squid.conf

#
# Recommended minimum configuration:
#

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed

visible_hostname proxy
dns_nameservers 8.8.8.8 1.1.1.1
max_filedescriptors 320
#logformat squid-cs %{%Y-%m-%d %H:%M:%S}tl %3tr %>a %Ss/%03>Hs %<st %rm %>ru %un %Sh/%<a %mt "%{User-Agent}>h" "SQUID-CS" %>st %note
#access_log /cygdrive/c/Squid/var/log/squid/access.log squid-cs

#hosts_file hosts.txt

dns_v4_first on
forwarded_for on
debug_options ALL,1

coredump_dir /cygdrive/c/Squid/var/cache/squid
###
acl intermediate_fetching transaction_initiator certificate-fetching
http_access allow intermediate_fetching

acl localnet src 10.0.0.0/8	# RFC1918 possible internal network
acl localnet src 172.16.0.0/12	# RFC1918 possible internal network
acl localnet src 192.168.0.0/16	# RFC1918 possible internal network
acl localnet src 198.51.100.0/24
acl localnet src 192.88.99.0/24
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443 3128 3129
acl Safe_ports port 80		# http
acl Safe_ports port 21		# ftp
acl Safe_ports port 443		# https
acl Safe_ports port 70		# gopher
acl Safe_ports port 210		# wais
acl Safe_ports port 1025-65535	# unregistered ports
acl Safe_ports port 280		# http-mgmt
acl Safe_ports port 488		# gss-http
acl Safe_ports port 591		# filemaker
acl Safe_ports port 777		# multiling http
acl CONNECT method CONNECT

http_access allow localhost manager
http_access deny manager

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

http_access allow localnet
http_access allow localhost
http_access deny all

# Squid normally listens to port 3128
#http_port 198.51.100.81:3128


#################################
# ap, recent post 3.5:
always_direct allow all

acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump none localhost
ssl_bump bump all
#ssl_bump stare all

sslproxy_cert_error allow all

# openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -extensions v3_ca -subj "/C=IL/ST=BUH/L=BUH/O=IR/CN=DC-1.ir.local" -keyout dc1.key -out dc1.crt -config openssl.cnf
# openssl x509 -in dc1.pem -outform DER -out dc1.der
#  for cmd line: http_port 3128 ssl-bump cert=squid.pem key=/cygdrive/d/Squid/etc/ssl/squid.key ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=20MB cert=/cygdrive/c/Squid/etc/ssl/dc1.crt key=/cygdrive/c/Squid/etc/ssl/dc1.key sslflags=NO_DEFAULT_CA
#https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=myca.crt key=myca.key sslflags=NO_DEFAULT_CA
#sslflags=NO_DEFAULT_CA

#c:\Squid\lib\squid\security_file_certgen.exe -c -s c:\Squid\var\cache\squid\squid_ssldb -M 20MB
sslcrtd_program /cygdrive/c/Squid/lib/squid/security_file_certgen.exe -s /cygdrive/c/Squid/var/cache/squid/squid_ssldb -M 20MB

# Uncomment the line below to enable disk caching - path format is /cygdrive/<full path to cache folder>, i.e.
#cache_dir aufs /cygdrive/c/squid/cache 3000 16 256


# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:		1440	20%	10080
refresh_pattern ^gopher:	1440	0%	1440
refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
refresh_pattern .		0	20%	4320

icap_enable on
icap_persistent_connections off
icap_preview_enable off
#icap_preview_size 1024
icap_send_client_username on
icap_client_username_encode on
icap_client_username_header X-Authenticated-User
icap_service service_resp respmod_precache icap://192.168.102.253:1344/sandblast bypass=1
icap_service service_req reqmod_precache icap://192.168.102.253:1344/sandblast bypass=1
adaptation_access service_resp allow all
adaptation_access service_req allow all