--- ./squid.conf	2021-11-10 06:22:18.000000000 -0500
+++ ./squid.conf	2021-11-10 06:24:17.000000000 -0500
@@ -861,6 +861,7 @@
 #		user="J. \"Bob\" Smith"
 #Default:
 # none
+logformat squid_ua      %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt %#{User-Agent}>h
 
 #  TAG: acl
 #	Defining an Access List
@@ -1432,12 +1433,9 @@
 # Example rule allowing access from your local networks.
 # Adapt to list your (internal) IP networks from where browsing
 # should be allowed
-acl localnet src 0.0.0.1-0.255.255.255	# RFC 1122 "this" network (LAN)
-acl localnet src 10.0.0.0/8		# RFC 1918 local private network (LAN)
-acl localnet src 100.64.0.0/10		# RFC 6598 shared address space (CGN)
-acl localnet src 169.254.0.0/16 	# RFC 3927 link-local (directly plugged) machines
-acl localnet src 172.16.0.0/12		# RFC 1918 local private network (LAN)
-acl localnet src 192.168.0.0/16		# RFC 1918 local private network (LAN)
+acl localnet src 10.0.0.0/8	# RFC1918 possible internal network
+#acl localnet src 172.16.0.0/12	# RFC1918 possible internal network
+#acl localnet src 192.168.0.0/16	# RFC1918 possible internal network
 acl localnet src fc00::/7       	# RFC 4193 local private network range
 acl localnet src fe80::/10      	# RFC 4291 link-local (directly plugged) machines
 
@@ -1700,8 +1698,8 @@
 #	See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
 #
 ## Allow ICP queries from local networks only
-##icp_access allow localnet
-##icp_access deny all
+icp_access allow localnet
+icp_access deny all
 #Default:
 # Deny, unless rules exist in squid.conf.
 
@@ -2207,10 +2205,10 @@
 #
 
 # Squid normally listens to port 3128
-http_port 3128
+http_port @PROXY_SERVER@:3128
 
 #  TAG: https_port
-#	Usage:  [ip:]port [mode] tls-cert=certificate.pem [options]
+#	Usage:  [ip:]port cert=certificate.pem [key=key.pem] [mode] [options...]
 #
 #	The socket address where Squid will listen for client requests made
 #	over TLS or SSL connections. Commonly referred to as HTTPS.
@@ -3535,6 +3533,16 @@
 #Default:
 # none
 
+# See http://www.privoxy.org/user-manual/config.html
+# Define Privoxy as parent proxy (without ICP) 
+cache_peer @PROXY_SERVER@ parent 8118 0 no-digest no-query default name=privoxy
+
+# If privoxy is run on the LAN:
+#cache_peer 10.0.1.3 parent 8118 0 no-digest no-query default name=privoxy
+
+# I2P
+# cache_peer @PROXY_SERVER@ parent 4443 0 no-digest no-query default name=i2p
+
 #  TAG: cache_peer_access
 #	Restricts usage of cache_peer proxies.
 #
@@ -3573,6 +3581,14 @@
 #Default:
 # No peer usage restrictions.
 
+# deny CONNECT to privoxy
+cache_peer_access privoxy deny CONNECT
+
+# I2P
+# acl i2p dstdomain -n .i2p
+# cache_peer_access i2p allow i2p
+# cache_peer_access i2p deny all
+
 #  TAG: neighbor_type_domain
 #	Modify the cache_peer neighbor type when passing requests
 #	about specific domains to the peer.
@@ -3668,6 +3684,7 @@
 #	enough to keep larger objects from hoarding cache_mem.
 #Default:
 # maximum_object_size_in_memory 512 KB
+maximum_object_size_in_memory 64 KB
 
 #  TAG: memory_cache_shared	on|off
 #	Controls whether the memory cache is shared among SMP workers.
@@ -3750,6 +3767,7 @@
 #	and http://fog.hpl.external.hp.com/techreports/98/HPL-98-173.html.
 #Default:
 # cache_replacement_policy lru
+cache_replacement_policy heap LFUDA
 
 #  TAG: minimum_object_size	(bytes)
 #	Objects smaller than this size will NOT be saved on disk.  The
@@ -3774,6 +3792,7 @@
 #	See cache_replacement_policy for a discussion of this policy.
 #Default:
 # maximum_object_size 4 MB
+maximum_object_size 64 MB
 
