Vous n'êtes pas identifié(e).
L'icône rouge permet de télécharger chaque page du wiki visitée au format
PDF et la grise au format ODT →
Ci-dessous, les différences entre deux révisions de la page.
Les deux révisions précédentes Révision précédente Prochaine révision | Révision précédente Prochaine révision Les deux révisions suivantes | ||
utilisateurs:hypathie:tutos:brouillon-bac-a-sable-de-mes-mini-tutos [19/10/2014 13:10] Hypathie [Example squid conf] |
utilisateurs:hypathie:tutos:brouillon-bac-a-sable-de-mes-mini-tutos [06/12/2014 11:28] Hypathie [Test config] |
||
---|---|---|---|
Ligne 778: | Ligne 778: | ||
/sbin/iptables -F | /sbin/iptables -F | ||
- | |||
/sbin/iptables -X | /sbin/iptables -X | ||
- | |||
- | /sbin/iptables -t nat -F | ||
- | |||
- | /sbin/iptables -t nat -X | ||
- | |||
- | /sbin/iptables -P INPUT ACCEPT | ||
- | |||
- | /sbin/iptables -P FORWARD ACCEPT | ||
- | |||
- | /sbin/iptables -P OUTPUT ACCEPT | ||
- | |||
/sbin/iptables -P INPUT DROP | /sbin/iptables -P INPUT DROP | ||
- | |||
/sbin/iptables -P OUTPUT DROP | /sbin/iptables -P OUTPUT DROP | ||
- | |||
/sbin/iptables -P FORWARD DROP | /sbin/iptables -P FORWARD DROP | ||
- | |||
/sbin/iptables -t nat -P PREROUTING ACCEPT | /sbin/iptables -t nat -P PREROUTING ACCEPT | ||
- | |||
/sbin/iptables -t nat -P POSTROUTING ACCEPT | /sbin/iptables -t nat -P POSTROUTING ACCEPT | ||
- | |||
/sbin/iptables -t nat -P INPUT ACCEPT | /sbin/iptables -t nat -P INPUT ACCEPT | ||
- | |||
/sbin/iptables -t nat -P OUTPUT ACCEPT | /sbin/iptables -t nat -P OUTPUT ACCEPT | ||
- | |||
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE | /sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE | ||
+ | ##commenter / décommenter et adapter les quatre lignes suivantes pour ne pas mettre en place / mettre en place | ||
+ | ##un proxy transparent (squid) | ||
+ | /sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.0.1:3129 | ||
+ | /sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3129 | ||
+ | /sbin/iptables -t mangle -A PREROUTING -p tcp --dport 3128 -j DROP | ||
+ | /sbin/iptables -t mangle -A PREROUTING -p tcp --dport 3129 -j DROP | ||
+ | #accepter l'interface lo | ||
/sbin/iptables -A INPUT -i lo -j ACCEPT | /sbin/iptables -A INPUT -i lo -j ACCEPT | ||
- | |||
/sbin/iptables -A OUTPUT -o lo -j ACCEPT | /sbin/iptables -A OUTPUT -o lo -j ACCEPT | ||
+ | #accepter le sous-réseau | ||
/sbin/iptables -A INPUT -i eth1 -j ACCEPT | /sbin/iptables -A INPUT -i eth1 -j ACCEPT | ||
- | |||
/sbin/iptables -A OUTPUT -o eth1 -j ACCEPT | /sbin/iptables -A OUTPUT -o eth1 -j ACCEPT | ||
+ | #permettre le passage entre les deux interfaces eternet de la passerelle | ||
/sbin/iptables -t filter -A FORWARD -i eth1 -o eth0 -s 192.168.1.0/24 -d 0.0.0.0/0 -p tcp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT | /sbin/iptables -t filter -A FORWARD -i eth1 -o eth0 -s 192.168.1.0/24 -d 0.0.0.0/0 -p tcp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT | ||
- | |||
/sbin/iptables -t filter -A FORWARD -i eth0 -o eth1 -s 0.0.0.0/0 -d 192.168.1.0/24 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT | /sbin/iptables -t filter -A FORWARD -i eth0 -o eth1 -s 0.0.0.0/0 -d 192.168.1.0/24 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT | ||
- | |||
/sbin/iptables -t filter -A FORWARD -p icmp -j ACCEPT | /sbin/iptables -t filter -A FORWARD -p icmp -j ACCEPT | ||
+ | #accepter le ping entre les réseaux locaux | ||
