- fix race condition checking service status (mga#10934) - fix directory definition in proxy wizard - fix parameter format in proxy wizard - updated default proxy config file
1 | # WELCOME TO SQUID 3.2.10 |
2 | # ---------------------------- |
3 | # |
4 | # This is the documentation for the Squid configuration file. |
5 | # This documentation can also be found online at: |
6 | # http://www.squid-cache.org/Doc/config/ |
7 | # |
8 | # You may wish to look at the Squid home page and wiki for the |
9 | # FAQ and other documentation: |
10 | # http://www.squid-cache.org/ |
11 | # http://wiki.squid-cache.org/SquidFaq |
12 | # http://wiki.squid-cache.org/ConfigExamples |
13 | # |
14 | # This documentation shows what the defaults for various directives |
15 | # happen to be. If you don't need to change the default, you should |
16 | # leave the line out of your squid.conf in most cases. |
17 | # |
18 | # In some cases "none" refers to no default setting at all, |
19 | # while in other cases it refers to the value of the option |
20 | # - the comments for that keyword indicate if this is the case. |
21 | # |
22 | |
23 | # Configuration options can be included using the "include" directive. |
24 | # Include takes a list of files to include. Quoting and wildcards are |
25 | # supported. |
26 | # |
27 | # For example, |
28 | # |
29 | # include /path/to/included/file/squid.acl.config |
30 | # |
31 | # Includes can be nested up to a hard-coded depth of 16 levels. |
32 | # This fixed limit exists to prevent recursive include references |
33 | # from causing Squid to enter an infinite loop whilst trying to load |
34 | # configuration files. |
35 | # |
36 | # |
37 | # Conditional configuration |
38 | # |
39 | # If-statements can be used to make configuration directives |
40 | # depend on conditions: |
41 | # |
42 | # if <CONDITION> |
43 | # ... regular configuration directives ... |
44 | # [else |
45 | # ... regular configuration directives ...] |
46 | # endif |
47 | # |
48 | # The else part is optional. The keywords "if", "else", and "endif" |
49 | # must be typed on their own lines, as if they were regular |
50 | # configuration directives. |
51 | # |
52 | # NOTE: An else-if condition is not supported. |
53 | # |
54 | # These individual conditions types are supported: |
55 | # |
56 | # true |
57 | # Always evaluates to true. |
58 | # false |
59 | # Always evaluates to false. |
60 | # <integer> = <integer> |
61 | # Equality comparison of two integer numbers. |
62 | # |
63 | # |
64 | # SMP-Related Macros |
65 | # |
66 | # The following SMP-related preprocessor macros can be used. |
67 | # |
68 | # ${process_name} expands to the current Squid process "name" |
69 | # (e.g., squid1, squid2, or cache1). |
70 | # |
71 | # ${process_number} expands to the current Squid process |
72 | # identifier, which is an integer number (e.g., 1, 2, 3) unique |
73 | # across all Squid processes. |
74 | |
75 | # TAG: broken_vary_encoding |
76 | # This option is not yet supported by Squid-3. |
77 | #Default: |
78 | # none |
79 | |
80 | # TAG: cache_vary |
81 | # This option is not yet supported by Squid-3. |
82 | #Default: |
83 | # none |
84 | |
85 | # TAG: collapsed_forwarding |
86 | # This option is not yet supported by Squid-3. see http://bugs.squid-cache.org/show_bug.cgi?id=3495 |
87 | #Default: |
88 | # none |
89 | |
90 | # TAG: error_map |
91 | # This option is not yet supported by Squid-3. |
92 | #Default: |
93 | # none |
94 | |
95 | # TAG: external_refresh_check |
96 | # This option is not yet supported by Squid-3. |
97 | #Default: |
98 | # none |
99 | |
100 | # TAG: ignore_ims_on_miss |
101 | # This option is not yet supported by Squid-3. |
102 | #Default: |
103 | # none |
104 | |
105 | # TAG: location_rewrite_program |
106 | # This option is not yet supported by Squid-3. |
107 | #Default: |
108 | # none |
109 | |
110 | # TAG: refresh_stale_hit |
111 | # This option is not yet supported by Squid-3. |
112 | #Default: |
113 | # none |
114 | |
115 | # TAG: storeurl_access |
116 | # This option is not yet supported by this version of Squid-3. Please try a later release. |
117 | #Default: |
118 | # none |
119 | |
120 | # TAG: ignore_expect_100 |
121 | # Remove this line. The HTTP/1.1 feature is now fully supported by default. |
122 | #Default: |
123 | # none |
124 | |
125 | # TAG: dns_v4_fallback |
126 | # Remove this line. Squid performs a 'Happy Eyeballs' algorithm, the 'fallback' algorithm is no longer relevant. |
127 | #Default: |
128 | # none |
129 | |
130 | # TAG: ftp_list_width |
131 | # Remove this line. Configure FTP page display using the CSS controls in errorpages.css instead. |
132 | #Default: |
133 | # none |
134 | |
135 | # TAG: maximum_single_addr_tries |
136 | # Replaced by connect_retries. The behaviour has changed, please read the documentation before altering. |
137 | #Default: |
138 | # none |
139 | |
140 | # TAG: update_headers |
141 | # Remove this line. The feature is supported by default in storage types where update is implemented. |
142 | #Default: |
143 | # none |
144 | |
145 | # TAG: url_rewrite_concurrency |
146 | # Remove this line. Set the 'concurrency=' option of url_rewrite_children instead. |
147 | #Default: |
148 | # none |
149 | |
150 | # TAG: dns_testnames |
151 | # Remove this line. DNS is no longer tested on startup. |
152 | #Default: |
153 | # none |
154 | |
155 | # TAG: extension_methods |
156 | # Remove this line. All valid methods for HTTP are accepted by default. |
157 | #Default: |
158 | # none |
159 | |
160 | # TAG: zero_buffers |
161 | #Default: |
162 | # none |
163 | |
164 | # TAG: incoming_rate |
165 | #Default: |
166 | # none |
167 | |
168 | # TAG: server_http11 |
169 | # Remove this line. HTTP/1.1 is supported by default. |
170 | #Default: |
171 | # none |
172 | |
173 | # TAG: upgrade_http0.9 |
174 | # Remove this line. ICY/1.0 streaming protocol is supported by default. |
175 | #Default: |
176 | # none |
177 | |
178 | # TAG: zph_local |
179 | # Alter these entries. Use the qos_flows directive instead. |
180 | #Default: |
181 | # none |
182 | |
183 | # TAG: header_access |
184 | # Since squid-3.0 replace with request_header_access or reply_header_access |
185 | # depending on whether you wish to match client requests or server replies. |
186 | #Default: |
187 | # none |
188 | |
189 | # TAG: httpd_accel_no_pmtu_disc |
190 | # Since squid-3.0 use the 'disable-pmtu-discovery' flag on http_port instead. |
191 | #Default: |
192 | # none |
193 | |
194 | # TAG: wais_relay_host |
195 | # Replace this line with 'cache_peer' configuration. |
196 | #Default: |
197 | # none |
198 | |
199 | # TAG: wais_relay_port |
200 | # Replace this line with 'cache_peer' configuration. |
201 | #Default: |
202 | # none |
203 | |
204 | # OPTIONS FOR AUTHENTICATION |
205 | # ----------------------------------------------------------------------------- |
206 | |
207 | # TAG: auth_param |
208 | # This is used to define parameters for the various authentication |
209 | # schemes supported by Squid. |
210 | # |
211 | # format: auth_param scheme parameter [setting] |
212 | # |
213 | # The order in which authentication schemes are presented to the client is |
214 | # dependent on the order the scheme first appears in the config file. IE |
215 | # has a bug (it's not RFC 2617 compliant) in that it will use the basic |
216 | # scheme if basic is the first entry presented, even if more secure |
217 | # schemes are presented. For now use the order in the recommended |
218 | # settings section below. If other browsers have difficulties (don't |
219 | # recognize the schemes offered even if you are using basic) either |
220 | # put basic first, or disable the other schemes (by commenting out their |
221 | # program entry). |
222 | # |
223 | # Once an authentication scheme is fully configured, it can only be |
224 | # disabled by shutting squid down and restarting. Changes can be made on |
225 | # the fly and activated with a reconfigure. I.E. You can change to a |
226 | # different helper, but not unconfigure the helper completely. |
227 | # |
228 | # Please note that while this directive defines how Squid processes |
229 | # authentication it does not automatically activate authentication. |
230 | # To use authentication you must in addition make use of ACLs based |
231 | # on login name in http_access (proxy_auth, proxy_auth_regex or |
232 | # external with %LOGIN used in the format tag). The browser will be |
233 | # challenged for authentication on the first such acl encountered |
234 | # in http_access processing and will also be re-challenged for new |
235 | # login credentials if the request is being denied by a proxy_auth |
236 | # type acl. |
237 | # |
238 | # WARNING: authentication can't be used in a transparently intercepting |
239 | # proxy as the client then thinks it is talking to an origin server and |
240 | # not the proxy. This is a limitation of bending the TCP/IP protocol to |
241 | # transparently intercepting port 80, not a limitation in Squid. |
242 | # Ports flagged 'transparent', 'intercept', or 'tproxy' have |
243 | # authentication disabled. |
244 | # |
245 | # === Parameters for the basic scheme follow. === |
246 | # |
247 | # "program" cmdline |
248 | # Specify the command for the external authenticator. Such a program |
249 | # reads a line containing "username password" and replies "OK" or |
250 | # "ERR" in an endless loop. "ERR" responses may optionally be followed |
251 | # by an error description available as %m in the returned error page. |
252 | # If you use an authenticator, make sure you have 1 acl of type |
253 | # proxy_auth. |
254 | # |
255 | # By default, the basic authentication scheme is not used unless a |
256 | # program is specified. Note that the Basic scheme carries the username and password with every request encoded only in base64 (effectively cleartext), so use it only where the client-to-proxy link is trusted or encrypted. |
257 | # |
258 | # If you want to use the traditional NCSA proxy authentication, set |
259 | # this line to something like |
260 | # |
261 | # auth_param basic program /usr/libexec/ncsa_auth /usr/etc/passwd |
262 | # |
263 | # "utf8" on|off |
264 | # HTTP uses iso-latin-1 as character set, while some authentication |
265 | # backends such as LDAP expect UTF-8. If this is set to on Squid will |
266 | # translate the HTTP iso-latin-1 charset to UTF-8 before sending the |
267 | # username & password to the helper. |
268 | # |
269 | # "children" numberofchildren [startup=N] [idle=N] [concurrency=N] |
270 | # The maximum number of authenticator processes to spawn. If you start too few |
271 | # Squid will have to wait for them to process a backlog of credential |
272 | # verifications, slowing it down. When password verifications are |
273 | # done via a (slow) network you are likely to need lots of |
274 | # authenticator processes. |
275 | # |
276 | # The startup= and idle= options permit some skew in the exact amount |
277 | # run. A minimum of startup=N will begin during startup and reconfigure. |
278 | # Squid will start more in groups of up to idle=N in an attempt to meet |
279 | # traffic needs and to keep idle=N free above those traffic needs up to |
280 | # the maximum. |
281 | # |
282 | # The concurrency= option sets the number of concurrent requests the |
283 | # helper can process. The default of 0 is used for helpers who only |
284 | # supports one request at a time. Setting this to a number greater than |
285 | # 0 changes the protocol used to include a channel number first on the |
286 | # request/response line, allowing multiple requests to be sent to the |
287 | # same helper in parallel without waiting for the response. |
288 | # Must not be set unless it's known the helper supports this. |
289 | # |
290 | # auth_param basic children 20 startup=0 idle=1 |
291 | # |
292 | # "realm" realmstring |
293 | # Specifies the realm name which is to be reported to the |
294 | # client for the basic proxy authentication scheme (part of |
295 | # the text the user will see when prompted their username and |
296 | # password). There is no default. |
297 | # auth_param basic realm Squid proxy-caching web server |
298 | # |
299 | # "credentialsttl" timetolive |
300 | # Specifies how long squid assumes an externally validated |
301 | # username:password pair is valid for - in other words how |
302 | # often the helper program is called for that user. Set this |
303 | # low to force revalidation with short lived passwords. Note |
304 | # setting this high does not impact your susceptibility |
305 | # to replay attacks unless you are using a one-time password |
306 | # system (such as SecureID). If you are using such a system, |
307 | # you will be vulnerable to replay attacks unless you also |
308 | # use the max_user_ip ACL in an http_access rule. Note also that a validated pair stays accepted until the TTL expires, so a password changed or an account disabled in the backend is not noticed by Squid until then. |
309 | # |
310 | # "casesensitive" on|off |
311 | # Specifies if usernames are case sensitive. Most user databases are |
312 | # case insensitive allowing the same username to be spelled using both |
313 | # lower and upper case letters, but some are case sensitive. This |
314 | # makes a big difference for max_user_ip ACL processing and similar: with it off, "Alice" and "alice" are treated as the same user for such checks, so set it to match the helper's backend. |
315 | # auth_param basic casesensitive off |
316 | # |
317 | # === Parameters for the digest scheme follow === |
318 | # |
319 | # "program" cmdline |
320 | # Specify the command for the external authenticator. Such |
321 | # a program reads a line containing "username":"realm" and |
322 | # replies with the appropriate H(A1) value hex encoded or |
323 | # ERR if the user (or his H(A1) hash) does not exist. |
324 | # See RFC 2617 for the definition of H(A1). Note that H(A1) is password-equivalent for that realm, so the file or backend it is read from needs the same protection as a plaintext password store. |
325 | # "ERR" responses may optionally be followed by an error description |
326 | # available as %m in the returned error page. |
327 | # |
328 | # By default, the digest authentication scheme is not used unless a |
329 | # program is specified. |
330 | # |
331 | # If you want to use a digest authenticator, set this line to |
332 | # something like |
333 | # |
334 | # auth_param digest program /usr/bin/digest_pw_auth /usr/etc/digpass |
335 | # |
336 | # "utf8" on|off |
337 | # HTTP uses iso-latin-1 as character set, while some authentication |
338 | # backends such as LDAP expect UTF-8. If this is set to on Squid will |
339 | # translate the HTTP iso-latin-1 charset to UTF-8 before sending the |
340 | # username & password to the helper. |
341 | # |
342 | # "children" numberofchildren [startup=N] [idle=N] [concurrency=N] |
343 | # The maximum number of authenticator processes to spawn (default 5). |
344 | # If you start too few Squid will have to wait for them to |
345 | # process a backlog of H(A1) calculations, slowing it down. |
346 | # When the H(A1) calculations are done via a (slow) network |
347 | # you are likely to need lots of authenticator processes. |
348 | # |
349 | # The startup= and idle= options permit some skew in the exact amount |
350 | # run. A minimum of startup=N will begin during startup and reconfigure. |
351 | # Squid will start more in groups of up to idle=N in an attempt to meet |
352 | # traffic needs and to keep idle=N free above those traffic needs up to |
353 | # the maximum. |
354 | # |
355 | # The concurrency= option sets the number of concurrent requests the |
356 | # helper can process. The default of 0 is used for helpers who only |
357 | # supports one request at a time. Setting this to a number greater than |
358 | # 0 changes the protocol used to include a channel number first on the |
359 | # request/response line, allowing multiple requests to be sent to the |
360 | # same helper in parallel without waiting for the response. |
361 | # Must not be set unless it's known the helper supports this. |
362 | # |
363 | # auth_param digest children 20 startup=0 idle=1 |
364 | # |
365 | # "realm" realmstring |
366 | # Specifies the realm name which is to be reported to the |
367 | # client for the digest proxy authentication scheme (part of |
368 | # the text the user will see when prompted their username and |
369 | # password). There is no default. |
370 | # auth_param digest realm Squid proxy-caching web server |
371 | # |
372 | # "nonce_garbage_interval" timeinterval |
373 | # Specifies the interval at which nonces that have been issued |
374 | # to client agents are checked for validity. |
375 | # |
376 | # "nonce_max_duration" timeinterval |
377 | # Specifies the maximum length of time a given nonce will be |
378 | # valid for. |
379 | # |
380 | # "nonce_max_count" number |
381 | # Specifies the maximum number of times a given nonce can be |
382 | # used. |
383 | # |
384 | # "nonce_strictness" on|off |
385 | # Determines if squid requires strict increment-by-1 behavior |
386 | # for nonce counts, or just incrementing (off - for use when |
387 | # user agents generate nonce counts that occasionally miss 1 |
388 | # (i.e., 1,2,4,6)). Default off. |
389 | # |
390 | # "check_nonce_count" on|off |
391 | # This directive if set to off can disable the nonce count check |
392 | # completely to work around buggy digest qop implementations in |
393 | # certain mainstream browser versions. Default on to check the |
394 | # nonce count to protect from authentication replay attacks. Turning it off removes that replay protection for every digest client, so treat it as a last resort rather than a routine compatibility setting. |
395 | # |
396 | # "post_workaround" on|off |
397 | # This is a workaround for certain buggy browsers that send |
398 | # an incorrect request digest in POST requests when reusing |
399 | # the same nonce as acquired earlier on a GET request. |
400 | # |
401 | # === NTLM scheme options follow === |
402 | # |
403 | # "program" cmdline |
404 | # Specify the command for the external NTLM authenticator. |
405 | # Such a program reads exchanged NTLMSSP packets with |
406 | # the browser via Squid until authentication is completed. |
407 | # If you use an NTLM authenticator, make sure you have 1 acl |
408 | # of type proxy_auth. By default, the NTLM authenticator_program |
409 | # is not used. |
410 | # |
411 | # auth_param ntlm program /usr/bin/ntlm_auth |
412 | # |
413 | # "children" numberofchildren [startup=N] [idle=N] |
414 | # The maximum number of authenticator processes to spawn (default 5). |
415 | # If you start too few Squid will have to wait for them to |
416 | # process a backlog of credential verifications, slowing it |
417 | # down. When credential verifications are done via a (slow) |
418 | # network you are likely to need lots of authenticator |
419 | # processes. |
420 | # |
421 | # The startup= and idle= options permit some skew in the exact amount |
422 | # run. A minimum of startup=N will begin during startup and reconfigure. |
423 | # Squid will start more in groups of up to idle=N in an attempt to meet |
424 | # traffic needs and to keep idle=N free above those traffic needs up to |
425 | # the maximum. |
426 | # |
427 | # auth_param ntlm children 20 startup=0 idle=1 |
428 | # |
429 | # "keep_alive" on|off |
430 | # If you experience problems with PUT/POST requests when using the |
431 | # NTLM authentication scheme then you can try setting this to |
432 | # off. This will cause Squid to forcibly close the connection on |
433 | # the initial requests where the browser asks which schemes are |
434 | # supported by the proxy. |
435 | # |
436 | # auth_param ntlm keep_alive on |
437 | # |
438 | # === Options for configuring the NEGOTIATE auth-scheme follow === |
439 | # |
440 | # "program" cmdline |
441 | # Specify the command for the external Negotiate authenticator. |
442 | # This protocol is used in Microsoft Active-Directory enabled setups with |
443 | # the Microsoft Internet Explorer or Mozilla Firefox browsers. |
444 | # Its main purpose is to exchange credentials with the Squid proxy |
445 | # using the Kerberos mechanisms. |
446 | # If you use a Negotiate authenticator, make sure you have at least |
447 | # one acl of type proxy_auth active. By default, the negotiate |
448 | # authenticator_program is not used. |
449 | # The only supported program for this role is the ntlm_auth |
450 | # program distributed as part of Samba, version 4 or later. |
451 | # |
452 | # auth_param negotiate program /usr/bin/ntlm_auth --helper-protocol=gss-spnego |
453 | # |
454 | # "children" numberofchildren [startup=N] [idle=N] |
455 | # The maximum number of authenticator processes to spawn (default 5). |
456 | # If you start too few Squid will have to wait for them to |
457 | # process a backlog of credential verifications, slowing it |
458 | # down. When credential verifications are done via a (slow) |
459 | # network you are likely to need lots of authenticator |
460 | # processes. |
461 | # |
462 | # The startup= and idle= options permit some skew in the exact amount |
463 | # run. A minimum of startup=N will begin during startup and reconfigure. |
464 | # Squid will start more in groups of up to idle=N in an attempt to meet |
465 | # traffic needs and to keep idle=N free above those traffic needs up to |
466 | # the maximum. |
467 | # |
468 | # auth_param negotiate children 20 startup=0 idle=1 |
469 | # |
470 | # "keep_alive" on|off |
471 | # If you experience problems with PUT/POST requests when using the |
472 | # Negotiate authentication scheme then you can try setting this to |
473 | # off. This will cause Squid to forcibly close the connection on |
474 | # the initial requests where the browser asks which schemes are |
475 | # supported by the proxy. |
476 | # |
477 | # auth_param negotiate keep_alive on |
478 | # |
479 | # |
480 | # Examples: |
481 | # |
482 | ##Recommended minimum configuration per scheme: |
483 | ##auth_param negotiate program <uncomment and complete this line to activate> |
484 | ##auth_param negotiate children 20 startup=0 idle=1 |
485 | ##auth_param negotiate keep_alive on |
486 | ## |
487 | ##auth_param ntlm program <uncomment and complete this line to activate> |
488 | ##auth_param ntlm children 20 startup=0 idle=1 |
489 | ##auth_param ntlm keep_alive on |
490 | ## |
491 | ##auth_param digest program <uncomment and complete this line> |
492 | ##auth_param digest children 20 startup=0 idle=1 |
493 | ##auth_param digest realm Squid proxy-caching web server |
494 | ##auth_param digest nonce_garbage_interval 5 minutes |
495 | ##auth_param digest nonce_max_duration 30 minutes |
496 | ##auth_param digest nonce_max_count 50 |
497 | ## |
498 | ##auth_param basic program <uncomment and complete this line> |
499 | ##auth_param basic children 5 startup=5 idle=1 |
500 | ##auth_param basic realm Squid proxy-caching web server |
501 | ##auth_param basic credentialsttl 2 hours |
502 | #Default: |
503 | # none |
504 | |
505 | # TAG: authenticate_cache_garbage_interval |
506 | # The time period between garbage collection across the username cache. |
507 | # This is a trade-off between memory utilization (long intervals - say |
508 | # 2 days) and CPU (short intervals - say 1 minute). Only change if you |
509 | # have good reason to. |
510 | #Default: |
511 | # authenticate_cache_garbage_interval 1 hour |
512 | |
513 | # TAG: authenticate_ttl |
514 | # The time a user & their credentials stay in the logged in |
515 | # user cache since their last request. When the garbage |
516 | # interval passes, all user credentials that have passed their |
517 | # TTL are removed from memory. |
518 | #Default: |
519 | # authenticate_ttl 1 hour |
520 | |
521 | # TAG: authenticate_ip_ttl |
522 | # If you use proxy authentication and the 'max_user_ip' ACL, |
523 | # this directive controls how long Squid remembers the IP |
524 | # addresses associated with each user. Use a small value |
525 | # (e.g., 60 seconds) if your users might change addresses |
526 | # quickly, as is the case with dialup. You might be safe |
527 | # using a larger value (e.g., 2 hours) in a corporate LAN |
528 | # environment with relatively static address assignments. |
529 | #Default: |
530 | # authenticate_ip_ttl 0 seconds |
531 | |
532 | # ACCESS CONTROLS |
533 | # ----------------------------------------------------------------------------- |
534 | |
535 | # TAG: external_acl_type |
536 | # This option defines external acl classes using a helper program |
537 | # to look up the status of a request |
538 | # |
539 | # external_acl_type name [options] FORMAT.. /path/to/helper [helper arguments..] |
540 | # |
541 | # Options: |
542 | # |
543 | # ttl=n TTL in seconds for cached results (defaults to 3600 |
544 | # for 1 hour) |
545 | # negative_ttl=n |
546 | # TTL for cached negative lookups (default same |
547 | # as ttl) |
548 | # children-max=n |
549 | # Maximum number of acl helper processes spawned to service |
550 | # external acl lookups of this type. (default 20) |
551 | # children-startup=n |
552 | # Minimum number of acl helper processes to spawn during |
553 | # startup and reconfigure to service external acl lookups |
554 | # of this type. (default 0) |
555 | # children-idle=n |
556 | # Number of acl helper processes to keep ahead of traffic |
557 | # loads. Squid will spawn this many at once whenever load |
558 | # rises above the capabilities of existing processes. |
559 | # Up to the value of children-max. (default 1) |
560 | # concurrency=n concurrency level per process. Only used with helpers |
561 | # capable of processing more than one query at a time. |
562 | # cache=n limit the result cache size, default is unbounded. |
563 | # grace=n Percentage remaining of TTL where a refresh of a |
564 | # cached entry should be initiated without needing to |
565 | # wait for a new reply. (default is for no grace period) |
566 | # protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers |
567 | # ipv4 / ipv6 IP protocol used to communicate with this helper. |
568 | # The default is to auto-detect IPv6 and use it when available. |
569 | # |
570 | # FORMAT specifications |
571 | # |
572 | # %LOGIN Authenticated user login name |
573 | # %EXT_USER Username from previous external acl |
574 | # %EXT_LOG Log details from previous external acl |
575 | # %EXT_TAG Tag from previous external acl |
576 | # %IDENT Ident user name |
577 | # %SRC Client IP |
578 | # %SRCPORT Client source port |
579 | # %URI Requested URI |
580 | # %DST Requested host |
581 | # %PROTO Requested protocol |
582 | # %PORT Requested port |
583 | # %PATH Requested URL path |
584 | # %METHOD Request method |
585 | # %MYADDR Squid interface address |
586 | # %MYPORT Squid http_port number |
587 | # %PATH Requested URL-path (including query-string if any) |
588 | # %USER_CERT SSL User certificate in PEM format |
589 | # %USER_CERTCHAIN SSL User certificate chain in PEM format |
590 | # %USER_CERT_xx SSL User certificate subject attribute xx |
591 | # %USER_CA_xx SSL User certificate issuer attribute xx |
592 | # |
593 | # %>{Header} HTTP request header "Header" |
594 | # %>{Hdr:member} |
595 | # HTTP request header "Hdr" list member "member" |
596 | # %>{Hdr:;member} |
597 | # HTTP request header list member using ; as |
598 | # list separator. ; can be any non-alphanumeric |
599 | # character. |
600 | # |
601 | # %<{Header} HTTP reply header "Header" |
602 | # %<{Hdr:member} |
603 | # HTTP reply header "Hdr" list member "member" |
604 | # %<{Hdr:;member} |
605 | # HTTP reply header list member using ; as |
606 | # list separator. ; can be any non-alphanumeric |
607 | # character. |
608 | # |
609 | # %% The percent sign. Useful for helpers which need |
610 | # an unchanging input format. |
611 | # |
612 | # In addition to the above, any string specified in the referencing |
613 | # acl will also be included in the helper request line, after the |
614 | # specified formats (see the "acl external" directive) |
615 | # |
616 | # The helper receives lines per the above format specification, |
617 | # and returns lines starting with OK or ERR indicating the validity |
618 | # of the request and optionally followed by additional keywords with |
619 | # more details. |
620 | # |
621 | # General result syntax: |
622 | # |
623 | # OK/ERR keyword=value ... |
624 | # |
625 | # Defined keywords: |
626 | # |
627 | # user= The user's name (login) |
628 | # password= The user's password (for login= cache_peer option) |
629 | # message= Message describing the reason. Available as %o |
630 | # in error pages |
631 | # tag= Apply a tag to a request (for both ERR and OK results) |
632 | # Only sets a tag, does not alter existing tags. |
633 | # log= String to be logged in access.log. Available as |
634 | # %ea in logformat specifications |
635 | # |
636 | # If protocol=3.0 (the default) then URL escaping is used to protect |
637 | # each value in both requests and responses; helpers must URL-decode the values they receive and URL-encode any value they return, or values containing spaces, quotes or non-ASCII characters may be mis-parsed. |
638 | # |
639 | # If using protocol=2.5 then all values need to be enclosed in quotes |
640 | # if they may contain whitespace, or the whitespace escaped using \. |
641 | # And quotes or \ characters within the keyword value must be \ escaped. |
642 | # |
643 | # When using the concurrency= option the protocol is changed by |
644 | # introducing a query channel tag infront of the request/response. |
645 | # The query channel tag is a number between 0 and concurrency-1. |
646 | #Default: |
647 | # none |
648 | |
649 | # TAG: acl |
650 | # Defining an Access List |
651 | # |
652 | # Every access list definition must begin with an aclname and acltype, |
653 | # followed by either type-specific arguments or a quoted filename that |
654 | # they are read from. |
655 | # |
656 | # acl aclname acltype argument ... |
657 | # acl aclname acltype "file" ... |
658 | # |
659 | # When using "file", the file should contain one item per line. |
660 | # |
661 | # By default, regular expressions are CASE-SENSITIVE. |
662 | # To make them case-insensitive, use the -i option. To return case-sensitive |
663 | # use the +i option between patterns, or make a new ACL line without -i. |
664 | # |
665 | # Some acl types require suspending the current request in order |
666 | # to access some external data source. |
667 | # Those which do are marked with the tag [slow], those which |
668 | # don't are marked as [fast]. |
669 | # See http://wiki.squid-cache.org/SquidFaq/SquidAcl |
670 | # for further information |
671 | # |
672 | # ***** ACL TYPES AVAILABLE ***** |
673 | # |
674 | # acl aclname src ip-address/netmask ... # client's IP address [fast] |
675 | # acl aclname src addr1-addr2/netmask ... # range of addresses [fast] |
676 | # acl aclname dst ip-address/netmask ... # URL host's IP address [slow] |
677 | # acl aclname myip ip-address/netmask ... # local socket IP address [fast] |
678 | # |
679 | # acl aclname arp mac-address ... (xx:xx:xx:xx:xx:xx notation) |
680 | # # The arp ACL requires the special configure option --enable-arp-acl. |
681 | # # Furthermore, the ARP ACL code is not portable to all operating systems. |
682 | # # It works on Linux, Solaris, Windows, FreeBSD, and some |
683 | # # other *BSD variants. |
684 | # # [fast] |
685 | # # |
686 | # # NOTE: Squid can only determine the MAC address for clients that are on |
687 | # # the same subnet. If the client is on a different subnet, |
688 | # # then Squid cannot find out its MAC address. A MAC address is also trivially changed by the client, so this ACL identifies a machine only loosely and should not be the sole basis for granting access. |
689 | # |
690 | # acl aclname srcdomain .foo.com ... |
691 | # # reverse lookup, from client IP [slow] |
692 | # acl aclname dstdomain .foo.com ... |
693 | # # Destination server from URL [fast] |
694 | # acl aclname srcdom_regex [-i] \.foo\.com ... |
695 | # # regex matching client name [slow] |
696 | # acl aclname dstdom_regex [-i] \.foo\.com ... |
697 | # # regex matching server [fast] |
698 | # # |
699 | # # For dstdomain and dstdom_regex a reverse lookup is tried if an IP- |
700 | # # based URL is used and no match is found. The name "none" is used |
701 | # # if the reverse lookup fails. Be aware that the PTR record consulted here is controlled by whoever owns the destination address, so a rule that allows traffic on the basis of such a reverse-lookup match can be satisfied by an attacker-chosen name. |
702 | # |
703 | # acl aclname src_as number ... |
704 | # acl aclname dst_as number ... |
705 | # # [fast] |
706 | # # Except for access control, AS numbers can be used for |
707 | # # routing of requests to specific caches. Here's an |
708 | # # example for routing all requests for AS#1241 and only |
709 | # # those to mycache.mydomain.net: |
710 | # # acl asexample dst_as 1241 |
711 | # # cache_peer_access mycache.mydomain.net allow asexample |
712 | # # cache_peer_access mycache_mydomain.net deny all |
713 | # |
714 | # acl aclname peername myPeer ... |
715 | # # [fast] |
716 | # # match against a named cache_peer entry |
717 | # # set unique name= on cache_peer lines for reliable use. |
718 | # |
719 | # acl aclname time [day-abbrevs] [h1:m1-h2:m2] |
720 | # # [fast] |
721 | # # day-abbrevs: |
722 | # # S - Sunday |
723 | # # M - Monday |
724 | # # T - Tuesday |
725 | # # W - Wednesday |
726 | # # H - Thursday |
727 | # # F - Friday |
728 | # # A - Saturday |
729 | # # h1:m1 must be less than h2:m2 |
730 | # |
731 | # acl aclname url_regex [-i] ^http:// ... |
732 | # # regex matching on whole URL [fast] |
733 | # acl aclname urllogin [-i] [^a-zA-Z0-9] ... |
734 | # # regex matching on URL login field |
735 | # acl aclname urlpath_regex [-i] \.gif$ ... |
736 | # # regex matching on URL path [fast] |
737 | # |
738 | # acl aclname port 80 70 21 0-1024... # destination TCP port [fast] |
739 | # # ranges are allowed |
740 | # acl aclname myport 3128 ... # local socket TCP port [fast] |
741 | # acl aclname myportname 3128 ... # http(s)_port name [fast] |
742 | # |
743 | # acl aclname proto HTTP FTP ... # request protocol [fast] |
744 | # |
745 | # acl aclname method GET POST ... # HTTP request method [fast] |
746 | # |
747 | # acl aclname http_status 200 301 500- 400-403 ... |
748 | # # status code in reply [fast] |
749 | # |
750 | # acl aclname browser [-i] regexp ... |
751 | # # pattern match on User-Agent header (see also req_header below) [fast] |
752 | # |
753 | # acl aclname referer_regex [-i] regexp ... |
754 | # # pattern match on Referer header [fast] |
755 | # # Referer is highly unreliable, so use with care |
756 | # |
757 | # acl aclname ident username ... |
758 | # acl aclname ident_regex [-i] pattern ... |
759 | # # string match on ident output [slow] |
760 | # # use REQUIRED to accept any non-null ident. |
761 | # |
762 | # acl aclname proxy_auth [-i] username ... |
763 | # acl aclname proxy_auth_regex [-i] pattern ... |
764 | # # perform http authentication challenge to the client and match against |
765 | # # supplied credentials [slow] |
766 | # # |
767 | # # takes a list of allowed usernames. |
768 | # # use REQUIRED to accept any valid username. |
769 | # # |
770 | # # Will use proxy authentication in forward-proxy scenarios, and plain |
771 | # # http authentication in reverse-proxy scenarios |
772 | # # |
773 | # # NOTE: when a Proxy-Authentication header is sent but it is not |
774 | # # needed during ACL checking the username is NOT logged |
775 | # # in access.log. |
776 | # # |
777 | # # NOTE: proxy_auth requires an EXTERNAL authentication program |
778 | # # to check username/password combinations (see |
779 | # # auth_param directive). |
780 | # # |
781 | # # NOTE: proxy_auth can't be used in a transparent/intercepting proxy |
782 | # # as the browser needs to be configured for using a proxy in order |
783 | # # to respond to proxy authentication. |
784 | # |
785 | # acl aclname snmp_community string ... |
786 | # # A community string to limit access to your SNMP Agent [fast] |
787 | # # Example: |
788 | # # |
789 | # # acl snmppublic snmp_community public |
790 | # |
791 | # acl aclname maxconn number |
792 | # # This will be matched when the client's IP address has |
793 | # # more than <number> TCP connections established. [fast] |
794 | # # NOTE: This only measures direct TCP links so X-Forwarded-For |
795 | # # indirect clients are not counted. |
796 | # |
797 | # acl aclname max_user_ip [-s] number |
798 | # # This will be matched when the user attempts to log in from more |
799 | # # than <number> different ip addresses. The authenticate_ip_ttl |
800 | # # parameter controls the timeout on the ip entries. [fast] |
801 | # # If -s is specified the limit is strict, denying browsing |
802 | # # from any further IP addresses until the ttl has expired. Without |
803 | # # -s Squid will just annoy the user by "randomly" denying requests. |
804 | # # (the counter is reset each time the limit is reached and a |
805 | # # request is denied) |
806 | # # NOTE: in acceleration mode or where there is mesh of child proxies, |
807 | # # clients may appear to come from multiple addresses if they are |
808 | # # going through proxy farms, so a limit of 1 may cause user problems. |
809 | # |
810 | # acl aclname random probability |
811 | # # Pseudo-randomly match requests. Based on the probability given. |
812 | # # Probability may be written as a decimal (0.333), fraction (1/3) |
813 | # # or ratio of matches:non-matches (3:5). |
814 | # |
815 | # acl aclname req_mime_type [-i] mime-type ... |
816 | # # regex match against the mime type of the request generated |
817 | # # by the client. Can be used to detect file upload or some |
818 | # # types HTTP tunneling requests [fast] |
819 | # # NOTE: This does NOT match the reply. You cannot use this |
820 | # # to match the returned file type. |
821 | # |
822 | # acl aclname req_header header-name [-i] any\.regex\.here |
823 | # # regex match against any of the known request headers. May be |
824 | # # thought of as a superset of "browser", "referer" and "mime-type" |
825 | # # ACL [fast] |
826 | # |
827 | # acl aclname rep_mime_type [-i] mime-type ... |
828 | # # regex match against the mime type of the reply received by |
829 | # # squid. Can be used to detect file download or some |
830 | # # types HTTP tunneling requests. [fast] |
831 | # # NOTE: This has no effect in http_access rules. It only has |
832 | # # effect in rules that affect the reply data stream such as |
833 | # # http_reply_access. |
834 | # |
835 | # acl aclname rep_header header-name [-i] any\.regex\.here |
836 | # # regex match against any of the known reply headers. May be |
837 | # # thought of as a superset of "browser", "referer" and "mime-type" |
838 | # # ACLs [fast] |
839 | # |
840 | # acl aclname external class_name [arguments...] |
841 | # # external ACL lookup via a helper class defined by the |
842 | # # external_acl_type directive [slow] |
843 | # |
844 | # acl aclname user_cert attribute values... |
845 | # # match against attributes in a user SSL certificate |
846 | # # attribute is one of DN/C/O/CN/L/ST [fast] |
847 | # |
848 | # acl aclname ca_cert attribute values... |
849 | # # match against attributes of a user's issuing CA SSL certificate |
850 | # # attribute is one of DN/C/O/CN/L/ST [fast] |
851 | # |
852 | # acl aclname ext_user username ... |
853 | # acl aclname ext_user_regex [-i] pattern ... |
854 | # # string match on username returned by external acl helper [slow] |
855 | # # use REQUIRED to accept any non-null user name. |
856 | # |
857 | # acl aclname tag tagvalue ... |
858 | # # string match on tag returned by external acl helper [slow] |
859 | # |
860 | # acl aclname hier_code codename ... |
861 | # # string match against squid hierarchy code(s); [fast] |
862 | # # e.g., DIRECT, PARENT_HIT, NONE, etc. |
863 | # # |
864 | # # NOTE: This has no effect in http_access rules. It only has |
865 | # # effect in rules that affect the reply data stream such as |
866 | # # http_reply_access. |
867 | # |
868 | # Examples: |
869 | # acl macaddress arp 09:00:2b:23:45:67 |
870 | # acl myexample dst_as 1241 |
871 | # acl password proxy_auth REQUIRED |
872 | # acl fileupload req_mime_type -i ^multipart/form-data$ |
873 | # acl javascript rep_mime_type -i ^application/x-javascript$ |
874 | # |
875 | #Default: |
876 | # ACLs all, manager, localhost, and to_localhost are predefined. |
877 | # |
878 | # |
879 | # Recommended minimum configuration: |
880 | # |
881 | |
882 | # Example rule allowing access from your local networks. |
883 | # Adapt to list your (internal) IP networks from where browsing |
884 | # should be allowed |
# RFC1918 private IPv4 ranges that may be internal networks
acl localnet src 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
# RFC 4193 unique-local (fc00::/7) and RFC 4291 link-local (fe80::/10) IPv6 ranges
acl localnet src fc00::/7 fe80::/10

# Ports that CONNECT tunnels are permitted to reach
acl SSL_ports port 443
# Ports plain requests are permitted to reach:
# http, ftp, https, gopher, wais
acl Safe_ports port 80 21 443 70 210
# unregistered ports
acl Safe_ports port 1025-65535
# http-mgmt, gss-http, filemaker, multiling http
acl Safe_ports port 280 488 591 777
# The CONNECT request method, used by the tunnel rules below
acl CONNECT method CONNECT
903 | |
904 | # TAG: follow_x_forwarded_for |
905 | # Allowing or Denying the X-Forwarded-For header to be followed to |
906 | # find the original source of a request. |
907 | # |
908 | # Requests may pass through a chain of several other proxies |
909 | # before reaching us. The X-Forwarded-For header will contain a |
910 | # comma-separated list of the IP addresses in the chain, with the |
911 | # rightmost address being the most recent. |
912 | # |
913 | # If a request reaches us from a source that is allowed by this |
914 | # configuration item, then we consult the X-Forwarded-For header |
915 | # to see where that host received the request from. If the |
916 | # X-Forwarded-For header contains multiple addresses, we continue |
917 | # backtracking until we reach an address for which we are not allowed |
918 | # to follow the X-Forwarded-For header, or until we reach the first |
919 | # address in the list. For the purpose of ACL used in the |
920 | # follow_x_forwarded_for directive the src ACL type always matches |
921 | # the address we are testing and srcdomain matches its rDNS. |
922 | # |
923 | # The end result of this process is an IP address that we will |
924 | # refer to as the indirect client address. This address may |
925 | # be treated as the client address for access control, ICAP, delay |
926 | # pools and logging, depending on the acl_uses_indirect_client, |
927 | # icap_uses_indirect_client, delay_pool_uses_indirect_client, |
928 | # log_uses_indirect_client and tproxy_uses_indirect_client options. |
929 | # |
930 | # This clause only supports fast acl types. |
931 | # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. |
932 | # |
933 | # SECURITY CONSIDERATIONS: |
934 | # |
935 | # Any host for which we follow the X-Forwarded-For header |
936 | # can place incorrect information in the header, and Squid |
937 | # will use the incorrect information as if it were the |
938 | # source address of the request. This may enable remote |
939 | # hosts to bypass any access control restrictions that are |
940 | # based on the client's source addresses. |
941 | # |
942 | # For example: |
943 | # |
944 | # acl localhost src 127.0.0.1 |
945 | # acl my_other_proxy srcdomain .proxy.example.com |
946 | # follow_x_forwarded_for allow localhost |
947 | # follow_x_forwarded_for allow my_other_proxy |
948 | #Default: |
949 | # follow_x_forwarded_for deny all |
950 | |
951 | # TAG: acl_uses_indirect_client on|off |
952 | # Controls whether the indirect client address |
953 | # (see follow_x_forwarded_for) is used instead of the |
954 | # direct client address in acl matching. |
955 | # |
956 | # NOTE: maxconn ACL considers direct TCP links and indirect |
957 | # clients will always have zero, so maxconn never matches for them. |
958 | #Default: |
959 | # acl_uses_indirect_client on |
960 | |
961 | # TAG: delay_pool_uses_indirect_client on|off |
962 | # Controls whether the indirect client address |
963 | # (see follow_x_forwarded_for) is used instead of the |
964 | # direct client address in delay pools. |
965 | #Default: |
966 | # delay_pool_uses_indirect_client on |
967 | |
968 | # TAG: log_uses_indirect_client on|off |
969 | # Controls whether the indirect client address |
970 | # (see follow_x_forwarded_for) is used instead of the |
971 | # direct client address in the access log. |
972 | #Default: |
973 | # log_uses_indirect_client on |
974 | |
975 | # TAG: tproxy_uses_indirect_client on|off |
976 | # Controls whether the indirect client address |
977 | # (see follow_x_forwarded_for) is used instead of the |
978 | # direct client address when spoofing the outgoing client. |
979 | # |
980 | # This has no effect on requests arriving in non-tproxy |
981 | # mode ports. |
982 | # |
983 | # SECURITY WARNING: Usage of this option is dangerous |
984 | # and should not be used trivially. Correct configuration |
985 | # of follow_x_forwarded_for with a limited set of trusted |
986 | # sources is required to prevent abuse of your proxy. |
987 | #Default: |
988 | # tproxy_uses_indirect_client off |
989 | |
990 | # TAG: http_access |
991 | # Allowing or Denying access based on defined access lists |
992 | # |
993 | # Access to the HTTP port: |
994 | # http_access allow|deny [!]aclname ... |
995 | # |
996 | # NOTE on default values: |
997 | # |
998 | # If there are no "access" lines present, the default is to deny |
999 | # the request. |
1000 | # |
1001 | # If none of the "access" lines cause a match, the default is the |
1002 | # opposite of the last line in the list. If the last line was |
1003 | # deny, the default is allow. Conversely, if the last line |
1004 | # is allow, the default will be deny. For these reasons, it is a |
1005 | # good idea to have a "deny all" entry at the end of your access |
1006 | # lists to avoid potential confusion. |
1007 | # |
1008 | # This clause supports both fast and slow acl types. |
1009 | # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. |
1010 | # |
1011 | #Default: |
1012 | # http_access deny all |
1013 | # |
1014 | |
1015 | # |
1016 | # Recommended minimum Access Permission configuration: |
1017 | # |
1018 | # Only allow cachemgr access from localhost |
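# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy.
# This must be an explicit "deny all": when no http_access line matches,
# Squid applies the opposite of the LAST line, so ending the list with an
# "allow" line leaves the fall-through result implicit and easy to break
# when rules are appended later (see "NOTE on default values" above).
http_access deny all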
1045 | |
1046 | # TAG: adapted_http_access |
1047 | # Allowing or Denying access based on defined access lists |
1048 | # |
1049 | # Essentially identical to http_access, but runs after redirectors |
1050 | # and ICAP/eCAP adaptation. Allowing access control based on their |
1051 | # output. |
1052 | # |
1053 | # If not set then only http_access is used. |
1054 | #Default: |
1055 | # none |
1056 | |
1057 | # TAG: http_reply_access |
1058 | # Allow replies to client requests. This is complementary to http_access. |
1059 | # |
1060 | # http_reply_access allow|deny [!] aclname ... |
1061 | # |
1062 | # NOTE: if there are no access lines present, the default is to allow |
1063 | # all replies |
1064 | # |
1065 | # If none of the access lines cause a match the opposite of the |
1066 | # last line will apply. Thus it is good practice to end the rules |
1067 | # with an "allow all" or "deny all" entry. |
1068 | # |
1069 | # This clause supports both fast and slow acl types. |
1070 | # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. |
1071 | #Default: |
1072 | # none |
1073 | |
1074 | # TAG: icp_access |
1075 | # Allowing or Denying access to the ICP port based on defined |
1076 | # access lists |
1077 | # |
1078 | # icp_access allow|deny [!]aclname ... |
1079 | # |
1080 | # See http_access for details |
1081 | # |
1082 | # This clause only supports fast acl types. |
1083 | # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. |
1084 | # |
1085 | ## Allow ICP queries from local networks only |
1086 | ##icp_access allow localnet |
1087 | ##icp_access deny all |
1088 | #Default: |
1089 | # icp_access deny all |
1090 | |
1091 | # TAG: htcp_access |
1092 | # Allowing or Denying access to the HTCP port based on defined |
1093 | # access lists |
1094 | # |
1095 | # htcp_access allow|deny [!]aclname ... |
1096 | # |
1097 | # See http_access for details |
1098 | # |
1099 | # NOTE: The default if no htcp_access lines are present is to |
1100 | # deny all traffic. This default may cause problems with peers |
1101 | # using the htcp option. |
1102 | # |
1103 | # This clause only supports fast acl types. |
1104 | # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. |
1105 | # |
1106 | ## Allow HTCP queries from local networks only |
1107 | ##htcp_access allow localnet |
1108 | ##htcp_access deny all |
1109 | #Default: |
1110 | # htcp_access deny all |
1111 | |
1112 | # TAG: htcp_clr_access |
1113 | # Allowing or Denying access to purge content using HTCP based |
1114 | # on defined access lists |
1115 | # |
1116 | # htcp_clr_access allow|deny [!]aclname ... |
1117 | # |
1118 | # See http_access for details |
1119 | # |
1120 | # This clause only supports fast acl types. |
1121 | # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. |
1122 | # |
1123 | ## Allow HTCP CLR requests from trusted peers |
1124 | #acl htcp_clr_peer src 172.16.1.2 |
1125 | #htcp_clr_access allow htcp_clr_peer |
1126 | #Default: |
1127 | # htcp_clr_access deny all |
1128 | |
1129 | # TAG: miss_access |
1130 | # Determines whether network access is permitted when satisfying a request. |
1131 | # |
1132 | # For example; |
1133 | # to force your neighbors to use you as a sibling instead of |
1134 | # a parent. |
1135 | # |
1136 | # acl localclients src 172.16.0.0/16 |
1137 | # miss_access allow localclients |
1138 | # miss_access deny !localclients |
1139 | # |
1140 | # This means only your local clients are allowed to fetch relayed/MISS |
1141 | # replies from the network and all other clients can only fetch cached |
1142 | # objects (HITs). |
1143 | # |
1144 | # |
1145 | # The default for this setting allows all clients who passed the |
1146 | # http_access rules to relay via this proxy. |
1147 | # |
1148 | # This clause only supports fast acl types. |
1149 | # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. |
1150 | #Default: |
1151 | # none |
1152 | |
1153 | # TAG: ident_lookup_access |
1154 | # Note: This option is only available if Squid is rebuilt with the |
1155 | # --enable-ident-lookups |
1156 | # |
1157 | # A list of ACL elements which, if matched, cause an ident |
1158 | # (RFC 931) lookup to be performed for this request. For |
1159 | # example, you might choose to always perform ident lookups |
1160 | # for your main multi-user Unix boxes, but not for your Macs |
1161 | # and PCs. By default, ident lookups are not performed for |
1162 | # any requests. |
1163 | # |
1164 | # To enable ident lookups for specific client addresses, you |
1165 | # can follow this example: |
1166 | # |
1167 | # acl ident_aware_hosts src 198.168.1.0/24 |
1168 | # ident_lookup_access allow ident_aware_hosts |
1169 | # ident_lookup_access deny all |
1170 | # |
1171 | # Only src type ACL checks are fully supported. A srcdomain |
1172 | # ACL might work at times, but it will not always provide |
1173 | # the correct result. |
1174 | # |
1175 | # This clause only supports fast acl types. |
1176 | # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. |
1177 | #Default: |
1178 | # ident_lookup_access deny all |
1179 | |
1180 | # TAG: reply_body_max_size size [acl acl...] |
1181 | # This option specifies the maximum size of a reply body. It can be |
1182 | # used to prevent users from downloading very large files, such as |
1183 | # MP3's and movies. When the reply headers are received, the |
1184 | # reply_body_max_size lines are processed, and the first line where |
1185 | # all (if any) listed ACLs are true is used as the maximum body size |
1186 | # for this reply. |
1187 | # |
1188 | # This size is checked twice. First when we get the reply headers, |
1189 | # we check the content-length value. If the content length value exists |
1190 | # and is larger than the allowed size, the request is denied and the |
1191 | # user receives an error message that says "the request or reply |
1192 | # is too large." If there is no content-length, and the reply |
1193 | # size exceeds this limit, the client's connection is just closed |
1194 | # and they will receive a partial reply. |
1195 | # |
1196 | # WARNING: downstream caches probably can not detect a partial reply |
1197 | # if there is no content-length header, so they will cache |
1198 | # partial responses and give them out as hits. You should NOT |
1199 | # use this option if you have downstream caches. |
1200 | # |
1201 | # WARNING: A maximum size smaller than the size of squid's error messages |
1202 | # will cause an infinite loop and crash squid. Ensure that the smallest |
1203 | # non-zero value you use is greater than the maximum header size plus |
1204 | # the size of your largest error page. |
1205 | # |
1206 | # If you set this parameter none (the default), there will be |
1207 | # no limit imposed. |
1208 | # |
1209 | # Configuration Format is: |
1210 | # reply_body_max_size SIZE UNITS [acl ...] |
1211 | # ie. |
1212 | # reply_body_max_size 10 MB |
1213 | # |
1214 | #Default: |
1215 | # none |
1216 | |
1217 | # NETWORK OPTIONS |
1218 | # ----------------------------------------------------------------------------- |
1219 | |
1220 | # TAG: http_port |
1221 | # Usage: port [mode] [options] |
1222 | # hostname:port [mode] [options] |
1223 | # 1.2.3.4:port [mode] [options] |
1224 | # |
1225 | # The socket addresses where Squid will listen for HTTP client |
1226 | # requests. You may specify multiple socket addresses. |
1227 | # There are three forms: port alone, hostname with port, and |
1228 | # IP address with port. If you specify a hostname or IP |
1229 | # address, Squid binds the socket to that specific |
1230 | # address. Most likely, you do not need to bind to a specific |
1231 | # address, so you can use the port number alone. |
1232 | # |
1233 | # If you are running Squid in accelerator mode, you |
1234 | # probably want to listen on port 80 also, or instead. |
1235 | # |
1236 | # The -a command line option may be used to specify additional |
1237 | # port(s) where Squid listens for proxy request. Such ports will |
1238 | # be plain proxy ports with no options. |
1239 | # |
1240 | # You may specify multiple socket addresses on multiple lines. |
1241 | # |
1242 | # Modes: |
1243 | # |
1244 | # intercept Support for IP-Layer interception of |
1245 | # outgoing requests without browser settings. |
1246 | # NP: disables authentication and IPv6 on the port. |
1247 | # |
1248 | # tproxy Support Linux TPROXY for spoofing outgoing |
1249 | # connections using the client IP address. |
1250 | # NP: disables authentication and maybe IPv6 on the port. |
1251 | # |
1252 | # accel Accelerator / reverse proxy mode |
1253 | # |
1254 | # ssl-bump Intercept each CONNECT request matching ssl_bump ACL, |
1255 | # establish secure connection with the client and with |
1256 | # the server, decrypt HTTP messages as they pass through |
1257 | # Squid, and treat them as unencrypted HTTP messages, |
1258 | # becoming the man-in-the-middle. |
1259 | # |
1260 | # The ssl_bump option is required to fully enable |
1261 | # the SslBump feature. |
1262 | # |
1263 | # Omitting the mode flag causes default forward proxy mode to be used. |
1264 | # |
1265 | # |
1266 | # Accelerator Mode Options: |
1267 | # |
1268 | # defaultsite=domainname |
1269 | # What to use for the Host: header if it is not present |
1270 | # in a request. Determines what site (not origin server) |
1271 | # accelerators should consider the default. |
1272 | # |
1273 | # no-vhost Disable using HTTP/1.1 Host header for virtual domain support. |
1274 | # |
1275 | # protocol= Protocol to reconstruct accelerated requests with. |
1276 | # Defaults to http for http_port and https for |
1277 | # https_port |
1278 | # |
1279 | # vport Virtual host port support. Using the http_port number |
1280 | # instead of the port passed on Host: headers. |
1281 | # |
1282 | # vport=NN Virtual host port support. Using the specified port |
1283 | # number instead of the port passed on Host: headers. |
1284 | # |
1285 | # act-as-origin |
1286 | # Act as if this Squid is the origin server. |
1287 | # This currently means generate new Date: and Expires: |
1288 | # headers on HIT instead of adding Age:. |
1289 | # |
1290 | # ignore-cc Ignore request Cache-Control headers. |
1291 | # |
1292 | # WARNING: This option violates HTTP specifications if |
1293 | # used in non-accelerator setups. |
1294 | # |
1295 | # allow-direct Allow direct forwarding in accelerator mode. Normally |
1296 | # accelerated requests are denied direct forwarding as if |
1297 | # never_direct was used. |
1298 | # |
1299 | # WARNING: this option opens accelerator mode to security |
1300 | # vulnerabilities usually only affecting interception |
1301 | # mode. Make sure to protect forwarding with suitable |
1302 | # http_access rules when using this. |
1303 | # |
1304 | # |
1305 | # SSL Bump Mode Options: |
1306 | # In addition to these options ssl-bump requires TLS/SSL options. |
1307 | # |
1308 | # generate-host-certificates[=<on|off>] |
1309 | # Dynamically create SSL server certificates for the |
1310 | # destination hosts of bumped CONNECT requests. When |
1311 | # enabled, the cert and key options are used to sign |
1312 | # generated certificates. Otherwise generated |
1313 | # certificate will be selfsigned. |
1314 | # If a CA certificate is configured, the lifetime of the generated |
1315 | # certificate equals the lifetime of the CA certificate. If the |
1316 | # generated certificate is self-signed, its lifetime is three |
1317 | # years. |
1318 | # This option is enabled by default when ssl-bump is used. |
1319 | # See the ssl-bump option above for more information. |
1320 | # |
1321 | # dynamic_cert_mem_cache_size=SIZE |
1322 | # Approximate total RAM size spent on cached generated |
1323 | # certificates. If set to zero, caching is disabled. The |
1324 | # default value is 4MB. An average XXX-bit certificate |
1325 | # consumes about XXX bytes of RAM. |
1326 | # |
1327 | # TLS / SSL Options: |
1328 | # |
1329 | # cert= Path to SSL certificate (PEM format). |
1330 | # |
1331 | # key= Path to SSL private key file (PEM format) |
1332 | # if not specified, the certificate file is |
1333 | # assumed to be a combined certificate and |
1334 | # key file. |
1335 | # |
1336 | # version= The version of SSL/TLS supported |
1337 | # 1 automatic (default) |
1338 | # 2 SSLv2 only |
1339 | # 3 SSLv3 only |
1340 | # 4 TLSv1.0 only |
1341 | # 5 TLSv1.1 only |
1342 | # 6 TLSv1.2 only |
1343 | # |
1344 | # cipher= Colon separated list of supported ciphers. |
1345 | # NOTE: some ciphers such as EDH ciphers depend on |
1346 | # additional settings. If those settings are |
1347 | # omitted the ciphers may be silently ignored |
1348 | # by the OpenSSL library. |
1349 | # |
1350 | # options= Various SSL implementation options. The most important |
1351 | # being: |
1352 | # NO_SSLv2 Disallow the use of SSLv2 |
1353 | # NO_SSLv3 Disallow the use of SSLv3 |
1354 | # NO_TLSv1 Disallow the use of TLSv1.0 |
1355 | # NO_TLSv1_1 Disallow the use of TLSv1.1 |
1356 | # NO_TLSv1_2 Disallow the use of TLSv1.2 |
1357 | # SINGLE_DH_USE Always create a new key when using |
1358 | # temporary/ephemeral DH key exchanges |
1359 | # ALL Enable various bug workarounds |
1360 | # suggested as "harmless" by OpenSSL |
1361 | # Be warned that this weakens SSL/TLS |
1362 | # against some attacks. |
1363 | # See OpenSSL SSL_CTX_set_options documentation for a |
1364 | # complete list of options. |
1365 | # |
1366 | # clientca= File containing the list of CAs to use when |
1367 | # requesting a client certificate. |
1368 | # |
1369 | # cafile= File containing additional CA certificates to |
1370 | # use when verifying client certificates. If unset |
1371 | # clientca will be used. |
1372 | # |
1373 | # capath= Directory containing additional CA certificates |
1374 | # and CRL lists to use when verifying client certificates. |
1375 | # |
1376 | # crlfile= File of additional CRL lists to use when verifying |
1377 | # the client certificate, in addition to CRLs stored in |
1378 | # the capath. Implies VERIFY_CRL flag below. |
1379 | # |
1380 | # dhparams= File containing DH parameters for temporary/ephemeral |
1381 | # DH key exchanges. See OpenSSL documentation for details |
1382 | # on how to create this file. |
1383 | # WARNING: EDH ciphers will be silently disabled if this |
1384 | # option is not set. |
1385 | # |
1386 | # sslflags= Various flags modifying the use of SSL: |
1387 | # DELAYED_AUTH |
1388 | # Don't request client certificates |
1389 | # immediately, but wait until acl processing |
1390 | # requires a certificate (not yet implemented). |
1391 | # NO_DEFAULT_CA |
1392 | # Don't use the default CA lists built in |
1393 | # to OpenSSL. |
1394 | # NO_SESSION_REUSE |
1395 | # Don't allow for session reuse. Each connection |
1396 | # will result in a new SSL session. |
1397 | # VERIFY_CRL |
1398 | # Verify CRL lists when accepting client |
1399 | # certificates. |
1400 | # VERIFY_CRL_ALL |
1401 | # Verify CRL lists for all certificates in the |
1402 | # client certificate chain. |
1403 | # |
1404 | # sslcontext= SSL session ID context identifier. |
1405 | # |
1406 | # Other Options: |
1407 | # |
1408 | # connection-auth[=on|off] |
1409 | # use connection-auth=off to tell Squid to prevent |
1410 | # forwarding Microsoft connection oriented authentication |
1411 | # (NTLM, Negotiate and Kerberos) |
1412 | # |
1413 | # disable-pmtu-discovery= |
1414 | # Control Path-MTU discovery usage: |
1415 | # off lets OS decide on what to do (default). |
1416 | # transparent disable PMTU discovery when transparent |
1417 | # support is enabled. |
1418 | # always disable PMTU discovery unconditionally. |
1419 | # |
1420 | # In many setups of transparently intercepting proxies |
1421 | # Path-MTU discovery can not work on traffic towards the |
1422 | # clients. This is the case when the intercepting device |
1423 | # does not fully track connections and fails to forward |
1424 | # ICMP must fragment messages to the cache server. If you |
1425 | # have such setup and experience that certain clients |
1426 | # sporadically hang or never complete requests set |
1427 | # disable-pmtu-discovery option to 'transparent'. |
1428 | # |
1429 | # name= Specifies an internal name for the port. Defaults to |
1430 | # the port specification (port or addr:port) |
1431 | # |
1432 | # tcpkeepalive[=idle,interval,timeout] |
1433 | # Enable TCP keepalive probes of idle connections. |
1434 | # In seconds; idle is the initial time before TCP starts |
1435 | # probing the connection, interval how often to probe, and |
1436 | # timeout the time before giving up. |
1437 | # |
1438 | # If you run Squid on a dual-homed machine with an internal |
1439 | # and an external interface we recommend you to specify the |
1440 | # internal address:port in http_port. This way Squid will only be |
1441 | # visible on the internal address. |
1442 | # |
1443 | # |
1444 | |
# Squid normally listens to port 3128
# A bare port is not bound to a specific address. On a dual-homed host,
# bind to the internal address instead (http_port <internal-address>:3128,
# placeholder) so the proxy is only visible on the internal side, as the
# http_port notes above recommend.
http_port 3128
1447 | |
1448 | # TAG: https_port |
1449 | # Usage: [ip:]port cert=certificate.pem [key=key.pem] [mode] [options...] |
1450 | # |
1451 | # The socket address where Squid will listen for client requests made |
1452 | # over TLS or SSL connections. Commonly referred to as HTTPS. |
1453 | # |
1454 | # This is most useful for situations where you are running squid in |
1455 | # accelerator mode and you want to do the SSL work at the accelerator level. |
1456 | # |
1457 | # You may specify multiple socket addresses on multiple lines, |
1458 | # each with their own SSL certificate and/or options. |
1459 | # |
1460 | # See http_port for a list of available options. |
1461 | #Default: |
1462 | # none |
1463 | |
1464 | # TAG: tcp_outgoing_tos |
1465 | # Allows you to select a TOS/Diffserv value for packets outgoing |
1466 | # on the server side, based on an ACL. |
1467 | # |
1468 | # tcp_outgoing_tos ds-field [!]aclname ... |
1469 | # |
1470 | # Example where normal_service_net uses the TOS value 0x00 |
1471 | # and good_service_net uses 0x20 |
1472 | # |
1473 | # acl normal_service_net src 10.0.0.0/24 |
1474 | # acl good_service_net src 10.0.1.0/24 |
1475 | # tcp_outgoing_tos 0x00 normal_service_net |
1476 | # tcp_outgoing_tos 0x20 good_service_net |
1477 | # |
1478 | # TOS/DSCP values really only have local significance - so you should |
1479 | # know what you're specifying. For more information, see RFC2474, |
1480 | # RFC2475, and RFC3260. |
1481 | # |
1482 | # The TOS/DSCP byte must be exactly that - an octet value 0 - 255, or |
1483 | # "default" to use whatever default your host has. Note that in |
1484 | # practice often only multiples of 4 are usable as the two rightmost bits |
1485 | # have been redefined for use by ECN (RFC 3168 section 23.1). |
1486 | # |
1487 | # Processing proceeds in the order specified, and stops at first fully |
1488 | # matching line. |
1489 | #Default: |
1490 | # none |
1491 | |
1492 | # TAG: clientside_tos |
1493 | # Allows you to select a TOS/Diffserv value for packets being transmitted |
1494 | # on the client-side, based on an ACL. |
1495 | # |
1496 | # clientside_tos ds-field [!]aclname ... |
1497 | # |
1498 | # Example where normal_service_net uses the TOS value 0x00 |
1499 | # and good_service_net uses 0x20 |
1500 | # |
1501 | # acl normal_service_net src 10.0.0.0/24 |
1502 | # acl good_service_net src 10.0.1.0/24 |
1503 | # clientside_tos 0x00 normal_service_net |
1504 | # clientside_tos 0x20 good_service_net |
1505 | # |
1506 | # Note: This feature is incompatible with qos_flows. Any TOS values set here |
1507 | # will be overwritten by TOS values in qos_flows. |
1508 | #Default: |
1509 | # none |
1510 | |
1511 | # TAG: tcp_outgoing_mark |
1512 | # Note: This option is only available if Squid is rebuilt with the |
1513 | # Packet MARK (Linux) |
1514 | # |
1515 | # Allows you to apply a Netfilter mark value to outgoing packets |
1516 | # on the server side, based on an ACL. |
1517 | # |
1518 | # tcp_outgoing_mark mark-value [!]aclname ... |
1519 | # |
1520 | # Example where normal_service_net uses the mark value 0x00 |
1521 | # and good_service_net uses 0x20 |
1522 | # |
1523 | # acl normal_service_net src 10.0.0.0/24 |
1524 | # acl good_service_net src 10.0.1.0/24 |
1525 | # tcp_outgoing_mark 0x00 normal_service_net |
1526 | # tcp_outgoing_mark 0x20 good_service_net |
1527 | #Default: |
1528 | # none |
1529 | |
1530 | # TAG: clientside_mark |
1531 | # Note: This option is only available if Squid is rebuilt with the |
1532 | # Packet MARK (Linux) |
1533 | # |
1534 | # Allows you to apply a Netfilter mark value to packets being transmitted |
1535 | # on the client-side, based on an ACL. |
1536 | # |
1537 | # clientside_mark mark-value [!]aclname ... |
1538 | # |
1539 | # Example where normal_service_net uses the mark value 0x00 |
1540 | # and good_service_net uses 0x20 |
1541 | # |
1542 | # acl normal_service_net src 10.0.0.0/24 |
1543 | # acl good_service_net src 10.0.1.0/24 |
1544 | # clientside_mark 0x00 normal_service_net |
1545 | # clientside_mark 0x20 good_service_net |
1546 | # |
1547 | # Note: This feature is incompatible with qos_flows. Any mark values set here |
1548 | # will be overwritten by mark values in qos_flows. |
1549 | #Default: |
1550 | # none |
1551 | |
1552 | # TAG: qos_flows |
1553 | # Allows you to select a TOS/DSCP value to mark outgoing |
1554 | # connections with, based on where the reply was sourced. For |
1555 | # platforms using netfilter, allows you to set a netfilter mark |
1556 | # value instead of, or in addition to, a TOS value. |
1557 | # |
1558 | # TOS values really only have local significance - so you should |
1559 | # know what you're specifying. For more information, see RFC2474, |
1560 | # RFC2475, and RFC3260. |
1561 | # |
1562 | # The TOS/DSCP byte must be exactly that - an octet value 0 - 255. Note that |
1563 | # in practice often only multiples of 4 are usable as the two rightmost bits |
1564 | # have been redefined for use by ECN (RFC 3168 section 23.1). |
1565 | # |
1566 | # Mark values can be any unsigned 32-bit integer value. |
1567 | # |
1568 | # This setting is configured by setting the following values: |
1569 | # |
1570 | # tos|mark Whether to set TOS or netfilter mark values |
1571 | # |
1572 | # local-hit=0xFF Value to mark local cache hits. |
1573 | # |
1574 | # sibling-hit=0xFF Value to mark hits from sibling peers. |
1575 | # |
1576 | # parent-hit=0xFF Value to mark hits from parent peers. |
1577 | # |
1578 | # miss=0xFF[/mask] Value to mark cache misses. Takes precedence |
1579 | # over the preserve-miss feature (see below), unless |
1580 | # mask is specified, in which case only the bits |
1581 | # specified in the mask are written. |
1582 | # |
1583 | # The TOS variant of the following features is only possible on Linux |
1584 | # and requires your kernel to be patched with the TOS preserving ZPH |
1585 | # patch, available from http://zph.bratcheda.org |
1586 | # No patch is needed to preserve the netfilter mark, which will work |
1587 | # with all variants of netfilter. |
1588 | # |
1589 | # disable-preserve-miss |
1590 | # This option disables the preservation of the TOS or netfilter |
1591 | # mark. By default, the existing TOS or netfilter mark value of |
1592 | # the response coming from the remote server will be retained |
1593 | # and masked with miss-mark. |
1594 | # NOTE: in the case of a netfilter mark, the mark must be set on |
1595 | # the connection (using the CONNMARK target) not on the packet |
1596 | # (MARK target). |
1597 | # |
1598 | # miss-mask=0xFF |
1599 | # Allows you to mask certain bits in the TOS or mark value |
1600 | # received from the remote server, before copying the value to |
1601 | # the TOS sent towards clients. |
1602 | # Default for tos: 0xFF (TOS from server is not changed). |
1603 | # Default for mark: 0xFFFFFFFF (mark from server is not changed). |
1604 | # |
1605 | # All of these features require the --enable-zph-qos compilation flag |
1606 | # (enabled by default). Netfilter marking also requires the |
1607 | # libnetfilter_conntrack libraries (--with-netfilter-conntrack) and |
1608 | # libcap 2.09+ (--with-libcap). |
1609 | # |
1610 | #Default: |
1611 | # none |
1612 | |
1613 | # TAG: tcp_outgoing_address |
1614 | # Allows you to map requests to different outgoing IP addresses |
1615 | # based on the username or source address of the user making |
1616 | # the request. |
1617 | # |
1618 | # tcp_outgoing_address ipaddr [[!]aclname] ... |
1619 | # |
1620 | # For example; |
1621 | # Forwarding clients with dedicated IPs for certain subnets. |
1622 | # |
1623 | # acl normal_service_net src 10.0.0.0/24 |
1624 | # acl good_service_net src 10.0.2.0/24 |
1625 | # |
1626 | # tcp_outgoing_address 2001:db8::c001 good_service_net |
1627 | # tcp_outgoing_address 10.1.0.2 good_service_net |
1628 | # |
1629 | # tcp_outgoing_address 2001:db8::beef normal_service_net |
1630 | # tcp_outgoing_address 10.1.0.1 normal_service_net |
1631 | # |
1632 | # tcp_outgoing_address 2001:db8::1 |
1633 | # tcp_outgoing_address 10.1.0.3 |
1634 | # |
1635 | # Processing proceeds in the order specified, and stops at first fully |
1636 | # matching line. |
1637 | # |
1638 | # Squid will add an implicit IP version test to each line. |
1639 | # Requests going to IPv4 websites will use the outgoing 10.1.0.* addresses. |
1640 | # Requests going to IPv6 websites will use the outgoing 2001:db8:* addresses. |
1641 | # |
1642 | # |
1643 | # NOTE: The use of this directive using client dependent ACLs is |
1644 | # incompatible with the use of server side persistent connections. To |
1645 | # ensure correct results it is best to set server_persistent_connections |
1646 | # to off when using this directive in such configurations. |
1647 | # |
1648 | # NOTE: The use of this directive to set a local IP on outgoing TCP links |
1649 | # is incompatible with using TPROXY to set the client IP on outbound TCP links. |
1650 | # When needing to contact peers use the no-tproxy cache_peer option and the |
1651 | # client_dst_passthru directive to re-enable normal forwarding such as this. |
1652 | # |
1653 | #Default: |
1654 | # none |
1655 | |
1656 | # TAG: host_verify_strict |
1657 | # Regardless of this option setting, when dealing with intercepted |
1658 | # traffic, Squid always verifies that the destination IP address matches |
1659 | # the Host header domain or IP (called 'authority form URL'). |
1660 | # |
1661 | # This enforcement is performed to satisfy a MUST-level requirement in |
1662 | # RFC 2616 section 14.23: "The Host field value MUST represent the naming |
1663 | # authority of the origin server or gateway given by the original URL". |
1664 | # |
1665 | # When set to ON: |
1666 | # Squid always responds with an HTTP 409 (Conflict) error |
1667 | # page and logs a security warning if there is no match. |
1668 | # |
1669 | # Squid verifies that the destination IP address matches |
1670 | # the Host header for forward-proxy and reverse-proxy traffic |
1671 | # as well. For those traffic types, Squid also enables the |
1672 | # following checks, comparing the corresponding Host header |
1673 | # and Request-URI components: |
1674 | # |
1675 | # * The host names (domain or IP) must be identical, |
1676 | # but valueless or missing Host header disables all checks. |
1677 | # For the two host names to match, both must be either IP |
1678 | # or FQDN. |
1679 | # |
1680 | # * Port numbers must be identical, but if a port is missing |
1681 | # the scheme-default port is assumed. |
1682 | # |
1683 | # |
1684 | # When set to OFF (the default): |
1685 | # Squid allows suspicious requests to continue but logs a |
1686 | # security warning and blocks caching of the response. |
1687 | # |
1688 | # * Forward-proxy traffic is not checked at all. |
1689 | # |
1690 | # * Reverse-proxy traffic is not checked at all. |
1691 | # |
1692 | # * Intercepted traffic which passes verification is handled |
1693 | # according to client_dst_passthru. |
1694 | # |
1695 | # * Intercepted requests which fail verification are sent |
1696 | # to the client's original destination instead of DIRECT. |
1697 | # This overrides 'client_dst_passthru off'. |
1698 | # |
1699 | # For now suspicious intercepted CONNECT requests are always |
1700 | # responded to with an HTTP 409 (Conflict) error page. |
1701 | # |
1702 | # |
1703 | # SECURITY NOTE: |
1704 | # |
1705 | # As described in CVE-2009-0801 when the Host: header alone is used |
1706 | # to determine the destination of a request it becomes trivial for |
1707 | # malicious scripts on remote websites to bypass browser same-origin |
1708 | # security policy and sandboxing protections. |
1709 | # |
1710 | # The cause of this is that such applets are allowed to perform their |
1711 | # own HTTP stack, in which case the same-origin policy of the browser |
1712 | # sandbox only verifies that the applet tries to contact the same IP |
1713 | # as from where it was loaded at the IP level. The Host: header may |
1714 | # be different from the connected IP and approved origin. |
1715 | # |
1716 | #Default: |
1717 | # host_verify_strict off |
1718 | |
1719 | # TAG: client_dst_passthru |
1720 | # With NAT or TPROXY intercepted traffic Squid may pass the request |
1721 | # directly to the original client destination IP or seek a faster |
1722 | # source using the HTTP Host header. |
1723 | # |
1724 | # Using Host to locate alternative servers can provide faster |
1725 | # connectivity with a range of failure recovery options. |
1726 | # But can also lead to connectivity trouble when the client and |
1727 | # server are attempting stateful interactions unaware of the proxy. |
1728 | # |
1729 | # This option (on by default) prevents alternative DNS entries being |
1730 | # located to send intercepted traffic DIRECT to an origin server. |
1731 | # The clients original destination IP and port will be used instead. |
1732 | # |
1733 | # Regardless of this option setting, when dealing with intercepted |
1734 | # traffic Squid will verify the Host: header and any traffic which |
1735 | # fails Host verification will be treated as if this option were ON. |
1736 | # |
1737 | # see host_verify_strict for details on the verification process. |
1738 | #Default: |
1739 | # client_dst_passthru on |
1740 | |
1741 | # SSL OPTIONS |
1742 | # ----------------------------------------------------------------------------- |
1743 | |
1744 | # TAG: ssl_unclean_shutdown |
1745 | # Some browsers (especially MSIE) bug out on SSL shutdown |
1746 | # messages. |
1747 | #Default: |
1748 | # ssl_unclean_shutdown off |
1749 | |
1750 | # TAG: ssl_engine |
1751 | # The OpenSSL engine to use. You will need to set this if you |
1752 | # would like to use hardware SSL acceleration for example. |
1753 | #Default: |
1754 | # none |
1755 | |
1756 | # TAG: sslproxy_client_certificate |
1757 | # Client SSL Certificate to use when proxying https:// URLs |
1758 | #Default: |
1759 | # none |
1760 | |
1761 | # TAG: sslproxy_client_key |
1762 | # Client SSL Key to use when proxying https:// URLs |
1763 | #Default: |
1764 | # none |
1765 | |
1766 | # TAG: sslproxy_version |
1767 | # SSL version level to use when proxying https:// URLs |
1768 | # |
1769 | # The versions of SSL/TLS supported: |
1770 | # |
1771 | # 1 automatic (default) |
1772 | # 2 SSLv2 only |
1773 | # 3 SSLv3 only |
1774 | # 4 TLSv1.0 only |
1775 | # 5 TLSv1.1 only |
1776 | # 6 TLSv1.2 only |
1777 | #Default: |
1778 | # sslproxy_version 1 |
1779 | |
1780 | # TAG: sslproxy_options |
1781 | # SSL implementation options to use when proxying https:// URLs |
1782 | # |
1783 | # The most important being: |
1784 | # |
1785 | # NO_SSLv2 Disallow the use of SSLv2 |
1786 | # NO_SSLv3 Disallow the use of SSLv3 |
1787 | # NO_TLSv1 Disallow the use of TLSv1.0 |
1788 | # NO_TLSv1_1 Disallow the use of TLSv1.1 |
1789 | # NO_TLSv1_2 Disallow the use of TLSv1.2 |
1790 | # SINGLE_DH_USE |
1791 | # Always create a new key when using temporary/ephemeral |
1792 | # DH key exchanges |
1793 | # SSL_OP_NO_TICKET |
1794 | # Disable use of RFC5077 session tickets. Some servers |
1795 | # may have problems understanding the TLS extension due |
1796 | # to ambiguous specification in RFC4507. |
1797 | # ALL Enable various bug workarounds suggested as "harmless" |
1798 | # by OpenSSL. Be warned that this may reduce SSL/TLS |
1799 | # resistance to some attacks. |
1800 | # |
1801 | # See the OpenSSL SSL_CTX_set_options documentation for a |
1802 | # complete list of possible options. |
1803 | #Default: |
1804 | # none |
1805 | |
1806 | # TAG: sslproxy_cipher |
1807 | # SSL cipher list to use when proxying https:// URLs |
1808 | # |
1809 | # Colon separated list of supported ciphers. |
1810 | #Default: |
1811 | # none |
1812 | |
1813 | # TAG: sslproxy_cafile |
1814 | # file containing CA certificates to use when verifying server |
1815 | # certificates while proxying https:// URLs |
1816 | #Default: |
1817 | # none |
1818 | |
1819 | # TAG: sslproxy_capath |
1820 | # directory containing CA certificates to use when verifying |
1821 | # server certificates while proxying https:// URLs |
1822 | #Default: |
1823 | # none |
1824 | |
1825 | # TAG: ssl_bump |
1826 | # This ACL controls which CONNECT requests to an http_port |
1827 | # marked with an sslBump flag are actually "bumped". Please |
1828 | # see the sslBump flag of an http_port option for more details |
1829 | # about decoding proxied SSL connections. |
1830 | # |
1831 | # By default, no requests are bumped. |
1832 | # |
1833 | # See also: http_port ssl-bump |
1834 | # |
1835 | # This clause supports both fast and slow acl types. |
1836 | # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. |
1837 | # |
1838 | # |
1839 | # # Example: Bump all requests except those originating from localhost and |
1840 | # # those going to webax.com or example.com sites. |
1841 | # |
1842 | # acl localhost src 127.0.0.1/32 |
1843 | # acl broken_sites dstdomain .webax.com |
1844 | # acl broken_sites dstdomain .example.com |
1845 | # ssl_bump deny localhost |
1846 | # ssl_bump deny broken_sites |
1847 | # ssl_bump allow all |
1848 | #Default: |
1849 | # none |
1850 | |
1851 | # TAG: sslproxy_flags |
1852 | # Various flags modifying the use of SSL while proxying https:// URLs: |
1853 | # DONT_VERIFY_PEER Accept certificates that fail verification. This |
1854 | # disables server authentication for every https:// URL; |
1854 | # for refined, per-site control, see sslproxy_cert_error. |
1855 | # NO_DEFAULT_CA Don't use the default CA list built in |
1856 | # to OpenSSL. |
1857 | #Default: |
1858 | # none |
1859 | |
1860 | # TAG: sslproxy_cert_error |
1861 | # Use this ACL to bypass server certificate validation errors. |
1862 | # |
1863 | # For example, the following lines will bypass all validation errors |
1864 | # when talking to servers for example.com. All other |
1865 | # validation errors will result in ERR_SECURE_CONNECT_FAIL error. |
1866 | # |
1867 | # acl BrokenButTrustedServers dstdomain example.com |
1868 | # sslproxy_cert_error allow BrokenButTrustedServers |
1869 | # sslproxy_cert_error deny all |
1870 | # |
1871 | # This clause only supports fast acl types. |
1872 | # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. |
1873 | # Using slow acl types may result in server crashes. |
1874 | # |
1875 | # Without this option, all server certificate validation errors |
1876 | # terminate the transaction. Bypassing validation errors is dangerous |
1877 | # because an error usually implies that the server cannot be trusted and |
1878 | # the connection may be insecure. |
1879 | # |
1880 | # See also: sslproxy_flags and DONT_VERIFY_PEER. |
1881 | # |
1882 | # Default setting: sslproxy_cert_error deny all |
1883 | #Default: |
1884 | # none |
1885 | |
1886 | # TAG: sslpassword_program |
1887 | # Specify a program used for entering SSL key passphrases |
1888 | # when using encrypted SSL certificate keys. If not specified |
1889 | # keys must either be unencrypted, or Squid started with the -N |
1890 | # option to allow it to query interactively for the passphrase. |
1891 | # |
1892 | # The key file name is given as argument to the program allowing |
1893 | # selection of the right password if you have multiple encrypted |
1894 | # keys. |
1895 | #Default: |
1896 | # none |
1897 | |
1898 | # OPTIONS RELATING TO EXTERNAL SSL_CRTD |
1899 | # ----------------------------------------------------------------------------- |
1900 | |
1901 | # TAG: sslcrtd_program |
1902 | # Note: This option is only available if Squid is rebuilt with the |
1903 | # --enable-ssl-crtd |
1904 | # |
1905 | # Specify the location and options of the executable for the ssl_crtd process. |
1906 | # The /usr/lib64/squid/ssl_crtd program requires the -s and -M parameters. |
1907 | # For more information use: |
1908 | # /usr/lib64/squid/ssl_crtd -h |
1909 | #Default: |
1910 | # sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB |
1911 | |
1912 | # TAG: sslcrtd_children |
1913 | # Note: This option is only available if Squid is rebuilt with the |
1914 | # --enable-ssl-crtd |
1915 | # |
1916 | # The maximum number of ssl_crtd helper processes that may be spawned. |
1917 | # The maximum this may be safely set to is 32. |
1918 | # |
1919 | # The startup= and idle= options allow some measure of skew in your |
1920 | # tuning. |
1921 | # |
1922 | # startup=N |
1923 | # |
1924 | # Sets the minimum number of processes to spawn when Squid |
1925 | # starts or reconfigures. When set to zero the first request will |
1926 | # cause spawning of the first child process to handle it. |
1927 | # |
1928 | # Starting too few children temporarily slows Squid under load while it |
1929 | # tries to spawn enough additional processes to cope with traffic. |
1930 | # |
1931 | # idle=N |
1932 | # |
1933 | # Sets a minimum of how many processes Squid is to try and keep available |
1934 | # at all times. When traffic begins to rise above what the existing |
1935 | # processes can handle this many more will be spawned up to the maximum |
1936 | # configured. A minimum setting of 1 is required. |
1937 | # |
1938 | # You must have at least one ssl_crtd process. |
1939 | #Default: |
1940 | # sslcrtd_children 32 startup=5 idle=1 |
1941 | |
1942 | # OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM |
1943 | # ----------------------------------------------------------------------------- |
1944 | |
1945 | # TAG: cache_peer |
1946 | # To specify other caches in a hierarchy, use the format: |
1947 | # |
1948 | # cache_peer hostname type http-port icp-port [options] |
1949 | # |
1950 | # For example, |
1951 | # |
1952 | # # proxy icp |
1953 | # # hostname type port port options |
1954 | # # -------------------- -------- ----- ----- ----------- |
1955 | # cache_peer parent.foo.net parent 3128 3130 default |
1956 | # cache_peer sib1.foo.net sibling 3128 3130 proxy-only |
1957 | # cache_peer sib2.foo.net sibling 3128 3130 proxy-only |
1958 | # cache_peer example.com parent 80 0 default |
1959 | # cache_peer cdn.example.com sibling 3128 0 |
1960 | # |
1961 | # type: either 'parent', 'sibling', or 'multicast'. |
1962 | # |
1963 | # proxy-port (http-port): The port number where the peer accepts HTTP requests. |
1964 | # For other Squid proxies this is usually 3128 |
1965 | # For web servers this is usually 80 |
1966 | # |
1967 | # icp-port: Used for querying neighbor caches about objects. |
1968 | # Set to 0 if the peer does not support ICP or HTCP. |
1969 | # See ICP and HTCP options below for additional details. |
1970 | # |
1971 | # |
1972 | # ==== ICP OPTIONS ==== |
1973 | # |
1974 | # You MUST also set icp_port and icp_access explicitly when using these options. |
1975 | # The defaults will prevent peer traffic using ICP. |
1976 | # |
1977 | # |
1978 | # no-query Disable ICP queries to this neighbor. |
1979 | # |
1980 | # multicast-responder |
1981 | # Indicates the named peer is a member of a multicast group. |
1982 | # ICP queries will not be sent directly to the peer, but ICP |
1983 | # replies will be accepted from it. |
1984 | # |
1985 | # closest-only Indicates that, for ICP_OP_MISS replies, we'll only forward |
1986 | # CLOSEST_PARENT_MISSes and never FIRST_PARENT_MISSes. |
1987 | # |
1988 | # background-ping |
1989 | # To only send ICP queries to this neighbor infrequently. |
1990 | # This is used to keep the neighbor round trip time updated |
1991 | # and is usually used in conjunction with weighted-round-robin. |
1992 | # |
1993 | # |
1994 | # ==== HTCP OPTIONS ==== |
1995 | # |
1996 | # You MUST also set htcp_port and htcp_access explicitly when using these options. |
1997 | # The defaults will prevent peer traffic using HTCP. |
1998 | # |
1999 | # |
2000 | # htcp Send HTCP, instead of ICP, queries to the neighbor. |
2001 | # You probably also want to set the "icp-port" to 4827 |
2002 | # instead of 3130. This directive accepts a comma separated |
2003 | # list of options described below. |
2004 | # |
2005 | # htcp=oldsquid Send HTCP to old Squid versions (2.5 or earlier). |
2006 | # |
2007 | # htcp=no-clr Send HTCP to the neighbor but without |
2008 | # sending any CLR requests. This cannot be used with |
2009 | # only-clr. |
2010 | # |
2011 | # htcp=only-clr Send HTCP to the neighbor but ONLY CLR requests. |
2012 | # This cannot be used with no-clr. |
2013 | # |
2014 | # htcp=no-purge-clr |
2015 | # Send HTCP to the neighbor including CLRs but only when |
2016 | # they do not result from PURGE requests. |
2017 | # |
2018 | # htcp=forward-clr |
2019 | # Forward any HTCP CLR requests this proxy receives to the peer. |
2020 | # |
2021 | # |
2022 | # ==== PEER SELECTION METHODS ==== |
2023 | # |
2024 | # The default peer selection method is ICP, with the first responding peer |
2025 | # being used as source. These options can be used for better load balancing. |
2026 | # |
2027 | # |
2028 | # default This is a parent cache which can be used as a "last-resort" |
2029 | # if a peer cannot be located by any of the peer-selection methods. |
2030 | # If specified more than once, only the first is used. |
2031 | # |
2032 | # round-robin Load-Balance parents which should be used in a round-robin |
2033 | # fashion in the absence of any ICP queries. |
2034 | # weight=N can be used to add bias. |
2035 | # |
2036 | # weighted-round-robin |
2037 | # Load-Balance parents which should be used in a round-robin |
2038 | # fashion with the frequency of each parent being based on the |
2039 | # round trip time. Closer parents are used more often. |
2040 | # Usually used for background-ping parents. |
2041 | # weight=N can be used to add bias. |
2042 | # |
2043 | # carp Load-Balance parents which should be used as a CARP array. |
2044 | # The requests will be distributed among the parents based on the |
2045 | # CARP load balancing hash function based on their weight. |
2046 | # |
2047 | # userhash Load-balance parents based on the client proxy_auth or ident username. |
2048 | # |
2049 | # sourcehash Load-balance parents based on the client source IP. |
2050 | # |
2051 | # multicast-siblings |
2052 | # To be used only for cache peers of type "multicast". |
2053 | # ALL members of this multicast group have a "sibling" |
2054 | # relationship with it, not "parent" (without this option the |
2055 | # requested object would only be fetched from them as from a |
2056 | # "parent" cache). It is useful, e.g., when configuring a pool |
2057 | # of redundant Squid proxies that are members of the same |
2058 | # multicast group. |
2059 | # |
2060 | # |
2061 | # ==== PEER SELECTION OPTIONS ==== |
2062 | # |
2063 | # weight=N use to affect the selection of a peer during any weighted |
2064 | # peer-selection mechanisms. |
2065 | # The weight must be an integer; default is 1, |
2066 | # larger weights are favored more. |
2067 | # This option does not affect parent selection if a peering |
2068 | # protocol is not in use. |
2069 | # |
2070 | # basetime=N Specify a base amount to be subtracted from round trip |
2071 | # times of parents. |
2072 | # It is subtracted before division by weight in calculating |
2073 | # which parent to fetch from. If the rtt is less than the |
2074 | # base time the rtt is set to a minimal value. |
2075 | # |
2076 | # ttl=N Specify a TTL to use when sending multicast ICP queries |
2077 | # to this address. |
2078 | # Only useful when sending to a multicast group. |
2079 | # Because we don't accept ICP replies from random |
2080 | # hosts, you must configure other group members as |
2081 | # peers with the 'multicast-responder' option. |
2082 | # |
2083 | # no-delay To prevent access to this neighbor from influencing the |
2084 | # delay pools. |
2085 | # |
2086 | # digest-url=URL Tell Squid to fetch the cache digest (if digests are |
2087 | # enabled) for this host from the specified URL rather |
2088 | # than the Squid default location. |
2089 | # |
2090 | # |
2091 | # ==== CARP OPTIONS ==== |
2092 | # |
2093 | # carp-key=key-specification |
2094 | # use a different key than the full URL to hash against the peer. |
2095 | # the key-specification is a comma-separated list of the keywords |
2096 | # scheme, host, port, path, params |
2097 | # Order is not important. |
2098 | # |
2099 | # ==== ACCELERATOR / REVERSE-PROXY OPTIONS ==== |
2100 | # |
2101 | # originserver Causes this parent to be contacted as an origin server. |
2102 | # Meant to be used in accelerator setups when the peer |
2103 | # is a web server. |
2104 | # |
2105 | # forceddomain=name |
2106 | # Set the Host header of requests forwarded to this peer. |
2107 | # Useful in accelerator setups where the server (peer) |
2108 | # expects a certain domain name but clients may request |
2109 | # others, e.g. example.com or www.example.com |
2110 | # |
2111 | # no-digest Disable request of cache digests. |
2112 | # |
2113 | # no-netdb-exchange |
2114 | # Disables requesting ICMP RTT database (NetDB). |
2115 | # |
2116 | # |
2117 | # ==== AUTHENTICATION OPTIONS ==== |
2118 | # |
2119 | # login=user:password |
2120 | # If this is a personal/workgroup proxy and your parent |
2121 | # requires proxy authentication. |
2122 | # |
2123 | # Note: The string can include URL escapes (i.e. %20 for |
2124 | # spaces). This also means % must be written as %%. |
2125 | # |
2126 | # login=PASSTHRU |
2127 | # Send login details received from client to this peer. |
2128 | # Both Proxy- and WWW-Authorization headers are passed |
2129 | # without alteration to the peer, so the peer sees the clients' |
2130 | # credentials. Authentication is not required by Squid for this to work. |
2131 | # |
2132 | # Note: This will pass any form of authentication but |
2133 | # only Basic auth will work through a proxy unless the |
2134 | # connection-auth options are also used. |
2135 | # |
2136 | # login=PASS Send login details received from client to this peer. |
2137 | # Authentication is not required by this option. |
2138 | # |
2139 | # If there are no client-provided authentication headers |
2140 | # to pass on, but username and password are available |
2141 | # from an external ACL user= and password= result tags |
2142 | # they may be sent instead. |
2143 | # |
2144 | # Note: To combine this with proxy_auth both proxies must |
2145 | # share the same user database as HTTP only allows for |
2146 | # a single login (one for proxy, one for origin server). |
2147 | # Also be warned this will expose your users' proxy |
2148 | # passwords to the peer. USE WITH CAUTION |
2149 | # |
2150 | # login=*:password |
2151 | # Send the username to the upstream cache, but with a |
2152 | # fixed password. This is meant to be used when the peer |
2153 | # is in another administrative domain, but it is still |
2154 | # needed to identify each user. |
2155 | # The star can optionally be followed by some extra |
2156 | # information which is added to the username. This can |
2157 | # be used to identify this proxy to the peer, similar to |
2158 | # the login=username:password option above. |
2159 | # |
2160 | # login=NEGOTIATE |
2161 | # If this is a personal/workgroup proxy and your parent |
2162 | # requires a secure proxy authentication. |
2163 | # The first principal from the default keytab or defined by |
2164 | # the environment variable KRB5_KTNAME will be used. |
2165 | # |
2166 | # WARNING: The connection may transmit requests from multiple |
2167 | # clients. Negotiate often assumes end-to-end authentication |
2168 | # and a single-client. Which is not strictly true here. |
2169 | # |
2170 | # login=NEGOTIATE:principal_name |
2171 | # If this is a personal/workgroup proxy and your parent |
2172 | # requires a secure proxy authentication. |
2173 | # The principal principal_name from the default keytab or |
2174 | # defined by the environment variable KRB5_KTNAME will be |
2175 | # used. |
2176 | # |
2177 | # WARNING: The connection may transmit requests from multiple |
2178 | # clients. Negotiate often assumes end-to-end authentication |
2179 | # and a single-client. Which is not strictly true here. |
2180 | # |
2181 | # connection-auth=on|off |
2182 | # Tell Squid that this peer does or does not support Microsoft |
2183 | # connection oriented authentication; when off, any such |
2184 | # challenges received from there are ignored. |
2185 | # Default is auto to automatically determine the status |
2186 | # of the peer. |
2187 | # |
2188 | # |
2189 | # ==== SSL / HTTPS / TLS OPTIONS ==== |
2190 | # |
2191 | # ssl Encrypt connections to this peer with SSL/TLS. |
2192 | # |
2193 | # sslcert=/path/to/ssl/certificate |
2194 | # A client SSL certificate to use when connecting to |
2195 | # this peer. |
2196 | # |
2197 | # sslkey=/path/to/ssl/key |
2198 | # The private SSL key corresponding to sslcert above. |
2199 | # If 'sslkey' is not specified 'sslcert' is assumed to |
2200 | # reference a combined file containing both the |
2201 | # certificate and the key. |
2202 | # |
2203 | # sslversion=1|2|3|4|5|6 |
2204 | # The SSL version to use when connecting to this peer |
2205 | # 1 = automatic (default) |
2206 | # 2 = SSL v2 only |
2207 | # 3 = SSL v3 only |
2208 | # 4 = TLS v1.0 only |
2209 | # 5 = TLS v1.1 only |
2210 | # 6 = TLS v1.2 only |
2211 | # |
2212 | # sslcipher=... The list of valid SSL ciphers to use when connecting |
2213 | # to this peer. |
2214 | # |
2215 | # ssloptions=... Specify various SSL implementation options: |
2216 | # |
2217 | # NO_SSLv2 Disallow the use of SSLv2 |
2218 | # NO_SSLv3 Disallow the use of SSLv3 |
2219 | # NO_TLSv1 Disallow the use of TLSv1.0 |
2220 | # NO_TLSv1_1 Disallow the use of TLSv1.1 |
2221 | # NO_TLSv1_2 Disallow the use of TLSv1.2 |
2222 | # SINGLE_DH_USE |
2223 | # Always create a new key when using |
2224 | # temporary/ephemeral DH key exchanges |
2225 | # ALL Enable various bug workarounds |
2226 | # suggested as "harmless" by OpenSSL |
2227 | # Be warned that this weakens SSL/TLS |
2228 | # against some attacks. |
2229 | # |
2230 | # See the OpenSSL SSL_CTX_set_options documentation for a |
2231 | # more complete list. |
2232 | # |
2233 | # sslcafile=... A file containing additional CA certificates to use |
2234 | # when verifying the peer certificate. |
2235 | # |
2236 | # sslcapath=... A directory containing additional CA certificates to |
2237 | # use when verifying the peer certificate. |
2238 | # |
2239 | # sslcrlfile=... A certificate revocation list file to use when |
2240 | # verifying the peer certificate. |
2241 | # |
2242 | # sslflags=... Specify various flags modifying the SSL implementation: |
2243 | # |
2244 | # DONT_VERIFY_PEER |
2245 | # Accept certificates even if they fail to |
2246 | # verify (the peer's identity is then not authenticated). |
2247 | # NO_DEFAULT_CA |
2248 | # Don't use the default CA list built in |
2249 | # to OpenSSL. |
2250 | # DONT_VERIFY_DOMAIN |
2251 | # Don't verify the peer certificate |
2252 | # matches the server name |
2253 | # |
2254 | # ssldomain= The peer name as advertised in its certificate. |
2255 | # Used for verifying the correctness of the received peer |
2256 | # certificate. If not specified the peer hostname will be |
2257 | # used. |
2258 | # |
2259 | # front-end-https |
2260 | # Enable the "Front-End-Https: On" header needed when |
2261 | # using Squid as a SSL frontend in front of Microsoft OWA. |
2262 | # See MS KB document Q307347 for details on this header. |
2263 | # If set to auto the header will only be added if the |
2264 | # request is forwarded as a https:// URL. |
2265 | # |
2266 | # |
2267 | # ==== GENERAL OPTIONS ==== |
2268 | # |
2269 | # connect-timeout=N |
2270 | # A peer-specific connect timeout. |
2271 | # Also see the peer_connect_timeout directive. |
2272 | # |
2273 | # connect-fail-limit=N |
2274 | # How many times connecting to a peer must fail before |
2275 | # it is marked as down. Default is 10. |
2276 | # |
2277 | # allow-miss Disable Squid's use of only-if-cached when forwarding |
2278 | # requests to siblings. This is primarily useful when |
2279 | # icp_hit_stale is used by the sibling. Too extensive use |
2280 | # of this option may result in forwarding loops, and you |
2281 | # should avoid having two-way peerings with this option. |
2282 | # For example to deny peer usage on requests from peer |
2283 | # by denying cache_peer_access if the source is a peer. |
2284 | # |
2285 | # max-conn=N Limit the amount of connections Squid may open to this |
2286 | # peer. see also |
2287 | # |
2288 | # name=xxx Unique name for the peer. |
2289 | # Required if you have multiple peers on the same host |
2290 | # but different ports. |
2291 | # This name can be used in cache_peer_access and similar |
2292 | # directives to identify the peer. |
2293 | # Can be used by outgoing access controls through the |
2294 | # peername ACL type. |
2295 | # |
2296 | # no-tproxy Do not use the client-spoof TPROXY support when forwarding |
2297 | # requests to this peer. Use normal address selection instead. |
2298 | # |
2299 | # proxy-only objects fetched from the peer will not be stored locally. |
2300 | # |
2301 | #Default: |
2302 | # none |
2303 | |
2304 | # TAG: cache_peer_domain |
2305 | # Use to limit the domains for which a neighbor cache will be |
2306 | # queried. Usage: |
2307 | # |
2308 | # cache_peer_domain cache-host domain [domain ...] |
2309 | # cache_peer_domain cache-host !domain |
2310 | # |
2311 | # For example, specifying |
2312 | # |
2313 | # cache_peer_domain parent.foo.net .edu |
2314 | # |
2315 | # has the effect such that UDP query packets are sent to |
2316 | # 'parent.foo.net' only when the requested object exists on a |
2317 | # server in the .edu domain. Prefixing the domain name |
2318 | # with '!' means the cache will be queried for objects |
2319 | # NOT in that domain. |
2320 | # |
2321 | # NOTE: * Any number of domains may be given for a cache-host, |
2322 | # either on the same or separate lines. |
2323 | # * When multiple domains are given for a particular |
2324 | # cache-host, the first matched domain is applied. |
2325 | # * Cache hosts with no domain restrictions are queried |
2326 | # for all requests. |
2327 | # * There are no defaults. |
2328 | # * There is also a 'cache_peer_access' tag in the ACL |
2329 | # section. |
2330 | #Default: |
2331 | # none |
2332 | |
2333 | # TAG: cache_peer_access |
2334 | # Similar to 'cache_peer_domain' but provides more flexibility by |
2335 | # using ACL elements. |
2336 | # |
2337 | # cache_peer_access cache-host allow|deny [!]aclname ... |
2338 | # |
2339 | # The syntax is identical to 'http_access' and the other lists of |
2340 | # ACL elements. See the comments for 'http_access' below, or |
2341 | # the Squid FAQ (http://wiki.squid-cache.org/SquidFaq/SquidAcl). |
2342 | #Default: |
2343 | # none |
2344 | |
2345 | # TAG: neighbor_type_domain |
2346 | # usage: neighbor_type_domain neighbor parent|sibling domain domain ... |
2347 | # |
2348 | # Modifying the neighbor type for specific domains is now |
2349 | # possible. You can treat some domains differently than the |
2350 | # default neighbor type specified on the 'cache_peer' line. |
2351 | # Normally it should only be necessary to list domains which |
2352 | # should be treated differently because the default neighbor type |
2353 | # applies for hostnames which do not match domains listed here. |
2354 | # |
2355 | #EXAMPLE: |
2356 | # cache_peer cache.foo.org parent 3128 3130 |
2357 | # neighbor_type_domain cache.foo.org sibling .com .net |
2358 | # neighbor_type_domain cache.foo.org sibling .au .de |
2359 | #Default: |
2360 | # none |
2361 | |
2362 | # TAG: dead_peer_timeout (seconds) |
2363 | # This controls how long Squid waits to declare a peer cache |
2364 | # as "dead." If there are no ICP replies received in this |
2365 | # amount of time, Squid will declare the peer dead and not |
2366 | # expect to receive any further ICP replies. However, it |
2367 | # continues to send ICP queries, and will mark the peer as |
2368 | # alive upon receipt of the first subsequent ICP reply. |
2369 | # |
2370 | # This timeout also affects when Squid expects to receive ICP |
2371 | # replies from peers. If more than 'dead_peer' seconds have |
2372 | # passed since the last ICP reply was received, Squid will not |
2373 | # expect to receive an ICP reply on the next query. Thus, if |
2374 | # your time between requests is greater than this timeout, you |
2375 | # will see a lot of requests sent DIRECT to origin servers |
2376 | # instead of to your parents. |
2377 | #Default: |
2378 | # dead_peer_timeout 10 seconds |
2379 | |
2380 | # TAG: forward_max_tries |
2381 | # Controls how many different forward paths Squid will try |
2382 | # before giving up. See also forward_timeout. |
2383 | # |
2384 | # NOTE: connect_retries (default: none) can make each of these |
2385 | # possible forwarding paths be tried multiple times. |
2386 | #Default: |
2387 | # forward_max_tries 10 |
2388 | |
2389 | # TAG: hierarchy_stoplist |
2390 | # A list of words which, if found in a URL, cause the object to |
2391 | # be handled directly by this cache. In other words, use this |
2392 | # to not query neighbor caches for certain objects. You may |
2393 | # list this option multiple times. |
2394 | # |
2395 | # Example: |
2396 | # hierarchy_stoplist cgi-bin ? |
2397 | # |
2398 | # Note: never_direct overrides this option. |
2399 | #Default: |
2400 | # none |
2401 | |
2402 | # MEMORY CACHE OPTIONS |
2403 | # ----------------------------------------------------------------------------- |
2404 | |
2405 | # TAG: cache_mem (bytes) |
2406 | # NOTE: THIS PARAMETER DOES NOT SPECIFY THE MAXIMUM PROCESS SIZE. |
2407 | # IT ONLY PLACES A LIMIT ON HOW MUCH ADDITIONAL MEMORY SQUID WILL |
2408 | # USE AS A MEMORY CACHE OF OBJECTS. SQUID USES MEMORY FOR OTHER |
2409 | # THINGS AS WELL. SEE THE SQUID FAQ SECTION 8 FOR DETAILS. |
2410 | # |
2411 | # 'cache_mem' specifies the ideal amount of memory to be used |
2412 | # for: |
2413 | # * In-Transit objects |
2414 | # * Hot Objects |
2415 | # * Negative-Cached objects |
2416 | # |
2417 | # Data for these objects are stored in 4 KB blocks. This |
2418 | # parameter specifies the ideal upper limit on the total size of |
2419 | # 4 KB blocks allocated. In-Transit objects take the highest |
2420 | # priority. |
2421 | # |
2422 | # In-transit objects have priority over the others. When |
2423 | # additional space is needed for incoming data, negative-cached |
2424 | # and hot objects will be released. In other words, the |
2425 | # negative-cached and hot objects will fill up any unused space |
2426 | # not needed for in-transit objects. |
2427 | # |
2428 | # If circumstances require, this limit will be exceeded. |
2429 | # Specifically, if your incoming request rate requires more than |
2430 | # 'cache_mem' of memory to hold in-transit objects, Squid will |
2431 | # exceed this limit to satisfy the new requests. When the load |
2432 | # decreases, blocks will be freed until the high-water mark is |
2433 | # reached. Thereafter, blocks will be used to store hot |
2434 | # objects. |
2435 | # |
2436 | # If shared memory caching is enabled, Squid does not use the shared |
2437 | # cache space for in-transit objects, but they still consume as much |
2438 | # local memory as they need. For more details about the shared memory |
2439 | # cache, see memory_cache_shared. |
2440 | #Default: |
2441 | # cache_mem 256 MB |
2442 | |
2443 | # TAG: maximum_object_size_in_memory (bytes) |
2444 | # Objects greater than this size will not be kept in |
2445 | # the memory cache. This should be set high enough to keep objects |
2446 | # accessed frequently in memory to improve performance whilst low |
2447 | # enough to keep larger objects from hoarding cache_mem. |
2448 | #Default: |
2449 | # maximum_object_size_in_memory 512 KB |
2450 | |
2451 | # TAG: memory_cache_shared on|off |
2452 | # Controls whether the memory cache is shared among SMP workers. |
2453 | # |
2454 | # The shared memory cache is meant to occupy cache_mem bytes and replace |
2455 | # the non-shared memory cache, although some entities may still be |
2456 | # cached locally by workers for now (e.g., internal and in-transit |
2457 | # objects may be served from a local memory cache even if shared memory |
2458 | # caching is enabled). |
2459 | # |
2460 | # By default, the memory cache is shared if and only if all of the |
2461 | # following conditions are satisfied: Squid runs in SMP mode with |
2462 | # multiple workers, cache_mem is positive, and Squid environment |
2463 | # supports required IPC primitives (e.g., POSIX shared memory segments |
2464 | # and GCC-style atomic operations). |
2465 | # |
2466 | # To avoid blocking locks, shared memory uses opportunistic algorithms |
2467 | # that do not guarantee that every cachable entity that could have been |
2468 | # shared among SMP workers will actually be shared. |
2469 | # |
2470 | # Currently, entities exceeding 32KB in size cannot be shared. |
2471 | #Default: |
2472 | # "on" where supported if doing memory caching with multiple SMP workers. |
2473 | |
2474 | # TAG: memory_cache_mode |
2475 | # Controls which objects to keep in the memory cache (cache_mem) |
2476 | # |
2477 | # always Keep most recently fetched objects in memory (default) |
2478 | # |
2479 | # disk Only disk cache hits are kept in memory, which means |
2480 | # an object must first be cached on disk and then hit |
2481 | # a second time before being cached in memory. |
2482 | # |
2483 | # network Only objects fetched from the network are kept in memory |
2484 | #Default: |
2485 | # memory_cache_mode always |
2486 | |
2487 | # TAG: memory_replacement_policy |
2488 | # The memory replacement policy parameter determines which |
2489 | # objects are purged from memory when memory space is needed. |
2490 | # |
2491 | # See cache_replacement_policy for details. |
2492 | #Default: |
2493 | # memory_replacement_policy lru |
2494 | |
2495 | # DISK CACHE OPTIONS |
2496 | # ----------------------------------------------------------------------------- |
2497 | |
2498 | # TAG: cache_replacement_policy |
2499 | # The cache replacement policy parameter determines which |
2500 | # objects are evicted (replaced) when disk space is needed. |
2501 | # |
2502 | # lru : Squid's original list based LRU policy |
2503 | # heap GDSF : Greedy-Dual Size Frequency |
2504 | # heap LFUDA: Least Frequently Used with Dynamic Aging |
2505 | # heap LRU : LRU policy implemented using a heap |
2506 | # |
2507 | # Applies to any cache_dir lines listed below this. |
2508 | # |
2509 | # The LRU policies keep recently referenced objects. |
2510 | # |
2511 | # The heap GDSF policy optimizes object hit rate by keeping smaller |
2512 | # popular objects in cache so it has a better chance of getting a |
2513 | # hit. It achieves a lower byte hit rate than LFUDA though since |
2514 | # it evicts larger (possibly popular) objects. |
2515 | # |
2516 | # The heap LFUDA policy keeps popular objects in cache regardless of |
2517 | # their size and thus optimizes byte hit rate at the expense of |
2518 | # hit rate since one large, popular object will prevent many |
2519 | # smaller, slightly less popular objects from being cached. |
2520 | # |
2521 | # Both policies utilize a dynamic aging mechanism that prevents |
2522 | # cache pollution that can otherwise occur with frequency-based |
2523 | # replacement policies. |
2524 | # |
2525 | # NOTE: if using the LFUDA replacement policy you should increase |
2526 | # the value of maximum_object_size above its default of 4 MB |
2527 | # to maximize the potential byte hit rate improvement of LFUDA. |
2528 | # |
2529 | # For more information about the GDSF and LFUDA cache replacement |
2530 | # policies see http://www.hpl.hp.com/techreports/1999/HPL-1999-69.html |
2531 | # and http://fog.hpl.external.hp.com/techreports/98/HPL-98-173.html. |
2532 | #Default: |
2533 | # cache_replacement_policy lru |
2534 | |
2535 | # TAG: cache_dir |
2536 | # Usage: |
2537 | # |
2538 | # cache_dir Type Directory-Name Fs-specific-data [options] |
2539 | # |
2540 | # You can specify multiple cache_dir lines to spread the |
2541 | # cache among different disk partitions. |
2542 | # |
2543 | # Type specifies the kind of storage system to use. Only "ufs" |
2544 | # is built by default. To enable any of the other storage systems |
2545 | # see the --enable-storeio configure option. |
2546 | # |
2547 | # 'Directory' is a top-level directory where cache swap |
2548 | # files will be stored. If you want to use an entire disk |
2549 | # for caching, this can be the mount-point directory. |
2550 | # The directory must exist and be writable by the Squid |
2551 | # process. Squid will NOT create this directory for you. |
2552 | # |
2553 | # In SMP configurations, cache_dir must not precede the workers option |
2554 | # and should use configuration macros or conditionals to give each |
2555 | # worker interested in disk caching a dedicated cache directory. |
2556 | # |
2557 | # The ufs store type: |
2558 | # |
2559 | # "ufs" is the old well-known Squid storage format that has always |
2560 | # been there. |
2561 | # |
2562 | # cache_dir ufs Directory-Name Mbytes L1 L2 [options] |
2563 | # |
2564 | # 'Mbytes' is the amount of disk space (MB) to use under this |
2565 | # directory. The default is 100 MB. Change this to suit your |
2566 | # configuration. Do NOT put the size of your disk drive here. |
2567 | # Instead, if you want Squid to use the entire disk drive, |
2568 | # subtract 20% and use that value. |
2569 | # |
2570 | # 'L1' is the number of first-level subdirectories which |
2571 | # will be created under the 'Directory'. The default is 16. |
2572 | # |
2573 | # 'L2' is the number of second-level subdirectories which |
2574 | # will be created under each first-level directory. The default |
2575 | # is 256. |
2576 | # |
2577 | # The aufs store type: |
2578 | # |
2579 | # "aufs" uses the same storage format as "ufs", utilizing |
2580 | # POSIX-threads to avoid blocking the main Squid process on |
2581 | # disk-I/O. This was formerly known in Squid as async-io. |
2582 | # |
2583 | # cache_dir aufs Directory-Name Mbytes L1 L2 [options] |
2584 | # |
2585 | # see argument descriptions under ufs above |
2586 | # |
2587 | # The diskd store type: |
2588 | # |
2589 | # "diskd" uses the same storage format as "ufs", utilizing a |
2590 | # separate process to avoid blocking the main Squid process on |
2591 | # disk-I/O. |
2592 | # |
2593 | # cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n] |
2594 | # |
2595 | # see argument descriptions under ufs above |
2596 | # |
2597 | # Q1 specifies the number of unacknowledged I/O requests when Squid |
2598 | # stops opening new files. If this many messages are in the queues, |
2599 | # Squid won't open new files. Default is 64 |
2600 | # |
2601 | # Q2 specifies the number of unacknowledged messages when Squid |
2602 | # starts blocking. If this many messages are in the queues, |
2603 | # Squid blocks until it receives some replies. Default is 72 |
2604 | # |
2605 | # When Q1 < Q2 (the default), the cache directory is optimized |
2606 | # for lower response time at the expense of a decrease in hit |
2607 | # ratio. If Q1 > Q2, the cache directory is optimized for |
2608 | # higher hit ratio at the expense of an increase in response |
2609 | # time. |
2610 | # |
2611 | # The rock store type: |
2612 | # |
2613 | # cache_dir rock Directory-Name Mbytes <max-size=bytes> [options] |
2614 | # |
2615 | # The Rock Store type is a database-style storage. All cached |
2616 | # entries are stored in a "database" file, using fixed-size slots, |
2617 | # one entry per slot. The database size is specified in MB. The |
2618 | # slot size is specified in bytes using the max-size option. See |
2619 | # below for more info on the max-size option. |
2620 | # |
2621 | # If possible, Squid using Rock Store creates a dedicated kid |
2622 | # process called "disker" to avoid blocking Squid worker(s) on disk |
2623 | # I/O. One disker kid is created for each rock cache_dir. Diskers |
2624 | # are created only when Squid, running in daemon mode, has support |
2625 | # for the IpcIo disk I/O module. |
2626 | # |
2627 | # swap-timeout=msec: Squid will not start writing a miss to or |
2628 | # reading a hit from disk if it estimates that the swap operation |
2629 | # will take more than the specified number of milliseconds. When |
2630 | # omitted or set to zero (the default), disk I/O time limit |
2631 | # enforcement is disabled. Ignored when using the blocking I/O module because |
2632 | # blocking synchronous I/O does not allow Squid to estimate the |
2633 | # expected swap wait time. |
2634 | # |
2635 | # max-swap-rate=swaps/sec: Artificially limits disk access using |
2636 | # the specified I/O rate limit. Swap out requests that |
2637 | # would cause the average I/O rate to exceed the limit are |
2638 | # delayed. Individual swap in requests (i.e., hits or reads) are |
2639 | # not delayed, but they do contribute to measured swap rate and |
2640 | # since they are placed in the same FIFO queue as swap out |
2641 | # requests, they may wait longer if max-swap-rate is smaller. |
2642 | # This is necessary on file systems that buffer "too |
2643 | # many" writes and then start blocking Squid and other processes |
2644 | # while committing those writes to disk. Usually used together |
2645 | # with swap-timeout to avoid excessive delays and queue overflows |
2646 | # when disk demand exceeds available disk "bandwidth". When |
2647 | # omitted or set to zero (the default), disk I/O rate limit |
2648 | # enforcement is disabled. Currently supported by the IpcIo module only. |
2649 | # |
2650 | # |
2651 | # The coss store type: |
2652 | # |
2653 | # NP: COSS filesystem in Squid-3 has been deemed too unstable for |
2654 | # production use and has thus been removed from this release. |
2655 | # We hope that it can be made usable again soon. |
2656 | # |
2657 | # block-size=n defines the "block size" for COSS cache_dir's. |
2658 | # Squid uses file numbers as block numbers. Since file numbers |
2659 | # are limited to 24 bits, the block size determines the maximum |
2660 | # size of the COSS partition. The default is 512 bytes, which |
2661 | # leads to a maximum cache_dir size of 512<<24, or 8 GB. Note |
2662 | # you should not change the coss block size after Squid |
2663 | # has written some objects to the cache_dir. |
2664 | # |
2665 | # The coss file store has changed from 2.5. Now it uses a file |
2666 | # called 'stripe' in the directory names in the config - and |
2667 | # this will be created by squid -z. |
2668 | # |
2669 | # Common options: |
2670 | # |
2671 | # no-store, no new objects should be stored to this cache_dir |
2672 | # |
2673 | # min-size=n, refers to the min object size in bytes this cache_dir |
2674 | # will accept. It's used to restrict a cache_dir to only store |
2675 | # large objects (e.g. aufs) while other storedirs are optimized |
2676 | # for smaller objects (e.g. COSS). Defaults to 0. |
2677 | # |
2678 | # max-size=n, refers to the max object size in bytes this cache_dir |
2679 | # supports. It is used to select the cache_dir to store the object. |
2680 | # Note: To make optimal use of the max-size limits you should order |
2681 | # the cache_dir lines with the smallest max-size value first and the |
2682 | # ones with no max-size specification last. |
2683 | # |
2684 | # Note for coss, max-size must be less than COSS_MEMBUF_SZ, |
2685 | # which can be changed with the --with-coss-membuf-size=N configure |
2686 | # option. |
2687 | # |
2688 | |
2689 | # Uncomment and adjust the following to add a disk cache directory. |
2690 | #cache_dir ufs /var/spool/squid 100 16 256 |
2691 | |
2692 | # TAG: store_dir_select_algorithm |
2693 | # Set this to 'round-robin' as an alternative. |
2694 | #Default: |
2695 | # store_dir_select_algorithm least-load |
2696 | |
2697 | # TAG: max_open_disk_fds |
2698 | # To avoid having disk as the I/O bottleneck Squid can optionally |
2699 | # bypass the on-disk cache if more than this amount of disk file |
2700 | # descriptors are open. |
2701 | # |
2702 | # A value of 0 indicates no limit. |
2703 | #Default: |
2704 | # max_open_disk_fds 0 |
2705 | |
2706 | # TAG: minimum_object_size (bytes) |
2707 | # Objects smaller than this size will NOT be saved on disk. The |
2708 | # value is specified in kilobytes, and the default is 0 KB, which |
2709 | # means there is no minimum. |
2710 | #Default: |
2711 | # minimum_object_size 0 KB |
2712 | |
2713 | # TAG: maximum_object_size (bytes) |
2714 | # The default limit on size of objects stored to disk. |
2715 | # This size is used for cache_dir where max-size is not set. |
2716 | # The value is specified in bytes, and the default is 4 MB. |
2717 | # |
2718 | # If you wish to get a high BYTES hit ratio, you should probably |
2719 | # increase this (one 32 MB object hit counts for 3200 10KB |
2720 | # hits). |
2721 | # |
2722 | # If you wish to increase hit ratio more than you want to |
2723 | # save bandwidth you should leave this low. |
2724 | # |
2725 | # NOTE: if using the LFUDA replacement policy you should increase |
2726 | # this value to maximize the byte hit rate improvement of LFUDA! |
2727 | # See cache_replacement_policy above for a discussion of this policy. |
2728 | #Default: |
2729 | # maximum_object_size 4 MB |
2730 | |
2731 | # TAG: cache_swap_low (percent, 0-100) |
2732 | #Default: |
2733 | # cache_swap_low 90 |
2734 | |
2735 | # TAG: cache_swap_high (percent, 0-100) |
2736 | # |
2737 | # The low- and high-water marks for cache object replacement. |
2738 | # Replacement begins when the swap (disk) usage is above the |
2739 | # low-water mark and attempts to maintain utilization near the |
2740 | # low-water mark. As swap utilization gets close to high-water |
2741 | # mark object eviction becomes more aggressive. If utilization is |
2742 | # close to the low-water mark less replacement is done each time. |
2743 | # |
2744 | # Defaults are 90% and 95%. If you have a large cache, 5% could be |
2745 | # hundreds of MB. If this is the case you may wish to set these |
2746 | # numbers closer together. |
2747 | #Default: |
2748 | # cache_swap_high 95 |
2749 | |
2750 | # LOGFILE OPTIONS |
2751 | # ----------------------------------------------------------------------------- |
2752 | |
2753 | # TAG: logformat |
2754 | # Usage: |
2755 | # |
2756 | # logformat <name> <format specification> |
2757 | # |
2758 | # Defines an access log format. |
2759 | # |
2760 | # The <format specification> is a string with embedded % format codes |
2761 | # |
2762 | # % format codes all follow the same basic structure where all but |
2763 | # the formatcode is optional. Output strings are automatically escaped |
2764 | # as required according to their context and the output format |
2765 | # modifiers are usually not needed, but can be specified if an explicit |
2766 | # output format is desired. |
2767 | # |
2768 | # % ["|[|'|#] [-] [[0]width] [{argument}] formatcode |
2769 | # |
2770 | # " output in quoted string format |
2771 | # [ output in squid text log format as used by log_mime_hdrs |
2772 | # # output in URL quoted format |
2773 | # ' output as-is |
2774 | # |
2775 | # - left aligned |
2776 | # |
2777 | # width minimum and/or maximum field width: |
2778 | # [width_min][.width_max] |
2779 | # When minimum starts with 0, the field is zero-padded. |
2780 | # String values exceeding maximum width are truncated. |
2781 | # |
2782 | # {arg} argument such as header name etc |
2783 | # |
2784 | # Format codes: |
2785 | # |
2786 | # % a literal % character |
2787 | # sn Unique sequence number per log line entry |
2788 | # err_code The ID of an error response served by Squid or |
2789 | # a similar internal error identifier. |
2790 | # err_detail Additional err_code-dependent error information. |
2791 | # |
2792 | # Connection related format codes: |
2793 | # |
2794 | # >a Client source IP address |
2795 | # >A Client FQDN |
2796 | # >p Client source port |
2797 | # >eui Client source EUI (MAC address, EUI-48 or EUI-64 identifier) |
2798 | # >la Local IP address the client connected to |
2799 | # >lp Local port number the client connected to |
2800 | # |
2801 | # la Local listening IP address the client connection was connected to. |
2802 | # lp Local listening port number the client connection was connected to. |
2803 | # |
2804 | # <a Server IP address of the last server or peer connection |
2805 | # <A Server FQDN or peer name |
2806 | # <p Server port number of the last server or peer connection |
2807 | # <la Local IP address of the last server or peer connection |
2808 | # <lp Local port number of the last server or peer connection |
2809 | # |
2810 | # Time related format codes: |
2811 | # |
2812 | # ts Seconds since epoch |
2813 | # tu subsecond time (milliseconds) |
2814 | # tl Local time. Optional strftime format argument |
2815 | # default %d/%b/%Y:%H:%M:%S %z |
2816 | # tg GMT time. Optional strftime format argument |
2817 | # default %d/%b/%Y:%H:%M:%S %z |
2818 | # tr Response time (milliseconds) |
2819 | # dt Total time spent making DNS lookups (milliseconds) |
2820 | # |
2821 | # Access Control related format codes: |
2822 | # |
2823 | # et Tag returned by external acl |
2824 | # ea Log string returned by external acl |
2825 | # un User name (any available) |
2826 | # ul User name from authentication |
2827 | # ue User name from external acl helper |
2828 | # ui User name from ident |
2829 | # us User name from SSL |
2830 | # |
2831 | # HTTP related format codes: |
2832 | # |
2833 | # [http::]>h Original request header. Optional header name argument |
2834 | # on the format header[:[separator]element] |
2835 | # [http::]>ha The HTTP request headers after adaptation and redirection. |
2836 | # Optional header name argument as for >h |
2837 | # [http::]<h Reply header. Optional header name argument |
2838 | # as for >h |
2839 | # [http::]>Hs HTTP status code sent to the client |
2840 | # [http::]<Hs HTTP status code received from the next hop |
2841 | # [http::]<bs Number of HTTP-equivalent message body bytes |
2842 | # received from the next hop, excluding chunked |
2843 | # transfer encoding and control messages. |
2844 | # Generated FTP/Gopher listings are treated as |
2845 | # received bodies. |
2846 | # [http::]mt MIME content type |
2847 | # [http::]rm Request method (GET/POST etc) |
2848 | # [http::]>rm Request method from client |
2849 | # [http::]<rm Request method sent to server or peer |
2850 | # [http::]ru Request URL from client (historic, filtered for logging) |
2851 | # [http::]>ru Request URL from client |
2852 | # [http::]<ru Request URL sent to server or peer |
2853 | # [http::]rp Request URL-Path excluding hostname |
2854 | # [http::]>rp Request URL-Path excluding hostname from client |
2855 | # [http::]<rp Request URL-Path excluding hostname sent to server or peer |
2856 | # [http::]rv Request protocol version |
2857 | # [http::]>rv Request protocol version from client |
2858 | # [http::]<rv Request protocol version sent to server or peer |
2859 | # [http::]<st Sent reply size including HTTP headers |
2860 | # [http::]>st Received request size including HTTP headers. In the |
2861 | # case of chunked requests the chunked encoding metadata |
2862 | # are not included |
2863 | # [http::]>sh Received HTTP request headers size |
2864 | # [http::]<sh Sent HTTP reply headers size |
2865 | # [http::]st Request+Reply size including HTTP headers |
2866 | # [http::]<sH Reply high offset sent |
2867 | # [http::]<sS Upstream object size |
2868 | # [http::]<pt Peer response time in milliseconds. The timer starts |
2869 | # when the last request byte is sent to the next hop |
2870 | # and stops when the last response byte is received. |
2871 | # [http::]<tt Total server-side time in milliseconds. The timer |
2872 | # starts with the first connect request (or write I/O) |
2873 | # sent to the first selected peer. The timer stops |
2874 | # with the last I/O with the last peer. |
2875 | # |
2876 | # Squid handling related format codes: |
2877 | # |
2878 | # Ss Squid request status (TCP_MISS etc) |
2879 | # Sh Squid hierarchy status (DEFAULT_PARENT etc) |
2880 | # |
2881 | # If ICAP is enabled, the following code becomes available (as |
2882 | # well as ICAP log codes documented with the icap_log option): |
2883 | # |
2884 | # icap::tt Total ICAP processing time for the HTTP |
2885 | # transaction. The timer ticks when ICAP |
2886 | # ACLs are checked and when ICAP |
2887 | # transaction is in progress. |
2888 | # |
2889 | # If adaptation is enabled the following three codes become available: |
2890 | # |
2891 | # adapt::<last_h The header of the last ICAP response or |
2892 | # meta-information from the last eCAP |
2893 | # transaction related to the HTTP transaction. |
2894 | # Like <h, accepts an optional header name |
2895 | # argument. |
2896 | # |
2897 | # adapt::sum_trs Summed adaptation transaction response |
2898 | # times recorded as a comma-separated list in |
2899 | # the order of transaction start time. Each time |
2900 | # value is recorded as an integer number, |
2901 | # representing response time of one or more |
2902 | # adaptation (ICAP or eCAP) transaction in |
2903 | # milliseconds. When a failed transaction is |
2904 | # being retried or repeated, its time is not |
2905 | # logged individually but added to the |
2906 | # replacement (next) transaction. See also: |
2907 | # adapt::all_trs. |
2908 | # |
2909 | # adapt::all_trs All adaptation transaction response times. |
2910 | # Same as adapt::sum_trs but response times of |
2911 | # individual transactions are never added |
2912 | # together. Instead, all transaction response |
2913 | # times are recorded individually. |
2914 | # |
2915 | # You can prefix adapt::*_trs format codes with an adaptation |
2916 | # service name in curly braces to record response time(s) specific |
2917 | # to that service. For example: %{my_service}adapt::sum_trs |
2918 | # |
2919 | # The default formats available (which do not need re-defining) are: |
2920 | # |
2921 | #logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt |
2922 | #logformat common %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh |
2923 | #logformat combined %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh |
2924 | #logformat referrer %ts.%03tu %>a %{Referer}>h %ru |
2925 | #logformat useragent %>a [%tl] "%{User-Agent}>h" |
2926 | # |
2927 | # NOTE: When the log_mime_hdrs directive is set to ON, |
2928 | # the squid, common and combined formats have a safely encoded copy |
2929 | # of the mime headers appended to each line within a pair of brackets. |
2930 | # |
2931 | # NOTE: The common and combined formats are not quite true to the Apache definition. |
2932 | # The logs from Squid contain an extra status and hierarchy code appended. |
2933 | # |
2934 | #Default: |
2935 | # none |
2936 | |
2937 | # TAG: access_log |
2938 | # These files log client request activities. Has a line every HTTP or |
2939 | # ICP request. The format is: |
2940 | # access_log <module>:<place> [<logformat name> [acl acl ...]] |
2941 | # access_log none [acl acl ...] |
2942 | # |
2943 | # Will log to the specified module:place using the specified format (which |
2944 | # must be defined in a logformat directive) those entries which match |
2945 | # ALL the acl's specified (which must be defined in acl clauses). |
2946 | # If no acl is specified, all requests will be logged to this destination. |
2947 | # |
2948 | # ===== Modules Currently available ===== |
2949 | # |
2950 | # none Do not log any requests matching these ACL. |
2951 | # Do not specify Place or logformat name. |
2952 | # |
2953 | # stdio Write each log line to disk immediately at the completion of |
2954 | # each request. |
2955 | # Place: the filename and path to be written. |
2956 | # |
2957 | # daemon Very similar to stdio. But instead of writing to disk the log |
2958 | # line is passed to a daemon helper for asynchronous handling. |
2959 | # Place: varies depending on the daemon. |
2960 | # |
2961 | # log_file_daemon Place: the file name and path to be written. |
2962 | # |
2963 | # syslog To log each request via syslog facility. |
2964 | # Place: The syslog facility and priority level for these entries. |
2965 | # Place Format: facility.priority |
2966 | # |
2967 | # where facility could be any of: |
2968 | # authpriv, daemon, local0 ... local7 or user. |
2969 | # |
2970 | # And priority could be any of: |
2971 | # err, warning, notice, info, debug. |
2972 | # |
2973 | # udp To send each log line as text data to a UDP receiver. |
2974 | # Place: The destination host name or IP and port. |
2975 | # Place Format: //host:port |
2976 | # |
2977 | # tcp To send each log line as text data to a TCP receiver. |
2978 | # Place: The destination host name or IP and port. |
2979 | # Place Format: //host:port |
2980 | # |
2981 | # Default: |
2982 | # access_log daemon:/var/log/squid/access.log squid |
2983 | #Default: |
2984 | # access_log daemon:/var/log/squid/access.log squid |
2985 | |
2986 | # TAG: icap_log |
2987 | # ICAP log files record ICAP transaction summaries, one line per |
2988 | # transaction. |
2989 | # |
2990 | # The icap_log option format is: |
2991 | # icap_log <filepath> [<logformat name> [acl acl ...]] |
2992 | # icap_log none [acl acl ...] |
2993 | # |
2994 | # Please see access_log option documentation for details. The two |
2995 | # kinds of logs share the overall configuration approach and many |
2996 | # features. |
2997 | # |
2998 | # ICAP processing of a single HTTP message or transaction may |
2999 | # require multiple ICAP transactions. In such cases, multiple |
3000 | # ICAP transaction log lines will correspond to a single access |
3001 | # log line. |
3002 | # |
3003 | # ICAP log uses logformat codes that make sense for an ICAP |
3004 | # transaction. Header-related codes are applied to the HTTP header |
3005 | # embedded in an ICAP server response, with the following caveats: |
3006 | # For REQMOD, there is no HTTP response header unless the ICAP |
3007 | # server performed request satisfaction. For RESPMOD, the HTTP |
3008 | # request header is the header sent to the ICAP server. For |
3009 | # OPTIONS, there are no HTTP headers. |
3010 | # |
3011 | # The following format codes are also available for ICAP logs: |
3012 | # |
3013 | # icap::<A ICAP server IP address. Similar to <A. |
3014 | # |
3015 | # icap::<service_name ICAP service name from the icap_service |
3016 | # option in Squid configuration file. |
3017 | # |
3018 | # icap::ru ICAP Request-URI. Similar to ru. |
3019 | # |
3020 | # icap::rm ICAP request method (REQMOD, RESPMOD, or |
3021 | # OPTIONS). Similar to existing rm. |
3022 | # |
3023 | # icap::>st Bytes sent to the ICAP server (TCP payload |
3024 | # only; i.e., what Squid writes to the socket). |
3025 | # |
3026 | # icap::<st Bytes received from the ICAP server (TCP |
3027 | # payload only; i.e., what Squid reads from |
3028 | # the socket). |
3029 | # |
3030 | # icap::<bs Number of message body bytes received from the |
3031 | # ICAP server. ICAP message body, if any, usually |
3032 | # includes encapsulated HTTP message headers and |
3033 | # possibly encapsulated HTTP message body. The |
3034 | # HTTP body part is dechunked before its size is |
3035 | # computed. |
3036 | # |
3037 | # icap::tr Transaction response time (in |
3038 | # milliseconds). The timer starts when |
3039 | # the ICAP transaction is created and |
3040 | # stops when the transaction is completed. |
3041 | # Similar to tr. |
3042 | # |
3043 | # icap::tio Transaction I/O time (in milliseconds). The |
3044 | # timer starts when the first ICAP request |
3045 | # byte is scheduled for sending. The timer |
3046 | # stops when the last byte of the ICAP response |
3047 | # is received. |
3048 | # |
3049 | # icap::to Transaction outcome: ICAP_ERR* for all |
3050 | # transaction errors, ICAP_OPT for OPTIONS |
3051 | # transactions, ICAP_ECHO for 204 |
3052 | # responses, ICAP_MOD for message |
3053 | # modification, and ICAP_SAT for request |
3054 | # satisfaction. Similar to Ss. |
3055 | # |
3056 | # icap::Hs ICAP response status code. Similar to Hs. |
3057 | # |
3058 | # icap::>h ICAP request header(s). Similar to >h. |
3059 | # |
3060 | # icap::<h ICAP response header(s). Similar to <h. |
3061 | # |
3062 | # The default ICAP log format, which can be used without an explicit |
3063 | # definition, is called icap_squid: |
3064 | # |
3065 | #logformat icap_squid %ts.%03tu %6icap::tr %>a %icap::to/%03icap::Hs %icap::<size %icap::rm %icap::ru% %un -/%icap::<A - |
3066 | # |
3067 | # See also: logformat, log_icap, and %adapt::<last_h |
3068 | #Default: |
3069 | # none |
3070 | |
3071 | # TAG: logfile_daemon |
3072 | # Specify the path to the logfile-writing daemon. This daemon is |
3073 | # used to write the access and store logs, if configured. |
3074 | # |
3075 | # Squid sends a number of commands to the log daemon: |
3076 | # L<data>\n - logfile data |
3077 | # R\n - rotate file |
3078 | # T\n - truncate file |
3079 | # O\n - reopen file |
3080 | # F\n - flush file |
3081 | # r<n>\n - set rotate count to <n> |
3082 | # b<n>\n - 1 = buffer output, 0 = don't buffer output |
3083 | # |
3084 | # No response is expected. |
3085 | #Default: |
3086 | # logfile_daemon /usr/lib64/squid/log_file_daemon |
3087 | |
3088 | # TAG: log_access allow|deny acl acl... |
3089 | # This option allows you to control which requests get logged |
3090 | # to access.log (see access_log directive). Requests denied for |
3091 | # logging will also not be accounted for in performance counters. |
3092 | # |
3093 | # This clause only supports fast acl types. |
3094 | # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. |
3095 | #Default: |
3096 | # none |
3097 | |
3098 | # TAG: log_icap |
3099 | # This option allows you to control which requests get logged |
3100 | # to icap.log. See the icap_log directive for ICAP log details. |
3101 | #Default: |
3102 | # none |
3103 | |
3104 | # TAG: cache_store_log |
3105 | # Logs the activities of the storage manager. Shows which |
3106 | # objects are ejected from the cache, and which objects are |
3107 | # saved and for how long. |
3108 | # There are no real utilities to analyze this data, so you can safely |
3109 | # disable it (the default). |
3110 | # |
3111 | # Store log uses modular logging outputs. See access_log for the list |
3112 | # of modules supported. |
3113 | # |
3114 | # Example: |
3115 | # cache_store_log stdio:/var/log/squid/store.log |
3116 | # cache_store_log daemon:/var/log/squid/store.log |
3117 | #Default: |
3118 | # none |
3119 | |
3120 | # TAG: cache_swap_state |
3121 | # Location for the cache "swap.state" file. This index file holds |
3122 | # the metadata of objects saved on disk. It is used to rebuild |
3123 | # the cache during startup. Normally this file resides in each |
3124 | # 'cache_dir' directory, but you may specify an alternate |
3125 | # pathname here. Note you must give a full filename, not just |
3126 | # a directory. Since this is the index for the whole object |
3127 | # list you CANNOT periodically rotate it! |
3128 | # |
3129 | # %s can be used in the file name; it will be replaced with |
3130 | # a representation of the cache_dir name where each / is replaced |
3131 | # with '.'. This is needed to allow adding/removing cache_dir |
3132 | # lines when cache_swap_log is being used. |
3133 | # |
3134 | # If you have more than one 'cache_dir', and %s is not used in the name |
3135 | # these swap logs will have names such as: |
3136 | # |
3137 | # cache_swap_log.00 |
3138 | # cache_swap_log.01 |
3139 | # cache_swap_log.02 |
3140 | # |
3141 | # The numbered extension (which is added automatically) |
3142 | # corresponds to the order of the 'cache_dir' lines in this |
3143 | # configuration file. If you change the order of the 'cache_dir' |
3144 | # lines in this file, these index files will NOT correspond to |
3145 | # the correct 'cache_dir' entry (unless you manually rename |
3146 | # them). We recommend you do NOT use this option. It is |
3147 | # better to keep these index files in each 'cache_dir' directory. |
3148 | #Default: |
3149 | # none |
3150 | |
3151 | # TAG: logfile_rotate |
3152 | # Specifies the number of logfile rotations to make when you |
3153 | # type 'squid -k rotate'. The default is 10, which will rotate |
3154 | # with extensions 0 through 9. Setting logfile_rotate to 0 will |
3155 | # disable the file name rotation, but the logfiles are still closed |
3156 | # and re-opened. This will enable you to rename the logfiles |
3157 | # yourself just before sending the rotate signal. |
3158 | # |
3159 | # Note, the 'squid -k rotate' command normally sends a USR1 |
3160 | # signal to the running squid process. In certain situations |
3161 | # (e.g. on Linux with Async I/O), USR1 is used for other |
3162 | # purposes, so -k rotate uses another signal. It is best to get |
3163 | # in the habit of using 'squid -k rotate' instead of 'kill -USR1 |
3164 | # <pid>'. |
3165 | # |
3166 | # Note, from Squid-3.1 this option has no effect on the cache.log, |
3167 | # that log can be rotated separately by using debug_options |
3168 | #Default: |
3169 | # logfile_rotate 0 |
3170 | |
3171 | # TAG: emulate_httpd_log |
3172 | # Replace this with an access_log directive using the format 'common' or 'combined'. |
3173 | #Default: |
3174 | # none |
3175 | |
3176 | # TAG: log_ip_on_direct |
3177 | # Remove this option from your config. To log server or peer names use %<A in the log format. |
3178 | #Default: |
3179 | # none |
3180 | |
3181 | # TAG: mime_table |
3182 | # Pathname to Squid's MIME table. You shouldn't need to change |
3183 | # this, but the default file contains examples and formatting |
3184 | # information if you do. |
3185 | #Default: |
3186 | # mime_table /etc/squid/mime.conf |
3187 | |
3188 | # TAG: log_mime_hdrs on|off |
3189 | # The Cache can record both the request and the response MIME |
3190 | # headers for each HTTP transaction. The headers are encoded |
3191 | # safely and will appear as two bracketed fields at the end of |
3192 | # the access log (for either the native or httpd-emulated log |
3193 | # formats). To enable this logging set log_mime_hdrs to 'on'. |
3194 | #Default: |
3195 | # log_mime_hdrs off |
3196 | |
3197 | # TAG: useragent_log |
3198 | # Replace this with an access_log directive using the format 'useragent'. |
3199 | #Default: |
3200 | # none |
3201 | |
3202 | # TAG: referer_log |
3203 | # Replace this with an access_log directive using the format 'referrer'. |
3204 | #Default: |
3205 | # none |
3206 | |
3207 | # TAG: pid_filename |
3208 | # A filename to write the process-id to. To disable, enter "none". |
3209 | #Default: |
3210 | # pid_filename /var/run/squid.pid |
3211 | |
3212 | # TAG: log_fqdn |
3213 | # Remove this option from your config. To log FQDN use %>A in the log format. |
3214 | #Default: |
3215 | # none |
3216 | |
3217 | # TAG: client_netmask |
3218 | # A netmask for client addresses in logfiles and cachemgr output. |
3219 | # Change this to protect the privacy of your cache clients. |
3220 | # A netmask of 255.255.255.0 will log all IPs in that range with |
3221 | # the last digit set to '0'. |
3222 | #Default: |
3223 | # client_netmask no_addr |
3224 | |
3225 | # TAG: forward_log |
3226 | # Use a regular access.log with ACL limiting it to MISS events. |
3227 | #Default: |
3228 | # none |
3229 | |
3230 | # TAG: strip_query_terms |
3231 | # By default, Squid strips query terms from requested URLs before |
3232 | # logging. This protects your users' privacy. |
3233 | #Default: |
3234 | # strip_query_terms on |
3235 | |
3236 | # TAG: buffered_logs on|off |
3237 | # cache.log log file is written with stdio functions, and as such |
3238 | # it can be buffered or unbuffered. By default it will be unbuffered. |
3239 | # Buffering it can speed up the writing slightly (though you are |
3240 | # unlikely to need to worry unless you run with tons of debugging |
3241 | # enabled in which case performance will suffer badly anyway..). |
3242 | #Default: |
3243 | # buffered_logs off |
3244 | |
3245 | # TAG: netdb_filename |
3246 | # A filename where Squid stores its netdb state between restarts. |
3247 | # To disable, enter "none". |
3248 | #Default: |
3249 | # netdb_filename stdio:/var/log/squid/netdb.state |
3250 | |
3251 | # OPTIONS FOR TROUBLESHOOTING |
3252 | # ----------------------------------------------------------------------------- |
3253 | |
3254 | # TAG: cache_log |
3255 | # Cache logging file. This is where general information about |
3256 | # your cache's behavior goes. You can increase the amount of data |
3257 | # logged to this file and how often it is rotated with "debug_options" |
3258 | #Default: |
3259 | # cache_log /var/log/squid/cache.log |
3260 | |
3261 | # TAG: debug_options |
3262 | # Logging options are set as section,level where each source file |
3263 | # is assigned a unique section. Lower levels result in less |
3264 | # output. Full debugging (level 9) can result in a very large |
3265 | # log file, so be careful. |
3266 | # |
3267 | # The magic word "ALL" sets debugging levels for all sections. |
3268 | # We recommend normally running with "ALL,1". |
3269 | # |
3270 | # The rotate=N option can be used to keep more or less of these logs |
3271 | # than would otherwise be kept by logfile_rotate. |
3272 | # For most uses a single log should be enough to monitor current |
3273 | # events affecting Squid. |
3274 | #Default: |
3275 | # debug_options ALL,1 |
3276 | |
3277 | # TAG: coredump_dir |
3278 | # By default Squid leaves core files in the directory from where |
3279 | # it was started. If you set 'coredump_dir' to a directory |
3280 | # that exists, Squid will chdir() to that directory at startup |
3281 | # and coredump files will be left there. |
3282 | # |
3283 | #Default: |
3284 | # coredump_dir none |
3285 | # |
3286 | |
3287 | # Leave coredumps in the first cache dir. NOTE(review): a core file is a dump of the process memory, so it may hold in-flight request data and credentials — confirm this directory is readable only by the squid user. |
3288 | coredump_dir /var/spool/squid |
3289 | |
3290 | # OPTIONS FOR FTP GATEWAYING |
3291 | # ----------------------------------------------------------------------------- |
3292 | |
3293 | # TAG: ftp_user |
3294 | # If you want the anonymous login password to be more informative |
3295 | # (and enable the use of picky ftp servers), set this to something |
3296 | # reasonable for your domain, like wwwuser@somewhere.net |
3297 | # |
3298 | # The reason why this is domainless by default is the |
3299 | # request can be made on the behalf of a user in any domain, |
3300 | # depending on how the cache is used. |
3301 | # Some FTP servers also validate that the email address is valid |
3302 | # (for example perl.com). |
3303 | #Default: |
3304 | # ftp_user Squid@ |
3305 | |
3306 | # TAG: ftp_passive |
3307 | # If your firewall does not allow Squid to use passive |
3308 | # connections, turn off this option. |
3309 | # |
3310 | # Use of ftp_epsv_all option requires this to be ON. |
3311 | #Default: |
3312 | # ftp_passive on |
3313 | |
3314 | # TAG: ftp_epsv_all |
3315 | # FTP Protocol extensions permit the use of a special "EPSV ALL" command. |
3316 | # |
3317 | # NATs may be able to put the connection on a "fast path" through the |
3318 | # translator, as the EPRT command will never be used and therefore, |
3319 | # translation of the data portion of the segments will never be needed. |
3320 | # |
3321 | # When a client only expects to do two-way FTP transfers this may be |
3322 | # useful. |
3323 | # If squid finds that it must do a three-way FTP transfer after issuing |
3324 | # an EPSV ALL command, the FTP session will fail. |
3325 | # |
3326 | # If you have any doubts about this option do not use it. |
3327 | # Squid will nicely attempt all other connection methods. |
3328 | # |
3329 | # Requires ftp_passive to be ON (default) for any effect. |
3330 | #Default: |
3331 | # ftp_epsv_all off |
3332 | |
3333 | # TAG: ftp_epsv |
3334 | # FTP Protocol extensions permit the use of a special "EPSV" command. |
3335 | # |
3336 | # NATs may be able to put the connection on a "fast path" through the |
3337 | # translator using EPSV, as the EPRT command will never be used |
3338 | # and therefore, translation of the data portion of the segments |
3339 | # will never be needed. |
3340 | # |
3341 | # Turning this OFF will prevent EPSV being attempted. |
3342 | # WARNING: Doing so will convert Squid back to the old behavior with all |
3343 | # the related problems with external NAT devices/layers. |
3344 | # |
3345 | # Requires ftp_passive to be ON (default) for any effect. |
3346 | #Default: |
3347 | # ftp_epsv on |
3348 | |
3349 | # TAG: ftp_eprt |
3350 | # FTP Protocol extensions permit the use of a special "EPRT" command. |
3351 | # |
3352 | # This extension provides a protocol neutral alternative to the |
3353 | # IPv4-only PORT command. When supported it enables active FTP data |
3354 | # channels over IPv6 and efficient NAT handling. |
3355 | # |
3356 | # Turning this OFF will prevent EPRT being attempted and will skip |
3357 | # straight to using PORT for IPv4 servers. |
3358 | # |
3359 | # Some devices are known to not handle this extension correctly and |
3360 | # may result in crashes. Devices which support EPRT enough to fail |
3361 | # cleanly will result in Squid attempting PORT anyway. This directive |
3362 | # should only be disabled when EPRT results in device failures. |
3363 | # |
3364 | # WARNING: Doing so will convert Squid back to the old behavior with all |
3365 | # the related problems with external NAT devices/layers and IPv4-only FTP. |
3366 | #Default: |
3367 | # ftp_eprt on |
3368 | |
3369 | # TAG: ftp_sanitycheck |
3370 | # For security and data integrity reasons Squid by default performs |
3371 | # sanity checks of the addresses of FTP data connections to ensure the |
3372 | # data connection is to the requested server. If you need to allow |
3373 | # FTP connections to servers using another IP address for the data |
3374 | # connection turn this off. |
3375 | #Default: |
3376 | # ftp_sanitycheck on |
3377 | |
3378 | # TAG: ftp_telnet_protocol |
3379 | # The FTP protocol is officially defined to use the telnet protocol |
3380 | # as transport channel for the control connection. However, many |
3381 | # implementations are broken and do not respect this aspect of |
3382 | # the FTP protocol. |
3383 | # |
3384 | # If you have trouble accessing files with ASCII code 255 in the |
3385 | # path or similar problems involving this ASCII code you can |
3386 | # try setting this directive to off. If that helps, report to the |
3387 | # operator of the FTP server in question that their FTP server |
3388 | # is broken and does not follow the FTP standard. |
3389 | #Default: |
3390 | # ftp_telnet_protocol on |
3391 | |
3392 | # OPTIONS FOR EXTERNAL SUPPORT PROGRAMS |
3393 | # ----------------------------------------------------------------------------- |
3394 | |
3395 | # TAG: diskd_program |
3396 | # Specify the location of the diskd executable. |
3397 | # Note this is only useful if you have compiled in |
3398 | # diskd as one of the store io modules. |
3399 | #Default: |
3400 | # diskd_program /usr/lib64/squid/diskd |
3401 | |
3402 | # TAG: unlinkd_program |
3403 | # Specify the location of the executable for file deletion process. |
3404 | #Default: |
3405 | # unlinkd_program /usr/lib64/squid/unlinkd |
3406 | |
3407 | # TAG: pinger_program |
3408 | # Specify the location of the executable for the pinger process. |
3409 | #Default: |
3410 | # pinger_program /usr/lib64/squid/pinger |
3411 | |
3412 | # TAG: pinger_enable |
3413 | # Control whether the pinger is active at run-time. |
3414 | # Enables turning ICMP pinger on and off with a simple |
3415 | # squid -k reconfigure. |
3416 | #Default: |
3417 | # pinger_enable on |
3418 | |
3419 | # OPTIONS FOR URL REWRITING |
3420 | # ----------------------------------------------------------------------------- |
3421 | |
3422 | # TAG: url_rewrite_program |
3423 | # Specify the location of the executable URL rewriter to use. |
3424 | # Since they can perform almost any function there isn't one included. |
3425 | # |
3426 | # For each requested URL, the rewriter will receive one line with the format |
3427 | # |
3428 | # URL <SP> client_ip "/" fqdn <SP> user <SP> method [<SP> kvpairs]<NL> |
3429 | # |
3430 | # In the future, the rewriter interface will be extended with |
3431 | # key=value pairs ("kvpairs" shown above). Rewriter programs |
3432 | # should be prepared to receive and possibly ignore additional |
3433 | # whitespace-separated tokens on each input line. |
3434 | # |
3435 | # And the rewriter may return a rewritten URL. The other components of |
3436 | # the request line do not need to be returned (ignored if they are). |
3437 | # |
3438 | # The rewriter can also indicate that a client-side redirect should |
3439 | # be performed to the new URL. This is done by prefixing the returned |
3440 | # URL with "301:" (moved permanently) or 302: (moved temporarily), etc. |
3441 | # |
3442 | # By default, a URL rewriter is not used. |
3443 | #Default: |
3444 | # none |
3445 | |
3446 | # TAG: url_rewrite_children |
3447 | # The maximum number of redirector processes to spawn. If you limit |
3448 | # it too few Squid will have to wait for them to process a backlog of |
3449 | # URLs, slowing it down. If you allow too many they will use RAM |
3450 | # and other system resources noticeably. |
3451 | # |
3452 | # The startup= and idle= options allow some measure of skew in your |
3453 | # tuning. |
3454 | # |
3455 | # startup= |
3456 | # |
3457 | # Sets a minimum of how many processes are to be spawned when Squid |
3458 | # starts or reconfigures. When set to zero the first request will |
3459 | # cause spawning of the first child process to handle it. |
3460 | # |
3461 | # Starting too few will cause an initial slowdown in traffic as Squid |
3462 | # attempts to simultaneously spawn enough processes to cope. |
3463 | # |
3464 | # idle= |
3465 | # |
3466 | # Sets a minimum of how many processes Squid is to try and keep available |
3467 | # at all times. When traffic begins to rise above what the existing |
3468 | # processes can handle this many more will be spawned up to the maximum |
3469 | # configured. A minimum setting of 1 is required. |
3470 | # |
3471 | # concurrency= |
3472 | # |
3473 | # The number of requests each redirector helper can handle in |
3474 | # parallel. Defaults to 0 which indicates the redirector |
3475 | # is an old-style single-threaded redirector. |
3476 | # |
3477 | # When this directive is set to a value >= 1 then the protocol |
3478 | # used to communicate with the helper is modified to include |
3479 | # a request ID in front of the request/response. The request |
3480 | # ID from the request must be echoed back with the response |
3481 | # to that request. |
3482 | #Default: |
3483 | # url_rewrite_children 20 startup=0 idle=1 concurrency=0 |
3484 | |
3485 | # TAG: url_rewrite_host_header |
3486 | # To preserve same-origin security policies in browsers and |
3487 | # prevent Host: header forgery by redirectors Squid rewrites |
3488 | # any Host: header in redirected requests. |
3489 | # |
3490 | # If you are running an accelerator this may not be a wanted |
3491 | # effect of a redirector. This directive enables you to disable |
3492 | # Host: alteration in reverse-proxy traffic. |
3493 | # |
3494 | # WARNING: Entries are cached on the result of the URL rewriting |
3495 | # process, so be careful if you have domain-virtual hosts. |
3496 | # |
3497 | # WARNING: Squid and other software verifies the URL and Host |
3498 | # are matching, so be careful not to relay through other proxies |
3499 | # or inspecting firewalls with this disabled. |
3500 | #Default: |
3501 | # url_rewrite_host_header on |
3502 | |
3503 | # TAG: url_rewrite_access |
3504 | # If defined, this access list specifies which requests are |
3505 | # sent to the redirector processes. By default all requests |
3506 | # are sent. |
3507 | # |
3508 | # This clause supports both fast and slow acl types. |
3509 | # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. |
3510 | #Default: |
3511 | # none |
3512 | |
3513 | # TAG: url_rewrite_bypass |
3514 | # When this is 'on', a request will not go through the |
3515 | # redirector if all redirectors are busy. If this is 'off' |
3516 | # and the redirector queue grows too large, Squid will exit |
3517 | # with a FATAL error and ask you to increase the number of |
3518 | # redirectors. You should only enable this if the redirectors |
3519 | # are not critical to your caching system. If you use |
3520 | # redirectors for access control, and you enable this option, |
3521 | # users may have access to pages they should not |
3522 | # be allowed to request. |
3523 | #Default: |
3524 | # url_rewrite_bypass off |
3525 | |
3526 | # OPTIONS FOR TUNING THE CACHE |
3527 | # ----------------------------------------------------------------------------- |
3528 | |
3529 | # TAG: cache |
3530 | # A list of ACL elements which, if matched and denied, cause the request to |
3531 | # not be satisfied from the cache and the reply to not be cached. |
3532 | # In other words, use this to force certain objects to never be cached. |
3533 | # |
3534 | # You must use the words 'allow' or 'deny' to indicate whether items |
3535 | # matching the ACL should be allowed or denied into the cache. |
3536 | # |
3537 | # Default is to allow all to be cached. |
3538 | # |
3539 | # This clause supports both fast and slow acl types. |
3540 | # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. |
3541 | #Default: |
3542 | # none |
3543 | |
3544 | # TAG: max_stale time-units |
3545 | # This option puts an upper limit on how stale content Squid |
3546 | # will serve from the cache if cache validation fails. |
3547 | # Can be overridden by the refresh_pattern max-stale option. |
3548 | #Default: |
3549 | # max_stale 1 week |
3550 | |
3551 | # TAG: refresh_pattern |
3552 | # usage: refresh_pattern [-i] regex min percent max [options] |
3553 | # |
3554 | # By default, regular expressions are CASE-SENSITIVE. To make |
3555 | # them case-insensitive, use the -i option. |
3556 | # |
3557 | # 'Min' is the time (in minutes) an object without an explicit |
3558 | # expiry time should be considered fresh. The recommended |
3559 | # value is 0, any higher values may cause dynamic applications |
3560 | # to be erroneously cached unless the application designer |
3561 | # has taken the appropriate actions. |
3562 | # |
3563 | # 'Percent' is a percentage of the object's age (time since last |
3564 | # modification) for which an object without an explicit expiry time |
3565 | # will be considered fresh. |
3566 | # |
3567 | # 'Max' is an upper limit on how long objects without an explicit |
3568 | # expiry time will be considered fresh. |
3569 | # |
3570 | # options: override-expire |
3571 | # override-lastmod |
3572 | # reload-into-ims |
3573 | # ignore-reload |
3574 | # ignore-no-store |
3575 | # ignore-must-revalidate |
3576 | # ignore-private |
3577 | # ignore-auth |
3578 | # max-stale=NN |
3579 | # refresh-ims |
3580 | # store-stale |
3581 | # |
3582 | # override-expire enforces min age even if the server |
3583 | # sent an explicit expiry time (e.g., with the |
3584 | # Expires: header or Cache-Control: max-age). Doing this |
3585 | # VIOLATES the HTTP standard. Enabling this feature |
3586 | # could make you liable for problems which it causes. |
3587 | # |
3588 | # Note: override-expire does not enforce staleness - it only extends |
3589 | # freshness / min. If the server returns a Expires time which |
3590 | # is longer than your max time, Squid will still consider |
3591 | # the object fresh for that period of time. |
3592 | # |
3593 | # override-lastmod enforces min age even on objects |
3594 | # that were modified recently. |
3595 | # |
3596 | # reload-into-ims changes client no-cache or ``reload'' |
3597 | # to If-Modified-Since requests. Doing this VIOLATES the |
3598 | # HTTP standard. Enabling this feature could make you |
3599 | # liable for problems which it causes. |
3600 | # |
3601 | # ignore-reload ignores a client no-cache or ``reload'' |
3602 | # header. Doing this VIOLATES the HTTP standard. Enabling |
3603 | # this feature could make you liable for problems which |
3604 | # it causes. |
3605 | # |
3606 | # ignore-no-store ignores any ``Cache-control: no-store'' |
3607 | # headers received from a server. Doing this VIOLATES |
3608 | # the HTTP standard. Enabling this feature could make you |
3609 | # liable for problems which it causes. |
3610 | # |
3611 | # ignore-must-revalidate ignores any ``Cache-Control: must-revalidate'' |
3612 | # headers received from a server. Doing this VIOLATES |
3613 | # the HTTP standard. Enabling this feature could make you |
3614 | # liable for problems which it causes. |
3615 | # |
3616 | # ignore-private ignores any ``Cache-control: private'' |
3617 | # headers received from a server. Doing this VIOLATES |
3618 | # the HTTP standard. Enabling this feature could make you |
3619 | # liable for problems which it causes. |
3620 | # |
3621 | # ignore-auth caches responses to requests with authorization, |
3622 | # as if the origin server had sent ``Cache-control: public'' |
3623 | # in the response header. Doing this VIOLATES the HTTP standard. |
3624 | # Enabling this feature could make you liable for problems which |
3625 | # it causes. |
3626 | # |
3627 | # refresh-ims causes squid to contact the origin server |
3628 | # when a client issues an If-Modified-Since request. This |
3629 | # ensures that the client will receive an updated version |
3630 | # if one is available. |
3631 | # |
3632 | # store-stale stores responses even if they don't have explicit |
3633 | # freshness or a validator (i.e., Last-Modified or an ETag) |
3634 | # present, or if they're already stale. By default, Squid will |
3635 | # not cache such responses because they usually can't be |
3636 | # reused. Note that such responses will be stale by default. |
3637 | # |
3638 | # max-stale=NN provides a maximum staleness factor. Squid won't |
3639 | # serve objects more stale than this even if it failed to |
3640 | # validate the object. Default: use the max_stale global limit. |
3641 | # |
3642 | # Basically a cached object is: |
3643 | # |
3644 | # FRESH if expires < now, else STALE |
3645 | # STALE if age > max |
3646 | # FRESH if lm-factor < percent, else STALE |
3647 | # FRESH if age < min |
3648 | # else STALE |
3649 | # |
3650 | # The refresh_pattern lines are checked in the order listed here. |
3651 | # The first entry which matches is used. If none of the entries |
3652 | # match the default will be used. |
3653 | # |
3654 | # Note: you must uncomment all the default lines if you want |
3655 | # to change one. The default settings are only active if none |
3656 | # of them is given explicitly. |
3657 | # |
3658 | # |
3659 | |
3660 | # Add any of your own refresh_pattern entries above these. |
3661 | refresh_pattern ^ftp: 1440 20% 10080 |
3662 | refresh_pattern ^gopher: 1440 0% 1440 |
3663 | refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 |
3664 | refresh_pattern . 0 20% 4320 |
3665 | |
3666 | # TAG: quick_abort_min (KB) |
3667 | #Default: |
3668 | # quick_abort_min 16 KB |
3669 | |
3670 | # TAG: quick_abort_max (KB) |
3671 | #Default: |
3672 | # quick_abort_max 16 KB |
3673 | |
3674 | # TAG: quick_abort_pct (percent) |
3675 | # The cache by default continues downloading aborted requests |
3676 | # which are almost completed (less than 16 KB remaining). This |
3677 | # may be undesirable on slow (e.g. SLIP) links and/or very busy |
3678 | # caches. Impatient users may tie up file descriptors and |
3679 | # bandwidth by repeatedly requesting and immediately aborting |
3680 | # downloads. |
3681 | # |
3682 | # When the user aborts a request, Squid will compare the |
3683 | # quick_abort values against the amount of data transferred |
3684 | # so far. |
3685 | # |
3686 | # If the transfer has less than 'quick_abort_min' KB remaining, |
3687 | # it will finish the retrieval. |
3688 | # |
3689 | # If the transfer has more than 'quick_abort_max' KB remaining, |
3690 | # it will abort the retrieval. |
3691 | # |
3692 | # If more than 'quick_abort_pct' of the transfer has completed, |
3693 | # it will finish the retrieval. |
3694 | # |
3695 | # If you do not want any retrieval to continue after the client |
3696 | # has aborted, set both 'quick_abort_min' and 'quick_abort_max' |
3697 | # to '0 KB'. |
3698 | # |
3699 | # If you want retrievals to always continue if they are being |
3700 | # cached set 'quick_abort_min' to '-1 KB'. |
3701 | #Default: |
3702 | # quick_abort_pct 95 |
3703 | |
3704 | # TAG: read_ahead_gap buffer-size |
3705 | # The amount of data the cache will buffer ahead of what has been |
3706 | # sent to the client when retrieving an object from another server. |
3707 | #Default: |
3708 | # read_ahead_gap 16 KB |
3709 | |
3710 | # TAG: negative_ttl time-units |
3711 | # Set the Default Time-to-Live (TTL) for failed requests. |
3712 | # Certain types of failures (such as "connection refused" and |
3713 | # "404 Not Found") are able to be negatively-cached for a short time. |
3714 | # Modern web servers should provide an Expires: header; however, if |
3715 | # they do not, this directive can provide a minimum TTL. |
3716 | # The default is not to cache errors with unknown expiry details. |
3717 | # |
3718 | # Note that this is different from negative caching of DNS lookups. |
3719 | # |
3720 | # WARNING: Doing this VIOLATES the HTTP standard. Enabling |
3721 | # this feature could make you liable for problems which it |
3722 | # causes. |
3723 | #Default: |
3724 | # negative_ttl 0 seconds |
3725 | |
3726 | # TAG: positive_dns_ttl time-units |
3727 | # Upper limit on how long Squid will cache positive DNS responses. |
3728 | # Default is 6 hours (360 minutes). This directive must be set |
3729 | # larger than negative_dns_ttl. |
3730 | #Default: |
3731 | # positive_dns_ttl 6 hours |
3732 | |
3733 | # TAG: negative_dns_ttl time-units |
3734 | # Time-to-Live (TTL) for negative caching of failed DNS lookups. |
3735 | # This also sets the lower cache limit on positive lookups. |
3736 | # The minimum value is 1 second, and it is not recommended to go |
3737 | # much below 10 seconds. |
3738 | #Default: |
3739 | # negative_dns_ttl 1 minutes |
3740 | |
3741 | # TAG: range_offset_limit size [acl acl...] |
3742 | # usage: (size) [units] [[!]aclname] |
3743 | # |
3744 | # Sets an upper limit on how far (number of bytes) into the file |
3745 | # a Range request may be to cause Squid to prefetch the whole file. |
3746 | # If beyond this limit, Squid forwards the Range request as it is and |
3747 | # the result is NOT cached. |
3748 | # |
3749 | # This is to stop a far-ahead range request (let's say starting at 17MB) |
3750 | # from making Squid fetch the whole object up to that point before |
3751 | # sending anything to the client. |
3752 | # |
3753 | # Multiple range_offset_limit lines may be specified, and they will |
3754 | # be searched from top to bottom on each request until a match is found. |
3755 | # The first match found will be used. If no line matches a request, the |
3756 | # default limit of 0 bytes will be used. |
3757 | # |
3758 | # 'size' is the limit specified as a number of units. |
3759 | # |
3760 | # 'units' specifies whether to use bytes, KB, MB, etc. |
3761 | # If no units are specified bytes are assumed. |
3762 | # |
3763 | # A size of 0 causes Squid to never fetch more than the |
3764 | # client requested. (default) |
3765 | # |
3766 | # A size of 'none' causes Squid to always fetch the object from the |
3767 | # beginning so it may cache the result. (2.0 style) |
3768 | # |
3769 | # 'aclname' is the name of a defined ACL. |
3770 | # |
3771 | # NP: Using 'none' as the byte value here will override any quick_abort settings |
3772 | # that may otherwise apply to the range request. The range request will |
3773 | # be fully fetched from start to finish regardless of the client |
3774 | # actions. This affects bandwidth usage. |
3775 | #Default: |
3776 | # none |
3777 | |
3778 | # TAG: minimum_expiry_time (seconds) |
3779 | # The minimum caching time, according to the (Expires - Date) |
3780 | # headers, that Squid honors if the object can't be revalidated. |
3781 | # It defaults to 60 seconds. In reverse proxy environments it |
3782 | # might be desirable to honor shorter object lifetimes. It |
3783 | # is most likely better to make your server return a |
3784 | # meaningful Last-Modified header, however. In ESI environments |
3785 | # where page fragments often have short lifetimes, this will |
3786 | # often be best set to 0. |
3787 | #Default: |
3788 | # minimum_expiry_time 60 seconds |
3789 | |
3790 | # TAG: store_avg_object_size (bytes) |
3791 | # Average object size, used to estimate number of objects your |
3792 | # cache can hold. The default is 13 KB. |
3793 | #Default: |
3794 | # store_avg_object_size 13 KB |
3795 | |
3796 | # TAG: store_objects_per_bucket |
3797 | # Target number of objects per bucket in the store hash table. |
3798 | # Lowering this value increases the total number of buckets and |
3799 | # also the storage maintenance rate. The default is 20. |
3800 | #Default: |
3801 | # store_objects_per_bucket 20 |
3802 | |
3803 | # HTTP OPTIONS |
3804 | # ----------------------------------------------------------------------------- |
3805 | |
3806 | # TAG: request_header_max_size (KB) |
3807 | # This specifies the maximum size for HTTP headers in a request. |
3808 | # Request headers are usually relatively small (about 512 bytes). |
3809 | # Placing a limit on the request header size will catch certain |
3810 | # bugs (for example with persistent connections) and possibly |
3811 | # buffer-overflow or denial-of-service attacks. |
3812 | #Default: |
3813 | # request_header_max_size 64 KB |
3814 | |
3815 | # TAG: reply_header_max_size (KB) |
3816 | # This specifies the maximum size for HTTP headers in a reply. |
3817 | # Reply headers are usually relatively small (about 512 bytes). |
3818 | # Placing a limit on the reply header size will catch certain |
3819 | # bugs (for example with persistent connections) and possibly |
3820 | # buffer-overflow or denial-of-service attacks. |
3821 | #Default: |
3822 | # reply_header_max_size 64 KB |
3823 | |
3824 | # TAG: request_body_max_size (bytes) |
3825 | # This specifies the maximum size for an HTTP request body. |
3826 | # In other words, the maximum size of a PUT/POST request. |
3827 | # A user who attempts to send a request with a body larger |
3828 | # than this limit receives an "Invalid Request" error message. |
3829 | # If you set this parameter to a zero (the default), there will |
3830 | # be no limit imposed. |
3831 | #Default: |
3832 | # request_body_max_size 0 KB |
3833 | |
3834 | # TAG: client_request_buffer_max_size (bytes) |
3835 | # This specifies the maximum buffer size of a client request. |
3836 | # It prevents Squid from consuming too much memory when somebody |
3837 | # uploads a large file. |
3838 | #Default: |
3839 | # client_request_buffer_max_size 512 KB |
3840 | |
3841 | # TAG: chunked_request_body_max_size (bytes) |
3842 | # A broken or confused HTTP/1.1 client may send a chunked HTTP |
3843 | # request to Squid. Squid does not have full support for that |
3844 | # feature yet. To cope with such requests, Squid buffers the |
3845 | # entire request and then dechunks request body to create a |
3846 | # plain HTTP/1.0 request with a known content length. The plain |
3847 | # request is then used by the rest of Squid code as usual. |
3848 | # |
3849 | # The option value specifies the maximum size of the buffer used |
3850 | # to hold the request before the conversion. If the chunked |
3851 | # request size exceeds the specified limit, the conversion |
3852 | # fails, and the client receives an "unsupported request" error, |
3853 | # as if dechunking was disabled. |
3854 | # |
3855 | # Dechunking is enabled by default. To disable conversion of |
3856 | # chunked requests, set the maximum to zero. |
3857 | # |
3858 | # Request dechunking feature and this option in particular are a |
3859 | # temporary hack. When chunking requests and responses are fully |
3860 | # supported, there will be no need to buffer a chunked request. |
3861 | #Default: |
3862 | # chunked_request_body_max_size 64 KB |
3863 | |
3864 | # TAG: broken_posts |
3865 | # A list of ACL elements which, if matched, causes Squid to send |
3866 | # an extra CRLF pair after the body of a PUT/POST request. |
3867 | # |
3868 | # Some HTTP servers have broken implementations of PUT/POST, |
3869 | # and rely on an extra CRLF pair sent by some WWW clients. |
3870 | # |
3871 | # Quote from RFC2616 section 4.1 on this matter: |
3872 | # |
3873 | # Note: certain buggy HTTP/1.0 client implementations generate an |
3874 | # extra CRLF's after a POST request. To restate what is explicitly |
3875 | # forbidden by the BNF, an HTTP/1.1 client must not preface or follow |
3876 | # a request with an extra CRLF. |
3877 | # |
3878 | # This clause only supports fast acl types. |
3879 | # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. |
3880 | # |
3881 | #Example: |
3882 | # acl buggy_server url_regex ^http://.... |
3883 | # broken_posts allow buggy_server |
3884 | #Default: |
3885 | # none |
3886 | |
3887 | # TAG: adaptation_uses_indirect_client on|off |
3888 | # Controls whether the indirect client IP address (instead of the direct |
3889 | # client IP address) is passed to adaptation services. |
3890 | # |
3891 | # See also: follow_x_forwarded_for adaptation_send_client_ip |
3892 | #Default: |
3893 | # adaptation_uses_indirect_client on |
3894 | |
3895 | # TAG: via on|off |
3896 | # If set (default), Squid will include a Via header in requests and |
3897 | # replies as required by RFC2616. |
3898 | #Default: |
3899 | # via on |
3900 | |
3901 | # TAG: ie_refresh on|off |
3902 | # Microsoft Internet Explorer up until version 5.5 Service |
3903 | # Pack 1 has an issue with transparent proxies, wherein it |
3904 | # is impossible to force a refresh. Turning this on provides |
3905 | # a partial fix to the problem, by causing all IMS-REFRESH |
3906 | # requests from older IE versions to check the origin server |
3907 | # for fresh content. This reduces hit ratio by some amount |
3908 | # (~10% in my experience), but allows users to actually get |
3909 | # fresh content when they want it. Note because Squid |
3910 | # cannot tell if the user is using 5.5 or 5.5SP1, the behavior |
3911 | # of 5.5 is unchanged from old versions of Squid (i.e. a |
3912 | # forced refresh is impossible). Newer versions of IE will, |
3913 | # hopefully, continue to have the new behavior and will be |
3914 | # handled based on that assumption. This option defaults to |
3915 | # the old Squid behavior, which is better for hit ratios but |
3916 | # worse for clients using IE, if they need to be able to |
3917 | # force fresh content. |
3918 | #Default: |
3919 | # ie_refresh off |
3920 | |
3921 | # TAG: vary_ignore_expire on|off |
3922 | # Many HTTP servers supporting Vary give such objects an |
3923 | # immediate expiry time with no cache-control header |
3924 | # when requested by an HTTP/1.0 client. This option |
3925 | # enables Squid to ignore such expiry times until |
3926 | # HTTP/1.1 is fully implemented. |
3927 | # |
3928 | # WARNING: If turned on this may eventually cause some |
3929 | # varying objects not intended for caching to get cached. |
3930 | #Default: |
3931 | # vary_ignore_expire off |
3932 | |
3933 | # TAG: request_entities |
3934 | # Squid defaults to deny GET and HEAD requests with request entities, |
3935 | # as the meaning of such requests is undefined in the HTTP standard |
3936 | # even if not explicitly forbidden. |
3937 | # |
3938 | # Set this directive to on if you have clients which insist |
3939 | # on sending request entities in GET or HEAD requests. But be warned |
3940 | # that there is server software (both proxies and web servers) which |
3941 | # can fail to properly process this kind of request, which may make you |
3942 | # vulnerable to cache pollution attacks if enabled. |
3943 | #Default: |
3944 | # request_entities off |
3945 | |
3946 | # TAG: request_header_access |
3947 | # Usage: request_header_access header_name allow|deny [!]aclname ... |
3948 | # |
3949 | # WARNING: Doing this VIOLATES the HTTP standard. Enabling |
3950 | # this feature could make you liable for problems which it |
3951 | # causes. |
3952 | # |
3953 | # This option replaces the old 'anonymize_headers' and the |
3954 | # older 'http_anonymizer' option with something that is much |
3955 | # more configurable. A list of ACLs for each header name allows |
3956 | # removal of specific header fields under specific conditions. |
3957 | # |
3958 | # This option only applies to outgoing HTTP request headers (i.e., |
3959 | # headers sent by Squid to the next HTTP hop such as a cache peer |
3960 | # or an origin server). The option has no effect during cache hit |
3961 | # detection. The equivalent adaptation vectoring point in ICAP |
3962 | # terminology is post-cache REQMOD. |
3963 | # |
3964 | # The option is applied to individual outgoing request header |
3965 | # fields. For each request header field F, Squid uses the first |
3966 | # qualifying set of request_header_access rules: |
3967 | # |
3968 | # 1. Rules with header_name equal to F's name. |
3969 | # 2. Rules with header_name 'Other', provided F's name is not |
3970 | # on the hard-coded list of commonly used HTTP header names. |
3971 | # 3. Rules with header_name 'All'. |
3972 | # |
3973 | # Within that qualifying rule set, rule ACLs are checked as usual. |
3974 | # If ACLs of an "allow" rule match, the header field is allowed to |
3975 | # go through as is. If ACLs of a "deny" rule match, the header is |
3976 | # removed and request_header_replace is then checked to identify |
3977 | # if the removed header has a replacement. If no rules within the |
3978 | # set have matching ACLs, the header field is left as is. |
3979 | # |
3980 | # For example, to achieve the same behavior as the old |
3981 | # 'http_anonymizer standard' option, you should use: |
3982 | # |
3983 | # request_header_access From deny all |
3984 | # request_header_access Referer deny all |
3985 | # request_header_access Server deny all |
3986 | # request_header_access User-Agent deny all |
3987 | # request_header_access WWW-Authenticate deny all |
3988 | # request_header_access Link deny all |
3989 | # |
3990 | # Or, to reproduce the old 'http_anonymizer paranoid' feature |
3991 | # you should use: |
3992 | # |
3993 | # request_header_access Allow allow all |
3994 | # request_header_access Authorization allow all |
3995 | # request_header_access WWW-Authenticate allow all |
3996 | # request_header_access Proxy-Authorization allow all |
3997 | # request_header_access Proxy-Authenticate allow all |
3998 | # request_header_access Cache-Control allow all |
3999 | # request_header_access Content-Encoding allow all |
4000 | # request_header_access Content-Length allow all |
4001 | # request_header_access Content-Type allow all |
4002 | # request_header_access Date allow all |
4003 | # request_header_access Expires allow all |
4004 | # request_header_access Host allow all |
4005 | # request_header_access If-Modified-Since allow all |
4006 | # request_header_access Last-Modified allow all |
4007 | # request_header_access Location allow all |
4008 | # request_header_access Pragma allow all |
4009 | # request_header_access Accept allow all |
4010 | # request_header_access Accept-Charset allow all |
4011 | # request_header_access Accept-Encoding allow all |
4012 | # request_header_access Accept-Language allow all |
4013 | # request_header_access Content-Language allow all |
4014 | # request_header_access Mime-Version allow all |
4015 | # request_header_access Retry-After allow all |
4016 | # request_header_access Title allow all |
4017 | # request_header_access Connection allow all |
4018 | # request_header_access All deny all |
4019 | # |
4020 | # although many of those are HTTP reply headers, and so should be |
4021 | # controlled with the reply_header_access directive. |
4022 | # |
4023 | # By default, all headers are allowed (no anonymizing is |
4024 | # performed). |
4025 | #Default: |
4026 | # none |
4027 | |
4028 | # TAG: reply_header_access |
4029 | # Usage: reply_header_access header_name allow|deny [!]aclname ... |
4030 | # |
4031 | # WARNING: Doing this VIOLATES the HTTP standard. Enabling |
4032 | # this feature could make you liable for problems which it |
4033 | # causes. |
4034 | # |
4035 | # This option only applies to reply headers, i.e., from the |
4036 | # server to the client. |
4037 | # |
4038 | # This is the same as request_header_access, but in the other |
4039 | # direction. Please see request_header_access for detailed |
4040 | # documentation. |
4041 | # |
4042 | # For example, to achieve the same behavior as the old |
4043 | # 'http_anonymizer standard' option, you should use: |
4044 | # |
4045 | # reply_header_access From deny all |
4046 | # reply_header_access Referer deny all |
4047 | # reply_header_access Server deny all |
4048 | # reply_header_access User-Agent deny all |
4049 | # reply_header_access WWW-Authenticate deny all |
4050 | # reply_header_access Link deny all |
4051 | # |
4052 | # Or, to reproduce the old 'http_anonymizer paranoid' feature |
4053 | # you should use: |
4054 | # |
4055 | # reply_header_access Allow allow all |
4056 | # reply_header_access Authorization allow all |
4057 | # reply_header_access WWW-Authenticate allow all |
4058 | # reply_header_access Proxy-Authorization allow all |
4059 | # reply_header_access Proxy-Authenticate allow all |
4060 | # reply_header_access Cache-Control allow all |
4061 | # reply_header_access Content-Encoding allow all |
4062 | # reply_header_access Content-Length allow all |
4063 | # reply_header_access Content-Type allow all |
4064 | # reply_header_access Date allow all |
4065 | # reply_header_access Expires allow all |
4066 | # reply_header_access Host allow all |
4067 | # reply_header_access If-Modified-Since allow all |
4068 | # reply_header_access Last-Modified allow all |
4069 | # reply_header_access Location allow all |
4070 | # reply_header_access Pragma allow all |
4071 | # reply_header_access Accept allow all |
4072 | # reply_header_access Accept-Charset allow all |
4073 | # reply_header_access Accept-Encoding allow all |
4074 | # reply_header_access Accept-Language allow all |
4075 | # reply_header_access Content-Language allow all |
4076 | # reply_header_access Mime-Version allow all |
4077 | # reply_header_access Retry-After allow all |
4078 | # reply_header_access Title allow all |
4079 | # reply_header_access Connection allow all |
4080 | # reply_header_access All deny all |
4081 | # |
4082 | # although the HTTP request headers won't be usefully controlled |
4083 | # by this directive -- see request_header_access for details. |
4084 | # |
4085 | # By default, all headers are allowed (no anonymizing is |
4086 | # performed). |
4087 | #Default: |
4088 | # none |
4089 | |
4090 | # TAG: request_header_replace |
4091 | # Usage: request_header_replace header_name message |
4092 | # Example: request_header_replace User-Agent Nutscrape/1.0 (CP/M; 8-bit) |
4093 | # |
4094 | # This option allows you to change the contents of headers |
4095 | # denied with request_header_access above, by replacing them |
4096 | # with some fixed string. This replaces the old fake_user_agent |
4097 | # option. |
4098 | # |
4099 | # This only applies to request headers, not reply headers. |
4100 | # |
4101 | # By default, headers are removed if denied. |
4102 | #Default: |
4103 | # none |
4104 | |
4105 | # TAG: reply_header_replace |
4106 | # Usage: reply_header_replace header_name message |
4107 | # Example: reply_header_replace Server Foo/1.0 |
4108 | # |
4109 | # This option allows you to change the contents of headers |
4110 | # denied with reply_header_access above, by replacing them |
4111 | # with some fixed string. |
4112 | # |
4113 | # This only applies to reply headers, not request headers. |
4114 | # |
4115 | # By default, headers are removed if denied. |
4116 | #Default: |
4117 | # none |
4118 | |
4119 | # TAG: relaxed_header_parser on|off|warn |
4120 | # In the default "on" setting Squid accepts certain forms |
4121 | # of non-compliant HTTP messages where it is unambiguous |
4122 | # what the sending application intended even if the message |
4123 | # is not correctly formatted. The message is then normalized |
4124 | # to the correct form when forwarded by Squid. |
4125 | # |
4126 | # If set to "warn" then a warning will be emitted in cache.log |
4127 | # each time such HTTP error is encountered. |
4128 | # |
4129 | # If set to "off" then such HTTP errors will cause the request |
4130 | # or response to be rejected. |
4131 | #Default: |
4132 | # relaxed_header_parser on |
4133 | |
4134 | # TIMEOUTS |
4135 | # ----------------------------------------------------------------------------- |
4136 | |
4137 | # TAG: forward_timeout time-units |
4138 | # This parameter specifies the maximum time Squid should spend |
4139 | # trying to find a forwarding path for the request before giving up. |
4140 | #Default: |
4141 | # forward_timeout 4 minutes |
4142 | |
4143 | # TAG: connect_timeout time-units |
4144 | # This parameter specifies how long to wait for the TCP connect to |
4145 | # the requested server or peer to complete before Squid should |
4146 | # attempt to find another path to which to forward the request. |
4147 | #Default: |
4148 | # connect_timeout 1 minute |
4149 | |
4150 | # TAG: peer_connect_timeout time-units |
4151 | # This parameter specifies how long to wait for a pending TCP |
4152 | # connection to a peer cache. The default is 30 seconds. You |
4153 | # may also set different timeout values for individual neighbors |
4154 | # with the 'connect-timeout' option on a 'cache_peer' line. |
4155 | #Default: |
4156 | # peer_connect_timeout 30 seconds |
4157 | |
4158 | # TAG: read_timeout time-units |
4159 | # The read_timeout is applied on server-side connections. After |
4160 | # each successful read(), the timeout will be extended by this |
4161 | # amount. If no data is read again after this amount of time, |
4162 | # the request is aborted and logged with ERR_READ_TIMEOUT. The |
4163 | # default is 15 minutes. |
4164 | #Default: |
4165 | # read_timeout 15 minutes |
4166 | |
4167 | # TAG: write_timeout time-units |
4168 | # This timeout is tracked for all connections that have data |
4169 | # available for writing and are waiting for the socket to become |
4170 | # ready. After each successful write, the timeout is extended by |
4171 | # the configured amount. If Squid has data to write but the |
4172 | # connection is not ready for the configured duration, the |
4173 | # transaction associated with the connection is terminated. The |
4174 | # default is 15 minutes. |
4175 | #Default: |
4176 | # write_timeout 15 minutes |
4177 | |
4178 | # TAG: request_timeout |
4179 | # How long to wait for complete HTTP request headers after initial |
4180 | # connection establishment. |
4181 | #Default: |
4182 | # request_timeout 5 minutes |
4183 | |
4184 | # TAG: client_idle_pconn_timeout |
4185 | # How long to wait for the next HTTP request on a persistent |
4186 | # client connection after the previous request completes. |
4187 | #Default: |
4188 | # client_idle_pconn_timeout 2 minutes |
4189 | |
4190 | # TAG: client_lifetime time-units |
4191 | # The maximum amount of time a client (browser) is allowed to |
4192 | # remain connected to the cache process. This protects the Cache |
4193 | # from having a lot of sockets (and hence file descriptors) tied up |
4194 | # in a CLOSE_WAIT state from remote clients that go away without |
4195 | # properly shutting down (either because of a network failure or |
4196 | # because of a poor client implementation). The default is one |
4197 | # day, 1440 minutes. |
4198 | # |
4199 | # NOTE: The default value is intended to be much larger than any |
4200 | # client would ever need to be connected to your cache. You |
4201 | # should probably change client_lifetime only as a last resort. |
4202 | # If you seem to have many client connections tying up |
4203 | # file descriptors, we recommend first tuning the read_timeout, |
4204 | # request_timeout, persistent_request_timeout and quick_abort values. |
4205 | #Default: |
4206 | # client_lifetime 1 day |
4207 | |
4208 | # TAG: half_closed_clients |
4209 | # Some clients may shut down the sending side of their TCP |
4210 | # connections, while leaving their receiving sides open. Sometimes, |
4211 | # Squid can not tell the difference between a half-closed and a |
4212 | # fully-closed TCP connection. |
4213 | # |
4214 | # By default, Squid will immediately close client connections when |
4215 | # read(2) returns "no more data to read." |
4216 | # |
4217 | # Change this option to 'on' and Squid will keep open connections |
4218 | # until a read(2) or write(2) on the socket returns an error. |
4219 | # This may show some benefits for reverse proxies. But if not |
4220 | # it is recommended to leave OFF. |
4221 | #Default: |
4222 | # half_closed_clients off |
4223 | |
4224 | # TAG: server_idle_pconn_timeout |
4225 | # Timeout for idle persistent connections to servers and other |
4226 | # proxies. |
4227 | #Default: |
4228 | # server_idle_pconn_timeout 1 minute |
4229 | |
4230 | # TAG: ident_timeout |
4231 | # Note: This option is only available if Squid is rebuilt with the |
4232 | # --enable-ident-lookups |
4233 | # |
4234 | # Maximum time to wait for IDENT lookups to complete. |
4235 | # |
4236 | # If this is too high, and you enabled IDENT lookups from untrusted |
4237 | # users, you might be susceptible to denial-of-service by having |
4238 | # many ident requests going at once. |
4239 | #Default: |
4240 | # ident_timeout 10 seconds |
4241 | |
4242 | # TAG: shutdown_lifetime time-units |
4243 | # When SIGTERM or SIGHUP is received, the cache is put into |
4244 | # "shutdown pending" mode until all active sockets are closed. |
4245 | # This value is the lifetime to set for all open descriptors |
4246 | # during shutdown mode. Any active clients after this many |
4247 | # seconds will receive a 'timeout' message. |
4248 | #Default: |
4249 | # shutdown_lifetime 30 seconds |
4250 | # |
4251 | shutdown_lifetime 5 seconds |
4252 | |
4253 | # ADMINISTRATIVE PARAMETERS |
4254 | # ----------------------------------------------------------------------------- |
4255 | |
4256 | # TAG: cache_mgr |
4257 | # Email-address of local cache manager who will receive |
4258 | # mail if the cache dies. The default is "webmaster." |
4259 | #Default: |
4260 | # cache_mgr root |
4261 | |
4262 | # TAG: mail_from |
4263 | # From: email-address for mail sent when the cache dies. |
4264 | # The default is to use 'appname@unique_hostname'. |
4265 | # Default appname value is "squid", can be changed into |
4266 | # src/globals.h before building squid. |
4267 | #Default: |
4268 | # none |
4269 | |
4270 | # TAG: mail_program |
4271 | # Email program used to send mail if the cache dies. |
4272 | # The default is "mail". The specified program must comply |
4273 | # with the standard Unix mail syntax: |
4274 | # mail-program recipient < mailfile |
4275 | # |
4276 | # Optional command line options can be specified. |
4277 | #Default: |
4278 | # mail_program mail |
4279 | |
4280 | # TAG: cache_effective_user |
4281 | # If you start Squid as root, it will change its effective/real |
4282 | # UID/GID to the user specified below. The default is to change |
4283 | # to the UID of squid. |
4284 | # See also: cache_effective_group |
4285 | #Default: |
4286 | # cache_effective_user squid |
4287 | # |
4288 | cache_effective_user squid |
4289 | |
4290 | # TAG: cache_effective_group |
4291 | # Squid sets the GID to the effective user's default group ID |
4292 | # (taken from the password file) and supplementary group list |
4293 | # from the groups membership. |
4294 | # |
4295 | # If you want Squid to run with a specific GID regardless of |
4296 | # the group memberships of the effective user then set this |
4297 | # to the group (or GID) you want Squid to run as. When set |
4298 | # all other group privileges of the effective user are ignored |
4299 | # and only this GID is effective. If Squid is not started as |
4300 | # root, the user starting Squid MUST be a member of the specified |
4301 | # group. |
4302 | # |
4303 | # This option is not recommended by the Squid Team. |
4304 | # Our preference is for administrators to configure a secure |
4305 | # user account for squid with UID/GID matching system policies. |
4306 | #Default: |
4307 | # cache_effective_group squid |
4308 | # |
4309 | cache_effective_group squid |
4310 | |
4311 | # TAG: httpd_suppress_version_string on|off |
4312 | # Suppress Squid version string info in HTTP headers and HTML error pages. |
4313 | #Default: |
4314 | # httpd_suppress_version_string off |
4315 | |
4316 | # TAG: visible_hostname |
4317 | # If you want to present a special hostname in error messages, etc, |
4318 | # define this. Otherwise, the return value of gethostname() |
4319 | # will be used. If you have multiple caches in a cluster and |
4320 | # get errors about IP-forwarding you must set them to have individual |
4321 | # names with this setting. |
4322 | #Default: |
4323 | # visible_hostname unconfigured |
4324 | |
4325 | # TAG: unique_hostname |
4326 | # If you want to have multiple machines with the same |
4327 | # 'visible_hostname' you must give each machine a different |
4328 | # 'unique_hostname' so forwarding loops can be detected. |
4329 | #Default: |
4330 | # none |
4331 | |
4332 | # TAG: hostname_aliases |
4333 | # A list of other DNS names your cache has. |
4334 | #Default: |
4335 | # none |
4336 | |
4337 | # TAG: umask |
4338 | # Minimum umask which should be enforced while the proxy |
4339 | # is running, in addition to the umask set at startup. |
4340 | # |
4341 | # For a traditional octal representation of umasks, start |
4342 | # your value with 0. |
4343 | #Default: |
4344 | # umask 027 |
4345 | |
4346 | # OPTIONS FOR THE CACHE REGISTRATION SERVICE |
4347 | # ----------------------------------------------------------------------------- |
4348 | # |
4349 | # This section contains parameters for the (optional) cache |
4350 | # announcement service. This service is provided to help |
4351 | # cache administrators locate one another in order to join or |
4352 | # create cache hierarchies. |
4353 | # |
4354 | # An 'announcement' message is sent (via UDP) to the registration |
4355 | # service by Squid. By default, the announcement message is NOT |
4356 | # SENT unless you enable it with 'announce_period' below. |
4357 | # |
4358 | # The announcement message includes your hostname, plus the |
4359 | # following information from this configuration file: |
4360 | # |
4361 | # http_port |
4362 | # icp_port |
4363 | # cache_mgr |
4364 | # |
4365 | # All current information is processed regularly and made |
4366 | # available on the Web at http://www.ircache.net/Cache/Tracker/. |
4367 | |
4368 | # TAG: announce_period |
4369 | # This is how frequently to send cache announcements. The |
4370 | # default is `0' which disables sending the announcement |
4371 | # messages. |
4372 | # |
4373 | # To enable announcing your cache, just set an announce period. |
4374 | # |
4375 | # Example: |
4376 | # announce_period 1 day |
4377 | #Default: |
4378 | # announce_period 0 |
4379 | |
4380 | # TAG: announce_host |
4381 | #Default: |
4382 | # announce_host tracker.ircache.net |
4383 | |
4384 | # TAG: announce_file |
4385 | #Default: |
4386 | # none |
4387 | |
4388 | # TAG: announce_port |
4389 | # announce_host and announce_port set the hostname and port |
4390 | # number where the registration message will be sent. |
4391 | # |
4392 | # Hostname will default to 'tracker.ircache.net' and port will |
4393 | # default to 3131. If the 'filename' argument is given, |
4394 | # the contents of that file will be included in the announce |
4395 | # message. |
4396 | #Default: |
4397 | # announce_port 3131 |
4398 | |
4399 | # HTTPD-ACCELERATOR OPTIONS |
4400 | # ----------------------------------------------------------------------------- |
4401 | |
4402 | # TAG: httpd_accel_surrogate_id |
4403 | # Surrogates (http://www.esi.org/architecture_spec_1.0.html) |
4404 | # need an identification token to allow control targeting. Because |
4405 | # a farm of surrogates may all perform the same tasks, they may share |
4406 | # an identification token. |
4407 | # |
4408 | # The default ID is the visible_hostname |
4409 | #Default: |
4410 | # none |
4411 | |
4412 | # TAG: http_accel_surrogate_remote on|off |
4413 | # Remote surrogates (such as those in a CDN) honour Surrogate-Control: no-store-remote. |
4414 | # Set this to on to have squid behave as a remote surrogate. |
4415 | #Default: |
4416 | # http_accel_surrogate_remote off |
4417 | |
4418 | # TAG: esi_parser libxml2|expat|custom |
4419 | # Note: This option is only available if Squid is rebuilt with the |
4420 | # --enable-esi |
4421 | # |
4422 | # ESI markup is not strictly XML compatible. The custom ESI parser |
4423 | # will give higher performance, but cannot handle non ASCII character |
4424 | # encodings. |
4425 | #Default: |
4426 | # esi_parser custom |
4427 | |
4428 | # DELAY POOL PARAMETERS |
4429 | # ----------------------------------------------------------------------------- |
4430 | |
4431 | # TAG: delay_pools |
4432 | # This represents the number of delay pools to be used. For example, |
4433 | # if you have one class 2 delay pool and one class 3 delay pool, you |
4434 | # have a total of 2 delay pools. |
4435 | #Default: |
4436 | # delay_pools 0 |
4437 | |
4438 | # TAG: delay_class |
4439 | # This defines the class of each delay pool. There must be exactly one |
4440 | # delay_class line for each delay pool. For example, to define two |
4441 | # delay pools, one of class 2 and one of class 3, the settings above |
4442 | # and here would be: |
4443 | # |
4444 | # Example: |
4445 | # delay_pools 4 # 4 delay pools |
4446 | # delay_class 1 2 # pool 1 is a class 2 pool |
4447 | # delay_class 2 3 # pool 2 is a class 3 pool |
4448 | # delay_class 3 4 # pool 3 is a class 4 pool |
4449 | # delay_class 4 5 # pool 4 is a class 5 pool |
4450 | # |
4451 | # The delay pool classes are: |
4452 | # |
4453 | # class 1 Everything is limited by a single aggregate |
4454 | # bucket. |
4455 | # |
4456 | # class 2 Everything is limited by a single aggregate |
4457 | # bucket as well as an "individual" bucket chosen |
4458 | # from bits 25 through 32 of the IPv4 address. |
4459 | # |
4460 | # class 3 Everything is limited by a single aggregate |
4461 | # bucket as well as a "network" bucket chosen |
4462 | # from bits 17 through 24 of the IP address and a |
4463 | # "individual" bucket chosen from bits 17 through |
4464 | # 32 of the IPv4 address. |
4465 | # |
4466 | # class 4 Everything in a class 3 delay pool, with an |
4467 | # additional limit on a per user basis. This |
4468 | # only takes effect if the username is established |
4469 | # in advance - by forcing authentication in your |
4470 | # http_access rules. |
4471 | # |
4472 | # class 5 Requests are grouped according to their tag (see |
4473 | # external_acl's tag= reply). |
4474 | # |
4475 | # |
4476 | # Each pool also requires a delay_parameters directive to configure the pool size |
4477 | # and speed limits used whenever the pool is applied to a request, along with |
4478 | # a set of delay_access directives to determine when it is used. |
4479 | # |
4480 | # NOTE: If an IP address is a.b.c.d |
4481 | # -> bits 25 through 32 are "d" |
4482 | # -> bits 17 through 24 are "c" |
4483 | # -> bits 17 through 32 are "c * 256 + d" |
4484 | # |
4485 | # NOTE-2: Due to the use of bitmasks in class 2,3,4 pools they only apply to |
4486 | # IPv4 traffic. Class 1 and 5 pools may be used with IPv6 traffic. |
4487 | #Default: |
4488 | # none |
4489 | |
4490 | # TAG: delay_access |
4491 | # This is used to determine which delay pool a request falls into. |
4492 | # |
4493 | # delay_access is sorted per pool and the matching starts with pool 1, |
4494 | # then pool 2, ..., and finally pool N. The first delay pool where the |
4495 | # request is allowed is selected for the request. If no pool allows |
4496 | # the request, then the request is not delayed (default). |
4497 | # |
4498 | # For example, if you want some_big_clients in delay |
4499 | # pool 1 and lotsa_little_clients in delay pool 2: |
4500 | # |
4501 | #Example: |
4502 | # delay_access 1 allow some_big_clients |
4503 | # delay_access 1 deny all |
4504 | # delay_access 2 allow lotsa_little_clients |
4505 | # delay_access 2 deny all |
4506 | # delay_access 3 allow authenticated_clients |
4507 | #Default: |
4508 | # none |
4509 | |
4510 | # TAG: delay_parameters |
4511 | # This defines the parameters for a delay pool. Each delay pool has |
4512 | # a number of "buckets" associated with it, as explained in the |
4513 | # description of delay_class. |
4514 | # |
4515 | # For a class 1 delay pool, the syntax is: |
4516 | # delay_pools pool 1 |
4517 | # delay_parameters pool aggregate |
4518 | # |
4519 | # For a class 2 delay pool: |
4520 | # delay_pools pool 2 |
4521 | # delay_parameters pool aggregate individual |
4522 | # |
4523 | # For a class 3 delay pool: |
4524 | # delay_pools pool 3 |
4525 | # delay_parameters pool aggregate network individual |
4526 | # |
4527 | # For a class 4 delay pool: |
4528 | # delay_pools pool 4 |
4529 | # delay_parameters pool aggregate network individual user |
4530 | # |
4531 | # For a class 5 delay pool: |
4532 | # delay_pools pool 5 |
4533 | # delay_parameters pool tagrate |
4534 | # |
4535 | # The option variables are: |
4536 | # |
4537 | # pool a pool number - ie, a number between 1 and the |
4538 | # number specified in delay_pools as used in |
4539 | # delay_class lines. |
4540 | # |
4541 | # aggregate the speed limit parameters for the aggregate bucket |
4542 | # (class 1, 2, 3). |
4543 | # |
4544 | # individual the speed limit parameters for the individual |
4545 | # buckets (class 2, 3). |
4546 | # |
4547 | # network the speed limit parameters for the network buckets |
4548 | # (class 3). |
4549 | # |
4550 | # user the speed limit parameters for the user buckets |
4551 | # (class 4). |
4552 | # |
4553 | # tagrate the speed limit parameters for the tag buckets |
4554 | # (class 5). |
4555 | # |
4556 | # A pair of delay parameters is written restore/maximum, where restore is |
4557 | # the number of bytes (not bits - modem and network speeds are usually |
4558 | # quoted in bits) per second placed into the bucket, and maximum is the |
4559 | # maximum number of bytes which can be in the bucket at any time. |
4560 | # |
4561 | # There must be one delay_parameters line for each delay pool. |
4562 | # |
4563 | # |
4564 | # For example, if delay pool number 1 is a class 2 delay pool as in the |
4565 | # above example, and is being used to strictly limit each host to 64Kbit/sec |
4566 | # (plus overheads), with no overall limit, the line is: |
4567 | # |
4568 | # delay_parameters 1 -1/-1 8000/8000 |
4569 | # |
4570 | # Note that 8 x 8000 Byte/sec -> 64Kbit/sec. |
4571 | # |
4572 | # Note that the figure -1 is used to represent "unlimited". |
4573 | # |
4574 | # |
4575 | # And, if delay pool number 2 is a class 3 delay pool as in the above |
4576 | # example, and you want to limit it to a total of 256Kbit/sec (strict limit) |
4577 | # with each 8-bit network permitted 64Kbit/sec (strict limit) and each |
4578 | # individual host permitted 4800bit/sec with a bucket maximum size of 64Kbits |
4579 | # to permit a decent web page to be downloaded at a decent speed |
4580 | # (if the network is not being limited due to overuse) but slow down |
4581 | # large downloads more significantly: |
4582 | # |
4583 | # delay_parameters 2 32000/32000 8000/8000 600/8000 |
4584 | # |
4585 | # Note that 8 x 32000 Byte/sec -> 256Kbit/sec. |
4586 | # 8 x 8000 Byte/sec -> 64Kbit/sec. |
4587 | # 8 x 600 Byte/sec -> 4800bit/sec. |
4588 | # |
4589 | # |
4590 | # Finally, for a class 4 delay pool as in the example - each user will |
4591 | # be limited to 128Kbits/sec no matter how many workstations they are logged into: |
4592 | # |
4593 | # delay_parameters 4 32000/32000 8000/8000 600/64000 16000/16000 |
4594 | #Default: |
4595 | # none |
4596 | |
4597 | # TAG: delay_initial_bucket_level (percent, 0-100) |
4598 | # The initial bucket percentage is used to determine how much is put |
4599 | # in each bucket when squid starts, is reconfigured, or first notices |
4600 | # a host accessing it (in class 2 and class 3, individual hosts and |
4601 | # networks only have buckets associated with them once they have been |
4602 | # "seen" by squid). |
4603 | #Default: |
4604 | # delay_initial_bucket_level 50 |
4605 | |
4606 | # CLIENT DELAY POOL PARAMETERS |
4607 | # ----------------------------------------------------------------------------- |
4608 | |
4609 | # TAG: client_delay_pools |
4610 | # This option specifies the number of client delay pools used. It must |
4611 | # precede other client_delay_* options. |
4612 | # |
4613 | #Example: |
4614 | # client_delay_pools 2 |
4615 | #Default: |
4616 | # client_delay_pools 0 |
4617 | |
4618 | # TAG: client_delay_initial_bucket_level (percent, 0-no_limit) |
4619 | # This option determines the initial bucket size as a percentage of |
4620 | # max_bucket_size from client_delay_parameters. Buckets are created |
4621 | # at the time of the "first" connection from the matching IP. Idle |
4622 | # buckets are periodically deleted. |
4623 | # |
4624 | # You can specify more than 100 percent but note that such "oversized" |
4625 | # buckets are not refilled until their size goes down to max_bucket_size |
4626 | # from client_delay_parameters. |
4627 | # |
4628 | #Example: |
4629 | # client_delay_initial_bucket_level 50 |
4630 | #Default: |
4631 | # client_delay_initial_bucket_level 50 |
4632 | |
4633 | # TAG: client_delay_parameters |
4634 | # |
4635 | # This option configures client-side bandwidth limits using the |
4636 | # following format: |
4637 | # |
4638 | # client_delay_parameters pool speed_limit max_bucket_size |
4639 | # |
4640 | # pool is an integer ID used for client_delay_access matching. |
4641 | # |
4642 | # speed_limit is bytes added to the bucket per second. |
4643 | # |
4644 | # max_bucket_size is the maximum size of a bucket, enforced after any |
4645 | # speed_limit additions. |
4646 | # |
4647 | # Please see the delay_parameters option for more information and |
4648 | # examples. |
4649 | # |
4650 | #Example: |
4651 | # client_delay_parameters 1 1024 2048 |
4652 | # client_delay_parameters 2 51200 16384 |
4653 | #Default: |
4654 | # none |
4655 | |
4656 | # TAG: client_delay_access |
4657 | # |
4658 | # This option determines the client-side delay pool for the |
4659 | # request: |
4660 | # |
4661 | # client_delay_access pool_ID allow|deny acl_name |
4662 | # |
4663 | # All client_delay_access options are checked in their pool ID |
4664 | # order, starting with pool 1. The first checked pool that allows the |
4665 | # request is selected for the request. If no ACL matches or there |
4666 | # are no client_delay_access options, the request bandwidth is not |
4667 | # limited. |
4668 | # |
4669 | # The ACL-selected pool is then used to find the |
4670 | # client_delay_parameters for the request. Client-side pools are |
4671 | # not used to aggregate clients. Clients are always aggregated |
4672 | # based on their source IP addresses (one bucket per source IP). |
4673 | # |
4674 | # Please see delay_access for more examples. |
4675 | # |
4676 | #Example: |
4677 | # client_delay_access 1 allow low_rate_network |
4678 | # client_delay_access 2 allow vips_network |
4679 | #Default: |
4680 | # none |
4681 | |
4682 | # WCCPv1 AND WCCPv2 CONFIGURATION OPTIONS |
4683 | # ----------------------------------------------------------------------------- |
4684 | |
4685 | # TAG: wccp_router |
4686 | # Use this option to define your WCCP "home" router for |
4687 | # Squid. |
4688 | # |
4689 | # wccp_router supports a single WCCP(v1) router |
4690 | # |
4691 | # wccp2_router supports multiple WCCPv2 routers |
4692 | # |
4693 | # only one of the two may be used at the same time and defines |
4694 | # which version of WCCP to use. |
4695 | #Default: |
4696 | # wccp_router any_addr |
4697 | |
4698 | # TAG: wccp2_router |
4699 | # Use this option to define your WCCP "home" router for |
4700 | # Squid. |
4701 | # |
4702 | # wccp_router supports a single WCCP(v1) router |
4703 | # |
4704 | # wccp2_router supports multiple WCCPv2 routers |
4705 | # |
4706 | # only one of the two may be used at the same time and defines |
4707 | # which version of WCCP to use. |
4708 | #Default: |
4709 | # none |
4710 | |
4711 | # TAG: wccp_version |
4712 | # This directive is only relevant if you need to set up WCCP(v1) |
4713 | # to some very old and end-of-life Cisco routers. In all other |
4714 | # setups it must be left unset or at the default setting. |
4715 | # It defines an internal version in the WCCP(v1) protocol, |
4716 | # with version 4 being the officially documented protocol. |
4717 | # |
4718 | # According to some users, Cisco IOS 11.2 and earlier only |
4719 | # support WCCP version 3. If you're using that or an earlier |
4720 | # version of IOS, you may need to change this value to 3, otherwise |
4721 | # do not specify this parameter. |
4722 | #Default: |
4723 | # wccp_version 4 |
4724 | |
4725 | # TAG: wccp2_rebuild_wait |
4726 | # If this is enabled Squid will wait for the cache dir rebuild to finish |
4727 | # before sending the first wccp2 HereIAm packet. |
4728 | #Default: |
4729 | # wccp2_rebuild_wait on |
4730 | |
4731 | # TAG: wccp2_forwarding_method |
4732 | # WCCP2 allows the setting of forwarding methods between the |
4733 | # router/switch and the cache. Valid values are as follows: |
4734 | # |
4735 | # gre - GRE encapsulation (forward the packet in a GRE/WCCP tunnel) |
4736 | # l2 - L2 redirect (forward the packet using Layer 2/MAC rewriting) |
4737 | # |
4738 | # Currently (as of IOS 12.4) cisco routers only support GRE. |
4739 | # Cisco switches only support the L2 redirect assignment method. |
4740 | #Default: |
4741 | # wccp2_forwarding_method gre |
4742 | |
4743 | # TAG: wccp2_return_method |
4744 | # WCCP2 allows the setting of return methods between the |
4745 | # router/switch and the cache for packets that the cache |
4746 | # decides not to handle. Valid values are as follows: |
4747 | # |
4748 | # gre - GRE encapsulation (forward the packet in a GRE/WCCP tunnel) |
4749 | # l2 - L2 redirect (forward the packet using Layer 2/MAC rewriting) |
4750 | # |
4751 | # Currently (as of IOS 12.4) cisco routers only support GRE. |
4752 | # Cisco switches only support the L2 redirect assignment. |
4753 | # |
4754 | # If the "ip wccp redirect exclude in" command has been |
4755 | # enabled on the cache interface, then it is still safe for |
4756 | # the proxy server to use a l2 redirect method even if this |
4757 | # option is set to GRE. |
4758 | #Default: |
4759 | # wccp2_return_method gre |
4760 | |
4761 | # TAG: wccp2_assignment_method |
4762 | # WCCP2 allows the setting of methods to assign the WCCP hash. |
4763 | # Valid values are as follows: |
4764 | # |
4765 | # hash - Hash assignment |
4766 | # mask - Mask assignment |
4767 | # |
4768 | # As a general rule, cisco routers support the hash assignment method |
4769 | # and cisco switches support the mask assignment method. |
4770 | #Default: |
4771 | # wccp2_assignment_method hash |
4772 | |
4773 | # TAG: wccp2_service |
4774 | # WCCP2 allows for multiple traffic services. There are two |
4775 | # types: "standard" and "dynamic". The standard type defines |
4776 | # one service id - http (id 0). The dynamic service ids can be from |
4777 | # 51 to 255 inclusive. In order to use a dynamic service id |
4778 | # one must define the type of traffic to be redirected; this is done |
4779 | # using the wccp2_service_info option. |
4780 | # |
4781 | # The "standard" type does not require a wccp2_service_info option, |
4782 | # just specifying the service id will suffice. |
4783 | # |
4784 | # MD5 service authentication can be enabled by adding |
4785 | # "password=<password>" to the end of this service declaration. |
4786 | # |
4787 | # Examples: |
4788 | # |
4789 | # wccp2_service standard 0 # for the 'web-cache' standard service |
4790 | # wccp2_service dynamic 80 # a dynamic service type which will be |
4791 | # # fleshed out with subsequent options. |
4792 | # wccp2_service standard 0 password=foo |
4793 | #Default: |
4794 | # wccp2_service standard 0 |
4795 | |
4796 | # TAG: wccp2_service_info |
4797 | # Dynamic WCCPv2 services require further information to define the |
4798 | # traffic you wish to have diverted. |
4799 | # |
4800 | # The format is: |
4801 | # |
4802 | # wccp2_service_info <id> protocol=<protocol> flags=<flag>,<flag>.. |
4803 | # priority=<priority> ports=<port>,<port>.. |
4804 | # |
4805 | # The relevant WCCPv2 flags: |
4806 | # + src_ip_hash, dst_ip_hash |
4807 | # + source_port_hash, dst_port_hash |
4808 | # + src_ip_alt_hash, dst_ip_alt_hash |
4809 | # + src_port_alt_hash, dst_port_alt_hash |
4810 | # + ports_source |
4811 | # |
4812 | # The port list can be one to eight entries. |
4813 | # |
4814 | # Example: |
4815 | # |
4816 | # wccp2_service_info 80 protocol=tcp flags=src_ip_hash,ports_source |
4817 | # priority=240 ports=80 |
4818 | # |
4819 | # Note: the service id must have been defined by a previous |
4820 | # 'wccp2_service dynamic <id>' entry. |
4821 | #Default: |
4822 | # none |
4823 | |
4824 | # TAG: wccp2_weight |
4825 | # Each cache server is assigned a share of the destination |
4826 | # hash space proportional to its weight. |
4827 | #Default: |
4828 | # wccp2_weight 10000 |
4829 | |
4830 | # TAG: wccp_address |
4831 | #Default: |
4832 | # wccp_address 0.0.0.0 |
4833 | |
4834 | # TAG: wccp2_address |
4835 | # Use this option if you require WCCP to use a specific |
4836 | # interface address. |
4837 | # |
4838 | # The default behavior is to not bind to any specific address. |
4839 | #Default: |
4840 | # wccp2_address 0.0.0.0 |
4841 | |
4842 | # PERSISTENT CONNECTION HANDLING |
4843 | # ----------------------------------------------------------------------------- |
4844 | # |
4845 | # Also see "pconn_timeout" in the TIMEOUTS section |
4846 | |
4847 | # TAG: client_persistent_connections |
4848 | #Default: |
4849 | # client_persistent_connections on |
4850 | |
4851 | # TAG: server_persistent_connections |
4852 | # Persistent connection support for clients and servers. By |
4853 | # default, Squid uses persistent connections (when allowed) |
4854 | # with its clients and servers. You can use these options to |
4855 | # disable persistent connections with clients and/or servers. |
4856 | #Default: |
4857 | # server_persistent_connections on |
4858 | |
4859 | # TAG: persistent_connection_after_error |
4860 | # With this directive the use of persistent connections after |
4861 | # HTTP errors can be disabled. Useful if you have clients |
4862 | # who fail to handle errors on persistent connections properly. |
4863 | #Default: |
4864 | # persistent_connection_after_error on |
4865 | |
4866 | # TAG: detect_broken_pconn |
4867 | # Some servers have been found to incorrectly signal the use |
4868 | # of HTTP/1.0 persistent connections even on replies not |
4869 | # compatible, causing significant delays. This server problem |
4870 | # has mostly been seen on redirects. |
4871 | # |
4872 | # By enabling this directive Squid attempts to detect such |
4873 | # broken replies and automatically assume the reply is finished |
4874 | # after a 10 second timeout. |
4875 | #Default: |
4876 | # detect_broken_pconn off |
4877 | |
4878 | # CACHE DIGEST OPTIONS |
4879 | # ----------------------------------------------------------------------------- |
4880 | |
4881 | # TAG: digest_generation |
4882 | # This controls whether the server will generate a Cache Digest |
4883 | # of its contents. By default, Cache Digest generation is |
4884 | # enabled if Squid is compiled with --enable-cache-digests defined. |
4885 | #Default: |
4886 | # digest_generation on |
4887 | |
4888 | # TAG: digest_bits_per_entry |
4889 | # This is the number of bits of the server's Cache Digest which |
4890 | # will be associated with the Digest entry for a given HTTP |
4891 | # Method and URL (public key) combination. The default is 5. |
4892 | #Default: |
4893 | # digest_bits_per_entry 5 |
4894 | |
4895 | # TAG: digest_rebuild_period (seconds) |
4896 | # This is the wait time between Cache Digest rebuilds. |
4897 | #Default: |
4898 | # digest_rebuild_period 1 hour |
4899 | |
4900 | # TAG: digest_rewrite_period (seconds) |
4901 | # This is the wait time between Cache Digest writes to |
4902 | # disk. |
4903 | #Default: |
4904 | # digest_rewrite_period 1 hour |
4905 | |
4906 | # TAG: digest_swapout_chunk_size (bytes) |
4907 | # This is the number of bytes of the Cache Digest to write to |
4908 | # disk at a time. It defaults to 4096 bytes (4KB), the Squid |
4909 | # default swap page. |
4910 | #Default: |
4911 | # digest_swapout_chunk_size 4096 bytes |
4912 | |
4913 | # TAG: digest_rebuild_chunk_percentage (percent, 0-100) |
4914 | # This is the percentage of the Cache Digest to |