 #  TAG: cache_dir
 #	Format:
@@ -3931,7 +3950,7 @@
 #
 
 # Uncomment and adjust the following to add a disk cache directory.
-#cache_dir ufs @PREFIX@/var/squid/cache 100 16 256
+cache_dir ufs @PREFIX@/var/squid/cache 100 16 256
 
 #  TAG: store_dir_select_algorithm
 #	How Squid selects which cache_dir to use when the response
@@ -4824,8 +4843,11 @@
 #	in the habit of using 'squid -k rotate' instead of 'kill -USR1
 #	<pid>'.
 #
+#	Note, from Squid-3.1 this option is only a default for cache.log,
+#	that log can be rotated separately by using debug_options.
 #Default:
 # logfile_rotate 10
+logfile_rotate 31
 
 #  TAG: mime_table
 #	Path to Squid's icon configuration file.
@@ -4881,6 +4903,7 @@
 #	Currently honored by 'daemon' and 'tcp' access_log modules only.
 #Default:
 # buffered_logs off
+buffered_logs on
 
 #  TAG: netdb_filename
 # Note: This option is only available if Squid is rebuilt with the
@@ -5652,15 +5675,25 @@
 refresh_pattern ^ftp:		1440	20%	10080
 refresh_pattern ^gopher:	1440	0%	1440
 refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
-refresh_pattern .		0	20%	4320
+#refresh_pattern .		0	20%	4320
+
+# https://www.linux.com/news/speed-your-internet-access-using-squids-refresh-patterns
+refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$ 10080 90% 43200 override-expire ignore-no-cache ignore-no-store ignore-private
+refresh_pattern -i \.(iso|avi|wav|mp3|mp4|mpeg|swf|flv|x-flv)$ 43200 90% 432000 override-expire ignore-no-cache ignore-no-store ignore-private
+refresh_pattern -i \.(deb|rpm|exe|zip|tar|tgz|ram|rar|bin|ppt|doc|tiff)$ 10080 90% 43200 override-expire ignore-no-cache ignore-no-store ignore-private
+refresh_pattern -i \.index.(html|htm)$ 0 40% 10080
+refresh_pattern -i \.(html|htm|css|js)$ 1440 40% 40320
+refresh_pattern . 0 40% 40320
 
 #  TAG: quick_abort_min	(KB)
 #Default:
 # quick_abort_min 16 KB
+quick_abort_min 0 KB
 
 #  TAG: quick_abort_max	(KB)
 #Default:
 # quick_abort_max 16 KB
+quick_abort_max 0 KB
 
 #  TAG: quick_abort_pct	(percent)
 #	The cache by default continues downloading aborted requests
@@ -5878,6 +5911,7 @@
 #	replies as required by RFC2616.
 #Default:
 # via on
+via off
 
 #  TAG: vary_ignore_expire	on|off
 #	Many HTTP servers supporting Vary gives such objects
@@ -5970,6 +6004,130 @@
 #Default:
 # No limits.
 
