Using openSUSE Leap 15.2 x86_64
I’ve been running squid for a very long time on a customer's server. The client has moved from a Wireless ISP to a Fibre connection. The server is connected directly through an ASUS router to a Fibre ONT device.
Basically, every morning the connection to the internet through squid is dropped. I restart the squid software, which makes the connection to the internet work the whole day.
Below are my main squid.conf settings.
```
# Recommended minimum configuration:
acl manager proto cache_object
# NOTE: listing 10.8.0.0/24 here gives every host on that VPN subnet the
# "localhost" treatment, including cache-manager access via the
# "http_access allow manager localhost" rule below.
acl localhost src 127.0.0.1/32 ::1 10.8.0.0/255.255.255.0
acl localhost src 127.0.0.1/32
acl to_localhost dst 0.0.0.0/32 127.0.0.0/8
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
#acl localnet src 10.0.0.0/8      # RFC1918 possible internal network
#acl localnet src 172.16.0.0/12   # RFC1918 possible internal network
acl localnet src 192.168.1.0/24   # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80            # http
acl Safe_ports port 21            # ftp
acl Safe_ports port 443           # https
acl Safe_ports port 70            # gopher
acl Safe_ports port 210           # wais
acl Safe_ports port 1025-65535    # unregistered ports
acl Safe_ports port 280           # http-mgmt
acl Safe_ports port 488           # gss-http
acl Safe_ports port 591           # filemaker
acl Safe_ports port 777           # multiling http
acl Safe_ports port 1194          # openvpn
acl Safe_ports port 10106         # office365
acl CONNECT method CONNECT
acl block_site dstdomain "/etc/squid/blocked"
#acl work_network src 10.9.1.128 10.9.1.13 10.9.1.132 10.9.1.18 10.9.1.69 10.9.1.80 10.9.1.86 10.9.1.89
acl business_hours time MTWHFA 7:00-17:00
#http_access deny block_site
acl extensiondeny url_regex -i "/etc/squid/extensiondeny"
acl download method GET
http_access deny extensiondeny download
http_access deny extensiondeny
#acl whitelist dstdomain "/etc/squid/whitelist"
acl localnet src fc00::/7    # RFC 4193 local private network range
acl localnet src fe80::/10   # RFC 4291 link-local (directly plugged) machines
acl allowsite dstdomain "/etc/squid/blocked"
# NOTE: arp ACLs only see the MAC of clients on the same L2 segment as the proxy;
# anything arriving through a router (e.g. the VPN subnet) never matches them.
acl allaccess arp 28:39:26:e0:4c:21 58:00:e3:1c:01:2c 2c:6f:c9:48:c1:fd
http_access allow allowsite allaccess
acl bannedsites dstdomain "/etc/squid/blocked"
http_access deny bannedsites
#acl windowsupdate dstdomain windowsupdate.microsoft.com
#acl windowsupdate dstdomain .update.microsoft.com
#acl windowsupdate dstdomain download.windowsupdate.com
#acl windowsupdate dstdomain redir.metaservices.microsoft.com
#acl windowsupdate dstdomain images.metaservices.microsoft.com
#acl windowsupdate dstdomain c.microsoft.com
#acl windowsupdate dstdomain www.download.windowsupdate.com
#acl windowsupdate dstdomain wustat.windows.com
#acl windowsupdate dstdomain crl.microsoft.com
#acl windowsupdate dstdomain sls.microsoft.com
#acl windowsupdate dstdomain productactivation.one.microsoft.com
#acl windowsupdate dstdomain ntservicepack.microsoft.com
#acl wuCONNECT dstdomain www.update.microsoft.com
#acl wuCONNECT dstdomain sls.microsoft.com
access_log /var/log/squid/access.log squid
#http_access deny all
# Recommended minimum Access Permission configuration:
# Only allow cachemgr access from localhost
# Deny requests to certain unsafe ports
# Deny CONNECT to other than secure SSL ports
# And finally deny all other access to this proxy
# NOTE: this rule has no source term, so during business hours it admits any
# client that can reach the proxy, and it is evaluated before the Safe_ports
# and CONNECT checks below.
http_access allow business_hours
# NOTE: work_network and whitelist are only defined in commented-out lines
# above; Squid rejects an http_access line that names an undefined ACL.
http_access allow work_network business_hours
http_access deny !whitelist
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow localnet
http_access deny all
#acl work_network arp c4:17:fe:53:d7:7a 24:ec:99:18:7c:75 00:04:e2:37:a3:4b 08:00:27:e3:24da:0d
#http_access allow work_network
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
#http_access deny to_localhost
#http_access allow CONNECT wuCONNECT localnet
icp_access deny all
# allow localhost always proxy functionality
# Squid normally listens to port 3128
http_port 3128
http_port 8080
dns_nameservers 8.8.8.8
# Uncomment and adjust the following to add a disk cache directory.
cache_dir ufs /var/spool/squid 40000 16 256
# Leave coredumps in the first cache dir
coredump_dir /var/cache/squid
# Add any of your own refresh_pattern entries above these.
refresh_pattern -i microsoft.com/.*\.(cab|exe|ms|[ap]sf|wm[v|a]|dat|zip) 4320 80% 43200
refresh_pattern -i windowsupdate.com/.*\.(cab|exe|ms|[ap]sf|wm[v|a]|dat|zip) 4320 80% 43200
refresh_pattern -i windows.com/.*\.(cab|exe|ms|[ap]sf|wm[v|a]|dat|zip) 4320 80% 43200
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
maximum_object_size_in_memory 50 KB
cache_replacement_policy heap LFUDA
cache_swap_low 90
cache_swap_high 95
cache_mem 100 MB
cache_effective_user squid
cache_effective_group nogroup
maximum_object_size 50 MB
icp_port 3130
visible_hostname 192.168.1.3
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
pid_filename /run/squid.pid
netdb_filename stdio:/var/log/squid/netdb.state
# try to convert domain name to more ip addresses as default
forward_max_tries 25
log_fqdn on
cache_mgr webmaster
client_lifetime 1 day
connect_timeout 2 minute
error_directory /usr/share/squid/errors/en
ftp_passive on
memory_replacement_policy lru
minimum_object_size 0 KB
```
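The http_access list above is evaluated first-match, so the order matters as much as the rules. The following added example (not Squid code and not part of the original post) models that evaluation with the posted ACLs and compares the posted rule order with a corrected one; the sample requests, the corrected order and the assumption that the business_hours window was meant for LAN clients are mine.

```python
import ipaddress
from datetime import datetime

# ACL table transcribed from the posted squid.conf (site, ARP and manager ACLs
# are left out because they do not affect the rule-order comparison).
ACLS = {
    "localhost": ("src", ["127.0.0.1/32", "::1/128", "10.8.0.0/24"]),
    "localnet": ("src", ["192.168.1.0/24", "fc00::/7", "fe80::/10"]),
    "Safe_ports": ("port", [80, 21, 443, 70, 210, range(1025, 65536),
                            280, 488, 591, 777, 1194, 10106]),
    "SSL_ports": ("port", [443]),
    "CONNECT": ("method", ["CONNECT"]),
    "business_hours": ("time", ("MTWHFA", 7, 17)),  # day letters, hour range
    "all": ("src", ["0.0.0.0/0", "::/0"]),
}
def acl_match(name, req):
    kind, spec = ACLS[name]
    if kind == "src":  # 'address in network' is False across address families
        return any(ipaddress.ip_address(req["src"]) in ipaddress.ip_network(n)
                   for n in spec)
    if kind == "port":
        return any(req["port"] == p if isinstance(p, int) else req["port"] in p
                   for p in spec)
    if kind == "method":
        return req["method"] in spec
    days, start, end = spec  # Squid time ACL letters M T W H F A S = Mon..Sun
    t = req["when"]
    return "MTWHFAS"[t.weekday()] in days and start <= t.hour < end
def decide(rules, req):
    """Squid-style first match: a rule applies when all its terms match
    (a leading '!' negates a term); the first applicable rule decides."""
    for action, terms in rules:
        if all(acl_match(t.lstrip("!"), req) != t.startswith("!") for t in terms):
            return action
    return "deny"  # not reached here: both rule lists end in 'deny all'
# As posted: the bare 'allow business_hours' comes first and has no source term,
# so it admits any client that can reach the proxy during 7:00-17:00 Mon-Sat.
POSTED = [("allow", ["business_hours"]), ("deny", ["!Safe_ports"]),
          ("deny", ["CONNECT", "!SSL_ports"]), ("allow", ["localhost"]),
          ("allow", ["localnet"]), ("deny", ["all"])]
# Corrected order (assumption: the time window was meant to apply to the LAN).
FIXED = [("deny", ["!Safe_ports"]), ("deny", ["CONNECT", "!SSL_ports"]),
         ("allow", ["localhost"]), ("allow", ["localnet", "business_hours"]),
         ("deny", ["all"])]
# Constructed sample requests; 2021-03-09 is a Tuesday.
OUTSIDER = {"src": "203.0.113.7", "port": 25, "method": "CONNECT",
            "when": datetime(2021, 3, 9, 10, 0)}
LAN_DAY = dict(OUTSIDER, src="192.168.1.50", port=443)
LAN_NIGHT = dict(LAN_DAY, when=datetime(2021, 3, 9, 20, 0))
```

With the posted order, `decide(POSTED, OUTSIDER)` returns "allow" for a non-LAN client tunnelling to port 25 during business hours; the corrected order denies it while still allowing LAN clients during the window.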