--- ./squid.conf 2021-11-10 06:22:18.000000000 -0500 +++ ./squid.conf 2021-11-10 06:24:17.000000000 -0500 @@ -861,6 +861,7 @@ # user="J. \"Bob\" Smith" #Default: # none +logformat squid_ua %ts.%03tu %6tr %>a %Ss/%03>Hs %h # TAG: acl # Defining an Access List @@ -1432,12 +1433,9 @@ # Example rule allowing access from your local networks. # Adapt to list your (internal) IP networks from where browsing # should be allowed -acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN) -acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN) -acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN) -acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines -acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN) -acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN) +acl localnet src 10.0.0.0/8 # RFC1918 possible internal network +#acl localnet src 172.16.0.0/12 # RFC1918 possible internal network +#acl localnet src 192.168.0.0/16 # RFC1918 possible internal network acl localnet src fc00::/7 # RFC 4193 local private network range acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines @@ -1700,8 +1698,8 @@ # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. # ## Allow ICP queries from local networks only -##icp_access allow localnet -##icp_access deny all +icp_access allow localnet +icp_access deny all #Default: # Deny, unless rules exist in squid.conf. @@ -2207,10 +2205,10 @@ # # Squid normally listens to port 3128 -http_port 3128 +http_port @PROXY_SERVER@:3128 # TAG: https_port -# Usage: [ip:]port [mode] tls-cert=certificate.pem [options] +# Usage: [ip:]port cert=certificate.pem [key=key.pem] [mode] [options...] # # The socket address where Squid will listen for client requests made # over TLS or SSL connections. Commonly referred to as HTTPS. @@ -3535,6 +3533,16 @@ #Default: # none +# See http://www.privoxy.org/user-manual/config.html +# Define Privoxy as parent proxy (without ICP) +cache_peer @PROXY_SERVER@ parent 8118 0 no-digest no-query default name=privoxy + +# If privoxy is run on the LAN: +#cache_peer 10.0.1.3 parent 8118 0 no-digest no-query default name=privoxy + +# I2P +# cache_peer @PROXY_SERVER@ parent 4443 0 no-digest no-query default name=i2p + # TAG: cache_peer_access # Restricts usage of cache_peer proxies. # @@ -3573,6 +3581,14 @@ #Default: # No peer usage restrictions. +# deny CONNECT to privoxy +cache_peer_access privoxy deny CONNECT + +# I2P +# acl i2p dstdomain -n .i2p +# cache_peer_access i2p allow i2p +# cache_peer_access i2p deny all + # TAG: neighbor_type_domain # Modify the cache_peer neighbor type when passing requests # about specific domains to the peer. @@ -3668,6 +3684,7 @@ # enough to keep larger objects from hoarding cache_mem. #Default: # maximum_object_size_in_memory 512 KB +maximum_object_size_in_memory 64 KB # TAG: memory_cache_shared on|off # Controls whether the memory cache is shared among SMP workers. @@ -3750,6 +3767,7 @@ # and http://fog.hpl.external.hp.com/techreports/98/HPL-98-173.html. #Default: # cache_replacement_policy lru +cache_replacement_policy heap LFUDA # TAG: minimum_object_size (bytes) # Objects smaller than this size will NOT be saved on disk. The @@ -3774,6 +3792,7 @@ # See cache_replacement_policy for a discussion of this policy. #Default: # maximum_object_size 4 MB +maximum_object_size 64 MB # TAG: cache_dir # Format: @@ -3931,7 +3950,7 @@ # # Uncomment and adjust the following to add a disk cache directory. -#cache_dir ufs @PREFIX@/var/squid/cache 100 16 256 +cache_dir ufs @PREFIX@/var/squid/cache 100 16 256 # TAG: store_dir_select_algorithm # How Squid selects which cache_dir to use when the response @@ -4824,8 +4843,11 @@ # in the habit of using 'squid -k rotate' instead of 'kill -USR1 # '. # +# Note, from Squid-3.1 this option is only a default for cache.log, +# that log can be rotated separately by using debug_options. #Default: # logfile_rotate 10 +logfile_rotate 31 # TAG: mime_table # Path to Squid's icon configuration file. @@ -4881,6 +4903,7 @@ # Currently honored by 'daemon' and 'tcp' access_log modules only. #Default: # buffered_logs off +buffered_logs on # TAG: netdb_filename # Note: This option is only available if Squid is rebuilt with the @@ -5652,15 +5675,25 @@ refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 -refresh_pattern . 0 20% 4320 +#refresh_pattern . 0 20% 4320 + +# https://www.linux.com/news/speed-your-internet-access-using-squids-refresh-patterns +refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$ 10080 90% 43200 override-expire ignore-no-cache ignore-no-store ignore-private +refresh_pattern -i \.(iso|avi|wav|mp3|mp4|mpeg|swf|flv|x-flv)$ 43200 90% 432000 override-expire ignore-no-cache ignore-no-store ignore-private +refresh_pattern -i \.