# ---------------------------------------------------------------------------
# Listener
# ---------------------------------------------------------------------------
# Intercepted (transparent) HTTP traffic is delivered to port 3128.
http_port 3128 transparent
visible_hostname tproxy

# ---------------------------------------------------------------------------
# Trusted download domains
# ---------------------------------------------------------------------------
# Destinations we allow downloads from. A leading dot matches the domain and
# every host beneath it, so each entry is a wide grant: keep the list short.
# NOTE(review): on an intercepting listener the destination name comes from
# the request itself; treat this list as a convenience, not a hard boundary.
acl noscan dstdomain .emergingthreats.net .blackberry.com .macromedia.com .apple.com
acl noscan dstdomain .windowsupdate.com .hp.com .xerox.com .sw.be .centos.org
acl noscan dstdomain .microsoft.com .adobe.com .sun.com .nai.com
acl noscan dstdomain .symantecliveupdate.com .mcafee.com .symantec.com
acl noscan dstdomain .vmware.com .trendmicro.com
# Never cache these objects and always fetch them straight from the origin.
no_cache deny noscan
always_direct allow noscan

# ---------------------------------------------------------------------------
# Cache behaviour
# ---------------------------------------------------------------------------
# Dynamic content (cgi-bin paths, anything with a query string) is not cached.
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
# Replies whose Server header starts with "Apache" get the Vary workaround.
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
cache_mem 512 MB
cache_dir ufs /var/spool/squid 2000 16 256
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
# Cache-manager requests use the cache_object pseudo-protocol.
acl manager proto cache_object

# ---------------------------------------------------------------------------
# Address ACLs
# ---------------------------------------------------------------------------
acl alldst dst 0.0.0.0/0.0.0.0
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1
# Client networks served by this proxy.
acl our_networks src 192.168.2.0/255.255.255.0
acl our_networks src 192.168.1.0/255.255.255.0

# ---------------------------------------------------------------------------
# Header rewriting
# ---------------------------------------------------------------------------
# Ask origins for uncompressed bodies (Accept-Encoding: identity) and
# advertise that ranges are unsupported (Accept-Ranges: none).
# NOTE(review): this only rewrites Accept-Ranges; a Range header sent by a
# client is not touched here. Confirm whether that also needs handling.
header_access Accept-Ranges deny alldst
header_access Accept-Encoding deny alldst
header_replace Accept-Encoding identity
header_replace Accept-Ranges none

# ---------------------------------------------------------------------------
# DNS
# ---------------------------------------------------------------------------
# Resolve through OpenDNS, which can filter adware, adult content and so on.
# With a dynamic public IP, ddclient works well for keeping the OpenDNS
# account pointed at the current address.
dns_nameservers 208.67.222.222 208.67.220.220

# Optional ACL for technician workstations (disabled).
#acl techmachines src 192.168.2.199
#acl techmachines src 192.168.2.200

# Only port 80 is redirected to the proxy, so only port 80 traffic is allowed.
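# ---------------------------------------------------------------------------
# Request access control (http_access rules are evaluated top to bottom and
# the first match wins, so the order below is significant)
# ---------------------------------------------------------------------------
acl Safe_ports port 80 # http
http_access deny !Safe_ports

# The cache manager may only be queried from the proxy host itself.
http_access allow manager localhost
http_access deny manager

# File types that must not be fetched. The URL path seen by urlpath_regex
# includes the query string, so accept an optional "?..." tail after the
# extension instead of only a bare trailing "?".
acl DENY_EXE urlpath_regex -i \.(exe|msi|scr|cab|chm|cpl|hlp|hta|ins|isp|jse|lnk|ocx|reg|sct|vbe|wsc|wsf|pif|sys|shs|zip|rar|tar|7z|torrent)(\?.*)?$

# Domains we always want to block.
acl denydomains dstdomain .ssl86.ru .ytgw123.cn .gmail-security.com perlbody.t35.com summertime.1gokurimu.com doradora.atzend.com
http_access deny denydomains

# Destination IPs we always want to block.
acl dstips dst 195.242.161.63 59.106.145.58
http_access deny dstips

# Trusted domains skip the download filters below. The exemption is tied to
# our own clients: a rule that matches on destination alone would admit a
# request from any source address that reaches the proxy.
http_access allow localhost noscan
http_access allow our_networks noscan
http_reply_access allow noscan

# Let technicians (or whoever needs it) pull executables (disabled).
#http_access allow techmachines
#http_reply_access allow techmachines

# Refuse requests whose URL names a blocked file type. ERR_BLOCKEXE is the
# error page name; the template has to exist under error_directory.
deny_info ERR_BLOCKEXE DENY_EXE
http_access deny DENY_EXE

# Everything else is allowed for localhost and our networks only. The final
# deny makes the default explicit instead of relying on the implicit one.
http_access allow localhost
http_access allow our_networks
http_access deny all

# ---------------------------------------------------------------------------
# Reply access control
# ---------------------------------------------------------------------------
# Block downloads where the URL does not end in a blocked extension but the
# reply still names one in its Content-Disposition header.
# http://www.ietf.org/rfc/rfc2183.txt
# The filename may be quoted or unquoted and may be followed by further
# parameters, so the closing quote is optional and ";" also ends the match.
acl blocked_contdisp rep_header Content-Disposition -i \.(exe|msi|scr|cab|chm|cpl|hlp|hta|ins|isp|jse|lnk|ocx|reg|sct|vbe|wsc|wsf|pif|sys|shs|zip|rar|tar|7z|torrent)\??"?[[:space:]]*(;|$)
# deny_info must name the ACL defined above (blocked_contdisp); no ACL
# called "contdisp" is defined in this file.
deny_info ERR_BLOCKEXE blocked_contdisp
http_reply_access deny blocked_contdisp

# Block executable MIME types.
acl mime rep_mime_type -i ^application/exe$
acl mime rep_mime_type -i ^application/x-exe$
acl mime rep_mime_type -i ^application/dos-exe$
acl mime rep_mime_type -i ^vms/exe$
acl mime rep_mime_type -i ^application/x-winexe$
acl mime rep_mime_type -i ^application/msdos-windows$
acl mime rep_mime_type -i ^application/x-msdos-program$
acl mime rep_mime_type -i ^application/x-msdownload$
acl mime rep_mime_type -i ^application/x-cab-compressed$
acl mime rep_mime_type -i ^application/x-oleobject$
acl mime rep_mime_type -i ^application/x-cabinet$
acl mime rep_mime_type -i ^application/x-dosexec$
# The registered type carries the "application/" prefix; the bare pattern on
# the first line below is kept as it was, although it cannot match a
# type/subtype value.
acl mime rep_mime_type -i ^vnd.ms-cab-compressed$
acl mime rep_mime_type -i ^application/vnd.ms-cab-compressed$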
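# Remaining executable MIME types for the "mime" ACL, then the deny rule.
acl mime rep_mime_type -i ^application/x-cabinet-win32-x86$
acl mime rep_mime_type -i ^application/x-pe-win32-x86$
acl mime rep_mime_type -i ^application/x-setupscript$
# ERR_BLOCKEXE is the error page name; the template has to exist under
# error_directory (set below).
deny_info ERR_BLOCKEXE mime
http_reply_access deny mime

# Allow every other reply.
http_reply_access allow all

# ---------------------------------------------------------------------------
# Logging
# ---------------------------------------------------------------------------
# Extra detail for investigations: full query strings and the MIME headers.
# Both can capture session tokens, cookies and credentials, so keep
# /var/log/squid readable only by the accounts that need it and apply a
# retention policy to these logs.
strip_query_terms off
log_mime_hdrs on

# Custom log format for more information: the stock "combined" layout plus
# the reply MIME type (%mt). The reply-size and Referer fields
# (%<st "%{Referer}>h") are restored; the line had degraded to a stray %h"
# with an unbalanced quote.
# The timestamp carries a fixed -0600 offset while %tl is local time; keep
# that in mind when correlating with other sources across DST changes.
logformat combined %>a %ui %un [%{%d/%b/%Y:%H:%M:%S -0600}tl] "%rm %ru HTTP/%rv" %Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh %mt
access_log /var/log/squid/access_log combined
error_directory /usr/share/squid/errors/English
coredump_dir /var/spool/squid

# Disabled for performance.
# NOTE(review): cache_log is where Squid reports its own warnings and
# errors; with it off, problems in this configuration may go unnoticed.
# Confirm this trade-off is intended.
cache_store_log none
cache_log none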