#	WELCOME TO SQUID 3.2.10
#	----------------------------
#
#	This is the documentation for the Squid configuration file.
#	This documentation can also be found online at:
#		http://www.squid-cache.org/Doc/config/
#
#	You may wish to look at the Squid home page and wiki for the
#	FAQ and other documentation:
#		http://www.squid-cache.org/
#		http://wiki.squid-cache.org/SquidFaq
#		http://wiki.squid-cache.org/ConfigExamples
#
#	This documentation shows what the defaults for various directives
#	happen to be.  If you don't need to change the default, you should
#	leave the line out of your squid.conf in most cases.
#
#	In some cases "none" refers to no default setting at all,
#	while in other cases it refers to the value of the option
#	- the comments for that keyword indicate if this is the case.
#

#  Configuration options can be included using the "include" directive.
#  Include takes a list of files to include. Quoting and wildcards are
#  supported.
#
#  For example,
#
#  include /path/to/included/file/squid.acl.config
#
#  Includes can be nested up to a hard-coded depth of 16 levels.
#  This arbitrary restriction is to prevent recursive include references
#  from causing Squid to enter an infinite loop whilst trying to load
#  configuration files.
#
#
#  Conditional configuration
#
#	If-statements can be used to make configuration directives
#	depend on conditions:
#
#	    if <CONDITION>
#	        ... regular configuration directives ...
#	    [else
#	        ... regular configuration directives ...]
#	    endif
#
#	The else part is optional. The keywords "if", "else", and "endif"
#	must be typed on their own lines, as if they were regular
#	configuration directives.
#
#	NOTE: An else-if condition is not supported.
#
#	These individual condition types are supported:
#
#	    true
#		Always evaluates to true.
#	    false
#		Always evaluates to false.
#	    <integer> = <integer>
#	        Equality comparison of two integer numbers.
#
#
#  SMP-Related Macros
#
#	The following SMP-related preprocessor macros can be used.
#
#	${process_name} expands to the current Squid process "name"
#	(e.g., squid1, squid2, or cache1).
#
#	${process_number} expands to the current Squid process
#	identifier, which is an integer number (e.g., 1, 2, 3) unique
#	across all Squid processes.

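#  The following is an added example, not part of Squid or of this file: a
#  small evaluator that applies the if/else/endif rules and the two SMP macros
#  described above to a constructed squid.conf fragment, so the directives a
#  given worker would actually see can be checked without starting Squid.
#  It assumes nested if-blocks behave like the single level the text shows,
#  and it rejects "else if" because the text says else-if is not supported.

```python
import re

_EQ = re.compile(r"^\s*(-?\d+)\s*=\s*(-?\d+)\s*$")


def expand_macros(line, process_name, process_number):
    """Expand the two SMP macros the documentation defines."""
    return (line.replace("${process_name}", process_name)
                .replace("${process_number}", str(process_number)))


def evaluate_condition(cond):
    """Only the three documented forms exist: true, false, <int> = <int>."""
    cond = cond.strip()
    if cond == "true":
        return True
    if cond == "false":
        return False
    m = _EQ.match(cond)
    if m:
        return int(m.group(1)) == int(m.group(2))
    raise ValueError("unsupported condition: %r" % cond)


def active_directives(text, process_name="squid1", process_number=1):
    """Return the directive lines one Squid process would actually see.

    Macros are expanded before a condition is evaluated, so for process 2
    'if ${process_number} = 2' becomes 'if 2 = 2'. Nesting is an assumption
    (the text only shows one level); 'else if' is rejected as documented."""
    out = []
    stack = []  # frames: [condition_value, enclosing_block_active, in_else]

    def active():
        if not stack:
            return True
        cond, enclosing, in_else = stack[-1]
        return enclosing and (cond != in_else)  # the else branch flips the test

    for raw in text.splitlines():
        line = expand_macros(raw, process_name, process_number).strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, rest = line.partition(" ")
        if keyword == "if":
            stack.append([evaluate_condition(rest), active(), False])
        elif keyword == "else":
            if not stack or stack[-1][2]:
                raise ValueError("else without a matching if")
            if rest.strip():
                raise ValueError("else-if is not supported: %r" % line)
            stack[-1][2] = True
        elif keyword == "endif":
            if not stack:
                raise ValueError("endif without a matching if")
            stack.pop()
        elif active():
            out.append(line)
    if stack:
        raise ValueError("unterminated if block")
    return out


def is_well_formed(text):
    """True when the if/else/endif structure follows the documented rules."""
    try:
        active_directives(text)
    except ValueError:
        return False
    return True


# Constructed squid.conf fragment (not taken from the original file).
SAMPLE = """\
workers 3
if ${process_number} = 1
    cache_log /var/log/squid/cache-${process_name}.log
else
    cache_log /var/log/squid/cache-${process_name}.log.${process_number}
endif
if true
    if ${process_number} = 3
        debug_options ALL,1 33,2
    endif
endif
if false
    debug_options ALL,9
endif
"""

if __name__ == "__main__":
    for number in (1, 2, 3):
        print("squid%d:" % number, active_directives(SAMPLE, "squid%d" % number, number))
```

#  Run it directly to print what each of the three workers in the sample
#  would load; `is_well_formed()` is the check to run over a fragment before
#  deploying it, since a stray "else if" is otherwise only found at startup.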
#  TAG: broken_vary_encoding
#	This option is not yet supported by Squid-3.
#Default:
# none

#  TAG: cache_vary
#	This option is not yet supported by Squid-3.
#Default:
# none

#  TAG: collapsed_forwarding
#	This option is not yet supported by Squid-3. See http://bugs.squid-cache.org/show_bug.cgi?id=3495
#Default:
# none

#  TAG: error_map
#	This option is not yet supported by Squid-3.
#Default:
# none

#  TAG: external_refresh_check
#	This option is not yet supported by Squid-3.
#Default:
# none

#  TAG: ignore_ims_on_miss
#	This option is not yet supported by Squid-3.
#Default:
# none

#  TAG: location_rewrite_program
#	This option is not yet supported by Squid-3.
#Default:
# none

#  TAG: refresh_stale_hit
#	This option is not yet supported by Squid-3.
#Default:
# none

#  TAG: storeurl_access
#	This option is not yet supported by this version of Squid-3. Please try a later release.
#Default:
# none

#  TAG: ignore_expect_100
#	Remove this line. The HTTP/1.1 feature is now fully supported by default.
#Default:
# none

#  TAG: dns_v4_fallback
#	Remove this line. Squid performs a 'Happy Eyeballs' algorithm, the 'fallback' algorithm is no longer relevant.
#Default:
# none

#  TAG: ftp_list_width
#	Remove this line. Configure FTP page display using the CSS controls in errorpages.css instead.
#Default:
# none

#  TAG: maximum_single_addr_tries
#	Replaced by connect_retries. The behaviour has changed, please read the documentation before altering.
#Default:
# none

#  TAG: update_headers
#	Remove this line. The feature is supported by default in storage types where update is implemented.
#Default:
# none

#  TAG: url_rewrite_concurrency
#	Remove this line. Set the 'concurrency=' option of url_rewrite_children instead.
#Default:
# none

#  TAG: dns_testnames
#	Remove this line. DNS is no longer tested on startup.
#Default:
# none

#  TAG: extension_methods
#	Remove this line. All valid methods for HTTP are accepted by default.
#Default:
# none

#  TAG: zero_buffers
#Default:
# none

#  TAG: incoming_rate
#Default:
# none

#  TAG: server_http11
#	Remove this line. HTTP/1.1 is supported by default.
#Default:
# none

#  TAG: upgrade_http0.9
#	Remove this line. ICY/1.0 streaming protocol is supported by default.
#Default:
# none

#  TAG: zph_local
#	Alter these entries. Use the qos_flows directive instead.
#Default:
# none

#  TAG: header_access
#	Since squid-3.0 replace with request_header_access or reply_header_access
#	depending on whether you wish to match client requests or server replies.
#Default:
# none

#  TAG: httpd_accel_no_pmtu_disc
#	Since squid-3.0 use the 'disable-pmtu-discovery' flag on http_port instead.
#Default:
# none

#  TAG: wais_relay_host
#	Replace this line with 'cache_peer' configuration.
#Default:
# none

#  TAG: wais_relay_port
#	Replace this line with 'cache_peer' configuration.
#Default:
# none

# OPTIONS FOR AUTHENTICATION
# -----------------------------------------------------------------------------

#  TAG: auth_param
#	This is used to define parameters for the various authentication
#	schemes supported by Squid.
#
#	format: auth_param scheme parameter [setting]
#
#	The order in which authentication schemes are presented to the client is
#	dependent on the order the scheme first appears in the config file. IE
#	has a bug (it's not RFC 2617 compliant) in that it will use the basic
#	scheme if basic is the first entry presented, even if more secure
#	schemes are presented. For now use the order in the recommended
#	settings section below. If other browsers have difficulties (don't
#	recognize the schemes offered even if you are using basic) either
#	put basic first, or disable the other schemes (by commenting out their
#	program entry).
#
#	Once an authentication scheme is fully configured, it can only be
#	shut down by shutting squid down and restarting. Changes can be made on
#	the fly and activated with a reconfigure. I.E. You can change to a
#	different helper, but not unconfigure the helper completely.
#
#	Please note that while this directive defines how Squid processes
#	authentication it does not automatically activate authentication.
#	To use authentication you must in addition make use of ACLs based
#	on login name in http_access (proxy_auth, proxy_auth_regex or
#	external with %LOGIN used in the format tag). The browser will be
#	challenged for authentication on the first such acl encountered
#	in http_access processing and will also be re-challenged for new
#	login credentials if the request is being denied by a proxy_auth
#	type acl.
#
#	WARNING: authentication can't be used in a transparently intercepting
#	proxy as the client then thinks it is talking to an origin server and
#	not the proxy. This is a limitation of bending the TCP/IP protocol to
#	transparently intercepting port 80, not a limitation in Squid.
#	Ports flagged 'transparent', 'intercept', or 'tproxy' have
#	authentication disabled.
#
#	=== Parameters for the basic scheme follow. ===
#
#	"program" cmdline
#	Specify the command for the external authenticator. Such a program
#	reads a line containing "username password" and replies "OK" or
#	"ERR" in an endless loop. "ERR" responses may optionally be followed
#	by an error description available as %m in the returned error page.
#	If you use an authenticator, make sure you have 1 acl of type
#	proxy_auth.
#
#	By default, the basic authentication scheme is not used unless a
#	program is specified.
#
#	If you want to use the traditional NCSA proxy authentication, set
#	this line to something like
#
#	auth_param basic program /usr/libexec/ncsa_auth /usr/etc/passwd
#
#	"utf8" on|off
#	HTTP uses iso-latin-1 as character set, while some authentication
#	backends such as LDAP expect UTF-8. If this is set to on Squid will
#	translate the HTTP iso-latin-1 charset to UTF-8 before sending the
#	username & password to the helper.
#
#	"children" numberofchildren [startup=N] [idle=N] [concurrency=N]
#	The maximum number of authenticator processes to spawn. If you start too few
#	Squid will have to wait for them to process a backlog of credential
#	verifications, slowing it down. When password verifications are
#	done via a (slow) network you are likely to need lots of
#	authenticator processes.
#
#	The startup= and idle= options permit some skew in the exact amount
#	run. A minimum of startup=N will begin during startup and reconfigure.
#	Squid will start more in groups of up to idle=N in an attempt to meet
#	traffic needs and to keep idle=N free above those traffic needs up to
#	the maximum.
#
#	The concurrency= option sets the number of concurrent requests the
#	helper can process. The default of 0 is used for helpers that only
#	support one request at a time. Setting this to a number greater than
#	0 changes the protocol used to include a channel number first on the
#	request/response line, allowing multiple requests to be sent to the
#	same helper in parallel without waiting for the response.
#	Must not be set unless it's known the helper supports this.
#
#	auth_param basic children 20 startup=0 idle=1
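#	The following is an added example of a basic-scheme "program" helper
#	speaking the protocol described above ("username password" in, "OK" or
#	"ERR description" out, forever), including the channel-number prefix
#	that concurrency=N switches on. It is not Squid's ncsa_auth or any
#	bundled helper. The credential store is constructed inline, and the
#	helper assumes Squid 3.x URL-escapes the two fields before sending them
#	(so they are unescaped before checking); the password-hashing choice
#	(salted PBKDF2, constant-time compare) is the example's own.

```python
import hashlib
import hmac
import os
import sys
from urllib.parse import unquote

PBKDF2_ROUNDS = 100_000


def _entry(password, salt=None):
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


# Constructed credential store: username -> (salt, PBKDF2-SHA256 digest).
# A real helper would load this from a file or a directory service.
USERS = {
    "alice": _entry("correct horse"),
    "bob": _entry("hunter2"),
}
_DUMMY_SALT = b"\0" * 16


def check_credentials(username, password):
    """Constant-time verification against the stored digest."""
    entry = USERS.get(username)
    if entry is None:
        # Do the same work for unknown users so their absence is not
        # observable through reply timing.
        hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), _DUMMY_SALT, PBKDF2_ROUNDS)
        return False
    salt, digest = entry
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def handle_line(line, concurrency=0):
    """Map one request line to the reply line Squid expects.

    Without concurrency the line is "username password". With
    concurrency=N the line is "channel username password" and the channel
    number must be echoed first on the reply so Squid can pair them up."""
    request = line.rstrip("\r\n")
    channel = None
    if concurrency > 0:
        channel, _, request = request.partition(" ")
        if not channel.isdigit() or not (0 <= int(channel) < concurrency):
            return "ERR Malformed request: missing channel number"
    username, sep, password = request.partition(" ")
    if not sep or not username:
        reply = "ERR Malformed request line"
    else:
        # Assumption: both fields arrive URL-escaped; unescape before checking.
        username, password = unquote(username), unquote(password)
        if check_credentials(username, password):
            reply = "OK"
        else:
            reply = "ERR Wrong user name or password"  # shown as %m in the error page
    return reply if channel is None else "%s %s" % (channel, reply)


def main(concurrency=0):
    """Endless loop: Squid feeds requests on stdin for the helper's lifetime."""
    for line in sys.stdin:
        sys.stdout.write(handle_line(line, concurrency) + "\n")
        sys.stdout.flush()  # a buffered reply would stall Squid


if __name__ == "__main__":
    main(int(sys.argv[1]) if len(sys.argv) > 1 else 0)
```

#	The helper takes the concurrency level as its first argument, so the
#	matching directives would be "auth_param basic program /path/to/helper.py 4"
#	together with "auth_param basic children 5 concurrency=4" (the same number
#	in both places). Note that flushing stdout after every reply is not
#	optional: Squid waits on each pending request until its line arrives.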
#
#	"realm" realmstring
#	Specifies the realm name which is to be reported to the
#	client for the basic proxy authentication scheme (part of
#	the text the user will see when prompted for their username and
#	password). There is no default.
#	auth_param basic realm Squid proxy-caching web server
#
#	"credentialsttl" timetolive
#	Specifies how long squid assumes an externally validated
#	username:password pair is valid for - in other words how
#	often the helper program is called for that user. Set this
#	low to force revalidation with short lived passwords. Note
#	setting this high does not impact your susceptibility
#	to replay attacks unless you are using a one-time password
#	system (such as SecureID). If you are using such a system,
#	you will be vulnerable to replay attacks unless you also
#	use the max_user_ip ACL in an http_access rule.
#
#	"casesensitive" on|off
#	Specifies if usernames are case sensitive. Most user databases are
#	case insensitive allowing the same username to be spelled using both
#	lower and upper case letters, but some are case sensitive. This
#	makes a big difference for max_user_ip ACL processing and similar.
#	auth_param basic casesensitive off
#
#	=== Parameters for the digest scheme follow ===
#
#	"program" cmdline
#	Specify the command for the external authenticator. Such
#	a program reads a line containing "username":"realm" and
#	replies with the appropriate H(A1) value hex encoded or
#	ERR if the user (or his H(A1) hash) does not exist.
#	See rfc 2616 for the definition of H(A1).
#	"ERR" responses may optionally be followed by an error description
#	available as %m in the returned error page.
#
#	By default, the digest authentication scheme is not used unless a
#	program is specified.
#
#	If you want to use a digest authenticator, set this line to
#	something like
#
#	auth_param digest program /usr/bin/digest_pw_auth /usr/etc/digpass
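#	The following is an added example of a digest-scheme helper, not Squid's
#	digest_pw_auth: it reads the "username":"realm" line described above and
#	answers with H(A1) in hex or ERR. H(A1) for the default algorithm is
#	MD5(username ":" realm ":" password) as defined in RFC 2617 (the digest
#	RFC), and the example also shows the other half of the exchange, the
#	response check Squid itself performs once it has H(A1), so the split of
#	responsibility between helper and proxy is visible. The store, realm and
#	sample request values are constructed.

```python
import hashlib
import hmac
import re
import sys

REALM = "Squid proxy-caching web server"  # must equal auth_param digest realm


def h_a1(username, realm, password):
    """H(A1) for the default (non -sess) algorithm: MD5(user:realm:password)."""
    data = "%s:%s:%s" % (username, realm, password)
    # HTTP credentials are iso-latin-1 on the wire (see the utf8 option above).
    return hashlib.md5(data.encode("iso-8859-1")).hexdigest()


# Constructed store keyed by (username, realm). Holding only H(A1) keeps the
# cleartext password off disk, but H(A1) is itself password-equivalent for
# this realm, so the file needs the same protection a password file would.
STORE = {
    ("alice", REALM): h_a1("alice", REALM, "correct horse"),
}

_REQUEST = re.compile(r'^"([^"]*)":"([^"]*)"$')


def handle_line(line):
    """One request line in ("username":"realm"), H(A1) hex or ERR out."""
    m = _REQUEST.match(line.rstrip("\r\n"))
    if not m:
        return "ERR Malformed request"
    ha1 = STORE.get(m.groups())
    return ha1 if ha1 else "ERR No such user"  # the description is available as %m


def expected_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """What the proxy computes from the helper's H(A1) to check the client's
    'response=' value (RFC 2617, qop=auth form)."""
    ha2 = hashlib.md5(("%s:%s" % (method, uri)).encode("iso-8859-1")).hexdigest()
    data = ":".join([ha1, nonce, nc, cnonce, qop, ha2])
    return hashlib.md5(data.encode("iso-8859-1")).hexdigest()


def verify_client_response(username, realm, method, uri, nonce, nc, cnonce, response):
    """Full check: ask the helper for H(A1), recompute, compare in constant time."""
    ha1 = handle_line('"%s":"%s"' % (username, realm))
    if ha1.startswith("ERR"):
        return False
    return hmac.compare_digest(expected_response(ha1, method, uri, nonce, nc, cnonce), response)


def main():
    """Endless loop, as for the basic helper."""
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

#	Because the helper only ever sees the user name and realm, a compromised
#	helper host learns H(A1) values but never the client's nonce-bound
#	response; the trade-off is that the H(A1) file must be treated as a
#	credential store in its own right.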
#
#	"utf8" on|off
#	HTTP uses iso-latin-1 as character set, while some authentication
#	backends such as LDAP expect UTF-8. If this is set to on Squid will
#	translate the HTTP iso-latin-1 charset to UTF-8 before sending the
#	username & password to the helper.
#
#	"children" numberofchildren [startup=N] [idle=N] [concurrency=N]
#	The maximum number of authenticator processes to spawn (default 5).
#	If you start too few Squid will have to wait for them to
#	process a backlog of H(A1) calculations, slowing it down.
#	When the H(A1) calculations are done via a (slow) network
#	you are likely to need lots of authenticator processes.
#
#	The startup= and idle= options permit some skew in the exact amount
#	run. A minimum of startup=N will begin during startup and reconfigure.
#	Squid will start more in groups of up to idle=N in an attempt to meet
#	traffic needs and to keep idle=N free above those traffic needs up to
#	the maximum.
#
#	The concurrency= option sets the number of concurrent requests the
#	helper can process. The default of 0 is used for helpers that only
#	support one request at a time. Setting this to a number greater than
#	0 changes the protocol used to include a channel number first on the
#	request/response line, allowing multiple requests to be sent to the
#	same helper in parallel without waiting for the response.
#	Must not be set unless it's known the helper supports this.
#
#	auth_param digest children 20 startup=0 idle=1
#
#	"realm" realmstring
#	Specifies the realm name which is to be reported to the
#	client for the digest proxy authentication scheme (part of
#	the text the user will see when prompted for their username and
#	password). There is no default.
#	auth_param digest realm Squid proxy-caching web server
#
#	"nonce_garbage_interval" timeinterval
#	Specifies the interval at which nonces that have been issued
#	to client agents are checked for validity.
#
#	"nonce_max_duration" timeinterval
#	Specifies the maximum length of time a given nonce will be
#	valid for.
#
#	"nonce_max_count" number
#	Specifies the maximum number of times a given nonce can be
#	used.
#
#	"nonce_strictness" on|off
#	Determines if squid requires strict increment-by-1 behavior
#	for nonce counts, or just incrementing (off - for use when
#	user agents generate nonce counts that occasionally miss 1
#	(ie, 1,2,4,6)). Default off.
#
#	"check_nonce_count" on|off
#	This directive if set to off can disable the nonce count check
#	completely to work around buggy digest qop implementations in
#	certain mainstream browser versions. Default on to check the
#	nonce count to protect from authentication replay attacks.
#
#	"post_workaround" on|off
#	This is a workaround for certain buggy browsers that send
#	an incorrect request digest in POST requests when reusing
#	the same nonce as acquired earlier on a GET request.
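#	The following is an added model, not Squid's own code, of the nonce
#	bookkeeping that nonce_garbage_interval, nonce_max_duration,
#	nonce_max_count, nonce_strictness and check_nonce_count control. It
#	shows what each option buys: with the count check on, a replayed request
#	(same nonce, same or lower count) is refused; with strictness on, a gap
#	in the counts is refused too; with the check off, nothing about the
#	count is verified and only duration and use-count limits remain. The
#	clock is injectable so the time-based rules can be exercised offline.

```python
import os
import time


class NonceTracker:
    """Per-nonce bookkeeping behind the digest options above."""

    def __init__(self, max_duration=30 * 60, max_count=50,
                 strictness=False, check_nonce_count=True, clock=time.time):
        self.max_duration = max_duration            # nonce_max_duration (seconds)
        self.max_count = max_count                  # nonce_max_count
        self.strictness = strictness                # nonce_strictness
        self.check_nonce_count = check_nonce_count  # check_nonce_count
        self.clock = clock                          # injectable for testing
        self._nonces = {}  # nonce -> [issued_at, uses, highest_nc_seen]

    def issue(self):
        """Mint a fresh, unpredictable nonce for a 407 challenge."""
        nonce = os.urandom(16).hex()
        self._nonces[nonce] = [self.clock(), 0, 0]
        return nonce

    def accept(self, nonce, nc):
        """Decide whether a request using (nonce, nc) may be authenticated.

        nc is the client's nonce-count as an integer (on the wire it is
        8 hex digits, e.g. "00000003"). Returns (accepted, reason)."""
        entry = self._nonces.get(nonce)
        if entry is None:
            return False, "unknown or already discarded nonce"
        issued, uses, last_nc = entry
        if self.clock() - issued > self.max_duration:
            return False, "nonce older than nonce_max_duration"
        if uses >= self.max_count:
            return False, "nonce used more than nonce_max_count times"
        if self.check_nonce_count:
            if nc <= last_nc:
                return False, "nonce count did not increase: replay"
            if self.strictness and nc != last_nc + 1:
                return False, "nonce count must increase by exactly 1"
        entry[1] = uses + 1
        entry[2] = max(last_nc, nc)
        return True, "ok"

    def garbage_collect(self):
        """The nonce_garbage_interval sweep: drop nonces that can no longer
        be used, so the table does not grow with every challenge issued."""
        now = self.clock()
        dead = [n for n, (issued, uses, _) in self._nonces.items()
                if now - issued > self.max_duration or uses >= self.max_count]
        for n in dead:
            del self._nonces[n]
        return len(dead)

    def __len__(self):
        return len(self._nonces)
```

#	Turning check_nonce_count off, as the text says, is a workaround for
#	broken clients; the model makes the cost concrete, since a captured
#	request then verifies again for as long as nonce_max_duration and
#	nonce_max_count allow, which is why those two limits should be kept
#	tight if the check has to be disabled.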
#
#	=== NTLM scheme options follow ===
#
#	"program" cmdline
#	Specify the command for the external NTLM authenticator.
#	Such a program reads exchanged NTLMSSP packets with
#	the browser via Squid until authentication is completed.
#	If you use an NTLM authenticator, make sure you have 1 acl
#	of type proxy_auth. By default, the NTLM authenticator_program
#	is not used.
#
#	auth_param ntlm program /usr/bin/ntlm_auth
#
#	"children" numberofchildren [startup=N] [idle=N]
#	The maximum number of authenticator processes to spawn (default 5).
#	If you start too few Squid will have to wait for them to
#	process a backlog of credential verifications, slowing it
#	down. When credential verifications are done via a (slow)
#	network you are likely to need lots of authenticator
#	processes.
#
#	The startup= and idle= options permit some skew in the exact amount
#	run. A minimum of startup=N will begin during startup and reconfigure.
#	Squid will start more in groups of up to idle=N in an attempt to meet
#	traffic needs and to keep idle=N free above those traffic needs up to
#	the maximum.
#
#	auth_param ntlm children 20 startup=0 idle=1
#
#	"keep_alive" on|off
#	If you experience problems with PUT/POST requests when using the
#	Negotiate authentication scheme then you can try setting this to
#	off. This will cause Squid to forcibly close the connection on
#	the initial requests where the browser asks which schemes are
#	supported by the proxy.
#
#	auth_param ntlm keep_alive on
#
#	=== Options for configuring the NEGOTIATE auth-scheme follow ===
#
#	"program" cmdline
#	Specify the command for the external Negotiate authenticator.
#	This protocol is used in Microsoft Active-Directory enabled setups with
#	the Microsoft Internet Explorer or Mozilla Firefox browsers.
#	Its main purpose is to exchange credentials with the Squid proxy
#	using the Kerberos mechanisms.
#	If you use a Negotiate authenticator, make sure you have at least
#	one acl of type proxy_auth active. By default, the negotiate
#	authenticator_program is not used.
#	The only supported program for this role is the ntlm_auth
#	program distributed as part of Samba, version 4 or later.
#
#	auth_param negotiate program /usr/bin/ntlm_auth --helper-protocol=gss-spnego
#
#	"children" numberofchildren [startup=N] [idle=N]
#	The maximum number of authenticator processes to spawn (default 5).
#	If you start too few Squid will have to wait for them to
#	process a backlog of credential verifications, slowing it
#	down. When credential verifications are done via a (slow)
#	network you are likely to need lots of authenticator
#	processes.
#
#	The startup= and idle= options permit some skew in the exact amount
#	run. A minimum of startup=N will begin during startup and reconfigure.
#	Squid will start more in groups of up to idle=N in an attempt to meet
#	traffic needs and to keep idle=N free above those traffic needs up to
#	the maximum.
#
#	auth_param negotiate children 20 startup=0 idle=1
#
#	"keep_alive" on|off
#	If you experience problems with PUT/POST requests when using the
#	Negotiate authentication scheme then you can try setting this to
#	off. This will cause Squid to forcibly close the connection on
#	the initial requests where the browser asks which schemes are
#	supported by the proxy.
#
#	auth_param negotiate keep_alive on
#
#
#	Examples:
#
##Recommended minimum configuration per scheme:
##auth_param negotiate program <uncomment and complete this line to activate>
##auth_param negotiate children 20 startup=0 idle=1
##auth_param negotiate keep_alive on
##
##auth_param ntlm program <uncomment and complete this line to activate>
##auth_param ntlm children 20 startup=0 idle=1
##auth_param ntlm keep_alive on
##
##auth_param digest program <uncomment and complete this line>
##auth_param digest children 20 startup=0 idle=1
##auth_param digest realm Squid proxy-caching web server
##auth_param digest nonce_garbage_interval 5 minutes
##auth_param digest nonce_max_duration 30 minutes
##auth_param digest nonce_max_count 50
##
##auth_param basic program <uncomment and complete this line>
##auth_param basic children 5 startup=5 idle=1
##auth_param basic realm Squid proxy-caching web server
##auth_param basic credentialsttl 2 hours
#Default:
# none

#  TAG: authenticate_cache_garbage_interval
#	The time period between garbage collection across the username cache.
#	This is a trade-off between memory utilization (long intervals - say
#	2 days) and CPU (short intervals - say 1 minute). Only change if you
#	have good reason to.
#Default:
# authenticate_cache_garbage_interval 1 hour

#  TAG: authenticate_ttl
#	The time a user & their credentials stay in the logged in
#	user cache since their last request. When the garbage
#	interval passes, all user credentials that have passed their
#	TTL are removed from memory.
#Default:
# authenticate_ttl 1 hour

#  TAG: authenticate_ip_ttl
#	If you use proxy authentication and the 'max_user_ip' ACL,
#	this directive controls how long Squid remembers the IP
#	addresses associated with each user.  Use a small value
#	(e.g., 60 seconds) if your users might change addresses
#	quickly, as is the case with dialup.  You might be safe
#	using a larger value (e.g., 2 hours) in a corporate LAN
#	environment with relatively static address assignments.
#Default:
# authenticate_ip_ttl 0 seconds

# ACCESS CONTROLS
# -----------------------------------------------------------------------------

#  TAG: external_acl_type
#	This option defines external acl classes using a helper program
#	to look up the status.
#
#	  external_acl_type name [options] FORMAT.. /path/to/helper [helper arguments..]
#
#	Options:
#
#	  ttl=n		TTL in seconds for cached results (defaults to 3600
#			for 1 hour)
#	  negative_ttl=n
#			TTL for cached negative lookups (default same
#			as ttl)
#	  children-max=n
#			Maximum number of acl helper processes spawned to service
#			external acl lookups of this type. (default 20)
#	  children-startup=n
#			Minimum number of acl helper processes to spawn during
#			startup and reconfigure to service external acl lookups
#			of this type. (default 0)
#	  children-idle=n
#			Number of acl helper processes to keep ahead of traffic
#			loads. Squid will spawn this many at once whenever load
#			rises above the capabilities of existing processes.
#			Up to the value of children-max. (default 1)
#	  concurrency=n	concurrency level per process. Only used with helpers
#			capable of processing more than one query at a time.
#	  cache=n	limit the result cache size, default is unbounded.
#	  grace=n	Percentage remaining of TTL where a refresh of a
#			cached entry should be initiated without needing to
#			wait for a new reply. (default is for no grace period)
#	  protocol=2.5	Compatibility mode for Squid-2.5 external acl helpers
#	  ipv4 / ipv6	IP protocol used to communicate with this helper.
#			The default is to auto-detect IPv6 and use it when available.
#
#	FORMAT specifications
#
#	  %LOGIN	Authenticated user login name
#	  %EXT_USER	Username from previous external acl
#	  %EXT_LOG	Log details from previous external acl
#	  %EXT_TAG	Tag from previous external acl
#	  %IDENT	Ident user name
#	  %SRC		Client IP
#	  %SRCPORT	Client source port
#	  %URI		Requested URI
#	  %DST		Requested host
#	  %PROTO	Requested protocol
#	  %PORT		Requested port
#	  %PATH		Requested URL path (including query-string if any)
#	  %METHOD	Request method
#	  %MYADDR	Squid interface address
#	  %MYPORT	Squid http_port number
#	  %USER_CERT	SSL User certificate in PEM format
#	  %USER_CERTCHAIN SSL User certificate chain in PEM format
#	  %USER_CERT_xx	SSL User certificate subject attribute xx
#	  %USER_CA_xx	SSL User certificate issuer attribute xx
#
#	  %>{Header}	HTTP request header "Header"
#	  %>{Hdr:member}
#			HTTP request header "Hdr" list member "member"
#	  %>{Hdr:;member}
#			HTTP request header list member using ; as
#			list separator. ; can be any non-alphanumeric
#			character.
#
#	  %<{Header}	HTTP reply header "Header"
#	  %<{Hdr:member}
#			HTTP reply header "Hdr" list member "member"
#	  %<{Hdr:;member}
#			HTTP reply header list member using ; as
#			list separator. ; can be any non-alphanumeric
#			character.
#
#	  %%		The percent sign. Useful for helpers which need
#			an unchanging input format.
#
#	In addition to the above, any string specified in the referencing
#	acl will also be included in the helper request line, after the
#	specified formats (see the "acl external" directive)
#
#	The helper receives lines per the above format specification,
#	and returns lines starting with OK or ERR indicating the validity
#	of the request and optionally followed by additional keywords with
#	more details.
#
#	General result syntax:
#
#	  OK/ERR keyword=value ...
#
#	Defined keywords:
#
#	  user=		The user's name (login)
#	  password=	The user's password (for login= cache_peer option)
#	  message=	Message describing the reason. Available as %o
#			in error pages
#	  tag=		Apply a tag to a request (for both ERR and OK results)
#			Only sets a tag, does not alter existing tags.
#	  log=		String to be logged in access.log. Available as
#			%ea in logformat specifications
#
#	If protocol=3.0 (the default) then URL escaping is used to protect
#	each value in both requests and responses.
#
#	If using protocol=2.5 then all values need to be enclosed in quotes
#	if they may contain whitespace, or the whitespace escaped using \.
#	And quotes or \ characters within the keyword value must be \ escaped.
#
#	When using the concurrency= option the protocol is changed by
#	introducing a query channel tag in front of the request/response.
#	The query channel tag is a number between 0 and concurrency-1.
#Default:
# none
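#	The following is an added example of an external acl helper for the
#	protocol described above, not one of the helpers shipped with Squid. It
#	assumes the acl is defined with a FORMAT of "%LOGIN %SRC %DST" (a
#	constructed choice) and the default protocol=3.0, in which every field
#	is URL-escaped in both directions: the request is split on spaces and
#	then unescaped, and every keyword value in the reply is escaped so that
#	a message or log string containing spaces or "=" cannot be misread as a
#	further keyword. The policy table is constructed inline; the channel
#	number for concurrency= is handled the same way as for auth helpers.

```python
import ipaddress
import sys
from urllib.parse import quote, unquote

# Constructed policy table; a real helper would consult a directory or DB.
ALLOWED = {
    "alice": {
        "nets": [ipaddress.ip_network("10.0.0.0/8")],
        "hosts": {"intranet.example.test"},
    },
}


def parse_request(line, concurrency=0):
    """Split a protocol=3.0 request line into (channel, fields).

    Every field is URL-escaped by Squid, so a plain split on spaces is
    safe; values are unescaped afterwards."""
    tokens = line.rstrip("\r\n").split(" ")
    channel = tokens.pop(0) if concurrency > 0 else None
    return channel, [unquote(t) for t in tokens]


def format_reply(ok, channel=None, **keywords):
    """Build 'OK/ERR keyword=value ...' with each value URL-escaped."""
    parts = ["OK" if ok else "ERR"]
    parts += ["%s=%s" % (k, quote(str(v), safe="")) for k, v in keywords.items()]
    reply = " ".join(parts)
    return reply if channel is None else "%s %s" % (channel, reply)


def decide(login, src, dst):
    """Policy: returns (ok, keywords) for a %LOGIN %SRC %DST request."""
    entry = ALLOWED.get(login)
    if entry is None:
        return False, {"message": "unknown user %s" % login}
    try:
        client = ipaddress.ip_address(src)
    except ValueError:
        return False, {"message": "unparseable client address"}
    if not any(client in net for net in entry["nets"]):
        return False, {"message": "client network not permitted",
                       "log": "net-deny src=%s" % src}
    if dst.lower() not in entry["hosts"]:
        return False, {"message": "destination not permitted",
                       "log": "dst-deny dst=%s" % dst}
    return True, {"user": login, "tag": "intranet",
                  "log": "allow %s -> %s" % (login, dst)}


def handle_line(line, concurrency=0):
    channel, fields = parse_request(line, concurrency)
    if len(fields) < 3:
        return format_reply(False, channel, message="malformed request")
    login, src, dst = fields[:3]  # anything after: the acl line's own arguments
    ok, keywords = decide(login, src, dst)
    return format_reply(ok, channel, **keywords)


def main(concurrency=0):
    for line in sys.stdin:
        sys.stdout.write(handle_line(line, concurrency) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main(int(sys.argv[1]) if len(sys.argv) > 1 else 0)
```

#	A matching definition would be
#	"external_acl_type intranet_check ttl=60 %LOGIN %SRC %DST /path/to/helper.py"
#	followed by "acl intranet external intranet_check" and an http_access
#	rule using it. The ttl= value bounds how long a revoked user keeps
#	access through the result cache, so for an authorization helper it is
#	worth setting well below the default hour. The log= string reaches
#	access.log as %ea, which gives the SOC a reason code per denied request
#	without the helper having to write its own log.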

#  TAG: acl
#	Defining an Access List
#
#	Every access list definition must begin with an aclname and acltype,
#	followed by either type-specific arguments or a quoted filename that
#	they are read from.
#
#	   acl aclname acltype argument ...
#	   acl aclname acltype "file" ...
#
#	When using "file", the file should contain one item per line.
#
#	By default, regular expressions are CASE-SENSITIVE.
#	To make them case-insensitive, use the -i option. To return to case-sensitive
#	use the +i option between patterns, or make a new ACL line without -i.
#
#	Some acl types require suspending the current request in order
#	to access some external data source.
#	Those which do are marked with the tag [slow], those which
#	don't are marked as [fast].
#	See http://wiki.squid-cache.org/SquidFaq/SquidAcl
#	for further information
#
#	***** ACL TYPES AVAILABLE *****
#
#	acl aclname src ip-address/netmask ...	# clients IP address [fast]
#	acl aclname src addr1-addr2/netmask ...	# range of addresses [fast]
#	acl aclname dst ip-address/netmask ...	# URL host's IP address [slow]
#	acl aclname myip ip-address/netmask ...	# local socket IP address [fast]
#
#	acl aclname arp      mac-address ... (xx:xx:xx:xx:xx:xx notation)
#	  # The arp ACL requires the special configure option --enable-arp-acl.
#	  # Furthermore, the ARP ACL code is not portable to all operating systems.
#	  # It works on Linux, Solaris, Windows, FreeBSD, and some
#	  # other *BSD variants.
#	  # [fast]
#	  #
#	  # NOTE: Squid can only determine the MAC address for clients that are on
#	  # the same subnet. If the client is on a different subnet,
#	  # then Squid cannot find out its MAC address.
#
#	acl aclname srcdomain   .foo.com ...
#	  # reverse lookup, from client IP [slow]
#	acl aclname dstdomain   .foo.com ...
#	  # Destination server from URL [fast]
#	acl aclname srcdom_regex [-i] \.foo\.com ...
#	  # regex matching client name [slow]
#	acl aclname dstdom_regex [-i] \.foo\.com ...
#	  # regex matching server [fast]
#	  #
#	  # For dstdomain and dstdom_regex a reverse lookup is tried if an IP
#	  # based URL is used and no match is found. The name "none" is used
#	  # if the reverse lookup fails.
#
#	acl aclname src_as number ...
#	acl aclname dst_as number ...
#	  # [fast]
#	  # Except for access control, AS numbers can be used for
#	  # routing of requests to specific caches. Here's an
#	  # example for routing all requests for AS#1241 and only
#	  # those to mycache.mydomain.net:
#	  # acl asexample dst_as 1241
#	  # cache_peer_access mycache.mydomain.net allow asexample
#	  # cache_peer_access mycache.mydomain.net deny all
#
#	acl aclname peername myPeer ...
#	  # [fast]
#	  # match against a named cache_peer entry
#	  # set unique name= on cache_peer lines for reliable use.
#
#	acl aclname time [day-abbrevs] [h1:m1-h2:m2]
#	  # [fast]
#	  #  day-abbrevs:
#	  #	S - Sunday
#	  #	M - Monday
#	  #	T - Tuesday
#	  #	W - Wednesday
#	  #	H - Thursday
#	  #	F - Friday
#	  #	A - Saturday
#	  #  h1:m1 must be less than h2:m2
#
#	acl aclname url_regex [-i] ^http:// ...
#	  # regex matching on whole URL [fast]
#	acl aclname urllogin [-i] [^a-zA-Z0-9] ...
#	  # regex matching on URL login field
#	acl aclname urlpath_regex [-i] \.gif$ ...
#	  # regex matching on URL path [fast]
737 |
|
# |
738 |
|
# acl aclname port 80 70 21 0-1024... # destination TCP port [fast] |
739 |
|
# # ranges are alloed |
740 |
|
# acl aclname myport 3128 ... # local socket TCP port [fast] |
741 |
|
# acl aclname myportname 3128 ... # http(s)_port name [fast] |
742 |
|
# |
743 |
|
# acl aclname proto HTTP FTP ... # request protocol [fast] |
744 |
|
# |
745 |
|
# acl aclname method GET POST ... # HTTP request method [fast] |
746 |
|
# |
747 |
|
# acl aclname http_status 200 301 500- 400-403 ... |
748 |
|
# # status code in reply [fast] |
749 |
|
# |
750 |
|
# acl aclname browser [-i] regexp ... |
751 |
|
# # pattern match on User-Agent header (see also req_header below) [fast] |
752 |
|
# |
753 |
|
# acl aclname referer_regex [-i] regexp ... |
754 |
|
# # pattern match on Referer header [fast] |
755 |
|
# # Referer is highly unreliable, so use with care |
756 |
|
# |
757 |
|
# acl aclname ident username ... |
758 |
|
# acl aclname ident_regex [-i] pattern ... |
759 |
|
# # string match on ident output [slow] |
760 |
|
# # use REQUIRED to accept any non-null ident. |
761 |
|
# |
762 |
|
# acl aclname proxy_auth [-i] username ... |
763 |
|
# acl aclname proxy_auth_regex [-i] pattern ... |
764 |
|
# # perform http authentication challenge to the client and match against |
765 |
|
# # supplied credentials [slow] |
766 |
|
# # |
767 |
|
# # takes a list of allowed usernames. |
768 |
|
# # use REQUIRED to accept any valid username. |
769 |
|
# # |
770 |
|
# # Will use proxy authentication in forward-proxy scenarios, and plain |
771 |
|
# # http authenticaiton in reverse-proxy scenarios |
772 |
|
# # |
773 |
|
# # NOTE: when a Proxy-Authentication header is sent but it is not |
774 |
|
# # needed during ACL checking the username is NOT logged |
775 |
|
# # in access.log. |
776 |
|
# # |
777 |
|
# # NOTE: proxy_auth requires a EXTERNAL authentication program |
778 |
|
# # to check username/password combinations (see |
779 |
|
# # auth_param directive). |
780 |
|
# # |
781 |
|
# # NOTE: proxy_auth can't be used in a transparent/intercepting proxy |
782 |
|
# # as the browser needs to be configured for using a proxy in order |
783 |
|
# # to respond to proxy authentication. |
784 |
|
# |
785 |
|
# acl aclname snmp_community string ... |
786 |
|
# # A community string to limit access to your SNMP Agent [fast] |
787 |
|
# # Example: |
788 |
|
# # |
789 |
|
# # acl snmppublic snmp_community public |
790 |
|
# |
791 |
|
# acl aclname maxconn number |
792 |
|
# # This will be matched when the client's IP address has |
793 |
|
# # more than <number> TCP connections established. [fast] |
794 |
|
# # NOTE: This only measures direct TCP links so X-Forwarded-For |
795 |
|
# # indirect clients are not counted. |
796 |
|
# |
797 |
|
# acl aclname max_user_ip [-s] number |
798 |
|
# # This will be matched when the user attempts to log in from more |
799 |
|
# # than <number> different ip addresses. The authenticate_ip_ttl |
800 |
|
# # parameter controls the timeout on the ip entries. [fast] |
801 |
|
# # If -s is specified the limit is strict, denying browsing |
802 |
|
# # from any further IP addresses until the ttl has expired. Without |
803 |
|
# # -s Squid will just annoy the user by "randomly" denying requests. |
804 |
|
# # (the counter is reset each time the limit is reached and a |
805 |
|
# # request is denied) |
806 |
|
# # NOTE: in acceleration mode or where there is mesh of child proxies, |
807 |
|
# # clients may appear to come from multiple addresses if they are |
808 |
|
# # going through proxy farms, so a limit of 1 may cause user problems. |
809 |
|
# |
810 |
|
# acl aclname random probability |
811 |
|
# # Pseudo-randomly match requests. Based on the probability given. |
812 |
|
# # Probability may be written as a decimal (0.333), fraction (1/3) |
813 |
|
# # or ratio of matches:non-matches (3:5). |
814 |
|
# |
815 |
|
# acl aclname req_mime_type [-i] mime-type ... |
816 |
|
# # regex match against the mime type of the request generated |
817 |
|
# # by the client. Can be used to detect file upload or some |
818 |
|
# # types HTTP tunneling requests [fast] |
819 |
|
# # NOTE: This does NOT match the reply. You cannot use this |
820 |
|
# # to match the returned file type. |
821 |
|
# |
822 |
|
# acl aclname req_header header-name [-i] any\.regex\.here |
823 |
|
# # regex match against any of the known request headers. May be |
824 |
|
# # thought of as a superset of "browser", "referer" and "mime-type" |
825 |
|
# # ACL [fast] |
826 |
|
# |
827 |
|
# acl aclname rep_mime_type [-i] mime-type ... |
828 |
|
# # regex match against the mime type of the reply received by |
829 |
|
# # squid. Can be used to detect file download or some |
830 |
|
# # types HTTP tunneling requests. [fast] |
831 |
|
# # NOTE: This has no effect in http_access rules. It only has |
832 |
|
# # effect in rules that affect the reply data stream such as |
833 |
|
# # http_reply_access. |
834 |
|
# |
835 |
|
# acl aclname rep_header header-name [-i] any\.regex\.here |
836 |
|
# # regex match against any of the known reply headers. May be |
837 |
|
# # thought of as a superset of "browser", "referer" and "mime-type" |
838 |
|
# # ACLs [fast] |
839 |
|
# |
840 |
|
# acl aclname external class_name [arguments...] |
841 |
|
# # external ACL lookup via a helper class defined by the |
842 |
|
# # external_acl_type directive [slow] |
843 |
|
# |
844 |
|
# acl aclname user_cert attribute values... |
845 |
|
# # match against attributes in a user SSL certificate |
846 |
|
# # attribute is one of DN/C/O/CN/L/ST [fast] |
847 |
|
# |
848 |
|
# acl aclname ca_cert attribute values... |
849 |
|
# # match against attributes a users issuing CA SSL certificate |
850 |
|
# # attribute is one of DN/C/O/CN/L/ST [fast] |
851 |
|
# |
852 |
|
# acl aclname ext_user username ... |
853 |
|
# acl aclname ext_user_regex [-i] pattern ... |
854 |
|
# # string match on username returned by external acl helper [slow] |
855 |
|
# # use REQUIRED to accept any non-null user name. |
856 |
|
# |
857 |
|
# acl aclname tag tagvalue ... |
858 |
|
# # string match on tag returned by external acl helper [slow] |
859 |
|
# |
860 |
|
# acl aclname hier_code codename ... |
861 |
|
# # string match against squid hierarchy code(s); [fast] |
862 |
|
# # e.g., DIRECT, PARENT_HIT, NONE, etc. |
863 |
|
# # |
864 |
|
# # NOTE: This has no effect in http_access rules. It only has |
865 |
|
# # effect in rules that affect the reply data stream such as |
866 |
|
# # http_reply_access. |
867 |
|
# |
868 |
|
# Examples: |
869 |
|
# acl macaddress arp 09:00:2b:23:45:67 |
870 |
|
# acl myexample dst_as 1241 |
871 |
|
# acl password proxy_auth REQUIRED |
872 |
|
# acl fileupload req_mime_type -i ^multipart/form-data$ |
873 |
|
# acl javascript rep_mime_type -i ^application/x-javascript$ |
874 |
|
# |
875 |
|
#Default: |
876 |
|
# ACLs all, manager, localhost, and to_localhost are predefined. |
877 |
|
# |
878 |
|
# |
879 |
|
# Recommended minimum configuration: |
880 |
|
# |
881 |
|
|
882 |
|
# Example rule allowing access from your local networks. |
883 |
|
# Adapt to list your (internal) IP networks from where browsing |
884 |
|
# should be allowed |
885 |
|
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network |
886 |
|
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network |
887 |
|
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network |
888 |
|
acl localnet src fc00::/7 # RFC 4193 local private network range |
889 |
|
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines |
890 |
|
|
891 |
|
acl SSL_ports port 443 |
892 |
|
acl Safe_ports port 80 # http |
893 |
|
acl Safe_ports port 21 # ftp |
894 |
|
acl Safe_ports port 443 # https |
895 |
|
acl Safe_ports port 70 # gopher |
896 |
|
acl Safe_ports port 210 # wais |
897 |
|
acl Safe_ports port 1025-65535 # unregistered ports |
898 |
|
acl Safe_ports port 280 # http-mgmt |
899 |
|
acl Safe_ports port 488 # gss-http |
900 |
|
acl Safe_ports port 591 # filemaker |
901 |
|
acl Safe_ports port 777 # multiling http |
902 |
|
acl CONNECT method CONNECT |
903 |
|
|
904 |
# WELCOME TO SQUID 2 |
# TAG: follow_x_forwarded_for |
905 |
# ------------------ |
# Allowing or Denying the X-Forwarded-For header to be followed to |
906 |
|
# find the original source of a request. |
907 |
|
# |
908 |
|
# Requests may pass through a chain of several other proxies |
909 |
|
# before reaching us. The X-Forwarded-For header will contain a |
910 |
|
# comma-separated list of the IP addresses in the chain, with the |
911 |
|
# rightmost address being the most recent. |
912 |
|
# |
913 |
|
# If a request reaches us from a source that is allowed by this |
914 |
|
# configuration item, then we consult the X-Forwarded-For header |
915 |
|
# to see where that host received the request from. If the |
916 |
|
# X-Forwarded-For header contains multiple addresses, we continue |
917 |
|
# backtracking until we reach an address for which we are not allowed |
918 |
|
# to follow the X-Forwarded-For header, or until we reach the first |
919 |
|
# address in the list. For the purpose of ACL used in the |
920 |
|
# follow_x_forwarded_for directive the src ACL type always matches |
921 |
|
# the address we are testing and srcdomain matches its rDNS. |
922 |
|
# |
923 |
|
# The end result of this process is an IP address that we will |
924 |
|
# refer to as the indirect client address. This address may |
925 |
|
# be treated as the client address for access control, ICAP, delay |
926 |
|
# pools and logging, depending on the acl_uses_indirect_client, |
927 |
|
# icap_uses_indirect_client, delay_pool_uses_indirect_client, |
928 |
|
# log_uses_indirect_client and tproxy_uses_indirect_client options. |
929 |
|
# |
930 |
|
# This clause only supports fast acl types. |
931 |
|
# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. |
932 |
|
# |
933 |
|
# SECURITY CONSIDERATIONS: |
934 |
|
# |
935 |
|
# Any host for which we follow the X-Forwarded-For header |
936 |
|
# can place incorrect information in the header, and Squid |
937 |
|
# will use the incorrect information as if it were the |
938 |
|
# source address of the request. This may enable remote |
939 |
|
# hosts to bypass any access control restrictions that are |
940 |
|
# based on the client's source addresses. |
941 |
|
# |
942 |
|
# For example: |
943 |
|
# |
944 |
|
# acl localhost src 127.0.0.1 |
945 |
|
# acl my_other_proxy srcdomain .proxy.example.com |
946 |
|
# follow_x_forwarded_for allow localhost |
947 |
|
# follow_x_forwarded_for allow my_other_proxy |
948 |
|
#Default: |
949 |
|
# follow_x_forwarded_for deny all |
950 |
|
|
951 |
|
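As an added illustration (not Squid's code) of the backtracking described under follow_x_forwarded_for, the Python below derives the indirect client address from the direct TCP peer and the X-Forwarded-For header. The trusted networks stand in for the fast ACLs that follow_x_forwarded_for allow lines would name (an empty list is the "deny all" default); the addresses in the sample are constructed. The second function shows what acl_uses_indirect_client does to a "localhost" src ACL, which is the bypass the SECURITY CONSIDERATIONS warn about when untrusted hops are followed.

```python
"""Model of follow_x_forwarded_for backtracking (added example, not Squid code).

The header is only believed while the address currently being tested is one
the configuration allows us to follow; the walk stops at the first hop we do
not trust, or when the leftmost (oldest) entry has been reached.
"""
import ipaddress


def indirect_client(direct_client, xff_header, trusted_networks=()):
    """Return the address Squid would treat as the indirect client."""
    trusted = [ipaddress.ip_network(n, strict=False) for n in trusted_networks]
    # rightmost entry is the most recent hop, so the list is walked from the right
    chain = [hop.strip() for hop in xff_header.split(',') if hop.strip()]
    current = ipaddress.ip_address(direct_client)
    while chain and any(current in net for net in trusted):
        hop = chain.pop()
        try:
            current = ipaddress.ip_address(hop)
        except ValueError:
            break   # unparsable entry: this model stops at the last valid address
    return str(current)


def passes_localhost_acl(direct_client, xff_header, trusted_networks=(),
                         acl_uses_indirect_client=True):
    """Evaluate 'acl localhost src 127.0.0.1' against the direct or indirect client.

    With acl_uses_indirect_client on (the default), the ACL sees whatever
    address follow_x_forwarded_for let the header assert.
    """
    addr = (indirect_client(direct_client, xff_header, trusted_networks)
            if acl_uses_indirect_client else direct_client)
    return ipaddress.ip_address(addr) == ipaddress.ip_address('127.0.0.1')


# Constructed sample: a request that reached us from a reverse proxy on
# 127.0.0.1, which received it from a branch proxy at 10.0.0.5, which in
# turn received it from the real client 198.51.100.7.
SAMPLE_DIRECT = '127.0.0.1'
SAMPLE_XFF = '198.51.100.7, 10.0.0.5'

if __name__ == '__main__':
    print('deny all          ->', indirect_client(SAMPLE_DIRECT, SAMPLE_XFF))
    print('trust 127.0.0.1   ->', indirect_client(SAMPLE_DIRECT, SAMPLE_XFF, ['127.0.0.1/32']))
    print('trust both proxies->', indirect_client(SAMPLE_DIRECT, SAMPLE_XFF,
                                                  ['127.0.0.1/32', '10.0.0.0/8']))
```

The third case is the one to keep in mind when reviewing a configuration: trusting only the local reverse proxy yields 10.0.0.5 as the client, because everything to the left of an untrusted hop is hearsay. Trusting every source (for example a src ACL covering 0.0.0.0/0) lets any remote peer become 127.0.0.1 for ACL purposes, which is why the default is deny all.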
# TAG: acl_uses_indirect_client on|off
# Controls whether the indirect client address
# (see follow_x_forwarded_for) is used instead of the
# direct client address in acl matching.
#
# NOTE: maxconn ACL considers direct TCP links and indirect
# clients will always have zero. So no match.
#Default:
# acl_uses_indirect_client on

# TAG: delay_pool_uses_indirect_client on|off
# Controls whether the indirect client address
# (see follow_x_forwarded_for) is used instead of the
# direct client address in delay pools.
#Default:
# delay_pool_uses_indirect_client on

# TAG: log_uses_indirect_client on|off
# Controls whether the indirect client address
# (see follow_x_forwarded_for) is used instead of the
# direct client address in the access log.
#Default:
# log_uses_indirect_client on

# TAG: tproxy_uses_indirect_client on|off
# Controls whether the indirect client address
# (see follow_x_forwarded_for) is used instead of the
# direct client address when spoofing the outgoing client.
#
# This has no effect on requests arriving in non-tproxy
# mode ports.
#
# SECURITY WARNING: Usage of this option is dangerous
# and should not be used trivially. Correct configuration
# of follow_x_forwarded_for with a limited set of trusted
# sources is required to prevent abuse of your proxy.
#Default:
# tproxy_uses_indirect_client off

# TAG: http_access
# Allowing or Denying access based on defined access lists
#
# Access to the HTTP port:
# http_access allow|deny [!]aclname ...
#
# NOTE on default values:
#
# If there are no "access" lines present, the default is to deny
# the request.
#
# If none of the "access" lines cause a match, the default is the
# opposite of the last line in the list. If the last line was
# deny, the default is allow. Conversely, if the last line
# is allow, the default will be deny. For these reasons, it is a
# good idea to have a "deny all" entry at the end of your access
# lists to avoid potential confusion.
#
# This clause supports both fast and slow acl types.
# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
#
#Default:
# http_access deny all
#
#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

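The acl syntax described under "Defining an Access List" and the http_access default rules above are easy to misread in a long rule list, so here is an added example (not Squid's code) that models both in Python: a parser for a subset of acl types (src with CIDR, port with ranges, method, url_regex with the -i/+i case toggle; the "file" form is left out) and an evaluator implementing first-match, `!` negation, and the documented defaults (no lines: deny; no match: the opposite of the last line). The RECOMMENDED text is constructed from the recommended minimum configuration on this page plus one url_regex ACL; TRUNCATED drops the last two lines to show what the default rule does to a list that happens to end in a deny.

```python
"""Toy model of Squid acl definitions and http_access evaluation.

Added example, not Squid's code. It exists to make the documented defaults
visible on real-looking input, not to replace Squid's parser.
"""
import ipaddress
import re


def parse_acl(line, acls):
    """Merge one 'acl name type arg ...' line into acls (same name, same type)."""
    _, name, acltype, *args = line.split()
    kind, values = acls.setdefault(name, (acltype, []))
    if kind != acltype:
        raise ValueError(f"acl {name}: type {kind} redefined as {acltype}")
    if acltype == 'src':
        values.extend(ipaddress.ip_network(a, strict=False) for a in args)
    elif acltype == 'port':
        for a in args:                      # "80" or "1025-65535"
            lo, _, hi = a.partition('-')
            values.append((int(lo), int(hi or lo)))
    elif acltype == 'method':
        values.extend(a.upper() for a in args)
    elif acltype == 'url_regex':
        flags = 0                           # case-sensitive by default
        for a in args:
            if a == '-i':
                flags = re.IGNORECASE       # later patterns ignore case
            elif a == '+i':
                flags = 0                   # back to case-sensitive
            else:
                values.append(re.compile(a, flags))
    else:
        raise ValueError(f"acl type {acltype!r} is not modelled here")


def acl_matches(acls, name, req):
    """True when any value of the named ACL matches the request dict."""
    if name == 'all':                       # predefined ACL
        return True
    acltype, values = acls[name]
    if acltype == 'src':
        return any(ipaddress.ip_address(req['src']) in net for net in values)
    if acltype == 'port':
        return any(lo <= req['port'] <= hi for lo, hi in values)
    if acltype == 'method':
        return req['method'].upper() in values
    return any(rx.search(req['url']) is not None for rx in values)


def http_access(rules, acls, req):
    """First matching 'http_access allow|deny [!]acl ...' line wins.

    All terms on a line must match (AND); '!' negates a term. No rules at
    all means 'deny'; rules with no match give the opposite of the last
    line's action, exactly as the NOTE on default values says.
    """
    if not rules:
        return 'deny'
    action = None
    for rule in rules:
        _, action, *terms = rule.split()
        if all(acl_matches(acls, t.lstrip('!'), req) != t.startswith('!')
               for t in terms):
            return action
    return 'deny' if action == 'allow' else 'allow'


def load(config_text):
    """Collect acl and http_access lines, dropping comments and blanks."""
    acls, rules = {}, []
    for raw in config_text.splitlines():
        line = re.sub(r'\s#.*$', '', raw).strip()
        if line.startswith('acl '):
            parse_acl(line, acls)
        elif line.startswith('http_access '):
            rules.append(line)
    return acls, rules


def decide(config_text, src, method, port, url=''):
    acls, rules = load(config_text)
    return http_access(rules, acls,
                       {'src': src, 'method': method, 'port': port, 'url': url})


# Constructed from the recommended minimum configuration on this page.
RECOMMENDED = r"""
acl localnet src 10.0.0.0/8       # RFC1918 possible internal network
acl localnet src 192.168.0.0/16   # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80 21 443 1025-65535
acl CONNECT method CONNECT
acl blocked url_regex -i ^http://ads\. +i ^HTTP://TRACK\.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny blocked
http_access allow localnet
http_access deny all
"""

# The same rules with the final two lines removed: the list now ends in a
# deny, so the documented default turns an unmatched request into an allow.
TRUNCATED = RECOMMENDED.replace(
    'http_access allow localnet\nhttp_access deny all\n', '')
```

Run `decide(TRUNCATED, '203.0.113.9', 'GET', 80, 'http://example.com/')` and the answer is `allow`: a proxy whose rule list ends in `http_access deny CONNECT !SSL_ports` is open to the Internet by default, which is the concrete reason for the "deny all" advice above. The `blocked` ACL also shows the -i/+i toggle: `http://ADS.example.com/` matches the first, case-insensitive pattern, while `http://track.example.com/` does not match the second because `+i` made it case-sensitive again.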
# TAG: adapted_http_access
# Allowing or Denying access based on defined access lists
#
# Essentially identical to http_access, but runs after redirectors
# and ICAP/eCAP adaptation, allowing access control based on their
# output.
#
# If not set then only http_access is used.
#Default:
# none

# TAG: http_reply_access
# Allow replies to client requests. This is complementary to http_access.
#
# http_reply_access allow|deny [!] aclname ...
#
# NOTE: if there are no access lines present, the default is to allow
# all replies
#
# If none of the access lines cause a match the opposite of the
# last line will apply. Thus it is good practice to end the rules
# with an "allow all" or "deny all" entry.
#
# This clause supports both fast and slow acl types.
# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
#Default:
# none

# TAG: icp_access
# Allowing or Denying access to the ICP port based on defined
# access lists
#
# icp_access allow|deny [!]aclname ...
#
# See http_access for details
#
# This clause only supports fast acl types.
# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
#
## Allow ICP queries from local networks only
##icp_access allow localnet
##icp_access deny all
#Default:
# icp_access deny all

# TAG: htcp_access
# Allowing or Denying access to the HTCP port based on defined
# access lists
#
# htcp_access allow|deny [!]aclname ...
#
# See http_access for details
#
# NOTE: The default if no htcp_access lines are present is to
# deny all traffic. This default may cause problems with peers
# using the htcp option.
#
# This clause only supports fast acl types.
# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
#
## Allow HTCP queries from local networks only
##htcp_access allow localnet
##htcp_access deny all
#Default:
# htcp_access deny all

# TAG: htcp_clr_access
# Allowing or Denying access to purge content using HTCP based
# on defined access lists
#
# htcp_clr_access allow|deny [!]aclname ...
#
# See http_access for details
#
# This clause only supports fast acl types.
# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
#
## Allow HTCP CLR requests from trusted peers
#acl htcp_clr_peer src 172.16.1.2
#htcp_clr_access allow htcp_clr_peer
#Default:
# htcp_clr_access deny all

# TAG: miss_access
# Determines whether network access is permitted when satisfying a request.
#
# For example, to force your neighbors to use you as a sibling instead of
# a parent:
#
# acl localclients src 172.16.0.0/16
# miss_access allow localclients
# miss_access deny !localclients
#
# This means only your local clients are allowed to fetch relayed/MISS
# replies from the network and all other clients can only fetch cached
# objects (HITs).
#
#
# The default for this setting allows all clients who passed the
# http_access rules to relay via this proxy.
#
# This clause only supports fast acl types.
# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
#Default:
# none

# TAG: ident_lookup_access
# Note: This option is only available if Squid is rebuilt with the
# --enable-ident-lookups
#
# A list of ACL elements which, if matched, cause an ident
# (RFC 931) lookup to be performed for this request. For
# example, you might choose to always perform ident lookups
# for your main multi-user Unix boxes, but not for your Macs
# and PCs. By default, ident lookups are not performed for
# any requests.
#
# To enable ident lookups for specific client addresses, you
# can follow this example:
#
# acl ident_aware_hosts src 198.168.1.0/24
# ident_lookup_access allow ident_aware_hosts
# ident_lookup_access deny all
#
# Only src type ACL checks are fully supported. A srcdomain
# ACL might work at times, but it will not always provide
# the correct result.
#
# This clause only supports fast acl types.
# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
#Default:
# ident_lookup_access deny all

# TAG: reply_body_max_size size [acl acl...]
# This option specifies the maximum size of a reply body. It can be
# used to prevent users from downloading very large files, such as
# MP3's and movies. When the reply headers are received, the
# reply_body_max_size lines are processed, and the first line where
# all (if any) listed ACLs are true is used as the maximum body size
# for this reply.
#
# This size is checked twice. First when we get the reply headers,
# we check the content-length value. If the content length value exists
# and is larger than the allowed size, the request is denied and the
# user receives an error message that says "the request or reply
# is too large." If there is no content-length, and the reply
# size exceeds this limit, the client's connection is just closed
# and they will receive a partial reply.
#
# WARNING: downstream caches probably can not detect a partial reply
# if there is no content-length header, so they will cache
# partial responses and give them out as hits. You should NOT
# use this option if you have downstream caches.
#
# WARNING: A maximum size smaller than the size of squid's error messages
# will cause an infinite loop and crash squid. Ensure that the smallest
# non-zero value you use is greater than the maximum header size plus
# the size of your largest error page.
#
# If you set this parameter none (the default), there will be
# no limit imposed.
#
# Configuration Format is:
# reply_body_max_size SIZE UNITS [acl ...]
# i.e.
# reply_body_max_size 10 MB
#
#Default:
# none

# NETWORK OPTIONS
# -----------------------------------------------------------------------------

# TAG: http_port
# Usage: port [mode] [options]
#        hostname:port [mode] [options]
#        1.2.3.4:port [mode] [options]
#
# The socket addresses where Squid will listen for HTTP client
# requests. You may specify multiple socket addresses.
# There are three forms: port alone, hostname with port, and
# IP address with port. If you specify a hostname or IP
# address, Squid binds the socket to that specific
# address. Most likely, you do not need to bind to a specific
# address, so you can use the port number alone.
#
# If you are running Squid in accelerator mode, you
# probably want to listen on port 80 also, or instead.
#
# The -a command line option may be used to specify additional
# port(s) where Squid listens for proxy requests. Such ports will
# be plain proxy ports with no options.
#
# You may specify multiple socket addresses on multiple lines.
#
# Modes:
#
#   intercept   Support for IP-Layer interception of
#               outgoing requests without browser settings.
#               NP: disables authentication and IPv6 on the port.
#
#   tproxy      Support Linux TPROXY for spoofing outgoing
#               connections using the client IP address.
#               NP: disables authentication and maybe IPv6 on the port.
#
#   accel       Accelerator / reverse proxy mode
#
#   ssl-bump    Intercept each CONNECT request matching ssl_bump ACL,
#               establish secure connection with the client and with
#               the server, decrypt HTTP messages as they pass through
#               Squid, and treat them as unencrypted HTTP messages,
#               becoming the man-in-the-middle.
#
#               The ssl_bump option is required to fully enable
#               the SslBump feature.
#
# Omitting the mode flag causes default forward proxy mode to be used.
#
#
# Accelerator Mode Options:
#
#   defaultsite=domainname
#               What to use for the Host: header if it is not present
#               in a request. Determines what site (not origin server)
#               accelerators should consider the default.
#
#   no-vhost    Disable using HTTP/1.1 Host header for virtual domain support.
#
#   protocol=   Protocol to reconstruct accelerated requests with.
#               Defaults to http for http_port and https for
#               https_port
#
#   vport       Virtual host port support. Using the http_port number
#               instead of the port passed on Host: headers.
#
#   vport=NN    Virtual host port support. Using the specified port
#               number instead of the port passed on Host: headers.
#
#   act-as-origin
#               Act as if this Squid is the origin server.
#               This currently means generate new Date: and Expires:
#               headers on HIT instead of adding Age:.
#
#   ignore-cc   Ignore request Cache-Control headers.
#
#               WARNING: This option violates HTTP specifications if
#               used in non-accelerator setups.
#
#   allow-direct Allow direct forwarding in accelerator mode. Normally
#               accelerated requests are denied direct forwarding as if
#               never_direct was used.
#
#               WARNING: this option opens accelerator mode to security
#               vulnerabilities usually only affecting interception
#               mode. Make sure to protect forwarding with suitable
#               http_access rules when using this.
#
#
# SSL Bump Mode Options:
# In addition to these options ssl-bump requires TLS/SSL options.
#
#   generate-host-certificates[=<on|off>]
#               Dynamically create SSL server certificates for the
#               destination hosts of bumped CONNECT requests. When
#               enabled, the cert and key options are used to sign
#               generated certificates. Otherwise the generated
#               certificate will be self-signed.
#               If there is a CA certificate, the lifetime of the generated
#               certificate equals the lifetime of the CA certificate. If
#               the generated certificate is self-signed, the lifetime is
#               three years.
#               This option is enabled by default when ssl-bump is used.
#               See the ssl-bump option above for more information.
#
#   dynamic_cert_mem_cache_size=SIZE
#               Approximate total RAM size spent on cached generated
#               certificates. If set to zero, caching is disabled. The
#               default value is 4MB. An average XXX-bit certificate
#               consumes about XXX bytes of RAM.
#
# TLS / SSL Options:
#
#   cert=       Path to SSL certificate (PEM format).
#
#   key=        Path to SSL private key file (PEM format)
#               if not specified, the certificate file is
#               assumed to be a combined certificate and
#               key file.
#
#   version=    The version of SSL/TLS supported
#                   1   automatic (default)
#                   2   SSLv2 only
#                   3   SSLv3 only
#                   4   TLSv1.0 only
#                   5   TLSv1.1 only
#                   6   TLSv1.2 only
#
#   cipher=     Colon separated list of supported ciphers.
#               NOTE: some ciphers such as EDH ciphers depend on
#                     additional settings. If those settings are
#                     omitted the ciphers may be silently ignored
#                     by the OpenSSL library.
#
#   options=    Various SSL implementation options. The most important
#               being:
#                   NO_SSLv2    Disallow the use of SSLv2
#                   NO_SSLv3    Disallow the use of SSLv3
#                   NO_TLSv1    Disallow the use of TLSv1.0
#                   NO_TLSv1_1  Disallow the use of TLSv1.1
#                   NO_TLSv1_2  Disallow the use of TLSv1.2
#                   SINGLE_DH_USE Always create a new key when using
#                               temporary/ephemeral DH key exchanges
#                   ALL         Enable various bug workarounds
#                               suggested as "harmless" by OpenSSL
#                               Be warned that this reduces SSL/TLS
#                               strength to some attacks.
#               See OpenSSL SSL_CTX_set_options documentation for a
#               complete list of options.
#
#   clientca=   File containing the list of CAs to use when
#               requesting a client certificate.
#
#   cafile=     File containing additional CA certificates to
#               use when verifying client certificates. If unset
#               clientca will be used.
#
#   capath=     Directory containing additional CA certificates
#               and CRL lists to use when verifying client certificates.
#
#   crlfile=    File of additional CRL lists to use when verifying
#               the client certificate, in addition to CRLs stored in
#               the capath. Implies VERIFY_CRL flag below.
#
#   dhparams=   File containing DH parameters for temporary/ephemeral
#               DH key exchanges. See OpenSSL documentation for details
#               on how to create this file.
#               WARNING: EDH ciphers will be silently disabled if this
#                        option is not set.
#
#   sslflags=   Various flags modifying the use of SSL:
#                   DELAYED_AUTH
#                       Don't request client certificates
#                       immediately, but wait until acl processing
#                       requires a certificate (not yet implemented).
#                   NO_DEFAULT_CA
#                       Don't use the default CA lists built in
#                       to OpenSSL.
#                   NO_SESSION_REUSE
#                       Don't allow for session reuse. Each connection
#                       will result in a new SSL session.
#                   VERIFY_CRL
#                       Verify CRL lists when accepting client
#                       certificates.
#                   VERIFY_CRL_ALL
#                       Verify CRL lists for all certificates in the
|
# client certificate chain. |
1403 |
|
# |
1404 |
|
# sslcontext= SSL session ID context identifier. |
1405 |
|
# |
1406 |
|
# Other Options: |
1407 |
|
# |
1408 |
|
# connection-auth[=on|off] |
1409 |
|
# use connection-auth=off to tell Squid to prevent |
1410 |
|
# forwarding Microsoft connection oriented authentication |
1411 |
|
# (NTLM, Negotiate and Kerberos) |
1412 |
|
# |
1413 |
|
# disable-pmtu-discovery= |
1414 |
|
# Control Path-MTU discovery usage: |
1415 |
|
# off lets OS decide on what to do (default). |
1416 |
|
# transparent disable PMTU discovery when transparent |
1417 |
|
# support is enabled. |
1418 |
|
# always disable always PMTU discovery. |
1419 |
|
# |
1420 |
|
# In many setups of transparently intercepting proxies |
1421 |
|
# Path-MTU discovery can not work on traffic towards the |
1422 |
|
# clients. This is the case when the intercepting device |
1423 |
|
# does not fully track connections and fails to forward |
1424 |
|
# ICMP must fragment messages to the cache server. If you |
1425 |
|
# have such setup and experience that certain clients |
1426 |
|
# sporadically hang or never complete requests set |
1427 |
|
# disable-pmtu-discovery option to 'transparent'. |
1428 |
|
# |
1429 |
|
# name= Specifies a internal name for the port. Defaults to |
1430 |
|
# the port specification (port or addr:port) |
1431 |
|
# |
1432 |
|
# tcpkeepalive[=idle,interval,timeout] |
1433 |
|
# Enable TCP keepalive probes of idle connections. |
1434 |
|
# In seconds; idle is the initial time before TCP starts |
1435 |
|
# probing the connection, interval how often to probe, and |
1436 |
|
# timeout the time before giving up. |
1437 |
|
# |
1438 |
|
# If you run Squid on a dual-homed machine with an internal |
1439 |
|
# and an external interface we recommend you to specify the |
1440 |
|
# internal address:port in http_port. This way Squid will only be |
1441 |
|
# visible on the internal address. |
1442 |
|
# |
1443 |
|
# |
1444 |
|
|
1445 |
|
# Squid normally listens to port 3128 |
1446 |
|
http_port 3128 |
1447 |
|
|
1448 |
|
#  TAG: https_port
#       Usage:  [ip:]port cert=certificate.pem [key=key.pem] [mode] [options...]
#
#       The socket address where Squid will listen for client requests made
#       over TLS or SSL connections. Commonly referred to as HTTPS.
#
#       This is most useful for situations where you are running squid in
#       accelerator mode and you want to do the SSL work at the accelerator level.
#
#       You may specify multiple socket addresses on multiple lines,
#       each with their own SSL certificate and/or options.
#
#       See http_port for a list of available options.
#Default:
# none

#  TAG: tcp_outgoing_tos
#       Allows you to select a TOS/Diffserv value for packets outgoing
#       on the server side, based on an ACL.
#
#       tcp_outgoing_tos ds-field [!]aclname ...
#
#       Example where normal_service_net uses the TOS value 0x00
#       and good_service_net uses 0x20
#
#       acl normal_service_net src 10.0.0.0/24
#       acl good_service_net src 10.0.1.0/24
#       tcp_outgoing_tos 0x00 normal_service_net
#       tcp_outgoing_tos 0x20 good_service_net
#
#       TOS/DSCP values really only have local significance - so you should
#       know what you're specifying. For more information, see RFC2474,
#       RFC2475, and RFC3260.
#
#       The TOS/DSCP byte must be exactly that - an octet value 0 - 255, or
#       "default" to use whatever default your host has. Note that in
#       practice often only multiples of 4 are usable as the two rightmost bits
#       have been redefined for use by ECN (RFC 3168 section 23.1).
#
#       Processing proceeds in the order specified, and stops at first fully
#       matching line.
#Default:
# none

#  TAG: clientside_tos
#       Allows you to select a TOS/Diffserv value for packets being transmitted
#       on the client-side, based on an ACL.
#
#       clientside_tos ds-field [!]aclname ...
#
#       Example where normal_service_net uses the TOS value 0x00
#       and good_service_net uses 0x20
#
#       acl normal_service_net src 10.0.0.0/24
#       acl good_service_net src 10.0.1.0/24
#       clientside_tos 0x00 normal_service_net
#       clientside_tos 0x20 good_service_net
#
#       Note: This feature is incompatible with qos_flows. Any TOS values set here
#       will be overwritten by TOS values in qos_flows.
#Default:
# none

#  TAG: tcp_outgoing_mark
# Note: This option is only available if Squid is rebuilt with the
#       Packet MARK (Linux)
#
#       Allows you to apply a Netfilter mark value to outgoing packets
#       on the server side, based on an ACL.
#
#       tcp_outgoing_mark mark-value [!]aclname ...
#
#       Example where normal_service_net uses the mark value 0x00
#       and good_service_net uses 0x20
#
#       acl normal_service_net src 10.0.0.0/24
#       acl good_service_net src 10.0.1.0/24
#       tcp_outgoing_mark 0x00 normal_service_net
#       tcp_outgoing_mark 0x20 good_service_net
#Default:
# none

#  TAG: clientside_mark
# Note: This option is only available if Squid is rebuilt with the
#       Packet MARK (Linux)
#
#       Allows you to apply a Netfilter mark value to packets being transmitted
#       on the client-side, based on an ACL.
#
#       clientside_mark mark-value [!]aclname ...
#
#       Example where normal_service_net uses the mark value 0x00
#       and good_service_net uses 0x20
#
#       acl normal_service_net src 10.0.0.0/24
#       acl good_service_net src 10.0.1.0/24
#       clientside_mark 0x00 normal_service_net
#       clientside_mark 0x20 good_service_net
#
#       Note: This feature is incompatible with qos_flows. Any mark values set here
#       will be overwritten by mark values in qos_flows.
#Default:
# none

#  TAG: qos_flows
#       Allows you to select a TOS/DSCP value to mark outgoing
#       connections with, based on where the reply was sourced. For
#       platforms using netfilter, allows you to set a netfilter mark
#       value instead of, or in addition to, a TOS value.
#
#       TOS values really only have local significance - so you should
#       know what you're specifying. For more information, see RFC2474,
#       RFC2475, and RFC3260.
#
#       The TOS/DSCP byte must be exactly that - an octet value 0 - 255. Note that
#       in practice often only multiples of 4 are usable as the two rightmost bits
#       have been redefined for use by ECN (RFC 3168 section 23.1).
#
#       Mark values can be any unsigned 32-bit integer value.
#
#       This setting is configured by setting the following values:
#
#       tos|mark                Whether to set TOS or netfilter mark values
#
#       local-hit=0xFF          Value to mark local cache hits.
#
#       sibling-hit=0xFF        Value to mark hits from sibling peers.
#
#       parent-hit=0xFF         Value to mark hits from parent peers.
#
#       miss=0xFF[/mask]        Value to mark cache misses. Takes precedence
#                               over the preserve-miss feature (see below), unless
#                               mask is specified, in which case only the bits
#                               specified in the mask are written.
#
#       The TOS variant of the following features are only possible on Linux
#       and require your kernel to be patched with the TOS preserving ZPH
#       patch, available from http://zph.bratcheda.org
#       No patch is needed to preserve the netfilter mark, which will work
#       with all variants of netfilter.
#
#       disable-preserve-miss
#               This option disables the preservation of the TOS or netfilter
#               mark. By default, the existing TOS or netfilter mark value of
#               the response coming from the remote server will be retained
#               and masked with miss-mark.
#               NOTE: in the case of a netfilter mark, the mark must be set on
#               the connection (using the CONNMARK target) not on the packet
#               (MARK target).
#
#       miss-mask=0xFF
#               Allows you to mask certain bits in the TOS or mark value
#               received from the remote server, before copying the value to
#               the TOS sent towards clients.
#               Default for tos: 0xFF (TOS from server is not changed).
#               Default for mark: 0xFFFFFFFF (mark from server is not changed).
#
#       All of these features require the --enable-zph-qos compilation flag
#       (enabled by default). Netfilter marking also requires the
#       libnetfilter_conntrack libraries (--with-netfilter-conntrack) and
#       libcap 2.09+ (--with-libcap).
#
#Default:
# none

#  TAG: tcp_outgoing_address
#       Allows you to map requests to different outgoing IP addresses
#       based on the username or source address of the user making
#       the request.
#
#       tcp_outgoing_address ipaddr [[!]aclname] ...
#
#       For example;
#               Forwarding clients with dedicated IPs for certain subnets.
#
#         acl normal_service_net src 10.0.0.0/24
#         acl good_service_net src 10.0.2.0/24
#
#         tcp_outgoing_address 2001:db8::c001 good_service_net
#         tcp_outgoing_address 10.1.0.2 good_service_net
#
#         tcp_outgoing_address 2001:db8::beef normal_service_net
#         tcp_outgoing_address 10.1.0.1 normal_service_net
#
#         tcp_outgoing_address 2001:db8::1
#         tcp_outgoing_address 10.1.0.3
#
#       Processing proceeds in the order specified, and stops at first fully
#       matching line.
#
#       Squid will add an implicit IP version test to each line.
#       Requests going to IPv4 websites will use the outgoing 10.1.0.* addresses.
#       Requests going to IPv6 websites will use the outgoing 2001:db8:* addresses.
#
#
#       NOTE: The use of this directive using client dependent ACLs is
#       incompatible with the use of server side persistent connections. To
#       ensure correct results it is best to set server_persistent_connections
#       to off when using this directive in such configurations.
#
#       NOTE: The use of this directive to set a local IP on outgoing TCP links
#       is incompatible with using TPROXY to set the client IP on outbound TCP links.
#       When needing to contact peers use the no-tproxy cache_peer option and the
#       client_dst_passthru directive to re-enable normal forwarding such as this.
#
#Default:
# none
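
# Added example, not taken from squid.conf or the Squid sources: a small
# simulator of the "value [!]aclname ..." first-match selection shared by
# tcp_outgoing_tos, clientside_tos, tcp_outgoing_mark and tcp_outgoing_address,
# plus the implicit IP version test of tcp_outgoing_address and the DSCP/ECN
# validity check described under tcp_outgoing_tos. The function names, the
# check_tos() status strings and SAMPLE_CONF (which merges the directive
# examples above and gives good_service_net both 10.0.1.0/24 and 10.0.2.0/24)
# are constructed here; only `acl NAME src CIDR ...` ACLs are modelled.

```python
import ipaddress


def parse_acls(conf):
    """Collect `acl NAME src CIDR ...` lines; repeated names are ORed, as in Squid."""
    acls = {}
    for line in conf:
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "acl" and parts[2] == "src":
            acls.setdefault(parts[1], []).extend(
                ipaddress.ip_network(cidr, strict=False) for cidr in parts[3:])
    return acls


def acl_matches(acls, name, client_ip):
    """src ACL test; an undefined ACL name raises KeyError (Squid rejects such a config)."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip.version == net.version and ip in net for net in acls[name])


def parse_rules(conf, directive):
    """Return [(value, [(negated, aclname), ...]), ...] in file order for one directive."""
    rules = []
    for line in conf:
        parts = line.split()
        if len(parts) >= 2 and parts[0] == directive:
            terms = [(t.startswith("!"), t.lstrip("!")) for t in parts[2:]]
            rules.append((parts[1], terms))
    return rules


def first_match(rules, acls, client_ip, candidate=lambda value: True):
    """Processing proceeds in order and stops at the first line whose ACL terms
    all match; a line with no ACLs always matches. `candidate` lets a caller
    skip lines before the ACL test (used for the implicit IP version test)."""
    for value, terms in rules:
        if not candidate(value):
            continue
        if all(acl_matches(acls, name, client_ip) != negated for negated, name in terms):
            return value
    return None


def select_tos(conf, client_ip):
    """ds-field chosen by tcp_outgoing_tos for a client, or None if no line matches."""
    return first_match(parse_rules(conf, "tcp_outgoing_tos"), parse_acls(conf), client_ip)


def select_outgoing_address(conf, client_ip, dest_ip):
    """tcp_outgoing_address adds an implicit IP version test to each line:
    only addresses of the destination's IP family are considered."""
    want = ipaddress.ip_address(dest_ip).version
    return first_match(parse_rules(conf, "tcp_outgoing_address"), parse_acls(conf), client_ip,
                       candidate=lambda v: ipaddress.ip_address(v).version == want)


def check_tos(value):
    """Validate a ds-field: "default", or an octet 0-255. Values with either of
    the two low bits set are flagged, since those bits now carry ECN (RFC 3168)."""
    if value == "default":
        return "default"
    try:
        n = int(value, 0)
    except ValueError:
        return "invalid"
    if not 0 <= n <= 255:
        return "out-of-range"
    return "ecn-bits-set" if n & 0x3 else "ok"


# Constructed sample configuration built from the directive examples above.
SAMPLE_CONF = [
    "acl normal_service_net src 10.0.0.0/24",
    "acl good_service_net src 10.0.1.0/24 10.0.2.0/24",
    "tcp_outgoing_tos 0x00 normal_service_net",
    "tcp_outgoing_tos 0x20 good_service_net",
    "tcp_outgoing_tos 0x08 !normal_service_net",
    "tcp_outgoing_address 2001:db8::c001 good_service_net",
    "tcp_outgoing_address 10.1.0.2 good_service_net",
    "tcp_outgoing_address 2001:db8::beef normal_service_net",
    "tcp_outgoing_address 10.1.0.1 normal_service_net",
    "tcp_outgoing_address 2001:db8::1",
    "tcp_outgoing_address 10.1.0.3",
]

if __name__ == "__main__":
    print(select_tos(SAMPLE_CONF, "10.0.1.9"))                                # 0x20
    print(select_outgoing_address(SAMPLE_CONF, "10.0.0.7", "2001:db8:1::1"))  # 2001:db8::beef
    print(check_tos("0x21"))                                                  # ecn-bits-set
```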
#  TAG: host_verify_strict
#       Regardless of this option setting, when dealing with intercepted
#       traffic, Squid always verifies that the destination IP address matches
#       the Host header domain or IP (called 'authority form URL').
#
#       This enforcement is performed to satisfy a MUST-level requirement in
#       RFC 2616 section 14.23: "The Host field value MUST represent the naming
#       authority of the origin server or gateway given by the original URL".
#
#       When set to ON:
#               Squid always responds with an HTTP 409 (Conflict) error
#               page and logs a security warning if there is no match.
#
#               Squid verifies that the destination IP address matches
#               the Host header for forward-proxy and reverse-proxy traffic
#               as well. For those traffic types, Squid also enables the
#               following checks, comparing the corresponding Host header
#               and Request-URI components:
#
#               * The host names (domain or IP) must be identical,
#                 but a valueless or missing Host header disables all checks.
#                 For the two host names to match, both must be either IP
#                 or FQDN.
#
#               * Port numbers must be identical, but if a port is missing
#                 the scheme-default port is assumed.
#
#
#       When set to OFF (the default):
#               Squid allows suspicious requests to continue but logs a
#               security warning and blocks caching of the response.
#
#               * Forward-proxy traffic is not checked at all.
#
#               * Reverse-proxy traffic is not checked at all.
#
#               * Intercepted traffic which passes verification is handled
#                 according to client_dst_passthru.
#
#               * Intercepted requests which fail verification are sent
#                 to the client's original destination instead of DIRECT.
#                 This overrides 'client_dst_passthru off'.
#
#               For now suspicious intercepted CONNECT requests are always
#               responded to with an HTTP 409 (Conflict) error page.
#
#
#       SECURITY NOTE:
#
#       As described in CVE-2009-0801 when the Host: header alone is used
#       to determine the destination of a request it becomes trivial for
#       malicious scripts on remote websites to bypass browser same-origin
#       security policy and sandboxing protections.
#
#       The cause of this is that such applets are allowed to perform their
#       own HTTP stack, in which case the same-origin policy of the browser
#       sandbox only verifies that the applet tries to contact the same IP
#       as from where it was loaded at the IP level. The Host: header may
#       be different from the connected IP and approved origin.
#
#Default:
# host_verify_strict off
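
# Added example, not code from squid.conf or the Squid project: a model of the
# Host verification outcomes the host_verify_strict text describes (destination
# IP vs. Host, and for strict forward/reverse traffic the Host vs. Request-URI
# name and port checks). FAKE_DNS, the function names and the sample requests
# are constructed here; DNS is replaced by the in-memory FAKE_DNS table.

```python
import ipaddress
from urllib.parse import urlsplit

SCHEME_PORTS = {"http": 80, "https": 443, "ftp": 21}

# Constructed stand-in for DNS: what each Host name resolves to.
FAKE_DNS = {
    "www.example.com": {"93.184.216.34", "2606:2800:220:1:248:1893:25c8:1946"},
    "intranet.example.net": {"10.0.0.15"},
}


def is_ip_literal(name):
    """True when the authority component is an IP address rather than an FQDN."""
    try:
        ipaddress.ip_address(name.strip("[]"))
        return True
    except ValueError:
        return False


def split_authority(value, scheme):
    """Split 'host[:port]' (bracketed IPv6 allowed) into (lowercase host, port).
    A missing port becomes the scheme-default port, as the directive text says."""
    value = value.strip()
    if value.startswith("["):
        host, _, rest = value[1:].partition("]")
        port = rest[1:] if rest.startswith(":") else ""
    else:
        host, _, port = value.partition(":")
    return host.lower(), (int(port) if port else SCHEME_PORTS.get(scheme))


def host_matches_request_uri(request_uri, host_header):
    """The two component checks enabled for forward/reverse traffic when strict.
    Returns None when Host is missing or valueless (all checks disabled),
    otherwise True or False."""
    if host_header is None or not host_header.strip():
        return None
    uri = urlsplit(request_uri)
    uri_host = (uri.hostname or "").lower()
    uri_port = uri.port or SCHEME_PORTS.get(uri.scheme)
    hdr_host, hdr_port = split_authority(host_header, uri.scheme)
    # Both must be an IP literal or both an FQDN; then names and ports must be identical.
    if is_ip_literal(uri_host) != is_ip_literal(hdr_host):
        return False
    return uri_host == hdr_host and uri_port == hdr_port


def destination_matches_host(dest_ip, host_header, scheme, dns=FAKE_DNS):
    """Does the IP the client connected to belong to the Host authority?"""
    host, _ = split_authority(host_header, scheme)
    if is_ip_literal(host):
        return ipaddress.ip_address(host.strip("[]")) == ipaddress.ip_address(dest_ip)
    return dest_ip in dns.get(host, set())


def verify(request_uri, host_header, dest_ip, intercepted, strict):
    """Outcome of Host verification for one request:
    'pass', 'reject-409' (error page plus security warning) or
    'allow-nocache' (request continues, warning logged, response not cached)."""
    if not intercepted and not strict:
        return "pass"           # forward/reverse traffic is not checked at all when off
    if host_header is None or not host_header.strip():
        return "pass"           # missing/valueless Host disables the checks (assumed for intercepted too)
    scheme = urlsplit(request_uri).scheme or "http"
    ok = destination_matches_host(dest_ip, host_header, scheme)
    if not intercepted:
        # Strict forward/reverse traffic additionally compares Host with the Request-URI.
        ok = ok and bool(host_matches_request_uri(request_uri, host_header))
    if ok:
        return "pass"
    return "reject-409" if strict else "allow-nocache"


if __name__ == "__main__":
    # Intercepted request whose Host does not resolve to the connected IP.
    print(verify("/index.html", "www.example.com", "10.0.0.15", True, False))  # allow-nocache
    print(verify("/index.html", "www.example.com", "10.0.0.15", True, True))   # reject-409
```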

#  TAG: client_dst_passthru
#       With NAT or TPROXY intercepted traffic Squid may pass the request
#       directly to the original client destination IP or seek a faster
#       source using the HTTP Host header.
#
#       Using Host to locate alternative servers can provide faster
#       connectivity with a range of failure recovery options.
#       But can also lead to connectivity trouble when the client and
#       server are attempting stateful interactions unaware of the proxy.
#
#       This option (on by default) prevents alternative DNS entries being
#       located to send intercepted traffic DIRECT to an origin server.
#       The client's original destination IP and port will be used instead.
#
#       Regardless of this option setting, when dealing with intercepted
#       traffic Squid will verify the Host: header and any traffic which
#       fails Host verification will be treated as if this option were ON.
#
#       see host_verify_strict for details on the verification process.
#Default:
# client_dst_passthru on

# SSL OPTIONS
# -----------------------------------------------------------------------------

#  TAG: ssl_unclean_shutdown
#       Some browsers (especially MSIE) bug out on SSL shutdown
#       messages.
#Default:
# ssl_unclean_shutdown off

#  TAG: ssl_engine
#       The OpenSSL engine to use. You will need to set this if you
#       would like to use hardware SSL acceleration for example.
#Default:
# none

#  TAG: sslproxy_client_certificate
#       Client SSL Certificate to use when proxying https:// URLs
#Default:
# none

#  TAG: sslproxy_client_key
#       Client SSL Key to use when proxying https:// URLs
#Default:
# none

#  TAG: sslproxy_version
#       SSL version level to use when proxying https:// URLs
#
#       The versions of SSL/TLS supported:
#
#           1   automatic (default)
#           2   SSLv2 only
#           3   SSLv3 only
#           4   TLSv1.0 only
#           5   TLSv1.1 only
#           6   TLSv1.2 only
#Default:
# sslproxy_version 1

#  TAG: sslproxy_options
#       SSL implementation options to use when proxying https:// URLs
#
#       The most important being:
#
#           NO_SSLv2    Disallow the use of SSLv2
#           NO_SSLv3    Disallow the use of SSLv3
#           NO_TLSv1    Disallow the use of TLSv1.0
#           NO_TLSv1_1  Disallow the use of TLSv1.1
#           NO_TLSv1_2  Disallow the use of TLSv1.2
#           SINGLE_DH_USE
#                       Always create a new key when using temporary/ephemeral
#                       DH key exchanges
#           SSL_OP_NO_TICKET
#                       Disable use of RFC5077 session tickets. Some servers
#                       may have problems understanding the TLS extension due
#                       to ambiguous specification in RFC4507.
#           ALL         Enable various bug workarounds suggested as "harmless"
#                       by OpenSSL. Be warned that this may reduce SSL/TLS
#                       strength to some attacks.
#
#       See the OpenSSL SSL_CTX_set_options documentation for a
#       complete list of possible options.
#Default:
# none

#  TAG: sslproxy_cipher
#       SSL cipher list to use when proxying https:// URLs
#
#       Colon separated list of supported ciphers.
#Default:
# none

#  TAG: sslproxy_cafile
#       file containing CA certificates to use when verifying server
#       certificates while proxying https:// URLs
#Default:
# none

#  TAG: sslproxy_capath
#       directory containing CA certificates to use when verifying
#       server certificates while proxying https:// URLs
#Default:
# none

#  TAG: ssl_bump
#       This ACL controls which CONNECT requests to an http_port
#       marked with an sslBump flag are actually "bumped". Please
#       see the sslBump flag of an http_port option for more details
#       about decoding proxied SSL connections.
#
#       By default, no requests are bumped.
#
#       See also: http_port ssl-bump
#
#       This clause supports both fast and slow acl types.
#       See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
#
#
#       # Example: Bump all requests except those originating from localhost and
#       # those going to webax.com or example.com sites.
#
#       acl localhost src 127.0.0.1/32
#       acl broken_sites dstdomain .webax.com
#       acl broken_sites dstdomain .example.com
#       ssl_bump deny localhost
#       ssl_bump deny broken_sites
#       ssl_bump allow all
#Default:
# none

#  TAG: sslproxy_flags
#       Various flags modifying the use of SSL while proxying https:// URLs:
#           DONT_VERIFY_PEER    Accept certificates that fail verification.
#                               For refined control, see sslproxy_cert_error.
#           NO_DEFAULT_CA       Don't use the default CA list built in
#                               to OpenSSL.
#Default:
# none

#  TAG: sslproxy_cert_error
#       Use this ACL to bypass server certificate validation errors.
#
#       For example, the following lines will bypass all validation errors
#       when talking to servers for example.com. All other
#       validation errors will result in ERR_SECURE_CONNECT_FAIL error.
#
#               acl BrokenButTrustedServers dstdomain example.com
#               sslproxy_cert_error allow BrokenButTrustedServers
#               sslproxy_cert_error deny all
#
#       This clause only supports fast acl types.
#       See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
#       Using slow acl types may result in server crashes
#
#       Without this option, all server certificate validation errors
#       terminate the transaction. Bypassing validation errors is dangerous
#       because an error usually implies that the server cannot be trusted and
#       the connection may be insecure.
#
#       See also: sslproxy_flags and DONT_VERIFY_PEER.
#
#       Default setting:  sslproxy_cert_error deny all
#Default:
# none

#  TAG: sslpassword_program
#       Specify a program used for entering SSL key passphrases
#       when using encrypted SSL certificate keys. If not specified
#       keys must either be unencrypted, or Squid started with the -N
#       option to allow it to query interactively for the passphrase.
#
#       The key file name is given as argument to the program allowing
#       selection of the right password if you have multiple encrypted
#       keys.
#Default:
# none

# OPTIONS RELATING TO EXTERNAL SSL_CRTD
# -----------------------------------------------------------------------------

#  TAG: sslcrtd_program
# Note: This option is only available if Squid is rebuilt with the
#       --enable-ssl-crtd
#
#       Specify the location and options of the executable for ssl_crtd process.
#       /usr/lib64/squid/ssl_crtd program requires -s and -M parameters
#       For more information use:
#               /usr/lib64/squid/ssl_crtd -h
#Default:
# sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB

#  TAG: sslcrtd_children
# Note: This option is only available if Squid is rebuilt with the
#       --enable-ssl-crtd
#
#       The maximum number of processes spawned to service the ssl server.
#       The maximum this may be safely set to is 32.
#
#       The startup= and idle= options allow some measure of skew in your
#       tuning.
#
#               startup=N
#
#       Sets the minimum number of processes to spawn when Squid
#       starts or reconfigures. When set to zero the first request will
#       cause spawning of the first child process to handle it.
#
#       Starting too few children temporarily slows Squid under load while it
#       tries to spawn enough additional processes to cope with traffic.
#
#               idle=N
#
#       Sets a minimum of how many processes Squid is to try and keep available
#       at all times. When traffic begins to rise above what the existing
#       processes can handle this many more will be spawned up to the maximum
#       configured. A minimum setting of 1 is required.
#
#       You must have at least one ssl_crtd process.
#Default:
# sslcrtd_children 32 startup=5 idle=1

# OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
# -----------------------------------------------------------------------------

#  TAG: cache_peer
#       To specify other caches in a hierarchy, use the format:
#
#               cache_peer hostname type http-port icp-port [options]
#
#       For example,
#
#       #                                        proxy  icp
#       #          hostname             type     port   port  options
#       #          -------------------- -------- ----- -----  -----------
#       cache_peer parent.foo.net       parent    3128  3130  default
#       cache_peer sib1.foo.net         sibling   3128  3130  proxy-only
#       cache_peer sib2.foo.net         sibling   3128  3130  proxy-only
#       cache_peer example.com          parent    80       0  default
#       cache_peer cdn.example.com      sibling   3128     0
#
#             type:   either 'parent', 'sibling', or 'multicast'.
#
#       proxy-port:   The port number where the peer accepts HTTP requests.
#                     For other Squid proxies this is usually 3128
#                     For web servers this is usually 80
#
#         icp-port:   Used for querying neighbor caches about objects.
#                     Set to 0 if the peer does not support ICP or HTCP.
#                     See ICP and HTCP options below for additional details.
#
#
#       ==== ICP OPTIONS ====
#
#       You MUST also set icp_port and icp_access explicitly when using these options.
#       The defaults will prevent peer traffic using ICP.
#
#
#       no-query        Disable ICP queries to this neighbor.
#
#       multicast-responder
#                       Indicates the named peer is a member of a multicast group.
#                       ICP queries will not be sent directly to the peer, but ICP
#                       replies will be accepted from it.
#
#       closest-only    Indicates that, for ICP_OP_MISS replies, we'll only forward
#                       CLOSEST_PARENT_MISSes and never FIRST_PARENT_MISSes.
#
#       background-ping
#                       To only send ICP queries to this neighbor infrequently.
#                       This is used to keep the neighbor round trip time updated
#                       and is usually used in conjunction with weighted-round-robin.
#
#
#       ==== HTCP OPTIONS ====
#
#       You MUST also set htcp_port and htcp_access explicitly when using these options.
#       The defaults will prevent peer traffic using HTCP.
#
#
#       htcp            Send HTCP, instead of ICP, queries to the neighbor.
#                       You probably also want to set the "icp-port" to 4827
#                       instead of 3130. This directive accepts a comma separated
#                       list of options described below.
#
#       htcp=oldsquid   Send HTCP to old Squid versions (2.5 or earlier).
#
#       htcp=no-clr     Send HTCP to the neighbor but without
# sending any CLR requests. This cannot be used with |
2009 |
# should be used in a round-robin fashion in the |
# only-clr. |
2010 |
# absence of any ICP queries. |
# |
2011 |
# |
# htcp=only-clr Send HTCP to the neighbor but ONLY CLR requests. |
2012 |
# 'multicast-responder' indicates that the named peer |
# This cannot be used with no-clr. |
2013 |
# is a member of a multicast group. ICP queries will |
# |
2014 |
# not be sent directly to the peer, but ICP replies |
# htcp=no-purge-clr |
2015 |
# will be accepted from it. |
# Send HTCP to the neighbor including CLRs but only when |
2016 |
# |
# they do not result from PURGE requests. |
2017 |
# 'closest-only' indicates that, for ICP_OP_MISS |
# |
2018 |
# replies, we'll only forward CLOSEST_PARENT_MISSes |
# htcp=forward-clr |
2019 |
# and never FIRST_PARENT_MISSes. |
# Forward any HTCP CLR requests this proxy receives to the peer. |
2020 |
# |
# |
2021 |
# use 'no-digest' to NOT request cache digests from |
# |
# ==== PEER SELECTION METHODS ====
#
# The default peer selection method is ICP, with the first responding peer
# being used as source. These options can be used for better load balancing.
#
#
# default      This is a parent cache which can be used as a "last-resort"
#              if a peer cannot be located by any of the peer-selection methods.
#              If specified more than once, only the first is used.
#
# round-robin  Load-Balance parents which should be used in a round-robin
#              fashion in the absence of any ICP queries.
#              weight=N can be used to add bias.
#
# weighted-round-robin
#              Load-Balance parents which should be used in a round-robin
#              fashion with the frequency of each parent being based on the
#              round trip time. Closer parents are used more often.
#              Usually used for background-ping parents.
#              weight=N can be used to add bias.
#
# carp         Load-Balance parents which should be used as a CARP array.
#              The requests will be distributed among the parents based on the
#              CARP load balancing hash function based on their weight.
#
# userhash     Load-balance parents based on the client proxy_auth or ident username.
#
# sourcehash   Load-balance parents based on the client source IP.
#
# multicast-siblings
#              To be used only for cache peers of type "multicast".
#              ALL members of this multicast group have a "sibling"
#              relationship with it, not "parent". This is for a multicast
#              group when the requested object would otherwise be fetched
#              only from a "parent" cache. It's useful, e.g., when
#              configuring a pool of redundant Squid proxies, being
#              members of the same multicast group.
#
#
# ==== PEER SELECTION OPTIONS ====
#
# weight=N     Used to affect the selection of a peer during any weighted
#              peer-selection mechanisms.
#              The weight must be an integer; default is 1,
#              larger weights are favored more.
#              This option does not affect parent selection if a peering
#              protocol is not in use.
#
# basetime=N   Specify a base amount to be subtracted from round trip
#              times of parents.
#              It is subtracted before division by weight in calculating
#              which parent to fetch from. If the rtt is less than the
#              base time the rtt is set to a minimal value.
#
# ttl=N        Specify a TTL to use when sending multicast ICP queries
#              to this address.
#              Only useful when sending to a multicast group.
#              Because we don't accept ICP replies from random
#              hosts, you must configure other group members as
#              peers with the 'multicast-responder' option.
#
# no-delay     To prevent access to this neighbor from influencing the
#              delay pools.
#
# digest-url=URL
#              Tell Squid to fetch the cache digest (if digests are
#              enabled) for this host from the specified URL rather
#              than the Squid default location.
#
#
# ==== CARP OPTIONS ====
#
# carp-key=key-specification
#              Use a different key than the full URL to hash against the peer.
#              The key-specification is a comma-separated list of the keywords
#              scheme, host, port, path, params
#              Order is not important.
#
# ==== ACCELERATOR / REVERSE-PROXY OPTIONS ====
#
# originserver Causes this parent to be contacted as an origin server.
#              Meant to be used in accelerator setups when the peer
#              is a web server.
#
# forceddomain=name
#              Set the Host header of requests forwarded to this peer.
#              Useful in accelerator setups where the server (peer)
#              expects a certain domain name but clients may request
#              others, i.e. example.com or www.example.com
#
# no-digest    Disable request of cache digests.
#
# no-netdb-exchange
#              Disables requesting ICMP RTT database (NetDB).
#
#
# ==== AUTHENTICATION OPTIONS ====
#
# login=user:password
#              If this is a personal/workgroup proxy and your parent
#              requires proxy authentication.
#
#              Note: The string can include URL escapes (e.g. %20 for
#              spaces). This also means % must be written as %%.
#
# login=PASSTHRU
#              Send login details received from client to this peer.
#              Both Proxy- and WWW-Authorization headers are passed
#              without alteration to the peer.
#              Authentication is not required by Squid for this to work.
#
#              Note: This will pass any form of authentication but
#              only Basic auth will work through a proxy unless the
#              connection-auth options are also used.
#
# login=PASS   Send login details received from client to this peer.
#              Authentication is not required by this option.
#
#              If there are no client-provided authentication headers
#              to pass on, but username and password are available
#              from an external ACL user= and password= result tags
#              they may be sent instead.
#
#              Note: To combine this with proxy_auth both proxies must
#              share the same user database as HTTP only allows for
#              a single login (one for proxy, one for origin server).
#              Also be warned this will expose your users' proxy
#              password to the peer. USE WITH CAUTION
#
# login=*:password
#              Send the username to the upstream cache, but with a
#              fixed password. This is meant to be used when the peer
#              is in another administrative domain, but it is still
#              needed to identify each user.
#              The star can optionally be followed by some extra
#              information which is added to the username. This can
#              be used to identify this proxy to the peer, similar to
#              the login=username:password option above.
#
# login=NEGOTIATE
#              If this is a personal/workgroup proxy and your parent
#              requires a secure proxy authentication.
#              The first principal from the default keytab or defined by
#              the environment variable KRB5_KTNAME will be used.
#
#              WARNING: The connection may transmit requests from multiple
#              clients. Negotiate often assumes end-to-end authentication
#              and a single client, which is not strictly true here.
#
# login=NEGOTIATE:principal_name
#              If this is a personal/workgroup proxy and your parent
#              requires a secure proxy authentication.
#              The principal principal_name from the default keytab or
#              defined by the environment variable KRB5_KTNAME will be
#              used.
#
#              WARNING: The connection may transmit requests from multiple
#              clients. Negotiate often assumes end-to-end authentication
#              and a single client, which is not strictly true here.
#
# connection-auth=on|off
#              Tell Squid that this peer does or does not support Microsoft
#              connection oriented authentication, and any such
#              challenges received from there should be ignored.
#              Default is auto to automatically determine the status
#              of the peer.
#
#
# ==== SSL / HTTPS / TLS OPTIONS ====
#
# ssl          Encrypt connections to this peer with SSL/TLS.
#
# sslcert=/path/to/ssl/certificate
#              A client SSL certificate to use when connecting to
#              this peer.
#
# sslkey=/path/to/ssl/key
#              The private SSL key corresponding to sslcert above.
#              If 'sslkey' is not specified 'sslcert' is assumed to
#              reference a combined file containing both the
#              certificate and the key.
#
# sslversion=1|2|3|4|5|6
#              The SSL version to use when connecting to this peer
#              1 = automatic (default)
#              2 = SSL v2 only
#              3 = SSL v3 only
#              4 = TLS v1.0 only
#              5 = TLS v1.1 only
#              6 = TLS v1.2 only
#
# sslcipher=...
#              The list of valid SSL ciphers to use when connecting
#              to this peer.
#
# ssloptions=...
#              Specify various SSL implementation options:
#
#              NO_SSLv2    Disallow the use of SSLv2
#              NO_SSLv3    Disallow the use of SSLv3
#              NO_TLSv1    Disallow the use of TLSv1.0
#              NO_TLSv1_1  Disallow the use of TLSv1.1
#              NO_TLSv1_2  Disallow the use of TLSv1.2
#              SINGLE_DH_USE
#                          Always create a new key when using
#                          temporary/ephemeral DH key exchanges
#              ALL         Enable various bug workarounds
#                          suggested as "harmless" by OpenSSL
#                          Be warned that this reduces SSL/TLS
#                          strength to some attacks.
#
#              See the OpenSSL SSL_CTX_set_options documentation for a
#              more complete list.
#
# sslcafile=...
#              A file containing additional CA certificates to use
#              when verifying the peer certificate.
#
# sslcapath=...
#              A directory containing additional CA certificates to
#              use when verifying the peer certificate.
#
# sslcrlfile=...
#              A certificate revocation list file to use when
#              verifying the peer certificate.
#
# sslflags=... Specify various flags modifying the SSL implementation:
#
#              DONT_VERIFY_PEER
#                          Accept certificates even if they fail to
#                          verify.
#              NO_DEFAULT_CA
#                          Don't use the default CA list built in
#                          to OpenSSL.
#              DONT_VERIFY_DOMAIN
#                          Don't verify the peer certificate
#                          matches the server name
#
# ssldomain=   The peer name as advertised in its certificate.
#              Used for verifying the correctness of the received peer
#              certificate. If not specified the peer hostname will be
#              used.
#
# front-end-https
#              Enable the "Front-End-Https: On" header needed when
#              using Squid as a SSL frontend in front of Microsoft OWA.
#              See MS KB document Q307347 for details on this header.
#              If set to auto the header will only be added if the
#              request is forwarded as a https:// URL.
#
#
# ==== GENERAL OPTIONS ====
#
# connect-timeout=N
#              A peer-specific connect timeout.
#              Also see the peer_connect_timeout directive.
#
# connect-fail-limit=N
#              How many times connecting to a peer must fail before
#              it is marked as down. Default is 10.
#
# allow-miss   Disable Squid's use of only-if-cached when forwarding
#              requests to siblings. This is primarily useful when
#              icp_hit_stale is used by the sibling. Too extensive use
#              of this option may result in forwarding loops, and you
#              should avoid having two-way peerings with this option.
#              For example to deny peer usage on requests from peer
#              by denying cache_peer_access if the source is a peer.
#
# max-conn=N   Limit the amount of connections Squid may open to this
#              peer. see also
#
# name=xxx     Unique name for the peer.
#              Required if you have multiple peers on the same host
#              but different ports.
#              This name can be used in cache_peer_access and similar
#              directives to identify the peer.
#              Can be used by outgoing access controls through the
#              peername ACL type.
#
# no-tproxy    Do not use the client-spoof TPROXY support when forwarding
#              requests to this peer. Use normal address selection instead.
#
# proxy-only   Objects fetched from the peer will not be stored locally.
#
#Default:
# none
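The SSL/TLS and authentication options above decide whether an upstream connection can be intercepted and whether user credentials travel to the peer. The script below is an added example, not part of Squid and not part of this configuration file: it parses cache_peer lines and flags the combinations the option descriptions warn about (sslflags=DONT_VERIFY_PEER or DONT_VERIFY_DOMAIN, sslversion=2 or 3, login=PASS, a login on a peer without ssl, a bare % in a login string, htcp left on icp-port 3130, allow-miss on a sibling, and more than one parent marked default). The hostnames, the CA bundle path and the sample lines are constructed for the example.

```python
"""Added example (not Squid code): audit cache_peer lines for the risky
option combinations described in the cache_peer documentation."""
import re
import shlex

# Constructed sample squid.conf fragment; hostnames and paths are made up.
SAMPLE_CONF = """\
# upstream over TLS, but with certificate checks switched off
cache_peer up1.example.net parent 3128 0 no-query default ssl sslflags=DONT_VERIFY_PEER,DONT_VERIFY_DOMAIN
# TLS pinned to SSLv3, and client credentials forwarded to the peer
cache_peer up2.example.net parent 3128 0 no-query ssl sslversion=3 login=PASS
# plaintext peer carrying static credentials
cache_peer up3.example.net parent 8080 0 no-query login=proxyuser:s3cret
# HTCP peer left on the ICP port, sibling with allow-miss
cache_peer sib1.example.net sibling 3128 3130 htcp allow-miss
# hardened: TLS 1.2 only, pinned CA bundle, peer name verified, no credential forwarding
cache_peer up4.example.net parent 3128 0 no-query default ssl sslversion=6 sslcafile=/etc/squid/peer-ca.pem ssldomain=up4.example.net name=up4
"""

def parse_cache_peer(line):
    """Split one cache_peer line into (host, type, proxy_port, icp_port, {option: value}).
    Returns None for comments, blank lines and other directives."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    fields = shlex.split(stripped)
    if len(fields) < 5 or fields[0] != "cache_peer":
        return None
    host, ptype, proxy_port, icp_port = fields[1:5]
    options = {}
    for token in fields[5:]:
        # 'ssl' -> ('ssl', ''), 'sslversion=6' -> ('sslversion', '6')
        key, _, value = token.partition("=")
        options[key] = value
    return host, ptype, int(proxy_port), int(icp_port), options

def audit_peer(host, ptype, proxy_port, icp_port, opts):
    """Findings for one peer; each is a short string naming the option at fault."""
    findings = []
    login = opts.get("login")
    if "ssl" in opts:
        flags = set(opts.get("sslflags", "").split(","))
        if "DONT_VERIFY_PEER" in flags:
            findings.append("sslflags=DONT_VERIFY_PEER accepts certificates that fail to verify")
        if "DONT_VERIFY_DOMAIN" in flags:
            findings.append("sslflags=DONT_VERIFY_DOMAIN skips the peer-name check")
        if opts.get("sslversion") in ("2", "3"):
            findings.append("sslversion=%s pins SSLv2/SSLv3" % opts["sslversion"])
    elif login is not None and not login.startswith("NEGOTIATE"):
        findings.append("login=... on a peer without ssl sends credentials in clear text")
    if login == "PASS":
        findings.append("login=PASS exposes users' proxy passwords to the peer")
    # A literal percent must be written as %%; anything else is a URL escape (%XX).
    if login and re.search(r"%(?![0-9A-Fa-f]{2})", login.replace("%%", "")):
        findings.append("login contains a bare '%'; a literal percent must be written as %%")
    if "htcp" in opts and icp_port == 3130:
        findings.append("htcp with icp-port 3130; HTCP peers normally listen on 4827")
    if "allow-miss" in opts and ptype == "sibling":
        findings.append("allow-miss on a sibling risks forwarding loops in two-way peerings")
    return findings

def audit_conf(text):
    """Map each peer (by name= if given, else host) to its findings.
    The '*' key holds configuration-wide findings."""
    report = {}
    default_parents = []
    for line in text.splitlines():
        parsed = parse_cache_peer(line)
        if parsed is None:
            continue
        host, ptype, proxy_port, icp_port, opts = parsed
        key = opts.get("name") or host
        report[key] = audit_peer(host, ptype, proxy_port, icp_port, opts)
        if ptype == "parent" and "default" in opts:
            default_parents.append(key)
    report["*"] = []
    if len(default_parents) > 1:
        report["*"].append("'default' given on %d parents; only the first (%s) is used"
                           % (len(default_parents), default_parents[0]))
    return report

if __name__ == "__main__":
    for peer, findings in audit_conf(SAMPLE_CONF).items():
        for finding in findings:
            print("%-20s %s" % (peer, finding))
```

Run it as a file to print the findings for the sample, or import audit_conf() and feed it a real squid.conf. Treat the output as review prompts rather than verdicts: DONT_VERIFY_PEER may be a deliberate choice for a peer on an isolated network, but it should then be a recorded decision next to the line rather than a leftover from debugging.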
|
|
# has the effect such that UDP query packets are sent to
# 'bigserver' only when the requested object exists on a
# server in the .edu domain. Prefixing the domainname
# with '!' means the cache will be queried for objects
# NOT in that domain.
#
# NOTE: * Any number of domains may be given for a cache-host,
#       * There are no defaults.
#       * There is also a 'cache_peer_access' tag in the ACL
#         section.
#Default:
# none

# TAG: cache_peer_access
# Similar to 'cache_peer_domain' but provides more flexibility by
# using ACL elements.
#
# cache_peer_access cache-host allow|deny [!]aclname ...
#
# The syntax is identical to 'http_access' and the other lists of
# ACL elements. See the comments for 'http_access' below, or
# the Squid FAQ (http://wiki.squid-cache.org/SquidFaq/SquidAcl).
#Default:
# none

# TAG: neighbor_type_domain
# usage: neighbor_type_domain neighbor parent|sibling domain domain ...
#
# Modifying the neighbor type for specific domains is now
# possible. You can treat some domains differently than the
# default neighbor type specified on the 'cache_peer' line.
# Normally it should only be necessary to list domains which
# should be treated differently because the default neighbor type
# applies for hostnames which do not match domains listed here.
#
#EXAMPLE:
# cache_peer cache.foo.org parent 3128 3130
# neighbor_type_domain cache.foo.org sibling .com .net
# neighbor_type_domain cache.foo.org sibling .au .de
#Default:
# none
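cache_peer_domain and neighbor_type_domain together decide which peer is asked about a request and in which role, and a wrong '!' or a missing leading dot silently sends traffic to the wrong upstream. As an added example, not Squid's own code, the script below models the domain-based part of that decision: cache_peer_domain rules with and without the '!' prefix select peers, and neighbor_type_domain rewrites the peer type for matching domains while the cache_peer type applies to everything else, as documented above. The sample configuration is constructed; the domain-matching rule and the behaviour when no cache_peer_domain rule matches are assumptions modelled on Squid's matchDomainName() and neighbors.cc (marked in the code) and should be checked against the version you run. cache_peer_access, being ACL driven, is not modelled here.

```python
"""Added example (not Squid code): which peers may serve a request, and as
which neighbor type, given cache_peer, cache_peer_domain and
neighbor_type_domain lines."""
from collections import OrderedDict

# Constructed sample configuration; the peer names are made up.
SAMPLE_CONF = """\
cache_peer bigserver.example.net parent 3128 3130
cache_peer cache.foo.org parent 3128 3130
cache_peer sib.example.net sibling 3128 3130
# bigserver is only asked about objects in the .edu domain
cache_peer_domain bigserver.example.net .edu
# sib is asked about everything except our own domain
cache_peer_domain sib.example.net !.example.com
# cache.foo.org is a parent, except that for these TLDs it is a sibling
neighbor_type_domain cache.foo.org sibling .com .net
neighbor_type_domain cache.foo.org sibling .au .de
"""

def domain_matches(host, domain):
    """ASSUMPTION, modelled on Squid's matchDomainName(): a domain with a
    leading dot matches itself and any subdomain; without the dot it must
    equal the host. Case-insensitive, trailing dots ignored."""
    host = host.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    if domain.startswith("."):
        return host == domain[1:] or host.endswith(domain)
    return host == domain

def load_peers(text):
    """Collect, per peer host: its cache_peer type, its cache_peer_domain
    rules as (negated, domain) and its neighbor_type_domain rules as
    (type, domain), all in configuration order."""
    peers = OrderedDict()
    for raw in text.splitlines():
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0] == "cache_peer":
            peers[fields[1]] = {"type": fields[2], "domains": [], "types": []}
        elif fields[0] == "cache_peer_domain":
            for d in fields[2:]:
                peers[fields[1]]["domains"].append((d.startswith("!"), d.lstrip("!")))
        elif fields[0] == "neighbor_type_domain":
            for d in fields[3:]:
                peers[fields[1]]["types"].append((fields[2], d))
    return peers

def peer_allowed(peer, host):
    """Apply cache_peer_domain: the first matching rule decides, '!' meaning
    'everything except'. A peer with no rules is always eligible."""
    rules = peer["domains"]
    if not rules:
        return True
    for negated, domain in rules:
        if domain_matches(host, domain):
            return not negated
    # ASSUMPTION (modelled on Squid's neighbors.cc): with no match, the
    # answer is the inverse of the last rule, so a list ending in a '!'
    # rule admits all other hosts and a list ending in a plain rule
    # excludes them. Verify against the Squid version you run.
    return rules[-1][0]

def peer_type(peer, host):
    """Apply neighbor_type_domain: first matching domain wins; otherwise the
    type from the cache_peer line applies, as documented above."""
    for ptype, domain in peer["types"]:
        if domain_matches(host, domain):
            return ptype
    return peer["type"]

def peers_for(text, host):
    """Eligible (peer, type) pairs for a request to `host`, in config order."""
    peers = load_peers(text)
    return [(name, peer_type(p, host))
            for name, p in peers.items() if peer_allowed(p, host)]

if __name__ == "__main__":
    for h in ("www.mit.edu", "www.example.com", "news.example.de"):
        print(h, "->", peers_for(SAMPLE_CONF, h))
```

Point peers_for() at your own configuration text and a handful of representative hostnames (your own domain, a partner's, an unrelated one) and compare the result with what cache_peer_domain and neighbor_type_domain were meant to express; the negated-rule and no-match cases are where the intent and the configuration most often diverge.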
|
|
|
# TAG: dead_peer_timeout (seconds)
# This controls how long Squid waits to declare a peer cache
# as "dead." If there are no ICP replies received in this
# your time between requests is greater than this timeout, you
# will see a lot of requests sent DIRECT to origin servers
# instead of to your parents.
#Default:
# dead_peer_timeout 10 seconds
|
|
# TAG: forward_max_tries
# Controls how many different forward paths Squid will try
# before giving up. See also forward_timeout.
#
# NOTE: connect_retries (default: none) can make each of these
# possible forwarding paths be tried multiple times.
#Default:
# forward_max_tries 10

# TAG: hierarchy_stoplist
# A list of words which, if found in a URL, cause the object to
# be handled directly by this cache. In other words, use this
# to not query neighbor caches for certain objects. You may
# list this option multiple times.
#
# Example:
# hierarchy_stoplist cgi-bin ?
#
# Note: never_direct overrides this option.
#Default:
# none
|
|
# MEMORY CACHE OPTIONS
# -----------------------------------------------------------------------------

# TAG: cache_mem (bytes)
# NOTE: THIS PARAMETER DOES NOT SPECIFY THE MAXIMUM PROCESS SIZE.
# IT ONLY PLACES A LIMIT ON HOW MUCH ADDITIONAL MEMORY SQUID WILL
# USE AS A MEMORY CACHE OF OBJECTS. SQUID USES MEMORY FOR OTHER
# THINGS AS WELL. SEE THE SQUID FAQ SECTION 8 FOR DETAILS.
#
# 'cache_mem' specifies the ideal amount of memory to be used
# for:
# reached. Thereafter, blocks will be used to store hot
# objects.
#
# If shared memory caching is enabled, Squid does not use the shared
# cache space for in-transit objects, but they still consume as much
# local memory as they need. For more details about the shared memory
# cache, see memory_cache_shared.
#Default:
# cache_mem 256 MB

# TAG: maximum_object_size_in_memory (bytes)
# Objects greater than this size will not be kept in
# the memory cache. This should be set high enough to keep objects
# accessed frequently in memory to improve performance whilst low
# enough to keep larger objects from hoarding cache_mem.
#Default:
# maximum_object_size_in_memory 512 KB

# TAG: memory_cache_shared on|off
# Controls whether the memory cache is shared among SMP workers.
#
# The shared memory cache is meant to occupy cache_mem bytes and replace
# the non-shared memory cache, although some entities may still be
# cached locally by workers for now (e.g., internal and in-transit
# objects may be served from a local memory cache even if shared memory
# caching is enabled).
#
# By default, the memory cache is shared if and only if all of the
# following conditions are satisfied: Squid runs in SMP mode with
# multiple workers, cache_mem is positive, and the Squid environment
# supports the required IPC primitives (e.g., POSIX shared memory segments
# and GCC-style atomic operations).
#
# To avoid blocking locks, shared memory uses opportunistic algorithms
# that do not guarantee that every cachable entity that could have been
# shared among SMP workers will actually be shared.
#
# Currently, entities exceeding 32KB in size cannot be shared.
#Default:
# "on" where supported if doing memory caching with multiple SMP workers.

# TAG: memory_cache_mode
# Controls which objects to keep in the memory cache (cache_mem)
#
# always       Keep most recently fetched objects in memory (default)
#
# disk         Only disk cache hits are kept in memory, which means
#              an object must first be cached on disk and then hit
#              a second time before cached in memory.
#
# network      Only objects fetched from the network are kept in memory
#Default:
# memory_cache_mode always

# TAG: memory_replacement_policy
# The memory replacement policy parameter determines which
# objects are purged from memory when memory space is needed.
#
# See cache_replacement_policy for details.
#Default:
# memory_replacement_policy lru
|
|
2495 |
|
# DISK CACHE OPTIONS |
2496 |
|
# ----------------------------------------------------------------------------- |
2497 |
|
|
2498 |
# TAG: cache_replacement_policy |
# TAG: cache_replacement_policy |
2499 |
# The cache replacement policy parameter determines which |
# The cache replacement policy parameter determines which |
2523 |
# replacement policies. |
# replacement policies. |
2524 |
# |
# |
2525 |
# NOTE: if using the LFUDA replacement policy you should increase |
# NOTE: if using the LFUDA replacement policy you should increase |
2526 |
# the value of maximum_object_size above its default of 4096 KB to |
# the value of maximum_object_size above its default of 4 MB to |
2527 |
# to maximize the potential byte hit rate improvement of LFUDA. |
# to maximize the potential byte hit rate improvement of LFUDA. |
2528 |
# |
# |
2529 |
# For more information about the GDSF and LFUDA cache replacement |
# For more information about the GDSF and LFUDA cache replacement |
2530 |
# policies see http://www.hpl.hp.com/techreports/1999/HPL-1999-69.html |
# policies see http://www.hpl.hp.com/techreports/1999/HPL-1999-69.html |
2531 |
# and http://fog.hpl.external.hp.com/techreports/98/HPL-98-173.html. |
# and http://fog.hpl.external.hp.com/techreports/98/HPL-98-173.html. |
|
# |
|
2532 |
#Default: |
#Default: |
2533 |
# cache_replacement_policy lru |
# cache_replacement_policy lru |
2534 |
|
|
|
# TAG: memory_replacement_policy |
|
|
# The memory replacement policy parameter determines which |
|
|
# objects are purged from memory when memory space is needed. |
|
|
# |
|
|
# See cache_replacement_policy for details. |
|
|
# |
|
|
#Default: |
|
|
# memory_replacement_policy lru |
|
|
|
|
|
|
|
|
# LOGFILE PATHNAMES AND CACHE DIRECTORIES |
|
|
# ----------------------------------------------------------------------------- |
|
|
|
|

# TAG: cache_dir
# Usage:
#
# cache_dir Type Directory-Name Fs-specific-data [options]
#
# You can specify multiple cache_dir lines to spread the
# cache among different disk partitions.
#
# Type specifies the kind of storage system to use. Only "ufs"
# is built by default. To enable any of the other storage systems
# see the --enable-storeio configure option.
#
# 'Directory' is a top-level directory where cache swap
# files will be stored. If you want to use an entire disk
# for caching, this can be the mount-point directory.
# The directory must exist and be writable by the Squid
# process. Squid will NOT create this directory for you.
#
# In SMP configurations, cache_dir must not precede the workers option
# and should use configuration macros or conditionals to give each
# worker interested in disk caching a dedicated cache directory.
#
# The ufs store type:
#
# "ufs" is the old well-known Squid storage format that has always
#
# 'Mbytes' is the amount of disk space (MB) to use under this
# directory. The default is 100 MB. Change this to suit your
# configuration. Do NOT put the size of your disk drive here.
# Instead, if you want Squid to use the entire disk drive,
# subtract 20% and use that value.
#
# 'L1' is the number of first-level subdirectories which
# will be created under the 'Directory'. The default is 16.
#
# 'L2' is the number of second-level subdirectories which
# will be created under each first-level directory. The default
# is 256.
#
#
# Q2 specifies the number of unacknowledged messages when Squid
# starts blocking. If this many messages are in the queues,
# Squid blocks until it receives some replies. Default is 72
#
# When Q1 < Q2 (the default), the cache directory is optimized
# for lower response time at the expense of a decrease in hit
# ratio. If Q1 > Q2, the cache directory is optimized for
# higher hit ratio at the expense of an increase in response
# time.
#
# The rock store type:
#
# cache_dir rock Directory-Name Mbytes <max-size=bytes> [options]
#
# The Rock Store type is a database-style storage. All cached
# entries are stored in a "database" file, using fixed-size slots,
# one entry per slot. The database size is specified in MB. The
# slot size is specified in bytes using the max-size option. See
# below for more info on the max-size option.
#
# If possible, Squid using Rock Store creates a dedicated kid
# process called "disker" to avoid blocking Squid worker(s) on disk
# I/O. One disker kid is created for each rock cache_dir. Diskers
# are created only when Squid, running in daemon mode, has support
# for the IpcIo disk I/O module.
#
# swap-timeout=msec: Squid will not start writing a miss to or
# reading a hit from disk if it estimates that the swap operation
# will take more than the specified number of milliseconds. By
# default and when set to zero, disables the disk I/O time limit
# enforcement. Ignored when using blocking I/O module because
# blocking synchronous I/O does not allow Squid to estimate the
# expected swap wait time.
#
# max-swap-rate=swaps/sec: Artificially limits disk access using
# the specified I/O rate limit. Swap out requests that
# would cause the average I/O rate to exceed the limit are
# delayed. Individual swap in requests (i.e., hits or reads) are
# not delayed, but they do contribute to measured swap rate and
# since they are placed in the same FIFO queue as swap out
# requests, they may wait longer if max-swap-rate is smaller.
# This is necessary on file systems that buffer "too
# many" writes and then start blocking Squid and other processes
# while committing those writes to disk. Usually used together
# with swap-timeout to avoid excessive delays and queue overflows
# when disk demand exceeds available disk "bandwidth". By default
# and when set to zero, disables the disk I/O rate limit
# enforcement. Currently supported by IpcIo module only.
#
#
# The coss store type:
#
# NP: COSS filesystem in Squid-3 has been deemed too unstable for
# production use and has thus been removed from this release.
# We hope that it can be made usable again soon.
#
# block-size=n defines the "block size" for COSS cache_dir's.
# Squid uses file numbers as block numbers. Since file numbers
# are limited to 24 bits, the block size determines the maximum
# size of the COSS partition. The default is 512 bytes, which
# leads to a maximum cache_dir size of 512<<24, or 8 GB. Note
# you should not change the coss block size after Squid
# has written some objects to the cache_dir.
#
# The coss file store has changed from 2.5. Now it uses a file
# called 'stripe' in the directory names in the config - and
# this will be created by squid -z.
#
# Common options:
#
# no-store, no new objects should be stored to this cache_dir
#
# min-size=n, refers to the min object size in bytes this cache_dir
# will accept. It's used to restrict a cache_dir to only store
# large objects (e.g. aufs) while other storedirs are optimized
# for smaller objects (e.g. COSS). Defaults to 0.
#
# max-size=n, refers to the max object size in bytes this cache_dir
# supports. It is used to select the cache_dir to store the object.
# Note: To make optimal use of the max-size limits you should order
# the cache_dir lines with the smallest max-size value first and the
# ones with no max-size specification last.
#
# Note for coss, max-size must be less than COSS_MEMBUF_SZ,
# which can be changed with the --with-coss-membuf-size=N configure
# option.
#

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256

# TAG: store_dir_select_algorithm
# Set this to 'round-robin' as an alternative.
#Default:
# store_dir_select_algorithm least-load

# TAG: max_open_disk_fds
# To avoid having disk as the I/O bottleneck Squid can optionally
# bypass the on-disk cache if more than this amount of disk file
# descriptors are open.
#
# A value of 0 indicates no limit.
#Default:
# max_open_disk_fds 0

# TAG: minimum_object_size (bytes)
# Objects smaller than this size will NOT be saved on disk. The
# value is specified in kilobytes, and the default is 0 KB, which
# means there is no minimum.
#Default:
# minimum_object_size 0 KB

# TAG: maximum_object_size (bytes)
# The default limit on size of objects stored to disk.
# This size is used for cache_dir where max-size is not set.
# The value is specified in bytes, and the default is 4 MB.
#
# If you wish to get a high BYTES hit ratio, you should probably
# increase this (one 32 MB object hit counts for 3200 10KB
# hits).
#
# If you wish to increase hit ratio more than you want to
# save bandwidth you should leave this low.
#
# NOTE: if using the LFUDA replacement policy you should increase
# this value to maximize the byte hit rate improvement of LFUDA!
# See replacement_policy below for a discussion of this policy.
#Default:
# maximum_object_size 4 MB

# TAG: cache_swap_low (percent, 0-100)
#Default:
# cache_swap_low 90

# TAG: cache_swap_high (percent, 0-100)
#
# The low- and high-water marks for cache object replacement.
# Replacement begins when the swap (disk) usage is above the
# low-water mark and attempts to maintain utilization near the
# low-water mark. As swap utilization gets close to high-water
# mark object eviction becomes more aggressive. If utilization is
# close to the low-water mark less replacement is done each time.
#
# Defaults are 90% and 95%. If you have a large cache, 5% could be
# hundreds of MB. If this is the case you may wish to set these
# numbers closer together.
#Default:
# cache_swap_high 95

# LOGFILE OPTIONS
# -----------------------------------------------------------------------------

# TAG: logformat
# Usage:
#
# logformat <name> <format specification>
#
# Defines an access log format.
#
# The <format specification> is a string with embedded % format codes
#
# % format codes all follow the same basic structure where all but
# the formatcode is optional. Output strings are automatically escaped
# as required according to their context and the output format
# modifiers are usually not needed, but can be specified if an explicit
# output format is desired.
#
# % ["|[|'|#] [-] [[0]width] [{argument}] formatcode
#
# " output in quoted string format
# [ output in squid text log format as used by log_mime_hdrs
# # output in URL quoted format
# ' output as-is
#
# - left aligned
#
# width minimum and/or maximum field width:
# [width_min][.width_max]
# When minimum starts with 0, the field is zero-padded.
# String values exceeding maximum width are truncated.
#
# {arg} argument such as header name etc
#
# Format codes:
#
# % a literal % character
# sn Unique sequence number per log line entry
# err_code The ID of an error response served by Squid or
# a similar internal error identifier.
# err_detail Additional err_code-dependent error information.
#
# Connection related format codes:
#
# >a Client source IP address
# >A Client FQDN
# >p Client source port
# >eui Client source EUI (MAC address, EUI-48 or EUI-64 identifier)
# >la Local IP address the client connected to
# >lp Local port number the client connected to
#
# la Local listening IP address the client connection was connected to.
# lp Local listening port number the client connection was connected to.
#
# <a Server IP address of the last server or peer connection
# <A Server FQDN or peer name
# <p Server port number of the last server or peer connection
# <la Local IP address of the last server or peer connection
# <lp Local port number of the last server or peer connection
#
# Time related format codes:
#
# ts Seconds since epoch
# tu subsecond time (milliseconds)
# tl Local time. Optional strftime format argument
# default %d/%b/%Y:%H:%M:%S %z
# tg GMT time. Optional strftime format argument
# default %d/%b/%Y:%H:%M:%S %z
# tr Response time (milliseconds)
# dt Total time spent making DNS lookups (milliseconds)
#
# Access Control related format codes:
#
# et Tag returned by external acl
# ea Log string returned by external acl
# un User name (any available)
# ul User name from authentication
# ue User name from external acl helper
# ui User name from ident
# us User name from SSL
#
# HTTP related format codes:
#
# [http::]>h Original request header. Optional header name argument
# on the format header[:[separator]element]
# [http::]>ha The HTTP request headers after adaptation and redirection.
# Optional header name argument as for >h
# [http::]<h Reply header. Optional header name argument
# as for >h
# [http::]>Hs HTTP status code sent to the client
# [http::]<Hs HTTP status code received from the next hop
# [http::]<bs Number of HTTP-equivalent message body bytes
# received from the next hop, excluding chunked
# transfer encoding and control messages.
# Generated FTP/Gopher listings are treated as
# received bodies.
# [http::]mt MIME content type
# [http::]rm Request method (GET/POST etc)
# [http::]>rm Request method from client
# [http::]<rm Request method sent to server or peer
# [http::]ru Request URL from client (historic, filtered for logging)
# [http::]>ru Request URL from client
# [http::]<ru Request URL sent to server or peer
# [http::]rp Request URL-Path excluding hostname
# [http::]>rp Request URL-Path excluding hostname from client
# [http::]<rp Request URL-Path excluding hostname sent to server or peer
# [http::]rv Request protocol version
# [http::]>rv Request protocol version from client
# [http::]<rv Request protocol version sent to server or peer
# [http::]<st Sent reply size including HTTP headers
# [http::]>st Received request size including HTTP headers. In the
# case of chunked requests the chunked encoding metadata
# are not included
# [http::]>sh Received HTTP request headers size
# [http::]<sh Sent HTTP reply headers size
# [http::]st Request+Reply size including HTTP headers
# [http::]<sH Reply high offset sent
# [http::]<sS Upstream object size
# [http::]<pt Peer response time in milliseconds. The timer starts
# when the last request byte is sent to the next hop
# and stops when the last response byte is received.
# [http::]<tt Total server-side time in milliseconds. The timer
# starts with the first connect request (or write I/O)
# sent to the first selected peer. The timer stops
# with the last I/O with the last peer.
#
# Squid handling related format codes:
#
# Ss Squid request status (TCP_MISS etc)
# Sh Squid hierarchy status (DEFAULT_PARENT etc)
#
# If ICAP is enabled, the following code becomes available (as
# well as ICAP log codes documented with the icap_log option):
#
# icap::tt Total ICAP processing time for the HTTP
# transaction. The timer ticks when ICAP
# ACLs are checked and when ICAP
# transaction is in progress.
#
# If adaptation is enabled the following three codes become available:
#
# adapt::<last_h The header of the last ICAP response or
# meta-information from the last eCAP
# transaction related to the HTTP transaction.
# Like <h, accepts an optional header name
# argument.
#
# adapt::sum_trs Summed adaptation transaction response
# times recorded as a comma-separated list in
# the order of transaction start time. Each time
# value is recorded as an integer number,
# representing response time of one or more
# adaptation (ICAP or eCAP) transaction in
# milliseconds. When a failed transaction is
# being retried or repeated, its time is not
# logged individually but added to the
# replacement (next) transaction. See also:
# adapt::all_trs.
#
# adapt::all_trs All adaptation transaction response times.
# Same as adaptation_strs but response times of
# individual transactions are never added
# together. Instead, all transaction response
# times are recorded individually.
#
# You can prefix adapt::*_trs format codes with adaptation
# service name in curly braces to record response time(s) specific
# to that service. For example: %{my_service}adapt::sum_trs
#
# The default formats available (which do not need re-defining) are:
#
#logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt
#logformat common %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh
#logformat combined %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
#logformat referrer %ts.%03tu %>a %{Referer}>h %ru
#logformat useragent %>a [%tl] "%{User-Agent}>h"
#
# NOTE: When the log_mime_hdrs directive is set to ON,
# the squid, common and combined formats have a safely encoded copy
# of the mime headers appended to each line within a pair of brackets.
#
# NOTE: The common and combined formats are not quite true to the Apache definition.
# The logs from Squid contain an extra status and hierarchy code appended.
#
#Default:
# none
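
# The default "squid" logformat listed above is what most access.log review
# tooling has to consume. As an added example (not part of squid.conf or of the
# Squid project), the Python below parses lines in that exact field order into
# named records and runs two defender-side checks over them: repeated TCP_DENIED
# replies per client, and CONNECT tunnels to ports other than 443. The sample
# log lines are constructed and use documentation addresses only.

```python
"""Parse Squid access.log lines in the default 'squid' logformat
(%ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt) and run
simple review checks over them. Added example; sample lines are constructed."""
import re
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple, Optional

# One named group per format code, in the order the default format emits them.
FIELD_RE = re.compile(
    r"^(?P<ts>\d+)\.(?P<tu>\d{3})\s+"          # %ts.%03tu
    r"(?P<tr>\d+)\s+"                          # %6tr (right-aligned, so a run of spaces)
    r"(?P<client>\S+)\s+"                      # %>a
    r"(?P<status>[A-Z_]+)/(?P<code>\d{3})\s+"  # %Ss/%03>Hs
    r"(?P<size>\d+)\s+"                        # %<st
    r"(?P<method>\S+)\s+"                      # %rm
    r"(?P<url>\S+)\s+"                         # %ru
    r"(?P<user>\S+)\s+"                        # %[un ("-" when no user is known)
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+"      # %Sh/%<a
    r"(?P<mime>\S+)$"                          # %mt
)

Record = NamedTuple("Record", [
    ("ts", float), ("tr", int), ("client", str), ("status", str), ("code", int),
    ("size", int), ("method", str), ("url", str), ("user", str), ("hier", str),
    ("peer", str), ("mime", str),
])


def parse_line(line: str) -> Optional[Record]:
    """Return a Record for one log line, or None if it is not in this format."""
    m = FIELD_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    g = m.groupdict()
    return Record(float("%s.%s" % (g["ts"], g["tu"])), int(g["tr"]), g["client"],
                  g["status"], int(g["code"]), int(g["size"]), g["method"],
                  g["url"], g["user"], g["hier"], g["peer"], g["mime"])


def parse_log(text: str) -> List[Record]:
    """Parse every line; lines that do not match are skipped rather than fatal."""
    return [r for r in map(parse_line, text.splitlines()) if r is not None]


def denied_per_client(records: List[Record], threshold: int = 3) -> Dict[str, int]:
    """Clients with at least `threshold` TCP_DENIED replies: repeated denials
    usually mean policy probing or a misconfigured client worth a look."""
    counts = Counter(r.client for r in records if r.status.startswith("TCP_DENIED"))
    return {ip: n for ip, n in counts.items() if n >= threshold}


def connect_to_unusual_ports(records: List[Record], allowed=(443,)) -> List[Record]:
    """CONNECT requests whose target port is outside `allowed`. For CONNECT,
    %ru is host:port, so the port is the text after the last colon."""
    hits = []
    for r in records:
        if r.method == "CONNECT":
            port = r.url.rpartition(":")[2]
            if port.isdigit() and int(port) not in allowed:
                hits.append(r)
    return hits


def bytes_per_client(records: List[Record]) -> Dict[str, int]:
    """Sum of %<st (reply size including headers) per client address."""
    totals: Dict[str, int] = defaultdict(int)
    for r in records:
        totals[r.client] += r.size
    return dict(totals)


# Constructed sample lines using documentation addresses; not a real log.
SAMPLE_LOG = """\
1700000000.123     45 10.0.0.5 TCP_MISS/200 1234 GET http://example.test/ - HIER_DIRECT/192.0.2.10 text/html
1700000001.001      0 10.0.0.9 TCP_DENIED/403 3856 GET http://blocked.test/ - HIER_NONE/- text/html
1700000001.250      0 10.0.0.9 TCP_DENIED/403 3856 GET http://blocked.test/a - HIER_NONE/- text/html
1700000001.500      0 10.0.0.9 TCP_DENIED/403 3856 CONNECT 198.51.100.7:4444 - HIER_NONE/- text/html
1700000002.000    310 10.0.0.5 TCP_MISS/200 8765 CONNECT example.test:443 alice HIER_DIRECT/192.0.2.10 -
1700000003.000    120 10.0.0.7 TCP_MISS/200 2048 CONNECT 203.0.113.4:8443 bob HIER_DIRECT/203.0.113.4 -
this line is not in the squid logformat and is skipped
"""

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("parsed", len(recs), "records")
    print("repeat denials:", denied_per_client(recs))
    print("odd CONNECT ports:", [(r.client, r.url) for r in connect_to_unusual_ports(recs)])
    print("bytes per client:", bytes_per_client(recs))
```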

# TAG: access_log
# These files log client request activities. Has a line every HTTP or
# ICP request. The format is:
# access_log <module>:<place> [<logformat name> [acl acl ...]]
# access_log none [acl acl ...]
#
# Will log to the specified module:place using the specified format (which
# must be defined in a logformat directive) those entries which match
# ALL the acl's specified (which must be defined in acl clauses).
# If no acl is specified, all requests will be logged to this destination.
#
# ===== Modules Currently available =====
#
# none Do not log any requests matching these ACL.
# Do not specify Place or logformat name.
#
# stdio Write each log line to disk immediately at the completion of
# each request.
# Place: the filename and path to be written.
#
# daemon Very similar to stdio. But instead of writing to disk the log
# line is passed to a daemon helper for asynchronous handling.
# Place: varies depending on the daemon.
#
# log_file_daemon Place: the file name and path to be written.
#
# syslog To log each request via syslog facility.
# Place: The syslog facility and priority level for these entries.
# Place Format: facility.priority
#
# where facility could be any of:
# authpriv, daemon, local0 ... local7 or user.
#
# And priority could be any of:
# err, warning, notice, info, debug.
#
# udp To send each log line as text data to a UDP receiver.
# Place: The destination host name or IP and port.
# Place Format: //host:port
#
# tcp To send each log line as text data to a TCP receiver.
# Place: The destination host name or IP and port.
# Place Format: //host:port
#
# Default:
# access_log daemon:/var/log/squid/access.log squid
#Default:
# access_log daemon:/var/log/squid/access.log squid

# TAG: icap_log
# ICAP log files record ICAP transaction summaries, one line per
# transaction.
#
# The icap_log option format is:
# icap_log <filepath> [<logformat name> [acl acl ...]]
# icap_log none [acl acl ...]
#
# Please see access_log option documentation for details. The two
# kinds of logs share the overall configuration approach and many
# features.
#
# ICAP processing of a single HTTP message or transaction may
# require multiple ICAP transactions. In such cases, multiple
# ICAP transaction log lines will correspond to a single access
# log line.
#
# ICAP log uses logformat codes that make sense for an ICAP
# transaction. Header-related codes are applied to the HTTP header
# embedded in an ICAP server response, with the following caveats:
# For REQMOD, there is no HTTP response header unless the ICAP
# server performed request satisfaction. For RESPMOD, the HTTP
# request header is the header sent to the ICAP server. For
# OPTIONS, there are no HTTP headers.
#
# The following format codes are also available for ICAP logs:
#
# icap::<A ICAP server IP address. Similar to <A.
#
# icap::<service_name ICAP service name from the icap_service
# option in Squid configuration file.
#
# icap::ru ICAP Request-URI. Similar to ru.
#
# icap::rm ICAP request method (REQMOD, RESPMOD, or
# OPTIONS). Similar to existing rm.
#
# icap::>st Bytes sent to the ICAP server (TCP payload
# only; i.e., what Squid writes to the socket).
#
# icap::<st Bytes received from the ICAP server (TCP
# payload only; i.e., what Squid reads from
# the socket).
#
# icap::<bs Number of message body bytes received from the
# ICAP server. ICAP message body, if any, usually
# includes encapsulated HTTP message headers and
# possibly encapsulated HTTP message body. The
# HTTP body part is dechunked before its size is
# computed.
#
# icap::tr Transaction response time (in
# milliseconds). The timer starts when
# the ICAP transaction is created and
# stops when the transaction is completed.
# Similar to tr.
#
# icap::tio Transaction I/O time (in milliseconds). The
# timer starts when the first ICAP request
# byte is scheduled for sending. The timer
# stops when the last byte of the ICAP response
# is received.
#
# icap::to Transaction outcome: ICAP_ERR* for all
# transaction errors, ICAP_OPT for OPTION
# transactions, ICAP_ECHO for 204
# responses, ICAP_MOD for message
# modification, and ICAP_SAT for request
# satisfaction. Similar to Ss.
#
# icap::Hs ICAP response status code. Similar to Hs.
#
# icap::>h ICAP request header(s). Similar to >h.
#
# icap::<h ICAP response header(s). Similar to <h.
#
# The default ICAP log format, which can be used without an explicit
# definition, is called icap_squid:
#
#logformat icap_squid %ts.%03tu %6icap::tr %>a %icap::to/%03icap::Hs %icap::<size %icap::rm %icap::ru% %un -/%icap::<A -
#
# See also: logformat, log_icap, and %adapt::<last_h
#Default:
# none

# TAG: logfile_daemon
# Specify the path to the logfile-writing daemon. This daemon is
# used to write the access and store logs, if configured.
#
# Squid sends a number of commands to the log daemon:
# L<data>\n - logfile data
# R\n - rotate file
# T\n - truncate file
# O\n - reopen file
# F\n - flush file
# r<n>\n - set rotate count to <n>
# b<n>\n - 1 = buffer output, 0 = don't buffer output
#
# No response is expected.
#Default:
# logfile_daemon /usr/lib64/squid/log_file_daemon
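
# The command protocol above is small enough to implement directly. As an added
# example (not Squid's own log_file_daemon helper), the Python below applies those
# commands to one log file, reading them from stdin the way Squid delivers them, and
# replays a constructed session so the rotate, reopen and truncate behaviour can be
# checked. It assumes Squid passes the log path as the helper's single argument.

```python
"""A small logfile_daemon helper implementing the command protocol the
logfile_daemon directive describes (L, R, T, O, F, r<n>, b<n>). Added
example, not Squid's own log_file_daemon."""
import os
import sys
import tempfile
from typing import Dict, List


class LogDaemon:
    """Owns one log file and applies Squid's one-letter commands to it."""

    def __init__(self, path: str, rotate_count: int = 10, buffered: bool = True):
        self.path = path
        self.rotate_count = rotate_count  # changed at runtime by r<n>
        self.buffered = buffered          # changed at runtime by b<n>
        self.fp = None
        self.reopen()

    def reopen(self) -> None:
        if self.fp is not None:
            self.fp.close()
        # Append mode: O (reopen) must never discard lines already written.
        self.fp = open(self.path, "a", encoding="utf-8")

    def rotate(self) -> None:
        """file.N-2 -> file.N-1, ..., file.0 -> file.1, file -> file.0, then
        reopen. With the default count of 10 that yields extensions 0..9.
        A count of 0 only closes and reopens, as logfile_rotate documents."""
        self.fp.close()
        if self.rotate_count > 0:
            for i in range(self.rotate_count - 1, 0, -1):
                src = "%s.%d" % (self.path, i - 1)
                if os.path.exists(src):
                    os.replace(src, "%s.%d" % (self.path, i))
            if os.path.exists(self.path):
                os.replace(self.path, self.path + ".0")
        self.reopen()

    def truncate(self) -> None:
        self.fp.close()
        self.fp = open(self.path, "w", encoding="utf-8")

    def handle(self, line: str) -> None:
        """Apply one command line exactly as Squid sends it, newline included.
        The protocol expects no reply, so nothing is written back."""
        cmd, arg = line[:1], line[1:]
        if cmd == "L":
            self.fp.write(arg)        # arg keeps its trailing newline
            if not self.buffered:
                self.fp.flush()
        elif cmd == "R":
            self.rotate()
        elif cmd == "T":
            self.truncate()
        elif cmd == "O":
            self.reopen()
        elif cmd == "F":
            self.fp.flush()
        elif cmd == "r":
            self.rotate_count = int(arg.strip())
        elif cmd == "b":
            self.buffered = arg.strip() == "1"
        # Anything else is ignored rather than taking the log path down.

    def close(self) -> None:
        self.fp.close()


def replay(commands: List[str], path: str) -> Dict[str, str]:
    """Feed a scripted command sequence to a daemon and return the contents
    of the log file and its rotated copies, keyed by file name."""
    d = LogDaemon(path)
    for c in commands:
        d.handle(c)
    d.close()
    folder, base = os.path.split(path)
    out = {}
    for name in sorted(os.listdir(folder)):
        if name.startswith(base):
            with open(os.path.join(folder, name), encoding="utf-8") as f:
                out[name] = f.read()
    return out


# Constructed session in the documented command syntax.
CONSTRUCTED_SESSION = [
    "b0\n",                   # unbuffered: every line is flushed immediately
    "Lfirst request line\n",
    "R\n",                    # rotate: access.log becomes access.log.0
    "Lsecond request line\n",
    "r0\n",                   # rotation count 0: R now only closes and reopens
    "R\n",
    "Lthird request line\n",
    "T\n",                    # truncate the current file
    "Lfourth request line\n",
    "F\n",
]


def demo() -> Dict[str, str]:
    """Run the constructed session in a fresh temporary directory."""
    return replay(CONSTRUCTED_SESSION, os.path.join(tempfile.mkdtemp(), "access.log"))


if __name__ == "__main__":
    if len(sys.argv) > 1:     # assumed Squid invocation: the log path is argv[1]
        daemon = LogDaemon(sys.argv[1])
        for command in sys.stdin:
            daemon.handle(command)
        daemon.close()
    else:
        print(demo())
```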
3087 |
|
|
3088 |
|
# TAG: log_access allow|deny acl acl... |
3089 |
|
# This options allows you to control which requests gets logged |
3090 |
|
# to access.log (see access_log directive). Requests denied for |
3091 |
|
# logging will also not be accounted for in performance counters. |
3092 |
|
# |
3093 |
|
# This clause only supports fast acl types. |
3094 |
|
# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. |
3095 |
|
#Default: |
3096 |
|
# none |
3097 |
|
|
3098 |
|
# TAG: log_icap |
3099 |
|
# This options allows you to control which requests get logged |
3100 |
|
# to icap.log. See the icap_log directive for ICAP log details. |
3101 |
|
#Default: |
3102 |
|
# none |
3103 |
|
|
3104 |
# TAG: cache_store_log |
# TAG: cache_store_log |
3105 |
# Logs the activities of the storage manager. Shows which |
# Logs the activities of the storage manager. Shows which |
3106 |
# objects are ejected from the cache, and which objects are |
# objects are ejected from the cache, and which objects are |
3107 |
# saved and for how long. To disable, enter "none". There are |
# saved and for how long. |
3108 |
# not really utilities to analyze this data, so you can safely |
# There are not really utilities to analyze this data, so you can safely |
3109 |
# disable it. |
# disable it (the default). |
3110 |
# |
# |
3111 |
|
# Store log uses modular logging outputs. See access_log for the list |
3112 |
|
# of modules supported. |
3113 |
|
# |
3114 |
|
# Example: |
3115 |
|
# cache_store_log stdio:/var/log/squid/store.log |
3116 |
|
# cache_store_log daemon:/var/log/squid/store.log |
3117 |
#Default: |
#Default: |
3118 |
# cache_store_log /var/log/squid/store.log |
# none |
3119 |
|
|
3120 |
# TAG: cache_swap_log |
# TAG: cache_swap_state |
3121 |
# Location for the cache "swap.log." This log file holds the |
# Location for the cache "swap.state" file. This index file holds |
3122 |
# metadata of objects saved on disk. It is used to rebuild the |
# the metadata of objects saved on disk. It is used to rebuild |
3123 |
# cache during startup. Normally this file resides in each |
# the cache during startup. Normally this file resides in each |
3124 |
# 'cache_dir' directory, but you may specify an alternate |
# 'cache_dir' directory, but you may specify an alternate |
3125 |
# pathname here. Note you must give a full filename, not just |
# pathname here. Note you must give a full filename, not just |
3126 |
# a directory. Since this is the index for the whole object |
# a directory. Since this is the index for the whole object |
3127 |
# list you CANNOT periodically rotate it! |
# list you CANNOT periodically rotate it! |
3128 |
# |
# |
3129 |
# If %s can be used in the file name then it will be replaced with a |
# If %s can be used in the file name it will be replaced with a |
3130 |
# a representation of the cache_dir name where each / is replaced |
# a representation of the cache_dir name where each / is replaced |
3131 |
# with '.'. This is needed to allow adding/removing cache_dir |
# with '.'. This is needed to allow adding/removing cache_dir |
3132 |
# lines when cache_swap_log is being used. |
# lines when cache_swap_log is being used. |
3133 |
# |
# |
3134 |
# If have more than one 'cache_dir', and %s is not used in the name |
# If have more than one 'cache_dir', and %s is not used in the name |
3135 |
# then these swap logs will have names such as: |
# these swap logs will have names such as: |
3136 |
# |
# |
3137 |
# cache_swap_log.00 |
# cache_swap_log.00 |
3138 |
# cache_swap_log.01 |
# cache_swap_log.01 |
3141 |
# The numbered extension (which is added automatically) |
# The numbered extension (which is added automatically) |
3142 |
# corresponds to the order of the 'cache_dir' lines in this |
# corresponds to the order of the 'cache_dir' lines in this |
3143 |
# configuration file. If you change the order of the 'cache_dir' |
# configuration file. If you change the order of the 'cache_dir' |
3144 |
# lines in this file, then these log files will NOT correspond to |
# lines in this file, these index files will NOT correspond to |
3145 |
# the correct 'cache_dir' entry (unless you manually rename |
# the correct 'cache_dir' entry (unless you manually rename |
3146 |
# them). We recommend that you do NOT use this option. It is |
# them). We recommend you do NOT use this option. It is |
3147 |
# better to keep these log files in each 'cache_dir' directory. |
# better to keep these index files in each 'cache_dir' directory. |
|
# |
|
3148 |
#Default: |
#Default: |
3149 |
# none |
# none |
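Review bot: the renamed cache_swap_state block still refers to the old name in its own text: "lines when cache_swap_log is being used" and the example names "cache_swap_log.00" / "cache_swap_log.01" should read cache_swap_state, matching the TAG line and the "index files" wording further down in the same block. "If have more than one 'cache_dir'" is also missing "you" on both sides.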
3150 |
|
|
3151 |
# TAG: emulate_httpd_log on|off |
# TAG: logfile_rotate |
3152 |
# The Cache can emulate the log file format which many 'httpd' |
# Specifies the number of logfile rotations to make when you |
3153 |
# programs use. To disable/enable this emulation, set |
# type 'squid -k rotate'. The default is 10, which will rotate |
3154 |
# emulate_httpd_log to 'off' or 'on'. The default |
# with extensions 0 through 9. Setting logfile_rotate to 0 will |
3155 |
# is to use the native log format since it includes useful |
# disable the file name rotation, but the logfiles are still closed |
3156 |
# information that Squid-specific log analyzers use. |
# and re-opened. This will enable you to rename the logfiles |
3157 |
|
# yourself just before sending the rotate signal. |
3158 |
|
# |
3159 |
|
# Note, the 'squid -k rotate' command normally sends a USR1 |
3160 |
|
# signal to the running squid process. In certain situations |
3161 |
|
# (e.g. on Linux with Async I/O), USR1 is used for other |
3162 |
|
# purposes, so -k rotate uses another signal. It is best to get |
3163 |
|
# in the habit of using 'squid -k rotate' instead of 'kill -USR1 |
3164 |
|
# <pid>'. |
3165 |
# |
# |
3166 |
|
# Note, from Squid-3.1 this option has no effect on the cache.log, |
3167 |
|
# that log can be rotated separately by using debug_options |
3168 |
#Default: |
#Default: |
3169 |
# emulate_httpd_log off |
# logfile_rotate 0 |
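Review bot: "The default is 10, which will rotate with extensions 0 through 9" contradicts the "#Default: logfile_rotate 0" line at the end of the same block. If 0 is what this build ships, say so in one place ("Squid's built-in default is 10; this configuration sets 0") so a reader does not wait for ten numbered copies that never appear; with 0 the files are only closed and re-opened and the operator is expected to rename them before running squid -k rotate, as the following sentences already explain.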
3170 |
|
|
3171 |
# TAG: log_ip_on_direct on|off |
# TAG: emulate_httpd_log |
3172 |
# Log the destination IP address in the hierarchy log tag when going |
# Replace this with an access_log directive using the format 'common' or 'combined'. |
|
# direct. Earlier Squid versions logged the hostname here. If you |
|
|
# prefer the old way set this to off. |
|
|
# |
|
3173 |
#Default: |
#Default: |
3174 |
# log_ip_on_direct on |
# none |
3175 |
|
|
3176 |
|
# TAG: log_ip_on_direct |
3177 |
|
# Remove this option from your config. To log server or peer names use %<A in the log format. |
3178 |
|
#Default: |
3179 |
|
# none |
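Review bot: the two migration stubs name the replacement logformat ('common', 'combined') and the %<A token but never show the directive syntax; one example line such as "access_log /var/log/squid/access.log combined" would save readers a trip to the access_log section. It is also worth saying in the log_ip_on_direct stub that %<A is the server-side (peer or origin) address, since the log_fqdn stub further down uses %>A for the client side and the two otherwise look interchangeable.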
3180 |
|
|
3181 |
# TAG: mime_table |
# TAG: mime_table |
3182 |
# Pathname to Squid's MIME table. You shouldn't need to change |
# Pathname to Squid's MIME table. You shouldn't need to change |
3183 |
# this, but the default file contains examples and formatting |
# this, but the default file contains examples and formatting |
3184 |
# information if you do. |
# information if you do. |
|
# |
|
3185 |
#Default: |
#Default: |
3186 |
# mime_table /etc/squid/mime.conf |
# mime_table /etc/squid/mime.conf |
3187 |
|
|
3191 |
# safely and will appear as two bracketed fields at the end of |
# safely and will appear as two bracketed fields at the end of |
3192 |
# the access log (for either the native or httpd-emulated log |
# the access log (for either the native or httpd-emulated log |
3193 |
# formats). To enable this logging set log_mime_hdrs to 'on'. |
# formats). To enable this logging set log_mime_hdrs to 'on'. |
|
# |
|
3194 |
#Default: |
#Default: |
3195 |
# log_mime_hdrs off |
# log_mime_hdrs off |
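Review bot: the unchanged sentence "(for either the native or httpd-emulated log formats)" points at emulate_httpd_log, which this same diff replaces with a stub a few blocks earlier; reword it to name the logformats the bracketed header fields are actually appended to, so the text does not reference a directive that no longer exists.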
3196 |
|
|
3197 |
# TAG: useragent_log |
# TAG: useragent_log |
3198 |
# Squid will write the User-Agent field from HTTP requests |
# Replace this with an access_log directive using the format 'useragent'. |
|
# to the filename specified here. By default useragent_log |
|
|
# is disabled. |
|
|
# |
|
3199 |
#Default: |
#Default: |
3200 |
# none |
# none |
3201 |
|
|
3202 |
# TAG: referer_log |
# TAG: referer_log |
3203 |
# Note: This option is only available if Squid is rebuilt with the |
# Replace this with an access_log directive using the format 'referrer'. |
|
# --enable-referer-log option |
|
|
# |
|
|
# Squid will write the Referer field from HTTP requests to the |
|
|
# filename specified here. By default referer_log is disabled. |
|
|
# |
|
3204 |
#Default: |
#Default: |
3205 |
# none |
# none |
3206 |
|
|
3207 |
# TAG: pid_filename |
# TAG: pid_filename |
3208 |
# A filename to write the process-id to. To disable, enter "none". |
# A filename to write the process-id to. To disable, enter "none". |
|
# |
|
3209 |
#Default: |
#Default: |
3210 |
# pid_filename /var/run/squid.pid |
# pid_filename /var/run/squid.pid |
3211 |
|
|
3212 |
|
# TAG: log_fqdn |
3213 |
|
# Remove this option from your config. To log FQDN use %>A in the log format. |
3214 |
|
#Default: |
3215 |
|
# none |
3216 |
|
|
3217 |
|
# TAG: client_netmask |
3218 |
|
# A netmask for client addresses in logfiles and cachemgr output. |
3219 |
|
# Change this to protect the privacy of your cache clients. |
3220 |
|
# A netmask of 255.255.255.0 will log all IP's in that range with |
3221 |
|
# the last digit set to '0'. |
3222 |
|
#Default: |
3223 |
|
# client_netmask no_addr |
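Review bot: the default changes from 255.255.255.255 (old column, shown further down) to no_addr, but nothing in the block says what no_addr means; state that it disables masking. "the last digit set to '0'" should be "the last octet set to 0", and the text should say whether the mask is applied to IPv6 client addresses at all, since a 255.255.255.0-style mask only describes IPv4 and operators who rely on this directive for log privacy need to know which addresses it leaves untouched.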
3224 |
|
|
3225 |
|
# TAG: forward_log |
3226 |
|
# Use a regular access.log with ACL limiting it to MISS events. |
3227 |
|
#Default: |
3228 |
|
# none |
3229 |
|
|
3230 |
|
# TAG: strip_query_terms |
3231 |
|
# By default, Squid strips query terms from requested URLs before |
3232 |
|
# logging. This protects your user's privacy. |
3233 |
|
#Default: |
3234 |
|
# strip_query_terms on |
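Review bot: "your user's privacy" should be "your users' privacy". It would also help to say what is stripped (everything from the '?' onward in the logged URL), since tokens and session identifiers in query strings are the reason this is on by default.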
3235 |
|
|
3236 |
|
# TAG: buffered_logs on|off |
3237 |
|
# cache.log log file is written with stdio functions, and as such |
3238 |
|
# it can be buffered or unbuffered. By default it will be unbuffered. |
3239 |
|
# Buffering it can speed up the writing slightly (though you are |
3240 |
|
# unlikely to need to worry unless you run with tons of debugging |
3241 |
|
# enabled in which case performance will suffer badly anyway..). |
3242 |
|
#Default: |
3243 |
|
# buffered_logs off |
3244 |
|
|
3245 |
|
# TAG: netdb_filename |
3246 |
|
# A filename where Squid stores it's netdb state between restarts. |
3247 |
|
# To disable, enter "none". |
3248 |
|
#Default: |
3249 |
|
# netdb_filename stdio:/var/log/squid/netdb.state |
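Review bot: "it's netdb state" should be "its netdb state". The stdio: prefix in the default "stdio:/var/log/squid/netdb.state" appears here without explanation; a pointer to the section that describes the log module prefixes would stop readers from treating it as a typo.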
3250 |
|
|
3251 |
|
# OPTIONS FOR TROUBLESHOOTING |
3252 |
|
# ----------------------------------------------------------------------------- |
3253 |
|
|
3254 |
|
# TAG: cache_log |
3255 |
|
# Cache logging file. This is where general information about |
3256 |
|
# your cache's behavior goes. You can increase the amount of data |
3257 |
|
# logged to this file and how often its rotated with "debug_options" |
3258 |
|
#Default: |
3259 |
|
# cache_log /var/log/squid/cache.log |
3260 |
|
|
3261 |
# TAG: debug_options |
# TAG: debug_options |
3262 |
# Logging options are set as section,level where each source file |
# Logging options are set as section,level where each source file |
3263 |
# is assigned a unique section. Lower levels result in less |
# is assigned a unique section. Lower levels result in less |
3264 |
# output, Full debugging (level 9) can result in a very large |
# output, Full debugging (level 9) can result in a very large |
3265 |
# log file, so be careful. The magic word "ALL" sets debugging |
# log file, so be careful. |
|
# levels for all sections. We recommend normally running with |
|
|
# "ALL,1". |
|
3266 |
# |
# |
3267 |
|
# The magic word "ALL" sets debugging levels for all sections. |
3268 |
|
# We recommend normally running with "ALL,1". |
3269 |
|
# |
3270 |
|
# The rotate=N option can be used to keep more or less of these logs |
3271 |
|
# than would otherwise be kept by logfile_rotate. |
3272 |
|
# For most uses a single log should be enough to monitor current |
3273 |
|
# events affecting Squid. |
3274 |
#Default: |
#Default: |
3275 |
# debug_options ALL,1 |
# debug_options ALL,1 |
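Review bot: "how often its rotated" in cache_log should be "how often it's rotated". In debug_options, "keep more or less of these logs than would otherwise be kept by logfile_rotate" sits a few blocks after logfile_rotate says it has no effect on cache.log since Squid-3.1; make the relationship explicit, e.g. "rotate=N sets the number of rotated cache.log copies; when omitted, the logfile_rotate value is used", otherwise the two statements read as contradicting each other.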
3276 |
|
|
3277 |
# TAG: log_fqdn on|off |
# TAG: coredump_dir |
3278 |
# Turn this on if you wish to log fully qualified domain names |
# By default Squid leaves core files in the directory from where |
3279 |
# in the access.log. To do this Squid does a DNS lookup of all |
# it was started. If you set 'coredump_dir' to a directory |
3280 |
# IP's connecting to it. This can (in some situations) increase |
# that exists, Squid will chdir() to that directory at startup |
3281 |
# latency, which makes your cache seem slower for interactive |
# and coredump files will be left there. |
|
# browsing. |
|
3282 |
# |
# |
3283 |
#Default: |
#Default: |
3284 |
# log_fqdn off |
# coredump_dir none |
|
|
|
|
# TAG: client_netmask |
|
|
# A netmask for client addresses in logfiles and cachemgr output. |
|
|
# Change this to protect the privacy of your cache clients. |
|
|
# A netmask of 255.255.255.0 will log all IP's in that range with |
|
|
# the last digit set to '0'. |
|
3285 |
# |
# |
|
#Default: |
|
|
# client_netmask 255.255.255.255 |
|
3286 |
|
|
3287 |
|
# Leave coredumps in the first cache dir |
3288 |
|
coredump_dir /var/spool/squid |
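Review bot: the live "coredump_dir /var/spool/squid" line points core files at the first cache_dir, as its comment says, but the block does not mention that a core file is a full memory image of the proxy (cached objects, in-flight requests, any credentials carried in request headers). The comment should remind operators to keep that directory readable only by the squid user and to remove cores once they have been analysed.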
3289 |
|
|
3290 |
# OPTIONS FOR EXTERNAL SUPPORT PROGRAMS |
# OPTIONS FOR FTP GATEWAYING |
3291 |
# ----------------------------------------------------------------------------- |
# ----------------------------------------------------------------------------- |
3292 |
|
|
3293 |
# TAG: ftp_user |
# TAG: ftp_user |
3295 |
# (and enable the use of picky ftp servers), set this to something |
# (and enable the use of picky ftp servers), set this to something |
3296 |
# reasonable for your domain, like wwwuser@somewhere.net |
# reasonable for your domain, like wwwuser@somewhere.net |
3297 |
# |
# |
3298 |
# The reason why this is domainless by default is that the |
# The reason why this is domainless by default is the |
3299 |
# request can be made on the behalf of a user in any domain, |
# request can be made on the behalf of a user in any domain, |
3300 |
# depending on how the cache is used. |
# depending on how the cache is used. |
3301 |
# Some ftp server also validate that the email address is valid |
# Some ftp server also validate the email address is valid |
3302 |
# (for example perl.com). |
# (for example perl.com). |
|
# |
|
3303 |
#Default: |
#Default: |
3304 |
# ftp_user Squid@ |
# ftp_user Squid@ |
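Review bot: two wording regressions on the new side: "The reason why this is domainless by default is the request can be made" lost the "that" and now reads as a run-on, and "Some ftp server also validate the email address is valid" should be "Some FTP servers also validate that the email address is valid". Both are plain grammar; restore the old wording or rewrite the sentences.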
3305 |
|
|
|
# TAG: ftp_list_width |
|
|
# Sets the width of ftp listings. This should be set to fit in |
|
|
# the width of a standard browser. Setting this too small |
|
|
# can cut off long filenames when browsing ftp sites. |
|
|
# |
|
|
#Default: |
|
|
# ftp_list_width 32 |
|
|
|
|
3306 |
# TAG: ftp_passive |
# TAG: ftp_passive |
3307 |
# If your firewall does not allow Squid to use passive |
# If your firewall does not allow Squid to use passive |
3308 |
# connections, then turn off this option. |
# connections, turn off this option. |
3309 |
# |
# |
3310 |
|
# Use of ftp_epsv_all option requires this to be ON. |
3311 |
#Default: |
#Default: |
3312 |
# ftp_passive on |
# ftp_passive on |
3313 |
|
|
3314 |
# TAG: cache_dns_program |
# TAG: ftp_epsv_all |
3315 |
# Note: This option is only available if Squid is rebuilt with the |
# FTP Protocol extensions permit the use of a special "EPSV ALL" command. |
|
# --disable-internal-dns option |
|
3316 |
# |
# |
3317 |
# Specify the location of the executable for dnslookup process. |
# NATs may be able to put the connection on a "fast path" through the |
3318 |
|
# translator, as the EPRT command will never be used and therefore, |
3319 |
|
# translation of the data portion of the segments will never be needed. |
3320 |
|
# |
3321 |
|
# When a client only expects to do two-way FTP transfers this may be |
3322 |
|
# useful. |
3323 |
|
# If squid finds that it must do a three-way FTP transfer after issuing |
3324 |
|
# an EPSV ALL command, the FTP session will fail. |
3325 |
|
# |
3326 |
|
# If you have any doubts about this option do not use it. |
3327 |
|
# Squid will nicely attempt all other connection methods. |
3328 |
# |
# |
3329 |
|
# Requires ftp_passive to be ON (default) for any effect. |
3330 |
#Default: |
#Default: |
3331 |
# cache_dns_program /usr/lib/squid/ |
# ftp_epsv_all off |
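Review bot: "two-way FTP transfers" and "three-way FTP transfer" are not standard terms and are not defined anywhere in this block; say which connection pattern each means (and that EPSV ALL tells the server Squid will never send EPRT or PORT, which is why the session fails rather than falling back), so an operator can tell whether their traffic qualifies before turning this on.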
3332 |
|
|
3333 |
# TAG: dns_children |
# TAG: ftp_epsv |
3334 |
# Note: This option is only available if Squid is rebuilt with the |
# FTP Protocol extensions permit the use of a special "EPSV" command. |
|
# --disable-internal-dns option |
|
3335 |
# |
# |
3336 |
# The number of processes spawn to service DNS name lookups. |
# NATs may be able to put the connection on a "fast path" through the |
3337 |
# For heavily loaded caches on large servers, you should |
# translator using EPSV, as the EPRT command will never be used |
3338 |
# probably increase this value to at least 10. The maximum |
# and therefore, translation of the data portion of the segments |
3339 |
# is 32. The default is 5. |
# will never be needed. |
3340 |
# |
# |
3341 |
# You must have at least one dnsserver process. |
# Turning this OFF will prevent EPSV being attempted. |
3342 |
|
# WARNING: Doing so will convert Squid back to the old behavior with all |
3343 |
|
# the related problems with external NAT devices/layers. |
3344 |
# |
# |
3345 |
|
# Requires ftp_passive to be ON (default) for any effect. |
3346 |
#Default: |
#Default: |
3347 |
# dns_children 5 |
# ftp_epsv on |
3348 |
|
|
3349 |
# TAG: dns_retransmit_interval |
# TAG: ftp_eprt |
3350 |
# Initial retransmit interval for DNS queries. The interval is |
# FTP Protocol extensions permit the use of a special "EPRT" command. |
|
# doubled each time all configured DNS servers have been tried. |
|
3351 |
# |
# |
3352 |
|
# This extension provides a protocol neutral alternative to the |
3353 |
|
# IPv4-only PORT command. When supported it enables active FTP data |
3354 |
|
# channels over IPv6 and efficient NAT handling. |
3355 |
# |
# |
3356 |
#Default: |
# Turning this OFF will prevent EPRT being attempted and will skip |
3357 |
# dns_retransmit_interval 5 seconds |
# straight to using PORT for IPv4 servers. |
|
|
|
|
# TAG: dns_timeout |
|
|
# DNS Query timeout. If no response is received to a DNS query |
|
|
# within this time then all DNS servers for the queried domain |
|
|
# is assumed to be unavailable. |
|
3358 |
# |
# |
3359 |
|
# Some devices are known to not handle this extension correctly and |
3360 |
|
# may result in crashes. Devices which suport EPRT enough to fail |
3361 |
|
# cleanly will result in Squid attempting PORT anyway. This directive |
3362 |
|
# should only be disabled when EPRT results in device failures. |
3363 |
|
# |
3364 |
|
# WARNING: Doing so will convert Squid back to the old behavior with all |
3365 |
|
# the related problems with external NAT devices/layers and IPv4-only FTP. |
3366 |
#Default: |
#Default: |
3367 |
# dns_timeout 5 minutes |
# ftp_eprt on |
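Review bot: "Devices which suport EPRT" should be "support". The block also says turning ftp_eprt off "will skip straight to using PORT for IPv4 servers" and later that doing so brings back "IPv4-only FTP"; stating once that PORT has no IPv6 form (so with ftp_eprt off there are no active-mode data channels to IPv6 servers) would make the two sentences agree instead of repeating the warning.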
3368 |
|
|
3369 |
# TAG: dns_defnames on|off |
# TAG: ftp_sanitycheck |
3370 |
# Note: This option is only available if Squid is rebuilt with the |
# For security and data integrity reasons Squid by default performs |
3371 |
# --disable-internal-dns option |
# sanity checks of the addresses of FTP data connections ensure the |
3372 |
# |
# data connection is to the requested server. If you need to allow |
3373 |
# Normally the 'dnsserver' disables the RES_DEFNAMES resolver |
# FTP connections to servers using another IP address for the data |
3374 |
# option (see res_init(3)). This prevents caches in a hierarchy |
# connection turn this off. |
|
# from interpreting single-component hostnames locally. To allow |
|
|
# dnsserver to handle single-component names, enable this |
|
|
# option. |
|
|
# |
|
3375 |
#Default: |
#Default: |
3376 |
# dns_defnames off |
# ftp_sanitycheck on |
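Review bot: "performs sanity checks of the addresses of FTP data connections ensure the data connection is to the requested server" is missing "to" before "ensure". Since this is the check that stops a server from steering Squid's data connection to a third host, the text should also say what is compared (the address announced for the data connection against the peer of the control connection), so operators understand what they give up by setting it off.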
3377 |
|
|
3378 |
# TAG: dns_nameservers |
# TAG: ftp_telnet_protocol |
3379 |
# Use this if you want to specify a list of DNS name servers |
# The FTP protocol is officially defined to use the telnet protocol |
3380 |
# (IP addresses) to use instead of those given in your |
# as transport channel for the control connection. However, many |
3381 |
# /etc/resolv.conf file. |
# implementations are broken and does not respect this aspect of |
3382 |
# |
# the FTP protocol. |
|
# Example: dns_nameservers 10.0.0.1 192.172.0.4 |
|
3383 |
# |
# |
3384 |
|
# If you have trouble accessing files with ASCII code 255 in the |
3385 |
|
# path or similar problems involving this ASCII code you can |
3386 |
|
# try setting this directive to off. If that helps, report to the |
3387 |
|
# operator of the FTP server in question that their FTP server |
3388 |
|
# is broken and does not follow the FTP standard. |
3389 |
#Default: |
#Default: |
3390 |
# none |
# ftp_telnet_protocol on |
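Review bot: "many implementations are broken and does not respect" should be "do not respect", and "ASCII code 255" is the Telnet IAC byte, which is why it must be escaped on a telnet-transport control channel; naming IAC would make the troubleshooting advice less mysterious. Separately, across this FTP region the old column's cache_dns_program, dns_children, dns_retransmit_interval, dns_timeout, dns_defnames and dns_nameservers simply disappear, whereas the removed log directives above each received a "Remove this option" or "Replace this with" stub; either add the same kind of stub here or confirm in the text that the dns_* directives moved to another section, so the diff is not read as a removal.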
3391 |
|
|
3392 |
|
# OPTIONS FOR EXTERNAL SUPPORT PROGRAMS |
3393 |
|
# ----------------------------------------------------------------------------- |
3394 |
|
|
3395 |
# TAG: diskd_program |
# TAG: diskd_program |
3396 |
# Specify the location of the diskd executable. |
# Specify the location of the diskd executable. |
3397 |
# Note that this is only useful if you have compiled in |
# Note this is only useful if you have compiled in |
3398 |
# diskd as one of the store io modules. |
# diskd as one of the store io modules. |
|
# |
|
3399 |
#Default: |
#Default: |
3400 |
# diskd_program /usr/lib/squid/diskd |
# diskd_program /usr/lib64/squid/diskd |
3401 |
|
|
3402 |
# TAG: unlinkd_program |
# TAG: unlinkd_program |
3403 |
# Specify the location of the executable for file deletion process. |
# Specify the location of the executable for file deletion process. |
|
# |
|
3404 |
#Default: |
#Default: |
3405 |
# unlinkd_program /usr/lib/squid/unlinkd |
# unlinkd_program /usr/lib64/squid/unlinkd |
3406 |
|
|
3407 |
# TAG: pinger_program |
# TAG: pinger_program |
|
# Note: This option is only available if Squid is rebuilt with the |
|
|
# --enable-icmp option |
|
|
# |
|
3408 |
# Specify the location of the executable for the pinger process. |
# Specify the location of the executable for the pinger process. |
|
# This is only useful if you configured Squid (during compilation) |
|
|
# with the '--enable-icmp' option. |
|
|
# |
|
3409 |
#Default: |
#Default: |
3410 |
# pinger_program /usr/lib/squid/ |
# pinger_program /usr/lib64/squid/pinger |
3411 |
|
|
3412 |
# TAG: redirect_program |
# TAG: pinger_enable |
3413 |
# Specify the location of the executable for the URL redirector. |
# Control whether the pinger is active at run-time. |
3414 |
# Since they can perform almost any function there isn't one included. |
# Enables turning ICMP pinger on and off with a simple |
3415 |
# See the Release-Notes for information on how to write one. |
# squid -k reconfigure. |
|
# By default, a redirector is not used. |
|
|
# |
|
3416 |
#Default: |
#Default: |
3417 |
# none |
# pinger_enable on |
3418 |
|
|
3419 |
# TAG: redirect_children |
# OPTIONS FOR URL REWRITING |
3420 |
# The number of redirector processes to spawn. If you start |
# ----------------------------------------------------------------------------- |
|
# too few Squid will have to wait for them to process a backlog of |
|
|
# URLs, slowing it down. If you start too many they will use RAM |
|
|
# and other system resources. |
|
|
# |
|
|
#Default: |
|
|
# redirect_children 5 |
|
3421 |
|
|
3422 |
# TAG: redirect_rewrites_host_header |
# TAG: url_rewrite_program |
3423 |
# By default Squid rewrites any Host: header in redirected |
# Specify the location of the executable URL rewriter to use. |
3424 |
# requests. If you are running a accelerator then this may |
# Since they can perform almost any function there isn't one included. |
|
# not be a wanted effect of a redirector. |
|
3425 |
# |
# |
3426 |
#Default: |
# For each requested URL, the rewriter will receive on line with the format |
|
# redirect_rewrites_host_header on |
|
|
|
|
|
# TAG: redirector_access |
|
|
# If defined, this access list specifies which requests are |
|
|
# sent to the redirector processes. By default all requests |
|
|
# are sent. |
|
3427 |
# |
# |
3428 |
#Default: |
# URL <SP> client_ip "/" fqdn <SP> user <SP> method [<SP> kvpairs]<NL> |
|
# none |
|
|
|
|
|
# TAG: authenticate_program |
|
|
# Specify the command for the external authenticator. Such a |
|
|
# program reads a line containing "username password" and replies |
|
|
# "OK" or "ERR" in an endless loop. If you use an authenticator, |
|
|
# make sure you have 1 acl of type proxy_auth. By default, the |
|
|
# authenticator_program is not used. |
|
3429 |
# |
# |
3430 |
# If you want to use the traditional proxy authentication, |
# In the future, the rewriter interface will be extended with |
3431 |
# jump over to the ../auth_modules/NCSA directory and |
# key=value pairs ("kvpairs" shown above). Rewriter programs |
3432 |
# type: |
# should be prepared to receive and possibly ignore additional |
3433 |
# % make |
# whitespace-separated tokens on each input line. |
|
# % make install |
|
3434 |
# |
# |
3435 |
# Then, set this line to something like |
# And the rewriter may return a rewritten URL. The other components of |
3436 |
|
# the request line does not need to be returned (ignored if they are). |
3437 |
# |
# |
3438 |
# authenticate_program /usr/bin/ncsa_auth /usr/etc/passwd |
# The rewriter can also indicate that a client-side redirect should |
3439 |
|
# be performed to the new URL. This is done by prefixing the returned |
3440 |
|
# URL with "301:" (moved permanently) or 302: (moved temporarily), etc. |
3441 |
# |
# |
3442 |
|
# By default, a URL rewriter is not used. |
3443 |
#Default: |
#Default: |
3444 |
# none |
# none |
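Review bot: "the rewriter will receive on line with the format" should be "one line", and "The other components of the request line does not need to be returned" should be "do not need". The block spells out the 301:/302: prefix convention but not the no-op case; say what a helper returns when it does not want to change the URL (an empty line versus echoing the URL unchanged), because a helper that gets that wrong either rewrites every request or stalls it.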
3445 |
|
|
3446 |
# TAG: authenticate_children |
# TAG: url_rewrite_children |
3447 |
# The number of authenticator processes to spawn (default 5). If you |
# The maximum number of redirector processes to spawn. If you limit |
3448 |
# start too few Squid will have to wait for them to process a backlog |
# it too few Squid will have to wait for them to process a backlog of |
3449 |
# of usercode/password verifications, slowing it down. When password |
# URLs, slowing it down. If you allow too many they will use RAM |
3450 |
# verifications are done via a (slow) network you are likely to need |
# and other system resources noticably. |
3451 |
# lots of authenticator processes. |
# |
3452 |
# |
# The startup= and idle= options allow some measure of skew in your |
3453 |
#Default: |
# tuning. |
3454 |
# authenticate_children 5 |
# |
3455 |
|
# startup= |
3456 |
# TAG: authenticate_ttl |
# |
3457 |
# The time a checked username/password combination remains cached. |
# Sets a minimum of how many processes are to be spawned when Squid |
3458 |
# If a wrong password is given for a cached user, the user gets |
# starts or reconfigures. When set to zero the first request will |
3459 |
# removed from the username/password cache forcing a revalidation. |
# cause spawning of the first child process to handle it. |
3460 |
# |
# |
3461 |
|
# Starting too few will cause an initial slowdown in traffic as Squid |
3462 |
|
# attempts to simultaneously spawn enough processes to cope. |
3463 |
|
# |
3464 |
|
# idle= |
3465 |
|
# |
3466 |
|
# Sets a minimum of how many processes Squid is to try and keep available |
3467 |
|
# at all times. When traffic begins to rise above what the existing |
3468 |
|
# processes can handle this many more will be spawned up to the maximum |
3469 |
|
# configured. A minimum setting of 1 is required. |
3470 |
|
# |
3471 |
|
# concurrency= |
3472 |
|
# |
3473 |
|
# The number of requests each redirector helper can handle in |
3474 |
|
# parallel. Defaults to 0 which indicates the redirector |
3475 |
|
# is a old-style single threaded redirector. |
3476 |
|
# |
3477 |
|
# When this directive is set to a value >= 1 then the protocol |
3478 |
|
# used to communicate with the helper is modified to include |
3479 |
|
# a request ID in front of the request/response. The request |
3480 |
|
# ID from the request must be echoed back with the response |
3481 |
|
# to that request. |
3482 |
|
#Default: |
3483 |
|
# url_rewrite_children 20 startup=0 idle=1 concurrency=0 |
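Review bot: "noticably" should be "noticeably", "If you limit it too few" should be "If you set it too low", and "is a old-style" should be "an old-style". The concurrency= paragraph says a request ID is put "in front of the request/response" and must be echoed back; say explicitly that it is the first whitespace-separated token on the line, ahead of the URL in the url_rewrite_program format shown above, otherwise helper authors have to guess where the ID goes.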
3484 |
|
|
3485 |
|
# TAG: url_rewrite_host_header |
3486 |
|
# To preserve same-origin security policies in browsers and |
3487 |
|
# prevent Host: header forgery by redirectors Squid rewrites |
3488 |
|
# any Host: header in redirected requests. |
3489 |
|
# |
3490 |
|
# If you are running an accelerator this may not be a wanted |
3491 |
|
# effect of a redirector. This directive enables you disable |
3492 |
|
# Host: alteration in reverse-proxy traffic. |
3493 |
|
# |
3494 |
|
# WARNING: Entries are cached on the result of the URL rewriting |
3495 |
|
# process, so be careful if you have domain-virtual hosts. |
3496 |
|
# |
3497 |
|
# WARNING: Squid and other software verifies the URL and Host |
3498 |
|
# are matching, so be careful not to relay through other proxies |
3499 |
|
# or inspecting firewalls with this disabled. |
3500 |
#Default: |
#Default: |
3501 |
# authenticate_ttl 1 hour |
# url_rewrite_host_header on |
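Review bot: "This directive enables you disable" is missing "to". Since the two WARNING paragraphs are the security content of this block, the opening sentence could say plainly what "off" permits: a rewriter changing the URL's host while the Host: header keeps its original value, which is exactly the forgery the default prevents; readers then see why the exception is limited to reverse-proxy (accelerator) traffic.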
3502 |
|
|
3503 |
# TAG: authenticate_ip_ttl |
# TAG: url_rewrite_access |
3504 |
# With this option you control how long a proxy authentication |
# If defined, this access list specifies which requests are |
3505 |
# will be bound to a specific IP address. If a request using |
# sent to the redirector processes. By default all requests |
3506 |
# the same user name is received during this time then access |
# are sent. |
|
# will be denied and both users are required to reauthenticate |
|
|
# them selves. The idea behind this is to make it annoying |
|
|
# for people to share their password to their friends, but |
|
|
# yet allow a dialup user to reconnect on a different dialup |
|
|
# port. |
|
|
# |
|
|
# The default is 0 to disable the check. Recommended value |
|
|
# if you have dialup users are no more than 60 seconds to allow |
|
|
# the user to redial without hassle. If all your users are |
|
|
# stationary then higher values may be used. |
|
|
# |
|
|
# See also authenticate_ip_ttl_is_strict |
|
3507 |
# |
# |
3508 |
|
# This clause supports both fast and slow acl types. |
3509 |
|
# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. |
3510 |
#Default: |
#Default: |
3511 |
# authenticate_ip_ttl 0 seconds |
# none |
3512 |
|
|
3513 |
# TAG: authenticate_ip_ttl_is_strict |
# TAG: url_rewrite_bypass |
3514 |
# This option makes authenticate_ip_ttl a bit stricted. With this |
# When this is 'on', a request will not go through the |
3515 |
# enabled authenticate_ip_ttl will deny all access from other IP |
# redirector if all redirectors are busy. If this is 'off' |
3516 |
# addresses until the TTL has expired, and the IP address "owning" |
# and the redirector queue grows too large, Squid will exit |
3517 |
# the userid will not be forced to reauthenticate. |
# with a FATAL error and ask you to increase the number of |
3518 |
# |
# redirectors. You should only enable this if the redirectors |
3519 |
|
# are not critical to your caching system. If you use |
3520 |
|
# redirectors for access control, and you enable this option, |
3521 |
|
# users may have access to pages they should not |
3522 |
|
# be allowed to request. |
3523 |
#Default: |
#Default: |
3524 |
# authenticate_ip_ttl_is_strict on |
# url_rewrite_bypass off |
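Review bot: the last sentence undersells the risk: with url_rewrite_bypass on, any burst that exhausts the helpers turns a redirector-based access control into a bypass for every request in the queue, and that burst can be provoked deliberately. Suggest saying "do not enable this if the redirector enforces policy; raise url_rewrite_children (and its startup=/idle= values) instead", pointing at the directive a few blocks up.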
|
|
|
3525 |
|
|
3526 |
# OPTIONS FOR TUNING THE CACHE |
# OPTIONS FOR TUNING THE CACHE |
3527 |
# ----------------------------------------------------------------------------- |
# ----------------------------------------------------------------------------- |
3528 |
|
|
3529 |
# TAG: wais_relay_host |
# TAG: cache |
3530 |
# TAG: wais_relay_port |
# A list of ACL elements which, if matched and denied, cause the request to |
3531 |
# Relay WAIS request to host (1st arg) at port (2 arg). |
# not be satisfied from the cache and the reply to not be cached. |
3532 |
|
# In other words, use this to force certain objects to never be cached. |
3533 |
# |
# |
3534 |
#Default: |
# You must use the words 'allow' or 'deny' to indicate whether items |
3535 |
# wais_relay_port 0 |
# matching the ACL should be allowed or denied into the cache. |
|
|
|
|
# TAG: request_header_max_size (KB) |
|
|
# This specifies the maximum size for HTTP headers in a request. |
|
|
# Request headers are usually relatively small (about 512 bytes). |
|
|
# Placing a limit on the request header size will catch certain |
|
|
# bugs (for example with persistent connections) and possibly |
|
|
# buffer-overflow or denial-of-service attacks. |
|
3536 |
# |
# |
3537 |
#Default: |
# Default is to allow all to be cached. |
|
# request_header_max_size 10 KB |
|
|
|
|
|
# TAG: request_body_max_size (KB) |
|
|
# This specifies the maximum size for an HTTP request body. |
|
|
# In other words, the maximum size of a PUT/POST request. |
|
|
# A user who attempts to send a request with a body larger |
|
|
# than this limit receives an "Invalid Request" error message. |
|
|
# If you set this parameter to a zero, there will be no limit |
|
|
# imposed. |
|
3538 |
# |
# |
3539 |
|
# This clause supports both fast and slow acl types. |
3540 |
|
# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. |
3541 |
#Default: |
#Default: |
3542 |
# request_body_max_size 1 MB |
# none |
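Review bot: the old column's request_header_max_size and request_body_max_size vanish here with no stub, and the old text itself describes them as catching "buffer-overflow or denial-of-service attacks"; either add "moved to ..." stubs or confirm they still exist elsewhere in this file so the diff is not read as dropping the limits. In the cache directive text, "if matched and denied" plus "You must use the words 'allow' or 'deny'" would read better with one example line, e.g. "cache deny QUERY" (QUERY being whatever acl the operator defines), making clear that deny means do-not-cache rather than do-not-serve.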
3543 |
|
|
3544 |
# TAG: reply_body_max_size (KB) |
# TAG: max_stale time-units |
3545 |
# This option specifies the maximum size of a reply body. It |
# This option puts an upper limit on how stale content Squid |
3546 |
# can be used to prevent users from downloading very large files, |
# will serve from the cache if cache validation fails. |
3547 |
# such as MP3's and movies. The reply size is checked twice. |
# Can be overriden by the refresh_pattern max-stale option. |
|
# First when we get the reply headers, we check the |
|
|
# content-length value. If the content length value exists and |
|
|
# is larger than this parameter, the request is denied and the |
|
|
# user receives an error message that says "the request or reply |
|
|
# is too large." If there is no content-length, and the reply |
|
|
# size exceeds this limit, the client's connection is just closed |
|
|
# and they will receive a partial reply. |
|
|
# |
|
|
# NOTE: downstream caches probably can not detect a partial reply |
|
|
# if there is no content-length header, so they will cache |
|
|
# partial responses and give them out as hits. You should NOT |
|
|
# use this option if you have downstream caches. |
|
|
# |
|
|
# If you set this parameter to zero (the default), there will be |
|
|
# no limit imposed. |
|
|
# |
|
3548 |
#Default: |
#Default: |
3549 |
# reply_body_max_size 0 |
# max_stale 1 week |
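Review bot: "overriden" should be "overridden". "how stale content Squid will serve from the cache if cache validation fails" should say what failure means here (the origin cannot be reached or returns an error during revalidation), since otherwise a reader may think max_stale applies to every stale hit. The old column's reply_body_max_size also disappears in this block without a stub, same issue as the request_*_max_size directives above.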
3550 |
|
|
# TAG: refresh_pattern
# usage: refresh_pattern [-i] regex min percent max [options]
# 'Max' is an upper limit on how long objects without an explicit
# expiry time will be considered fresh.
#
# options: override-expire
# override-lastmod
# reload-into-ims
# ignore-reload
# ignore-no-store
# ignore-must-revalidate
# ignore-private
# ignore-auth
# max-stale=NN
# refresh-ims
# store-stale
#
# override-expire enforces min age even if the server
# sent an explicit expiry time (e.g., with the
# Expires: header or Cache-Control: max-age). Doing this
# VIOLATES the HTTP standard. Enabling this feature
# could make you liable for problems which it causes.
#
# Note: override-expire does not enforce staleness - it only extends
# freshness / min. If the server returns an Expires time which
# is longer than your max time, Squid will still consider
# the object fresh for that period of time.
#
# override-lastmod enforces min age even on objects
# that were modified recently.
#
# reload-into-ims changes client no-cache or ``reload''
# to If-Modified-Since requests. Doing this VIOLATES the
# header. Doing this VIOLATES the HTTP standard. Enabling
# this feature could make you liable for problems which
# it causes.
#
# ignore-no-store ignores any ``Cache-control: no-store''
# headers received from a server. Doing this VIOLATES
# the HTTP standard. Enabling this feature could make you
# liable for problems which it causes.
#
# ignore-must-revalidate ignores any ``Cache-Control: must-revalidate''
# headers received from a server. Doing this VIOLATES
# the HTTP standard. Enabling this feature could make you
# liable for problems which it causes.
#
# ignore-private ignores any ``Cache-control: private''
# headers received from a server. Doing this VIOLATES
# the HTTP standard. Enabling this feature could make you
# liable for problems which it causes.
#
# ignore-auth caches responses to requests with authorization,
# as if the origin server had sent ``Cache-control: public''
# in the response header. Doing this VIOLATES the HTTP standard.
# Enabling this feature could make you liable for problems which
# it causes. On a shared cache, ignore-private and ignore-auth can
# also serve one user's private or authenticated response to another user.
#
# refresh-ims causes squid to contact the origin server
# when a client issues an If-Modified-Since request. This
# ensures that the client will receive an updated version
# if one is available.
#
# store-stale stores responses even if they don't have explicit
# freshness or a validator (i.e., Last-Modified or an ETag)
# present, or if they're already stale. By default, Squid will
# not cache such responses because they usually can't be
# reused. Note that such responses will be stale by default.
#
# max-stale=NN provides a maximum staleness factor. Squid won't
# serve objects more stale than this even if it failed to
# validate the object. Default: use the max_stale global limit.
#
# Basically a cached object is:
#
# FRESH if expires > now, else STALE
# STALE if age > max
#
# The refresh_pattern lines are checked in the order listed here.
# The first entry which matches is used. If none of the entries
# match, the default will be used.
#
# Note, you must uncomment all the default lines if you want
# to change one. The default setting is only active if none is
# used.
#
#Default:
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
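
# The ordering rules above (the first matching refresh_pattern line wins, and
# the built-in defaults are only active when the configuration contains no
# refresh_pattern line at all) are easy to get wrong when adding your own
# lines. The following Python is an added example, not code from Squid or from
# squid.conf: it parses refresh_pattern lines in the syntax given in the usage
# line above and resolves a URL to the line Squid would pick. The URLs and the
# deliberately misordered list are constructed for illustration, and Python's
# re module stands in for Squid's regex library.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class RefreshPattern:
    """One refresh_pattern line: [-i] regex min percent max [options]."""
    regex: str
    min_minutes: int
    percent: int
    max_minutes: int
    case_insensitive: bool = False
    options: Tuple[str, ...] = ()


def parse_refresh_pattern(line: str) -> RefreshPattern:
    """Parse a squid.conf refresh_pattern line. The regex is taken as the first
    token after the optional -i flag, so it must not contain whitespace (true
    for every default line)."""
    tokens = line.split()
    if not tokens or tokens[0] != "refresh_pattern":
        raise ValueError("not a refresh_pattern line: %r" % line)
    tokens = tokens[1:]
    case_insensitive = False
    if tokens and tokens[0] == "-i":
        case_insensitive = True
        tokens = tokens[1:]
    if len(tokens) < 4 or not tokens[2].endswith("%"):
        raise ValueError("malformed refresh_pattern: %r" % line)
    return RefreshPattern(
        regex=tokens[0],
        min_minutes=int(tokens[1]),
        percent=int(tokens[2][:-1]),
        max_minutes=int(tokens[3]),
        case_insensitive=case_insensitive,
        options=tuple(tokens[4:]),
    )


def select_refresh_pattern(url: str, patterns: List[RefreshPattern]) -> Optional[RefreshPattern]:
    """Return the first pattern whose regex matches the URL, in configuration
    order. None means no configured line matches; since the built-in defaults
    are disabled as soon as any refresh_pattern line exists, such a URL gets
    no refresh_pattern heuristics at all."""
    for pattern in patterns:
        flags = re.IGNORECASE if pattern.case_insensitive else 0
        if re.search(pattern.regex, url, flags):
            return pattern
    return None


# The shipped default lines, in the order shown above.
DEFAULT_LINES = [
    "refresh_pattern ^ftp: 1440 20% 10080",
    "refresh_pattern ^gopher: 1440 0% 1440",
    r"refresh_pattern -i (/cgi-bin/|\?) 0 0% 0",
    "refresh_pattern . 0 20% 4320",
]
DEFAULTS = [parse_refresh_pattern(line) for line in DEFAULT_LINES]

# Constructed misordering: the catch-all '.' placed first shadows every later
# line, so CGI and query URLs silently inherit a 4320 minute max.
SHADOWED = [DEFAULTS[3]] + DEFAULTS[:3]


def describe(url: str, patterns: List[RefreshPattern]) -> str:
    """Human-readable summary of which line a URL resolves to."""
    chosen = select_refresh_pattern(url, patterns)
    if chosen is None:
        return "%s -> no refresh_pattern matches" % url
    return "%s -> regex %r (min %d, %d%%, max %d)" % (
        url, chosen.regex, chosen.min_minutes, chosen.percent, chosen.max_minutes)


if __name__ == "__main__":
    for u in ("http://www.example.com/cgi-bin/search?q=squid",
              "http://www.example.com/CGI-BIN/search",
              "ftp://ftp.example.com/pub/README",
              "http://www.example.com/index.html"):
        print(describe(u, DEFAULTS))
        print(describe(u, SHADOWED))
```

# Running it shows the two mistakes the note above warns about: with the
# catch-all first, the cgi-bin line is never reached, and a configuration
# containing only the ^ftp: line leaves plain http URLs with no matching line.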

# TAG: quick_abort_min (KB)
#Default:
# quick_abort_min 16 KB

# TAG: quick_abort_max (KB)
#Default:
# quick_abort_max 16 KB

# TAG: quick_abort_pct (percent)
# The cache by default continues downloading aborted requests
# which are almost completed (less than 16 KB remaining). This
# may be undesirable on slow (e.g. SLIP) links and/or very busy
# caches. Impatient users may tie up file descriptors and
# bandwidth by repeatedly requesting and immediately aborting
# downloads.
#
# When the user aborts a request, Squid will compare the
# quick_abort values with the amount of data transferred until
# then.
#
# If the transfer has less than 'quick_abort_min' KB remaining,
# it will finish the retrieval.
#
# If the transfer has more than 'quick_abort_max' KB remaining,
# it will abort the retrieval.
#
# If more than 'quick_abort_pct' of the transfer has completed,
# it will finish the retrieval.
#
# If you do not want any retrieval to continue after the client
# has aborted, set both 'quick_abort_min' and 'quick_abort_max'
# to '0 KB'.
#
# If you want retrievals to always continue if they are being
# cached set 'quick_abort_min' to '-1 KB'.
#Default:
# quick_abort_pct 95
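
# To make the interaction of the three quick_abort values concrete, here is
# the decision procedure as the text above describes it, written in Python as
# an added example (not Squid's code). The byte counts are constructed. The
# handling of replies without a Content-Length is an assumption of this
# example, since the text does not say what Squid does when the amount
# remaining is unknown.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

KB = 1024


@dataclass(frozen=True)
class QuickAbort:
    """quick_abort_min and quick_abort_max in KB, quick_abort_pct in percent.
    Defaults are the shipped ones: 16 KB, 16 KB, 95."""
    min_kb: int = 16
    max_kb: int = 16
    pct: int = 95


def continue_after_client_abort(cfg: QuickAbort, received: int,
                                content_length: Optional[int]) -> bool:
    """Decide whether Squid keeps fetching an object after the client aborted.

    received        bytes of the reply body already transferred from the server
    content_length  declared reply length in bytes, or None if unknown
    Returns True to finish the retrieval, False to abort it.
    """
    # '-1 KB' for quick_abort_min: always continue retrievals that are being cached.
    if cfg.min_kb < 0:
        return True
    # Assumption (not stated in the documentation): without a Content-Length the
    # remaining size is unknown, none of the size tests below can pass, so abort.
    if content_length is None:
        return False
    remaining = content_length - received
    if remaining <= 0:
        return True            # nothing left to fetch
    if remaining < cfg.min_kb * KB:
        return True            # less than quick_abort_min remaining: finish
    if remaining > cfg.max_kb * KB:
        return False           # more than quick_abort_max remaining: abort
    # In between: finish only if more than quick_abort_pct percent is already done.
    return received * 100 > cfg.pct * content_length


def decision_table(cfg: QuickAbort, content_length: int,
                   received_points: List[int]) -> List[Tuple[int, bool]]:
    """(received, decision) pairs for one reply length, to see where a
    configuration flips from abort to continue."""
    return [(r, continue_after_client_abort(cfg, r, content_length))
            for r in received_points]


if __name__ == "__main__":
    total = 1000 * KB
    probes = [100 * KB, 900 * KB, 960 * KB, total - 16 * KB, total - 8 * KB]
    for name, cfg in (("default", QuickAbort()),
                      ("never continue", QuickAbort(0, 0, 95)),
                      ("always continue", QuickAbort(-1, 16, 95)),
                      ("pct window", QuickAbort(16, 512, 95))):
        print(name, decision_table(cfg, total, probes))
```

# With the shipped values quick_abort_min equals quick_abort_max, so the
# percentage test only decides when exactly 16 KB remain; raising
# quick_abort_max above quick_abort_min opens the window in which
# quick_abort_pct matters.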

# TAG: read_ahead_gap buffer-size
# The amount of data the cache will buffer ahead of what has been
# sent to the client when retrieving an object from another server.
#Default:
# read_ahead_gap 16 KB

# TAG: negative_ttl time-units
# Sets the default Time-to-Live (TTL) for failed requests.
# Certain types of failures (such as "connection refused" and
# "404 Not Found") can be negatively cached for a short time.
# Modern web servers should provide an Expires: header; if they
# do not, this directive provides a minimum TTL.
# The default is not to cache errors with unknown expiry details.
#
# Note that this is different from negative caching of DNS lookups.
#
# WARNING: Doing this VIOLATES the HTTP standard. Enabling
# this feature could make you liable for problems which it
# causes.
#Default:
# negative_ttl 0 seconds

# TAG: positive_dns_ttl time-units
# Upper limit on how long Squid will cache positive DNS responses.
# Default is 6 hours (360 minutes). This directive must be set
# larger than negative_dns_ttl.
#Default:
# positive_dns_ttl 6 hours

# TAG: negative_dns_ttl time-units
# Time-to-Live (TTL) for negative caching of failed DNS lookups.
# This also sets the lower cache limit on positive lookups.
# Minimum value is 1 second, and it is not recommended to go
# much below 10 seconds.
#Default:
# negative_dns_ttl 1 minutes

# TAG: range_offset_limit size [acl acl...]
# usage: (size) [units] [[!]aclname]
#
# Sets an upper limit on how far (number of bytes) into the file
# a Range request may be to cause Squid to prefetch the whole file.
# If beyond this limit, Squid forwards the Range request as it is and
# the result is NOT cached.
#
# This is to stop a far ahead range request (let's say start at 17MB)
# from making Squid fetch the whole object up to that point before
# sending anything to the client.
#
# Multiple range_offset_limit lines may be specified, and they will
# be searched from top to bottom on each request until a match is found.
# The first match found will be used. If no line matches a request, the
# default limit of 0 bytes will be used.
#
# 'size' is the limit specified as a number of units.
#
# 'units' specifies whether to use bytes, KB, MB, etc.
# If no units are specified bytes are assumed.
#
# A size of 0 causes Squid to never fetch more than the
# client requested. (default)
#
# A size of 'none' causes Squid to always fetch the object from the
# beginning so it may cache the result. (2.0 style)
#
# 'aclname' is the name of a defined ACL.
#
# NP: Using 'none' as the byte value here will override any quick_abort settings
# that may otherwise apply to the range request. The range request will
# be fully fetched from start to finish regardless of the client
# actions. This affects bandwidth usage.
#Default:
# none

# TAG: minimum_expiry_time (seconds)
# The minimum caching time, according to the (Expires - Date)
# headers, that Squid honors if the object can't be revalidated.
# Defaults to 60 seconds. In reverse proxy environments it
# might be desirable to honor shorter object lifetimes. It
# is most likely better to make your server return a
# meaningful Last-Modified header however. In ESI environments
# where page fragments often have short lifetimes, this will
# often be best set to 0.
#Default:
# minimum_expiry_time 60 seconds

# TAG: store_avg_object_size (bytes)
# Average object size, used to estimate number of objects your
# cache can hold. The default is 13 KB.
#Default:
# store_avg_object_size 13 KB

# TAG: store_objects_per_bucket
# Target number of objects per bucket in the store hash table.
# Lowering this value increases the total number of buckets and
# also the storage maintenance rate. The default is 20.
#Default:
# store_objects_per_bucket 20

# HTTP OPTIONS
# -----------------------------------------------------------------------------

# TAG: request_header_max_size (KB)
# This specifies the maximum size for HTTP headers in a request.
# Request headers are usually relatively small (about 512 bytes).
# Placing a limit on the request header size will catch certain
# bugs (for example with persistent connections) and possibly
# buffer-overflow or denial-of-service attacks.
#Default:
# request_header_max_size 64 KB

# TAG: reply_header_max_size (KB)
# This specifies the maximum size for HTTP headers in a reply.
# Reply headers are usually relatively small (about 512 bytes).
# Placing a limit on the reply header size will catch certain
# bugs (for example with persistent connections) and possibly
# buffer-overflow or denial-of-service attacks.
#Default:
# reply_header_max_size 64 KB

# TAG: request_body_max_size (bytes)
# This specifies the maximum size for an HTTP request body.
# In other words, the maximum size of a PUT/POST request.
# A user who attempts to send a request with a body larger
# than this limit receives an "Invalid Request" error message.
# If you set this parameter to zero (the default), there will
# be no limit imposed.
#Default:
# request_body_max_size 0 KB

# TAG: client_request_buffer_max_size (bytes)
# This specifies the maximum buffer size of a client request.
# It prevents Squid from eating too much memory when somebody uploads
# a large file.
#Default:
# client_request_buffer_max_size 512 KB

# TAG: chunked_request_body_max_size (bytes)
# A broken or confused HTTP/1.1 client may send a chunked HTTP
# request to Squid. Squid does not have full support for that
# feature yet. To cope with such requests, Squid buffers the
# entire request and then dechunks the request body to create a
# plain HTTP/1.0 request with a known content length. The plain
# request is then used by the rest of Squid code as usual.
#
# The option value specifies the maximum size of the buffer used
# to hold the request before the conversion. If the chunked
# request size exceeds the specified limit, the conversion
# fails, and the client receives an "unsupported request" error,
# as if dechunking was disabled.
#
# Dechunking is enabled by default. To disable conversion of
# chunked requests, set the maximum to zero.
#
# The request dechunking feature and this option in particular are a
# temporary hack. When chunked requests and responses are fully
# supported, there will be no need to buffer a chunked request.
#Default:
# chunked_request_body_max_size 64 KB

# TAG: broken_posts
# A list of ACL elements which, if matched, causes Squid to send
# an extra CRLF pair after the body of a PUT/POST request.
#
# Some HTTP servers have broken implementations of PUT/POST,
# and rely on an extra CRLF pair sent by some WWW clients.
#
# Quote from RFC2616 section 4.1 on this matter:
#
# Note: certain buggy HTTP/1.0 client implementations generate
# extra CRLF's after a POST request. To restate what is explicitly
# forbidden by the BNF, an HTTP/1.1 client must not preface or follow
# a request with an extra CRLF.
#
# This clause only supports fast acl types.
# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
#
#Example:
# acl buggy_server url_regex ^http://....
# broken_posts allow buggy_server
#Default:
# none

# TAG: adaptation_uses_indirect_client on|off
# Controls whether the indirect client IP address (instead of the direct
# client IP address) is passed to adaptation services.
#
# See also: follow_x_forwarded_for adaptation_send_client_ip
#Default:
# adaptation_uses_indirect_client on

# TAG: via on|off
# If set (default), Squid will include a Via header in requests and
# replies as required by RFC2616.
#Default:
# via on

# TAG: ie_refresh on|off
# Microsoft Internet Explorer up until version 5.5 Service
# Pack 1 has an issue with transparent proxies, wherein it
# is impossible to force a refresh. Turning this on provides
# a partial fix to the problem, by causing all IMS-REFRESH
# requests from older IE versions to check the origin server
# for fresh content. This reduces hit ratio by some amount
# (~10% in my experience), but allows users to actually get
# fresh content when they want it. Note that because Squid
# cannot tell if the user is using 5.5 or 5.5SP1, the behavior
# of 5.5 is unchanged from old versions of Squid (i.e. a
# forced refresh is impossible). Newer versions of IE will,
# hopefully, continue to have the new behavior and will be
# handled based on that assumption. This option defaults to
# the old Squid behavior, which is better for hit ratios but
# worse for clients using IE, if they need to be able to
# force fresh content.
#Default:
# ie_refresh off

# TAG: vary_ignore_expire on|off
# Many HTTP servers supporting Vary give such objects an
# immediate expiry time with no cache-control header
# when requested by an HTTP/1.0 client. This option
# enables Squid to ignore such expiry times until
# HTTP/1.1 is fully implemented.
#
# WARNING: If turned on this may eventually cause some
# varying objects not intended for caching to get cached.
#Default:
# vary_ignore_expire off

# TAG: request_entities
# Squid defaults to deny GET and HEAD requests with request entities,
# as the meaning of such requests is undefined in the HTTP standard
# even if not explicitly forbidden.
#
# Set this directive to on if you have clients which insist
# on sending request entities in GET or HEAD requests. But be warned
# that there is server software (both proxies and web servers) which
# can fail to properly process this kind of request, which may make you
# vulnerable to cache pollution attacks if enabled.
#Default:
# request_entities off

# TAG: request_header_access
# Usage: request_header_access header_name allow|deny [!]aclname ...
#
# WARNING: Doing this VIOLATES the HTTP standard. Enabling
# this feature could make you liable for problems which it
# causes.
#
# This option replaces the old 'anonymize_headers' and the
# older 'http_anonymizer' option with something that is much
# more configurable. A list of ACLs for each header name allows
# removal of specific header fields under specific conditions.
#
# This option only applies to outgoing HTTP request headers (i.e.,
# headers sent by Squid to the next HTTP hop such as a cache peer
# or an origin server). The option has no effect during cache hit
# detection. The equivalent adaptation vectoring point in ICAP
# terminology is post-cache REQMOD.
#
# The option is applied to individual outgoing request header
# fields. For each request header field F, Squid uses the first
# qualifying set of request_header_access rules:
#
# 1. Rules with header_name equal to F's name.
# 2. Rules with header_name 'Other', provided F's name is not
# on the hard-coded list of commonly used HTTP header names.
# 3. Rules with header_name 'All'.
#
# Within that qualifying rule set, rule ACLs are checked as usual.
# If ACLs of an "allow" rule match, the header field is allowed to
# go through as is. If ACLs of a "deny" rule match, the header is
# removed and request_header_replace is then checked to identify
# if the removed header has a replacement. If no rules within the
# set have matching ACLs, the header field is left as is.
#
# For example, to achieve the same behavior as the old
# 'http_anonymizer standard' option, you should use:
#
# request_header_access From deny all
# request_header_access Referer deny all
# request_header_access Server deny all
# request_header_access User-Agent deny all
# request_header_access WWW-Authenticate deny all
# request_header_access Link deny all
#
# Or, to reproduce the old 'http_anonymizer paranoid' feature
# you should use:
#
# request_header_access Allow allow all
# request_header_access Authorization allow all
# request_header_access WWW-Authenticate allow all
# request_header_access Proxy-Authorization allow all
# request_header_access Proxy-Authenticate allow all
# request_header_access Cache-Control allow all
# request_header_access Content-Encoding allow all
# request_header_access Content-Length allow all
# request_header_access Content-Type allow all
# request_header_access Date allow all
# request_header_access Expires allow all
# request_header_access Host allow all
# request_header_access If-Modified-Since allow all
# request_header_access Last-Modified allow all
# request_header_access Location allow all
# request_header_access Pragma allow all
# request_header_access Accept allow all
# request_header_access Accept-Charset allow all
# request_header_access Accept-Encoding allow all
# request_header_access Accept-Language allow all
# request_header_access Content-Language allow all
# request_header_access Mime-Version allow all
# request_header_access Retry-After allow all
# request_header_access Title allow all
# request_header_access Connection allow all
# request_header_access All deny all
#
# although many of those are HTTP reply headers, and so should be
# controlled with the reply_header_access directive.
#
# By default, all headers are allowed (no anonymizing is
# performed).
#Default:
# none

|
# TAG: reply_header_access |
4029 |
|
# Usage: reply_header_access header_name allow|deny [!]aclname ... |
4030 |
|
# |
4031 |
|
# WARNING: Doing this VIOLATES the HTTP standard. Enabling |
4032 |
|
# this feature could make you liable for problems which it |
4033 |
|
# causes. |
4034 |
|
# |
4035 |
|
# This option only applies to reply headers, i.e., from the |
4036 |
|
# server to the client. |
4037 |
|
# |
4038 |
|
# This is the same as request_header_access, but in the other |
4039 |
|
# direction. Please see request_header_access for detailed |
4040 |
|
# documentation. |
4041 |
|
# |
4042 |
|
# For example, to achieve the same behavior as the old |
4043 |
|
# 'http_anonymizer standard' option, you should use: |
4044 |
|
# |
4045 |
|
# reply_header_access From deny all |
4046 |
|
# reply_header_access Referer deny all |
4047 |
|
# reply_header_access Server deny all |
4048 |
|
# reply_header_access User-Agent deny all |
4049 |
|
# reply_header_access WWW-Authenticate deny all |
4050 |
|
# reply_header_access Link deny all |
4051 |
|
# |
4052 |
|
# Or, to reproduce the old 'http_anonymizer paranoid' feature |
4053 |
|
# you should use: |
4054 |
|
# |
4055 |
|
# reply_header_access Allow allow all |
4056 |
|
# reply_header_access Authorization allow all |
4057 |
|
# reply_header_access WWW-Authenticate allow all |
4058 |
|
# reply_header_access Proxy-Authorization allow all |
4059 |
|
# reply_header_access Proxy-Authenticate allow all |
4060 |
|
# reply_header_access Cache-Control allow all |
4061 |
|
# reply_header_access Content-Encoding allow all |
4062 |
|
# reply_header_access Content-Length allow all |
4063 |
|
# reply_header_access Content-Type allow all |
4064 |
|
# reply_header_access Date allow all |
4065 |
|
# reply_header_access Expires allow all |
4066 |
|
# reply_header_access Host allow all |
4067 |
|
# reply_header_access If-Modified-Since allow all |
4068 |
|
# reply_header_access Last-Modified allow all |
4069 |
|
# reply_header_access Location allow all |
4070 |
|
# reply_header_access Pragma allow all |
4071 |
|
# reply_header_access Accept allow all |
4072 |
|
# reply_header_access Accept-Charset allow all |
4073 |
|
# reply_header_access Accept-Encoding allow all |
4074 |
|
# reply_header_access Accept-Language allow all |
4075 |
|
# reply_header_access Content-Language allow all |
4076 |
|
# reply_header_access Mime-Version allow all |
4077 |
|
# reply_header_access Retry-After allow all |
4078 |
|
# reply_header_access Title allow all |
4079 |
|
# reply_header_access Connection allow all |
4080 |
|
# reply_header_access All deny all |
4081 |
|
# |
4082 |
|
# although the HTTP request headers won't be usefully controlled |
4083 |
|
# by this directive -- see request_header_access for details. |
4084 |
|
# |
4085 |
|
# By default, all headers are allowed (no anonymizing is |
4086 |
|
# performed). |
4087 |
|
#Default: |
4088 |
|
# none |
4089 |
|
|
4090 |
|
# TAG: request_header_replace |
4091 |
|
# Usage: request_header_replace header_name message |
4092 |
|
# Example: request_header_replace User-Agent Nutscrape/1.0 (CP/M; 8-bit) |
4093 |
|
# |
4094 |
|
# This option allows you to change the contents of headers |
4095 |
|
# denied with request_header_access above, by replacing them |
4096 |
|
# with some fixed string. This replaces the old fake_user_agent |
4097 |
|
# option. |
4098 |
|
# |
4099 |
|
# This only applies to request headers, not reply headers. |
4100 |
|
# |
4101 |
|
# By default, headers are removed if denied. |
4102 |
|
#Default: |
4103 |
|
# none |
4104 |
|
|
4105 |
|
# TAG: reply_header_replace |
4106 |
|
# Usage: reply_header_replace header_name message |
4107 |
|
# Example: reply_header_replace Server Foo/1.0 |
4108 |
|
# |
4109 |
|
# This option allows you to change the contents of headers |
4110 |
|
# denied with reply_header_access above, by replacing them |
4111 |
|
# with some fixed string. |
4112 |
|
# |
4113 |
|
# This only applies to reply headers, not request headers. |
4114 |
|
# |
4115 |
|
# By default, headers are removed if denied. |
4116 |
|
#Default: |
4117 |
|
# none |
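
# The rule selection described under request_header_access (rules for the
# exact header name, then 'Other' rules for names not on Squid's well-known
# list, then 'All' rules; within the chosen set the first rule whose ACLs
# match decides; a denied field is removed unless a *_header_replace value
# exists) applies in the same way to reply_header_access and to the two
# *_header_replace directives above. The Python below is an added example,
# not Squid code, that implements that procedure over a constructed set of
# outgoing request headers using the 'standard' and 'paranoid' rule sets
# listed above. KNOWN_HEADERS is a small stand-in for Squid's hard-coded
# header table, the ACL predicates (including the assumed 'localnet' ACL)
# are toy versions of squid.conf ACLs, and header names compare
# case-insensitively as in HTTP.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Stand-in for Squid's hard-coded list of well-known header names (assumption:
# only the names this example needs). It decides whether 'Other' rules apply.
KNOWN_HEADERS = {n.lower() for n in (
    "Accept", "Authorization", "Cache-Control", "Connection", "Content-Length",
    "Content-Type", "Cookie", "Date", "Expires", "From", "Host", "If-Modified-Since",
    "Last-Modified", "Location", "Pragma", "Referer", "Server", "User-Agent",
    "Via", "WWW-Authenticate")}

# ACLs as predicates over a request context. 'all' always matches; 'localnet'
# is a constructed stand-in for a src ACL covering 10.0.0.0/8.
ACLS: Dict[str, Callable[[dict], bool]] = {
    "all": lambda ctx: True,
    "localnet": lambda ctx: ctx.get("src", "").startswith("10."),
}


@dataclass(frozen=True)
class HeaderAccessRule:
    header_name: str        # a header name, 'Other' or 'All'
    allow: bool             # True for allow, False for deny
    acls: Tuple[str, ...]   # [!]aclname ...; every listed ACL must match


def parse_header_access(line: str) -> HeaderAccessRule:
    """Parse 'request_header_access|reply_header_access name allow|deny [!]acl ...'."""
    t = line.split()
    if (len(t) < 4 or t[0] not in ("request_header_access", "reply_header_access")
            or t[2] not in ("allow", "deny")):
        raise ValueError("not a header access line: %r" % line)
    return HeaderAccessRule(t[1], t[2] == "allow", tuple(t[3:]))


def acls_match(acls: Tuple[str, ...], ctx: dict) -> bool:
    """All listed ACLs must match; a leading '!' negates that ACL."""
    for name in acls:
        negate = name.startswith("!")
        if ACLS[name.lstrip("!")](ctx) == negate:
            return False
    return True


def qualifying_rules(field_name: str, rules: List[HeaderAccessRule]) -> List[HeaderAccessRule]:
    """Steps 1-3 of the text: rules for the exact name; else 'Other' rules, but
    only for names not on the well-known list; else 'All' rules."""
    lname = field_name.lower()
    exact = [r for r in rules if r.header_name.lower() == lname]
    if exact:
        return exact
    if lname not in KNOWN_HEADERS:
        other = [r for r in rules if r.header_name.lower() == "other"]
        if other:
            return other
    return [r for r in rules if r.header_name.lower() == "all"]


def apply_header_access(headers: List[Tuple[str, str]], rules: List[HeaderAccessRule],
                        replacements: Dict[str, str],
                        ctx: Optional[dict] = None) -> List[Tuple[str, str]]:
    """Within the qualifying set the first rule whose ACLs match decides. Deny
    removes the field, or substitutes the *_header_replace value when one is
    configured; if no rule matches, the field passes through unchanged."""
    ctx = ctx or {}
    repl = {k.lower(): v for k, v in replacements.items()}
    out = []
    for name, value in headers:
        verdict = None
        for rule in qualifying_rules(name, rules):
            if acls_match(rule.acls, ctx):
                verdict = rule.allow
                break
        if verdict is None or verdict:
            out.append((name, value))
        elif name.lower() in repl:
            out.append((name, repl[name.lower()]))
    return out


# Constructed outgoing request. X-Forwarded-For is not on the well-known list.
REQUEST_HEADERS = [
    ("Host", "www.example.com"),
    ("User-Agent", "Mozilla/5.0 (X11; Linux x86_64)"),
    ("Referer", "http://intranet.example.com/internal-report"),
    ("Accept", "text/html"),
    ("X-Forwarded-For", "10.1.2.3"),
    ("Cookie", "session=abc123"),
]
# The 'http_anonymizer standard' equivalent above, plus the User-Agent replacement.
STANDARD_RULES = [parse_header_access("request_header_access %s deny all" % h)
                  for h in ("From", "Referer", "Server", "User-Agent", "WWW-Authenticate", "Link")]
STANDARD_REPLACE = {"User-Agent": "Nutscrape/1.0 (CP/M; 8-bit)"}
# The 'http_anonymizer paranoid' equivalent above: allow list, then 'All deny all'.
PARANOID_RULES = [HeaderAccessRule(h, True, ("all",)) for h in (
    "Allow", "Authorization", "WWW-Authenticate", "Proxy-Authorization", "Proxy-Authenticate",
    "Cache-Control", "Content-Encoding", "Content-Length", "Content-Type", "Date", "Expires",
    "Host", "If-Modified-Since", "Last-Modified", "Location", "Pragma", "Accept",
    "Accept-Charset", "Accept-Encoding", "Accept-Language", "Content-Language",
    "Mime-Version", "Retry-After", "Title", "Connection")] + [HeaderAccessRule("All", False, ("all",))]
# Constructed policy: strip non-standard headers; hide Referer except from localnet.
OTHER_RULES = [parse_header_access("request_header_access Other deny all"),
               parse_header_access("request_header_access Referer deny !localnet")]
```

# Two things the rule text implies become visible when this runs: under the
# paranoid set a Cookie header is dropped even though it is never named,
# because it falls through to 'All deny all', while an unknown header such as
# X-Forwarded-For is the only thing an 'Other deny all' line removes.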
4118 |
|
|
4119 |
|
# TAG: relaxed_header_parser on|off|warn |
4120 |
|
# In the default "on" setting Squid accepts certain forms |
4121 |
|
# of non-compliant HTTP messages where it is unambiguous |
4122 |
|
# what the sending application intended even if the message |
4123 |
|
# is not correctly formatted. The messages is then normalized |
4124 |
|
# to the correct form when forwarded by Squid. |
4125 |
|
# |
4126 |
|
# If set to "warn" then a warning will be emitted in cache.log |
4127 |
|
# each time such HTTP error is encountered. |
4128 |
|
# |
4129 |
|
# If set to "off" then such HTTP errors will cause the request |
4130 |
|
# or response to be rejected. |
4131 |
|
#Default: |
4132 |
|
# relaxed_header_parser on |
4133 |
|
|
# TIMEOUTS
# -----------------------------------------------------------------------------

# TAG: forward_timeout time-units
# This parameter specifies how long, at most, Squid should keep trying
# to find a forwarding path for the request before giving up.
#Default:
# forward_timeout 4 minutes

# TAG: connect_timeout time-units
# This parameter specifies how long to wait for the TCP connect to
# the requested server or peer to complete before Squid should
# attempt to find another path to forward the request through.
#Default:
# connect_timeout 1 minute

# TAG: peer_connect_timeout time-units
# This parameter specifies how long to wait for a pending TCP
# connection to a peer cache. The default is 30 seconds. You
# may also set different timeout values for individual neighbors
# with the 'connect-timeout' option on a 'cache_peer' line.
#Default:
# peer_connect_timeout 30 seconds

# TAG: read_timeout time-units
# The read_timeout is applied on server-side connections. After
# each successful read(), the timeout will be extended by this
# amount. If no data is read again after this amount of time,
# the request is aborted and logged with ERR_READ_TIMEOUT. The
# default is 15 minutes.
#Default:
# read_timeout 15 minutes

# TAG: write_timeout time-units
# This timeout is tracked for all connections that have data
# available for writing and are waiting for the socket to become
# ready. After each successful write, the timeout is extended by
# the configured amount. If Squid has data to write but the
# connection is not ready for the configured duration, the
# transaction associated with the connection is terminated. The
# default is 15 minutes.
#Default:
# write_timeout 15 minutes

# TAG: request_timeout
# How long to wait for complete HTTP request headers after initial
# connection establishment.
#Default:
# request_timeout 5 minutes

# TAG: client_idle_pconn_timeout
# How long to wait for the next HTTP request on a persistent
# client connection after the previous request completes.
#Default:
# client_idle_pconn_timeout 2 minutes

# TAG: client_lifetime time-units
# The maximum amount of time a client (browser) is allowed to
# remain connected to the cache process. This protects the Cache
# from having a lot of sockets (and hence file descriptors) tied up
# in a CLOSE_WAIT state from remote clients that go away without
# should probably change client_lifetime only as a last resort.
# If you seem to have many client connections tying up
# file descriptors, we recommend first tuning the read_timeout,
# request_timeout, persistent_request_timeout and quick_abort values.
#Default:
# client_lifetime 1 day

# TAG: half_closed_clients on|off
# Some clients may shut down the sending side of their TCP
# connections, while leaving their receiving sides open. Sometimes,
# Squid can not tell the difference between a half-closed and a
# fully-closed TCP connection.
#
# By default, Squid will immediately close client connections when
# read(2) returns "no more data to read."
#
# Change this option to 'on' and Squid will keep open connections
# until a read(2) or write(2) on the socket returns an error.
# This may show some benefits for reverse proxies; otherwise it
# is recommended to leave it off.
#Default:
# half_closed_clients off

# TAG: server_idle_pconn_timeout
# Timeout for idle persistent connections to servers and other
# proxies.
#Default:
# server_idle_pconn_timeout 1 minute

# TAG: ident_timeout
# Note: This option is only available if Squid is rebuilt with the
# --enable-ident-lookups
#
# Maximum time to wait for IDENT lookups to complete.
#
# If this is too high, and you enabled IDENT lookups from untrusted
# users, you might be susceptible to denial-of-service by having
# many ident requests going at once.
#Default:
# ident_timeout 10 seconds

# TAG: shutdown_lifetime time-units
# This value is the lifetime to set for all open descriptors
# during shutdown mode. Any active clients after this many
# seconds will receive a 'timeout' message.
#Default:
# shutdown_lifetime 30 seconds
#
shutdown_lifetime 5 seconds

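# The timeout directives above are written in time-units ("4 minutes",
# "1 day") and only make sense relative to each other: client_lifetime
# is the outer bound on a client connection and the comment there says
# to tune the per-phase timeouts first. The Python below is an added
# example, not Squid code, that parses the time-units syntax and checks
# a constructed squid.conf fragment for the relations the section
# states. Two checks are this example's own heuristics and are marked as
# such: forward_timeout should not be shorter than a single
# connect_timeout attempt, and ident_timeout (whose comment warns about
# denial of service from many pending lookups) is flagged when it exceeds
# request_timeout. A bare number is read as seconds, also an assumption.

```python
import re

UNITS = {  # seconds per unit, singular and plural as squid.conf writes them
    "second": 1, "seconds": 1, "minute": 60, "minutes": 60,
    "hour": 3600, "hours": 3600, "day": 86400, "days": 86400,
}


def parse_time_units(value: str) -> int:
    """Turn a time-units value such as '4 minutes' into seconds.
    A bare number is read as seconds (assumption made for this example)."""
    m = re.fullmatch(r"\s*(\d+)\s*([A-Za-z]*)\s*", value)
    if m is None:
        raise ValueError("bad time value: %r" % value)
    amount, unit = int(m.group(1)), (m.group(2) or "seconds").lower()
    if unit not in UNITS:
        raise ValueError("unknown time unit in %r" % value)
    return amount * UNITS[unit]


def load_timeouts(conf: str) -> dict:
    """Collect the timeout directives from a squid.conf fragment.
    Comments and blank lines are skipped; a later line overrides an earlier one."""
    found = {}
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        name, value = parts
        if name.endswith("_timeout") or name in ("client_lifetime", "shutdown_lifetime"):
            found[name] = parse_time_units(value)
    return found


def check_timeouts(t: dict) -> list:
    """Return human-readable findings; an empty list means the fragment is consistent."""
    findings = []
    lifetime = t.get("client_lifetime")
    if lifetime is not None:
        # client_lifetime is the outer bound on a client connection, so no
        # per-phase timeout should be allowed to outlive it.
        for name, secs in t.items():
            if name not in ("client_lifetime", "shutdown_lifetime") and secs > lifetime:
                findings.append("%s (%ds) exceeds client_lifetime (%ds)" % (name, secs, lifetime))
    if "connect_timeout" in t and "forward_timeout" in t and t["forward_timeout"] < t["connect_timeout"]:
        # Heuristic (assumption): forward_timeout bounds the whole search for a
        # path while connect_timeout bounds one attempt, so one attempt should
        # not be able to exhaust the forwarding budget.
        findings.append("forward_timeout (%ds) is shorter than connect_timeout (%ds)"
                        % (t["forward_timeout"], t["connect_timeout"]))
    if "ident_timeout" in t and "request_timeout" in t and t["ident_timeout"] > t["request_timeout"]:
        # Heuristic (assumption): an IDENT lookup pending longer than Squid
        # waits for request headers keeps resources tied up per request.
        findings.append("ident_timeout (%ds) exceeds request_timeout (%ds)"
                        % (t["ident_timeout"], t["request_timeout"]))
    return findings


# Constructed fragment using the defaults documented in this section.
DEFAULTS_CONF = """
# defaults from the TIMEOUTS section
forward_timeout 4 minutes
connect_timeout 1 minute
peer_connect_timeout 30 seconds
read_timeout 15 minutes
write_timeout 15 minutes
request_timeout 5 minutes
client_idle_pconn_timeout 2 minutes
client_lifetime 1 day
server_idle_pconn_timeout 1 minute
ident_timeout 10 seconds
shutdown_lifetime 5 seconds
"""

# Constructed fragment with the relations inverted, to show the findings.
BAD_CONF = """
connect_timeout 10 minutes
forward_timeout 4 minutes
client_lifetime 1 minute
"""

if __name__ == "__main__":
    print(check_timeouts(load_timeouts(DEFAULTS_CONF)))  # []
    for finding in check_timeouts(load_timeouts(BAD_CONF)):
        print("finding:", finding)
```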
# ADMINISTRATIVE PARAMETERS
# -----------------------------------------------------------------------------

# TAG: cache_mgr
# Email-address of local cache manager who will receive
# mail if the cache dies. The default is "webmaster."
#Default:
# cache_mgr root

# TAG: mail_from
# From: email-address for mail sent when the cache dies.
# The default is to use 'appname@unique_hostname'.
# The default appname value is "squid"; it can be changed in
# src/globals.h before building Squid.
#Default:
# none

# TAG: mail_program
# Email program used to send mail if the cache dies.
# The default is "mail". The specified program must comply
# with the standard Unix mail syntax:
# mail-program recipient < mailfile
#
# Optional command line options can be specified.
#Default:
# mail_program mail

# TAG: cache_effective_user
# If you start Squid as root, it will change its effective/real
# UID/GID to the user specified below. The default is to change
# to the UID of squid.
# See also: cache_effective_group
#Default:
# cache_effective_user squid
#
cache_effective_user squid

# TAG: cache_effective_group
# Squid sets the GID to the effective user's default group ID
# (taken from the password file) and supplementary group list
# from the groups membership.
#
# If you want Squid to run with a specific GID regardless of
# the group memberships of the effective user then set this
# to the group (or GID) you want Squid to run as. When set,
# all other group privileges of the effective user are ignored
# and only this GID is effective. If Squid is not started as
# root the user starting Squid MUST be a member of the specified
# group.
#
# This option is not recommended by the Squid Team.
# Our preference is for administrators to configure a secure
# user account for squid with UID/GID matching system policies.
#Default:
# cache_effective_group squid
#
cache_effective_group squid

# TAG: httpd_suppress_version_string on|off
# Suppress Squid version string info in HTTP headers and HTML error pages.
#Default:
# httpd_suppress_version_string off

# TAG: visible_hostname
# If you want to present a special hostname in error messages, etc,
# define this. Otherwise, the return value of gethostname()
# will be used. If you have multiple caches in a cluster and
# get errors about IP-forwarding you must set them to have individual
# names with this setting.
#Default:
# visible_hostname unconfigured

# TAG: unique_hostname
# If you want to have multiple machines with the same
# 'visible_hostname' you must give each machine a different
# 'unique_hostname' so forwarding loops can be detected.
#Default:
# none

# TAG: hostname_aliases
# A list of other DNS names your cache has.
#Default:
# none

# TAG: umask
# Minimum umask which should be enforced while the proxy
# is running, in addition to the umask set at startup.
#
# For a traditional octal representation of umasks, start
# your value with 0.
#Default:
# umask 027

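# cache_effective_user, cache_effective_group and umask together describe
# a daemon started as root dropping to an unprivileged identity. The
# Python below is an added example of that sequence, not Squid's own
# code: it resolves the target identity the way the directives describe
# (default group plus supplementary groups from the group file, or a
# single GID when a group is forced), changes groups and GID before the
# UID, verifies afterwards that setuid(0) fails, and shows what a 027
# umask does to requested file modes. drop_privileges() must itself be
# run as root; the helpers run as anyone. The user/group names are
# whatever you configured; "squid" is only this page's default.

```python
import grp
import os
import pwd


def parse_umask(value: str) -> int:
    """squid.conf umask values are octal digits; '027' -> 0o027."""
    if not value.isdigit() or any(ch in "89" for ch in value):
        raise ValueError("umask must be octal digits: %r" % value)
    return int(value, 8)


def effective_mode(requested: int, umask: int) -> int:
    """Mode a file ends up with once the umask is applied: requested & ~umask."""
    return requested & ~umask & 0o7777


def resolve_target(user: str, group=None):
    """(uid, gid, supplementary_gids) that the drop should switch to.

    Without cache_effective_group the GID and the supplementary list come
    from the password and group files, as the directive comment describes;
    with it set, only that single GID is kept."""
    pw = pwd.getpwnam(user)
    if group is None:
        gid = pw.pw_gid
        groups = sorted({g.gr_gid for g in grp.getgrall() if user in g.gr_mem} | {gid})
    else:
        gid = int(group) if str(group).isdigit() else grp.getgrnam(group).gr_gid
        groups = [gid]
    return pw.pw_uid, gid, groups


def drop_privileges(user: str, group=None, umask: str = "027") -> bool:
    """Drop from root to the configured identity.

    Order matters: supplementary groups and the GID must be changed while
    still root, and the UID last, because after setuid() the other calls
    are no longer permitted."""
    if os.geteuid() != 0:
        raise PermissionError("must be started as root to change UID/GID")
    uid, gid, groups = resolve_target(user, group)
    os.setgroups(groups)
    os.setgid(gid)
    os.setuid(uid)
    os.umask(parse_umask(umask))
    # Verify the drop is permanent: with real, effective and saved UID all
    # changed, a later setuid(0) must fail.
    try:
        os.setuid(0)
    except PermissionError:
        return True
    raise RuntimeError("root could be regained: privilege drop is incomplete")


if __name__ == "__main__":
    print(oct(effective_mode(0o666, parse_umask("027"))))  # 0o640
    print(oct(effective_mode(0o777, parse_umask("027"))))  # 0o750
    print(resolve_target("root"))
```

# With umask 027 a file created with mode 0666 ends up 0640 and a
# directory created with 0777 ends up 0750, so nothing Squid writes
# (logs, cache directories) is world-readable.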
# OPTIONS FOR THE CACHE REGISTRATION SERVICE
# -----------------------------------------------------------------------------

# TAG: announce_period time-units
# default is `0' which disables sending the announcement
# messages.
#
# To enable announcing your cache, just set an announce period.
#
# Example:
# announce_period 1 day
#Default:
# announce_period 0

# TAG: announce_host
#Default:
# announce_host tracker.ircache.net

# TAG: announce_file
#Default:
# none

# TAG: announce_port
# announce_host and announce_port set the hostname and port
# number where the registration message will be sent.
# defaults to 3131. If the 'filename' argument is given,
# the contents of that file will be included in the announce
# message.
#Default:
# announce_port 3131

# HTTPD-ACCELERATOR OPTIONS
# -----------------------------------------------------------------------------

# TAG: httpd_accel_surrogate_id
# Surrogates (http://www.esi.org/architecture_spec_1.0.html)
# need an identification token to allow control targeting. Because
# a farm of surrogates may all perform the same tasks, they may share
# an identification token.
#
# The default ID is the visible_hostname.
#Default:
# none

# TAG: http_accel_surrogate_remote on|off
# Remote surrogates (such as those in a CDN) honour Surrogate-Control: no-store-remote.
# Set this to on to have squid behave as a remote surrogate.
#Default:
# http_accel_surrogate_remote off

# TAG: esi_parser libxml2|expat|custom
# Note: This option is only available if Squid is rebuilt with the
# --enable-esi
#
# ESI markup is not strictly XML compatible. The custom ESI parser
# will give higher performance, but cannot handle non ASCII character
# encodings.
#Default:
# esi_parser custom

# DELAY POOL PARAMETERS
# -----------------------------------------------------------------------------

# TAG: delay_pools
# This represents the number of delay pools to be used. For example,
# if you have one class 2 delay pool and one class 3 delay pool, you
# have a total of 2 delay pools.
#Default:
# delay_pools 0

# TAG: delay_class
# This defines the class of each delay pool. There must be exactly one
# delay_class line for each delay pool. For example, to define two
# delay pools, one of class 2 and one of class 3, the settings above
# and here would be:
#
# Example:
# delay_pools 4 # 4 delay pools
# delay_class 1 2 # pool 1 is a class 2 pool
# delay_class 2 3 # pool 2 is a class 3 pool
# delay_class 3 4 # pool 3 is a class 4 pool
# delay_class 4 5 # pool 4 is a class 5 pool
#
# The delay pool classes are:
#
# class 1 Everything is limited by a single aggregate
# bucket.
#
# class 2 Everything is limited by a single aggregate
# bucket as well as an "individual" bucket chosen
# from bits 25 through 32 of the IPv4 address.
#
# class 3 Everything is limited by a single aggregate
# bucket as well as a "network" bucket chosen
# from bits 17 through 24 of the IP address and an
# "individual" bucket chosen from bits 17 through
# 32 of the IPv4 address.
#
# class 4 Everything in a class 3 delay pool, with an
# additional limit on a per user basis. This
# only takes effect if the username is established
# in advance - by forcing authentication in your
# http_access rules.
#
# class 5 Requests are grouped according to their tag (see
# external_acl's tag= reply).
#
#
# Each pool also requires a delay_parameters directive to configure the pool size
# and speed limits used whenever the pool is applied to a request, along with
# a set of delay_access directives to determine when it is used.
#
# NOTE: If an IP address is a.b.c.d
# -> bits 25 through 32 are "d"
# -> bits 17 through 24 are "c"
# -> bits 17 through 32 are "c * 256 + d"
#
# NOTE-2: Due to the use of bitmasks in class 2,3,4 pools they only apply to
# IPv4 traffic. Class 1 and 5 pools may be used with IPv6 traffic.
#Default:
# none

# TAG: delay_access
# This is used to determine which delay pool a request falls into.
#
# delay_access is sorted per pool and the matching starts with pool 1,
# then pool 2, ..., and finally pool N. The first delay pool where the
# request is allowed is selected for the request. If no pool allows
# the request then the request is not delayed (default).
#
# For example, if you want some_big_clients in delay
# pool 1 and lotsa_little_clients in delay pool 2:
#
#Example:
# delay_access 1 allow some_big_clients
# delay_access 1 deny all
# delay_access 2 allow lotsa_little_clients
# delay_access 2 deny all
# delay_access 3 allow authenticated_clients
#Default:
# none

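# The delay_class bit arithmetic, the per-pool first-match rule of
# delay_access and the restore/maximum token buckets that
# delay_parameters configures are easier to see running than to read.
# The Python below is an added example, not Squid's implementation: it
# derives the bucket keys of a class 2/3 pool from an IPv4 address as the
# NOTE above states, evaluates a constructed delay_access rule set in
# which the ACL names some_big_clients and lotsa_little_clients are
# replaced by CIDR networks (an assumption for the example), and drives a
# greedy client against one restore/maximum bucket to show that 8000/8000
# sustains 64000 bit/s. How Squid refills its buckets internally is not
# modelled; the once-per-second refill here is the example's own.

```python
import ipaddress


def bucket_keys(addr: str, pool_class: int) -> dict:
    """Buckets a request from IPv4 address a.b.c.d is charged to.

    Class 2 uses d (bits 25-32) as the individual key; classes 3 and 4
    use c (bits 17-24) for the network bucket and c*256+d (bits 17-32)
    for the individual one.  Class 4's per-user and class 5's per-tag
    buckets need a username or tag, not an address, so they are not
    derived here."""
    ip = ipaddress.ip_address(addr)
    if pool_class in (2, 3, 4) and ip.version != 4:
        raise ValueError("class 2, 3 and 4 pools apply to IPv4 traffic only")
    keys = {"aggregate": 0}
    if pool_class == 1:
        return keys
    _, _, c, d = ip.packed
    if pool_class == 2:
        keys["individual"] = d
    elif pool_class in (3, 4):
        keys["network"] = c
        keys["individual"] = c * 256 + d
    else:
        raise ValueError("no address-derived keys for class %r" % pool_class)
    return keys


class Bucket:
    """One restore/maximum pair: restore bytes are added per second, the
    level never exceeds maximum, and -1 in either position means unlimited."""

    def __init__(self, restore: int, maximum: int):
        self.restore, self.maximum = restore, maximum
        self.level = maximum if maximum >= 0 else 0

    @property
    def unlimited(self) -> bool:
        return self.restore < 0 or self.maximum < 0

    def refill(self, seconds: int = 1) -> None:
        if not self.unlimited:
            self.level = min(self.maximum, self.level + self.restore * seconds)

    def take(self, wanted: int) -> int:
        """Grant as many bytes as the bucket holds, never more than wanted."""
        if self.unlimited:
            return wanted
        granted = min(wanted, self.level)
        self.level -= granted
        return granted


def sustained_bits_per_sec(restore: int, maximum: int, seconds: int = 10) -> float:
    """Drive a greedy client against one bucket and report the steady rate
    in bit/s; for the documented 8000/8000 pair this is 64000 (64Kbit/sec)."""
    bucket = Bucket(restore, maximum)
    if bucket.unlimited:
        return float("inf")
    total = 0
    for _ in range(seconds):
        bucket.refill()
        total += bucket.take(10 ** 9)
    return total * 8 / seconds


def select_pool(addr: str, rules):
    """delay_access evaluation: pools are tried in order 1..N and inside a
    pool the first matching rule decides; the first pool that allows the
    request wins, and if every pool denies it the request is not delayed
    (None).  ACL names are replaced by CIDR networks in this example."""
    ip = ipaddress.ip_address(addr)
    for pool in sorted({pool for pool, _, _ in rules}):
        for rule_pool, action, network in rules:
            if rule_pool == pool and ip in ipaddress.ip_network(network):
                if action == "allow":
                    return pool
                break  # denied by this pool: fall through to the next one
    return None


# Constructed rule set mirroring the delay_access example above, with
# some_big_clients as 10.0.0.0/24 and lotsa_little_clients as 10.0.0.0/8.
RULES = [
    (1, "allow", "10.0.0.0/24"),
    (1, "deny", "0.0.0.0/0"),
    (2, "allow", "10.0.0.0/8"),
    (2, "deny", "0.0.0.0/0"),
]

if __name__ == "__main__":
    print(bucket_keys("10.5.1.2", 3))           # network 1, individual 258
    print(sustained_bits_per_sec(8000, 8000))    # 64000.0
    print(select_pool("10.5.1.2", RULES))        # 2
```

# A bucket written 8000/64000 still sustains 64Kbit/sec but lets a
# client burst up to 64000 bytes first; the maximum is the burst
# allowance, the restore value is the long-run rate.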
# TAG: delay_parameters
# This defines the parameters for a delay pool. Each delay pool has
# a number of "buckets" associated with it, as explained in the
# description of delay_class.
#
# For a class 1 delay pool, the syntax is:
# delay_pools pool 1
# delay_parameters pool aggregate
#
# For a class 2 delay pool:
# delay_pools pool 2
# delay_parameters pool aggregate individual
#
# For a class 3 delay pool:
# delay_pools pool 3
# delay_parameters pool aggregate network individual
#
# For a class 4 delay pool:
# delay_pools pool 4
# delay_parameters pool aggregate network individual user
#
# For a class 5 delay pool:
# delay_pools pool 5
# delay_parameters pool tagrate
#
# The option variables are:
#
# pool a pool number - i.e., a number between 1 and the
# number specified in delay_pools as used in
# delay_class lines.
#
# aggregate the speed limit parameters for the aggregate bucket
# (class 1, 2, 3).
#
# individual the speed limit parameters for the individual
# buckets (class 2, 3).
#
# network the speed limit parameters for the network buckets
# (class 3).
#
# user the speed limit parameters for the user buckets
# (class 4).
#
# tagrate the speed limit parameters for the tag buckets
# (class 5).
#
# A pair of delay parameters is written restore/maximum, where restore is
# the number of bytes (not bits - modem and network speeds are usually
# quoted in bits) per second placed into the bucket, and maximum is the
# maximum number of bytes which can be in the bucket at any time.
#
# There must be one delay_parameters line for each delay pool.
#
#
# For example, if delay pool number 1 is a class 2 delay pool as in the
# above example, and is being used to strictly limit each host to 64Kbit/sec
# (plus overheads), with no overall limit, the line is:
#
# delay_parameters 1 -1/-1 8000/8000
#
# Note that 8 x 8000 KByte/sec -> 64Kbit/sec.
#
# Note that the figure -1 is used to represent "unlimited".
#
#
# And, if delay pool number 2 is a class 3 delay pool as in the above
# example, and you want to limit it to a total of 256Kbit/sec (strict limit)
# with each 8-bit network permitted 64Kbit/sec (strict limit) and each
4578 |
|
# individual host permitted 4800bit/sec with a bucket maximum size of 64Kbits |
4579 |
|
# to permit a decent web page to be downloaded at a decent speed |
4580 |
|
# (if the network is not being limited due to overuse) but slow down |
4581 |
|
# large downloads more significantly: |
4582 |
|
# |
4583 |
|
# delay_parameters 2 32000/32000 8000/8000 600/8000 |
4584 |
|
# |
4585 |
|
# Note that 8 x 32000 KByte/sec -> 256Kbit/sec. |
4586 |
|
# 8 x 8000 KByte/sec -> 64Kbit/sec. |
4587 |
|
# 8 x 600 Byte/sec -> 4800bit/sec. |
4588 |
|
# |
4589 |
# |
# |
4590 |
# However, you will need to enable this option if you run Squid |
# Finally, for a class 4 delay pool as in the example - each user will |
4591 |
# as a transparent proxy. Otherwise, virtual servers which |
# be limited to 128Kbits/sec no matter how many workstations they are logged into.: |
|
# require the Host: header will not be properly cached. |
|
4592 |
# |
# |
4593 |
|
# delay_parameters 4 32000/32000 8000/8000 600/64000 16000/16000 |
4594 |
#Default: |
#Default: |
4595 |
# httpd_accel_uses_host_header off |
# none |
4596 |
|
|
4597 |
|
# TAG: delay_initial_bucket_level (percent, 0-100) |
4598 |
|
# The initial bucket percentage is used to determine how much is put |
4599 |
|
# in each bucket when squid starts, is reconfigured, or first notices |
4600 |
|
# a host accessing it (in class 2 and class 3, individual hosts and |
4601 |
|
# networks only have buckets associated with them once they have been |
4602 |
|
# "seen" by squid). |
4603 |
|
#Default: |
4604 |
|
# delay_initial_bucket_level 50 |
4605 |
|
|
4606 |
# MISCELLANEOUS |
# CLIENT DELAY POOL PARAMETERS |
4607 |
# ----------------------------------------------------------------------------- |
# ----------------------------------------------------------------------------- |
4608 |
|
|
4609 |
# TAG: dns_testnames |
# TAG: client_delay_pools |
4610 |
# The DNS tests exit as soon as the first site is successfully looked up |
# This option specifies the number of client delay pools used. It must |
4611 |
|
# preceed other client_delay_* options. |
4612 |
# |
# |
4613 |
# This test can be disabled with the -D command line option. |
#Example: |
4614 |
|
# client_delay_pools 2 |
4615 |
|
#Default: |
4616 |
|
# client_delay_pools 0 |
4617 |
|
|
4618 |
|
# TAG: client_delay_initial_bucket_level (percent, 0-no_limit) |
4619 |
|
# This option determines the initial bucket size as a percentage of |
4620 |
|
# max_bucket_size from client_delay_parameters. Buckets are created |
4621 |
|
# at the time of the "first" connection from the matching IP. Idle |
4622 |
|
# buckets are periodically deleted up. |
4623 |
|
# |
4624 |
|
# You can specify more than 100 percent but note that such "oversized" |
4625 |
|
# buckets are not refilled until their size goes down to max_bucket_size |
4626 |
|
# from client_delay_parameters. |
4627 |
# |
# |
4628 |
|
#Example: |
4629 |
|
# client_delay_initial_bucket_level 50 |
4630 |
#Default: |
#Default: |
4631 |
# dns_testnames netscape.com internic.net nlanr.net microsoft.com |
# client_delay_initial_bucket_level 50 |
4632 |
|
|
4633 |
# TAG: logfile_rotate |
# TAG: client_delay_parameters |
|
# Specifies the number of logfile rotations to make when you |
|
|
# type 'squid -k rotate'. The default is 10, which will rotate |
|
|
# with extensions 0 through 9. Setting logfile_rotate to 0 will |
|
|
# disable the rotation, but the logfiles are still closed and |
|
|
# re-opened. This will enable you to rename the logfiles |
|
|
# yourself just before sending the rotate signal. |
|
4634 |
# |
# |
4635 |
# Note, the 'squid -k rotate' command normally sends a USR1 |
# This option configures client-side bandwidth limits using the |
4636 |
# signal to the running squid process. In certain situations |
# following format: |
4637 |
# (e.g. on Linux with Async I/O), USR1 is used for other |
# |
4638 |
# purposes, so -k rotate uses another signal. It is best to get |
# client_delay_parameters pool speed_limit max_bucket_size |
4639 |
# in the habit of using 'squid -k rotate' instead of 'kill -USR1 |
# |
4640 |
# <pid>'. |
# pool is an integer ID used for client_delay_access matching. |
4641 |
# |
# |
4642 |
|
# speed_limit is bytes added to the bucket per second. |
4643 |
|
# |
4644 |
|
# max_bucket_size is the maximum size of a bucket, enforced after any |
4645 |
|
# speed_limit additions. |
4646 |
|
# |
4647 |
|
# Please see the delay_parameters option for more information and |
4648 |
|
# examples. |
4649 |
|
# |
4650 |
|
#Example: |
4651 |
|
# client_delay_parameters 1 1024 2048 |
4652 |
|
# client_delay_parameters 2 51200 16384 |
4653 |
#Default: |
#Default: |
4654 |
# logfile_rotate 0 |
# none |
4655 |
|
|
4656 |
# TAG: append_domain |
# TAG: client_delay_access |
|
# Appends local domain name to hostnames without any dots in |
|
|
# them. append_domain must begin with a period. |
|
4657 |
# |
# |
4658 |
#Example: |
# This option determines the client-side delay pool for the |
4659 |
# append_domain .yourdomain.com |
# request: |
4660 |
|
# |
4661 |
|
# client_delay_access pool_ID allow|deny acl_name |
4662 |
|
# |
4663 |
|
# All client_delay_access options are checked in their pool ID |
4664 |
|
# order, starting with pool 1. The first checked pool with allowed |
4665 |
|
# request is selected for the request. If no ACL matches or there |
4666 |
|
# are no client_delay_access options, the request bandwidth is not |
4667 |
|
# limited. |
4668 |
|
# |
4669 |
|
# The ACL-selected pool is then used to find the |
4670 |
|
# client_delay_parameters for the request. Client-side pools are |
4671 |
|
# not used to aggregate clients. Clients are always aggregated |
4672 |
|
# based on their source IP addresses (one bucket per source IP). |
4673 |
|
# |
4674 |
|
# Please see delay_access for more examples. |
4675 |
# |
# |
4676 |
|
#Example: |
4677 |
|
# client_delay_access 1 allow low_rate_network |
4678 |
|
# client_delay_access 2 allow vips_network |
4679 |
#Default: |
#Default: |
4680 |
# none |
# none |
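# The bucket and pool-selection semantics described above, as an added
# example that is not Squid's own code: a Python model of restore/maximum
# buckets, delay_initial_bucket_level (including client-side levels above
# 100 percent) and the first-match pool selection of delay_access and
# client_delay_access. It assumes a class 3 pool keys its network bucket
# on the client's /24 and charges every bucket in the chain; the IPs, byte
# counts and ACL names are constructed.

```python
"""Token-bucket model of Squid delay pools (added example, not Squid code).

Models the restore/maximum pairs of delay_parameters, the -1 "unlimited"
value, delay_initial_bucket_level / client_delay_initial_bucket_level
(including "oversized" buckets), and the first-match pool selection shared
by delay_access and client_delay_access. IPs, byte counts and ACL names
are constructed for illustration.
"""
from __future__ import annotations

UNLIMITED = -1  # squid.conf spells "no limit" as -1 in a restore/maximum pair


class Bucket:
    """One restore/maximum pair: restore bytes per second, at most maximum."""

    def __init__(self, pair: str, initial_percent: int = 50) -> None:
        self.restore, self.maximum = (int(x) for x in pair.split("/"))
        # Start at initial_percent of maximum; client_delay_initial_bucket_level
        # may exceed 100, which leaves the bucket above maximum ("oversized").
        self.level = 0.0 if self.unlimited() else self.maximum * initial_percent / 100

    def unlimited(self) -> bool:
        return self.maximum == UNLIMITED

    def available(self) -> float:
        return float("inf") if self.unlimited() else self.level

    def refill(self, seconds: float = 1.0) -> None:
        """Add restore bytes per second, capped at maximum. An oversized
        bucket receives nothing until it has drained below maximum."""
        if not self.unlimited() and self.level < self.maximum:
            self.level = min(self.maximum, self.level + self.restore * seconds)

    def consume(self, nbytes: float) -> None:
        if not self.unlimited():
            self.level -= nbytes


# Buckets per delay_class in delay_parameters order, and how each bucket is
# keyed: class 3 keys its network bucket on the /24 of the client address.
CLASS_BUCKETS = {1: ["aggregate"], 2: ["aggregate", "individual"],
                 3: ["aggregate", "network", "individual"]}
BUCKET_KEY = {"aggregate": lambda ip: "*",
              "network": lambda ip: ip.rsplit(".", 1)[0],
              "individual": lambda ip: ip}


class DelayPool:
    """Class 1, 2 or 3 pool: a byte may be sent only when every bucket in
    the chain has room, and it is charged to every bucket in the chain."""

    def __init__(self, delay_class: int, *pairs: str, initial_percent: int = 50):
        self.kinds = CLASS_BUCKETS[delay_class]
        if len(pairs) != len(self.kinds):
            raise ValueError("delay_parameters needs one pair per bucket")
        self.pairs = dict(zip(self.kinds, pairs))
        self.initial = initial_percent
        # Host and network buckets exist only once that host has been "seen".
        self.buckets: dict[tuple[str, str], Bucket] = {}

    def _chain(self, ip: str) -> list[Bucket]:
        chain = []
        for kind in self.kinds:
            key = (kind, BUCKET_KEY[kind](ip))
            if key not in self.buckets:
                self.buckets[key] = Bucket(self.pairs[kind], self.initial)
            chain.append(self.buckets[key])
        return chain

    def send(self, ip: str, wanted: int) -> int:
        """Return how many of `wanted` bytes this client may send right now."""
        chain = self._chain(ip)
        granted = max(0, int(min(wanted, *(b.available() for b in chain))))
        for b in chain:
            b.consume(granted)
        return granted

    def tick(self, seconds: float = 1.0) -> None:
        """Advance time: refill every bucket that exists so far."""
        for b in self.buckets.values():
            b.refill(seconds)


def select_pool(rules: list[tuple[int, str, str]], matched: set[str]) -> int | None:
    """First-match pool selection of delay_access / client_delay_access.

    rules are (pool, "allow"|"deny", acl_name) lines in squid.conf order.
    Pools are tried in ascending order; within a pool the first line whose
    ACL matches decides. Returns the pool number, or None when no pool
    allows the request (the request is then not delayed).
    """
    for pool in sorted({pool for pool, _, _ in rules}):
        for p, action, acl in rules:
            if p == pool and (acl == "all" or acl in matched):
                if action == "allow":
                    return pool
                break  # denied in this pool: try the next pool
    return None
```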

# WCCPv1 AND WCCPv2 CONFIGURATION OPTIONS
# -----------------------------------------------------------------------------

# TAG: wccp_router
#    Use this option to define your WCCP "home" router for
#    Squid.
#
#    wccp_router supports a single WCCP(v1) router
#
#    wccp2_router supports multiple WCCPv2 routers
#
#    only one of the two may be used at the same time and defines
#    which version of WCCP to use.
#Default:
# wccp_router any_addr

# TAG: wccp2_router
#    Use this option to define your WCCP "home" router for
#    Squid.
#
#    wccp_router supports a single WCCP(v1) router
#
#    wccp2_router supports multiple WCCPv2 routers
#
#    only one of the two may be used at the same time and defines
#    which version of WCCP to use.
#Default:
# none

# TAG: wccp_version
#    This directive is only relevant if you need to set up WCCP(v1)
#    to some very old and end-of-life Cisco routers. In all other
#    setups it must be left unset or at the default setting.
#    It defines an internal version in the WCCP(v1) protocol,
#    with version 4 being the officially documented protocol.
#
#    According to some users, Cisco IOS 11.2 and earlier only
#    support WCCP version 3. If you're using that or an earlier
#    version of IOS, you may need to change this value to 3, otherwise
#    do not specify this parameter.
#Default:
# wccp_version 4

# TAG: wccp2_rebuild_wait
#    If this is enabled Squid will wait for the cache dir rebuild to finish
#    before sending the first wccp2 HereIAm packet
#Default:
# wccp2_rebuild_wait on

# TAG: wccp2_forwarding_method
#    WCCP2 allows the setting of forwarding methods between the
#    router/switch and the cache. Valid values are as follows:
#
#    gre - GRE encapsulation (forward the packet in a GRE/WCCP tunnel)
#    l2  - L2 redirect (forward the packet using Layer 2/MAC rewriting)
#
#    Currently (as of IOS 12.4) cisco routers only support GRE.
#    Cisco switches only support the L2 redirect assignment method.
#Default:
# wccp2_forwarding_method gre

# TAG: wccp2_return_method
#    WCCP2 allows the setting of return methods between the
#    router/switch and the cache for packets that the cache
#    decides not to handle. Valid values are as follows:
#
#    gre - GRE encapsulation (forward the packet in a GRE/WCCP tunnel)
#    l2  - L2 redirect (forward the packet using Layer 2/MAC rewriting)
#
#    Currently (as of IOS 12.4) cisco routers only support GRE.
#    Cisco switches only support the L2 redirect assignment.
#
#    If the "ip wccp redirect exclude in" command has been
#    enabled on the cache interface, then it is still safe for
#    the proxy server to use a l2 redirect method even if this
#    option is set to GRE.
#Default:
# wccp2_return_method gre

# TAG: wccp2_assignment_method
#    WCCP2 allows the setting of methods to assign the WCCP hash.
#    Valid values are as follows:
#
#    hash - Hash assignment
#    mask - Mask assignment
#
#    As a general rule, cisco routers support the hash assignment method
#    and cisco switches support the mask assignment method.
#Default:
# wccp2_assignment_method hash

# TAG: wccp2_service
#    WCCP2 allows for multiple traffic services. There are two
#    types: "standard" and "dynamic". The standard type defines
#    one service id - http (id 0). The dynamic service ids can be from
#    51 to 255 inclusive. In order to use a dynamic service id
#    one must define the type of traffic to be redirected; this is done
#    using the wccp2_service_info option.
#
#    The "standard" type does not require a wccp2_service_info option,
#    just specifying the service id will suffice.
#
#    MD5 service authentication can be enabled by adding
#    "password=<password>" to the end of this service declaration.
#
#    Examples:
#
#    wccp2_service standard 0    # for the 'web-cache' standard service
#    wccp2_service dynamic 80    # a dynamic service type which will be
#                                # fleshed out with subsequent options.
#    wccp2_service standard 0 password=foo
#Default:
# wccp2_service standard 0

# TAG: wccp2_service_info
#    Dynamic WCCPv2 services require further information to define the
#    traffic you wish to have diverted.
#
#    The format is:
#
#    wccp2_service_info <id> protocol=<protocol> flags=<flag>,<flag>..
#        priority=<priority> ports=<port>,<port>..
#
#    The relevant WCCPv2 flags:
#    + src_ip_hash, dst_ip_hash
#    + source_port_hash, dst_port_hash
#    + src_ip_alt_hash, dst_ip_alt_hash
#    + src_port_alt_hash, dst_port_alt_hash
#    + ports_source
#
#    The port list can be one to eight entries.
#
#    Example:
#
#    wccp2_service_info 80 protocol=tcp flags=src_ip_hash,ports_source
#        priority=240 ports=80
#
#    Note: the service id must have been defined by a previous
#    'wccp2_service dynamic <id>' entry.
#Default:
# none

# TAG: wccp2_weight
#    Each cache server gets assigned a set of the destination
#    hash proportional to their weight.
#Default:
# wccp2_weight 10000

# TAG: wccp_address
#Default:
# wccp_address 0.0.0.0

# TAG: wccp2_address
#    Use this option if you require WCCP to use a specific
#    interface address.
#
#    The default behavior is to not bind to any specific address.
#Default:
# wccp2_address 0.0.0.0

# PERSISTENT CONNECTION HANDLING
# -----------------------------------------------------------------------------
#
# Also see "pconn_timeout" in the TIMEOUTS section

# TAG: client_persistent_connections
#Default:
# client_persistent_connections on

# TAG: server_persistent_connections
#    Persistent connection support for clients and servers. By
#    default, Squid uses persistent connections (when allowed)
#    with its clients and servers. You can use these options to
#    disable persistent connections with clients and/or servers.
#Default:
# server_persistent_connections on

# TAG: persistent_connection_after_error
#    With this directive the use of persistent connections after
#    HTTP errors can be disabled. Useful if you have clients
#    who fail to handle errors on persistent connections properly.
#Default:
# persistent_connection_after_error on

# TAG: detect_broken_pconn
#    Some servers have been found to incorrectly signal the use
#    of HTTP/1.0 persistent connections even on replies not
#    compatible, causing significant delays. This server problem
#    has mostly been seen on redirects.
#
#    By enabling this directive Squid attempts to detect such
#    broken replies and automatically assumes the reply is finished
#    after a 10 second timeout.
#Default:
# detect_broken_pconn off

# CACHE DIGEST OPTIONS
# -----------------------------------------------------------------------------

# TAG: digest_generation
#    This controls whether the server will generate a Cache Digest
#    of its contents. By default, Cache Digest generation is
#    enabled if Squid is compiled with --enable-cache-digests defined.
#Default:
# digest_generation on

# TAG: digest_bits_per_entry
#    This is the number of bits of the server's Cache Digest which
#    will be associated with the Digest entry for a given HTTP
#    Method and URL (public key) combination. The default is 5.
#Default:
# digest_bits_per_entry 5

# TAG: digest_rebuild_period    (seconds)
#    This is the wait time between Cache Digest rebuilds.
#Default:
# digest_rebuild_period 1 hour

# TAG: digest_rewrite_period    (seconds)
#    This is the wait time between Cache Digest writes to
#    disk.
#Default:
# digest_rewrite_period 1 hour

# TAG: digest_swapout_chunk_size    (bytes)
#    This is the number of bytes of the Cache Digest to write to
#    disk at a time. It defaults to 4096 bytes (4KB), the Squid
#    default swap page.
#Default:
# digest_swapout_chunk_size 4096 bytes

# TAG: digest_rebuild_chunk_percentage    (percent, 0-100)
#    This is the percentage of the Cache Digest to be scanned at a
#    time. By default it is set to 10% of the Cache Digest.
#Default:
# digest_rebuild_chunk_percentage 10

# SNMP OPTIONS
# -----------------------------------------------------------------------------

# TAG: snmp_port
#    The port number where Squid listens for SNMP requests. To enable
#    SNMP support set this to a suitable port number. Port number
#    3401 is often used for the Squid SNMP agent. By default it's
#    set to "0" (disabled)
#
#    Example:
#        snmp_port 3401
#Default:
# snmp_port 0

# TAG: snmp_access
#    Allowing or denying access to the SNMP port.
#
#    All access to the agent is denied by default.
#    usage:
#
#    snmp_access allow|deny [!]aclname ...
#
#    This clause only supports fast acl types.
#    See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
#Example:
# snmp_access allow snmppublic localhost
# snmp_access deny all
#Default:
# snmp_access deny all

# TAG: snmp_incoming_address
#Default:
# snmp_incoming_address any_addr

# TAG: snmp_outgoing_address
#    Just like 'udp_incoming_address', but for the SNMP port.
#
#    snmp_incoming_address is used for the SNMP socket receiving
#    messages from SNMP agents.
#    snmp_outgoing_address is used for SNMP packets returned to SNMP
#    agents.
#
#    The default snmp_incoming_address is to listen on all
#    available network interfaces.
#
#    If snmp_outgoing_address is not set it will use the same socket
#    as snmp_incoming_address. Only change this if you want to have
#    SNMP replies sent using another address than where this Squid
#    listens for SNMP queries.
#
#    NOTE, snmp_incoming_address and snmp_outgoing_address can not have
#    the same value since they both use port 3401.
#Default:
# snmp_outgoing_address no_addr

# ICP OPTIONS |
4975 |
|
# ----------------------------------------------------------------------------- |
4976 |
|
|
4977 |
|
# TAG: icp_port |
4978 |
|
# The port number where Squid sends and receives ICP queries to |
4979 |
|
# and from neighbor caches. The standard UDP port for ICP is 3130. |
4980 |
|
# Default is disabled (0). |
4981 |
|
# |
4982 |
|
# Example: |
4983 |
|
# icp_port 3130 |
4984 |
|
#Default: |
4985 |
|
# icp_port 0 |
4986 |
|
|
4987 |
|
# TAG: htcp_port |
4988 |
|
# The port number where Squid sends and receives HTCP queries to |
4989 |
|
# and from neighbor caches. To turn it on you want to set it to |
4990 |
|
# 4827. By default it is set to "0" (disabled). |
4991 |
|
# |
4992 |
|
# Example: |
4993 |
|
# htcp_port 4827 |
4994 |
|
#Default: |
4995 |
|
# htcp_port 0 |
4996 |
|
|
4997 |
# TAG: log_icp_queries on|off |
# TAG: log_icp_queries on|off |
4998 |
# If set, ICP queries are logged to access.log. You may wish |
# If set, ICP queries are logged to access.log. You may wish |
4999 |
# do disable this if your ICP load is VERY high to speed things |
# do disable this if your ICP load is VERY high to speed things |
5000 |
# up or to simplify log analysis. |
# up or to simplify log analysis. |
|
# |
|
5001 |
#Default: |
#Default: |
5002 |
# log_icp_queries on |
# log_icp_queries on |
5003 |
|
|
5004 |
|
# TAG: udp_incoming_address |
5005 |
|
# udp_incoming_address is used for UDP packets received from other |
5006 |
|
# caches. |
5007 |
|
# |
5008 |
|
# The default behavior is to not bind to any specific address. |
5009 |
|
# |
5010 |
|
# Only change this if you want to have all UDP queries received on |
5011 |
|
# a specific interface/address. |
5012 |
|
# |
5013 |
|
# NOTE: udp_incoming_address is used by the ICP, HTCP, and DNS |
5014 |
|
# modules. Altering it will affect all of them in the same manner. |
5015 |
|
# |
5016 |
|
# see also; udp_outgoing_address |
5017 |
|
# |
5018 |
|
# NOTE, udp_incoming_address and udp_outgoing_address can not |
5019 |
|
# have the same value since they both use the same port. |
5020 |
|
#Default: |
5021 |
|
# udp_incoming_address any_addr |
5022 |
|
|
5023 |
|
# TAG: udp_outgoing_address |
5024 |
|
# udp_outgoing_address is used for UDP packets sent out to other |
5025 |
|
# caches. |
5026 |
|
# |
5027 |
|
# The default behavior is to not bind to any specific address. |
5028 |
|
# |
5029 |
|
# Instead it will use the same socket as udp_incoming_address. |
5030 |
|
# Only change this if you want to have UDP queries sent using another |
5031 |
|
# address than where this Squid listens for UDP queries from other |
5032 |
|
# caches. |
5033 |
|
# |
5034 |
|
# NOTE: udp_outgoing_address is used by the ICP, HTCP, and DNS |
5035 |
|
# modules. Altering it will affect all of them in the same manner. |
5036 |
|
# |
5037 |
|
# see also; udp_incoming_address |
5038 |
|
# |
5039 |
|
# NOTE, udp_incoming_address and udp_outgoing_address can not |
5040 |
|
# have the same value since they both use the same port. |
5041 |
|
#Default: |
5042 |
|
# udp_outgoing_address no_addr |
5043 |
|
|
5044 |
# TAG: icp_hit_stale on|off |
# TAG: icp_hit_stale on|off |
5045 |
# If you want to return ICP_HIT for stale cache objects, set this |
# If you want to return ICP_HIT for stale cache objects, set this |
5046 |
# option to 'on'. If you have sibling relationships with caches |
# option to 'on'. If you have sibling relationships with caches |
5047 |
# in other administrative domains, this should be 'off'. If you only |
# in other administrative domains, this should be 'off'. If you only |
5048 |
# have sibling relationships with caches under your control, then |
# have sibling relationships with caches under your control, |
5049 |
# it is probably okay to set this to 'on'. |
# it is probably okay to set this to 'on'. |
5050 |
# |
# If set to 'on', your siblings should use the option "allow-miss" |
5051 |
|
# on their cache_peer lines for connecting to you. |
5052 |
#Default: |
#Default: |
5053 |
# icp_hit_stale off |
# icp_hit_stale off |
5054 |
|
|
5055 |
# TAG: minimum_direct_hops |
# TAG: minimum_direct_hops |
5056 |
# If using the ICMP pinging stuff, do direct fetches for sites |
# If using the ICMP pinging stuff, do direct fetches for sites |
5057 |
# which are no more than this many hops away. |
# which are no more than this many hops away. |
|
# |
|
5058 |
#Default: |
#Default: |
5059 |
# minimum_direct_hops 4 |
# minimum_direct_hops 4 |
5060 |
|
|
5061 |
# TAG: minimum_direct_rtt |
# TAG: minimum_direct_rtt |
5062 |
# If using the ICMP pinging stuff, do direct fetches for sites |
# If using the ICMP pinging stuff, do direct fetches for sites |
5063 |
# which are no more than this many rtt milliseconds away. |
# which are no more than this many rtt milliseconds away. |
|
# |
|
5064 |
#Default: |
#Default: |
5065 |
# minimum_direct_rtt 400 |
# minimum_direct_rtt 400 |
5066 |
|
|
5067 |
# TAG: cachemgr_passwd |
# TAG: netdb_low |
|
# Specify passwords for cachemgr operations. |
|
|
# |
|
|
# Usage: cachemgr_passwd password action action ... |
|
|
# |
|
|
# Some valid actions are (see cache manager menu for a full list): |
|
|
# 5min |
|
|
# 60min |
|
|
# asndb |
|
|
# authenticator |
|
|
# cbdata |
|
|
# client_list |
|
|
# comm_incoming |
|
|
# config * |
|
|
# counters |
|
|
# delay |
|
|
# digest_stats |
|
|
# dns |
|
|
# events |
|
|
# filedescriptors |
|
|
# fqdncache |
|
|
# histograms |
|
|
# http_headers |
|
|
# info |
|
|
# io |
|
|
# ipcache |
|
|
# mem |
|
|
# menu |
|
|
# netdb |
|
|
# non_peers |
|
|
# objects |
|
|
# pconn |
|
|
# peer_select |
|
|
# redirector |
|
|
# refresh |
|
|
# server_list |
|
|
# shutdown * |
|
|
# store_digest |
|
|
# storedir |
|
|
# utilization |
|
|
# via_headers |
|
|
# vm_objects |
|
|
# |
|
|
# * Indicates actions which will not be performed without a |
|
|
# valid password, others can be performed if not listed here. |
|
|
# |
|
|
# To disable an action, set the password to "disable". |
|
|
# To allow performing an action without a password, set the |
|
|
# password to "none". |
|
|
# |
|
|
# Use the keyword "all" to set the same password for all actions. |
|
|
# |
|
|
#Example: |
|
|
# cachemgr_passwd secret shutdown |
|
|
# cachemgr_passwd lesssssssecret info stats/objects |
|
|
# cachemgr_passwd disable all |
|
|
# |
|
|
#Default: |
|
|
# none |
|
|
|
|
|
# TAG: store_avg_object_size (kbytes) |
|
|
# Average object size, used to estimate number of objects your |
|
|
# cache can hold. See doc/Release-Notes-1.1.txt. The default is |
|
|
# 13 KB. |
|
|
# |
|
|
#Default: |
|
|
# store_avg_object_size 13 KB |
|
|
|
|
|
# TAG: store_objects_per_bucket |
|
|
# Target number of objects per bucket in the store hash table. |
|
|
# Lowering this value increases the total number of buckets and |
|
|
# also the storage maintenance rate. The default is 50. |
|
|
# |
|
|
#Default: |
|
|
# store_objects_per_bucket 20 |
|
|
|
|
|
# TAG: client_db on|off |
|
|
# If you want to disable collecting per-client statistics, then |
|
|
# turn off client_db here. |
|
|
# |
|
5068 |
#Default: |
#Default: |
5069 |
# client_db on |
# netdb_low 900 |
5070 |
|
|
|
# TAG: netdb_low |
|
5071 |
# TAG: netdb_high |
# TAG: netdb_high |
5072 |
# The low and high water marks for the ICMP measurement |
# The low and high water marks for the ICMP measurement |
5073 |
# database. These are counts, not percents. The defaults are |
# database. These are counts, not percents. The defaults are |
5074 |
# 900 and 1000. When the high water mark is reached, database |
# 900 and 1000. When the high water mark is reached, database |
5075 |
# entries will be deleted until the low mark is reached. |
# entries will be deleted until the low mark is reached. |
|
# |
|
5076 |
#Default: |
#Default: |
|
# netdb_low 900 |
|
5077 |
# netdb_high 1000 |
# netdb_high 1000 |
5078 |
|
|
5079 |
# TAG: netdb_ping_period |
# TAG: netdb_ping_period |
5080 |
# The minimum period for measuring a site. There will be at |
# The minimum period for measuring a site. There will be at |
5081 |
# least this much delay between successive pings to the same |
# least this much delay between successive pings to the same |
5082 |
# network. The default is five minutes. |
# network. The default is five minutes. |
|
# |
|
5083 |
#Default: |
#Default: |
5084 |
# netdb_ping_period 5 minutes |
# netdb_ping_period 5 minutes |
5085 |
|
|
#  TAG: query_icmp
#	replies, enable this option.
#
#	If your peer has configured Squid (during compilation) with
#	'--enable-icmp' that peer will send ICMP pings to origin server
#	sites of the URLs it receives.  If you enable this option the
#	ICP replies from that peer will include the ICMP data (if available).
#	Then, when choosing a parent cache, Squid will choose the parent with
#	the minimal RTT to the origin server.  When this happens, the
#	hierarchy field of the access.log will be
#	"CLOSEST_PARENT_MISS".  This option is off by default.
#
#Default:
# query_icmp off

#  TAG: test_reachability
#	When this is 'on', ICP MISS replies will be ICP_MISS_NOFETCH
#	instead of ICP_MISS if the target host is NOT in the ICMP
#	database, or has a zero RTT.
#
#Default:
# test_reachability off

#  TAG: icp_query_timeout	(msec)
#	Normally Squid will automatically determine an optimal ICP
#	query timeout value based on the round-trip-time of recent ICP
#	queries.  If you want to override the value determined by
#	Squid, set this 'icp_query_timeout' to a non-zero value.  This
#	value is specified in MILLISECONDS, so, to use a 2-second
#	timeout (the old default), you would write:
#
#		icp_query_timeout 2000
#Default:
# icp_query_timeout 0

#  TAG: maximum_icp_query_timeout	(msec)
#	Normally the ICP query timeout is determined dynamically.  But
#	sometimes it can lead to very large values (say 5 seconds).
#	Use this option to put an upper limit on the dynamic timeout
#	value.  Do NOT use this option to always use a fixed (instead
#	of a dynamic) timeout value. To set a fixed timeout see the
#	'icp_query_timeout' directive.
#Default:
# maximum_icp_query_timeout 2000

#  TAG: minimum_icp_query_timeout	(msec)
#	Normally the ICP query timeout is determined dynamically.  But
#	sometimes it can lead to very small timeouts, even lower than
#	the normal latency variance on your link due to traffic.
#	Use this option to put a lower limit on the dynamic timeout
#	value.  Do NOT use this option to always use a fixed (instead
#	of a dynamic) timeout value. To set a fixed timeout see the
#	'icp_query_timeout' directive.
#Default:
# minimum_icp_query_timeout 5

#  TAG: background_ping_rate	time-units
#	Controls how often the ICP pings are sent to siblings that
#	have background-ping set.
#Default:
# background_ping_rate 10 seconds

# MULTICAST ICP OPTIONS
# -----------------------------------------------------------------------------

#  TAG: mcast_groups
#	This tag specifies a list of multicast groups which your server
#	should join to receive multicasted ICP queries.
#
#	NOTE!  Be very careful what you put here!  Be sure you
#	understand the difference between an ICP _query_ and an ICP
#	_reply_.  This option is to be set only if you want to RECEIVE
#	multicast queries.  Do NOT set this option to SEND multicast
#	ICP (use cache_peer for that).  ICP replies are always sent via
#	unicast, so this option does not affect whether or not you will
#	receive replies from multicast group members.
#
#	You must be very careful to NOT use a multicast address which
#	is already in use by another group of caches.
#
#	If you are unsure about multicast, please read the Multicast
#	chapter in the Squid FAQ (http://www.squid-cache.org/FAQ/).
#
#	Usage: mcast_groups 239.128.16.128 224.0.1.20
#
#	By default, Squid doesn't listen on any multicast groups.
#Default:
# none

#  TAG: mcast_miss_addr
#	Note: This option is only available if Squid is rebuilt with the
#	-DMULTICAST_MISS_STREAM define
#
#	If you enable this option, every "cache miss" URL will
#	be sent out on the specified multicast address.
#
#	Do not enable this option unless you are absolutely
#	certain you understand what you are doing.
#Default:
# mcast_miss_addr no_addr

#  TAG: mcast_miss_ttl
#	Note: This option is only available if Squid is rebuilt with the
#	-DMULTICAST_MISS_STREAM define
#
#	This is the time-to-live value for packets multicasted
#	when multicasting off cache miss URLs is enabled.  By
#	default this is set to 'site scope', i.e. 16.
#Default:
# mcast_miss_ttl 16

#  TAG: mcast_miss_port
#	Note: This option is only available if Squid is rebuilt with the
#	-DMULTICAST_MISS_STREAM define
#
#	This is the port number to be used in conjunction with
#	'mcast_miss_addr'.
#Default:
# mcast_miss_port 3135

#  TAG: mcast_miss_encode_key
#	Note: This option is only available if Squid is rebuilt with the
#	-DMULTICAST_MISS_STREAM define
#
#	The URLs that are sent in the multicast miss stream are
#	encrypted.  This is the encryption key.
#Default:
# mcast_miss_encode_key XXXXXXXXXXXXXXXX

#  TAG: mcast_icp_query_timeout	(msec)
#	For multicast peers, Squid regularly sends out ICP "probes" to
#	count how many other peers are listening on the given multicast
#	address.  This value specifies how long Squid should wait to
#	count all the replies.  The default is 2000 msec, or 2
#	seconds.
#Default:
# mcast_icp_query_timeout 2000

# INTERNAL ICON OPTIONS
# -----------------------------------------------------------------------------

#  TAG: icon_directory
#	Where the icons are stored. These are normally kept in
#	/usr/share/squid/icons
#Default:
# icon_directory /usr/share/squid/icons

#  TAG: global_internal_static
#	This directive controls if Squid should intercept all requests for
#	/squid-internal-static/ no matter which host the URL is requesting
#	(default on setting), or if nothing special should be done for
#	such URLs (off setting). The purpose of this directive is to make
#	icons etc work better in complex cache hierarchies where it may
#	not always be possible for all corners in the cache mesh to reach
#	the server generating a directory listing.
#Default:
# global_internal_static on

#  TAG: short_icon_urls
#	If this is enabled Squid will use short URLs for icons.
#	If disabled it will revert to the old behavior of including
#	its own name and port in the URL.
#
#	If you run a complex cache hierarchy with a mix of Squid and
#	other proxies you may need to disable this directive.
#Default:
# short_icon_urls on

# ERROR PAGE OPTIONS
# -----------------------------------------------------------------------------

#  TAG: error_directory
#	If you wish to create your own versions of the default
#	error files to customize them to suit your company copy
#	/usr/share/squid/errors contains sets of error files
#	in different languages. The default error directory
#	is /etc/squid/errors, which is a link to one of these
#	error sets.
#
#	WARNING: This option will disable multi-language support
#	         on error pages if used.
#
#	The squid developers are interested in making squid available in
#	a wide variety of languages. If you are making translations for a
#	language that Squid does not currently provide please consider
#	contributing your translation back to the project.
#	http://wiki.squid-cache.org/Translations
#
#	The squid developers working on translations are happy to supply drop-in
#	translated error files in exchange for any new language contributions.
#Default:
# none

#  TAG: error_default_language
#	Set the default language which squid will send error pages in
#	if no existing translation matches the clients language
#	preferences.
#
#	If unset (default) generic English will be used.
#
#	The squid developers are interested in making squid available in
#	a wide variety of languages. If you are interested in making
#	translations for any language see the squid wiki for details.
#	http://wiki.squid-cache.org/Translations
#Default:
# none

#  TAG: error_log_languages
#	Log to cache.log what languages users are attempting to
#	auto-negotiate for translations.
#
#	Successful negotiations are not logged. Only failures
#	have meaning to indicate that Squid may need an upgrade
#	of its error page translations.
#Default:
# error_log_languages on

#  TAG: err_page_stylesheet
#	CSS Stylesheet to pattern the display of Squid default error pages.
#
#	For information on CSS see http://www.w3.org/Style/CSS/
#Default:
# err_page_stylesheet /etc/squid/errorpage.css

#  TAG: err_html_text
#	HTML text to include in error messages.  Make this a "mailto"
#	URL to your admin address, or maybe just a link to your
#	organization's Web page.
#
#	To include this in your error messages, you must rewrite
#	the error template files (found in the "errors" directory).
#	Wherever you want the 'err_html_text' line to appear,
#	insert a %L tag in the error template file.
#Default:
# none

#  TAG: email_err_data	on|off
#	If enabled, information about the occurred error will be
#	included in the mailto links of the ERR pages (if %W is set)
#	so that the email body contains the data.
#	Syntax is <A HREF="mailto:%w%W">%w</A>
#Default:
# email_err_data on

#  TAG: deny_info
#	Usage:   deny_info err_page_name acl
#	or       deny_info http://... acl
#	or       deny_info TCP_RESET acl
#
#	This can be used to return an ERR_ page for requests which
#	do not pass the 'http_access' rules.  Squid remembers the last
#	acl it evaluated in http_access, and if a 'deny_info' line exists
#	for that ACL Squid returns a corresponding error page.
#
#	The acl is typically the last acl on the http_access deny line which
#	denied access. The exceptions to this rule are:
#	- When Squid needs to request authentication credentials. It's then
#	  the first authentication related acl encountered
#	- When none of the http_access lines matches. It's then the last
#	  acl processed on the last http_access line.
#	- When the decision to deny access was made by an adaptation service,
#	  the acl name is the corresponding eCAP or ICAP service_name.
#
#	NP: If providing your own custom error pages with error_directory
#	    you may also specify them by your custom file name:
#	    Example: deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys
#
#	By default Squid will send "403 Forbidden". A different 4xx or 5xx
#	may be specified by prefixing the file name with the code and a colon.
#	e.g. 404:ERR_CUSTOM_ACCESS_DENIED
#
#	Alternatively you can tell Squid to reset the TCP connection
#	by specifying TCP_RESET.
#
#	Or you can specify an error URL or URL pattern. The browsers will
#	get redirected to the specified URL after formatting tags have
#	been replaced. Redirect will be done with 302 or 307 according to
#	HTTP/1.1 specs. A different 3xx code may be specified by prefixing
#	the URL. e.g. 303:http://example.com/
#
#	URL FORMAT TAGS:
#		%a	- username (if available. Password NOT included)
#		%B	- FTP path URL
#		%e	- Error number
#		%E	- Error description
#		%h	- Squid hostname
#		%H	- Request domain name
#		%i	- Client IP Address
#		%M	- Request Method
#		%o	- Message result from external ACL helper
#		%p	- Request Port number
#		%P	- Request Protocol name
#		%R	- Request URL path
#		%T	- Timestamp in RFC 1123 format
#		%U	- Full canonical URL from client
#			  (HTTPS URLs terminate with *)
#		%u	- Full canonical URL from client
#		%w	- Admin email from squid.conf
#		%x	- Error name
#		%%	- Literal percent (%) code
#
#Default:
# none

# OPTIONS INFLUENCING REQUEST FORWARDING
# -----------------------------------------------------------------------------

#  TAG: nonhierarchical_direct
#	By default, Squid will send any non-hierarchical requests
#	(matching hierarchy_stoplist or not cacheable request type) direct
#	to origin servers.
#
#	If you set this to off, Squid will prefer to send these
#	requests to parents.
#
#	Note that in most configurations, by turning this off you will only
#	add latency to these requests without any improvement in global hit
#	ratio.
#
#	If you are inside a firewall see never_direct instead of
#	this directive.
#Default:
# nonhierarchical_direct on

#  TAG: prefer_direct
#	Normally Squid tries to use parents for most requests. If you for some
#	reason like it to first try going direct and only use a parent if
#	going direct fails set this to on.
#
#	By combining nonhierarchical_direct off and prefer_direct on you
#	can set up Squid to use a parent as a backup path if going direct
#	fails.
#
#	Note: If you want Squid to use parents for all requests see
#	the never_direct directive. prefer_direct only modifies how Squid
#	acts on cacheable requests.
#Default:
# prefer_direct off

#  TAG: always_direct
#	Usage: always_direct allow|deny [!]aclname ...
#
#	Here you can use ACL elements to specify requests which should
#	ALWAYS be forwarded by Squid to the origin servers without using
#	any peers.  For example, to always directly forward requests for
#	local servers ignoring any parents or siblings you may have use
#	something like:
#
#		acl local-servers dstdomain my.domain.net
#
#	some other rule. Example:
#
#		acl local-external dstdomain external.foo.net
#		acl local-servers dstdomain .foo.net
#		always_direct deny local-external
#		always_direct allow local-servers
#
#	NOTE: If your goal is to make the client forward the request
#	directly to the origin server bypassing Squid then this needs
#	to be done in the client configuration. Squid configuration
#	can only tell Squid how Squid should fetch the object.
#
#	NOTE: This directive is not related to caching. The replies
#	are cached as usual even if you use always_direct. To not cache
#	the replies see the 'cache' directive.
#
#	This clause supports both fast and slow acl types.
#	See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
#Default:
# none

#  TAG: never_direct
#	servers.  For example, to force the use of a proxy for all
#	requests, except those in your local domain use something like:
#
#		acl local-servers dstdomain .foo.net
#		never_direct deny local-servers
#		never_direct allow all
#
#	or if Squid is inside a firewall and there are local intranet
#	servers inside the firewall use something like:
#
#		acl local-intranet dstdomain .foo.net
#		acl local-external dstdomain external.foo.net
#		always_direct deny local-external
#		always_direct allow local-intranet
#		never_direct allow all
#
#	This clause supports both fast and slow acl types.
#	See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
#Default:
# none
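# Added example (not part of squid.conf and not Squid's own code): a small Python model of the
# always_direct / never_direct evaluation described above, driven by the firewall rule set from
# the text. It assumes first-matching-line-wins evaluation, the dstdomain semantics the examples
# rely on (a leading dot matches the domain and its subdomains, no dot matches only that exact
# host, which is why the rules use '.foo.net'), treats 'no line matched' as falling through to
# Squid's normal peer selection, and uses constructed host names.

```python
"""Model of always_direct / never_direct rule evaluation (added example)."""
from typing import Dict, List, Optional, Tuple

# acl name -> dstdomain patterns, as written in squid.conf
Acls = Dict[str, List[str]]
# (action, [acl names]) in squid.conf order; a leading '!' negates an acl
Rule = Tuple[str, List[str]]


def dstdomain_matches(pattern: str, host: str) -> bool:
    """dstdomain semantics assumed here: '.foo.net' matches foo.net and any
    subdomain of it; 'foo.net' matches only the host foo.net itself."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("."):
        base = pattern[1:]
        return host == base or host.endswith("." + base)
    return host == pattern


def acl_matches(acls: Acls, name: str, host: str) -> bool:
    """Evaluate one acl reference, honouring the '!' negation prefix."""
    negate = name.startswith("!")
    name = name.lstrip("!")
    if name == "all":  # 'all' is predefined in Squid 3.x (assumption of this model)
        hit = True
    else:
        hit = any(dstdomain_matches(p, host) for p in acls[name])
    return hit != negate


def evaluate(acls: Acls, rules: List[Rule], host: str) -> Optional[str]:
    """Return 'allow' or 'deny' from the first line whose acls all match,
    or None when no line matched."""
    for action, names in rules:
        if all(acl_matches(acls, n, host) for n in names):
            return action
    return None


def forwarding_decision(acls: Acls, always_direct: List[Rule],
                        never_direct: List[Rule], host: str) -> str:
    """Combine both lists as the text describes: a host allowed by
    always_direct goes direct; one allowed by never_direct must use a
    peer; anything else is left to Squid's normal peer selection."""
    if evaluate(acls, always_direct, host) == "allow":
        return "direct"
    if evaluate(acls, never_direct, host) == "allow":
        return "via-peer"
    return "normal-selection"


# The 'inside a firewall with local intranet servers' example from the text.
ACLS: Acls = {
    "local-intranet": [".foo.net"],
    "local-external": ["external.foo.net"],
}
ALWAYS_DIRECT: List[Rule] = [("deny", ["local-external"]),
                             ("allow", ["local-intranet"])]
NEVER_DIRECT: List[Rule] = [("allow", ["all"])]

if __name__ == "__main__":
    # constructed hosts: intranet, the excluded external host, and the internet
    for h in ("www.foo.net", "foo.net", "external.foo.net", "example.com"):
        print(f"{h:20} -> {forwarding_decision(ACLS, ALWAYS_DIRECT, NEVER_DIRECT, h)}")
```

Running it shows the trap the examples above avoid: with `dstdomain foo.net` (no leading dot) `www.foo.net` would not match `local-intranet` and would be sent to a parent instead of direct.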
5494 |
|
|
# ADVANCED NETWORKING OPTIONS
# -----------------------------------------------------------------------------

#  TAG: incoming_udp_average
#	Heavy voodoo here.  I can't even believe you are reading this.
#	Are you crazy?  Don't even think about adjusting these unless
#	you understand the algorithms in comm_select.c first!
#Default:
# incoming_udp_average 6

#  TAG: incoming_tcp_average
#	Heavy voodoo here.  I can't even believe you are reading this.
#	Are you crazy?  Don't even think about adjusting these unless
#	you understand the algorithms in comm_select.c first!
#Default:
# incoming_tcp_average 4

#  TAG: incoming_dns_average
#	Heavy voodoo here.  I can't even believe you are reading this.
#	Are you crazy?  Don't even think about adjusting these unless
#	you understand the algorithms in comm_select.c first!
#Default:
# incoming_dns_average 4

#  TAG: min_udp_poll_cnt
#	Heavy voodoo here.  I can't even believe you are reading this.
#	Are you crazy?  Don't even think about adjusting these unless
#	you understand the algorithms in comm_select.c first!
#Default:
# min_udp_poll_cnt 8

#  TAG: min_dns_poll_cnt
#	Heavy voodoo here.  I can't even believe you are reading this.
#	Are you crazy?  Don't even think about adjusting these unless
#	you understand the algorithms in comm_select.c first!
#Default:
# min_dns_poll_cnt 8

#  TAG: min_tcp_poll_cnt
#	Heavy voodoo here.  I can't even believe you are reading this.
#	Are you crazy?  Don't even think about adjusting these unless
#	you understand the algorithms in comm_select.c first!
#Default:
# min_tcp_poll_cnt 8

#  TAG: accept_filter
#	FreeBSD:
#
#	The name of an accept(2) filter to install on Squid's
#	listen socket(s).  This feature is perhaps specific to
#	FreeBSD and requires support in the kernel.
#
#	The 'httpready' filter delays delivering new connections
#	to Squid until a full HTTP request has been received.
#	See the accf_http(9) man page for details.
#
#	The 'dataready' filter delays delivering new connections
#	to Squid until there is some data to process.
#	See the accf_dataready(9) man page for details.
#
#	Linux:
#
#	The 'data' filter delays delivering new connections
#	to Squid until there is some data to process by TCP_ACCEPT_DEFER.
#	You may optionally specify a number of seconds to wait by
#	'data=N' where N is the number of seconds. Defaults to 30
#	if not specified. See the tcp(7) man page for details.
#EXAMPLE:
## FreeBSD
#accept_filter httpready
## Linux
#accept_filter data
#Default:
# none

#  TAG: client_ip_max_connections
#	Set an absolute limit on the number of connections a single
#	client IP can use. Any more than this and Squid will begin to drop
#	new connections from the client until it closes some links.
#
#	Note that this is a global limit. It affects all HTTP, HTCP, Gopher and FTP
#	connections from the client. For finer control use the ACL access controls.
#
#	Requires client_db to be enabled (the default).
#
#	WARNING: This may noticeably slow down traffic received via external proxies
#	or NAT devices and cause them to rebound error messages back to their clients.
#Default:
# client_ip_max_connections -1

#  TAG: tcp_recv_bufsize	(bytes)
#	Size of receive buffer to set for TCP sockets.  Probably just
#	as easy to change your kernel's default.  Set to zero to use
#	the default buffer size.
#Default:
# tcp_recv_bufsize 0 bytes

|
# ICAP OPTIONS
# -----------------------------------------------------------------------------

#  TAG: icap_enable	on|off
#	If you want to enable the ICAP module support, set this to on.
#Default:
# icap_enable off

#  TAG: icap_connect_timeout
#	This parameter specifies how long to wait for the TCP connect to
#	the requested ICAP server to complete before giving up and either
#	terminating the HTTP transaction or bypassing the failure.
#
#	The default for optional services is peer_connect_timeout.
#	The default for essential services is connect_timeout.
#	If this option is explicitly set, its value applies to all services.
#Default:
# none

#  TAG: icap_io_timeout	time-units
#	This parameter specifies how long to wait for an I/O activity on
#	an established, active ICAP connection before giving up and
#	either terminating the HTTP transaction or bypassing the
#	failure.
#
#	The default is read_timeout.
#Default:
# none

#  TAG: icap_service_failure_limit	limit [in memory-depth time-units]
#	The limit specifies the number of failures that Squid tolerates
#	when establishing a new TCP connection with an ICAP service. If
#	the number of failures exceeds the limit, the ICAP service is
#	not used for new ICAP requests until it is time to refresh its
#	OPTIONS.
#
#	A negative value disables the limit. Without the limit, an ICAP
#	service will not be considered down due to connectivity failures
#	between ICAP OPTIONS requests.
#
#	Squid forgets ICAP service failures older than the specified
#	value of memory-depth. The memory fading algorithm
#	is approximate because Squid does not remember individual
#	errors but groups them instead, splitting the option
#	value into ten time slots of equal length.
#
#	When memory-depth is 0 and by default this option has no
#	effect on service failure expiration.
#
#	Squid always forgets failures when updating service settings
#	using an ICAP OPTIONS transaction, regardless of this option
#	setting.
#
#	For example,
#		# suspend service usage after 10 failures in 5 seconds:
#		icap_service_failure_limit 10 in 5 seconds
#Default:
# icap_service_failure_limit 10
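# Added example (not Squid's code): a Python model of the ten-slot failure memory that
# icap_service_failure_limit describes, so you can see why the remembered count is approximate
# and when a service is suspended and comes back. The slot width (memory-depth / 10), the
# whole-slot expiry, the 'negative limit disables' and 'memory-depth 0 never expires' rules and
# the reset on an OPTIONS refresh follow the text above; the failure timestamps are constructed.

```python
"""Model of icap_service_failure_limit memory fading (added example)."""
from dataclasses import dataclass, field
from typing import List


@dataclass
class IcapFailureMemory:
    """Connect failures for one ICAP service, counted per time slot."""
    limit: int                  # failures tolerated; negative disables the limit
    memory_depth: float = 0.0   # seconds of memory; 0 means failures never expire
    slots: int = 10             # the text says memory-depth is split into ten slots
    counts: List[int] = field(default_factory=list)
    total: int = 0
    current_slot: int = 0       # absolute index of the slot being filled

    def __post_init__(self) -> None:
        self.counts = [0] * self.slots

    def _slot_index(self, now: float) -> int:
        """Absolute slot number for timestamp 'now' (always 0 without memory)."""
        if self.memory_depth <= 0:
            return 0
        return int(now // (self.memory_depth / self.slots))

    def _expire(self, now: float) -> None:
        """Forget whole slots that are now at least memory_depth old. Failures
        leave a slot at a time, which is the approximation the text mentions."""
        target = self._slot_index(now)
        if target - self.current_slot >= self.slots:
            self.counts = [0] * self.slots   # everything remembered is stale
            self.total = 0
            self.current_slot = target
            return
        while self.current_slot < target:
            self.current_slot += 1
            idx = self.current_slot % self.slots
            self.total -= self.counts[idx]    # this ring slot has aged out
            self.counts[idx] = 0

    def record_failure(self, now: float) -> None:
        """A failed TCP connect to the ICAP service at time 'now'."""
        self._expire(now)
        self.counts[self.current_slot % self.slots] += 1
        self.total += 1

    def options_refreshed(self) -> None:
        """Squid forgets all failures whenever fresh OPTIONS are applied."""
        self.counts = [0] * self.slots
        self.total = 0

    def is_suspended(self, now: float) -> bool:
        """True once remembered failures exceed the limit: the service is then
        skipped for new ICAP requests until its OPTIONS are refreshed."""
        if self.limit < 0:
            return False
        self._expire(now)
        return self.total > self.limit


def demo() -> List[str]:
    """'icap_service_failure_limit 10 in 5 seconds' fed with constructed
    failure timestamps; returns one observation per line."""
    svc = IcapFailureMemory(limit=10, memory_depth=5.0)
    for t in range(11):                 # 11 failures within the first 0.1 s
        svc.record_failure(0.01 * t)
    return [
        f"t=0.1 suspended={svc.is_suspended(0.1)}",   # 11 > 10
        f"t=4.9 suspended={svc.is_suspended(4.9)}",   # still inside the 5 s memory
        f"t=5.2 suspended={svc.is_suspended(5.2)}",   # the burst's slot aged out
    ]


if __name__ == "__main__":
    print("\n".join(demo()))
```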

#  TAG: icap_service_revival_delay
#	The delay specifies the number of seconds to wait after an ICAP
#	OPTIONS request failure before requesting the options again. The
#	failed ICAP service is considered "down" until fresh OPTIONS are
#	fetched.
#
#	The actual delay cannot be smaller than the hardcoded minimum
#	delay of 30 seconds.
#Default:
# icap_service_revival_delay 180

#  TAG: icap_preview_enable	on|off
#	The ICAP Preview feature allows the ICAP server to handle the
#	HTTP message by looking only at the beginning of the message body
#	or even without receiving the body at all. In some environments,
#	previews greatly speed up ICAP processing.
#
#	During an ICAP OPTIONS transaction, the server may tell Squid what
#	HTTP messages should be previewed and how big the preview should be.
#	Squid will not use Preview if the server did not request one.
#
#	To disable ICAP Preview for all ICAP services, regardless of
#	individual ICAP server OPTIONS responses, set this option to "off".
#Example:
#icap_preview_enable off
#Default:
# icap_preview_enable on

#  TAG: icap_preview_size
#	The default size of preview data to be sent to the ICAP server.
#	-1 means no preview. This value might be overwritten on a per server
#	basis by OPTIONS requests.
#Default:
# icap_preview_size -1

#  TAG: icap_206_enable	on|off
#	206 (Partial Content) responses are an ICAP extension that allows the
#	ICAP agents to optionally combine adapted and original HTTP message
#	content. The decision to combine is postponed until the end of the
#	ICAP response. Squid supports Partial Content extension by default.
#
#	Activation of the Partial Content extension is negotiated with each
5693 |
# command line option. |
# ICAP service during OPTIONS exchange. Most ICAP servers should handle |
5694 |
|
# negotation correctly even if they do not support the extension, but |
5695 |
|
# some might fail. To disable Partial Content support for all ICAP |
5696 |
|
# services and to avoid any negotiation, set this option to "off". |
5697 |
# |
# |
5698 |
|
# Example: |
5699 |
|
# icap_206_enable off |
5700 |
#Default: |
#Default: |
5701 |
# snmp_port 3401 |
# icap_206_enable on |
5702 |
|
|
5703 |
# TAG: snmp_access |
# TAG: icap_default_options_ttl |
5704 |
# Allowing or denying access to the SNMP port. |
# The default TTL value for ICAP OPTIONS responses that don't have |
5705 |
# |
# an Options-TTL header. |
|
# All access to the agent is denied by default. |
|
|
# usage: |
|
|
# |
|
|
# snmp_access allow|deny [!]aclname ... |
|
|
# |
|
|
#Example: |
|
|
# snmp_access allow snmppublic localhost |
|
|
# snmp_access deny all |
|
|
# |
|
5706 |
#Default: |
#Default: |
5707 |
# snmp_access deny all |
# icap_default_options_ttl 60 |
5708 |
|
|
5709 |
# TAG: snmp_incoming_address |
# TAG: icap_persistent_connections on|off |
5710 |
# TAG: snmp_outgoing_address |
# Whether or not Squid should use persistent connections to |
5711 |
# Just like 'udp_incoming_address' above, but for the SNMP port. |
# an ICAP server. |
|
# |
|
|
# snmp_incoming_address is used for the SNMP socket receiving |
|
|
# messages from SNMP agents. |
|
|
# snmp_outgoing_address is used for SNMP packets returned to SNMP |
|
|
# agents. |
|
|
# |
|
|
# The default snmp_incoming_address (0.0.0.0) is to listen on all |
|
|
# available network interfaces. |
|
|
# |
|
|
# If snmp_outgoing_address is set to 255.255.255.255 (the default) |
|
|
# then it will use the same socket as snmp_incoming_address. Only |
|
|
# change this if you want to have SNMP replies sent using another |
|
|
# address than where this Squid listens for SNMP queries. |
|
|
# |
|
|
# NOTE, snmp_incoming_address and snmp_outgoing_address can not have |
|
|
# the same value since they both use port 3401. |
|
|
# |
|
5712 |
#Default: |
#Default: |
5713 |
# snmp_incoming_address 0.0.0.0 |
# icap_persistent_connections on |
|
# snmp_outgoing_address 255.255.255.255 |
|
5714 |
|
|
5715 |
# TAG: as_whois_server |
# TAG: adaptation_send_client_ip on|off |
5716 |
# WHOIS server to query for AS numbers. NOTE: AS numbers are |
# If enabled, Squid shares HTTP client IP information with adaptation |
5717 |
# queried only when Squid starts up, not for every request. |
# services. For ICAP, Squid adds the X-Client-IP header to ICAP requests. |
5718 |
|
# For eCAP, Squid sets the libecap::metaClientIp transaction option. |
5719 |
# |
# |
5720 |
|
# See also: adaptation_uses_indirect_client |
5721 |
#Default: |
#Default: |
5722 |
# as_whois_server whois.ra.net |
# adaptation_send_client_ip off |
|
# as_whois_server whois.ra.net |
|
5723 |
|
|
5724 |
# TAG: wccp_router |
# TAG: adaptation_send_username on|off |
5725 |
# Use this option to define your WCCP ``home'' router for |
# This sends authenticated HTTP client username (if available) to |
5726 |
# Squid. Setting the 'wccp_router' to 0.0.0.0 (the default) |
# the adaptation service. |
|
# disables WCCP. |
|
5727 |
# |
# |
5728 |
|
# For ICAP, the username value is encoded based on the |
5729 |
|
# icap_client_username_encode option and is sent using the header |
5730 |
|
# specified by the icap_client_username_header option. |
5731 |
#Default: |
#Default: |
5732 |
# wccp_router 0.0.0.0 |
# adaptation_send_username off |
5733 |
|
|
5734 |
# TAG: wccp_version |
# TAG: icap_client_username_header |
5735 |
# According to some users, Cisco IOS 11.2 only supports WCCP |
# ICAP request header name to use for send_username. |
|
# version 3. If you're using that version of IOS, change |
|
|
# this value to 3. |
|
|
# |
|
5736 |
#Default: |
#Default: |
5737 |
# wccp_version 4 |
# icap_client_username_header X-Client-Username |
5738 |
|
|
5739 |
# TAG: wccp_incoming_address |
# TAG: icap_client_username_encode on|off |
5740 |
# TAG: wccp_outgoing_address |
# Whether to base64 encode the authenticated client username. |
5741 |
# wccp_incoming_address Use this option if you require WCCP |
#Default: |
5742 |
# messages to be received on only one |
# icap_client_username_encode off |
5743 |
# interface. Do NOT use this option if |
|
5744 |
# you're unsure how many interfaces you |
# TAG: icap_service |
5745 |
# have, or if you know you have only one |
# Defines a single ICAP service using the following format: |
|
# interface. |
|
5746 |
# |
# |
5747 |
# wccp_outgoing_address Use this option if you require WCCP |
# icap_service id vectoring_point uri [option ...] |
|
# messages to be sent out on only one |
|
|
# interface. Do NOT use this option if |
|
|
# you're unsure how many interfaces you |
|
|
# have, or if you know you have only one |
|
|
# interface. |
|
5748 |
# |
# |
5749 |
# The default behavior is to not bind to any specific address. |
# id: ID |
5750 |
|
# an opaque identifier or name which is used to direct traffic to |
5751 |
|
# this specific service. Must be unique among all adaptation |
5752 |
|
# services in squid.conf. |
5753 |
# |
# |
5754 |
# NOTE, wccp_incoming_address and wccp_outgoing_address can not have |
# vectoring_point: reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache |
5755 |
# the same value since they both use port 2048. |
# This specifies at which point of transaction processing the |
5756 |
|
# ICAP service should be activated. *_postcache vectoring points |
5757 |
|
# are not yet supported. |
5758 |
# |
# |
5759 |
#Default: |
# uri: icap://servername:port/servicepath |
5760 |
# wccp_incoming_address 0.0.0.0 |
# ICAP server and service location. |
|
# wccp_outgoing_address 255.255.255.255 |
|
|
|
|
|
|
|
|
# DELAY POOL PARAMETERS (all require DELAY_POOLS compilation option) |
|
|
# ----------------------------------------------------------------------------- |
|
|
|
|
|
# TAG: delay_pools |
|
|
# This represents the number of delay pools to be used. For example, |
|
|
# if you have one class 2 delay pool and one class 3 delays pool, you |
|
|
# have a total of 2 delay pools. |
|
5761 |
# |
# |
5762 |
# To enable this option, you must use --enable-delay-pools with the |
# ICAP does not allow a single service to handle both REQMOD and RESPMOD |
5763 |
# configure script. |
# transactions. Squid does not enforce that requirement. You can specify |
5764 |
|
# services with the same service_url and different vectoring_points. You |
5765 |
|
# can even specify multiple identical services as long as their |
5766 |
|
# service_names differ. |
5767 |
# |
# |
|
#Default: |
|
|
# delay_pools 0 |
|
|
|
|
|
# TAG: delay_class |
|
|
# This defines the class of each delay pool. There must be exactly one |
|
|
# delay_class line for each delay pool. For example, to define two |
|
|
# delay pools, one of class 2 and one of class 3, the settings above |
|
|
# and here would be: |
|
5768 |
# |
# |
5769 |
#Example: |
# Service options are separated by white space. ICAP services support |
5770 |
# delay_pools 2 # 2 delay pools |
# the following name=value options: |
|
# delay_class 1 2 # pool 1 is a class 2 pool |
|
|
# delay_class 2 3 # pool 2 is a class 3 pool |
|
5771 |
# |
# |
5772 |
# The delay pool classes are: |
# bypass=on|off|1|0 |
5773 |
|
# If set to 'on' or '1', the ICAP service is treated as |
5774 |
|
# optional. If the service cannot be reached or malfunctions, |
5775 |
|
# Squid will try to ignore any errors and process the message as |
5776 |
|
# if the service was not enabled. No all ICAP errors can be |
5777 |
|
# bypassed. If set to 0, the ICAP service is treated as |
5778 |
|
# essential and all ICAP errors will result in an error page |
5779 |
|
# returned to the HTTP client. |
5780 |
# |
# |
5781 |
# class 1 Everything is limited by a single aggregate |
# Bypass is off by default: services are treated as essential. |
|
# bucket. |
|
5782 |
# |
# |
5783 |
# class 2 Everything is limited by a single aggregate |
# routing=on|off|1|0 |
5784 |
# bucket as well as an "individual" bucket chosen |
# If set to 'on' or '1', the ICAP service is allowed to |
5785 |
# from bits 25 through 32 of the IP address. |
# dynamically change the current message adaptation plan by |
5786 |
|
# returning a chain of services to be used next. The services |
5787 |
|
# are specified using the X-Next-Services ICAP response header |
5788 |
|
# value, formatted as a comma-separated list of service names. |
5789 |
|
# Each named service should be configured in squid.conf. Other |
5790 |
|
# services are ignored. An empty X-Next-Services value results |
5791 |
|
# in an empty plan which ends the current adaptation. |
5792 |
# |
# |
5793 |
# class 3 Everything is limited by a single aggregate |
# Dynamic adaptation plan may cross or cover multiple supported |
5794 |
# bucket as well as a "network" bucket chosen |
# vectoring points in their natural processing order. |
|
# from bits 17 through 24 of the IP address and a |
|
|
# "individual" bucket chosen from bits 17 through |
|
|
# 32 of the IP address. |
|
5795 |
# |
# |
5796 |
# NOTE: If an IP address is a.b.c.d |
# Routing is not allowed by default: the ICAP X-Next-Services |
5797 |
# -> bits 25 through 32 are "d" |
# response header is ignored. |
|
# -> bits 17 through 24 are "c" |
|
|
# -> bits 17 through 32 are "c * 256 + d" |
|
5798 |
# |
# |
5799 |
|
# ipv6=on|off |
5800 |
|
# Only has effect on split-stack systems. The default on those systems |
5801 |
|
# is to use IPv4-only connections. When set to 'on' this option will |
5802 |
|
# make Squid use IPv6-only connections to contact this ICAP service. |
5803 |
|
# |
5804 |
|
# on-overload=block|bypass|wait|force |
5805 |
|
# If the service Max-Connections limit has been reached, do |
5806 |
|
# one of the following for each new ICAP transaction: |
5807 |
|
# * block: send an HTTP error response to the client |
5808 |
|
# * bypass: ignore the "over-connected" ICAP service |
5809 |
|
# * wait: wait (in a FIFO queue) for an ICAP connection slot |
5810 |
|
# * force: proceed, ignoring the Max-Connections limit |
5811 |
|
# |
5812 |
|
# In SMP mode with N workers, each worker assumes the service |
5813 |
|
# connection limit is Max-Connections/N, even though not all |
5814 |
|
# workers may use a given service. |
5815 |
|
# |
5816 |
|
# The default value is "bypass" if service is bypassable, |
5817 |
|
# otherwise it is set to "wait". |
5818 |
|
# |
5819 |
|
# |
5820 |
|
# max-conn=number |
5821 |
|
# Use the given number as the Max-Connections limit, regardless |
5822 |
|
# of the Max-Connections value given by the service, if any. |
5823 |
|
# |
5824 |
|
# Older icap_service format without optional named parameters is |
5825 |
|
# deprecated but supported for backward compatibility. |
5826 |
|
# |
5827 |
|
#Example: |
5828 |
|
#icap_service svcBlocker reqmod_precache icap://icap1.mydomain.net:1344/reqmod bypass=0 |
5829 |
|
#icap_service svcLogger reqmod_precache icap://icap2.mydomain.net:1344/respmod routing=on |
5830 |
#Default: |
#Default: |
5831 |
# none |
# none |
5832 |
|
|
5833 |
# TAG: delay_access |
# TAG: icap_class |
5834 |
# This is used to determine which delay pool a request falls into. |
# This deprecated option was documented to define an ICAP service |
5835 |
# The first matched delay pool is always used, i.e., if a request falls |
# chain, even though it actually defined a set of similar, redundant |
5836 |
# into delay pool number one, no more delay are checked, otherwise the |
# services, and the chains were not supported. |
5837 |
# rest are checked in order of their delay pool number until they have |
# |
5838 |
# all been checked. For example, if you want some_big_clients in delay |
# To define a set of redundant services, please use the |
5839 |
# pool 1 and lotsa_little_clients in delay pool 2: |
# adaptation_service_set directive. For service chains, use |
5840 |
# |
# adaptation_service_chain. |
|
#Example: |
|
|
# delay_access 1 allow some_big_clients |
|
|
# delay_access 1 deny all |
|
|
# delay_access 2 allow lotsa_little_clients |
|
|
# delay_access 2 deny all |
|
|
# |
|
5841 |
#Default: |
#Default: |
5842 |
# none |
# none |
5843 |
|
|
5844 |
# TAG: delay_parameters |
# TAG: icap_access |
5845 |
# This defines the parameters for a delay pool. Each delay pool has |
# This option is deprecated. Please use adaptation_access, which |
5846 |
# a number of "buckets" associated with it, as explained in the |
# has the same ICAP functionality, but comes with better |
5847 |
# description of delay_class. For a class 1 delay pool, the syntax is: |
# documentation, and eCAP support. |
5848 |
|
#Default: |
5849 |
|
# none |
5850 |
|
|
5851 |
|
# eCAP OPTIONS |
5852 |
|
# ----------------------------------------------------------------------------- |
5853 |
|
|
5854 |
|
# TAG: ecap_enable on|off |
5855 |
|
# Controls whether eCAP support is enabled. |
5856 |
|
#Default: |
5857 |
|
# ecap_enable off |
5858 |
|
|
5859 |
|
# TAG: ecap_service |
5860 |
|
# Defines a single eCAP service |
5861 |
# |
# |
5862 |
#delay_parameters pool aggregate |
# ecap_service id vectoring_point uri [option ...] |
5863 |
# |
# |
5864 |
# For a class 2 delay pool: |
# id: ID |
5865 |
|
# an opaque identifier or name which is used to direct traffic to |
5866 |
|
# this specific service. Must be unique among all adaptation |
5867 |
|
# services in squid.conf. |
5868 |
# |
# |
5869 |
#delay_parameters pool aggregate individual |
# vectoring_point: reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache |
5870 |
|
# This specifies at which point of transaction processing the |
5871 |
|
# eCAP service should be activated. *_postcache vectoring points |
5872 |
|
# are not yet supported. |
5873 |
# |
# |
5874 |
# For a class 3 delay pool: |
# uri: ecap://vendor/service_name?custom&cgi=style¶meters=optional |
5875 |
|
# Squid uses the eCAP service URI to match this configuration |
5876 |
|
# line with one of the dynamically loaded services. Each loaded |
5877 |
|
# eCAP service must have a unique URI. Obtain the right URI from |
5878 |
|
# the service provider. |
5879 |
# |
# |
|
#delay_parameters pool aggregate network individual |
|
5880 |
# |
# |
5881 |
# The variables here are: |
# Service options are separated by white space. eCAP services support |
5882 |
|
# the following name=value options: |
5883 |
# |
# |
5884 |
# pool a pool number - ie, a number between 1 and the |
# bypass=on|off|1|0 |
5885 |
# number specified in delay_pools as used in |
# If set to 'on' or '1', the eCAP service is treated as optional. |
5886 |
# delay_class lines. |
# If the service cannot be reached or malfunctions, Squid will try |
5887 |
|
# to ignore any errors and process the message as if the service |
5888 |
|
# was not enabled. No all eCAP errors can be bypassed. |
5889 |
|
# If set to 'off' or '0', the eCAP service is treated as essential |
5890 |
|
# and all eCAP errors will result in an error page returned to the |
5891 |
|
# HTTP client. |
5892 |
# |
# |
5893 |
# aggregate the "delay parameters" for the aggregate bucket |
# Bypass is off by default: services are treated as essential. |
|
# (class 1, 2, 3). |
|
5894 |
# |
# |
5895 |
# individual the "delay parameters" for the individual |
# routing=on|off|1|0 |
5896 |
# buckets (class 2, 3). |
# If set to 'on' or '1', the eCAP service is allowed to |
5897 |
|
# dynamically change the current message adaptation plan by |
5898 |
|
# returning a chain of services to be used next. |
5899 |
# |
# |
5900 |
# network the "delay parameters" for the network buckets |
# Dynamic adaptation plan may cross or cover multiple supported |
5901 |
# (class 3). |
# vectoring points in their natural processing order. |
5902 |
# |
# |
5903 |
# A pair of delay parameters is written restore/maximum, where restore is |
# Routing is not allowed by default. |
|
# the number of bytes (not bits - modem and network speeds are usually |
|
|
# quoted in bits) per second placed into the bucket, and maximum is the |
|
|
# maximum number of bytes which can be in the bucket at any time. |
|
5904 |
# |
# |
5905 |
# For example, if delay pool number 1 is a class 2 delay pool as in the |
# Older ecap_service format without optional named parameters is |
5906 |
# above example, and is being used to strictly limit each host to 64kbps |
# deprecated but supported for backward compatibility. |
|
# (plus overheads), with no overall limit, the line is: |
|
5907 |
# |
# |
|
#delay_parameters 1 -1/-1 8000/8000 |
|
5908 |
# |
# |
5909 |
# Note that the figure -1 is used to represent "unlimited". |
#Example: |
5910 |
|
#ecap_service s1 reqmod_precache ecap://filters.R.us/leakDetector?on_error=block bypass=off |
5911 |
|
#ecap_service s2 respmod_precache ecap://filters.R.us/virusFilter config=/etc/vf.cfg bypass=on |
5912 |
|
#Default: |
5913 |
|
# none |
5914 |
|
|
5915 |
|
# TAG: loadable_modules |
5916 |
|
# Instructs Squid to load the specified dynamic module(s) or activate |
5917 |
|
# preloaded module(s). |
5918 |
|
#Example: |
5919 |
|
#loadable_modules /usr/lib/MinimalAdapter.so |
5920 |
|
#Default: |
5921 |
|
# none |
5922 |
|
|
5923 |
|
# MESSAGE ADAPTATION OPTIONS |
5924 |
|
# ----------------------------------------------------------------------------- |
5925 |
|
|
5926 |
|
# TAG: adaptation_service_set |
5927 |
# |
# |
5928 |
# And, if delay pool number 2 is a class 3 delay pool as in the above |
# Configures an ordered set of similar, redundant services. This is |
5929 |
# example, and you want to limit it to a total of 256kbps (strict limit) |
# useful when hot standby or backup adaptation servers are available. |
|
# with each 8-bit network permitted 64kbps (strict limit) and each |
|
|
# individual host permitted 4800bps with a bucket maximum size of 64kb |
|
|
# to permit a decent web page to be downloaded at a decent speed |
|
|
# (if the network is not being limited due to overuse) but slow down |
|
|
# large downloads more significantly: |
|
5930 |
# |
# |
5931 |
#delay_parameters 2 32000/32000 8000/8000 600/64000 |
# adaptation_service_set set_name service_name1 service_name2 ... |
5932 |
# |
# |
5933 |
# There must be one delay_parameters line for each delay pool. |
# The named services are used in the set declaration order. The first |
5934 |
|
# applicable adaptation service from the set is used first. The next |
5935 |
|
# applicable service is tried if and only if the transaction with the |
5936 |
|
# previous service fails and the message waiting to be adapted is still |
5937 |
|
# intact. |
5938 |
|
# |
5939 |
|
# When adaptation starts, broken services are ignored as if they were |
5940 |
|
# not a part of the set. A broken service is a down optional service. |
5941 |
|
# |
5942 |
|
# The services in a set must be attached to the same vectoring point |
5943 |
|
# (e.g., pre-cache) and use the same adaptation method (e.g., REQMOD). |
5944 |
|
# |
5945 |
|
# If all services in a set are optional then adaptation failures are |
5946 |
|
# bypassable. If all services in the set are essential, then a |
5947 |
|
# transaction failure with one service may still be retried using |
5948 |
|
# another service from the set, but when all services fail, the master |
5949 |
|
# transaction fails as well. |
5950 |
|
# |
5951 |
|
# A set may contain a mix of optional and essential services, but that |
5952 |
|
# is likely to lead to surprising results because broken services become |
5953 |
|
# ignored (see above), making previously bypassable failures fatal. |
5954 |
|
# Technically, it is the bypassability of the last failed service that |
5955 |
|
# matters. |
5956 |
|
# |
5957 |
|
# See also: adaptation_access adaptation_service_chain |
5958 |
# |
# |
5959 |
|
#Example: |
5960 |
|
#adaptation_service_set svcBlocker urlFilterPrimary urlFilterBackup |
5961 |
|
#adaptation service_set svcLogger loggerLocal loggerRemote |
5962 |
#Default: |
#Default: |
5963 |
# none |
# none |
5964 |
|
|
5965 |
# TAG: delay_initial_bucket_level (percent, 0-100) |
# TAG: adaptation_service_chain |
|
# The initial bucket percentage is used to determine how much is put |
|
|
# in each bucket when squid starts, is reconfigured, or first notices |
|
|
# a host accessing it (in class 2 and class 3, individual hosts and |
|
|
# networks only have buckets associated with them once they have been |
|
|
# "seen" by squid). |
|
5966 |
# |
# |
5967 |
#Default: |
# Configures a list of complementary services that will be applied |
5968 |
# delay_initial_bucket_level 50 |
# one-by-one, forming an adaptation chain or pipeline. This is useful |
5969 |
|
# when Squid must perform different adaptations on the same message. |
|
# TAG: incoming_icp_average |
|
|
# TAG: incoming_http_average |
|
|
# TAG: incoming_dns_average |
|
|
# TAG: min_icp_poll_cnt |
|
|
# TAG: min_dns_poll_cnt |
|
|
# TAG: min_http_poll_cnt |
|
|
# Heavy voodoo here. I can't even believe you are reading this. |
|
|
# Are you crazy? Don't even think about adjusting these unless |
|
|
# you understand the algorithms in comm_select.c first! |
|
5970 |
# |
# |
5971 |
#Default: |
# adaptation_service_chain chain_name service_name1 svc_name2 ... |
|
# incoming_icp_average 6 |
|
|
# incoming_http_average 4 |
|
|
# incoming_dns_average 4 |
|
|
# min_icp_poll_cnt 8 |
|
|
# min_dns_poll_cnt 8 |
|
|
# min_http_poll_cnt 8 |
|
|
|
|
|
# TAG: max_open_disk_fds |
|
|
# To avoid having disk as the I/O bottleneck Squid can optionally |
|
|
# bypass the on-disk cache if more than this amount of disk file |
|
|
# descriptors are open. |
|
5972 |
# |
# |
5973 |
# A value of 0 indicates no limit. |
# The named services are used in the chain declaration order. The first |
5974 |
|
# applicable adaptation service from the chain is used first. The next |
5975 |
|
# applicable service is applied to the successful adaptation results of |
5976 |
|
# the previous service in the chain. |
5977 |
# |
# |
5978 |
#Default: |
# When adaptation starts, broken services are ignored as if they were |
5979 |
# max_open_disk_fds 0 |
# not a part of the chain. A broken service is a down optional service. |
|
|
|
|
# TAG: offline_mode |
|
|
# Enable this option and Squid will never try to validate cached |
|
|
# objects. |
|
5980 |
# |
# |
5981 |
#Default: |
# Request satisfaction terminates the adaptation chain because Squid |
5982 |
# offline_mode off |
# does not currently allow declaration of RESPMOD services at the |
5983 |
|
# "reqmod_precache" vectoring point (see icap_service or ecap_service). |
|
# TAG: uri_whitespace |
|
|
# What to do with requests that have whitespace characters in the |
|
|
# URI. Options: |
|
5984 |
# |
# |
5985 |
# strip: The whitespace characters are stripped out of the URL. |
# The services in a chain must be attached to the same vectoring point |
5986 |
# This is the behavior recommended by RFC2616. |
# (e.g., pre-cache) and use the same adaptation method (e.g., REQMOD). |
5987 |
# deny: The request is denied. The user receives an "Invalid |
# |
5988 |
# Request" message. |
# A chain may contain a mix of optional and essential services. If an |
5989 |
# allow: The request is allowed and the URI is not changed. The |
# essential adaptation fails (or the failure cannot be bypassed for |
5990 |
# whitespace characters remain in the URI. Note the |
# other reasons), the master transaction fails. Otherwise, the failure |
5991 |
# whitespace is passed to redirector processes if they |
# is bypassed as if the failed adaptation service was not in the chain. |
5992 |
# are in use. |
# |
5993 |
# encode: The request is allowed and the whitespace characters are |
# See also: adaptation_access adaptation_service_set |
|
# encoded according to RFC1738. This could be considered |
|
|
# a violation of the HTTP/1.1 |
|
|
# RFC because proxies are not allowed to rewrite URI's. |
|
|
# chop: The request is allowed and the URI is chopped at the |
|
|
# first whitespace. This might also be considered a |
|
|
# violation. |
|
5994 |
# |
# |
5995 |
|
#Example: |
5996 |
|
#adaptation_service_chain svcRequest requestLogger urlFilter leakDetector |
5997 |
#Default: |
#Default: |
5998 |
# uri_whitespace strip |
# none |
5999 |
|
|
6000 |
# TAG: broken_posts |
# TAG: adaptation_access |
6001 |
# A list of ACL elements which, if matched, causes Squid to send |
# Sends an HTTP transaction to an ICAP or eCAP adaptation service. |
|
# a extra CRLF pair after the body of a PUT/POST request. |
|
6002 |
# |
# |
6003 |
# Some HTTP servers has broken implementations of PUT/POST, |
# adaptation_access service_name allow|deny [!]aclname... |
6004 |
# and rely on a extra CRLF pair sent by some WWW clients. |
# adaptation_access set_name allow|deny [!]aclname... |
6005 |
# |
# |
6006 |
# Quote from RFC 2068 section 4.1 on this matter: |
# At each supported vectoring point, the adaptation_access |
6007 |
|
# statements are processed in the order they appear in this |
6008 |
|
# configuration file. Statements pointing to the following services |
6009 |
|
# are ignored (i.e., skipped without checking their ACL): |
6010 |
|
# |
6011 |
|
# - services serving different vectoring points |
6012 |
|
# - "broken-but-bypassable" services |
6013 |
|
# - "up" services configured to ignore such transactions |
6014 |
|
# (e.g., based on the ICAP Transfer-Ignore header). |
6015 |
|
# |
6016 |
|
# When a set_name is used, all services in the set are checked |
6017 |
|
# using the same rules, to find the first applicable one. See |
6018 |
|
# adaptation_service_set for details. |
6019 |
|
# |
6020 |
|
# If an access list is checked and there is a match, the |
6021 |
|
# processing stops: For an "allow" rule, the corresponding |
6022 |
|
# adaptation service is used for the transaction. For a "deny" |
6023 |
|
# rule, no adaptation service is activated. |
6024 |
# |
# |
6025 |
# Note: certain buggy HTTP/1.0 client implementations generate an |
# It is currently not possible to apply more than one adaptation |
6026 |
# extra CRLF's after a POST request. To restate what is explicitly |
# service at the same vectoring point to the same HTTP transaction. |
|
# forbidden by the BNF, an HTTP/1.1 client must not preface or follow |
|
|
# a request with an extra CRLF. |
|
6027 |
# |
# |
6028 |
#Example: |
# See also: icap_service and ecap_service |
|
# acl buggy_server url_regex ^http://.... |
|
|
# broken_posts allow buggy_server |
|
6029 |
# |
# |
6030 |
|
#Example: |
6031 |
|
#adaptation_access service_1 allow all |
6032 |
#Default: |
#Default: |
6033 |
# none |
# none |
6034 |
|
|
6035 |
# TAG: mcast_miss_addr |
# TAG: adaptation_service_iteration_limit |
6036 |
# Note: This option is only available if Squid is rebuilt with the |
# Limits the number of iterations allowed when applying adaptation |
6037 |
# -DMULTICAST_MISS_STREAM option |
# services to a message. If your longest adaptation set or chain |
6038 |
|
# may have more than 16 services, increase the limit beyond its |
6039 |
|
# default value of 16. If detecting infinite iteration loops sooner |
6040 |
|
# is critical, make the iteration limit match the actual number |
6041 |
|
# of services in your longest adaptation set or chain. |
6042 |
|
# |
6043 |
|
# Infinite adaptation loops are most likely with routing services. |
6044 |
|
# |
6045 |
|
# See also: icap_service routing=1 |
6046 |
|
#Default: |
6047 |
|
# adaptation_service_iteration_limit 16 |
6048 |
|
|
6049 |
|
# TAG: adaptation_masterx_shared_names |
6050 |
|
# For each master transaction (i.e., the HTTP request and response |
6051 |
|
# sequence, including all related ICAP and eCAP exchanges), Squid |
6052 |
|
# maintains a table of metadata. The table entries are (name, value) |
6053 |
|
# pairs shared among eCAP and ICAP exchanges. The table is destroyed |
6054 |
|
# with the master transaction. |
6055 |
|
# |
6056 |
|
# This option specifies the table entry names that Squid must accept |
6057 |
|
# from and forward to the adaptation transactions. |
6058 |
|
# |
6059 |
|
# An ICAP REQMOD or RESPMOD transaction may set an entry in the |
6060 |
|
# shared table by returning an ICAP header field with a name |
6061 |
|
# specified in adaptation_masterx_shared_names. |
6062 |
|
# |
6063 |
|
# An eCAP REQMOD or RESPMOD transaction may set an entry in the |
6064 |
|
# shared table by implementing the libecap::visitEachOption() API |
6065 |
|
# to provide an option with a name specified in |
6066 |
|
# adaptation_masterx_shared_names. |
6067 |
# |
# |
6068 |
# If you enable this option, every "cache miss" URL will |
# Squid will store and forward the set entry to subsequent adaptation |
6069 |
# be sent out on the specified multicast address. |
# transactions within the same master transaction scope. |
6070 |
# |
# |
6071 |
# Do not enable this option unless you are are absolutely |
# Only one shared entry name is supported at this time. |
|
# certain you understand what you are doing. |
|
6072 |
# |
# |
6073 |
|
#Example: |
6074 |
|
## share authentication information among ICAP services |
6075 |
|
#adaptation_masterx_shared_names X-Subscriber-ID |
6076 |
#Default: |
#Default: |
6077 |
# mcast_miss_addr 255.255.255.255 |
# none |
6078 |
|
|
6079 |
# TAG: adaptation_meta
# This option allows the Squid administrator to add custom ICAP request
# headers or eCAP options to Squid ICAP requests or eCAP transactions.
# Use it to pass custom authentication tokens and other
# transaction-state related meta information to an ICAP/eCAP service.
#
# The addition of a meta header is ACL-driven:
#     adaptation_meta name value [!]aclname ...
#
# Processing for a given header name stops after the first ACL list match.
# Thus, it is impossible to add two headers with the same name. If no ACL
# lists match for a given header name, no such header is added. For
# example:
#
#     # do not debug transactions except for those that need debugging
#     adaptation_meta X-Debug 1 needs_debugging
#
#     # log all transactions except for those that must remain secret
#     adaptation_meta X-Log 1 !keep_secret
#
#     # mark transactions from users in the "G 1" group
#     adaptation_meta X-Authenticated-Groups "G 1" authed_as_G1
#
# The "value" parameter may be a regular squid.conf token or a "double
# quoted string". Within the quoted string, use backslash (\) to escape
# any character, which is currently only useful for escaping backslashes
# and double quotes. For example,
#     "this string has one backslash (\\) and two \"quotes\""
#Default:
# none
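Added example (not Squid's own code) of the rule format just described: a tokenizer for the double-quoted value syntax with backslash escapes, and the first-match-per-header-name selection, run over a constructed configuration built from the examples above. The ACL names are treated as an opaque set of "matched" names, and the second X-Authenticated-Groups line and the X-Note line are additions to show the semantics.

```python
from typing import Dict, List, Set, Tuple

# Constructed configuration built from the examples in the directive text;
# the second X-Authenticated-Groups rule and X-Note are added for illustration.
CONF_SAMPLE = r"""
# do not debug transactions except for those that need debugging
adaptation_meta X-Debug 1 needs_debugging

# log all transactions except for those that must remain secret
adaptation_meta X-Log 1 !keep_secret

# mark transactions from users in the "G 1" group
adaptation_meta X-Authenticated-Groups "G 1" authed_as_G1
adaptation_meta X-Authenticated-Groups "G 2" authed_as_G2

# quoted value with an escaped backslash and escaped quotes
adaptation_meta X-Note "one backslash (\\) and two \"quotes\"" all
"""

Acl = Tuple[bool, str]                    # (negated, acl name)
Rule = Tuple[str, str, List[Acl]]         # (header name, value, acl list)


def tokenize_conf_line(line: str) -> List[str]:
    """Split a squid.conf line into tokens. A token may be a "double quoted
    string" in which a backslash escapes the next character."""
    tokens: List[str] = []
    buf: List[str] = []
    in_quotes = False
    i = 0
    while i < len(line):
        c = line[i]
        if in_quotes:
            if c == "\\" and i + 1 < len(line):
                buf.append(line[i + 1])    # escaped character, taken literally
                i += 2
                continue
            if c == '"':                   # closing quote ends the token
                in_quotes = False
                tokens.append("".join(buf))
                buf = []
            else:
                buf.append(c)
        elif c == '"' and not buf:         # opening quote at token start
            in_quotes = True
        elif c.isspace():
            if buf:
                tokens.append("".join(buf))
                buf = []
        else:
            buf.append(c)
        i += 1
    if in_quotes:
        raise ValueError("unterminated quoted string: " + line)
    if buf:
        tokens.append("".join(buf))
    return tokens


def parse_adaptation_meta(conf: str) -> List[Rule]:
    """Collect adaptation_meta rules in configuration order."""
    rules: List[Rule] = []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = tokenize_conf_line(line)
        if tokens[0] != "adaptation_meta":
            continue
        if len(tokens) < 4:
            raise ValueError("adaptation_meta needs name, value and an ACL: " + line)
        acls = [(t.startswith("!"), t.lstrip("!")) for t in tokens[3:]]
        rules.append((tokens[1], tokens[2], acls))
    return rules


def select_meta_headers(rules: List[Rule], matched: Set[str]) -> Dict[str, str]:
    """Return the headers to add for one transaction, given the set of ACL
    names that match it (the built-in "all" ACL is just a name here). An ACL
    list matches when every entry matches, honouring "!" negation, and
    processing of a header name stops at its first matching rule."""
    headers: Dict[str, str] = {}
    for name, value, acls in rules:
        if name in headers:
            continue                       # an earlier rule for this name already matched
        if all((acl in matched) != negated for negated, acl in acls):
            headers[name] = value
    return headers


if __name__ == "__main__":
    rules = parse_adaptation_meta(CONF_SAMPLE)
    print(select_meta_headers(rules, {"authed_as_G1", "authed_as_G2", "all"}))
```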
|
# TAG: icap_retry
# This ACL determines which retriable ICAP transactions are
# retried. Transactions that received a complete ICAP response
# and did not have to consume or produce HTTP bodies to receive
# that response are usually retriable.
#
#     icap_retry allow|deny [!]aclname ...
#
# Squid automatically retries some ICAP I/O timeouts and errors
# due to persistent connection race conditions.
#
# See also: icap_retry_limit
#Default:
# icap_retry deny all

# TAG: icap_retry_limit
# Limits the number of retries allowed. When set to zero (default),
# no retries are allowed.
#
# Communication errors due to persistent connection race
# conditions are unavoidable, automatically retried, and do not
# count against this limit.
#
# See also: icap_retry
#Default:
# icap_retry_limit 0

# DNS OPTIONS
# -----------------------------------------------------------------------------

# TAG: check_hostnames
# For security and stability reasons Squid can check
# hostnames for Internet standard RFC compliance. If you want
# Squid to perform these checks turn this directive on.
#Default:
# check_hostnames off

# TAG: allow_underscore
# Underscore characters are not strictly allowed in Internet hostnames
# but are nevertheless used by many sites. Set this to off if you want
# Squid to be strict about the standard.
# This check is performed only when check_hostnames is set to on.
#Default:
# allow_underscore on
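A hostname check modelled on what check_hostnames and allow_underscore describe, as an added example rather than Squid's own validation code; the label and total length limits, the permitted characters and the no-leading/trailing-hyphen rule are the usual RFC 1035/1123 constraints and are an assumption here.

```python
import re

# Added illustration of the check_hostnames / allow_underscore semantics.
# Not Squid's code: the 63-byte label limit, 253-byte name limit, allowed
# character set and hyphen placement rule are assumed RFC 1035/1123 values.
LABEL_MAX = 63
NAME_MAX = 253


def hostname_is_valid(hostname: str,
                      check_hostnames: bool = False,
                      allow_underscore: bool = True) -> bool:
    """Return True if the name is acceptable under the configured checks.

    With check_hostnames off (Squid's default) every name is accepted,
    which is why the directive text says the underscore rule is only
    applied when check_hostnames is on.
    """
    if not check_hostnames:
        return True
    name = hostname.rstrip(".")            # a trailing dot marks an absolute name
    if not name or len(name) > NAME_MAX:
        return False
    # Hyphen is placed last in the class so it is a literal, never a range.
    label_re = re.compile("[A-Za-z0-9" + ("_" if allow_underscore else "") + "-]+")
    for label in name.split("."):
        if not label or len(label) > LABEL_MAX:
            return False                   # empty label ("a..b") or over-long label
        if not label_re.fullmatch(label):
            return False                   # forbidden character, e.g. '_' when strict
        if label.startswith("-") or label.endswith("-"):
            return False
    return True


if __name__ == "__main__":
    for host in ("www.example.com", "my_host.example.com", "-bad.example.com"):
        print(host, hostname_is_valid(host, check_hostnames=True, allow_underscore=False))
```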
|
# TAG: cache_dns_program
# Note: This option is only available if Squid is rebuilt with the
# --disable-internal-dns
#
# Specify the location of the executable for dnslookup process.
#Default:
# cache_dns_program /usr/lib64/squid/dnsserver

# TAG: dns_children
# Note: This option is only available if Squid is rebuilt with the
# --disable-internal-dns
#
# The maximum number of processes spawned to service DNS name lookups.
# If you limit it to too few, Squid will have to wait for them to process
# a backlog of requests, slowing it down. If you allow too many they
# will use RAM and other system resources noticeably.
# The maximum this may be safely set to is 32.
#
# The startup= and idle= options allow some measure of skew in your
# tuning.
#
#     startup=
#
# Sets a minimum of how many processes are to be spawned when Squid
# starts or reconfigures. When set to zero the first request will
# cause spawning of the first child process to handle it.
#
# Starting too few will cause an initial slowdown in traffic as Squid
# attempts to simultaneously spawn enough processes to cope.
#
#     idle=
#
# Sets a minimum of how many processes Squid is to try and keep available
# at all times. When traffic begins to rise above what the existing
# processes can handle this many more will be spawned up to the maximum
# configured. A minimum setting of 1 is required.
#Default:
# dns_children 32 startup=1 idle=1

# TAG: dns_retransmit_interval
# Initial retransmit interval for DNS queries. The interval is
# doubled each time all configured DNS servers have been tried.
#Default:
# dns_retransmit_interval 5 seconds

# TAG: dns_timeout
# DNS Query timeout. If no response is received to a DNS query
# within this time all DNS servers for the queried domain
# are assumed to be unavailable.
#Default:
# dns_timeout 30 seconds

# TAG: dns_packet_max
# Maximum number of bytes packet size to advertise via EDNS.
# Set to "none" to disable EDNS large packet support.
#
# For legacy reasons DNS UDP replies will default to 512 bytes which
# is too small for many responses. EDNS provides a means for Squid to
# negotiate receiving larger responses back immediately without having
# to failover with repeat requests. Responses larger than this limit
# will retain the old behaviour of failover to TCP DNS.
#
# Squid has no real fixed limit internally, but allowing packet sizes
# over 1500 bytes requires network jumbogram support and is usually not
# necessary.
#
# WARNING: The RFC also indicates that some older resolvers will reply
# with failure of the whole request if the extension is added. Some
# resolvers have already been identified which will reply with mangled
# EDNS response on occasion, usually in response to many-KB jumbogram
# sizes being advertised by Squid.
# Squid will currently treat these both as an unable-to-resolve domain
# even if it would be resolvable without EDNS.
#Default:
# none

# TAG: dns_defnames on|off
# Normally the RES_DEFNAMES resolver option is disabled
# (see res_init(3)). This prevents caches in a hierarchy
# from interpreting single-component hostnames locally. To allow
# Squid to handle single-component names, enable this option.
#Default:
# dns_defnames off

# TAG: dns_nameservers
# Use this if you want to specify a list of DNS name servers
# (IP addresses) to use instead of those given in your
# /etc/resolv.conf file.
# On Windows platforms, if no value is specified here or in
# the /etc/resolv.conf file, the list of DNS name servers is
# taken from the Windows registry; both static and dynamic DHCP
# configurations are supported.
#
# Example: dns_nameservers 10.0.0.1 192.172.0.4
#Default:
# none

# TAG: hosts_file
# Location of the host-local IP name-address associations
# database. Most Operating Systems have such a file on different
# default locations:
# - Un*X & Linux: /etc/hosts
# - Windows NT/2000: %SystemRoot%\system32\drivers\etc\hosts
#   (%SystemRoot% value install default is c:\winnt)
# - Windows XP/2003: %SystemRoot%\system32\drivers\etc\hosts
#   (%SystemRoot% value install default is c:\windows)
# - Windows 9x/Me: %windir%\hosts
#   (%windir% value is usually c:\windows)
# - Cygwin: /etc/hosts
#
# The file contains newline-separated definitions, in the
# form ip_address_in_dotted_form name [name ...]; names are
# whitespace-separated. Lines beginning with a hash (#)
# character are comments.
#
# The file is checked at startup and upon configuration.
# If set to 'none', it won't be checked.
# If append_domain is used, that domain will be added to
# domain-local (i.e. not containing any dot character) host
# definitions.
#Default:
# hosts_file /etc/hosts

# TAG: append_domain
# Appends local domain name to hostnames without any dots in
# them. append_domain must begin with a period.
#
# Be warned there are now Internet names with no dots in
# them using only top-domain names, so setting this may
# cause some Internet sites to become unavailable.
#
#Example:
# append_domain .yourdomain.com
#Default:
# none
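A parser for the hosts_file format described above, including the append_domain qualification of dotless names, written here as an added example (not Squid's own parser); the constructed sample file, the "first definition wins" rule and the skipping of lines whose address does not parse are assumptions of this example.

```python
import ipaddress
from typing import Dict

# Constructed sample in the hosts_file format described above.
HOSTS_SAMPLE = """\
# constructed sample hosts file
127.0.0.1   localhost
10.0.0.5    intranet wiki
10.0.0.6    printer.corp.example.com printer
not-an-ip   bogus
"""


def parse_hosts_file(text: str, append_domain: str = "") -> Dict[str, str]:
    """Build a name -> address table from hosts_file text.

    Each definition is "ip name [name ...]"; lines beginning with '#' are
    comments. With append_domain set (it must begin with a period), the
    domain is appended to names containing no dot, as the directive
    describes. Added example, not Squid's parser: treating the first
    definition of a name as authoritative and skipping lines whose address
    does not parse are assumptions made here.
    """
    if append_domain and not append_domain.startswith("."):
        raise ValueError("append_domain must begin with a period")
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()              # names are whitespace-separated
        try:
            address = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                       # malformed address: ignore the line
        for name in fields[1:]:
            key = name.lower()
            if append_domain and "." not in key:
                key += append_domain.lower()
            table.setdefault(key, address)
    return table


def lookup(table: Dict[str, str], name: str, append_domain: str = "") -> str:
    """Resolve a queried name: a dotless query is qualified with append_domain
    before the table is consulted. Returns "" when the name is not local."""
    key = name.lower().rstrip(".")
    if append_domain and "." not in key:
        key += append_domain.lower()
    return table.get(key, "")


if __name__ == "__main__":
    table = parse_hosts_file(HOSTS_SAMPLE, ".corp.example.com")
    print(table)
    print(lookup(table, "intranet", ".corp.example.com"))
```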
# TAG: ignore_unknown_nameservers
# By default Squid checks that DNS responses are received
# from the same IP addresses they are sent to. If they
# don't match, Squid ignores the response and writes a warning
# message to cache.log. You can allow responses from unknown
# nameservers by setting this option to 'off'.
#Default:
# ignore_unknown_nameservers on

# TAG: dns_v4_first
# With the IPv6 Internet being as fast or faster than IPv4 Internet
# for most networks Squid prefers to contact websites over IPv6.
#
# This option reverses the order of preference to make Squid contact
# dual-stack websites over IPv4 first. Squid will still perform both
# IPv6 and IPv4 DNS lookups before connecting.
#
# WARNING:
# This option will restrict the situations under which IPv6
# connectivity is used (and tested), hiding network problems
# which would otherwise be detected and warned about.
#Default:
# dns_v4_first off

# TAG: ipcache_size (number of entries)
#Default:
# ipcache_size 1024

# TAG: ipcache_low (percent)
#Default:
# ipcache_low 90

# TAG: ipcache_high (percent)
# The size, low-, and high-water marks for the IP cache.
#Default:
# ipcache_high 95

# TAG: fqdncache_size (number of entries)
# Maximum number of FQDN cache entries.
#Default:
# fqdncache_size 1024

# MISCELLANEOUS
# -----------------------------------------------------------------------------

|
# TAG: memory_pools on|off
# If set, Squid will keep pools of allocated (but unused) memory
# available for future use. If memory is a premium on your
# system and you believe your malloc library outperforms Squid
# routines, disable this.
#Default:
# memory_pools on

# TAG: memory_pools_limit (bytes)
# Used only with memory_pools on:
#     memory_pools_limit 50 MB
#
# If set to a non-zero value, Squid will keep at most the specified
# limit of allocated (but unused) memory in memory pools. All free()
# requests that exceed this limit will be handled by your malloc
# library. Squid does not pre-allocate any memory, just safe-keeps
# objects that otherwise would be free()d. Thus, it is safe to set
# memory_pools_limit to a reasonably high value even if your
# configuration will use less memory.
#
# If set to none, Squid will keep all memory it can. That is, there
# will be no limit on the total amount of memory used for safe-keeping.
#
# To disable memory allocation optimization, do not set
# memory_pools_limit to 0 or none. Set memory_pools to "off" instead.
#
# An overhead for maintaining memory pools is not taken into account
# when the limit is checked. This overhead is close to four bytes per
# object kept. However, pools may actually _save_ memory because of
# reduced memory thrashing in your malloc library.
#Default:
# memory_pools_limit 5 MB

# TAG: forwarded_for on|off|transparent|truncate|delete
# If set to "on", Squid will append your client's IP address
# in the HTTP requests it forwards. By default it looks like:
#
#     X-Forwarded-For: 192.1.2.3
#
# If set to "off", it will appear as
#
#     X-Forwarded-For: unknown
#
# If set to "transparent", Squid will not alter the
# X-Forwarded-For header in any way.
#
# If set to "delete", Squid will delete the entire
# X-Forwarded-For header.
#
# If set to "truncate", Squid will remove all existing
# X-Forwarded-For entries, and place the client IP as the sole entry.
#Default:
# forwarded_for on
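The five forwarded_for modes applied to one forwarded request, as an added example modelled on the directive text rather than Squid's implementation. The incoming header value is whatever the client (or an upstream hop) sent and is not trustworthy; the example makes visible which modes relay it and which do not. The client address is the one from the directive text; the incoming value is constructed.

```python
from typing import List, Optional

# Added example modelling the forwarded_for modes; not Squid's code.
# The ", " list separator matches the directive's own example style.


def forwarded_for_header(incoming: Optional[str], client_ip: str,
                         mode: str = "on") -> Optional[str]:
    """Return the X-Forwarded-For value to send to the next hop, or None
    when the header is removed entirely. `incoming` is the value received
    from the client (None when absent) and is attacker-controllable."""
    if mode == "on":                       # append the real client address
        return f"{incoming}, {client_ip}" if incoming else client_ip
    if mode == "off":                      # append "unknown" instead of the address
        return f"{incoming}, unknown" if incoming else "unknown"
    if mode == "transparent":              # pass the header through untouched
        return incoming
    if mode == "delete":                   # drop the header altogether
        return None
    if mode == "truncate":                 # discard client-supplied entries
        return client_ip
    raise ValueError(f"unknown forwarded_for mode: {mode}")


def relayed_entries(incoming: Optional[str], client_ip: str, mode: str) -> List[str]:
    """List of entries the next hop will see; entries other than the one
    this proxy appended originate from the client and should not be trusted."""
    value = forwarded_for_header(incoming, client_ip, mode)
    return [e.strip() for e in value.split(",")] if value else []


if __name__ == "__main__":
    for mode in ("on", "off", "transparent", "delete", "truncate"):
        print(f"{mode:12} {forwarded_for_header('203.0.113.9', '192.1.2.3', mode)!r}")
```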
# TAG: cachemgr_passwd
# Specify passwords for cachemgr operations.
#
# Usage: cachemgr_passwd password action action ...
#
# Some valid actions are (see cache manager menu for a full list):
#     5min
#     60min
#     asndb
#     authenticator
#     cbdata
#     client_list
#     comm_incoming
#     config *
#     counters
#     delay
#     digest_stats
#     dns
#     events
#     filedescriptors
#     fqdncache
#     histograms
#     http_headers
#     info
#     io
#     ipcache
#     mem
#     menu
#     netdb
#     non_peers
#     objects
#     offline_toggle *
#     pconn
#     peer_select
#     reconfigure *
#     redirector
#     refresh
#     server_list
#     shutdown *
#     store_digest
#     storedir
#     utilization
#     via_headers
#     vm_objects
#
# * Indicates actions which will not be performed without a
# valid password, others can be performed if not listed here.
#
# To disable an action, set the password to "disable".
# To allow performing an action without a password, set the
# password to "none".
#
# Use the keyword "all" to set the same password for all actions.
#
#Example:
# cachemgr_passwd secret shutdown
# cachemgr_passwd lesssssssecret info stats/objects
# cachemgr_passwd disable all
#Default:
# none

# TAG: client_db on|off
# If you want to disable collecting per-client statistics,
# turn off client_db here.
#Default:
# client_db on

# TAG: refresh_all_ims on|off
# When you enable this option, squid will always check
# the origin server for an update when a client sends an
# If-Modified-Since request. Many browsers use IMS
# requests when the user requests a reload, and this
# ensures those clients receive the latest version.
#
# By default (off), squid may return a Not Modified response
# based on the age of the cached version.
#Default:
# refresh_all_ims off

# TAG: reload_into_ims on|off
# When you enable this option, client no-cache or ``reload''
# requests will be changed to If-Modified-Since requests.
# Doing this VIOLATES the HTTP standard. Enabling this
# feature could make you liable for problems which it
# causes.
#
# see also refresh_pattern for a more selective approach.
#Default:
# reload_into_ims off

# TAG: connect_retries
# This sets the maximum number of connection attempts made for each
# TCP connection. The connect_retries attempts must all still
# complete within the connection timeout period.
#
# The default is not to re-try if the first connection attempt fails.
# The (not recommended) maximum is 10 tries.
#
# A warning message will be generated if it is set to a too-high
# value and the configured value will be over-ridden.
#
# Note: These re-tries are in addition to forward_max_tries
# which limits how many different addresses may be tried to find
# a useful server.
#Default:
# connect_retries 0

# TAG: retry_on_error
# If set to ON Squid will automatically retry requests when
# receiving an error response with status 403 (Forbidden),
# 500 (Internal Error), 501 or 503 (Service not available).
# Status 502 and 504 (Gateway errors) are always retried.
#
# This is mainly useful if you are in a complex cache hierarchy to
# work around access control errors.
#
# NOTE: This retry will attempt to find another working destination,
# which is different from the server which just failed.
#Default:
# retry_on_error off

# TAG: as_whois_server
# WHOIS server to query for AS numbers. NOTE: AS numbers are
# queried only when Squid starts up, not for every request.
#Default:
# as_whois_server whois.ra.net

# TAG: offline_mode
# Enable this option and Squid will never try to validate cached
# objects.
#Default:
# offline_mode off

# TAG: uri_whitespace
# What to do with requests that have whitespace characters in the
# URI. Options:
#
# strip:  The whitespace characters are stripped out of the URL.
#         This is the behavior recommended by RFC2396.
# deny:   The request is denied. The user receives an "Invalid
#         Request" message.
# allow:  The request is allowed and the URI is not changed. The
#         whitespace characters remain in the URI. Note the
#         whitespace is passed to redirector processes if they
#         are in use.
# encode: The request is allowed and the whitespace characters are
#         encoded according to RFC1738. This could be considered
#         a violation of the HTTP/1.1
#         RFC because proxies are not allowed to rewrite URIs.
# chop:   The request is allowed and the URI is chopped at the
#         first whitespace. This might also be considered a
#         violation.
#Default:
# uri_whitespace strip
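The request-line handling the uri_whitespace modes imply, as an added example (not Squid's parser): the method is the first token and the HTTP version the last, so everything in between is the URI, and the chosen mode is then applied to that URI. The sample request lines are constructed.

```python
import re
from typing import Tuple

# Added example of the five uri_whitespace modes; not Squid's code.
WHITESPACE = re.compile(r"[ \t]+")


class InvalidRequest(Exception):
    """Raised in 'deny' mode; the directive says the user then receives an
    "Invalid Request" message."""


def split_request_line(line: str) -> Tuple[str, str, str]:
    """Return (method, uri, version) without losing whitespace inside the URI.

    The method is the first token and the version the last, so the URI is
    whatever lies between them, embedded whitespace included. A request line
    without an HTTP/x.y trailer is treated as HTTP/0.9 (empty version).
    """
    line = line.strip()
    method, _, rest = line.partition(" ")
    uri, sep, version = rest.rpartition(" ")
    if not sep or not version.upper().startswith("HTTP/"):
        uri, version = rest, ""
    return method, uri.strip(), version


def apply_uri_whitespace(uri: str, mode: str = "strip") -> str:
    """Apply one uri_whitespace mode to a URI that may contain spaces or tabs."""
    if not WHITESPACE.search(uri):
        return uri                          # nothing to do: every mode passes it through
    if mode == "strip":                     # the default, RFC 2396 behaviour
        return WHITESPACE.sub("", uri)
    if mode == "deny":
        raise InvalidRequest("Invalid Request")
    if mode == "allow":                     # unchanged; redirectors will see the whitespace
        return uri
    if mode == "encode":                    # %20 / %09 escaping per RFC 1738
        return WHITESPACE.sub(
            lambda m: "".join("%%%02X" % ord(c) for c in m.group()), uri)
    if mode == "chop":                      # keep only what precedes the first whitespace
        return WHITESPACE.split(uri, maxsplit=1)[0]
    raise ValueError(f"unknown uri_whitespace mode: {mode}")


def normalise_request_line(line: str, mode: str = "strip") -> str:
    """Rebuild the request line with its URI handled according to mode."""
    method, uri, version = split_request_line(line)
    uri = apply_uri_whitespace(uri, mode)
    return " ".join(part for part in (method, uri, version) if part)


if __name__ == "__main__":
    sample = "GET http://example.com/a b c HTTP/1.1"      # constructed request line
    for mode in ("strip", "allow", "encode", "chop"):
        print(f"{mode:7} {normalise_request_line(sample, mode)}")
```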
# TAG: chroot
# Specifies a directory where Squid should do a chroot() while
# initializing. This also causes Squid to fully drop root
# privileges after initializing. This means, for example, if you
# use a HTTP port less than 1024 and try to reconfigure, you may
# get an error saying that Squid can not open the port.
#Default:
# none

# TAG: balance_on_multiple_ip
# Modern IP resolvers in squid sort lookup results by preferred access.
# By default squid will use these IPs in order and only rotates to
# the next listed when the most preferred fails.
#
# Some load balancing servers based on round robin DNS have been
# found not to preserve user session state across requests
# to different IP addresses.
#
# Enabling this directive makes Squid rotate IPs per request.
#Default:
# balance_on_multiple_ip off

# TAG: pipeline_prefetch
# To boost the performance of pipelined requests to closer
# match that of a non-proxied environment Squid can try to fetch
# up to two requests in parallel from a pipeline.
#
# Defaults to off for bandwidth management and access logging
# reasons.
#
# WARNING: pipelining breaks NTLM and Negotiate/Kerberos authentication.
#Default:
# pipeline_prefetch off

# TAG: high_response_time_warning (msec)
# If the one-minute median response time exceeds this value,
# Squid prints a WARNING with debug level 0 to get the
# administrator's attention. The value is in milliseconds.
#Default:
# high_response_time_warning 0

# TAG: high_page_fault_warning
# value, Squid prints a WARNING with debug level 0 to get
# the administrator's attention. The value is in page faults
# per second.
#Default:
# high_page_fault_warning 0

# TAG: high_memory_warning
# If the memory usage (as determined by mallinfo) exceeds
# this amount, Squid prints a WARNING with debug level 0 to get
# the administrator's attention.
#Default:
# high_memory_warning 0 KB

# TAG: sleep_after_fork (microseconds)
# When this is set to a non-zero value, the main Squid process
# sleeps the specified number of microseconds after a fork()
# system call. This sleep may help the situation where your
# system reports fork() failures due to lack of (virtual)
# memory. Note, however, if you have a lot of child
# processes, these sleep delays will add up and your
# Squid will not service requests for some amount of time
# until all the child processes have been started.
# On Windows, values less than 1000 (1 millisecond) are
# rounded to 1000.
#Default:
# sleep_after_fork 0

# TAG: windows_ipaddrchangemonitor on|off
# Note: This option is only available if Squid is rebuilt with the
# MS Windows
#
# On Windows Squid by default will monitor IP address changes and will
# reconfigure itself after any detected event. This is very useful for
# proxies connected to internet with dial-up interfaces.
# In some cases (a Proxy server acting as VPN gateway is one) it could be
# desirable to disable this behaviour by setting this to 'off'.
# Note: after changing this, Squid service must be restarted.
#Default:
# windows_ipaddrchangemonitor on

# TAG: eui_lookup
# Whether to lookup the EUI or MAC address of a connected client.
#Default:
# eui_lookup on

# TAG: max_filedescriptors
# The maximum number of filedescriptors supported.
#
# The default "0" means Squid inherits the current ulimit setting.
#
# Note: Changing this requires a restart of Squid. Also
# not all comm loops support large values.
#Default:
# max_filedescriptors 0

# TAG: workers
# Number of main Squid processes or "workers" to fork and maintain.
#     0: "no daemon" mode, like running "squid -N ..."
#     1: "no SMP" mode, start one main Squid process daemon (default)
#     N: start N main Squid process daemons (i.e., SMP mode)
#
# In SMP mode, each worker does nearly all what a single Squid daemon
# does (e.g., listen on http_port and forward HTTP requests).
#Default:
# workers 1

# TAG: cpu_affinity_map
# Usage: cpu_affinity_map process_numbers=P1,P2,... cores=C1,C2,...
#
# Sets 1:1 mapping between Squid processes and CPU cores. For example,
#
#     cpu_affinity_map process_numbers=1,2,3,4 cores=1,3,5,7
#
# affects processes 1 through 4 only and places them on the first
# four even cores, starting with core #1.
#
# CPU cores are numbered starting from 1. Requires support for
# sched_getaffinity(2) and sched_setaffinity(2) system calls.
#
# Multiple cpu_affinity_map options are merged.
#
# See also: workers
#Default:
# none