(deb|rpm|exe|zip|tar|tgz|ram|rar|bin|ppt|doc|tiff)$ 10080 90% 43200 override-expire ignore-no-cache ignore-no-store ignore-private +refresh_pattern -i \.index.(html|htm)$ 0 40% 10080 +refresh_pattern -i \.(html|htm|css|js)$ 1440 40% 40320 +refresh_pattern . 0 40% 40320 # TAG: quick_abort_min (KB) #Default: # quick_abort_min 16 KB +quick_abort_min 0 KB # TAG: quick_abort_max (KB) #Default: # quick_abort_max 16 KB +quick_abort_max 0 KB # TAG: quick_abort_pct (percent) # The cache by default continues downloading aborted requests @@ -5878,6 +5911,7 @@ # replies as required by RFC2616. #Default: # via on +via off # TAG: vary_ignore_expire on|off # Many HTTP servers supporting Vary gives such objects @@ -5970,6 +6004,130 @@ #Default: # No limits. +# allow localnet headers +request_header_access From allow localnet +request_header_access Server allow localnet +request_header_access Link allow localnet + +request_header_access Cache-Control allow localnet +request_header_access X-Cache allow localnet +request_header_access X-Cache-Lookup allow localnet +request_header_access Via allow localnet +request_header_access Forwarded-For allow localnet +request_header_access X-Forwarded-For allow localnet +request_header_access Pragma allow localnet + +# old 'http_anonymizer standard' +request_header_access From deny all + +# allow privoxy configuration to see the referer, then +acl privoxy-config dstdomain config.privoxy.org p.p +request_header_access Referer allow privoxy-config +cache deny privoxy-config +# forge Referer in Privoxy +request_header_access Referer deny all +request_header_access Server deny all + +# forge User-Agent below and in Privoxy +# header_access User-Agent deny all +# this breaks web authentication -- do not use +#! header_access WWW-Authenticate deny all +request_header_access Link deny all + +# more privacy +request_header_access X-Cache deny all +request_header_access X-Cache-Lookup deny all +request_header_access Via deny all +request_header_access Forwarded-For deny all +request_header_access X-Forwarded-For deny all +request_header_access Pragma deny all + +#! These slow down browsing a lot -- do not use +# header_access Cache-Control deny all +# header_access Keep-Alive deny all + +# Mobile carrier uniquely identifying headers +request_header_access MSISDN deny all # T-Mobile +request_header_access X-MSISDN deny all # T-Mobile +request_header_access X-UIDH deny all # Verizon +request_header_access x-up-subno deny all # AT&T +request_header_access X-ACR deny all # AT&T +request_header_access X-UP-SUBSCRIBER-COS deny all +request_header_access X-OPWV-DDM-HTTPMISCDD deny all +request_header_access X-OPWV-DDM-IDENTITY deny all +request_header_access X-OPWV-DDM-SUBSCRIBER deny all +request_header_access CLIENTID deny all +request_header_access X-VF-ACR deny all +request_header_access X_MTI_USERNAME deny all +request_header_access X_MTI_EMAIL deny all +request_header_access X_MTI_EMPID deny all + +# Don't forge headers to Apple to avoid breaking Apple services +# https://support.apple.com/en-us/HT210060 +# Convert these IP ranges to CIDR: +# whois `nslookup phobos.apple.com | grep Address | tail -1 | perl -ane 'chomp; s/Address: //; print $_'` +# whois `nslookup p32-keyvalueservice-current.edge.icloud.apple-dns.net | grep Address | tail -1 | perl -ane 'chomp; s/Address: //; print $_'` +# whois 23.63.98.0 +# whois `nslookup www-cdn.icloud.com.akadns.net | grep Address | tail -1 | perl -ane 'chomp; s/Address: //; print $_'` +# acl apple-subnet dst 17.0.0.0/8 +acl apple-enterprise-network-domains dstdomain \ + albert.apple.com \ + captive.apple.com \ + gs.apple.com \ + humb.apple.com \ + static.ips.apple.com \ + tbsc.apple.com \ + time-ios.apple.com \ + time.apple.com \ + time-macos.apple.com \ + .push.apple.com \ + gdmf.apple.com \ + deviceenrollment.apple.com \ + deviceservices-external.apple.com \ + identity.apple.com \ + iprofiles.apple.com \ + mdmenrollment.apple.com \ + setup.icloud.com \ + appldnld.apple.com \ + gg.apple.com \ + gnf-mdn.apple.com \ + gnf-mr.apple.com \ + gs.apple.com \ + ig.apple.com \ + mesu.apple.com \ + oscdn.apple.com \ + osrecovery.apple.com \ + skl.apple.com \ + swcdn.apple.com \ + swdist.apple.com \ + swdownload.apple.com \ + swpost.apple.com \ + swscan.apple.com \ + updates-http.cdn-apple.com \ + updates.cdn-apple.com \ + xp.apple.com \ + .itunes.apple.com \ + .apps.apple.com \ + .mzstatic.com \ + ppq.apple.com \ + lcdn-registration.apple.com \ + crl.apple.com \ + crl.entrust.net \ + crl3.digicert.com \ + crl4.digicert.com \ + ocsp.apple.com \ + ocsp.digicert.com \ + ocsp.entrust.net \ + ocsp.verisign.net + +acl apple-appservices-and-akamai-subnets