/sbin/iptables -t filter -A INPUT -p icmp -i eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT | /sbin/iptables -t filter -A INPUT -p icmp -i eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT | ||
- | |||
/sbin/iptables -t filter -A OUTPUT -p icmp -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT | /sbin/iptables -t filter -A OUTPUT -p icmp -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT | ||
- | |||
/sbin/iptables -t filter -A INPUT -p icmp -i eth1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT | /sbin/iptables -t filter -A INPUT -p icmp -i eth1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT | ||
- | |||
/sbin/iptables -t filter -A OUTPUT -p icmp -o eth1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT | /sbin/iptables -t filter -A OUTPUT -p icmp -o eth1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT | ||
- | |||
- | /sbin/iptables -t filter -A OUTPUT -o eth0 -p udp -m udp --dport 53 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT | ||
- | |||
- | /sbin/iptables -t filter -A INPUT -i eth0 -p udp -m udp --sport 53 -m state --state RELATED,ESTABLISHED -j ACCEPT | ||
- | |||
- | /sbin/iptables -t filter -A OUTPUT -o eth1 -p udp -m udp --dport 53 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT | ||
- | |||
- | /sbin/iptables -t filter -A INPUT -i eth1 -p udp -m udp --sport 53 -m state --state RELATED,ESTABLISHED -j ACCEPT | ||
- | |||
- | /sbin/iptables -t filter -A OUTPUT -o eth0 -p tcp -m multiport --dports 80,443,8000 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT | ||
- | |||
- | /sbin/iptables -t filter -A INPUT -i eth0 -p tcp -m multiport --sports 80,443,8000 -m state --state RELATED,ESTABLISHED -j ACCEPT | ||
- | |||
- | /sbin/iptables -A OUTPUT -o eth1 -p tcp -m multiport --dports 80,443,8000 -j ACCEPT | ||
- | |||
- | /sbin/iptables -A INPUT -i eth1 -p tcp -m multiport --sports 80,443,8000 -j ACCEPT | ||
- | |||
/sbin/iptables -A OUTPUT -p icmp --icmp-type 0 -j ACCEPT | /sbin/iptables -A OUTPUT -p icmp --icmp-type 0 -j ACCEPT | ||
- | |||
/sbin/iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT | /sbin/iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT | ||
- | |||
/sbin/iptables -A FORWARD -p icmp --icmp-type 0 -j ACCEPT | /sbin/iptables -A FORWARD -p icmp --icmp-type 0 -j ACCEPT | ||
- | |||
/sbin/iptables -A INPUT -p icmp --icmp-type 3/4 -j ACCEPT | /sbin/iptables -A INPUT -p icmp --icmp-type 3/4 -j ACCEPT | ||
- | |||
/sbin/iptables -A OUTPUT -p icmp --icmp-type 3/4 -j ACCEPT | /sbin/iptables -A OUTPUT -p icmp --icmp-type 3/4 -j ACCEPT | ||
- | |||
/sbin/iptables -A FORWARD -p icmp --icmp-type 3/4 -j ACCEPT | /sbin/iptables -A FORWARD -p icmp --icmp-type 3/4 -j ACCEPT | ||
- | |||
/sbin/iptables -A FORWARD -p icmp --icmp-type 3/3 -j ACCEPT | /sbin/iptables -A FORWARD -p icmp --icmp-type 3/3 -j ACCEPT | ||
- | |||
/sbin/iptables -A OUTPUT -p icmp --icmp-type 3/3 -j ACCEPT | /sbin/iptables -A OUTPUT -p icmp --icmp-type 3/3 -j ACCEPT | ||
- | |||
/sbin/iptables -A INPUT -p icmp --icmp-type 3/3 -j ACCEPT | /sbin/iptables -A INPUT -p icmp --icmp-type 3/3 -j ACCEPT | ||
- | |||
/sbin/iptables -A FORWARD -p icmp --icmp-type 3/1 -j ACCEPT | /sbin/iptables -A FORWARD -p icmp --icmp-type 3/1 -j ACCEPT | ||
- | |||
/sbin/iptables -A INPUT -p icmp --icmp-type 3/1 -j ACCEPT | /sbin/iptables -A INPUT -p icmp --icmp-type 3/1 -j ACCEPT | ||
- | |||
/sbin/iptables -A OUTPUT -p icmp --icmp-type 3/1 -j ACCEPT | /sbin/iptables -A OUTPUT -p icmp --icmp-type 3/1 -j ACCEPT | ||
- | |||
