#

#	Please note that while this directive defines how Squid processes

#	authentication it does not automatically activate authentication.

#	To use authentication you must in addition make use of ACLs based

#	on login name in http_access (proxy_auth, proxy_auth_regex or

#	external with %LOGIN used in the format tag). The browser will be

#	challenged for authentication on the first such acl encountered

#	in http_access processing and will also be re-challenged for new

#	login credentials if the request is being denied by a proxy_auth

#	type acl.

#

#	WARNING: authentication can't be used in a transparently intercepting

#	proxy as the client then thinks it is talking to an origin server and

#	not the proxy. This is a limitation of bending the TCP/IP protocol to

#	transparently intercepting port 80, not a limitation in Squid.

#	Ports flagged 'transparent', 'intercept', or 'tproxy' have

#	authentication disabled.

#

#	=== Parameters for the basic scheme follow. ===

#

#	"program" cmdline

#	Specify the command for the external authenticator.  Such a program

#	reads a line containing "username password" and replies "OK" or

#	"ERR" in an endless loop. "ERR" responses may optionally be followed

#	by a error description available as %m in the returned error page.

#	If you use an authenticator, make sure you have 1 acl of type

#	proxy_auth.

#

#	By default, the basic authentication scheme is not used unless a

#	program is specified.

#

#	If you want to use the traditional NCSA proxy authentication, set

#	this line to something like

#

#	auth_param basic program /usr/lib/squid3/ncsa_auth /usr/etc/passwd

#

#	"utf8" on|off

#	HTTP uses iso-latin-1 as characterset, while some authentication

#	backends such as LDAP expects UTF-8. If this is set to on Squid will

#	translate the HTTP iso-latin-1 charset to UTF-8 before sending the

#	username & password to the helper.

#

#	"children" numberofchildren

#	The number of authenticator processes to spawn. If you start too few

#	Squid will have to wait for them to process a backlog of credential

#	verifications, slowing it down. When password verifications are

#	done via a (slow) network you are likely to need lots of

#	authenticator processes.

#	auth_param basic children 5

#

#	"concurrency" concurrency

#	The number of concurrent requests the helper can process.

#	The default of 0 is used for helpers who only supports

#	one request at a time. Setting this changes the protocol used to

#	include a channel number first on the request/response line, allowing

#	multiple requests to be sent to the same helper in parallell without

#	wating for the response.

#	Must not be set unless it's known the helper supports this.

#	auth_param basic concurrency 0

#

#	"realm" realmstring

#	Specifies the realm name which is to be reported to the

#	client for the basic proxy authentication scheme (part of

#	the text the user will see when prompted their username and

#	password). There is no default.

#	auth_param basic realm Squid proxy-caching web server

#

#	"credentialsttl" timetolive

#	Specifies how long squid assumes an externally validated

#	username:password pair is valid for - in other words how

#	often the helper program is called for that user. Set this

#	low to force revalidation with short lived passwords.  Note

#	setting this high does not impact your susceptibility

#	to replay attacks unless you are using an one-time password

#	system (such as SecureID).  If you are using such a system,

#	you will be vulnerable to replay attacks unless you also

#	use the max_user_ip ACL in an http_access rule.

#

#	"casesensitive" on|off

#	Specifies if usernames are case sensitive. Most user databases are

#	case insensitive allowing the same username to be spelled using both

#	lower and upper case letters, but some are case sensitive. This

#	makes a big difference for user_max_ip ACL processing and similar.

#	auth_param basic casesensitive off

#

#	=== Parameters for the digest scheme follow ===

#

#	"program" cmdline

#	Specify the command for the external authenticator.  Such

#	a program reads a line containing "username":"realm" and

#	replies with the appropriate H(A1) value hex encoded or

#	ERR if the user (or his H(A1) hash) does not exists.

#	See rfc 2616 for the definition of H(A1).

#	"ERR" responses may optionally be followed by a error description

#	available as %m in the returned error page.

#

#	By default, the digest authentication scheme is not used unless a

#	program is specified.

#

#	If you want to use a digest authenticator, set this line to

#	something like

#

#	auth_param digest program /usr/lib/squid3/digest_pw_auth /usr/etc/digpass

#

#	"utf8" on|off

#	HTTP uses iso-latin-1 as characterset, while some authentication

#	backends such as LDAP expects UTF-8. If this is set to on Squid will

#	translate the HTTP iso-latin-1 charset to UTF-8 before sending the

#	username & password to the helper.

