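# This file is automatically generated by pfSense
# Do not edit manually !
#
# Review: the file was collapsed onto four lines; restored to one directive per
# line. Lines marked "FIX" change behaviour (regex anchoring of host names,
# scheme-specific peer routing, TLS 1.1 disabled); everything else is the
# original directive set, kept verbatim. Because pfSense regenerates this file,
# the FIXes must be carried into the package's UI fields to survive a rewrite.
http_port 192.168.10.252:3128
icp_port 0
digest_generation off
dns_v4_first off
pid_filename /var/run/squid/squid.pid
cache_effective_user squid
cache_effective_group proxy
error_default_language en
icon_directory /usr/local/etc/squid/icons
visible_hostname localhost
cache_mgr admin@localhost
# NOTE(review): access logging is discarded, so the reverse-proxy listeners
# below leave no per-request audit trail (cache.log only records daemon
# events). If those listeners face the Internet, enable access logging in the
# pfSense proxy settings so that requests to the published sites can be
# reviewed after an incident.
access_log /dev/null
cache_log /var/squid/logs/cache.log
cache_store_log none
netdb_filename /var/squid/logs/netdb.state
pinger_enable on
pinger_program /usr/local/libexec/squid/pinger
logfile_rotate 0
debug_options rotate=0
shutdown_lifetime 3 seconds

# Allow local network(s) on interface(s)
acl localnet src 192.168.10.0/24
forwarded_for on
uri_whitespace strip

acl dynamic urlpath_regex cgi-bin \?
cache deny dynamic
cache_mem 64 MB
maximum_object_size_in_memory 256 KB
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
minimum_object_size 0 KB
maximum_object_size 4 MB
cache_dir ufs /var/squid/cache 100 16 256
offline_mode off
cache_swap_low 90
cache_swap_high 95
cache allow all

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

#Remote proxies

# Setup some default acls
# ACLs all, manager, localhost, and to_localhost are predefined.
acl allsrc src all
acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 4431 3128 3129 1025-65535
acl sslports port 443 563 4431
acl purge method PURGE
acl connect method CONNECT

# Define protocols used for redirects
acl HTTP proto HTTP
acl HTTPS proto HTTPS
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !safeports
http_access deny CONNECT !sslports

# Always allow localhost connections
http_access allow localhost

request_body_max_size 0 KB
delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 -1/-1
delay_initial_bucket_level 100
delay_access 1 allow allsrc

# Reverse Proxy settings
http_port xxx.xxx.xxx.xxx:80 accel defaultsite=mail.contoso.hu vhost
# FIX: the options list disabled SSLv2/SSLv3/TLSv1 but left TLS 1.1 enabled.
# After the trailing !SHA1 exclusion every remaining suite in the cipher string
# is TLS 1.2-only, so a TLS 1.1 handshake could not complete anyway;
# NO_TLSv1_1 makes the minimum version explicit instead of relying on that.
https_port xxx.xxx.xxx.xxx:443 accel cert=/usr/local/etc/squid/5ae6266c036e3.crt key=/usr/local/etc/squid/5ae6266c036e3.key tls-dh=prime256v1:/dh-parameters.2048 cipher=ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!SHA1:!MD5:!PSK \
  options=NO_SSLv2,NO_SSLv3,CIPHER_SERVER_PREFERENCE,NO_TLSv1,NO_TLSv1_1,SINGLE_DH_USE,SINGLE_ECDH_USE defaultsite=mail.contoso.hu vhost

# Exchange / OWA origin (no round-robin: Squid uses the first allowed peer
# that is up, so https traffic lands on the 443 peer as long as it is alive).
cache_peer 192.168.10.10 parent 443 0 proxy-only no-query no-digest originserver login=PASSTHRU connection-auth=on tls front-end-https=on name=OWA_HOST_443_1_pfs
cache_peer 192.168.10.10 parent 80 0 proxy-only no-query no-digest originserver login=PASSTHRU connection-auth=on name=OWA_HOST_80_1_pfs
#www.fabrikam.hu - HTTPS
cache_peer 192.168.10.81 parent 443 0 proxy-only no-query no-digest originserver login=PASSTHRU connection-auth=on round-robin tls front-end-https=auto name=rvp_psp
#www.fabrikam.hu - HTTP
cache_peer 192.168.10.81 parent 80 0 proxy-only no-query no-digest originserver login=PASSTHRU connection-auth=on round-robin name=rvp_psp-http
#XCH2016 peer
cache_peer 192.168.10.10 parent 443 0 proxy-only no-query no-digest originserver login=PASSTHRU connection-auth=on round-robin tls front-end-https=auto name=rvp_XCH2016
#3CX Server
cache_peer 192.168.10.9 parent 5001 0 proxy-only no-query no-digest originserver login=PASSTHRU connection-auth=on round-robin tls front-end-https=auto name=rvp_3CXSERVER
#3CX Server HTTP
cache_peer 192.168.10.9 parent 5000 0 proxy-only no-query no-digest originserver login=PASSTHRU connection-auth=on round-robin name=rvp_3CXSERVER-HTTP
#RDS Web Access
cache_peer 192.168.16.30 parent 443 0 proxy-only no-query no-digest originserver login=PASSTHRU connection-auth=on round-robin tls front-end-https=auto name=rvp_rds
#
cache_peer 192.168.16.30 parent 80 0 proxy-only no-query no-digest originserver login=PASSTHRU connection-auth=on round-robin name=rvp_RDS_80

# FIX: '.' in every url_regex host name was unescaped, so any single character
# matched there (e.g. a "mail-contoso.hu" or "mailXcontosoXhu" Host value also
# matched OWA_URI_pfs and was relayed to the Exchange server instead of being
# refused). Dots are now literal; the path parts are unchanged.
acl OWA_URI_pfs url_regex -i ^https://mail\.contoso\.hu/owa.*$
acl OWA_URI_pfs url_regex -i ^https://mail\.contoso\.hu/exchange.*$
acl OWA_URI_pfs url_regex -i ^https://mail\.contoso\.hu/public.*$
acl OWA_URI_pfs url_regex -i ^https://mail\.contoso\.hu/exchweb.*$
acl OWA_URI_pfs url_regex -i ^https://mail\.contoso\.hu/ecp.*$
acl OWA_URI_pfs url_regex -i ^https://mail\.contoso\.hu/OAB.*$
acl OWA_URI_pfs url_regex -i ^https://mail\.contoso\.hu/Microsoft-Server-ActiveSync.*$
acl OWA_URI_pfs url_regex -i ^https://mail\.contoso\.hu/rpc/rpcproxy\.dll.*$
acl OWA_URI_pfs url_regex -i ^https://mail\.contoso\.hu/rpcwithcert/rpcproxy\.dll.*$
acl OWA_URI_pfs url_regex -i ^https://mail\.contoso\.hu/mapi.*$
acl OWA_URI_pfs url_regex -i ^http://mail\.contoso\.hu/AutoDiscover/AutoDiscover\.xml
acl OWA_URI_pfs url_regex -i ^https://mail\.contoso\.hu/AutoDiscover/AutoDiscover\.xml
acl OWA_URI_pfs url_regex -i ^http://autodiscover\.contoso\.hu/AutoDiscover/AutoDiscover\.xml
acl OWA_URI_pfs url_regex -i ^https://autodiscover\.contoso\.hu/AutoDiscover/AutoDiscover\.xml

# FIX: rvm_psp, rvm_3CX and rvm_RDS each matched both http:// and https:// URLs
# and were granted to both the TLS peer and the plain-HTTP peer of the same
# origin. Squid's round-robin parent selection rotates among every round-robin
# peer a request is allowed to use, so an https:// request could be relayed to
# the backend over plain HTTP on port 80/5000 (and an http:// request to the
# TLS port). The scheme-specific ACLs below pin each peer to its own scheme;
# the combined ACLs are kept for never_direct and http_access.
acl rvm_psp_https url_regex -i ^https://www\.fabrikam\.hu/.*
acl rvm_psp_http url_regex -i ^http://www\.fabrikam\.hu/.*
acl rvm_psp url_regex -i ^https://www\.fabrikam\.hu/.*
acl rvm_psp url_regex -i ^http://www\.fabrikam\.hu/.*
acl rvm_XCH2016 url_regex -i ^https://mail\.fabrikam1\.hu/.*
acl rvm_XCH2016 url_regex -i ^https://mail\.fabrikam2\.hu/.*
acl rvm_3CX_https url_regex -i ^https://contoso\.hu/.*
acl rvm_3CX_http url_regex -i ^http://contoso\.hu/.*
acl rvm_3CX url_regex -i ^https://contoso\.hu/.*
acl rvm_3CX url_regex -i ^http://contoso\.hu/.*
acl rvm_RDS_https url_regex -i ^https://rds\.fabrikam3\.net/.*
acl rvm_RDS_http url_regex -i ^http://rds\.fabrikam3\.net/.*
acl rvm_RDS url_regex -i ^https://rds\.fabrikam3\.net/.*
acl rvm_RDS url_regex -i ^http://rds\.fabrikam3\.net/.*

# Peer routing: each peer accepts only its own site, then denies everything
# else, so a request can never be relayed to an origin it was not published for.
cache_peer_access OWA_HOST_443_1_pfs allow OWA_URI_pfs
cache_peer_access OWA_HOST_80_1_pfs allow OWA_URI_pfs
cache_peer_access OWA_HOST_443_1_pfs deny allsrc
cache_peer_access OWA_HOST_80_1_pfs deny allsrc
never_direct allow OWA_URI_pfs
# Source is deliberately not restricted here: these are the published sites.
http_access allow OWA_URI_pfs
cache_peer_access rvp_psp allow rvm_psp_https
cache_peer_access rvp_psp-http allow rvm_psp_http
cache_peer_access rvp_XCH2016 allow rvm_XCH2016
cache_peer_access rvp_3CXSERVER allow rvm_3CX_https
cache_peer_access rvp_3CXSERVER-HTTP allow rvm_3CX_http
cache_peer_access rvp_rds allow rvm_RDS_https
cache_peer_access rvp_RDS_80 allow rvm_RDS_http
cache_peer_access rvp_psp deny allsrc
cache_peer_access rvp_psp-http deny allsrc
cache_peer_access rvp_XCH2016 deny allsrc
cache_peer_access rvp_3CXSERVER deny allsrc
cache_peer_access rvp_3CXSERVER-HTTP deny allsrc
cache_peer_access rvp_rds deny allsrc
cache_peer_access rvp_RDS_80 deny allsrc
never_direct allow rvm_psp
never_direct allow rvm_XCH2016
never_direct allow rvm_3CX
never_direct allow rvm_RDS
http_access allow rvm_psp
http_access allow rvm_XCH2016
http_access allow rvm_3CX
http_access allow rvm_RDS
# Anything that reaches the final deny is reset rather than answered with an
# error page, so the proxy does not advertise itself to unsolicited requests.
deny_info TCP_RESET allsrc

# Custom options before auth

# Setup allowed ACLs
# Allow local network(s) on interface(s)
http_access allow localnet

# Default block all to be sure
http_access deny allsrc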