# Do not modify '/var/ipfire/proxy/squid.conf' directly since any changes
# you make will be overwritten whenever you resave proxy settings using the
# web interface! Instead, modify the file '/var/ipfire/proxy/acl' and then
# restart squid using the web interface. Changes made to the 'acl' file
# will propagate to the 'squid.conf' file at that time.
# [Scott Tregear, 22 Feb 2005]

# Uncomment the following line to enable logging of User-Agent header:
#useragent_log      /var/log/squid/user_agent.log

# Uncomment the following line to enable logging of Referer header:
#referer_log        /var/log/squid/referer.log

acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563 
acl Safe_ports port 80 # http 
acl Safe_ports port 21 # ftp 
acl Safe_ports port 443 563 # https, snews 
acl Safe_ports port 70 # gopher 
acl Safe_ports port 210 # wais 
acl Safe_ports port 1025-65535 # unregistered ports 
acl Safe_ports port 280 # http-mgmt 
acl Safe_ports port 488 # gss-http 
acl Safe_ports port 591 # filemaker 
acl Safe_ports port 777 # multiling http 
acl Safe_ports port __PROXY_PORT__ # Squid port (for icons) 

acl IPCop_http  port 81
acl IPCop_https port 444
acl IPCop_ips  dst __GREEN_IP__ __BLUE_IP__
acl IPCop_networks src __GREEN_NET__ __BLUE_NET__
acl CONNECT method CONNECT 

##Access to squid:
#local machine, no restriction
http_access allow         localhost

#GUI admin if local machine connects
http_access allow         IPCop_ips IPCop_networks IPCop_http
http_access allow CONNECT IPCop_ips IPCop_networks IPCop_https

#Deny not web services
http_access deny          !Safe_ports
http_access deny  CONNECT !SSL_ports

#Finally allow IPCop_networks clients
http_access allow         IPCop_networks
http_access deny          all
