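# This file is automatically generated by pfSense
# Do not edit manually !
# NOTE(review): this listing reached the page collapsed onto a few long lines;
# it is laid out here one directive per line. Because pfSense regenerates the
# file, any change suggested in these notes belongs in the pfSense Squid
# package settings, not in a hand edit of squid.conf.

# --- Listeners and process settings ---
# NOTE(review): the first two http_port lines are identical as shown;
# presumably two interface addresses were both replaced by the PfSenseIP
# placeholder. Confirm, since the same address:port cannot be bound twice.
http_port PfSenseIP:800
http_port PfSenseIP:800
http_port 127.0.0.1:800
tcp_outgoing_address PfSenseIP
icp_port 0
digest_generation off
dns_v4_first off
pid_filename /var/run/squid/squid.pid
cache_effective_user squid
cache_effective_group proxy
error_default_language it
icon_directory /usr/local/etc/squid/icons
visible_hostname localhost
cache_mgr admin@localhost

# --- Logging ---
# NOTE(review): logfile_rotate 0 keeps no rotated copies. access.log is the
# main record of who requested what through the proxy, so confirm that
# something outside Squid rotates and retains it.
access_log /var/squid/logs/access.log
cache_log /var/squid/logs/cache.log
cache_store_log none
netdb_filename /var/squid/logs/netdb.state
pinger_enable on
pinger_program /usr/local/libexec/squid/pinger
logfile_rotate 0
debug_options rotate=0
shutdown_lifetime 3 seconds

# Allow local network(s) on interface(s)
acl localnet src x.x.x.0/24 y.y.y.0/24 127.0.0.0/8
# NOTE(review): forwarded_for on adds each client's internal address to the
# X-Forwarded-For header sent to origin servers. If that disclosure is not
# wanted, Squid also accepts off, delete, transparent or truncate here.
forwarded_for on
uri_whitespace strip

# --- Cache behaviour ---
# The backslash before "?" is restored here and in the cgi-bin refresh_pattern
# below: the page shows a bare "?", which is a repetition operator with nothing
# to repeat rather than a literal question mark. The escape was presumably lost
# when the file was pasted - compare with the file on the firewall.
acl dynamic urlpath_regex cgi-bin \?
cache deny dynamic
cache_mem 64 MB
maximum_object_size_in_memory 256 KB
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
minimum_object_size 0 KB
maximum_object_size 4 MB
cache_dir ufs /var/squid/cache 3000 16 256
offline_mode off
cache_swap_low 90
cache_swap_high 95
cache allow all
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

#Remote proxies

# Setup some default acls
# ACLs all, manager, localhost, and to_localhost are predefined.
acl allsrc src all
# NOTE(review): 1025-65535 already covers 3129, 8006, 10443, 11100 and 25899,
# so safeports in effect blocks only low ports that are not listed. Port 445
# (SMB) appears in both lists, which lets clients open CONNECT tunnels to it;
# confirm each non-standard entry in sslports is really needed.
acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 800 3129 1025-65535 8006 10443 445 11100 25899
acl sslports port 443 563 8006 10443 445 11100 25899
acl purge method PURGE
acl connect method CONNECT
# Define protocols used for redirects
acl HTTP proto HTTP
acl HTTPS proto HTTPS
acl unrestricted_hosts src '/var/squid/acl/unrestricted_hosts.acl'
acl whitelist dstdom_regex -i '/var/squid/acl/whitelist.acl'
# NOTE(review): sslwhitelist is defined but not referenced by any rule in this
# listing.
acl sslwhitelist ssl::server_name_regex -i '/var/squid/acl/whitelist.acl'

# --- Access rules (first matching http_access line wins) ---
# Cache manager and PURGE are limited to localhost before anything else.
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !safeports
http_access deny CONNECT !sslports
# Always allow localhost connections
http_access allow localhost
# 0 KB means no limit on request body size.
request_body_max_size 0 KB

# --- Delay pools (-1/-1 = no bandwidth limit configured) ---
delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 -1/-1
delay_initial_bucket_level 100
# Do not throttle unrestricted hosts
delay_access 1 deny unrestricted_hosts
delay_access 1 allow allsrc

# Reverse Proxy settings

# Package Integration
# NOTE(review): CONNECT requests are excluded from the rewriter, so HTTPS
# destinations reached through a tunnel are not checked by squidGuard; only
# the port ACLs above and the http_access rules apply to them.
# url_rewrite_bypass off means requests are not passed through unfiltered when
# the helpers are busy.
url_rewrite_program /usr/local/bin/squidGuard -c /usr/local/etc/squidGuard/squidGuard.conf
url_rewrite_bypass off
url_rewrite_children 16 startup=8 idle=4 concurrency=0
url_rewrite_access deny CONNECT
url_rewrite_access allow all

# Custom options before auth
# NOTE(review): both allow rules below match before authentication. The
# whitelist rule has no source ACL, so any client that can reach the listener
# gets unauthenticated access to those destinations; keep whitelist.acl
# patterns tightly anchored and restrict who can reach port 800 at the
# firewall.

# These hosts do not have any restrictions
http_access allow unrestricted_hosts

# Always allow access to whitelist domains
http_access allow whitelist
# Set YouTube safesearch restriction
acl youtubedst dstdomain -n www.youtube.com m.youtube.com youtubei.googleapis.com youtube.googleapis.com www.youtube-nocookie.com
request_header_access YouTube-Restrict deny all
request_header_add YouTube-Restrict none youtubedst

# --- Authentication (LDAP, Basic scheme) ---
# NOTE(review): three exposures on the helper line below:
#  * -w puts the LDAP bind password in squid.conf and on the helper's command
#    line, where it is visible in the process list; basic_ldap_auth can read it
#    from a file with -W instead. Keep this file readable only by root and the
#    squid user, and give the bind account read-only search rights.
#  * ldap:// on port 389 carries the bind password and every user's password
#    to the directory in cleartext; use an ldaps:// URI or StartTLS (-Z).
#  * Basic authentication is only base64-encoded between browser and proxy,
#    and the listeners above are plain HTTP, so credentials are readable on
#    the client network.
auth_param basic program /usr/local/libexec/squid/basic_ldap_auth -v 3 -b 'dc=x,dc=x' -D 'cn=x,dc=x,dc=x' -w 'x' -f '(&(memberOf=CN=x,OU=x,DC=x,DC=x)(sAMAccountName=%s))' -u 'uid' -P -H 'ldap://ServerIp:389'
auth_param basic children 5
auth_param basic realm Please enter your credentials to access the proxy
auth_param basic credentialsttl 5 minutes
acl password proxy_auth REQUIRED
authenticate_ip_ttl 5 minute

# Custom options after auth
http_access allow unrestricted_hosts
# NOTE(review): ACLs on a line are tested left to right, so "password" is
# evaluated before "localnet" and clients outside localnet are still asked for
# credentials before the final deny applies.
http_access allow password localnet
# Default block all to be sure
http_access deny allsrc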