# Squid proxy configuration, part 1: listener, cache and log settings,
# port / source / authentication ACLs, and delay pools 1-4.
# Order matters: http_access and delay_access lists are read top to bottom
# and the first matching line decides.

# Listen on this one address only, not on every interface.
http_port 192.168.2.230:3128
visible_hostname vproxy.nd.pcsm.perm.ru
max_filedescriptors 4096
error_default_language ru
error_directory /usr/share/squid/errors/ru
cache_mgr pvb@permcsm.ru
# ufs store: 200 MB, 16 first-level and 256 second-level directories.
cache_dir ufs /var/spool/squid 200 16 256
# NOTE(review): with proxy_auth in use, this log presumably records user names
# next to requested URLs - keep its permissions and retention restrictive.
access_log /var/log/squid/access.log squid
cache_mem 512 MB
coredump_dir /var/spool/squid
client_request_buffer_max_size 1 MB
#request_header_max_size 1 MB
#server_persistent_connections on
#client_persistent_connections on

# Client networks. Only 192.168.0.0/16 is active; the other ranges are
# left commented out.
#acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
#acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN)
#acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN)
#acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines
#acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN)
#acl localnet src fc00::/7 # RFC 4193 local private network range
#acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines

# Ports that CONNECT tunnels may target.
# NOTE(review): this ACL matches on port alone, so a port added for one site
# (see the trailing comments) becomes a CONNECT target on every destination.
# Review the list periodically and drop entries that are no longer needed.
acl SSL_ports port 443
acl SSL_ports port 743 # tueconf
acl SSL_ports port 3443 # https + vks
acl SSL_ports port 7071 # mail2.permcsm.ru/zimbraAdmin
acl SSL_ports port 8443 # ir.nalog.ru:8443
acl SSL_ports port 9443 # sbi.sberbank.ru:9443
acl SSL_ports port 9444 # sbi.sberbank.ru:9444
acl SSL_ports port 8000 # https://e-trade.mmk.ru:8000
acl SSL_ports port 4443 # check.kontur.ru:4443

# Ports that non-CONNECT requests may target.
acl Safe_ports port 80 # http
acl Safe_ports port 81 # http (http://www.tsouz.ru/)
acl Safe_ports port 82 # http (rosstandart PARUS 8)
acl Safe_ports port 83 # http (rosstandart PARUS 8 normirovanie)
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
#acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 631 # cups
acl Safe_ports port 743 # tueconf
acl Safe_ports port 777 # multiling http

# Baseline denies. They stay ahead of every allow rule so that no later
# allow can open an unlisted port.
# NOTE(review): CONNECT, localhost and manager are not defined in this file;
# presumably they are Squid's predefined ACLs - confirm for the deployed version.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# Cache manager is reachable from localhost only.
http_access allow localhost manager
http_access deny manager

# NOTE(review): files matched here are read at this position, so any
# http_access line inside them is evaluated before the rules that follow
# the include. No auth_param appears in this file; presumably it lives in
# one of these files. Keep the directory writable by root only.
include /etc/squid/conf.d/*.conf

# host_noauth: let through without authentication
# WSUS, UDRWEB
# BORS (2.14) for Internet access without authentication
# acl wsus src 192.168.2.22/32
# acl udrweb src 192.168.2.33/32
# NOTE(review): membership is decided by source address alone.
acl host_noauth src 192.168.2.33/32 192.168.2.22/32

# Any successfully authenticated user.
acl AuthorizedUsers proxy_auth REQUIRED
# User-name and domain lists loaded from files.
# NOTE(review): these files decide who gets guest or unlimited access;
# restrict write access to them the same way as for this file.
acl guestUsers proxy_auth "/etc/squid/GuestUsersToWWW.txt"
acl users_unlim proxy_auth "/etc/squid/users_unlim.txt"
acl url_guest dstdomain "/etc/squid/url_guest.txt"
# acl url_block dstdomain "/etc/squid/url_block.txt"
acl url_noauth dstdomain "/etc/squid/url_noauth.txt"
# URLs without restrictions
acl url_unlim dstdomain "/etc/squid/url_unlim.txt"