/sbin/iptables -A INPUT -p icmp --icmp-type 4 -j ACCEPT | /sbin/iptables -A INPUT -p icmp --icmp-type 4 -j ACCEPT | ||
- | |||
/sbin/iptables -A OUTPUT -p icmp --icmp-type 4 -j ACCEPT | /sbin/iptables -A OUTPUT -p icmp --icmp-type 4 -j ACCEPT | ||
- | |||
/sbin/iptables -A FORWARD -p icmp --icmp-type 4 -j ACCEPT | /sbin/iptables -A FORWARD -p icmp --icmp-type 4 -j ACCEPT | ||
- | |||
/sbin/iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 2/s -j ACCEPT | /sbin/iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 2/s -j ACCEPT | ||
- | |||
/sbin/iptables -A INPUT -p icmp --icmp-type 8 -j LOG --log-prefix "ICMP/in/8 Excessive: " | /sbin/iptables -A INPUT -p icmp --icmp-type 8 -j LOG --log-prefix "ICMP/in/8 Excessive: " | ||
- | |||
/sbin/iptables -A INPUT -p icmp --icmp-type 8 -j DROP | /sbin/iptables -A INPUT -p icmp --icmp-type 8 -j DROP | ||
- | |||
/sbin/iptables -A OUTPUT -p icmp --icmp-type 8 -j ACCEPT | /sbin/iptables -A OUTPUT -p icmp --icmp-type 8 -j ACCEPT | ||
- | |||
/sbin/iptables -A FORWARD -p icmp --icmp-type 8 -j ACCEPT | /sbin/iptables -A FORWARD -p icmp --icmp-type 8 -j ACCEPT | ||
- | |||
/sbin/iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT | /sbin/iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT | ||
- | |||
/sbin/iptables -A OUTPUT -p icmp --icmp-type 11 -j ACCEPT | /sbin/iptables -A OUTPUT -p icmp --icmp-type 11 -j ACCEPT | ||
- | |||
/sbin/iptables -A FORWARD -p icmp --icmp-type 11 -j ACCEPT | /sbin/iptables -A FORWARD -p icmp --icmp-type 11 -j ACCEPT | ||
- | |||
/sbin/iptables -A INPUT -p icmp --icmp-type 12 -j ACCEPT | /sbin/iptables -A INPUT -p icmp --icmp-type 12 -j ACCEPT | ||
- | |||
/sbin/iptables -A OUTPUT -p icmp --icmp-type 12 -j ACCEPT | /sbin/iptables -A OUTPUT -p icmp --icmp-type 12 -j ACCEPT | ||
- | |||
/sbin/iptables -A FORWARD -p icmp --icmp-type 12 -j ACCEPT | /sbin/iptables -A FORWARD -p icmp --icmp-type 12 -j ACCEPT | ||
- | |||
/sbin/iptables -A FORWARD -s 192.168.1.0/24 -d 192.168.0.0/24 -p icmp --icmp-type echo-request -j ACCEPT | /sbin/iptables -A FORWARD -s 192.168.1.0/24 -d 192.168.0.0/24 -p icmp --icmp-type echo-request -j ACCEPT | ||
- | |||
/sbin/iptables -A FORWARD -s 192.168.0.0/24 -d 192.168.1.0/24 -p icmp --icmp-type echo-reply -j DROP | /sbin/iptables -A FORWARD -s 192.168.0.0/24 -d 192.168.1.0/24 -p icmp --icmp-type echo-reply -j DROP | ||
- | |||
/sbin/iptables -A INPUT -p icmp -m limit -j LOG --log-prefix "ICMP/IN: " | /sbin/iptables -A INPUT -p icmp -m limit -j LOG --log-prefix "ICMP/IN: " | ||
- | |||
/sbin/iptables -A OUTPUT -p icmp -m limit -j LOG --log-prefix "ICMP/OUT: " | /sbin/iptables -A OUTPUT -p icmp -m limit -j LOG --log-prefix "ICMP/OUT: " | ||
- | |||
/sbin/iptables -N syn_flood | /sbin/iptables -N syn_flood | ||
- | |||
/sbin/iptables -I INPUT -p tcp --syn -j syn_flood | /sbin/iptables -I INPUT -p tcp --syn -j syn_flood | ||
- | |||
/sbin/iptables -A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN | /sbin/iptables -A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN | ||
- | |||
/sbin/iptables -A syn_flood -j LOG --log-prefix '[SYN_FLOOD] : ' | /sbin/iptables -A syn_flood -j LOG --log-prefix '[SYN_FLOOD] : ' | ||
- | |||
/sbin/iptables -A syn_flood -j DROP | /sbin/iptables -A syn_flood -j DROP | ||
+ | #autoriser la connexion avec les serveurs DNS | ||
+ | /sbin/iptables -t filter -A OUTPUT -o eth0 -p udp -m udp --dport 53 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT | ||
