path: root/data/templates/squid/squid.conf.tmpl
### generated by service_webproxy.py ###

{# Base ACL definitions used by the http_access rules further down.
   "net" is declared as "src all", so it matches every client address.
   Safe_ports includes 1025-65535, so "deny !Safe_ports" only rejects
   privileged ports that are not listed individually.
   SSL_ports limits the CONNECT method to port 443. #}
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl net src all
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 873         # rsync
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

{# Proxy authentication (HTTP Basic scheme). Emits the optional auth_param
   tuning values, then the helper program and the proxy_auth ACL. #}
{% if authentication is defined and authentication is not none %}
{%   if authentication.children is defined and authentication.children is not none %}
auth_param basic children {{ authentication.children }}
{%   endif %}
{%   if authentication.credentials_ttl is defined and authentication.credentials_ttl is not none %}
auth_param basic credentialsttl {{ authentication.credentials_ttl }} minute
{%   endif %}
{%   if authentication.realm is defined and authentication.realm is not none %}
auth_param basic realm "{{ authentication.realm }}"
{%   endif %}
{# LDAP based Authentication #}
{%   if authentication.method is defined and authentication.method is not none  %}
{%     if authentication.ldap is defined and authentication.ldap is not none and authentication.method == 'ldap' %}
{# NOTE(review): the bind password is rendered as a -w argument, so it is stored
   in the generated squid.conf and is part of the helper's command line.
   basic_ldap_auth also accepts -W with a secret file; consider that together
   with restrictive permissions on the file.
   NOTE(review): base_dn, bind_dn, password, filter_expression, username_attribute
   and server are placed inside double quotes with no escaping here. A value that
   contains a double quote or a line break would change the generated directive;
   presumably the calling script validates them - confirm.
   NOTE(review): -ZZ is passed only when use_ssl is defined; without it no TLS
   option reaches the helper, so the LDAP bind would presumably be unencrypted. #}
auth_param basic program /usr/lib/squid/basic_ldap_auth -v {{ authentication.ldap.version }} -b "{{ authentication.ldap.base_dn }}" {{ '-D "' + authentication.ldap.bind_dn + '"' if authentication.ldap.bind_dn is defined }} {{ '-w "' + authentication.ldap.password + '"' if authentication.ldap.password is defined }} {{ '-f "' + authentication.ldap.filter_expression + '"' if authentication.ldap.filter_expression is defined }} {{ '-u "' + authentication.ldap.username_attribute + '"' if authentication.ldap.username_attribute is defined }} -p {{ authentication.ldap.port }} {{ '-ZZ' if authentication.ldap.use_ssl is defined }} -R -h "{{ authentication.ldap.server }}"
{%     endif %}
{# The two lines below are emitted for any configured method, while the helper
   program above is emitted only for method "ldap".
   NOTE(review): "allow auth" is rendered ahead of the manager, Safe_ports and
   CONNECT deny rules that follow this block in the template. Squid applies the
   first matching http_access rule, so authenticated clients are not subject to
   those denies. Squid's stock configuration places the denies first - confirm
   this order is intended. #}
acl auth proxy_auth REQUIRED
http_access allow auth
{%   endif %}
{% endif %}

{# Access rules, evaluated top to bottom; the first matching rule decides.
   Cache manager requests are accepted from localhost only, then unlisted ports
   and CONNECT to anything other than SSL_ports are rejected.
   NOTE(review): "net" is declared as "src all" earlier in this template, so
   "allow net" admits every client that was not denied above and the final
   "deny all" is never reached. Confirm that exposure is limited elsewhere
   (listen addresses, firewall rules, authentication). #}
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow net
http_access deny all

{# Reply filtering: every entry of reply_block_mime is added to the BLOCK_MIME
   ACL and replies whose MIME type matches are denied.
   Entries are written unquoted; rep_mime_type treats each one as a pattern. #}
{% if reply_block_mime is defined and reply_block_mime is not none %}
{%   for mime_type in reply_block_mime %}
acl BLOCK_MIME rep_mime_type {{ mime_type }}
{%   endfor %}
http_reply_access deny BLOCK_MIME
{% endif %}

