# bind to port 3128
http_port 0.0.0.0:3128
# only proxy, don't cache
cache deny all
acl ssl_ports port 443
acl safe_ports port 80
acl safe_ports port 443
acl CONNECT method CONNECT
acl to_metadata dst 169.254.169.254
# read client CIDR ranges from clients.txt
acl clients src "/etc/squid/clients.txt"
# read allowed domains from allowlist.txt
acl allowlist dstdomain "/etc/squid/allowlist.txt"
# read denied domains from denylist.txt
acl denylist dstdomain "/etc/squid/denylist.txt"
# deny access to anything other than ports 80 and 443
http_access deny !safe_ports
# deny CONNECT unless the destination port is in ssl_ports (443)
http_access deny CONNECT !ssl_ports
# deny access to cachemgr
http_access deny manager
# deny access to localhost through the proxy
http_access deny to_localhost
# deny access to the instance metadata server (169.254.169.254) through the proxy
http_access deny to_metadata
# deny connections from allowed clients to any denied domain (evaluated before the allowlist, so a domain on both lists is denied)
http_access deny clients denylist
# allow connections from allowed clients only to the allowed domains
http_access allow clients allowlist
# default action for everything else (intended to be deny)
http_access ${default_action} all