revision 8719 by dmorgan, Tue Feb 8 00:14:32 2011 UTC | revision 8720 by djennings, Fri Aug 23 23:53:27 2013 UTC | |
---|---|---|
1 | # WELCOME TO SQUID 3.2.10 | |
2 | # ---------------------------- | |
3 | # | |
4 | # This is the documentation for the Squid configuration file. | |
5 | # This documentation can also be found online at: | |
6 | # http://www.squid-cache.org/Doc/config/ | |
7 | # | |
8 | # You may wish to look at the Squid home page and wiki for the | |
9 | # FAQ and other documentation: | |
10 | # http://www.squid-cache.org/ | |
11 | # http://wiki.squid-cache.org/SquidFaq | |
12 | # http://wiki.squid-cache.org/ConfigExamples | |
13 | # | |
14 | # This documentation shows what the defaults for various directives | |
15 | # happen to be. If you don't need to change the default, you should | |
16 | # leave the line out of your squid.conf in most cases. | |
17 | # | |
18 | # In some cases "none" refers to no default setting at all, | |
19 | # while in other cases it refers to the value of the option | |
20 | # - the comments for that keyword indicate if this is the case. | |
21 | # | |
22 | ||
23 | # Configuration options can be included using the "include" directive. | |
24 | # Include takes a list of files to include. Quoting and wildcards are | |
25 | # supported. | |
26 | # | |
27 | # For example, | |
28 | # | |
29 | # include /path/to/included/file/squid.acl.config | |
30 | # | |
31 | # Includes can be nested up to a hard-coded depth of 16 levels. | |
32 | # This arbitrary restriction is to prevent recursive include references | |
33 | # from causing Squid entering an infinite loop whilst trying to load | |
34 | # configuration files. | |
35 | # | |
36 | # | |
37 | # Conditional configuration | |
38 | # | |
39 | # If-statements can be used to make configuration directives | |
40 | # depend on conditions: | |
41 | # | |
42 | # if <CONDITION> | |
43 | # ... regular configuration directives ... | |
44 | # [else | |
45 | # ... regular configuration directives ...] | |
46 | # endif | |
47 | # | |
48 | # The else part is optional. The keywords "if", "else", and "endif" | |
49 | # must be typed on their own lines, as if they were regular | |
50 | # configuration directives. | |
51 | # | |
52 | # NOTE: An else-if condition is not supported. | |
53 | # | |
54 | # These individual conditions types are supported: | |
55 | # | |
56 | # true | |
57 | # Always evaluates to true. | |
58 | # false | |
59 | # Always evaluates to false. | |
60 | # <integer> = <integer> | |
61 | # Equality comparison of two integer numbers. | |
62 | # | |
63 | # | |
64 | # SMP-Related Macros | |
65 | # | |
66 | # The following SMP-related preprocessor macros can be used. | |
67 | # | |
68 | # ${process_name} expands to the current Squid process "name" | |
69 | # (e.g., squid1, squid2, or cache1). | |
70 | # | |
71 | # ${process_number} expands to the current Squid process | |
72 | # identifier, which is an integer number (e.g., 1, 2, 3) unique | |
73 | # across all Squid processes. | |
74 | ||
75 | # TAG: broken_vary_encoding | |
76 | # This option is not yet supported by Squid-3. | |
77 | #Default: | |
78 | # none | |
79 | ||
80 | # TAG: cache_vary | |
81 | # This option is not yet supported by Squid-3. | |
82 | #Default: | |
83 | # none | |
84 | ||
85 | # TAG: collapsed_forwarding | |
86 | # This option is not yet supported by Squid-3. see http://bugs.squid-cache.org/show_bug.cgi?id=3495 | |
87 | #Default: | |
88 | # none | |
89 | ||
90 | # TAG: error_map | |
91 | # This option is not yet supported by Squid-3. | |
92 | #Default: | |
93 | # none | |
94 | ||
95 | # TAG: external_refresh_check | |
96 | # This option is not yet supported by Squid-3. | |
97 | #Default: | |
98 | # none | |
99 | ||
100 | # TAG: ignore_ims_on_miss | |
101 | # This option is not yet supported by Squid-3. | |
102 | #Default: | |
103 | # none | |
104 | ||
105 | # TAG: location_rewrite_program | |
106 | # This option is not yet supported by Squid-3. | |
107 | #Default: | |
108 | # none | |
109 | ||
110 | # TAG: refresh_stale_hit | |
111 | # This option is not yet supported by Squid-3. | |
112 | #Default: | |
113 | # none | |
114 | ||
115 | # TAG: storeurl_access | |
116 | # This option is not yet supported by this version of Squid-3. Please try a later release. | |
117 | #Default: | |
118 | # none | |
119 | ||
120 | # TAG: ignore_expect_100 | |
121 | # Remove this line. The HTTP/1.1 feature is now fully supported by default. | |
122 | #Default: | |
123 | # none | |
124 | ||
125 | # TAG: dns_v4_fallback | |
126 | # Remove this line. Squid performs a 'Happy Eyeballs' algorithm, the 'fallback' algorithm is no longer relevant. | |
127 | #Default: | |
128 | # none | |
129 | ||
130 | # TAG: ftp_list_width | |
131 | # Remove this line. Configure FTP page display using the CSS controls in errorpages.css instead. | |
132 | #Default: | |
133 | # none | |
134 | ||
135 | # TAG: maximum_single_addr_tries | |
136 | # Replaced by connect_retries. The behaviour has changed, please read the documentation before altering. | |
137 | #Default: | |
138 | # none | |
139 | ||
140 | # TAG: update_headers | |
141 | # Remove this line. The feature is supported by default in storage types where update is implemented. | |
142 | #Default: | |
143 | # none | |
144 | ||
145 | # TAG: url_rewrite_concurrency | |
146 | # Remove this line. Set the 'concurrency=' option of url_rewrite_children instead. | |
147 | #Default: | |
148 | # none | |
149 | ||
150 | # TAG: dns_testnames | |
151 | # Remove this line. DNS is no longer tested on startup. | |
152 | #Default: | |
153 | # none | |
154 | ||
155 | # TAG: extension_methods | |
156 | # Remove this line. All valid methods for HTTP are accepted by default. | |
157 | #Default: | |
158 | # none | |
159 | ||
160 | # TAG: zero_buffers | |
161 | #Default: | |
162 | # none | |
163 | ||
164 | # TAG: incoming_rate | |
165 | #Default: | |
166 | # none | |
167 | ||
168 | # TAG: server_http11 | |
169 | # Remove this line. HTTP/1.1 is supported by default. | |
170 | #Default: | |
171 | # none | |
172 | ||
173 | # TAG: upgrade_http0.9 | |
174 | # Remove this line. ICY/1.0 streaming protocol is supported by default. | |
175 | #Default: | |
176 | # none | |
177 | ||
178 | # TAG: zph_local | |
179 | # Alter these entries. Use the qos_flows directive instead. | |
180 | #Default: | |
181 | # none | |
182 | ||
183 | # TAG: header_access | |
184 | # Since squid-3.0 replace with request_header_access or reply_header_access | |
185 | # depending on whether you wish to match client requests or server replies. | |
186 | #Default: | |
187 | # none | |
188 | ||
189 | # TAG: httpd_accel_no_pmtu_disc | |
190 | # Since squid-3.0 use the 'disable-pmtu-discovery' flag on http_port instead. | |
191 | #Default: | |
192 | # none | |
193 | ||
194 | # TAG: wais_relay_host | |
195 | # Replace this line with 'cache_peer' configuration. | |
196 | #Default: | |
197 | # none | |
198 | ||
199 | # TAG: wais_relay_port | |
200 | # Replace this line with 'cache_peer' configuration. | |
201 | #Default: | |
202 | # none | |
203 | ||
204 | # OPTIONS FOR AUTHENTICATION | |
205 | # ----------------------------------------------------------------------------- | |
206 | ||
207 | # TAG: auth_param | |
208 | # This is used to define parameters for the various authentication | |
209 | # schemes supported by Squid. | |
210 | # | |
211 | # format: auth_param scheme parameter [setting] | |
212 | # | |
213 | # The order in which authentication schemes are presented to the client is | |
214 | # dependent on the order the scheme first appears in config file. IE | |
215 | # has a bug (it's not RFC 2617 compliant) in that it will use the basic | |
216 | # scheme if basic is the first entry presented, even if more secure | |
217 | # schemes are presented. For now use the order in the recommended | |
218 | # settings section below. If other browsers have difficulties (don't | |
219 | # recognize the schemes offered even if you are using basic) either | |
220 | # put basic first, or disable the other schemes (by commenting out their | |
221 | # program entry). | |
222 | # | |
223 | # Once an authentication scheme is fully configured, it can only be | |
224 | # shutdown by shutting squid down and restarting. Changes can be made on | |
225 | # the fly and activated with a reconfigure. I.E. You can change to a | |
226 | # different helper, but not unconfigure the helper completely. | |
227 | # | |
228 | # Please note that while this directive defines how Squid processes | |
229 | # authentication it does not automatically activate authentication. | |
230 | # To use authentication you must in addition make use of ACLs based | |
231 | # on login name in http_access (proxy_auth, proxy_auth_regex or | |
232 | # external with %LOGIN used in the format tag). The browser will be | |
233 | # challenged for authentication on the first such acl encountered | |
234 | # in http_access processing and will also be re-challenged for new | |
235 | # login credentials if the request is being denied by a proxy_auth | |
236 | # type acl. | |
237 | # | |
238 | # WARNING: authentication can't be used in a transparently intercepting | |
239 | # proxy as the client then thinks it is talking to an origin server and | |
240 | # not the proxy. This is a limitation of bending the TCP/IP protocol to | |
241 | # transparently intercepting port 80, not a limitation in Squid. | |
242 | # Ports flagged 'transparent', 'intercept', or 'tproxy' have | |
243 | # authentication disabled. | |
244 | # | |
245 | # === Parameters for the basic scheme follow. === | |
246 | # | |
247 | # "program" cmdline | |
248 | # Specify the command for the external authenticator. Such a program | |
249 | # reads a line containing "username password" and replies "OK" or | |
250 | # "ERR" in an endless loop. "ERR" responses may optionally be followed | |
251 | # by a error description available as %m in the returned error page. | |
252 | # If you use an authenticator, make sure you have 1 acl of type | |
253 | # proxy_auth. | |
254 | # | |
255 | # By default, the basic authentication scheme is not used unless a | |
256 | # program is specified. | |
257 | # | |
258 | # If you want to use the traditional NCSA proxy authentication, set | |
259 | # this line to something like | |
260 | # | |
261 | # auth_param basic program /usr/libexec/ncsa_auth /usr/etc/passwd | |
262 | # | |
263 | # "utf8" on|off | |
264 | # HTTP uses iso-latin-1 as character set, while some authentication | |
265 | # backends such as LDAP expects UTF-8. If this is set to on Squid will | |
266 | # translate the HTTP iso-latin-1 charset to UTF-8 before sending the | |
267 | # username & password to the helper. | |
268 | # | |
269 | # "children" numberofchildren [startup=N] [idle=N] [concurrency=N] | |
270 | # The maximum number of authenticator processes to spawn. If you start too few | |
271 | # Squid will have to wait for them to process a backlog of credential | |
272 | # verifications, slowing it down. When password verifications are | |
273 | # done via a (slow) network you are likely to need lots of | |
274 | # authenticator processes. | |
275 | # | |
276 | # The startup= and idle= options permit some skew in the exact amount | |
277 | # run. A minimum of startup=N will begin during startup and reconfigure. | |
278 | # Squid will start more in groups of up to idle=N in an attempt to meet | |
279 | # traffic needs and to keep idle=N free above those traffic needs up to | |
280 | # the maximum. | |
281 | # | |
282 | # The concurrency= option sets the number of concurrent requests the | |
283 | # helper can process. The default of 0 is used for helpers who only | |
284 | # supports one request at a time. Setting this to a number greater than | |
285 | # 0 changes the protocol used to include a channel number first on the | |
286 | # request/response line, allowing multiple requests to be sent to the | |
287 | # same helper in parallel without waiting for the response. | |
288 | # Must not be set unless it's known the helper supports this. | |
289 | # | |
290 | # auth_param basic children 20 startup=0 idle=1 | |
291 | # | |
292 | # "realm" realmstring | |
293 | # Specifies the realm name which is to be reported to the | |
294 | # client for the basic proxy authentication scheme (part of | |
295 | # the text the user will see when prompted their username and | |
296 | # password). There is no default. | |
297 | # auth_param basic realm Squid proxy-caching web server | |
298 | # | |
299 | # "credentialsttl" timetolive | |
300 | # Specifies how long squid assumes an externally validated | |
301 | # username:password pair is valid for - in other words how | |
302 | # often the helper program is called for that user. Set this | |
303 | # low to force revalidation with short lived passwords. Note | |
304 | # setting this high does not impact your susceptibility | |
305 | # to replay attacks unless you are using an one-time password | |
306 | # system (such as SecureID). If you are using such a system, | |
307 | # you will be vulnerable to replay attacks unless you also | |
308 | # use the max_user_ip ACL in an http_access rule. | |
309 | # | |
310 | # "casesensitive" on|off | |
311 | # Specifies if usernames are case sensitive. Most user databases are | |
312 | # case insensitive allowing the same username to be spelled using both | |
313 | # lower and upper case letters, but some are case sensitive. This | |
314 | # makes a big difference for user_max_ip ACL processing and similar. | |
315 | # auth_param basic casesensitive off | |
316 | # | |
317 | # === Parameters for the digest scheme follow === | |
318 | # | |
319 | # "program" cmdline | |
320 | # Specify the command for the external authenticator. Such | |
321 | # a program reads a line containing "username":"realm" and | |
322 | # replies with the appropriate H(A1) value hex encoded or | |
323 | # ERR if the user (or his H(A1) hash) does not exists. | |
324 | # See rfc 2616 for the definition of H(A1). | |
325 | # "ERR" responses may optionally be followed by a error description | |
326 | # available as %m in the returned error page. | |
327 | # | |
328 | # By default, the digest authentication scheme is not used unless a | |
329 | # program is specified. | |
330 | # | |
331 | # If you want to use a digest authenticator, set this line to | |
332 | # something like | |
333 | # | |
334 | # auth_param digest program /usr/bin/digest_pw_auth /usr/etc/digpass | |
335 | # | |
336 | # "utf8" on|off | |
337 | # HTTP uses iso-latin-1 as character set, while some authentication | |
338 | # backends such as LDAP expects UTF-8. If this is set to on Squid will | |
339 | # translate the HTTP iso-latin-1 charset to UTF-8 before sending the | |
340 | # username & password to the helper. | |
341 | # | |
342 | # "children" numberofchildren [startup=N] [idle=N] [concurrency=N] | |
343 | # The maximum number of authenticator processes to spawn (default 5). | |
344 | # If you start too few Squid will have to wait for them to | |
345 | # process a backlog of H(A1) calculations, slowing it down. | |
346 | # When the H(A1) calculations are done via a (slow) network | |
347 | # you are likely to need lots of authenticator processes. | |
348 | # | |
349 | # The startup= and idle= options permit some skew in the exact amount | |
350 | # run. A minimum of startup=N will begin during startup and reconfigure. | |
351 | # Squid will start more in groups of up to idle=N in an attempt to meet | |
352 | # traffic needs and to keep idle=N free above those traffic needs up to | |
353 | # the maximum. | |
354 | # | |
355 | # The concurrency= option sets the number of concurrent requests the | |
356 | # helper can process. The default of 0 is used for helpers who only | |
357 | # supports one request at a time. Setting this to a number greater than | |
358 | # 0 changes the protocol used to include a channel number first on the | |
359 | # request/response line, allowing multiple requests to be sent to the | |
360 | # same helper in parallel without waiting for the response. | |
361 | # Must not be set unless it's known the helper supports this. | |
362 | # | |
363 | # auth_param digest children 20 startup=0 idle=1 | |
364 | # | |
365 | # "realm" realmstring | |
366 | # Specifies the realm name which is to be reported to the | |
367 | # client for the digest proxy authentication scheme (part of | |
368 | # the text the user will see when prompted their username and | |
369 | # password). There is no default. | |
370 | # auth_param digest realm Squid proxy-caching web server | |
371 | # | |
372 | # "nonce_garbage_interval" timeinterval | |
373 | # Specifies the interval that nonces that have been issued | |
374 | # to client_agent's are checked for validity. | |
375 | # | |
376 | # "nonce_max_duration" timeinterval | |
377 | # Specifies the maximum length of time a given nonce will be | |
378 | # valid for. | |
379 | # | |
380 | # "nonce_max_count" number | |
381 | # Specifies the maximum number of times a given nonce can be | |
382 | # used. | |
383 | # | |
384 | # "nonce_strictness" on|off | |
385 | # Determines if squid requires strict increment-by-1 behavior | |
386 | # for nonce counts, or just incrementing (off - for use when | |
387 | # user agents generate nonce counts that occasionally miss 1 | |
388 | # (ie, 1,2,4,6)). Default off. | |
389 | # | |
390 | # "check_nonce_count" on|off | |
391 | # This directive if set to off can disable the nonce count check | |
392 | # completely to work around buggy digest qop implementations in | |
393 | # certain mainstream browser versions. Default on to check the | |
394 | # nonce count to protect from authentication replay attacks. | |
395 | # | |
396 | # "post_workaround" on|off | |
397 | # This is a workaround to certain buggy browsers who sends | |
398 | # an incorrect request digest in POST requests when reusing | |
399 | # the same nonce as acquired earlier on a GET request. | |
400 | # | |
401 | # === NTLM scheme options follow === | |
402 | # | |
403 | # "program" cmdline | |
404 | # Specify the command for the external NTLM authenticator. | |
405 | # Such a program reads exchanged NTLMSSP packets with | |
406 | # the browser via Squid until authentication is completed. | |
407 | # If you use an NTLM authenticator, make sure you have 1 acl | |
408 | # of type proxy_auth. By default, the NTLM authenticator_program | |
409 | # is not used. | |
410 | # | |
411 | # auth_param ntlm program /usr/bin/ntlm_auth | |
412 | # | |
413 | # "children" numberofchildren [startup=N] [idle=N] | |
414 | # The maximum number of authenticator processes to spawn (default 5). | |
415 | # If you start too few Squid will have to wait for them to | |
416 | # process a backlog of credential verifications, slowing it | |
417 | # down. When credential verifications are done via a (slow) | |
418 | # network you are likely to need lots of authenticator | |
419 | # processes. | |
420 | # | |
421 | # The startup= and idle= options permit some skew in the exact amount | |
422 | # run. A minimum of startup=N will begin during startup and reconfigure. | |
423 | # Squid will start more in groups of up to idle=N in an attempt to meet | |
