Responder 
 
Avaliação do Tópico:
  • 0 Votos - 0 Média
  • 1
  • 2
  • 3
  • 4
  • 5
Squid + SquidGuard
19/10/2007, 21:49
Resposta: #1
Squid + SquidGuard
Galera, estou com outro problema, implementei o squid guard beleza, só que na hora de dá o restart no squid, além do squidguard não inicializar o squid não levanta, segue as confs:

SQUID.CONF:

# WELCOME TO SQUID 2.6.STABLE5
# ----------------------------
#
# This is the default Squid configuration file. You may wish
# to look at the Squid home page (http://www.squid-cache.org/)
# for the FAQ and other documentation.
#
# The default Squid config file shows what the defaults for
# various options happen to be. If you don't need to change the
# default, you shouldn't uncomment the line. Doing so may cause
# run-time problems. In some cases "none" refers to no default
# setting at all, while in other cases it refers to a valid
# option - the comments for that keyword indicate if this is the
# case.
#


# NETWORK OPTIONS
# -----------------------------------------------------------------------------

# TAG: http_port
# Usage: port [options]
# hostname:port [options]
# 1.2.3.4:port [options]
#
# The socket addresses where Squid will listen for HTTP client
# requests. You may specify multiple socket addresses.
# There are three forms: port alone, hostname with port, and
# IP address with port. If you specify a hostname or IP
# address, Squid binds the socket to that specific
# address. This replaces the old 'tcp_incoming_address'
# option. Most likely, you do not need to bind to a specific
# address, so you can use the port number alone.
#
# The default port number is 3128.
#
# If you are running Squid in accelerator mode, you
# probably want to listen on port 80 also, or instead.
#
# The -a command line option will override the *first* port
# number listed here. That option will NOT override an IP
# address, however.
#
# You may specify multiple socket addresses on multiple lines.
#
# options are:
# transparent Support for transparent proxies
# vhost Accelerator using Host directive
# vport Accelerator with IP virtual host support
# vport= As above, but uses specified port number
# rather than the http_port number.
# defaultsite= Main web site name for accelerators.
# urlgroup= Default urlgroup to mark requests
# with (see also acl urlgroup and
# url_rewrite_program)
# protocol= Protocol to reconstruct accelerated
# requests with. Defaults to http.
# no-connection-auth
# Prevent forwarding of Microsoft
# connection oriented authentication
# (NTLM, Negotiate and Kerberos)
# tproxy Support Linux TPROXY for spoofing
# outgoing connections using the client
# IP address.
#
# If you run Squid on a dual-homed machine with an internal
# and an external interface we recommend you to specify the
# internal address:port in http_port. This way Squid will only be
# visible on the internal address.
#
# Squid normally listens to port 3128
http_port 3128 transparent

# TAG: https_port
# Note: This option is only available if Squid is rebuilt with the
# --enable-ssl option
#
# Usage: [ip:]port cert=certificate.pem [key=key.pem] [options...]
#
# The socket address where Squid will listen for HTTPS client
# requests.
#
# This is really only useful for situations where you are running
# squid in accelerator mode and you want to do the SSL work at the
# accelerator level.
#
# You may specify multiple socket addresses on multiple lines,
# each with their own SSL certificate and/or options.
#
# Options:
#
# defaultsite= The name of the https site presented on
# this port.
#
# urlgroup= Default urlgroup to mark requests with (see
# also acl urlgroup and url_rewrite_program)
#
# protocol= Protocol to reconstruct accelerated requests
# with. Defaults to https.
#
# cert= Path to SSL certificate (PEM format)
#
# key= Path to SSL private key file (PEM format)
# if not specified, the certificate file is
# assumed to be a combined certificate and
# key file
#
# version= The version of SSL/TLS supported
# 1 automatic (default)
# 2 SSLv2 only
# 3 SSLv3 only
# 4 TLSv1 only
#
# cipher= Colon separated list of supported ciphers
#
# options= Various SSL engine options. The most important
# being:
# NO_SSLv2 Disallow the use of SSLv2
# NO_SSLv3 Disallow the use of SSLv3
# NO_TLSv1 Disallow the use of TLSv1
# SINGLE_DH_USE Always create a new key when using
# temporary/ephemeral DH key exchanges
# See src/ssl_support.c or OpenSSL SSL_CTX_set_options
# documentation for a complete list of options.
#
# clientca= File containing the list of CAs to use when
# requesting a client certificate
#
# cafile= File containing additional CA certificates to
# use when verifying client certificates. If unset
# clientca will be used.
#
# capath= Directory containing additional CA certificates
# and CRL lists to use when verifying client certificates
#
# crlfile= File of additional CRL lists to use when verifying
# the client certificate, in addition to CRLs stored in
# the capath. Implies VERIFY_CRL flag below.
#
# dhparams= File containing DH parameters for temporary/ephemeral
# DH key exchanges
#
# sslflags= Various flags modifying the use of SSL:
# DELAYED_AUTH
# Don't request client certificates
# immediately, but wait until acl processing
# requires a certificate (not yet implemented)
# NO_DEFAULT_CA
# Don't use the default CA lists built in
# to OpenSSL.
# NO_SESSION_REUSE
# Don't allow for session reuse. Each connection
# will result in a new SSL session.
# VERIFY_CRL
# Verify CRL lists when accepting client
# certificates
# VERIFY_CRL_ALL
# Verify CRL lists for all certificates in the
# client certificate chain
#
# sslcontext= SSL session ID context identifier.
#
#
#Default:
# none

# TAG: ssl_unclean_shutdown
# Note: This option is only available if Squid is rebuilt with the
# --enable-ssl option
#
# Some browsers (especially MSIE) bugs out on SSL shutdown
# messages.
#
#Default:
# ssl_unclean_shutdown off

# TAG: ssl_engine
# Note: This option is only available if Squid is rebuilt with the
# --enable-ssl option
#
# The OpenSSL engine to use. You will need to set this if you
# would like to use hardware SSL acceleration for example.
#
#Default:
# none

# TAG: sslproxy_client_certificate
# Note: This option is only available if Squid is rebuilt with the
# --enable-ssl option
#
# Client SSL Certificate to use when proxying https:// URLs
#
#Default:
# none

# TAG: sslproxy_client_key
# Note: This option is only available if Squid is rebuilt with the
# --enable-ssl option
#
# Client SSL Key to use when proxying https:// URLs
#
#Default:
# none

# TAG: sslproxy_version
# Note: This option is only available if Squid is rebuilt with the
# --enable-ssl option
#
# SSL version level to use when proxying https:// URLs
#
#Default:
# sslproxy_version 1

# TAG: sslproxy_options
# Note: This option is only available if Squid is rebuilt with the
# --enable-ssl option
#
# SSL engine options to use when proxying https:// URLs
#
#Default:
# none

# TAG: sslproxy_cipher
# Note: This option is only available if Squid is rebuilt with the
# --enable-ssl option
#
# SSL cipher list to use when proxying https:// URLs
#
#Default:
# none

# TAG: sslproxy_cafile
# Note: This option is only available if Squid is rebuilt with the
# --enable-ssl option
#
# TAG: sslproxy_capath
# Note: This option is only available if Squid is rebuilt with the
# --enable-ssl option
#
# TAG: sslproxy_flags
# Note: This option is only available if Squid is rebuilt with the
# --enable-ssl option
#
# TAG: sslpassword_program
# Note: This option is only available if Squid is rebuilt with the
# --enable-ssl option
#
# Specify a program used for entering SSL key passphrases
# when using encrypted SSL certificate keys. If not specified
# keys must either be unencrypted, or Squid started with the -N
# option to allow it to query interactively for the passphrase.
#
#Default:
# none

