/[soft]/drakwizard/trunk/proxy_wizard/scripts/squid.conf.default

Diff of /drakwizard/trunk/proxy_wizard/scripts/squid.conf.default


revision 8719 by dmorgan, Tue Feb 8 00:14:32 2011 UTC revision 8720 by djennings, Fri Aug 23 23:53:27 2013 UTC
# Line 1  Line 1 
1    #       WELCOME TO SQUID 3.2.10
2    #       ----------------------------
3    #      
4    #       This is the documentation for the Squid configuration file.
5    #       This documentation can also be found online at:
6    #               http://www.squid-cache.org/Doc/config/
7    #      
8    #       You may wish to look at the Squid home page and wiki for the
9    #       FAQ and other documentation:
10    #               http://www.squid-cache.org/
11    #               http://wiki.squid-cache.org/SquidFaq
12    #               http://wiki.squid-cache.org/ConfigExamples
13    #      
14    #       This documentation shows what the defaults for various directives
15    #       happen to be.  If you don't need to change the default, you should
16    #       leave the line out of your squid.conf in most cases.
17    #      
18    #       In some cases "none" refers to no default setting at all,
19    #       while in other cases it refers to the value of the option
20    #       - the comments for that keyword indicate if this is the case.
21    #
22    
23    #  Configuration options can be included using the "include" directive.
24    #  Include takes a list of files to include. Quoting and wildcards are
25    #  supported.
26    #
27    #  For example,
28    #
29    #  include /path/to/included/file/squid.acl.config
30    #
31    #  Includes can be nested up to a hard-coded depth of 16 levels.
32    #  This arbitrary restriction is to prevent recursive include references
33    #  from causing Squid entering an infinite loop whilst trying to load
34    #  configuration files.
35    #
36    #
37    #  Conditional configuration
38    #
39    #       If-statements can be used to make configuration directives
40    #       depend on conditions:
41    #
42    #           if <CONDITION>
43    #               ... regular configuration directives ...
44    #           [else
45    #               ... regular configuration directives ...]
46    #           endif
47    #
48    #       The else part is optional. The keywords "if", "else", and "endif"
49    #       must be typed on their own lines, as if they were regular
50    #       configuration directives.
51    #
52    #       NOTE: An else-if condition is not supported.
53    #
54    #       These individual conditions types are supported:
55    #
56    #           true
57    #               Always evaluates to true.
58    #           false
59    #               Always evaluates to false.
60    #           <integer> = <integer>
61    #               Equality comparison of two integer numbers.
62    #
63    #
64    #  SMP-Related Macros
65    #
66    #       The following SMP-related preprocessor macros can be used.
67    #
68    #       ${process_name} expands to the current Squid process "name"
69    #       (e.g., squid1, squid2, or cache1).
70    #
71    #       ${process_number} expands to the current Squid process
72    #       identifier, which is an integer number (e.g., 1, 2, 3) unique
73    #       across all Squid processes.
74    
75    #  TAG: broken_vary_encoding
76    #       This option is not yet supported by Squid-3.
77    #Default:
78    # none
79    
80    #  TAG: cache_vary
81    #       This option is not yet supported by Squid-3.
82    #Default:
83    # none
84    
85    #  TAG: collapsed_forwarding
86    #       This option is not yet supported by Squid-3. see http://bugs.squid-cache.org/show_bug.cgi?id=3495
87    #Default:
88    # none
89    
90    #  TAG: error_map
91    #       This option is not yet supported by Squid-3.
92    #Default:
93    # none
94    
95    #  TAG: external_refresh_check
96    #       This option is not yet supported by Squid-3.
97    #Default:
98    # none
99    
100    #  TAG: ignore_ims_on_miss
101    #       This option is not yet supported by Squid-3.
102    #Default:
103    # none
104    
105    #  TAG: location_rewrite_program
106    #       This option is not yet supported by Squid-3.
107    #Default:
108    # none
109    
110    #  TAG: refresh_stale_hit
111    #       This option is not yet supported by Squid-3.
112    #Default:
113    # none
114    
115    #  TAG: storeurl_access
116    #       This option is not yet supported by this version of Squid-3. Please try a later release.
117    #Default:
118    # none
119    
120    #  TAG: ignore_expect_100
121    #       Remove this line. The HTTP/1.1 feature is now fully supported by default.
122    #Default:
123    # none
124    
125    #  TAG: dns_v4_fallback
126    #       Remove this line. Squid performs a 'Happy Eyeballs' algorithm, the 'fallback' algorithm is no longer relevant.
127    #Default:
128    # none
129    
130    #  TAG: ftp_list_width
131    #       Remove this line. Configure FTP page display using the CSS controls in errorpages.css instead.
132    #Default:
133    # none
134    
135    #  TAG: maximum_single_addr_tries
136    #       Replaced by connect_retries. The behaviour has changed, please read the documentation before altering.
137    #Default:
138    # none
139    
140    #  TAG: update_headers
141    #       Remove this line. The feature is supported by default in storage types where update is implemented.
142    #Default:
143    # none
144    
145    #  TAG: url_rewrite_concurrency
146    #       Remove this line. Set the 'concurrency=' option of url_rewrite_children instead.
147    #Default:
148    # none
149    
150    #  TAG: dns_testnames
151    #       Remove this line. DNS is no longer tested on startup.
152    #Default:
153    # none
154    
155    #  TAG: extension_methods
156    #       Remove this line. All valid methods for HTTP are accepted by default.
157    #Default:
158    # none
159    
160    #  TAG: zero_buffers
161    #Default:
162    # none
163    
164    #  TAG: incoming_rate
165    #Default:
166    # none
167    
168    #  TAG: server_http11
169    #       Remove this line. HTTP/1.1 is supported by default.
170    #Default:
171    # none
172    
173    #  TAG: upgrade_http0.9
174    #       Remove this line. ICY/1.0 streaming protocol is supported by default.
175    #Default:
176    # none
177    
178    #  TAG: zph_local
179    #       Alter these entries. Use the qos_flows directive instead.
180    #Default:
181    # none
182    
183    #  TAG: header_access
184    #       Since squid-3.0 replace with request_header_access or reply_header_access
185    #       depending on whether you wish to match client requests or server replies.
186    #Default:
187    # none
188    
189    #  TAG: httpd_accel_no_pmtu_disc
190    #       Since squid-3.0 use the 'disable-pmtu-discovery' flag on http_port instead.
191    #Default:
192    # none
193    
194    #  TAG: wais_relay_host
195    #       Replace this line with 'cache_peer' configuration.
196    #Default:
197    # none
198    
199    #  TAG: wais_relay_port
200    #       Replace this line with 'cache_peer' configuration.
201    #Default:
202    # none
203    
204    # OPTIONS FOR AUTHENTICATION
205    # -----------------------------------------------------------------------------
206    
207    #  TAG: auth_param
208    #       This is used to define parameters for the various authentication
209    #       schemes supported by Squid.
210    #
211    #       format: auth_param scheme parameter [setting]
212    #
213    #       The order in which authentication schemes are presented to the client is
214    #       dependent on the order the scheme first appears in config file. IE
215    #       has a bug (it's not RFC 2617 compliant) in that it will use the basic
216    #       scheme if basic is the first entry presented, even if more secure
217    #       schemes are presented. For now use the order in the recommended
218    #       settings section below. If other browsers have difficulties (don't
219    #       recognize the schemes offered even if you are using basic) either
220    #       put basic first, or disable the other schemes (by commenting out their
221    #       program entry).
222    #
223    #       Once an authentication scheme is fully configured, it can only be
224    #       shutdown by shutting squid down and restarting. Changes can be made on
225    #       the fly and activated with a reconfigure. I.E. You can change to a
226    #       different helper, but not unconfigure the helper completely.
227    #
228    #       Please note that while this directive defines how Squid processes
229    #       authentication it does not automatically activate authentication.
230    #       To use authentication you must in addition make use of ACLs based
231    #       on login name in http_access (proxy_auth, proxy_auth_regex or
232    #       external with %LOGIN used in the format tag). The browser will be
233    #       challenged for authentication on the first such acl encountered
234    #       in http_access processing and will also be re-challenged for new
235    #       login credentials if the request is being denied by a proxy_auth
236    #       type acl.
237    #
238    #       WARNING: authentication can't be used in a transparently intercepting
239    #       proxy as the client then thinks it is talking to an origin server and
240    #       not the proxy. This is a limitation of bending the TCP/IP protocol to
241    #       transparently intercepting port 80, not a limitation in Squid.
242    #       Ports flagged 'transparent', 'intercept', or 'tproxy' have
243    #       authentication disabled.
244    #
245    #       === Parameters for the basic scheme follow. ===
246    #
247    #       "program" cmdline
248    #       Specify the command for the external authenticator.  Such a program
249    #       reads a line containing "username password" and replies "OK" or
250    #       "ERR" in an endless loop. "ERR" responses may optionally be followed
251    #       by a error description available as %m in the returned error page.
252    #       If you use an authenticator, make sure you have 1 acl of type
253    #       proxy_auth.
254    #
255    #       By default, the basic authentication scheme is not used unless a
256    #       program is specified.
257    #
258    #       If you want to use the traditional NCSA proxy authentication, set
259    #       this line to something like
260    #
261    #       auth_param basic program /usr/libexec/ncsa_auth /usr/etc/passwd
262    #
263    #       "utf8" on|off
264    #       HTTP uses iso-latin-1 as character set, while some authentication
265    #       backends such as LDAP expects UTF-8. If this is set to on Squid will
266    #       translate the HTTP iso-latin-1 charset to UTF-8 before sending the
267    #       username & password to the helper.
268    #
269    #       "children" numberofchildren [startup=N] [idle=N] [concurrency=N]
270    #       The maximum number of authenticator processes to spawn. If you start too few
271    #       Squid will have to wait for them to process a backlog of credential
272    #       verifications, slowing it down. When password verifications are
273    #       done via a (slow) network you are likely to need lots of
274    #       authenticator processes.
275    #
276    #       The startup= and idle= options permit some skew in the exact amount
277    #       run. A minimum of startup=N will begin during startup and reconfigure.
278    #       Squid will start more in groups of up to idle=N in an attempt to meet
279    #       traffic needs and to keep idle=N free above those traffic needs up to
280    #       the maximum.
281    #
282    #       The concurrency= option sets the number of concurrent requests the
283    #       helper can process.  The default of 0 is used for helpers who only
284    #       supports one request at a time. Setting this to a number greater than
285    #       0 changes the protocol used to include a channel number first on the
286    #       request/response line, allowing multiple requests to be sent to the
287    #       same helper in parallel without waiting for the response.
288    #       Must not be set unless it's known the helper supports this.
289    #
290    #       auth_param basic children 20 startup=0 idle=1
291    #
292    #       "realm" realmstring
293    #       Specifies the realm name which is to be reported to the
294    #       client for the basic proxy authentication scheme (part of
295    #       the text the user will see when prompted their username and
296    #       password). There is no default.
297    #       auth_param basic realm Squid proxy-caching web server
298    #
299    #       "credentialsttl" timetolive
300    #       Specifies how long squid assumes an externally validated
301    #       username:password pair is valid for - in other words how
302    #       often the helper program is called for that user. Set this
303    #       low to force revalidation with short lived passwords.  Note
304    #       setting this high does not impact your susceptibility
305    #       to replay attacks unless you are using an one-time password
306    #       system (such as SecureID).  If you are using such a system,
307    #       you will be vulnerable to replay attacks unless you also
308    #       use the max_user_ip ACL in an http_access rule.
309    #
310    #       "casesensitive" on|off
311    #       Specifies if usernames are case sensitive. Most user databases are
312    #       case insensitive allowing the same username to be spelled using both
313    #       lower and upper case letters, but some are case sensitive. This
314    #       makes a big difference for user_max_ip ACL processing and similar.
315    #       auth_param basic casesensitive off
316    #
317    #       === Parameters for the digest scheme follow ===
318    #
319    #       "program" cmdline
320    #       Specify the command for the external authenticator.  Such
321    #       a program reads a line containing "username":"realm" and
322    #       replies with the appropriate H(A1) value hex encoded or
323    #       ERR if the user (or his H(A1) hash) does not exists.
324    #       See rfc 2616 for the definition of H(A1).
325    #       "ERR" responses may optionally be followed by a error description
326    #       available as %m in the returned error page.
327    #
328    #       By default, the digest authentication scheme is not used unless a
329    #       program is specified.
330    #
331    #       If you want to use a digest authenticator, set this line to
332    #       something like
333    #
334    #       auth_param digest program /usr/bin/digest_pw_auth /usr/etc/digpass
335    #
336    #       "utf8" on|off
337    #       HTTP uses iso-latin-1 as character set, while some authentication
338    #       backends such as LDAP expects UTF-8. If this is set to on Squid will
339    #       translate the HTTP iso-latin-1 charset to UTF-8 before sending the
340    #       username & password to the helper.
341    #
342    #       "children" numberofchildren [startup=N] [idle=N] [concurrency=N]
343    #       The maximum number of authenticator processes to spawn (default 5).
344    #       If you start too few Squid will have to wait for them to
345    #       process a backlog of H(A1) calculations, slowing it down.
346    #       When the H(A1) calculations are done via a (slow) network
347    #       you are likely to need lots of authenticator processes.
348    #
349    #       The startup= and idle= options permit some skew in the exact amount
350    #       run. A minimum of startup=N will begin during startup and reconfigure.
351    #       Squid will start more in groups of up to idle=N in an attempt to meet
352    #       traffic needs and to keep idle=N free above those traffic needs up to
353    #       the maximum.
354    #
355    #       The concurrency= option sets the number of concurrent requests the
356    #       helper can process.  The default of 0 is used for helpers who only
357    #       supports one request at a time. Setting this to a number greater than
358    #       0 changes the protocol used to include a channel number first on the
359    #       request/response line, allowing multiple requests to be sent to the
360    #       same helper in parallel without waiting for the response.
361    #       Must not be set unless it's known the helper supports this.
362    #
363    #       auth_param digest children 20 startup=0 idle=1
364    #
365    #       "realm" realmstring
366    #       Specifies the realm name which is to be reported to the
367    #       client for the digest proxy authentication scheme (part of
368    #       the text the user will see when prompted their username and
369    #       password). There is no default.
370    #       auth_param digest realm Squid proxy-caching web server
371    #
372    #       "nonce_garbage_interval" timeinterval
373    #       Specifies the interval that nonces that have been issued
374    #       to client_agent's are checked for validity.
375    #
376    #       "nonce_max_duration" timeinterval
377    #       Specifies the maximum length of time a given nonce will be
378    #       valid for.
379    #
380    #       "nonce_max_count" number
381    #       Specifies the maximum number of times a given nonce can be
382    #       used.
383    #
384    #       "nonce_strictness" on|off
385    #       Determines if squid requires strict increment-by-1 behavior
386    #       for nonce counts, or just incrementing (off - for use when
387    #       user agents generate nonce counts that occasionally miss 1
388    #       (ie, 1,2,4,6)). Default off.
389    #
390    #       "check_nonce_count" on|off
391    #       This directive if set to off can disable the nonce count check
392    #       completely to work around buggy digest qop implementations in
393    #       certain mainstream browser versions. Default on to check the
394    #       nonce count to protect from authentication replay attacks.
395    #
396    #       "post_workaround" on|off
397    #       This is a workaround to certain buggy browsers who sends
398    #       an incorrect request digest in POST requests when reusing
399    #       the same nonce as acquired earlier on a GET request.
400    #
401    #       === NTLM scheme options follow ===
402    #
403    #       "program" cmdline
404    #       Specify the command for the external NTLM authenticator.
405    #       Such a program reads exchanged NTLMSSP packets with
406    #       the browser via Squid until authentication is completed.
407    #       If you use an NTLM authenticator, make sure you have 1 acl
408    #       of type proxy_auth.  By default, the NTLM authenticator_program
409    #       is not used.
410    #
411    #       auth_param ntlm program /usr/bin/ntlm_auth
412    #
413    #       "children" numberofchildren [startup=N] [idle=N]
414    #       The maximum number of authenticator processes to spawn (default 5).
415    #       If you start too few Squid will have to wait for them to
416    #       process a backlog of credential verifications, slowing it
417    #       down. When credential verifications are done via a (slow)
418    #       network you are likely to need lots of authenticator
419    #       processes.
420    #
421    #       The startup= and idle= options permit some skew in the exact amount
422    #       run. A minimum of startup=N will begin during startup and reconfigure.
423    #       Squid will start more in groups of up to idle=N in an attempt to meet
424    #       traffic needs and to keep idle=N free above those traffic needs up to
425    #       the maximum.
426    #
427    #       auth_param ntlm children 20 startup=0 idle=1
428    #
429    #       "keep_alive" on|off
430    #       If you experience problems with PUT/POST requests when using the
431    #       Negotiate authentication scheme then you can try setting this to
432    #       off. This will cause Squid to forcibly close the connection on
433    #       the initial requests where the browser asks which schemes are
434    #       supported by the proxy.
435    #
436    #       auth_param ntlm keep_alive on
437    #
438    #       === Options for configuring the NEGOTIATE auth-scheme follow ===
439    #
440    #       "program" cmdline
441    #       Specify the command for the external Negotiate authenticator.
442    #       This protocol is used in Microsoft Active-Directory enabled setups with
443    #       the Microsoft Internet Explorer or Mozilla Firefox browsers.
444    #       Its main purpose is to exchange credentials with the Squid proxy
445    #       using the Kerberos mechanisms.
446    #       If you use a Negotiate authenticator, make sure you have at least
447    #       one acl of type proxy_auth active. By default, the negotiate
448    #       authenticator_program is not used.
449    #       The only supported program for this role is the ntlm_auth
450    #       program distributed as part of Samba, version 4 or later.
451    #
452    #       auth_param negotiate program /usr/bin/ntlm_auth --helper-protocol=gss-spnego
453    #
454    #       "children" numberofchildren [startup=N] [idle=N]
455    #       The maximum number of authenticator processes to spawn (default 5).
456    #       If you start too few Squid will have to wait for them to
457    #       process a backlog of credential verifications, slowing it
458    #       down. When credential verifications are done via a (slow)
459    #       network you are likely to need lots of authenticator
460    #       processes.
461    #
462    #       The startup= and idle= options permit some skew in the exact amount
463    #       run. A minimum of startup=N will begin during startup and reconfigure.
464    #       Squid will start more in groups of up to idle=N in an attempt to meet
465    #       traffic needs and to keep idle=N free above those traffic needs up to
466    #       the maximum.
467    #
468    #       auth_param negotiate children 20 startup=0 idle=1
469    #
470    #       "keep_alive" on|off
471    #       If you experience problems with PUT/POST requests when using the
472    #       Negotiate authentication scheme then you can try setting this to
473    #       off. This will cause Squid to forcibly close the connection on
474    #       the initial requests where the browser asks which schemes are
475    #       supported by the proxy.
476    #
477    #       auth_param negotiate keep_alive on
478    #
479    #      
480    #       Examples:
481    #
482    ##Recommended minimum configuration per scheme:
483    ##auth_param negotiate program <uncomment and complete this line to activate>
484    ##auth_param negotiate children 20 startup=0 idle=1
485    ##auth_param negotiate keep_alive on
486    ##
487    ##auth_param ntlm program <uncomment and complete this line to activate>
488    ##auth_param ntlm children 20 startup=0 idle=1
489    ##auth_param ntlm keep_alive on
490    ##
491    ##auth_param digest program <uncomment and complete this line>
492    ##auth_param digest children 20 startup=0 idle=1
493    ##auth_param digest realm Squid proxy-caching web server
494    ##auth_param digest nonce_garbage_interval 5 minutes
495    ##auth_param digest nonce_max_duration 30 minutes
496    ##auth_param digest nonce_max_count 50
497    ##
498    ##auth_param basic program <uncomment and complete this line>
499    ##auth_param basic children 5 startup=5 idle=1
500    ##auth_param basic realm Squid proxy-caching web server
501    ##auth_param basic credentialsttl 2 hours
502    #Default:
503    # none
504    
505    #  TAG: authenticate_cache_garbage_interval
506    #       The time period between garbage collection across the username cache.
507    #       This is a trade-off between memory utilization (long intervals - say
508    #       2 days) and CPU (short intervals - say 1 minute). Only change if you
509    #       have good reason to.
510    #Default:
511    # authenticate_cache_garbage_interval 1 hour
512    
513    #  TAG: authenticate_ttl
514    #       The time a user & their credentials stay in the logged in
515    #       user cache since their last request. When the garbage
516    #       interval passes, all user credentials that have passed their
517    #       TTL are removed from memory.
518    #Default:
519    # authenticate_ttl 1 hour
520    
521    #  TAG: authenticate_ip_ttl
522    #       If you use proxy authentication and the 'max_user_ip' ACL,
523    #       this directive controls how long Squid remembers the IP
524    #       addresses associated with each user.  Use a small value
525    #       (e.g., 60 seconds) if your users might change addresses
526    #       quickly, as is the case with dialup.   You might be safe
527    #       using a larger value (e.g., 2 hours) in a corporate LAN
528    #       environment with relatively static address assignments.
529    #Default:
530    # authenticate_ip_ttl 0 seconds
531    
532    # ACCESS CONTROLS
533    # -----------------------------------------------------------------------------
534    
535    #  TAG: external_acl_type
536    #       This option defines external acl classes using a helper program
537    #       to look up the status
538    #
539    #         external_acl_type name [options] FORMAT.. /path/to/helper [helper arguments..]
540    #
541    #       Options:
542    #
543    #         ttl=n         TTL in seconds for cached results (defaults to 3600
544    #                       for 1 hour)
545    #         negative_ttl=n
546    #                       TTL for cached negative lookups (default same
547    #                       as ttl)
548    #         children-max=n
549    #                       Maximum number of acl helper processes spawned to service
550    #                       external acl lookups of this type. (default 20)
551    #         children-startup=n
552    #                       Minimum number of acl helper processes to spawn during
553    #                       startup and reconfigure to service external acl lookups
554    #                       of this type. (default 0)
555    #         children-idle=n
556    #                       Number of acl helper processes to keep ahead of traffic
557    #                       loads. Squid will spawn this many at once whenever load
558    #                       rises above the capabilities of existing processes.
559    #                       Up to the value of children-max. (default 1)
560    #         concurrency=n concurrency level per process. Only used with helpers
561    #                       capable of processing more than one query at a time.
562    #         cache=n       limit the result cache size, default is unbounded.
563    #         grace=n       Percentage remaining of TTL where a refresh of a
564    #                       cached entry should be initiated without needing to
565    #                       wait for a new reply. (default is for no grace period)
566    #         protocol=2.5  Compatibility mode for Squid-2.5 external acl helpers
567    #         ipv4 / ipv6   IP protocol used to communicate with this helper.
568    #                       The default is to auto-detect IPv6 and use it when available.
569    #
570    #       FORMAT specifications
571    #
572    #         %LOGIN        Authenticated user login name
573    #         %EXT_USER     Username from previous external acl
574    #         %EXT_LOG      Log details from previous external acl
575    #         %EXT_TAG      Tag from previous external acl
576    #         %IDENT        Ident user name
577    #         %SRC          Client IP
578    #         %SRCPORT      Client source port
579    #         %URI          Requested URI
580    #         %DST          Requested host
581    #         %PROTO        Requested protocol
582    #         %PORT         Requested port
583    #         %PATH         Requested URL path
584    #         %METHOD       Request method
585    #         %MYADDR       Squid interface address
586    #         %MYPORT       Squid http_port number
587    #         %PATH         Requested URL-path (including query-string if any)
588    #         %USER_CERT    SSL User certificate in PEM format
589    #         %USER_CERTCHAIN SSL User certificate chain in PEM format
590    #         %USER_CERT_xx SSL User certificate subject attribute xx
591    #         %USER_CA_xx   SSL User certificate issuer attribute xx
592    #
593    #         %>{Header}    HTTP request header "Header"
594    #         %>{Hdr:member}
595    #                       HTTP request header "Hdr" list member "member"
596    #         %>{Hdr:;member}
597    #                       HTTP request header list member using ; as
598    #                       list separator. ; can be any non-alphanumeric
599    #                       character.
600    #
601    #         %<{Header}    HTTP reply header "Header"
602    #         %<{Hdr:member}
603    #                       HTTP reply header "Hdr" list member "member"
604    #         %<{Hdr:;member}
605    #                       HTTP reply header list member using ; as
606    #                       list separator. ; can be any non-alphanumeric
607    #                       character.
608    #
609    #         %%            The percent sign. Useful for helpers which need
610    #                       an unchanging input format.
611    #
612    #       In addition to the above, any string specified in the referencing
613    #       acl will also be included in the helper request line, after the
614    #       specified formats (see the "acl external" directive)
615    #
616    #       The helper receives lines per the above format specification,
617    #       and returns lines starting with OK or ERR indicating the validity
618    #       of the request and optionally followed by additional keywords with
619    #       more details.
620    #
621    #       General result syntax:
622    #
623    #         OK/ERR keyword=value ...
624    #
625    #       Defined keywords:
626    #
627    #         user=         The users name (login)
628    #         password=     The users password (for login= cache_peer option)
629    #         message=      Message describing the reason. Available as %o
630    #                       in error pages
631    #         tag=          Apply a tag to a request (for both ERR and OK results)
632    #                       Only sets a tag, does not alter existing tags.
633    #         log=          String to be logged in access.log. Available as
634    #                       %ea in logformat specifications
635    #
636    #       If protocol=3.0 (the default) then URL escaping is used to protect
637    #       each value in both requests and responses.
638    #
639    #       If using protocol=2.5 then all values need to be enclosed in quotes
640    #       if they may contain whitespace, or the whitespace escaped using \.
641    #       And quotes or \ characters within the keyword value must be \ escaped.
642    #
643    #       When using the concurrency= option the protocol is changed by
644    #       introducing a query channel tag infront of the request/response.
645    #       The query channel tag is a number between 0 and concurrency-1.
646    #Default:
647    # none
648    
649    #  TAG: acl
650    #       Defining an Access List
651    #
652    #       Every access list definition must begin with an aclname and acltype,
653    #       followed by either type-specific arguments or a quoted filename that
654    #       they are read from.
655    #
656    #          acl aclname acltype argument ...
657    #          acl aclname acltype "file" ...
658    #
659    #       When using "file", the file should contain one item per line.
660    #
661    #       By default, regular expressions are CASE-SENSITIVE.
662    #       To make them case-insensitive, use the -i option. To return case-sensitive
663    #       use the +i option between patterns, or make a new ACL line without -i.
664    #
665    #       Some acl types require suspending the current request in order
666    #       to access some external data source.
667    #       Those which do are marked with the tag [slow], those which
668    #       don't are marked as [fast].
669    #       See http://wiki.squid-cache.org/SquidFaq/SquidAcl
670    #       for further information
671    #
672    #       ***** ACL TYPES AVAILABLE *****
673    #
674    #       acl aclname src ip-address/netmask ...  # clients IP address [fast]
675    #       acl aclname src addr1-addr2/netmask ... # range of addresses [fast]
676    #       acl aclname dst ip-address/netmask ...  # URL host's IP address [slow]
677    #       acl aclname myip ip-address/netmask ... # local socket IP address [fast]
678    #
679    #       acl aclname arp      mac-address ... (xx:xx:xx:xx:xx:xx notation)
680    #         # The arp ACL requires the special configure option --enable-arp-acl.
681    #         # Furthermore, the ARP ACL code is not portable to all operating systems.
682    #         # It works on Linux, Solaris, Windows, FreeBSD, and some
683    #         # other *BSD variants.
684    #         # [fast]
685    #         #
686    #         # NOTE: Squid can only determine the MAC address for clients that are on
687    #         # the same subnet. If the client is on a different subnet,
688    #         # then Squid cannot find out its MAC address.
689    #
690    #       acl aclname srcdomain   .foo.com ...
691    #         # reverse lookup, from client IP [slow]
692    #       acl aclname dstdomain   .foo.com ...
693    #         # Destination server from URL [fast]
694    #       acl aclname srcdom_regex [-i] \.foo\.com ...
695    #         # regex matching client name [slow]
696    #       acl aclname dstdom_regex [-i] \.foo\.com ...
697    #         # regex matching server [fast]
698    #         #
699    #         # For dstdomain and dstdom_regex a reverse lookup is tried if a IP
700    #         # based URL is used and no match is found. The name "none" is used
701    #         # if the reverse lookup fails.
702    #
703    #       acl aclname src_as number ...
704    #       acl aclname dst_as number ...
705    #         # [fast]
706    #         # Except for access control, AS numbers can be used for
707    #         # routing of requests to specific caches. Here's an
708    #         # example for routing all requests for AS#1241 and only
709    #         # those to mycache.mydomain.net:
710    #         # acl asexample dst_as 1241
711    #         # cache_peer_access mycache.mydomain.net allow asexample
712    #         # cache_peer_access mycache_mydomain.net deny all
713    #
714    #       acl aclname peername myPeer ...
715    #         # [fast]
716    #         # match against a named cache_peer entry
717    #         # set unique name= on cache_peer lines for reliable use.
718    #
719    #       acl aclname time [day-abbrevs] [h1:m1-h2:m2]
720    #         # [fast]
721    #         #  day-abbrevs:
722    #         #     S - Sunday
723    #         #     M - Monday
724    #         #     T - Tuesday
725    #         #     W - Wednesday
726    #         #     H - Thursday
727    #         #     F - Friday
728    #         #     A - Saturday
729    #         #  h1:m1 must be less than h2:m2
730    #
731    #       acl aclname url_regex [-i] ^http:// ...
732    #         # regex matching on whole URL [fast]
733    #       acl aclname urllogin [-i] [^a-zA-Z0-9] ...
734    #         # regex matching on URL login field
735    #       acl aclname urlpath_regex [-i] \.gif$ ...
736    #         # regex matching on URL path [fast]
737    #
738    #       acl aclname port 80 70 21 0-1024...   # destination TCP port [fast]
739    #                                             # ranges are alloed
740    #       acl aclname myport 3128 ...               # local socket TCP port [fast]
741    #       acl aclname myportname 3128 ...       # http(s)_port name [fast]
742    #
743    #       acl aclname proto HTTP FTP ...        # request protocol [fast]
744    #
745    #       acl aclname method GET POST ...       # HTTP request method [fast]
746    #
747    #       acl aclname http_status 200 301 500- 400-403 ...
748    #         # status code in reply [fast]
749    #
750    #       acl aclname browser [-i] regexp ...
751    #         # pattern match on User-Agent header (see also req_header below) [fast]
752    #
753    #       acl aclname referer_regex [-i] regexp ...
754    #         # pattern match on Referer header [fast]
755    #         # Referer is highly unreliable, so use with care
756    #
757    #       acl aclname ident username ...
758    #       acl aclname ident_regex [-i] pattern ...
759    #         # string match on ident output [slow]
760    #         # use REQUIRED to accept any non-null ident.
761    #
762    #       acl aclname proxy_auth [-i] username ...
763    #       acl aclname proxy_auth_regex [-i] pattern ...
764    #         # perform http authentication challenge to the client and match against
765    #         # supplied credentials [slow]
766    #         #
767    #         # takes a list of allowed usernames.
768    #         # use REQUIRED to accept any valid username.
769    #         #
770    #         # Will use proxy authentication in forward-proxy scenarios, and plain
771    #         # http authenticaiton in reverse-proxy scenarios
772    #         #
773    #         # NOTE: when a Proxy-Authentication header is sent but it is not
774    #         # needed during ACL checking the username is NOT logged
775    #         # in access.log.
776    #         #
777    #         # NOTE: proxy_auth requires a EXTERNAL authentication program
778    #         # to check username/password combinations (see
779    #         # auth_param directive).
780    #         #
781    #         # NOTE: proxy_auth can't be used in a transparent/intercepting proxy
782    #         # as the browser needs to be configured for using a proxy in order
783    #         # to respond to proxy authentication.
784    #
785    #       acl aclname snmp_community string ...
786    #         # A community string to limit access to your SNMP Agent [fast]
787    #         # Example:
788    #         #
789    #         #     acl snmppublic snmp_community public
790    #
791    #       acl aclname maxconn number
792    #         # This will be matched when the client's IP address has
793    #         # more than <number> TCP connections established. [fast]
794    #         # NOTE: This only measures direct TCP links so X-Forwarded-For
795    #         # indirect clients are not counted.
796    #
797    #       acl aclname max_user_ip [-s] number
798    #         # This will be matched when the user attempts to log in from more
799    #         # than <number> different ip addresses. The authenticate_ip_ttl
800    #         # parameter controls the timeout on the ip entries. [fast]
801    #         # If -s is specified the limit is strict, denying browsing
802    #         # from any further IP addresses until the ttl has expired. Without
803    #         # -s Squid will just annoy the user by "randomly" denying requests.
804    #         # (the counter is reset each time the limit is reached and a
805    #         # request is denied)
806    #         # NOTE: in acceleration mode or where there is mesh of child proxies,
807    #         # clients may appear to come from multiple addresses if they are
808    #         # going through proxy farms, so a limit of 1 may cause user problems.
809    #
810    #       acl aclname random probability
811    #         # Pseudo-randomly match requests. Based on the probability given.
812    #         # Probability may be written as a decimal (0.333), fraction (1/3)
813    #         # or ratio of matches:non-matches (3:5).
814    #
815    #       acl aclname req_mime_type [-i] mime-type ...
816    #         # regex match against the mime type of the request generated
817    #         # by the client. Can be used to detect file upload or some
818    #         # types HTTP tunneling requests [fast]
819    #         # NOTE: This does NOT match the reply. You cannot use this
820    #         # to match the returned file type.
821    #
822    #       acl aclname req_header header-name [-i] any\.regex\.here
823    #         # regex match against any of the known request headers.  May be
824    #         # thought of as a superset of "browser", "referer" and "mime-type"
825    #         # ACL [fast]
826    #
827    #       acl aclname rep_mime_type [-i] mime-type ...
828    #         # regex match against the mime type of the reply received by
829    #         # squid. Can be used to detect file download or some
830    #         # types HTTP tunneling requests. [fast]
831    #         # NOTE: This has no effect in http_access rules. It only has
832    #         # effect in rules that affect the reply data stream such as
833    #         # http_reply_access.
834    #
835    #       acl aclname rep_header header-name [-i] any\.regex\.here
836    #         # regex match against any of the known reply headers. May be
837    #         # thought of as a superset of "browser", "referer" and "mime-type"
838    #         # ACLs [fast]
839    #
840    #       acl aclname external class_name [arguments...]
841    #         # external ACL lookup via a helper class defined by the
842    #         # external_acl_type directive [slow]
843    #
844    #       acl aclname user_cert attribute values...
845    #         # match against attributes in a user SSL certificate
846    #         # attribute is one of DN/C/O/CN/L/ST [fast]
847    #
848    #       acl aclname ca_cert attribute values...
849    #         # match against attributes a users issuing CA SSL certificate
850    #         # attribute is one of DN/C/O/CN/L/ST [fast]
851    #
852    #       acl aclname ext_user username ...
853    #       acl aclname ext_user_regex [-i] pattern ...
854    #         # string match on username returned by external acl helper [slow]
855    #         # use REQUIRED to accept any non-null user name.
856    #
857    #       acl aclname tag tagvalue ...
858    #         # string match on tag returned by external acl helper [slow]
859    #
860    #       acl aclname hier_code codename ...
861    #         # string match against squid hierarchy code(s); [fast]
862    #         #  e.g., DIRECT, PARENT_HIT, NONE, etc.
863    #         #
864    #         # NOTE: This has no effect in http_access rules. It only has
865    #         # effect in rules that affect the reply data stream such as
866    #         # http_reply_access.
867    #
868    #       Examples:
869    #               acl macaddress arp 09:00:2b:23:45:67
870    #               acl myexample dst_as 1241
871    #               acl password proxy_auth REQUIRED
872    #               acl fileupload req_mime_type -i ^multipart/form-data$
873    #               acl javascript rep_mime_type -i ^application/x-javascript$
874    #
875    #Default:
876    # ACLs all, manager, localhost, and to_localhost are predefined.
877    #
878    #
879    # Recommended minimum configuration:
880    #
881    
882    # Example rule allowing access from your local networks.
883    # Adapt to list your (internal) IP networks from where browsing
884    # should be allowed
885    acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
886    acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
887    acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
888    acl localnet src fc00::/7       # RFC 4193 local private network range
889    acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
890    
891    acl SSL_ports port 443
892    acl Safe_ports port 80          # http
893    acl Safe_ports port 21          # ftp
894    acl Safe_ports port 443         # https
895    acl Safe_ports port 70          # gopher
896    acl Safe_ports port 210         # wais
897    acl Safe_ports port 1025-65535  # unregistered ports
898    acl Safe_ports port 280         # http-mgmt
899    acl Safe_ports port 488         # gss-http
900    acl Safe_ports port 591         # filemaker
901    acl Safe_ports port 777         # multiling http
902    acl CONNECT method CONNECT
903    
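Review bot: the dst_as example names two different peers, "cache_peer_access mycache.mydomain.net allow asexample" is followed by "cache_peer_access mycache_mydomain.net deny all" (underscore instead of dot), so as written the deny line applies to a peer that the allow line does not mention; both lines should use the same hostname. Smaller documentation points in the same block: "ranges are alloed" on the port line should be "allowed"; "plain http authenticaiton in reverse-proxy scenarios" should be "authentication"; "a IP based URL" and "a EXTERNAL authentication program" should be "an IP-based URL" and "an EXTERNAL"; and the urllogin entry is the only ACL type in the list with no [fast]/[slow] marker, which the introduction says every type carries.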
904  #       WELCOME TO SQUID 2  #  TAG: follow_x_forwarded_for
905  #       ------------------  #       Allowing or Denying the X-Forwarded-For header to be followed to
906    #       find the original source of a request.
907    #
908    #       Requests may pass through a chain of several other proxies
909    #       before reaching us.  The X-Forwarded-For header will contain a
910    #       comma-separated list of the IP addresses in the chain, with the
911    #       rightmost address being the most recent.
912    #
913    #       If a request reaches us from a source that is allowed by this
914    #       configuration item, then we consult the X-Forwarded-For header
915    #       to see where that host received the request from.  If the
916    #       X-Forwarded-For header contains multiple addresses, we continue
917    #       backtracking until we reach an address for which we are not allowed
918    #       to follow the X-Forwarded-For header, or until we reach the first
919    #       address in the list. For the purpose of ACL used in the
920    #       follow_x_forwarded_for directive the src ACL type always matches
921    #       the address we are testing and srcdomain matches its rDNS.
922    #
923    #       The end result of this process is an IP address that we will
924    #       refer to as the indirect client address.  This address may
925    #       be treated as the client address for access control, ICAP, delay
926    #       pools and logging, depending on the acl_uses_indirect_client,
927    #       icap_uses_indirect_client, delay_pool_uses_indirect_client,
928    #       log_uses_indirect_client and tproxy_uses_indirect_client options.
929    #
930    #       This clause only supports fast acl types.
931    #       See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
932    #
933    #       SECURITY CONSIDERATIONS:
934    #
935    #               Any host for which we follow the X-Forwarded-For header
936    #               can place incorrect information in the header, and Squid
937    #               will use the incorrect information as if it were the
938    #               source address of the request.  This may enable remote
939    #               hosts to bypass any access control restrictions that are
940    #               based on the client's source addresses.
941    #
942    #       For example:
943    #
944    #               acl localhost src 127.0.0.1
945    #               acl my_other_proxy srcdomain .proxy.example.com
946    #               follow_x_forwarded_for allow localhost
947    #               follow_x_forwarded_for allow my_other_proxy
948    #Default:
949    # follow_x_forwarded_for deny all
950    
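Review bot: the example under "For example:" trusts the upstream proxy by name, "acl my_other_proxy srcdomain .proxy.example.com", while the text above states that for this directive srcdomain matches the reverse DNS of the address being tested and that any host we follow can forge the header and bypass source-based access control. A trust decision this sensitive should be pinned to the proxy's address with a src ACL (as the localhost line does) rather than to a name resolved at request time; at minimum the example should say why a src ACL is preferable. The ACL-matching sentence "For the purpose of ACL used in the follow_x_forwarded_for directive" also reads better as "For the purpose of ACLs used in...".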
951    #  TAG: acl_uses_indirect_client        on|off
952    #       Controls whether the indirect client address
953    #       (see follow_x_forwarded_for) is used instead of the
954    #       direct client address in acl matching.
955    #
956    #       NOTE: maxconn ACL considers direct TCP links and indirect
957    #             clients will always have zero. So no match.
958    #Default:
959    # acl_uses_indirect_client on
960    
961    #  TAG: delay_pool_uses_indirect_client on|off
962    #       Controls whether the indirect client address
963    #       (see follow_x_forwarded_for) is used instead of the
964    #       direct client address in delay pools.
965    #Default:
966    # delay_pool_uses_indirect_client on
967    
968    #  TAG: log_uses_indirect_client        on|off
969    #       Controls whether the indirect client address
970    #       (see follow_x_forwarded_for) is used instead of the
971    #       direct client address in the access log.
972    #Default:
973    # log_uses_indirect_client on
974    
975    #  TAG: tproxy_uses_indirect_client     on|off
976    #       Controls whether the indirect client address
977    #       (see follow_x_forwarded_for) is used instead of the
978    #       direct client address when spoofing the outgoing client.
979    #
980    #       This has no effect on requests arriving in non-tproxy
981    #       mode ports.
982    #
983    #       SECURITY WARNING: Usage of this option is dangerous
984    #       and should not be used trivially. Correct configuration
985    #       of follow_x_forewarded_for with a limited set of trusted
986    #       sources is required to prevent abuse of your proxy.
987    #Default:
988    # tproxy_uses_indirect_client off
989    
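Review bot: the SECURITY WARNING refers to "follow_x_forewarded_for", which is not the directive name; it should be "follow_x_forwarded_for" as in the TAG above, otherwise an operator searching the file for the referenced option will not find it. The sentence "Usage of this option is dangerous and should not be used trivially" also doubles up on "usage ... used"; "This option is dangerous and should not be enabled without ..." is cleaner.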
990    #  TAG: http_access
991    #       Allowing or Denying access based on defined access lists
992    #
993    #       Access to the HTTP port:
994    #       http_access allow|deny [!]aclname ...
995    #
996    #       NOTE on default values:
997    #
998    #       If there are no "access" lines present, the default is to deny
999    #       the request.
1000    #
1001    #       If none of the "access" lines cause a match, the default is the
1002    #       opposite of the last line in the list.  If the last line was
1003    #       deny, the default is allow.  Conversely, if the last line
1004    #       is allow, the default will be deny.  For these reasons, it is a
1005    #       good idea to have an "deny all" entry at the end of your access
1006    #       lists to avoid potential confusion.
1007    #
1008    #       This clause supports both fast and slow acl types.
1009    #       See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
1010    #
1011    #Default:
1012    # http_access deny all
1013  #  #
1014  #       This is the default Squid configuration file. You may wish  
1015  #       to look at the Squid home page (http://www.squid-cache.org/)  #
1016  #       for the FAQ and other documentation.  # Recommended minimum Access Permission configuration:
1017  #  #
1018  #       The default Squid config file shows what the defaults for  # Only allow cachemgr access from localhost
1019  #       various options happen to be.  If you don't need to change the  http_access allow localhost manager
1020  #       default, you shouldn't uncomment the line.  Doing so may cause  http_access deny manager
1021  #       run-time problems.  In some cases "none" refers to no default  
1022  #       setting at all, while in other cases it refers to a valid  # Deny requests to certain unsafe ports
1023  #       option - the comments for that keyword indicate if this is the  http_access deny !Safe_ports
1024  #       case.  
1025    # Deny CONNECT to other than secure SSL ports
1026    http_access deny CONNECT !SSL_ports
1027    
1028    # We strongly recommend the following be uncommented to protect innocent
1029    # web applications running on the proxy server who think the only
1030    # one who can access services on "localhost" is a local user
1031    #http_access deny to_localhost
1032    
1033    #
1034    # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
1035  #  #
1036    
1037    # Example rule allowing access from your local networks.
1038    # Adapt localnet in the ACL section to list your (internal) IP networks
1039    # from where browsing should be allowed
1040    http_access allow localnet
1041    http_access allow localhost
1042    
1043    # And finally deny all other access to this proxy
1044    http_access allow localhost
1045    
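Review bot: the final rule does not do what its comment says. "# And finally deny all other access to this proxy" is followed by "http_access allow localhost", which duplicates the "http_access allow localhost" line two lines above instead of denying anything. The http_access documentation above states that when no line matches, the default is the opposite of the last line, so the effective result is still deny, but it also says explicitly that an "deny all" entry should end every access list to avoid confusion; the last line should therefore be "http_access deny all". Note as well that "#http_access deny to_localhost" stays commented out even though the comment above it says it is strongly recommended; if the wizard ships this file as-is, that protection for services bound to localhost on the proxy host is off.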
1046    #  TAG: adapted_http_access
1047    #       Allowing or Denying access based on defined access lists
1048    #
1049    #       Essentially identical to http_access, but runs after redirectors
1050    #       and ICAP/eCAP adaptation. Allowing access control based on their
1051    #       output.
1052    #
1053    #       If not set then only http_access is used.
1054    #Default:
1055    # none
1056    
1057    #  TAG: http_reply_access
1058    #       Allow replies to client requests. This is complementary to http_access.
1059    #
1060    #       http_reply_access allow|deny [!] aclname ...
1061    #
1062    #       NOTE: if there are no access lines present, the default is to allow
1063    #       all replies
1064    #
1065    #       If none of the access lines cause a match the opposite of the
1066    #       last line will apply. Thus it is good practice to end the rules
1067    #       with an "allow all" or "deny all" entry.
1068    #
1069    #       This clause supports both fast and slow acl types.
1070    #       See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
1071    #Default:
1072    # none
1073    
1074    #  TAG: icp_access
1075    #       Allowing or Denying access to the ICP port based on defined
1076    #       access lists
1077    #
1078    #       icp_access  allow|deny [!]aclname ...
1079    #
1080    #       See http_access for details
1081    #
1082    #       This clause only supports fast acl types.
1083    #       See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
1084    #
1085    ## Allow ICP queries from local networks only
1086    ##icp_access allow localnet
1087    ##icp_access deny all
1088    #Default:
1089    # icp_access deny all
1090    
1091    #  TAG: htcp_access
1092    #       Allowing or Denying access to the HTCP port based on defined
1093    #       access lists
1094    #
1095    #       htcp_access  allow|deny [!]aclname ...
1096    #
1097    #       See http_access for details
1098    #
1099    #       NOTE: The default if no htcp_access lines are present is to
1100    #       deny all traffic. This default may cause problems with peers
1101    #       using the htcp option.
1102    #
1103    #       This clause only supports fast acl types.
1104    #       See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
1105    #
1106    ## Allow HTCP queries from local networks only
1107    ##htcp_access allow localnet
1108    ##htcp_access deny all
1109    #Default:
1110    # htcp_access deny all
1111    
1112    #  TAG: htcp_clr_access
1113    #       Allowing or Denying access to purge content using HTCP based
1114    #       on defined access lists
1115    #
1116    #       htcp_clr_access  allow|deny [!]aclname ...
1117    #
1118    #       See http_access for details
1119    #
1120    #       This clause only supports fast acl types.
1121    #       See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
1122    #
1123    ## Allow HTCP CLR requests from trusted peers
1124    #acl htcp_clr_peer src 172.16.1.2
1125    #htcp_clr_access allow htcp_clr_peer
1126    #Default:
1127    # htcp_clr_access deny all
1128    
1129    #  TAG: miss_access
1130    #       Determins whether network access is permitted when satisfying a request.
1131    #
1132    #       For example;
1133    #           to force your neighbors to use you as a sibling instead of
1134    #           a parent.
1135    #
1136    #               acl localclients src 172.16.0.0/16
1137    #               miss_access allow localclients
1138    #               miss_access deny  !localclients
1139    #
1140    #       This means only your local clients are allowed to fetch relayed/MISS
1141    #       replies from the network and all other clients can only fetch cached
1142    #       objects (HITs).
1143    #
1144    #
1145    #       The default for this setting allows all clients who passed the
1146    #       http_access rules to relay via this proxy.
1147    #
1148    #       This clause only supports fast acl types.
1149    #       See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
1150    #Default:
1151    # none
1152    
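Review bot: the first line, "Determins whether network access is permitted when satisfying a request", should read "Determines", and "For example;" should end with a comma. The block also says "The default for this setting allows all clients who passed the http_access rules to relay" while the Default line reads "none"; it would help to say in one sentence that "none" here means no miss_access lines are configured and that this yields allow, since the http_access section above documents the opposite default (deny) when no lines are present.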
1153    #  TAG: ident_lookup_access
1154    # Note: This option is only available if Squid is rebuilt with the
1155    #       --enable-ident-lookups
1156    #
1157    #       A list of ACL elements which, if matched, cause an ident
1158    #       (RFC 931) lookup to be performed for this request.  For
1159    #       example, you might choose to always perform ident lookups
1160    #       for your main multi-user Unix boxes, but not for your Macs
1161    #       and PCs.  By default, ident lookups are not performed for
1162    #       any requests.
1163    #
1164    #       To enable ident lookups for specific client addresses, you
1165    #       can follow this example:
1166    #
1167    #       acl ident_aware_hosts src 198.168.1.0/24
1168    #       ident_lookup_access allow ident_aware_hosts
1169    #       ident_lookup_access deny all
1170    #
1171    #       Only src type ACL checks are fully supported.  A srcdomain
1172    #       ACL might work at times, but it will not always provide
1173    #       the correct result.
1174    #
1175    #       This clause only supports fast acl types.
1176    #       See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
1177    #Default:
1178    # ident_lookup_access deny all
1179    
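Review bot: the example "acl ident_aware_hosts src 198.168.1.0/24" is not in any of the private ranges the localnet ACL above lists (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), so as written it matches a public address block; if the example means a local LAN it should presumably read 192.168.1.0/24. The "Note: This option is only available if Squid is rebuilt with the --enable-ident-lookups" line is also missing its closing wording ("... --enable-ident-lookups option").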
1180    #  TAG: reply_body_max_size     size [acl acl...]
1181    #       This option specifies the maximum size of a reply body. It can be
1182    #       used to prevent users from downloading very large files, such as
1183    #       MP3's and movies. When the reply headers are received, the
1184    #       reply_body_max_size lines are processed, and the first line where
1185    #       all (if any) listed ACLs are true is used as the maximum body size
1186    #       for this reply.
1187    #
1188    #       This size is checked twice. First when we get the reply headers,
1189    #       we check the content-length value.  If the content length value exists
1190    #       and is larger than the allowed size, the request is denied and the
1191    #       user receives an error message that says "the request or reply
1192    #       is too large." If there is no content-length, and the reply
1193    #       size exceeds this limit, the client's connection is just closed
1194    #       and they will receive a partial reply.
1195    #
1196    #       WARNING: downstream caches probably can not detect a partial reply
1197    #       if there is no content-length header, so they will cache
1198    #       partial responses and give them out as hits.  You should NOT
1199    #       use this option if you have downstream caches.
1200    #
1201    #       WARNING: A maximum size smaller than the size of squid's error messages
1202    #       will cause an infinite loop and crash squid. Ensure that the smallest
1203    #       non-zero value you use is greater that the maximum header size plus
1204    #       the size of your largest error page.
1205    #
1206    #       If you set this parameter none (the default), there will be
1207    #       no limit imposed.
1208    #
1209    #       Configuration Format is:
1210    #               reply_body_max_size SIZE UNITS [acl ...]
1211    #       ie.
1212    #               reply_body_max_size 10 MB
1213    #
1214    #Default:
1215    # none
1216    
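Review bot: the usage line "reply_body_max_size     size [acl acl...]" and the later "Configuration Format is: reply_body_max_size SIZE UNITS [acl ...]" disagree on whether units are a separate token; the example "reply_body_max_size 10 MB" shows they are, so the TAG line should match. Wording fixes in the same block: "greater that the maximum header size" should be "greater than", and "ie." should be "i.e.". The second WARNING (a limit smaller than Squid's own error page causes an infinite loop) is an important operational caveat and deserves to be stated before the download-size use case rather than after it.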
1217  # NETWORK OPTIONS  # NETWORK OPTIONS
1218  # -----------------------------------------------------------------------------  # -----------------------------------------------------------------------------
1219    
1220  #  TAG: http_port  #  TAG: http_port
1221  #       Usage:  port  #       Usage:  port [mode] [options]
1222  #               hostname:port  #               hostname:port [mode] [options]
1223  #               1.2.3.4:port  #               1.2.3.4:port [mode] [options]
1224  #  #
1225  #       The socket addresses where Squid will listen for HTTP client  #       The socket addresses where Squid will listen for HTTP client
1226  #       requests.  You may specify multiple socket addresses.  #       requests.  You may specify multiple socket addresses.
1227  #       There are three forms: port alone, hostname with port, and  #       There are three forms: port alone, hostname with port, and
1228  #       IP address with port.  If you specify a hostname or IP  #       IP address with port.  If you specify a hostname or IP
1229  #       address, then Squid binds the socket to that specific  #       address, Squid binds the socket to that specific
1230  #       address.  This replaces the old 'tcp_incoming_address'  #       address. Most likely, you do not need to bind to a specific
 #       option.  Most likely, you do not need to bind to a specific  
1231  #       address, so you can use the port number alone.  #       address, so you can use the port number alone.
1232  #  #
1233  #       The default port number is 3128.  #       If you are running Squid in accelerator mode, you
 #  
 #       If you are running Squid in accelerator mode, then you  
1234  #       probably want to listen on port 80 also, or instead.  #       probably want to listen on port 80 also, or instead.
1235  #  #
1236  #       The -a command line option will override the *first* port  #       The -a command line option may be used to specify additional
1237  #       number listed here.   That option will NOT override an IP  #       port(s) where Squid listens for proxy request. Such ports will
1238  #       address, however.  #       be plain proxy ports with no options.
1239  #  #
1240  #       You may specify multiple socket addresses on multiple lines.  #       You may specify multiple socket addresses on multiple lines.
1241  #  #
1242    #       Modes:
1243    #
1244    #          intercept    Support for IP-Layer interception of
1245    #                       outgoing requests without browser settings.
1246    #                       NP: disables authentication and IPv6 on the port.
1247    #
1248    #          tproxy       Support Linux TPROXY for spoofing outgoing
1249    #                       connections using the client IP address.
1250    #                       NP: disables authentication and maybe IPv6 on the port.
1251    #
1252    #          accel        Accelerator / reverse proxy mode
1253    #
1254    #          ssl-bump     Intercept each CONNECT request matching ssl_bump ACL,
1255    #                       establish secure connection with the client and with
1256    #                       the server, decrypt HTTP messages as they pass through
1257    #                       Squid, and treat them as unencrypted HTTP messages,
1258    #                       becoming the man-in-the-middle.
1259    #
1260    #                       The ssl_bump option is required to fully enable
1261    #                       the SslBump feature.
1262    #
1263    #       Omitting the mode flag causes default forward proxy mode to be used.
1264    #
1265    #
1266    #       Accelerator Mode Options:
1267    #
1268    #          defaultsite=domainname
1269    #                       What to use for the Host: header if it is not present
1270    #                       in a request. Determines what site (not origin server)
1271    #                       accelerators should consider the default.
1272    #
1273    #          no-vhost     Disable using HTTP/1.1 Host header for virtual domain support.
1274    #
1275    #          protocol=    Protocol to reconstruct accelerated requests with.
1276    #                       Defaults to http for http_port and https for
1277    #                       https_port
1278    #
1279    #          vport        Virtual host port support. Using the http_port number
1280    #                       instead of the port passed on Host: headers.
1281    #
1282    #          vport=NN     Virtual host port support. Using the specified port
1283    #                       number instead of the port passed on Host: headers.
1284    #
1285    #          act-as-origin
1286    #                       Act as if this Squid is the origin server.
1287    #                       This currently means generate new Date: and Expires:
1288    #                       headers on HIT instead of adding Age:.
1289    #
1290    #          ignore-cc    Ignore request Cache-Control headers.
1291    #
1292    #                       WARNING: This option violates HTTP specifications if
1293    #                       used in non-accelerator setups.
1294    #
1295    #          allow-direct Allow direct forwarding in accelerator mode. Normally
1296    #                       accelerated requests are denied direct forwarding as if
1297    #                       never_direct was used.
1298    #
1299    #                       WARNING: this option opens accelerator mode to security
1300    #                       vulnerabilities usually only affecting in interception
1301    #                       mode. Make sure to protect forwarding with suitable
1302    #                       http_access rules when using this.
1303    #
1304    #
1305    #       SSL Bump Mode Options:
1306    #           In addition to these options ssl-bump requires TLS/SSL options.
1307    #
1308    #          generate-host-certificates[=<on|off>]
1309    #                       Dynamically create SSL server certificates for the
1310    #                       destination hosts of bumped CONNECT requests.When
1311    #                       enabled, the cert and key options are used to sign
1312    #                       generated certificates. Otherwise generated
1313    #                       certificate will be selfsigned.
1314    #                       If there is a CA certificate lifetime of the generated
1315    #                       certificate equals lifetime of the CA certificate. If
1316    #                       generated certificate is selfsigned lifetime is three
1317    #                       years.
1318    #                       This option is enabled by default when ssl-bump is used.
1319    #                       See the ssl-bump option above for more information.
1320    #                      
1321    #          dynamic_cert_mem_cache_size=SIZE
1322    #                       Approximate total RAM size spent on cached generated
1323    #                       certificates. If set to zero, caching is disabled. The
1324    #                       default value is 4MB. An average XXX-bit certificate
1325    #                       consumes about XXX bytes of RAM.
1326    #
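Review bot: the dynamic_cert_mem_cache_size paragraph still carries upstream's unfilled placeholders ("An average XXX-bit certificate consumes about XXX bytes of RAM"), so the only sizing guidance for the generated-certificate cache is missing; fill in the figures or drop that sentence rather than ship "XXX" in the wizard's template. In the same block, generate-host-certificates states that without cert= and key= the generated certificate "will be selfsigned" with a three-year lifetime; a self-signed leaf for every bumped site fails validation in every client, so the wizard should require a signing cert= and key= whenever it emits ssl-bump, and treat that key as the most sensitive secret on the box. Minor: "requests.When" is missing a space and the lifetime sentence needs a comma after "CA certificate".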
1327    #       TLS / SSL Options:
1328    #
1329    #          cert=        Path to SSL certificate (PEM format).
1330    #
1331    #          key=         Path to SSL private key file (PEM format)
1332    #                       if not specified, the certificate file is
1333    #                       assumed to be a combined certificate and
1334    #                       key file.
1335    #
1336    #          version=     The version of SSL/TLS supported
1337    #                           1   automatic (default)
1338    #                           2   SSLv2 only
1339    #                           3   SSLv3 only
1340    #                           4   TLSv1.0 only
1341    #                           5   TLSv1.1 only
1342    #                           6   TLSv1.2 only
1343    #
1344    #          cipher=      Colon separated list of supported ciphers.
1345    #                       NOTE: some ciphers such as EDH ciphers depend on
1346    #                             additional settings. If those settings are
1347    #                             omitted the ciphers may be silently ignored
1348    #                             by the OpenSSL library.
1349    #
1350    #          options=     Various SSL implementation options. The most important
1351    #                       being:
1352    #                           NO_SSLv2    Disallow the use of SSLv2
1353    #                           NO_SSLv3    Disallow the use of SSLv3
1354    #                           NO_TLSv1    Disallow the use of TLSv1.0
1355    #                           NO_TLSv1_1  Disallow the use of TLSv1.1
1356    #                           NO_TLSv1_2  Disallow the use of TLSv1.2
1357    #                           SINGLE_DH_USE Always create a new key when using
1358    #                                     temporary/ephemeral DH key exchanges
1359    #                           ALL       Enable various bug workarounds
1360    #                                     suggested as "harmless" by OpenSSL
1361    #                                     Be warned that this reduces SSL/TLS
1362    #                                     strength to some attacks.
1363    #                       See OpenSSL SSL_CTX_set_options documentation for a
1364    #                       complete list of options.
1365    #
1366    #          clientca=    File containing the list of CAs to use when
1367    #                       requesting a client certificate.
1368    #
1369    #          cafile=      File containing additional CA certificates to
1370    #                       use when verifying client certificates. If unset
1371    #                       clientca will be used.
1372    #
1373    #          capath=      Directory containing additional CA certificates
1374    #                       and CRL lists to use when verifying client certificates.
1375    #
1376    #          crlfile=     File of additional CRL lists to use when verifying
1377    #                       the client certificate, in addition to CRLs stored in
1378    #                       the capath. Implies VERIFY_CRL flag below.
1379    #
1380    #          dhparams=    File containing DH parameters for temporary/ephemeral
1381    #                       DH key exchanges. See OpenSSL documentation for details
1382    #                       on how to create this file.
1383    #                       WARNING: EDH ciphers will be silently disabled if this
1384    #                                option is not set.
1385    #
1386    #          sslflags=    Various flags modifying the use of SSL:
1387    #                           DELAYED_AUTH
1388    #                               Don't request client certificates
1389    #                               immediately, but wait until acl processing
1390    #                               requires a certificate (not yet implemented).
1391    #                           NO_DEFAULT_CA
1392    #                               Don't use the default CA lists built in
1393    #                               to OpenSSL.
1394    #                           NO_SESSION_REUSE
1395    #                               Don't allow for session reuse. Each connection
1396    #                               will result in a new SSL session.
1397    #                           VERIFY_CRL
1398    #                               Verify CRL lists when accepting client
1399    #                               certificates.
1400    #                           VERIFY_CRL_ALL
1401    #                               Verify CRL lists for all certificates in the
1402    #                               client certificate chain.
1403    #
1404    #          sslcontext=  SSL session ID context identifier.
1405    #
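Review bot: the version= table offers "2   SSLv2 only" and "3   SSLv3 only", and the default "1   automatic" leaves protocol selection to OpenSSL, so an https_port or ssl-bump port written from this template negotiates whatever the library still enables; the wizard should emit options=NO_SSLv2:NO_SSLv3 (both names appear in the options= list above) on every TLS port it generates rather than relying on version=1. The dhparams= warning also bites generated configs: without dhparams= "EDH ciphers will be silently disabled", so a cipher= string that expects ephemeral DH degrades with no error in cache.log; either ship a dhparams file alongside the template or keep EDH suites out of the default cipher= value.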
1406    #       Other Options:
1407    #
1408    #          connection-auth[=on|off]
1409    #                       use connection-auth=off to tell Squid to prevent
1410    #                       forwarding Microsoft connection oriented authentication
1411    #                       (NTLM, Negotiate and Kerberos)
1412    #
1413    #          disable-pmtu-discovery=
1414    #                       Control Path-MTU discovery usage:
1415    #                           off         lets OS decide on what to do (default).
1416    #                           transparent disable PMTU discovery when transparent
1417    #                                       support is enabled.
1418    #                           always      disable always PMTU discovery.
1419    #
1420    #                       In many setups of transparently intercepting proxies
1421    #                       Path-MTU discovery can not work on traffic towards the
1422    #                       clients. This is the case when the intercepting device
1423    #                       does not fully track connections and fails to forward
1424    #                       ICMP must fragment messages to the cache server. If you
1425    #                       have such setup and experience that certain clients
1426    #                       sporadically hang or never complete requests set
1427    #                       disable-pmtu-discovery option to 'transparent'.
1428    #
1429    #          name=        Specifies a internal name for the port. Defaults to
1430    #                       the port specification (port or addr:port)
1431    #
1432    #          tcpkeepalive[=idle,interval,timeout]
1433    #                       Enable TCP keepalive probes of idle connections.
1434    #                       In seconds; idle is the initial time before TCP starts
1435    #                       probing the connection, interval how often to probe, and
1436    #                       timeout the time before giving up.
1437    #
1438    #       If you run Squid on a dual-homed machine with an internal
1439    #       and an external interface we recommend you to specify the
1440    #       internal address:port in http_port. This way Squid will only be
1441    #       visible on the internal address.
1442    #
1443    #
1444    
1445    # Squid normally listens to port 3128
1446    http_port 3128
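Review bot: the one active directive in this block, "http_port 3128", binds every interface, which contradicts the advice a few lines above that on a dual-homed host you should "specify the internal address:port in http_port" so Squid is "only visible on the internal address"; since this file is the template the proxy wizard installs, either have the wizard substitute the chosen internal address into this line or confirm the generated http_access rules are restrictive before it goes live, otherwise the host is one permissive ACL away from being an open proxy.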
1447    
1448    #  TAG: https_port
1449    #       Usage:  [ip:]port cert=certificate.pem [key=key.pem] [mode] [options...]
1450    #
1451    #       The socket address where Squid will listen for client requests made
1452    #       over TLS or SSL connections. Commonly referred to as HTTPS.
1453    #
1454    #       This is most useful for situations where you are running squid in
1455    #       accelerator mode and you want to do the SSL work at the accelerator level.
1456    #
1457    #       You may specify multiple socket addresses on multiple lines,
1458    #       each with their own SSL certificate and/or options.
1459    #
1460    #       See http_port for a list of available options.
1461  #Default:  #Default:
1462  # http_port 3128  # none
1463    
1464  #  TAG: icp_port  #  TAG: tcp_outgoing_tos
1465  #       The port number where Squid sends and receives ICP queries to  #       Allows you to select a TOS/Diffserv value for packets outgoing
1466  #       and from neighbor caches.  Default is 3130.  To disable use  #       on the server side, based on an ACL.
1467  #       "0".  May be overridden with -u on the command line.  #
1468    #       tcp_outgoing_tos ds-field [!]aclname ...
1469    #
1470    #       Example where normal_service_net uses the TOS value 0x00
1471    #       and good_service_net uses 0x20
1472    #
1473    #       acl normal_service_net src 10.0.0.0/24
1474    #       acl good_service_net src 10.0.1.0/24
1475    #       tcp_outgoing_tos 0x00 normal_service_net
1476    #       tcp_outgoing_tos 0x20 good_service_net
1477    #
1478    #       TOS/DSCP values really only have local significance - so you should
1479    #       know what you're specifying. For more information, see RFC2474,
1480    #       RFC2475, and RFC3260.
1481    #
1482    #       The TOS/DSCP byte must be exactly that - a octet value  0 - 255, or
1483    #       "default" to use whatever default your host has. Note that in
1484    #       practice often only multiples of 4 is usable as the two rightmost bits
1485    #       have been redefined for use by ECN (RFC 3168 section 23.1).
1486  #  #
1487    #       Processing proceeds in the order specified, and stops at first fully
1488    #       matching line.
1489  #Default:  #Default:
1490  # icp_port 3130  # none
1491    
1492  #  TAG: htcp_port  #  TAG: clientside_tos
1493  #       The port number where Squid sends and receives HTCP queries to  #       Allows you to select a TOS/Diffserv value for packets being transmitted
1494  #       and from neighbor caches.  Default is 4827.  To disable use  #       on the client-side, based on an ACL.
1495  #       "0".  #
1496    #       clientside_tos ds-field [!]aclname ...
1497    #
1498    #       Example where normal_service_net uses the TOS value 0x00
1499    #       and good_service_net uses 0x20
1500    #
1501    #       acl normal_service_net src 10.0.0.0/24
1502    #       acl good_service_net src 10.0.1.0/24
1503    #       clientside_tos 0x00 normal_service_net
1504    #       clientside_tos 0x20 good_service_net
1505  #  #
1506  #       To enable this option, you must use --enable-htcp with the  #       Note: This feature is incompatible with qos_flows. Any TOS values set here
1507  #       configure script.  #       will be overwritten by TOS values in qos_flows.
1508    #Default:
1509    # none
1510    
1511    #  TAG: tcp_outgoing_mark
1512    # Note: This option is only available if Squid is rebuilt with the
1513    #       Packet MARK (Linux)
1514    #
1515    #       Allows you to apply a Netfilter mark value to outgoing packets
1516    #       on the server side, based on an ACL.
1517  #  #
1518    #       tcp_outgoing_mark mark-value [!]aclname ...
1519    #
1520    #       Example where normal_service_net uses the mark value 0x00
1521    #       and good_service_net uses 0x20
1522    #
1523    #       acl normal_service_net src 10.0.0.0/24
1524    #       acl good_service_net src 10.0.1.0/24
1525    #       tcp_outgoing_mark 0x00 normal_service_net
1526    #       tcp_outgoing_mark 0x20 good_service_net
1527  #Default:  #Default:
1528  # htcp_port 4827  # none
1529    
1530  #  TAG: mcast_groups  #  TAG: clientside_mark
1531  #       This tag specifies a list of multicast groups which your server  # Note: This option is only available if Squid is rebuilt with the
1532  #       should join to receive multicasted ICP queries.  #       Packet MARK (Linux)
1533  #  #
1534  #       NOTE!  Be very careful what you put here!  Be sure you  #       Allows you to apply a Netfilter mark value to packets being transmitted
1535  #       understand the difference between an ICP _query_ and an ICP  #       on the client-side, based on an ACL.
 #       _reply_.  This option is to be set only if you want to RECEIVE  
 #       multicast queries.  Do NOT set this option to SEND multicast  
 #       ICP (use cache_peer for that).  ICP replies are always sent via  
 #       unicast, so this option does not affect whether or not you will  
 #       receive replies from multicast group members.  
1536  #  #
1537  #       You must be very careful to NOT use a multicast address which  #       clientside_mark mark-value [!]aclname ...
 #       is already in use by another group of caches.  
1538  #  #
1539  #       If you are unsure about multicast, please read the Multicast  #       Example where normal_service_net uses the mark value 0x00
1540  #       chapter in the Squid FAQ (http://www.squid-cache.org/FAQ/).  #       and good_service_net uses 0x20
1541  #  #
1542  #       Usage: mcast_groups 239.128.16.128 224.0.1.20  #       acl normal_service_net src 10.0.0.0/24
1543    #       acl good_service_net src 10.0.1.0/24
1544    #       clientside_mark 0x00 normal_service_net
1545    #       clientside_mark 0x20 good_service_net
1546  #  #
1547  #       By default, Squid doesn't listen on any multicast groups.  #       Note: This feature is incompatible with qos_flows. Any mark values set here
1548    #       will be overwritten by mark values in qos_flows.
1549    #Default:
1550    # none
1551    
1552    #  TAG: qos_flows
1553    #       Allows you to select a TOS/DSCP value to mark outgoing
1554    #       connections with, based on where the reply was sourced. For
1555    #       platforms using netfilter, allows you to set a netfilter mark
1556    #       value instead of, or in addition to, a TOS value.
1557    #
1558    #       TOS values really only have local significance - so you should
1559    #       know what you're specifying. For more information, see RFC2474,
1560    #       RFC2475, and RFC3260.
1561    #
1562    #       The TOS/DSCP byte must be exactly that - a octet value  0 - 255. Note that
1563    #       in practice often only multiples of 4 is usable as the two rightmost bits
1564    #       have been redefined for use by ECN (RFC 3168 section 23.1).
1565    #
1566    #       Mark values can be any unsigned 32-bit integer value.
1567    #
1568    #       This setting is configured by setting the following values:
1569    #
1570    #       tos|mark                Whether to set TOS or netfilter mark values
1571    #
1572    #       local-hit=0xFF          Value to mark local cache hits.
1573    #
1574    #       sibling-hit=0xFF        Value to mark hits from sibling peers.
1575    #
1576    #       parent-hit=0xFF         Value to mark hits from parent peers.
1577    #
1578    #       miss=0xFF[/mask]        Value to mark cache misses. Takes precedence
1579    #                               over the preserve-miss feature (see below), unless
1580    #                               mask is specified, in which case only the bits
1581    #                               specified in the mask are written.
1582    #
1583    #       The TOS variant of the following features are only possible on Linux
1584    #       and require your kernel to be patched with the TOS preserving ZPH
1585    #       patch, available from http://zph.bratcheda.org
1586    #       No patch is needed to preserve the netfilter mark, which will work
1587    #       with all variants of netfilter.
1588    #
1589    #       disable-preserve-miss
1590    #               This option disables the preservation of the TOS or netfilter
1591    #               mark. By default, the existing TOS or netfilter mark value of
1592    #               the response coming from the remote server will be retained
1593    #               and masked with miss-mark.
1594    #               NOTE: in the case of a netfilter mark, the mark must be set on
1595    #               the connection (using the CONNMARK target) not on the packet
1596    #               (MARK target).
1597    #
1598    #       miss-mask=0xFF
1599    #               Allows you to mask certain bits in the TOS or mark value
1600    #               received from the remote server, before copying the value to
1601    #               the TOS sent towards clients.
1602    #               Default for tos: 0xFF (TOS from server is not changed).
1603    #               Default for mark: 0xFFFFFFFF (mark from server is not changed).
1604    #
1605    #       All of these features require the --enable-zph-qos compilation flag
1606    #       (enabled by default). Netfilter marking also requires the
1607    #       libnetfilter_conntrack libraries (--with-netfilter-conntrack) and
1608    #       libcap 2.09+ (--with-libcap).
1609  #  #
1610  #Default:  #Default:
1611  # none  # none
1612    
1613  #  TAG: tcp_outgoing_address  #  TAG: tcp_outgoing_address
1614  #  TAG: udp_incoming_address  #       Allows you to map requests to different outgoing IP addresses
1615  #  TAG: udp_outgoing_address  #       based on the username or source address of the user making
1616  #       Usage: tcp_incoming_address 10.20.30.40  #       the request.
 #              udp_outgoing_address fully.qualified.domain.name  
1617  #  #
1618  #       tcp_outgoing_address    is used for connections made to remote  #       tcp_outgoing_address ipaddr [[!]aclname] ...
 #                               servers and other caches.  
 #       udp_incoming_address    is used for the ICP socket receiving packets  
 #                               from other caches.  
 #       udp_outgoing_address    is used for ICP packets sent out to other  
 #                               caches.  
1619  #  #
1620  #       The default behavior is to not bind to any specific address.  #       For example;
1621    #               Forwarding clients with dedicated IPs for certain subnets.
1622  #  #
1623  #       A *_incoming_address value of 0.0.0.0 indicates that Squid should  #         acl normal_service_net src 10.0.0.0/24
1624  #       listen on all available interfaces.  #         acl good_service_net src 10.0.2.0/24
1625  #  #
1626  #       If udp_outgoing_address is set to 255.255.255.255 (the default)  #         tcp_outgoing_address 2001:db8::c001 good_service_net
1627  #       then it will use the same socket as udp_incoming_address. Only  #         tcp_outgoing_address 10.1.0.2 good_service_net
 #       change this if you want to have ICP queries sent using another  
 #       address than where this Squid listens for ICP queries from other  
 #       caches.  
1628  #  #
1629  #       NOTE, udp_incoming_address and udp_outgoing_address can not  #         tcp_outgoing_address 2001:db8::beef normal_service_net
1630  #       have the same value since they both use port 3130.  #         tcp_outgoing_address 10.1.0.1 normal_service_net
1631    #
1632    #         tcp_outgoing_address 2001:db8::1
1633    #         tcp_outgoing_address 10.1.0.3
1634    #
1635    #       Processing proceeds in the order specified, and stops at first fully
1636    #       matching line.
1637    #
1638    #       Squid will add an implicit IP version test to each line.
1639    #       Requests going to IPv4 websites will use the outgoing 10.1.0.* addresses.
1640    #       Requests going to IPv6 websites will use the outgoing 2001:db8:* addresses.
1641    #
1642    #
1643    #       NOTE: The use of this directive using client dependent ACLs is
1644    #       incompatible with the use of server side persistent connections. To
1645    #       ensure correct results it is best to set server_persistent_connections
1646    #       to off when using this directive in such configurations.
1647  #  #
1648  #       NOTE, tcp_incoming_address has been removed.  You can now  #       NOTE: The use of this directive to set a local IP on outgoing TCP links
1649  #       specify IP addresses on the 'http_port' line.  #       is incompatible with using TPROXY to set client IP out outbound TCP links.
1650    #       When needing to contact peers use the no-tproxy cache_peer option and the
1651    #       client_dst_passthru directive re-enable normal forwarding such as this.
1652  #  #
1653  #Default:  #Default:
1654  # tcp_outgoing_address 255.255.255.255  # none
 # udp_incoming_address 0.0.0.0  
 # udp_outgoing_address 255.255.255.255  
1655    
1656    #  TAG: host_verify_strict
1657    #       Regardless of this option setting, when dealing with intercepted
1658    #       traffic, Squid always verifies that the destination IP address matches
1659    #       the Host header domain or IP (called 'authority form URL').
1660    #      
1661    #       This enforcement is performed to satisfy a MUST-level requirement in
1662    #       RFC 2616 section 14.23: "The Host field value MUST represent the naming
1663    #       authority of the origin server or gateway given by the original URL".
1664    #      
1665    #       When set to ON:
1666    #               Squid always responds with an HTTP 409 (Conflict) error
1667    #               page and logs a security warning if there is no match.
1668    #      
1669    #               Squid verifies that the destination IP address matches
1670    #               the Host header for forward-proxy and reverse-proxy traffic
1671    #               as well. For those traffic types, Squid also enables the
1672    #               following checks, comparing the corresponding Host header
1673    #               and Request-URI components:
1674    #      
1675    #                * The host names (domain or IP) must be identical,
1676    #                  but valueless or missing Host header disables all checks.
1677    #                  For the two host names to match, both must be either IP
1678    #                  or FQDN.
1679    #      
1680    #                * Port numbers must be identical, but if a port is missing
1681    #                  the scheme-default port is assumed.
1682    #      
1683    #      
1684    #       When set to OFF (the default):
1685    #               Squid allows suspicious requests to continue but logs a
1686    #               security warning and blocks caching of the response.
1687    #      
1688    #                * Forward-proxy traffic is not checked at all.
1689    #      
1690    #                * Reverse-proxy traffic is not checked at all.
1691    #      
1692    #                * Intercepted traffic which passes verification is handled
1693    #                  according to client_dst_passthru.
1694    #      
1695    #                * Intercepted requests which fail verification are sent
1696    #                  to the client original destination instead of DIRECT.
1697    #                  This overrides 'client_dst_passthru off'.
1698    #      
1699    #               For now suspicious intercepted CONNECT requests are always
1700    #               responded to with an HTTP 409 (Conflict) error page.
1701    #      
1702    #      
1703    #       SECURITY NOTE:
1704    #      
1705    #       As described in CVE-2009-0801 when the Host: header alone is used
1706    #       to determine the destination of a request it becomes trivial for
1707    #       malicious scripts on remote websites to bypass browser same-origin
1708    #       security policy and sandboxing protections.
1709    #      
1710    #       The cause of this is that such applets are allowed to perform their
1711    #       own HTTP stack, in which case the same-origin policy of the browser
1712    #       sandbox only verifies that the applet tries to contact the same IP
1713    #       as from where it was loaded at the IP level. The Host: header may
1714    #       be different from the connected IP and approved origin.
1715    #      
1716    #Default:
1717    # host_verify_strict off
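Review bot: host_verify_strict ships off, and the text is explicit that in that mode "Forward-proxy traffic is not checked at all" and "Reverse-proxy traffic is not checked at all", so the CVE-2009-0801 mitigation described in the SECURITY NOTE only covers intercepted traffic; if the wizard can generate an accel (reverse-proxy) configuration, consider setting host_verify_strict on for that mode, accepting the documented HTTP 409 on a Host/destination mismatch, or at least say in the wizard's help that the default leaves this check off.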
1718    
1719    #  TAG: client_dst_passthru
1720    #       With NAT or TPROXY intercepted traffic Squid may pass the request
1721    #       directly to the original client destination IP or seek a faster
1722    #       source using the HTTP Host header.
1723    #      
1724    #       Using Host to locate alternative servers can provide faster
1725    #       connectivity with a range of failure recovery options.
1726    #       But can also lead to connectivity trouble when the client and
1727    #       server are attempting stateful interactions unaware of the proxy.
1728    #      
1729    #       This option (on by default) prevents alternative DNS entries being
1730    #       located to send intercepted traffic DIRECT to an origin server.
1731    #       The clients original destination IP and port will be used instead.
1732    #      
1733    #       Regardless of this option setting, when dealing with intercepted
1734    #       traffic Squid will verify the Host: header and any traffic which
1735    #       fails Host verification will be treated as if this option were ON.
1736    #      
1737    #       see host_verify_strict for details on the verification process.
1738    #Default:
1739    # client_dst_passthru on
1740    
1741    # SSL OPTIONS
1742    # -----------------------------------------------------------------------------
1743    
1744    #  TAG: ssl_unclean_shutdown
1745    #       Some browsers (especially MSIE) bugs out on SSL shutdown
1746    #       messages.
1747    #Default:
1748    # ssl_unclean_shutdown off
1749    
1750    #  TAG: ssl_engine
1751    #       The OpenSSL engine to use. You will need to set this if you
1752    #       would like to use hardware SSL acceleration for example.
1753    #Default:
1754    # none
1755    
1756    #  TAG: sslproxy_client_certificate
1757    #       Client SSL Certificate to use when proxying https:// URLs
1758    #Default:
1759    # none
1760    
1761    #  TAG: sslproxy_client_key
1762    #       Client SSL Key to use when proxying https:// URLs
1763    #Default:
1764    # none
1765    
1766    #  TAG: sslproxy_version
1767    #       SSL version level to use when proxying https:// URLs
1768    #
1769    #       The versions of SSL/TLS supported:
1770    #
1771    #           1   automatic (default)
1772    #           2   SSLv2 only
1773    #           3   SSLv3 only
1774    #           4   TLSv1.0 only
1775    #           5   TLSv1.1 only
1776    #           6   TLSv1.2 only
1777    #Default:
1778    # sslproxy_version 1
1779    
1780    #  TAG: sslproxy_options
1781    #       SSL implementation options to use when proxying https:// URLs
1782    #      
1783    #       The most important being:
1784    #
1785    #           NO_SSLv2    Disallow the use of SSLv2
1786    #           NO_SSLv3    Disallow the use of SSLv3
1787    #           NO_TLSv1    Disallow the use of TLSv1.0
1788    #           NO_TLSv1_1  Disallow the use of TLSv1.1
1789    #           NO_TLSv1_2  Disallow the use of TLSv1.2
1790    #           SINGLE_DH_USE
1791    #                     Always create a new key when using temporary/ephemeral
1792    #                     DH key exchanges
1793    #           SSL_OP_NO_TICKET
1794    #                     Disable use of RFC5077 session tickets. Some servers
1795    #                     may have problems understanding the TLS extension due
1796    #                     to ambiguous specification in RFC4507.
1797    #           ALL       Enable various bug workarounds suggested as "harmless"
1798    #                     by OpenSSL. Be warned that this may reduce SSL/TLS
1799    #                     strength to some attacks.
1800    #      
1801    #       See the OpenSSL SSL_CTX_set_options documentation for a
1802    #       complete list of possible options.
1803    #Default:
1804    # none
1805    
1806    #  TAG: sslproxy_cipher
1807    #       SSL cipher list to use when proxying https:// URLs
1808    #
1809    #       Colon separated list of supported ciphers.
1810    #Default:
1811    # none
1812    
1813    #  TAG: sslproxy_cafile
1814    #       file containing CA certificates to use when verifying server
1815    #       certificates while proxying https:// URLs
1816    #Default:
1817    # none
1818    
1819    #  TAG: sslproxy_capath
1820    #       directory containing CA certificates to use when verifying
1821    #       server certificates while proxying https:// URLs
1822    #Default:
1823    # none
1824    
1825    #  TAG: ssl_bump
1826    #       This ACL controls which CONNECT requests to an http_port
1827    #       marked with an sslBump flag are actually "bumped". Please
1828    #       see the sslBump flag of an http_port option for more details
1829    #       about decoding proxied SSL connections.
1830    #
1831    #       By default, no requests are bumped.
1832    #
1833    #       See also: http_port ssl-bump
1834    #  
1835    #       This clause supports both fast and slow acl types.
1836    #       See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
1837    #
1838    #
1839    #       # Example: Bump all requests except those originating from localhost and
1840    #       # those going to webax.com or example.com sites.
1841    #
1842    #       acl localhost src 127.0.0.1/32
1843    #       acl broken_sites dstdomain .webax.com
1844    #       acl broken_sites dstdomain .example.com
1845    #       ssl_bump deny localhost
1846    #       ssl_bump deny broken_sites
1847    #       ssl_bump allow all
1848    #Default:
1849    # none
1850    
1851    #  TAG: sslproxy_flags
1852    #       Various flags modifying the use of SSL while proxying https:// URLs:
1853    #           DONT_VERIFY_PEER    Accept certificates that fail verification.
1854    #                               For refined control, see sslproxy_cert_error.
1855    #           NO_DEFAULT_CA       Don't use the default CA list built in
1856    #                               to OpenSSL.
1857    #Default:
1858    # none
1859    
1860    #  TAG: sslproxy_cert_error
1861    #       Use this ACL to bypass server certificate validation errors.
1862    #
1863    #       For example, the following lines will bypass all validation errors
1864    #       when talking to servers for example.com. All other
1865    #       validation errors will result in ERR_SECURE_CONNECT_FAIL error.
1866    #
1867    #               acl BrokenButTrustedServers dstdomain example.com
1868    #               sslproxy_cert_error allow BrokenButTrustedServers
1869    #               sslproxy_cert_error deny all
1870    #
1871    #       This clause only supports fast acl types.
1872    #       See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
1873    #       Using slow acl types may result in server crashes
1874    #
1875    #       Without this option, all server certificate validation errors
1876    #       terminate the transaction. Bypassing validation errors is dangerous
1877    #       because an error usually implies that the server cannot be trusted and
1878    #       the connection may be insecure.
1879    #
1880    #       See also: sslproxy_flags and DONT_VERIFY_PEER.
1881    #
1882    #       Default setting:  sslproxy_cert_error deny all
1883    #Default:
1884    # none
1885    
1886    #  TAG: sslpassword_program
1887    #       Specify a program used for entering SSL key passphrases
1888    #       when using encrypted SSL certificate keys. If not specified
1889    #       keys must either be unencrypted, or Squid started with the -N
1890    #       option to allow it to query interactively for the passphrase.
1891    #
1892    #       The key file name is given as argument to the program allowing
1893    #       selection of the right password if you have multiple encrypted
1894    #       keys.
1895    #Default:
1896    # none
1897    
1898    # OPTIONS RELATING TO EXTERNAL SSL_CRTD
1899    # -----------------------------------------------------------------------------
1900    
1901    #  TAG: sslcrtd_program
1902    # Note: This option is only available if Squid is rebuilt with the
1903    #       --enable-ssl-crtd
1904    #
1905    #       Specify the location and options of the executable for ssl_crtd process.
1906    #       /usr/lib64/squid/ssl_crtd program requires -s and -M parameters
1907    #       For more information use:
1908    #               /usr/lib64/squid/ssl_crtd -h
1909    #Default:
1910    # sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
1911    
1912    #  TAG: sslcrtd_children
1913    # Note: This option is only available if Squid is rebuilt with the
1914    #       --enable-ssl-crtd
1915    #
1916    #       The maximum number of processes spawn to service ssl server.
1917    #       The maximum this may be safely set to is 32.
1918    #      
1919    #       The startup= and idle= options allow some measure of skew in your
1920    #       tuning.
1921    #      
1922    #               startup=N
1923    #      
1924    #       Sets the minimum number of processes to spawn when Squid
1925    #       starts or reconfigures. When set to zero the first request will
1926    #       cause spawning of the first child process to handle it.
1927    #      
1928    #       Starting too few children temporary slows Squid under load while it
1929    #       tries to spawn enough additional processes to cope with traffic.
1930    #      
1931    #               idle=N
1932    #      
1933    #       Sets a minimum of how many processes Squid is to try and keep available
1934    #       at all times. When traffic begins to rise above what the existing
1935    #       processes can handle this many more will be spawned up to the maximum
1936    #       configured. A minimum setting of 1 is required.
1937    #      
1938    #       You must have at least one ssl_crtd process.
1939    #Default:
1940    # sslcrtd_children 32 startup=5 idle=1
1941    
1942  # OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM  # OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
1943  # -----------------------------------------------------------------------------  # -----------------------------------------------------------------------------
1944    
1945  #  TAG: cache_peer  #  TAG: cache_peer
1946  #       To specify other caches in a hierarchy, use the format:  #       To specify other caches in a hierarchy, use the format:
1947  #  #      
1948  #               cache_peer hostname type http_port icp_port  #               cache_peer hostname type http-port icp-port [options]
1949  #  #      
1950  #       For example,  #       For example,
1951  #  #      
1952  #       #                                        proxy  icp  #       #                                        proxy  icp
1953  #       #          hostname             type     port   port  options  #       #          hostname             type     port   port  options
1954  #       #          -------------------- -------- ----- -----  -----------  #       #          -------------------- -------- ----- -----  -----------
1955  #       cache_peer parent.foo.net       parent    3128  3130  [proxy-only]  #       cache_peer parent.foo.net       parent    3128  3130  default
1956  #       cache_peer sib1.foo.net         sibling   3128  3130  [proxy-only]  #       cache_peer sib1.foo.net         sibling   3128  3130  proxy-only
1957  #       cache_peer sib2.foo.net         sibling   3128  3130  [proxy-only]  #       cache_peer sib2.foo.net         sibling   3128  3130  proxy-only
1958  #  #       cache_peer example.com          parent    80       0  default
1959  #             type:  either 'parent', 'sibling', or 'multicast'.  #       cache_peer cdn.example.com      sibling   3128     0  
1960  #  #      
1961  #       proxy_port:  The port number where the cache listens for proxy  #             type:     either 'parent', 'sibling', or 'multicast'.
1962  #                    requests.  #      
1963  #  #       proxy-port:     The port number where the peer accept HTTP requests.
1964  #         icp_port:  Used for querying neighbor caches about  #                       For other Squid proxies this is usually 3128
1965  #                    objects.  To have a non-ICP neighbor  #                       For web servers this is usually 80
1966  #                    specify '7' for the ICP port and make sure the  #      
1967  #                    neighbor machine has the UDP echo port  #         icp-port:     Used for querying neighbor caches about objects.
1968  #                    enabled in its /etc/inetd.conf file.  #                       Set to 0 if the peer does not support ICP or HTCP.
1969  #  #                       See ICP and HTCP options below for additional details.
1970  #           options: proxy-only  #      
1971  #                    weight=n  #      
1972  #                    ttl=n  #       ==== ICP OPTIONS ====
1973  #                    no-query  #      
1974  #                    default  #       You MUST also set icp_port and icp_access explicitly when using these options.
1975  #                    round-robin  #       The defaults will prevent peer traffic using ICP.
1976  #                    multicast-responder  #      
1977  #                    closest-only  #      
1978  #                    no-digest  #       no-query        Disable ICP queries to this neighbor.
1979  #                    no-netdb-exchange  #      
1980  #                    no-delay  #       multicast-responder
1981  #                    login=user:password  #                       Indicates the named peer is a member of a multicast group.
1982  #                    connect-timeout=nn  #                       ICP queries will not be sent directly to the peer, but ICP
1983  #                    digest-url=url  #                       replies will be accepted from it.
1984  #                    allow-miss  #      
1985  #  #       closest-only    Indicates that, for ICP_OP_MISS replies, we'll only forward
1986  #                    use 'proxy-only' to specify that objects fetched  #                       CLOSEST_PARENT_MISSes and never FIRST_PARENT_MISSes.
1987  #                    from this cache should not be saved locally.  #      
1988  #  #       background-ping
1989  #                    use 'weight=n' to specify a weighted parent.  #                       To only send ICP queries to this neighbor infrequently.
1990  #                    The weight must be an integer.  The default weight  #                       This is used to keep the neighbor round trip time updated
1991  #                    is 1, larger weights are favored more.  #                       and is usually used in conjunction with weighted-round-robin.
1992  #  #      
1993  #                    use 'ttl=n' to specify a IP multicast TTL to use  #      
1994  #                    when sending an ICP queries to this address.  #       ==== HTCP OPTIONS ====
1995  #                    Only useful when sending to a multicast group.  #      
1996  #                    Because we don't accept ICP replies from random  #       You MUST also set htcp_port and htcp_access explicitly when using these options.
1997  #                    hosts, you must configure other group members as  #       The defaults will prevent peer traffic using HTCP.
1998  #                    peers with the 'multicast-responder' option below.  #      
1999  #  #      
2000  #                    use 'no-query' to NOT send ICP queries to this  #       htcp            Send HTCP, instead of ICP, queries to the neighbor.
2001  #                    neighbor.  #                       You probably also want to set the "icp-port" to 4827
2002  #  #                       instead of 3130. This directive accepts a comma separated
2003  #                    use 'default' if this is a parent cache which can  #                       list of options described below.
2004  #                    be used as a "last-resort." You should probably  #      
2005  #                    only use 'default' in situations where you cannot  #       htcp=oldsquid   Send HTCP to old Squid versions (2.5 or earlier).
2006  #                    use ICP with your parent cache(s).  #      
2007  #  #       htcp=no-clr     Send HTCP to the neighbor but without
2008  #                    use 'round-robin' to define a set of parents which  #                       sending any CLR requests.  This cannot be used with
2009  #                    should be used in a round-robin fashion in the  #                       only-clr.
2010  #                    absence of any ICP queries.  #      
2011  #  #       htcp=only-clr   Send HTCP to the neighbor but ONLY CLR requests.
2012  #                    'multicast-responder' indicates that the named peer  #                       This cannot be used with no-clr.
2013  #                    is a member of a multicast group.  ICP queries will  #      
2014  #                    not be sent directly to the peer, but ICP replies  #       htcp=no-purge-clr
2015  #                    will be accepted from it.  #                       Send HTCP to the neighbor including CLRs but only when
2016  #  #                       they do not result from PURGE requests.
2017  #                    'closest-only' indicates that, for ICP_OP_MISS  #      
2018  #                    replies, we'll only forward CLOSEST_PARENT_MISSes  #       htcp=forward-clr
2019  #                    and never FIRST_PARENT_MISSes.  #                       Forward any HTCP CLR requests this proxy receives to the peer.
2020  #  #      
2021  #                    use 'no-digest' to NOT request cache digests from  #      
2022  #                    this neighbor.  #       ==== PEER SELECTION METHODS ====
2023  #  #      
2024  #                    'no-netdb-exchange' disables requesting ICMP  #       The default peer selection method is ICP, with the first responding peer
2025  #                    RTT database (NetDB) from the neighbor.  #       being used as source. These options can be used for better load balancing.
2026  #  #      
2027  #                    use 'no-delay' to prevent access to this neighbor  #      
2028  #                    from influencing the delay pools.  #       default         This is a parent cache which can be used as a "last-resort"
2029  #  #                       if a peer cannot be located by any of the peer-selection methods.
2030  #                    use 'login=user:password' if this is a personal/workgroup  #                       If specified more than once, only the first is used.
2031  #                    proxy and your parent requires proxy authentication.  #      
2032  #  #       round-robin     Load-Balance parents which should be used in a round-robin
2033  #                    use 'connect-timeout=nn' to specify a peer  #                       fashion in the absence of any ICP queries.
2034  #                    specific connect timeout (also see the  #                       weight=N can be used to add bias.
2035  #                    peer_connect_timeout directive)  #      
2036  #  #       weighted-round-robin
2037  #                    use 'digest-url=url' to tell Squid to fetch the cache  #                       Load-Balance parents which should be used in a round-robin
2038  #                    digest (if digests are enabled) for this host from  #                       fashion with the frequency of each parent being based on the
2039  #                    the specified URL rather than the Squid default  #                       round trip time. Closer parents are used more often.
2040  #                    location.  #                       Usually used for background-ping parents.
2041  #  #                       weight=N can be used to add bias.
2042  #                    use 'allow-miss' to disable Squid's use of only-if-cached  #      
2043  #                    when forwarding requests to siblings. This is primarily  #       carp            Load-Balance parents which should be used as a CARP array.
2044  #                    useful when icp_hit_stale is used by the sibling. To  #                       The requests will be distributed among the parents based on the
2045  #                    extensive use of this option may result in forwarding  #                       CARP load balancing hash function based on their weight.
2046  #                    loops, and you should avoid having two-way peerings  #      
2047  #                    with this option. (for example to deny peer usage on  #       userhash        Load-balance parents based on the client proxy_auth or ident username.
2048  #                    requests from peer by denying cache_peer_access if the  #      
2049  #                    source is a peer)  #       sourcehash      Load-balance parents based on the client source IP.
2050  #  #
2051  #       NOTE: non-ICP neighbors must be specified as 'parent'.  #       multicast-siblings
2052    #                       To be used only for cache peers of type "multicast".
2053    #                       ALL members of this multicast group have "sibling"
2054    #                       relationship with it, not "parent".  This is to a multicast
2055    #                       group when the requested object would be fetched only from
2056    #                       a "parent" cache, anyway.  It's useful, e.g., when
2057    #                       configuring a pool of redundant Squid proxies, being
2058    #                       members of the same multicast group.
2059    #      
2060    #      
2061    #       ==== PEER SELECTION OPTIONS ====
2062    #      
2063    #       weight=N        use to affect the selection of a peer during any weighted
2064    #                       peer-selection mechanisms.
2065    #                       The weight must be an integer; default is 1,
2066    #                       larger weights are favored more.
2067    #                       This option does not affect parent selection if a peering
2068    #                       protocol is not in use.
2069    #      
2070    #       basetime=N      Specify a base amount to be subtracted from round trip
2071    #                       times of parents.
2072    #                       It is subtracted before division by weight in calculating
2073    #                       which parent to fectch from. If the rtt is less than the
2074    #                       base time the rtt is set to a minimal value.
2075    #      
2076    #       ttl=N           Specify a TTL to use when sending multicast ICP queries
2077    #                       to this address.
2078    #                       Only useful when sending to a multicast group.
2079    #                       Because we don't accept ICP replies from random
2080    #                       hosts, you must configure other group members as
2081    #                       peers with the 'multicast-responder' option.
2082    #      
2083    #       no-delay        To prevent access to this neighbor from influencing the
2084    #                       delay pools.
2085    #      
2086    #       digest-url=URL  Tell Squid to fetch the cache digest (if digests are
2087    #                       enabled) for this host from the specified URL rather
2088    #                       than the Squid default location.
2089    #      
2090    #      
2091    #       ==== CARP OPTIONS ====
2092    #      
2093    #       carp-key=key-specification
2094    #                       use a different key than the full URL to hash against the peer.
2095    #                       the key-specification is a comma-separated list of the keywords                
2096    #                       scheme, host, port, path, params
2097    #                       Order is not important.
2098    #      
2099    #       ==== ACCELERATOR / REVERSE-PROXY OPTIONS ====
2100    #      
2101    #       originserver    Causes this parent to be contacted as an origin server.
2102    #                       Meant to be used in accelerator setups when the peer
2103    #                       is a web server.
2104    #      
2105    #       forceddomain=name
2106    #                       Set the Host header of requests forwarded to this peer.
2107    #                       Useful in accelerator setups where the server (peer)
2108    #                       expects a certain domain name but clients may request
2109    #                       others. ie example.com or www.example.com
2110    #      
2111    #       no-digest       Disable request of cache digests.
2112    #      
2113    #       no-netdb-exchange
2114    #                       Disables requesting ICMP RTT database (NetDB).
2115    #      
2116    #      
2117    #       ==== AUTHENTICATION OPTIONS ====
2118    #      
2119    #       login=user:password
2120    #                       If this is a personal/workgroup proxy and your parent
2121    #                       requires proxy authentication.
2122    #                      
2123    #                       Note: The string can include URL escapes (i.e. %20 for
2124    #                       spaces). This also means % must be written as %%.
2125    #      
2126    #       login=PASSTHRU
2127    #                       Send login details received from client to this peer.
2128    #                       Both Proxy- and WWW-Authorization headers are passed
2129    #                       without alteration to the peer.
2130    #                       Authentication is not required by Squid for this to work.
2131    #                      
2132    #                       Note: This will pass any form of authentication but
2133    #                       only Basic auth will work through a proxy unless the
2134    #                       connection-auth options are also used.
2135    #
2136    #       login=PASS      Send login details received from client to this peer.
2137    #                       Authentication is not required by this option.
2138    #                      
2139    #                       If there are no client-provided authentication headers
2140    #                       to pass on, but username and password are available
2141    #                       from an external ACL user= and password= result tags
2142    #                       they may be sent instead.
2143    #                      
2144    #                       Note: To combine this with proxy_auth both proxies must
2145    #                       share the same user database as HTTP only allows for
2146    #                       a single login (one for proxy, one for origin server).
2147    #                       Also be warned this will expose your users proxy
2148    #                       password to the peer. USE WITH CAUTION
2149    #      
2150    #       login=*:password
2151    #                       Send the username to the upstream cache, but with a
2152    #                       fixed password. This is meant to be used when the peer
2153    #                       is in another administrative domain, but it is still
2154    #                       needed to identify each user.
2155    #                       The star can optionally be followed by some extra
2156    #                       information which is added to the username. This can
2157    #                       be used to identify this proxy to the peer, similar to
2158    #                       the login=username:password option above.
2159    #      
2160    #       login=NEGOTIATE
2161    #                       If this is a personal/workgroup proxy and your parent
2162    #                       requires a secure proxy authentication.
2163    #                       The first principal from the default keytab or defined by
2164    #                       the environment variable KRB5_KTNAME will be used.
2165    #      
2166    #                       WARNING: The connection may transmit requests from multiple
2167    #                       clients. Negotiate often assumes end-to-end authentication
2168    #                       and a single-client. Which is not strictly true here.
2169    #      
2170    #       login=NEGOTIATE:principal_name
2171    #                       If this is a personal/workgroup proxy and your parent
2172    #                       requires a secure proxy authentication.
2173    #                       The principal principal_name from the default keytab or
2174    #                       defined by the environment variable KRB5_KTNAME will be
2175    #                       used.
2176    #      
2177    #                       WARNING: The connection may transmit requests from multiple
2178    #                       clients. Negotiate often assumes end-to-end authentication
2179    #                       and a single-client. Which is not strictly true here.
2180    #      
2181    #       connection-auth=on|off
2182    #                       Tell Squid that this peer does or not support Microsoft
2183    #                       connection oriented authentication, and any such
2184    #                       challenges received from there should be ignored.
2185    #                       Default is auto to automatically determine the status
2186    #                       of the peer.
2187    #      
2188    #      
2189    #       ==== SSL / HTTPS / TLS OPTIONS ====
2190    #      
2191    #       ssl             Encrypt connections to this peer with SSL/TLS.
2192    #      
2193    #       sslcert=/path/to/ssl/certificate
2194    #                       A client SSL certificate to use when connecting to
2195    #                       this peer.
2196    #      
2197    #       sslkey=/path/to/ssl/key
2198    #                       The private SSL key corresponding to sslcert above.
2199    #                       If 'sslkey' is not specified 'sslcert' is assumed to
2200    #                       reference a combined file containing both the
2201    #                       certificate and the key.
2202    #      
2203    #       sslversion=1|2|3|4|5|6
2204    #                       The SSL version to use when connecting to this peer
2205    #                               1 = automatic (default)
2206    #                               2 = SSL v2 only
2207    #                               3 = SSL v3 only
2208    #                               4 = TLS v1.0 only
2209    #                               5 = TLS v1.1 only
2210    #                               6 = TLS v1.2 only
2211    #      
2212    #       sslcipher=...   The list of valid SSL ciphers to use when connecting
2213    #                       to this peer.
2214    #      
2215    #       ssloptions=...  Specify various SSL implementation options:
2216  #  #
2217    #                           NO_SSLv2    Disallow the use of SSLv2
2218    #                           NO_SSLv3    Disallow the use of SSLv3
2219    #                           NO_TLSv1    Disallow the use of TLSv1.0
2220    #                           NO_TLSv1_1  Disallow the use of TLSv1.1
2221    #                           NO_TLSv1_2  Disallow the use of TLSv1.2
2222    #                           SINGLE_DH_USE
2223    #                                     Always create a new key when using
2224    #                                     temporary/ephemeral DH key exchanges
2225    #                           ALL       Enable various bug workarounds
2226    #                                     suggested as "harmless" by OpenSSL
2227    #                                     Be warned that this reduces SSL/TLS
2228    #                                     strength to some attacks.
2229    #
2230    #                       See the OpenSSL SSL_CTX_set_options documentation for a
2231    #                       more complete list.
2232    #      
2233    #       sslcafile=...   A file containing additional CA certificates to use
2234    #                       when verifying the peer certificate.
2235    #      
2236    #       sslcapath=...   A directory containing additional CA certificates to
2237    #                       use when verifying the peer certificate.
2238    #      
2239    #       sslcrlfile=...  A certificate revocation list file to use when
2240    #                       verifying the peer certificate.
2241    #      
2242    #       sslflags=...    Specify various flags modifying the SSL implementation:
2243    #      
2244    #                       DONT_VERIFY_PEER
2245    #                               Accept certificates even if they fail to
2246    #                               verify.
2247    #                       NO_DEFAULT_CA
2248    #                               Don't use the default CA list built in
2249    #                               to OpenSSL.
2250    #                       DONT_VERIFY_DOMAIN
2251    #                               Don't verify the peer certificate
2252    #                               matches the server name
2253    #      
2254    #       ssldomain=      The peer name as advertised in it's certificate.
2255    #                       Used for verifying the correctness of the received peer
2256    #                       certificate. If not specified the peer hostname will be
2257    #                       used.
2258    #      
2259    #       front-end-https
2260    #                       Enable the "Front-End-Https: On" header needed when
2261    #                       using Squid as a SSL frontend in front of Microsoft OWA.
2262    #                       See MS KB document Q307347 for details on this header.
2263    #                       If set to auto the header will only be added if the
2264    #                       request is forwarded as a https:// URL.
2265    #      
2266    #      
2267    #       ==== GENERAL OPTIONS ====
2268    #      
2269    #       connect-timeout=N
2270    #                       A peer-specific connect timeout.
2271    #                       Also see the peer_connect_timeout directive.
2272    #      
2273    #       connect-fail-limit=N
2274    #                       How many times connecting to a peer must fail before
2275    #                       it is marked as down. Default is 10.
2276    #      
2277    #       allow-miss      Disable Squid's use of only-if-cached when forwarding
2278    #                       requests to siblings. This is primarily useful when
2279    #                       icp_hit_stale is used by the sibling. To extensive use
2280    #                       of this option may result in forwarding loops, and you
2281    #                       should avoid having two-way peerings with this option.
2282    #                       For example to deny peer usage on requests from peer
2283    #                       by denying cache_peer_access if the source is a peer.
2284    #      
2285    #       max-conn=N      Limit the amount of connections Squid may open to this
2286    #                       peer. see also
2287    #      
2288    #       name=xxx        Unique name for the peer.
2289    #                       Required if you have multiple peers on the same host
2290    #                       but different ports.
2291    #                       This name can be used in cache_peer_access and similar
2292    #                       directives to dentify the peer.
2293    #                       Can be used by outgoing access controls through the
2294    #                       peername ACL type.
2295    #      
2296    #       no-tproxy       Do not use the client-spoof TPROXY support when forwarding
2297    #                       requests to this peer. Use normal address selection instead.
2298    #      
2299    #       proxy-only      objects fetched from the peer will not be stored locally.
2300    #      
2301  #Default:  #Default:
2302  # none  # none
2303    
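Review bot: the generated default `sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB` (and the `/usr/lib64/squid/ssl_crtd -h` hint just above it) bakes an architecture-specific libdir into a wizard template file; unless the wizard substitutes the real libdir when it writes the configuration, the default points at a path that only exists on lib64 builds and the ssl_crtd helper would fail to start elsewhere, so consider replacing the literal path with the value the build provides. Two smaller documentation points in the same hunk: under sslproxy_cert_error the prose says "Default setting: sslproxy_cert_error deny all" while the generated "#Default:" line directly below reads "none", which reads as a contradiction (the intended meaning, that without the directive every validation error is rejected, is the safe behaviour and is worth stating unambiguously, since this ACL and the DONT_VERIFY_PEER flag are the two knobs in this block that weaken certificate checking); and the cache_peer entry "max-conn=N ... see also" ends mid-sentence with no reference, alongside the typos "fectch", "dentify" and "it's certificate". All of this is upstream squid.conf.documented text, so the fixes belong in the generated source rather than by hand in this copy.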
# Line 255  Line 2315 
2315  #       has the effect such that UDP query packets are sent to  #       has the effect such that UDP query packets are sent to
2316  #       'bigserver' only when the requested object exists on a  #       'bigserver' only when the requested object exists on a
2317  #       server in the .edu domain.  Prefixing the domainname  #       server in the .edu domain.  Prefixing the domainname
2318  #       with '!' means that the cache will be queried for objects  #       with '!' means the cache will be queried for objects
2319  #       NOT in that domain.  #       NOT in that domain.
2320  #  #
2321  #       NOTE:   * Any number of domains may be given for a cache-host,  #       NOTE:   * Any number of domains may be given for a cache-host,
# Line 267  Line 2327 
2327  #               * There are no defaults.  #               * There are no defaults.
2328  #               * There is also a 'cache_peer_access' tag in the ACL  #               * There is also a 'cache_peer_access' tag in the ACL
2329  #                 section.  #                 section.
2330    #Default:
2331    # none
2332    
2333    #  TAG: cache_peer_access
2334    #       Similar to 'cache_peer_domain' but provides more flexibility by
2335    #       using ACL elements.
2336  #  #
2337    #       cache_peer_access cache-host allow|deny [!]aclname ...
2338    #
2339    #       The syntax is identical to 'http_access' and the other lists of
2340    #       ACL elements.  See the comments for 'http_access' below, or
2341    #       the Squid FAQ (http://wiki.squid-cache.org/SquidFaq/SquidAcl).
2342  #Default:  #Default:
2343  # none  # none
2344    
2345  #  TAG: neighbor_type_domain  #  TAG: neighbor_type_domain
2346  #       usage: neighbor_type_domain parent|sibling domain domain ...  #       usage: neighbor_type_domain neighbor parent|sibling domain domain ...
2347  #  #
2348  #       Modifying the neighbor type for specific domains is now  #       Modifying the neighbor type for specific domains is now
2349  #       possible.  You can treat some domains differently than the the  #       possible.  You can treat some domains differently than the
2350  #       default neighbor type specified on the 'cache_peer' line.  #       default neighbor type specified on the 'cache_peer' line.
2351  #       Normally it should only be necessary to list domains which  #       Normally it should only be necessary to list domains which
2352  #       should be treated differently because the default neighbor type  #       should be treated differently because the default neighbor type
2353  #       applies for hostnames which do not match domains listed here.  #       applies for hostnames which do not match domains listed here.
2354  #  #
2355  #EXAMPLE:  #EXAMPLE:
2356  #       cache_peer  parent cache.foo.org 3128 3130  #       cache_peer cache.foo.org parent 3128 3130
2357  #       neighbor_type_domain cache.foo.org sibling .com .net  #       neighbor_type_domain cache.foo.org sibling .com .net
2358  #       neighbor_type_domain cache.foo.org sibling .au .de  #       neighbor_type_domain cache.foo.org sibling .au .de
 #  
2359  #Default:  #Default:
2360  # none  # none
2361    
 #  TAG: icp_query_timeout       (msec)  
 #       Normally Squid will automatically determine an optimal ICP  
 #       query timeout value based on the round-trip-time of recent ICP  
 #       queries.  If you want to override the value determined by  
 #       Squid, set this 'icp_query_timeout' to a non-zero value.  This  
 #       value is specified in MILLISECONDS, so, to use a 2-second  
 #       timeout (the old default), you would write:  
 #  
 #               icp_query_timeout 2000  
 #  
 #Default:  
 # icp_query_timeout 0  
   
 #  TAG: maximum_icp_query_timeout       (msec)  
 #       Normally the ICP query timeout is determined dynamically.  But  
 #       sometimes it can lead to very large values (say 5 seconds).  
 #       Use this option to put an upper limit on the dynamic timeout  
 #       value.  Do NOT use this option to always use a fixed (instead  
 #       of a dynamic) timeout value. To set a fixed timeout see the  
 #       'icp_query_timeout' directive.  
 #  
 #Default:  
 # maximum_icp_query_timeout 2000  
   
 #  TAG: mcast_icp_query_timeout (msec)  
 #       For Multicast peers, Squid regularly sends out ICP "probes" to  
 #       count how many other peers are listening on the given multicast  
 #       address.  This value specifies how long Squid should wait to  
 #       count all the replies.  The default is 2000 msec, or 2  
 #       seconds.  
 #  
 #Default:  
 # mcast_icp_query_timeout 2000  
   
2362  #  TAG: dead_peer_timeout       (seconds)  #  TAG: dead_peer_timeout       (seconds)
2363  #       This controls how long Squid waits to declare a peer cache  #       This controls how long Squid waits to declare a peer cache
2364  #       as "dead."  If there are no ICP replies received in this  #       as "dead."  If there are no ICP replies received in this
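Review bot: the 'neighbor_type_domain' synopsis and example are corrected here (the old example 'cache_peer parent cache.foo.org 3128 3130' had hostname and type swapped; the new 'cache_peer cache.foo.org parent 3128 3130' follows the hostname-type-http-port-icp-port order, and the usage line now shows the mandatory neighbor argument that the examples already pass as 'cache.foo.org'), but the same hunk silently drops 'icp_query_timeout', 'maximum_icp_query_timeout' and 'mcast_icp_query_timeout' with no replacement visible. Confirm those three tags are relocated elsewhere in the new file rather than removed, because a wizard template that still emits them would otherwise reference directives this documentation no longer describes. The new 'cache_peer_access' text points at 'http_access' "below" and at the FAQ; that cross-reference only holds if 'http_access' is indeed documented later in the new ordering.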
# Line 338  Line 2374 
2374  #       your time between requests is greater than this timeout, you  #       your time between requests is greater than this timeout, you
2375  #       will see a lot of requests sent DIRECT to origin servers  #       will see a lot of requests sent DIRECT to origin servers
2376  #       instead of to your parents.  #       instead of to your parents.
 #  
2377  #Default:  #Default:
2378  # dead_peer_timeout 10 seconds  # dead_peer_timeout 10 seconds
2379    
2380    #  TAG: forward_max_tries
2381    #       Controls how many different forward paths Squid will try
2382    #       before giving up. See also forward_timeout.
2383    #      
2384    #       NOTE: connect_retries (default: none) can make each of these
2385    #       possible forwarding paths be tried multiple times.
2386    #Default:
2387    # forward_max_tries 10
2388    
2389  #  TAG: hierarchy_stoplist  #  TAG: hierarchy_stoplist
2390  #       A list of words which, if found in a URL, cause the object to  #       A list of words which, if found in a URL, cause the object to
2391  #       be handled directly by this cache.  In other words, use this  #       be handled directly by this cache.  In other words, use this
2392  #       to not query neighbor caches for certain objects.  You may  #       to not query neighbor caches for certain objects.  You may
2393  #       list this option multiple times.  #       list this option multiple times.
2394  #  #
2395  #We recommend you to use at least the following line.  #       Example:
2396  hierarchy_stoplist cgi-bin ?  #               hierarchy_stoplist cgi-bin ?
   
 #  TAG: no_cache  
 #       A list of ACL elements which, if matched, cause the reply to  
 #       immediately removed from the cache.  In other words, use this  
 #       to force certain objects to never be cached.  
 #  
 #       You must use the word 'DENY' to indicate the ACL names which should  
 #       NOT be cached.  
2397  #  #
2398  #We recommend you to use the following two lines.  #       Note: never_direct overrides this option.
2399  acl QUERY urlpath_regex cgi-bin \?  #Default:
2400  no_cache deny QUERY  # none
   
2401    
2402  # OPTIONS WHICH AFFECT THE CACHE SIZE  # MEMORY CACHE OPTIONS
2403  # -----------------------------------------------------------------------------  # -----------------------------------------------------------------------------
2404    
2405  #  TAG: cache_mem       (bytes)  #  TAG: cache_mem       (bytes)
2406  #       NOTE: THIS PARAMETER DOES NOT SPECIFY THE MAXIMUM PROCESS  #       NOTE: THIS PARAMETER DOES NOT SPECIFY THE MAXIMUM PROCESS SIZE.
2407  #       SIZE.  IT PLACES A LIMIT ON ONE ASPECT OF SQUID'S MEMORY  #       IT ONLY PLACES A LIMIT ON HOW MUCH ADDITIONAL MEMORY SQUID WILL
2408  #       USAGE.  SQUID USES MEMORY FOR OTHER THINGS AS WELL.  #       USE AS A MEMORY CACHE OF OBJECTS. SQUID USES MEMORY FOR OTHER
2409  #       YOUR PROCESS WILL PROBABLY BECOME TWICE OR THREE TIMES  #       THINGS AS WELL. SEE THE SQUID FAQ SECTION 8 FOR DETAILS.
 #       BIGGER THAN THE VALUE YOU PUT HERE  
2410  #  #
2411  #       'cache_mem' specifies the ideal amount of memory to be used  #       'cache_mem' specifies the ideal amount of memory to be used
2412  #       for:  #       for:
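Review bot: this hunk changes runtime behaviour, not only documentation, and the commit should say so: the old file shipped 'hierarchy_stoplist cgi-bin ?', 'acl QUERY urlpath_regex cgi-bin \?' and 'no_cache deny QUERY' as active (uncommented) lines, while the new file keeps 'hierarchy_stoplist' only as a commented example and drops the 'no_cache' block entirely. 'no_cache' is the pre-3.x spelling of the 'cache' directive, so any generator that still writes 'no_cache deny QUERY' needs updating, and whatever the new default uses to keep cgi-bin and query responses out of the cache is not visible in this hunk; verify it is present further down (Squid 3 defaults do this with a 'refresh_pattern' matching cgi-bin and '\?') before accepting that the QUERY acl is gone, since caching dynamic, per-user responses is the failure mode that acl prevented. The added note that 'never_direct' overrides 'hierarchy_stoplist' is useful; the added 'forward_max_tries' text refers to 'connect_retries' and 'forward_timeout', which should both be documented in the same file.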
# Line 399  no_cache deny QUERY Line 2433  no_cache deny QUERY
2433  #       reached.  Thereafter, blocks will be used to store hot  #       reached.  Thereafter, blocks will be used to store hot
2434  #       objects.  #       objects.
2435  #  #
2436    #       If shared memory caching is enabled, Squid does not use the shared
2437    #       cache space for in-transit objects, but they still consume as much
2438    #       local memory as they need. For more details about the shared memory
2439    #       cache, see memory_cache_shared.
2440  #Default:  #Default:
2441  # cache_mem 8 MB  # cache_mem 256 MB
2442    
2443  #  TAG: cache_swap_low  (percent, 0-100)  #  TAG: maximum_object_size_in_memory   (bytes)
2444  #  TAG: cache_swap_high (percent, 0-100)  #       Objects greater than this size will not be attempted to kept in
2445  #  #       the memory cache. This should be set high enough to keep objects
2446  #       The low- and high-water marks for cache object replacement.  #       accessed frequently in memory to improve performance whilst low
2447  #       Replacement begins when the swap (disk) usage is above the  #       enough to keep larger objects from hoarding cache_mem.
 #       low-water mark and attempts to maintain utilization near the  
 #       low-water mark.  As swap utilization gets close to high-water  
 #       mark object eviction becomes more aggressive.  If utilization is  
 #       close to the low-water mark less replacement is done each time.  
 #        
 #       Defaults are 90% and 95%. If you have a large cache, 5% could be  
 #       hundreds of MB. If this is the case you may wish to set these  
 #       numbers closer together.  
 #  
2448  #Default:  #Default:
2449  # cache_swap_low 90  # maximum_object_size_in_memory 512 KB
 # cache_swap_high 95  
2450    
2451  #  TAG: maximum_object_size     (bytes)  #  TAG: memory_cache_shared     on|off
2452  #       Objects larger than this size will NOT be saved on disk.  The  #       Controls whether the memory cache is shared among SMP workers.
 #       value is specified in kilobytes, and the default is 4MB.  If  
 #       you wish to get a high BYTES hit ratio, you should probably  
 #       increase this (one 32 MB object hit counts for 3200 10KB  
 #       hits).  If you wish to increase speed more than your want to  
 #       save bandwidth you should leave this low.  
2453  #  #
2454  #       NOTE: if using the LFUDA replacement policy you should increase  #       The shared memory cache is meant to occupy cache_mem bytes and replace
2455  #       this value to maximize the byte hit rate improvement of LFUDA!  #       the non-shared memory cache, although some entities may still be
2456  #       See replacement_policy below for a discussion of this policy.  #       cached locally by workers for now (e.g., internal and in-transit
2457    #       objects may be served from a local memory cache even if shared memory
2458    #       caching is enabled).
2459  #  #
2460  #Default:  #       By default, the memory cache is shared if and only if all of the
2461  # maximum_object_size 4096 KB  #       following conditions are satisfied: Squid runs in SMP mode with
2462    #       multiple workers, cache_mem is positive, and Squid environment
2463  #  TAG: minimum_object_size     (bytes)  #       supports required IPC primitives (e.g., POSIX shared memory segments
2464  #       Objects smaller than this size will NOT be saved on disk.  The  #       and GCC-style atomic operations).
 #       value is specified in kilobytes, and the default is 0 KB, which  
 #       means there is no minimum.  
2465  #  #
2466  #Default:  #       To avoid blocking locks, shared memory uses opportunistic algorithms
2467  # minimum_object_size 0 KB  #       that do not guarantee that every cachable entity that could have been
2468    #       shared among SMP workers will actually be shared.
 #  TAG: maximum_object_size_in_memory   (bytes)  
 #        Objects greater than this size will not be attempted to kept in  
 #        the memory cache. This should be set high enough to keep objects  
 #        accessed frequently in memory to improve performance whilst low  
 #        enough to keep larger objects from hoarding cache_mem .  
2469  #  #
2470    #       Currently, entities exceeding 32KB in size cannot be shared.
2471  #Default:  #Default:
2472  # maximum_object_size_in_memory 8 KB  # "on" where supported if doing memory caching with multiple SMP workers.
2473    
2474  #  TAG: ipcache_size    (number of entries)  #  TAG: memory_cache_mode
2475  #  TAG: ipcache_low     (percent)  #       Controls which objects to keep in the memory cache (cache_mem)
 #  TAG: ipcache_high    (percent)  
 #       The size, low-, and high-water marks for the IP cache.  
2476  #  #
2477    #       always  Keep most recently fetched objects in memory (default)
2478    #
2479    #       disk    Only disk cache hits are kept in memory, which means
2480    #               an object must first be cached on disk and then hit
2481    #               a second time before cached in memory.
2482    #
2483    #       network Only objects fetched from network is kept in memory
2484  #Default:  #Default:
2485  # ipcache_size 1024  # memory_cache_mode always
 # ipcache_low 90  
 # ipcache_high 95  
2486    
2487  #  TAG: fqdncache_size  (number of entries)  #  TAG: memory_replacement_policy
2488  #       Maximum number of FQDN cache entries.  #       The memory replacement policy parameter determines which
2489    #       objects are purged from memory when memory space is needed.
2490  #  #
2491    #       See cache_replacement_policy for details.
2492  #Default:  #Default:
2493  # fqdncache_size 1024  # memory_replacement_policy lru
2494    
2495    # DISK CACHE OPTIONS
2496    # -----------------------------------------------------------------------------
2497    
2498  #  TAG: cache_replacement_policy  #  TAG: cache_replacement_policy
2499  #       The cache replacement policy parameter determines which  #       The cache replacement policy parameter determines which
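Review bot: two defaults change materially here and deserve a call-out in the commit message rather than only in the doc text: 'cache_mem' goes from 8 MB to 256 MB and 'maximum_object_size_in_memory' from 8 KB to 512 KB, while the old upper-case warning that the process will be two or three times larger than 'cache_mem' is replaced by a pointer to FAQ section 8. On a small wizard-generated install a 256 MB memory cache plus the per-worker local memory described under 'memory_cache_shared' is a real sizing change, so the wizard should set 'cache_mem' explicitly if it ever relied on the 8 MB default. The 'ipcache_size', 'ipcache_low', 'ipcache_high' and 'fqdncache_size' tags also vanish from this hunk with no replacement shown; confirm they are relocated rather than dropped. Two upstream wording slips survive the update and could be fixed while touching these lines: "attempted to kept in" under 'maximum_object_size_in_memory', and "Only objects fetched from network is kept in memory" under 'memory_cache_mode' (should read "are kept").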
# Line 496  no_cache deny QUERY Line 2523  no_cache deny QUERY
2523  #       replacement policies.  #       replacement policies.
2524  #  #
2525  #       NOTE: if using the LFUDA replacement policy you should increase  #       NOTE: if using the LFUDA replacement policy you should increase
2526  #       the value of maximum_object_size above its default of 4096 KB to  #       the value of maximum_object_size above its default of 4 MB to
2527  #       to maximize the potential byte hit rate improvement of LFUDA.    #       to maximize the potential byte hit rate improvement of LFUDA.
2528  #  #
2529  #       For more information about the GDSF and LFUDA cache replacement  #       For more information about the GDSF and LFUDA cache replacement
2530  #       policies see http://www.hpl.hp.com/techreports/1999/HPL-1999-69.html  #       policies see http://www.hpl.hp.com/techreports/1999/HPL-1999-69.html
2531  #       and http://fog.hpl.external.hp.com/techreports/98/HPL-98-173.html.  #       and http://fog.hpl.external.hp.com/techreports/98/HPL-98-173.html.
 #  
2532  #Default:  #Default:
2533  # cache_replacement_policy lru  # cache_replacement_policy lru
2534    
 #  TAG: memory_replacement_policy  
 #       The memory replacement policy parameter determines which  
 #       objects are purged from memory when memory space is needed.  
 #  
 #       See cache_replacement_policy for details.  
 #  
 #Default:  
 # memory_replacement_policy lru  
   
   
 # LOGFILE PATHNAMES AND CACHE DIRECTORIES  
 # -----------------------------------------------------------------------------  
   
2535  #  TAG: cache_dir  #  TAG: cache_dir
2536  #       Usage:  #       Usage:
2537  #        #
2538  #       cache_dir Type Directory-Name Fs-specific-data [options]  #       cache_dir Type Directory-Name Fs-specific-data [options]
2539  #  #
2540  #       You can specify multiple cache_dir lines to spread the  #       You can specify multiple cache_dir lines to spread the
2541  #       cache among different disk partitions.  #       cache among different disk partitions.
2542  #  #
2543  #       Type specifies the kind of storage system to use.  Most  #       Type specifies the kind of storage system to use. Only "ufs"
2544  #       everyone will want to use "ufs" as the type.  If you are using  #       is built by default. To enable any of the other storage systems
2545  #       Async I/O (--enable async-io) on Linux or Solaris, then you may  #       see the --enable-storeio configure option.
 #       want to try "aufs" as the type.  Async IO support may be  
 #       buggy, however, so beware.  
2546  #  #
2547  #       'Directory' is a top-level directory where cache swap  #       'Directory' is a top-level directory where cache swap
2548  #       files will be stored.  If you want to use an entire disk  #       files will be stored.  If you want to use an entire disk
2549  #       for caching, then this can be the mount-point directory.  #       for caching, this can be the mount-point directory.
2550  #       The directory must exist and be writable by the Squid  #       The directory must exist and be writable by the Squid
2551  #       process.  Squid will NOT create this directory for you.  #       process.  Squid will NOT create this directory for you.
2552  #  #
2553    #       In SMP configurations, cache_dir must not precede the workers option
2554    #       and should use configuration macros or conditionals to give each
2555    #       worker interested in disk caching a dedicated cache directory.
2556    #
2557  #       The ufs store type:  #       The ufs store type:
2558  #  #
2559  #       "ufs" is the old well-known Squid storage format that has always  #       "ufs" is the old well-known Squid storage format that has always
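Review bot: the 'cache_replacement_policy' NOTE still ends one line with "to" and begins the next with "to maximize" in both the old and new text (new lines 2526-2527), so the duplicated word is carried over; fix it while the line is being edited for the 4096 KB to 4 MB change. The new 'cache_dir' text adds a hard SMP constraint, that 'cache_dir' must not precede 'workers' and that each disk-caching worker needs its own directory via macros or conditionals; since this file is generated by the wizard, the template should enforce that ordering itself rather than rely on a comment the end user may never read. Note also that the old 'aufs' guidance is removed and the new text states only 'ufs' is built by default, so any generated config selecting another store type must match the build's '--enable-storeio' list or Squid will refuse the directive.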
# Line 548  no_cache deny QUERY Line 2563  no_cache deny QUERY
2563  #  #
2564  #       'Mbytes' is the amount of disk space (MB) to use under this  #       'Mbytes' is the amount of disk space (MB) to use under this
2565  #       directory.  The default is 100 MB.  Change this to suit your  #       directory.  The default is 100 MB.  Change this to suit your
2566  #       configuration.  #       configuration.  Do NOT put the size of your disk drive here.
2567    #       Instead, if you want Squid to use the entire disk drive,
2568    #       subtract 20% and use that value.
2569  #  #
2570  #       'Level-1' is the number of first-level subdirectories which  #       'L1' is the number of first-level subdirectories which
2571  #       will be created under the 'Directory'.  The default is 16.  #       will be created under the 'Directory'.  The default is 16.
2572  #  #
2573  #       'Level-2' is the number of second-level subdirectories which  #       'L2' is the number of second-level subdirectories which
2574  #       will be created under each first-level directory.  The default  #       will be created under each first-level directory.  The default
2575  #       is 256.  #       is 256.
2576  #  #
# Line 583  no_cache deny QUERY Line 2600  no_cache deny QUERY
2600  #  #
2601  #       Q2 specifies the number of unacknowledged messages when Squid  #       Q2 specifies the number of unacknowledged messages when Squid
2602  #       starts blocking.  If this many messages are in the queues,  #       starts blocking.  If this many messages are in the queues,
2603  #       Squid blocks until it recevies some replies. Default is 72  #       Squid blocks until it receives some replies. Default is 72
2604    #
2605    #       When Q1 < Q2 (the default), the cache directory is optimized
2606    #       for lower response time at the expense of a decrease in hit
2607    #       ratio.  If Q1 > Q2, the cache directory is optimized for
2608    #       higher hit ratio at the expense of an increase in response
2609    #       time.
2610    #
2611    #       The rock store type:
2612    #
2613    #           cache_dir rock Directory-Name Mbytes <max-size=bytes> [options]
2614    #
2615    #       The Rock Store type is a database-style storage. All cached
2616    #       entries are stored in a "database" file, using fixed-size slots,
2617    #       one entry per slot. The database size is specified in MB. The
2618    #       slot size is specified in bytes using the max-size option. See
2619    #       below for more info on the max-size option.
2620    #
2621    #       If possible, Squid using Rock Store creates a dedicated kid
2622    #       process called "disker" to avoid blocking Squid worker(s) on disk
2623    #       I/O. One disker kid is created for each rock cache_dir.  Diskers
2624    #       are created only when Squid, running in daemon mode, has support
2625    #       for the IpcIo disk I/O module.
2626    #
2627    #       swap-timeout=msec: Squid will not start writing a miss to or
2628    #       reading a hit from disk if it estimates that the swap operation
2629    #       will take more than the specified number of milliseconds. By
2630    #       default and when set to zero, disables the disk I/O time limit
2631    #       enforcement. Ignored when using blocking I/O module because
2632    #       blocking synchronous I/O does not allow Squid to estimate the
2633    #       expected swap wait time.
2634    #
2635    #       max-swap-rate=swaps/sec: Artificially limits disk access using
2636    #       the specified I/O rate limit. Swap out requests that
2637    #       would cause the average I/O rate to exceed the limit are
2638    #       delayed. Individual swap in requests (i.e., hits or reads) are
2639    #       not delayed, but they do contribute to measured swap rate and
2640    #       since they are placed in the same FIFO queue as swap out
2641    #       requests, they may wait longer if max-swap-rate is smaller.
2642    #       This is necessary on file systems that buffer "too
2643    #       many" writes and then start blocking Squid and other processes
2644    #       while committing those writes to disk.  Usually used together
2645    #       with swap-timeout to avoid excessive delays and queue overflows
2646    #       when disk demand exceeds available disk "bandwidth". By default
2647    #       and when set to zero, disables the disk I/O rate limit
2648    #       enforcement. Currently supported by IpcIo module only.
2649    #
2650    #
2651    #       The coss store type:
2652    #
2653    #       NP: COSS filesystem in Squid-3 has been deemed too unstable for
2654    #           production use and has thus been removed from this release.
2655    #           We hope that it can be made usable again soon.
2656    #
2657    #       block-size=n defines the "block size" for COSS cache_dir's.
2658    #       Squid uses file numbers as block numbers.  Since file numbers
2659    #       are limited to 24 bits, the block size determines the maximum
2660    #       size of the COSS partition.  The default is 512 bytes, which
2661    #       leads to a maximum cache_dir size of 512<<24, or 8 GB.  Note
2662    #       you should not change the coss block size after Squid
2663    #       has written some objects to the cache_dir.
2664    #
2665    #       The coss file store has changed from 2.5. Now it uses a file
2666    #       called 'stripe' in the directory names in the config - and
2667    #       this will be created by squid -z.
2668  #  #
2669  #       Common options:  #       Common options:
2670  #  #
2671  #       read-only, this cache_dir is read only.  #       no-store, no new objects should be stored to this cache_dir
2672    #
2673    #       min-size=n, refers to the min object size in bytes this cache_dir
2674    #       will accept.  It's used to restrict a cache_dir to only store
2675    #       large objects (e.g. aufs) while other storedirs are optimized
2676    #       for smaller objects (e.g. COSS). Defaults to 0.
2677  #  #
2678  #       max-size=n, refers to the max object size this storedir supports.  #       max-size=n, refers to the max object size in bytes this cache_dir
2679  #       It is used to initially choose the storedir to dump the object.  #       supports.  It is used to select the cache_dir to store the object.
2680  #       Note: To make optimal use of the max-size limits you should order  #       Note: To make optimal use of the max-size limits you should order
2681  #       the cache_dir lines with the smallest max-size value first and the  #       the cache_dir lines with the smallest max-size value first and the
2682  #       ones with no max-size specification last.  #       ones with no max-size specification last.
2683  #  #
2684    #       Note for coss, max-size must be less than COSS_MEMBUF_SZ,
2685    #       which can be changed with the --with-coss-membuf-size=N configure
2686    #       option.
2687    #
2688    
2689    # Uncomment and adjust the following to add a disk cache directory.
2690    #cache_dir ufs /var/spool/squid 100 16 256
2691    
2692    #  TAG: store_dir_select_algorithm
2693    #       Set this to 'round-robin' as an alternative.
2694  #Default:  #Default:
2695  # cache_dir ufs /var/spool/squid 100 16 256  # store_dir_select_algorithm least-load
2696    
2697  #  TAG: cache_access_log  #  TAG: max_open_disk_fds
2698  #       Logs the client request activity.  Contains an entry for  #       To avoid having disk as the I/O bottleneck Squid can optionally
2699  #       every HTTP and ICP queries received.  #       bypass the on-disk cache if more than this amount of disk file
2700    #       descriptors are open.
2701  #  #
2702    #       A value of 0 indicates no limit.
2703  #Default:  #Default:
2704  # cache_access_log /var/log/squid/access.log  # max_open_disk_fds 0
2705    
2706  #  TAG: cache_log  #  TAG: minimum_object_size     (bytes)
2707  #       Cache logging file. This is where general information about  #       Objects smaller than this size will NOT be saved on disk.  The
2708  #       your cache's behavior goes. You can increase the amount of data  #       value is specified in kilobytes, and the default is 0 KB, which
2709  #       logged to this file with the "debug_options" tag below.  #       means there is no minimum.
2710    #Default:
2711    # minimum_object_size 0 KB
2712    
2713    #  TAG: maximum_object_size     (bytes)
2714    #       The default limit on size of objects stored to disk.
2715    #       This size is used for cache_dir where max-size is not set.
2716    #       The value is specified in bytes, and the default is 4 MB.
2717    #
2718    #       If you wish to get a high BYTES hit ratio, you should probably
2719    #       increase this (one 32 MB object hit counts for 3200 10KB
2720    #       hits).
2721    #
2722    #       If you wish to increase hit ratio more than you want to
2723    #       save bandwidth you should leave this low.
2724  #  #
2725    #       NOTE: if using the LFUDA replacement policy you should increase
2726    #       this value to maximize the byte hit rate improvement of LFUDA!
2727    #       See replacement_policy below for a discussion of this policy.
2728  #Default:  #Default:
2729  # cache_log /var/log/squid/cache.log  # maximum_object_size 4 MB
2730    
2731    #  TAG: cache_swap_low  (percent, 0-100)
2732    #Default:
2733    # cache_swap_low 90
2734    
2735    #  TAG: cache_swap_high (percent, 0-100)
2736    #
2737    #       The low- and high-water marks for cache object replacement.
2738    #       Replacement begins when the swap (disk) usage is above the
2739    #       low-water mark and attempts to maintain utilization near the
2740    #       low-water mark.  As swap utilization gets close to high-water
2741    #       mark object eviction becomes more aggressive.  If utilization is
2742    #       close to the low-water mark less replacement is done each time.
2743    #
2744    #       Defaults are 90% and 95%. If you have a large cache, 5% could be
2745    #       hundreds of MB. If this is the case you may wish to set these
2746    #       numbers closer together.
2747    #Default:
2748    # cache_swap_high 95
2749    
2750    # LOGFILE OPTIONS
2751    # -----------------------------------------------------------------------------
2752    
2753    #  TAG: logformat
2754    #       Usage:
2755    #
2756    #       logformat <name> <format specification>
2757    #
2758    #       Defines an access log format.
2759    #
2760    #       The <format specification> is a string with embedded % format codes
2761    #
2762    #       % format codes all follow the same basic structure where all but
2763    #       the formatcode is optional. Output strings are automatically escaped
2764    #       as required according to their context and the output format
2765    #       modifiers are usually not needed, but can be specified if an explicit
2766    #       output format is desired.
2767    #
2768    #               % ["|[|'|#] [-] [[0]width] [{argument}] formatcode
2769    #
2770    #               "       output in quoted string format
2771    #               [       output in squid text log format as used by log_mime_hdrs
2772    #               #       output in URL quoted format
2773    #               '       output as-is
2774    #
2775    #               -       left aligned
2776    #
2777    #               width   minimum and/or maximum field width:
2778    #                           [width_min][.width_max]
2779    #                       When minimum starts with 0, the field is zero-padded.
2780    #                       String values exceeding maximum width are truncated.
2781    #
2782    #               {arg}   argument such as header name etc
2783    #
2784    #       Format codes:
2785    #
2786    #               %       a literal % character
2787    #               sn      Unique sequence number per log line entry
2788    #               err_code    The ID of an error response served by Squid or
2789    #                               a similar internal error identifier.
2790    #               err_detail  Additional err_code-dependent error information.
2791    #
2792    #       Connection related format codes:
2793    #
2794    #               >a      Client source IP address
2795    #               >A      Client FQDN
2796    #               >p      Client source port
2797    #               >eui    Client source EUI (MAC address, EUI-48 or EUI-64 identifier)
2798    #               >la     Local IP address the client connected to
2799    #               >lp     Local port number the client connected to
2800    #
2801    #               la      Local listening IP address the client connection was connected to.
2802    #               lp      Local listening port number the client connection was connected to.
2803    #
2804    #               <a      Server IP address of the last server or peer connection
2805    #               <A      Server FQDN or peer name
2806    #               <p      Server port number of the last server or peer connection
2807    #               <la     Local IP address of the last server or peer connection
2808    #               <lp     Local port number of the last server or peer connection
2809    #
2810    #       Time related format codes:
2811    #
2812    #               ts      Seconds since epoch
2813    #               tu      subsecond time (milliseconds)
2814    #               tl      Local time. Optional strftime format argument
2815    #                               default %d/%b/%Y:%H:%M:%S %z
2816    #               tg      GMT time. Optional strftime format argument
2817    #                               default %d/%b/%Y:%H:%M:%S %z
2818    #               tr      Response time (milliseconds)
2819    #               dt      Total time spent making DNS lookups (milliseconds)
2820    #
2821    #       Access Control related format codes:
2822    #
2823    #               et      Tag returned by external acl
2824    #               ea      Log string returned by external acl
2825    #               un      User name (any available)
2826    #               ul      User name from authentication
2827    #               ue      User name from external acl helper
2828    #               ui      User name from ident
2829    #               us      User name from SSL
2830    #
2831    #       HTTP related format codes:
2832    #
2833    #               [http::]>h      Original request header. Optional header name argument
2834    #                               on the format header[:[separator]element]
2835    #               [http::]>ha     The HTTP request headers after adaptation and redirection.
2836    #                               Optional header name argument as for >h
2837    #               [http::]<h      Reply header. Optional header name argument
2838    #                               as for >h
2839    #               [http::]>Hs     HTTP status code sent to the client
2840    #               [http::]<Hs     HTTP status code received from the next hop
2841    #               [http::]<bs     Number of HTTP-equivalent message body bytes
2842    #                               received from the next hop, excluding chunked
2843    #                               transfer encoding and control messages.
2844    #                               Generated FTP/Gopher listings are treated as
2845    #                               received bodies.
2846    #               [http::]mt      MIME content type
2847    #               [http::]rm      Request method (GET/POST etc)
2848    #               [http::]>rm     Request method from client
2849    #               [http::]<rm     Request method sent to server or peer
2850    #               [http::]ru      Request URL from client (historic, filtered for logging)
2851    #               [http::]>ru     Request URL from client
2852    #               [http::]<ru     Request URL sent to server or peer
2853    #               [http::]rp      Request URL-Path excluding hostname
2854    #               [http::]>rp     Request URL-Path excluding hostname from client
2855    #               [http::]<rp     Request URL-Path excluding hostname sento to server or peer
2856    #               [http::]rv      Request protocol version
2857    #               [http::]>rv     Request protocol version from client
2858    #               [http::]<rv     Request protocol version sent to server or peer
2859    #               [http::]<st     Sent reply size including HTTP headers
2860    #               [http::]>st     Received request size including HTTP headers. In the
2861    #                               case of chunked requests the chunked encoding metadata
2862    #                               are not included
2863    #               [http::]>sh     Received HTTP request headers size
2864    #               [http::]<sh     Sent HTTP reply headers size
2865    #               [http::]st      Request+Reply size including HTTP headers
2866    #               [http::]<sH     Reply high offset sent
2867    #               [http::]<sS     Upstream object size
2868    #               [http::]<pt     Peer response time in milliseconds. The timer starts
2869    #                               when the last request byte is sent to the next hop
2870    #                               and stops when the last response byte is received.
2871    #               [http::]<tt     Total server-side time in milliseconds. The timer
2872    #                               starts with the first connect request (or write I/O)
2873    #                               sent to the first selected peer. The timer stops
2874    #                               with the last I/O with the last peer.
2875    #
2876    #       Squid handling related format codes:
2877    #
2878    #               Ss      Squid request status (TCP_MISS etc)
2879    #               Sh      Squid hierarchy status (DEFAULT_PARENT etc)
2880    #
2881    #       If ICAP is enabled, the following code becomes available (as
2882    #       well as ICAP log codes documented with the icap_log option):
2883    #
2884    #               icap::tt        Total ICAP processing time for the HTTP
2885    #                               transaction. The timer ticks when ICAP
2886    #                               ACLs are checked and when ICAP
2887    #                               transaction is in progress.
2888    #
2889    #       If adaptation is enabled the following three codes become available:
2890    #
2891    #               adapt::<last_h  The header of the last ICAP response or
2892    #                               meta-information from the last eCAP
2893    #                               transaction related to the HTTP transaction.
2894    #                               Like <h, accepts an optional header name
2895    #                               argument.
2896    #
2897    #               adapt::sum_trs Summed adaptation transaction response
2898    #                               times recorded as a comma-separated list in
2899    #                               the order of transaction start time. Each time
2900    #                               value is recorded as an integer number,
2901    #                               representing response time of one or more
2902    #                               adaptation (ICAP or eCAP) transaction in
2903    #                               milliseconds.  When a failed transaction is
2904    #                               being retried or repeated, its time is not
2905    #                               logged individually but added to the
2906    #                               replacement (next) transaction. See also:
2907    #                               adapt::all_trs.
2908    #
2909    #               adapt::all_trs All adaptation transaction response times.
2910    #                               Same as adaptation_strs but response times of
2911    #                               individual transactions are never added
2912    #                               together. Instead, all transaction response
2913    #                               times are recorded individually.
2914    #
2915    #       You can prefix adapt::*_trs format codes with adaptation
2916    #       service name in curly braces to record response time(s) specific
2917    #       to that service. For example: %{my_service}adapt::sum_trs
2918    #
2919    #       The default formats available (which do not need re-defining) are:
2920    #
2921    #logformat squid      %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt
2922    #logformat common     %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh
2923    #logformat combined   %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
2924    #logformat referrer   %ts.%03tu %>a %{Referer}>h %ru
2925    #logformat useragent  %>a [%tl] "%{User-Agent}>h"
2926    #
2927    #       NOTE: When the log_mime_hdrs directive is set to ON.
2928    #               The squid, common and combined formats have a safely encoded copy
2929    #               of the mime headers appended to each line within a pair of brackets.
2930    #
2931    #       NOTE: The common and combined formats are not quite true to the Apache definition.
2932    #               The logs from Squid contain an extra status and hierarchy code appended.
2933    #
2934    #Default:
2935    # none
2936    
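Review bot: the adapt::all_trs entry says "Same as adaptation_strs", but no code of that name is defined anywhere in this block; the code it is contrasting with is adapt::sum_trs (whose own text ends with "See also: adapt::all_trs"), so the sentence should read "Same as adapt::sum_trs but response times of individual transactions are never added together". Two smaller wording problems in the same region: the [http::]<rp description has "sento to server or peer" for "sent to server or peer", and the first NOTE after the default logformat lines is cut into a fragment by the full stop after "ON"; it should be one sentence, "When the log_mime_hdrs directive is set to ON, the squid, common and combined formats have a safely encoded copy of the mime headers appended to each line within a pair of brackets."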
2937    #  TAG: access_log
2938    #       These files log client request activities. Has a line every HTTP or
2939    #       ICP request. The format is:
2940    #       access_log <module>:<place> [<logformat name> [acl acl ...]]
2941    #       access_log none [acl acl ...]]
2942    #      
2943    #       Will log to the specified module:place using the specified format (which
2944    #       must be defined in a logformat directive) those entries which match
2945    #       ALL the acl's specified (which must be defined in acl clauses).
2946    #       If no acl is specified, all requests will be logged to this destination.
2947    #      
2948    #       ===== Modules Currently available =====
2949    #      
2950    #       none    Do not log any requests matching these ACL.
2951    #               Do not specify Place or logformat name.
2952    #      
2953    #       stdio   Write each log line to disk immediately at the completion of
2954    #               each request.
2955    #               Place: the filename and path to be written.
2956    #      
2957    #       daemon  Very similar to stdio. But instead of writing to disk the log
2958    #               line is passed to a daemon helper for asychronous handling instead.
2959    #               Place: varies depending on the daemon.
2960    #              
2961    #               log_file_daemon Place: the file name and path to be written.
2962    #      
2963    #       syslog  To log each request via syslog facility.
2964    #               Place: The syslog facility and priority level for these entries.
2965    #               Place Format:  facility.priority
2966    #
2967    #               where facility could be any of:
2968    #                       authpriv, daemon, local0 ... local7 or user.
2969    #
2970    #               And priority could be any of:
2971    #                       err, warning, notice, info, debug.
2972    #      
2973    #       udp     To send each log line as text data to a UDP receiver.
2974    #               Place: The destination host name or IP and port.
2975    #               Place Format:   //host:port
2976    #
2977    #       tcp     To send each log line as text data to a TCP receiver.
2978    #               Place: The destination host name or IP and port.
2979    #               Place Format:   //host:port
2980    #
2981    #       Default:
2982    #               access_log daemon:/var/log/squid/access.log squid
2983    #Default:
2984    # access_log daemon:/var/log/squid/access.log squid
2985    
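Review bot: the synopsis "access_log none [acl acl ...]]" has one more closing bracket than opening bracket; it should be "access_log none [acl acl ...]" to match the first form, and the same stray bracket appears in the icap_log synopsis "icap_log none [acl acl ...]]" further down. The udp and tcp modules are documented only as sending "each log line as text data" to a receiver at //host:port; since the formats defined above put the client address (>a), request URL (ru) and user name (un) on every line, the text should say plainly whether that transport carries any protection and, if it does not, that the receiver belongs on a network the operator trusts. Minor spelling and grammar in the same region: "asychronous" should be "asynchronous", "Has a line every HTTP or ICP request" wants "for", and "matching these ACL" should be "matching these ACLs".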
2986    #  TAG: icap_log
2987    #       ICAP log files record ICAP transaction summaries, one line per
2988    #       transaction.
2989    #
2990    #       The icap_log option format is:
2991    #       icap_log <filepath> [<logformat name> [acl acl ...]]
2992    #       icap_log none [acl acl ...]]
2993    #      
2994    #       Please see access_log option documentation for details. The two
2995    #       kinds of logs share the overall configuration approach and many
2996    #       features.
2997    #
2998    #       ICAP processing of a single HTTP message or transaction may
2999    #       require multiple ICAP transactions.  In such cases, multiple
3000    #       ICAP transaction log lines will correspond to a single access
3001    #       log line.
3002    #
3003    #       ICAP log uses logformat codes that make sense for an ICAP
3004    #       transaction. Header-related codes are applied to the HTTP header
3005    #       embedded in an ICAP server response, with the following caveats:
3006    #       For REQMOD, there is no HTTP response header unless the ICAP
3007    #       server performed request satisfaction. For RESPMOD, the HTTP
3008    #       request header is the header sent to the ICAP server. For
3009    #       OPTIONS, there are no HTTP headers.
3010    #
3011    #       The following format codes are also available for ICAP logs:
3012    #
3013    #               icap::<A        ICAP server IP address. Similar to <A.
3014    #
3015    #               icap::<service_name     ICAP service name from the icap_service
3016    #                               option in Squid configuration file.
3017    #
3018    #               icap::ru        ICAP Request-URI. Similar to ru.
3019    #
3020    #               icap::rm        ICAP request method (REQMOD, RESPMOD, or
3021    #                               OPTIONS). Similar to existing rm.
3022    #
3023    #               icap::>st       Bytes sent to the ICAP server (TCP payload
3024    #                               only; i.e., what Squid writes to the socket).
3025    #
3026    #               icap::<st       Bytes received from the ICAP server (TCP
3027    #                               payload only; i.e., what Squid reads from
3028    #                               the socket).
3029    #
3030    #               icap::<bs       Number of message body bytes received from the
3031    #                               ICAP server. ICAP message body, if any, usually
3032    #