424 | # traffic needs and to keep idle=N free above those traffic needs up to | |
425 | # the maximum. | |
426 | # | |
427 | # auth_param ntlm children 20 startup=0 idle=1 | |
428 | # | |
429 | # "keep_alive" on|off | |
430 | # If you experience problems with PUT/POST requests when using the | |
431 | # Negotiate authentication scheme then you can try setting this to | |
432 | # off. This will cause Squid to forcibly close the connection on | |
433 | # the initial requests where the browser asks which schemes are | |
434 | # supported by the proxy. | |
435 | # | |
436 | # auth_param ntlm keep_alive on | |
437 | # | |
438 | # === Options for configuring the NEGOTIATE auth-scheme follow === | |
439 | # | |
440 | # "program" cmdline | |
441 | # Specify the command for the external Negotiate authenticator. | |
442 | # This protocol is used in Microsoft Active-Directory enabled setups with | |
443 | # the Microsoft Internet Explorer or Mozilla Firefox browsers. | |
444 | # Its main purpose is to exchange credentials with the Squid proxy | |
445 | # using the Kerberos mechanisms. | |
446 | # If you use a Negotiate authenticator, make sure you have at least | |
447 | # one acl of type proxy_auth active. By default, the negotiate | |
448 | # authenticator_program is not used. | |
449 | # The only supported program for this role is the ntlm_auth | |
450 | # program distributed as part of Samba, version 4 or later. | |
451 | # | |
452 | # auth_param negotiate program /usr/bin/ntlm_auth --helper-protocol=gss-spnego | |
453 | # | |
454 | # "children" numberofchildren [startup=N] [idle=N] | |
455 | # The maximum number of authenticator processes to spawn (default 5). | |
456 | # If you start too few Squid will have to wait for them to | |
457 | # process a backlog of credential verifications, slowing it | |
458 | # down. When credential verifications are done via a (slow) | |
459 | # network you are likely to need lots of authenticator | |
460 | # processes. | |
461 | # | |
462 | # The startup= and idle= options permit some skew in the exact amount | |
463 | # run. A minimum of startup=N will begin during startup and reconfigure. | |
464 | # Squid will start more in groups of up to idle=N in an attempt to meet | |
465 | # traffic needs and to keep idle=N free above those traffic needs up to | |
466 | # the maximum. | |
467 | # | |
468 | # auth_param negotiate children 20 startup=0 idle=1 | |
469 | # | |
470 | # "keep_alive" on|off | |
471 | # If you experience problems with PUT/POST requests when using the | |
472 | # Negotiate authentication scheme then you can try setting this to | |
473 | # off. This will cause Squid to forcibly close the connection on | |
474 | # the initial requests where the browser asks which schemes are | |
475 | # supported by the proxy. | |
476 | # | |
477 | # auth_param negotiate keep_alive on | |
478 | # | |
479 | # | |
480 | # Examples: | |
481 | # | |
482 | ##Recommended minimum configuration per scheme: | |
483 | ##auth_param negotiate program <uncomment and complete this line to activate> | |
484 | ##auth_param negotiate children 20 startup=0 idle=1 | |
485 | ##auth_param negotiate keep_alive on | |
486 | ## | |
487 | ##auth_param ntlm program <uncomment and complete this line to activate> | |
488 | ##auth_param ntlm children 20 startup=0 idle=1 | |
489 | ##auth_param ntlm keep_alive on | |
490 | ## | |
491 | ##auth_param digest program <uncomment and complete this line> | |
492 | ##auth_param digest children 20 startup=0 idle=1 | |
493 | ##auth_param digest realm Squid proxy-caching web server | |
494 | ##auth_param digest nonce_garbage_interval 5 minutes | |
495 | ##auth_param digest nonce_max_duration 30 minutes | |
496 | ##auth_param digest nonce_max_count 50 | |
497 | ## | |
498 | ##auth_param basic program <uncomment and complete this line> | |
499 | ##auth_param basic children 5 startup=5 idle=1 | |
500 | ##auth_param basic realm Squid proxy-caching web server | |
501 | ##auth_param basic credentialsttl 2 hours | |
502 | #Default: | |
503 | # none | |
504 | ||
505 | # TAG: authenticate_cache_garbage_interval | |
506 | # The time period between garbage collection across the username cache. | |
507 | # This is a trade-off between memory utilization (long intervals - say | |
508 | # 2 days) and CPU (short intervals - say 1 minute). Only change if you | |
509 | # have good reason to. | |
510 | #Default: | |
511 | # authenticate_cache_garbage_interval 1 hour | |
512 | ||
513 | # TAG: authenticate_ttl | |
514 | # The time a user & their credentials stay in the logged in | |
515 | # user cache since their last request. When the garbage | |
516 | # interval passes, all user credentials that have passed their | |
517 | # TTL are removed from memory. | |
518 | #Default: | |
519 | # authenticate_ttl 1 hour | |
520 | ||
521 | # TAG: authenticate_ip_ttl | |
522 | # If you use proxy authentication and the 'max_user_ip' ACL, | |
523 | # this directive controls how long Squid remembers the IP | |
524 | # addresses associated with each user. Use a small value | |
525 | # (e.g., 60 seconds) if your users might change addresses | |
526 | # quickly, as is the case with dialup. You might be safe | |
527 | # using a larger value (e.g., 2 hours) in a corporate LAN | |
528 | # environment with relatively static address assignments. | |
529 | #Default: | |
530 | # authenticate_ip_ttl 0 seconds | |
531 | ||
532 | # ACCESS CONTROLS | |
533 | # ----------------------------------------------------------------------------- | |
534 | ||
535 | # TAG: external_acl_type | |
536 | # This option defines external acl classes using a helper program | |
537 | # to look up the status | |
538 | # | |
539 | # external_acl_type name [options] FORMAT.. /path/to/helper [helper arguments..] | |
540 | # | |
541 | # Options: | |
542 | # | |
543 | # ttl=n TTL in seconds for cached results (defaults to 3600 | |
544 | # for 1 hour) | |
545 | # negative_ttl=n | |
546 | # TTL for cached negative lookups (default same | |
547 | # as ttl) | |
548 | # children-max=n | |
549 | # Maximum number of acl helper processes spawned to service | |
550 | # external acl lookups of this type. (default 20) | |
551 | # children-startup=n | |
552 | # Minimum number of acl helper processes to spawn during | |
553 | # startup and reconfigure to service external acl lookups | |
554 | # of this type. (default 0) | |
555 | # children-idle=n | |
556 | # Number of acl helper processes to keep ahead of traffic | |
557 | # loads. Squid will spawn this many at once whenever load | |
558 | # rises above the capabilities of existing processes. | |
559 | # Up to the value of children-max. (default 1) | |
560 | # concurrency=n concurrency level per process. Only used with helpers | |
561 | # capable of processing more than one query at a time. | |
562 | # cache=n limit the result cache size, default is unbounded. | |
563 | # grace=n Percentage remaining of TTL where a refresh of a | |
564 | # cached entry should be initiated without needing to | |
565 | # wait for a new reply. (default is for no grace period) | |
566 | # protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers | |
567 | # ipv4 / ipv6 IP protocol used to communicate with this helper. | |
568 | # The default is to auto-detect IPv6 and use it when available. | |
569 | # | |
570 | # FORMAT specifications | |
571 | # | |
572 | # %LOGIN Authenticated user login name | |
573 | # %EXT_USER Username from previous external acl | |
574 | # %EXT_LOG Log details from previous external acl | |
575 | # %EXT_TAG Tag from previous external acl | |
576 | # %IDENT Ident user name | |
577 | # %SRC Client IP | |
578 | # %SRCPORT Client source port | |
579 | # %URI Requested URI | |
580 | # %DST Requested host | |
581 | # %PROTO Requested protocol | |
582 | # %PORT Requested port | |
583 | # %PATH Requested URL path | |
584 | # %METHOD Request method | |
585 | # %MYADDR Squid interface address | |
586 | # %MYPORT Squid http_port number | |
587 | # %PATH Requested URL-path (including query-string if any) | |
588 | # %USER_CERT SSL User certificate in PEM format | |
589 | # %USER_CERTCHAIN SSL User certificate chain in PEM format | |
590 | # %USER_CERT_xx SSL User certificate subject attribute xx | |
591 | # %USER_CA_xx SSL User certificate issuer attribute xx | |
592 | # | |
593 | # %>{Header} HTTP request header "Header" | |
594 | # %>{Hdr:member} | |
595 | # HTTP request header "Hdr" list member "member" | |
596 | # %>{Hdr:;member} | |
597 | # HTTP request header list member using ; as | |
598 | # list separator. ; can be any non-alphanumeric | |
599 | # character. | |
600 | # | |
601 | # %<{Header} HTTP reply header "Header" | |
602 | # %<{Hdr:member} | |
603 | # HTTP reply header "Hdr" list member "member" | |
604 | # %<{Hdr:;member} | |
605 | # HTTP reply header list member using ; as | |
606 | # list separator. ; can be any non-alphanumeric | |
607 | # character. | |
608 | # | |
609 | # %% The percent sign. Useful for helpers which need | |
610 | # an unchanging input format. | |
611 | # | |
612 | # In addition to the above, any string specified in the referencing | |
613 | # acl will also be included in the helper request line, after the | |
614 | # specified formats (see the "acl external" directive) | |
615 | # | |
616 | # The helper receives lines per the above format specification, | |
617 | # and returns lines starting with OK or ERR indicating the validity | |
618 | # of the request and optionally followed by additional keywords with | |
619 | # more details. | |
620 | # | |
621 | # General result syntax: | |
622 | # | |
623 | # OK/ERR keyword=value ... | |
624 | # | |
625 | # Defined keywords: | |
626 | # | |
627 | # user= The users name (login) | |
628 | # password= The users password (for login= cache_peer option) | |
629 | # message= Message describing the reason. Available as %o | |
630 | # in error pages | |
631 | # tag= Apply a tag to a request (for both ERR and OK results) | |
632 | # Only sets a tag, does not alter existing tags. | |
633 | # log= String to be logged in access.log. Available as | |
634 | # %ea in logformat specifications | |
635 | # | |
636 | # If protocol=3.0 (the default) then URL escaping is used to protect | |
637 | # each value in both requests and responses. | |
638 | # | |
639 | # If using protocol=2.5 then all values need to be enclosed in quotes | |
640 | # if they may contain whitespace, or the whitespace escaped using \. | |
641 | # And quotes or \ characters within the keyword value must be \ escaped. | |
642 | # | |
643 | # When using the concurrency= option the protocol is changed by | |
644 | # introducing a query channel tag infront of the request/response. | |
645 | # The query channel tag is a number between 0 and concurrency-1. | |
646 | #Default: | |
647 | # none | |
648 | ||
649 | # TAG: acl | |
650 | # Defining an Access List | |
651 | # | |
652 | # Every access list definition must begin with an aclname and acltype, | |
653 | # followed by either type-specific arguments or a quoted filename that | |
654 | # they are read from. | |
655 | # | |
656 | # acl aclname acltype argument ... | |
657 | # acl aclname acltype "file" ... | |
658 | # | |
659 | # When using "file", the file should contain one item per line. | |
660 | # | |
661 | # By default, regular expressions are CASE-SENSITIVE. | |
662 | # To make them case-insensitive, use the -i option. To return case-sensitive | |
663 | # use the +i option between patterns, or make a new ACL line without -i. | |
664 | # | |
665 | # Some acl types require suspending the current request in order | |
666 | # to access some external data source. | |
667 | # Those which do are marked with the tag [slow], those which | |
668 | # don't are marked as [fast]. | |
669 | # See http://wiki.squid-cache.org/SquidFaq/SquidAcl | |
670 | # for further information | |
671 | # | |
672 | # ***** ACL TYPES AVAILABLE ***** | |
673 | # | |
674 | # acl aclname src ip-address/netmask ... # clients IP address [fast] | |
675 | # acl aclname src addr1-addr2/netmask ... # range of addresses [fast] | |
676 | # acl aclname dst ip-address/netmask ... # URL host's IP address [slow] | |
677 | # acl aclname myip ip-address/netmask ... # local socket IP address [fast] | |
678 | # | |
679 | # acl aclname arp mac-address ... (xx:xx:xx:xx:xx:xx notation) | |
680 | # # The arp ACL requires the special configure option --enable-arp-acl. | |
681 | # # Furthermore, the ARP ACL code is not portable to all operating systems. | |
682 | # # It works on Linux, Solaris, Windows, FreeBSD, and some | |
683 | # # other *BSD variants. | |
684 | # # [fast] | |
685 | # # | |
686 | # # NOTE: Squid can only determine the MAC address for clients that are on | |
687 | # # the same subnet. If the client is on a different subnet, | |
688 | # # then Squid cannot find out its MAC address. | |
689 | # | |
690 | # acl aclname srcdomain .foo.com ... | |
691 | # # reverse lookup, from client IP [slow] | |
692 | # acl aclname dstdomain .foo.com ... | |
693 | # # Destination server from URL [fast] | |
694 | # acl aclname srcdom_regex [-i] \.foo\.com ... | |
695 | # # regex matching client name [slow] | |
696 | # acl aclname dstdom_regex [-i] \.foo\.com ... | |
697 | # # regex matching server [fast] | |
698 | # # | |
699 | # # For dstdomain and dstdom_regex a reverse lookup is tried if a IP | |
700 | # # based URL is used and no match is found. The name "none" is used | |
701 | # # if the reverse lookup fails. | |
702 | # | |
703 | # acl aclname src_as number ... | |
704 | # acl aclname dst_as number ... | |
705 | # # [fast] | |
706 | # # Except for access control, AS numbers can be used for | |
707 | # # routing of requests to specific caches. Here's an | |
708 | # # example for routing all requests for AS#1241 and only | |
709 | # # those to mycache.mydomain.net: | |
710 | # # acl asexample dst_as 1241 | |
711 | # # cache_peer_access mycache.mydomain.net allow asexample | |
712 | # # cache_peer_access mycache_mydomain.net deny all | |
713 | # | |
714 | # acl aclname peername myPeer ... | |
715 | # # [fast] | |
716 | # # match against a named cache_peer entry | |
717 | # # set unique name= on cache_peer lines for reliable use. | |
718 | # | |
719 | # acl aclname time [day-abbrevs] [h1:m1-h2:m2] | |
720 | # # [fast] | |
721 | # # day-abbrevs: | |
722 | # # S - Sunday | |
723 | # # M - Monday | |
724 | # # T - Tuesday | |
725 | # # W - Wednesday | |
726 | # # H - Thursday | |
727 | # # F - Friday | |
728 | # # A - Saturday | |
729 | # # h1:m1 must be less than h2:m2 | |
730 | # | |
731 | # acl aclname url_regex [-i] ^http:// ... | |
732 | # # regex matching on whole URL [fast] | |
733 | # acl aclname urllogin [-i] [^a-zA-Z0-9] ... | |
734 | # # regex matching on URL login field | |
735 | # acl aclname urlpath_regex [-i] \.gif$ ... | |
736 | # # regex matching on URL path [fast] | |
737 | # | |
738 | # acl aclname port 80 70 21 0-1024... # destination TCP port [fast] | |
739 | # # ranges are alloed | |
740 | # acl aclname myport 3128 ... # local socket TCP port [fast] | |
741 | # acl aclname myportname 3128 ... # http(s)_port name [fast] | |
742 | # | |
743 | # acl aclname proto HTTP FTP ... # request protocol [fast] | |
744 | # | |
745 | # acl aclname method GET POST ... # HTTP request method [fast] | |
746 | # | |
747 | # acl aclname http_status 200 301 500- 400-403 ... | |
748 | # # status code in reply [fast] | |
749 | # | |
750 | # acl aclname browser [-i] regexp ... | |
751 | # # pattern match on User-Agent header (see also req_header below) [fast] | |
752 | # | |
753 | # acl aclname referer_regex [-i] regexp ... | |
754 | # # pattern match on Referer header [fast] | |
755 | # # Referer is highly unreliable, so use with care | |
756 | # | |
757 | # acl aclname ident username ... | |
758 | # acl aclname ident_regex [-i] pattern ... | |
759 | # # string match on ident output [slow] | |
760 | # # use REQUIRED to accept any non-null ident. | |
761 | # | |
762 | # acl aclname proxy_auth [-i] username ... | |
763 | # acl aclname proxy_auth_regex [-i] pattern ... | |
764 | # # perform http authentication challenge to the client and match against | |
765 | # # supplied credentials [slow] | |
766 | # # | |
767 | # # takes a list of allowed usernames. | |
768 | # # use REQUIRED to accept any valid username. | |
769 | # # | |
770 | # # Will use proxy authentication in forward-proxy scenarios, and plain | |
771 | # # http authenticaiton in reverse-proxy scenarios | |
772 | # # | |
773 | # # NOTE: when a Proxy-Authentication header is sent but it is not | |
774 | # # needed during ACL checking the username is NOT logged | |
775 | # # in access.log. | |
776 | # # | |
777 | # # NOTE: proxy_auth requires a EXTERNAL authentication program | |
778 | # # to check username/password combinations (see | |
779 | # # auth_param directive). | |
780 | # # | |
781 | # # NOTE: proxy_auth can't be used in a transparent/intercepting proxy | |
782 | # # as the browser needs to be configured for using a proxy in order | |
783 | # # to respond to proxy authentication. | |
784 | # | |
785 | # acl aclname snmp_community string ... | |
786 | # # A community string to limit access to your SNMP Agent [fast] | |
787 | # # Example: | |
788 | # # | |
789 | # # acl snmppublic snmp_community public | |
790 | # | |
791 | # acl aclname maxconn number | |
792 | # # This will be matched when the client's IP address has | |
793 | # # more than <number> TCP connections established. [fast] | |
794 | # # NOTE: This only measures direct TCP links so X-Forwarded-For | |
795 | # # indirect clients are not counted. | |
796 | # | |
797 | # acl aclname max_user_ip [-s] number | |
798 | # # This will be matched when the user attempts to log in from more | |
799 | # # than <number> different ip addresses. The authenticate_ip_ttl | |
800 | # # parameter controls the timeout on the ip entries. [fast] | |
801 | # # If -s is specified the limit is strict, denying browsing | |
802 | # # from any further IP addresses until the ttl has expired. Without | |
803 | # # -s Squid will just annoy the user by "randomly" denying requests. | |
804 | # # (the counter is reset each time the limit is reached and a | |
805 | # # request is denied) | |
806 | # # NOTE: in acceleration mode or where there is mesh of child proxies, | |
807 | # # clients may appear to come from multiple addresses if they are | |
808 | # # going through proxy farms, so a limit of 1 may cause user problems. | |
809 | # | |
810 | # acl aclname random probability | |
811 | # # Pseudo-randomly match requests. Based on the probability given. | |
812 | # # Probability may be written as a decimal (0.333), fraction (1/3) | |
813 | # # or ratio of matches:non-matches (3:5). | |
814 | # | |
815 | # acl aclname req_mime_type [-i] mime-type ... | |
816 | # # regex match against the mime type of the request generated | |
817 | # # by the client. Can be used to detect file upload or some | |
818 | # # types HTTP tunneling requests [fast] | |
819 | # # NOTE: This does NOT match the reply. You cannot use this | |
820 | # # to match the returned file type. | |
821 | # | |
822 | # acl aclname req_header header-name [-i] any\.regex\.here | |
823 | # # regex match against any of the known request headers. May be | |