# File-type ACLs, matched case-insensitively against the URL path.
# NOTE(review): a CONNECT request carries no URL path, so these do not see
# HTTPS traffic unless it is decrypted elsewhere; the $ anchor presumably also
# misses URLs that carry a query string - verify. Treat them as bandwidth
# hints, not as a content control.
acl videofiles urlpath_regex -i \.avi$ \.mpeg$ \.mpg$ \.flv$
acl mp3files urlpath_regex -i \.mp3$ \.wav$
acl imagefiles urlpath_regex -i \.jpg$

# Source-address groups used below to exempt hosts from delay pools.
acl adminip src 192.168.2.2 192.168.2.3 192.168.2.27 192.168.2.19 192.168.2.117 192.168.2.42
acl buhip src 192.168.2.66 192.168.2.40 192.168.2.91
acl bossip src 192.168.2.61 192.168.2.57 # kal, dam
# Night window, split in two because a time range cannot cross midnight.
acl night1 time 19:00-23:59
acl night2 time 00:00-07:00
# host monitoring (zabbix server)
acl monitor src 192.168.2.254

#
# Delay pools
#
# Six pools: 1-3 are class 1 (one aggregate bucket), 4-6 are class 2
# (aggregate plus per-host bucket). delay_parameters values are
# restore/max in bytes; -1/-1 means unlimited.
delay_pools 6
delay_class 1 1
delay_class 2 1
delay_class 3 1
delay_class 4 2
delay_class 5 2
delay_class 6 2

# Pool 1: audio files, for everyone except adminip.
delay_parameters 1 1024/1024
delay_access 1 allow mp3files !adminip
delay_access 1 deny all

# Pool 2: night-time traffic, except for the exempt hosts, users and domains.
delay_parameters 2 8192/16384
delay_access 2 allow night1 !adminip !users_unlim !buhip !url_unlim
delay_access 2 allow night2 !adminip !users_unlim !buhip !url_unlim
delay_access 2 deny all

# Pool 3: .jpg files, except for adminip, bossip and url_unlim.
delay_parameters 3 2024000/16048000
delay_access 3 allow imagefiles !adminip !bossip !url_unlim
delay_access 3 deny all

# Pool 4: unlimited, for the exempt hosts, domains and users.
delay_parameters 4 -1/-1 -1/-1
delay_access 4 allow adminip
delay_access 4 allow buhip
delay_access 4 allow bossip
delay_access 4 allow url_unlim
delay_access 4 allow users_unlim
delay_access 4 deny all
# for the local network
# Squid proxy configuration, part 2: delay pools 5-6, the http_access rule
# list, SNMP, debugging, caching, outgoing addresses and the ICAP switch.

# Pool 5: every localnet client not caught by an earlier pool.
delay_parameters 5 8048000/8048000 20092000/20092000
delay_access 5 allow localnet
delay_access 5 deny all
# for everything else
# NOTE(review): the http_access rules below only admit localnet sources
# (host_noauth lies inside 192.168.0.0/16 as well), so this pool looks
# unreachable - confirm.
delay_parameters 6 8048000/8048000 20092000/20092000
delay_access 6 allow !localnet
delay_access 6 deny all

#
# HTTP access rules
#
# Evaluated top to bottom; the first matching line decides.
#acl self_ip src 192.168.2.16 192.168.2.30
# Placed ahead of every allow, so it also applies to host_noauth.
http_access deny videofiles
#http_access deny url_block
# NOTE(review): granted on source address alone, with no authentication and
# no destination limit. The two hosts are listed as /32 entries in the
# host_noauth ACL; make sure those addresses cannot be taken by another
# machine (static reservation, switch-port controls).
http_access allow host_noauth
#http_access allow my_pvb_network
# url_noauth bypasses authentication
http_access allow localnet url_noauth
#http_access allow self_ip
#http_access allow our_vpn url_noauth
# allow guests (guestUsers) from our network to reach the guest resources in url_guest
http_access allow localnet url_guest guestUsers
http_access deny guestUsers !url_guest
# and here only authenticated users who are members of the INET group
# NOTE(review): inet_access_1 and inet_access_2 are not defined in this file;
# presumably they come from the conf.d include - confirm, and confirm that
# the include adds no http_access allow ahead of these rules.
#http_access allow our_vpn AuthorizedUsers inet_access_1
#http_access allow our_vpn AuthorizedUsers inet_access_2
http_access allow localnet AuthorizedUsers inet_access_1
http_access allow localnet AuthorizedUsers inet_access_2
# Explicit final deny: anything not matched above is refused.
http_access deny all
#http_access allow localhost
#http_access allow localnet AuthorizedUsers
#http_access deny all

