all
reply_header_access Via allow all
reply_header_access Warning allow all
reply_header_access WWW-Authenticate allow all
reply_header_access X-Frame-Options allow all
reply_header_access X-XSS-Protection allow all
reply_header_access Content-Security-Policy allow all
reply_header_access X-Content-Security-Policy allow all
reply_header_access X-WebKit-CSP allow all
reply_header_access X-Content-Type-Options allow all
reply_header_access X-Powered-By allow all
reply_header_access X-UA-Compatible allow all
reply_header_access X-Content-Duration allow all
#
#
#
reply_header_access Other deny all
reply_header_access All deny all

# Ignore responses from different nameservers
ignore_unknown_nameservers on

# Turn off sending squid version information
httpd_suppress_version_string on

# Remove via and x-forwarded-for
via off
forwarded_for delete
follow_x_forwarded_for deny all

# Fixed values for the headers denied above. request_header_replace only
# applies to headers that request_header_access denies, and one value per
# header is used.
request_header_replace Accept */*
request_header_replace Accept-Charset utf-8
request_header_replace Accept-Encoding gzip, deflate
request_header_replace Accept-Language en-US
# Without a replacement the User-Agent would be removed altogether, which is
# itself distinctive. The value below is only an example: use a string that
# is common among the browsers behind the proxy.
request_header_replace User-Agent Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0

</file>

To use the settings, store the file in ''/
include it in the main ''
<code>
# include privacy settings
include /
</code>

Both header lists end with ''Other deny all'' and ''All deny all'', so every header that is not explicitly allowed is removed in both directions. That includes ''Cache-Control'' and ''Origin'' on requests and ''Cache-Control'' on replies, which some sites and CORS-based applications depend on; test the sites you use after enabling the file and add ''allow all'' lines for any header they turn out to need.

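Two details of this file are easy to get wrong: ''request_header_replace'' only fires for headers that ''request_header_access'' denies, and a denied header with no replacement is removed outright. The following added example in Python (not from the page and not Squid's own code) models the lookup order, the header's own rule, then ''Other'' for non-standard names, then ''All'', on a constructed browser request using a subset of the directives above, with Accept-Language left at ''allow all'' to show what happens when a replacement is configured for an allowed header. The ''STANDARD'' set is a shortened stand-in for Squid's table of registered header names, and the sample request is constructed, not captured.

```python
"""Model of how Squid applies request_header_access / request_header_replace."""

# Constructed subset of the privacy.conf above (same directives, same order).
PRIVACY_CONF = """
request_header_access Accept deny all
request_header_access Accept-Encoding deny all
request_header_access Accept-Language allow all
request_header_access Cookie allow all
request_header_access Host allow all
request_header_access Referer allow all
request_header_access User-Agent deny all
request_header_access X-Requested-With allow all
request_header_access Other deny all
request_header_access All deny all
request_header_replace Accept */*
request_header_replace Accept-Encoding gzip, deflate
request_header_replace Accept-Language en-US
"""

# Names treated as registered (standard) headers; everything else is matched by
# the "Other" rule. Short list for the model; Squid's own table is much longer.
STANDARD = {name.lower() for name in (
    "Accept", "Accept-Encoding", "Accept-Language", "Authorization", "Cookie",
    "Host", "Referer", "User-Agent", "Range", "Via", "X-Forwarded-For")}


def parse_privacy_conf(conf):
    """Return ({header: allowed}, {header: replacement}) keyed by lower-cased name.
    Only the 'allow all' / 'deny all' forms used on this page are modelled."""
    access, replace = {}, {}
    for raw in conf.splitlines():
        parts = raw.strip().split(None, 2)
        if len(parts) != 3:
            continue
        directive, name, rest = parts
        if directive == "request_header_access":
            access[name.lower()] = rest.split()[0] == "allow"
        elif directive == "request_header_replace":
            replace[name.lower()] = rest
    return access, replace


def header_allowed(access, name):
    """Lookup order: the header's own rule, then 'Other' for non-standard
    headers, then 'All'; a header with no applicable rule passes through."""
    key = name.lower()
    if key in access:
        return access[key]
    if key not in STANDARD and "other" in access:
        return access["other"]
    return access.get("all", True)


def mangle_request(access, replace, headers):
    """Header list squid would forward for a list of (name, value) pairs.
    Denied headers are dropped unless a request_header_replace value exists."""
    forwarded = []
    for name, value in headers:
        key = name.lower()
        if header_allowed(access, name):
            forwarded.append((name, value))      # replacements never touch allowed headers
        elif key in replace:
            forwarded.append((name, replace[key]))
    return forwarded


def ineffective_replacements(access, replace):
    """Replacement lines that can never fire because the header is allowed."""
    return sorted(h for h in replace if header_allowed(access, h))


# Constructed browser request, not a capture.
SAMPLE_REQUEST = [
    ("Host", "www.example.com"),
    ("User-Agent", "Mozilla/5.0 (X11; Linux x86_64) Firefox/49.0"),
    ("Accept", "text/html,application/xhtml+xml"),
    ("Accept-Language", "de-DE,de;q=0.8"),
    ("Accept-Encoding", "gzip, deflate, br"),
    ("Cookie", "session=abc123"),
    ("X-Forwarded-For", "10.0.0.5"),
    ("X-Client-Id", "device-42"),
]

if __name__ == "__main__":
    access, replace = parse_privacy_conf(PRIVACY_CONF)
    for name, value in mangle_request(access, replace, SAMPLE_REQUEST):
        print(f"{name}: {value}")
    print("replacements with no effect:", ineffective_replacements(access, replace))
```

Running it shows the User-Agent disappearing entirely (denied, no replacement), Accept-Language leaving the proxy with the browser's own value despite the en-US replacement, and both the standard X-Forwarded-For and the custom X-Client-Id being dropped by the two deny rules.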
====== Disable All Logging ======

Add the following to ''

<code>
# disable all logs
# (access_log none is the documented way to switch the access log off)
access_log /dev/null
cache_log /dev/null
logfile_rotate 0
</code>

Bear in mind that with logging off there is no record to go back to when a client behind the proxy is compromised or abuses it. A small ''logfile_rotate'' count with regular rotation, or an ''access_log'' limited by ACL to the hosts you care about, keeps most of the privacy benefit without losing that.

====== Bypass Hierarchy for Certain Domains ======

Some domains can be fetched directly by squid without sending the
request through the cache hierarchy. This can be achieved by using the
''
clause.

First we define an ACL for domains that we always fetch directly:
<code>
# domains always fetched directly
acl direct_domains dstdom_regex "/
# allow direct domains to bypass cache hierarchy
always_direct allow direct_domains
# this is here in case you pass all the traffic through
# squid by using the directive: never_direct allow all
# (always_direct is consulted first, so this line is a safety net)
never_direct deny direct_domains
</code>

and then in the ''
example, the ''
<code>
(^|\.)paypal\..+
(^|\.)ebay\..+
</code>

which will attempt to directly fetch any sub-domain of paypal or ebay
instead of passing it through the hierarchy. Two caveats: squid matches
these patterns as POSIX regular expressions, in which a ''?'' after ''+''
has no defined meaning, so end the pattern with ''.+'' rather than ''.+?'';
and the pattern matches any host name that starts with ''paypal.'' or
contains ''.paypal.'', including a ''paypal.example.net'' registered by
someone else. If the list must be exact, use a ''dstdomain'' ACL with
explicit names such as ''.paypal.com'' instead.

====== Bypass Cache For Certain Domains ======

Similar to bypassing cache hierarchies,
<code>
# domains to not cache
acl cache_exceptions dstdom_regex "/
</code>

and then use the ''
<code>
cache deny cache_exceptions
</code>

The ''
responses will not be cached. Requests that match the ACL are also not
answered from existing cache entries, which makes this the right place for
sites that serve per-user content over plain HTTP.

====== Route Requests through Different Outgoing Addresses ======

If you have a multi-homed server with a set of IPs, it is possible to route
web-traffic through a certain IP address by using ACLs and the
''

Suppose that we have the IP address ''
''
fetches through ''
<code>
# domains to fetch through a given IP
acl out_uk dstdom_regex "/
tcp_outgoing_address 193.35.234.82 out_uk
</code>

The ''/
example, to access paypal through a UK address, the
''/

<code>
(^|\.)paypal\..+
</code>

The same caution as for the hierarchy bypass applies: the pattern matches
any host name that starts with ''paypal.'', so traffic to unrelated domains
with that prefix would also leave through this address.

====== Block Domains ======

With AdBlock being the paragon of human greed, it seems like you will have to manage domain blocking on your own. To prevent connections to any domain, create a list called, say, ''
<code>
# domains to block (spam)
acl blocked_domains dstdomain "/
# must come before any http_access allow rule that would match the client:
# http_access rules are evaluated in order and the first match wins
http_access deny blocked_domains
deny_info TCP_RESET blocked_domains
</code>

The ''

Entries in a ''dstdomain'' list match exactly unless they start with a dot: ''.example.com'' covers ''example.com'' and every sub-domain, while ''example.com'' matches that one host name only.

A good list to start with domains for your ''
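The lists used in the hierarchy-bypass, outgoing-address and block-domain sections rely on two ACL types with different matching rules. The following added example in Python (not from the page and not Squid's own code) models both on constructed list files: ''dstdom_regex'' as a regex search over the lower-cased host name, and ''dstdomain'' with its leading-dot suffix rule. It shows that the regex form also accepts look-alike names such as paypal.attacker.example, while a ''.paypal.com'' entry does not, and that a ''dstdomain'' entry without a leading dot blocks only that exact host. The host names are assumptions chosen for the illustration.

```python
"""dstdomain versus dstdom_regex matching as Squid evaluates ACL list files."""
import re

# Constructed list files standing in for the files quoted on this page.
# dstdomain: ".example.com" matches example.com and every subdomain,
# "example.com" without the dot matches only that exact host.
BLOCKED_DOMAINS = """
# comment lines and blank lines are ignored
.ads.example
tracker.example
"""

# The regex lists from the hierarchy-bypass and outgoing-address sections,
# ending in ".+" because squid uses POSIX regexes, where "+?" is undefined.
DIRECT_DOMAINS_REGEX = r"""
(^|\.)paypal\..+
(^|\.)ebay\..+
"""

# The same intent expressed as dstdomain entries.
DIRECT_DOMAINS_EXACT = """
.paypal.com
.ebay.com
"""


def load_list(text):
    """Entries of a squid ACL list file: one per line, '#' lines and blanks skipped."""
    return [line.strip() for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


def dstdomain_match(entries, host):
    """dstdomain semantics: leading dot = domain plus all subdomains, else exact."""
    host = host.lower().rstrip(".")
    for entry in entries:
        entry = entry.lower()
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


def dstdom_regex_match(patterns, host):
    """dstdom_regex semantics: an unanchored search over the lower-cased host name."""
    host = host.lower().rstrip(".")
    return any(re.search(pattern, host) for pattern in patterns)


def classify(host):
    """Decision each of the three ACLs above would reach for a destination host."""
    return {
        "blocked": dstdomain_match(load_list(BLOCKED_DOMAINS), host),
        "direct_regex": dstdom_regex_match(load_list(DIRECT_DOMAINS_REGEX), host),
        "direct_exact": dstdomain_match(load_list(DIRECT_DOMAINS_EXACT), host),
    }


if __name__ == "__main__":
    for h in ("www.paypal.com", "paypal.attacker.example", "notpaypal.com",
              "banner.ads.example", "sub.tracker.example"):
        print(h, classify(h))
```

The practical consequence for the sections above: a regex list sends traffic for any host whose name begins with the brand name through the chosen path, whereas a ''dstdomain'' list with explicit suffixes confines the rule to the domains you actually control or trust.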