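#########################################################
### SQUID. Config last edited 09.10.15 (annotated on review) ##
#########################################################

# ACL definitions come first: Squid requires an ACL to exist before any
# http_access / http_reply_access / ssl_bump line references it. The order
# of the ACL definitions themselves does not matter; the order of the
# access rules further down does (first match wins).

#########################################################
# Source (client) address lists                         #
#########################################################

acl localnet src 192.168.1.0/24 # RFC1918 possible internal network
acl localnet2 src 192.168.3.0/24 # RFC1918 possible internal network

# Tablet subnet: these clients are restricted to the whitelist below
acl pl src "/etc/squid/pl.txt"

# Domain whitelist for the tablets (HTTP only: dstdomain)
acl whiteres dstdomain "/etc/squid/whitehttp.txt"

#########################################################
# Address lists that grant access to specific resources #
#########################################################

# Superjob, hh.ru
acl ip_job src "/etc/squid/ip_job.txt"

# Orsk.ru
acl ip_orsk src "/etc/squid/ip_orsk.txt"

# Mail
acl ip_mail src "/etc/squid/ip_mail.txt"

# Video and music
acl ip_vidmus src "/etc/squid/ip_vidmus.txt"

# Entertainment / "holidays" sites (also exempt from the media filters)
acl ip_razvl src "/etc/squid/ip_razvl.txt"

# Clients in this list are denied all access (see the allow rules below).
# The ACL name is kept unchanged so existing list files and scripts keep working.
acl pidor src "/etc/squid/pidor.txt"

# VIP clients: exempt from every content and domain block
acl ip_vip src "/etc/squid/vip.txt"

#######################################################
# Blocking of HTTP resources                           #
#######################################################

# Banners (URL regex list)
acl banner url_regex "/etc/squid/antibanner.txt"

# Regular expressions for advertising links.
# NOTE(review): `banner` and `adv` are referenced only by the commented-out
# rules further down, so they currently have no effect. Before enabling
# them, be aware that bare substrings such as "adv", "click" or "sex"
# also match "advanced", "onclick" or "essex" anywhere in a URL.
# url_regex is an unanchored search, so "^.*foo.*$" is the same as "foo";
# literal dots are escaped so ".swf" no longer matches any "xswf".
acl adv url_regex -i click
acl adv url_regex -i adv
acl adv url_regex -i banner
acl adv url_regex -i baner
acl adv url_regex -i sb\.google
acl adv url_regex -i \.swf
acl adv url_regex -i top\.list\.ru
acl adv url_regex -i yadro\.ru
acl adv url_regex -i sindi
acl adv url_regex -i sex
acl adv url_regex -i google\-analytics
acl adv url_regex -i dw\.jsp

# A few banner-size patterns. "-i" already makes them case-insensitive,
# so the separate "GIF" variants were redundant and are gone.
acl adv url_regex -i 88x31.*gif
acl adv url_regex -i 100x80.*gif
acl adv url_regex -i 100x100.*gif
acl adv url_regex -i 120x60.*gif
acl adv url_regex -i 179x69.*gif
acl adv url_regex -i 193x72.*gif
acl adv url_regex -i 468x60.*gif


# Anonymizers
acl http_anonim dstdomain "/etc/squid/anonim.txt"

# Job sites
acl http_job dstdomain "/etc/squid/job.txt"

# Orsk
acl http_orsk dstdomain "/etc/squid/orsk.txt"

# Mail
acl http_mail dstdomain "/etc/squid/mail.txt"

# Video and music
acl http_vidmus dstdomain "/etc/squid/vidmus.txt"

# Entertainment / holidays
acl http_hol dstdomain "/etc/squid/hol.txt"

# Advertising domains (regex list)
acl http_ad_block dstdom_regex "/etc/squid/ad_block.txt"


#######################################################
# Blocking of HTTPS resources                         #
#######################################################
# ssl::server_name matches the TLS SNI sent by the client (see the
# ssl_bump section for what that does and does not guarantee).
# The same domain files as the HTTP ACLs are reused.

# Anonymizers
acl https_anonim ssl::server_name "/etc/squid/anonim.txt"

# Job sites
acl https_job ssl::server_name "/etc/squid/job.txt"

# Orsk
acl https_orsk ssl::server_name "/etc/squid/orsk.txt"

# Mail
acl https_mail ssl::server_name "/etc/squid/mail.txt"

# Video and music.
# Fixed: this line was named https_orsk (copy-paste), which merged the
# video/music domains into the Orsk ACL, blocked them for the ip_vidmus
# clients and exempted the ip_orsk ones instead.
acl https_vidmus ssl::server_name "/etc/squid/vidmus.txt"

# Entertainment / holidays
acl https_hol ssl::server_name "/etc/squid/hol.txt"

# Banners.
# NOTE(review): antibanner.txt is loaded above as url_regex patterns, but
# ssl::server_name treats each entry as a literal domain name, so regex
# entries cannot match here. Use a separate domain list (or
# ssl::server_name_regex with host-name patterns) if this is meant to work.
acl https_banner ssl::server_name "/etc/squid/antibanner.txt"

######################################################
# Other blocking rules                               #
######################################################

# Block access to sites addressed by raw IP (disabled).
# NOTE(review): "[[0-9]].[[0-9]]" in exclude_ip is not the intended
# character class; fix the pattern before enabling these two lines.
#acl ip_access url_regex -i ^http://[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
#acl exclude_ip url_regex -i ^http://85\.192\.179\.[0-9] ^http://192\.168\.[[0-9]].[[0-9]]


# Flash: matched on the request URL path (flash_reg) and on the reply
# Content-Type (flash_media)
acl flash_media rep_mime_type video/flv video/x-flv
acl flash_reg urlpath_regex \.flv(\?.*)?$
acl flash_media rep_mime_type application/x-shockwave-flash
acl flash_reg urlpath_regex \.swf(\?.*)?$

# Audio (reply Content-Type)
acl audio rep_mime_type -i ^audio

# Video (reply Content-Type)
acl video rep_mime_type -i ^audio/mp4$
acl video rep_mime_type -i ^video/mp4$
acl video rep_mime_type -i ^video/x-f4f$
acl video rep_mime_type -i ^video/x-flv$
acl video rep_mime_type -i ^video


#####################################################
# Ports                                             #
#####################################################

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

####################################################
# Applying the rules                               #
####################################################

dns_nameservers 192.168.1.12

# Standard hardening: refuse unknown ports, CONNECT tunnels to non-TLS
# ports, and the cache manager from anywhere but localhost.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager

# Block Skype (disabled)
#acl Skype_UA browser ^skype
#http_access deny Skype_UA

#acl validUserAgent browser \S+
#http_access deny !validUserAgent

#################################################
# Definitions are done; now the policy itself   #
#################################################

# Block access by raw IP (disabled, see above)
#http_access deny ip_access !exclude_ip

# Flash content: the URL check runs on the request, the MIME check on the reply
http_access deny flash_reg !ip_vip !ip_razvl
http_reply_access deny flash_media !ip_vip !ip_razvl

# Audio/video content. rep_mime_type only has meaning once the reply
# headers are known, so these checks belong in http_reply_access; the
# former "http_access deny audio / deny video" copies could never match
# and were removed.
http_reply_access deny audio !ip_vip !ip_razvl
http_reply_access deny video !ip_vip !ip_razvl

# Per-category domain blocks with their exemption lists
http_access deny http_anonim !ip_vip
http_access deny http_job !ip_vip !ip_job
http_access deny http_orsk !ip_vip !ip_orsk
http_access deny http_mail !ip_vip !ip_mail
http_access deny http_vidmus !ip_vip !ip_vidmus
http_access deny http_hol !ip_vip !ip_razvl

# Advertising: deny and answer with a TCP reset instead of an error page
http_access deny http_ad_block
deny_info TCP_RESET http_ad_block

# Banner / ad regex lists (disabled)
#http_access deny banner !ip_vip
#http_access deny adv !ip_vip
#deny_info https://media.giphy.com/media/DS89v1NqpzCqA/giphy.gif banner

# Tablets may only reach whitelisted domains. This deny must precede the
# subnet allows: if the tablet addresses fall inside localnet or localnet2,
# the allow would otherwise match first and grant them unrestricted access.
http_access deny pl !whiteres

# Allow the two internal subnets, except clients on the deny list
http_access allow localnet !pidor
http_access allow localnet2 !pidor

# Tablets outside those subnets: whitelisted domains only
http_access allow whiteres pl


http_access allow localhost
http_access deny all

# Transparent (intercept) HTTP port. options= configures a TLS context and
# should have no effect on a plain port; kept for parity with https_port.
http_port 3128 intercept options=NO_SSLv3:NO_SSLv2
# Explicit proxy port
http_port 3130 options=NO_SSLv3:NO_SSLv2
# Intercepted HTTPS. squidCA.pem holds the CA key used to mint certificates
# whenever a connection is bumped; protect that file accordingly.
https_port 3129 intercept ssl-bump options=ALL:NO_SSLv3:NO_SSLv2 connection-auth=off cert=/etc/squid/squidCA.pem
always_direct allow all

# Disabled on review: these two lines switch off upstream certificate
# verification for bumped connections. Nothing in the peek/terminate/splice
# chain below depends on them, but together with "ssl_bump bump all" they
# would make Squid accept any forged server certificate and re-sign it
# with squidCA.pem for the client.
#sslproxy_cert_error allow all
#sslproxy_flags DONT_VERIFY_PEER

acl step1 at_step SslBump1
# NOTE(review): the ACL "whitehttps" is not defined anywhere in this file.
#ssl_bump none whitehttps

# Step 1: read the client hello to learn the SNI, then decide below.
# ssl_bump rules are re-evaluated at every step; "step1" only matches once.
ssl_bump peek step1
# Do not enable without restoring certificate verification (see above).
#ssl_bump bump all

# Step 2: close blocked destinations, tunnel everything else unmodified.
# NOTE(review): here ssl::server_name comes from the client's SNI alone;
# because the connection is then spliced, Squid never compares it with the
# server certificate (that would need "peek step2" and a decision at
# step 3). A client that omits or fakes SNI is therefore not subject to
# these terminate rules.
ssl_bump terminate https_job !ip_vip !ip_job
ssl_bump terminate https_anonim !ip_vip
ssl_bump terminate https_orsk !ip_vip !ip_orsk
ssl_bump terminate https_vidmus !ip_vip !ip_vidmus
ssl_bump terminate https_hol !ip_vip !ip_razvl
ssl_bump terminate https_mail !ip_vip !ip_mail
ssl_bump terminate https_banner


ssl_bump splice all
# Certificate generator; only exercised when a connection is actually bumped
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB

coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
# No disk cache is configured (cache_dir is commented out)
#cache_dir aufs /var/spool/squid 20000 49 256
maximum_object_size 61440 KB
minimum_object_size 3 KB

cache_swap_low 90
cache_swap_high 95
maximum_object_size_in_memory 512 KB
memory_replacement_policy lru
logfile_rotate 4
#hierarchy_stoplist cgi-bin ?
#cache_log /dev/null
# Left off: "on" would reject intercepted requests whose Host/SNI does not
# resolve to the intercepted destination IP.
#host_verify_strict on

# Do not reveal the proxy or the client to origin servers.
via off
# "off" still emits "X-Forwarded-For: unknown"; the request_header_access
# rule below then strips the header entirely ("forwarded_for delete" would
# be the direct equivalent).
forwarded_for off
follow_x_forwarded_for deny all
request_header_access X-Forwarded-For deny all
# Full query strings are logged. They may carry session tokens or
# credentials, so treat access.log as sensitive data.
strip_query_terms off
# Overrides the built-in "squid" format; %>A logs the client FQDN where the
# stock format logs the IP (%>a).
logformat squid %ts.%03tu %6tr %>A %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt
# HTTPS log. Fixed: the format held only the SNI, with no timestamp,
# client address or result, which made the log useless for investigation.
logformat squid_https %ts.%03tu %>a %Ss/%03Hs %ssl::>sni
#%ssl::>sni

logformat squidmime %ts.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt [%>h] [%<h]
logformat common %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st %Ss:%Sh
logformat combined %<A %>A %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
access_log daemon:/var/log/squid/access.log squid

# No ACL on this log, so plain HTTP transactions land here too (empty SNI field)
access_log daemon:/var/log/squid/access_https.log squid_https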