# TAG: icp_port
# The port number where Squid sends and receives ICP queries to
# and from neighbor caches. Default is 3130. To disable use
# "0". May be overridden with -u on the command line.
#
#Default:
# icp_port 3130

# TAG: htcp_port
# The port number where Squid sends and receives HTCP queries to
# and from neighbor caches. To turn it on you want to set it 4827.
# By default it is set to "0" (disabled).
#
#Default:
# htcp_port 0

# TAG: mcast_groups
# This tag specifies a list of multicast groups which your server
# should join to receive multicasted ICP queries.
#
# NOTE! Be very careful what you put here! Be sure you
# understand the difference between an ICP _query_ and an ICP
# _reply_. This option is to be set only if you want to RECEIVE
# multicast queries. Do NOT set this option to SEND multicast
# ICP (use cache_peer for that). ICP replies are always sent via
# unicast, so this option does not affect whether or not you will
# receive replies from multicast group members.
#
# You must be very careful to NOT use a multicast address which
# is already in use by another group of caches.
#
# If you are unsure about multicast, please read the Multicast
# chapter in the Squid FAQ (http://www.squid-cache.org/FAQ/).
#
# Usage: mcast_groups 239.128.16.128 224.0.1.20
#
# By default, Squid doesn't listen on any multicast groups.
#
#Default:
# none

# TAG: udp_incoming_address
# TAG: udp_outgoing_address
# udp_incoming_address is used for the ICP socket receiving packets
# from other caches.
# udp_outgoing_address is used for ICP packets sent out to other
# caches.
#
# The default behavior is to not bind to any specific address.
#
# A udp_incoming_address value of 0.0.0.0 indicates Squid
# should listen for UDP messages on all available interfaces.
#
# If udp_outgoing_address is set to 255.255.255.255 (the default)
# it will use the same socket as udp_incoming_address. Only
# change this if you want to have ICP queries sent using another
# address than where this Squid listens for ICP queries from other
# caches.
#
# NOTE, udp_incoming_address and udp_outgoing_address can not
# have the same value since they both use port 3130.
#
#Default:
# udp_incoming_address 0.0.0.0
# udp_outgoing_address 255.255.255.255


# OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
# -----------------------------------------------------------------------------

# TAG: cache_peer
# To specify other caches in a hierarchy, use the format:
#
# cache_peer hostname type http_port icp_port [options]
#
# For example,
#
# # proxy icp
# # hostname type port port options
# # -------------------- -------- ----- ----- -----------
# cache_peer parent.foo.net parent 3128 3130 [proxy-only]
# cache_peer sib1.foo.net sibling 3128 3130 [proxy-only]
# cache_peer sib2.foo.net sibling 3128 3130 [proxy-only]
#
# type: either 'parent', 'sibling', or 'multicast'.
#
# proxy_port: The port number where the cache listens for proxy
# requests.
#
# icp_port: Used for querying neighbor caches about
# objects. To have a non-ICP neighbor
# specify '7' for the ICP port and make sure the
# neighbor machine has the UDP echo port
# enabled in its /etc/inetd.conf file.
#
# options: proxy-only
# weight=n
# ttl=n
# no-query
# default
# round-robin
# multicast-responder
# closest-only
# no-digest
# no-netdb-exchange
# no-delay
# login=user:password | PASS | *:password
# connect-timeout=nn
# digest-url=url
# allow-miss
# max-conn
# htcp
# htcp-oldsquid
# carp-load-factor
# originserver
# userhash
# sourcehash
# name=xxx
# monitorurl=url
# monitorsize=sizespec
# monitorinterval=seconds
# monitortimeout=seconds
# group=name
# forceddomain=name
# ssl
# sslcert=/path/to/ssl/certificate
# sslkey=/path/to/ssl/key
# sslversion=1|2|3|4
# sslcipher=...
# ssloptions=...
# front-end-https[=on|auto]
# connection-auth[=on|off|auto]
#
# use 'proxy-only' to specify objects fetched
# from this cache should not be saved locally.
#
# use 'weight=n' to specify a weighted parent.
# The weight must be an integer. The default weight
# is 1, larger weights are favored more.
#
# use 'ttl=n' to specify a IP multicast TTL to use
# when sending an ICP queries to this address.
# Only useful when sending to a multicast group.
# Because we don't accept ICP replies from random
# hosts, you must configure other group members as
# peers with the 'multicast-responder' option below.
#
# use 'no-query' to NOT send ICP queries to this
# neighbor.
#
# use 'default' if this is a parent cache which can
# be used as a "last-resort." You should probably
# only use 'default' in situations where you cannot
# use ICP with your parent cache(s).
#
# use 'round-robin' to define a set of parents which
# should be used in a round-robin fashion in the
# absence of any ICP queries.
#
# 'multicast-responder' indicates the named peer
# is a member of a multicast group. ICP queries will
# not be sent directly to the peer, but ICP replies
# will be accepted from it.
#
# 'closest-only' indicates that, for ICP_OP_MISS
# replies, we'll only forward CLOSEST_PARENT_MISSes
# and never FIRST_PARENT_MISSes.
#
# use 'no-digest' to NOT request cache digests from
# this neighbor.
#
# 'no-netdb-exchange' disables requesting ICMP
# RTT database (NetDB) from the neighbor.
#
# use 'no-delay' to prevent access to this neighbor
# from influencing the delay pools.
#
# use 'login=user:password' if this is a personal/workgroup
# proxy and your parent requires proxy authentication.
# Note: The string can include URL escapes (i.e. %20 for
# spaces). This also means % must be written as %%.
#
# use 'login=PASS' to forward authentication to the peer.
# Needed if the peer requires login.
# Note: To combine this with local authentication the Basic
# authentication scheme must be used, and both servers must
# share the same user database as HTTP only allows for
# a single login (one for proxy, one for origin server).
#
# use 'login=*:password' to pass the username to the
# upstream cache, but with a fixed password. This is meant
# to be used when the peer is in another administrative
# domain, but it is still needed to identify each user.
# The star can optionally be followed by some extra
# information which is added to the username. This can
# be used to identify this proxy to the peer, similar to
# the login=username:password option above.
#
# use 'connect-timeout=nn' to specify a peer
# specific connect timeout (also see the
# peer_connect_timeout directive)
#
# use 'digest-url=url' to tell Squid to fetch the cache
# digest (if digests are enabled) for this host from
# the specified URL rather than the Squid default
# location.
#
# use 'allow-miss' to disable Squid's use of only-if-cached
# when forwarding requests to siblings. This is primarily
# useful when icp_hit_stale is used by the sibling. To
# extensive use of this option may result in forwarding
# loops, and you should avoid having two-way peerings
# with this option. (for example to deny peer usage on
# requests from peer by denying cache_peer_access if the
# source is a peer)
#
# use 'max-conn' to limit the amount of connections Squid
# may open to this peer.
#
# use 'htcp' to send HTCP, instead of ICP, queries
# to the neighbor. You probably also want to
# set the "icp port" to 4827 instead of 3130.
#
# use 'htcp-oldsquid' to send HTCP to old Squid versions
#
# use 'carp-load-factor=f' to define a parent
# cache as one participating in a CARP array.
# The 'f' values for all CARP parents must add
# up to 1.0.
#
# 'originserver' causes this parent peer to be contacted as
# a origin server. Meant to be used in accelerator setups.
#
# use 'userhash' to load-balance amongst a set of parents
# based on the client proxy_auth or ident username.
#
# use 'sourcehash' to load-balanse amongs a set of parents
# based on the client source ip.
#
# use 'name=xxx' if you have multiple peers on the same
# host but different ports. This name can then be used to
# differentiate the peers in cache_peer_access and similar
# directives.
#
# use 'monitorurl=url' to have periodically request a given
# URL from the peer, and only consider the peer as alive
# if this monitoring is successful (default none)
#
# use 'monitorsize=min[-max]' to limit the size range of
# 'monitorurl' replies considered valid. Defaults to 0 to
# accept any size replies as valid.
#
# use 'monitorinterval=seconds' to change frequency of
# how often the peer is monitored with 'monitorurl'
# (default 300 for a 5 minute interval). If set to 0
# then monitoring is disabled even if a URL is defined.
#
# use 'monitortimeout=seconds' to change the timeout of
# 'monitorurl'. Defaults to 'monitorinterval'.
#
# use 'forceddomain=name' to forcibly set the Host header
# of requests forwarded to this peer. Useful in accelerator
# setups where the server (peer) expects a certain domain
# name and using redirectors to feed this domain name
# is not feasible.
#
# use 'ssl' to indicate that connections to this peer should
# bs SSL/TLS encrypted.
#
# use 'sslcert=/path/to/ssl/certificate' to specify a client
# SSL certificate to use when connecting to this peer.
#
# use 'sslkey=/path/to/ssl/key' to specify the private SSL
# key corresponding to sslcert above. If 'sslkey' is not
# specified then 'sslcert' is assumed to reference a
# combined file containing both the certificate and the key.
#
# use sslversion=1|2|3|4 to specify the SSL version to use
# when connecting to this peer
# 1 = automatic (default)
# 2 = SSL v2 only
# 3 = SSL v3 only
# 4 = TLS v1 only
#
# use sslcipher=... to specify the list of valid SSL ciphers
# to use when connecting to this peer.
#
# use ssloptions=... to specify various SSL engine options:
# NO_SSLv2 Disallow the use of SSLv2
# NO_SSLv3 Disallow the use of SSLv3
# NO_TLSv1 Disallow the use of TLSv1
# See src/ssl_support.c or the OpenSSL documentation for
# a more complete list.
#
# use sslcafile=... to specify a file containing
# additional CA certificates to use when verifying the
# peer certificate.
#
# use sslcapath=... to specify a directory containing
# additional CA certificates to use when verifying the
# peer certificate.
#
# use sslcrlfile=... to specify a certificate revocation
# list file to use when verifying the peer certificate.
#
# use sslflags=... to specify various flags modifying the
# SSL implementation:
# DONT_VERIFY_PEER
# Accept certificates even if they fail to
# verify.
# NO_DEFAULT_CA
# Don't use the default CA list built in
# to OpenSSL.
#
# use ssldomain= to specify the peer name as advertised
# in it's certificate. Used for verifying the correctness
# of the received peer certificate. If not specified the
# peer hostname will be used.
#
# use front-end-https to enable the "Front-End-Https: On"
# header needed when using Squid as a SSL frontend in front
# of Microsoft OWA. See MS KB document Q307347 for details
# on this header. If set to auto then the header will
# only be added if the request is forwarded as a https://
# URL.
#
# use connection-auth=off to tell Squid that this peer does
# not support Microsoft connection oriented authentication,
# and any such challenges received from there should be
# ignored. Default is auto to automatically determine the
# status of the peer.
#
# NOTE: non-ICP/HTCP neighbors must be specified as 'parent'.
#
#Default:
# none