+ | /sbin/iptables -t filter -A INPUT -i eth0 -p udp -m udp --sport 53 -m state --state RELATED,ESTABLISHED -j ACCEPT | ||
+ | /sbin/iptables -t filter -A OUTPUT -o eth1 -p udp -m udp --dport 53 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT | ||
+ | /sbin/iptables -t filter -A INPUT -i eth1 -p udp -m udp --sport 53 -m state --state RELATED,ESTABLISHED -j ACCEPT | ||
+ | #autoriser la navigation web | ||
+ | /sbin/iptables -t filter -A OUTPUT -o eth0 -p tcp -m multiport --dports 80,443,8000 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT | ||
+ | /sbin/iptables -t filter -A INPUT -i eth0 -p tcp -m multiport --sports 80,443,8000 -m state --state RELATED,ESTABLISHED -j ACCEPT | ||
+ | /sbin/iptables -A OUTPUT -o eth1 -p tcp -m multiport --dports 80,443,8000 -j ACCEPT | ||
+ | /sbin/iptables -A INPUT -i eth1 -p tcp -m multiport --sports 80,443,8000 -j ACCEPT | ||
+ | #Si le serveur cups est branché sur un ordinateur du réseau 192.168.0.0/24, par exemple sur 192.168.0.22 | ||
+ | # laisser décommenter les deux lignes suivantes : | ||
+ | /sbin/iptables -A INPUT -i eth0 -s 192.168.0.22 -d 192.168.0.1 -p tcp --sport 631 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT | ||
+ | /sbin/iptables -A OUTPUT -o eth0 -s 192.168.0.1 -d 192.168.0.22 -p tcp --dport 631 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT | ||
+ | #créer une chaîne utilisateur pour les connexion ssh, les loguer et les accepter | ||
/sbin/iptables -t filter -N InComingSSH | /sbin/iptables -t filter -N InComingSSH | ||
- | |||
/sbin/iptables -I INPUT -i eth0 -s 192.168.0.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j InComingSSH | /sbin/iptables -I INPUT -i eth0 -s 192.168.0.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j InComingSSH | ||
- | |||
/sbin/iptables -A InComingSSH -j LOG --log-prefix '[INCOMING_SSH] : ' | /sbin/iptables -A InComingSSH -j LOG --log-prefix '[INCOMING_SSH] : ' | ||
- | |||
/sbin/iptables -A InComingSSH -j ACCEPT | /sbin/iptables -A InComingSSH -j ACCEPT | ||
- | |||
/sbin/iptables -t filter -A OUTPUT -o eth0 -p tcp -m tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT | /sbin/iptables -t filter -A OUTPUT -o eth0 -p tcp -m tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT | ||
- | |||
/sbin/iptables -t filter -A OUTPUT -o eth1 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT | /sbin/iptables -t filter -A OUTPUT -o eth1 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT | ||
- | |||
/sbin/iptables -t filter -A INPUT -i eth1 -s 192.168.0.0/24 -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT | /sbin/iptables -t filter -A INPUT -i eth1 -s 192.168.0.0/24 -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT | ||
+ | #créer une chaîne utilisateur pour les connexions ftp, et les accepter | ||
/sbin/iptables -N ftp_in_accept | /sbin/iptables -N ftp_in_accept | ||
- | |||
/sbin/iptables -I INPUT -i eth0 -p tcp --sport 21 -m state --state ESTABLISHED,RELATED -j ftp_in_accept | /sbin/iptables -I INPUT -i eth0 -p tcp --sport 21 -m state --state ESTABLISHED,RELATED -j ftp_in_accept | ||
- | |||
/sbin/iptables -I INPUT -i eth0 -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ftp_in_accept | /sbin/iptables -I INPUT -i eth0 -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ftp_in_accept | ||
- | |||
/sbin/iptables -I INPUT -i eth0 -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ftp_in_accept | /sbin/iptables -I INPUT -i eth0 -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ftp_in_accept | ||
- | |||