824 | # # thought of as a superset of "browser", "referer" and "mime-type" | |
825 | # # ACL [fast] | |
826 | # | |
827 | # acl aclname rep_mime_type [-i] mime-type ... | |
828 | # # regex match against the mime type of the reply received by | |
829 | # # squid. Can be used to detect file download or some | |
830 | # # types HTTP tunneling requests. [fast] | |
831 | # # NOTE: This has no effect in http_access rules. It only has | |
832 | # # effect in rules that affect the reply data stream such as | |
833 | # # http_reply_access. | |
834 | # | |
835 | # acl aclname rep_header header-name [-i] any\.regex\.here | |
836 | # # regex match against any of the known reply headers. May be | |
837 | # # thought of as a superset of "browser", "referer" and "mime-type" | |
838 | # # ACLs [fast] | |
839 | # | |
840 | # acl aclname external class_name [arguments...] | |
841 | # # external ACL lookup via a helper class defined by the | |
842 | # # external_acl_type directive [slow] | |
843 | # | |
844 | # acl aclname user_cert attribute values... | |
845 | # # match against attributes in a user SSL certificate | |
846 | # # attribute is one of DN/C/O/CN/L/ST [fast] | |
847 | # | |
848 | # acl aclname ca_cert attribute values... | |
849 | # # match against attributes a users issuing CA SSL certificate | |
850 | # # attribute is one of DN/C/O/CN/L/ST [fast] | |
851 | # | |
852 | # acl aclname ext_user username ... | |
853 | # acl aclname ext_user_regex [-i] pattern ... | |
854 | # # string match on username returned by external acl helper [slow] | |
855 | # # use REQUIRED to accept any non-null user name. | |
856 | # | |
857 | # acl aclname tag tagvalue ... | |
858 | # # string match on tag returned by external acl helper [slow] | |
859 | # | |
860 | # acl aclname hier_code codename ... | |
861 | # # string match against squid hierarchy code(s); [fast] | |
862 | # # e.g., DIRECT, PARENT_HIT, NONE, etc. | |
863 | # # | |
864 | # # NOTE: This has no effect in http_access rules. It only has | |
865 | # # effect in rules that affect the reply data stream such as | |
866 | # # http_reply_access. | |
867 | # | |
868 | # Examples: | |
869 | # acl macaddress arp 09:00:2b:23:45:67 | |
870 | # acl myexample dst_as 1241 | |
871 | # acl password proxy_auth REQUIRED | |
872 | # acl fileupload req_mime_type -i ^multipart/form-data$ | |
873 | # acl javascript rep_mime_type -i ^application/x-javascript$ | |
874 | # | |
875 | #Default: | |
876 | # ACLs all, manager, localhost, and to_localhost are predefined. | |
877 | # | |
878 | # | |
879 | # Recommended minimum configuration: | |
880 | # | |
881 | ||
882 | # Example rule allowing access from your local networks. | |
883 | # Adapt to list your (internal) IP networks from where browsing | |
884 | # should be allowed | |
885 | acl localnet src 10.0.0.0/8 # RFC1918 possible internal network | |
886 | acl localnet src 172.16.0.0/12 # RFC1918 possible internal network | |
887 | acl localnet src 192.168.0.0/16 # RFC1918 possible internal network | |
888 | acl localnet src fc00::/7 # RFC 4193 local private network range | |
889 | acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines | |
890 | ||
891 | acl SSL_ports port 443 | |
892 | acl Safe_ports port 80 # http | |
893 | acl Safe_ports port 21 # ftp | |
894 | acl Safe_ports port 443 # https | |
895 | acl Safe_ports port 70 # gopher | |
896 | acl Safe_ports port 210 # wais | |
897 | acl Safe_ports port 1025-65535 # unregistered ports | |
898 | acl Safe_ports port 280 # http-mgmt | |
899 | acl Safe_ports port 488 # gss-http | |
900 | acl Safe_ports port 591 # filemaker | |
901 | acl Safe_ports port 777 # multiling http | |
902 | acl CONNECT method CONNECT | |
903 | ||
904 | # WELCOME TO SQUID 2 | # TAG: follow_x_forwarded_for |
905 | # ------------------ | # Allowing or Denying the X-Forwarded-For header to be followed to |
906 | # find the original source of a request. | |
907 | # | |
908 | # Requests may pass through a chain of several other proxies | |
909 | # before reaching us. The X-Forwarded-For header will contain a | |
910 | # comma-separated list of the IP addresses in the chain, with the | |
911 | # rightmost address being the most recent. | |
912 | # | |
913 | # If a request reaches us from a source that is allowed by this | |
914 | # configuration item, then we consult the X-Forwarded-For header | |
915 | # to see where that host received the request from. If the | |
916 | # X-Forwarded-For header contains multiple addresses, we continue | |
917 | # backtracking until we reach an address for which we are not allowed | |
918 | # to follow the X-Forwarded-For header, or until we reach the first | |
919 | # address in the list. For the purpose of ACL used in the | |
920 | # follow_x_forwarded_for directive the src ACL type always matches | |
921 | # the address we are testing and srcdomain matches its rDNS. | |
922 | # | |
923 | # The end result of this process is an IP address that we will | |
924 | # refer to as the indirect client address. This address may | |
925 | # be treated as the client address for access control, ICAP, delay | |
926 | # pools and logging, depending on the acl_uses_indirect_client, | |
927 | # icap_uses_indirect_client, delay_pool_uses_indirect_client, | |
928 | # log_uses_indirect_client and tproxy_uses_indirect_client options. | |
929 | # | |
930 | # This clause only supports fast acl types. | |
931 | # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. | |
932 | # | |
933 | # SECURITY CONSIDERATIONS: | |
934 | # | |
935 | # Any host for which we follow the X-Forwarded-For header | |
936 | # can place incorrect information in the header, and Squid | |
937 | # will use the incorrect information as if it were the | |
938 | # source address of the request. This may enable remote | |
939 | # hosts to bypass any access control restrictions that are | |
940 | # based on the client's source addresses. | |
941 | # | |
942 | # For example: | |
943 | # | |
944 | # acl localhost src 127.0.0.1 | |
945 | # acl my_other_proxy srcdomain .proxy.example.com | |
946 | # follow_x_forwarded_for allow localhost | |
947 | # follow_x_forwarded_for allow my_other_proxy | |
948 | #Default: | |
949 | # follow_x_forwarded_for deny all | |
950 | ||
951 | # TAG: acl_uses_indirect_client on|off | |
952 | # Controls whether the indirect client address | |
953 | # (see follow_x_forwarded_for) is used instead of the | |
954 | # direct client address in acl matching. | |
955 | # | |
956 | # NOTE: maxconn ACL considers direct TCP links and indirect | |
957 | # clients will always have zero. So no match. | |
958 | #Default: | |
959 | # acl_uses_indirect_client on | |
960 | ||
961 | # TAG: delay_pool_uses_indirect_client on|off | |
962 | # Controls whether the indirect client address | |
963 | # (see follow_x_forwarded_for) is used instead of the | |
964 | # direct client address in delay pools. | |
965 | #Default: | |
966 | # delay_pool_uses_indirect_client on | |
967 | ||
968 | # TAG: log_uses_indirect_client on|off | |
969 | # Controls whether the indirect client address | |
970 | # (see follow_x_forwarded_for) is used instead of the | |
971 | # direct client address in the access log. | |
972 | #Default: | |
973 | # log_uses_indirect_client on | |
974 | ||
975 | # TAG: tproxy_uses_indirect_client on|off | |
976 | # Controls whether the indirect client address | |
977 | # (see follow_x_forwarded_for) is used instead of the | |
978 | # direct client address when spoofing the outgoing client. | |
979 | # | |
980 | # This has no effect on requests arriving in non-tproxy | |
981 | # mode ports. | |
982 | # | |
983 | # SECURITY WARNING: Usage of this option is dangerous | |
984 | # and should not be used trivially. Correct configuration | |
985 | # of follow_x_forewarded_for with a limited set of trusted | |
986 | # sources is required to prevent abuse of your proxy. | |
987 | #Default: | |
988 | # tproxy_uses_indirect_client off | |
989 | ||
990 | # TAG: http_access | |
991 | # Allowing or Denying access based on defined access lists | |
992 | # | |
993 | # Access to the HTTP port: | |
994 | # http_access allow|deny [!]aclname ... | |
995 | # | |
996 | # NOTE on default values: | |
997 | # | |
998 | # If there are no "access" lines present, the default is to deny | |
999 | # the request. | |
1000 | # | |
1001 | # If none of the "access" lines cause a match, the default is the | |
1002 | # opposite of the last line in the list. If the last line was | |
1003 | # deny, the default is allow. Conversely, if the last line | |
1004 | # is allow, the default will be deny. For these reasons, it is a | |
1005 | # good idea to have an "deny all" entry at the end of your access | |
1006 | # lists to avoid potential confusion. | |
1007 | # | |
1008 | # This clause supports both fast and slow acl types. | |
1009 | # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. | |
1010 | # | |
1011 | #Default: | |
1012 | # http_access deny all | |
1013 | # | # |
1014 | # This is the default Squid configuration file. You may wish | |
1015 | # to look at the Squid home page (http://www.squid-cache.org/) | # |
1016 | # for the FAQ and other documentation. | # Recommended minimum Access Permission configuration: |
1017 | # | # |
1018 | # The default Squid config file shows what the defaults for | # Only allow cachemgr access from localhost |
1019 | # various options happen to be. If you don't need to change the | http_access allow localhost manager |
1020 | # default, you shouldn't uncomment the line. Doing so may cause | http_access deny manager |
1021 | # run-time problems. In some cases "none" refers to no default | |
1022 | # setting at all, while in other cases it refers to a valid | # Deny requests to certain unsafe ports |
1023 | # option - the comments for that keyword indicate if this is the | http_access deny !Safe_ports |
1024 | # case. | |
1025 | # Deny CONNECT to other than secure SSL ports | |
1026 | http_access deny CONNECT !SSL_ports | |
1027 | ||
1028 | # We strongly recommend the following be uncommented to protect innocent | |
1029 | # web applications running on the proxy server who think the only | |
1030 | # one who can access services on "localhost" is a local user | |
1031 | #http_access deny to_localhost | |
1032 | ||
1033 | # | |
1034 | # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS | |
1035 | # | # |
1036 | ||
1037 | # Example rule allowing access from your local networks. | |
1038 | # Adapt localnet in the ACL section to list your (internal) IP networks | |
1039 | # from where browsing should be allowed | |
1040 | http_access allow localnet | |
1041 | http_access allow localhost | |
1042 | ||
1043 | # And finally deny all other access to this proxy | |
1044 | http_access allow localhost | |
1045 | ||
1046 | # TAG: adapted_http_access | |
1047 | # Allowing or Denying access based on defined access lists | |
1048 | # | |
1049 | # Essentially identical to http_access, but runs after redirectors | |
1050 | # and ICAP/eCAP adaptation. Allowing access control based on their | |
1051 | # output. | |
1052 | # | |
1053 | # If not set then only http_access is used. | |
1054 | #Default: | |
1055 | # none | |
1056 | ||
1057 | # TAG: http_reply_access | |
1058 | # Allow replies to client requests. This is complementary to http_access. | |
1059 | # | |
1060 | # http_reply_access allow|deny [!] aclname ... | |
1061 | # | |
1062 | # NOTE: if there are no access lines present, the default is to allow | |
1063 | # all replies | |
1064 | # | |
1065 | # If none of the access lines cause a match the opposite of the | |
1066 | # last line will apply. Thus it is good practice to end the rules | |
1067 | # with an "allow all" or "deny all" entry. | |
1068 | # | |
1069 | # This clause supports both fast and slow acl types. | |
1070 | # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. | |
1071 | #Default: | |
1072 | # none | |
1073 | ||
1074 | # TAG: icp_access | |
1075 | # Allowing or Denying access to the ICP port based on defined | |
1076 | # access lists | |
1077 | # | |
1078 | # icp_access allow|deny [!]aclname ... | |
1079 | # | |
1080 | # See http_access for details | |
1081 | # | |
1082 | # This clause only supports fast acl types. | |
1083 | # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. | |
1084 | # | |
1085 | ## Allow ICP queries from local networks only | |
1086 | ##icp_access allow localnet | |
1087 | ##icp_access deny all | |
1088 | #Default: | |
1089 | # icp_access deny all | |
1090 | ||
1091 | # TAG: htcp_access | |
1092 | # Allowing or Denying access to the HTCP port based on defined | |
1093 | # access lists | |
1094 | # | |
1095 | # htcp_access allow|deny [!]aclname ... | |
1096 | # | |
1097 | # See http_access for details | |
1098 | # | |
1099 | # NOTE: The default if no htcp_access lines are present is to | |
1100 | # deny all traffic. This default may cause problems with peers | |
1101 | # using the htcp option. | |
1102 | # | |
1103 | # This clause only supports fast acl types. | |
1104 | # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. | |
1105 | # | |
1106 | ## Allow HTCP queries from local networks only | |
1107 | ##htcp_access allow localnet | |
1108 | ##htcp_access deny all | |
1109 | #Default: | |
1110 | # htcp_access deny all | |
1111 | ||
1112 | # TAG: htcp_clr_access | |
1113 | # Allowing or Denying access to purge content using HTCP based | |
1114 | # on defined access lists | |
1115 | # | |
1116 | # htcp_clr_access allow|deny [!]aclname ... | |
1117 | # | |
1118 | # See http_access for details | |
1119 | # | |
1120 | # This clause only supports fast acl types. | |
1121 | # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. | |
1122 | # | |
1123 | ## Allow HTCP CLR requests from trusted peers | |
1124 | #acl htcp_clr_peer src 172.16.1.2 | |
1125 | #htcp_clr_access allow htcp_clr_peer | |
1126 | #Default: | |
1127 | # htcp_clr_access deny all | |
1128 | ||
1129 | # TAG: miss_access | |
1130 | # Determins whether network access is permitted when satisfying a request. | |
1131 | # | |
1132 | # For example; | |
1133 | # to force your neighbors to use you as a sibling instead of | |
1134 | # a parent. | |
1135 | # | |
1136 | # acl localclients src 172.16.0.0/16 | |
1137 | # miss_access allow localclients | |
1138 | # miss_access deny !localclients | |
1139 | # | |
1140 | # This means only your local clients are allowed to fetch relayed/MISS | |
1141 | # replies from the network and all other clients can only fetch cached | |
1142 | # objects (HITs). | |
1143 | # | |
1144 | # | |
1145 | # The default for this setting allows all clients who passed the | |
1146 | # http_access rules to relay via this proxy. | |
1147 | # | |
1148 | # This clause only supports fast acl types. | |
1149 | # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. | |
1150 | #Default: | |
1151 | # none | |
1152 | ||
1153 | # TAG: ident_lookup_access | |
1154 | # Note: This option is only available if Squid is rebuilt with the | |
1155 | # --enable-ident-lookups | |
1156 | # | |
1157 | # A list of ACL elements which, if matched, cause an ident | |
1158 | # (RFC 931) lookup to be performed for this request. For | |
1159 | # example, you might choose to always perform ident lookups | |
1160 | # for your main multi-user Unix boxes, but not for your Macs | |
1161 | # and PCs. By default, ident lookups are not performed for | |
1162 | # any requests. | |
1163 | # | |
1164 | # To enable ident lookups for specific client addresses, you | |
1165 | # can follow this example: | |
1166 | # | |
1167 | # acl ident_aware_hosts src 198.168.1.0/24 | |
1168 | # ident_lookup_access allow ident_aware_hosts | |
1169 | # ident_lookup_access deny all | |
1170 | # | |
1171 | # Only src type ACL checks are fully supported. A srcdomain | |
1172 | # ACL might work at times, but it will not always provide | |
1173 | # the correct result. | |
1174 | # | |
1175 | # This clause only supports fast acl types. | |
1176 | # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. | |
1177 | #Default: | |
1178 | # ident_lookup_access deny all | |
1179 | ||
1180 | # TAG: reply_body_max_size size [acl acl...] | |
1181 | # This option specifies the maximum size of a reply body. It can be | |
1182 | # used to prevent users from downloading very large files, such as | |
1183 | # MP3's and movies. When the reply headers are received, the | |
1184 | # reply_body_max_size lines are processed, and the first line where | |
1185 | # all (if any) listed ACLs are true is used as the maximum body size | |
1186 | # for this reply. | |
1187 | # | |
1188 | # This size is checked twice. First when we get the reply headers, | |
1189 | # we check the content-length value. If the content length value exists | |
1190 | # and is larger than the allowed size, the request is denied and the | |
1191 | # user receives an error message that says "the request or reply | |
1192 | # is too large." If there is no content-length, and the reply | |
1193 | # size exceeds this limit, the client's connection is just closed | |
1194 | # and they will receive a partial reply. | |
1195 | # | |
1196 | # WARNING: downstream caches probably can not detect a partial reply | |
1197 | # if there is no content-length header, so they will cache | |
1198 | # partial responses and give them out as hits. You should NOT | |
1199 | # use this option if you have downstream caches. | |
1200 | # | |
1201 | # WARNING: A maximum size smaller than the size of squid's error messages | |
1202 | # will cause an infinite loop and crash squid. Ensure that the smallest | |
1203 | # non-zero value you use is greater that the maximum header size plus | |
1204 | # the size of your largest error page. | |
1205 | # | |
1206 | # If you set this parameter none (the default), there will be | |
1207 | # no limit imposed. | |
1208 | # | |
1209 | # Configuration Format is: | |
1210 | # reply_body_max_size SIZE UNITS [acl ...] | |
1211 | # ie. | |
1212 | # reply_body_max_size 10 MB | |
1213 | # | |
1214 | #Default: | |
1215 | # none | |
1216 | ||
1217 | # NETWORK OPTIONS | # NETWORK OPTIONS |
1218 | # ----------------------------------------------------------------------------- | # ----------------------------------------------------------------------------- |
1219 | ||
1220 | # TAG: http_port | # TAG: http_port |
1221 | # Usage: port | # Usage: port [mode] [options] |
1222 | # hostname:port | # hostname:port [mode] [options] |
1223 | # 1.2.3.4:port | # 1.2.3.4:port [mode] [options] |
1224 | # | # |
1225 | # The socket addresses where Squid will listen for HTTP client | # The socket addresses where Squid will listen for HTTP client |
1226 | # requests. You may specify multiple socket addresses. | # requests. You may specify multiple socket addresses. |
1227 | # There are three forms: port alone, hostname with port, and | # There are three forms: port alone, hostname with port, and |
1228 | # IP address with port. If you specify a hostname or IP | # IP address with port. If you specify a hostname or IP |
1229 | # address, then Squid binds the socket to that specific | # address, Squid binds the socket to that specific |
1230 | # address. This replaces the old 'tcp_incoming_address' | # address. Most likely, you do not need to bind to a specific |