# TAG: cache_peer_domain
# Use to limit the domains for which a neighbor cache will be
# queried. Usage:
#
# cache_peer_domain cache-host domain [domain ...]
# cache_peer_domain cache-host !domain
#
# For example, specifying
#
# cache_peer_domain parent.foo.net .edu
#
# has the effect such that UDP query packets are sent to
# 'bigserver' only when the requested object exists on a
# server in the .edu domain. Prefixing the domain name
# with '!' means the cache will be queried for objects
# NOT in that domain.
#
# NOTE: * Any number of domains may be given for a cache-host,
# either on the same or separate lines.
# * When multiple domains are given for a particular
# cache-host, the first matched domain is applied.
# * Cache hosts with no domain restrictions are queried
# for all requests.
# * There are no defaults.
# * There is also a 'cache_peer_access' tag in the ACL
# section.
#
#Default:
# none

# TAG: neighbor_type_domain
# usage: neighbor_type_domain neighbor parent|sibling domain domain ...
#
# Modifying the neighbor type for specific domains is now
# possible. You can treat some domains differently than the the
# default neighbor type specified on the 'cache_peer' line.
# Normally it should only be necessary to list domains which
# should be treated differently because the default neighbor type
# applies for hostnames which do not match domains listed here.
#
#EXAMPLE:
# cache_peer parent cache.foo.org 3128 3130
# neighbor_type_domain cache.foo.org sibling .com .net
# neighbor_type_domain cache.foo.org sibling .au .de
#
#Default:
# none

# TAG: icp_query_timeout (msec)
# Normally Squid will automatically determine an optimal ICP
# query timeout value based on the round-trip-time of recent ICP
# queries. If you want to override the value determined by
# Squid, set this 'icp_query_timeout' to a non-zero value. This
# value is specified in MILLISECONDS, so, to use a 2-second
# timeout (the old default), you would write:
#
# icp_query_timeout 2000
#
#Default:
# icp_query_timeout 0

# TAG: maximum_icp_query_timeout (msec)
# Normally the ICP query timeout is determined dynamically. But
# sometimes it can lead to very large values (say 5 seconds).
# Use this option to put an upper limit on the dynamic timeout
# value. Do NOT use this option to always use a fixed (instead
# of a dynamic) timeout value. To set a fixed timeout see the
# 'icp_query_timeout' directive.
#
#Default:
# maximum_icp_query_timeout 2000

# TAG: mcast_icp_query_timeout (msec)
# For multicast peers, Squid regularly sends out ICP "probes" to
# count how many other peers are listening on the given multicast
# address. This value specifies how long Squid should wait to
# count all the replies. The default is 2000 msec, or 2
# seconds.
#
#Default:
# mcast_icp_query_timeout 2000

# TAG: dead_peer_timeout (seconds)
# This controls how long Squid waits to declare a peer cache
# as "dead." If there are no ICP replies received in this
# amount of time, Squid will declare the peer dead and not
# expect to receive any further ICP replies. However, it
# continues to send ICP queries, and will mark the peer as
# alive upon receipt of the first subsequent ICP reply.
#
# This timeout also affects when Squid expects to receive ICP
# replies from peers. If more than 'dead_peer' seconds have
# passed since the last ICP reply was received, Squid will not
# expect to receive an ICP reply on the next query. Thus, if
# your time between requests is greater than this timeout, you
# will see a lot of requests sent DIRECT to origin servers
# instead of to your parents.
#
#Default:
# dead_peer_timeout 10 seconds

# TAG: hierarchy_stoplist
# A list of words which, if found in a URL, cause the object to
# be handled directly by this cache. In other words, use this
# to not query neighbor caches for certain objects. You may
# list this option multiple times. Note: never_direct overrides
# this option.
#We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?