/sbin/iptables -A ftp_in_accept -p tcp -j ACCEPT | /sbin/iptables -A ftp_in_accept -p tcp -j ACCEPT | ||
- | |||
/sbin/iptables -A INPUT -i eth1 -p tcp --sport 21 -m state --state ESTABLISHED,RELATED -j ACCEPT | /sbin/iptables -A INPUT -i eth1 -p tcp --sport 21 -m state --state ESTABLISHED,RELATED -j ACCEPT | ||
- | |||
/sbin/iptables -A INPUT -i eth1 -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT | /sbin/iptables -A INPUT -i eth1 -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT | ||
- | |||
/sbin/iptables -I INPUT -i eth1 -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT | /sbin/iptables -I INPUT -i eth1 -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT | ||
Ligne 981: | Ligne 911: | ||
* Et maintenant : | * Et maintenant : | ||
<code root>systemctl start iptables.service</code> | <code root>systemctl start iptables.service</code> | ||
+ | |||
+ | |||
=====Example squid conf ===== | =====Example squid conf ===== | ||
Ligne 1048: | Ligne 980: | ||
TCP_REFRESH_UNMODIFIED/304\\ | TCP_REFRESH_UNMODIFIED/304\\ | ||
+ | * cache directories | ||
new cache directory : | new cache directory : | ||
<code>/home/hypathie/cache/spool/squid3/</code> | <code>/home/hypathie/cache/spool/squid3/</code> | ||
+ | -> | ||
+ | <code>/mnt/proxy/cache/spool/squid3</code> | ||
- | logs directory : | + | *logs directory : |
<code>/var/log/squid3/access.log</code> | <code>/var/log/squid3/access.log</code> | ||
+ | -> | ||
+ | <code>/mnt/proxy/log/squid3/access.log</code> | ||
+ | <code root>tail -f /mnt/proxy/log/squid3/access.log</code> | ||
+ | ou | ||
+ | <code root>tail -f /var/log/squid3/access.log</code> | ||
owner : proxy not root | owner : proxy not root | ||
+ | |||
+ | |||
+ | *cache_store_log | ||
+ | |||
+ | <code>/mnt/proxy/cache_store_log/store.log</code> | ||
+ | -> | ||
<code>/home/hypathie/cache/spool/cache_store_log/store.log</code> | <code>/home/hypathie/cache/spool/cache_store_log/store.log</code> | ||
+ | |||
+ | * cache.log | ||
+ | |||
<code>/var/log/squid3/cache.log</code> | <code>/var/log/squid3/cache.log</code> | ||
+ | -> | ||
+ | <code>/mnt/proxy/log/squid3/cache.log</code> | ||
only "TCP_MISS/200" never "TCP_HIT"\\ | only "TCP_MISS/200" never "TCP_HIT"\\ | ||
Ligne 1067: | Ligne 1018: | ||
-l'objet sollicité est périmé ;\\ | -l'objet sollicité est périmé ;\\ | ||
-l'objet sollicité a été purgé du cache pour faire de la place à d'autres objets.\\ | -l'objet sollicité a été purgé du cache pour faire de la place à d'autres objets.\\ | ||
+ | |||
+ | |||
+ | * Voici les règles qui sont suivies pour décider de la mise en cache : | ||
+ | Si des instructions interdisant la mise en cache sont rencontrées (Cache-Control: private), la ressource n’est pas mise en cache.\\ | ||
+ | Si la connexion est sécurisée ou authentifiée, la ressource n’est pas mise en cache. | ||
+ | Si aucune directive de validation n’est présente (Last-Modified ou Etag), la ressource n’est pas mise en cache.\\ | ||
+ | Autrement, la ressource est considérée comme éligible au cache et Squid décide de la stocker. | ||
+ | |||
+ | |||
+ | =====Test config ===== | ||
+ | |||
+ | <code root> | ||
+ | |||
+ | #Définition des ACL | ||
+ | acl all src all | ||
+ | acl manager proto cache_object | ||
+ | acl localhost src 127.0.0.1/32 ::1 | ||
+ | acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1 | ||
+ | |||
+ | #acl localnet src 10.0.0.0/8 # RFC1918 possible internal network | ||
+ | #acl localnet src 172.16.0.0/12 # RFC1918 possible internal network | ||
