#  TAG: authenticate_cache_garbage_interval
#	The time period between garbage collection across the username cache.
#	This is a tradeoff between memory utilization (long intervals - say
#	2 days) and CPU (short intervals - say 1 minute). Only change if you
#	have good reason to.
#Default:
# authenticate_cache_garbage_interval 1 hour

#  TAG: authenticate_ttl
#	The time a user & their credentials stay in the logged in
#	user cache since their last request. When the garbage
#	interval passes, all user credentials that have passed their
#	TTL are removed from memory.
#Default:
# authenticate_ttl 1 hour

#  TAG: authenticate_ip_ttl
#	If you use proxy authentication and the 'max_user_ip' ACL,
#	this directive controls how long Squid remembers the IP
#	addresses associated with each user.  Use a small value
#	(e.g., 60 seconds) if your users might change addresses
#	quickly, as is the case with dialups.   You might be safe
#	using a larger value (e.g., 2 hours) in a corporate LAN
#	environment with relatively static address assignments.
#Default:
# authenticate_ip_ttl 0 seconds

# ACCESS CONTROLS
# -----------------------------------------------------------------------------

#  TAG: external_acl_type
#	This option defines external acl classes using a helper program
#	to look up the status
#
#	  external_acl_type name [options] FORMAT.. /path/to/helper [helper arguments..]
#
#	Options:
#
#	  ttl=n		TTL in seconds for cached results (default 3600,
#	  		i.e. 1 hour)
#	  negative_ttl=n
#	  		TTL for cached negative lookups (default same
#	  		as ttl)
#	  children=n	Number of acl helper processes spawned to service
#			external acl lookups of this type. (default 5)
#	  concurrency=n	concurrency level per process. Only used with helpers
#			capable of processing more than one query at a time.
#	  cache=n	result cache size, 0 is unbounded (default)
#	  grace=n	Percentage remaining of TTL where a refresh of a
#			cached entry should be initiated without needing to
#			wait for a new reply. (default 0 for no grace period)
#	  protocol=2.5	Compatibility mode for Squid-2.5 external acl helpers
#	  ipv4 / ipv6	IP-mode used to communicate to this helper.
#			For compatibility with older configurations and helpers
#			the default is currently 'ipv4'.
#
#	FORMAT specifications
#
#	  %LOGIN	Authenticated user login name
#	  %EXT_USER	Username from external acl
#	  %IDENT	Ident user name
#	  %SRC		Client IP
#	  %SRCPORT	Client source port
#	  %URI		Requested URI
#	  %DST		Requested host
#	  %PROTO	Requested protocol
#	  %PORT		Requested port
#	  %PATH		Requested URL path
#	  %METHOD	Request method
#	  %MYADDR	Squid interface address
#	  %MYPORT	Squid http_port number
#	  %PATH		Requested URL-path (including query-string if any)
#	  %USER_CERT	SSL User certificate in PEM format
#	  %USER_CERTCHAIN SSL User certificate chain in PEM format
#	  %USER_CERT_xx	SSL User certificate subject attribute xx
#	  %USER_CA_xx	SSL User certificate issuer attribute xx
#
#	  %>{Header}	HTTP request header "Header"
#	  %>{Hdr:member}
#	  		HTTP request header "Hdr" list member "member"
#	  %>{Hdr:;member}
#	  		HTTP request header list member using ; as
#	  		list separator. ; can be any non-alphanumeric
#			character.
#
#	  %<{Header}	HTTP reply header "Header"
#	  %<{Hdr:member}
#	  		HTTP reply header "Hdr" list member "member"
#	  %<{Hdr:;member}
#	  		HTTP reply header list member using ; as
#	  		list separator. ; can be any non-alphanumeric
#			character.
#
#	In addition to the above, any string specified in the referencing
#	acl will also be included in the helper request line, after the
#	specified formats (see the "acl external" directive)
#
#	The helper receives lines per the above format specification,
#	and returns lines starting with OK or ERR indicating the validity
#	of the request and optionally followed by additional keywords with
#	more details.
#
#	General result syntax:
#
#	  OK/ERR keyword=value ...
#
#	Defined keywords:
#
#	  user=		The user's name (login)
#	  password=	The user's password (for login= cache_peer option)
#	  message=	Message describing the reason. Available as %o
#	  		in error pages
#	  tag=		Apply a tag to a request (for both ERR and OK results)
#	  		Only sets a tag, does not alter existing tags.
#	  log=		String to be logged in access.log. Available as
#	  		%ea in logformat specifications
#
#	If protocol=3.0 (the default) then URL escaping is used to protect
#	each value in both requests and responses.
#
#	If using protocol=2.5 then all values need to be enclosed in quotes
#	if they may contain whitespace, or the whitespace escaped using \.
#	And quotes or \ characters within the keyword value must be \ escaped.
#
#	When using the concurrency= option the protocol is changed by
#	introducing a query channel tag in front of the request/response.
#	The query channel tag is a number between 0 and concurrency-1.
#Default:
# none