# TAG: cache
# A list of ACL elements which, if matched, cause the request to
# not be satisfied from the cache and the reply to not be cached.
# In other words, use this to force certain objects to never be cached.
#
# You must use the word 'DENY' to indicate the ACL names which should
# NOT be cached.
#
# Default is to allow all to be cached
#We recommend you to use the following two lines.
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY

# TAG: cache_vary
# Set to off to disable caching of Vary:in objects.
#
#Default:
# cache_vary on

# TAG: broken_vary_encoding
# Many servers have broken support for on-the-fly Content-Encoding,
# returning the same ETag on both plain and gzip:ed variants.
# Vary replies matching this access list will have the cache split
# on the Accept-Encoding header of the request and not trusting the
# ETag to be unique.
#
# Apache mod_gzip and mod_deflate known to be broken so don't trust
# Apache to signal ETag correctly on such responses
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache


# OPTIONS WHICH AFFECT THE CACHE SIZE
# -----------------------------------------------------------------------------

# TAG: cache_mem (bytes)
# NOTE: THIS PARAMETER DOES NOT SPECIFY THE MAXIMUM PROCESS SIZE.
# IT ONLY PLACES A LIMIT ON HOW MUCH ADDITIONAL MEMORY SQUID WILL
# USE AS A MEMORY CACHE OF OBJECTS. SQUID USES MEMORY FOR OTHER
# THINGS AS WELL. SEE THE SQUID FAQ SECTION 8 FOR DETAILS.
#
# 'cache_mem' specifies the ideal amount of memory to be used
# for:
# * In-Transit objects
# * Hot Objects
# * Negative-Cached objects
#
# Data for these objects are stored in 4 KB blocks. This
# parameter specifies the ideal upper limit on the total size of
# 4 KB blocks allocated. In-Transit objects take the highest
# priority.
#
# In-transit objects have priority over the others. When
# additional space is needed for incoming data, negative-cached
# and hot objects will be released. In other words, the
# negative-cached and hot objects will fill up any unused space
# not needed for in-transit objects.
#
# If circumstances require, this limit will be exceeded.
# Specifically, if your incoming request rate requires more than
# 'cache_mem' of memory to hold in-transit objects, Squid will
# exceed this limit to satisfy the new requests. When the load
# decreases, blocks will be freed until the high-water mark is
# reached. Thereafter, blocks will be used to store hot
# objects.
#
#Default:
# cache_mem 8 MB

# TAG: cache_swap_low (percent, 0-100)
# TAG: cache_swap_high (percent, 0-100)
#
# The low- and high-water marks for cache object replacement.
# Replacement begins when the swap (disk) usage is above the
# low-water mark and attempts to maintain utilization near the
# low-water mark. As swap utilization gets close to high-water
# mark object eviction becomes more aggressive. If utilization is
# close to the low-water mark less replacement is done each time.
#
# Defaults are 90% and 95%. If you have a large cache, 5% could be
# hundreds of MB. If this is the case you may wish to set these
# numbers closer together.
#
#Default:
# cache_swap_low 90
# cache_swap_high 95

# TAG: maximum_object_size (bytes)
# Objects larger than this size will NOT be saved on disk. The
# value is specified in kilobytes, and the default is 4MB. If
# you wish to get a high BYTES hit ratio, you should probably
# increase this (one 32 MB object hit counts for 3200 10KB
# hits). If you wish to increase speed more than your want to
# save bandwidth you should leave this low.
#
# NOTE: if using the LFUDA replacement policy you should increase
# this value to maximize the byte hit rate improvement of LFUDA!
# See replacement_policy below for a discussion of this policy.
#
#Default:
# maximum_object_size 4096 KB

# TAG: minimum_object_size (bytes)
# Objects smaller than this size will NOT be saved on disk. The
# value is specified in kilobytes, and the default is 0 KB, which
# means there is no minimum.
#
#Default:
# minimum_object_size 0 KB

# TAG: maximum_object_size_in_memory (bytes)
# Objects greater than this size will not be attempted to kept in
# the memory cache. This should be set high enough to keep objects
# accessed frequently in memory to improve performance whilst low
# enough to keep larger objects from hoarding cache_mem.
#
#Default:
# maximum_object_size_in_memory 8 KB

# TAG: ipcache_size (number of entries)
# TAG: ipcache_low (percent)
# TAG: ipcache_high (percent)
# The size, low-, and high-water marks for the IP cache.
#
#Default:
# ipcache_size 1024
# ipcache_low 90
# ipcache_high 95

# TAG: fqdncache_size (number of entries)
# Maximum number of FQDN cache entries.
#
#Default:
# fqdncache_size 1024

# TAG: cache_replacement_policy
# The cache replacement policy parameter determines which
# objects are evicted (replaced) when disk space is needed.
#
# lru : Squid's original list based LRU policy
# heap GDSF : Greedy-Dual Size Frequency
# heap LFUDA: Least Frequently Used with Dynamic Aging
# heap LRU : LRU policy implemented using a heap
#
# Applies to any cache_dir lines listed below this.
#
# The LRU policies keeps recently referenced objects.
#
# The heap GDSF policy optimizes object hit rate by keeping smaller
# popular objects in cache so it has a better chance of getting a
# hit. It achieves a lower byte hit rate than LFUDA though since
# it evicts larger (possibly popular) objects.
#
# The heap LFUDA policy keeps popular objects in cache regardless of
# their size and thus optimizes byte hit rate at the expense of
# hit rate since one large, popular object will prevent many
# smaller, slightly less popular objects from being cached.
#
# Both policies utilize a dynamic aging mechanism that prevents
# cache pollution that can otherwise occur with frequency-based
# replacement policies.
#
# NOTE: if using the LFUDA replacement policy you should increase
# the value of maximum_object_size above its default of 4096 KB to
# to maximize the potential byte hit rate improvement of LFUDA.
#
# For more information about the GDSF and LFUDA cache replacement
# policies see http://www.hpl.hp.com/techreports/1999/HPL-1999-69.html
# and http://fog.hpl.external.hp.com/techrepo ... 8-173.html.
#
#Default:
# cache_replacement_policy lru

# TAG: memory_replacement_policy
# The memory replacement policy parameter determines which
# objects are purged from memory when memory space is needed.
#
# See cache_replacement_policy for details.
#
#Default:
# memory_replacement_policy lru


# LOGFILE PATHNAMES AND CACHE DIRECTORIES
# -----------------------------------------------------------------------------

