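# squid.conf for forward proxy, e.g. for a SSH tunnel from an off-site
# location to inside a network, or for speeding up queries by running
# squid on a laptop.
#
# FIXME Look for and correct any FIXME entries, in addition to reviewing
# that the various settings are correct.

visible_hostname 127.0.0.1
# Bind the listener to loopback only: the http_access rules below admit
# clients from localhost only (tunnelled SSH sessions arrive there), so
# there is no reason to expose the port on any other interface.
http_port 127.0.0.1:3128
icp_port 0
#htcp_port 0

# Never cache or forward dynamic (cgi-bin / query-string) requests to peers.
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY

# Memory and disk cache sizing.
cache_mem 512 MB
# cache_swap_low 90
# cache_swap_high 95
maximum_object_size 32768 KB
# minimum_object_size 0 KB
maximum_object_size_in_memory 16 KB
cache_replacement_policy lru
memory_replacement_policy lru
cache_dir ufs /var/squid/cache 1000 16 256

# FIXME some folks may desire logging?
# With the access log disabled there is no record of which client asked
# for which URL through the proxy, which is the first thing needed when
# investigating misuse of the tunnel.
cache_access_log none
cache_log none
cache_store_log none
# emulate_httpd_log off
# log_ip_on_direct on
# log_mime_hdrs off
log_fqdn off

# Password sent for anonymous FTP logins.
ftp_user FIXME@example.org
# ftp_sanitycheck on

# FIXME assumes one has a DNS server running locally
dns_nameservers 127.0.0.1
hosts_file none
redirect_rewrites_host_header off

# TODO needed??
# No "auth_param basic program" and no proxy_auth ACL are configured, so
# these three lines currently have no effect: access is governed purely by
# the source-address ACLs further down.
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

# Limit on client request headers; oversized requests are rejected.
request_header_max_size 16 KB
# request_body_max_size 0 KB

# Freshness heuristics: min-age (minutes), percent of object age, max-age.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
negative_ttl 1 minutes
negative_dns_ttl 1 minutes
# connect_timeout 1 minutes
# peer_connect_timeout 30 seconds
# read_timeout 10 minutes
# request_timeout 5 minutes
# persistent_request_timeout 2 minute
# half_closed_clients on
ident_timeout 1 seconds
shutdown_lifetime 7 seconds

# Access control lists referenced by the http_access rules below.
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

# Rules are evaluated in order; the first match decides.
http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
# Deny requests whose destination is this host's own loopback range.
# Without this rule a tunnelled client could reach, through the proxy, any
# service bound to 127.0.0.0/8 here on one of the Safe_ports (including
# names that resolve to a loopback address). Placed after the manager
# rules so cache_object:// requests from localhost still work.
http_access deny to_localhost
# Allow proxy connections from localhost
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
http_reply_access allow all
icp_access deny all
miss_access allow all
ident_lookup_access deny all

cache_mgr FIXME@example.org
# user account, e.g. _squid on OpenBSD
cache_effective_user FIXME
# Do not reveal the client address to origin servers.
forwarded_for off
log_icp_queries off

# HTTP security/obfuscation - FIXME some may by required by various sites,
# e.g. User-Agent for wikipedia
# NOTE(review): dropping WWW-Authenticate presumably also strips the 401
# challenge that origin servers send back, which would break any site
# requiring HTTP authentication; confirm against this Squid version's
# header_access semantics (request-only vs. both directions).
header_access Referer deny all
header_access Server deny all
header_access User-Agent deny all
header_access WWW-Authenticate deny all
header_access Link deny all

#snmp_port 0
#snmp_access deny all
# offline_mode off
coredump_dir none
pipeline_prefetch on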