#  TAG: acl
#	Defining an Access List
#
#	Every access list definition must begin with an aclname and acltype, 
#	followed by either type-specific arguments or a quoted filename that
#	they are read from.
#
#	   acl aclname acltype argument ...
#	   acl aclname acltype "file" ...
#
#	When using "file", the file should contain one item per line.
#
#	By default, regular expressions are CASE-SENSITIVE.  To make
#	them case-insensitive, use the -i option.
#
#	Some acl types require suspending the current request in order
#	to access some external data source.
#	Those which do are marked with the tag [slow], those which
#	don't are marked as [fast].
#	See http://wiki.squid-cache.org/SquidFaq/SquidAcl
#	for further information
#
#	***** ACL TYPES AVAILABLE *****
#
#	acl aclname src ip-address/netmask ...	# client's IP address [fast]
#	acl aclname src addr1-addr2/netmask ...	# range of addresses [fast]
#	acl aclname dst ip-address/netmask ...	# URL host's IP address [slow]
#	acl aclname myip ip-address/netmask ...	# local socket IP address [fast]
#
#	acl aclname arp      mac-address ... (xx:xx:xx:xx:xx:xx notation)
#	  # The arp ACL requires the special configure option --enable-arp-acl.
#	  # Furthermore, the ARP ACL code is not portable to all operating systems.
#	  # It works on Linux, Solaris, Windows, FreeBSD, and some
#	  # other *BSD variants.
#	  # [fast]
#	  #
#	  # NOTE: Squid can only determine the MAC address for clients that are on
#	  # the same subnet. If the client is on a different subnet,
#	  # then Squid cannot find out its MAC address.
#
#	acl aclname srcdomain   .foo.com ...
#	  # reverse lookup, from client IP [slow]
#	acl aclname dstdomain   .foo.com ...
#	  # Destination server from URL [fast]
#	acl aclname srcdom_regex [-i] \.foo\.com ...
#	  # regex matching client name [slow]
#	acl aclname dstdom_regex [-i] \.foo\.com ...
#	  # regex matching server [fast]
#	  #
#	  # For dstdomain and dstdom_regex a reverse lookup is tried if an
#	  # IP-based URL is used and no match is found. The name "none" is
#	  # used if the reverse lookup fails.
#
#	acl aclname src_as number ...
#	acl aclname dst_as number ...
#	  # [fast]
#	  # Except for access control, AS numbers can be used for
#	  # routing of requests to specific caches. Here's an
#	  # example for routing all requests for AS#1241 and only
#	  # those to mycache.mydomain.net:
#	  # acl asexample dst_as 1241
#	  # cache_peer_access mycache.mydomain.net allow asexample
#	  # cache_peer_access mycache_mydomain.net deny all
#
#	acl aclname peername myPeer ...
#	  # [fast]
#	  # match against a named cache_peer entry
#	  # set unique name= on cache_peer lines for reliable use.
#
#	acl aclname time [day-abbrevs] [h1:m1-h2:m2]
#	  # [fast]
#	  #  day-abbrevs:
#	  #	S - Sunday
#	  #	M - Monday
#	  #	T - Tuesday
#	  #	W - Wednesday
#	  #	H - Thursday
#	  #	F - Friday
#	  #	A - Saturday
#	  #  h1:m1 must be less than h2:m2
#
#	acl aclname url_regex [-i] ^http:// ...
#	  # regex matching on whole URL [fast]
#	acl aclname urlpath_regex [-i] \.gif$ ...
#	  # regex matching on URL path [fast]
#
#	acl aclname port 80 70 21 0-1024...   # destination TCP port [fast]
#	                                      # ranges are allowed
#	acl aclname myport 3128 ...	          # local socket TCP port [fast]
#	acl aclname myportname 3128 ...       # http(s)_port name [fast]
#
#	acl aclname proto HTTP FTP ...        # request protocol [fast]
# 
#	acl aclname method GET POST ...       # HTTP request method [fast]
#
#	acl aclname http_status 200 301 500- 400-403 ... 
#	  # status code in reply [fast]
#
#	acl aclname browser [-i] regexp ...
#	  # pattern match on User-Agent header (see also req_header below) [fast]
#
#	acl aclname referer_regex [-i] regexp ...
#	  # pattern match on Referer header [fast]
#	  # Referer is highly unreliable (it is client-supplied), so use with care
#
#	acl aclname ident username ...
#	acl aclname ident_regex [-i] pattern ...
#	  # string match on ident output [slow]
#	  # use REQUIRED to accept any non-null ident.
#
#	acl aclname proxy_auth [-i] username ...
#	acl aclname proxy_auth_regex [-i] pattern ...
#	  # perform http authentication challenge to the client and match against
#	  # supplied credentials [slow]
#	  #
#	  # takes a list of allowed usernames.
#	  # use REQUIRED to accept any valid username.
#	  #
#	  # Will use proxy authentication in forward-proxy scenarios, and plain
#	  # http authentication in reverse-proxy scenarios
#	  #
#	  # NOTE: when a Proxy-Authentication header is sent but it is not
#	  # needed during ACL checking the username is NOT logged
#	  # in access.log.