# TAG: cache_dir
# Usage:
#
# cache_dir Type Directory-Name Fs-specific-data [options]
#
# You can specify multiple cache_dir lines to spread the
# cache among different disk partitions.
#
# Type specifies the kind of storage system to use. Only "ufs"
# is built by default. To enable any of the other storage systems
# see the --enable-storeio configure option.
#
# 'Directory' is a top-level directory where cache swap
# files will be stored. If you want to use an entire disk
# for caching, this can be the mount-point directory.
# The directory must exist and be writable by the Squid
# process. Squid will NOT create this directory for you.
# Only using COSS, a raw disk device or a stripe file can
# be specified, but the configuration of the "cache_wap_log"
# tag is mandatory.
#
# The ufs store type:
#
# "ufs" is the old well-known Squid storage format that has always
# been there.
#
# cache_dir ufs Directory-Name Mbytes L1 L2 [options]
#
# 'Mbytes' is the amount of disk space (MB) to use under this
# directory. The default is 100 MB. Change this to suit your
# configuration. Do NOT put the size of your disk drive here.
# Instead, if you want Squid to use the entire disk drive,
# subtract 20% and use that value.
#
# 'Level-1' is the number of first-level subdirectories which
# will be created under the 'Directory'. The default is 16.
#
# 'Level-2' is the number of second-level subdirectories which
# will be created under each first-level directory. The default
# is 256.
#
# The aufs store type:
#
# "aufs" uses the same storage format as "ufs", utilizing
# POSIX-threads to avoid blocking the main Squid process on
# disk-I/O. This was formerly known in Squid as async-io.
#
# cache_dir aufs Directory-Name Mbytes L1 L2 [options]
#
# see argument descriptions under ufs above
#
# The diskd store type:
#
# "diskd" uses the same storage format as "ufs", utilizing a
# separate process to avoid blocking the main Squid process on
# disk-I/O.
#
# cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n]
#
# see argument descriptions under ufs above
#
# Q1 specifies the number of unacknowledged I/O requests when Squid
# stops opening new files. If this many messages are in the queues,
# Squid won't open new files. Default is 64
#
# Q2 specifies the number of unacknowledged messages when Squid
# starts blocking. If this many messages are in the queues,
# Squid blocks until it receives some replies. Default is 72
#
# When Q1 < Q2 (the default), the cache directory is optimized
# for lower response time at the expense of a decrease in hit
# ratio. If Q1 > Q2, the cache directory is optimized for
# higher hit ratio at the expense of an increase in response
# time.
#
# The COSS store type:
#
# block-size=n defines the "block size" for COSS cache_dir's.
# Squid uses file numbers as block numbers. Since file numbers
# are limited to 24 bits, the block size determines the maximum
# size of the COSS partition. The default is 512 bytes, which
# leads to a maximum cache_dir size of 512<<24, or 8 GB. Note
# you should not change the COSS block size after Squid
# has written some objects to the cache_dir.
#
# overwrite-percent=n defines the percentage of disk that COSS
# must write to before a given object will be moved to the
# current stripe. A value of "n" closer to 100 will cause COSS
# to waste less disk space by having multiple copies of an object
# on disk, but will increase the chances of overwriting a popular
# object as COSS overwrites stripes. A value of "n" close to 0
# will cause COSS to keep all current objects in the current COSS
# stripe at the expense of the hit rate. The default value of 50
# will allow any given object to be stored on disk a maximum of
# 2 times.
#
# max-stripe-waste=n defines the maximum amount of space that COSS
# will waste in a given stripe (in bytes). When COSS writes data
# to disk, it will potentially waste up to "max-size" worth of disk
# space for each 1MB of data written. If "max-size" is set to a
# large value (ie >256k), this could potentially result in large
# amounts of wasted disk space. Setting this value to a lower value
# (ie 64k or 32k) will result in a COSS disk refusing to cache
# larger objects until the COSS stripe has been filled to within
# "max-stripe-waste" of the maximum size (1MB).
#
# membufs=n defines the number of "memory-only" stripes that COSS
# will use. When an cache hit is performed on a COSS stripe before
# COSS has reached the overwrite-percent value for that object,
# COSS will use a series of memory buffers to hold the object in
# while the data is sent to the client. This will define the maximum
# number of memory-only buffers that COSS will use. The default value
# is 10, which will use a maximum of 10MB of memory for buffers.
#
# maxfullbufs=n defines the maximum number of stripes a COSS partition
# will have in memory waiting to be freed (either because the disk is
# under load and the stripe is unwritten, or because clients are still
# transferring data from objects using the memory). In order to try
# and maintain a good hit rate under load, COSS will reserve the last
# 2 full stripes for object hits. (ie a COSS cache_dir will reject
# new objects when the number of full stripes is 2 less than maxfullbufs)
#
# Common options:
#
# read-only, this cache_dir is read only.
#
# max-size=n, refers to the max object size this storedir supports.
# It is used to initially choose the storedir to dump the object.
# Note: To make optimal use of the max-size limits you should order
# the cache_dir lines with the smallest max-size value first and the
# ones with no max-size specification last.
#
# Note that for coss, max-size must be less than COSS_MEMBUF_SZ
# (hard coded at 1 MB).
#
#Default:
# cache_dir ufs /var/spool/squid 100 16 256

# TAG: logformat
# Usage:
#
# logformat <name> <format specification>
#
# Defines an access log format.
#
# The <format specification> is a string with embedded % format codes
#
# % format codes all follow the same basic structure where all but
# the formatcode is optional. Output strings are automatically escaped
# as required according to their context and the output format
# modifiers are usually not needed, but can be specified if an explicit
# output format is desired.
#
# % ["|[|'|#] [-] [[0]width] [{argument}] formatcode
#
# " output in quoted string format
# [ output in squid text log format as used by log_mime_hdrs
# # output in URL quoted format
# ' output as-is
#
# - left aligned
# width field width. If starting with 0 then the
# output is zero padded
# {arg} argument such as header name etc
#
# Format codes:
#
# >a Client source IP address
# >A Client FQDN
# <A Server IP address or peer name
# la Local IP address (http_port)
# lp Local port number (http_port)
# ts Seconds since epoch
# tu subsecond time (milliseconds)
# tl Local time. Optional strftime format argument
# default %d/%b/%Y:%H:%M:%S %z
# tg GMT time. Optional strftime format argument
# default %d/%b/%Y:%H:%M:%S %z
# tr Response time (milliseconds)
# >h Request header. Optional header name argument
# on the format header[:[separator]element]
# <h Reply header. Optional header name argument
# as for >h
# un User name
# ul User login
# ui User ident
# us User SSL
# ue User external acl
# Hs HTTP status code
# Ss Squid request status (TCP_MISS etc)
# Sh Squid hierarchy status (DEFAULT_PARENT etc)
# mt MIME content type
# rm Request method (GET/POST etc)
# ru Request URL
# rv Request protocol version
# ea Log string returned by external acl
# <st Reply size including HTTP headers
# % a literal % character
#
#logformat squid %ts.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt
#logformat squidmime %ts.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt [%>h] [%<h]
#logformat common %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st %Ss:%Sh
#logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
#
#Default:
# none

# TAG: access_log
# These files log client request activities. Has a line every HTTP or
# ICP request. The format is:
# access_log <filepath> [<logformat name> [acl acl ...]]
#
# Will log to the specified file using the specified format (which
# must be defined in a logformat directive) those entries which match
# ALL the acl's specified (which must be defined in acl clauses).
# If no acl is specified, all requests will be logged to this file.
#
# To disable logging of a request use the filepath "none", in which case
# a logformat name should not be specified.
#
# To log the request via syslog specify a filepath of "syslog"
access_log /var/log/squid/access.log squid

# TAG: cache_log
# Cache logging file. This is where general information about
# your cache's behavior goes. You can increase the amount of data
# logged to this file with the "debug_options" tag below.
#
#Default:
# cache_log /var/log/squid/cache.log

# TAG: cache_store_log
# Logs the activities of the storage manager. Shows which
# objects are ejected from the cache, and which objects are
# saved and for how long. To disable, enter "none". There are
# not really utilities to analyze this data, so you can safely
# disable it.
#
#Default:
# cache_store_log /var/log/squid/store.log

