# Django : 2011-11-14 LDAP-Benutzerauthentifizierung
auth_param basic program /usr/lib64/squid/squid_ldap_auth -b "ou=People,dc=nausch,dc=org" -f "uid=%s" -h ldap.dmz.nausch.org -D "cn=Technischeruser,dc=nausch,dc=org" -W "/etc/squid/ldap_passwd" -d
auth_param basic children 4
auth_param basic utf8 on
#auth_param basic concurrency on
auth_param basic realm Bitte geben Sie Ihren Benutzernamen und Passwort fuer die Internetberechtigung ein!
auth_param basic credentialsttl 60 minutes
auth_param basic casesensitive off

#
# Recommended minimum configuration:
#
# Django : 2011-11-14 NICHT cachen von dynamischen Inhalten (cgi-scripte)
acl QUERY urlpath_regex cgi_bin \?
#
acl manager proto cache_object
acl localhost src 127.0.0.1/32
# Django : 2011-11-14 IPv6 deaktiviert
# acl localhost src ::1/128
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
# Django : 2011-11-14 IPv6 deaktiviert
# acl to_localhost dst ::1/128

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
# Django : 2011-11-14 Definition des/der eigenen Netzwerke
# acl localnet src 10.0.0.0/8   # RFC1918 possible internal network
# acl localnet src 172.16.0.0/12        # RFC1918 possible internal network
# acl localnet src 192.168.0.0/16       # RFC1918 possible internal network
# acl localnet src fc00::/7   # RFC 4193 local private network range
# acl localnet src fe80::/10  # RFC 4291 link-local (directly plugged) machines
acl localnet src 10.0.0.0/24
acl localnet src 10.0.10.0/26

# Django : 2011-11-14 LDAP-Benutzerauthentifizierung
acl ldap_auth proxy_auth REQUIRED

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

# Django : 2011-11-14 Ausnahmeregelung für den Zugriff ohne caching aktiviert
acl noauthsites url_regex repository\.nausch\.org/*
acl noauthsites url_regex static-cdn\.addons\.mozilla\.net:443
acl noauthsites url_regex ocsp\.digicert\.com/*
acl noauthsites url_regex ocsp\.verisign\.com/*
acl noauthsites url_regex evsecure-ocsp\.verisign\.com/*
acl noauthsites url_regex releases\.mozilla\.org/*
acl noauthsites url_regex addons\.mozilla\.org:443
acl noauthsites url_regex services\.addons\.mozilla\.org:443

# Django : 2011-11-14 Anpassen der Request-IP-Adresseder Clients bei Verwendung von Dansguardian
follow_x_forwarded_for allow localhost
follow_x_forwarded_for allow localnet

#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
# Django 2011-11-16 Zugriff auch aus dem lokalen Netz erlauben
http_access allow manager localnet
http_access deny manager

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
# Django : 2011-11-14 Zugriffsregeln für die LDAP-Benutzerauthentifizierung
# default: 
# http_access allow localnet
# http_access allow localhost
http_access allow localhost noauthsites
http_access allow localhost ldap_auth
http_access allow localnet noauthsites
http_access allow localnet ldap_auth

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128

# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256
# Django 2011-11-14 : Squid Cache aktiviert
cache_dir ufs /var/spool/squid 100 16 256

# Django : 2011-11-14 Cache-Memory heruntergesetzt, wegen der Fehlermeldung
#                     WARNING cache_mem is larger than total disk cache space!
# default cache_mem 256 MB
cache_mem 100 MB 

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

# Django : 2011-11-14 Aktivieren der ACL-Regel zum Unterdrücken des Cachen von dynamischen Inhalten
cache deny QUERY

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

# Django : 2011-11-14 Definition des Squid-Logformates
logformat squid  %tl.%03tu %6tr %>a %un %Ss/%03>Hs %<st %rm %ru %Sh/%<A %mt

# Django : 2011-11-14 deutsche Rückmeldungen bei den Fehlermeldungen aktiviert
error_directory /usr/share/squid/errors/de
error_default_language de

# Django : 2011-11-14 Serveralias statt des Hostnamens ausgeben:
visible_hostname proxy.dmz.nausch.org

# Django : 2011-11-14 Unterdrücken der Squidversion bei der Ausgabe von Fehlerseiten
httpd_suppress_version_string on

# Django : 2011-11-14 Setzen des Cache-Admins und Angabe der eMailadresse
cache_mgr squid-manager@nausch.org

# Django : 2011-11-14 Setzen der eMail-Absendeadresse im Fehlerfall
mail_from squid-proxy@nausch.org

# Django : 2011-11-17 Konfiguration des CMI (Sperren von Menüpunkten uns setzen des Manager-Passwortes)
cachemgr_passwd disable shutdown offline_toggle reconfigure
cachemgr_passwd S0g3ned! all