# option. Most likely, you do not need to bind to a specific | ||
1231 | # address, so you can use the port number alone. | # address, so you can use the port number alone. |
1232 | # | # |
1233 | # The default port number is 3128. | # If you are running Squid in accelerator mode, you |
# | ||
# If you are running Squid in accelerator mode, then you | ||
1234 | # probably want to listen on port 80 also, or instead. | # probably want to listen on port 80 also, or instead. |
1235 | # | # |
1236 | # The -a command line option will override the *first* port | # The -a command line option may be used to specify additional |
1237 | # number listed here. That option will NOT override an IP | # port(s) where Squid listens for proxy request. Such ports will |
1238 | # address, however. | # be plain proxy ports with no options. |
1239 | # | # |
1240 | # You may specify multiple socket addresses on multiple lines. | # You may specify multiple socket addresses on multiple lines. |
1241 | # | # |
1242 | # Modes: | |
1243 | # | |
1244 | # intercept Support for IP-Layer interception of | |
1245 | # outgoing requests without browser settings. | |
1246 | # NP: disables authentication and IPv6 on the port. | |
1247 | # | |
1248 | # tproxy Support Linux TPROXY for spoofing outgoing | |
1249 | # connections using the client IP address. | |
1250 | # NP: disables authentication and maybe IPv6 on the port. | |
1251 | # | |
1252 | # accel Accelerator / reverse proxy mode | |
1253 | # | |
1254 | # ssl-bump Intercept each CONNECT request matching ssl_bump ACL, | |
1255 | # establish secure connection with the client and with | |
1256 | # the server, decrypt HTTP messages as they pass through | |
1257 | # Squid, and treat them as unencrypted HTTP messages, | |
1258 | # becoming the man-in-the-middle. | |
1259 | # | |
1260 | # The ssl_bump option is required to fully enable | |
1261 | # the SslBump feature. | |
1262 | # | |
1263 | # Omitting the mode flag causes default forward proxy mode to be used. | |
1264 | # | |
1265 | # | |
1266 | # Accelerator Mode Options: | |
1267 | # | |
1268 | # defaultsite=domainname | |
1269 | # What to use for the Host: header if it is not present | |
1270 | # in a request. Determines what site (not origin server) | |
1271 | # accelerators should consider the default. | |
1272 | # | |
1273 | # no-vhost Disable using HTTP/1.1 Host header for virtual domain support. | |
1274 | # | |
1275 | # protocol= Protocol to reconstruct accelerated requests with. | |
1276 | # Defaults to http for http_port and https for | |
1277 | # https_port | |
1278 | # | |
1279 | # vport Virtual host port support. Using the http_port number | |
1280 | # instead of the port passed on Host: headers. | |
1281 | # | |
1282 | # vport=NN Virtual host port support. Using the specified port | |
1283 | # number instead of the port passed on Host: headers. | |
1284 | # | |
1285 | # act-as-origin | |
1286 | # Act as if this Squid is the origin server. | |
1287 | # This currently means generate new Date: and Expires: | |
1288 | # headers on HIT instead of adding Age:. | |
1289 | # | |
1290 | # ignore-cc Ignore request Cache-Control headers. | |
1291 | # | |
1292 | # WARNING: This option violates HTTP specifications if | |
1293 | # used in non-accelerator setups. | |
1294 | # | |
1295 | # allow-direct Allow direct forwarding in accelerator mode. Normally | |
1296 | # accelerated requests are denied direct forwarding as if | |
1297 | # never_direct was used. | |
1298 | # | |
1299 | # WARNING: this option opens accelerator mode to security | |
1300 | # vulnerabilities usually only affecting in interception | |
1301 | # mode. Make sure to protect forwarding with suitable | |
1302 | # http_access rules when using this. | |
1303 | # | |
1304 | # | |
1305 | # SSL Bump Mode Options: | |
1306 | # In addition to these options ssl-bump requires TLS/SSL options. | |
1307 | # | |
1308 | # generate-host-certificates[=<on|off>] | |
1309 | # Dynamically create SSL server certificates for the | |
1310 | # destination hosts of bumped CONNECT requests.When | |
1311 | # enabled, the cert and key options are used to sign | |
1312 | # generated certificates. Otherwise generated | |
1313 | # certificate will be selfsigned. | |
1314 | # If there is a CA certificate lifetime of the generated | |
1315 | # certificate equals lifetime of the CA certificate. If | |
1316 | # generated certificate is selfsigned lifetime is three | |
1317 | # years. | |
1318 | # This option is enabled by default when ssl-bump is used. | |
1319 | # See the ssl-bump option above for more information. | |
1320 | # | |
1321 | # dynamic_cert_mem_cache_size=SIZE | |
1322 | # Approximate total RAM size spent on cached generated | |
1323 | # certificates. If set to zero, caching is disabled. The | |
1324 | # default value is 4MB. An average XXX-bit certificate | |
1325 | # consumes about XXX bytes of RAM. | |
1326 | # | |
1327 | # TLS / SSL Options: | |
1328 | # | |
1329 | # cert= Path to SSL certificate (PEM format). | |
1330 | # | |
1331 | # key= Path to SSL private key file (PEM format) | |
1332 | # if not specified, the certificate file is | |
1333 | # assumed to be a combined certificate and | |
1334 | # key file. | |
1335 | # | |
1336 | # version= The version of SSL/TLS supported | |
1337 | # 1 automatic (default) | |
1338 | # 2 SSLv2 only | |
1339 | # 3 SSLv3 only | |
1340 | # 4 TLSv1.0 only | |
1341 | # 5 TLSv1.1 only | |
1342 | # 6 TLSv1.2 only | |
1343 | # | |
1344 | # cipher= Colon separated list of supported ciphers. | |
1345 | # NOTE: some ciphers such as EDH ciphers depend on | |
1346 | # additional settings. If those settings are | |
1347 | # omitted the ciphers may be silently ignored | |
1348 | # by the OpenSSL library. | |
1349 | # | |
1350 | # options= Various SSL implementation options. The most important | |
1351 | # being: | |
1352 | # NO_SSLv2 Disallow the use of SSLv2 | |
1353 | # NO_SSLv3 Disallow the use of SSLv3 | |
1354 | # NO_TLSv1 Disallow the use of TLSv1.0 | |
1355 | # NO_TLSv1_1 Disallow the use of TLSv1.1 | |
1356 | # NO_TLSv1_2 Disallow the use of TLSv1.2 | |
1357 | # SINGLE_DH_USE Always create a new key when using | |
1358 | # temporary/ephemeral DH key exchanges | |
1359 | # ALL Enable various bug workarounds | |
1360 | # suggested as "harmless" by OpenSSL | |
1361 | # Be warned that this reduces SSL/TLS | |
1362 | # strength to some attacks. | |
1363 | # See OpenSSL SSL_CTX_set_options documentation for a | |
1364 | # complete list of options. | |
1365 | # | |
1366 | # clientca= File containing the list of CAs to use when | |
1367 | # requesting a client certificate. | |
1368 | # | |
1369 | # cafile= File containing additional CA certificates to | |
1370 | # use when verifying client certificates. If unset | |
1371 | # clientca will be used. | |
1372 | # | |
1373 | # capath= Directory containing additional CA certificates | |
1374 | # and CRL lists to use when verifying client certificates. | |
1375 | # | |
1376 | # crlfile= File of additional CRL lists to use when verifying | |
1377 | # the client certificate, in addition to CRLs stored in | |
1378 | # the capath. Implies VERIFY_CRL flag below. | |
1379 | # | |
1380 | # dhparams= File containing DH parameters for temporary/ephemeral | |
1381 | # DH key exchanges. See OpenSSL documentation for details | |
1382 | # on how to create this file. | |
1383 | # WARNING: EDH ciphers will be silently disabled if this | |
1384 | # option is not set. | |
1385 | # | |
1386 | # sslflags= Various flags modifying the use of SSL: | |
1387 | # DELAYED_AUTH | |
1388 | # Don't request client certificates | |
1389 | # immediately, but wait until acl processing | |
1390 | # requires a certificate (not yet implemented). | |
1391 | # NO_DEFAULT_CA | |
1392 | # Don't use the default CA lists built in | |
1393 | # to OpenSSL. | |
1394 | # NO_SESSION_REUSE | |
1395 | # Don't allow for session reuse. Each connection | |
1396 | # will result in a new SSL session. | |
1397 | # VERIFY_CRL | |
1398 | # Verify CRL lists when accepting client | |
1399 | # certificates. | |
1400 | # VERIFY_CRL_ALL | |
1401 | # Verify CRL lists for all certificates in the | |
1402 | # client certificate chain. | |
1403 | # | |
1404 | # sslcontext= SSL session ID context identifier. | |
1405 | # | |
1406 | # Other Options: | |
1407 | # | |
1408 | # connection-auth[=on|off] | |
1409 | # use connection-auth=off to tell Squid to prevent | |
1410 | # forwarding Microsoft connection oriented authentication | |
1411 | # (NTLM, Negotiate and Kerberos) | |
1412 | # | |
1413 | # disable-pmtu-discovery= | |
1414 | # Control Path-MTU discovery usage: | |
1415 | # off lets OS decide on what to do (default). | |
1416 | # transparent disable PMTU discovery when transparent | |
1417 | # support is enabled. | |
1418 | # always disable always PMTU discovery. | |
1419 | # | |
1420 | # In many setups of transparently intercepting proxies | |
1421 | # Path-MTU discovery can not work on traffic towards the | |
1422 | # clients. This is the case when the intercepting device | |
1423 | # does not fully track connections and fails to forward | |
1424 | # ICMP must fragment messages to the cache server. If you | |
1425 | # have such setup and experience that certain clients | |
1426 | # sporadically hang or never complete requests set | |
1427 | # disable-pmtu-discovery option to 'transparent'. | |
1428 | # | |
1429 | # name= Specifies a internal name for the port. Defaults to | |
1430 | # the port specification (port or addr:port) | |
1431 | # | |
1432 | # tcpkeepalive[=idle,interval,timeout] | |
1433 | # Enable TCP keepalive probes of idle connections. | |
1434 | # In seconds; idle is the initial time before TCP starts | |
1435 | # probing the connection, interval how often to probe, and | |
1436 | # timeout the time before giving up. | |
1437 | # | |
1438 | # If you run Squid on a dual-homed machine with an internal | |
1439 | # and an external interface we recommend you to specify the | |
1440 | # internal address:port in http_port. This way Squid will only be | |
1441 | # visible on the internal address. | |
1442 | # | |
1443 | # | |
1444 | ||
1445 | # Squid normally listens to port 3128 | |
1446 | http_port 3128 | |
1447 | ||
1448 | # TAG: https_port | |
1449 | # Usage: [ip:]port cert=certificate.pem [key=key.pem] [mode] [options...] | |
1450 | # | |
1451 | # The socket address where Squid will listen for client requests made | |
1452 | # over TLS or SSL connections. Commonly referred to as HTTPS. | |
1453 | # | |
1454 | # This is most useful for situations where you are running squid in | |
1455 | # accelerator mode and you want to do the SSL work at the accelerator level. | |
1456 | # | |
1457 | # You may specify multiple socket addresses on multiple lines, | |
1458 | # each with their own SSL certificate and/or options. | |
1459 | # | |
1460 | # See http_port for a list of available options. | |
1461 | #Default: | #Default: |
1462 | # http_port 3128 | # none |
1463 | ||
1464 | # TAG: icp_port | # TAG: tcp_outgoing_tos |
1465 | # The port number where Squid sends and receives ICP queries to | # Allows you to select a TOS/Diffserv value for packets outgoing |
1466 | # and from neighbor caches. Default is 3130. To disable use | # on the server side, based on an ACL. |
1467 | # "0". May be overridden with -u on the command line. | # |
1468 | # tcp_outgoing_tos ds-field [!]aclname ... | |
1469 | # | |
1470 | # Example where normal_service_net uses the TOS value 0x00 | |
1471 | # and good_service_net uses 0x20 | |
1472 | # | |
1473 | # acl normal_service_net src 10.0.0.0/24 | |
1474 | # acl good_service_net src 10.0.1.0/24 | |
1475 | # tcp_outgoing_tos 0x00 normal_service_net | |
1476 | # tcp_outgoing_tos 0x20 good_service_net | |
1477 | # | |
1478 | # TOS/DSCP values really only have local significance - so you should | |
1479 | # know what you're specifying. For more information, see RFC2474, | |
1480 | # RFC2475, and RFC3260. | |
1481 | # | |
1482 | # The TOS/DSCP byte must be exactly that - a octet value 0 - 255, or | |
1483 | # "default" to use whatever default your host has. Note that in | |
1484 | # practice often only multiples of 4 is usable as the two rightmost bits | |
1485 | # have been redefined for use by ECN (RFC 3168 section 23.1). | |
1486 | # | # |
1487 | # Processing proceeds in the order specified, and stops at first fully | |
1488 | # matching line. | |
1489 | #Default: | #Default: |
1490 | # icp_port 3130 | # none |
1491 | ||
1492 | # TAG: htcp_port | # TAG: clientside_tos |
1493 | # The port number where Squid sends and receives HTCP queries to | # Allows you to select a TOS/Diffserv value for packets being transmitted |
1494 | # and from neighbor caches. Default is 4827. To disable use | # on the client-side, based on an ACL. |
1495 | # "0". | # |
1496 | # clientside_tos ds-field [!]aclname ... | |
1497 | # | |
1498 | # Example where normal_service_net uses the TOS value 0x00 | |
1499 | # and good_service_net uses 0x20 | |
1500 | # | |
1501 | # acl normal_service_net src 10.0.0.0/24 | |
1502 | # acl good_service_net src 10.0.1.0/24 | |
1503 | # clientside_tos 0x00 normal_service_net | |
1504 | # clientside_tos 0x20 good_service_net | |
1505 | # | # |
1506 | # To enable this option, you must use --enable-htcp with the | # Note: This feature is incompatible with qos_flows. Any TOS values set here |
1507 | # configure script. | # will be overwritten by TOS values in qos_flows. |
1508 | #Default: | |
1509 | # none | |
1510 | ||
1511 | # TAG: tcp_outgoing_mark | |
1512 | # Note: This option is only available if Squid is rebuilt with the | |
1513 | # Packet MARK (Linux) | |
1514 | # | |
1515 | # Allows you to apply a Netfilter mark value to outgoing packets | |
1516 | # on the server side, based on an ACL. | |
1517 | # | # |
1518 | # tcp_outgoing_mark mark-value [!]aclname ... | |
1519 | # | |
1520 | # Example where normal_service_net uses the mark value 0x00 | |
1521 | # and good_service_net uses 0x20 | |
1522 | # | |
1523 | # acl normal_service_net src 10.0.0.0/24 | |
1524 | # acl good_service_net src 10.0.1.0/24 | |
1525 | # tcp_outgoing_mark 0x00 normal_service_net | |
1526 | # tcp_outgoing_mark 0x20 good_service_net | |
1527 | #Default: | #Default: |
1528 | # htcp_port 4827 | # none |
1529 | ||
1530 | # TAG: mcast_groups | # TAG: clientside_mark |
1531 | # This tag specifies a list of multicast groups which your server | # Note: This option is only available if Squid is rebuilt with the |
1532 | # should join to receive multicasted ICP queries. | # Packet MARK (Linux) |
1533 | # | # |
1534 | # NOTE! Be very careful what you put here! Be sure you | # Allows you to apply a Netfilter mark value to packets being transmitted |
1535 | # understand the difference between an ICP _query_ and an ICP | # on the client-side, based on an ACL. |
# _reply_. This option is to be set only if you want to RECEIVE | ||
# multicast queries. Do NOT set this option to SEND multicast | ||
# ICP (use cache_peer for that). ICP replies are always sent via | ||
# unicast, so this option does not affect whether or not you will | ||
# receive replies from multicast group members. | ||
1536 | # | # |
1537 | # You must be very careful to NOT use a multicast address which | # clientside_mark mark-value [!]aclname ... |
# is already in use by another group of caches. | ||
1538 | # | # |
1539 | # If you are unsure about multicast, please read the Multicast | # Example where normal_service_net uses the mark value 0x00 |
1540 | # chapter in the Squid FAQ (http://www.squid-cache.org/FAQ/). | # and good_service_net uses 0x20 |
1541 | # | # |
1542 | # Usage: mcast_groups 239.128.16.128 224.0.1.20 | # acl normal_service_net src 10.0.0.0/24 |
1543 | # acl good_service_net src 10.0.1.0/24 | |
1544 | # clientside_mark 0x00 normal_service_net | |
1545 | # clientside_mark 0x20 good_service_net | |
1546 | # | # |
1547 | # By default, Squid doesn't listen on any multicast groups. | # Note: This feature is incompatible with qos_flows. Any mark values set here |
1548 | # will be overwritten by mark values in qos_flows. | |
1549 | #Default: | |
1550 | # none | |
1551 | ||
1552 | # TAG: qos_flows | |
1553 | # Allows you to select a TOS/DSCP value to mark outgoing | |
1554 | # connections with, based on where the reply was sourced. For | |
1555 | # platforms using netfilter, allows you to set a netfilter mark | |
1556 | # value instead of, or in addition to, a TOS value. | |
1557 | # | |
1558 | # TOS values really only have local significance - so you should | |
1559 | # know what you're specifying. For more information, see RFC2474, | |
1560 | # RFC2475, and RFC3260. | |
1561 | # | |
1562 | # The TOS/DSCP byte must be exactly that - a octet value 0 - 255. Note that | |
1563 | # in practice often only multiples of 4 is usable as the two rightmost bits | |
1564 | # have been redefined for use by ECN (RFC 3168 section 23.1). | |
1565 | # | |
1566 | # Mark values can be any unsigned 32-bit integer value. | |
1567 | # | |
1568 | # This setting is configured by setting the following values: | |
1569 | # | |
1570 | # tos|mark Whether to set TOS or netfilter mark values | |
1571 | # | |
1572 | # local-hit=0xFF Value to mark local cache hits. | |
1573 | # | |
1574 | # sibling-hit=0xFF Value to mark hits from sibling peers. | |
1575 | # | |
1576 | # parent-hit=0xFF Value to mark hits from parent peers. | |
1577 | # | |
1578 | # miss=0xFF[/mask] Value to mark cache misses. Takes precedence | |
1579 | # over the preserve-miss feature (see below), unless | |
1580 | # mask is specified, in which case only the bits | |
1581 | # specified in the mask are written. | |
1582 | # | |
1583 | # The TOS variant of the following features are only possible on Linux | |
1584 | # and require your kernel to be patched with the TOS preserving ZPH | |
1585 | # patch, available from http://zph.bratcheda.org | |
1586 | # No patch is needed to preserve the netfilter mark, which will work | |
1587 | # with all variants of netfilter. | |
1588 | # | |
1589 | # disable-preserve-miss | |
1590 | # This option disables the preservation of the TOS or netfilter | |
1591 | # mark. By default, the existing TOS or netfilter mark value of | |
1592 | # the response coming from the remote server will be retained | |
1593 | # and masked with miss-mark. | |
1594 | # NOTE: in the case of a netfilter mark, the mark must be set on | |
1595 | # the connection (using the CONNMARK target) not on the packet | |
1596 | # (MARK target). | |
1597 | # | |
1598 | # miss-mask=0xFF | |
1599 | # Allows you to mask certain bits in the TOS or mark value | |
1600 | # received from the remote server, before copying the value to | |
1601 | # the TOS sent towards clients. | |
1602 | # Default for tos: 0xFF (TOS from server is not changed). | |
1603 | # Default for mark: 0xFFFFFFFF (mark from server is not changed). | |
1604 | # | |
1605 | # All of these features require the --enable-zph-qos compilation flag | |
1606 | # (enabled by default). Netfilter marking also requires the | |
1607 | # libnetfilter_conntrack libraries (--with-netfilter-conntrack) and | |
1608 | # libcap 2.09+ (--with-libcap). | |
1609 | # | # |
