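sudo nano /etc/squid/squid.conf

#--------------------------------------------------
# Squid forward proxy for a private LAN.
# Goals visible in this file: restrict clients to the local network,
# limit destination ports, cache moderately, and strip or replace
# identifying headers.
#
# Scope of the header rules: without SSL-Bump (not configured here),
# HTTPS travels through CONNECT tunnels and Squid never sees the
# headers inside. Referer stripping and User-Agent replacement
# therefore only affect plain-HTTP requests.
#--------------------------------------------------

#--------------------------------------------------
# Include additional config files
#--------------------------------------------------
# Included files are read at this position, i.e. before every rule below.
# NOTE(review): any http_access line in conf.d/ is evaluated ahead of the
# rules in this file - check what those files contain.
include /etc/squid/conf.d/*.conf

#--------------------------------------------------
# Network definitions
#--------------------------------------------------
acl localnet src 192.168.0.0/16
# NOTE(review): current Squid releases already predefine "localhost";
# this line may only trigger a duplicate-value warning - confirm with
# "squid -k parse".
acl localhost src 127.0.0.1

#--------------------------------------------------
# Allowed destination ports (sensible & safe)
#--------------------------------------------------
acl Safe_ports port 80    # HTTP
acl Safe_ports port 443   # HTTPS
acl Safe_ports port 21    # FTP (optional)

# Ports to which CONNECT tunnels may be opened, and the CONNECT method
# itself. Custom ACL names are used so the file does not depend on which
# ACLs the installed Squid version predefines.
acl tls_ports port 443
acl connect_method method CONNECT

#--------------------------------------------------
# Access rules (order matters: first match wins)
#--------------------------------------------------
http_access deny !Safe_ports
# Without this rule a client could open a raw CONNECT tunnel to any
# Safe_port (80, 21), not just to TLS on 443.
http_access deny connect_method !tls_ports
# Cache manager only from the proxy host itself; otherwise the
# "allow localnet" rule below would expose it to every LAN client.
# ("manager" is a built-in ACL on current Squid releases.)
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all

#--------------------------------------------------
# Proxy listener
#--------------------------------------------------
# Listens on all interfaces; client access is limited only by the
# http_access rules above.
http_port 3128

#--------------------------------------------------
# Cache settings (toned down & realistic)
#--------------------------------------------------
cache_mem 256 MB
maximum_object_size 16 MB
maximum_object_size_in_memory 512 KB
memory_replacement_policy lru
cache_replacement_policy lru
# 100 MB on-disk cache, 16 first-level and 256 second-level directories
cache_dir ufs /var/spool/squid 100 16 256
coredump_dir /var/spool/squid

#--------------------------------------------------
# Refresh patterns (lightly cleaned up)
#--------------------------------------------------
refresh_pattern ^ftp: 1440 20% 10080
# Never treat dynamic content (cgi-bin, query strings) as fresh
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

#--------------------------------------------------
# Header handling - functional & clean
#--------------------------------------------------
#request_header_access All allow all
#reply_header_access All allow all

# Remove potentially personal request headers.
# Dropping Referer can break sites that check it (hotlink or CSRF checks).
request_header_access Referer deny all
# Cookie stays allowed: needed for browsing
#request_header_access Cookie deny all
# Authorization stays allowed: denying it breaks logins, APIs and downloads
#request_header_access Authorization deny all
request_header_access X-Forwarded-For deny all
# request_header_replace only acts on headers that request_header_access
# has denied, so User-Agent must be denied here for the replacement at the
# end of this file to take effect.
request_header_access User-Agent deny all

# Explicit allows for the headers we need. Without a final
# "request_header_access All deny all" these lines do not filter anything:
# every header not denied above is forwarded anyway. A blanket deny is not
# added because Cookie and Authorization must pass (see above).
request_header_access Host allow all
request_header_access Accept allow all
request_header_access Accept-Language allow all
request_header_access Accept-Encoding allow all

# Alternative: a generic User-Agent (reduces fingerprinting)
#request_header_replace User-Agent "Mozilla/5.0 (compatible; Proxy/1.0)"

# Clean up response headers as well. These are removed from replies sent
# to the proxy's own clients.
reply_header_access Server deny all
reply_header_access Via deny all
reply_header_access X-Powered-By deny all
# Everything else passes; if you need to restrict further response
# headers, list them explicitly above this line.
reply_header_access All allow all

#--------------------------------------------------
# Proxy identification (unobtrusive, but honest)
#--------------------------------------------------
via off
#forwarded_for transparent
forwarded_for delete

#--------------------------------------------------
# Optional: learning example - set a header deliberately
#--------------------------------------------------
# The string below identifies as Chrome 124 on Windows 10 (the original
# label said Firefox). It replaces the client's User-Agent on plain-HTTP
# requests only.
request_header_replace User-Agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36"

# After saving: check the syntax with "sudo squid -k parse", then apply
# with "sudo squid -k reconfigure".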