###########################################################################
##  Copyright (C) Wizardry and Steamworks 2012 - License: GNU GPLv3      ##
##  Please see: http://www.gnu.org/licenses/gpl.html for legal details,  ##
##  rights of fair usage, the disclaimer and warranty conditions.        ##
###########################################################################
## Squid3 - non-intercepting general configuration.                      ##
###########################################################################
## Configuration at a glance:                                            ##
##   - only in-memory cache, upstream proxies use disk cache.            ##
##   - connections via HTTP / HTTPs and CONNECT to non-SSL ports.        ##
##   - spam / ad blocking domains via "blocked_domains" ACL.             ##
##   - direct domain fetching via "direct_domains" ACL.                  ##
##   - cache exception domains via "cache_exceptions" ACL.               ##
##   - split route fetching via two uplinks (A and B) ACLs.              ##
##   - polipo parent proxy configuration / darknet i2p and onion.        ##
##   - DNS load-balancing using tor upstream proxies.                    ##
##   - HTTP reply / request header filtering.                            ##                        
###########################################################################
 
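### Access Control Lists (ACL)s
## Commented out on upgrade to 3.4 - manager, localhost, to_localhost and all
## are provided built-in by Squid 3.x, so they are still referenced below.
# acl manager proto cache_object
# acl localhost src 127.0.0.1/32 ::1
# The only client network trusted to use this proxy.
acl localnets src 192.168.0.0/24
## Commented out on upgrade to 3.4
# acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
## SSL ports - only consulted by the (currently disabled) CONNECT rule below.
acl SSL_ports port 443          # https
acl SSL_ports port 21           # ftp control channel (plain FTP, not FTPS)
## Non-SSL ports
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 873         # rsync
acl Safe_ports port 1025-65535  # un-reserved ports
## CONNECT method
acl CONNECT method CONNECT
## FTP
acl ftp proto FTP

## http_access is a first-match list evaluated top to bottom, so the rules
## that protect the proxy host itself must precede every "allow".
# Allow localhost connections to Squid cache manager.
http_access allow manager localhost
http_access deny manager
# Deny any connections through Squid to any port that is not in the
# "Safe_ports" ACL.
http_access deny !Safe_ports
## Deny CONNECT method to any non-SSL ports.
# Disabled to facilitate the use of command-line tools.  While this rule is
# off, trusted clients may open CONNECT tunnels to every Safe_port, including
# the whole 1025-65535 range; re-enable it if raw tunnelling is not required.
# http_access deny CONNECT !SSL_ports
## Deny connections through squid to localhost.
# Must sit before the "allow localhost" / "allow localnets" rules: placed
# after them it can never match an admitted client, and LAN clients would be
# able to reach services bound to 127.0.0.1 on the proxy host via the proxy.
http_access deny to_localhost
## Allow access to Squid from the local network and the server Squid is on.
http_access allow localhost
http_access allow localnets
## Allow access using the FTP protocol - from the trusted network only.
# A bare "allow ftp" matches requests from ANY source address, which turns
# the proxy into an open FTP relay for whoever can reach the listening port.
# localhost and localnets are already admitted above, so this only closes
# the door to outside clients.
http_access allow localnets ftp
## Deny anything else that does not match any ACL rules above.
http_access deny all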
 
### Requests to certain (spam) domains that should be blocked
## Disabled - better to use client-side anti-ad/spam solutions.
# acl blocked_domains dstdomain "/etc/squid3/blocked_domains.conf"
# http_access deny blocked_domains
# deny_info TCP_RESET blocked_domains
 
### Requests to domains that should always be fetched directly.
# Regular-expression list read from the quoted file, one pattern per line.
acl direct_domains dstdom_regex "/etc/squid3/direct_domains.conf"
## Force all requests to go through Squid except the direct domains.
# always_direct / never_direct are first-match lists: direct_domains bypasses
# the parent proxies, everything else is forced through a parent.  Because of
# "never_direct allow all", a request with no usable parent presumably fails
# rather than going out over the uplink directly - the fail-closed behaviour
# wanted for the tor / i2p routing below; confirm against the running version.
always_direct allow direct_domains
never_direct deny direct_domains
never_direct allow all
 
### Responses from domains that should never be cached.
# acl cache_exceptions dstdom_regex "/etc/squid3/cache_exceptions.conf"
## Disable cache for the cache exceptions ACL
# cache deny cache_exceptions
 
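### Domains that should be fetched through different uplinks
### using ip / iproute2 routing and iptables marking.
# ACL for outbound connection A (regex list read from file, one pattern per
# line).  Both file names below need the closing quote, as for
# direct_domains above; it was missing on both lines.
acl out_A dstdom_regex "/etc/squid3/out_A.conf"
# Mark the outbound packets to the A domains with 0x65 for routing.
tcp_outgoing_mark 0x65 out_A
# ACL for outbound connection B
acl out_B dstdom_regex "/etc/squid3/out_B.conf"
# Mark the outbound packets to the B domains with 0x66 for routing.
tcp_outgoing_mark 0x66 out_B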
 
# Default port that Squid will be listening on.
# Bound to the address proxy.lan resolves to at start-up, not to all
# interfaces; exposure beyond the LAN depends on that address and the host
# firewall, not on the http_access rules alone.
http_port proxy.lan:8123
 
### HTCP - cache hierarchy protocol
## Disable HTCP completely if not needed.
# htcp_port 4827
# htcp_access allow localnets
# Port 0 turns the listener off; the deny-all list is a second line of
# defence should a port ever be configured again.
htcp_port 0
htcp_access deny all
### ICP - cache hierarchy protocol
## Disable ICP completely if not needed.
# miss_access allow localnets
# miss_access deny all
# icp_access allow localnets
icp_port 0
icp_access deny all
## Plug ICP leaks
# Strip the Squid-specific reply headers for any client outside localnets so
# cache topology and error origin are not disclosed to other networks.
reply_header_access X-Cache-Lookup deny !localnets
reply_header_access X-Squid-Error deny !localnets
reply_header_access X-Cache deny !localnets
## SNMP - monitoring of Squid health through SNMP
# Disable SNMP completely if not needed.
snmp_port 0
 
### Upstream proxy configuration.
## Example: polipo parent proxies listening on 8123
##   - no-query: disable ICP cache queries (not supported by polipo)
##   - no-digest: do not use digest hashes for cached objects
##     (not supported by polipo)
##   - no-netdb-exchange: do not use netdb hashes for cached objects
##     (not supported by polipo)
##   - no-delay: do not let this parent proxy to influence the delay pools
##   - connect-fail-limit=256: consider the parent proxy down after 256
##     failed connection attempts
##   - carp: distribute requested Squid URLs between different cache peers
##     using the CARP protocol
##       - carp-key=host,port: distribute each URL between cache peers as a
##         hash of hostname and port
##   - name=polipo1.lan: a descriptive name for the cache peer used in the
##     current Squid configuration (referenced by cache_peer_access below).
## Both peers share the same CARP pool, so any request that more than one
## peer is allowed to serve (see cache_peer_access) is split between them by
## the host,port hash - the per-peer access rules decide which peer is eligible.
# polipo1.lan is an polipo-i2p proxy
cache_peer polipo1.lan parent 8123 0 no-query no-digest no-netdb-exchange no-delay connect-fail-limit=256 carp carp-key=host,port name=polipo1.lan
# polipo2.lan is a polipo-tor proxy.
cache_peer polipo2.lan parent 8123 0 no-query no-digest no-netdb-exchange no-delay connect-fail-limit=256 carp carp-key=host,port name=polipo2.lan
 
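## Darknets / darkwebs: i2p, tor, etc...
# ACL for domains ending in .i2p
acl i2p dstdomain .i2p
# ACL for domains ending in .onion
acl onion dstdomain .onion
# Send requests to .i2p domains through the polipo1.lan i2p parent proxy, and
# nothing else through it.
cache_peer_access polipo1.lan allow i2p
cache_peer_access polipo1.lan deny all
# Send requests to .onion domains through the polipo2.lan tor parent proxy.
cache_peer_access polipo2.lan allow onion
# Keep .i2p requests away from the tor parent.  With "allow all" alone both
# peers are eligible for .i2p requests and the CARP hash presumably picks
# polipo2.lan for a share of them, where the .i2p name cannot be resolved.
cache_peer_access polipo2.lan deny i2p
# All other requests that do not match .i2p or .onion goes through the
# general tor parent proxy polipo2.lan.
cache_peer_access polipo2.lan allow all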
 
### DNS
# Query first using IPv4
dns_v4_first on
## Make all DNS requests go through the tor parent proxy polipo2.lan
## polipo2.lan must have tor DNSListenAddress configured properly.
# NOTE(review): dns_nameservers is normally given as IP addresses; the name
# polipo2.lan has to be resolvable by the system resolver at start-up for
# this to work at all - confirm the hostname form is accepted by the running
# version, otherwise every lookup silently falls back to /etc/resolv.conf.
dns_nameservers polipo2.lan
# In case we add tor DNS servers later, balance the DNS requests.
balance_on_multiple_ip on
 
## Quick Squid shutdown.
# Grace period for in-flight client connections on shutdown / reconfigure.
shutdown_lifetime 1 seconds
 
### Cache storage for both in-memory and on-disk cache memory.
# NOTE(review): the "cache deny all" rule in the On-disk Cache section below
# prevents objects from being stored at all, so the in-memory settings here
# are effectively inert while it is in place - confirm which is intended
# (the file header describes an in-memory-only cache).
cache_mem 2 GB
memory_cache_mode always
minimum_object_size 0 KB
maximum_object_size 128 KB
#minimum_object_size_in_memory 0 KB
maximum_object_size_in_memory 128 KB
memory_replacement_policy heap GDSF
## Do not set on-disk cache policy if not needed.
# cache_replacement_policy heap LFUDA
store_avg_object_size 32 KB
 
### Tweaks
## Symmetric multi-processing (SMP) - balance on multiple CPUs / cores
# Example: dual-core set-up using process-pinning: worker 1 on core 1 and
# worker 2 on core 2, one squid process per core.
workers 2
cpu_affinity_map process_numbers=1,2 cores=1,2
# Buffer logs before writing to disk for non-blocking IO
buffered_logs on
## DNS IP cache
ipcache_size 819200
ipcache_low 90
ipcache_high 95
fqdncache_size 819200
## DNS
# Store successful queries for one week.
# A week-long positive TTL means a changed or revoked record keeps being
# served from Squid's own cache for up to a week - a deliberate trade-off
# given the slow tor resolver, but worth knowing when rotating hosts.
positive_dns_ttl 1 week
# Store failed queries for one second.
negative_dns_ttl 1 second
# dns_retransmit_interval 1 second
# dns_timeout 1 minute
## Persistent connections
client_persistent_connections on
# Not needed if squid is not a reverse-proxy.
server_persistent_connections off
persistent_connection_after_error off
## HTTP Pipelining / Prefetching
# Numeric form (maximum number of prefetched requests); older releases took
# on / off here.
pipeline_prefetch 8
## Memory pools
memory_pools on
memory_pools_limit 128 MB
## Quick abort
# quick_abort_max 16384000 KB
# quick_abort_max -1 KB
# quick_abort_min -1 KB
# quick_abort_pct 5
# quick_abort_pct 0
# Both thresholds at 0: stop fetching from the server as soon as the client
# goes away, never finish a transfer on the client's behalf.
quick_abort_min 0 KB
quick_abort_max 0 KB
range_offset_limit 0
## Read ahead
## Set a read-ahead of 32MB
# read_ahead_gap 128 KB
# Up to 32 MB per connection may be buffered ahead of a slow client; with
# many concurrent clients this is the figure that bounds memory use.
read_ahead_gap 32 MB
# Set the minimum expiry time on cached objects to one week.
minimum_expiry_time 1 week
# Do not ignore expiry times for HTTP/1.0
vary_ignore_expire off
## Set cache low and high mark - disable if disk cache not used.
# cache_swap_low 85
# cache_swap_high 90
## QoS Flows
# Presumably marks the TOS/DSCP byte of replies served from the local cache
# (0x30) and from a parent (0x32) so downstream routers can prioritise them.
qos_flows local-hit=0x30
qos_flows parent-hit=0x32
qos_flows disable-preserve-miss
## Miscellaneous
pinger_enable off
client_db off
short_icon_urls off
detect_broken_pconn on
# Do not retry 403, 500, 501 or 503
retry_on_error off
# NOTE(review): check_hostnames validates request hostnames for RFC
# compliance and rejects malformed ones; it does not exempt LAN hosts from
# proxying as the original comment ("Do not proxy lan hosts.") suggested -
# confirm against squid.conf.documented for this version.
check_hostnames on
# Use multicast DNS for .local domains and reverse-DNS resolution.
# These lookups go to the LAN multicast group rather than the tor resolver
# configured in dns_nameservers; presumably fine for .local names only.
dns_multicast_local on
offline_mode off
# Do not prefer to send the request directly.
prefer_direct off
# Disable half-closed clients.
half_closed_clients off
# Set the squid core-dump directory for crashes.
# coredump_dir /var/spool/squid3
# Disable debugging.
# NOTE(review): debug_options takes "section,level" pairs; a bare "0" is
# probably read as section 0 at the default level rather than silencing all
# sections - the usual spelling for "as quiet as possible" is ALL,0; verify.
debug_options 0
 
### General Timeout Configuration.
## Use built-in defaults.
# forward_timeout 60 seconds
# connect_timeout 60 seconds
# read_timeout 60 seconds
# request_timeout 60 seconds
# persistent_request_timeout 1 minute
# client_lifetime 21 hours
 
### On-disk Cache
## Cache user, this example: proxy
# cache_effective_user proxy
## Rock on-disk storage used by SMP configuration.
# cache_dir rock /var/spool/squid3/1 16384 max-size=32000
# cache_dir rock /var/spool/squid3/2 16384 max-size=32000
## AUFS on-disk storage.
# cache_dir aufs /var/spool/squid3 20480 64 256
## Disable on-disk cache - useful since parent proxies in this
## configuration will already be caching.
# NOTE(review): "cache deny all" stops objects from being stored in ANY
# store - memory as well as disk - not just the on-disk cache this comment
# refers to; if the in-memory cache configured above is wanted, drop this
# rule and disable only the disk store.
cache deny all
# NOTE(review): the "null" cache_dir type was removed in Squid 3.2 (with no
# cache_dir at all there is simply no disk cache); the "upgrade to 3.4" notes
# at the top of this file suggest this line needs checking against the
# running version, as an unknown store type is fatal at start-up.
cache_dir null /tmp
# Disable the cache store log - useful only for debugging.
cache_store_log none
 
## HTTP Header Filtering
# The actual request_header_access / reply_header_access rules live in the
# included files; the header filtering claimed in the file header is only as
# strong as those lists, so review them together with this file.
# HTTP request filtering.
include /etc/squid3/anonymize_http_request.conf
# HTTP response filtering.
include /etc/squid3/anonymize_http_response.conf
## Privacy settings.
include /etc/squid3/privacy.conf

## Refresh patterns.
# Irrelevant while "cache deny all" is in effect, since nothing is stored.
include /etc/squid3/refresh_patterns.conf