1610 | #Default: | #Default: |
1611 | # none | # none |
1612 | ||
1613 | # TAG: tcp_outgoing_address | # TAG: tcp_outgoing_address |
1614 | # TAG: udp_incoming_address | # Allows you to map requests to different outgoing IP addresses |
1615 | # TAG: udp_outgoing_address | # based on the username or source address of the user making |
1616 | # Usage: tcp_incoming_address 10.20.30.40 | # the request. |
# udp_outgoing_address fully.qualified.domain.name | ||
1617 | # | # |
1618 | # tcp_outgoing_address is used for connections made to remote | # tcp_outgoing_address ipaddr [[!]aclname] ... |
# servers and other caches. | ||
# udp_incoming_address is used for the ICP socket receiving packets | ||
# from other caches. | ||
# udp_outgoing_address is used for ICP packets sent out to other | ||
# caches. | ||
1619 | # | # |
1620 | # The default behavior is to not bind to any specific address. | # For example; |
1621 | # Forwarding clients with dedicated IPs for certain subnets. | |
1622 | # | # |
1623 | # A *_incoming_address value of 0.0.0.0 indicates that Squid should | # acl normal_service_net src 10.0.0.0/24 |
1624 | # listen on all available interfaces. | # acl good_service_net src 10.0.2.0/24 |
1625 | # | # |
1626 | # If udp_outgoing_address is set to 255.255.255.255 (the default) | # tcp_outgoing_address 2001:db8::c001 good_service_net |
1627 | # then it will use the same socket as udp_incoming_address. Only | # tcp_outgoing_address 10.1.0.2 good_service_net |
# change this if you want to have ICP queries sent using another | ||
# address than where this Squid listens for ICP queries from other | ||
# caches. | ||
1628 | # | # |
1629 | # NOTE, udp_incoming_address and udp_outgoing_address can not | # tcp_outgoing_address 2001:db8::beef normal_service_net |
1630 | # have the same value since they both use port 3130. | # tcp_outgoing_address 10.1.0.1 normal_service_net |
1631 | # | |
1632 | # tcp_outgoing_address 2001:db8::1 | |
1633 | # tcp_outgoing_address 10.1.0.3 | |
1634 | # | |
1635 | # Processing proceeds in the order specified, and stops at first fully | |
1636 | # matching line. | |
1637 | # | |
1638 | # Squid will add an implicit IP version test to each line. | |
1639 | # Requests going to IPv4 websites will use the outgoing 10.1.0.* addresses. | |
1640 | # Requests going to IPv6 websites will use the outgoing 2001:db8:* addresses. | |
1641 | # | |
1642 | # | |
1643 | # NOTE: The use of this directive using client dependent ACLs is | |
1644 | # incompatible with the use of server side persistent connections. To | |
1645 | # ensure correct results it is best to set server_persistent_connections | |
1646 | # to off when using this directive in such configurations. | |
1647 | # | # |
1648 | # NOTE, tcp_incoming_address has been removed. You can now | # NOTE: The use of this directive to set a local IP on outgoing TCP links |
1649 | # specify IP addresses on the 'http_port' line. | # is incompatible with using TPROXY to set client IP out outbound TCP links. |
1650 | # When needing to contact peers use the no-tproxy cache_peer option and the | |
1651 | # client_dst_passthru directive re-enable normal forwarding such as this. | |
1652 | # | # |
1653 | #Default: | #Default: |
1654 | # tcp_outgoing_address 255.255.255.255 | # none |
# udp_incoming_address 0.0.0.0 | ||
# udp_outgoing_address 255.255.255.255 | ||
1655 | ||
1656 | # TAG: host_verify_strict | |
1657 | # Regardless of this option setting, when dealing with intercepted | |
1658 | # traffic, Squid always verifies that the destination IP address matches | |
1659 | # the Host header domain or IP (called 'authority form URL'). | |
1660 | # | |
1661 | # This enforcement is performed to satisfy a MUST-level requirement in | |
1662 | # RFC 2616 section 14.23: "The Host field value MUST represent the naming | |
1663 | # authority of the origin server or gateway given by the original URL". | |
1664 | # | |
1665 | # When set to ON: | |
1666 | # Squid always responds with an HTTP 409 (Conflict) error | |
1667 | # page and logs a security warning if there is no match. | |
1668 | # | |
1669 | # Squid verifies that the destination IP address matches | |
1670 | # the Host header for forward-proxy and reverse-proxy traffic | |
1671 | # as well. For those traffic types, Squid also enables the | |
1672 | # following checks, comparing the corresponding Host header | |
1673 | # and Request-URI components: | |
1674 | # | |
1675 | # * The host names (domain or IP) must be identical, | |
1676 | # but valueless or missing Host header disables all checks. | |
1677 | # For the two host names to match, both must be either IP | |
1678 | # or FQDN. | |
1679 | # | |
1680 | # * Port numbers must be identical, but if a port is missing | |
1681 | # the scheme-default port is assumed. | |
1682 | # | |
1683 | # | |
1684 | # When set to OFF (the default): | |
1685 | # Squid allows suspicious requests to continue but logs a | |
1686 | # security warning and blocks caching of the response. | |
1687 | # | |
1688 | # * Forward-proxy traffic is not checked at all. | |
1689 | # | |
1690 | # * Reverse-proxy traffic is not checked at all. | |
1691 | # | |
1692 | # * Intercepted traffic which passes verification is handled | |
1693 | # according to client_dst_passthru. | |
1694 | # | |
1695 | # * Intercepted requests which fail verification are sent | |
1696 | # to the client original destination instead of DIRECT. | |
1697 | # This overrides 'client_dst_passthru off'. | |
1698 | # | |
1699 | # For now suspicious intercepted CONNECT requests are always | |
1700 | # responded to with an HTTP 409 (Conflict) error page. | |
1701 | # | |
1702 | # | |
1703 | # SECURITY NOTE: | |
1704 | # | |
1705 | # As described in CVE-2009-0801 when the Host: header alone is used | |
1706 | # to determine the destination of a request it becomes trivial for | |
1707 | # malicious scripts on remote websites to bypass browser same-origin | |
1708 | # security policy and sandboxing protections. | |
1709 | # | |
1710 | # The cause of this is that such applets are allowed to perform their | |
1711 | # own HTTP stack, in which case the same-origin policy of the browser | |
1712 | # sandbox only verifies that the applet tries to contact the same IP | |
1713 | # as from where it was loaded at the IP level. The Host: header may | |
1714 | # be different from the connected IP and approved origin. | |
1715 | # | |
1716 | #Default: | |
1717 | # host_verify_strict off | |
1718 | ||
1719 | # TAG: client_dst_passthru | |
1720 | # With NAT or TPROXY intercepted traffic Squid may pass the request | |
1721 | # directly to the original client destination IP or seek a faster | |
1722 | # source using the HTTP Host header. | |
1723 | # | |
1724 | # Using Host to locate alternative servers can provide faster | |
1725 | # connectivity with a range of failure recovery options. | |
1726 | # But can also lead to connectivity trouble when the client and | |
1727 | # server are attempting stateful interactions unaware of the proxy. | |
1728 | # | |
1729 | # This option (on by default) prevents alternative DNS entries being | |
1730 | # located to send intercepted traffic DIRECT to an origin server. | |
1731 | # The clients original destination IP and port will be used instead. | |
1732 | # | |
1733 | # Regardless of this option setting, when dealing with intercepted | |
1734 | # traffic Squid will verify the Host: header and any traffic which | |
1735 | # fails Host verification will be treated as if this option were ON. | |
1736 | # | |
1737 | # see host_verify_strict for details on the verification process. | |
1738 | #Default: | |
1739 | # client_dst_passthru on | |
1740 | ||
1741 | # SSL OPTIONS | |
1742 | # ----------------------------------------------------------------------------- | |
1743 | ||
1744 | # TAG: ssl_unclean_shutdown | |
1745 | # Some browsers (especially MSIE) bugs out on SSL shutdown | |
1746 | # messages. | |
1747 | #Default: | |
1748 | # ssl_unclean_shutdown off | |
1749 | ||
1750 | # TAG: ssl_engine | |
1751 | # The OpenSSL engine to use. You will need to set this if you | |
1752 | # would like to use hardware SSL acceleration for example. | |
1753 | #Default: | |
1754 | # none | |
1755 | ||
1756 | # TAG: sslproxy_client_certificate | |
1757 | # Client SSL Certificate to use when proxying https:// URLs | |
1758 | #Default: | |
1759 | # none | |
1760 | ||
1761 | # TAG: sslproxy_client_key | |
1762 | # Client SSL Key to use when proxying https:// URLs | |
1763 | #Default: | |
1764 | # none | |
1765 | ||
1766 | # TAG: sslproxy_version | |
1767 | # SSL version level to use when proxying https:// URLs | |
1768 | # | |
1769 | # The versions of SSL/TLS supported: | |
1770 | # | |
1771 | # 1 automatic (default) | |
1772 | # 2 SSLv2 only | |
1773 | # 3 SSLv3 only | |
1774 | # 4 TLSv1.0 only | |
1775 | # 5 TLSv1.1 only | |
1776 | # 6 TLSv1.2 only | |
1777 | #Default: | |
1778 | # sslproxy_version 1 | |
1779 | ||
1780 | # TAG: sslproxy_options | |
1781 | # SSL implementation options to use when proxying https:// URLs | |
1782 | # | |
1783 | # The most important being: | |
1784 | # | |
1785 | # NO_SSLv2 Disallow the use of SSLv2 | |
1786 | # NO_SSLv3 Disallow the use of SSLv3 | |
1787 | # NO_TLSv1 Disallow the use of TLSv1.0 | |
1788 | # NO_TLSv1_1 Disallow the use of TLSv1.1 | |
1789 | # NO_TLSv1_2 Disallow the use of TLSv1.2 | |
1790 | # SINGLE_DH_USE | |
1791 | # Always create a new key when using temporary/ephemeral | |
1792 | # DH key exchanges | |
1793 | # SSL_OP_NO_TICKET | |
1794 | # Disable use of RFC5077 session tickets. Some servers | |
1795 | # may have problems understanding the TLS extension due | |
1796 | # to ambiguous specification in RFC4507. | |
1797 | # ALL Enable various bug workarounds suggested as "harmless" | |
1798 | # by OpenSSL. Be warned that this may reduce SSL/TLS | |
1799 | # strength to some attacks. | |
1800 | # | |
1801 | # See the OpenSSL SSL_CTX_set_options documentation for a | |
1802 | # complete list of possible options. | |
1803 | #Default: | |
1804 | # none | |
1805 | ||
1806 | # TAG: sslproxy_cipher | |
1807 | # SSL cipher list to use when proxying https:// URLs | |
1808 | # | |
1809 | # Colon separated list of supported ciphers. | |
1810 | #Default: | |
1811 | # none | |
1812 | ||
1813 | # TAG: sslproxy_cafile | |
1814 | # file containing CA certificates to use when verifying server | |
1815 | # certificates while proxying https:// URLs | |
1816 | #Default: | |
1817 | # none | |
1818 | ||
1819 | # TAG: sslproxy_capath | |
1820 | # directory containing CA certificates to use when verifying | |
1821 | # server certificates while proxying https:// URLs | |
1822 | #Default: | |
1823 | # none | |
1824 | ||
1825 | # TAG: ssl_bump | |
1826 | # This ACL controls which CONNECT requests to an http_port | |
1827 | # marked with an sslBump flag are actually "bumped". Please | |
1828 | # see the sslBump flag of an http_port option for more details | |
1829 | # about decoding proxied SSL connections. | |
1830 | # | |
1831 | # By default, no requests are bumped. | |
1832 | # | |
1833 | # See also: http_port ssl-bump | |
1834 | # | |
1835 | # This clause supports both fast and slow acl types. | |
1836 | # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. | |
1837 | # | |
1838 | # | |
1839 | # # Example: Bump all requests except those originating from localhost and | |
1840 | # # those going to webax.com or example.com sites. | |
1841 | # | |
1842 | # acl localhost src 127.0.0.1/32 | |
1843 | # acl broken_sites dstdomain .webax.com | |
1844 | # acl broken_sites dstdomain .example.com | |
1845 | # ssl_bump deny localhost | |
1846 | # ssl_bump deny broken_sites | |
1847 | # ssl_bump allow all | |
1848 | #Default: | |
1849 | # none | |
1850 | ||
1851 | # TAG: sslproxy_flags | |
1852 | # Various flags modifying the use of SSL while proxying https:// URLs: | |
1853 | # DONT_VERIFY_PEER Accept certificates that fail verification. | |
1854 | # For refined control, see sslproxy_cert_error. | |
1855 | # NO_DEFAULT_CA Don't use the default CA list built in | |
1856 | # to OpenSSL. | |
1857 | #Default: | |
1858 | # none | |
1859 | ||
1860 | # TAG: sslproxy_cert_error | |
1861 | # Use this ACL to bypass server certificate validation errors. | |
1862 | # | |
1863 | # For example, the following lines will bypass all validation errors | |
1864 | # when talking to servers for example.com. All other | |
1865 | # validation errors will result in ERR_SECURE_CONNECT_FAIL error. | |
1866 | # | |
1867 | # acl BrokenButTrustedServers dstdomain example.com | |
1868 | # sslproxy_cert_error allow BrokenButTrustedServers | |
1869 | # sslproxy_cert_error deny all | |
1870 | # | |
1871 | # This clause only supports fast acl types. | |
1872 | # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. | |
1873 | # Using slow acl types may result in server crashes | |
1874 | # | |
1875 | # Without this option, all server certificate validation errors | |
1876 | # terminate the transaction. Bypassing validation errors is dangerous | |
1877 | # because an error usually implies that the server cannot be trusted and | |
1878 | # the connection may be insecure. | |
1879 | # | |
1880 | # See also: sslproxy_flags and DONT_VERIFY_PEER. | |
1881 | # | |
1882 | # Default setting: sslproxy_cert_error deny all | |
1883 | #Default: | |
1884 | # none | |
1885 | ||
1886 | # TAG: sslpassword_program | |
1887 | # Specify a program used for entering SSL key passphrases | |
1888 | # when using encrypted SSL certificate keys. If not specified | |
1889 | # keys must either be unencrypted, or Squid started with the -N | |
1890 | # option to allow it to query interactively for the passphrase. | |
1891 | # | |
1892 | # The key file name is given as argument to the program allowing | |
1893 | # selection of the right password if you have multiple encrypted | |
1894 | # keys. | |
1895 | #Default: | |
1896 | # none | |
1897 | ||
1898 | # OPTIONS RELATING TO EXTERNAL SSL_CRTD | |
1899 | # ----------------------------------------------------------------------------- | |
1900 | ||
1901 | # TAG: sslcrtd_program | |
1902 | # Note: This option is only available if Squid is rebuilt with the | |
1903 | # --enable-ssl-crtd | |
1904 | # | |
1905 | # Specify the location and options of the executable for ssl_crtd process. | |
1906 | # /usr/lib64/squid/ssl_crtd program requires -s and -M parameters | |
1907 | # For more information use: | |
1908 | # /usr/lib64/squid/ssl_crtd -h | |
1909 | #Default: | |
1910 | # sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB | |
1911 | ||
1912 | # TAG: sslcrtd_children | |
1913 | # Note: This option is only available if Squid is rebuilt with the | |
1914 | # --enable-ssl-crtd | |
1915 | # | |
1916 | # The maximum number of processes spawn to service ssl server. | |
1917 | # The maximum this may be safely set to is 32. | |
1918 | # | |
1919 | # The startup= and idle= options allow some measure of skew in your | |
1920 | # tuning. | |
1921 | # | |
1922 | # startup=N | |
1923 | # | |
1924 | # Sets the minimum number of processes to spawn when Squid | |
1925 | # starts or reconfigures. When set to zero the first request will | |
1926 | # cause spawning of the first child process to handle it. | |
1927 | # | |
1928 | # Starting too few children temporary slows Squid under load while it | |
1929 | # tries to spawn enough additional processes to cope with traffic. | |
1930 | # | |
1931 | # idle=N | |
1932 | # | |
1933 | # Sets a minimum of how many processes Squid is to try and keep available | |
1934 | # at all times. When traffic begins to rise above what the existing | |
1935 | # processes can handle this many more will be spawned up to the maximum | |
1936 | # configured. A minimum setting of 1 is required. | |
1937 | # | |
1938 | # You must have at least one ssl_crtd process. | |
1939 | #Default: | |
1940 | # sslcrtd_children 32 startup=5 idle=1 | |
1941 | ||
1942 | # OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM | # OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM |
1943 | # ----------------------------------------------------------------------------- | # ----------------------------------------------------------------------------- |
1944 | ||
1945 | # TAG: cache_peer | # TAG: cache_peer |
1946 | # To specify other caches in a hierarchy, use the format: | # To specify other caches in a hierarchy, use the format: |
1947 | # | # |
1948 | # cache_peer hostname type http_port icp_port | # cache_peer hostname type http-port icp-port [options] |
1949 | # | # |
1950 | # For example, | # For example, |
1951 | # | # |
1952 | # # proxy icp | # # proxy icp |
1953 | # # hostname type port port options | # # hostname type port port options |
1954 | # # -------------------- -------- ----- ----- ----------- | # # -------------------- -------- ----- ----- ----------- |
1955 | # cache_peer parent.foo.net parent 3128 3130 [proxy-only] | # cache_peer parent.foo.net parent 3128 3130 default |
1956 | # cache_peer sib1.foo.net sibling 3128 3130 [proxy-only] | # cache_peer sib1.foo.net sibling 3128 3130 proxy-only |
1957 | # cache_peer sib2.foo.net sibling 3128 3130 [proxy-only] | # cache_peer sib2.foo.net sibling 3128 3130 proxy-only |
1958 | # | # cache_peer example.com parent 80 0 default |
1959 | # type: either 'parent', 'sibling', or 'multicast'. | # cache_peer cdn.example.com sibling 3128 0 |
1960 | # | # |
1961 | # proxy_port: The port number where the cache listens for proxy | # type: either 'parent', 'sibling', or 'multicast'. |
1962 | # requests. | # |
1963 | # | # proxy-port: The port number where the peer accept HTTP requests. |
1964 | # icp_port: Used for querying neighbor caches about | # For other Squid proxies this is usually 3128 |
1965 | # objects. To have a non-ICP neighbor | # For web servers this is usually 80 |
1966 | # specify '7' for the ICP port and make sure the | # |
1967 | # neighbor machine has the UDP echo port | # icp-port: Used for querying neighbor caches about objects. |
1968 | # enabled in its /etc/inetd.conf file. | # Set to 0 if the peer does not support ICP or HTCP. |
1969 | # | # See ICP and HTCP options below for additional details. |
1970 | # options: proxy-only | # |
1971 | # weight=n | # |
1972 | # ttl=n | # ==== ICP OPTIONS ==== |
1973 | # no-query | # |
1974 | # default | # You MUST also set icp_port and icp_access explicitly when using these options. |
1975 | # round-robin | # The defaults will prevent peer traffic using ICP. |
1976 | # multicast-responder | # |
1977 | # closest-only | # |
1978 | # no-digest | # no-query Disable ICP queries to this neighbor. |
1979 | # no-netdb-exchange | # |
1980 | # no-delay | # multicast-responder |
1981 | # login=user:password | # Indicates the named peer is a member of a multicast group. |
1982 | # connect-timeout=nn | # ICP queries will not be sent directly to the peer, but ICP |
1983 | # digest-url=url | # replies will be accepted from it. |
1984 | # allow-miss | # |
1985 | # | # closest-only Indicates that, for ICP_OP_MISS replies, we'll only forward |
1986 | # use 'proxy-only' to specify that objects fetched | # CLOSEST_PARENT_MISSes and never FIRST_PARENT_MISSes. |
1987 | # from this cache should not be saved locally. | # |
