/[soft]/drakwizard/trunk/proxy_wizard/scripts/squid.conf.default

Contents of /drakwizard/trunk/proxy_wizard/scripts/squid.conf.default



Revision 8720 - (show annotations) (download)
Fri Aug 23 23:53:27 2013 UTC (11 years ago) by djennings
File size: 240247 byte(s)
- fix race condition checking service status (mga#10934)
- fix directory definition in proxy wizard
- fix parameter format in proxy wizard
- updated default proxy config file

1 # WELCOME TO SQUID 3.2.10
2 # ----------------------------
3 #
4 # This is the documentation for the Squid configuration file.
5 # This documentation can also be found online at:
6 # http://www.squid-cache.org/Doc/config/
7 #
8 # You may wish to look at the Squid home page and wiki for the
9 # FAQ and other documentation:
10 # http://www.squid-cache.org/
11 # http://wiki.squid-cache.org/SquidFaq
12 # http://wiki.squid-cache.org/ConfigExamples
13 #
14 # This documentation shows what the defaults for various directives
15 # happen to be. If you don't need to change the default, you should
16 # leave the line out of your squid.conf in most cases.
17 #
18 # In some cases "none" refers to no default setting at all,
19 # while in other cases it refers to the value of the option
20 # - the comments for that keyword indicate if this is the case.
21 #
22
23 # Configuration options can be included using the "include" directive.
24 # Include takes a list of files to include. Quoting and wildcards are
25 # supported.
26 #
27 # For example,
28 #
29 # include /path/to/included/file/squid.acl.config
30 #
31 # Includes can be nested up to a hard-coded depth of 16 levels.
32 # This arbitrary restriction prevents recursive include references
33 # from sending Squid into an infinite loop while it loads the
34 # configuration files.
35 #
36 #
37 # Conditional configuration
38 #
39 # If-statements can be used to make configuration directives
40 # depend on conditions:
41 #
42 # if <CONDITION>
43 # ... regular configuration directives ...
44 # [else
45 # ... regular configuration directives ...]
46 # endif
47 #
48 # The else part is optional. The keywords "if", "else", and "endif"
49 # must be typed on their own lines, as if they were regular
50 # configuration directives.
51 #
52 # NOTE: An else-if condition is not supported.
53 #
54 # These individual conditions types are supported:
55 #
56 # true
57 # Always evaluates to true.
58 # false
59 # Always evaluates to false.
60 # <integer> = <integer>
61 # Equality comparison of two integer numbers.
62 #
63 #
64 # SMP-Related Macros
65 #
66 # The following SMP-related preprocessor macros can be used.
67 #
68 # ${process_name} expands to the current Squid process "name"
69 # (e.g., squid1, squid2, or cache1).
70 #
71 # ${process_number} expands to the current Squid process
72 # identifier, which is an integer number (e.g., 1, 2, 3) unique
73 # across all Squid processes.
74
75 # TAG: broken_vary_encoding
76 # This option is not yet supported by Squid-3.
77 #Default:
78 # none
79
80 # TAG: cache_vary
81 # This option is not yet supported by Squid-3.
82 #Default:
83 # none
84
85 # TAG: collapsed_forwarding
86 # This option is not yet supported by Squid-3. see http://bugs.squid-cache.org/show_bug.cgi?id=3495
87 #Default:
88 # none
89
90 # TAG: error_map
91 # This option is not yet supported by Squid-3.
92 #Default:
93 # none
94
95 # TAG: external_refresh_check
96 # This option is not yet supported by Squid-3.
97 #Default:
98 # none
99
100 # TAG: ignore_ims_on_miss
101 # This option is not yet supported by Squid-3.
102 #Default:
103 # none
104
105 # TAG: location_rewrite_program
106 # This option is not yet supported by Squid-3.
107 #Default:
108 # none
109
110 # TAG: refresh_stale_hit
111 # This option is not yet supported by Squid-3.
112 #Default:
113 # none
114
115 # TAG: storeurl_access
116 # This option is not yet supported by this version of Squid-3. Please try a later release.
117 #Default:
118 # none
119
120 # TAG: ignore_expect_100
121 # Remove this line. The HTTP/1.1 feature is now fully supported by default.
122 #Default:
123 # none
124
125 # TAG: dns_v4_fallback
126 # Remove this line. Squid performs a 'Happy Eyeballs' algorithm, the 'fallback' algorithm is no longer relevant.
127 #Default:
128 # none
129
130 # TAG: ftp_list_width
131 # Remove this line. Configure FTP page display using the CSS controls in errorpages.css instead.
132 #Default:
133 # none
134
135 # TAG: maximum_single_addr_tries
136 # Replaced by connect_retries. The behaviour has changed, please read the documentation before altering.
137 #Default:
138 # none
139
140 # TAG: update_headers
141 # Remove this line. The feature is supported by default in storage types where update is implemented.
142 #Default:
143 # none
144
145 # TAG: url_rewrite_concurrency
146 # Remove this line. Set the 'concurrency=' option of url_rewrite_children instead.
147 #Default:
148 # none
149
150 # TAG: dns_testnames
151 # Remove this line. DNS is no longer tested on startup.
152 #Default:
153 # none
154
155 # TAG: extension_methods
156 # Remove this line. All valid methods for HTTP are accepted by default.
157 #Default:
158 # none
159
160 # TAG: zero_buffers
161 #Default:
162 # none
163
164 # TAG: incoming_rate
165 #Default:
166 # none
167
168 # TAG: server_http11
169 # Remove this line. HTTP/1.1 is supported by default.
170 #Default:
171 # none
172
173 # TAG: upgrade_http0.9
174 # Remove this line. ICY/1.0 streaming protocol is supported by default.
175 #Default:
176 # none
177
178 # TAG: zph_local
179 # Alter these entries. Use the qos_flows directive instead.
180 #Default:
181 # none
182
183 # TAG: header_access
184 # Since squid-3.0 replace with request_header_access or reply_header_access
185 # depending on whether you wish to match client requests or server replies.
186 #Default:
187 # none
188
189 # TAG: httpd_accel_no_pmtu_disc
190 # Since squid-3.0 use the 'disable-pmtu-discovery' flag on http_port instead.
191 #Default:
192 # none
193
194 # TAG: wais_relay_host
195 # Replace this line with 'cache_peer' configuration.
196 #Default:
197 # none
198
199 # TAG: wais_relay_port
200 # Replace this line with 'cache_peer' configuration.
201 #Default:
202 # none
203
204 # OPTIONS FOR AUTHENTICATION
205 # -----------------------------------------------------------------------------
206
207 # TAG: auth_param
208 # This is used to define parameters for the various authentication
209 # schemes supported by Squid.
210 #
211 # format: auth_param scheme parameter [setting]
212 #
213 # The order in which authentication schemes are presented to the client is
214 # dependent on the order the scheme first appears in config file. IE
215 # has a bug (it's not RFC 2617 compliant) in that it will use the basic
216 # scheme if basic is the first entry presented, even if more secure
217 # schemes are presented. Since basic sends the password in clear text
218 # (only base64-encoded), this ordering matters: use the order in the
219 # recommended settings section below. If other browsers have difficulties
220 # (don't recognize the schemes offered even if you are using basic) either
221 # put basic first, or disable the other schemes (by commenting out their program entry).
222 #
223 # Once an authentication scheme is fully configured, it can only be
224 # shut down by stopping squid and restarting it. Changes can be made on
225 # the fly and activated with a reconfigure. I.E. You can change to a
226 # different helper, but not unconfigure the helper completely.
227 #
228 # Please note that while this directive defines how Squid processes
229 # authentication it does not automatically activate authentication.
230 # To use authentication you must in addition make use of ACLs based
231 # on login name in http_access (proxy_auth, proxy_auth_regex or
232 # external with %LOGIN used in the format tag). The browser will be
233 # challenged for authentication on the first such acl encountered
234 # in http_access processing and will also be re-challenged for new
235 # login credentials if the request is being denied by a proxy_auth
236 # type acl.
237 #
238 # WARNING: authentication can't be used in a transparently intercepting
239 # proxy as the client then thinks it is talking to an origin server and
240 # not the proxy. This is a limitation of bending the TCP/IP protocol to
241 # transparently intercepting port 80, not a limitation in Squid.
242 # Ports flagged 'transparent', 'intercept', or 'tproxy' have
243 # authentication disabled.
244 #
245 # === Parameters for the basic scheme follow. ===
246 #
247 # "program" cmdline
248 # Specify the command for the external authenticator. Such a program
249 # reads a line containing "username password" and replies "OK" or
250 # "ERR" in an endless loop. "ERR" responses may optionally be followed
251 # by a error description available as %m in the returned error page.
252 # If you use an authenticator, make sure you have 1 acl of type
253 # proxy_auth.
254 #
255 # By default, the basic authentication scheme is not used unless a
256 # program is specified.
257 #
258 # If you want to use the traditional NCSA proxy authentication, set
259 # this line to something like
260 #
261 # auth_param basic program /usr/libexec/ncsa_auth /usr/etc/passwd
262 #
263 # "utf8" on|off
264 # HTTP uses iso-latin-1 as character set, while some authentication
265 # backends such as LDAP expects UTF-8. If this is set to on Squid will
266 # translate the HTTP iso-latin-1 charset to UTF-8 before sending the
267 # username & password to the helper.
268 #
269 # "children" numberofchildren [startup=N] [idle=N] [concurrency=N]
270 # The maximum number of authenticator processes to spawn. If you start too few
271 # Squid will have to wait for them to process a backlog of credential
272 # verifications, slowing it down. When password verifications are
273 # done via a (slow) network you are likely to need lots of
274 # authenticator processes.
275 #
276 # The startup= and idle= options permit some skew in the exact amount
277 # run. A minimum of startup=N will begin during startup and reconfigure.
278 # Squid will start more in groups of up to idle=N in an attempt to meet
279 # traffic needs and to keep idle=N free above those traffic needs up to
280 # the maximum.
281 #
282 # The concurrency= option sets the number of concurrent requests the
283 # helper can process. The default of 0 is used for helpers that only
284 # support one request at a time. Setting this to a number greater than
285 # 0 changes the protocol used to include a channel number first on the
286 # request/response line, allowing multiple requests to be sent to the
287 # same helper in parallel without waiting for the response.
288 # Must not be set unless it's known the helper supports this.
289 #
290 # auth_param basic children 20 startup=0 idle=1
291 #
292 # "realm" realmstring
293 # Specifies the realm name which is to be reported to the
294 # client for the basic proxy authentication scheme (part of
295 # the text the user will see when prompted their username and
296 # password). There is no default.
297 # auth_param basic realm Squid proxy-caching web server
298 #
299 # "credentialsttl" timetolive
300 # Specifies how long squid assumes an externally validated
301 # username:password pair is valid for - in other words how
302 # often the helper program is called for that user. Set this
303 # low to force revalidation with short lived passwords; while the
304 # entry is cached, a password change or account lockout in the backend
305 # is not noticed by Squid. Note setting this high does not impact your
306 # susceptibility to replay attacks unless you are using a one-time
307 # password system (such as SecurID). If you are using such a system,
308 # you will be vulnerable to replay attacks unless you also use the max_user_ip ACL in an http_access rule.
309 #
310 # "casesensitive" on|off
311 # Specifies if usernames are case sensitive. Most user databases are
312 # case insensitive allowing the same username to be spelled using both
313 # lower and upper case letters, but some are case sensitive. This
314 # makes a big difference for max_user_ip ACL processing and similar.
315 # auth_param basic casesensitive off
316 #
317 # === Parameters for the digest scheme follow ===
318 #
319 # "program" cmdline
320 # Specify the command for the external authenticator. Such
321 # a program reads a line containing "username":"realm" and
322 # replies with the appropriate H(A1) value hex encoded or
323 # ERR if the user (or his H(A1) hash) does not exist.
324 # See RFC 2617 (HTTP Digest authentication) for the definition of H(A1).
325 # "ERR" responses may optionally be followed by a error description
326 # available as %m in the returned error page.
327 #
328 # By default, the digest authentication scheme is not used unless a
329 # program is specified.
330 #
331 # If you want to use a digest authenticator, set this line to
332 # something like
333 #
334 # auth_param digest program /usr/bin/digest_pw_auth /usr/etc/digpass
335 #
336 # "utf8" on|off
337 # HTTP uses iso-latin-1 as character set, while some authentication
338 # backends such as LDAP expects UTF-8. If this is set to on Squid will
339 # translate the HTTP iso-latin-1 charset to UTF-8 before sending the
340 # username & password to the helper.
341 #
342 # "children" numberofchildren [startup=N] [idle=N] [concurrency=N]
343 # The maximum number of authenticator processes to spawn (default 5).
344 # If you start too few Squid will have to wait for them to
345 # process a backlog of H(A1) calculations, slowing it down.
346 # When the H(A1) calculations are done via a (slow) network
347 # you are likely to need lots of authenticator processes.
348 #
349 # The startup= and idle= options permit some skew in the exact amount
350 # run. A minimum of startup=N will begin during startup and reconfigure.
351 # Squid will start more in groups of up to idle=N in an attempt to meet
352 # traffic needs and to keep idle=N free above those traffic needs up to
353 # the maximum.
354 #
355 # The concurrency= option sets the number of concurrent requests the
356 # helper can process. The default of 0 is used for helpers that only
357 # support one request at a time. Setting this to a number greater than
358 # 0 changes the protocol used to include a channel number first on the
359 # request/response line, allowing multiple requests to be sent to the
360 # same helper in parallel without waiting for the response.
361 # Must not be set unless it's known the helper supports this.
362 #
363 # auth_param digest children 20 startup=0 idle=1
364 #
365 # "realm" realmstring
366 # Specifies the realm name which is to be reported to the
367 # client for the digest proxy authentication scheme (part of
368 # the text the user will see when prompted their username and
369 # password). There is no default.
370 # auth_param digest realm Squid proxy-caching web server
371 #
372 # "nonce_garbage_interval" timeinterval
373 # Specifies the interval at which nonces that have been issued
374 # to user agents are checked for validity.
375 #
376 # "nonce_max_duration" timeinterval
377 # Specifies the maximum length of time a given nonce will be
378 # valid for.
379 #
380 # "nonce_max_count" number
381 # Specifies the maximum number of times a given nonce can be
382 # used.
383 #
384 # "nonce_strictness" on|off
385 # Determines if squid requires strict increment-by-1 behavior
386 # for nonce counts, or just incrementing (off - for use when
387 # user agents generate nonce counts that occasionally miss 1
388 # (ie, 1,2,4,6)). Default off.
389 #
390 # "check_nonce_count" on|off
391 # Setting this to off disables the nonce count check completely,
392 # to work around buggy digest qop implementations in certain
393 # mainstream browser versions. Default on: the nonce count is
394 # checked to protect against authentication replay attacks.
395 #
396 # "post_workaround" on|off
397 # This is a workaround for certain buggy browsers that send
398 # an incorrect request digest in POST requests when reusing
399 # the same nonce as acquired earlier on a GET request.
400 #
401 # === NTLM scheme options follow ===
402 #
403 # "program" cmdline
404 # Specify the command for the external NTLM authenticator.
405 # Such a program reads exchanged NTLMSSP packets with
406 # the browser via Squid until authentication is completed.
407 # If you use an NTLM authenticator, make sure you have 1 acl
408 # of type proxy_auth. By default, the NTLM authenticator_program
409 # is not used.
410 #
411 # auth_param ntlm program /usr/bin/ntlm_auth
412 #
413 # "children" numberofchildren [startup=N] [idle=N]
414 # The maximum number of authenticator processes to spawn (default 5).
415 # If you start too few Squid will have to wait for them to
416 # process a backlog of credential verifications, slowing it
417 # down. When credential verifications are done via a (slow)
418 # network you are likely to need lots of authenticator
419 # processes.
420 #
421 # The startup= and idle= options permit some skew in the exact amount
422 # run. A minimum of startup=N will begin during startup and reconfigure.
423 # Squid will start more in groups of up to idle=N in an attempt to meet
424 # traffic needs and to keep idle=N free above those traffic needs up to
425 # the maximum.
426 #
427 # auth_param ntlm children 20 startup=0 idle=1
428 #
429 # "keep_alive" on|off
430 # If you experience problems with PUT/POST requests when using the
431 # NTLM authentication scheme then you can try setting this to
432 # off. This will cause Squid to forcibly close the connection on
433 # the initial requests where the browser asks which schemes are
434 # supported by the proxy.
435 #
436 # auth_param ntlm keep_alive on
437 #
438 # === Options for configuring the NEGOTIATE auth-scheme follow ===
439 #
440 # "program" cmdline
441 # Specify the command for the external Negotiate authenticator.
442 # This protocol is used in Microsoft Active-Directory enabled setups with
443 # the Microsoft Internet Explorer or Mozilla Firefox browsers.
444 # Its main purpose is to exchange credentials with the Squid proxy
445 # using the Kerberos mechanisms.
446 # If you use a Negotiate authenticator, make sure you have at least
447 # one acl of type proxy_auth active. By default, the negotiate
448 # authenticator_program is not used.
449 # The only supported program for this role is the ntlm_auth
450 # program distributed as part of Samba, version 4 or later.
451 #
452 # auth_param negotiate program /usr/bin/ntlm_auth --helper-protocol=gss-spnego
453 #
454 # "children" numberofchildren [startup=N] [idle=N]
455 # The maximum number of authenticator processes to spawn (default 5).
456 # If you start too few Squid will have to wait for them to
457 # process a backlog of credential verifications, slowing it
458 # down. When credential verifications are done via a (slow)
459 # network you are likely to need lots of authenticator
460 # processes.
461 #
462 # The startup= and idle= options permit some skew in the exact amount
463 # run. A minimum of startup=N will begin during startup and reconfigure.
464 # Squid will start more in groups of up to idle=N in an attempt to meet
465 # traffic needs and to keep idle=N free above those traffic needs up to
466 # the maximum.
467 #
468 # auth_param negotiate children 20 startup=0 idle=1
469 #
470 # "keep_alive" on|off
471 # If you experience problems with PUT/POST requests when using the
472 # Negotiate authentication scheme then you can try setting this to
473 # off. This will cause Squid to forcibly close the connection on
474 # the initial requests where the browser asks which schemes are
475 # supported by the proxy.
476 #
477 # auth_param negotiate keep_alive on
478 #
479 #
480 # Examples:
481 #
482 ##Recommended minimum configuration per scheme:
483 ##auth_param negotiate program <uncomment and complete this line to activate>
484 ##auth_param negotiate children 20 startup=0 idle=1
485 ##auth_param negotiate keep_alive on
486 ##
487 ##auth_param ntlm program <uncomment and complete this line to activate>
488 ##auth_param ntlm children 20 startup=0 idle=1
489 ##auth_param ntlm keep_alive on
490 ##
491 ##auth_param digest program <uncomment and complete this line>
492 ##auth_param digest children 20 startup=0 idle=1
493 ##auth_param digest realm Squid proxy-caching web server
494 ##auth_param digest nonce_garbage_interval 5 minutes
495 ##auth_param digest nonce_max_duration 30 minutes
496 ##auth_param digest nonce_max_count 50
497 ##
498 ##auth_param basic program <uncomment and complete this line>
499 ##auth_param basic children 5 startup=5 idle=1
500 ##auth_param basic realm Squid proxy-caching web server
501 ##auth_param basic credentialsttl 2 hours
502 #Default:
503 # none
504
505 # TAG: authenticate_cache_garbage_interval
506 # The time period between garbage collection across the username cache.
507 # This is a trade-off between memory utilization (long intervals - say
508 # 2 days) and CPU (short intervals - say 1 minute). Only change if you
509 # have good reason to.
510 #Default:
511 # authenticate_cache_garbage_interval 1 hour
512
513 # TAG: authenticate_ttl
514 # The time a user & their credentials stay in the logged in
515 # user cache since their last request. When the garbage
516 # interval passes, all user credentials that have passed their
517 # TTL are removed from memory.
518 #Default:
519 # authenticate_ttl 1 hour
520
521 # TAG: authenticate_ip_ttl
522 # If you use proxy authentication and the 'max_user_ip' ACL,
523 # this directive controls how long Squid remembers the IP
524 # addresses associated with each user. Use a small value
525 # (e.g., 60 seconds) if your users might change addresses
526 # quickly, as is the case with dialup. You might be safe
527 # using a larger value (e.g., 2 hours) in a corporate LAN
528 # environment with relatively static address assignments.
529 #Default:
530 # authenticate_ip_ttl 0 seconds
531
532 # ACCESS CONTROLS
533 # -----------------------------------------------------------------------------
534
535 # TAG: external_acl_type
536 # This option defines external acl classes using a helper program
537 # to look up the status
538 #
539 # external_acl_type name [options] FORMAT.. /path/to/helper [helper arguments..]
540 #
541 # Options:
542 #
543 # ttl=n TTL in seconds for cached results (defaults to 3600
544 # for 1 hour)
545 # negative_ttl=n
546 # TTL for cached negative lookups (default same
547 # as ttl)
548 # children-max=n
549 # Maximum number of acl helper processes spawned to service
550 # external acl lookups of this type. (default 20)
551 # children-startup=n
552 # Minimum number of acl helper processes to spawn during
553 # startup and reconfigure to service external acl lookups
554 # of this type. (default 0)
555 # children-idle=n
556 # Number of acl helper processes to keep ahead of traffic
557 # loads. Squid will spawn this many at once whenever load
558 # rises above the capabilities of existing processes.
559 # Up to the value of children-max. (default 1)
560 # concurrency=n concurrency level per process. Only used with helpers
561 # capable of processing more than one query at a time.
562 # cache=n limit the result cache size, default is unbounded.
563 # grace=n Percentage remaining of TTL where a refresh of a
564 # cached entry should be initiated without needing to
565 # wait for a new reply. (default is for no grace period)
566 # protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers
567 # ipv4 / ipv6 IP protocol used to communicate with this helper.
568 # The default is to auto-detect IPv6 and use it when available.
569 #
570 # FORMAT specifications
571 #
572 # %LOGIN Authenticated user login name
573 # %EXT_USER Username from previous external acl
574 # %EXT_LOG Log details from previous external acl
575 # %EXT_TAG Tag from previous external acl
576 # %IDENT Ident user name
577 # %SRC Client IP
578 # %SRCPORT Client source port
579 # %URI Requested URI
580 # %DST Requested host
581 # %PROTO Requested protocol
582 # %PORT Requested port
583 # %PATH Requested URL path
584 # %METHOD Request method
585 # %MYADDR Squid interface address
586 # %MYPORT Squid http_port number
587 # %PATH Requested URL-path (including query-string if any)
588 # %USER_CERT SSL User certificate in PEM format
589 # %USER_CERTCHAIN SSL User certificate chain in PEM format
590 # %USER_CERT_xx SSL User certificate subject attribute xx
591 # %USER_CA_xx SSL User certificate issuer attribute xx
592 #
593 # %>{Header} HTTP request header "Header"
594 # %>{Hdr:member}
595 # HTTP request header "Hdr" list member "member"
596 # %>{Hdr:;member}
597 # HTTP request header list member using ; as
598 # list separator. ; can be any non-alphanumeric
599 # character.
600 #
601 # %<{Header} HTTP reply header "Header"
602 # %<{Hdr:member}
603 # HTTP reply header "Hdr" list member "member"
604 # %<{Hdr:;member}
605 # HTTP reply header list member using ; as
606 # list separator. ; can be any non-alphanumeric
607 # character.
608 #
609 # %% The percent sign. Useful for helpers which need
610 # an unchanging input format.
611 #
612 # In addition to the above, any string specified in the referencing
613 # acl will also be included in the helper request line, after the
614 # specified formats (see the "acl external" directive)
615 #
616 # The helper receives lines per the above format specification,
617 # and returns lines starting with OK or ERR indicating the validity
618 # of the request and optionally followed by additional keywords with
619 # more details.
620 #
621 # General result syntax:
622 #
623 # OK/ERR keyword=value ...
624 #
625 # Defined keywords:
626 #
627 # user= The user's name (login)
628 # password= The user's password (for the cache_peer login= option)
629 # message= Message describing the reason. Available as %o
630 # in error pages
631 # tag= Apply a tag to a request (for both ERR and OK results)
632 # Only sets a tag, does not alter existing tags.
633 # log= String to be logged in access.log. Available as
634 # %ea in logformat specifications
635 #
636 # If protocol=3.0 (the default) then URL escaping is used to protect
637 # each value in both requests and responses.
638 #
639 # If using protocol=2.5 then all values need to be enclosed in quotes
640 # if they may contain whitespace, or the whitespace escaped using \.
641 # Quotes or \ characters within a value must themselves be \ escaped.
642 #
643 # When using the concurrency= option the protocol is changed by
644 # introducing a query channel tag infront of the request/response.
645 # The query channel tag is a number between 0 and concurrency-1.
646 #Default:
647 # none
648
649 # TAG: acl
650 # Defining an Access List
651 #
652 # Every access list definition must begin with an aclname and acltype,
653 # followed by either type-specific arguments or a quoted filename that
654 # they are read from.
655 #
656 # acl aclname acltype argument ...
657 # acl aclname acltype "file" ...
658 #
659 # When using "file", the file should contain one item per line.
660 #
661 # By default, regular expressions are CASE-SENSITIVE.
662 # To make them case-insensitive, use the -i option. To return to case-sensitive
663 # matching use the +i option between patterns, or make a new ACL line without -i.
664 #
665 # Some acl types require suspending the current request in order
666 # to access some external data source.
667 # Those which do are marked with the tag [slow], those which
668 # don't are marked as [fast].
669 # See http://wiki.squid-cache.org/SquidFaq/SquidAcl
670 # for further information
671 #
672 # ***** ACL TYPES AVAILABLE *****
673 #
674 # acl aclname src ip-address/netmask ... # clients IP address [fast]
675 # acl aclname src addr1-addr2/netmask ... # range of addresses [fast]
676 # acl aclname dst ip-address/netmask ... # URL host's IP address [slow]
677 # acl aclname myip ip-address/netmask ... # local socket IP address [fast]
678 #
679 # acl aclname arp mac-address ... (xx:xx:xx:xx:xx:xx notation)
680 # # The arp ACL requires the special configure option --enable-arp-acl.
681 # # Furthermore, the ARP ACL code is not portable to all operating systems.
682 # # It works on Linux, Solaris, Windows, FreeBSD, and some
683 # # other *BSD variants.
684 # # [fast]
685 # #
686 # # NOTE: Squid can only determine the MAC address for clients that are on
687 # # the same subnet. If the client is on a different subnet,
688 # # then Squid cannot find out its MAC address.
689 #
690 # acl aclname srcdomain .foo.com ...
691 # # reverse lookup, from client IP [slow]
692 # acl aclname dstdomain .foo.com ...
693 # # Destination server from URL [fast]
694 # acl aclname srcdom_regex [-i] \.foo\.com ...
695 # # regex matching client name [slow]
696 # acl aclname dstdom_regex [-i] \.foo\.com ...
697 # # regex matching server [fast]
698 # #
699 # # For dstdomain and dstdom_regex a reverse lookup is tried if an IP
700 # # based URL is used and no match is found. The name "none" is used if the
701 # # reverse lookup fails. Note the PTR record is controlled by the address owner, so do not rely on this fallback for allow rules.
702 #
703 # acl aclname src_as number ...
704 # acl aclname dst_as number ...
705 # # [fast]
706 # # Except for access control, AS numbers can be used for
707 # # routing of requests to specific caches. Here's an
708 # # example for routing all requests for AS#1241 and only
709 # # those to mycache.mydomain.net:
710 # # acl asexample dst_as 1241
711 # # cache_peer_access mycache.mydomain.net allow asexample
712 # # cache_peer_access mycache_mydomain.net deny all
713 #
714 # acl aclname peername myPeer ...
715 # # [fast]
716 # # match against a named cache_peer entry
717 # # set unique name= on cache_peer lines for reliable use.
718 #
719 # acl aclname time [day-abbrevs] [h1:m1-h2:m2]
720 # # [fast]
721 # # day-abbrevs:
722 # # S - Sunday
723 # # M - Monday
724 # # T - Tuesday
725 # # W - Wednesday
726 # # H - Thursday
727 # # F - Friday
728 # # A - Saturday
729 # # h1:m1 must be less than h2:m2
730 #
731 # acl aclname url_regex [-i] ^http:// ...
732 # # regex matching on whole URL [fast]
733 # acl aclname urllogin [-i] [^a-zA-Z0-9] ...
734 # # regex matching on URL login field
735 # acl aclname urlpath_regex [-i] \.gif$ ...
736 # # regex matching on URL path [fast]
737 #
738 # acl aclname port 80 70 21 0-1024... # destination TCP port [fast]
739 # # ranges are allowed
740 # acl aclname myport 3128 ... # local socket TCP port [fast]
741 # acl aclname myportname 3128 ... # http(s)_port name [fast]
742 #
743 # acl aclname proto HTTP FTP ... # request protocol [fast]
744 #
745 # acl aclname method GET POST ... # HTTP request method [fast]
746 #
747 # acl aclname http_status 200 301 500- 400-403 ...
748 # # status code in reply [fast]
749 #
750 # acl aclname browser [-i] regexp ...
751 # # pattern match on User-Agent header (see also req_header below) [fast]
752 #
753 # acl aclname referer_regex [-i] regexp ...
754 # # pattern match on Referer header [fast]
755 # # Referer is set by the client and can be omitted or forged, so use with care
756 #
757 # acl aclname ident username ...
758 # acl aclname ident_regex [-i] pattern ...
759 # # string match on the user name reported by the client host's ident service [slow]
760 # # use REQUIRED to accept any non-null ident.
761 #
762 # acl aclname proxy_auth [-i] username ...
763 # acl aclname proxy_auth_regex [-i] pattern ...
764 # # perform http authentication challenge to the client and match against
765 # # supplied credentials [slow]
766 # #
767 # # takes a list of allowed usernames.
768 # # use REQUIRED to accept any valid username.
769 # #
770 # # Will use proxy authentication in forward-proxy scenarios, and plain
771 # # http authentication in reverse-proxy scenarios
772 # #
773 # # NOTE: when a Proxy-Authorization header is sent but it is not
774 # # needed during ACL checking the username is NOT logged
775 # # in access.log.
776 # #
777 # # NOTE: proxy_auth requires an EXTERNAL authentication program
778 # # to check username/password combinations (see
779 # # auth_param directive).
780 # #
781 # # NOTE: proxy_auth can't be used in a transparent/intercepting proxy
782 # # as the browser needs to be configured for using a proxy in order
783 # # to respond to proxy authentication.
784 #
785 # acl aclname snmp_community string ...
786 # # A community string to limit access to your SNMP Agent [fast]
787 # # Example:
788 # #
789 # # acl snmppublic snmp_community public
790 #
791 # acl aclname maxconn number
792 # # This will be matched when the client's IP address has
793 # # more than <number> TCP connections established. [fast]
794 # # NOTE: This only measures direct TCP links so X-Forwarded-For
795 # # indirect clients are not counted.
796 #
797 # acl aclname max_user_ip [-s] number
798 # # This will be matched when the user attempts to log in from more
799 # # than <number> different ip addresses. The authenticate_ip_ttl
800 # # parameter controls the timeout on the ip entries. [fast]
801 # # If -s is specified the limit is strict, denying browsing
802 # # from any further IP addresses until the ttl has expired. Without
803 # # -s Squid will just annoy the user by "randomly" denying requests.
804 # # (the counter is reset each time the limit is reached and a
805 # # request is denied)
806 # # NOTE: in acceleration mode or where there is mesh of child proxies,
807 # # clients may appear to come from multiple addresses if they are
808 # # going through proxy farms, so a limit of 1 may cause user problems.
809 #
810 # acl aclname random probability
811 # # Pseudo-randomly match requests. Based on the probability given.
812 # # Probability may be written as a decimal (0.333), fraction (1/3)
813 # # or ratio of matches:non-matches (3:5).
814 #
815 # acl aclname req_mime_type [-i] mime-type ...
816 # # regex match against the mime type of the request generated
817 # # by the client. Can be used to detect file upload or some
818 # # types HTTP tunneling requests [fast]
819 # # NOTE: This does NOT match the reply. You cannot use this
820 # # to match the returned file type.
821 #
822 # acl aclname req_header header-name [-i] any\.regex\.here
823 # # regex match against any of the known request headers. May be
824 # # thought of as a superset of "browser", "referer" and "mime-type"
825 # # ACL [fast]
826 #
827 # acl aclname rep_mime_type [-i] mime-type ...
828 # # regex match against the mime type of the reply received by
829 # # squid. Can be used to detect file download or some
830 # # types HTTP tunneling requests. [fast]
831 # # NOTE: This has no effect in http_access rules. It only has
832 # # effect in rules that affect the reply data stream such as
833 # # http_reply_access.
834 #
835 # acl aclname rep_header header-name [-i] any\.regex\.here
836 # # regex match against any of the known reply headers. May be
837 # # thought of as a superset of "browser", "referer" and "mime-type"
838 # # ACLs [fast]
839 #
840 # acl aclname external class_name [arguments...]
841 # # external ACL lookup via a helper class defined by the
842 # # external_acl_type directive [slow]
843 #
844 # acl aclname user_cert attribute values...
845 # # match against attributes in a user SSL certificate
846 # # attribute is one of DN/C/O/CN/L/ST [fast]
847 #
848 # acl aclname ca_cert attribute values...
849 # # match against attributes of a user's issuing CA SSL certificate
850 # # attribute is one of DN/C/O/CN/L/ST [fast]
851 #
852 # acl aclname ext_user username ...
853 # acl aclname ext_user_regex [-i] pattern ...
854 # # string match on username returned by external acl helper [slow]
855 # # use REQUIRED to accept any non-null user name.
856 #
857 # acl aclname tag tagvalue ...
858 # # string match on tag returned by external acl helper [slow]
859 #
860 # acl aclname hier_code codename ...
861 # # string match against squid hierarchy code(s); [fast]
862 # # e.g., DIRECT, PARENT_HIT, NONE, etc.
863 # #
864 # # NOTE: This has no effect in http_access rules. It only has
865 # # effect in rules that affect the reply data stream such as
866 # # http_reply_access.
867 #
868 # Examples:
869 # acl macaddress arp 09:00:2b:23:45:67
870 # acl myexample dst_as 1241
871 # acl password proxy_auth REQUIRED
872 # acl fileupload req_mime_type -i ^multipart/form-data$
873 # acl javascript rep_mime_type -i ^application/x-javascript$
874 #
875 #Default:
876 # ACLs all, manager, localhost, and to_localhost are predefined.
877 #
878 #
879 # Recommended minimum configuration:
880 #
881
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed.
# NOTE(review): every range listed here is admitted by the
# "http_access allow localnet" rule further down without any further
# check, so trim this list to the networks this proxy really serves.
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines

# Destination ports to which CONNECT tunnels are permitted; used by
# "http_access deny CONNECT !SSL_ports" below.
acl SSL_ports port 443
# Destination ports clients may request at all; anything outside this
# list is refused by "http_access deny !Safe_ports" below.
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports (this single range admits every high port)
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
# Matches CONNECT requests so tunnels can be restricted to SSL_ports.
acl CONNECT method CONNECT
903
904 # TAG: follow_x_forwarded_for
905 # Allowing or Denying the X-Forwarded-For header to be followed to
906 # find the original source of a request.
907 #
908 # Requests may pass through a chain of several other proxies
909 # before reaching us. The X-Forwarded-For header will contain a
910 # comma-separated list of the IP addresses in the chain, with the
911 # rightmost address being the most recent.
912 #
913 # If a request reaches us from a source that is allowed by this
914 # configuration item, then we consult the X-Forwarded-For header
915 # to see where that host received the request from. If the
916 # X-Forwarded-For header contains multiple addresses, we continue
917 # backtracking until we reach an address for which we are not allowed
918 # to follow the X-Forwarded-For header, or until we reach the first
919 # address in the list. For the purpose of ACL used in the
920 # follow_x_forwarded_for directive the src ACL type always matches
921 # the address we are testing and srcdomain matches its rDNS.
922 #
923 # The end result of this process is an IP address that we will
924 # refer to as the indirect client address. This address may
925 # be treated as the client address for access control, ICAP, delay
926 # pools and logging, depending on the acl_uses_indirect_client,
927 # icap_uses_indirect_client, delay_pool_uses_indirect_client,
928 # log_uses_indirect_client and tproxy_uses_indirect_client options.
929 #
930 # This clause only supports fast acl types.
931 # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
932 #
933 # SECURITY CONSIDERATIONS:
934 #
935 # Any host for which we follow the X-Forwarded-For header
936 # can place incorrect information in the header, and Squid
937 # will use the incorrect information as if it were the
938 # source address of the request. This may enable remote
939 # hosts to bypass any access control restrictions that are
940 # based on the client's source addresses.
941 #
942 # For example:
943 #
944 # acl localhost src 127.0.0.1
945 # acl my_other_proxy srcdomain .proxy.example.com
946 # follow_x_forwarded_for allow localhost
947 # follow_x_forwarded_for allow my_other_proxy
948 #Default:
949 # follow_x_forwarded_for deny all
950
951 # TAG: acl_uses_indirect_client on|off
952 # Controls whether the indirect client address
953 # (see follow_x_forwarded_for) is used instead of the
954 # direct client address in acl matching.
955 #
956 # NOTE: maxconn ACL considers direct TCP links and indirect
957 # clients will always have zero. So no match.
958 #Default:
959 # acl_uses_indirect_client on
960
961 # TAG: delay_pool_uses_indirect_client on|off
962 # Controls whether the indirect client address
963 # (see follow_x_forwarded_for) is used instead of the
964 # direct client address in delay pools.
965 #Default:
966 # delay_pool_uses_indirect_client on
967
968 # TAG: log_uses_indirect_client on|off
969 # Controls whether the indirect client address
970 # (see follow_x_forwarded_for) is used instead of the
971 # direct client address in the access log.
972 #Default:
973 # log_uses_indirect_client on
974
975 # TAG: tproxy_uses_indirect_client on|off
976 # Controls whether the indirect client address
977 # (see follow_x_forwarded_for) is used instead of the
978 # direct client address when spoofing the outgoing client.
979 #
980 # This has no effect on requests arriving in non-tproxy
981 # mode ports.
982 #
983 # SECURITY WARNING: Usage of this option is dangerous
984 # and should not be used trivially. Correct configuration
985 # of follow_x_forwarded_for with a limited set of trusted
986 # sources is required to prevent abuse of your proxy.
987 #Default:
988 # tproxy_uses_indirect_client off
989
990 # TAG: http_access
991 # Allowing or Denying access based on defined access lists
992 #
993 # Access to the HTTP port:
994 # http_access allow|deny [!]aclname ...
995 #
996 # NOTE on default values:
997 #
998 # If there are no "access" lines present, the default is to deny
999 # the request.
1000 #
1001 # If none of the "access" lines cause a match, the default is the
1002 # opposite of the last line in the list. If the last line was
1003 # deny, the default is allow. Conversely, if the last line
1004 # is allow, the default will be deny. For these reasons, it is a
1005 # good idea to have a "deny all" entry at the end of your access
1006 # lists to avoid potential confusion.
1007 #
1008 # This clause supports both fast and slow acl types.
1009 # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
1010 #
1011 #Default:
1012 # http_access deny all
1013 #
1014
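#
# Recommended minimum Access Permission configuration:
#
# http_access lines are evaluated top to bottom and the first match
# wins; if nothing matches, the result is the opposite of the LAST line
# (see the NOTE under TAG: http_access above). The list therefore ends
# with an explicit "deny all" so the fall-through is unambiguous, and
# any site-specific allow rules must be placed above it.

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy.
# The previous revision ended this list with a second
# "http_access allow localhost", which contradicted this comment and
# relied on the implicit opposite-of-last-line fall-through to deny.
http_access deny all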
1045
1046 # TAG: adapted_http_access
1047 # Allowing or Denying access based on defined access lists
1048 #
1049 # Essentially identical to http_access, but runs after redirectors
1050 # and ICAP/eCAP adaptation. Allowing access control based on their
1051 # output.
1052 #
1053 # If not set then only http_access is used.
1054 #Default:
1055 # none
1056
1057 # TAG: http_reply_access
1058 # Allow replies to client requests. This is complementary to http_access.
1059 #
1060 # http_reply_access allow|deny [!] aclname ...
1061 #
1062 # NOTE: if there are no access lines present, the default is to allow
1063 # all replies
1064 #
1065 # If none of the access lines cause a match the opposite of the
1066 # last line will apply. Thus it is good practice to end the rules
1067 # with an "allow all" or "deny all" entry.
1068 #
1069 # This clause supports both fast and slow acl types.
1070 # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
1071 #Default:
1072 # none
1073
1074 # TAG: icp_access
1075 # Allowing or Denying access to the ICP port based on defined
1076 # access lists
1077 #
1078 # icp_access allow|deny [!]aclname ...
1079 #
1080 # See http_access for details
1081 #
1082 # This clause only supports fast acl types.
1083 # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
1084 #
1085 ## Allow ICP queries from local networks only
1086 ##icp_access allow localnet
1087 ##icp_access deny all
1088 #Default:
1089 # icp_access deny all
1090
1091 # TAG: htcp_access
1092 # Allowing or Denying access to the HTCP port based on defined
1093 # access lists
1094 #
1095 # htcp_access allow|deny [!]aclname ...
1096 #
1097 # See http_access for details
1098 #
1099 # NOTE: The default if no htcp_access lines are present is to
1100 # deny all traffic. This default may cause problems with peers
1101 # using the htcp option.
1102 #
1103 # This clause only supports fast acl types.
1104 # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
1105 #
1106 ## Allow HTCP queries from local networks only
1107 ##htcp_access allow localnet
1108 ##htcp_access deny all
1109 #Default:
1110 # htcp_access deny all
1111
1112 # TAG: htcp_clr_access
1113 # Allowing or Denying access to purge content using HTCP based
1114 # on defined access lists
1115 #
1116 # htcp_clr_access allow|deny [!]aclname ...
1117 #
1118 # See http_access for details
1119 #
1120 # This clause only supports fast acl types.
1121 # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
1122 #
1123 ## Allow HTCP CLR requests from trusted peers
1124 #acl htcp_clr_peer src 172.16.1.2
1125 #htcp_clr_access allow htcp_clr_peer
1126 #Default:
1127 # htcp_clr_access deny all
1128
1129 # TAG: miss_access
1130 # Determines whether network access is permitted when satisfying a request.
1131 #
1132 # For example;
1133 # to force your neighbors to use you as a sibling instead of
1134 # a parent.
1135 #
1136 # acl localclients src 172.16.0.0/16
1137 # miss_access allow localclients
1138 # miss_access deny !localclients
1139 #
1140 # This means only your local clients are allowed to fetch relayed/MISS
1141 # replies from the network and all other clients can only fetch cached
1142 # objects (HITs).
1143 #
1144 #
1145 # The default for this setting allows all clients who passed the
1146 # http_access rules to relay via this proxy.
1147 #
1148 # This clause only supports fast acl types.
1149 # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
1150 #Default:
1151 # none
1152
1153 # TAG: ident_lookup_access
1154 # Note: This option is only available if Squid is rebuilt with the
1155 # --enable-ident-lookups
1156 #
1157 # A list of ACL elements which, if matched, cause an ident
1158 # (RFC 931) lookup to be performed for this request. For
1159 # example, you might choose to always perform ident lookups
1160 # for your main multi-user Unix boxes, but not for your Macs
1161 # and PCs. By default, ident lookups are not performed for
1162 # any requests.
1163 #
1164 # To enable ident lookups for specific client addresses, you
1165 # can follow this example:
1166 #
1167 # acl ident_aware_hosts src 198.168.1.0/24
1168 # ident_lookup_access allow ident_aware_hosts
1169 # ident_lookup_access deny all
1170 #
1171 # Only src type ACL checks are fully supported. A srcdomain
1172 # ACL might work at times, but it will not always provide
1173 # the correct result.
1174 #
1175 # This clause only supports fast acl types.
1176 # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
1177 #Default:
1178 # ident_lookup_access deny all
1179
1180 # TAG: reply_body_max_size size [acl acl...]
1181 # This option specifies the maximum size of a reply body. It can be
1182 # used to prevent users from downloading very large files, such as
1183 # MP3's and movies. When the reply headers are received, the
1184 # reply_body_max_size lines are processed, and the first line where
1185 # all (if any) listed ACLs are true is used as the maximum body size
1186 # for this reply.
1187 #
1188 # This size is checked twice. First when we get the reply headers,
1189 # we check the content-length value. If the content length value exists
1190 # and is larger than the allowed size, the request is denied and the
1191 # user receives an error message that says "the request or reply
1192 # is too large." If there is no content-length, and the reply
1193 # size exceeds this limit, the client's connection is just closed
1194 # and they will receive a partial reply.
1195 #
1196 # WARNING: downstream caches probably can not detect a partial reply
1197 # if there is no content-length header, so they will cache
1198 # partial responses and give them out as hits. You should NOT
1199 # use this option if you have downstream caches.
1200 #
1201 # WARNING: A maximum size smaller than the size of squid's error messages
1202 # will cause an infinite loop and crash squid. Ensure that the smallest
1203 # non-zero value you use is greater than the maximum header size plus
1204 # the size of your largest error page.
1205 #
1206 # If you set this parameter none (the default), there will be
1207 # no limit imposed.
1208 #
1209 # Configuration Format is:
1210 # reply_body_max_size SIZE UNITS [acl ...]
1211 # ie.
1212 # reply_body_max_size 10 MB
1213 #
1214 #Default:
1215 # none
1216
1217 # NETWORK OPTIONS
1218 # -----------------------------------------------------------------------------
1219
1220 # TAG: http_port
1221 # Usage: port [mode] [options]
1222 # hostname:port [mode] [options]
1223 # 1.2.3.4:port [mode] [options]
1224 #
1225 # The socket addresses where Squid will listen for HTTP client
1226 # requests. You may specify multiple socket addresses.
1227 # There are three forms: port alone, hostname with port, and
1228 # IP address with port. If you specify a hostname or IP
1229 # address, Squid binds the socket to that specific
1230 # address. Most likely, you do not need to bind to a specific
1231 # address, so you can use the port number alone.
1232 #
1233 # If you are running Squid in accelerator mode, you
1234 # probably want to listen on port 80 also, or instead.
1235 #
1236 # The -a command line option may be used to specify additional
1237 # port(s) where Squid listens for proxy request. Such ports will
1238 # be plain proxy ports with no options.
1239 #
1240 # You may specify multiple socket addresses on multiple lines.
1241 #
1242 # Modes:
1243 #
1244 # intercept Support for IP-Layer interception of
1245 # outgoing requests without browser settings.
1246 # NP: disables authentication and IPv6 on the port.
1247 #
1248 # tproxy Support Linux TPROXY for spoofing outgoing
1249 # connections using the client IP address.
1250 # NP: disables authentication and maybe IPv6 on the port.
1251 #
1252 # accel Accelerator / reverse proxy mode
1253 #
1254 # ssl-bump Intercept each CONNECT request matching ssl_bump ACL,
1255 # establish secure connection with the client and with
1256 # the server, decrypt HTTP messages as they pass through
1257 # Squid, and treat them as unencrypted HTTP messages,
1258 # becoming the man-in-the-middle.
1259 #
1260 # The ssl_bump option is required to fully enable
1261 # the SslBump feature.
1262 #
1263 # Omitting the mode flag causes default forward proxy mode to be used.
1264 #
1265 #
1266 # Accelerator Mode Options:
1267 #
1268 # defaultsite=domainname
1269 # What to use for the Host: header if it is not present
1270 # in a request. Determines what site (not origin server)
1271 # accelerators should consider the default.
1272 #
1273 # no-vhost Disable using HTTP/1.1 Host header for virtual domain support.
1274 #
1275 # protocol= Protocol to reconstruct accelerated requests with.
1276 # Defaults to http for http_port and https for
1277 # https_port
1278 #
1279 # vport Virtual host port support. Using the http_port number
1280 # instead of the port passed on Host: headers.
1281 #
1282 # vport=NN Virtual host port support. Using the specified port
1283 # number instead of the port passed on Host: headers.
1284 #
1285 # act-as-origin
1286 # Act as if this Squid is the origin server.
1287 # This currently means generate new Date: and Expires:
1288 # headers on HIT instead of adding Age:.
1289 #
1290 # ignore-cc Ignore request Cache-Control headers.
1291 #
1292 # WARNING: This option violates HTTP specifications if
1293 # used in non-accelerator setups.
1294 #
1295 # allow-direct Allow direct forwarding in accelerator mode. Normally
1296 # accelerated requests are denied direct forwarding as if
1297 # never_direct was used.
1298 #
1299 # WARNING: this option opens accelerator mode to security
1300 # vulnerabilities usually only affecting interception
1301 # mode. Make sure to protect forwarding with suitable
1302 # http_access rules when using this.
1303 #
1304 #
1305 # SSL Bump Mode Options:
1306 # In addition to these options ssl-bump requires TLS/SSL options.
1307 #
1308 # generate-host-certificates[=<on|off>]
1309 # Dynamically create SSL server certificates for the
1310 # destination hosts of bumped CONNECT requests. When
1311 # enabled, the cert and key options are used to sign
1312 # generated certificates. Otherwise generated
1313 # certificate will be self-signed.
1314 # If there is a CA certificate, the lifetime of the generated
1315 # certificate equals the lifetime of the CA certificate. If the
1316 # generated certificate is self-signed, its lifetime is three
1317 # years.
1318 # This option is enabled by default when ssl-bump is used.
1319 # See the ssl-bump option above for more information.
1320 #
1321 # dynamic_cert_mem_cache_size=SIZE
1322 # Approximate total RAM size spent on cached generated
1323 # certificates. If set to zero, caching is disabled. The
1324 # default value is 4MB. An average XXX-bit certificate
1325 # consumes about XXX bytes of RAM.
1326 #
1327 # TLS / SSL Options:
1328 #
1329 # cert= Path to SSL certificate (PEM format).
1330 #
1331 # key= Path to SSL private key file (PEM format)
1332 # if not specified, the certificate file is
1333 # assumed to be a combined certificate and
1334 # key file.
1335 #
1336 # version= The version of SSL/TLS supported
1337 # 1 automatic (default)
1338 # 2 SSLv2 only
1339 # 3 SSLv3 only
1340 # 4 TLSv1.0 only
1341 # 5 TLSv1.1 only
1342 # 6 TLSv1.2 only
1343 #
1344 # cipher= Colon separated list of supported ciphers.
1345 # NOTE: some ciphers such as EDH ciphers depend on
1346 # additional settings. If those settings are
1347 # omitted the ciphers may be silently ignored
1348 # by the OpenSSL library.
1349 #
1350 # options= Various SSL implementation options. The most important
1351 # being:
1352 # NO_SSLv2 Disallow the use of SSLv2
1353 # NO_SSLv3 Disallow the use of SSLv3
1354 # NO_TLSv1 Disallow the use of TLSv1.0
1355 # NO_TLSv1_1 Disallow the use of TLSv1.1
1356 # NO_TLSv1_2 Disallow the use of TLSv1.2
1357 # SINGLE_DH_USE Always create a new key when using
1358 # temporary/ephemeral DH key exchanges
1359 # ALL Enable various bug workarounds
1360 # suggested as "harmless" by OpenSSL
1361 # Be warned that this reduces SSL/TLS
1362 # strength to some attacks.
1363 # See OpenSSL SSL_CTX_set_options documentation for a
1364 # complete list of options.
1365 #
1366 # clientca= File containing the list of CAs to use when
1367 # requesting a client certificate.
1368 #
1369 # cafile= File containing additional CA certificates to
1370 # use when verifying client certificates. If unset
1371 # clientca will be used.
1372 #
1373 # capath= Directory containing additional CA certificates
1374 # and CRL lists to use when verifying client certificates.
1375 #
1376 # crlfile= File of additional CRL lists to use when verifying
1377 # the client certificate, in addition to CRLs stored in
1378 # the capath. Implies VERIFY_CRL flag below.
1379 #
1380 # dhparams= File containing DH parameters for temporary/ephemeral
1381 # DH key exchanges. See OpenSSL documentation for details
1382 # on how to create this file.
1383 # WARNING: EDH ciphers will be silently disabled if this
1384 # option is not set.
1385 #
1386 # sslflags= Various flags modifying the use of SSL:
1387 # DELAYED_AUTH
1388 # Don't request client certificates
1389 # immediately, but wait until acl processing
1390 # requires a certificate (not yet implemented).
1391 # NO_DEFAULT_CA
1392 # Don't use the default CA lists built in
1393 # to OpenSSL.
1394 # NO_SESSION_REUSE
1395 # Don't allow for session reuse. Each connection
1396 # will result in a new SSL session.
1397 # VERIFY_CRL
1398 # Verify CRL lists when accepting client
1399 # certificates.
1400 # VERIFY_CRL_ALL
1401 # Verify CRL lists for all certificates in the
1402 # client certificate chain.
1403 #
1404 # sslcontext= SSL session ID context identifier.
1405 #
1406 # Other Options:
1407 #
1408 # connection-auth[=on|off]
1409 # use connection-auth=off to tell Squid to prevent
1410 # forwarding Microsoft connection oriented authentication
1411 # (NTLM, Negotiate and Kerberos)
1412 #
1413 # disable-pmtu-discovery=
1414 # Control Path-MTU discovery usage:
1415 # off lets OS decide on what to do (default).
1416 # transparent disable PMTU discovery when transparent
1417 # support is enabled.
1418 # always always disable PMTU discovery.
1419 #
1420 # In many setups of transparently intercepting proxies
1421 # Path-MTU discovery can not work on traffic towards the
1422 # clients. This is the case when the intercepting device
1423 # does not fully track connections and fails to forward
1424 # ICMP must fragment messages to the cache server. If you
1425 # have such setup and experience that certain clients
1426 # sporadically hang or never complete requests set
1427 # disable-pmtu-discovery option to 'transparent'.
1428 #
1429 # name= Specifies an internal name for the port. Defaults to
1430 # the port specification (port or addr:port)
1431 #
1432 # tcpkeepalive[=idle,interval,timeout]
1433 # Enable TCP keepalive probes of idle connections.
1434 # In seconds; idle is the initial time before TCP starts
1435 # probing the connection, interval how often to probe, and
1436 # timeout the time before giving up.
1437 #
1438 # If you run Squid on a dual-homed machine with an internal
1439 # and an external interface we recommend you to specify the
1440 # internal address:port in http_port. This way Squid will only be
1441 # visible on the internal address.
1442 #
1443 #
1444
# Squid normally listens to port 3128.
# No address is given here, so the socket is not bound to a specific
# address (see the http_port usage notes above). On a dual-homed host
# those notes recommend "internal-address:3128" instead, so that the
# proxy is only visible on the internal side and the http_access rules
# are not the sole barrier against outside clients.
http_port 3128
1447
1448 # TAG: https_port
1449 # Usage: [ip:]port cert=certificate.pem [key=key.pem] [mode] [options...]
1450 #
1451 # The socket address where Squid will listen for client requests made
1452 # over TLS or SSL connections. Commonly referred to as HTTPS.
1453 #
1454 # This is most useful for situations where you are running squid in
1455 # accelerator mode and you want to do the SSL work at the accelerator level.
1456 #
1457 # You may specify multiple socket addresses on multiple lines,
1458 # each with their own SSL certificate and/or options.
1459 #
1460 # See http_port for a list of available options.
1461 #Default:
1462 # none
1463
1464 # TAG: tcp_outgoing_tos
1465 # Allows you to select a TOS/Diffserv value for packets outgoing
1466 # on the server side, based on an ACL.
1467 #
1468 # tcp_outgoing_tos ds-field [!]aclname ...
1469 #
1470 # Example where normal_service_net uses the TOS value 0x00
1471 # and good_service_net uses 0x20
1472 #
1473 # acl normal_service_net src 10.0.0.0/24
1474 # acl good_service_net src 10.0.1.0/24
1475 # tcp_outgoing_tos 0x00 normal_service_net
1476 # tcp_outgoing_tos 0x20 good_service_net
1477 #
1478 # TOS/DSCP values really only have local significance - so you should
1479 # know what you're specifying. For more information, see RFC2474,
1480 # RFC2475, and RFC3260.
1481 #
1482 # The TOS/DSCP byte must be exactly that - an octet value 0 - 255, or
1483 # "default" to use whatever default your host has. Note that in
1484 # practice often only multiples of 4 are usable as the two rightmost bits
1485 # have been redefined for use by ECN (RFC 3168 section 23.1).
1486 #
1487 # Processing proceeds in the order specified, and stops at first fully
1488 # matching line.
1489 #Default:
1490 # none
1491
1492 # TAG: clientside_tos
1493 # Allows you to select a TOS/Diffserv value for packets being transmitted
1494 # on the client-side, based on an ACL.
1495 #
1496 # clientside_tos ds-field [!]aclname ...
1497 #
1498 # Example where normal_service_net uses the TOS value 0x00
1499 # and good_service_net uses 0x20
1500 #
1501 # acl normal_service_net src 10.0.0.0/24
1502 # acl good_service_net src 10.0.1.0/24
1503 # clientside_tos 0x00 normal_service_net
1504 # clientside_tos 0x20 good_service_net
1505 #
1506 # Note: This feature is incompatible with qos_flows. Any TOS values set here
1507 # will be overwritten by TOS values in qos_flows.
1508 #Default:
1509 # none
1510
1511 # TAG: tcp_outgoing_mark
1512 # Note: This option is only available if Squid is rebuilt with the
1513 # Packet MARK (Linux)
1514 #
1515 # Allows you to apply a Netfilter mark value to outgoing packets
1516 # on the server side, based on an ACL.
1517 #
1518 # tcp_outgoing_mark mark-value [!]aclname ...
1519 #
1520 # Example where normal_service_net uses the mark value 0x00
1521 # and good_service_net uses 0x20
1522 #
1523 # acl normal_service_net src 10.0.0.0/24
1524 # acl good_service_net src 10.0.1.0/24
1525 # tcp_outgoing_mark 0x00 normal_service_net
1526 # tcp_outgoing_mark 0x20 good_service_net
1527 #Default:
1528 # none
1529
1530 # TAG: clientside_mark
1531 # Note: This option is only available if Squid is rebuilt with the
1532 # Packet MARK (Linux)
1533 #
1534 # Allows you to apply a Netfilter mark value to packets being transmitted
1535 # on the client-side, based on an ACL.
1536 #
1537 # clientside_mark mark-value [!]aclname ...
1538 #
1539 # Example where normal_service_net uses the mark value 0x00
1540 # and good_service_net uses 0x20
1541 #
1542 # acl normal_service_net src 10.0.0.0/24
1543 # acl good_service_net src 10.0.1.0/24
1544 # clientside_mark 0x00 normal_service_net
1545 # clientside_mark 0x20 good_service_net
1546 #
1547 # Note: This feature is incompatible with qos_flows. Any mark values set here
1548 # will be overwritten by mark values in qos_flows.
1549 #Default:
1550 # none
1551
1552 # TAG: qos_flows
1553 # Allows you to select a TOS/DSCP value to mark outgoing
1554 # connections with, based on where the reply was sourced. For
1555 # platforms using netfilter, allows you to set a netfilter mark
1556 # value instead of, or in addition to, a TOS value.
1557 #
1558 # TOS values really only have local significance - so you should
1559 # know what you're specifying. For more information, see RFC2474,
1560 # RFC2475, and RFC3260.
1561 #
1562 # The TOS/DSCP byte must be exactly that - an octet value 0 - 255. Note that
1563 # in practice often only multiples of 4 are usable as the two rightmost bits
1564 # have been redefined for use by ECN (RFC 3168 section 23.1).
1565 #
1566 # Mark values can be any unsigned 32-bit integer value.
1567 #
1568 # This setting is configured by setting the following values:
1569 #
1570 # tos|mark Whether to set TOS or netfilter mark values
1571 #
1572 # local-hit=0xFF Value to mark local cache hits.
1573 #
1574 # sibling-hit=0xFF Value to mark hits from sibling peers.
1575 #
1576 # parent-hit=0xFF Value to mark hits from parent peers.
1577 #
1578 # miss=0xFF[/mask] Value to mark cache misses. Takes precedence
1579 # over the preserve-miss feature (see below), unless
1580 # mask is specified, in which case only the bits
1581 # specified in the mask are written.
1582 #
1583 # The TOS variant of the following features are only possible on Linux
1584 # and require your kernel to be patched with the TOS preserving ZPH
1585 # patch, available from http://zph.bratcheda.org
1586 # No patch is needed to preserve the netfilter mark, which will work
1587 # with all variants of netfilter.
1588 #
1589 # disable-preserve-miss
1590 # This option disables the preservation of the TOS or netfilter
1591 # mark. By default, the existing TOS or netfilter mark value of
1592 # the response coming from the remote server will be retained
1593 # and masked with miss-mark.
1594 # NOTE: in the case of a netfilter mark, the mark must be set on
1595 # the connection (using the CONNMARK target) not on the packet
1596 # (MARK target).
1597 #
1598 # miss-mask=0xFF
1599 # Allows you to mask certain bits in the TOS or mark value
1600 # received from the remote server, before copying the value to
1601 # the TOS sent towards clients.
1602 # Default for tos: 0xFF (TOS from server is not changed).
1603 # Default for mark: 0xFFFFFFFF (mark from server is not changed).
1604 #
1605 # All of these features require the --enable-zph-qos compilation flag
1606 # (enabled by default). Netfilter marking also requires the
1607 # libnetfilter_conntrack libraries (--with-netfilter-conntrack) and
1608 # libcap 2.09+ (--with-libcap).
1609 #
1610 #Default:
1611 # none
1612
1613 # TAG: tcp_outgoing_address
1614 # Allows you to map requests to different outgoing IP addresses
1615 # based on the username or source address of the user making
1616 # the request.
1617 #
1618 # tcp_outgoing_address ipaddr [[!]aclname] ...
1619 #
1620 # For example;
1621 # Forwarding clients with dedicated IPs for certain subnets.
1622 #
1623 # acl normal_service_net src 10.0.0.0/24
1624 # acl good_service_net src 10.0.2.0/24
1625 #
1626 # tcp_outgoing_address 2001:db8::c001 good_service_net
1627 # tcp_outgoing_address 10.1.0.2 good_service_net
1628 #
1629 # tcp_outgoing_address 2001:db8::beef normal_service_net
1630 # tcp_outgoing_address 10.1.0.1 normal_service_net
1631 #
1632 # tcp_outgoing_address 2001:db8::1
1633 # tcp_outgoing_address 10.1.0.3
1634 #
1635 # Processing proceeds in the order specified, and stops at first fully
1636 # matching line.
1637 #
1638 # Squid will add an implicit IP version test to each line.
1639 # Requests going to IPv4 websites will use the outgoing 10.1.0.* addresses.
1640 # Requests going to IPv6 websites will use the outgoing 2001:db8:* addresses.
1641 #
1642 #
1643 # NOTE: The use of this directive using client dependent ACLs is
1644 # incompatible with the use of server side persistent connections. To
1645 # ensure correct results it is best to set server_persistent_connections
1646 # to off when using this directive in such configurations.
1647 #
1648 # NOTE: The use of this directive to set a local IP on outgoing TCP links
1649 # is incompatible with using TPROXY to set the client IP on outbound TCP links.
1650 # When needing to contact peers, use the no-tproxy cache_peer option and the
1651 # client_dst_passthru directive to re-enable normal forwarding such as this.
1652 #
1653 #Default:
1654 # none
1655
1656 # TAG: host_verify_strict
1657 # Regardless of this option setting, when dealing with intercepted
1658 # traffic, Squid always verifies that the destination IP address matches
1659 # the Host header domain or IP (called 'authority form URL').
1660 #
1661 # This enforcement is performed to satisfy a MUST-level requirement in
1662 # RFC 2616 section 14.23: "The Host field value MUST represent the naming
1663 # authority of the origin server or gateway given by the original URL".
1664 #
1665 # When set to ON:
1666 # Squid always responds with an HTTP 409 (Conflict) error
1667 # page and logs a security warning if there is no match.
1668 #
1669 # Squid verifies that the destination IP address matches
1670 # the Host header for forward-proxy and reverse-proxy traffic
1671 # as well. For those traffic types, Squid also enables the
1672 # following checks, comparing the corresponding Host header
1673 # and Request-URI components:
1674 #
1675 # * The host names (domain or IP) must be identical,
1676 # but a valueless or missing Host header disables all checks.
1677 # For the two host names to match, both must be either IP
1678 # or FQDN.
1679 #
1680 # * Port numbers must be identical, but if a port is missing
1681 # the scheme-default port is assumed.
1682 #
1683 #
1684 # When set to OFF (the default):
1685 # Squid allows suspicious requests to continue but logs a
1686 # security warning and blocks caching of the response.
1687 #
1688 # * Forward-proxy traffic is not checked at all.
1689 #
1690 # * Reverse-proxy traffic is not checked at all.
1691 #
1692 # * Intercepted traffic which passes verification is handled
1693 # according to client_dst_passthru.
1694 #
1695 # * Intercepted requests which fail verification are sent
1696 # to the client's original destination instead of DIRECT.
1697 # This overrides 'client_dst_passthru off'.
1698 #
1699 # For now suspicious intercepted CONNECT requests are always
1700 # responded to with an HTTP 409 (Conflict) error page.
1701 #
1702 #
1703 # SECURITY NOTE:
1704 #
1705 # As described in CVE-2009-0801 when the Host: header alone is used
1706 # to determine the destination of a request it becomes trivial for
1707 # malicious scripts on remote websites to bypass browser same-origin
1708 # security policy and sandboxing protections.
1709 #
1710 # The cause of this is that such applets are allowed to perform their
1711 # own HTTP stack, in which case the same-origin policy of the browser
1712 # sandbox only verifies that the applet tries to contact the same IP
1713 # as from where it was loaded at the IP level. The Host: header may
1714 # be different from the connected IP and approved origin.
1715 #
1716 #Default:
1717 # host_verify_strict off
1718
1719 # TAG: client_dst_passthru
1720 # With NAT or TPROXY intercepted traffic Squid may pass the request
1721 # directly to the original client destination IP or seek a faster
1722 # source using the HTTP Host header.
1723 #
1724 # Using Host to locate alternative servers can provide faster
1725 # connectivity with a range of failure recovery options.
1726 # But can also lead to connectivity trouble when the client and
1727 # server are attempting stateful interactions unaware of the proxy.
1728 #
1729 # This option (on by default) prevents alternative DNS entries being
1730 # located to send intercepted traffic DIRECT to an origin server.
1731 # The client's original destination IP and port will be used instead.
1732 #
1733 # Regardless of this option setting, when dealing with intercepted
1734 # traffic Squid will verify the Host: header and any traffic which
1735 # fails Host verification will be treated as if this option were ON.
1736 #
1737 # see host_verify_strict for details on the verification process.
1738 #Default:
1739 # client_dst_passthru on
1740
1741 # SSL OPTIONS
1742 # -----------------------------------------------------------------------------
1743
1744 # TAG: ssl_unclean_shutdown
1745 # Some browsers (especially MSIE) bug out on SSL shutdown
1746 # messages.
1747 #Default:
1748 # ssl_unclean_shutdown off
1749
1750 # TAG: ssl_engine
1751 # The OpenSSL engine to use. You will need to set this if you
1752 # would like to use hardware SSL acceleration for example.
1753 #Default:
1754 # none
1755
1756 # TAG: sslproxy_client_certificate
1757 # Client SSL Certificate to use when proxying https:// URLs
1758 #Default:
1759 # none
1760
1761 # TAG: sslproxy_client_key
1762 # Client SSL Key to use when proxying https:// URLs
1763 #Default:
1764 # none
1765
1766 # TAG: sslproxy_version
1767 # SSL version level to use when proxying https:// URLs
1768 #
1769 # The versions of SSL/TLS supported:
1770 #
1771 # 1 automatic (default)
1772 # 2 SSLv2 only
1773 # 3 SSLv3 only
1774 # 4 TLSv1.0 only
1775 # 5 TLSv1.1 only
1776 # 6 TLSv1.2 only
1777 #Default:
1778 # sslproxy_version 1
1779
1780 # TAG: sslproxy_options
1781 # SSL implementation options to use when proxying https:// URLs
1782 #
1783 # The most important being:
1784 #
1785 # NO_SSLv2 Disallow the use of SSLv2
1786 # NO_SSLv3 Disallow the use of SSLv3
1787 # NO_TLSv1 Disallow the use of TLSv1.0
1788 # NO_TLSv1_1 Disallow the use of TLSv1.1
1789 # NO_TLSv1_2 Disallow the use of TLSv1.2
1790 # SINGLE_DH_USE
1791 # Always create a new key when using temporary/ephemeral
1792 # DH key exchanges
1793 # SSL_OP_NO_TICKET
1794 # Disable use of RFC5077 session tickets. Some servers
1795 # may have problems understanding the TLS extension due
1796 # to ambiguous specification in RFC4507.
1797 # ALL Enable various bug workarounds suggested as "harmless"
1798 # by OpenSSL. Be warned that this may reduce SSL/TLS
1799 # strength to some attacks.
1800 #
1801 # See the OpenSSL SSL_CTX_set_options documentation for a
1802 # complete list of possible options.
1803 #Default:
1804 # none
1805
1806 # TAG: sslproxy_cipher
1807 # SSL cipher list to use when proxying https:// URLs
1808 #
1809 # Colon separated list of supported ciphers.
1810 #Default:
1811 # none
1812
1813 # TAG: sslproxy_cafile
1814 # file containing CA certificates to use when verifying server
1815 # certificates while proxying https:// URLs
1816 #Default:
1817 # none
1818
1819 # TAG: sslproxy_capath
1820 # directory containing CA certificates to use when verifying
1821 # server certificates while proxying https:// URLs
1822 #Default:
1823 # none
1824
1825 # TAG: ssl_bump
1826 # This ACL controls which CONNECT requests to an http_port
1827 # marked with an sslBump flag are actually "bumped". Please
1828 # see the sslBump flag of an http_port option for more details
1829 # about decoding proxied SSL connections.
1830 #
1831 # By default, no requests are bumped.
1832 #
1833 # See also: http_port ssl-bump
1834 #
1835 # This clause supports both fast and slow acl types.
1836 # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
1837 #
1838 #
1839 # # Example: Bump all requests except those originating from localhost and
1840 # # those going to webax.com or example.com sites.
1841 #
1842 # acl localhost src 127.0.0.1/32
1843 # acl broken_sites dstdomain .webax.com
1844 # acl broken_sites dstdomain .example.com
1845 # ssl_bump deny localhost
1846 # ssl_bump deny broken_sites
1847 # ssl_bump allow all
1848 #Default:
1849 # none
1850
1851 # TAG: sslproxy_flags
1852 # Various flags modifying the use of SSL while proxying https:// URLs:
1853 # DONT_VERIFY_PEER Accept certificates that fail verification.
1854 # For refined control, see sslproxy_cert_error.
1855 # NO_DEFAULT_CA Don't use the default CA list built in
1856 # to OpenSSL.
1857 #Default:
1858 # none
1859
1860 # TAG: sslproxy_cert_error
1861 # Use this ACL to bypass server certificate validation errors.
1862 #
1863 # For example, the following lines will bypass all validation errors
1864 # when talking to servers for example.com. All other
1865 # validation errors will result in ERR_SECURE_CONNECT_FAIL error.
1866 #
1867 # acl BrokenButTrustedServers dstdomain example.com
1868 # sslproxy_cert_error allow BrokenButTrustedServers
1869 # sslproxy_cert_error deny all
1870 #
1871 # This clause only supports fast acl types.
1872 # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
1873 # Using slow acl types may result in server crashes.
1874 #
1875 # Without this option, all server certificate validation errors
1876 # terminate the transaction. Bypassing validation errors is dangerous
1877 # because an error usually implies that the server cannot be trusted and
1878 # the connection may be insecure.
1879 #
1880 # See also: sslproxy_flags and DONT_VERIFY_PEER.
1881 #
1882 # Default setting: sslproxy_cert_error deny all
1883 #Default:
1884 # none
1885
1886 # TAG: sslpassword_program
1887 # Specify a program used for entering SSL key passphrases
1888 # when using encrypted SSL certificate keys. If not specified
1889 # keys must either be unencrypted, or Squid started with the -N
1890 # option to allow it to query interactively for the passphrase.
1891 #
1892 # The key file name is given as argument to the program allowing
1893 # selection of the right password if you have multiple encrypted
1894 # keys.
1895 #Default:
1896 # none
1897
1898 # OPTIONS RELATING TO EXTERNAL SSL_CRTD
1899 # -----------------------------------------------------------------------------
1900
1901 # TAG: sslcrtd_program
1902 # Note: This option is only available if Squid is rebuilt with the
1903 # --enable-ssl-crtd
1904 #
1905 # Specify the location and options of the executable for ssl_crtd process.
1906 # /usr/lib64/squid/ssl_crtd program requires -s and -M parameters
1907 # For more information use:
1908 # /usr/lib64/squid/ssl_crtd -h
1909 #Default:
1910 # sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
1911
1912 # TAG: sslcrtd_children
1913 # Note: This option is only available if Squid is rebuilt with the
1914 # --enable-ssl-crtd
1915 #
1916 # The maximum number of processes spawned to service the ssl server.
1917 # The maximum this may be safely set to is 32.
1918 #
1919 # The startup= and idle= options allow some measure of skew in your
1920 # tuning.
1921 #
1922 # startup=N
1923 #
1924 # Sets the minimum number of processes to spawn when Squid
1925 # starts or reconfigures. When set to zero the first request will
1926 # cause spawning of the first child process to handle it.
1927 #
1928 # Starting too few children temporarily slows Squid under load while it
1929 # tries to spawn enough additional processes to cope with traffic.
1930 #
1931 # idle=N
1932 #
1933 # Sets a minimum of how many processes Squid is to try and keep available
1934 # at all times. When traffic begins to rise above what the existing
1935 # processes can handle this many more will be spawned up to the maximum
1936 # configured. A minimum setting of 1 is required.
1937 #
1938 # You must have at least one ssl_crtd process.
1939 #Default:
1940 # sslcrtd_children 32 startup=5 idle=1
1941
1942 # OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
1943 # -----------------------------------------------------------------------------
1944
1945 # TAG: cache_peer
1946 # To specify other caches in a hierarchy, use the format:
1947 #
1948 # cache_peer hostname type http-port icp-port [options]
1949 #
1950 # For example,
1951 #
1952 # # proxy icp
1953 # # hostname type port port options
1954 # # -------------------- -------- ----- ----- -----------
1955 # cache_peer parent.foo.net parent 3128 3130 default
1956 # cache_peer sib1.foo.net sibling 3128 3130 proxy-only
1957 # cache_peer sib2.foo.net sibling 3128 3130 proxy-only
1958 # cache_peer example.com parent 80 0 default
1959 # cache_peer cdn.example.com sibling 3128 0
1960 #
1961 # type: either 'parent', 'sibling', or 'multicast'.
1962 #
1963 # proxy-port: The port number where the peer accepts HTTP requests.
1964 # For other Squid proxies this is usually 3128
1965 # For web servers this is usually 80
1966 #
1967 # icp-port: Used for querying neighbor caches about objects.
1968 # Set to 0 if the peer does not support ICP or HTCP.
1969 # See ICP and HTCP options below for additional details.
1970 #
1971 #
1972 # ==== ICP OPTIONS ====
1973 #
1974 # You MUST also set icp_port and icp_access explicitly when using these options.
1975 # The defaults will prevent peer traffic using ICP.
1976 #
1977 #
1978 # no-query Disable ICP queries to this neighbor.
1979 #
1980 # multicast-responder
1981 # Indicates the named peer is a member of a multicast group.
1982 # ICP queries will not be sent directly to the peer, but ICP
1983 # replies will be accepted from it.
1984 #
1985 # closest-only Indicates that, for ICP_OP_MISS replies, we'll only forward
1986 # CLOSEST_PARENT_MISSes and never FIRST_PARENT_MISSes.
1987 #
1988 # background-ping
1989 # To only send ICP queries to this neighbor infrequently.
1990 # This is used to keep the neighbor round trip time updated
1991 # and is usually used in conjunction with weighted-round-robin.
1992 #
1993 #
1994 # ==== HTCP OPTIONS ====
1995 #
1996 # You MUST also set htcp_port and htcp_access explicitly when using these options.
1997 # The defaults will prevent peer traffic using HTCP.
1998 #
1999 #
2000 # htcp Send HTCP, instead of ICP, queries to the neighbor.
2001 # You probably also want to set the "icp-port" to 4827
2002 # instead of 3130. This directive accepts a comma separated
2003 # list of options described below.
2004 #
2005 # htcp=oldsquid Send HTCP to old Squid versions (2.5 or earlier).
2006 #
2007 # htcp=no-clr Send HTCP to the neighbor but without
2008 # sending any CLR requests. This cannot be used with
2009 # only-clr.
2010 #
2011 # htcp=only-clr Send HTCP to the neighbor but ONLY CLR requests.
2012 # This cannot be used with no-clr.
2013 #
2014 # htcp=no-purge-clr
2015 # Send HTCP to the neighbor including CLRs but only when
2016 # they do not result from PURGE requests.
2017 #
2018 # htcp=forward-clr
2019 # Forward any HTCP CLR requests this proxy receives to the peer.
2020 #
2021 #
2022 # ==== PEER SELECTION METHODS ====
2023 #
2024 # The default peer selection method is ICP, with the first responding peer
2025 # being used as source. These options can be used for better load balancing.
2026 #
2027 #
2028 # default This is a parent cache which can be used as a "last-resort"
2029 # if a peer cannot be located by any of the peer-selection methods.
2030 # If specified more than once, only the first is used.
2031 #
2032 # round-robin Load-Balance parents which should be used in a round-robin
2033 # fashion in the absence of any ICP queries.
2034 # weight=N can be used to add bias.
2035 #
2036 # weighted-round-robin
2037 # Load-Balance parents which should be used in a round-robin
2038 # fashion with the frequency of each parent being based on the
2039 # round trip time. Closer parents are used more often.
2040 # Usually used for background-ping parents.
2041 # weight=N can be used to add bias.
2042 #
2043 # carp Load-Balance parents which should be used as a CARP array.
2044 # The requests will be distributed among the parents based on the
2045 # CARP load balancing hash function based on their weight.
2046 #
2047 # userhash Load-balance parents based on the client proxy_auth or ident username.
2048 #
2049 # sourcehash Load-balance parents based on the client source IP.
2050 #
2051 # multicast-siblings
2052 # To be used only for cache peers of type "multicast".
2053 # ALL members of this multicast group have "sibling"
2054 # relationship with it, not "parent". This is to a multicast
2055 # group when the requested object would be fetched only from
2056 # a "parent" cache, anyway. It's useful, e.g., when
2057 # configuring a pool of redundant Squid proxies, being
2058 # members of the same multicast group.
2059 #
2060 #
2061 # ==== PEER SELECTION OPTIONS ====
2062 #
2063 # weight=N use to affect the selection of a peer during any weighted
2064 # peer-selection mechanisms.
2065 # The weight must be an integer; default is 1,
2066 # larger weights are favored more.
2067 # This option does not affect parent selection if a peering
2068 # protocol is not in use.
2069 #
2070 # basetime=N Specify a base amount to be subtracted from round trip
2071 # times of parents.
2072 # It is subtracted before division by weight in calculating
2073 # which parent to fetch from. If the rtt is less than the
2074 # base time the rtt is set to a minimal value.
2075 #
2076 # ttl=N Specify a TTL to use when sending multicast ICP queries
2077 # to this address.
2078 # Only useful when sending to a multicast group.
2079 # Because we don't accept ICP replies from random
2080 # hosts, you must configure other group members as
2081 # peers with the 'multicast-responder' option.
2082 #
2083 # no-delay To prevent access to this neighbor from influencing the
2084 # delay pools.
2085 #
2086 # digest-url=URL Tell Squid to fetch the cache digest (if digests are
2087 # enabled) for this host from the specified URL rather
2088 # than the Squid default location.
2089 #
2090 #
2091 # ==== CARP OPTIONS ====
2092 #
2093 # carp-key=key-specification
2094 # use a different key than the full URL to hash against the peer.
2095 # the key-specification is a comma-separated list of the keywords
2096 # scheme, host, port, path, params
2097 # Order is not important.
2098 #
2099 # ==== ACCELERATOR / REVERSE-PROXY OPTIONS ====
2100 #
2101 # originserver Causes this parent to be contacted as an origin server.
2102 # Meant to be used in accelerator setups when the peer
2103 # is a web server.
2104 #
2105 # forceddomain=name
2106 # Set the Host header of requests forwarded to this peer.
2107 # Useful in accelerator setups where the server (peer)
2108 # expects a certain domain name but clients may request
2109 # others, i.e. example.com or www.example.com
2110 #
2111 # no-digest Disable request of cache digests.
2112 #
2113 # no-netdb-exchange
2114 # Disables requesting ICMP RTT database (NetDB).
2115 #
2116 #
2117 # ==== AUTHENTICATION OPTIONS ====
2118 #
2119 # login=user:password
2120 # If this is a personal/workgroup proxy and your parent
2121 # requires proxy authentication.
2122 #
2123 # Note: The string can include URL escapes (i.e. %20 for
2124 # spaces). This also means % must be written as %%.
2125 #
2126 # login=PASSTHRU
2127 # Send login details received from client to this peer.
2128 # Both Proxy- and WWW-Authorization headers are passed
2129 # without alteration to the peer.
2130 # Authentication is not required by Squid for this to work.
2131 #
2132 # Note: This will pass any form of authentication but
2133 # only Basic auth will work through a proxy unless the
2134 # connection-auth options are also used.
2135 #
2136 # login=PASS Send login details received from client to this peer.
2137 # Authentication is not required by this option.
2138 #
2139 # If there are no client-provided authentication headers
2140 # to pass on, but username and password are available
2141 # from an external ACL user= and password= result tags
2142 # they may be sent instead.
2143 #
2144 # Note: To combine this with proxy_auth both proxies must
2145 # share the same user database as HTTP only allows for
2146 # a single login (one for proxy, one for origin server).
2147 # Also be warned this will expose your users' proxy
2148 # password to the peer. USE WITH CAUTION
2149 #
2150 # login=*:password
2151 # Send the username to the upstream cache, but with a
2152 # fixed password. This is meant to be used when the peer
2153 # is in another administrative domain, but it is still
2154 # needed to identify each user.
2155 # The star can optionally be followed by some extra
2156 # information which is added to the username. This can
2157 # be used to identify this proxy to the peer, similar to
2158 # the login=username:password option above.
2159 #
2160 # login=NEGOTIATE
2161 # If this is a personal/workgroup proxy and your parent
2162 # requires a secure proxy authentication.
2163 # The first principal from the default keytab or defined by
2164 # the environment variable KRB5_KTNAME will be used.
2165 #
2166 # WARNING: The connection may transmit requests from multiple
2167 # clients. Negotiate often assumes end-to-end authentication
2168 # and a single client, which is not strictly true here.
2169 #
2170 # login=NEGOTIATE:principal_name
2171 # If this is a personal/workgroup proxy and your parent
2172 # requires a secure proxy authentication.
2173 # The principal principal_name from the default keytab or
2174 # defined by the environment variable KRB5_KTNAME will be
2175 # used.
2176 #
2177 # WARNING: The connection may transmit requests from multiple
2178 # clients. Negotiate often assumes end-to-end authentication
2179 # and a single client, which is not strictly true here.
2180 #
2181 # connection-auth=on|off
2182 # Tell Squid that this peer does or does not support Microsoft
2183 # connection oriented authentication, and any such
2184 # challenges received from there should be ignored.
2185 # Default is auto to automatically determine the status
2186 # of the peer.
2187 #
2188 #
2189 # ==== SSL / HTTPS / TLS OPTIONS ====
2190 #
2191 # ssl Encrypt connections to this peer with SSL/TLS.
2192 #
2193 # sslcert=/path/to/ssl/certificate
2194 # A client SSL certificate to use when connecting to
2195 # this peer.
2196 #
2197 # sslkey=/path/to/ssl/key
2198 # The private SSL key corresponding to sslcert above.
2199 # If 'sslkey' is not specified 'sslcert' is assumed to
2200 # reference a combined file containing both the
2201 # certificate and the key.
2202 #
2203 # sslversion=1|2|3|4|5|6
2204 # The SSL version to use when connecting to this peer
2205 # 1 = automatic (default)
2206 # 2 = SSL v2 only
2207 # 3 = SSL v3 only
2208 # 4 = TLS v1.0 only
2209 # 5 = TLS v1.1 only
2210 # 6 = TLS v1.2 only
2211 #
2212 # sslcipher=... The list of valid SSL ciphers to use when connecting
2213 # to this peer.
2214 #
2215 # ssloptions=... Specify various SSL implementation options:
2216 #
2217 # NO_SSLv2 Disallow the use of SSLv2
2218 # NO_SSLv3 Disallow the use of SSLv3
2219 # NO_TLSv1 Disallow the use of TLSv1.0
2220 # NO_TLSv1_1 Disallow the use of TLSv1.1
2221 # NO_TLSv1_2 Disallow the use of TLSv1.2
2222 # SINGLE_DH_USE
2223 # Always create a new key when using
2224 # temporary/ephemeral DH key exchanges
2225 # ALL Enable various bug workarounds
2226 # suggested as "harmless" by OpenSSL
2227 # Be warned that this reduces SSL/TLS
2228 # strength to some attacks.
2229 #
2230 # See the OpenSSL SSL_CTX_set_options documentation for a
2231 # more complete list.
2232 #
2233 # sslcafile=... A file containing additional CA certificates to use
2234 # when verifying the peer certificate.
2235 #
2236 # sslcapath=... A directory containing additional CA certificates to
2237 # use when verifying the peer certificate.
2238 #
2239 # sslcrlfile=... A certificate revocation list file to use when
2240 # verifying the peer certificate.
2241 #
2242 # sslflags=... Specify various flags modifying the SSL implementation:
2243 #
2244 # DONT_VERIFY_PEER
2245 # Accept certificates even if they fail to
2246 # verify.
2247 # NO_DEFAULT_CA
2248 # Don't use the default CA list built in
2249 # to OpenSSL.
2250 # DONT_VERIFY_DOMAIN
2251 # Don't verify the peer certificate
2252 # matches the server name
2253 #
2254 # ssldomain= The peer name as advertised in its certificate.
2255 # Used for verifying the correctness of the received peer
2256 # certificate. If not specified the peer hostname will be
2257 # used.
2258 #
2259 # front-end-https
2260 # Enable the "Front-End-Https: On" header needed when
2261 # using Squid as a SSL frontend in front of Microsoft OWA.
2262 # See MS KB document Q307347 for details on this header.
2263 # If set to auto the header will only be added if the
2264 # request is forwarded as a https:// URL.
2265 #
2266 #
2267 # ==== GENERAL OPTIONS ====
2268 #
2269 # connect-timeout=N
2270 # A peer-specific connect timeout.
2271 # Also see the peer_connect_timeout directive.
2272 #
2273 # connect-fail-limit=N
2274 # How many times connecting to a peer must fail before
2275 # it is marked as down. Default is 10.
2276 #
2277 # allow-miss Disable Squid's use of only-if-cached when forwarding
2278 # requests to siblings. This is primarily useful when
2279 # icp_hit_stale is used by the sibling. Too extensive use
2280 # of this option may result in forwarding loops, and you
2281 # should avoid having two-way peerings with this option.
2282 # For example to deny peer usage on requests from peer
2283 # by denying cache_peer_access if the source is a peer.
2284 #
2285 # max-conn=N Limit the number of connections Squid may open to this
2286 # peer. see also
2287 #
2288 # name=xxx Unique name for the peer.
2289 # Required if you have multiple peers on the same host
2290 # but different ports.
2291 # This name can be used in cache_peer_access and similar
2292 # directives to identify the peer.
2293 # Can be used by outgoing access controls through the
2294 # peername ACL type.
2295 #
2296 # no-tproxy Do not use the client-spoof TPROXY support when forwarding
2297 # requests to this peer. Use normal address selection instead.
2298 #
2299 # proxy-only Objects fetched from the peer will not be stored locally.
2300 #
2301 #Default:
2302 # none
2303
2304 # TAG: cache_peer_domain
2305 # Use to limit the domains for which a neighbor cache will be
2306 # queried. Usage:
2307 #
2308 # cache_peer_domain cache-host domain [domain ...]
2309 # cache_peer_domain cache-host !domain
2310 #
2311 # For example, specifying
2312 #
2313 # cache_peer_domain parent.foo.net .edu
2314 #
2315 # has the effect such that UDP query packets are sent to
2316 # 'parent.foo.net' only when the requested object exists on a
2317 # server in the .edu domain. Prefixing the domainname
2318 # with '!' means the cache will be queried for objects
2319 # NOT in that domain.
2320 #
2321 # NOTE: * Any number of domains may be given for a cache-host,
2322 # either on the same or separate lines.
2323 # * When multiple domains are given for a particular
2324 # cache-host, the first matched domain is applied.
2325 # * Cache hosts with no domain restrictions are queried
2326 # for all requests.
2327 # * There are no defaults.
2328 # * There is also a 'cache_peer_access' tag in the ACL
2329 # section.
2330 #Default:
2331 # none
2332
2333 # TAG: cache_peer_access
2334 # Similar to 'cache_peer_domain' but provides more flexibility by
2335 # using ACL elements.
2336 #
2337 # cache_peer_access cache-host allow|deny [!]aclname ...
2338 #
2339 # The syntax is identical to 'http_access' and the other lists of
2340 # ACL elements. See the comments for 'http_access' below, or
2341 # the Squid FAQ (http://wiki.squid-cache.org/SquidFaq/SquidAcl).
2342 #Default:
2343 # none
2344
2345 # TAG: neighbor_type_domain
2346 # usage: neighbor_type_domain neighbor parent|sibling domain domain ...
2347 #
2348 # Modifying the neighbor type for specific domains is now
2349 # possible. You can treat some domains differently than the
2350 # default neighbor type specified on the 'cache_peer' line.
2351 # Normally it should only be necessary to list domains which
2352 # should be treated differently because the default neighbor type
2353 # applies for hostnames which do not match domains listed here.
2354 #
2355 #EXAMPLE:
2356 # cache_peer cache.foo.org parent 3128 3130
2357 # neighbor_type_domain cache.foo.org sibling .com .net
2358 # neighbor_type_domain cache.foo.org sibling .au .de
2359 #Default:
2360 # none
2361
2362 # TAG: dead_peer_timeout (seconds)
2363 # This controls how long Squid waits to declare a peer cache
2364 # as "dead." If there are no ICP replies received in this
2365 # amount of time, Squid will declare the peer dead and not
2366 # expect to receive any further ICP replies. However, it
2367 # continues to send ICP queries, and will mark the peer as
2368 # alive upon receipt of the first subsequent ICP reply.
2369 #
2370 # This timeout also affects when Squid expects to receive ICP
2371 # replies from peers. If more than 'dead_peer' seconds have
2372 # passed since the last ICP reply was received, Squid will not
2373 # expect to receive an ICP reply on the next query. Thus, if
2374 # your time between requests is greater than this timeout, you
2375 # will see a lot of requests sent DIRECT to origin servers
2376 # instead of to your parents.
2377 #Default:
2378 # dead_peer_timeout 10 seconds
2379
2380 # TAG: forward_max_tries
2381 # Controls how many different forward paths Squid will try
2382 # before giving up. See also forward_timeout.
2383 #
2384 # NOTE: connect_retries (default: none) can make each of these
2385 # possible forwarding paths be tried multiple times.
2386 #Default:
2387 # forward_max_tries 10
2388
2389 # TAG: hierarchy_stoplist
2390 # A list of words which, if found in a URL, cause the object to
2391 # be handled directly by this cache. In other words, use this
2392 # to not query neighbor caches for certain objects. You may
2393 # list this option multiple times.
2394 #
2395 # Example:
2396 # hierarchy_stoplist cgi-bin ?
2397 #
2398 # Note: never_direct overrides this option.
2399 #Default:
2400 # none
2401
2402 # MEMORY CACHE OPTIONS
2403 # -----------------------------------------------------------------------------
2404
2405 # TAG: cache_mem (bytes)
2406 # NOTE: THIS PARAMETER DOES NOT SPECIFY THE MAXIMUM PROCESS SIZE.
2407 # IT ONLY PLACES A LIMIT ON HOW MUCH ADDITIONAL MEMORY SQUID WILL
2408 # USE AS A MEMORY CACHE OF OBJECTS. SQUID USES MEMORY FOR OTHER
2409 # THINGS AS WELL. SEE THE SQUID FAQ SECTION 8 FOR DETAILS.
2410 #
2411 # 'cache_mem' specifies the ideal amount of memory to be used
2412 # for:
2413 # * In-Transit objects
2414 # * Hot Objects
2415 # * Negative-Cached objects
2416 #
2417 # Data for these objects are stored in 4 KB blocks. This
2418 # parameter specifies the ideal upper limit on the total size of
2419 # 4 KB blocks allocated. In-Transit objects take the highest
2420 # priority.
2421 #
2422 # In-transit objects have priority over the others. When
2423 # additional space is needed for incoming data, negative-cached
2424 # and hot objects will be released. In other words, the
2425 # negative-cached and hot objects will fill up any unused space
2426 # not needed for in-transit objects.
2427 #
2428 # If circumstances require, this limit will be exceeded.
2429 # Specifically, if your incoming request rate requires more than
2430 # 'cache_mem' of memory to hold in-transit objects, Squid will
2431 # exceed this limit to satisfy the new requests. When the load
2432 # decreases, blocks will be freed until the high-water mark is
2433 # reached. Thereafter, blocks will be used to store hot
2434 # objects.
2435 #
2436 # If shared memory caching is enabled, Squid does not use the shared
2437 # cache space for in-transit objects, but they still consume as much
2438 # local memory as they need. For more details about the shared memory
2439 # cache, see memory_cache_shared.
2440 #Default:
2441 # cache_mem 256 MB
2442
2443 # TAG: maximum_object_size_in_memory (bytes)
2444 # Squid will not attempt to keep objects greater than this size in
2445 # the memory cache. This should be set high enough to keep objects
2446 # accessed frequently in memory to improve performance whilst low
2447 # enough to keep larger objects from hoarding cache_mem.
2448 #Default:
2449 # maximum_object_size_in_memory 512 KB
2450
2451 # TAG: memory_cache_shared on|off
2452 # Controls whether the memory cache is shared among SMP workers.
2453 #
2454 # The shared memory cache is meant to occupy cache_mem bytes and replace
2455 # the non-shared memory cache, although some entities may still be
2456 # cached locally by workers for now (e.g., internal and in-transit
2457 # objects may be served from a local memory cache even if shared memory
2458 # caching is enabled).
2459 #
2460 # By default, the memory cache is shared if and only if all of the
2461 # following conditions are satisfied: Squid runs in SMP mode with
2462 # multiple workers, cache_mem is positive, and Squid environment
2463 # supports required IPC primitives (e.g., POSIX shared memory segments
2464 # and GCC-style atomic operations).
2465 #
2466 # To avoid blocking locks, shared memory uses opportunistic algorithms
2467 # that do not guarantee that every cachable entity that could have been
2468 # shared among SMP workers will actually be shared.
2469 #
2470 # Currently, entities exceeding 32KB in size cannot be shared.
2471 #Default:
2472 # "on" where supported if doing memory caching with multiple SMP workers.
2473
2474 # TAG: memory_cache_mode
2475 # Controls which objects to keep in the memory cache (cache_mem)
2476 #
2477 # always Keep most recently fetched objects in memory (default)
2478 #
2479 # disk Only disk cache hits are kept in memory, which means
2480 # an object must first be cached on disk and then hit
2481 # a second time before being cached in memory.
2482 #
2483 # network Only objects fetched from the network are kept in memory
2484 #Default:
2485 # memory_cache_mode always
2486
2487 # TAG: memory_replacement_policy
2488 # The memory replacement policy parameter determines which
2489 # objects are purged from memory when memory space is needed.
2490 #
2491 # See cache_replacement_policy for details.
2492 #Default:
2493 # memory_replacement_policy lru
2494
2495 # DISK CACHE OPTIONS
2496 # -----------------------------------------------------------------------------
2497
2498 # TAG: cache_replacement_policy
2499 # The cache replacement policy parameter determines which
2500 # objects are evicted (replaced) when disk space is needed.
2501 #
2502 # lru : Squid's original list based LRU policy
2503 # heap GDSF : Greedy-Dual Size Frequency
2504 # heap LFUDA: Least Frequently Used with Dynamic Aging
2505 # heap LRU : LRU policy implemented using a heap
2506 #
2507 # Applies to any cache_dir lines listed below this.
2508 #
2509 # The LRU policies keep recently referenced objects.
2510 #
2511 # The heap GDSF policy optimizes object hit rate by keeping smaller
2512 # popular objects in cache so it has a better chance of getting a
2513 # hit. It achieves a lower byte hit rate than LFUDA though since
2514 # it evicts larger (possibly popular) objects.
2515 #
2516 # The heap LFUDA policy keeps popular objects in cache regardless of
2517 # their size and thus optimizes byte hit rate at the expense of
2518 # hit rate since one large, popular object will prevent many
2519 # smaller, slightly less popular objects from being cached.
2520 #
2521 # Both policies utilize a dynamic aging mechanism that prevents
2522 # cache pollution that can otherwise occur with frequency-based
2523 # replacement policies.
2524 #
2525 # NOTE: if using the LFUDA replacement policy you should increase
2526 # the value of maximum_object_size above its default of 4 MB
2527 # to maximize the potential byte hit rate improvement of LFUDA.
2528 #
2529 # For more information about the GDSF and LFUDA cache replacement
2530 # policies see http://www.hpl.hp.com/techreports/1999/HPL-1999-69.html
2531 # and http://fog.hpl.external.hp.com/techreports/98/HPL-98-173.html.
2532 #Default:
2533 # cache_replacement_policy lru
2534
2535 # TAG: cache_dir
2536 # Usage:
2537 #
2538 # cache_dir Type Directory-Name Fs-specific-data [options]
2539 #
2540 # You can specify multiple cache_dir lines to spread the
2541 # cache among different disk partitions.
2542 #
2543 # Type specifies the kind of storage system to use. Only "ufs"
2544 # is built by default. To enable any of the other storage systems
2545 # see the --enable-storeio configure option.
2546 #
2547 # 'Directory' is a top-level directory where cache swap
2548 # files will be stored. If you want to use an entire disk
2549 # for caching, this can be the mount-point directory.
2550 # The directory must exist and be writable by the Squid
2551 # process. Squid will NOT create this directory for you.
2552 #
2553 # In SMP configurations, cache_dir must not precede the workers option
2554 # and should use configuration macros or conditionals to give each
2555 # worker interested in disk caching a dedicated cache directory.
2556 #
2557 # The ufs store type:
2558 #
2559 # "ufs" is the old well-known Squid storage format that has always
2560 # been there.
2561 #
2562 # cache_dir ufs Directory-Name Mbytes L1 L2 [options]
2563 #
2564 # 'Mbytes' is the amount of disk space (MB) to use under this
2565 # directory. The default is 100 MB. Change this to suit your
2566 # configuration. Do NOT put the size of your disk drive here.
2567 # Instead, if you want Squid to use the entire disk drive,
2568 # subtract 20% and use that value.
2569 #
2570 # 'L1' is the number of first-level subdirectories which
2571 # will be created under the 'Directory'. The default is 16.
2572 #
2573 # 'L2' is the number of second-level subdirectories which
2574 # will be created under each first-level directory. The default
2575 # is 256.
2576 #
2577 # The aufs store type:
2578 #
2579 # "aufs" uses the same storage format as "ufs", utilizing
2580 # POSIX-threads to avoid blocking the main Squid process on
2581 # disk-I/O. This was formerly known in Squid as async-io.
2582 #
2583 # cache_dir aufs Directory-Name Mbytes L1 L2 [options]
2584 #
2585 # see argument descriptions under ufs above
2586 #
2587 # The diskd store type:
2588 #
2589 # "diskd" uses the same storage format as "ufs", utilizing a
2590 # separate process to avoid blocking the main Squid process on
2591 # disk-I/O.
2592 #
2593 # cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n]
2594 #
2595 # see argument descriptions under ufs above
2596 #
2597 # Q1 specifies the number of unacknowledged I/O requests when Squid
2598 # stops opening new files. If this many messages are in the queues,
2599 # Squid won't open new files. Default is 64
2600 #
2601 # Q2 specifies the number of unacknowledged messages when Squid
2602 # starts blocking. If this many messages are in the queues,
2603 # Squid blocks until it receives some replies. Default is 72
2604 #
2605 # When Q1 < Q2 (the default), the cache directory is optimized
2606 # for lower response time at the expense of a decrease in hit
2607 # ratio. If Q1 > Q2, the cache directory is optimized for
2608 # higher hit ratio at the expense of an increase in response
2609 # time.
2610 #
2611 # The rock store type:
2612 #
2613 # cache_dir rock Directory-Name Mbytes <max-size=bytes> [options]
2614 #
2615 # The Rock Store type is a database-style storage. All cached
2616 # entries are stored in a "database" file, using fixed-size slots,
2617 # one entry per slot. The database size is specified in MB. The
2618 # slot size is specified in bytes using the max-size option. See
2619 # below for more info on the max-size option.
2620 #
2621 # If possible, Squid using Rock Store creates a dedicated kid
2622 # process called "disker" to avoid blocking Squid worker(s) on disk
2623 # I/O. One disker kid is created for each rock cache_dir. Diskers
2624 # are created only when Squid, running in daemon mode, has support
2625 # for the IpcIo disk I/O module.
2626 #
2627 # swap-timeout=msec: Squid will not start writing a miss to or
2628 # reading a hit from disk if it estimates that the swap operation
2629 # will take more than the specified number of milliseconds. By
2630 # default, or when set to zero, the disk I/O time limit is not
2631 # enforced. Ignored when using the blocking I/O module because
2632 # blocking synchronous I/O does not allow Squid to estimate the
2633 # expected swap wait time.
2634 #
2635 # max-swap-rate=swaps/sec: Artificially limits disk access using
2636 # the specified I/O rate limit. Swap out requests that
2637 # would cause the average I/O rate to exceed the limit are
2638 # delayed. Individual swap in requests (i.e., hits or reads) are
2639 # not delayed, but they do contribute to measured swap rate and
2640 # since they are placed in the same FIFO queue as swap out
2641 # requests, they may wait longer if max-swap-rate is smaller.
2642 # This is necessary on file systems that buffer "too
2643 # many" writes and then start blocking Squid and other processes
2644 # while committing those writes to disk. Usually used together
2645 # with swap-timeout to avoid excessive delays and queue overflows
2646 # when disk demand exceeds available disk "bandwidth". By default,
2647 # or when set to zero, the disk I/O rate limit is not
2648 # enforced. Currently supported by the IpcIo module only.
2649 #
2650 #
2651 # The coss store type:
2652 #
2653 # NP: COSS filesystem in Squid-3 has been deemed too unstable for
2654 # production use and has thus been removed from this release.
2655 # We hope that it can be made usable again soon.
2656 #
2657 # block-size=n defines the "block size" for COSS cache_dir's.
2658 # Squid uses file numbers as block numbers. Since file numbers
2659 # are limited to 24 bits, the block size determines the maximum
2660 # size of the COSS partition. The default is 512 bytes, which
2661 # leads to a maximum cache_dir size of 512<<24, or 8 GB. Note
2662 # you should not change the coss block size after Squid
2663 # has written some objects to the cache_dir.
2664 #
2665 # The coss file store has changed from 2.5. Now it uses a file
2666 # called 'stripe' in the directory names in the config - and
2667 # this will be created by squid -z.
2668 #
2669 # Common options:
2670 #
2671 # no-store, no new objects should be stored to this cache_dir
2672 #
2673 # min-size=n, refers to the min object size in bytes this cache_dir
2674 # will accept. It's used to restrict a cache_dir to only store
2675 # large objects (e.g. aufs) while other storedirs are optimized
2676 # for smaller objects (e.g. COSS). Defaults to 0.
2677 #
2678 # max-size=n, refers to the max object size in bytes this cache_dir
2679 # supports. It is used to select the cache_dir to store the object.
2680 # Note: To make optimal use of the max-size limits you should order
2681 # the cache_dir lines with the smallest max-size value first and the
2682 # ones with no max-size specification last.
2683 #
2684 # Note for coss, max-size must be less than COSS_MEMBUF_SZ,
2685 # which can be changed with the --with-coss-membuf-size=N configure
2686 # option.
2687 #
2688
2689 # Uncomment and adjust the following to add a disk cache directory.
2690 #cache_dir ufs /var/spool/squid 100 16 256
2691
2692 # TAG: store_dir_select_algorithm
2693 # Set this to 'round-robin' as an alternative.
2694 #Default:
2695 # store_dir_select_algorithm least-load
2696
2697 # TAG: max_open_disk_fds
2698 # To avoid having disk as the I/O bottleneck Squid can optionally
2699 # bypass the on-disk cache if more than this amount of disk file
2700 # descriptors are open.
2701 #
2702 # A value of 0 indicates no limit.
2703 #Default:
2704 # max_open_disk_fds 0
2705
2706 # TAG: minimum_object_size (bytes)
2707 # Objects smaller than this size will NOT be saved on disk. The
2708 # value is specified in kilobytes, and the default is 0 KB, which
2709 # means there is no minimum.
2710 #Default:
2711 # minimum_object_size 0 KB
2712
2713 # TAG: maximum_object_size (bytes)
2714 # The default limit on size of objects stored to disk.
2715 # This size is used for cache_dir where max-size is not set.
2716 # The value is specified in bytes, and the default is 4 MB.
2717 #
2718 # If you wish to get a high BYTES hit ratio, you should probably
2719 # increase this (one 32 MB object hit counts for 3200 10KB
2720 # hits).
2721 #
2722 # If you wish to increase hit ratio more than you want to
2723 # save bandwidth you should leave this low.
2724 #
2725 # NOTE: if using the LFUDA replacement policy you should increase
2726 # this value to maximize the byte hit rate improvement of LFUDA!
2727 # See replacement_policy below for a discussion of this policy.
2728 #Default:
2729 # maximum_object_size 4 MB
2730
2731 # TAG: cache_swap_low (percent, 0-100)
2732 #Default:
2733 # cache_swap_low 90
2734
2735 # TAG: cache_swap_high (percent, 0-100)
2736 #
2737 # The low- and high-water marks for cache object replacement.
2738 # Replacement begins when the swap (disk) usage is above the
2739 # low-water mark and attempts to maintain utilization near the
2740 # low-water mark. As swap utilization gets close to high-water
2741 # mark object eviction becomes more aggressive. If utilization is
2742 # close to the low-water mark less replacement is done each time.
2743 #
2744 # Defaults are 90% and 95%. If you have a large cache, 5% could be
2745 # hundreds of MB. If this is the case you may wish to set these
2746 # numbers closer together.
2747 #Default:
2748 # cache_swap_high 95
2749
2750 # LOGFILE OPTIONS
2751 # -----------------------------------------------------------------------------
2752
2753 # TAG: logformat
2754 # Usage:
2755 #
2756 # logformat <name> <format specification>
2757 #
2758 # Defines an access log format.
2759 #
2760 # The <format specification> is a string with embedded % format codes
2761 #
2762 # % format codes all follow the same basic structure where all but
2763 # the formatcode are optional. Output strings are automatically escaped
2764 # as required according to their context and the output format
2765 # modifiers are usually not needed, but can be specified if an explicit
2766 # output format is desired.
2767 #
2768 # % ["|[|'|#] [-] [[0]width] [{argument}] formatcode
2769 #
2770 # " output in quoted string format
2771 # [ output in squid text log format as used by log_mime_hdrs
2772 # # output in URL quoted format
2773 # ' output as-is
2774 #
2775 # - left aligned
2776 #
2777 # width minimum and/or maximum field width:
2778 # [width_min][.width_max]
2779 # When minimum starts with 0, the field is zero-padded.
2780 # String values exceeding maximum width are truncated.
2781 #
2782 # {arg} argument such as header name etc
2783 #
2784 # Format codes:
2785 #
2786 # % a literal % character
2787 # sn Unique sequence number per log line entry
2788 # err_code The ID of an error response served by Squid or
2789 # a similar internal error identifier.
2790 # err_detail Additional err_code-dependent error information.
2791 #
2792 # Connection related format codes:
2793 #
2794 # >a Client source IP address
2795 # >A Client FQDN
2796 # >p Client source port
2797 # >eui Client source EUI (MAC address, EUI-48 or EUI-64 identifier)
2798 # >la Local IP address the client connected to
2799 # >lp Local port number the client connected to
2800 #
2801 # la Local listening IP address the client connection was connected to.
2802 # lp Local listening port number the client connection was connected to.
2803 #
2804 # <a Server IP address of the last server or peer connection
2805 # <A Server FQDN or peer name
2806 # <p Server port number of the last server or peer connection
2807 # <la Local IP address of the last server or peer connection
2808 # <lp Local port number of the last server or peer connection
2809 #
2810 # Time related format codes:
2811 #
2812 # ts Seconds since epoch
2813 # tu subsecond time (milliseconds)
2814 # tl Local time. Optional strftime format argument
2815 # default %d/%b/%Y:%H:%M:%S %z
2816 # tg GMT time. Optional strftime format argument
2817 # default %d/%b/%Y:%H:%M:%S %z
2818 # tr Response time (milliseconds)
2819 # dt Total time spent making DNS lookups (milliseconds)
2820 #
2821 # Access Control related format codes:
2822 #
2823 # et Tag returned by external acl
2824 # ea Log string returned by external acl
2825 # un User name (any available)
2826 # ul User name from authentication
2827 # ue User name from external acl helper
2828 # ui User name from ident
2829 # us User name from SSL
2830 #
2831 # HTTP related format codes:
2832 #
2833 # [http::]>h Original request header. Optional header name argument
2834 # on the format header[:[separator]element]
2835 # [http::]>ha The HTTP request headers after adaptation and redirection.
2836 # Optional header name argument as for >h
2837 # [http::]<h Reply header. Optional header name argument
2838 # as for >h
2839 # [http::]>Hs HTTP status code sent to the client
2840 # [http::]<Hs HTTP status code received from the next hop
2841 # [http::]<bs Number of HTTP-equivalent message body bytes
2842 # received from the next hop, excluding chunked
2843 # transfer encoding and control messages.
2844 # Generated FTP/Gopher listings are treated as
2845 # received bodies.
2846 # [http::]mt MIME content type
2847 # [http::]rm Request method (GET/POST etc)
2848 # [http::]>rm Request method from client
2849 # [http::]<rm Request method sent to server or peer
2850 # [http::]ru Request URL from client (historic, filtered for logging)
2851 # [http::]>ru Request URL from client
2852 # [http::]<ru Request URL sent to server or peer
2853 # [http::]rp Request URL-Path excluding hostname
2854 # [http::]>rp Request URL-Path excluding hostname from client
2855 # [http::]<rp Request URL-Path excluding hostname sent to server or peer
2856 # [http::]rv Request protocol version
2857 # [http::]>rv Request protocol version from client
2858 # [http::]<rv Request protocol version sent to server or peer
2859 # [http::]<st Sent reply size including HTTP headers
2860 # [http::]>st Received request size including HTTP headers. In the
2861 # case of chunked requests the chunked encoding metadata
2862 # are not included
2863 # [http::]>sh Received HTTP request headers size
2864 # [http::]<sh Sent HTTP reply headers size
2865 # [http::]st Request+Reply size including HTTP headers
2866 # [http::]<sH Reply high offset sent
2867 # [http::]<sS Upstream object size
2868 # [http::]<pt Peer response time in milliseconds. The timer starts
2869 # when the last request byte is sent to the next hop
2870 # and stops when the last response byte is received.
2871 # [http::]<tt Total server-side time in milliseconds. The timer
2872 # starts with the first connect request (or write I/O)
2873 # sent to the first selected peer. The timer stops
2874 # with the last I/O with the last peer.
2875 #
2876 # Squid handling related format codes:
2877 #
2878 # Ss Squid request status (TCP_MISS etc)
2879 # Sh Squid hierarchy status (DEFAULT_PARENT etc)
2880 #
2881 # If ICAP is enabled, the following code becomes available (as
2882 # well as ICAP log codes documented with the icap_log option):
2883 #
2884 # icap::tt Total ICAP processing time for the HTTP
2885 # transaction. The timer ticks when ICAP
2886 # ACLs are checked and when ICAP
2887 # transaction is in progress.
2888 #
2889 # If adaptation is enabled the following three codes become available:
2890 #
2891 # adapt::<last_h The header of the last ICAP response or
2892 # meta-information from the last eCAP
2893 # transaction related to the HTTP transaction.
2894 # Like <h, accepts an optional header name
2895 # argument.
2896 #
2897 # adapt::sum_trs Summed adaptation transaction response
2898 # times recorded as a comma-separated list in
2899 # the order of transaction start time. Each time
2900 # value is recorded as an integer number,
2901 # representing response time of one or more
2902 # adaptation (ICAP or eCAP) transactions in
2903 # milliseconds. When a failed transaction is
2904 # being retried or repeated, its time is not
2905 # logged individually but added to the
2906 # replacement (next) transaction. See also:
2907 # adapt::all_trs.
2908 #
2909 # adapt::all_trs All adaptation transaction response times.
2910 # Same as adaptation_strs but response times of
2911 # individual transactions are never added
2912 # together. Instead, all transaction response
2913 # times are recorded individually.
2914 #
2915 # You can prefix adapt::*_trs format codes with adaptation
2916 # service name in curly braces to record response time(s) specific
2917 # to that service. For example: %{my_service}adapt::sum_trs
2918 #
2919 # The default formats available (which do not need re-defining) are:
2920 #
2921 #logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt
2922 #logformat common %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh
2923 #logformat combined %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
2924 #logformat referrer %ts.%03tu %>a %{Referer}>h %ru
2925 #logformat useragent %>a [%tl] "%{User-Agent}>h"
2926 #
2927 # NOTE: When the log_mime_hdrs directive is set to ON,
2928 # the squid, common and combined formats have a safely encoded copy
2929 # of the mime headers appended to each line within a pair of brackets.
2930 #
2931 # NOTE: The common and combined formats are not quite true to the Apache definition.
2932 # The logs from Squid contain an extra status and hierarchy code appended.
2933 #
2934 #Default:
2935 # none
2936
2937 # TAG: access_log
2938 # These files log client request activities. Has a line for every HTTP or
2939 # ICP request. The format is:
2940 # access_log <module>:<place> [<logformat name> [acl acl ...]]
2941 # access_log none [acl acl ...]
2942 #
2943 # Will log to the specified module:place using the specified format (which
2944 # must be defined in a logformat directive) those entries which match
2945 # ALL the acl's specified (which must be defined in acl clauses).
2946 # If no acl is specified, all requests will be logged to this destination.
2947 #
2948 # ===== Modules Currently available =====
2949 #
2950 # none Do not log any requests matching these ACLs.
2951 # Do not specify Place or logformat name.
2952 #
2953 # stdio Write each log line to disk immediately at the completion of
2954 # each request.
2955 # Place: the filename and path to be written.
2956 #
2957 # daemon Very similar to stdio. But instead of writing to disk the log
2958 # line is passed to a daemon helper for asynchronous handling instead.
2959 # Place: varies depending on the daemon.
2960 #
2961 # log_file_daemon Place: the file name and path to be written.
2962 #
2963 # syslog To log each request via syslog facility.
2964 # Place: The syslog facility and priority level for these entries.
2965 # Place Format: facility.priority
2966 #
2967 # where facility could be any of:
2968 # authpriv, daemon, local0 ... local7 or user.
2969 #
2970 # And priority could be any of:
2971 # err, warning, notice, info, debug.
2972 #
2973 # udp To send each log line as text data to a UDP receiver.
2974 # Place: The destination host name or IP and port.
2975 # Place Format: //host:port
2976 #
2977 # tcp To send each log line as text data to a TCP receiver.
2978 # Place: The destination host name or IP and port.
2979 # Place Format: //host:port
2980 #
2981 # Default:
2982 # access_log daemon:/var/log/squid/access.log squid
2983 #Default:
2984 # access_log daemon:/var/log/squid/access.log squid
2985
2986 # TAG: icap_log
2987 # ICAP log files record ICAP transaction summaries, one line per
2988 # transaction.
2989 #
2990 # The icap_log option format is:
2991 # icap_log <filepath> [<logformat name> [acl acl ...]]
2992 # icap_log none [acl acl ...]
2993 #
2994 # Please see access_log option documentation for details. The two
2995 # kinds of logs share the overall configuration approach and many
2996 # features.
2997 #
2998 # ICAP processing of a single HTTP message or transaction may
2999 # require multiple ICAP transactions. In such cases, multiple
3000 # ICAP transaction log lines will correspond to a single access
3001 # log line.
3002 #
3003 # ICAP log uses logformat codes that make sense for an ICAP
3004 # transaction. Header-related codes are applied to the HTTP header
3005 # embedded in an ICAP server response, with the following caveats:
3006 # For REQMOD, there is no HTTP response header unless the ICAP
3007 # server performed request satisfaction. For RESPMOD, the HTTP
3008 # request header is the header sent to the ICAP server. For
3009 # OPTIONS, there are no HTTP headers.
3010 #
3011 # The following format codes are also available for ICAP logs:
3012 #
3013 # icap::<A ICAP server IP address. Similar to <A.
3014 #
3015 # icap::<service_name ICAP service name from the icap_service
3016 # option in Squid configuration file.
3017 #
3018 # icap::ru ICAP Request-URI. Similar to ru.
3019 #
3020 # icap::rm ICAP request method (REQMOD, RESPMOD, or
3021 # OPTIONS). Similar to existing rm.
3022 #
3023 # icap::>st Bytes sent to the ICAP server (TCP payload
3024 # only; i.e., what Squid writes to the socket).
3025 #
3026 # icap::<st Bytes received from the ICAP server (TCP
3027 # payload only; i.e., what Squid reads from
3028 # the socket).
3029 #
3030 # icap::<bs Number of message body bytes received from the
3031 # ICAP server. ICAP message body, if any, usually
3032 # includes encapsulated HTTP message headers and
3033 # possibly encapsulated HTTP message body. The
3034 # HTTP body part is dechunked before its size is
3035 # computed.
3036 #
3037 # icap::tr Transaction response time (in
3038 # milliseconds). The timer starts when
3039 # the ICAP transaction is created and
3040 # stops when the transaction is completed.
3041 # Similar to tr.
3042 #
3043 # icap::tio Transaction I/O time (in milliseconds). The
3044 # timer starts when the first ICAP request
3045 # byte is scheduled for sending. The timer
3046 # stops when the last byte of the ICAP response
3047 # is received.
3048 #
3049 # icap::to Transaction outcome: ICAP_ERR* for all
3050 # transaction errors, ICAP_OPT for OPTION
3051 # transactions, ICAP_ECHO for 204
3052 # responses, ICAP_MOD for message
3053 # modification, and ICAP_SAT for request
3054 # satisfaction. Similar to Ss.
3055 #
3056 # icap::Hs ICAP response status code. Similar to Hs.
3057 #
3058 # icap::>h ICAP request header(s). Similar to >h.
3059 #
3060 # icap::<h ICAP response header(s). Similar to <h.
3061 #
3062 # The default ICAP log format, which can be used without an explicit
3063 # definition, is called icap_squid:
3064 #
3065 #logformat icap_squid %ts.%03tu %6icap::tr %>a %icap::to/%03icap::Hs %icap::<size %icap::rm %icap::ru% %un -/%icap::<A -
3066 #
3067 # See also: logformat, log_icap, and %adapt::<last_h
3068 #Default:
3069 # none
3070
3071 # TAG: logfile_daemon
3072 # Specify the path to the logfile-writing daemon. This daemon is
3073 # used to write the access and store logs, if configured.
3074 #
3075 # Squid sends a number of commands to the log daemon:
3076 # L<data>\n - logfile data
3077 # R\n - rotate file
3078 # T\n - truncate file
3079 # O\n - reopen file
3080 # F\n - flush file
3081 # r<n>\n - set rotate count to <n>
3082 # b<n>\n - 1 = buffer output, 0 = don't buffer output
3083 #
3084 # No response is expected.
3085 #Default:
3086 # logfile_daemon /usr/lib64/squid/log_file_daemon
3087
3088 # TAG: log_access allow|deny acl acl...
3089 # This option allows you to control which requests get logged
3090 # to access.log (see access_log directive). Requests denied for
3091 # logging will also not be accounted for in performance counters.
3092 #
3093 # This clause only supports fast acl types.
3094 # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
3095 #Default:
3096 # none
3097
3098 # TAG: log_icap
3099 # This option allows you to control which requests get logged
3100 # to icap.log. See the icap_log directive for ICAP log details.
3101 #Default:
3102 # none
3103
3104 # TAG: cache_store_log
3105 # Logs the activities of the storage manager. Shows which
3106 # objects are ejected from the cache, and which objects are
3107 # saved and for how long.
3108 # There are not really any utilities to analyze this data, so you can safely
3109 # disable it (the default).
3110 #
3111 # Store log uses modular logging outputs. See access_log for the list
3112 # of modules supported.
3113 #
3114 # Example:
3115 # cache_store_log stdio:/var/log/squid/store.log
3116 # cache_store_log daemon:/var/log/squid/store.log
3117 #Default:
3118 # none
3119
3120 # TAG: cache_swap_state
3121 # Location for the cache "swap.state" file. This index file holds
3122 # the metadata of objects saved on disk. It is used to rebuild
3123 # the cache during startup. Normally this file resides in each
3124 # 'cache_dir' directory, but you may specify an alternate
3125 # pathname here. Note you must give a full filename, not just
3126 # a directory. Since this is the index for the whole object
3127 # list you CANNOT periodically rotate it!
3128 #
3129 # If %s is used in the file name it will be replaced with
3130 # a representation of the cache_dir name where each / is replaced
3131 # with '.'. This is needed to allow adding/removing cache_dir
3132 # lines when cache_swap_log is being used.
3133 #
3134 # If you have more than one 'cache_dir', and %s is not used in the name
3135 # these swap logs will have names such as:
3136 #
3137 # cache_swap_log.00
3138 # cache_swap_log.01
3139 # cache_swap_log.02
3140 #
3141 # The numbered extension (which is added automatically)
3142 # corresponds to the order of the 'cache_dir' lines in this
3143 # configuration file. If you change the order of the 'cache_dir'
3144 # lines in this file, these index files will NOT correspond to
3145 # the correct 'cache_dir' entry (unless you manually rename
3146 # them). We recommend you do NOT use this option. It is
3147 # better to keep these index files in each 'cache_dir' directory.
3148 #Default:
3149 # none
3150
3151 # TAG: logfile_rotate
3152 # Specifies the number of logfile rotations to make when you
3153 # type 'squid -k rotate'. The default is 10, which will rotate
3154 # with extensions 0 through 9. Setting logfile_rotate to 0 will
3155 # disable the file name rotation, but the logfiles are still closed
3156 # and re-opened. This will enable you to rename the logfiles
3157 # yourself just before sending the rotate signal.
3158 #
3159 # Note, the 'squid -k rotate' command normally sends a USR1
3160 # signal to the running squid process. In certain situations
3161 # (e.g. on Linux with Async I/O), USR1 is used for other
3162 # purposes, so -k rotate uses another signal. It is best to get
3163 # in the habit of using 'squid -k rotate' instead of 'kill -USR1
3164 # <pid>'.
3165 #
3166 # Note, from Squid-3.1 this option has no effect on the cache.log,
3167 # that log can be rotated separately by using debug_options
3168 #Default:
3169 # logfile_rotate 0
3170
3171 # TAG: emulate_httpd_log
3172 # Replace this with an access_log directive using the format 'common' or 'combined'.
3173 #Default:
3174 # none
3175
3176 # TAG: log_ip_on_direct
3177 # Remove this option from your config. To log server or peer names use %<A in the log format.
3178 #Default:
3179 # none
3180
3181 # TAG: mime_table
3182 # Pathname to Squid's MIME table. You shouldn't need to change
3183 # this, but the default file contains examples and formatting
3184 # information if you do.
3185 #Default:
3186 # mime_table /etc/squid/mime.conf
3187
3188 # TAG: log_mime_hdrs on|off
3189 # The Cache can record both the request and the response MIME
3190 # headers for each HTTP transaction. The headers are encoded
3191 # safely and will appear as two bracketed fields at the end of
3192 # the access log (for either the native or httpd-emulated log
3193 # formats). To enable this logging set log_mime_hdrs to 'on'.
# Note that the recorded headers may include credential-bearing fields
# (e.g. Authorization, Proxy-Authorization, Cookie), so restrict read
# access to the access log accordingly when this is enabled.
3194 #Default:
3195 # log_mime_hdrs off
3196
3197 # TAG: useragent_log
3198 # Replace this with an access_log directive using the format 'useragent'.
3199 #Default:
3200 # none
3201
3202 # TAG: referer_log
3203 # Replace this with an access_log directive using the format 'referrer'.
3204 #Default:
3205 # none
3206
3207 # TAG: pid_filename
3208 # A filename to write the process-id to. To disable, enter "none".
3209 #Default:
3210 # pid_filename /var/run/squid.pid
3211
3212 # TAG: log_fqdn
3213 # Remove this option from your config. To log FQDN use %>A in the log format.
3214 #Default:
3215 # none
3216
3217 # TAG: client_netmask
3218 # A netmask for client addresses in logfiles and cachemgr output.
3219 # Change this to protect the privacy of your cache clients.
3220 # A netmask of 255.255.255.0 will log all IPs in that range with
3221 # the last octet set to 0.
3222 #Default:
3223 # client_netmask no_addr
3224
3225 # TAG: forward_log
3226 # Use a regular access.log with ACL limiting it to MISS events.
3227 #Default:
3228 # none
3229
3230 # TAG: strip_query_terms
3231 # By default, Squid strips query terms from requested URLs before
3232 # logging. This protects your users' privacy: query strings often
# carry session tokens and other sensitive parameters, so leave this
# on unless you have a specific need to log them.
3233 #Default:
3234 # strip_query_terms on
3235
3236 # TAG: buffered_logs on|off
3237 # cache.log log file is written with stdio functions, and as such
3238 # it can be buffered or unbuffered. By default it will be unbuffered.
3239 # Buffering it can speed up the writing slightly (though you are
3240 # unlikely to need to worry unless you run with tons of debugging
3241 # enabled in which case performance will suffer badly anyway..).
3242 #Default:
3243 # buffered_logs off
3244
3245 # TAG: netdb_filename
3246 # A filename where Squid stores its netdb state between restarts.
3247 # To disable, enter "none".
3248 #Default:
3249 # netdb_filename stdio:/var/log/squid/netdb.state
3250
3251 # OPTIONS FOR TROUBLESHOOTING
3252 # -----------------------------------------------------------------------------
3253
3254 # TAG: cache_log
3255 # Cache logging file. This is where general information about
3256 # your cache's behavior goes. You can increase the amount of data
3257 # logged to this file and how often it is rotated with "debug_options".
3258 #Default:
3259 # cache_log /var/log/squid/cache.log
3260
3261 # TAG: debug_options
3262 # Logging options are set as section,level where each source file
3263 # is assigned a unique section. Lower levels result in less
3264 # output, Full debugging (level 9) can result in a very large
3265 # log file, so be careful.
3266 #
3267 # The magic word "ALL" sets debugging levels for all sections.
3268 # We recommend normally running with "ALL,1".
3269 #
3270 # The rotate=N option can be used to keep more or less of these logs
3271 # than would otherwise be kept by logfile_rotate.
3272 # For most uses a single log should be enough to monitor current
3273 # events affecting Squid.
3274 #Default:
3275 # debug_options ALL,1
3276
3277 # TAG: coredump_dir
3278 # By default Squid leaves core files in the directory from where
3279 # it was started. If you set 'coredump_dir' to a directory
3280 # that exists, Squid will chdir() to that directory at startup
3281 # and coredump files will be left there.
3282 #
3283 #Default:
3284 # coredump_dir none
3285 #
3286
3287 # Leave coredumps in the first cache dir
# NOTE(review): a core file is an image of the process memory at the time of
# the crash, so keep this directory readable only by the squid user/group
# (not world-readable) - confirm the permissions on the cache dir.
3288 coredump_dir /var/spool/squid
3289
3290 # OPTIONS FOR FTP GATEWAYING
3291 # -----------------------------------------------------------------------------
3292
3293 # TAG: ftp_user
3294 # If you want the anonymous login password to be more informative
3295 # (and enable the use of picky ftp servers), set this to something
3296 # reasonable for your domain, like wwwuser@somewhere.net
3297 #
3298 # The reason why this is domainless by default is the
3299 # request can be made on the behalf of a user in any domain,
3300 # depending on how the cache is used.
3301 # Some FTP servers also validate that the email address is valid
3302 # (for example perl.com).
3303 #Default:
3304 # ftp_user Squid@
3305
3306 # TAG: ftp_passive
3307 # If your firewall does not allow Squid to use passive
3308 # connections, turn off this option.
3309 #
3310 # Use of ftp_epsv_all option requires this to be ON.
3311 #Default:
3312 # ftp_passive on
3313
3314 # TAG: ftp_epsv_all
3315 # FTP Protocol extensions permit the use of a special "EPSV ALL" command.
3316 #
3317 # NATs may be able to put the connection on a "fast path" through the
3318 # translator, as the EPRT command will never be used and therefore,
3319 # translation of the data portion of the segments will never be needed.
3320 #
3321 # When a client only expects to do two-way FTP transfers this may be
3322 # useful.
3323 # If squid finds that it must do a three-way FTP transfer after issuing
3324 # an EPSV ALL command, the FTP session will fail.
3325 #
3326 # If you have any doubts about this option do not use it.
3327 # Squid will nicely attempt all other connection methods.
3328 #
3329 # Requires ftp_passive to be ON (default) for any effect.
3330 #Default:
3331 # ftp_epsv_all off
3332
3333 # TAG: ftp_epsv
3334 # FTP Protocol extensions permit the use of a special "EPSV" command.
3335 #
3336 # NATs may be able to put the connection on a "fast path" through the
3337 # translator using EPSV, as the EPRT command will never be used
3338 # and therefore, translation of the data portion of the segments
3339 # will never be needed.
3340 #
3341 # Turning this OFF will prevent EPSV being attempted.
3342 # WARNING: Doing so will convert Squid back to the old behavior with all
3343 # the related problems with external NAT devices/layers.
3344 #
3345 # Requires ftp_passive to be ON (default) for any effect.
3346 #Default:
3347 # ftp_epsv on
3348
3349 # TAG: ftp_eprt
3350 # FTP Protocol extensions permit the use of a special "EPRT" command.
3351 #
3352 # This extension provides a protocol neutral alternative to the
3353 # IPv4-only PORT command. When supported it enables active FTP data
3354 # channels over IPv6 and efficient NAT handling.
3355 #
3356 # Turning this OFF will prevent EPRT being attempted and will skip
3357 # straight to using PORT for IPv4 servers.
3358 #
3359 # Some devices are known to not handle this extension correctly and
3360 # may result in crashes. Devices which support EPRT enough to fail
3361 # cleanly will result in Squid attempting PORT anyway. This directive
3362 # should only be disabled when EPRT results in device failures.
3363 #
3364 # WARNING: Doing so will convert Squid back to the old behavior with all
3365 # the related problems with external NAT devices/layers and IPv4-only FTP.
3366 #Default:
3367 # ftp_eprt on
3368
3369 # TAG: ftp_sanitycheck
3370 # For security and data integrity reasons Squid by default performs
3371 # sanity checks on the addresses of FTP data connections to ensure the
3372 # data connection is made to the requested server. If you need to allow
3373 # FTP connections to servers that use another IP address for the data
3374 # connection, turn this off - but be aware that this check is what stops
# a server from pointing Squid's data connection at an arbitrary host.
3375 #Default:
3376 # ftp_sanitycheck on
3377
3378 # TAG: ftp_telnet_protocol
3379 # The FTP protocol is officially defined to use the telnet protocol
3380 # as transport channel for the control connection. However, many
3381 # implementations are broken and do not respect this aspect of
3382 # the FTP protocol.
3383 #
3384 # If you have trouble accessing files with ASCII code 255 in the
3385 # path or similar problems involving this ASCII code you can
3386 # try setting this directive to off. If that helps, report to the
3387 # operator of the FTP server in question that their FTP server
3388 # is broken and does not follow the FTP standard.
3389 #Default:
3390 # ftp_telnet_protocol on
3391
3392 # OPTIONS FOR EXTERNAL SUPPORT PROGRAMS
3393 # -----------------------------------------------------------------------------
3394
3395 # TAG: diskd_program
3396 # Specify the location of the diskd executable.
3397 # Note this is only useful if you have compiled in
3398 # diskd as one of the store io modules.
3399 #Default:
3400 # diskd_program /usr/lib64/squid/diskd
3401
3402 # TAG: unlinkd_program
3403 # Specify the location of the executable for file deletion process.
3404 #Default:
3405 # unlinkd_program /usr/lib64/squid/unlinkd
3406
3407 # TAG: pinger_program
3408 # Specify the location of the executable for the pinger process.
3409 #Default:
3410 # pinger_program /usr/lib64/squid/pinger
3411
3412 # TAG: pinger_enable
3413 # Control whether the pinger is active at run-time.
3414 # Enables turning ICMP pinger on and off with a simple
3415 # squid -k reconfigure.
3416 #Default:
3417 # pinger_enable on
3418
3419 # OPTIONS FOR URL REWRITING
3420 # -----------------------------------------------------------------------------
3421
3422 # TAG: url_rewrite_program
3423 # Specify the location of the executable URL rewriter to use.
3424 # Since they can perform almost any function there isn't one included.
3425 #
3426 # For each requested URL, the rewriter will receive one line with the format
3427 #
3428 # URL <SP> client_ip "/" fqdn <SP> user <SP> method [<SP> kvpairs]<NL>
3429 #
3430 # In the future, the rewriter interface will be extended with
3431 # key=value pairs ("kvpairs" shown above). Rewriter programs
3432 # should be prepared to receive and possibly ignore additional
3433 # whitespace-separated tokens on each input line.
3434 #
3435 # And the rewriter may return a rewritten URL. The other components of
3436 # the request line do not need to be returned (they are ignored if present).
3437 #
3438 # The rewriter can also indicate that a client-side redirect should
3439 # be performed to the new URL. This is done by prefixing the returned
3440 # URL with "301:" (moved permanently) or 302: (moved temporarily), etc.
3441 #
3442 # By default, a URL rewriter is not used.
3443 #Default:
3444 # none
3445
3446 # TAG: url_rewrite_children
3447 # The maximum number of redirector processes to spawn. If you limit
3448 # it too few Squid will have to wait for them to process a backlog of
3449 # URLs, slowing it down. If you allow too many they will use RAM
3450 # and other system resources noticeably.
3451 #
3452 # The startup= and idle= options allow some measure of skew in your
3453 # tuning.
3454 #
3455 # startup=
3456 #
3457 # Sets a minimum of how many processes are to be spawned when Squid
3458 # starts or reconfigures. When set to zero the first request will
3459 # cause spawning of the first child process to handle it.
3460 #
3461 # Starting too few will cause an initial slowdown in traffic as Squid
3462 # attempts to simultaneously spawn enough processes to cope.
3463 #
3464 # idle=
3465 #
3466 # Sets a minimum of how many processes Squid is to try and keep available
3467 # at all times. When traffic begins to rise above what the existing
3468 # processes can handle this many more will be spawned up to the maximum
3469 # configured. A minimum setting of 1 is required.
3470 #
3471 # concurrency=
3472 #
3473 # The number of requests each redirector helper can handle in
3474 # parallel. Defaults to 0 which indicates the redirector
3475 # is an old-style single threaded redirector.
3476 #
3477 # When this directive is set to a value >= 1 then the protocol
3478 # used to communicate with the helper is modified to include
3479 # a request ID in front of the request/response. The request
3480 # ID from the request must be echoed back with the response
3481 # to that request.
3482 #Default:
3483 # url_rewrite_children 20 startup=0 idle=1 concurrency=0
3484
3485 # TAG: url_rewrite_host_header
3486 # To preserve same-origin security policies in browsers and
3487 # prevent Host: header forgery by redirectors, Squid rewrites
3488 # any Host: header in redirected requests.
3489 #
3490 # If you are running an accelerator this may not be a wanted
3491 # effect of a redirector. This directive enables you to disable
3492 # Host: alteration in reverse-proxy traffic.
3493 #
3494 # WARNING: Entries are cached on the result of the URL rewriting
3495 # process, so be careful if you have domain-virtual hosts.
3496 #
3497 # WARNING: Squid and other software verifies the URL and Host
3498 # are matching, so be careful not to relay through other proxies
3499 # or inspecting firewalls with this disabled.
3500 #Default:
3501 # url_rewrite_host_header on
3502
3503 # TAG: url_rewrite_access
3504 # If defined, this access list specifies which requests are
3505 # sent to the redirector processes. By default all requests
3506 # are sent.
3507 #
3508 # This clause supports both fast and slow acl types.
3509 # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
3510 #Default:
3511 # none
3512
3513 # TAG: url_rewrite_bypass
3514 # When this is 'on', a request will not go through the
3515 # redirector if all redirectors are busy. If this is 'off'
3516 # and the redirector queue grows too large, Squid will exit
3517 # with a FATAL error and ask you to increase the number of
3518 # redirectors. You should only enable this if the redirectors
3519 # are not critical to your caching system. If you use
3520 # redirectors for access control, and you enable this option,
3521 # users may have access to pages they should not
3522 # be allowed to request.
3523 #Default:
3524 # url_rewrite_bypass off
3525
3526 # OPTIONS FOR TUNING THE CACHE
3527 # -----------------------------------------------------------------------------
3528
3529 # TAG: cache
3530 # A list of ACL elements which, if matched and denied, cause the request to
3531 # not be satisfied from the cache and the reply to not be cached.
3532 # In other words, use this to force certain objects to never be cached.
3533 #
3534 # You must use the words 'allow' or 'deny' to indicate whether items
3535 # matching the ACL should be allowed or denied into the cache.
3536 #
3537 # Default is to allow all to be cached.
3538 #
3539 # This clause supports both fast and slow acl types.
3540 # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
3541 #Default:
3542 # none
3543
3544 # TAG: max_stale time-units
3545 # This option puts an upper limit on how stale content Squid
3546 # will serve from the cache if cache validation fails.
3547 # Can be overridden by the refresh_pattern max-stale option.
3548 #Default:
3549 # max_stale 1 week
3550
3551 # TAG: refresh_pattern
3552 # usage: refresh_pattern [-i] regex min percent max [options]
3553 #
3554 # By default, regular expressions are CASE-SENSITIVE. To make
3555 # them case-insensitive, use the -i option.
3556 #
3557 # 'Min' is the time (in minutes) an object without an explicit
3558 # expiry time should be considered fresh. The recommended
3559 # value is 0, any higher values may cause dynamic applications
3560 # to be erroneously cached unless the application designer
3561 # has taken the appropriate actions.
3562 #
3563 # 'Percent' is a percentage of the object's age (time since last
3564 # modification) for which an object without explicit expiry time
3565 # will be considered fresh.
3566 #
3567 # 'Max' is an upper limit on how long objects without an explicit
3568 # expiry time will be considered fresh.
3569 #
3570 # options: override-expire
3571 # override-lastmod
3572 # reload-into-ims
3573 # ignore-reload
3574 # ignore-no-store
3575 # ignore-must-revalidate
3576 # ignore-private
3577 # ignore-auth
3578 # max-stale=NN
3579 # refresh-ims
3580 # store-stale
3581 #
3582 # override-expire enforces min age even if the server
3583 # sent an explicit expiry time (e.g., with the
3584 # Expires: header or Cache-Control: max-age). Doing this
3585 # VIOLATES the HTTP standard. Enabling this feature
3586 # could make you liable for problems which it causes.
3587 #
3588 # Note: override-expire does not enforce staleness - it only extends
3589 # freshness / min. If the server returns a Expires time which
3590 # is longer than your max time, Squid will still consider
3591 # the object fresh for that period of time.
3592 #
3593 # override-lastmod enforces min age even on objects
3594 # that were modified recently.
3595 #
3596 # reload-into-ims changes client no-cache or ``reload''
3597 # to If-Modified-Since requests. Doing this VIOLATES the
3598 # HTTP standard. Enabling this feature could make you
3599 # liable for problems which it causes.
3600 #
3601 # ignore-reload ignores a client no-cache or ``reload''
3602 # header. Doing this VIOLATES the HTTP standard. Enabling
3603 # this feature could make you liable for problems which
3604 # it causes.
3605 #
3606 # ignore-no-store ignores any ``Cache-control: no-store''
3607 # headers received from a server. Doing this VIOLATES
3608 # the HTTP standard. Enabling this feature could make you
3609 # liable for problems which it causes.
3610 #
3611 # ignore-must-revalidate ignores any ``Cache-Control: must-revalidate``
3612 # headers received from a server. Doing this VIOLATES
3613 # the HTTP standard. Enabling this feature could make you
3614 # liable for problems which it causes.
3615 #
3616 # ignore-private ignores any ``Cache-control: private''
3617 # headers received from a server. Doing this VIOLATES
3618 # the HTTP standard. Enabling this feature could make you
3619 # liable for problems which it causes.
3620 #
3621 # ignore-auth caches responses to requests with authorization,
3622 # as if the originserver had sent ``Cache-control: public''
3623 # in the response header. Doing this VIOLATES the HTTP standard.
3624 # Enabling this feature could make you liable for problems which
3625 # it causes.
3626 #
3627 # refresh-ims causes squid to contact the origin server
3628 # when a client issues an If-Modified-Since request. This
3629 # ensures that the client will receive an updated version
3630 # if one is available.
3631 #
3632 # store-stale stores responses even if they don't have explicit
3633 # freshness or a validator (i.e., Last-Modified or an ETag)
3634 # present, or if they're already stale. By default, Squid will
3635 # not cache such responses because they usually can't be
3636 # reused. Note that such responses will be stale by default.
3637 #
3638 # max-stale=NN provide a maximum staleness factor. Squid won't
3639 # serve objects more stale than this even if it failed to
3640 # validate the object. Default: use the max_stale global limit.
3641 #
3642 # Basically a cached object is:
3643 #
3644 # FRESH if expires > now, else STALE
3645 # STALE if age > max
3646 # FRESH if lm-factor < percent, else STALE
3647 # FRESH if age < min
3648 # else STALE
3649 #
3650 # The refresh_pattern lines are checked in the order listed here.
3651 # The first entry which matches is used. If none of the entries
3652 # match the default will be used.
3653 #
3654 # Note, you must uncomment all the default lines if you want
3655 # to change one. The default setting is only active if none is
3656 # used.
3657 #
3658 #
3659
3660 # Add any of your own refresh_pattern entries above these.
# FTP: objects without an explicit expiry are fresh for at least one day
# (1440 min), scaled by 20% of their age, up to one week (10080 min).
3661 refresh_pattern ^ftp: 1440 20% 10080
# Gopher: fresh for exactly one day, no age-based scaling.
3662 refresh_pattern ^gopher: 1440 0% 1440
# Dynamic content (CGI paths and any URL with a query string): zero
# freshness, so it is treated as stale unless the server sends an
# explicit expiry. Case-insensitive (-i).
3663 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
# Catch-all: no minimum freshness, 20% of the object's age, capped at
# three days (4320 min).
3664 refresh_pattern . 0 20% 4320
3665
3666 # TAG: quick_abort_min (KB)
3667 #Default:
3668 # quick_abort_min 16 KB
3669
3670 # TAG: quick_abort_max (KB)
3671 #Default:
3672 # quick_abort_max 16 KB
3673
3674 # TAG: quick_abort_pct (percent)
3675 # The cache by default continues downloading aborted requests
3676 # which are almost completed (less than 16 KB remaining). This
3677 # may be undesirable on slow (e.g. SLIP) links and/or very busy
3678 # caches. Impatient users may tie up file descriptors and
3679 # bandwidth by repeatedly requesting and immediately aborting
3680 # downloads.
3681 #
3682 # When the user aborts a request, Squid will compare the
3683 # quick_abort values to the amount of data transferred until
3684 # then.
3685 #
3686 # If the transfer has less than 'quick_abort_min' KB remaining,
3687 # it will finish the retrieval.
3688 #
3689 # If the transfer has more than 'quick_abort_max' KB remaining,
3690 # it will abort the retrieval.
3691 #
3692 # If more than 'quick_abort_pct' of the transfer has completed,
3693 # it will finish the retrieval.
3694 #
3695 # If you do not want any retrieval to continue after the client
3696 # has aborted, set both 'quick_abort_min' and 'quick_abort_max'
3697 # to '0 KB'.
3698 #
3699 # If you want retrievals to always continue if they are being
3700 # cached set 'quick_abort_min' to '-1 KB'.
3701 #Default:
3702 # quick_abort_pct 95
3703
3704 # TAG: read_ahead_gap buffer-size
3705 # The amount of data the cache will buffer ahead of what has been
3706 # sent to the client when retrieving an object from another server.
3707 #Default:
3708 # read_ahead_gap 16 KB
3709
3710 # TAG: negative_ttl time-units
3711 # Set the Default Time-to-Live (TTL) for failed requests.
3712 # Certain types of failures (such as "connection refused" and
3713 # "404 Not Found") are able to be negatively-cached for a short time.
3714 # Modern web servers should provide Expires: header, however if they
3715 # do not this can provide a minimum TTL.
3716 # The default is not to cache errors with unknown expiry details.
3717 #
3718 # Note that this is different from negative caching of DNS lookups.
3719 #
3720 # WARNING: Doing this VIOLATES the HTTP standard. Enabling
3721 # this feature could make you liable for problems which it
3722 # causes.
3723 #Default:
3724 # negative_ttl 0 seconds
3725
3726 # TAG: positive_dns_ttl time-units
3727 # Upper limit on how long Squid will cache positive DNS responses.
3728 # Default is 6 hours (360 minutes). This directive must be set
3729 # larger than negative_dns_ttl.
3730 #Default:
3731 # positive_dns_ttl 6 hours
3732
3733 # TAG: negative_dns_ttl time-units
3734 # Time-to-Live (TTL) for negative caching of failed DNS lookups.
3735 # This also sets the lower cache limit on positive lookups.
3736 # Minimum value is 1 second, and it is not recommended to go
3737 # much below 10 seconds.
3738 #Default:
3739 # negative_dns_ttl 1 minutes
3740
3741 # TAG: range_offset_limit size [acl acl...]
3742 # usage: (size) [units] [[!]aclname]
3743 #
3744 # Sets an upper limit on how far (number of bytes) into the file
3745 # a Range request may be to cause Squid to prefetch the whole file.
3746 # If beyond this limit, Squid forwards the Range request as it is and
3747 # the result is NOT cached.
3748 #
3749 # This is to stop a far-ahead range request (let's say starting at 17MB)
3750 # from making Squid fetch the whole object up to that point before
3751 # sending anything to the client.
3752 #
3753 # Multiple range_offset_limit lines may be specified, and they will
3754 # be searched from top to bottom on each request until a match is found.
3755 # The first match found will be used. If no line matches a request, the
3756 # default limit of 0 bytes will be used.
3757 #
3758 # 'size' is the limit specified as a number of units.
3759 #
3760 # 'units' specifies whether to use bytes, KB, MB, etc.
3761 # If no units are specified bytes are assumed.
3762 #
3763 # A size of 0 causes Squid to never fetch more than the
3764 # client requested. (default)
3765 #
3766 # A size of 'none' causes Squid to always fetch the object from the
3767 # beginning so it may cache the result. (2.0 style)
3768 #
3769 # 'aclname' is the name of a defined ACL.
3770 #
3771 # NP: Using 'none' as the byte value here will override any quick_abort settings
3772 # that may otherwise apply to the range request. The range request will
3773 # be fully fetched from start to finish regardless of the client
3774 # actions. This affects bandwidth usage.
3775 #Default:
3776 # none
3777
3778 # TAG: minimum_expiry_time (seconds)
3779 # The minimum caching time according to (Expires - Date)
3780 # Headers Squid honors if the object can't be revalidated
3781 # defaults to 60 seconds. In reverse proxy environments it
3782 # might be desirable to honor shorter object lifetimes. It
3783 # is most likely better to make your server return a
3784 # meaningful Last-Modified header however. In ESI environments
3785 # where page fragments often have short lifetimes, this will
3786 # often be best set to 0.
3787 #Default:
3788 # minimum_expiry_time 60 seconds
3789
3790 # TAG: store_avg_object_size (bytes)
3791 # Average object size, used to estimate number of objects your
3792 # cache can hold. The default is 13 KB.
3793 #Default:
3794 # store_avg_object_size 13 KB
3795
3796 # TAG: store_objects_per_bucket
3797 # Target number of objects per bucket in the store hash table.
3798 # Lowering this value increases the total number of buckets and
3799 # also the storage maintenance rate. The default is 20.
3800 #Default:
3801 # store_objects_per_bucket 20
3802
3803 # HTTP OPTIONS
3804 # -----------------------------------------------------------------------------
3805
3806 # TAG: request_header_max_size (KB)
3807 # This specifies the maximum size for HTTP headers in a request.
3808 # Request headers are usually relatively small (about 512 bytes).
3809 # Placing a limit on the request header size will catch certain
3810 # bugs (for example with persistent connections) and possibly
3811 # buffer-overflow or denial-of-service attacks.
3812 #Default:
3813 # request_header_max_size 64 KB
3814
3815 # TAG: reply_header_max_size (KB)
3816 # This specifies the maximum size for HTTP headers in a reply.
3817 # Reply headers are usually relatively small (about 512 bytes).
3818 # Placing a limit on the reply header size will catch certain
3819 # bugs (for example with persistent connections) and possibly
3820 # buffer-overflow or denial-of-service attacks.
3821 #Default:
3822 # reply_header_max_size 64 KB
3823
3824 # TAG: request_body_max_size (bytes)
3825 # This specifies the maximum size for an HTTP request body.
3826 # In other words, the maximum size of a PUT/POST request.
3827 # A user who attempts to send a request with a body larger
3828 # than this limit receives an "Invalid Request" error message.
3829 # If you set this parameter to zero (the default), no limit is
3830 # imposed. Consider an explicit limit when untrusted clients can reach
# the proxy: client_request_buffer_max_size only bounds Squid's own
# buffer, not the total body relayed upstream.
3831 #Default:
3832 # request_body_max_size 0 KB
3833
3834 # TAG: client_request_buffer_max_size (bytes)
3835 # This specifies the maximum buffer size of a client request.
3836 # It prevents squid eating too much memory when somebody uploads
3837 # a large file.
3838 #Default:
3839 # client_request_buffer_max_size 512 KB
3840
3841 # TAG: chunked_request_body_max_size (bytes)
3842 # A broken or confused HTTP/1.1 client may send a chunked HTTP
3843 # request to Squid. Squid does not have full support for that
3844 # feature yet. To cope with such requests, Squid buffers the
3845 # entire request and then dechunks request body to create a
3846 # plain HTTP/1.0 request with a known content length. The plain
3847 # request is then used by the rest of Squid code as usual.
3848 #
3849 # The option value specifies the maximum size of the buffer used
3850 # to hold the request before the conversion. If the chunked
3851 # request size exceeds the specified limit, the conversion
3852 # fails, and the client receives an "unsupported request" error,
3853 # as if dechunking was disabled.
3854 #
3855 # Dechunking is enabled by default. To disable conversion of
3856 # chunked requests, set the maximum to zero.
3857 #
3858 # Request dechunking feature and this option in particular are a
3859 # temporary hack. When chunking requests and responses are fully
3860 # supported, there will be no need to buffer a chunked request.
3861 #Default:
3862 # chunked_request_body_max_size 64 KB
3863
3864 # TAG: broken_posts
3865 # A list of ACL elements which, if matched, causes Squid to send
3866 # an extra CRLF pair after the body of a PUT/POST request.
3867 #
3868 # Some HTTP servers have broken implementations of PUT/POST,
3869 # and rely on an extra CRLF pair sent by some WWW clients.
3870 #
3871 # Quote from RFC2616 section 4.1 on this matter:
3872 #
3873 # Note: certain buggy HTTP/1.0 client implementations generate
3874 # extra CRLF's after a POST request. To restate what is explicitly
3875 # forbidden by the BNF, an HTTP/1.1 client must not preface or follow
3876 # a request with an extra CRLF.
3877 #
3878 # This clause only supports fast acl types.
3879 # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
3880 #
3881 #Example:
3882 # acl buggy_server url_regex ^http://....
3883 # broken_posts allow buggy_server
3884 #Default:
3885 # none
3886
3887 # TAG: adaptation_uses_indirect_client on|off
3888 # Controls whether the indirect client IP address (instead of the direct
3889 # client IP address) is passed to adaptation services.
3890 #
3891 # See also: follow_x_forwarded_for adaptation_send_client_ip
3892 #Default:
3893 # adaptation_uses_indirect_client on
3894
3895 # TAG: via on|off
3896 # If set (default), Squid will include a Via header in requests and
3897 # replies as required by RFC2616.
3898 #Default:
3899 # via on
3900
3901 # TAG: ie_refresh on|off
3902 # Microsoft Internet Explorer up until version 5.5 Service
3903 # Pack 1 has an issue with transparent proxies, wherein it
3904 # is impossible to force a refresh. Turning this on provides
3905 # a partial fix to the problem, by causing all IMS-REFRESH
3906 # requests from older IE versions to check the origin server
3907 # for fresh content. This reduces hit ratio by some amount
3908 # (~10% in my experience), but allows users to actually get
3909 # fresh content when they want it. Note because Squid
3910 # cannot tell if the user is using 5.5 or 5.5SP1, the behavior
3911 # of 5.5 is unchanged from old versions of Squid (i.e. a
3912 # forced refresh is impossible). Newer versions of IE will,
3913 # hopefully, continue to have the new behavior and will be
3914 # handled based on that assumption. This option defaults to
3915 # the old Squid behavior, which is better for hit ratios but
3916 # worse for clients using IE, if they need to be able to
3917 # force fresh content.
3918 #Default:
3919 # ie_refresh off
3920
3921 # TAG: vary_ignore_expire on|off
3922 # Many HTTP servers supporting Vary give such objects an
3923 # immediate expiry time with no cache-control header
3924 # when requested by a HTTP/1.0 client. This option
3925 # enables Squid to ignore such expiry times until
3926 # HTTP/1.1 is fully implemented.
3927 #
3928 # WARNING: If turned on this may eventually cause some
3929 # varying objects not intended for caching to get cached.
3930 #Default:
3931 # vary_ignore_expire off
3932
3933 # TAG: request_entities
3934 # Squid defaults to deny GET and HEAD requests with request entities,
3935 # as the meaning of such requests is undefined in the HTTP standard
3936 # even if not explicitly forbidden.
3937 #
3938 # Set this directive to on if you have clients which insist
3939 # on sending request entities in GET or HEAD requests. But be warned
3940 # that there is server software (both proxies and web servers) which
3941 # can fail to properly process this kind of request, which may make you
3942 # vulnerable to cache pollution attacks if enabled.
3943 #Default:
3944 # request_entities off
3945
3946 # TAG: request_header_access
3947 # Usage: request_header_access header_name allow|deny [!]aclname ...
3948 #
3949 # WARNING: Doing this VIOLATES the HTTP standard. Enabling
3950 # this feature could make you liable for problems which it
3951 # causes.
3952 #
3953 # This option replaces the old 'anonymize_headers' and the
3954 # older 'http_anonymizer' option with something that is much
3955 # more configurable. A list of ACLs for each header name allows
3956 # removal of specific header fields under specific conditions.
3957 #
3958 # This option only applies to outgoing HTTP request headers (i.e.,
3959 # headers sent by Squid to the next HTTP hop such as a cache peer
3960 # or an origin server). The option has no effect during cache hit
3961 # detection. The equivalent adaptation vectoring point in ICAP
3962 # terminology is post-cache REQMOD.
3963 #
3964 # The option is applied to individual outgoing request header
3965 # fields. For each request header field F, Squid uses the first
3966 # qualifying set of request_header_access rules:
3967 #
3968 # 1. Rules with header_name equal to F's name.
3969 # 2. Rules with header_name 'Other', provided F's name is not
3970 # on the hard-coded list of commonly used HTTP header names.
3971 # 3. Rules with header_name 'All'.
3972 #
3973 # Within that qualifying rule set, rule ACLs are checked as usual.
3974 # If ACLs of an "allow" rule match, the header field is allowed to
3975 # go through as is. If ACLs of a "deny" rule match, the header is
3976 # removed and request_header_replace is then checked to identify
3977 # if the removed header has a replacement. If no rules within the
3978 # set have matching ACLs, the header field is left as is.
3979 #
3980 # For example, to achieve the same behavior as the old
3981 # 'http_anonymizer standard' option, you should use:
3982 #
3983 # request_header_access From deny all
3984 # request_header_access Referer deny all
3985 # request_header_access Server deny all
3986 # request_header_access User-Agent deny all
3987 # request_header_access WWW-Authenticate deny all
3988 # request_header_access Link deny all
3989 #
3990 # Or, to reproduce the old 'http_anonymizer paranoid' feature
3991 # you should use:
3992 #
3993 # request_header_access Allow allow all
3994 # request_header_access Authorization allow all
3995 # request_header_access WWW-Authenticate allow all
3996 # request_header_access Proxy-Authorization allow all
3997 # request_header_access Proxy-Authenticate allow all
3998 # request_header_access Cache-Control allow all
3999 # request_header_access Content-Encoding allow all
4000 # request_header_access Content-Length allow all
4001 # request_header_access Content-Type allow all
4002 # request_header_access Date allow all
4003 # request_header_access Expires allow all
4004 # request_header_access Host allow all
4005 # request_header_access If-Modified-Since allow all
4006 # request_header_access Last-Modified allow all
4007 # request_header_access Location allow all
4008 # request_header_access Pragma allow all
4009 # request_header_access Accept allow all
4010 # request_header_access Accept-Charset allow all
4011 # request_header_access Accept-Encoding allow all
4012 # request_header_access Accept-Language allow all
4013 # request_header_access Content-Language allow all
4014 # request_header_access Mime-Version allow all
4015 # request_header_access Retry-After allow all
4016 # request_header_access Title allow all
4017 # request_header_access Connection allow all
4018 # request_header_access All deny all
4019 #
4020 # although many of those are HTTP reply headers, and so should be
4021 # controlled with the reply_header_access directive.
4022 #
4023 # By default, all headers are allowed (no anonymizing is
4024 # performed).
4025 #Default:
4026 # none
4027
4028 # TAG: reply_header_access
4029 # Usage: reply_header_access header_name allow|deny [!]aclname ...
4030 #
4031 # WARNING: Doing this VIOLATES the HTTP standard. Enabling
4032 # this feature could make you liable for problems which it
4033 # causes.
4034 #
4035 # This option only applies to reply headers, i.e., from the
4036 # server to the client.
4037 #
4038 # This is the same as request_header_access, but in the other
4039 # direction. Please see request_header_access for detailed
4040 # documentation.
4041 #
4042 # For example, to achieve the same behavior as the old
4043 # 'http_anonymizer standard' option, you should use:
4044 #
4045 # reply_header_access From deny all
4046 # reply_header_access Referer deny all
4047 # reply_header_access Server deny all
4048 # reply_header_access User-Agent deny all
4049 # reply_header_access WWW-Authenticate deny all
4050 # reply_header_access Link deny all
4051 #
4052 # Or, to reproduce the old 'http_anonymizer paranoid' feature
4053 # you should use:
4054 #
4055 # reply_header_access Allow allow all
4056 # reply_header_access Authorization allow all
4057 # reply_header_access WWW-Authenticate allow all
4058 # reply_header_access Proxy-Authorization allow all
4059 # reply_header_access Proxy-Authenticate allow all
4060 # reply_header_access Cache-Control allow all
4061 # reply_header_access Content-Encoding allow all
4062 # reply_header_access Content-Length allow all
4063 # reply_header_access Content-Type allow all
4064 # reply_header_access Date allow all
4065 # reply_header_access Expires allow all
4066 # reply_header_access Host allow all
4067 # reply_header_access If-Modified-Since allow all
4068 # reply_header_access Last-Modified allow all
4069 # reply_header_access Location allow all
4070 # reply_header_access Pragma allow all
4071 # reply_header_access Accept allow all
4072 # reply_header_access Accept-Charset allow all
4073 # reply_header_access Accept-Encoding allow all
4074 # reply_header_access Accept-Language allow all
4075 # reply_header_access Content-Language allow all
4076 # reply_header_access Mime-Version allow all
4077 # reply_header_access Retry-After allow all
4078 # reply_header_access Title allow all
4079 # reply_header_access Connection allow all
4080 # reply_header_access All deny all
4081 #
4082 # although the HTTP request headers won't be usefully controlled
4083 # by this directive -- see request_header_access for details.
4084 #
4085 # By default, all headers are allowed (no anonymizing is
4086 # performed).
4087 #Default:
4088 # none
4089
4090 # TAG: request_header_replace
4091 # Usage: request_header_replace header_name message
4092 # Example: request_header_replace User-Agent Nutscrape/1.0 (CP/M; 8-bit)
4093 #
4094 # This option allows you to change the contents of headers
4095 # denied with request_header_access above, by replacing them
4096 # with some fixed string. This replaces the old fake_user_agent
4097 # option.
4098 #
4099 # This only applies to request headers, not reply headers.
4100 #
4101 # By default, headers are removed if denied.
4102 #Default:
4103 # none
4104
4105 # TAG: reply_header_replace
4106 # Usage: reply_header_replace header_name message
4107 # Example: reply_header_replace Server Foo/1.0
4108 #
4109 # This option allows you to change the contents of headers
4110 # denied with reply_header_access above, by replacing them
4111 # with some fixed string.
4112 #
4113 # This only applies to reply headers, not request headers.
4114 #
4115 # By default, headers are removed if denied.
4116 #Default:
4117 # none
4118
4119 # TAG: relaxed_header_parser on|off|warn
4120 # In the default "on" setting Squid accepts certain forms
4121 # of non-compliant HTTP messages where it is unambiguous
4122 # what the sending application intended even if the message
4123 # is not correctly formatted. The message is then normalized
4124 # to the correct form when forwarded by Squid.
4125 #
4126 # If set to "warn" then a warning will be emitted in cache.log
4127 # each time such an HTTP error is encountered.
4128 #
4129 # If set to "off" then such HTTP errors will cause the request
4130 # or response to be rejected.
4131 #Default:
4132 # relaxed_header_parser on
4133
4134 # TIMEOUTS
4135 # -----------------------------------------------------------------------------
4136
4137 # TAG: forward_timeout time-units
4138 # This parameter specifies the maximum time Squid should spend
4139 # trying to find a forwarding path for the request before giving up.
4140 #Default:
4141 # forward_timeout 4 minutes
4142
4143 # TAG: connect_timeout time-units
4144 # This parameter specifies how long to wait for the TCP connect to
4145 # the requested server or peer to complete before Squid should
4146 # attempt to find another path to which to forward the request.
4147 #Default:
4148 # connect_timeout 1 minute
4149
4150 # TAG: peer_connect_timeout time-units
4151 # This parameter specifies how long to wait for a pending TCP
4152 # connection to a peer cache. The default is 30 seconds. You
4153 # may also set different timeout values for individual neighbors
4154 # with the 'connect-timeout' option on a 'cache_peer' line.
4155 #Default:
4156 # peer_connect_timeout 30 seconds
4157
4158 # TAG: read_timeout time-units
4159 # The read_timeout is applied on server-side connections. After
4160 # each successful read(), the timeout will be extended by this
4161 # amount. If no data is read again after this amount of time,
4162 # the request is aborted and logged with ERR_READ_TIMEOUT. The
4163 # default is 15 minutes.
4164 #Default:
4165 # read_timeout 15 minutes
4166
4167 # TAG: write_timeout time-units
4168 # This timeout is tracked for all connections that have data
4169 # available for writing and are waiting for the socket to become
4170 # ready. After each successful write, the timeout is extended by
4171 # the configured amount. If Squid has data to write but the
4172 # connection is not ready for the configured duration, the
4173 # transaction associated with the connection is terminated. The
4174 # default is 15 minutes.
4175 #Default:
4176 # write_timeout 15 minutes
4177
4178 # TAG: request_timeout
4179 # How long to wait for complete HTTP request headers after initial
4180 # connection establishment.
4181 #Default:
4182 # request_timeout 5 minutes
4183
4184 # TAG: client_idle_pconn_timeout
4185 # How long to wait for the next HTTP request on a persistent
4186 # client connection after the previous request completes.
4187 #Default:
4188 # client_idle_pconn_timeout 2 minutes
4189
4190 # TAG: client_lifetime time-units
4191 # The maximum amount of time a client (browser) is allowed to
4192 # remain connected to the cache process. This protects the Cache
4193 # from having a lot of sockets (and hence file descriptors) tied up
4194 # in a CLOSE_WAIT state from remote clients that go away without
4195 # properly shutting down (either because of a network failure or
4196 # because of a poor client implementation). The default is one
4197 # day, 1440 minutes.
4198 #
4199 # NOTE: The default value is intended to be much larger than any
4200 # client would ever need to be connected to your cache. You
4201 # should probably change client_lifetime only as a last resort.
4202 # If you seem to have many client connections tying up
4203 # file descriptors, we recommend first tuning the read_timeout,
4204 # request_timeout, persistent_request_timeout and quick_abort values.
4205 #Default:
4206 # client_lifetime 1 day
4207
4208 # TAG: half_closed_clients
4209 # Some clients may shut down the sending side of their TCP
4210 # connections, while leaving their receiving sides open. Sometimes,
4211 # Squid can not tell the difference between a half-closed and a
4212 # fully-closed TCP connection.
4213 #
4214 # By default, Squid will immediately close client connections when
4215 # read(2) returns "no more data to read."
4216 #
4217 # Change this option to 'on' and Squid will keep open connections
4218 # until a read(2) or write(2) on the socket returns an error.
4219 # This may show some benefits for reverse proxies. Otherwise
4220 # it is recommended to leave it OFF.
4221 #Default:
4222 # half_closed_clients off
4223
4224 # TAG: server_idle_pconn_timeout
4225 # Timeout for idle persistent connections to servers and other
4226 # proxies.
4227 #Default:
4228 # server_idle_pconn_timeout 1 minute
4229
4230 # TAG: ident_timeout
4231 # Note: This option is only available if Squid is rebuilt with the
4232 # --enable-ident-lookups
4233 #
4234 # Maximum time to wait for IDENT lookups to complete.
4235 #
4236 # If this is too high, and you enabled IDENT lookups from untrusted
4237 # users, you might be susceptible to denial-of-service by having
4238 # many ident requests going at once.
4239 #Default:
4240 # ident_timeout 10 seconds
4241
4242 # TAG: shutdown_lifetime time-units
4243 # When SIGTERM or SIGHUP is received, the cache is put into
4244 # "shutdown pending" mode until all active sockets are closed.
4245 # This value is the lifetime to set for all open descriptors
4246 # during shutdown mode. Any active clients after this many
4247 # seconds will receive a 'timeout' message.
4248 #Default:
4249 # shutdown_lifetime 30 seconds
4250 #
4251 shutdown_lifetime 5 seconds
4252
4253 # ADMINISTRATIVE PARAMETERS
4254 # -----------------------------------------------------------------------------
4255
4256 # TAG: cache_mgr
4257 # Email-address of local cache manager who will receive
4258 # mail if the cache dies. The default is "webmaster."
4259 #Default:
4260 # cache_mgr root
4261
4262 # TAG: mail_from
4263 # From: email-address for mail sent when the cache dies.
4264 # The default is to use 'appname@unique_hostname'.
4265 # Default appname value is "squid", can be changed into
4266 # src/globals.h before building squid.
4267 #Default:
4268 # none
4269
4270 # TAG: mail_program
4271 # Email program used to send mail if the cache dies.
4272 # The default is "mail". The specified program must comply
4273 # with the standard Unix mail syntax:
4274 # mail-program recipient < mailfile
4275 #
4276 # Optional command line options can be specified.
4277 #Default:
4278 # mail_program mail
4279
4280 # TAG: cache_effective_user
4281 # If you start Squid as root, it will change its effective/real
4282 # UID/GID to the user specified below. The default is to change
4283 # to the UID of squid.
4284 # See also: cache_effective_group
4285 #Default:
4286 # cache_effective_user squid
4287 #
4288 cache_effective_user squid
4289
4290 # TAG: cache_effective_group
4291 # Squid sets the GID to the effective user's default group ID
4292 # (taken from the password file) and supplementary group list
4293 # from the groups membership.
4294 #
4295 # If you want Squid to run with a specific GID regardless of
4296 # the group memberships of the effective user then set this
4297 # to the group (or GID) you want Squid to run as. When set
4298 # all other group privileges of the effective user are ignored
4299 # and only this GID is effective. If Squid is not started as
4300 # root the user starting Squid MUST be a member of the specified
4301 # group.
4302 #
4303 # This option is not recommended by the Squid Team.
4304 # Our preference is for administrators to configure a secure
4305 # user account for squid with UID/GID matching system policies.
4306 #Default:
4307 # cache_effective_group squid
4308 #
4309 cache_effective_group squid
4310
4311 # TAG: httpd_suppress_version_string on|off
4312 # Suppress Squid version string info in HTTP headers and HTML error pages.
4313 #Default:
4314 # httpd_suppress_version_string off
4315
4316 # TAG: visible_hostname
4317 # If you want to present a special hostname in error messages, etc,
4318 # define this. Otherwise, the return value of gethostname()
4319 # will be used. If you have multiple caches in a cluster and
4320 # get errors about IP-forwarding you must set them to have individual
4321 # names with this setting.
4322 #Default:
4323 # visible_hostname unconfigured
4324
4325 # TAG: unique_hostname
4326 # If you want to have multiple machines with the same
4327 # 'visible_hostname' you must give each machine a different
4328 # 'unique_hostname' so forwarding loops can be detected.
4329 #Default:
4330 # none
4331
4332 # TAG: hostname_aliases
4333 # A list of other DNS names your cache has.
4334 #Default:
4335 # none
4336
4337 # TAG: umask
4338 # Minimum umask which should be enforced while the proxy
4339 # is running, in addition to the umask set at startup.
4340 #
4341 # For a traditional octal representation of umasks, start
4342 # your value with 0.
4343 #Default:
4344 # umask 027
4345
4346 # OPTIONS FOR THE CACHE REGISTRATION SERVICE
4347 # -----------------------------------------------------------------------------
4348 #
4349 # This section contains parameters for the (optional) cache
4350 # announcement service. This service is provided to help
4351 # cache administrators locate one another in order to join or
4352 # create cache hierarchies.
4353 #
4354 # An 'announcement' message is sent (via UDP) to the registration
4355 # service by Squid. By default, the announcement message is NOT
4356 # SENT unless you enable it with 'announce_period' below.
4357 #
4358 # The announcement message includes your hostname, plus the
4359 # following information from this configuration file:
4360 #
4361 # http_port
4362 # icp_port
4363 # cache_mgr
4364 #
4365 # All current information is processed regularly and made
4366 # available on the Web at http://www.ircache.net/Cache/Tracker/.
4367
4368 # TAG: announce_period
4369 # This is how frequently to send cache announcements. The
4370 # default is `0' which disables sending the announcement
4371 # messages.
4372 #
4373 # To enable announcing your cache, just set an announce period.
4374 #
4375 # Example:
4376 # announce_period 1 day
4377 #Default:
4378 # announce_period 0
4379
4380 # TAG: announce_host
4381 #Default:
4382 # announce_host tracker.ircache.net
4383
4384 # TAG: announce_file
4385 #Default:
4386 # none
4387
4388 # TAG: announce_port
4389 # announce_host and announce_port set the hostname and port
4390 # number where the registration message will be sent.
4391 #
4392 # Hostname will default to 'tracker.ircache.net' and port will
4393 # default to 3131. If the 'filename' argument is given,
4394 # the contents of that file will be included in the announce
4395 # message.
4396 #Default:
4397 # announce_port 3131
4398
4399 # HTTPD-ACCELERATOR OPTIONS
4400 # -----------------------------------------------------------------------------
4401
4402 # TAG: httpd_accel_surrogate_id
4403 # Surrogates (http://www.esi.org/architecture_spec_1.0.html)
4404 # need an identification token to allow control targeting. Because
4405 # a farm of surrogates may all perform the same tasks, they may share
4406 # an identification token.
4407 #
4408 # The default ID is the visible_hostname
4409 #Default:
4410 # none
4411
4412 # TAG: http_accel_surrogate_remote on|off
4413 # Remote surrogates (such as those in a CDN) honour Surrogate-Control: no-store-remote.
4414 # Set this to on to have squid behave as a remote surrogate.
4415 #Default:
4416 # http_accel_surrogate_remote off
4417
4418 # TAG: esi_parser libxml2|expat|custom
4419 # Note: This option is only available if Squid is rebuilt with the
4420 # --enable-esi
4421 #
4422 # ESI markup is not strictly XML compatible. The custom ESI parser
4423 # will give higher performance, but cannot handle non ASCII character
4424 # encodings.
4425 #Default:
4426 # esi_parser custom
4427
4428 # DELAY POOL PARAMETERS
4429 # -----------------------------------------------------------------------------
4430
4431 # TAG: delay_pools
4432 # This represents the number of delay pools to be used. For example,
4433 # if you have one class 2 delay pool and one class 3 delay pool, you
4434 # have a total of 2 delay pools.
4435 #Default:
4436 # delay_pools 0
4437
4438 # TAG: delay_class
4439 # This defines the class of each delay pool. There must be exactly one
4440 # delay_class line for each delay pool. For example, to define two
4441 # delay pools, one of class 2 and one of class 3, the settings above
4442 # and here would be:
4443 #
4444 # Example:
4445 # delay_pools 4 # 4 delay pools
4446 # delay_class 1 2 # pool 1 is a class 2 pool
4447 # delay_class 2 3 # pool 2 is a class 3 pool
4448 # delay_class 3 4 # pool 3 is a class 4 pool
4449 # delay_class 4 5 # pool 4 is a class 5 pool
4450 #
4451 # The delay pool classes are:
4452 #
4453 # class 1 Everything is limited by a single aggregate
4454 # bucket.
4455 #
4456 # class 2 Everything is limited by a single aggregate
4457 # bucket as well as an "individual" bucket chosen
4458 # from bits 25 through 32 of the IPv4 address.
4459 #
4460 # class 3 Everything is limited by a single aggregate
4461 # bucket as well as a "network" bucket chosen
4462 # from bits 17 through 24 of the IP address and an
4463 # "individual" bucket chosen from bits 17 through
4464 # 32 of the IPv4 address.
4465 #
4466 # class 4 Everything in a class 3 delay pool, with an
4467 # additional limit on a per user basis. This
4468 # only takes effect if the username is established
4469 # in advance - by forcing authentication in your
4470 # http_access rules.
4471 #
4472 # class 5 Requests are grouped according to their tag (see
4473 # external_acl's tag= reply).
4474 #
4475 #
4476 # Each pool also requires a delay_parameters directive to configure the pool size
4477 # and speed limits used whenever the pool is applied to a request. Along with
4478 # a set of delay_access directives to determine when it is used.
4479 #
4480 # NOTE: If an IP address is a.b.c.d
4481 # -> bits 25 through 32 are "d"
4482 # -> bits 17 through 24 are "c"
4483 # -> bits 17 through 32 are "c * 256 + d"
4484 #
4485 # NOTE-2: Due to the use of bitmasks in class 2,3,4 pools they only apply to
4486 # IPv4 traffic. Class 1 and 5 pools may be used with IPv6 traffic.
4487 #Default:
4488 # none
4489
4490 # TAG: delay_access
4491 # This is used to determine which delay pool a request falls into.
4492 #
4493 # delay_access is sorted per pool and the matching starts with pool 1,
4494 # then pool 2, ..., and finally pool N. The first delay pool where the
4495 # request is allowed is selected for the request. If it does not allow
4496 # the request to any pool then the request is not delayed (default).
4497 #
4498 # For example, if you want some_big_clients in delay
4499 # pool 1 and lotsa_little_clients in delay pool 2:
4500 #
4501 #Example:
4502 # delay_access 1 allow some_big_clients
4503 # delay_access 1 deny all
4504 # delay_access 2 allow lotsa_little_clients
4505 # delay_access 2 deny all
4506 # delay_access 3 allow authenticated_clients
4507 #Default:
4508 # none
4509
4510 # TAG: delay_parameters
4511 # This defines the parameters for a delay pool. Each delay pool has
4512 # a number of "buckets" associated with it, as explained in the
4513 # description of delay_class.
4514 #
4515 # For a class 1 delay pool, the syntax is:
4516 # delay_pools pool 1
4517 # delay_parameters pool aggregate
4518 #
4519 # For a class 2 delay pool:
4520 # delay_pools pool 2
4521 # delay_parameters pool aggregate individual
4522 #
4523 # For a class 3 delay pool:
4524 # delay_pools pool 3
4525 # delay_parameters pool aggregate network individual
4526 #
4527 # For a class 4 delay pool:
4528 # delay_pools pool 4
4529 # delay_parameters pool aggregate network individual user
4530 #
4531 # For a class 5 delay pool:
4532 # delay_pools pool 5
4533 # delay_parameters pool tagrate
4534 #
4535 # The option variables are:
4536 #
4537 # pool a pool number - ie, a number between 1 and the
4538 # number specified in delay_pools as used in
4539 # delay_class lines.
4540 #
4541 # aggregate the speed limit parameters for the aggregate bucket
4542 # (class 1, 2, 3).
4543 #
4544 # individual the speed limit parameters for the individual
4545 # buckets (class 2, 3).
4546 #
4547 # network the speed limit parameters for the network buckets
4548 # (class 3).
4549 #
4550 # user the speed limit parameters for the user buckets
4551 # (class 4).
4552 #
4553 # tagrate the speed limit parameters for the tag buckets
4554 # (class 5).
4555 #
4556 # A pair of delay parameters is written restore/maximum, where restore is
4557 # the number of bytes (not bits - modem and network speeds are usually
4558 # quoted in bits) per second placed into the bucket, and maximum is the
4559 # maximum number of bytes which can be in the bucket at any time.
4560 #
4561 # There must be one delay_parameters line for each delay pool.
4562 #
4563 #
4564 # For example, if delay pool number 1 is a class 2 delay pool as in the
4565 # above example, and is being used to strictly limit each host to 64Kbit/sec
4566 # (plus overheads), with no overall limit, the line is:
4567 #
4568 # delay_parameters 1 -1/-1 8000/8000
4569 #
4570 # Note that 8 x 8000 Byte/sec -> 64Kbit/sec.
4571 #
4572 # Note that the figure -1 is used to represent "unlimited".
4573 #
4574 #
4575 # And, if delay pool number 2 is a class 3 delay pool as in the above
4576 # example, and you want to limit it to a total of 256Kbit/sec (strict limit)
4577 # with each 8-bit network permitted 64Kbit/sec (strict limit) and each
4578 # individual host permitted 4800bit/sec with a bucket maximum size of 64Kbits
4579 # to permit a decent web page to be downloaded at a decent speed
4580 # (if the network is not being limited due to overuse) but slow down
4581 # large downloads more significantly:
4582 #
4583 # delay_parameters 2 32000/32000 8000/8000 600/8000
4584 #
4585 # Note that 8 x 32000 Byte/sec -> 256Kbit/sec.
4586 # 8 x 8000 Byte/sec -> 64Kbit/sec.
4587 # 8 x 600 Byte/sec -> 4800bit/sec.
4588 #
4589 #
4590 # Finally, for a class 4 delay pool as in the example - each user will
4591 # be limited to 128Kbits/sec no matter how many workstations they are logged into:
4592 #
4593 # delay_parameters 4 32000/32000 8000/8000 600/64000 16000/16000
4594 #Default:
4595 # none
4596
4597 # TAG: delay_initial_bucket_level (percent, 0-100)
4598 # The initial bucket percentage is used to determine how much is put
4599 # in each bucket when squid starts, is reconfigured, or first notices
4600 # a host accessing it (in class 2 and class 3, individual hosts and
4601 # networks only have buckets associated with them once they have been
4602 # "seen" by squid).
4603 #Default:
4604 # delay_initial_bucket_level 50
4605
4606 # CLIENT DELAY POOL PARAMETERS
4607 # -----------------------------------------------------------------------------
4608
4609 # TAG: client_delay_pools
4610 # This option specifies the number of client delay pools used. It must
4611 # precede other client_delay_* options.
4612 #
4613 #Example:
4614 # client_delay_pools 2
4615 #Default:
4616 # client_delay_pools 0
4617
4618 # TAG: client_delay_initial_bucket_level (percent, 0-no_limit)
4619 # This option determines the initial bucket size as a percentage of
4620 # max_bucket_size from client_delay_parameters. Buckets are created
4621 # at the time of the "first" connection from the matching IP. Idle
4622 # buckets are periodically deleted.
4623 #
4624 # You can specify more than 100 percent but note that such "oversized"
4625 # buckets are not refilled until their size goes down to max_bucket_size
4626 # from client_delay_parameters.
4627 #
4628 #Example:
4629 # client_delay_initial_bucket_level 50
4630 #Default:
4631 # client_delay_initial_bucket_level 50
4632
4633 # TAG: client_delay_parameters
4634 #
4635 # This option configures client-side bandwidth limits using the
4636 # following format:
4637 #
4638 # client_delay_parameters pool speed_limit max_bucket_size
4639 #
4640 # pool is an integer ID used for client_delay_access matching.
4641 #
4642 # speed_limit is bytes added to the bucket per second.
4643 #
4644 # max_bucket_size is the maximum size of a bucket, enforced after any
4645 # speed_limit additions.
4646 #
4647 # Please see the delay_parameters option for more information and
4648 # examples.
4649 #
4650 #Example:
4651 # client_delay_parameters 1 1024 2048
4652 # client_delay_parameters 2 51200 16384
4653 #Default:
4654 # none
4655
4656 # TAG: client_delay_access
4657 #
4658 # This option determines the client-side delay pool for the
4659 # request:
4660 #
4661 # client_delay_access pool_ID allow|deny acl_name
4662 #
4663 # All client_delay_access options are checked in their pool ID
4664 # order, starting with pool 1. The first checked pool that allows
4665 # the request is selected for the request. If no ACL matches or there
4666 # are no client_delay_access options, the request bandwidth is not
4667 # limited.
4668 #
4669 # The ACL-selected pool is then used to find the
4670 # client_delay_parameters for the request. Client-side pools are
4671 # not used to aggregate clients. Clients are always aggregated
4672 # based on their source IP addresses (one bucket per source IP).
4673 #
4674 # Please see delay_access for more examples.
4675 #
4676 #Example:
4677 # client_delay_access 1 allow low_rate_network
4678 # client_delay_access 2 allow vips_network
4679 #Default:
4680 # none
4681
4682 # WCCPv1 AND WCCPv2 CONFIGURATION OPTIONS
4683 # -----------------------------------------------------------------------------
4684
4685 # TAG: wccp_router
4686 # Use this option to define your WCCP ``home'' router for
4687 # Squid.
4688 #
4689 # wccp_router supports a single WCCP(v1) router
4690 #
4691 # wccp2_router supports multiple WCCPv2 routers
4692 #
4693 # only one of the two may be used at the same time and defines
4694 # which version of WCCP to use.
4695 #Default:
4696 # wccp_router any_addr
4697
4698 # TAG: wccp2_router
4699 # Use this option to define your WCCP ``home'' router for
4700 # Squid.
4701 #
4702 # wccp_router supports a single WCCP(v1) router
4703 #
4704 # wccp2_router supports multiple WCCPv2 routers
4705 #
4706 # only one of the two may be used at the same time and defines
4707 # which version of WCCP to use.
4708 #Default:
4709 # none
4710
4711 # TAG: wccp_version
4712 # This directive is only relevant if you need to set up WCCP(v1)
4713 # to some very old and end-of-life Cisco routers. In all other
4714 # setups it must be left unset or at the default setting.
4715 # It defines an internal version in the WCCP(v1) protocol,
4716 # with version 4 being the officially documented protocol.
4717 #
4718 # According to some users, Cisco IOS 11.2 and earlier only
4719 # support WCCP version 3. If you're using that or an earlier
4720 # version of IOS, you may need to change this value to 3, otherwise
4721 # do not specify this parameter.
4722 #Default:
4723 # wccp_version 4
4724
4725 # TAG: wccp2_rebuild_wait
4726 # If this is enabled Squid will wait for the cache dir rebuild to finish
4727 # before sending the first wccp2 HereIAm packet.
4728 #Default:
4729 # wccp2_rebuild_wait on
4730
4731 # TAG: wccp2_forwarding_method
4732 # WCCP2 allows the setting of forwarding methods between the
4733 # router/switch and the cache. Valid values are as follows:
4734 #
4735 # gre - GRE encapsulation (forward the packet in a GRE/WCCP tunnel)
4736 # l2 - L2 redirect (forward the packet using Layer 2/MAC rewriting)
4737 #
4738 # Currently (as of IOS 12.4) cisco routers only support GRE.
4739 # Cisco switches only support the L2 redirect assignment method.
4740 #Default:
4741 # wccp2_forwarding_method gre
4742
4743 # TAG: wccp2_return_method
4744 # WCCP2 allows the setting of return methods between the
4745 # router/switch and the cache for packets that the cache
4746 # decides not to handle. Valid values are as follows:
4747 #
4748 # gre - GRE encapsulation (forward the packet in a GRE/WCCP tunnel)
4749 # l2 - L2 redirect (forward the packet using Layer 2/MAC rewriting)
4750 #
4751 # Currently (as of IOS 12.4) Cisco routers only support GRE.
4752 # Cisco switches only support the L2 redirect assignment.
4753 #
4754 # If the "ip wccp redirect exclude in" command has been
4755 # enabled on the cache interface, then it is still safe for
4756 # the proxy server to use an L2 redirect method even if this
4757 # option is set to GRE.
4758 #Default:
4759 # wccp2_return_method gre
4760
4761 # TAG: wccp2_assignment_method
4762 # WCCP2 allows the setting of methods to assign the WCCP hash
4763 # Valid values are as follows:
4764 #
4765 # hash - Hash assignment
4766 # mask - Mask assignment
4767 #
4768 # As a general rule, Cisco routers support the hash assignment method
4769 # and Cisco switches support the mask assignment method.
4770 #Default:
4771 # wccp2_assignment_method hash
4772
4773 # TAG: wccp2_service
4774 # WCCP2 allows for multiple traffic services. There are two
4775 # types: "standard" and "dynamic". The standard type defines
4776 # one service id - http (id 0). The dynamic service ids can be from
4777 # 51 to 255 inclusive. In order to use a dynamic service id
4778 # one must define the type of traffic to be redirected; this is done
4779 # using the wccp2_service_info option.
4780 #
4781 # The "standard" type does not require a wccp2_service_info option,
4782 # just specifying the service id will suffice.
4783 #
4784 # MD5 service authentication can be enabled by adding
4785 # "password=<password>" to the end of this service declaration.
4785 # The password is stored in cleartext in squid.conf, so restrict
4785 # read access to this file accordingly.
4786 #
4787 # Examples:
4788 #
4789 # wccp2_service standard 0 # for the 'web-cache' standard service
4790 # wccp2_service dynamic 80 # a dynamic service type which will be
4791 # # fleshed out with subsequent options.
4792 # wccp2_service standard 0 password=foo
4793 #Default:
4794 # wccp2_service standard 0
4795
4796 # TAG: wccp2_service_info
4797 # Dynamic WCCPv2 services require further information to define the
4798 # traffic you wish to have diverted.
4799 #
4800 # The format is:
4801 #
4802 # wccp2_service_info <id> protocol=<protocol> flags=<flag>,<flag>..
4803 # priority=<priority> ports=<port>,<port>..
4804 #
4805 # The relevant WCCPv2 flags:
4806 # + src_ip_hash, dst_ip_hash
4807 # + source_port_hash, dst_port_hash
4808 # + src_ip_alt_hash, dst_ip_alt_hash
4809 # + src_port_alt_hash, dst_port_alt_hash
4810 # + ports_source
4811 #
4812 # The port list can contain one to eight entries.
4813 #
4814 # Example:
4815 #
4816 # wccp2_service_info 80 protocol=tcp flags=src_ip_hash,ports_source
4817 # priority=240 ports=80
4818 #
4819 # Note: the service id must have been defined by a previous
4820 # 'wccp2_service dynamic <id>' entry.
4821 #Default:
4822 # none
4823
4824 # TAG: wccp2_weight
4825 # Each cache server gets assigned a set of the destination
4826 # hash proportional to their weight.
4827 #Default:
4828 # wccp2_weight 10000
4829
4830 # TAG: wccp_address
4831 #Default:
4832 # wccp_address 0.0.0.0
4833
4834 # TAG: wccp2_address
4835 # Use this option if you require WCCP to use a specific
4836 # interface address.
4837 #
4838 # The default behavior is to not bind to any specific address.
4839 #Default:
4840 # wccp2_address 0.0.0.0
4841
4842 # PERSISTENT CONNECTION HANDLING
4843 # -----------------------------------------------------------------------------
4844 #
4845 # Also see "pconn_timeout" in the TIMEOUTS section
4846
4847 # TAG: client_persistent_connections
4848 #Default:
4849 # client_persistent_connections on
4850
4851 # TAG: server_persistent_connections
4852 # Persistent connection support for clients and servers. By
4853 # default, Squid uses persistent connections (when allowed)
4854 # with its clients and servers. You can use these options to
4855 # disable persistent connections with clients and/or servers.
4856 #Default:
4857 # server_persistent_connections on
4858
4859 # TAG: persistent_connection_after_error
4860 # With this directive the use of persistent connections after
4861 # HTTP errors can be disabled. Useful if you have clients
4862 # that fail to handle errors on persistent connections properly.
4863 #Default:
4864 # persistent_connection_after_error on
4865
4866 # TAG: detect_broken_pconn
4867 # Some servers have been found to incorrectly signal the use
4868 # of HTTP/1.0 persistent connections even on replies not
4869 # compatible, causing significant delays. This server problem
4870 # has mostly been seen on redirects.
4871 #
4872 # By enabling this directive, Squid attempts to detect such
4873 # broken replies and automatically assumes the reply is finished
4874 # after a 10 second timeout.
4875 #Default:
4876 # detect_broken_pconn off
4877
4878 # CACHE DIGEST OPTIONS
4879 # -----------------------------------------------------------------------------
4880
4881 # TAG: digest_generation
4882 # This controls whether the server will generate a Cache Digest
4883 # of its contents. By default, Cache Digest generation is
4884 # enabled if Squid is compiled with --enable-cache-digests defined.
4885 #Default:
4886 # digest_generation on
4887
4888 # TAG: digest_bits_per_entry
4889 # This is the number of bits of the server's Cache Digest which
4890 # will be associated with the Digest entry for a given HTTP
4891 # Method and URL (public key) combination. The default is 5.
4892 #Default:
4893 # digest_bits_per_entry 5
4894
4895 # TAG: digest_rebuild_period (seconds)
4896 # This is the wait time between Cache Digest rebuilds.
4897 #Default:
4898 # digest_rebuild_period 1 hour
4899
4900 # TAG: digest_rewrite_period (seconds)
4901 # This is the wait time between Cache Digest writes to
4902 # disk.
4903 #Default:
4904 # digest_rewrite_period 1 hour
4905
4906 # TAG: digest_swapout_chunk_size (bytes)
4907 # This is the number of bytes of the Cache Digest to write to
4908 # disk at a time. It defaults to 4096 bytes (4KB), the Squid
4909 # default swap page.
4910 #Default:
4911 # digest_swapout_chunk_size 4096 bytes
4912
4913 # TAG: digest_rebuild_chunk_percentage (percent, 0-100)
4914 # This is the percentage of the Cache Digest to