# TAG: cache_swap_log
# Location for the cache "swap.state" file. This log file holds
# the metadata of objects saved on disk. It is used to rebuild
# the cache during startup. Normally this file resides in each
# 'cache_dir' directory, but you may specify an alternate
# pathname here. Note you must give a full filename, not just
# a directory. Since this is the index for the whole object
# list you CANNOT periodically rotate it!
#
# If %s can be used in the file name it will be replaced with a
# a representation of the cache_dir name where each / is replaced
# with '.'. This is needed to allow adding/removing cache_dir
# lines when cache_swap_log is being used.
#
# If have more than one 'cache_dir', and %s is not used in the name
# these swap logs will have names such as:
#
# cache_swap_log.00
# cache_swap_log.01
# cache_swap_log.02
#
# The numbered extension (which is added automatically)
# corresponds to the order of the 'cache_dir' lines in this
# configuration file. If you change the order of the 'cache_dir'
# lines in this file, these log files will NOT correspond to
# the correct 'cache_dir' entry (unless you manually rename
# them). We recommend you do NOT use this option. It is
# better to keep these log files in each 'cache_dir' directory.
#
#Default:
# none

# TAG: emulate_httpd_log on|off
# The Cache can emulate the log file format which many 'httpd'
# programs use. To disable/enable this emulation, set
# emulate_httpd_log to 'off' or 'on'. The default
# is to use the native log format since it includes useful
# information Squid-specific log analyzers use.
#
#Default:
# emulate_httpd_log off

# TAG: log_ip_on_direct on|off
# Log the destination IP address in the hierarchy log tag when going
# direct. Earlier Squid versions logged the hostname here. If you
# prefer the old way set this to off.
#
#Default:
# log_ip_on_direct on

# TAG: mime_table
# Pathname to Squid's MIME table. You shouldn't need to change
# this, but the default file contains examples and formatting
# information if you do.
#
#Default:
# mime_table /usr/share/squid/mime.conf

# TAG: log_mime_hdrs on|off
# The Cache can record both the request and the response MIME
# headers for each HTTP transaction. The headers are encoded
# safely and will appear as two bracketed fields at the end of
# the access log (for either the native or httpd-emulated log
# formats). To enable this logging set log_mime_hdrs to 'on'.
#
#Default:
# log_mime_hdrs off

# TAG: useragent_log
# Squid will write the User-Agent field from HTTP requests
# to the filename specified here. By default useragent_log
# is disabled.
#
#Default:
# none

# TAG: referer_log
# Squid will write the Referer field from HTTP requests to the
# filename specified here. By default referer_log is disabled.
# Note that "referer" is actually a misspelling of "referrer"
# however the misspelt version has been accepted into the HTTP RFCs
# and we accept both.
#
#Default:
# none

# TAG: pid_filename
# A filename to write the process-id to. To disable, enter "none".
#
#Default:
# pid_filename /var/run/squid.pid

# TAG: debug_options
# Logging options are set as section,level where each source file
# is assigned a unique section. Lower levels result in less
# output, Full debugging (level 9) can result in a very large
# log file, so be careful. The magic word "ALL" sets debugging
# levels for all sections. We recommend normally running with
# "ALL,1".
#
#Default:
# debug_options ALL,1

# TAG: log_fqdn on|off
# Turn this on if you wish to log fully qualified domain names
# in the access.log. To do this Squid does a DNS lookup of all
# IP's connecting to it. This can (in some situations) increase
# latency, which makes your cache seem slower for interactive
# browsing.
#
#Default:
# log_fqdn off

# TAG: client_netmask
# A netmask for client addresses in logfiles and cachemgr output.
# Change this to protect the privacy of your cache clients.
# A netmask of 255.255.255.0 will log all IP's in that range with
# the last digit set to '0'.
#
#Default:
# client_netmask 255.255.255.255


# OPTIONS FOR EXTERNAL SUPPORT PROGRAMS
# -----------------------------------------------------------------------------

# TAG: ftp_user
# If you want the anonymous login password to be more informative
# (and enable the use of picky ftp servers), set this to something
# reasonable for your domain, like [email protected]
#
# The reason why this is domainless by default is the
# request can be made on the behalf of a user in any domain,
# depending on how the cache is used.
# Some ftp server also validate the email address is valid
# (for example perl.com).
#
#Default:
# ftp_user [email protected]

# TAG: ftp_list_width
# Sets the width of ftp listings. This should be set to fit in
# the width of a standard browser. Setting this too small
# can cut off long filenames when browsing ftp sites.
#
#Default:
# ftp_list_width 32

# TAG: ftp_passive
# If your firewall does not allow Squid to use passive
# connections, turn off this option.
#
#Default:
# ftp_passive on

# TAG: ftp_sanitycheck
# For security and data integrity reasons Squid by default performs
# sanity checks of the addresses of FTP data connections ensure the
# data connection is to the requested server. If you need to allow
# FTP connections to servers using another IP address for the data
# connection turn this off.
#
#Default:
# ftp_sanitycheck on

# TAG: ftp_telnet_protocol
# The FTP protocol is officially defined to use the telnet protocol
# as transport channel for the control connection. However, many
# implementations are broken and does not respect this aspect of
# the FTP protocol.
#
# If you have trouble accessing files with ASCII code 255 in the
# path or similar problems involving this ASCII code you can
# try setting this directive to off. If that helps, report to the
# operator of the FTP server in question that their FTP server
# is broken and does not follow the FTP standard.
#
#Default:
# ftp_telnet_protocol on

# TAG: check_hostnames
# For security and stability reasons Squid by default checks
# hostnames for Internet standard RFC compliance. If you do not want
# Squid to perform these checks then turn this directive off.
#
#Default:
# check_hostnames on

# TAG: allow_underscore
# Underscore characters is not strictly allowed in Internet hostnames
# but nevertheless used by many sites. Set this to off if you want
# Squid to be strict about the standard.
#
#Default:
# allow_underscore on

# TAG: cache_dns_program
# Note: This option is only available if Squid is rebuilt with the
# --disable-internal-dns option
#
# Specify the location of the executable for dnslookup process.
#
#Default:
# cache_dns_program /usr/lib/squid/dnsserver

# TAG: dns_children
# Note: This option is only available if Squid is rebuilt with the
# --disable-internal-dns option
#
# The number of processes spawn to service DNS name lookups.
# For heavily loaded caches on large servers, you should
# probably increase this value to at least 10. The maximum
# is 32. The default is 5.
#
# You must have at least one dnsserver process.
#
#Default:
# dns_children 5

# TAG: dns_retransmit_interval
# Initial retransmit interval for DNS queries. The interval is
# doubled each time all configured DNS servers have been tried.
#
#
#Default:
# dns_retransmit_interval 5 seconds

# TAG: dns_timeout
# DNS Query timeout. If no response is received to a DNS query
# within this time all DNS servers for the queried domain
# are assumed to be unavailable.
#
#Default:
# dns_timeout 2 minutes

# TAG: dns_defnames on|off
# Normally the RES_DEFNAMES resolver option is disabled
# (see res_init(3)). This prevents caches in a hierarchy
# from interpreting single-component hostnames locally. To allow
# Squid to handle single-component names, enable this option.
#
#Default:
# dns_defnames off