#
# SNMP support
#
# NOTE(review): the community string acts as a password and is stored here in
# clear text; community-based SNMP also sends it unencrypted. Keep this file
# unreadable to ordinary users and replace the value if the file has been
# shared. No snmp_incoming_address is set in this file, so access relies on
# the snmp_access rule pair below (community + monitor source address).
acl squid_SNMP snmp_community csm_rd
snmp_port 3401
snmp_access allow squid_SNMP monitor
snmp_access deny all

# Minimal debug level for all sections; the alternatives are kept for
# troubleshooting.
debug_options ALL,1
#debug_options ALL,1 14,9
#debug_options ALL,1 28,3 33,3 74,3 85,3
#debug_options ALL,1 33,2 29,2
#debug_options ALL,1 29,9
#cache_log /var/log/squid/cache.log

# local sites access
acl always_sites_local dstdomain .permcsm.ru
acl always_sites_local dstdomain .pcsm.perm.ru
acl always_sites_55 dst 192.168.55.0/24
acl always_hosts_local dst 192.168.0.0/22
#
# do not cache Techexpert
#
acl always_sites_nocache dstdomain .kodeks.ru
acl always_sites_nocache dstdomain .cntd.ru
# NOTE(review): no cache_peer appears in this file, so this line presumably
# has no effect unless a peer is defined in the include.
always_direct allow always_sites_local
# NOTE(review): "cache deny all" excludes every response from the cache, which
# makes the always_sites_nocache line redundant and leaves cache_dir and
# cache_mem apparently unused for storing objects - confirm this is intended.
cache deny always_sites_nocache
cache deny all
# for local sites
# First matching line sets the source address of the outgoing connection.
# 192.168.55.0/24 lies outside 192.168.0.0/22, so !always_sites_55 does not
# change what the first line matches.
tcp_outgoing_address 192.168.2.230 always_hosts_local !always_sites_55
tcp_outgoing_address 192.168.55.35

# NOTE(review): ICAP is switched off here, so the respmod service defined
# further down (icap_service srv_icap_resp, per its comment a drweb-icapd
# scanner) is not consulted and responses are not passed through it.
# If that is temporary, record why and when it is to be re-enabled.
icap_enable off
icap_preview_enable on
# Squid proxy configuration, part 3: ICAP service definition.
# NOTE(review): icap_enable is set to off earlier in this file, so nothing in
# this section takes effect until that switch is turned on.
icap_preview_size 0
# icap_check_interval 300
# Keep persistent connections between drweb-icapd and Squid, which improves performance:
icap_persistent_connections on
# Only response modification is active; the request-side service is commented out.
# bypass=0 marks the service as essential: when it cannot be reached Squid
# returns an error instead of passing the response on unchecked.
# NOTE(review): icap:// is an unencrypted channel; together with the two
# adaptation_send_* options below, client addresses and user names travel to
# 192.168.55.38 in clear text. Keep that path on a trusted segment.
#icap_service srv_icap_req reqmod_precache bypass=0 icap://192.168.55.38:1344/reqmod
icap_service srv_icap_resp respmod_precache bypass=0 icap://192.168.55.38:1344/respmod
#adaptation_access srv_icap_req allow all
adaptation_access srv_icap_resp allow all
# (In Squid 3.2 the icap_send_client_ip and
# icap_send_client_username parameters were renamed)
adaptation_send_client_ip on
adaptation_send_username on