dst \ + 17.248.128.0/18 \ + 17.250.64.0/18 \ + 17.248.192.0/19 + +request_header_access User-Agent deny all +request_header_replace User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.1 Safari/605.1.15 + # TAG: reply_header_access # Usage: reply_header_access header_name allow|deny [!]aclname ... # @@ -6374,6 +6532,10 @@ # seconds will receive a 'timeout' message. #Default: # shutdown_lifetime 30 seconds +# Make this significantly less than daemondo's kChildDeathTimeout +# to avoid multiple squid processes at boot or on network change +# const CFTimeInterval kChildDeathTimeout = 20; +shutdown_lifetime 5 seconds # ADMINISTRATIVE PARAMETERS # ----------------------------------------------------------------------------- @@ -6442,6 +6604,7 @@ # names with this setting. #Default: # Automatically detect the system host name +visible_hostname localhost # TAG: unique_hostname # If you want to have multiple machines with the same @@ -7222,6 +7385,7 @@ # up or to simplify log analysis. #Default: # log_icp_queries on +log_icp_queries off # TAG: udp_incoming_address # udp_incoming_address is used for UDP packets received from other @@ -7720,6 +7884,41 @@ #Default: # Prevent any cache_peer being used for this request. +# See http://www.privoxy.org/user-manual/config.html +# Define ACL for protocol FTP +acl ftp proto FTP +always_direct allow ftp + +# Direct to specified domain names +#acl mydomainname dstdomain .mydomainname.com +#always_direct allow mydomainname + +# Do not forward Apple services through Privoxy +always_direct allow apple-appservices-and-akamai-subnets +always_direct allow apple-enterprise-network-domains + +# Do not send Zoom https://*.zoom.us through Privoxy +acl zoom-us-domain dstdomain .zoom.us +always_direct allow CONNECT zoom-us-domain + +# Do not send AWS requests through Privoxy +acl aws-domains dstdomain \ + .aws.amazon.com \ + .cloudfront.net +always_direct allow aws-domains + +# See http://www.privoxy.org/user-manual/config.html +# Define ACL for protocol FTP +acl ftp proto FTP +always_direct allow ftp + +# Direct to specified domain names +#acl mydomainname dstdomain .mydomainname.com +#always_direct allow mydomainname + +# Do not forward SSL requests to Privoxy +always_direct allow SSL_ports + # TAG: never_direct # Usage: never_direct allow|deny [!]aclname ... # @@ -7749,6 +7948,14 @@ #Default: # Allow DNS results to be used for this request. +# See http://www.privoxy.org/user-manual/config.html +# Forward all the rest to Privoxy +never_direct allow all + +# See http://www.privoxy.org/user-manual/config.html +# Forward all the rest to Privoxy +never_direct allow all + # ADVANCED NETWORKING OPTIONS # ----------------------------------------------------------------------------- @@ -8589,6 +8796,12 @@ #Default: # Use operating system definitions +# Google DNS +dns_nameservers 8.8.8.8 4.4.4.4 + +# Use LAN IP with possible backup if you're running DNS yourself +#dns_nameservers 10.0.1.3 + # TAG: hosts_file # Location of the host-local IP name-address associations # database. Most Operating Systems have such a file on different @@ -8614,6 +8827,7 @@ # definitions. #Default: # hosts_file /etc/hosts +hosts_file @PREFIX@/etc/@NAME@/@NAME@-hosts # TAG: append_domain # Appends local domain name to hostnames without any dots in @@ -8641,6 +8855,7 @@ # Maximum number of DNS IP cache entries. #Default: # ipcache_size 1024 +ipcache_size 16384 # TAG: ipcache_low (percent) #Default: @@ -8655,6 +8870,7 @@ # Maximum number of FQDN cache entries. #Default: # fqdncache_size 1024 +fqdncache_size 1048576 # MISCELLANEOUS # ----------------------------------------------------------------------------- @@ -8675,6 +8891,7 @@ # routines, disable this. #Default: # memory_pools on +memory_pools off # TAG: memory_pools_limit (bytes) # Used only with memory_pools on: @@ -8721,6 +8938,7 @@ # X-Forwarded-For entries, and place the client IP as the sole entry. #Default: # forwarded_for on +forwarded_for off # TAG: cachemgr_passwd # Specify passwords for cachemgr operations. @@ -8788,6 +9006,7 @@ # turn off client_db here. #Default: # client_db on +client_db off # TAG: refresh_all_ims on|off # When you enable this option, squid will always check @@ -8918,6 +9137,7 @@ # WARNING: pipelining breaks NTLM and Negotiate/Kerberos authentication. #Default: # Do not pre-parse pipelined requests. +pipeline_prefetch 3 # TAG: high_response_time_warning (msec) # If the one-minute median response time exceeds this value, @@ -8978,6 +9198,7 @@ # Whether to lookup the EUI or MAC address of a connected client. #Default: # eui_lookup on +eui_lookup off # TAG: max_filedescriptors # Set the maximum number of filedescriptors, either below the