# squid.conf # To be used for Spacewalk Proxy servers. # http_port 8080 cache_mem 400 MB # cached images can be large maximum_object_size 10 GB maximum_object_size_in_memory 1024 KB access_log /var/log/squid/access.log squid # Size should be about 60% of your free space cache_dir aufs /var/cache/squid 15000 16 256 # Average object size, used to estimate number of objects your # cache can hold. The default is 13 KB. store_avg_object_size 817 KB # We want to keep the largest objects around longer, and just download the smaller objects if we can. cache_replacement_policy heap LFUDA memory_replacement_policy heap GDSF # cache repodata only few minutes and then query parent whether it is fresh refresh_pattern /XMLRPC/GET-REQ/.*/repodata/.*$ 0 1% 1440 reload-into-ims refresh-ims refresh_pattern /ks/.*/repodata/.*$ 0 1% 1440 reload-into-ims refresh-ims # salt minions get the repodata via a different URL refresh_pattern /rhn/manager/download/.*/repodata/.*$ 0 1% 1440 reload-into-ims refresh-ims # bootstrap repos needs to be handled as well refresh_pattern /pub/repositories/.*/repodata/.*$ 0 1% 1440 reload-into-ims refresh-ims refresh_pattern /pub/repositories/.*/venv-enabled-.*.txt$ 0 1% 1440 reload-into-ims refresh-ims # rpm will hardly ever change, force to cache it for very long time refresh_pattern \.rpm$ 10080 100% 525600 override-expire override-lastmod ignore-reload reload-into-ims refresh_pattern \.deb$ 10080 100% 525600 override-expire override-lastmod ignore-reload reload-into-ims # once downloaded images will never change. New image will have different revision number refresh_pattern /os-images/.*$ 10080 100% 525600 ignore-no-store ignore-reload ignore-private refresh_pattern /saltboot/.*$ 10080 100% 525600 ignore-no-store ignore-reload ignore-private # kernel and initrd are tied to images, will never change as well refresh_pattern /tftp/images/.*$ 10080 100% 525600 ignore-no-store ignore-reload ignore-private # rest of tftp are config files prone to change frequently refresh_pattern /tftp/.*$ 0 1% 1440 reload-into-ims refresh-ims refresh_pattern . 0 100% 525600 # secure squid # allow request only from localhost and to http and https ports acl all src all acl SSL_ports port 443 acl Safe_ports port 80 # http acl Safe_ports port 443 # https acl CONNECT method CONNECT http_access deny !Safe_ports http_access deny CONNECT !SSL_ports http_access allow localhost http_access deny all icp_access allow all miss_access allow all # if transport is canceled, finish downloading anyway quick_abort_pct -1 quick_abort_min -1 KB # when range is required, download whole file anyway # when we request rpm header, we will nearly always get # request for the rest of the file range_offset_limit none # we download only from 1 server, default is 1024 # which is too much for us fqdncache_size 4 pid_filename /run/squid/squid.pid