53 lines
1.3 KiB
SquidConf
53 lines
1.3 KiB
SquidConf
# bind to port 3128
|
|
http_port 0.0.0.0:3128
|
|
|
|
# only proxy, don't cache
|
|
cache deny all
|
|
|
|
# redirect all logs to /dev/stdout
|
|
logfile_rotate 0
|
|
cache_log stdio:/dev/stdout
|
|
access_log stdio:/dev/stdout
|
|
cache_store_log stdio:/dev/stdout
|
|
|
|
pid_filename /var/run/squid/squid.pid
|
|
|
|
acl ssl_ports port 443
|
|
acl safe_ports port 80
|
|
acl safe_ports port 443
|
|
acl CONNECT method CONNECT
|
|
acl to_metadata dst 169.254.169.254
|
|
|
|
# read client CIDR ranges from clients.txt
|
|
acl clients src "/etc/squid/clients.txt"
|
|
|
|
# read allowed domains from allowlist.txt
|
|
acl allowlist dstdomain "/etc/squid/allowlist.txt"
|
|
|
|
# read denied domains from denylist.txt
|
|
acl denylist dstdomain "/etc/squid/denylist.txt"
|
|
|
|
# deny access to anything other than ports 80 and 443
|
|
http_access deny !safe_ports
|
|
|
|
# deny CONNECT if connection is not using ssl
|
|
http_access deny CONNECT !ssl_ports
|
|
|
|
# deny access to cachemgr
|
|
http_access deny manager
|
|
|
|
# deny access to localhost through the proxy
|
|
http_access deny to_localhost
|
|
|
|
# deny access to the local metadata server through the proxy
|
|
http_access deny to_metadata
|
|
|
|
# deny connection from allowed clients to any denied domains
|
|
http_access deny clients denylist
|
|
|
|
# allow connection from allowed clients only to the allowed domains
|
|
http_access allow clients allowlist
|
|
|
|
# deny everything else
|
|
http_access ${default_action} all
|