1个squid3.2配置

kkkggg

备忘一下
freebsd+squid透明代理
限制普通用户在工作时间的下载文件类型、文件大小、网址。

1. #
   
2. # Recommended minimum configuration:
   
3. #
   
4. 
   
5. # Example rule allowing access from your local networks.
   
6. # Adapt to list your (internal) IP networks from where browsing
   
7. # should be allowed
   
8. acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
   
9. acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
   
10. acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
    
11. acl localnet src fc00::/7 # RFC 4193 local private network range
    
12. acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
    
13. 
    
14. acl SSL_ports port 443
    
15. acl Safe_ports port 80 # http
    
16. acl Safe_ports port 21 # ftp
    
17. acl Safe_ports port 443 # https
    
18. acl Safe_ports port 70 # gopher
    
19. acl Safe_ports port 210 # wais
    
20. acl Safe_ports port 1025-65535 # unregistered ports
    
21. acl Safe_ports port 280 # http-mgmt
    
22. acl Safe_ports port 488 # gss-http
    
23. acl Safe_ports port 591 # filemaker
    
24. acl Safe_ports port 777 # multiling http
    
25. acl CONNECT method CONNECT
    
26. acl unlimited_client src 10.0.1.32/32
    
27. acl working_time_am time MTWHFA 6:30-12:20
    
28. acl working_time_pm time MTWHFA 12:50-18:10
    
29. acl working_website dstdom_regex -i 10086.cn 95599.cn abchina.com adobe.com apple.com avg.com avira.com boc.cn ccb.com cgbchina.com.cn cmbchina.com fetion.com.cn gov.cn gov.hk icbc.com iegallery.com live.com maps.google.com(\.hk)? microsoft.com mozilla.net mydrivers.com passport.net psbc.com translate.google.com(\.hk)? web.qq.com (www[0-9]?\.)+baidu.com www.google.com(\.hk)? ydstatic.com youdao.com
    
30. acl prohibited_url url_regex -i ://(.+\.)*56.com/ ://(.+\.)*cntv.cn/ ://(.+\.)*funshion.com/ ://(.+\.)*haoetv.com/ ://(.+\.)*imgo.tv/ ://(.+\.)*joy.cn/ ://(.+\.)*jstv.com/ ://(.+\.)*ku6.com/ ://(.+\.)*letv.com/ ://(.+\.)*pipi.cn/ ://(.+\.)*pps.tv/ ://(.+\.)*pptv.com/ ://(.+\.)*qiyi.com/ ://(.+\.)*game.qq.com/ ://(.+\.)*qqgame.qq.com ://(.+\.)*user.qzone.qq.com/ ://(.+\.)*qzone.com/ ://(.+\.)*soku.com/ ://(.+\.)*tudou.com/ ://(.+\.)*tv.sohu.com/ ://(.+\.)*uusee.com/ ://(.+\.)*video.baidu.com/ ://(.+\.)*xunlei.com/ ://(.+\.)*youku.com/
    
31. acl general_client src 10.0.0.2-10.0.2.254/32
    
32. acl limited_client src 10.0.2.5/32
    
33. acl prohibited_file_types urlpath_regex -i \.avi$ \.bat$ \.exe$ \.flv$ \.gz$ \.mp3$ \.mp4$ \.mpeg$ \.mpg$ \.pif$ \.ra$ \.rar$ \.rm$ \.rmvb$ \.wma$ \.wmv$ \.wav$ \.zip$
    
34. acl no_cache url_regex -i ://(.+\.)*szaic.gov.cn/
    
35. 
    
36. #
    
37. # Recommended minimum Access Permission configuration:
    
38. #
    
39. # Only allow cachemgr access from localhost
    
40. http_access allow manager localhost
    
41. http_access deny manager
    
42. 
    
43. # Deny requests to certain unsafe ports
    
44. http_access deny !Safe_ports
    
45. 
    
46. # Deny CONNECT to other than secure SSL ports
    
47. http_access deny CONNECT !SSL_ports
    
48. 
    
49. # We strongly recommend the following be uncommented to protect innocent
    
50. # web applications running on the proxy server who think the only
    
51. # one who can access services on "localhost" is a local user
    
52. #http_access deny to_localhost
    
53. 
    
54. #
    
55. # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
    
56. #
    
57. 
    
58. # Example rule allowing access from your local networks.
    
59. # Adapt localnet in the ACL section to list your (internal) IP networks
    
60. # from where browsing should be allowed
    
61. http_access allow localhost
    
62. http_access allow unlimited_client
    
63. http_access allow working_website
    
64. http_access deny working_time_am prohibited_url general_client
    
65. http_access deny working_time_pm prohibited_url general_client
    
66. http_access deny working_time_am general_client prohibited_file_types
    
67. http_access deny working_time_pm general_client prohibited_file_types
    
68. http_access deny limited_client
    
69. http_access allow all
    
70. 
    
71. # And finally deny all other access to this proxy
    
72. 
    
73. # Squid normally listens to port 3128
    
74. http_port 3128 transparent
    
75. 
    
76. # Uncomment and adjust the following to add a disk cache directory.
    
77. #cache_dir ufs /var/squid/cache 100 16 256
    
78. cache_dir ufs /var/squid/cache 10000 16 256
    
79. 
    
80. # Leave coredumps in the first cache dir
    
81. coredump_dir /var/squid/cache
    
82. 
    
83. # Add any of your own refresh_pattern entries above these.
    
84. refresh_pattern ^ftp:                1440        20%        10080
    
85. refresh_pattern ^gopher:        1440        0%        1440
    
86. refresh_pattern -i (/cgi-bin/|\?) 0        0%        0
    
87. refresh_pattern .                0        20%        4320
    
88. cache_effective_user squid
    
89. cache_effective_group squid
    
90. reply_body_max_size 10 MB working_time_am general_client !working_website !unlimited_client
    
91. reply_body_max_size 10 MB working_time_pm general_client !working_website !unlimited_client
    
92. forwarded_for off
    
93. cache deny no_cache
    
94. 
    
95. visible_hostname node1
    

复制代码

上面是用webmin的官方squid模块生成的。设置下载文件大小限制是在Cache Options页面的
Maximum reply body sizes         　　　Size (kB)         For requests matching ACLs (leave empty for all)
这项下面。这个可以限制网页上的视频，不用知道网址也能限制。
第1个框填文件大小数字(纯数字，不要加单位)。第二个框最前面要填文件大小的单位(例如MB),接着是acl选择项。
例如：
10    MB working_time_am general_client !working_website !unlimited_client
10    MB working_time_pm general_client !working_website !unlimited_client
上面两行用途是限制普通用户在工作时间访问超过10MB大小的非工作网站。这样超过10MB大小的网页视频就打不开了。