fuss:squid [2016/10/09 08:56]
office [Privacy Settings]
fuss:squid [2017/02/22 18:30] (current)
====== Refresh Patterns ======

To use the refresh patterns below, download the file and place it in the
same directory as ''squid.conf'' and then add a configuration directive in
''squid.conf'':
<code>
# include refresh patterns
include /etc/squid3/refresh_patterns.conf
</code>

<file txt refresh_patterns.conf>
###########################################################################
##  Copyright (C) Wizardry and Steamworks 2014 - License: GNU GPLv3      ##
##  Please see: http://www.gnu.org/licenses/gpl.html for legal details,  ##
##  rights of fair usage, the disclaimer and warranty conditions.        ##
###########################################################################

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i \.(yuv|tif|tga|gif|bmp|webp|tiff|png|jp(2|e|eg|g)|ico|ilbm|svg)$ 10080 90% 43200 override-expire ignore-no-cache ignore-no-store ignore-private reload-into-ims
refresh_pattern -i \.(mid|midi|iso|mpg|jar|mpeg|qt|mov|avi|wav|mp3|mp4|swf|flv|x-flv|m4a)$ 43200 90% 432000 override-expire ignore-no-cache ignore-no-store ignore-private reload-into-ims
refresh_pattern -i \.(deb|rpm|exe|bz2|Z|zip|lha|lzx|tar|txt|tgz|gz|inc|pdf|psd|ai|eps|ps|ram|rar|3ds|bin|cab|dll|7z|ppt|pps|ppsx|pptx|doc)$ 10080 90% 43200 override-expire ignore-no-cache ignore-no-store ignore-private reload-into-ims
refresh_pattern -i \.index.(html|htm)$ 0 75% 10080
refresh_pattern -i \.(html|htm|css|js)$ 1440 75% 40320
refresh_pattern -i (cgi-bin|php|jsp|cgi|asx|asp|aspx) 0 0% 0
refresh_pattern . 0 50% 10080

</file>
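Squid evaluates ''refresh_pattern'' lines in order and uses the first one whose regex matches the URL, so the order of the list above decides which timings apply. The following script is an added example (not part of the original page or of the Wizardry and Steamworks files) that parses a constructed copy of the patterns above and reports the first match for a few sample URLs. One thing it makes visible: ''\.index.(html|htm)$'' needs a literal dot before ''index'', so a plain ''/index.html'' falls through to the generic ''\.(html|htm|css|js)$'' rule. Python's ''re'' is used in place of the POSIX extended regexes Squid compiles; for the patterns on this page the two agree.

```python
import re

# Constructed copy of the refresh_pattern lines from refresh_patterns.conf
# above, embedded here so the script runs without the file.
REFRESH_PATTERNS_CONF = r"""
# include refresh patterns (comment lines are skipped)
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i \.(yuv|tif|tga|gif|bmp|webp|tiff|png|jp(2|e|eg|g)|ico|ilbm|svg)$ 10080 90% 43200 override-expire ignore-no-cache ignore-no-store ignore-private reload-into-ims
refresh_pattern -i \.(mid|midi|iso|mpg|jar|mpeg|qt|mov|avi|wav|mp3|mp4|swf|flv|x-flv|m4a)$ 43200 90% 432000 override-expire ignore-no-cache ignore-no-store ignore-private reload-into-ims
refresh_pattern -i \.(deb|rpm|exe|bz2|Z|zip|lha|lzx|tar|txt|tgz|gz|inc|pdf|psd|ai|eps|ps|ram|rar|3ds|bin|cab|dll|7z|ppt|pps|ppsx|pptx|doc)$ 10080 90% 43200 override-expire ignore-no-cache ignore-no-store ignore-private reload-into-ims
refresh_pattern -i \.index.(html|htm)$ 0 75% 10080
refresh_pattern -i \.(html|htm|css|js)$ 1440 75% 40320
refresh_pattern -i (cgi-bin|php|jsp|cgi|asx|asp|aspx) 0 0% 0
refresh_pattern . 0 50% 10080
"""

# refresh_pattern [-i] regex min percent% max [options...]
RULE_RE = re.compile(
    r"^refresh_pattern\s+(?:(-i)\s+)?(\S+)\s+(\d+)\s+(\d+)%\s+(\d+)(?:\s+(.*))?$"
)


def parse_refresh_patterns(text):
    """Turn refresh_pattern lines into an ordered list of rule dicts."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unparsable refresh_pattern line: " + line)
        ci, pattern, min_m, pct, max_m, opts = m.groups()
        rules.append({
            "pattern": pattern,
            # Squid compiles these as POSIX extended regexes; Python's re
            # behaves the same for the patterns used on this page.
            "regex": re.compile(pattern, re.IGNORECASE if ci else 0),
            "min": int(min_m),
            "percent": int(pct),
            "max": int(max_m),
            "options": opts.split() if opts else [],
        })
    return rules


def match_refresh_pattern(rules, url):
    """Return the first rule whose regex matches the URL, as Squid does, or None."""
    for rule in rules:
        if rule["regex"].search(url):
            return rule
    return None


if __name__ == "__main__":
    rules = parse_refresh_patterns(REFRESH_PATTERNS_CONF)
    for url in ("ftp://mirror.example.org/file.iso",
                "http://www.example.com/index.html",
                "http://www.example.com/foo.index.html",
                "http://www.example.com/script.php?id=1",
                "https://cdn.example.com/logo.PNG"):
        r = match_refresh_pattern(rules, url)
        print("%-42s -> %s  min=%d %d%% max=%d %s" % (
            url, r["pattern"], r["min"], r["percent"], r["max"],
            " ".join(r["options"])))
```

Running the script shows that ''file.iso'' fetched over FTP gets the ''^ftp:'' timings rather than the media-file timings, because ''^ftp:'' comes first; any pattern you want to take precedence has to be listed above the more general ones.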
====== Privacy Settings ======

The following directives turn off the ''Via'' header, delete
''X-Forwarded-For'' and restrict which request and reply headers squid lets
through, substituting fixed values for some of the denied request headers.

<file txt privacy.conf>
###########################################################################
##  Copyright (C) Wizardry and Steamworks 2016 - License: GNU GPLv3      ##
##  Please see: http://www.gnu.org/licenses/gpl.html for legal details,  ##
##  rights of fair usage, the disclaimer and warranty conditions.        ##
###########################################################################

##
# Rules to anonymize http headers
##
## Request Header Rules
# Content-Types that are acceptable for the response (replace this).
request_header_access Accept deny all
# Character sets that are acceptable (replace this).
request_header_access Accept-Charset deny all
# List of acceptable encodings (replace this).
request_header_access Accept-Encoding deny all
# List of acceptable human languages for response (replace this).
request_header_access Accept-Language allow all
# Acceptable version in time
#request_header_access Accept-Datetime allow all
request_header_access Authorization allow all
#request_header_access Cache-Control allow all
request_header_access Connection allow all
# Needed for not breaking most websites.
request_header_access Cookie allow all
request_header_access Content-Length allow all
request_header_access Content-MD5 allow all
request_header_access Content-Type allow all
# The date and time that the message was sent.
#request_header_access Date allow all
request_header_access Expect allow all
# The email address of the user making the request.
#request_header_access From allow all
request_header_access Host allow all
request_header_access If-Match allow all
request_header_access If-Modified-Since allow all
request_header_access If-None-Match allow all
request_header_access If-Range allow all
request_header_access If-Unmodified-Since allow all
# Limit the number of times the message can be forwarded through proxies or gateways.
#request_header_access Max-Forwards allow all
# Initiates a request for cross-origin resource sharing.
#request_header_access Origin allow all
#request_header_access Pragma allow all
request_header_access Proxy-Authorization allow all
request_header_access Range allow all
# Needed in order to not break some sites.
request_header_access Referer allow all
request_header_access TE allow all
# The user agent string of the user agent (replace this).
request_header_access User-Agent deny all
# Ask the server to upgrade to another protocol.
#request_header_access Upgrade allow all
# Informs the server of proxies through which the request was sent.
request_header_access Via allow all
request_header_access Warning allow all
# Needed for AJAX requests.
request_header_access X-Requested-With allow all
# Requests a web application to disable their tracking of a user.
#request_header_access DNT allow all
# Identifying the originating IP address of a client connecting with a proxy.
#request_header_access X-Forwarded-For allow all
# Identifying the original host requested by the client.
request_header_access X-Forwarded-Host allow all
# Identifying the originating protocol of an HTTP request
request_header_access X-Forwarded-Proto allow all
request_header_access Front-End-Https allow all
request_header_access X-Http-Method-Override allow all
# Allows easier parsing of the MakeModel/Firmware that is usually found in the User-Agent String of AT&T Devices.
#request_header_access X-ATT-DeviceId allow all
# Full description and details about the device currently connecting
#request_header_access X-Wap-Profile allow all
request_header_access Proxy-Connection allow all
# Server-side deep packet insertion of a unique ID identifying customers of Verizon Wireless.
#request_header_access X-UIDH allow all
request_header_access X-Csrf-Token allow all
#request_header_access X-Request-ID allow all
#request_header_access X-Correlation-ID allow all
request_header_access Other deny all
request_header_access All deny all

## Response Header Rules
reply_header_access Access-Control-Allow-Origin allow all
reply_header_access Accept-Patch allow all
reply_header_access Accept-Ranges allow all
reply_header_access Age allow all
reply_header_access Allow allow all
reply_header_access Alt-Svc allow all
#reply_header_access Cache-Control allow all
reply_header_access Connection allow all
reply_header_access Content-Disposition allow all
reply_header_access Content-Encoding allow all
reply_header_access Content-Language allow all
reply_header_access Content-Length allow all
reply_header_access Content-Location allow all
reply_header_access Content-MD5 allow all
reply_header_access Content-Range allow all
reply_header_access Content-Type allow all
# The date and time that the message was sent.
#reply_header_access Date allow all
reply_header_access ETag allow all
reply_header_access Expires allow all
reply_header_access Last-Modified allow all
reply_header_access Link allow all
reply_header_access Location allow all
reply_header_access P3P allow all
#reply_header_access Pragma allow all
reply_header_access Proxy-Authenticate allow all
reply_header_access Public-Key-Pins allow all
reply_header_access Refresh allow all
reply_header_access Retry-After allow all
reply_header_access Server allow all
reply_header_access Set-Cookie allow all
reply_header_access Status allow all
# HSTS and cache
#reply_header_access Strict-Transport-Security allow all
reply_header_access Trailer allow all
reply_header_access Transfer-Encoding allow all
# Tracking Status Value, value suggested to be sent in response to a DNT (do-not-track).
#reply_header_access TSV allow all
# Ask the client to upgrade to another protocol.
#reply_header_access Upgrade allow all
reply_header_access Vary allow all
reply_header_access Via allow all
reply_header_access Warning allow all
reply_header_access WWW-Authenticate allow all
reply_header_access X-Frame-Options allow all
reply_header_access X-XSS-Protection allow all
reply_header_access Content-Security-Policy allow all
reply_header_access X-Content-Security-Policy allow all
reply_header_access X-WebKit-CSP allow all
reply_header_access X-Content-Type-Options allow all
reply_header_access X-Powered-By allow all
reply_header_access X-UA-Compatible allow all
reply_header_access X-Content-Duration allow all
#reply_header_access Upgrade-Insecure-Requests allow all
#reply_header_access X-Request-ID allow all
#reply_header_access X-Correlation-ID allow all
reply_header_access Other deny all
reply_header_access All deny all

# Ignore responses from different nameservers
ignore_unknown_nameservers on

# Turn off sending squid version information
httpd_suppress_version_string on

# Remove via and x-forwarded-for
via off
forwarded_for delete
follow_x_forwarded_for deny all

# Fixed replacement values for denied request headers; request_header_replace
# only applies to headers denied above, allowed headers pass through unchanged
request_header_replace Accept */*
request_header_replace Accept-Charset utf-8
request_header_replace Accept-Encoding gzip, deflate
request_header_replace Accept-Language en-US

</file>

To use the settings, store the file in ''/etc/squid3/privacy.conf'' and then
include it in the main ''squid'' configuration file:
<code>
# include privacy settings
include /etc/squid3/privacy.conf
</code>
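Two details of the header rules above are easy to get wrong: a ''request_header_replace'' value is only used for a header that has been denied, and a denied header with no replacement is stripped entirely. The script below is an added example, not part of the original page or of the Wizardry and Steamworks files; it parses a constructed excerpt of ''privacy.conf'' and applies a simplified model of Squid's request-header mangling to a constructed browser request. The model assumes that a header with no rule of its own falls under ''Other'' and then ''All'', and that a later ''request_header_replace'' for the same header overrides an earlier one; both are labelled as assumptions in the code.

```python
# Constructed excerpt of privacy.conf above: enough rules to show how
# request_header_access and request_header_replace interact.
PRIVACY_CONF = """
request_header_access Accept deny all
request_header_access Accept-Charset deny all
request_header_access Accept-Encoding deny all
request_header_access Accept-Language allow all
request_header_access Cookie allow all
request_header_access Host allow all
request_header_access Referer allow all
request_header_access User-Agent deny all
request_header_access Other deny all
request_header_access All deny all
request_header_replace Accept */*
request_header_replace Accept-Charset utf-8
request_header_replace Accept-Encoding gzip, deflate
request_header_replace Accept-Language en-US
"""

# Constructed browser request, as the proxy would receive it from the client.
SAMPLE_REQUEST = {
    "Host": "www.example.com",
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/50.0",
    "Accept": "text/html,application/xhtml+xml",
    "Accept-Encoding": "br",
    "Accept-Language": "de-DE,de;q=0.8",
    "Cookie": "session=abc123",
    "X-Unlisted-Header": "1",
}


def parse_privacy_conf(text):
    """Collect the allow/deny decision and replacement value per header name."""
    access, replace = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        directive, header, rest = parts
        if directive == "request_header_access":
            access[header.lower()] = rest.split()[0]   # "allow" or "deny"
        elif directive == "request_header_replace":
            # Assumption: a later replace for the same header overrides an earlier one.
            replace[header.lower()] = rest
    return access, replace


def mangle_request_headers(headers, access, replace):
    """Simplified model of what Squid sends upstream after header mangling.

    Assumption/simplification: a header without its own rule falls under
    'Other', then 'All'. Squid itself keeps a table of known header names and
    routes only unknown ones to 'Other'; with both set to deny, as in
    privacy.conf, the outcome is identical.
    """
    sent = {}
    for name, value in headers.items():
        key = name.lower()
        rule = access.get(key, access.get("other", access.get("all", "allow")))
        if rule == "allow":
            sent[name] = value            # allowed: any replacement is ignored
        elif key in replace:
            sent[name] = replace[key]     # denied but replaced: fixed value
        # denied with no replacement: the header is stripped
    return sent


if __name__ == "__main__":
    access, replace = parse_privacy_conf(PRIVACY_CONF)
    for name, value in mangle_request_headers(SAMPLE_REQUEST, access, replace).items():
        print("%-18s %s" % (name + ":", value))
```

Note the ''Accept-Language'' outcome: because ''privacy.conf'' allows it, the ''en-US'' replacement is never applied and the client's real language list is forwarded. If the intent is to normalise that header (the comment in the file says "replace this"), it has to be denied like ''Accept'' and ''Accept-Encoding''.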
====== Disable All Logging ======

Add the following to ''squid.conf'':

<code>
# disable all logs
access_log /dev/null
cache_log /dev/null
logfile_rotate 0
</code>

====== Bypass Hierarchy for Certain Domains ======

Some domains can be fetched directly by squid without sending the request
through the cache hierarchy. This is done with the ''always_direct''
directive and, if ''never_direct'' is also in use, a matching
''never_direct'' exception.

First we define an ACL for domains that we always fetch directly:
<code>
# domains always fetched directly
acl direct_domains dstdom_regex "/etc/squid3/direct_domains.conf"
# allow direct domains to bypass cache hierarchy
always_direct allow direct_domains
# this is here in case you pass all the traffic through
# squid by using the directive: never_direct allow all
never_direct deny direct_domains
</code>

and then in the ''direct_domains.conf'' file we list one domain regex per
line. For example, the ''direct_domains.conf'' file would contain the
following:
<code>
(^|\.)paypal\..+?$
(^|\.)ebay\..+?$
</code>

which makes squid fetch paypal and ebay domains, including any of their
sub-domains, directly instead of passing the request through the hierarchy.

====== Bypass Cache For Certain Domains ======

Similar to bypassing cache hierarchies, add an ACL in ''squid.conf'':
<code>
# domains to not cache
acl cache_exceptions dstdom_regex "/etc/squid3/cache_exceptions.conf"
</code>

and then use the ''cache'' directive:
<code>
cache deny cache_exceptions
</code>

The ''cache_exceptions.conf'' file must contain one domain regex per line;
responses for matching domains will not be cached.

====== Route Requests through Different Outgoing Addresses ======

If you have a multi-homed server with a set of IPs, it is possible to route
web-traffic through a certain IP address by using ACLs and the
''tcp_outgoing_address'' configuration key.

Suppose that we have the IP address ''193.35.234.82''; then we define an ACL
''out_uk'' that matches domains from ''/etc/squid3/out_uk.conf'' and fetches
them through ''193.35.234.82'':
<code>
# domains to fetch through a given IP
acl out_uk dstdom_regex "/etc/squid3/out_uk.conf"
tcp_outgoing_address 193.35.234.82 out_uk
</code>

The ''/etc/squid3/out_uk.conf'' file should contain domain regexes. For
example, to access paypal through a UK address, the
''/etc/squid3/out_uk.conf'' file would contain:

<code>
(^|\.)paypal\..+?$
</code>

====== Block Domains ======

With AdBlock being the paragon of human greed, it seems like you will have to manage domain blocking on your own. To prevent connections to any domain, create a list called, say, ''blocked.conf'' and then reference it in ''squid.conf'' before any other ACL rules:
<code>
# domains to block (spam)
acl blocked_domains dstdomain "/etc/squid3/blocked.conf"
http_access deny blocked_domains
deny_info TCP_RESET blocked_domains
</code>

The ''deny_info'' directive with ''TCP_RESET'' simply resets the client's connection for requests to a blocked domain instead of returning an error page, which makes it ideal for getting spam content out of the way.

A good list of domains to start your ''blocked.conf'' with is the [[assets/databases/spam|Wizardry and Steamworks spam database]].
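The four sections above (direct domains, cache exceptions, outgoing address and blocked domains) all hinge on how squid matches a destination host against a list file, and the two ACL types behave differently: ''dstdom_regex'' applies a regular expression to the host name, while ''dstdomain'' matches an entry exactly unless it starts with a dot, in which case the domain and all of its sub-domains match. The script below is an added example (not from the original page or the Wizardry and Steamworks files) that models both ACL types over constructed list files, so a list can be sanity-checked against sample hosts before it is loaded into a running proxy. Host names are lowercased before matching, as squid normalises them; the list file names are the page's own, the host names are constructed.

```python
import re

# Constructed sample list files in the formats the sections above use.
# dstdom_regex lists (direct_domains.conf, cache_exceptions.conf, out_uk.conf)
# hold one regular expression per line:
DIRECT_DOMAINS_CONF = r"""
(^|\.)paypal\..+?$
(^|\.)ebay\..+?$
"""

# dstdomain lists (blocked.conf) hold one domain per line; a leading dot
# matches the domain and every sub-domain, without it only the exact host.
BLOCKED_CONF = """
# exact host only
ads.example.net
# the domain and all of its sub-domains
.tracker.example.org
"""


def load_list(text):
    """Drop blank and comment lines, as squid does when reading a quoted file."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith("#")]


def dstdom_regex_matches(patterns, host):
    """dstdom_regex: true when any regex in the list matches the host."""
    host = host.lower()
    return any(re.search(p, host) for p in patterns)


def dstdomain_matches(domains, host):
    """dstdomain: exact host, or domain suffix when the entry starts with a dot."""
    host = host.lower()
    for entry in domains:
        entry = entry.lower()
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


def classify(host):
    """Which of the page's domain ACLs a request to this host would hit."""
    return {
        "direct_domains": dstdom_regex_matches(load_list(DIRECT_DOMAINS_CONF), host),
        "blocked_domains": dstdomain_matches(load_list(BLOCKED_CONF), host),
    }


if __name__ == "__main__":
    for h in ("www.paypal.com", "paypal.co.uk", "notpaypal.com",
              "ads.example.net", "sub.ads.example.net",
              "tracker.example.org", "a.tracker.example.org",
              "nottracker.example.org"):
        print("%-25s %s" % (h, classify(h)))
```

The ''sub.ads.example.net'' case is the one to watch: a ''blocked.conf'' entry without a leading dot blocks only that exact host, so sub-domains of an ad or tracker domain still get through unless the entry is written as ''.ads.example.net''. After editing any of the list files, ''squid -k parse'' checks that the main configuration and the included files still parse, and ''squid -k reconfigure'' makes the change live.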

fuss/squid.txt · Last modified: 2017/02/22 18:30 (external edit)
