
Installation


The SQUID proxy server can be installed in several ways: from compiling the sources, through installing individual rpm packages with the rpm command, to installing with a package manager that installs all the required packages together with their dependencies.
The aim of this document is not to discuss the various installation methods, but to somewhat improve the usability of the SQUID proxy server configuration after installation and to bring order / a hierarchy to the placement of the files the service uses within the directory structure.
All of this is described below.

create cache_dir


First, after installing the SQUID proxy server, create the directory in which the server will keep its cache of material fetched from the network. Depending on how heavily the SQUID proxy server is used, the directory should be on a disk with adequate capacity (amount of free space).

mkdir /mnt/data1/squid
chown squid:squid /mnt/data1/squid

init_cache_dir /srv/squid/cachedir/... /etc/init.d/squid: line 62:  5152 Aborted                 $SQUID -z -F -D >> /var/log/squid/squid.out 2>&1
Starting squid: /etc/init.d/squid: line 42:  5153 Aborted                 $SQUID $SQUID_OPTS >> /var/log/squid/squid.out 2>&1

mkdir /mnt/data1/squid/cachedir
chown squid:squid /mnt/data1/squid/cachedir



Post-installation configuration


visible_hostname


Next, after installing the SQUID proxy server, set the name under which the server identifies itself. This is not required, but it is advisable for easier identification of the SQUID proxy server. If the default value is left in place, then, as the comment says, the value returned by gethostname() is used as the server name.

#  TAG: visible_hostname
#   If you want to present a special hostname in error messages, etc,
#   define this.  Otherwise, the return value of gethostname()
#   will be used. If you have multiple caches in a cluster and
#   get errors about IP-forwarding you must set them to have individual
#   names with this setting.
#
#Default:
# none
visible_hostname wbcd.pl

#  TAG: unique_hostname
#   If you want to have multiple machines with the same
#   'visible_hostname' you must give each machine a different
#   'unique_hostname' so forwarding loops can be detected.
#
#Default:
# none



disk cache


Next, after installing the SQUID proxy server, set the directory in which the server will keep its cache of material fetched from the network. Depending on how heavily the SQUID proxy server is used, the directory should be on a disk with adequate capacity (amount of free space).

# DISK CACHE OPTIONS
# -----------------------------------------------------------------------------
#  TAG: cache_dir
#	Usage:
#
#	cache_dir Type Directory-Name Fs-specific-data [options]
#
#	You can specify multiple cache_dir lines to spread the
#	cache among different disk partitions.
#
#	Type specifies the kind of storage system to use. Only "ufs"
#	is built by default. To enable any of the other storage systems
#	see the --enable-storeio configure option.
#
#	'Directory' is a top-level directory where cache swap
#	files will be stored. If you want to use an entire disk
#	for caching, this can be the mount-point directory.
#	The directory must exist and be writable by the Squid
#	process. Squid will NOT create this directory for you.
#	Only using COSS, a raw disk device or a stripe file can
#	be specified, but the configuration of the "cache_swap_log"
#	tag is mandatory.
#
#	The ufs store type:
#
#	"ufs" is the old well-known Squid storage format that has always
#	been there.
#
#	cache_dir ufs Directory-Name Mbytes L1 L2 [options]
#
#	'Mbytes' is the amount of disk space (MB) to use under this
#	directory.  The default is 100 MB.  Change this to suit your
#	configuration.  Do NOT put the size of your disk drive here.
#	Instead, if you want Squid to use the entire disk drive,
#	subtract 20% and use that value.
#
#	'Level-1' is the number of first-level subdirectories which
#	will be created under the 'Directory'.  The default is 16.
#
#	'Level-2' is the number of second-level subdirectories which
#	will be created under each first-level directory.  The default
#	is 256.
#
#	The aufs store type:
#
#	"aufs" uses the same storage format as "ufs", utilizing
#	POSIX-threads to avoid blocking the main Squid process on
#	disk-I/O. This was formerly known in Squid as async-io.
#
#	cache_dir aufs Directory-Name Mbytes L1 L2 [options]
#
#	see argument descriptions under ufs above
#
#	The diskd store type:
#
#	"diskd" uses the same storage format as "ufs", utilizing a
#	separate process to avoid blocking the main Squid process on
#	disk-I/O.
#
#	cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n]
#
#	see argument descriptions under ufs above
#
#	Q1 specifies the number of unacknowledged I/O requests when Squid
#	stops opening new files. If this many messages are in the queues,
#	Squid won't open new files. Default is 64
#
#	Q2 specifies the number of unacknowledged messages when Squid
#	starts blocking.  If this many messages are in the queues,
#	Squid blocks until it receives some replies. Default is 72
#
#	When Q1 < Q2 (the default), the cache directory is optimized
#	for lower response time at the expense of a decrease in hit
#	ratio.  If Q1 > Q2, the cache directory is optimized for
#	higher hit ratio at the expense of an increase in response
#	time.
#
#	The coss store type:
#
#	block-size=n defines the "block size" for COSS cache_dir's.
#	Squid uses file numbers as block numbers.  Since file numbers
#	are limited to 24 bits, the block size determines the maximum
#	size of the COSS partition.  The default is 512 bytes, which
#	leads to a maximum cache_dir size of 512<<24, or 8 GB.  Note
#	you should not change the COSS block size after Squid
#	has written some objects to the cache_dir.
#
#	overwrite-percent=n defines the percentage of disk that COSS
#	must write to before a given object will be moved to the
#	current stripe.  A value of "n" closer to 100 will cause COSS
#	to waste less disk space by having multiple copies of an object
#	on disk, but will increase the chances of overwriting a popular
#	object as COSS overwrites stripes.  A value of "n" close to 0
#	will cause COSS to keep all current objects in the current COSS
#	stripe at the expense of the hit rate.  The default value of 50
#	will allow any given object to be stored on disk a maximum of
#	2 times.
#
#	max-stripe-waste=n defines the maximum amount of space that COSS
#	will waste in a given stripe (in bytes).  When COSS writes data
#	to disk, it will potentially waste up to "max-size" worth of disk
#	space for each 1MB of data written.  If "max-size" is set to a
#	large value (ie >256k), this could potentially result in large
#	amounts of wasted disk space. Setting this value to a lower value
#	(ie 64k or 32k) will result in a COSS disk refusing to cache
#	larger objects until the COSS stripe has been filled to within
#	"max-stripe-waste" of the maximum size (1MB).
#
#	membufs=n defines the number of "memory-only" stripes that COSS
#	will use.  When an cache hit is performed on a COSS stripe before
#	COSS has reached the overwrite-percent value for that object,
#	COSS will use a series of memory buffers to hold the object in
#	while the data is sent to the client.  This will define the maximum
#	number of memory-only buffers that COSS will use.  The default value
#	is 10, which will use a maximum of 10MB of memory for buffers.
#
#	maxfullbufs=n defines the maximum number of stripes a COSS partition
#	will have in memory waiting to be freed (either because the disk is
#	under load and the stripe is unwritten, or because clients are still
#	transferring data from objects using the memory).  In order to try
#	and maintain a good hit rate under load, COSS will reserve the last
#	2 full stripes for object hits. (ie a COSS cache_dir will reject
#	new objects when the number of full stripes is 2 less than maxfullbufs)
#
#	The null store type:
#
#	no options are allowed or required
#
#	Common options:
#
#	read-only, no new objects should be stored to this cache_dir
#
#	min-size=n, refers to the min object size this storedir will accept.
#	It's used to restrict a storedir to only store large objects
#	(e.g. aufs) while other storedirs are optimized for smaller objects
#	(e.g. COSS). Defaults to 0.
#
#	max-size=n, refers to the max object size this storedir supports.
#	It is used to initially choose the storedir to dump the object.
#	Note: To make optimal use of the max-size limits you should order
#	the cache_dir lines with the smallest max-size value first and the
#	ones with no max-size specification last.
#
#	Note that for coss, max-size must be less than COSS_MEMBUF_SZ
#	(hard coded at 1 MB).
#
#Default:
# cache_dir ufs /var/spool/squid 100 16 256
cache_dir ufs /mnt/data1/squid/cachedir/ 45000 16 256

# Leave coredumps in the first cache dir
coredump_dir /mnt/data1/squid
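The two rules that bite in practice are the ones in the comment above: Squid will NOT create the cache directory (that is what the "Aborted" lines under "create cache_dir" show, squid -z died because the directory was missing), and Mbytes should be the disk size minus 20%, not the whole disk. The following checker is an added example, not part of this page or of Squid itself; it parses a ufs-style cache_dir line and compares it with the live filesystem. It assumes Squid runs as the account "squid" (change the `user` argument otherwise).

```python
import os
import pwd
import shlex

# Store types that use the "Directory-Name Mbytes L1 L2" argument layout
# described in the cache_dir comment (coss and null are laid out differently).
UFS_LIKE = ("ufs", "aufs", "diskd")


def parse_cache_dir(line):
    """Split one 'cache_dir Type Directory-Name Mbytes L1 L2 [options]' line."""
    parts = shlex.split(line, comments=True)
    if len(parts) < 6 or parts[0] != "cache_dir":
        raise ValueError("not a ufs-style cache_dir directive: %r" % line)
    if parts[1] not in UFS_LIKE:
        raise ValueError("store type %r is not handled by this checker" % parts[1])
    return {
        "type": parts[1],
        "path": parts[2],
        "mbytes": int(parts[3]),
        "l1": int(parts[4]),
        "l2": int(parts[5]),
        "options": parts[6:],
    }


def recommended_mbytes(disk_mbytes):
    """squid.conf advice: do not hand Squid the whole disk, subtract 20%."""
    return disk_mbytes * 80 // 100


def check_cache_dir(directive, disk_mbytes, exists, writable):
    """Compare a parsed cache_dir with facts about its disk and return a
    list of findings; an empty list means the directive looks sane."""
    findings = []
    if not exists:
        # The case behind the "Aborted" lines under "create cache_dir":
        # Squid does not mkdir for you, and squid -z aborts without the directory.
        findings.append("%s does not exist (Squid will not create it)" % directive["path"])
    elif not writable:
        findings.append("%s is not writable by the squid user" % directive["path"])
    limit = recommended_mbytes(disk_mbytes)
    if disk_mbytes > 0 and directive["mbytes"] > limit:
        findings.append("Mbytes=%d exceeds 80%% of a %d MB disk (%d MB)"
                        % (directive["mbytes"], disk_mbytes, limit))
    if directive["l1"] <= 0 or directive["l2"] <= 0:
        findings.append("L1 and L2 subdirectory counts must be positive")
    return findings


def inspect_path(path, user="squid"):
    """Collect (disk_mbytes, exists, writable) for `path` from the live
    filesystem; `user` is the account Squid runs as (assumed: squid)."""
    if not os.path.isdir(path):
        return 0, False, False
    st = os.stat(path)
    try:
        pw = pwd.getpwnam(user)
        uid, gid = pw.pw_uid, pw.pw_gid
    except KeyError:
        uid, gid = os.getuid(), os.getgid()  # account absent: test as ourselves
    mode = st.st_mode
    writable = bool((st.st_uid == uid and mode & 0o200)
                    or (st.st_gid == gid and mode & 0o020)
                    or mode & 0o002)
    vfs = os.statvfs(path)
    disk_mbytes = vfs.f_frsize * vfs.f_blocks // (1024 * 1024)
    return disk_mbytes, True, writable


if __name__ == "__main__":
    directive = parse_cache_dir("cache_dir ufs /mnt/data1/squid/cachedir/ 45000 16 256")
    disk_mbytes, exists, writable = inspect_path(directive["path"])
    for finding in check_cache_dir(directive, disk_mbytes, exists, writable):
        print("WARNING:", finding)
```

Run it before the first squid -z; a clean run still does not replace a syntax check of the whole file, which squid -k parse performs.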



logging


Next, after installing the SQUID proxy server, set the options for logging information about the requests the server handles. The access_log option is configurable: its second argument, after the file name, names the format (defined with the logformat option) of the data written to that file. Besides the standard default log file, this makes it possible to write to an additional log file in a format compatible with the logging format used by the WWW/Apache server.

# LOGFILE OPTIONS
# -----------------------------------------------------------------------------
#  TAG: logformat
#	Usage:
#
#	logformat <name> <format specification>
#
#	Defines an access log format.
#
#	The <format specification> is a string with embedded % format codes
#
#	% format codes all follow the same basic structure where all but
#	the formatcode is optional. Output strings are automatically escaped
#	as required according to their context and the output format
#	modifiers are usually not needed, but can be specified if an explicit
#	output format is desired.
#
#		% ["|[|'|#] [-] [[0]width] [{argument}] formatcode
#
#		"	output in quoted string format
#		[	output in squid text log format as used by log_mime_hdrs
#		#	output in URL quoted format
#		'	output as-is
#
#		-	left aligned
#		width	field width. If starting with 0 the
#			output is zero padded
#		{arg}	argument such as header name etc
#
#	Format codes:
#
#		>a	Client source IP address
#		>A	Client FQDN
#		>p	Client source port
#		<A	Server IP address or peer name
#		la	Local IP address (http_port)
#		lp	Local port number (http_port)
#		ts	Seconds since epoch
#		tu	subsecond time (milliseconds)
#		tl	Local time. Optional strftime format argument
#			default %d/%b/%Y:%H:%M:%S %z
#		tg	GMT time. Optional strftime format argument
#			default %d/%b/%Y:%H:%M:%S %z
#		tr	Response time (milliseconds)
#		>h	Request header. Optional header name argument
#			on the format header[:[separator]element]
#		<h	Reply header. Optional header name argument
#			as for >h
#		un	User name
#		ul	User name from authentication
#		ui	User name from ident
#		us	User name from SSL
#		ue	User name from external acl helper
#		Hs	HTTP status code
#		Ss	Squid request status (TCP_MISS etc)
#		Sh	Squid hierarchy status (DEFAULT_PARENT etc)
#		mt	MIME content type
#		rm	Request method (GET/POST etc)
#		ru	Request URL
#		rv	Request protocol version
#		ea	Log string returned by external acl
#		<st	Reply size including HTTP headers
#		>st	Request size including HTTP headers
#		st	Request+Reply size including HTTP headers
#		%	a literal % character
#
#	The default formats available (which do not need re-defining) are:
#
#logformat squid %ts.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt
#logformat squidmime %ts.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt [%>h] [%<h]
#logformat common %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st %Ss:%Sh
#logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
#
#Default:
# none
logformat squidapache %>a %ui %un [%{%Y/%m/%d-%H:%M:%S}tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
#logformat squidlogv1 %{%d.%m.%Y-%H:%M:%S}tl.%tu %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt

#  TAG: access_log
#	These files log client request activities. Has a line every HTTP or
#	ICP request. The format is:
#	access_log <filepath> [<logformat name> [acl acl ...]]
#	access_log none [acl acl ...]]
#
#	Will log to the specified file using the specified format (which
#	must be defined in a logformat directive) those entries which match
#	ALL the acl's specified (which must be defined in acl clauses).
#	If no acl is specified, all requests will be logged to this file.
#
#	To disable logging of a request use the filepath "none", in which case
#	a logformat name should not be specified.
#
#	To log the request via syslog specify a filepath of "syslog":
#
#	access_log syslog[:facility.priority] [format [acl1 [acl2 ....]]]
#	where facility could be any of:
#	authpriv, daemon, local0 .. local7 or user.
#
#	And priority could be any of:
#	err, warning, notice, info, debug.
#
#	Note: 2.6.STABLE14 and earlier only supports a slightly different
#	and undocumented format with all uppercase LOG_FACILITY|LOG_PRIORITY
access_log /var/log/squid/access.log squid
access_log /var/log/squid/access-apache.log squidapache
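A second log in the squidapache format is only useful if something reads it. The parser below is an added example (not code from this page or from Squid): one regex group per % code of the squidapache logformat defined above, with the time parsed using the same strftime argument, plus two small consumers a defender would want, a flag for denied requests and CONNECT tunnels to anything other than the SSL port, and the cache hit ratio. The log lines are constructed for the example; the SSL port set mirrors the "acl SSL_ports port 443" line further down this page.

```python
import re
from datetime import datetime

# Constructed sample lines in the squidapache format (not from a real access-apache.log).
SAMPLE_LOG = [
    '10.0.0.5 - - [2015/10/08-15:54:24] "GET http://www.example.com/index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0" TCP_MISS:DIRECT',
    '10.0.0.5 - - [2015/10/08-15:54:25] "GET http://www.example.com/logo.png HTTP/1.1" 200 2048 "http://www.example.com/index.html" "Mozilla/5.0" TCP_HIT:NONE',
    '192.168.1.20 - - [2015/10/08-15:55:01] "CONNECT mail.example.net:25 HTTP/1.1" 403 3200 "-" "curl/7.29.0" TCP_DENIED:NONE',
    '10.0.0.9 - jdoe [2015/10/08-15:56:10] "GET http://cgi.example.org/cgi-bin/search?q=x HTTP/1.0" 200 700 "-" "Wget/1.14" TCP_MISS:DIRECT',
]

# One named group per % code, in the order of the squidapache logformat:
# %>a %ui %un [%{...}tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
LINE_RE = re.compile(
    r'^(?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) '
    r'\[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) HTTP/(?P<version>[\d.]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)" '
    r'(?P<squid_status>[A-Z_]+):(?P<hierarchy>\S+)$'
)
TIME_FORMAT = "%Y/%m/%d-%H:%M:%S"   # the strftime argument given to %tl in the logformat
SSL_PORTS = {443}                    # mirrors "acl SSL_ports port 443" on this page


def parse_line(line):
    """Return a dict of fields for one squidapache line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], TIME_FORMAT)
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def suspicious(rec):
    """Reasons a defender would want to look at this request."""
    reasons = []
    if rec["squid_status"] == "TCP_DENIED":
        reasons.append("TCP_DENIED")
    if rec["method"] == "CONNECT":
        # %ru for CONNECT is host:port; tunnels to anything but the SSL ports are
        # exactly what "http_access deny CONNECT !SSL_ports" exists to stop.
        _, _, port = rec["url"].rpartition(":")
        if port.isdigit() and int(port) not in SSL_PORTS:
            reasons.append("CONNECT to non-SSL port %s" % port)
    return reasons


def hit_ratio(records):
    """Fraction of requests answered from the cache (TCP_*HIT* statuses)."""
    if not records:
        return 0.0
    hits = sum(1 for r in records if "HIT" in r["squid_status"])
    return hits / len(records)


if __name__ == "__main__":
    records = [r for r in map(parse_line, SAMPLE_LOG) if r]
    for r in records:
        flags = suspicious(r)
        if flags:
            print(r["time"], r["client"], r["method"], r["url"], "->", ", ".join(flags))
    print("hit ratio: %.2f" % hit_ratio(records))
```

The same regex reads the real file line by line; lines that do not match (for instance from a different logformat mixed into the same file) come back as None rather than raising, so a malformed line cannot stop the scan.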



network


Next, after installing the SQUID proxy server, set the port on which the server listens for connections. By default the server listens on port 3128 and there is no need to change the port number. Additionally, listening on port 8080 (better known as the port a proxy service listens on) can be enabled. As the second argument of the http_port option you can add the transparent option, with which the browser no longer has to be configured to use the proxy (the proxy works transparently). With suitable network configuration, this lets the proxy be used by all users / devices in the intranet (en.wiki, pl.wiki).

# NETWORK OPTIONS
# -----------------------------------------------------------------------------
#  TAG: http_port
#	Usage:	port [options]
#		hostname:port [options]
#		1.2.3.4:port [options]
#
#	The socket addresses where Squid will listen for HTTP client
#	requests.  You may specify multiple socket addresses.
#	There are three forms: port alone, hostname with port, and
#	IP address with port.  If you specify a hostname or IP
#	address, Squid binds the socket to that specific
#	address.  This replaces the old 'tcp_incoming_address'
#	option.  Most likely, you do not need to bind to a specific
#	address, so you can use the port number alone.
#
#	If you are running Squid in accelerator mode, you
#	probably want to listen on port 80 also, or instead.
#
#	You may specify multiple socket addresses on multiple lines.
#
#	Options:
#
#	   transparent	Support for transparent interception of
#			outgoing requests without browser settings.
#
#	   tproxy	Support Linux TPROXY for spoofing outgoing
#			connections using the client IP address.
#
#	   accel	Accelerator mode. Also needs at least one
#			of vhost/vport/defaultsite.
#
#	   defaultsite=domainname
#			What to use for the Host: header if it is not present
#			in a request. Determines what site (not origin server)
#			accelerators should consider the default.
#			Implies accel.
#
#	   vhost	Accelerator mode using Host header for virtual
#			domain support. Implies accel.
#
#	   vport	Accelerator with IP based virtual host support.
#			Implies accel.
#
#	   vport=NN	As above, but uses specified port number rather
#			than the http_port number. Implies accel.
#
#	   urlgroup=	Default urlgroup to mark requests with (see
#			also acl urlgroup and url_rewrite_program)
#
#	   protocol=	Protocol to reconstruct accelerated requests with.
#			Defaults to http.
#
#	   no-connection-auth
#			Prevent forwarding of Microsoft connection oriented
#			authentication (NTLM, Negotiate and Kerberos)
#
#	If you run Squid on a dual-homed machine with an internal
#	and an external interface we recommend you to specify the
#	internal address:port in http_port. This way Squid will only be
#	visible on the internal address.
#
# Squid normally listens to port 3128
#http_port 3128
http_port 3128 transparent
http_port 8080 transparent



cache options


# OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
# -----------------------------------------------------------------------------
#  TAG: hierarchy_stoplist
#	A list of words which, if found in a URL, cause the object to
#	be handled directly by this cache.  In other words, use this
#	to not query neighbor caches for certain objects.  You may
#	list this option multiple times. Note: never_direct overrides
#	this option.
#We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?



# OPTIONS FOR TUNING THE CACHE
# -----------------------------------------------------------------------------

#  TAG: cache
#	A list of ACL elements which, if matched, cause the request to
#	not be satisfied from the cache and the reply to not be cached.
#	In other words, use this to force certain objects to never be cached.
#
#	You must use the word 'DENY' to indicate the ACL names which should
#	NOT be cached.
#
#	Default is to allow all to be cached
#We recommend you to use the following two lines.
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY

#  TAG: refresh_pattern
#	usage: refresh_pattern [-i] regex min percent max [options]
#
#	By default, regular expressions are CASE-SENSITIVE.  To make
#	them case-insensitive, use the -i option.
#
#	'Min' is the time (in minutes) an object without an explicit
#	expiry time should be considered fresh. The recommended
#	value is 0, any higher values may cause dynamic applications
#	to be erroneously cached unless the application designer
#	has taken the appropriate actions.
#
#	'Percent' is a percentage of the objects age (time since last
#	modification age) an object without explicit expiry time
#	will be considered fresh.
#
#	'Max' is an upper limit on how long objects without an explicit
#	expiry time will be considered fresh.
#
#	options: override-expire
#		 override-lastmod
#		 reload-into-ims
#		 ignore-reload
#		 ignore-no-cache
#		 ignore-private
#		 ignore-auth
#
#		override-expire enforces min age even if the server
#		sent a Expires: header. Doing this VIOLATES the HTTP
#		standard.  Enabling this feature could make you liable
#		for problems which it causes.
#
#		override-lastmod enforces min age even on objects
#		that were modified recently.
#
#		reload-into-ims changes client no-cache or ``reload''
#		to If-Modified-Since requests. Doing this VIOLATES the
#		HTTP standard. Enabling this feature could make you
#		liable for problems which it causes.
#
#		ignore-reload ignores a client no-cache or ``reload''
#		header. Doing this VIOLATES the HTTP standard. Enabling
#		this feature could make you liable for problems which
#		it causes.
#
#		ignore-no-cache ignores any ``Pragma: no-cache'' and
#		``Cache-control: no-cache'' headers received from a server.
#		The HTTP RFC never allows the use of this (Pragma) header
#		from a server, only a client, though plenty of servers
#		send it anyway.
#
#		ignore-private ignores any ``Cache-control: private''
#		headers received from a server. Doing this VIOLATES
#		the HTTP standard. Enabling this feature could make you
#		liable for problems which it causes.
#
#		ignore-auth caches responses to requests with authorization,
#		as if the originserver had sent ``Cache-control: public''
#		in the response header. Doing this VIOLATES the HTTP standard.
#		Enabling this feature could make you liable for problems which
#		it causes.
#
#	Basically a cached object is:
#
#		FRESH if expires < now, else STALE
#		STALE if age > max
#		FRESH if lm-factor < percent, else STALE
#		FRESH if age < min
#		else STALE
#
#	The refresh_pattern lines are checked in the order listed here.
#	The first entry which matches is used.  If none of the entries
#	match the default will be used.
#
#	Note, you must uncomment all the default lines if you want
#	to change one. The default setting is only active if none is
#	used.
#
#Suggested default:
refresh_pattern ^ftp:		1440	20%	10080
refresh_pattern ^gopher:	1440	0%	1440
refresh_pattern -i (/cgi-bin/|\?) 0 0%  0
refresh_pattern .		0	20%	4320
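The freshness rules in the refresh_pattern comment are easier to trust once they are written out as a function. The code below is an added example, not part of this page or of Squid: it picks the first matching refresh_pattern (honouring -i) from the suggested defaults above and then applies the listed checks in order. One caveat on the comment text: its first line, "FRESH if expires < now, else STALE", is written backwards; later squid.conf versions read "FRESH if expire > now, else STALE", and that is what the function implements (an explicit Expires in the future means fresh). The lm-factor is computed the way Squid does it, as the object's age divided by the interval between Last-Modified and the time it was fetched, as a percentage. All times are integer seconds since the epoch, as in the %ts log field.

```python
import re

MINUTE = 60

# The "Suggested default" refresh_pattern lines above: (regex, -i given?, (min, percent, max)).
DEFAULT_PATTERNS = [
    (r"^ftp:", False, (1440, 20, 10080)),
    (r"^gopher:", False, (1440, 0, 1440)),
    (r"(/cgi-bin/|\?)", True, (0, 0, 0)),
    (r".", False, (0, 20, 4320)),
]


def select_pattern(url, patterns=DEFAULT_PATTERNS):
    """First refresh_pattern whose regex matches the URL wins; None if none does."""
    for regex, ignore_case, rule in patterns:
        flags = re.IGNORECASE if ignore_case else 0
        if re.search(regex, url, flags):
            return rule
    return None


def lm_factor(age, fetched, last_modified):
    """Age as a percentage of the Last-Modified-to-fetch interval; None when
    Last-Modified is not older than the fetch time (factor is undefined)."""
    interval = fetched - last_modified
    if interval <= 0:
        return None
    return 100.0 * age / interval


def is_fresh(pattern, fetched, now, expires=None, last_modified=None):
    """Apply the refresh_pattern rule (min, percent, max) in the order the
    squid.conf comment lists the checks.  Times are seconds since the epoch."""
    min_minutes, percent, max_minutes = pattern
    age = now - fetched
    if expires is not None:
        return now < expires                    # explicit expiry decides alone
    if age > max_minutes * MINUTE:
        return False                            # STALE if age > max
    if last_modified is not None:
        factor = lm_factor(age, fetched, last_modified)
        if factor is not None and factor < percent:
            return True                         # FRESH if lm-factor < percent
    if age < min_minutes * MINUTE:
        return True                             # FRESH if age < min
    return False                                # else STALE


def freshness(url, fetched, now, expires=None, last_modified=None):
    """Convenience wrapper: choose the rule for the URL, then decide."""
    rule = select_pattern(url)
    if rule is None:
        return False
    return is_fresh(rule, fetched, now, expires, last_modified)


if __name__ == "__main__":
    fetched = 1444316400                      # constructed timestamps
    print(freshness("http://www.example.com/img.png", fetched, fetched + 86400,
                    last_modified=fetched - 10 * 86400))          # True: lm-factor 10% < 20%
    print(freshness("http://www.example.com/cgi-bin/a?x=1", fetched, fetched + 1))  # False: 0 0% 0
```

The cgi-bin rule (0 0% 0) makes every such object stale the moment it is fetched, which is why it is paired with "cache deny QUERY" above: the first keeps stale dynamic answers from being reused, the second keeps them out of the cache altogether.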



access control


Next, after installing the SQUID proxy server, configure the access lists that define which connections are allowed, based on various criteria; the most commonly used criteria are:
  • src - address of the host connecting to the proxy server,
    e.g.: acl Safe_from src 10.0.0.0/8
  • dst - address of the host to which the proxy server makes the connection,
    e.g.: acl Safe_dest dst 10.0.0.0/8
  • srcdomain - domain name of the host connecting to the proxy server,
    e.g.: acl Safe_fromname srcdomain .nat.wbcd.pl
  • dstdomain - domain name of the host to which the proxy server makes the connection (taken from the URL),
    e.g.: acl Safe_destname dstdomain .wbcd.pl
  • srcdom_regex - regular expression matching the domain name of the host connecting to the proxy server,
  • dstdom_regex - regular expression matching the domain name of the host to which the proxy server makes the connection (taken from the URL),
  • url_regex - regular expression matching the whole URL of the resource fetched by the proxy server,
  • urlpath_regex - regular expression matching the path part of the URL of the resource fetched by the proxy server,
  • port - port to which the connection for the resource fetched by the proxy server is made,
    e.g.: acl Safe_ports port 80 21 443,
    e.g.: acl SSL_ports port 443,
  • proto - protocol in the URL of the resource fetched by the proxy server,
    e.g.: acl Safe_proto proto HTTP FTP,
  • method - method used for the connection to the resource fetched by the proxy server,
    e.g.: acl Safe_method method GET HEAD POST PUT,
  • browser - regular expression matching the User-Agent header, which identifies the application, in the request sent by the host connecting to the proxy server,
  • req_header - regular expression matching the headers in the request sent by the host connecting to the proxy server,
  • rep_header - regular expression matching the headers in the reply sent to the host connecting to the proxy server,

# ACCESS CONTROLS
# -----------------------------------------------------------------------------

#  TAG: acl
#	Defining an Access List
#
#	acl aclname acltype string1 ...
#	acl aclname acltype "file" ...
#
#	when using "file", the file should contain one item per line
#
#	acltype is one of the types described below
#
#	By default, regular expressions are CASE-SENSITIVE.  To make
#	them case-insensitive, use the -i option.
#
#	acl aclname src      ip-address/netmask ... (clients IP address)
#	acl aclname src      addr1-addr2/netmask ... (range of addresses)
#	acl aclname dst      ip-address/netmask ... (URL host's IP address)
#	acl aclname myip     ip-address/netmask ... (local socket IP address)
#
#	acl aclname arp      mac-address ... (xx:xx:xx:xx:xx:xx notation)
#	  # The arp ACL requires the special configure option --enable-arp-acl.
#	  # Furthermore, the arp ACL code is not portable to all operating systems.
#	  # It works on Linux, Solaris, FreeBSD and some other *BSD variants.
#	  #
#	  # NOTE: Squid can only determine the MAC address for clients that are on
#	  # the same subnet. If the client is on a different subnet, then Squid cannot
#	  # find out its MAC address.
#
#	acl aclname srcdomain   .foo.com ...    # reverse lookup, client IP
#	acl aclname dstdomain   .foo.com ...    # Destination server from URL
#	acl aclname srcdom_regex [-i] xxx ...   # regex matching client name
#	acl aclname dstdom_regex [-i] xxx ...   # regex matching server
#	  # For dstdomain and dstdom_regex a reverse lookup is tried if a IP
#	  # based URL is used and no match is found. The name "none" is used
#	  # if the reverse lookup fails.
#
#	acl aclname time     [day-abbrevs]  [h1:m1-h2:m2]
#	    day-abbrevs:
#		S - Sunday
#		M - Monday
#		T - Tuesday
#		W - Wednesday
#		H - Thursday
#		F - Friday
#		A - Saturday
#	    h1:m1 must be less than h2:m2
#	acl aclname url_regex [-i] ^http:// ...	# regex matching on whole URL
#	acl aclname urlpath_regex [-i] \.gif$ ...	# regex matching on URL path
#	acl aclname urllogin [-i] [^a-zA-Z0-9] ...	# regex matching on URL login field
#	acl aclname port     80 70 21 ...
#	acl aclname port     0-1024 ...		# ranges allowed
#	acl aclname myport   3128 ...		# (local socket TCP port)
#	acl aclname proto    HTTP FTP ...
#	acl aclname method   GET POST ...
#	acl aclname browser  [-i] regexp ...
#	  # pattern match on User-Agent header (see also req_header below)
#	acl aclname referer_regex  [-i] regexp ...
#	  # pattern match on Referer header
#	  # Referer is highly unreliable, so use with care
#	acl aclname ident    username ...
#	acl aclname ident_regex [-i] pattern ...
#	  # string match on ident output.
#	  # use REQUIRED to accept any non-null ident.
#	acl aclname src_as   number ...
#	acl aclname dst_as   number ...
#	  # Except for access control, AS numbers can be used for
#	  # routing of requests to specific caches. Here's an
#	  # example for routing all requests for AS#1241 and only
#	  # those to mycache.mydomain.net:
#	  # acl asexample dst_as 1241
#	  # cache_peer_access mycache.mydomain.net allow asexample
#	  # cache_peer_access mycache_mydomain.net deny all
#
#	acl aclname proxy_auth [-i] username ...
#	acl aclname proxy_auth_regex [-i] pattern ...
#	  # list of valid usernames
#	  # use REQUIRED to accept any valid username.
#	  #
#	  # NOTE: when a Proxy-Authentication header is sent but it is not
#	  # needed during ACL checking the username is NOT logged
#	  # in access.log.
#	  #
#	  # NOTE: proxy_auth requires a EXTERNAL authentication program
#	  # to check username/password combinations (see
#	  # auth_param directive).
#	  #
#	  # NOTE: proxy_auth can't be used in a transparent proxy as
#	  # the browser needs to be configured for using a proxy in order
#	  # to respond to proxy authentication.
#
#	acl aclname snmp_community string ...
#	  # A community string to limit access to your SNMP Agent
#	  # Example:
#	  #
#	  #	acl snmppublic snmp_community public
#
#	acl aclname maxconn number
#	  # This will be matched when the client's IP address has
#	  # more than <number> HTTP connections established.
#
#	acl aclname max_user_ip [-s] number
#	  # This will be matched when the user attempts to log in from more
#	  # than <number> different ip addresses. The authenticate_ip_ttl
#	  # parameter controls the timeout on the ip entries.
#	  # If -s is specified the limit is strict, denying browsing
#	  # from any further IP addresses until the ttl has expired. Without
#	  # -s Squid will just annoy the user by "randomly" denying requests.
#	  # (the counter is reset each time the limit is reached and a
#	  # request is denied)
#	  # NOTE: in acceleration mode or where there is mesh of child proxies,
#	  # clients may appear to come from multiple addresses if they are
#	  # going through proxy farms, so a limit of 1 may cause user problems.
#
#	acl aclname req_mime_type mime-type1 ...
#	  # regex match against the mime type of the request generated
#	  # by the client. Can be used to detect file upload or some
#	  # types HTTP tunneling requests.
#	  # NOTE: This does NOT match the reply. You cannot use this
#	  # to match the returned file type.
#
#	acl aclname req_header header-name [-i] any\.regex\.here
#	  # regex match against any of the known request headers.  May be
#	  # thought of as a superset of "browser", "referer" and "mime-type"
#	  # ACLs.
#
#	acl aclname rep_mime_type mime-type1 ...
#	  # regex match against the mime type of the reply received by
#	  # squid. Can be used to detect file download or some
#	  # types HTTP tunneling requests.
#	  # NOTE: This has no effect in http_access rules. It only has
#	  # effect in rules that affect the reply data stream such as
#	  # http_reply_access.
#
#	acl aclname rep_header header-name [-i] any\.regex\.here
#	  # regex match against any of the known reply headers. May be
#	  # thought of as a superset of "browser", "referer" and "mime-type"
#	  # ACLs.
#	  #
#	  # Example:
#	  #
#	  # acl many_spaces rep_header Content-Disposition -i [ [:space:] ]{3,}
#
#	acl acl_name external class_name [arguments...]
#	  # external ACL lookup via a helper class defined by the
#	  # external_acl_type directive.
#
#	acl urlgroup group1 ...
#	  # match against the urlgroup as indicated by redirectors
#
#	acl aclname user_cert attribute values...
#	  # match against attributes in a user SSL certificate
#	  # attribute is one of DN/C/O/CN/L/ST
#
#	acl aclname ca_cert attribute values...
#	  # match against attributes a users issuing CA SSL certificate
#	  # attribute is one of DN/C/O/CN/L/ST
#
#	acl aclname ext_user username ...
#	acl aclname ext_user_regex [-i] pattern ...
#	  # string match on username returned by external acl helper
#	  # use REQUIRED to accept any non-null user name.
#
#Examples:
#acl macaddress arp 09:00:2b:23:45:67
#acl myexample dst_as 1241
#acl password proxy_auth REQUIRED
#acl fileupload req_mime_type -i ^multipart/form-data$
#acl javascript rep_mime_type -i ^application/x-javascript$
#
#
# Recommended minimum configuration:
#
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl localhost src ::1/128
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl to_localhost dst ::1/128

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80			# http
acl Safe_ports port 21			# ftp
acl Safe_ports port 443			# https
acl Safe_ports port 70			# gopher
acl Safe_ports port 210			# wais
acl Safe_ports port 1025-65535	# unregistered ports
acl Safe_ports port 280			# http-mgmt
acl Safe_ports port 488			# gss-http
acl Safe_ports port 591			# filemaker
acl Safe_ports port 777			# multiling http
acl CONNECT method CONNECT

#  TAG: http_access
#	Allowing or Denying access based on defined access lists
#
#	Access to the HTTP port:
#	http_access allow|deny [!]aclname ...
#
#	NOTE on default values:
#
#	If there are no "access" lines present, the default is to deny
#	the request.
#
#	If none of the "access" lines cause a match, the default is the
#	opposite of the last line in the list.  If the last line was
#	deny, the default is allow.  Conversely, if the last line
#	is allow, the default will be deny.  For these reasons, it is a
#	good idea to have an "deny all" or "allow all" entry at the end
#	of your access lists to avoid potential confusion.
#
#Default:
# http_access deny all
#
#Recommended minimum configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
#
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
#acl our_networks src 192.168.1.0/24 192.168.2.0/24
#http_access allow our_networks
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all
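Two properties of http_access decide whether this rule set is safe: the first matching line wins, and when nothing matches the default is the opposite of the last line. The evaluator below is an added example (not code from this page or from Squid) that reads the acl and http_access lines above and replays them for a request described by its source address, destination port, method and protocol. It supports only the four acl types the rule set uses (src, port, proto, method); any other type raises, so a rule is never silently treated as non-matching. Squid's own evaluation is more involved (slow-lookup ACLs, request vs. reply phases), so treat this as a model of the ordering semantics, not a replacement for testing the live proxy.

```python
import ipaddress

# The acl and http_access lines from this page, condensed into one string.
CONFIG = """
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl localhost src ::1/128
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80 21 443 70 210 1025-65535 280 488 591 777
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access deny all
"""


def parse_config(text):
    """Collect acl definitions (name -> [(type, values)]) and http_access rules in file order."""
    acls, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl":
            acls.setdefault(parts[1], []).append((parts[2], parts[3:]))
        elif parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules


def acl_matches(acls, name, req):
    """True if any line defining `name` matches the request dict
    {"src", "port", "method", "proto"}; several lines with one name are OR-ed."""
    for acltype, values in acls[name]:
        if acltype == "src":
            ip = ipaddress.ip_address(req["src"])
            for v in values:
                net = ipaddress.ip_network(v, strict=False)
                if net.version == ip.version and ip in net:
                    return True
        elif acltype == "port":
            for v in values:                    # "80" or "1025-65535"
                lo, _, hi = v.partition("-")
                if int(lo) <= req["port"] <= int(hi or lo):
                    return True
        elif acltype == "proto":
            if req["proto"].lower() in [v.lower() for v in values]:
                return True
        elif acltype == "method":
            if req["method"].upper() in [v.upper() for v in values]:
                return True
        else:
            raise ValueError("acl type %r is not modelled by this evaluator" % acltype)
    return False


def http_access(acls, rules, req):
    """First rule whose terms all match decides; '!' negates a term.
    Returns (action, explanation)."""
    for idx, (action, terms) in enumerate(rules, start=1):
        if all(acl_matches(acls, t.lstrip("!"), req) != t.startswith("!") for t in terms):
            return action, "rule %d: http_access %s %s" % (idx, action, " ".join(terms))
    last_action = rules[-1][0] if rules else "deny"
    default = "allow" if last_action == "deny" else "deny"
    return default, "no rule matched; default is the opposite of the last rule (%s)" % default


def request(src, port, method="GET", proto="http"):
    return {"src": src, "port": port, "method": method, "proto": proto}


if __name__ == "__main__":
    acls, rules = parse_config(CONFIG)
    for r in (request("10.0.0.5", 80), request("10.0.0.5", 8080, "CONNECT"),
              request("203.0.113.7", 80), request("2001:db8::1", 80)):
        print(r["src"], r["method"], r["port"], "->", http_access(acls, rules, r))
```

The last request in the demo is the instructive one: with "all" defined as src 0.0.0.0/0.0.0.0 the final "deny all" never matches an IPv6 client, so a client outside localnet falls through to the default, which is the opposite of that last deny line, i.e. allow. Newer Squid versions ship "all" as a built-in ACL covering both address families, which is why this page's explicit acl line should be dropped there; on older versions, add a src ::/0 line under the same name.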

Last modified: 2015/10/08 15:54:24 (9 years ago), textsize: 42.6 kB, htmlsize: 70.0 kB