+ | #acl localnet src 192.168.0.0/16 # RFC1918 possible internal network | ||
+ | |||
+ | #acl localnet src 192.168.1.0/24 # RFC1918 possible internal network | ||
+ | #acl lan src 192.168.0.1 192.168.1.0/24 | ||
+ | |||
+ | acl SSL_ports port 443 # https | ||
+ | acl SSL_ports port 563 # snews | ||
+ | acl SSL_ports port 873 # rsync | ||
+ | acl Safe_ports port 80 # http | ||
+ | acl Safe_ports port 21 # ftp | ||
+ | acl Safe_ports port 443 # https | ||
+ | acl Safe_ports port 70 # gopher | ||
+ | acl Safe_ports port 210 # wais | ||
+ | acl Safe_ports port 1025-65535 # unregistered ports | ||
+ | acl Safe_ports port 280 # http-mgmt | ||
+ | acl Safe_ports port 488 # gss-http | ||
+ | acl Safe_ports port 591 # filemaker | ||
+ | acl Safe_ports port 777 # multiling http | ||
+ | acl Safe_ports port 631 # cups | ||
+ | acl Safe_ports port 873 # rsync | ||
+ | acl Safe_ports port 901 # SWAT | ||
+ | acl purge method PURGE | ||
+ | acl CONNECT method CONNECT | ||
+ | |||
+ | ###Nos ACL | ||
+ | #Notre réseau | ||
+ | acl lanhome src 192.168.1.0/255.255.255.0 | ||
+ | |||
+ | #Les domaines qui doivent passer par Tor | ||
+ | |||
+ | acl domain_tor dstdomain .google.fr | ||
+ | acl domain_tor dstdomain .google.com | ||
+ | acl domain_tor dstdomain .googleapis.com | ||
+ | acl domain_tor dstdomain .googleusercontent.com | ||
+ | acl domain_tor dstdomain .recaptcha.net | ||
+ | |||
+ | |||
+ | acl domain_tor dstdomain .fbcdn.net | ||
+ | acl domain_tor dstdomain .facebook.com | ||
+ | |||
+ | #yahoo | ||
+ | acl domain_tor dstdomain .yahoo.com | ||
+ | acl domain_tor dstdomain .yimg.com | ||
+ | acl domain_tor dstdomain .yahoo.fr | ||
+ | |||
+ | #torrent | ||
+ | acl domain_tor dstdomain .openbittorrent.com | ||
+ | |||
+ | #On définie le contrôle si c est un post ou pas | ||
+ | acl method_post method POST | ||
+ | |||
+ | #Le contrôle des extentions qui ne doivent pas être mises en cache | ||
+ | acl extention_no_cache url_regex \.iso$ \.mdf$ \.mkv$ \.mp4$ \.wma$ \.mp3$ \.wav$ \.flac$ \.torrent$ \.mpeg$ \.mpg$ \.exe$ \.vbs$ \.msi$ \.avi$ \.php$ \.php5$ \.php4$ \.php3$ \.html$ \.htm$ | ||
+ | #Si on veut que certaines extentions passent par tor | ||
+ | acl files_to_tor url_regex \.js$ \.css$ | ||
+ | #Si on veut que certaines extentions NE passent PAS par tor | ||
+ | acl files_NO_tor url_regex \.flv$ \.avi$ \.mpg$ \.mpeg$ \.wmv$ | ||
+ | |||
+ | ###L acces HTTP... Utilise donc les ACL définis plus haut. Je m'étend pas dessus | ||
+ | http_access allow manager localhost | ||
+ | http_access deny manager | ||
+ | # Only allow purge requests from localhost | ||
+ | http_access allow purge localhost | ||
+ | http_access deny purge | ||
+ | # Deny requests to unknown ports | ||
+ | http_access deny !Safe_ports | ||
+ | # Deny CONNECT to other than SSL ports | ||
+ | http_access deny CONNECT !SSL_ports | ||
+ | http_access allow lanhome | ||
+ | http_access allow localhost | ||
+ | |||
+ | # And finally deny all other access to this proxy | ||
+ | http_access deny all | ||
+ | |||
+ | ###Les ICP, protocole d'échange entre serveurs de cache | ||
+ | #Allow ICP queries from local networks only | ||
+ | icp_access allow localnet | ||
+ | icp_access deny all | ||
+ | |||
+ | |||
+ | ###Le port d'écoute ! Ici on dit qu'on prend le port 3128, qui écoute notre adresse. | ||
+ | #Transparent, signifie que le proxy accepte une redirection de port, ainsi qu'on ne soit pas obligé de spécifier de proxy dans le navigateur | ||
