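# ---------------------------------------------------------------------------
# Privacy settings
# ---------------------------------------------------------------------------

# Make squid more anonymous
# NOTE(review): "forwarded_for off" still sends "X-Forwarded-For: unknown" on
# Squid 3.x; "forwarded_for delete" (Squid 3.1+) omits the header entirely.
# Left as "off" because the Squid version is not stated in this file.
forwarded_for off
# Do not keep per-client statistics in memory.
client_db off

# Add anonymized headers after a suggestion from prospo from #irantech
# Allow-list of headers; every header not named here is removed by the final
# "All deny all" rule.
# NOTE(review): reply_header_access filters only the replies sent back to the
# client. Several names below (Host, If-Modified-Since, Accept*, Authorization)
# are request headers, and header_replace acts on request headers, so
# request-side filtering, if that was the intent, needs matching
# request_header_access rules (header_access on Squid 2.x). Confirm the intent
# before switching: "All deny all" on requests also strips Cookie and Referer.
reply_header_access Allow allow all
reply_header_access Authorization allow all
reply_header_access WWW-Authenticate allow all
reply_header_access Proxy-Authorization allow all
reply_header_access Proxy-Authenticate allow all
reply_header_access Cache-Control allow all
reply_header_access Content-Encoding allow all
reply_header_access Content-Length allow all
reply_header_access Content-Type allow all
reply_header_access Date allow all
reply_header_access Expires allow all
reply_header_access Host allow all
reply_header_access If-Modified-Since allow all
reply_header_access Last-Modified allow all
reply_header_access Location allow all
reply_header_access Pragma allow all
reply_header_access Accept allow all
reply_header_access Accept-Charset allow all
reply_header_access Accept-Encoding allow all
reply_header_access Accept-Language allow all
reply_header_access Content-Language allow all
reply_header_access Mime-Version allow all
reply_header_access Retry-After allow all
reply_header_access Title allow all
reply_header_access Connection allow all
reply_header_access Proxy-Connection allow all
reply_header_access All deny all

# Replace the user-agent header
# header_replace User-Agent Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.11) Gecko/20071204 Ubuntu/7.10 (gutsy) Powerlynx/2.0.0.11

# ---------------------------------------------------------------------------
# Access control lists
# ---------------------------------------------------------------------------

acl manager proto cache_object
acl localhost src 127.0.0.1/32

# Destinations that must never be reachable through the proxy: loopback and
# the RFC 1918 ranges, so clients cannot use the proxy to reach services on
# the proxy host or its internal network.
acl localnet dst 127.0.0.0/8
acl localnet dst 10.0.0.0/8
acl localnet dst 172.16.0.0/12
acl localnet dst 192.168.0.0/16
# Link-local range added: it is equally internal, and on hosted machines it
# commonly carries the instance metadata service.
acl localnet dst 169.254.0.0/16
# NOTE(review): only IPv4 ranges are listed. If this Squid build forwards
# over IPv6, the IPv6 loopback, link-local and unique-local ranges need the
# same treatment.

# The proxyheap validation servers
acl proxyheap src 208.116.53.210
acl proxyheap src 208.116.53.211

# http://www.ripe.net/cgi-bin/search/gdquery.cgi?max-results=100&page-results=10&index=ripedb&boolean=and&record-type=paragraph&header=whois&footer=whois&start-page=%2Fdb%2Fwhois-free.html&terms=ministry+iran&file-match=net[6n]&file-match=org&show-context=yes&degree-of-error=0&submit=Search&page=0
acl iran-gov src "/etc/iran/iran_dropped.txt"

# http://www.countryipblocks.net/country-blocks/select-formats/
acl iran-net src "/etc/iran/iran_allowed.txt"

# Ports to open
acl iran-ports port "/etc/iran/iran_outbound_ports.txt"
acl CONNECT method CONNECT

# ---------------------------------------------------------------------------
# Access rules (first match wins, so order matters)
# ---------------------------------------------------------------------------

# Deny the iranian government
http_access deny iran-gov

# Allow manager from localhost
http_access allow manager localhost
http_access deny manager

# Only allow certain http+https ports
http_access deny !iran-ports
# NOTE(review): this rule can never match, because the rule above already
# denies every request whose port is outside iran-ports. As written, CONNECT
# tunnels are permitted to every port in the list; if the list holds more than
# the TLS port(s), a separate, narrower port ACL for CONNECT is needed.
http_access deny CONNECT !iran-ports

# Don't allow access to private networks
http_access deny localnet

# Allow Iran
http_access allow iran-net

# Allow the proxy testing script
http_access allow proxyheap

# Deny the rest
http_access deny all
icp_access deny all
htcp_access deny all

# ---------------------------------------------------------------------------
# Listening ports
# ---------------------------------------------------------------------------

## Add a couple of http_port statements, on randomly chosen ports
# The value below is a placeholder and must be replaced before Squid will start.
http_port EDIT-YOUR-SQUID-CONF

hierarchy_stoplist cgi-bin ?

# ---------------------------------------------------------------------------
# Logging (intentionally disabled so no record of client activity is kept)
# ---------------------------------------------------------------------------

# "none" is the supported way to switch these two logs off; pointing them at
# /dev/null leaves a device node for Squid to open, write and rotate.
access_log none
cache_store_log none
# cache_log stays on /dev/null as in the original. Rotation is disabled so
# that a "squid -k rotate" cannot rename /dev/null into an ordinary file that
# would then start collecting data.
cache_log /dev/null
logfile_rotate 0

# ---------------------------------------------------------------------------
# Cache freshness and miscellaneous
# ---------------------------------------------------------------------------

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern (cgi-bin|\?) 0 0% 0
refresh_pattern . 0 20% 4320

# Port 0 disables ICP.
icp_port 0
coredump_dir /var/spool/squid3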