#	  #
#	  # NOTE: proxy_auth requires an EXTERNAL authentication program
#	  # to check username/password combinations (see the
#	  # auth_param directive).
#	  #
#	  # NOTE: proxy_auth can't be used in a transparent/intercepting proxy
#	  # as the browser needs to be configured for using a proxy in order
#	  # to respond to proxy authentication.
#
#	acl aclname snmp_community string ...
#	  # A community string to limit access to your SNMP Agent [fast]
#	  # Example:
#	  #
#	  #	acl snmppublic snmp_community public
#
#	acl aclname maxconn number
#	  # This will be matched when the client's IP address has
#	  # more than <number> TCP connections established. [fast]
#	  # NOTE: This only measures direct TCP links so X-Forwarded-For
#	  # indirect clients are not counted.
#
#	acl aclname max_user_ip [-s] number
#	  # This will be matched when the user attempts to log in from more
#	  # than <number> different ip addresses. The authenticate_ip_ttl
#	  # parameter controls the timeout on the ip entries. [fast]
#	  # If -s is specified the limit is strict, denying browsing
#	  # from any further IP addresses until the ttl has expired. Without
#	  # -s Squid will just annoy the user by "randomly" denying requests.
#	  # (the counter is reset each time the limit is reached and a
#	  # request is denied)
#	  # NOTE: in acceleration mode or where there is a mesh of child proxies,
#	  # clients may appear to come from multiple addresses if they are
#	  # going through proxy farms, so a limit of 1 may cause user problems.
#
#	acl aclname req_mime_type [-i] mime-type ...
#	  # regex match against the mime type of the request generated
#	  # by the client. Can be used to detect file uploads or some
#	  # types of HTTP tunneling requests [fast]
#	  # NOTE: This does NOT match the reply. You cannot use this
#	  # to match the returned file type.
#
#	acl aclname req_header header-name [-i] any\.regex\.here
#	  # regex match against any of the known request headers.  May be
#	  # thought of as a superset of "browser", "referer" and "mime-type"
#	  # ACL [fast]
#
#	acl aclname rep_mime_type [-i] mime-type ...
#	  # regex match against the mime type of the reply received by
#	  # squid. Can be used to detect file downloads or some
#	  # types of HTTP tunneling requests. [fast]
#	  # NOTE: This has no effect in http_access rules. It only has
#	  # effect in rules that affect the reply data stream such as
#	  # http_reply_access.
#
#	acl aclname rep_header header-name [-i] any\.regex\.here
#	  # regex match against any of the known reply headers. May be
#	  # thought of as a superset of "browser", "referer" and "mime-type"
#	  # ACLs [fast]
#
#	acl aclname external class_name [arguments...]
#	  # external ACL lookup via a helper class defined by the
#	  # external_acl_type directive [slow]
#
#	acl aclname user_cert attribute values...
#	  # match against attributes in a user SSL certificate
#	  # attribute is one of DN/C/O/CN/L/ST [fast]
#
#	acl aclname ca_cert attribute values...
#	  # match against attributes of a user's issuing CA SSL certificate
#	  # attribute is one of DN/C/O/CN/L/ST [fast]
#
#	acl aclname ext_user username ...
#	acl aclname ext_user_regex [-i] pattern ...
#	  # string match on username returned by external acl helper [slow]
#	  # use REQUIRED to accept any non-null user name.
#
#	acl aclname tag tagvalue ...
#	  # string match on tag returned by external acl helper [slow]
#
#	Examples:
#		acl macaddress arp 09:00:2b:23:45:67
#		acl myexample dst_as 1241
#		acl password proxy_auth REQUIRED
#		acl fileupload req_mime_type -i ^multipart/form-data$
#		acl javascript rep_mime_type -i ^application/x-javascript$
#
#Default:
# acl all src all
#
#
# Recommended minimum configuration:
#
acl manager proto cache_object	# requests using the cache_object:// protocol (Squid cache manager) [fast, see "proto" above]
acl localhost src 127.0.0.1/32 ::1	# client source is the IPv4 or IPv6 loopback address [fast]
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1	# URL host resolves to a loopback/unspecified address; "dst" is [slow]. NOTE(review): presumably referenced by an http_access deny rule later in the file — confirm

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed. Repeated "acl localnet src" lines all extend the
# same "localnet" ACL; remove ranges that are not yours rather than
# leaving the full RFC1918 set enabled by default.
acl localnet src 10.0.0.0/8	# RFC1918 possible internal network
acl localnet src 172.16.0.0/12	# RFC1918 possible internal network
acl localnet src 192.168.0.0/16	# RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