+ | http_port 192.168.2.1:3128 transparent | ||
+ | |||
+ | #Heu... | ||
+ | hierarchy_stoplist cgi-bin ? | ||
+ | |||
+ | #La mémoire utilisée | ||
+ | cache_mem 128 MB | ||
+ | maximum_object_size_in_memory 1 MB | ||
+ | |||
+ | ##Vous pouvez modifier l'emplacement des repertoires de log | ||
+ | access_log /var/log/squid/access.log squid | ||
+ | #access_log /home/hypathie/squid/squid_access.log squid | ||
+ | |||
+ | cache_log /var/log/squid/cache.log | ||
+ | #cache_log /home/[user]/squid/cache.log | ||
+ | |||
+ | |||
+ | cache_store_log /var/log/squid/store.log | ||
+ | cache_store_log /home/[user]/squid/store.log | ||
+ | |||
+ | ###Durée de cache en seconde. | ||
+ | refresh_pattern -i \.gif$ 10080 150% 43200 ignore-no-store override-expire override-lastmod ignore-reload ignore-no-cache ignore-must-revalidate | ||
+ | refresh_pattern -i \.flv$ 10080 150% 43200 ignore-no-store override-expire override-lastmod ignore-reload ignore-no-cache ignore-must-revalidate | ||
+ | refresh_pattern -i \.js$ 10080 150% 43200 ignore-no-store override-expire override-lastmod ignore-reload ignore-no-cache ignore-must-revalidate | ||
+ | refresh_pattern -i \.pdf$ 10080 90% 43200 ignore-no-store override-expire override-lastmod ignore-reload ignore-no-cache ignore-must-revalidate | ||
+ | refresh_pattern -i \.art$ 10080 150% 43200 ignore-no-store override-expire override-lastmod ignore-reload ignore-no-cache ignore-must-revalidate | ||
+ | refresh_pattern -i \.avi$ 10080 150% 40320 ignore-no-store override-expire override-lastmod ignore-reload ignore-no-cache ignore-must-revalidate | ||
+ | refresh_pattern -i \.mov$ 10080 150% 40320 ignore-no-store override-expire override-lastmod ignore-reload ignore-no-cache ignore-must-revalidate | ||
+ | refresh_pattern -i \.wav$ 10080 150% 40320 ignore-no-store override-expire override-lastmod ignore-reload ignore-no-cache ignore-must-revalidate | ||
+ | refresh_pattern -i \.mp3$ 10080 150% 40320 ignore-no-store override-expire override-lastmod ignore-reload ignore-no-cache ignore-must-revalidate | ||
+ | refresh_pattern -i \.qtm$ 10080 150% 40320 ignore-no-store override-expire override-lastmod ignore-reload ignore-no-cache ignore-must-revalidate | ||
+ | refresh_pattern -i \.mid$ 10080 150% 40320 ignore-no-store override-expire override-lastmod ignore-reload ignore-no-cache ignore-must-revalidate | ||
+ | refresh_pattern -i \.viv$ 10080 150% 40320 ignore-no-store override-expire override-lastmod ignore-reload ignore-no-cache ignore-must-revalidate | ||
+ | refresh_pattern -i \.mpg$ 10080 150% 40320 ignore-no-store override-expire override-lastmod ignore-reload ignore-no-cache ignore-must-revalidate | ||
+ | refresh_pattern -i \.jpg$ 10080 150% 40320 ignore-no-store override-expire override-lastmod ignore-reload ignore-no-cache ignore-must-revalidate | ||
+ | refresh_pattern -i \.jpeg$ 10080 150% 40320 ignore-no-store override-expire override-lastmod ignore-reload ignore-no-cache ignore-must-revalidate | ||
+ | refresh_pattern -i \.png$ 10080 150% 40320 ignore-no-store override-expire override-lastmod ignore-reload ignore-no-cache ignore-must-revalidate | ||
+ | refresh_pattern -i \.rar$ 10080 150% 40320 ignore-no-store override-expire override-lastmod ignore-reload ignore-no-cache ignore-must-revalidate | ||
+ | refresh_pattern -i \.ram$ 10080 150% 40320 ignore-no-store override-expire override-lastmod ignore-reload ignore-no-cache ignore-must-revalidate | ||
