squid.conf
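# Squid configuration for a caching proxy that intercepts TLS (ssl-bump).
# Clients matched by "localhost" or "localnet" may use the proxy. HTTPS is
# decrypted using host certificates generated on the fly from the key and
# certificate named on the *_port lines, so clients must trust that CA.

# --- Client networks allowed to use the proxy ---
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
# RFC1918 reserves 172.16.0.0/12 only. The previous value, 172.0.0.0/8,
# also matched publicly routed addresses and treated them as local clients.
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines

# --- Destination ports the proxy is willing to contact ---
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
# Match gzipped image layers so I can remove header
# Dots are escaped so the pattern matches the literal host "docker.io"
# rather than any character in those positions.
acl docker_image_layer url_regex docker\.io/v1/images/.*/layer$
acl SSL_ports port 443
acl CONNECT method CONNECT

# --- Access rules (first match wins) ---
# Safe_ports was defined but never enforced. Denying everything outside it
# before the allow rules stops clients from using the proxy to reach other
# low-numbered service ports (mail, remote login and similar).
http_access deny !Safe_ports
# NOTE(review): SSL_ports and CONNECT are still unused. The stock rule below
# limits CONNECT tunnels to port 443; enable it unless clients need TLS
# upstreams on other ports.
#http_access deny CONNECT !SSL_ports
# NOTE(review): each "manager" line is followed by a broader allow for the
# same source, so every localnet client can query the cache manager. If that
# is not intended, add "http_access deny manager" directly after the
# localhost manager rule.
http_access allow localhost manager
http_access allow localhost
http_access allow localnet manager
http_access allow localnet
# No explicit "http_access deny all" is added here: the include at the end of
# this file may contribute further http_access rules, and a deny-all at this
# point would make them unreachable. Confirm the included files end with one.

# Time to wait for active client connections when shutting down.
shutdown_lifetime 2 seconds
# Remove Accept-Encoding header for image layers, otherwise
# layers are doubly gzipped and don't cache well.
request_header_access Accept-Encoding deny docker_image_layer

# --- Cache sizing ---
maximum_object_size 256 MB
# aufs store: 5120 MB on disk, 16 first-level and 256 second-level directories.
cache_dir aufs /var/cache/squid 5120 16 256
netdb_filename none
cache_mem 1024 MB
# refresh_pattern ^ftp: 1440 20% 10080
# refresh_pattern ^gopher: 1440 0% 1440
# refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
# refresh_pattern . 0 20% 4320
# Every URL: minimum age 1440 minutes, 20% of object age, maximum 10080
# minutes. The "." pattern also covers responses obtained through ssl-bump.
refresh_pattern . 1440 20% 10080

# --- TLS interception ---
# i mean - if you're going in, go in.
# NOTE(review): "allow all" makes Squid accept every upstream certificate
# error (expired, self-signed, wrong host). Clients only ever see the
# certificate Squid generates, so they cannot detect a spoofed origin behind
# the proxy. Prefer an ACL listing the specific destinations that need it.
sslproxy_cert_error allow all
# The key below signs certificates for any host name clients request. Keep it
# readable only by the Squid user and out of images or repositories.
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/etc/squid/certs/private.pem cert=/etc/squid/certs/<HOST>.crt
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/etc/squid/certs/private.pem cert=/etc/squid/certs/<HOST>.crt
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
# Peek at the client hello first, then decrypt at step 2. The step3 ACL is
# defined but no ssl_bump rule refers to it.
ssl_bump peek step1
ssl_bump bump step2
# Always fetch from the origin server directly, never through a cache peer.
always_direct allow all
# Files included here are parsed after everything above, so http_access rules
# in them are evaluated only for requests no earlier rule matched.
include /etc/squid/conf.d/*.conf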