# TAG: dns_nameservers
# Use this if you want to specify a list of DNS name servers
# (IP addresses) to use instead of those given in your
# /etc/resolv.conf file.
# On Windows platforms, if no value is specified here or in
# the /etc/resolv.conf file, the list of DNS name servers are
# taken from the Windows registry, both static and dynamic DHCP
# configurations are supported.
#
# Example: dns_nameservers 10.0.0.1 192.172.0.4
#
#Default:
# none

# TAG: hosts_file
# Location of the host-local IP name-address associations
# database. Most Operating Systems have such a file on different
# default locations:
# - Un*X & Linux: /etc/hosts
# - Windows NT/2000: %SystemRoot%\system32\drivers\etc\hosts
# (%SystemRoot% value install default is c:\winnt)
# - Windows XP/2003: %SystemRoot%\system32\drivers\etc\hosts
# (%SystemRoot% value install default is c:\windows)
# - Windows 9x/Me: %windir%\hosts
# (%windir% value is usually c:\windows)
# - Cygwin: /etc/hosts
#
# The file contains newline-separated definitions, in the
# form ip_address_in_dotted_form name [name ...] names are
# whitespace-separated. Lines beginning with an hash (#)
# character are comments.
#
# The file is checked at startup and upon configuration.
# If set to 'none', it won't be checked.
# If append_domain is used, that domain will be added to
# domain-local (i.e. not containing any dot character) host
# definitions.
#
#Default:
# hosts_file /etc/hosts
#
hosts_file /etc/hosts

# TAG: diskd_program
# Specify the location of the diskd executable.
# Note that this is only useful if you have compiled in
# diskd as one of the store io modules.
#
#Default:
# diskd_program /usr/lib/squid/diskd-daemon

# TAG: unlinkd_program
# Specify the location of the executable for file deletion process.
#
#Default:
# unlinkd_program /usr/lib/squid/unlinkd

# TAG: pinger_program
# Note: This option is only available if Squid is rebuilt with the
# --enable-icmp option
#
# Specify the location of the executable for the pinger process.
#
#Default:
# pinger_program /usr/lib/squid/pinger

# TAG: url_rewrite_program
# Specify the location of the executable for the URL rewriter.
# Since they can perform almost any function there isn't one included.
#
# For each requested URL rewriter will receive on line with the format
#
# URL <SP> client_ip "/" fqdn <SP> user <SP> method <SP> urlgroup <NL>
#
# And the rewriter may return a rewritten URL. The other components of
# the request line does not need to be returned (ignored if they are).
#
# The rewriter can also indicate that a client-side redirect should
# be performed to the new URL. This is done by prefixing the returned
# URL with "301:" (moved permanently) or 302: (moved temporarily).
#
# It can also return a "urlgroup" that can subsequently be matched
# in cache_peer_access and similar ACL driven rules. An urlgroup is
# returned by prefixing the returned url with "!urlgroup!"
#
# By default, a URL rewriter is not used.
#
#Default:
redirect_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf

# TAG: url_rewrite_children
# The number of redirector processes to spawn. If you start
# too few Squid will have to wait for them to process a backlog of
# URLs, slowing it down. If you start too many they will use RAM
# and other system resources.
#
#Default:
# url_rewrite_children 5

# TAG: url_rewrite_concurrency
# The number of requests each redirector helper can handle in
# parallel. Defaults to 0 which indicates that the redirector
# is a old-style singlethreaded redirector.
#
#Default:
# url_rewrite_concurrency 0

# TAG: url_rewrite_host_header
# By default Squid rewrites any Host: header in redirected
# requests. If you are running an accelerator this may
# not be a wanted effect of a redirector.
#
# WARNING: Entries are cached on the result of the URL rewriting
# process, so be careful if you have domain-virtual hosts.
#
#Default:
# url_rewrite_host_header on

# TAG: url_rewrite_access
# If defined, this access list specifies which requests are
# sent to the redirector processes. By default all requests
# are sent.
#
#Default:
# none

# TAG: location_rewrite_program
# Specify the location of the executable for the Location rewriter,
# used to rewrite server generated redirects. Usually used in
# conjunction with a url_rewrite_program
#
# For each Location header received the location rewriter will receive
# one line with the format:
#
# location URL <SP> requested URL <SP> urlgroup <NL>
#
# And the rewriter may return a rewritten Location URL or a blank line.
# The other components of the request line does not need to be returned
# (ignored if they are).
#
# By default, a Location rewriter is not used.
#
#Default:
# none

# TAG: location_rewrite_children
# The number of location rewriting processes to spawn. If you start
# too few Squid will have to wait for them to process a backlog of
# URLs, slowing it down. If you start too many they will use RAM
# and other system resources.
#
#Default:
# location_rewrite_children 5

# TAG: location_rewrite_concurrency
# The number of requests each Location rewriter helper can handle in
# parallel. Defaults to 0 which indicates that the helper
# is a old-style singlethreaded helper.
#
#Default:
# location_rewrite_concurrency 0

# TAG: location_rewrite_access
# If defined, this access list specifies which requests are
# sent to the location rewriting processes. By default all Location
# headers are sent.
#
#Default:
# none