{# Cache and logging settings.
   A cache_size above zero creates a ufs disk cache in /var/spool/squid with
   16 first-level and 256 second-level directories; zero emits only the
   comment line, so no cache_dir directive is written. #}
{% if cache_size is defined and cache_size is not none %}
{%   if cache_size | int > 0 %}
cache_dir ufs /var/spool/squid {{ cache_size }} 16 256
{%   else %}
# disabling disk cache
{%   endif %}
{% endif %}
{% if mem_cache_size is defined and mem_cache_size is not none %}
cache_mem {{ mem_cache_size }} MB
{% endif %}
{# disable_access_log is tested for presence only. When it is set, no record of
   proxied requests is written, which removes the audit trail that incident
   response and abuse investigations normally rely on. #}
{% if disable_access_log is defined %}
access_log none
{% else %}
access_log /var/log/squid/access.log squid
{% endif %}

{# by default we'll disable the store log #}
cache_store_log none

{# Optional tuning directives. Each one is written only when its value is set;
   the three size limits are rendered with a KB unit suffix. #}
{% if append_domain is defined and append_domain is not none %}
append_domain {{ append_domain }}
{% endif %}
{% if maximum_object_size is defined and maximum_object_size is not none %}
maximum_object_size {{ maximum_object_size }} KB
{% endif %}
{% if minimum_object_size is defined and minimum_object_size is not none %}
minimum_object_size {{ minimum_object_size }} KB
{% endif %}
{% if reply_body_max_size is defined and reply_body_max_size is not none %}
reply_body_max_size {{ reply_body_max_size }} KB
{% endif %}
{# Source address used for outgoing connections to origin servers and peers. #}
{% if outgoing_address is defined and outgoing_address is not none %}
tcp_outgoing_address {{ outgoing_address }}
{% endif %}


{# Listeners. Each configured address gets an http_port using its own port or
   default_port. The "intercept" flag is added unless disable_transparent is
   defined, so transparent interception is the default for every listener.
   NOTE(review): Squid cannot challenge for proxy authentication on intercepted
   traffic - confirm how this combines with the authentication section. #}
{% if listen_address is defined and listen_address is not none %}
{%   for address, config in listen_address.items() %}
http_port {{ address }}:{{ config.port if config.port is defined else default_port }} {{ 'intercept' if config.disable_transparent is not defined }}
{%   endfor %}
{% endif %}
{# A loopback listener on default_port is always emitted, without intercept. #}
http_port 127.0.0.1:{{ default_port }}

{# Do not disclose the client address to origin servers: with "off" Squid sends
   "X-Forwarded-For: unknown" instead of the client IP. #}
forwarded_for off

{# Upstream cache peers. One cache_peer directive is written per entry, with
   defaults of type "parent", HTTP port 3128, ICP port 0 and options
   "no-query default" when a value is not supplied.
   NOTE(review): the loop iterates cache_peer and takes the address from
   config, but the type, port and option lookups read webproxy['cache-peer'].
   Nothing else in this template references a "webproxy" variable, and the
   other keys use underscores rather than hyphens. If "webproxy" is not part of
   the render context these lookups will fail - confirm against the caller. #}
{% if cache_peer is defined and cache_peer is not none %}
{%   for peer, config in cache_peer.items() %}
{%     if not 'type' in webproxy['cache-peer'][peer] %}
{%       set p_type = "parent" %}
{%     else %}
{%       set p_type = webproxy['cache-peer'][peer]['type'] %}
{%     endif %}

{%     if not 'http-port' in webproxy['cache-peer'][peer] %}
{%       set p_http_port = 3128 %}
{%     else %}
{%       set p_http_port = webproxy['cache-peer'][peer]['http-port'] %}
{%     endif %}

{%     if not 'icp-port' in webproxy['cache-peer'][peer] %}
{%       set p_icp_port = 0 %}
{%     else %}
{%       set p_icp_port = webproxy['cache-peer'][peer]['icp-port'] %}
{%     endif %}

{%     if not 'options' in webproxy['cache-peer'][peer] %}
{%       set p_options = "no-query default" %}
{%     else %}
{%       set p_options = webproxy['cache-peer'][peer]['options'] %}
{%     endif %}
{# The options string is written verbatim at the end of the directive. #}
cache_peer {{ config.address }} {{p_type}} {{p_http_port}} {{p_icp_port}} {{p_options}}
{%   endfor %}
{% endif %}