+ | refresh_pattern -i \.gif$ 10080 300% 40320 ignore-no-store override-expire override-lastmod ignore-reload ignore-no-cache ignore-must-revalidate | ||
+ | refresh_pattern -i \.txt$ 1440 100% 20160 ignore-no-store override-expire override-lastmod ignore-reload ignore-no-cache ignore-must-revalidate | ||
+ | refresh_pattern -i \.zip$ 2880 200% 40320 ignore-no-store override-expire override-lastmod ignore-reload ignore-no-cache ignore-must-revalidate | ||
+ | refresh_pattern -i \.arj$ 2880 200% 40320 ignore-no-store override-expire override-lastmod ignore-reload ignore-no-cache ignore-must-revalidate | ||
+ | refresh_pattern -i \.exe$ 2880 200% 40320 ignore-no-store override-expire override-lastmod ignore-reload ignore-no-cache ignore-must-revalidate | ||
+ | refresh_pattern -i \.tgz$ 10080 200% 40320 ignore-no-store override-expire override-lastmod ignore-reload ignore-no-cache ignore-must-revalidate | ||
+ | refresh_pattern -i \.gz$ 10080 200% 40320 ignore-no-store override-expire override-lastmod ignore-reload ignore-no-cache ignore-must-revalidate | ||
+ | refresh_pattern -i \.tgz$ 10080 200% 40320 ignore-no-store override-expire override-lastmod ignore-reload ignore-no-cache ignore-must-revalidate | ||
+ | refresh_pattern -i \.tar$ 10080 200% 40320 ignore-no-store override-expire override-lastmod ignore-reload ignore-no-cache ignore-must-revalidate | ||
+ | |||
+ | #Suggested default: | ||
+ | refresh_pattern ^ftp: 1440 20% 10080 | ||
+ | refresh_pattern ^gopher: 1440 0% 1440 | ||
+ | refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 | ||
+ | refresh_pattern (Release|Package(.gz)*)$ 0 20% 2880 | ||
+ | |||
+ | #refresh_pattern (\.deb|\.udeb)$ 129600 100% 129600 | ||
+ | refresh_pattern . 0 20% 4320 | ||
+ | |||
+ | ###ICI on peut spécifier un autre serveur DNS si on le souhaite | ||
+ | #dns_nameservers 89.233.43.71 89.104.194.142 | ||
+ | |||
+ | ##Changer la durée du cache des noms de domaine. | ||
+ | #positive_dns_ttl 48 hours | ||
+ | #negative_dns_ttl 1 minutes | ||
+ | |||
+ | # Don't upgrade ShoutCast responses to HTTP=>Heuuu | ||
+ | acl shoutcast rep_header X-HTTP09-First-Line ^ICY.[0-9] | ||
+ | upgrade_http0.9 deny shoutcast | ||
+ | |||
+ | # Apache to signal ETag correctly on such responses=>Heeuuu | ||
+ | acl apache rep_header Server ^Apache | ||
+ | broken_vary_encoding allow apache | ||
+ | |||
+ | # You can add up to 20 additional "extension" methods here. | ||
+ | extension_methods REPORT MERGE MKACTIVITY CHECKOUT | ||
+ | |||
+ | ###Les repertoires | ||
+ | hosts_file /etc/hosts | ||
+ | coredump_dir /var/spool/squid | ||
+ | ##le nom du proxy... | ||
+ | #visible_hostname not_your_business | ||
+ | |||
+ | #cache_dir ufs /home/[user]/squid/cache 1000 16 256 | ||
+ | cache_dir ufs /home/hypathie/cache/spool/squid3/ 100 16 256 | ||
+ | |||
+ | #La mémoire, demandez moi pas la différence | ||
+ | memory_pools_limit 256 MB | ||
+ | |||
+ | ### Cache | ||
+ | #On interdit de mettre en cache les extensions | ||
+ | #sans caches définis dans les ACL plus haut | ||
+ | #cache deny extention_no_cache | ||
+ | #cache allow src all | ||
+ | ### MULTIPLE CACHE | ||
+ | #Et oui, vous avez vu squid redirige soit vers privoxy un soit vers privoxy2. Il a donc #deux caches différents. | ||
+ | #On indique qu'il a quelqu'un derrière, il doit pas renvoyer directement le paquet sur #le net | ||
+ | #prefer_direct off | ||
+ | |||
+ | #never_direct deny SSL_ports | ||
+ | #never_direct allow all | ||
+ | |||
+ | # | ||
+ | </code> | ||
+ | |||
+ | |||