# TAG: auth_param
# This is used to define parameters for the various authentication
# schemes supported by Squid.
#
# format: auth_param scheme parameter [setting]
#
# The order in which authentication schemes are presented to the client is
# dependent on the order the scheme first appears in config file. IE
# has a bug (it's not RFC 2617 compliant) in that it will use the basic
# scheme if basic is the first entry presented, even if more secure
# schemes are presented. For now use the order in the recommended
# settings section below. If other browsers have difficulties (don't
# recognize the schemes offered even if you are using basic) either
# put basic first, or disable the other schemes (by commenting out their
# program entry).
#
# Once an authentication scheme is fully configured, it can only be
# shutdown by shutting squid down and restarting. Changes can be made on
# the fly and activated with a reconfigure. I.E. You can change to a
# different helper, but not unconfigure the helper completely.
#
# Please note that while this directive defines how Squid processes
# authentication it does not automatically activate authentication.
# To use authentication you must in addition make use of ACLs based
# on login name in http_access (proxy_auth, proxy_auth_regex or
# external with %LOGIN used in the format tag). The browser will be
# challenged for authentication on the first such acl encountered
# in http_access processing and will also be re-challenged for new
# login credentials if the request is being denied by a proxy_auth
# type acl.
#
# WARNING: authentication can't be used in a transparently intercepting
# proxy as the client then thinks it is talking to an origin server and
# not the proxy. This is a limitation of bending the TCP/IP protocol to
# transparently intercepting port 80, not a limitation in Squid.
#
# === Parameters for the basic scheme follow. ===
#
# "program" cmdline
# Specify the command for the external authenticator. Such a program
# reads a line containing "username password" and replies "OK" or
# "ERR" in an endless loop. "ERR" responses may optionally be followed
# by a error description available as %m in the returned error page.
#
# By default, the basic authentication scheme is not used unless a
# program is specified.
#
# If you want to use the traditional proxy authentication, jump over to
# the helpers/basic_auth/NCSA directory and type:
# % make
# % make install
#
# Then, set this line to something like
#
# auth_param basic program /usr/lib/squid/ncsa_auth /usr/etc/passwd
#
# "children" numberofchildren
# The number of authenticator processes to spawn. If you start too few
# squid will have to wait for them to process a backlog of credential
# verifications, slowing it down. When credential verifications are
# done via a (slow) network you are likely to need lots of
# authenticator processes.
# auth_param basic children 5
#
# "concurrency" numberofconcurrentrequests
# The number of concurrent requests/channels the helper supports.
# Changes the protocol used to include a channel number first on
# the request/response line, allowing multiple requests to be sent
# to the same helper in parallell without wating for the response.
# Must not be set unless it's known the helper supports this.
#
# "realm" realmstring
# Specifies the realm name which is to be reported to the client for
# the basic proxy authentication scheme (part of the text the user
# will see when prompted their username and password).
# auth_param basic realm Squid proxy-caching web server
#
# "credentialsttl" timetolive
# Specifies how long squid assumes an externally validated
# username:password pair is valid for - in other words how often the
# helper program is called for that user. Set this low to force
# revalidation with short lived passwords. Note that setting this high
# does not impact your susceptibility to replay attacks unless you are
# using an one-time password system (such as SecureID). If you are using
# such a system, you will be vulnerable to replay attacks unless you
# also use the max_user_ip ACL in an http_access rule.
# auth_param basic credentialsttl 2 hours
#
# "casesensitive" on|off
# Specifies if usernames are case sensitive. Most user databases are
# case insensitive allowing the same username to be spelled using both
# lower and upper case letters, but some are case sensitive. This
# makes a big difference for user_max_ip ACL processing and similar.
# auth_param basic casesensitive off
#
# "blankpassword" on|off
# Specifies if blank passwords should be supported. Defaults to off
# as there is multiple authentication backends which handles blank
# passwords as "guest" access.
#
# === Parameters for the digest scheme follow ===
#
# "program" cmdline
# Specify the command for the external authenticator. Such a program
# reads a line containing "username":"realm" and replies with the
# appropriate H(A1) value base64 encoded or ERR if the user (or his H(A1)
# hash) does not exists. See RFC 2616 for the definition of H(A1).
# "ERR" responses may optionally be followed by a error description
# available as %m in the returned error page.
#
# By default, the digest authentication scheme is not used unless a
# program is specified.
#
# If you want to use a digest authenticator, jump over to the
# helpers/digest_auth/ directory and choose the authenticator to use.
# It it's directory type
# % make
# % make install
#
# Then, set this line to something like
#
# auth_param digest program /usr/lib/squid/digest_auth_pw /usr/etc/digpass
#
#
# "children" numberofchildren
# The number of authenticator processes to spawn. If you start too few
# squid will have to wait for them to process a backlog of credential
# verifications, slowing it down. When credential verifications are
# done via a (slow) network you are likely to need lots of
# authenticator processes.
# auth_param digest children 5
#
# "concurrency" numberofconcurrentrequests
# The number of concurrent requests/channels the helper supports.
# Changes the protocol used to include a channel number first on
# the request/response line, allowing multiple requests to be sent
# to the same helper in parallell without wating for the response.
# Must not be set unless it's known the helper supports this.
#
# "realm" realmstring
# Specifies the realm name which is to be reported to the client for the
# digest proxy authentication scheme (part of the text the user will see
# when prompted their username and password).
# auth_param digest realm Squid proxy-caching web server
#
# "nonce_garbage_interval" timeinterval
# Specifies the interval that nonces that have been issued to clients are
# checked for validity.
# auth_param digest nonce_garbage_interval 5 minutes
#
# "nonce_max_duration" timeinterval
# Specifies the maximum length of time a given nonce will be valid for.
# auth_param digest nonce_max_duration 30 minutes
#
# "nonce_max_count" number
# Specifies the maximum number of times a given nonce can be used.
# auth_param digest nonce_max_count 50
#
# "nonce_strictness" on|off
# Determines if squid requires strict increment-by-1 behavior for nonce
# counts, or just incrementing (off - for use when useragents generate
# nonce counts that occasionally miss 1 (ie, 1,2,4,6)).
# auth_param digest nonce_strictness off
#
# "check_nonce_count" on|off
# This directive if set to off can disable the nonce count check
# completely to work around buggy digest qop implementations in certain
# mainstream browser versions. Default on to check the nonce count to
# protect from authentication replay attacks.
# auth_param digest check_nonce_count on
#
# "post_workaround" on|off
# This is a workaround to certain buggy browsers who sends an incorrect
# request digest in POST requests when reusing the same nonce as acquired
# earlier in response to a GET request.
# auth_param digest post_workaround off
#
# === NTLM scheme options follow ===
#
# "program" cmdline
# Specify the command for the external NTLM authenticator. Such a
# program participates in the NTLMSSP exchanges between Squid and the
# client and reads commands according to the Squid NTLMSSP helper
# protocol. See helpers/ntlm_auth/ for details. Recommended ntlm
# authenticator is ntlm_auth from Samba-3.X, but a number of other
# ntlm authenticators is available.
#
# By default, the ntlm authentication scheme is not used unless a
# program is specified.
#
# Note: If you're using Samba >= 3.0.2, please install the winbind
# package and use the ntlm_auth helper from that package.
#
# auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
#
# "children" numberofchildren
# The number of authenticator processes to spawn. If you start too few
# squid will have to wait for them to process a backlog of credenti

thechacal.net
Visitar o website do usuário Encontrar todas as respostas deste usuário
Citar esta mensagem em uma resposta
19/10/2007, 21:56
Resposta: #2
 
#
# CONFIG FILE FOR SQUIDGUARD
#

dbhome /var/lib/squidguard/db
logdir /var/log/squid

#
# TIME RULES:
# abbrev for weekdays:
# s = sun, m = mon, t =tue, w = wed, h = thu, f = fri, a = sat

#time workhours {
# weekly mtwhf 08:00 - 16:30
# date *-*-01 08:00 - 16:30
#}

#define um grupo interno
src intranet {
ip 192.168.0.0/24
}

#define um grupo de destinos

dest blog
{
domainlist blacklists/blog/domains
urllist blacklists/blog/urls
}

dest porn
{
domainlist blacklists/porn/domains
urllist blacklists/porn/urls
expressionlist blacklists/porn/expressions
}

dest ads
{
domainlist blacklists/ads/domains
urllist blacklists/ads/urls
expressionlist blacklists/ads/expressions
}

dest hacking
{
domainlist blacklists/hacking/domains
urllist blacklists/hacking/urls
}

dest proxy
{
domainlist blacklists/proxy/domains
urllist blacklists/proxy/urls
}

dest adult
{
domainlist blacklists/adult/domains
urllist blacklists/adult/urls
}

dest chat
{
domainlist blacklists/chat/domains
urllist blacklists/chat/urls
}

dest games
{
domainlist blacklists/games/domains
urllist blacklists/games/urls
}

dest livre
{
domainlist liberado
}

dest blocked
{
domainlist proibido
}

#quem pode o que

acl{
intranet{
pass livre !adult !ads !blocked !blog !chat !games !hacking !porn! !proxy all
redirect http://localhost/deny.html
}
}

thechacal.net
Visitar o website do usuário Encontrar todas as respostas deste usuário
Citar esta mensagem em uma resposta
22/10/2007, 07:51
Resposta: #3
 
Cara, vc acha mesmo que alguém vai ler isso tudo? Que tal postar apenas suas confs, que tal mostrar a msg de erro... já checou os logs?

O movimento está parado!
Encontrar todas as respostas deste usuário
Citar esta mensagem em uma resposta
Responder 


Ir ao Fórum:


Usuários visualizando este tópico: 1 Visitantes

Entre em Contato | Fórum Debian | Voltar ao Topo | Voltar ao Conteúdo | Modo Leve (Arquivo) | Feeds RSS