+# allow localnet headers
+request_header_access From allow localnet
+request_header_access Server allow localnet
+request_header_access Link allow localnet
+
+request_header_access Cache-Control allow localnet
+request_header_access X-Cache allow localnet 
+request_header_access X-Cache-Lookup allow localnet
+request_header_access Via allow localnet
+request_header_access Forwarded-For allow localnet
+request_header_access X-Forwarded-For allow localnet
+request_header_access Pragma allow localnet
+
+# old 'http_anonymizer standard'
+request_header_access From deny all
+
+# allow privoxy configuration to see the referer, then
+acl privoxy-config dstdomain config.privoxy.org p.p
+request_header_access Referer allow privoxy-config
+cache deny privoxy-config
+# forge Referer in Privoxy
+request_header_access Referer deny all
+request_header_access Server deny all
+
+# forge User-Agent below and in Privoxy
+# header_access User-Agent deny all
+# this breaks web authentication -- do not use
+#! header_access WWW-Authenticate deny all
+request_header_access Link deny all
+
+# more privacy
+request_header_access X-Cache deny all
+request_header_access X-Cache-Lookup deny all
+request_header_access Via deny all
+request_header_access Forwarded-For deny all
+request_header_access X-Forwarded-For deny all
+request_header_access Pragma deny all
+
+#! These slow down browsing a lot -- do not use
+# header_access Cache-Control deny all
+# header_access Keep-Alive deny all
+
+# Mobile carrier uniquely identifying headers
+request_header_access MSISDN deny all		# T-Mobile
+request_header_access X-MSISDN deny all		# T-Mobile
+request_header_access X-UIDH deny all		# Verizon
+request_header_access x-up-subno deny all	# AT&T
+request_header_access X-ACR deny all		# AT&T
+request_header_access X-UP-SUBSCRIBER-COS deny all
+request_header_access X-OPWV-DDM-HTTPMISCDD deny all
+request_header_access X-OPWV-DDM-IDENTITY deny all
+request_header_access X-OPWV-DDM-SUBSCRIBER deny all
+request_header_access CLIENTID deny all
+request_header_access X-VF-ACR deny all
+request_header_access X_MTI_USERNAME deny all
+request_header_access X_MTI_EMAIL deny all
+request_header_access X_MTI_EMPID deny all
+
+# Don't forge headers to Apple to avoid breaking Apple services
+# https://support.apple.com/en-us/HT210060
+# Convert these IP ranges to CIDR:
+# whois `nslookup phobos.apple.com | grep Address | tail -1 | perl -ane 'chomp; s/Address: //; print $_'`
+# whois `nslookup p32-keyvalueservice-current.edge.icloud.apple-dns.net | grep Address | tail -1 | perl -ane 'chomp; s/Address: //; print $_'`
+# whois 23.63.98.0
+# whois `nslookup www-cdn.icloud.com.akadns.net | grep Address | tail -1 | perl -ane 'chomp; s/Address: //; print $_'`
+# acl apple-subnet dst 17.0.0.0/8
+acl apple-enterprise-network-domains dstdomain \
+        albert.apple.com \
+        captive.apple.com \
+        gs.apple.com \
+        humb.apple.com \
+        static.ips.apple.com \
+        tbsc.apple.com \
+        time-ios.apple.com \
+        time.apple.com \
+        time-macos.apple.com \
+        .push.apple.com \
+        gdmf.apple.com \
+        deviceenrollment.apple.com \
+        deviceservices-external.apple.com \
+        identity.apple.com \
+        iprofiles.apple.com \
+        mdmenrollment.apple.com \
+        setup.icloud.com \
+        appldnld.apple.com \
+        gg.apple.com \
+        gnf-mdn.apple.com \
+        gnf-mr.apple.com \
+        gs.apple.com \
+        ig.apple.com \
+        mesu.apple.com \
+        oscdn.apple.com \
+        osrecovery.apple.com \
+        skl.apple.com \
+        swcdn.apple.com \
+        swdist.apple.com \
+        swdownload.apple.com \
+        swpost.apple.com \
+        swscan.apple.com \
+        updates-http.cdn-apple.com \
+        updates.cdn-apple.com \
+        xp.apple.com \
+        .itunes.apple.com \
+        .apps.apple.com \
+        .mzstatic.com \
+        ppq.apple.com \
+        lcdn-registration.apple.com \
+        crl.apple.com \
+        crl.entrust.net \
+        crl3.digicert.com \
+        crl4.digicert.com \
+        ocsp.apple.com \
+        ocsp.digicert.com \
+        ocsp.entrust.net \
+        ocsp.verisign.net
+
+acl apple-appservices-and-akamai-subnets dst \
+        17.248.128.0/18 \
+        17.250.64.0/18 \
+        17.248.192.0/19
+
+request_header_access User-Agent deny all
+request_header_replace User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.1 Safari/605.1.15
+
 #  TAG: reply_header_access
 #	Usage: reply_header_access header_name allow|deny [!]aclname ...
 #
@@ -6374,6 +6532,10 @@
 #	seconds will receive a 'timeout' message.
 #Default:
 # shutdown_lifetime 30 seconds
+# Make this significantly less than daemondo's kChildDeathTimeout
+# to avoid multiple squid processes at boot or on network change
+# const CFTimeInterval kChildDeathTimeout = 20;
+shutdown_lifetime 5 seconds
 
 # ADMINISTRATIVE PARAMETERS
 # -----------------------------------------------------------------------------
@@ -6442,6 +6604,7 @@
 #	names with this setting.
 #Default:
 # Automatically detect the system host name
+visible_hostname localhost
 
 #  TAG: unique_hostname
 #	If you want to have multiple machines with the same
@@ -7222,6 +7385,7 @@
 #	up or to simplify log analysis.
 #Default:
 # log_icp_queries on
+log_icp_queries off
 
 #  TAG: udp_incoming_address
 #	udp_incoming_address	is used for UDP packets received from other
@@ -7720,6 +7884,41 @@
 #Default:
 # Prevent any cache_peer being used for this request.
 
