• 0 Votes
    18 Posts
    2k Views
    JonathanLeeJ
    This is a better WPAD file:

    server.modules = (
        "mod_access",
        "mod_staticfile",
        "mod_expire",
        "mod_setenv"
    )

    server.document-root = "/var/www/html"
    server.errorlog = "/var/log/lighttpd/error.log"
    server.pid-file = "/run/lighttpd.pid"
    server.username = "www-data"
    server.groupname = "www-data"
    server.port = 80
    server.bind = "192.168.1.6"
    server.tag = ""
    server.range-requests = "disable"
    server.max-connections = 10
    connect-timeout = 2
    server.max-keep-alive-idle = 2
    server.max-keep-alive-requests = 1
    server.max-read-idle = 2
    server.max-write-idle = 2
    dir-listing = "disable"

    $HTTP["request-method"] =~ "^(TRACE|TRACK)$" {
        url.access-deny = ( "" )
    }

    # Cache WPAD and proxy PAC files for 1 day (good practice)
    expire.url = (
        "/wpad.dat" => "access plus 1 day",
        "/proxy.pac" => "access plus 1 day"
    )

    # Disable access logs to reduce SD card wear (optional)
    accesslog = ""

    $HTTP["url"] =~ "^/(wpad\.dat|proxy\.pac)$" {
        setenv.add-response-header = (
            "X-Content-Type-Options" => "nosniff",
            "X-Frame-Options" => "DENY",
            "Content-Security-Policy" => "default-src 'none';",
            "Cache-Control" => "public, max-age=86400",
            "Referrer-Policy" => "no-referrer",
            "X-Download-Options" => "noopen",
            "X-Permitted-Cross-Domain-Policies" => "none"
        )

        # Allow only GET and HEAD methods
        $HTTP["request-method"] !~ "^(GET|HEAD)$" {
            url.access-deny = ( "" )
        }

        # Restrict access by IP subnets
        $HTTP["remoteip"] == "192.168.1.0/27" {
        } else $HTTP["remoteip"] == "2001:470:8052:a::/64" {
        } else {
            url.access-deny = ( "" )
        }
    }

    # Deny all other URL requests
    $HTTP["url"] !~ "^/(wpad\.dat|proxy\.pac)$" {
        url.access-deny = ( "" )
    }

    # Strict URL parsing for security and consistency
    server.http-parseopts = (
        "header-strict" => "enable",
        "host-strict" => "enable",
        "host-normalize" => "enable",
        "url-normalize-unreserved" => "enable",
        "url-normalize-required" => "enable",
        "url-ctrls-reject" => "enable",
        "url-path-2f-decode" => "disable",
        "url-path-2f-reject" => "enable",
        "url-path-dotseg-remove" => "disable",
        "url-path-dotseg-reject" => "enable",
    )

    url.access-deny = ( "~", ".inc" )
    static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" )

    # Add WPAD MIME type for correct browser handling
    mimetype.assign = (
        ".dat" => "application/x-ns-proxy-autoconfig",
        ".pac" => "application/x-ns-proxy-autoconfig"
    )
  • Squid V6.10

    Cache/Proxy squid squid-proxy squid update
    32
    1 Votes
    32 Posts
    5k Views
    B
    @michmoor Yes, it works for them, unfortunately only there :(
  • 0 Votes
    16 Posts
    4k Views
    JonathanLeeJ
    @jdb67 You might also try to email the Squid users support email to get Squid help. They are very helpful; sometimes the original code writers chime in and help users. squid-users@lists.squid-cache.org FYI: You will have to register your email and wait for approval before you can send out an email to everyone on this, however.
  • connection is not private when using Chrome

    Cache/Proxy squid squid-proxy
    3
    0 Votes
    3 Posts
    2k Views
    GertjanG
    @karimhaydar31 said in connection is not private when using Chrome: X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN The certificate is valid, but not co-signed by one of the major players, like Verisign etc. See here for a list. The thing is, your browser only accepts (and stays silent about) certificates if they were co- or root-signed by one of the authorities that are on 'the list' (in your device). You could actually empty this list, and your browser would not even trust https://www.micirostf.com any more. So, the easiest thing to do is: export the certificate that is being used by the Webconfigurator, and import it into your browser / OS. Now your browser / OS will trust it, and no more errors. That's all it takes! You could also get your hands on a certificate that is trusted out of the box. A trusted certificate is free. Example: if these are your general settings: [image] and you actually own, or rent, the some-domain.tld domain name, you could obtain a certificate for *.some-domain.tld for free. The pfSense package "acme" is all about that functionality. Again: the certificate will be free, the domain name will cost some money.
  • 0 Votes
    1 Posts
    705 Views
    No one has replied
  • website not browsing properly in squid

    Cache/Proxy squid-proxy
    1
    0 Votes
    1 Posts
    431 Views
    No one has replied