Squid + AD Auth

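# ---- Listening ports ---------------------------------------------------
# Normal (explicit) proxy.
# NOTE(review): the port number is missing from this line as shown; the
# intercept variant below and the PAC file both use 3128, so this is
# presumably "http_port 3128 ssl-bump ...". Confirm before deploying.
http_port ssl-bump generate-host-certificates=off dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl/proxy.mydomain.com.pem
# Transparent (intercept) proxy, disabled.
#http_port 3128 intercept
#https_port 3129 intercept ssl-bump connection-auth=off generate-host-certificates=off dynamic_cert_mem_cache_size=4MB sslflags=NO_DEFAULT_CA cert=/etc/squid/ssl/proxy.mydomain.com.pem

always_direct allow all

# NOTE(review): these two lines switch off validation of origin-server
# certificates. With the ssl_bump rules below (peek at step 1, then
# terminate or splice) Squid does not complete its own TLS handshake with
# the origin, so they appear to be inert today - but they become a silent
# "accept any certificate" hole the moment a "ssl_bump bump" rule is added.
# Prefer removing them and fixing the CA bundle instead.
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER

# TLS blacklist by SNI; the same file is used as a dstdomain ACL for plain
# HTTP further down.
acl blocked ssl::server_name "/etc/squid/db/dst-blacklist.txt"

# method 1 (three-step peek, kept for reference)
#acl step1 at_step SslBump1
#acl step2 at_step SslBump2
#acl step3 at_step SslBump3
#ssl_bump peek step1 all
#ssl_bump peek step2 all
#ssl_bump terminate step3 blocked
#ssl_bump splice step3 all

# method 2: read the SNI from the ClientHello, drop blacklisted names,
# tunnel everything else untouched.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump terminate blocked
ssl_bump splice all

# workers = number of CPUs - 1
workers 3
max_filedesc 65535
# Do not forget to set: ulimit -HSn 65535

cache deny all
#cache_mem 0 GB
memory_pools on
memory_pools_limit 0 MB

# Hide the server identity; strip Via / X-Forwarded-For on the way out.
httpd_suppress_version_string on
visible_hostname proxy.mydomain.com
via off
forwarded_for delete
# Do not trust X-Forwarded-For sent by clients. The previous value
# ("allow all") let any client set the header to 127.0.0.1 or to a
# whitelisted address and be evaluated as that address by the src ACLs
# below (localhost/manager, src-whitelist), because acl_uses_indirect_client
# is on by default. Allow it only for trusted upstream proxies, if any.
follow_x_forwarded_for deny all


# Kaspersky antivirus
#icap_enable on
#icap_send_client_ip on
#icap_service is_kav_resp respmod_precache 0 icap://
#icap_service is_kav_req reqmod_precache 0 icap://
#adaptation_access is_kav_req allow all
#adaptation_access is_kav_resp allow all

# NTLM auth
#auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=MYDOMAIN
#auth_param ntlm children 100 startup=5 idle=1
#auth_param ntlm keep_alive off
#authenticate_ttl 1 hour
#authenticate_cache_garbage_interval 10 seconds
#authenticate_ip_ttl 60 seconds
#acl AUTH proxy_auth REQUIRED
#external_acl_type nt_group ttl=10 ipv4 %LOGIN /usr/lib64/squid/ext_wbinfo_group_acl

# Traffic shaping
#acl shaper src
#delay_pools 1
#delay_class 1 1
#delay_parameters 1 655360/655360
#delay_access 1 allow shaper

# NOTE(review): the address lists for localnet and zabbix are empty as
# shown (probably lost when this page was exported); Squid will not start
# without values. Note also that localnet is a *dst* ACL, i.e. it names
# destination networks, not the clients allowed to use the proxy.
acl localnet  dst
acl localnet  dst
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl Safe_ports port 21
acl Safe_ports port 1025-65535

acl dst-blacklist dstdomain "/etc/squid/db/dst-blacklist.txt"
# url_regex: every line of this file is interpreted as a regular
# expression, so the update script must only ever write plain ".host"
# entries here - a stray ".*" or an unbalanced pattern affects all traffic.
acl dst-adblock   url_regex "/etc/squid/db/dst-adblock.txt"
acl src-whitelist src "/etc/squid/db/src-whitelist.txt"

# SNMP for monitoring. "public" is the well-known default community and
# is the only credential SNMPv1/v2c has - change it in both Squid and the
# monitoring side.
acl snmpcom snmp_community public
acl zabbix src
snmp_port 3401
snmp_access allow snmpcom localhost
snmp_access allow snmpcom zabbix
snmp_access deny all

## allow all traffic for all
# http_access allow all localnet

http_access allow localhost manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny  manager
http_access deny  dst-adblock
http_access deny  dst-blacklist !src-whitelist
# NOTE(review): the proxy used to "http_access allow all" here, which
# (a) made the trailing "deny all" unreachable and (b) let any source that
# can reach the listening port use the proxy - there is no client src ACL
# in this file at all. Fill in the client networks below (or re-enable the
# AUTH rules) before exposing this beyond a firewalled LAN.
acl localclients src REPLACE_WITH_CLIENT_NETWORKS
http_access allow localclients
#http_access     allow    AUTH            allow_ips_noauth
#http_access     allow    AUTH            inet_users usersnet
http_access deny all

# NOTE(review): deny_adv, deny_virus, deny_porno, deny_popular, deny_warez,
# deny_torrents, deny_anonim and deny_mail are not defined anywhere in this
# file - confirm they come from an included file, otherwise Squid rejects
# the deny_info lines.
deny_info ERR_ZERO_SIZE_OBJECT    deny_adv deny_virus
deny_info ERR_CACHE_ACCESS_DENIED deny_porno deny_popular deny_warez deny_torrents deny_anonim deny_mail
deny_info ERR_ACCESS_DENIED       all

# Reply size (%<st) and server address (%<a) appeared split by a space
# ("%< st", "%< a"), which is not a valid format code; restored.
logformat squid %tl %ul %>a %Ss/%03>Hs %<st %rm %ru %<a %mt
access_log /var/log/squid/access.log squid
access_log syslog:squid.info squid

coredump_dir /var/spool/squid

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320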

Adblock lists autoupdate (_update.adblock.lists.sh)

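#!/bin/sh
# _update.adblock.lists.sh - rebuild /etc/squid/db/dst-adblock.txt from
# public block lists (malware hosts file + EasyList / EasyPrivacy / RuAdList).
#
# The result feeds "acl dst-adblock url_regex", where every line is taken
# as a regular expression. Only entries of the form ".host" built from
# [A-Za-z0-9._-] are therefore let through; anything else coming out of the
# downloaded lists is dropped instead of becoming an arbitrary regex in Squid.
#
# A failed download or an empty result aborts the run and leaves the
# current list untouched; the previous version appended to a fixed
# /tmp/t.acl and overwrote the list even after a failed wget.
set -eu

db_dir=/etc/squid/db
cd "$db_dir"

# Private scratch directory instead of fixed, predictable names in /tmp.
work=$(mktemp -d)
acl="$work/t.acl"
: > "$acl"
# The output is staged next to the final file so the last mv is atomic.
out=$(mktemp "$db_dir/dst-adblock.XXXXXX")
trap 'rm -rf "$work" "$out"' EXIT

# fetch URL DEST - download or abort. "wget -O" alone leaves an empty DEST
# on failure and the script would carry on with a truncated list.
fetch() {
    wget -q -O "$2" "$1" || { echo "download failed: $1" >&2; exit 1; }
}

# NOTE(review): this list is fetched over plain http, i.e. with no
# integrity protection at all; its contents end up as Squid ACL entries.
fetch http://www.malwaredomainlist.com/hostslist/hosts.txt "$work/malware.txt"
# hosts-file format: "<ip> <host>"; skip comments/blank lines and localhost.
grep -E -v '^(#|[[:space:]])' "$work/malware.txt" | grep -v 'localhost' \
    | awk '{ print "."$2}' | tr -d '\r' >>"$acl"

for list in easyprivacy.txt easylist.txt 'ruadlist+easylist.txt'; do
    fetch "https://easylist-downloads.adblockplus.org/$list" "$work/list.txt"
    perl ./filter-easylist-to-hosts.pl "$work/list.txt" >>"$acl"
done

# Keep only well-formed ".host" entries, dedupe, then publish.
grep -E '^\.[A-Za-z0-9._-]+$' "$acl" | sort -u > "$out"
if ! [ -s "$out" ]; then
    echo "refusing to install an empty block list" >&2
    exit 1
fi
# mktemp creates the file 0600; Squid runs as an unprivileged user and
# must be able to read the list.
chmod 644 "$out"
mv -f "$out" dst-adblock.txt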
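#!/usr/bin/perl
# filter-easylist-to-hosts.pl - turn an AdBlock/EasyList filter file into
# Squid-style ".host" entries, one per line, sorted and unique.
#
# Only plain "||host^" rules are kept (no path part, no filter options such
# as "$third-party"); everything else in the list is ignored. Hosts are
# restricted to lower-case letters, digits and "._-" with a 2- or 3-letter
# TLD, so the output is safe to use in an url_regex ACL.
#
# Usage: perl filter-easylist-to-hosts.pl LIST... > hosts.acl
# (reads STDIN when no file is given)
use strict;
use warnings;

# Hosts that occur in the lists but must never be blocked here.
my %keep = map { $_ => 1 } qw(
    clck.yandex.com
    an.yandex.ru
    yabs.yandex.ru
    bs.yandex.ru
);

# "||host^" with optional trailing whitespace. Longer TLDs (".info",
# ".online", ...) are deliberately not matched, as in the original filter.
my $rule_re = qr{ \A \|\| ( [a-z][a-z0-9._-]+ \. [a-z]{2,3} ) \^ \s* \z }x;

# extract_host(LINE) -> host, or nothing when LINE is not a plain host rule.
sub extract_host {
    my ($line) = @_;
    return unless defined $line;
    if ( $line =~ $rule_re ) {
        return $1;
    }
    return;
}

# run() - read all input, print ".host" for every unique, non-excluded host.
sub run {
    my %seen;
    while ( my $line = <> ) {
        my $host = extract_host($line);
        $seen{$host} = 1 if defined $host;
    }
    for my $host ( sort keys %seen ) {
        next if $keep{$host};
        print( ".$host\n" );
    }
    return;
}

# Modulino: run as a script, but only define the subs when loaded by
# another file (tests).
run() unless caller;

1;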
function FindProxyForURL(url, host)
$Proxy1 = "PROXY";
$Proxy2 = "PROXY proxy.mydomain.com:3128";
if (shExpMatch(host, "" )) {return "DIRECT";}
if (shExpMatch(host, "*/localhost*" )) {return "DIRECT";}
if (shExpMatch(url,"*mydomain.com*")) {return "DIRECT";}
// Servers
if (isInNet(host, "", "")) {return "DIRECT";}
if (isInNet(host, "", "")) {return $Proxy2;}
if (isInNet(myIpAddress(), "", "")) {return $Proxy2;}
if (isInNet(myIpAddress(), "", "")) {return $Proxy2;}
// If URL has no dots in host name, send traffic direct
if (isPlainHostName(host)) {return "DIRECT";}
// if (isInNet(host, "", "")) {return "DIRECT";}
// Default for all others - redirect to proxy
// return $Proxy1;
return ""DIRECT;