1988 | # | # background-ping |
1989 | # use 'weight=n' to specify a weighted parent. | # To only send ICP queries to this neighbor infrequently. |
1990 | # The weight must be an integer. The default weight | # This is used to keep the neighbor round trip time updated |
1991 | # is 1, larger weights are favored more. | # and is usually used in conjunction with weighted-round-robin. |
1992 | # | # |
1993 | # use 'ttl=n' to specify a IP multicast TTL to use | # |
1994 | # when sending an ICP queries to this address. | # ==== HTCP OPTIONS ==== |
1995 | # Only useful when sending to a multicast group. | # |
1996 | # Because we don't accept ICP replies from random | # You MUST also set htcp_port and htcp_access explicitly when using these options. |
1997 | # hosts, you must configure other group members as | # The defaults will prevent peer traffic using HTCP. |
1998 | # peers with the 'multicast-responder' option below. | # |
1999 | # | # |
2000 | # use 'no-query' to NOT send ICP queries to this | # htcp Send HTCP, instead of ICP, queries to the neighbor. |
2001 | # neighbor. | # You probably also want to set the "icp-port" to 4827 |
2002 | # | # instead of 3130. This directive accepts a comma separated |
2003 | # use 'default' if this is a parent cache which can | # list of options described below. |
2004 | # be used as a "last-resort." You should probably | # |
2005 | # only use 'default' in situations where you cannot | # htcp=oldsquid Send HTCP to old Squid versions (2.5 or earlier). |
2006 | # use ICP with your parent cache(s). | # |
2007 | # | # htcp=no-clr Send HTCP to the neighbor but without |
2008 | # use 'round-robin' to define a set of parents which | # sending any CLR requests. This cannot be used with |
2009 | # should be used in a round-robin fashion in the | # only-clr. |
2010 | # absence of any ICP queries. | # |
2011 | # | # htcp=only-clr Send HTCP to the neighbor but ONLY CLR requests. |
2012 | # 'multicast-responder' indicates that the named peer | # This cannot be used with no-clr. |
2013 | # is a member of a multicast group. ICP queries will | # |
2014 | # not be sent directly to the peer, but ICP replies | # htcp=no-purge-clr |
2015 | # will be accepted from it. | # Send HTCP to the neighbor including CLRs but only when |
2016 | # | # they do not result from PURGE requests. |
2017 | # 'closest-only' indicates that, for ICP_OP_MISS | # |
2018 | # replies, we'll only forward CLOSEST_PARENT_MISSes | # htcp=forward-clr |
2019 | # and never FIRST_PARENT_MISSes. | # Forward any HTCP CLR requests this proxy receives to the peer. |
2020 | # | # |
2021 | # use 'no-digest' to NOT request cache digests from | # |
2022 | # this neighbor. | # ==== PEER SELECTION METHODS ==== |
2023 | # | # |
2024 | # 'no-netdb-exchange' disables requesting ICMP | # The default peer selection method is ICP, with the first responding peer |
2025 | # RTT database (NetDB) from the neighbor. | # being used as source. These options can be used for better load balancing. |
2026 | # | # |
2027 | # use 'no-delay' to prevent access to this neighbor | # |
2028 | # from influencing the delay pools. | # default This is a parent cache which can be used as a "last-resort" |
2029 | # | # if a peer cannot be located by any of the peer-selection methods. |
2030 | # use 'login=user:password' if this is a personal/workgroup | # If specified more than once, only the first is used. |
2031 | # proxy and your parent requires proxy authentication. | # |
2032 | # | # round-robin Load-Balance parents which should be used in a round-robin |
2033 | # use 'connect-timeout=nn' to specify a peer | # fashion in the absence of any ICP queries. |
2034 | # specific connect timeout (also see the | # weight=N can be used to add bias. |
2035 | # peer_connect_timeout directive) | # |
2036 | # | # weighted-round-robin |
2037 | # use 'digest-url=url' to tell Squid to fetch the cache | # Load-Balance parents which should be used in a round-robin |
2038 | # digest (if digests are enabled) for this host from | # fashion with the frequency of each parent being based on the |
2039 | # the specified URL rather than the Squid default | # round trip time. Closer parents are used more often. |
2040 | # location. | # Usually used for background-ping parents. |
2041 | # | # weight=N can be used to add bias. |
2042 | # use 'allow-miss' to disable Squid's use of only-if-cached | # |
2043 | # when forwarding requests to siblings. This is primarily | # carp Load-Balance parents which should be used as a CARP array. |
2044 | # useful when icp_hit_stale is used by the sibling. To | # The requests will be distributed among the parents based on the |
2045 | # extensive use of this option may result in forwarding | # CARP load balancing hash function based on their weight. |
2046 | # loops, and you should avoid having two-way peerings | # |
2047 | # with this option. (for example to deny peer usage on | # userhash Load-balance parents based on the client proxy_auth or ident username. |
2048 | # requests from peer by denying cache_peer_access if the | # |
2049 | # source is a peer) | # sourcehash Load-balance parents based on the client source IP. |
2050 | # | # |
2051 | # NOTE: non-ICP neighbors must be specified as 'parent'. | # multicast-siblings |
2052 | # To be used only for cache peers of type "multicast". | |
2053 | # ALL members of this multicast group have "sibling" | |
2054 | # relationship with it, not "parent". This is to a multicast | |
2055 | # group when the requested object would be fetched only from | |
2056 | # a "parent" cache, anyway. It's useful, e.g., when | |
2057 | # configuring a pool of redundant Squid proxies, being | |
2058 | # members of the same multicast group. | |
2059 | # | |
2060 | # | |
2061 | # ==== PEER SELECTION OPTIONS ==== | |
2062 | # | |
2063 | # weight=N use to affect the selection of a peer during any weighted | |
2064 | # peer-selection mechanisms. | |
2065 | # The weight must be an integer; default is 1, | |
2066 | # larger weights are favored more. | |
2067 | # This option does not affect parent selection if a peering | |
2068 | # protocol is not in use. | |
2069 | # | |
2070 | # basetime=N Specify a base amount to be subtracted from round trip | |
2071 | # times of parents. | |
2072 | # It is subtracted before division by weight in calculating | |
2073 | # which parent to fectch from. If the rtt is less than the | |
2074 | # base time the rtt is set to a minimal value. | |
2075 | # | |
2076 | # ttl=N Specify a TTL to use when sending multicast ICP queries | |
2077 | # to this address. | |
2078 | # Only useful when sending to a multicast group. | |
2079 | # Because we don't accept ICP replies from random | |
2080 | # hosts, you must configure other group members as | |
2081 | # peers with the 'multicast-responder' option. | |
2082 | # | |
2083 | # no-delay To prevent access to this neighbor from influencing the | |
2084 | # delay pools. | |
2085 | # | |
2086 | # digest-url=URL Tell Squid to fetch the cache digest (if digests are | |
2087 | # enabled) for this host from the specified URL rather | |
2088 | # than the Squid default location. | |
2089 | # | |
2090 | # | |
2091 | # ==== CARP OPTIONS ==== | |
2092 | # | |
2093 | # carp-key=key-specification | |
2094 | # use a different key than the full URL to hash against the peer. | |
2095 | # the key-specification is a comma-separated list of the keywords | |
2096 | # scheme, host, port, path, params | |
2097 | # Order is not important. | |
2098 | # | |
2099 | # ==== ACCELERATOR / REVERSE-PROXY OPTIONS ==== | |
2100 | # | |
2101 | # originserver Causes this parent to be contacted as an origin server. | |
2102 | # Meant to be used in accelerator setups when the peer | |
2103 | # is a web server. | |
2104 | # | |
2105 | # forceddomain=name | |
2106 | # Set the Host header of requests forwarded to this peer. | |
2107 | # Useful in accelerator setups where the server (peer) | |
2108 | # expects a certain domain name but clients may request | |
2109 | # others. ie example.com or www.example.com | |
2110 | # | |
2111 | # no-digest Disable request of cache digests. | |
2112 | # | |
2113 | # no-netdb-exchange | |
2114 | # Disables requesting ICMP RTT database (NetDB). | |
2115 | # | |
2116 | # | |
2117 | # ==== AUTHENTICATION OPTIONS ==== | |
2118 | # | |
2119 | # login=user:password | |
2120 | # If this is a personal/workgroup proxy and your parent | |
2121 | # requires proxy authentication. | |
2122 | # | |
2123 | # Note: The string can include URL escapes (i.e. %20 for | |
2124 | # spaces). This also means % must be written as %%. | |
2125 | # | |
2126 | # login=PASSTHRU | |
2127 | # Send login details received from client to this peer. | |
2128 | # Both Proxy- and WWW-Authorization headers are passed | |
2129 | # without alteration to the peer. | |
2130 | # Authentication is not required by Squid for this to work. | |
2131 | # | |
2132 | # Note: This will pass any form of authentication but | |
2133 | # only Basic auth will work through a proxy unless the | |
2134 | # connection-auth options are also used. | |
2135 | # | |
2136 | # login=PASS Send login details received from client to this peer. | |
2137 | # Authentication is not required by this option. | |
2138 | # | |
2139 | # If there are no client-provided authentication headers | |
2140 | # to pass on, but username and password are available | |
2141 | # from an external ACL user= and password= result tags | |
2142 | # they may be sent instead. | |
2143 | # | |
2144 | # Note: To combine this with proxy_auth both proxies must | |
2145 | # share the same user database as HTTP only allows for | |
2146 | # a single login (one for proxy, one for origin server). | |
2147 | # Also be warned this will expose your users proxy | |
2148 | # password to the peer. USE WITH CAUTION | |
2149 | # | |
2150 | # login=*:password | |
2151 | # Send the username to the upstream cache, but with a | |
2152 | # fixed password. This is meant to be used when the peer | |
2153 | # is in another administrative domain, but it is still | |
2154 | # needed to identify each user. | |
2155 | # The star can optionally be followed by some extra | |
2156 | # information which is added to the username. This can | |
2157 | # be used to identify this proxy to the peer, similar to | |
2158 | # the login=username:password option above. | |
2159 | # | |
2160 | # login=NEGOTIATE | |
2161 | # If this is a personal/workgroup proxy and your parent | |
2162 | # requires a secure proxy authentication. | |
2163 | # The first principal from the default keytab or defined by | |
2164 | # the environment variable KRB5_KTNAME will be used. | |
2165 | # | |
2166 | # WARNING: The connection may transmit requests from multiple | |
2167 | # clients. Negotiate often assumes end-to-end authentication | |
2168 | # and a single-client. Which is not strictly true here. | |
2169 | # | |
2170 | # login=NEGOTIATE:principal_name | |
2171 | # If this is a personal/workgroup proxy and your parent | |
2172 | # requires a secure proxy authentication. | |
2173 | # The principal principal_name from the default keytab or | |
2174 | # defined by the environment variable KRB5_KTNAME will be | |
2175 | # used. | |
2176 | # | |
2177 | # WARNING: The connection may transmit requests from multiple | |
2178 | # clients. Negotiate often assumes end-to-end authentication | |
2179 | # and a single-client. Which is not strictly true here. | |
2180 | # | |
2181 | # connection-auth=on|off | |
2182 | # Tell Squid that this peer does or not support Microsoft | |
2183 | # connection oriented authentication, and any such | |
2184 | # challenges received from there should be ignored. | |
2185 | # Default is auto to automatically determine the status | |
2186 | # of the peer. | |
2187 | # | |
2188 | # | |
2189 | # ==== SSL / HTTPS / TLS OPTIONS ==== | |
2190 | # | |
2191 | # ssl Encrypt connections to this peer with SSL/TLS. | |
2192 | # | |
2193 | # sslcert=/path/to/ssl/certificate | |
2194 | # A client SSL certificate to use when connecting to | |
2195 | # this peer. | |
2196 | # | |
2197 | # sslkey=/path/to/ssl/key | |
2198 | # The private SSL key corresponding to sslcert above. | |
2199 | # If 'sslkey' is not specified 'sslcert' is assumed to | |
2200 | # reference a combined file containing both the | |
2201 | # certificate and the key. | |
2202 | # | |
2203 | # sslversion=1|2|3|4|5|6 | |
2204 | # The SSL version to use when connecting to this peer | |
2205 | # 1 = automatic (default) | |
2206 | # 2 = SSL v2 only | |
2207 | # 3 = SSL v3 only | |
2208 | # 4 = TLS v1.0 only | |
2209 | # 5 = TLS v1.1 only | |
2210 | # 6 = TLS v1.2 only | |
2211 | # | |
2212 | # sslcipher=... The list of valid SSL ciphers to use when connecting | |
2213 | # to this peer. | |
2214 | # | |
2215 | # ssloptions=... Specify various SSL implementation options: | |
2216 | # | # |
2217 | # NO_SSLv2 Disallow the use of SSLv2 | |
2218 | # NO_SSLv3 Disallow the use of SSLv3 | |
2219 | # NO_TLSv1 Disallow the use of TLSv1.0 | |
2220 | # NO_TLSv1_1 Disallow the use of TLSv1.1 | |
2221 | # NO_TLSv1_2 Disallow the use of TLSv1.2 | |
2222 | # SINGLE_DH_USE | |
2223 | # Always create a new key when using | |
2224 | # temporary/ephemeral DH key exchanges | |
2225 | # ALL Enable various bug workarounds | |
2226 | # suggested as "harmless" by OpenSSL | |
2227 | # Be warned that this reduces SSL/TLS | |
2228 | # strength to some attacks. | |
2229 | # | |
2230 | # See the OpenSSL SSL_CTX_set_options documentation for a | |
2231 | # more complete list. | |
2232 | # | |
2233 | # sslcafile=... A file containing additional CA certificates to use | |
2234 | # when verifying the peer certificate. | |
2235 | # | |
2236 | # sslcapath=... A directory containing additional CA certificates to | |
2237 | # use when verifying the peer certificate. | |
2238 | # | |
2239 | # sslcrlfile=... A certificate revocation list file to use when | |
2240 | # verifying the peer certificate. | |
2241 | # | |
2242 | # sslflags=... Specify various flags modifying the SSL implementation: | |
2243 | # | |
2244 | # DONT_VERIFY_PEER | |
2245 | # Accept certificates even if they fail to | |
2246 | # verify. | |
2247 | # NO_DEFAULT_CA | |
2248 | # Don't use the default CA list built in | |
2249 | # to OpenSSL. | |
2250 | # DONT_VERIFY_DOMAIN | |
2251 | # Don't verify the peer certificate | |
2252 | # matches the server name | |
2253 | # | |
2254 | # ssldomain= The peer name as advertised in it's certificate. | |
2255 | # Used for verifying the correctness of the received peer | |
2256 | # certificate. If not specified the peer hostname will be | |
2257 | # used. | |
2258 | # | |
2259 | # front-end-https | |
2260 | # Enable the "Front-End-Https: On" header needed when | |
2261 | # using Squid as a SSL frontend in front of Microsoft OWA. | |
2262 | # See MS KB document Q307347 for details on this header. | |
2263 | # If set to auto the header will only be added if the | |
2264 | # request is forwarded as a https:// URL. | |
2265 | # | |
2266 | # | |
2267 | # ==== GENERAL OPTIONS ==== | |
2268 | # | |
2269 | # connect-timeout=N | |
2270 | # A peer-specific connect timeout. | |
2271 | # Also see the peer_connect_timeout directive. | |
2272 | # | |
2273 | # connect-fail-limit=N | |
2274 | # How many times connecting to a peer must fail before | |
2275 | # it is marked as down. Default is 10. | |
2276 | # | |
2277 | # allow-miss Disable Squid's use of only-if-cached when forwarding | |
2278 | # requests to siblings. This is primarily useful when | |
2279 | # icp_hit_stale is used by the sibling. To extensive use | |
2280 | # of this option may result in forwarding loops, and you | |
2281 | # should avoid having two-way peerings with this option. | |
2282 | # For example to deny peer usage on requests from peer | |
2283 | # by denying cache_peer_access if the source is a peer. | |
2284 | # | |
2285 | # max-conn=N Limit the amount of connections Squid may open to this | |
2286 | # peer. see also | |
2287 | # | |
2288 | # name=xxx Unique name for the peer. | |
2289 | # Required if you have multiple peers on the same host | |
2290 | # but different ports. | |
2291 | # This name can be used in cache_peer_access and similar | |
2292 | # directives to dentify the peer. | |
2293 | # Can be used by outgoing access controls through the | |
2294 | # peername ACL type. | |
2295 | # | |
2296 | # no-tproxy Do not use the client-spoof TPROXY support when forwarding | |
2297 | # requests to this peer. Use normal address selection instead. | |
2298 | # | |
2299 | # proxy-only objects fetched from the peer will not be stored locally. | |
2300 | # | |
2301 | #Default: | #Default: |
2302 | # none | # none |
2303 | ||
# | Line 255 | Line 2315 |
2315 | # has the effect such that UDP query packets are sent to | # has the effect such that UDP query packets are sent to |
2316 | # 'bigserver' only when the requested object exists on a | # 'bigserver' only when the requested object exists on a |
2317 | # server in the .edu domain. Prefixing the domainname | # server in the .edu domain. Prefixing the domainname |
2318 | # with '!' means that the cache will be queried for objects | # with '!' means the cache will be queried for objects |
2319 | # NOT in that domain. | # NOT in that domain. |
2320 | # | # |
2321 | # NOTE: * Any number of domains may be given for a cache-host, | # NOTE: * Any number of domains may be given for a cache-host, |
# | Line 267 | Line 2327 |
2327 | # * There are no defaults. | # * There are no defaults. |
2328 | # * There is also a 'cache_peer_access' tag in the ACL | # * There is also a 'cache_peer_access' tag in the ACL |
2329 | # section. | # section. |
2330 | #Default: | |
2331 | # none | |
2332 | ||
2333 | # TAG: cache_peer_access | |
2334 | # Similar to 'cache_peer_domain' but provides more flexibility by | |
2335 | # using ACL elements. | |
2336 | # | # |
2337 | # cache_peer_access cache-host allow|deny [!]aclname ... | |
2338 | # | |
2339 | # The syntax is identical to 'http_access' and the other lists of | |
2340 | # ACL elements. See the comments for 'http_access' below, or | |
2341 | # the Squid FAQ (http://wiki.squid-cache.org/SquidFaq/SquidAcl). | |
2342 | #Default: | #Default: |
2343 | # none | # none |
2344 | ||
2345 | # TAG: neighbor_type_domain | # TAG: neighbor_type_domain |
2346 | # usage: neighbor_type_domain parent|sibling domain domain ... | # usage: neighbor_type_domain neighbor parent|sibling domain domain ... |
2347 | # | # |
2348 | # Modifying the neighbor type for specific domains is now | # Modifying the neighbor type for specific domains is now |
2349 | # possible. You can treat some domains differently than the the | # possible. You can treat some domains differently than the |
2350 | # default neighbor type specified on the 'cache_peer' line. | # default neighbor type specified on the 'cache_peer' line. |
2351 | # Normally it should only be necessary to list domains which | # Normally it should only be necessary to list domains which |
2352 | # should be treated differently because the default neighbor type | # should be treated differently because the default neighbor type |
2353 | # applies for hostnames which do not match domains listed here. | # applies for hostnames which do not match domains listed here. |
