I have an infrastructure with a DMZ where the Squid proxy is housed, and internal machines that go out through that proxy. The configuration is as follows:
```
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 0.0.0.1-0.255.255.255  # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8             # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10          # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16         # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12          # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16         # RFC 1918 local private network (LAN)
acl localnet src fc00::/7               # RFC 4193 local private network range
acl localnet src fe80::/10              # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
include /etc/squid/conf.d/*.conf

# For example, to allow access from your local networks, you may uncomment the
# following rule (and/or add rules that match your definition of "local"):
http_access allow localnet
http_access allow localhost

# RULE or ACL TO PERFORM DOWNLOADS
#http_access allow all
acl all_updates url_regex -i "/etc/squid/all_updates"
http_access allow all_updates

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern \/(Packages|Sources)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims
refresh_pattern \/Release(|\.gpg)$ 0 0% 0 refresh-ims
refresh_pattern \/InRelease$ 0 0% 0 refresh-ims
refresh_pattern \/(Translation-.*)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims
# example pattern for deb packages
#refresh_pattern (\.deb|\.udeb)$   129600 100% 129600
refresh_pattern .               0       20%     4320
```
But when trying to update the machine, I get these errors:

```
failed to fetch http://archive.ubuntu.com/ubuntu/dist/jammy-security/inrelease 403 Forbidden IP ...
```

I request your collaboration to resolve this error, many thanks.
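Added example, not part of the question or of Squid's own code: a small Python model of how Squid walks the `http_access` lines, useful for reasoning about where a 403 comes from before touching the live proxy. It assumes a trimmed copy of the policy above, a constructed stand-in for the contents of `/etc/squid/all_updates` (the real file's contents are not shown in the post), and approximations of Squid's built-in `all` and `CONNECT` ACLs. It shows first-match evaluation with `!` negation, the default-is-opposite-of-the-last-line behaviour when nothing matches, and one caveat worth checking in that file: a `url_regex` entry such as `archive.ubuntu.com` is an unanchored, case-insensitive search over the whole URL, so it also matches that string appearing in the path of a URL on some other host, whereas a `dstdomain` list matches the destination host only.

```python
"""Toy evaluator for Squid http_access rules (added example, not Squid's code).
Rules are tried top to bottom, every ACL on a line must match ('!' negates),
the first matching line decides, and with no match the verdict is the opposite
of the last line's action. ACL types: src, port, method, dstdomain, url_regex."""
import ipaddress
import re
from urllib.parse import urlsplit

BUILTIN_CONFIG = """
acl all src 0.0.0.0/0 ::/0
acl CONNECT method CONNECT
"""  # minimal stand-ins for the ACLs Squid predefines (approximation)

def _ip_in(value, ip):  # src value: 'all', a CIDR/address, or a dotted range a-b
    if value == "all":
        return True
    if "-" in value:
        lo, hi = (ipaddress.ip_address(v) for v in value.split("-", 1))
        return lo.version == ip.version and lo <= ip <= hi
    net = ipaddress.ip_network(value, strict=False)
    return net.version == ip.version and ip in net

def request_parts(method, url):  # (host, port) as Squid sees them
    if method == "CONNECT":  # CONNECT carries only host:port
        host, _, port = url.rpartition(":")
        return host.lower(), int(port)
    u = urlsplit(url)
    return (u.hostname or "").lower(), u.port or (443 if u.scheme == "https" else 80)

class SquidAccess:
    def __init__(self, config_text, files=None):
        self.files = files or {}  # path -> body, used instead of reading disk
        self.acls, self.rules = {}, []  # name -> (type, values); [(action, [(negated, acl)])]
        for raw in (BUILTIN_CONFIG + config_text).splitlines():
            words = raw.split("#", 1)[0].split()
            if words and words[0] == "acl":
                self._add_acl(words[1], words[2], words[3:])
            elif words and words[0] == "http_access":
                self.rules.append((words[1], [(w[0] == "!", w.lstrip("!")) for w in words[2:]]))

    def _add_acl(self, name, kind, tokens):
        flags = [t for t in tokens if t.startswith("-")]
        values = []
        for t in (t for t in tokens if not t.startswith("-")):
            if t.startswith('"'):  # "file": one value per line, '#' lines are comments
                lines = map(str.strip, self.files[t.strip('"')].splitlines())
                values += [s for s in lines if s and s[0] != "#"]
            else:
                values.append(t)
        if kind == "url_regex":
            values = [re.compile(v, re.I if "-i" in flags else 0) for v in values]
        self.acls.setdefault(name, (kind, []))[1].extend(values)

    def _matches(self, name, src, method, url):
        kind, values = self.acls[name]
        host, port = request_parts(method, url)
        if kind == "src":
            return any(_ip_in(v, ipaddress.ip_address(src)) for v in values)
        if kind == "port":  # single port or lo-hi range
            return any(int(v.partition("-")[0]) <= port <= int(v.partition("-")[2] or v) for v in values)
        if kind == "method":
            return method in values
        if kind == "dstdomain":  # a leading dot also matches subdomains
            return any(host == v.lstrip(".") or (v[0] == "." and host.endswith(v)) for v in values)
        if kind == "url_regex":  # unanchored search over the whole URL
            return any(p.search(url) for p in values)
        raise ValueError(f"unsupported acl type: {kind}")

    def decide(self, src, method, url):  # -> (action, reason)
        for i, (action, terms) in enumerate(self.rules, 1):
            if all(self._matches(n, src, method, url) != neg for neg, n in terms):
                return action, f"rule {i}: http_access {action} " + " ".join("!" * neg + n for neg, n in terms)
        last = self.rules[-1][0] if self.rules else "deny"
        return ("deny" if last == "allow" else "allow"), "no rule matched: opposite of the last rule"

# Constructed, trimmed copy of the question's policy; the url_regex file is the part under test.
DEMO_CONFIG = """
acl localnet src 10.0.0.0/8
acl SSL_ports port 443
http_access deny CONNECT !SSL_ports
http_access allow localnet
acl all_updates url_regex -i "/etc/squid/all_updates"
http_access allow all_updates
http_access deny all
"""
DEMO_FILES = {"/etc/squid/all_updates": "archive.ubuntu.com\nsecurity.ubuntu.com\n"}  # constructed stand-in
HARDENED_CONFIG = DEMO_CONFIG.replace(  # same policy, but dstdomain matches the host, not a substring
    'acl all_updates url_regex -i "/etc/squid/all_updates"\nhttp_access allow all_updates',
    "acl ubuntu_mirrors dstdomain archive.ubuntu.com security.ubuntu.com\nhttp_access allow ubuntu_mirrors")

def demo():  # allow/deny verdicts for a few requests against both policies
    url = "http://archive.ubuntu.com/ubuntu/dists/jammy-security/InRelease"
    other_host = "http://mirror.example/archive.ubuntu.com/InRelease"  # path embeds the string
    squid, hardened = SquidAccess(DEMO_CONFIG, DEMO_FILES), SquidAccess(HARDENED_CONFIG, DEMO_FILES)
    return {
        "lan_client": squid.decide("10.0.0.5", "GET", url)[0],
        "non_lan_client": squid.decide("203.0.113.7", "GET", url)[0],
        "connect_8080": squid.decide("10.0.0.5", "CONNECT", "archive.ubuntu.com:8080")[0],
        "other_host_url_regex": squid.decide("203.0.113.7", "GET", other_host)[0],
        "other_host_dstdomain": hardened.decide("203.0.113.7", "GET", other_host)[0],
    }
```

Call `decide()` with the client address shown in the 403 line and the exact URL apt requested to see which line produced the verdict; `squid -k parse` on the proxy checks the syntax of the real file but says nothing about which rule a request hits.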