Commit 80e3c9ac authored by tbrehm's avatar tbrehm

- Improved nginx reverse proxy support.

- Added UFW firewall support.
parent a285fa66
......@@ -51,6 +51,8 @@ $conf['services']['dns'] = true;
$conf['services']['file'] = true;
$conf['services']['db'] = true;
$conf['services']['vserver'] = true;
$conf['services']['proxy'] = false;
$conf['services']['firewall'] = false;
//* MySQL
$conf['mysql']['installed'] = false; // will be detected automatically during installation
......@@ -183,6 +185,28 @@ $conf['jailkit']['jk_chrootsh'] = 'jk_chrootsh.ini';
$conf['jailkit']['jailkit_chroot_app_programs'] = '/usr/bin/groups /usr/bin/id /usr/bin/dircolors /usr/bin/lesspipe /usr/bin/basename /usr/bin/dirname /usr/bin/nano /usr/bin/pico';
$conf['jailkit']['jailkit_chroot_cron_programs'] = '/usr/bin/php /usr/bin/perl /usr/share/perl /usr/share/php';
//* Squid
$conf['squid']['installed'] = false; // will be detected automatically during installation
$conf['squid']['config_dir'] = '/etc/squid';
$conf['squid']['init_script'] = 'squid';
//* Nginx
$conf['nginx']['installed'] = false; // will be detected automatically during installation
$conf['nginx']['config_dir'] = '/etc/nginx';
$conf['nginx']['vhost_conf_dir'] = '/etc/nginx/sites-available';
$conf['nginx']['vhost_conf_enabled_dir'] = '/etc/nginx/sites-enabled';
$conf['nginx']['init_script'] = 'nginx';
//*Ufw
$conf['ufw']['installed'] = false;
$conf['ufw']['config_dir'] = '/etc/ufw';
$conf['ufw']['init_script'] = 'ufw';
//*Bastille-Firwall
$conf['bastille']['installed'] = false;
$conf['bastille']['config_dir'] = '/etc/Bastille';
//* vlogger
$conf['vlogger']['config_dir'] = '/etc';
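Review bot: The new `ufw` and `bastille` entries (L28–L34) carry no `// will be detected automatically during installation` annotation, unlike the `squid` and `nginx` entries just above; if the installer detects these packages the comment should be copied, and if it does not, the file should say that `installed` is set by hand. The section headers `//*Ufw` and `//*Bastille-Firwall` also break the `//* Name` spacing used elsewhere in the file and misspell Firewall; `//* Ufw` and `//* Bastille-Firewall`. `bastille` gets only `config_dir` while `ufw` gets `config_dir` and `init_script`; a one-line comment on why Bastille has no init script would save the next reader a search.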
......@@ -51,6 +51,8 @@ $conf['services']['dns'] = true;
$conf['services']['file'] = true;
$conf['services']['db'] = true;
$conf['services']['vserver'] = true;
$conf['services']['proxy'] = false;
$conf['services']['firewall'] = false;
//* MySQL
$conf['mysql']['installed'] = false; // will be detected automatically during installation
......@@ -183,6 +185,27 @@ $conf['jailkit']['jk_chrootsh'] = 'jk_chrootsh.ini';
$conf['jailkit']['jailkit_chroot_app_programs'] = '/usr/bin/groups /usr/bin/id /usr/bin/dircolors /usr/bin/lesspipe /usr/bin/basename /usr/bin/dirname /usr/bin/nano /usr/bin/pico';
$conf['jailkit']['jailkit_chroot_cron_programs'] = '/usr/bin/php /usr/bin/perl /usr/share/perl /usr/share/php';
//* Squid
$conf['squid']['installed'] = false; // will be detected automatically during installation
$conf['squid']['config_dir'] = '/etc/squid';
$conf['squid']['init_script'] = 'squid';
//* Nginx
$conf['nginx']['installed'] = false; // will be detected automatically during installation
$conf['nginx']['config_dir'] = '/etc/nginx';
$conf['nginx']['vhost_conf_dir'] = '/etc/nginx/sites-available';
$conf['nginx']['vhost_conf_enabled_dir'] = '/etc/nginx/sites-enabled';
$conf['nginx']['init_script'] = 'nginx';
//* Ufw
$conf['ufw']['installed'] = false;
$conf['squid']['config_dir'] = '/etc/ufw';
$conf['squid']['init_script'] = 'ufw';
//*Bastille-Firwall
$conf['bastille']['installed'] = false;
$conf['bastille']['config_dir'] = '/etc/Bastille';
//* vlogger
$conf['vlogger']['config_dir'] = '/etc';
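Review bot: The two lines after `$conf['ufw']['installed']` at L61–L62 assign `$conf['squid']['config_dir'] = '/etc/ufw';` and `$conf['squid']['init_script'] = 'ufw';`, which looks like a copy-paste slip — the sibling configuration file in this commit writes the `$conf['ufw'][...]` keys at the same spot. As written, squid's config directory and init script are overwritten with ufw values, so the squid configuration step presumably targets `/etc/ufw` and the `squid` restart in install.php invokes the `ufw` init script, while `$conf['ufw']['config_dir']` and `$conf['ufw']['init_script']` stay undefined and the ufw restart check never fires. Change the two keys to `$conf['ufw']['config_dir'] = '/etc/ufw';` and `$conf['ufw']['init_script'] = 'ufw';`.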
......@@ -230,9 +230,31 @@ if($install_mode == 'standard') {
$inst->configure_apps_vhost();
//* Configure Firewall
swriteln('Configuring Firewall');
$inst->configure_firewall();
//swriteln('Configuring Firewall');
//$inst->configure_firewall();
//** Configure Firewall
if($conf['bastille']['installed'] == true) {
//* Configure Bastille Firewall
$conf['services']['firewall'] = true;
swriteln('Configuring Bastille Firewall');
$inst->configure_firewall();
} elseif($conf['ufw']['installed'] == true) {
//* Configure Ubuntu Firewall
$conf['services']['firewall'] = true;
swriteln('Configuring Ubuntu Firewall');
$inst->configure_ufw_firewall();
}
if($conf['squid']['installed'] == true) {
$conf['services']['proxy'] = true;
swriteln('Configuring Squid');
$inst->configure_squid();
} else if($conf['nginx']['installed'] == true) {
$conf['services']['proxy'] = true;
swriteln('Configuring Nginx');
$inst->configure_nginx();
}
//* Configure ISPConfig
swriteln('Installing ISPConfig');
......@@ -267,7 +289,9 @@ if($install_mode == 'standard') {
if($conf['mydns']['installed'] == true && $conf['mydns']['init_script'] != '' && is_executable($conf['init_scripts'].'/'.$conf['mydns']['init_script'])) system($conf['init_scripts'].'/'.$conf['mydns']['init_script'].' restart &> /dev/null');
if($conf['powerdns']['installed'] == true && $conf['powerdns']['init_script'] != '' && is_executable($conf['init_scripts'].'/'.$conf['powerdns']['init_script'])) system($conf['init_scripts'].'/'.$conf['powerdns']['init_script'].' restart &> /dev/null');
if($conf['bind']['installed'] == true && $conf['bind']['init_script'] != '' && is_executable($conf['init_scripts'].'/'.$conf['bind']['init_script'])) system($conf['init_scripts'].'/'.$conf['bind']['init_script'].' restart &> /dev/null');
if($conf['squid']['installed'] == true && $conf['squid']['init_script'] != '' && is_file($conf['init_scripts'].'/'.$conf['squid']['init_script'])) system($conf['init_scripts'].'/'.$conf['squid']['init_script'].' restart &> /dev/null');
if($conf['nginx']['installed'] == true && $conf['nginx']['init_script'] != '' && is_file($conf['init_scripts'].'/'.$conf['nginx']['init_script'])) system($conf['init_scripts'].'/'.$conf['nginx']['init_script'].' restart &> /dev/null');
if($conf['ufw']['installed'] == true && $conf['ufw']['init_script'] != '' && is_file($conf['init_scripts'].'/'.$conf['ufw']['init_script'])) system($conf['init_scripts'].'/'.$conf['ufw']['init_script'].' restart &> /dev/null');
}else{
//* In expert mode, we select the services in the following steps, only db is always available
......@@ -275,6 +299,8 @@ if($install_mode == 'standard') {
$conf['services']['web'] = false;
$conf['services']['dns'] = false;
$conf['services']['db'] = true;
$conf['services']['firewall'] = false;
$conf['services']['proxy'] = false;
//** Get Server ID
......@@ -416,6 +442,21 @@ if($install_mode == 'standard') {
}
//** Configure Squid
if(strtolower($inst->simple_query('Configure Proxy Server', array('y','n'),'y') ) == 'y') {
if($conf['squid']['installed'] == true) {
$conf['services']['proxy'] = true;
swriteln('Configuring Squid');
$inst->configure_squid();
if($conf['squid']['init_script'] != '' && is_executable($conf['init_scripts'].'/'.$conf['squid']['init_script']))system($conf['init_scripts'].'/'.$conf['squid']['init_script'].' restart &> /dev/null');
} else if($conf['nginx']['installed'] == true) {
$conf['services']['proxy'] = true;
swriteln('Configuring Nginx');
$inst->configure_nginx();
if($conf['nginx']['init_script'] != '' && is_executable($conf['init_scripts'].'/'.$conf['nginx']['init_script']))system($conf['init_scripts'].'/'.$conf['nginx']['init_script'].' restart &> /dev/null');
}
}
//** Configure Apache
swriteln("\nHint: If this server shall run the ISPConfig interface, select 'y' in the 'Configure Apache Server' option.\n");
if(strtolower($inst->simple_query('Configure Apache Server',array('y','n'),'y')) == 'y') {
......@@ -434,9 +475,25 @@ if($install_mode == 'standard') {
//** Configure Firewall
if(strtolower($inst->simple_query('Configure Firewall Server',array('y','n'),'y')) == 'y') {
if($conf['bastille']['installed'] == true) {
//* Configure Bastille Firewall
$conf['services']['firewall'] = true;
swriteln('Configuring Bastille Firewall');
$inst->configure_firewall();
} elseif($conf['ufw']['installed'] == true) {
//* Configure Ubuntu Firewall
$conf['services']['firewall'] = true;
swriteln('Configuring Ubuntu Firewall');
$inst->configure_ufw_firewall();
}
}
//** Configure Firewall
/*if(strtolower($inst->simple_query('Configure Firewall Server',array('y','n'),'y')) == 'y') {
swriteln('Configuring Firewall');
$inst->configure_firewall();
}
}*/
//** Configure ISPConfig :-)
if(strtolower($inst->simple_query('Install ISPConfig Web Interface',array('y','n'),'y')) == 'y') {
swriteln('Installing ISPConfig');
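Review bot: The new restart checks at L103–L105 test the init script with `is_file` while the neighbouring lines (L100–L102) and the expert-mode equivalents (L123, L128) use `is_executable`; a script that exists but is not executable then reaches `system()` and fails silently behind `&> /dev/null`. Use `is_executable(...)` on all three so standard and expert mode behave the same. The firewall and proxy blocks also mix `elseif` (L82, L142) with `else if` (L92, L124); pick one spelling. The commented-out originals at L74–L75 and L150–L154 are dead code now that the conditional blocks replace them and can be deleted rather than kept. The enclosing `if($install_mode == 'standard') … else` block starts and ends outside the hunks.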
......@@ -95,6 +95,9 @@ function updateDbAndIni() {
$conf['services']['file'] = ($tmp['file_server'] == 1)?true:false;
$conf['services']['db'] = ($tmp['db_server'] == 1)?true:false;
$conf['services']['vserver'] = ($tmp['vserver_server'] == 1)?true:false;
$conf['services']['proxy'] = ($tmp['proxy_server'] == 1)?true:false;
$conf['services']['firewall'] = ($tmp['firewall_server'] == 1)?true:false;
$conf['postfix']['vmail_mailbox_base'] = $ini_array['mail']['homedir_path'];
//* Do incremental DB updates only on installed ISPConfig versions > 3.0.3
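Review bot: `$tmp['proxy_server']` and `$tmp['firewall_server']` at L164–L165 are read before the incremental DB update that the next comment (L167) introduces, and the `proxy_server`/`firewall_server` columns are only created by that update's `alter table` statements; on an upgrade from an earlier schema these keys are presumably absent from `$tmp`, which raises an undefined-index notice and silently yields `false`. Guard the reads, e.g. `$conf['services']['proxy'] = (isset($tmp['proxy_server']) && $tmp['proxy_server'] == 1)?true:false;` and the same for `firewall_server`, or move them after the schema update. `updateDbAndIni()` begins outside the hunk, so where `$tmp` is populated is not visible here.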
CREATE TABLE IF NOT EXISTS `proxy_reverse` (
`rewrite_id` int(11) NOT NULL auto_increment,
`sys_userid` int(11) unsigned NOT NULL default '0',
`sys_groupid` int(11) unsigned NOT NULL default '0',
`sys_perm_user` varchar(5) default NULL,
`sys_perm_group` varchar(5) default NULL,
`sys_perm_other` varchar(5) default NULL,
`server_id` int(11) unsigned NOT NULL default '0',
`rewrite_url_src` varchar(100) NOT NULL,
`rewrite_url_dst` varchar(100) NOT NULL,
`active` enum('n','y') NOT NULL default 'y',
PRIMARY KEY (`rewrite_id`)
) ENGINE=MyISAM AUTO_INCREMENT=5 DEFAULT CHARSET=utf8;
CREATE TABLE IF NOT EXISTS `firewall_filter` (
`firewall_id` int(11) unsigned NOT NULL auto_increment,
`sys_userid` int(11) unsigned NOT NULL default '0',
`domain_id` int(11) NOT NULL,
`sys_groupid` int(11) unsigned NOT NULL default '0',
`sys_perm_user` varchar(5) default NULL,
`sys_perm_group` varchar(5) default NULL,
`sys_perm_other` varchar(5) default NULL,
`server_id` int(11) unsigned NOT NULL default '0',
`rule_name` varchar(100) default NULL,
`rule_id` int(11) default 1,
`src_ip` varchar(20) NOT NULL,
`src_netmask` varchar(20) NOT NULL,
`dst_ip` varchar(20) NOT NULL,
`dst_netmask` varchar(20) NOT NULL,
`src_from_port` varchar(10) NOT NULL,
`src_to_port` varchar(10) NOT NULL,
`dst_to_port` varchar(10) NOT NULL,
`dst_from_port` varchar(10) NOT NULL,
`protocol` varchar(10) default 'tcp',
`inbound_policy` enum('allow','deny','reject','limit') default 'allow',
`outbound_policy` enum('allow','deny','reject','limit') default 'allow',
`active` enum('n','y') NOT NULL default 'y',
`client_id` int(11) NOT NULL,
PRIMARY KEY (`firewall_id`)
) ENGINE=MyISAM AUTO_INCREMENT=12 DEFAULT CHARSET=utf8;
CREATE TABLE IF NOT EXISTS `firewall_forward` (
`firewall_id` int(11) unsigned NOT NULL auto_increment,
`sys_userid` int(11) unsigned NOT NULL default '0',
`domain_id` int(11) NOT NULL,
`sys_groupid` int(11) unsigned NOT NULL default '0',
`sys_perm_user` varchar(5) default NULL,
`sys_perm_group` varchar(5) default NULL,
`sys_perm_other` varchar(5) default NULL,
`server_id` int(11) unsigned NOT NULL default '0',
`application_name` varchar(100) default NULL,
`dst_ip` varchar(20) NOT NULL,
`src_from_port` varchar(10) NOT NULL,
`src_to_port` varchar(10) NOT NULL,
`dst_to_port` varchar(10) NOT NULL,
`dst_from_port` varchar(10) NOT NULL,
`protocol` int(3) default 0,
`active` enum('n','y') NOT NULL default 'y',
`client_id` int(11) NOT NULL,
PRIMARY KEY (`firewall_id`)
) ENGINE=MyISAM AUTO_INCREMENT=12 DEFAULT CHARSET=utf8;
alter table `server` add column `proxy_server` tinyint(1) not null after `vserver_server`;
alter table `server` add column `firewall_server` tinyint(1) not null after `proxy_server`;
alter table `web_domain` add column `nginx_directives` mediumtext not null after `apache_directives`;
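Review bot: The `alter table server add column proxy_server ... not null` statements at L228–L229 declare no default, while the full schema in this commit gives the same columns `default '0'`; upgraded and fresh installs then differ, and an INSERT into `server` that omits the new columns is rejected under MySQL strict mode on upgraded systems only. Add `default '0'` after `not null` on both statements, and note that `nginx_directives` is `mediumtext not null` here (L230) but nullable in the full schema. `src_ip`/`dst_ip`/`src_netmask`/`dst_netmask` in `firewall_filter` and `dst_ip` in `firewall_forward` are `varchar(20)`, which cannot hold an IPv6 address (up to 39 characters, 45 in IPv4-mapped form); the same columns recur in the full-schema copies of these tables. The `AUTO_INCREMENT=5` and `AUTO_INCREMENT=12` values look carried over from a development database dump and should be dropped from a schema file.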
......@@ -691,6 +691,8 @@ CREATE TABLE `server` (
`file_server` tinyint(1) NOT NULL default '0',
`db_server` tinyint(1) NOT NULL default '0',
`vserver_server` tinyint(1) NOT NULL default '0',
`proxy_server` tinyint(1) NOT NULL default '0',
`firewall_server` tinyint(1) NOT NULL default '0',
`config` text NOT NULL,
`updated` bigint(20) unsigned NOT NULL default '0',
`mirror_server_id` int(11) unsigned NOT NULL default '0',
......@@ -1141,6 +1143,7 @@ CREATE TABLE `web_domain` (
`stats_type` varchar(255) default 'webalizer',
`allow_override` varchar(255) NOT NULL default 'All',
`apache_directives` mediumtext,
`nginx_directives` mediumtext,
`php_open_basedir` mediumtext,
`custom_php_ini` mediumtext,
`backup_interval` VARCHAR( 255 ) NOT NULL DEFAULT 'none',
......@@ -1150,6 +1153,8 @@ CREATE TABLE `web_domain` (
PRIMARY KEY (`domain_id`)
) ENGINE=MyISAM AUTO_INCREMENT=1;
-- --------------------------------------------------------
--
......@@ -1660,6 +1665,70 @@ INSERT INTO `help_faq` VALUES (1,1,0,'I\'d like to know ...','Yes, of course.',1
ALTER TABLE client ADD COLUMN company_id varchar(30);
CREATE TABLE `proxy_reverse` (
`rewrite_id` int(11) NOT NULL auto_increment,
`sys_userid` int(11) unsigned NOT NULL default '0',
`sys_groupid` int(11) unsigned NOT NULL default '0',
`sys_perm_user` varchar(5) default NULL,
`sys_perm_group` varchar(5) default NULL,
`sys_perm_other` varchar(5) default NULL,
`server_id` int(11) unsigned NOT NULL default '0',
`rewrite_url_src` varchar(100) NOT NULL,
`rewrite_url_dst` varchar(100) NOT NULL,
`active` enum('n','y') NOT NULL default 'y',
PRIMARY KEY (`rewrite_id`)
) ENGINE=MyISAM AUTO_INCREMENT=5 DEFAULT CHARSET=utf8;
CREATE TABLE `firewall_filter` (
`firewall_id` int(11) unsigned NOT NULL auto_increment,
`sys_userid` int(11) unsigned NOT NULL default '0',
`domain_id` int(11) NOT NULL,
`sys_groupid` int(11) unsigned NOT NULL default '0',
`sys_perm_user` varchar(5) default NULL,
`sys_perm_group` varchar(5) default NULL,
`sys_perm_other` varchar(5) default NULL,
`server_id` int(11) unsigned NOT NULL default '0',
`rule_name` varchar(100) default NULL,
`rule_id` int(11) default 1,
`src_ip` varchar(20) NOT NULL,
`src_netmask` varchar(20) NOT NULL,
`dst_ip` varchar(20) NOT NULL,
`dst_netmask` varchar(20) NOT NULL,
`src_from_port` varchar(10) NOT NULL,
`src_to_port` varchar(10) NOT NULL,
`dst_to_port` varchar(10) NOT NULL,
`dst_from_port` varchar(10) NOT NULL,
`protocol` varchar(10) default 'tcp',
`inbound_policy` enum('allow','deny','reject','limit') default 'allow',
`outbound_policy` enum('allow','deny','reject','limit') default 'allow',
`active` enum('n','y') NOT NULL default 'y',
`client_id` int(11) NOT NULL,
PRIMARY KEY (`firewall_id`)
) ENGINE=MyISAM AUTO_INCREMENT=12 DEFAULT CHARSET=utf8;
CREATE TABLE `firewall_forward` (
`firewall_id` int(11) unsigned NOT NULL auto_increment,
`sys_userid` int(11) unsigned NOT NULL default '0',
`domain_id` int(11) NOT NULL,
`sys_groupid` int(11) unsigned NOT NULL default '0',
`sys_perm_user` varchar(5) default NULL,
`sys_perm_group` varchar(5) default NULL,
`sys_perm_other` varchar(5) default NULL,
`server_id` int(11) unsigned NOT NULL default '0',
`application_name` varchar(100) default NULL,
`dst_ip` varchar(20) NOT NULL,
`src_from_port` varchar(10) NOT NULL,
`src_to_port` varchar(10) NOT NULL,
`dst_to_port` varchar(10) NOT NULL,
`dst_from_port` varchar(10) NOT NULL,
`protocol` int(3) default 0,
`active` enum('n','y') NOT NULL default 'y',
`client_id` int(11) NOT NULL,
PRIMARY KEY (`firewall_id`)
) ENGINE=MyISAM AUTO_INCREMENT=12 DEFAULT CHARSET=utf8;
-- --------------------------------------------------------
SET FOREIGN_KEY_CHECKS = 1;
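Review bot: The three tables appended at L255–L313 carry `AUTO_INCREMENT=5` and `AUTO_INCREMENT=12` into the base schema, which are dump artefacts from a populated database and should be removed so fresh installs start ids at 1. `protocol` is `varchar(10) default 'tcp'` in `firewall_filter` (L287) but `int(3) default 0` in `firewall_forward` (L309); unless a numeric protocol code is intended for forwards, align the two so the code that renders rules does not need two parsers. The tables are placed after the tail `ALTER TABLE client …` statement rather than among the other `CREATE TABLE` blocks, which is where a reader looking for `firewall_*` or `proxy_reverse` will search.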
proxy_temp_path /var/cache/nginx/temp;
proxy_cache_path /var/cache/nginx/cache levels=1:2 keys_zone=global:60m inactive=15m max_size=1G;
proxy_cache_valid 200 302 10m;
proxy_cache_valid 301 1h;
proxy_cache_valid 404 3m;
proxy_cache_use_stale error timeout http_500 http_502 http_503 http_504;
proxy_cache global;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass_header Set-Cookie;
client_max_body_size 10m;
client_body_buffer_size 128k;
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;
proxy_buffers 32 4k;
set $cache_key $scheme$host$uri$is_args$args$cookie_user;
proxy_cache_key $cache_key;
proxy_cache_valid 200 10h;
expires 3d;
### force timeouts if one of backend is died ##
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
location = /status {
stub_status on;
allow 127.0.0.1;
allow 192.168.1.0;
deny all;
}
location ~ /purge(/.*) {
allow 127.0.0.1;
allow 192.168.1.0;
deny all;
proxy_cache_purge global $cache_key;
}
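Review bot: `allow 192.168.1.0;` in both the `/status` and `/purge` locations (L343, L348) is a single host address, not a network; if the intent is the subnet it needs `allow 192.168.1.0/24;`, and a hard-coded private range in a shipped template is an assumption about the deployment that belongs in a documented placeholder. `proxy_cache_purge` (L350) is not a stock nginx directive (it comes from the ngx_cache_purge module), so `nginx -t` fails on builds without it; a leading comment should state the requirement. The `location ~ /purge(/.*)` regex is unanchored and matches any URI containing `/purge`; anchor it as `location ~ ^/purge(/.*)$`.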
# This configuration file requires squid 2.5+. It is untested with squid 3.x.
# BASIC CONFIGURATION
# ------------------------------------------------------------------------------
visible_hostname {server_name}
# port on which to listen
http_port {ip_address}:80 vhost defaultsite={server_name}
# set cache directory and size (1000 MB) - be sure to set the cache size to
# about 10% less than the physical space available to leave room for squid's
# swap files and other temp files
cache_dir ufs /var/spool/squid 100 16 256
cache_mgr webmaster@{server_name}
# LOGS
# ------------------------------------------------------------------------------
log_icp_queries off
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
cache_effective_user nobody
cache_effective_group nogroup
# emulate_httpd_log off
# RESOURCES
# ------------------------------------------------------------------------------
# amount of memory used for caching recently accessed objects - defaults to 8 MB
cache_mem 64 MB
maximum_object_size 10 MB # max cached object size
maximum_object_size_in_memory 300 KB # max cached-in-memory object size
# ACCESS CONTROL
# ------------------------------------------------------------------------------
# Basic ACLs
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/32
acl ssl_ports port 443 563
acl safe_ports port 80 443
acl openvz_instances src 192.168.1.0/24
acl squid_server src localhost
acl manager proto cache_object
acl connect method connect
# deny requests to unknown ports
http_access deny !safe_ports
acl accelerated_protocols proto http https
acl accelerated_domains dstdomain url_regex -i "{config_dir}/domains.txt"
acl accelerated_ports myport 80 443
http_access allow accelerated_domains
http_access allow accelerated_ports
http_access allow accelerated_protocols
acl purge method PURGE
http_access allow squid_server purge
http_access allow openvz_instances purge
http_access deny purge
# Reply access
http_reply_access allow all
# Cache manager setup - cache manager can only connect from localhost
# only allow cache manager access from localhost
http_access allow manager localhost
http_access deny manager
# deny connect to other than ssl ports
http_access deny connect !ssl_ports
# ICP access - anybody can access icp methods
icp_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
# CACHE PEERS
# ------------------------------------------------------------------------------
# CONFIGURE THE CACHE PEERS. FIRST PORT IS THE HTTP PORT, SECOND PORT
# IS THE ICP PORT. REMEMBER TO ENABLE 'icp-server' ON YOUR 'zope.conf'
# LISTENING ON THE ICP PORT YOU USE HERE.
# acl in_backendpool dstdomain backendpool
# cache_peer 127.0.0.1 parent 8080 9090 no-digest no-netdb-exchange
# cache_peer 192.168.0.3 parent 8081 9091 no-digest no-netdb-exchange
# cache_peer_access 127.0.0.1 allow in_backendpool
# cache_peer_access 127.0.0.1 deny all
# cache_peer_access 192.168.0.3 allow in_backendpool
# cache_peer_access 192.168.0.3 deny all
# IF YOU NEED TO FORWARD REQUESTS TO HOSTS NOT IN THE POOL THIS IS
# WHERE YOU ALLOW THE TARGET DOMAINS
# acl local_servers dstdomain some.mysite.com other.mysite.com
always_direct allow all
# THE FOLLOWING DIRECTIVE IS NEEDED TO MAKE 'backendpool' RESOLVE TO
# THE POOL OF CACHE PEERS.
# never_direct allow all
# icp_access allow all
# PROXY ON, NEEDED TO MAKE CACHE PEERS INTERCOMMUNICATE
# httpd_accel_with_proxy on
# REDIRECTOR PROGRAM
# ------------------------------------------------------------------------------
url_rewrite_program {config_dir}/iRedirector.py
url_rewrite_children 1
url_rewrite_concurrency 20
url_rewrite_host_header off
# SPECIFY WHAT REQUESTS SQUID SHOULD CACHE
# ------------------------------------------------------------------------------
# Control what squid caches. We want to have squid handle content that is not
# personalized and that does not require any kind of authorization.
#
# 1) Always cache static content in squid
acl static_content urlpath_regex -i \.(jpg|jpeg|gif|png|tiff|tif|svg|swf|ico|css|js|vsd|doc|ppt|pps|xls|pdf|mp3|mp4|m4a|ogg|mov|avi|wmv|sxw|zip|gz|bz2|tgz|tar|rar|odc|odb|odf|odg|odi|odp|ods|odt|sxc|sxd|sxi|sxw|dmg|torrent|deb|msi|iso|rpm)$
no_cache allow static_content
# 2) (OPTIONAL) Prevent squid from caching an item that is the result of a POST
acl post_requests method POST
no_cache deny post_requests
# 3) (OPTIONAL) Prevent squid from caching items with items in the query string
# If this is uncommented, squid will treat a url with 2 different query strings
# as 2 different urls when caching.
# XXX: where did this example go?
# 4) Prevent squid from caching requests from authenticated users or conditional
# GETs with an If-None-Match header (since squid doesn't know about ETags)
# We use an external python method to check these conditions and pass in the
# value of the __ac cookie (two different ways to allow for different cookie
# delimiters), the HTTP Authorization header, and the If-None-Match header.
#
# Squid caches the results of the external python method, so for debugging, set
# the options ttl=0 negative_ttl=0 so you can see what is going on
# external_acl_type is_cacheable_type children=20 ttl=0 negative_ttl=0 %{Cookie:__ac} %{Cookie:;__ac} %{Authorization} %{If-None-Match} /etc/squid/squidAcl.py
#external_acl_type is_cacheable_type protocol=2.5 children=20 %{Cookie:__ac} %{Cookie:;__ac} %{Authorization} %{If-None-Match} /etc/squid/squidAcl.py
#acl is_cacheable external is_cacheable_type
#no_cache allow is_cacheable
collapsed_forwarding on
#refresh_stale_hit on
# Explicitly disallow squid from handling anything else
no_cache deny all
# SPECIFY EFFECTS OF A BROWSER REFRESH
# ------------------------------------------------------------------------------
# RELOAD_INTO_IMS CAUSES WEIRD SQUID BEHAVIOR - IT APPEARS TO CAUSE FILES WITH
# INAPPROPRIATE HEADERS TO END UP IN THE CACHE, AND AS A RESULT BROWSERS END
# UP MAKING LOTS OF EXTRA (CONDITIONAL) REQUESTS WHEN THEY WOULD OTHERWISE MAKE
# NO REQUESTS. DO NOT USE!
# Tell squid how to handle expiration times for content with no explicit expiration
# Assume static content is fresh for at least an hour and at most a day
#refresh_pattern -i \.(jpg|jpeg|gif|png|tiff|tif|svg|swf|ico|css|js|vsd|doc|ppt|pps|xls|pdf|mp3|mp4|m4a|ogg|mov|avi|wmv|sxw|zip|gz|bz2|tar|rar|odc|odb|odf|odg|odi|odp|ods|odt|sxc|sxd|sxi|sxw|dmg|torrent|deb|msi|iso|rpm)$ 60 50% 1440 reload-into-ims
#refresh_pattern . 0 20% 1440
# Change force-refresh requests into conditional gets using if-modified-since
#reload_into_ims on
# DEBUGGING
# ------------------------------------------------------------------------------
# debug_options ALL,1 33,2 # use this for debugging acls
debug_options ALL,8
# MISCELLANEOUS
# ------------------------------------------------------------------------------
# have squid handle all requests with ranges
# range_offset_limit -1
# amount of time squid waits for existing requests to be serviced before shutting down
shutdown_lifetime 1 seconds
# allow squid to process multiple requests simultaneously if client is pipelining
pipeline_prefetch on
# allow white spaces to be included in URLs
uri_whitespace allow
# OTHER PARAMETERS THAT MAY BE OF INTEREST
# ------------------------------------------------------------------------------
# logfile_rotate 0
# reload_into_ims off
#error_directory /usr/local/squid/share/errors/English
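Review bot: The access rules at L394–L396 allow every request whose protocol is http/https (`http_access allow accelerated_protocols`) ahead of the `deny` rules, so the `accelerated_domains` list from domains.txt never restricts what this accelerator forwards, and with `always_direct allow all` (L428) the instance can relay requests for arbitrary Host headers. Restrict the allow to the domain list, e.g. `http_access allow accelerated_domains accelerated_ports`, and drop the bare protocol and port allows. `acl accelerated_domains dstdomain url_regex -i "..."` (L392) also names two ACL types on one line; squid takes only the first token as the type, so this line presumably needs to be either a plain `dstdomain` list or a `url_regex`. `debug_options ALL,8` (L487) is a troubleshooting level that logs every request in detail; ship the template with `debug_options ALL,1`. The `192.168.1.0/24` in `openvz_instances` (L385) is the same deployment-specific assumption the nginx template hard-codes.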