95 lines
3.5 KiB
SquidConf
95 lines
3.5 KiB
SquidConf
http_port 80 accel defaultsite=kojipkgs.fedoraproject.org
|
|
https_port 443 accel defaultsite=kojipkgs.fedoraproject.org cert=/etc/pki/tls/certs/wildcard-2014.squid.cert key=/etc/pki/tls/private/wildcard-2014.fedoraproject.org.key cipher=ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA options=NO_SSLv2,NO_SSLv3
|
|
|
|
cache_peer 127.0.0.1 parent 8080 0 no-query originserver name=kojipkgs
|
|
hierarchy_stoplist cgi-bin ?
|
|
|
|
cache_swap_low 98
|
|
cache_swap_high 99
|
|
cache_mem 32 GB
|
|
maximum_object_size 200 MB
|
|
minimum_object_size 0 KB
|
|
cache_replacement_policy heap LFUDA
|
|
maximum_object_size_in_memory 100 MB
|
|
memory_replacement_policy heap LFUDA
|
|
|
|
logformat squid %ts.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt
|
|
logformat squidmime %ts.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt [%>h] [%<h]
|
|
logformat common %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st %Ss:%Sh
|
|
logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
|
|
|
|
access_log /var/log/squid/access.log squid
|
|
cache_log /var/log/squid/cache.log
|
|
cache_store_log /var/log/squid/store.log
|
|
|
|
refresh_pattern . 1440 100% 10080
|
|
|
|
#
|
|
# Define all our acls here.
|
|
#
|
|
acl all src all
|
|
acl apache rep_header Server ^Apache
|
|
acl cachemanager proto cache_object
|
|
acl localhost src 127.0.0.1/255.255.255.255
|
|
acl to_localhost dst 127.0.0.0/8
|
|
acl SSL_ports port 443
|
|
acl Safe_ports port 80 # http
|
|
acl Safe_ports port 443 # https
|
|
acl CONNECT method CONNECT
|
|
acl our_sites dstdomain kojipkgs.fedoraproject.org
|
|
acl phx2 src 10.5.125.0/24 10.5.127.0/24
|
|
acl repo_url urlpath_regex -i ^/repo/
|
|
acl kojipkgs urlpath_regex -i \.(rpm|log|sig)$
|
|
acl mash urlpath_regex -i ^/mash/
|
|
acl compose urlpath_regex -i ^/compose/
|
|
|
|
#
|
|
# Here is where we use the above acls
|
|
#
|
|
|
|
# Allow phx2 to repos dir and deny everyone else
|
|
http_access allow phx2 repo_url
|
|
http_access deny repo_url
|
|
|
|
# Only allow cachemanager from localhost
|
|
http_access allow cachemanager localhost
|
|
http_access deny cachemanager
|
|
|
|
# Do not allow non safe ports or connect on anything but ssl ports
|
|
http_access deny !Safe_ports
|
|
http_access deny CONNECT !SSL_ports
|
|
|
|
# Allow our sites and localhost
|
|
http_access allow our_sites
|
|
http_access allow localhost
|
|
http_access deny all
|
|
http_reply_access allow all
|
|
icp_access allow all
|
|
|
|
cache_peer_access kojipkgs allow our_sites
|
|
cache_peer_access kojipkgs deny all
|
|
|
|
# Do not cache mash or compose data
|
|
cache deny mash
|
|
cache deny compose
|
|
|
|
# Do cache all rpms/log/sigs otherwise
|
|
cache allow kojipkgs
|
|
cache deny all
|
|
|
|
coredump_dir /var/spool/squid
|
|
|
|
# put the pid in the tmpdir with worker ipc sockets
|
|
pid_filename /var/run/squid/squid.pid
|
|
|
|
# Run in smp mode with 8 workers
|
|
workers 8
|
|
|
|
# In smp mode you have to specify per worker cache dirs
|
|
# Also you have to manually run squid -z -F -f /etc/squid/squid.conf
|
|
# to create these dirs.
|
|
if ${process_number} = 9
|
|
# nothing
|
|
else
|
|
cache_dir ufs /var/spool/squid/${process_number} 12500 16 256
|
|
endif
|