2354 | # | # |
2355 | #EXAMPLE: | #EXAMPLE: |
2356 | # cache_peer parent cache.foo.org 3128 3130 | # cache_peer cache.foo.org parent 3128 3130 |
2357 | # neighbor_type_domain cache.foo.org sibling .com .net | # neighbor_type_domain cache.foo.org sibling .com .net |
2358 | # neighbor_type_domain cache.foo.org sibling .au .de | # neighbor_type_domain cache.foo.org sibling .au .de |
# | ||
2359 | #Default: | #Default: |
2360 | # none | # none |
2361 | ||
# TAG: icp_query_timeout (msec) | ||
# Normally Squid will automatically determine an optimal ICP | ||
# query timeout value based on the round-trip-time of recent ICP | ||
# queries. If you want to override the value determined by | ||
# Squid, set this 'icp_query_timeout' to a non-zero value. This | ||
# value is specified in MILLISECONDS, so, to use a 2-second | ||
# timeout (the old default), you would write: | ||
# | ||
# icp_query_timeout 2000 | ||
# | ||
#Default: | ||
# icp_query_timeout 0 | ||
# TAG: maximum_icp_query_timeout (msec) | ||
# Normally the ICP query timeout is determined dynamically. But | ||
# sometimes it can lead to very large values (say 5 seconds). | ||
# Use this option to put an upper limit on the dynamic timeout | ||
# value. Do NOT use this option to always use a fixed (instead | ||
# of a dynamic) timeout value. To set a fixed timeout see the | ||
# 'icp_query_timeout' directive. | ||
# | ||
#Default: | ||
# maximum_icp_query_timeout 2000 | ||
# TAG: mcast_icp_query_timeout (msec) | ||
# For Multicast peers, Squid regularly sends out ICP "probes" to | ||
# count how many other peers are listening on the given multicast | ||
# address. This value specifies how long Squid should wait to | ||
# count all the replies. The default is 2000 msec, or 2 | ||
# seconds. | ||
# | ||
#Default: | ||
# mcast_icp_query_timeout 2000 | ||
2362 | # TAG: dead_peer_timeout (seconds) | # TAG: dead_peer_timeout (seconds) |
2363 | # This controls how long Squid waits to declare a peer cache | # This controls how long Squid waits to declare a peer cache |
2364 | # as "dead." If there are no ICP replies received in this | # as "dead." If there are no ICP replies received in this |
# | Line 338 | Line 2374 |
2374 | # your time between requests is greater than this timeout, you | # your time between requests is greater than this timeout, you |
2375 | # will see a lot of requests sent DIRECT to origin servers | # will see a lot of requests sent DIRECT to origin servers |
2376 | # instead of to your parents. | # instead of to your parents. |
# | ||
2377 | #Default: | #Default: |
2378 | # dead_peer_timeout 10 seconds | # dead_peer_timeout 10 seconds |
2379 | ||
2380 | # TAG: forward_max_tries | |
2381 | # Controls how many different forward paths Squid will try | |
2382 | # before giving up. See also forward_timeout. | |
2383 | # | |
2384 | # NOTE: connect_retries (default: none) can make each of these | |
2385 | # possible forwarding paths be tried multiple times. | |
2386 | #Default: | |
2387 | # forward_max_tries 10 | |
2388 | ||
2389 | # TAG: hierarchy_stoplist | # TAG: hierarchy_stoplist |
2390 | # A list of words which, if found in a URL, cause the object to | # A list of words which, if found in a URL, cause the object to |
2391 | # be handled directly by this cache. In other words, use this | # be handled directly by this cache. In other words, use this |
2392 | # to not query neighbor caches for certain objects. You may | # to not query neighbor caches for certain objects. You may |
2393 | # list this option multiple times. | # list this option multiple times. |
2394 | # | # |
2395 | #We recommend you to use at least the following line. | # Example: |
2396 | hierarchy_stoplist cgi-bin ? | # hierarchy_stoplist cgi-bin ? |
# TAG: no_cache | ||
# A list of ACL elements which, if matched, cause the reply to | ||
# immediately removed from the cache. In other words, use this | ||
# to force certain objects to never be cached. | ||
# | ||
# You must use the word 'DENY' to indicate the ACL names which should | ||
# NOT be cached. | ||
2397 | # | # |
2398 | #We recommend you to use the following two lines. | # Note: never_direct overrides this option. |
2399 | acl QUERY urlpath_regex cgi-bin \? | #Default: |
2400 | no_cache deny QUERY | # none |
2401 | ||
2402 | # OPTIONS WHICH AFFECT THE CACHE SIZE | # MEMORY CACHE OPTIONS |
2403 | # ----------------------------------------------------------------------------- | # ----------------------------------------------------------------------------- |
2404 | ||
2405 | # TAG: cache_mem (bytes) | # TAG: cache_mem (bytes) |
2406 | # NOTE: THIS PARAMETER DOES NOT SPECIFY THE MAXIMUM PROCESS | # NOTE: THIS PARAMETER DOES NOT SPECIFY THE MAXIMUM PROCESS SIZE. |
2407 | # SIZE. IT PLACES A LIMIT ON ONE ASPECT OF SQUID'S MEMORY | # IT ONLY PLACES A LIMIT ON HOW MUCH ADDITIONAL MEMORY SQUID WILL |
2408 | # USAGE. SQUID USES MEMORY FOR OTHER THINGS AS WELL. | # USE AS A MEMORY CACHE OF OBJECTS. SQUID USES MEMORY FOR OTHER |
2409 | # YOUR PROCESS WILL PROBABLY BECOME TWICE OR THREE TIMES | # THINGS AS WELL. SEE THE SQUID FAQ SECTION 8 FOR DETAILS. |
# BIGGER THAN THE VALUE YOU PUT HERE | ||
2410 | # | # |
2411 | # 'cache_mem' specifies the ideal amount of memory to be used | # 'cache_mem' specifies the ideal amount of memory to be used |
2412 | # for: | # for: |
# | Line 399 no_cache deny QUERY | Line 2433 no_cache deny QUERY |
2433 | # reached. Thereafter, blocks will be used to store hot | # reached. Thereafter, blocks will be used to store hot |
2434 | # objects. | # objects. |
2435 | # | # |
2436 | # If shared memory caching is enabled, Squid does not use the shared | |
2437 | # cache space for in-transit objects, but they still consume as much | |
2438 | # local memory as they need. For more details about the shared memory | |
2439 | # cache, see memory_cache_shared. | |
2440 | #Default: | #Default: |
2441 | # cache_mem 8 MB | # cache_mem 256 MB |
2442 | ||
2443 | # TAG: cache_swap_low (percent, 0-100) | # TAG: maximum_object_size_in_memory (bytes) |
2444 | # TAG: cache_swap_high (percent, 0-100) | # Objects greater than this size will not be attempted to kept in |
2445 | # | # the memory cache. This should be set high enough to keep objects |
2446 | # The low- and high-water marks for cache object replacement. | # accessed frequently in memory to improve performance whilst low |
2447 | # Replacement begins when the swap (disk) usage is above the | # enough to keep larger objects from hoarding cache_mem. |
# low-water mark and attempts to maintain utilization near the | ||
# low-water mark. As swap utilization gets close to high-water | ||
# mark object eviction becomes more aggressive. If utilization is | ||
# close to the low-water mark less replacement is done each time. | ||
# | ||
# Defaults are 90% and 95%. If you have a large cache, 5% could be | ||
# hundreds of MB. If this is the case you may wish to set these | ||
# numbers closer together. | ||
# | ||
2448 | #Default: | #Default: |
2449 | # cache_swap_low 90 | # maximum_object_size_in_memory 512 KB |
# cache_swap_high 95 | ||
2450 | ||
2451 | # TAG: maximum_object_size (bytes) | # TAG: memory_cache_shared on|off |
2452 | # Objects larger than this size will NOT be saved on disk. The | # Controls whether the memory cache is shared among SMP workers. |
# value is specified in kilobytes, and the default is 4MB. If | ||
# you wish to get a high BYTES hit ratio, you should probably | ||
# increase this (one 32 MB object hit counts for 3200 10KB | ||
# hits). If you wish to increase speed more than your want to | ||
# save bandwidth you should leave this low. | ||
2453 | # | # |
2454 | # NOTE: if using the LFUDA replacement policy you should increase | # The shared memory cache is meant to occupy cache_mem bytes and replace |
2455 | # this value to maximize the byte hit rate improvement of LFUDA! | # the non-shared memory cache, although some entities may still be |
2456 | # See replacement_policy below for a discussion of this policy. | # cached locally by workers for now (e.g., internal and in-transit |
2457 | # objects may be served from a local memory cache even if shared memory | |
2458 | # caching is enabled). | |
2459 | # | # |
2460 | #Default: | # By default, the memory cache is shared if and only if all of the |
2461 | # maximum_object_size 4096 KB | # following conditions are satisfied: Squid runs in SMP mode with |
2462 | # multiple workers, cache_mem is positive, and Squid environment | |
2463 | # TAG: minimum_object_size (bytes) | # supports required IPC primitives (e.g., POSIX shared memory segments |
2464 | # Objects smaller than this size will NOT be saved on disk. The | # and GCC-style atomic operations). |
# value is specified in kilobytes, and the default is 0 KB, which | ||
# means there is no minimum. | ||
2465 | # | # |
2466 | #Default: | # To avoid blocking locks, shared memory uses opportunistic algorithms |
2467 | # minimum_object_size 0 KB | # that do not guarantee that every cachable entity that could have been |
2468 | # shared among SMP workers will actually be shared. | |
# TAG: maximum_object_size_in_memory (bytes) | ||
# Objects greater than this size will not be attempted to kept in | ||
# the memory cache. This should be set high enough to keep objects | ||
# accessed frequently in memory to improve performance whilst low | ||
# enough to keep larger objects from hoarding cache_mem . | ||
2469 | # | # |
2470 | # Currently, entities exceeding 32KB in size cannot be shared. | |
2471 | #Default: | #Default: |
2472 | # maximum_object_size_in_memory 8 KB | # "on" where supported if doing memory caching with multiple SMP workers. |
2473 | ||
2474 | # TAG: ipcache_size (number of entries) | # TAG: memory_cache_mode |
2475 | # TAG: ipcache_low (percent) | # Controls which objects to keep in the memory cache (cache_mem) |
# TAG: ipcache_high (percent) | ||
# The size, low-, and high-water marks for the IP cache. | ||
2476 | # | # |
2477 | # always Keep most recently fetched objects in memory (default) | |
2478 | # | |
2479 | # disk Only disk cache hits are kept in memory, which means | |
2480 | # an object must first be cached on disk and then hit | |
2481 | # a second time before cached in memory. | |
2482 | # | |
2483 | # network Only objects fetched from network is kept in memory | |
2484 | #Default: | #Default: |
2485 | # ipcache_size 1024 | # memory_cache_mode always |
# ipcache_low 90 | ||
# ipcache_high 95 | ||
2486 | ||
2487 | # TAG: fqdncache_size (number of entries) | # TAG: memory_replacement_policy |
2488 | # Maximum number of FQDN cache entries. | # The memory replacement policy parameter determines which |
2489 | # objects are purged from memory when memory space is needed. | |
2490 | # | # |
2491 | # See cache_replacement_policy for details. | |
2492 | #Default: | #Default: |
2493 | # fqdncache_size 1024 | # memory_replacement_policy lru |
2494 | ||
2495 | # DISK CACHE OPTIONS | |
2496 | # ----------------------------------------------------------------------------- | |
2497 | ||
2498 | # TAG: cache_replacement_policy | # TAG: cache_replacement_policy |
2499 | # The cache replacement policy parameter determines which | # The cache replacement policy parameter determines which |
# | Line 496 no_cache deny QUERY | Line 2523 no_cache deny QUERY |
2523 | # replacement policies. | # replacement policies. |
2524 | # | # |
2525 | # NOTE: if using the LFUDA replacement policy you should increase | # NOTE: if using the LFUDA replacement policy you should increase |
2526 | # the value of maximum_object_size above its default of 4096 KB to | # the value of maximum_object_size above its default of 4 MB to |
2527 | # to maximize the potential byte hit rate improvement of LFUDA. | # to maximize the potential byte hit rate improvement of LFUDA. |
2528 | # | # |
2529 | # For more information about the GDSF and LFUDA cache replacement | # For more information about the GDSF and LFUDA cache replacement |
2530 | # policies see http://www.hpl.hp.com/techreports/1999/HPL-1999-69.html | # policies see http://www.hpl.hp.com/techreports/1999/HPL-1999-69.html |
2531 | # and http://fog.hpl.external.hp.com/techreports/98/HPL-98-173.html. | # and http://fog.hpl.external.hp.com/techreports/98/HPL-98-173.html. |
# | ||
2532 | #Default: | #Default: |
2533 | # cache_replacement_policy lru | # cache_replacement_policy lru |
2534 | ||
# TAG: memory_replacement_policy | ||
# The memory replacement policy parameter determines which | ||
# objects are purged from memory when memory space is needed. | ||
# | ||
# See cache_replacement_policy for details. | ||
# | ||
#Default: | ||
# memory_replacement_policy lru | ||
# LOGFILE PATHNAMES AND CACHE DIRECTORIES | ||
# ----------------------------------------------------------------------------- | ||
2535 | # TAG: cache_dir | # TAG: cache_dir |
2536 | # Usage: | # Usage: |
2537 | # | # |
2538 | # cache_dir Type Directory-Name Fs-specific-data [options] | # cache_dir Type Directory-Name Fs-specific-data [options] |
2539 | # | # |
2540 | # You can specify multiple cache_dir lines to spread the | # You can specify multiple cache_dir lines to spread the |
2541 | # cache among different disk partitions. | # cache among different disk partitions. |
2542 | # | # |
2543 | # Type specifies the kind of storage system to use. Most | # Type specifies the kind of storage system to use. Only "ufs" |
2544 | # everyone will want to use "ufs" as the type. If you are using | # is built by default. To enable any of the other storage systems |
2545 | # Async I/O (--enable async-io) on Linux or Solaris, then you may | # see the --enable-storeio configure option. |
# want to try "aufs" as the type. Async IO support may be | ||
# buggy, however, so beware. | ||
2546 | # | # |
2547 | # 'Directory' is a top-level directory where cache swap | # 'Directory' is a top-level directory where cache swap |
2548 | # files will be stored. If you want to use an entire disk | # files will be stored. If you want to use an entire disk |
2549 | # for caching, then this can be the mount-point directory. | # for caching, this can be the mount-point directory. |
2550 | # The directory must exist and be writable by the Squid | # The directory must exist and be writable by the Squid |
2551 | # process. Squid will NOT create this directory for you. | # process. Squid will NOT create this directory for you. |
2552 | # | # |
2553 | # In SMP configurations, cache_dir must not precede the workers option | |
2554 | # and should use configuration macros or conditionals to give each | |
2555 | # worker interested in disk caching a dedicated cache directory. | |
2556 | # | |
2557 | # The ufs store type: | # The ufs store type: |
2558 | # | # |
2559 | # "ufs" is the old well-known Squid storage format that has always | # "ufs" is the old well-known Squid storage format that has always |
# | Line 548 no_cache deny QUERY | Line 2563 no_cache deny QUERY |
2563 | # | # |
2564 | # 'Mbytes' is the amount of disk space (MB) to use under this | # 'Mbytes' is the amount of disk space (MB) to use under this |
2565 | # directory. The default is 100 MB. Change this to suit your | # directory. The default is 100 MB. Change this to suit your |
2566 | # configuration. | # configuration. Do NOT put the size of your disk drive here. |
2567 | # Instead, if you want Squid to use the entire disk drive, | |
2568 | # subtract 20% and use that value. | |
2569 | # | # |
2570 | # 'Level-1' is the number of first-level subdirectories which | # 'L1' is the number of first-level subdirectories which |
2571 | # will be created under the 'Directory'. The default is 16. | # will be created under the 'Directory'. The default is 16. |
2572 | # | # |
2573 | # 'Level-2' is the number of second-level subdirectories which | # 'L2' is the number of second-level subdirectories which |
2574 | # will be created under each first-level directory. The default | # will be created under each first-level directory. The default |
2575 | # is 256. | # is 256. |
2576 | # | # |
# | Line 583 no_cache deny QUERY | Line 2600 no_cache deny QUERY |
2600 | # | # |
2601 | # Q2 specifies the number of unacknowledged messages when Squid | # Q2 specifies the number of unacknowledged messages when Squid |
2602 | # starts blocking. If this many messages are in the queues, | # starts blocking. If this many messages are in the queues, |
2603 | # Squid blocks until it recevies some replies. Default is 72 | # Squid blocks until it receives some replies. Default is 72 |
2604 | # | |
2605 | # When Q1 < Q2 (the default), the cache directory is optimized | |
2606 | # for lower response time at the expense of a decrease in hit | |
2607 | # ratio. If Q1 > Q2, the cache directory is optimized for | |
2608 | # higher hit ratio at the expense of an increase in response | |
2609 | # time. | |
2610 | # | |
2611 | # The rock store type: | |
2612 | # | |
2613 | # cache_dir rock Directory-Name Mbytes <max-size=bytes> [options] | |
2614 | # | |
2615 | # The Rock Store type is a database-style storage. All cached | |
2616 | # entries are stored in a "database" file, using fixed-size slots, | |
2617 | # one entry per slot. The database size is specified in MB. The | |
2618 | # slot size is specified in bytes using the max-size option. See | |
2619 | # below for more info on the max-size option. | |
2620 | # | |
2621 | # If possible, Squid using Rock Store creates a dedicated kid | |
2622 | # process called "disker" to avoid blocking Squid worker(s) on disk | |
2623 | # I/O. One disker kid is created for each rock cache_dir. Diskers | |
2624 | # are created only when Squid, running in daemon mode, has support | |
2625 | # for the IpcIo disk I/O module. | |
2626 | # | |
2627 | # swap-timeout=msec: Squid will not start writing a miss to or | |
2628 | # reading a hit from disk if it estimates that the swap operation | |
2629 | # will take more than the specified number of milliseconds. By | |
2630 | # default and when set to zero, disables the disk I/O time limit | |
2631 | # enforcement. Ignored when using blocking I/O module because | |
2632 | # blocking synchronous I/O does not allow Squid to estimate the | |
2633 | # expected swap wait time. | |
2634 | # | |
2635 | # max-swap-rate=swaps/sec: Artificially limits disk access using | |
2636 | # the specified I/O rate limit. Swap out requests that | |
2637 | # would cause the average I/O rate to exceed the limit are | |
2638 | # delayed. Individual swap in requests (i.e., hits or reads) are | |
2639 | # not delayed, but they do contribute to measured swap rate and | |
2640 | # since they are placed in the same FIFO queue as swap out | |
2641 | # requests, they may wait longer if max-swap-rate is smaller. | |
2642 | # This is necessary on file systems that buffer "too | |
2643 | # many" writes and then start blocking Squid and other processes | |
2644 | # while committing those writes to disk. Usually used together | |
2645 | # with swap-timeout to avoid excessive delays and queue overflows | |
2646 | # when disk demand exceeds available disk "bandwidth". By default | |
2647 | # and when set to zero, disables the disk I/O rate limit | |