+# See http://www.privoxy.org/user-manual/config.html
+# Define ACL for protocol FTP
+acl ftp proto FTP
+always_direct allow ftp
+
+# Direct to specified domain names
+#acl mydomainname dstdomain .mydomainname.com
+#always_direct allow mydomainname
+
+# Do not forward Apple services through Privoxy
+always_direct allow apple-appservices-and-akamai-subnets
+always_direct allow apple-enterprise-network-domains
+
+# Do not send Zoom https://*.zoom.us through Privoxy
+acl zoom-us-domain dstdomain .zoom.us
+always_direct allow CONNECT zoom-us-domain
+
+# Do not send AWS requests through Privoxy
+acl aws-domains dstdomain \
+      .aws.amazon.com \
+      .cloudfront.net
+always_direct allow aws-domains
+
+# See http://www.privoxy.org/user-manual/config.html
+# Define ACL for protocol FTP
+acl ftp proto FTP
+always_direct allow ftp
+
+# Direct to specified domain names
+#acl mydomainname dstdomain .mydomainname.com
+#always_direct allow mydomainname
+
+# Do not forward SSL requests to Privoxy
+always_direct allow SSL_ports
+
 #  TAG: never_direct
 #	Usage: never_direct allow|deny [!]aclname ...
 #
@@ -7749,6 +7948,14 @@
 #Default:
 # Allow DNS results to be used for this request.
 
+# See http://www.privoxy.org/user-manual/config.html
+# Forward all the rest to Privoxy
+never_direct allow all
+
+# See http://www.privoxy.org/user-manual/config.html
+# Forward all the rest to Privoxy
+never_direct allow all
+
 # ADVANCED NETWORKING OPTIONS
 # -----------------------------------------------------------------------------
 
@@ -8589,6 +8796,12 @@
 #Default:
 # Use operating system definitions
 
+# Google DNS
+dns_nameservers 8.8.8.8 4.4.4.4
+
+# Use LAN IP with possible backup if you're running DNS yourself
+#dns_nameservers 10.0.1.3
+
 #  TAG: hosts_file
 #	Location of the host-local IP name-address associations
 #	database. Most Operating Systems have such a file on different
@@ -8614,6 +8827,7 @@
 #	definitions.
 #Default:
 # hosts_file /etc/hosts
+hosts_file @PREFIX@/etc/@NAME@/@NAME@-hosts
 
 #  TAG: append_domain
 #	Appends local domain name to hostnames without any dots in
@@ -8641,6 +8855,7 @@
 #	Maximum number of DNS IP cache entries.
 #Default:
 # ipcache_size 1024
+ipcache_size 16384
 
 #  TAG: ipcache_low	(percent)
 #Default:
@@ -8655,6 +8870,7 @@
 #	Maximum number of FQDN cache entries.
 #Default:
 # fqdncache_size 1024
+fqdncache_size 1048576
 
 # MISCELLANEOUS
 # -----------------------------------------------------------------------------
@@ -8675,6 +8891,7 @@
 #	routines, disable this.
 #Default:
 # memory_pools on
+memory_pools off
 
 #  TAG: memory_pools_limit	(bytes)
 #	Used only with memory_pools on:
@@ -8721,6 +8938,7 @@
 #	X-Forwarded-For entries, and place the client IP as the sole entry.
 #Default:
 # forwarded_for on
+forwarded_for off
 
 #  TAG: cachemgr_passwd
 #	Specify passwords for cachemgr operations.
@@ -8788,6 +9006,7 @@
 #	turn off client_db here.
 #Default:
 # client_db on
+client_db off
 
 #  TAG: refresh_all_ims	on|off
 #	When you enable this option, squid will always check
@@ -8918,6 +9137,7 @@
 #	WARNING: pipelining breaks NTLM and Negotiate/Kerberos authentication.
 #Default:
 # Do not pre-parse pipelined requests.
+pipeline_prefetch 3
 
 #  TAG: high_response_time_warning	(msec)
 #	If the one-minute median response time exceeds this value,
@@ -8978,6 +9198,7 @@
 #	Whether to lookup the EUI or MAC address of a connected client.
 #Default:
 # eui_lookup on
+eui_lookup off
 
 #  TAG: max_filedescriptors
 #	Set the maximum number of filedescriptors, either below the