2648 | # enforcement. Currently supported by IpcIo module only. | |
2649 | # | |
2650 | # | |
2651 | # The coss store type: | |
2652 | # | |
2653 | # NP: COSS filesystem in Squid-3 has been deemed too unstable for | |
2654 | # production use and has thus been removed from this release. | |
2655 | # We hope that it can be made usable again soon. | |
2656 | # | |
2657 | # block-size=n defines the "block size" for COSS cache_dir's. | |
2658 | # Squid uses file numbers as block numbers. Since file numbers | |
2659 | # are limited to 24 bits, the block size determines the maximum | |
2660 | # size of the COSS partition. The default is 512 bytes, which | |
2661 | # leads to a maximum cache_dir size of 512<<24, or 8 GB. Note | |
2662 | # you should not change the coss block size after Squid | |
2663 | # has written some objects to the cache_dir. | |
2664 | # | |
2665 | # The coss file store has changed from 2.5. Now it uses a file | |
2666 | # called 'stripe' in the directory names in the config - and | |
2667 | # this will be created by squid -z. | |
2668 | # | # |
2669 | # Common options: | # Common options: |
2670 | # | # |
2671 | # read-only, this cache_dir is read only. | # no-store, no new objects should be stored to this cache_dir |
2672 | # | |
2673 | # min-size=n, refers to the min object size in bytes this cache_dir | |
2674 | # will accept. It's used to restrict a cache_dir to only store | |
2675 | # large objects (e.g. aufs) while other storedirs are optimized | |
2676 | # for smaller objects (e.g. COSS). Defaults to 0. | |
2677 | # | # |
2678 | # max-size=n, refers to the max object size this storedir supports. | # max-size=n, refers to the max object size in bytes this cache_dir |
2679 | # It is used to initially choose the storedir to dump the object. | # supports. It is used to select the cache_dir to store the object. |
2680 | # Note: To make optimal use of the max-size limits you should order | # Note: To make optimal use of the max-size limits you should order |
2681 | # the cache_dir lines with the smallest max-size value first and the | # the cache_dir lines with the smallest max-size value first and the |
2682 | # ones with no max-size specification last. | # ones with no max-size specification last. |
2683 | # | # |
2684 | # Note for coss, max-size must be less than COSS_MEMBUF_SZ, | |
2685 | # which can be changed with the --with-coss-membuf-size=N configure | |
2686 | # option. | |
2687 | # | |
2688 | ||
2689 | # Uncomment and adjust the following to add a disk cache directory. | |
2690 | #cache_dir ufs /var/spool/squid 100 16 256 | |
2691 | ||
2692 | # TAG: store_dir_select_algorithm | |
2693 | # Set this to 'round-robin' as an alternative. | |
2694 | #Default: | #Default: |
2695 | # cache_dir ufs /var/spool/squid 100 16 256 | # store_dir_select_algorithm least-load |
2696 | ||
2697 | # TAG: cache_access_log | # TAG: max_open_disk_fds |
2698 | # Logs the client request activity. Contains an entry for | # To avoid having disk as the I/O bottleneck Squid can optionally |
2699 | # every HTTP and ICP queries received. | # bypass the on-disk cache if more than this amount of disk file |
2700 | # descriptors are open. | |
2701 | # | # |
2702 | # A value of 0 indicates no limit. | |
2703 | #Default: | #Default: |
2704 | # cache_access_log /var/log/squid/access.log | # max_open_disk_fds 0 |
2705 | ||
2706 | # TAG: cache_log | # TAG: minimum_object_size (bytes) |
2707 | # Cache logging file. This is where general information about | # Objects smaller than this size will NOT be saved on disk. The |
2708 | # your cache's behavior goes. You can increase the amount of data | # value is specified in kilobytes, and the default is 0 KB, which |
2709 | # logged to this file with the "debug_options" tag below. | # means there is no minimum. |
2710 | #Default: | |
2711 | # minimum_object_size 0 KB | |
2712 | ||
2713 | # TAG: maximum_object_size (bytes) | |
2714 | # The default limit on size of objects stored to disk. | |
2715 | # This size is used for cache_dir where max-size is not set. | |
2716 | # The value is specified in bytes, and the default is 4 MB. | |
2717 | # | |
2718 | # If you wish to get a high BYTES hit ratio, you should probably | |
2719 | # increase this (one 32 MB object hit counts for 3200 10KB | |
2720 | # hits). | |
2721 | # | |
2722 | # If you wish to increase hit ratio more than you want to | |
2723 | # save bandwidth you should leave this low. | |
2724 | # | # |
2725 | # NOTE: if using the LFUDA replacement policy you should increase | |
2726 | # this value to maximize the byte hit rate improvement of LFUDA! | |
2727 | # See replacement_policy below for a discussion of this policy. | |
2728 | #Default: | #Default: |
2729 | # cache_log /var/log/squid/cache.log | # maximum_object_size 4 MB |
2730 | ||
2731 | # TAG: cache_swap_low (percent, 0-100) | |
2732 | #Default: | |
2733 | # cache_swap_low 90 | |
2734 | ||
2735 | # TAG: cache_swap_high (percent, 0-100) | |
2736 | # | |
2737 | # The low- and high-water marks for cache object replacement. | |
2738 | # Replacement begins when the swap (disk) usage is above the | |
2739 | # low-water mark and attempts to maintain utilization near the | |
2740 | # low-water mark. As swap utilization gets close to high-water | |
2741 | # mark object eviction becomes more aggressive. If utilization is | |
2742 | # close to the low-water mark less replacement is done each time. | |
2743 | # | |
2744 | # Defaults are 90% and 95%. If you have a large cache, 5% could be | |
2745 | # hundreds of MB. If this is the case you may wish to set these | |
2746 | # numbers closer together. | |
2747 | #Default: | |
2748 | # cache_swap_high 95 | |
2749 | ||
2750 | # LOGFILE OPTIONS | |
2751 | # ----------------------------------------------------------------------------- | |
2752 | ||
2753 | # TAG: logformat | |
2754 | # Usage: | |
2755 | # | |
2756 | # logformat <name> <format specification> | |
2757 | # | |
2758 | # Defines an access log format. | |
2759 | # | |
2760 | # The <format specification> is a string with embedded % format codes | |
2761 | # | |
2762 | # % format codes all follow the same basic structure where all but | |
2763 | # the formatcode is optional. Output strings are automatically escaped | |
2764 | # as required according to their context and the output format | |
2765 | # modifiers are usually not needed, but can be specified if an explicit | |
2766 | # output format is desired. | |
2767 | # | |
2768 | # % ["|[|'|#] [-] [[0]width] [{argument}] formatcode | |
2769 | # | |
2770 | # " output in quoted string format | |
2771 | # [ output in squid text log format as used by log_mime_hdrs | |
2772 | # # output in URL quoted format | |
2773 | # ' output as-is | |
2774 | # | |
2775 | # - left aligned | |
2776 | # | |
2777 | # width minimum and/or maximum field width: | |
2778 | # [width_min][.width_max] | |
2779 | # When minimum starts with 0, the field is zero-padded. | |
2780 | # String values exceeding maximum width are truncated. | |
2781 | # | |
2782 | # {arg} argument such as header name etc | |
2783 | # | |
2784 | # Format codes: | |
2785 | # | |
2786 | # % a literal % character | |
2787 | # sn Unique sequence number per log line entry | |
2788 | # err_code The ID of an error response served by Squid or | |
2789 | # a similar internal error identifier. | |
2790 | # err_detail Additional err_code-dependent error information. | |
2791 | # | |
2792 | # Connection related format codes: | |
2793 | # | |
2794 | # >a Client source IP address | |
2795 | # >A Client FQDN | |
2796 | # >p Client source port | |
2797 | # >eui Client source EUI (MAC address, EUI-48 or EUI-64 identifier) | |
2798 | # >la Local IP address the client connected to | |
2799 | # >lp Local port number the client connected to | |
2800 | # | |
2801 | # la Local listening IP address the client connection was connected to. | |
2802 | # lp Local listening port number the client connection was connected to. | |
2803 | # | |
2804 | # <a Server IP address of the last server or peer connection | |
2805 | # <A Server FQDN or peer name | |
2806 | # <p Server port number of the last server or peer connection | |
2807 | # <la Local IP address of the last server or peer connection | |
2808 | # <lp Local port number of the last server or peer connection | |
2809 | # | |
2810 | # Time related format codes: | |
2811 | # | |
2812 | # ts Seconds since epoch | |
2813 | # tu subsecond time (milliseconds) | |
2814 | # tl Local time. Optional strftime format argument | |
2815 | # default %d/%b/%Y:%H:%M:%S %z | |
2816 | # tg GMT time. Optional strftime format argument | |
2817 | # default %d/%b/%Y:%H:%M:%S %z | |
2818 | # tr Response time (milliseconds) | |
2819 | # dt Total time spent making DNS lookups (milliseconds) | |
2820 | # | |
2821 | # Access Control related format codes: | |
2822 | # | |
2823 | # et Tag returned by external acl | |
2824 | # ea Log string returned by external acl | |
2825 | # un User name (any available) | |
2826 | # ul User name from authentication | |
2827 | # ue User name from external acl helper | |
2828 | # ui User name from ident | |
2829 | # us User name from SSL | |
2830 | # | |
2831 | # HTTP related format codes: | |
2832 | # | |
2833 | # [http::]>h Original request header. Optional header name argument | |
2834 | # on the format header[:[separator]element] | |
2835 | # [http::]>ha The HTTP request headers after adaptation and redirection. | |
2836 | # Optional header name argument as for >h | |
2837 | # [http::]<h Reply header. Optional header name argument | |
2838 | # as for >h | |
2839 | # [http::]>Hs HTTP status code sent to the client | |
2840 | # [http::]<Hs HTTP status code received from the next hop | |
2841 | # [http::]<bs Number of HTTP-equivalent message body bytes | |
2842 | # received from the next hop, excluding chunked | |
2843 | # transfer encoding and control messages. | |
2844 | # Generated FTP/Gopher listings are treated as | |
2845 | # received bodies. | |
2846 | # [http::]mt MIME content type | |
2847 | # [http::]rm Request method (GET/POST etc) | |
2848 | # [http::]>rm Request method from client | |
2849 | # [http::]<rm Request method sent to server or peer | |
2850 | # [http::]ru Request URL from client (historic, filtered for logging) | |
2851 | # [http::]>ru Request URL from client | |
2852 | # [http::]<ru Request URL sent to server or peer | |
2853 | # [http::]rp Request URL-Path excluding hostname | |
2854 | # [http::]>rp Request URL-Path excluding hostname from client | |
2855 | # [http::]<rp Request URL-Path excluding hostname sento to server or peer | |
2856 | # [http::]rv Request protocol version | |
2857 | # [http::]>rv Request protocol version from client | |
2858 | # [http::]<rv Request protocol version sent to server or peer | |
2859 | # [http::]<st Sent reply size including HTTP headers | |
2860 | # [http::]>st Received request size including HTTP headers. In the | |
2861 | # case of chunked requests the chunked encoding metadata | |
2862 | # are not included | |
2863 | # [http::]>sh Received HTTP request headers size | |
2864 | # [http::]<sh Sent HTTP reply headers size | |
2865 | # [http::]st Request+Reply size including HTTP headers | |
2866 | # [http::]<sH Reply high offset sent | |
2867 | # [http::]<sS Upstream object size | |
2868 | # [http::]<pt Peer response time in milliseconds. The timer starts | |
2869 | # when the last request byte is sent to the next hop | |
2870 | # and stops when the last response byte is received. | |
2871 | # [http::]<tt Total server-side time in milliseconds. The timer | |
2872 | # starts with the first connect request (or write I/O) | |
2873 | # sent to the first selected peer. The timer stops | |
2874 | # with the last I/O with the last peer. | |
2875 | # | |
2876 | # Squid handling related format codes: | |
2877 | # | |
2878 | # Ss Squid request status (TCP_MISS etc) | |
2879 | # Sh Squid hierarchy status (DEFAULT_PARENT etc) | |
2880 | # | |
2881 | # If ICAP is enabled, the following code becomes available (as | |
2882 | # well as ICAP log codes documented with the icap_log option): | |
2883 | # | |
2884 | # icap::tt Total ICAP processing time for the HTTP | |
2885 | # transaction. The timer ticks when ICAP | |
2886 | # ACLs are checked and when ICAP | |
2887 | # transaction is in progress. | |
2888 | # | |
2889 | # If adaptation is enabled the following three codes become available: | |
2890 | # | |
2891 | # adapt::<last_h The header of the last ICAP response or | |
2892 | # meta-information from the last eCAP | |
2893 | # transaction related to the HTTP transaction. | |
2894 | # Like <h, accepts an optional header name | |
2895 | # argument. | |
2896 | # | |
2897 | # adapt::sum_trs Summed adaptation transaction response | |
2898 | # times recorded as a comma-separated list in | |
2899 | # the order of transaction start time. Each time | |
2900 | # value is recorded as an integer number, | |
2901 | # representing response time of one or more | |
2902 | # adaptation (ICAP or eCAP) transaction in | |
2903 | # milliseconds. When a failed transaction is | |
2904 | # being retried or repeated, its time is not | |
2905 | # logged individually but added to the | |
2906 | # replacement (next) transaction. See also: | |
2907 | # adapt::all_trs. | |
2908 | # | |
2909 | # adapt::all_trs All adaptation transaction response times. | |
2910 | # Same as adaptation_strs but response times of | |
2911 | # individual transactions are never added | |
2912 | # together. Instead, all transaction response | |
2913 | # times are recorded individually. | |
2914 | # | |
2915 | # You can prefix adapt::*_trs format codes with adaptation | |
2916 | # service name in curly braces to record response time(s) specific | |
2917 | # to that service. For example: %{my_service}adapt::sum_trs | |
2918 | # | |
2919 | # The default formats available (which do not need re-defining) are: | |
2920 | # | |
2921 | #logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt | |
2922 | #logformat common %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh | |
2923 | #logformat combined %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh | |
2924 | #logformat referrer %ts.%03tu %>a %{Referer}>h %ru | |
2925 | #logformat useragent %>a [%tl] "%{User-Agent}>h" | |
2926 | # | |
2927 | # NOTE: When the log_mime_hdrs directive is set to ON. | |
2928 | # The squid, common and combined formats have a safely encoded copy | |
2929 | # of the mime headers appended to each line within a pair of brackets. | |
2930 | # | |
2931 | # NOTE: The common and combined formats are not quite true to the Apache definition. | |
2932 | # The logs from Squid contain an extra status and hierarchy code appended. | |
2933 | # | |
2934 | #Default: | |
2935 | # none | |
2936 | ||
2937 | # TAG: access_log | |
2938 | # These files log client request activities. Has a line every HTTP or | |
2939 | # ICP request. The format is: | |
2940 | # access_log <module>:<place> [<logformat name> [acl acl ...]] | |
2941 | # access_log none [acl acl ...]] | |
2942 | # | |
2943 | # Will log to the specified module:place using the specified format (which | |
2944 | # must be defined in a logformat directive) those entries which match | |
2945 | # ALL the acl's specified (which must be defined in acl clauses). | |
2946 | # If no acl is specified, all requests will be logged to this destination. | |
2947 | # | |
2948 | # ===== Modules Currently available ===== | |
2949 | # | |
2950 | # none Do not log any requests matching these ACL. | |
2951 | # Do not specify Place or logformat name. | |
2952 | # | |
2953 | # stdio Write each log line to disk immediately at the completion of | |
2954 | # each request. | |
2955 | # Place: the filename and path to be written. | |
2956 | # | |
2957 | # daemon Very similar to stdio. But instead of writing to disk the log | |
2958 | # line is passed to a daemon helper for asychronous handling instead. | |
2959 | # Place: varies depending on the daemon. | |
2960 | # | |
2961 | # log_file_daemon Place: the file name and path to be written. | |
2962 | # | |
2963 | # syslog To log each request via syslog facility. | |
2964 | # Place: The syslog facility and priority level for these entries. | |
2965 | # Place Format: facility.priority | |
2966 | # | |
2967 | # where facility could be any of: | |
2968 | # authpriv, daemon, local0 ... local7 or user. | |
2969 | # | |
2970 | # And priority could be any of: | |
2971 | # err, warning, notice, info, debug. | |
2972 | # | |
2973 | # udp To send each log line as text data to a UDP receiver. | |
2974 | # Place: The destination host name or IP and port. | |
2975 | # Place Format: //host:port | |
2976 | # | |
2977 | # tcp To send each log line as text data to a TCP receiver. | |
2978 | # Place: The destination host name or IP and port. | |
2979 | # Place Format: //host:port | |
2980 | # | |
2981 | # Default: | |
2982 | # access_log daemon:/var/log/squid/access.log squid | |
2983 | #Default: | |
2984 | # access_log daemon:/var/log/squid/access.log squid | |
2985 | ||
2986 | # TAG: icap_log | |
2987 | # ICAP log files record ICAP transaction summaries, one line per | |
2988 | # transaction. | |
2989 | # | |
2990 | # The icap_log option format is: | |
2991 | # icap_log <filepath> [<logformat name> [acl acl ...]] | |
2992 | # icap_log none [acl acl ...]] | |
2993 | # | |
2994 | # Please see access_log option documentation for details. The two | |
2995 | # kinds of logs share the overall configuration approach and many | |
2996 | # features. | |
2997 | # | |
2998 | # ICAP processing of a single HTTP message or transaction may | |
2999 | # require multiple ICAP transactions. In such cases, multiple | |
3000 | # ICAP transaction log lines will correspond to a single access | |
3001 | # log line. | |
3002 | # | |
3003 | # ICAP log uses logformat codes that make sense for an ICAP | |
3004 | # transaction. Header-related codes are applied to the HTTP header | |
3005 | # embedded in an ICAP server response, with the following caveats: | |
3006 | # For REQMOD, there is no HTTP response header unless the ICAP | |
3007 | # server performed request satisfaction. For RESPMOD, the HTTP | |
3008 | # request header is the header sent to the ICAP server. For | |
3009 | # OPTIONS, there are no HTTP headers. | |
3010 | # | |
3011 | # The following format codes are also available for ICAP logs: | |
3012 | # | |
3013 | # icap::<A ICAP server IP address. Similar to <A. | |
3014 | # | |
3015 | # icap::<service_name ICAP service name from the icap_service | |
3016 | # option in Squid configuration file. | |
3017 | # | |
3018 | # icap::ru ICAP Request-URI. Similar to ru. | |
3019 | # | |
3020 | # icap::rm ICAP request method (REQMOD, RESPMOD, or | |
3021 | # OPTIONS). Similar to existing rm. | |
3022 | # | |
3023 | # icap::>st Bytes sent to the ICAP server (TCP payload | |
3024 | # only; i.e., what Squid writes to the socket). | |
3025 | # | |
3026 | # icap::<st Bytes received from the ICAP server (TCP | |
3027 | # payload only; i.e., what Squid reads from | |
3028 | # the socket). | |
3029 | # | |
3030 | # icap::<bs Number of message body bytes received from the | |
3031 | # ICAP server. ICAP message body, if any, usually | |
3032 | #   |