#

#	"children" numberofchildren

#	The number of authenticator processes to spawn (no default).

#	If you start too few Squid will have to wait for them to

#	process a backlog of H(A1) calculations, slowing it down.

#	When the H(A1) calculations are done via a (slow) network

#	you are likely to need lots of authenticator processes.

#	auth_param digest children 5

#

#	"realm" realmstring

#	Specifies the realm name which is to be reported to the

#	client for the digest proxy authentication scheme (part of

#	the text the user will see when prompted their username and

#	password). There is no default.

#	auth_param digest realm Squid proxy-caching web server

#

#	"nonce_garbage_interval" timeinterval

#	Specifies the interval that nonces that have been issued

#	to client_agent's are checked for validity.

#

#	"nonce_max_duration" timeinterval

#	Specifies the maximum length of time a given nonce will be

#	valid for.

#

#	"nonce_max_count" number

#	Specifies the maximum number of times a given nonce can be

#	used.

#

#	"nonce_strictness" on|off

#	Determines if squid requires strict increment-by-1 behavior

#	for nonce counts, or just incrementing (off - for use when

#	useragents generate nonce counts that occasionally miss 1

#	(ie, 1,2,4,6)). Default off.

#

#	"check_nonce_count" on|off

#	This directive if set to off can disable the nonce count check

#	completely to work around buggy digest qop implementations in

#	certain mainstream browser versions. Default on to check the

#	nonce count to protect from authentication replay attacks.

#

#	"post_workaround" on|off

#	This is a workaround to certain buggy browsers who sends

#	an incorrect request digest in POST requests when reusing

#	the same nonce as acquired earlier on a GET request.

#

#	=== NTLM scheme options follow ===

#

#	"program" cmdline

#	Specify the command for the external NTLM authenticator.

#	Such a program reads exchanged NTLMSSP packets with

#	the browser via Squid until authentication is completed.

#	If you use an NTLM authenticator, make sure you have 1 acl

#	of type proxy_auth.  By default, the NTLM authenticator_program

#	is not used.

#

#	auth_param ntlm program /usr/lib/squid3/ntlm_auth

#

#	"children" numberofchildren

#	The number of authenticator processes to spawn (no default).

#	If you start too few Squid will have to wait for them to

#	process a backlog of credential verifications, slowing it

#	down. When credential verifications are done via a (slow)

#	network you are likely to need lots of authenticator

#	processes.

#

#	auth_param ntlm children 5

#

#	"keep_alive" on|off

#	If you experience problems with PUT/POST requests when using the

#	Negotiate authentication scheme then you can try setting this to

#	off. This will cause Squid to forcibly close the connection on

#	the initial requests where the browser asks which schemes are

#	supported by the proxy.

#

#	auth_param ntlm keep_alive on

#

#	=== Options for configuring the NEGOTIATE auth-scheme follow ===

#

#	"program" cmdline

#	Specify the command for the external Negotiate authenticator.

#	This protocol is used in Microsoft Active-Directory enabled setups with

#	the Microsoft Internet Explorer or Mozilla Firefox browsers.

#	Its main purpose is to exchange credentials with the Squid proxy

#	using the Kerberos mechanisms.

#	If you use a Negotiate authenticator, make sure you have at least

#	one acl of type proxy_auth active. By default, the negotiate

#	authenticator_program is not used.

#	The only supported program for this role is the ntlm_auth

#	program distributed as part of Samba, version 4 or later.

#

#	auth_param negotiate program /usr/lib/squid3/ntlm_auth --helper-protocol=gss-spnego

#

#	"children" numberofchildren

#	The number of authenticator processes to spawn (no default).

#	If you start too few Squid will have to wait for them to

#	process a backlog of credential verifications, slowing it

#	down. When crendential verifications are done via a (slow)

#	network you are likely to need lots of authenticator

#	processes.

#	auth_param negotiate children 5

#

#	"keep_alive" on|off

#	If you experience problems with PUT/POST requests when using the

#	Negotiate authentication scheme then you can try setting this to

#	off. This will cause Squid to forcibly close the connection on

#	the initial requests where the browser asks which schemes are

#	supported by the proxy.

#

#	auth_param negotiate keep_alive on

#

#	

#	Examples:

#

##Recommended minimum configuration per scheme:

##auth_param negotiate program <uncomment and complete this line to activate>

##auth_param negotiate children 5

##auth_param negotiate keep_alive on

##

##auth_param ntlm program <uncomment and complete this line to activate>

##auth_param ntlm children 5

##auth_param ntlm keep_alive on

##

##auth_param digest program <uncomment and complete this line>

##auth_param digest children 5

##auth_param digest realm Squid proxy-caching web server

##auth_param digest nonce_garbage_interval 5 minutes

##auth_param digest nonce_max_duration 30 minutes

##auth_param digest nonce_max_count 50

##

##auth_param basic program <uncomment and complete this line>

##auth_param basic children 5

##auth_param basic realm Squid proxy-caching web server

##auth_param basic credentialsttl 2 hours

#Default:

# none

#  TAG: authenticate_cache_garbage_interval

#	The time period between garbage collection across the username cache.

#	This is a tradeoff between memory utilization (long intervals - say

#	2 days) and CPU (short intervals - say 1 minute). Only change if you

#	have good reason to.

#Default:

# authenticate_cache_garbage_interval 1 hour

#  TAG: authenticate_ttl

#	The time a user & their credentials stay in the logged in

#	user cache since their last request. When the garbage

#	interval passes, all user credentials that have passed their

#	TTL are removed from memory.

#Default:

# authenticate_ttl 1 hour

#  TAG: authenticate_ip_ttl

#	If you use proxy authentication and the 'max_user_ip' ACL,

#	this directive controls how long Squid remembers the IP

#	addresses associated with each user.  Use a small value

#	(e.g., 60 seconds) if your users might change addresses

#	quickly, as is the case with dialups.   You might be safe

#	using a larger value (e.g., 2 hours) in a corporate LAN

#	environment with relatively static address assignments.

#Default:

# authenticate_ip_ttl 0 seconds

# ACCESS CONTROLS

# -----------------------------------------------------------------------------

#  TAG: external_acl_type

#	This option defines external acl classes using a helper program

#	to look up the status

#

#	  external_acl_type name [options] FORMAT.. /path/to/helper [helper arguments..]

#

#	Options:

#

#	  ttl=n		TTL in seconds for cached results (defaults to 3600

#	  		for 1 hour)

#	  negative_ttl=n

#	  		TTL for cached negative lookups (default same

#	  		as ttl)

#	  children=n	Number of acl helper processes spawn to service

#			external acl lookups of this type. (default 5)

#	  concurrency=n	concurrency level per process. Only used with helpers

#			capable of processing more than one query at a time.

#	  cache=n	result cache size, 0 is unbounded (default)

#	  grace=n	Percentage remaining of TTL where a refresh of a

#			cached entry should be initiated without needing to

#			wait for a new reply. (default 0 for no grace period)

#	  protocol=2.5	Compatibility mode for Squid-2.5 external acl helpers

#	  ipv4 / ipv6	IP-mode used to communicate to this helper.

#			For compatability with older configurations and helpers

#			the default is currently 'ipv4'.

#

#	FORMAT specifications

#

#	  %LOGIN	Authenticated user login name

#	  %EXT_USER	Username from external acl

#	  %IDENT	Ident user name

#	  %SRC		Client IP

#	  %SRCPORT	Client source port

#	  %URI		Requested URI

#	  %DST		Requested host

#	  %PROTO	Requested protocol

#	  %PORT		Requested port

#	  %PATH		Requested URL path

#	  %METHOD	Request method

#	  %MYADDR	Squid interface address

#	  %MYPORT	Squid http_port number

#	  %PATH		Requested URL-path (including query-string if any)

#	  %USER_CERT	SSL User certificate in PEM format

#	  %USER_CERTCHAIN SSL User certificate chain in PEM format

#	  %USER_CERT_xx	SSL User certificate subject attribute xx

#	  %USER_CA_xx	SSL User certificate issuer attribute xx

#

#	  %>{Header}	HTTP request header "Header"

#	  %>{Hdr:member}

#	  		HTTP request header "Hdr" list member "member"

#	  %>{Hdr:;member}

#	  		HTTP request header list member using ; as

#	  		list separator. ; can be any non-alphanumeric

#			character.

#

#	  %<{Header}	HTTP reply header "Header"

#	  %<{Hdr:member}

#	  		HTTP reply header "Hdr" list member "member"

#	  %<{Hdr:;member}

#	  		HTTP reply header list member using ; as

#	  		list separator. ; can be any non-alphanumeric

#			character.

#

#	In addition to the above, any string specified in the referencing

#	acl will also be included in the helper request line, after the

#	specified formats (see the "acl external" directive)

#

#	The helper receives lines per the above format specification,

#	and returns lines starting with OK or ERR indicating the validity

#	of the request and optionally followed by additional keywords with

#	more details.

#

#	General result syntax:

#

#	  OK/ERR keyword=value ...

#

#	Defined keywords:

#

#	  user=		The users name (login)

#	  password=	The users password (for login= cache_peer option)

#	  message=	Message describing the reason. Available as %o

#	  		in error pages

#	  tag=		Apply a tag to a request (for both ERR and OK results)

#	  		Only sets a tag, does not alter existing tags.

#	  log=		String to be logged in access.log. Available as

#	  		%ea in logformat specifications

#

#	If protocol=3.0 (the default) then URL escaping is used to protect

#	each value in both requests and responses.

#

#	If using protocol=2.5 then all values need to be enclosed in quotes

#	if they may contain whitespace, or the whitespace escaped using \.

#	And quotes or \ characters within the keyword value must be \ escaped.

#

#	When using the concurrency= option the protocol is changed by

#	introducing a query channel tag infront of the request/response.

#	The query channel tag is a number between 0 and concurrency-1.

#Default:

# none

#  TAG: acl

#	Defining an Access List

#

#	Every access list definition must begin with an aclname and acltype, 

#	followed by either type-specific arguments or a quoted filename that

#	they are read from.

#

#	   acl aclname acltype argument ...

#	   acl aclname acltype "file" ...

#

#	When using "file", the file should contain one item per line.

#

#	By default, regular expressions are CASE-SENSITIVE.  To make

#	them case-insensitive, use the -i option.

#

#	Some acl types require suspending the current request in order

#	to access some external data source.

#	Those which do are marked with the tag [slow], those which

#	don't are marked as [fast].

#	See http://wiki.squid-cache.org/SquidFaq/SquidAcl

#	for further information

#

#	***** ACL TYPES AVAILABLE *****

#

#	acl aclname src ip-address/netmask ...	# clients IP address [fast]

#	acl aclname src addr1-addr2/netmask ...	# range of addresses [fast]

#	acl aclname dst ip-address/netmask ...	# URL host's IP address [slow]

#	acl aclname myip ip-address/netmask ...	# local socket IP address [fast]

#

#	acl aclname arp      mac-address ... (xx:xx:xx:xx:xx:xx notation)

#	  # The arp ACL requires the special configure option --enable-arp-acl.

#	  # Furthermore, the ARP ACL code is not portable to all operating systems.

#	  # It works on Linux, Solaris, Windows, FreeBSD, and some

#	  # other *BSD variants.

#	  # [fast]

#	  #

#	  # NOTE: Squid can only determine the MAC address for clients that are on

#	  # the same subnet. If the client is on a different subnet,

#	  # then Squid cannot find out its MAC address.

#

#	acl aclname srcdomain   .foo.com ...

#	  # reverse lookup, from client IP [slow]

#	acl aclname dstdomain   .foo.com ...

#	  # Destination server from URL [fast]

#	acl aclname srcdom_regex [-i] \.foo\.com ...

#	  # regex matching client name [slow]

#	acl aclname dstdom_regex [-i] \.foo\.com ...

#	  # regex matching server [fast]

#	  #

#	  # For dstdomain and dstdom_regex a reverse lookup is tried if a IP

#	  # based URL is used and no match is found. The name "none" is used

#	  # if the reverse lookup fails.

#

#	acl aclname src_as number ...

#	acl aclname dst_as number ...

#	  # [fast]

#	  # Except for access control, AS numbers can be used for

#	  # routing of requests to specific caches. Here's an

#	  # example for routing all requests for AS#1241 and only

#	  # those to mycache.mydomain.net:

#	  # acl asexample dst_as 1241

#	  # cache_peer_access mycache.mydomain.net allow asexample

#	  # cache_peer_access mycache_mydomain.net deny all

#

#	acl aclname peername myPeer ...

#	  # [fast]

#	  # match against a named cache_peer entry

#	  # set unique name= on cache_peer lines for reliable use.

#

#	acl aclname time [day-abbrevs] [h1:m1-h2:m2]

#	  # [fast]

#	  #  day-abbrevs:

#	  #	S - Sunday

#	  #	M - Monday

#	  #	T - Tuesday

#	  #	W - Wednesday

#	  #	H - Thursday

#	  #	F - Friday

#	  #	A - Saturday

#	  #  h1:m1 must be less than h2:m2

#

#	acl aclname url_regex [-i] ^http:// ...

#	  # regex matching on whole URL [fast]

#	acl aclname urlpath_regex [-i] \.gif$ ...

#	  # regex matching on URL path [fast]

#

#	acl aclname port 80 70 21 0-1024...   # destination TCP port [fast]

#	                                      # ranges are alloed

#	acl aclname myport 3128 ...	          # local socket TCP port [fast]

#	acl aclname myportname 3128 ...       # http(s)_port name [fast]

#

#	acl aclname proto HTTP FTP ...        # request protocol [fast]

# 

#	acl aclname method GET POST ...       # HTTP request method [fast]

#

#	acl aclname http_status 200 301 500- 400-403 ... 

#	  # status code in reply [fast]

#

#	acl aclname browser [-i] regexp ...

#	  # pattern match on User-Agent header (see also req_header below) [fast]

#

#	acl aclname referer_regex [-i] regexp ...

#	  # pattern match on Referer header [fast]

#	  # Referer is highly unreliable, so use with care

#

#	acl aclname ident username ...

#	acl aclname ident_regex [-i] pattern ...

#	  # string match on ident output [slow]

#	  # use REQUIRED to accept any non-null ident.

#

#	acl aclname proxy_auth [-i] username ...

#	acl aclname proxy_auth_regex [-i] pattern ...

#	  # perform http authentication challenge to the client and match against

#	  # supplied credentials [slow]

#	  #

#	  # takes a list of allowed usernames.

#	  # use REQUIRED to accept any valid username.

#	  #

#	  # Will use proxy authentication in forward-proxy scenarios, and plain

#	  # http authenticaiton in reverse-proxy scenarios

#	  #

#	  # NOTE: when a Proxy-Authentication header is sent but it is not

#	  # needed during ACL checking the username is NOT logged

#	  # in access.log.

#	  #

#	  # NOTE: proxy_auth requires a EXTERNAL authentication program

#	  # to check username/password combinations (see

#	  # auth_param directive).

#	  #

#	  # NOTE: proxy_auth can't be used in a transparent/intercepting proxy

#	  # as the browser needs to be configured for using a proxy in order

#	  # to respond to proxy authentication.

#

#	acl aclname snmp_community string ...

#	  # A community string to limit access to your SNMP Agent [fast]

#	  # Example:

#	  #

#	  #	acl snmppublic snmp_community public

#

#	acl aclname maxconn number

#	  # This will be matched when the client's IP address has

#	  # more than <number> HTTP connections established. [fast]

#

#	acl aclname max_user_ip [-s] number

#	  # This will be matched when the user attempts to log in from more

#	  # than <number> different ip addresses. The authenticate_ip_ttl

#	  # parameter controls the timeout on the ip entries. [fast]

#	  # If -s is specified the limit is strict, denying browsing

#	  # from any further IP addresses until the ttl has expired. Without

#	  # -s Squid will just annoy the user by "randomly" denying requests.

#	  # (the counter is reset each time the limit is reached and a

#	  # request is denied)

#	  # NOTE: in acceleration mode or where there is mesh of child proxies,

#	  # clients may appear to come from multiple addresses if they are

#	  # going through proxy farms, so a limit of 1 may cause user problems.

#

#	acl aclname req_mime_type [-i] mime-type ...

#	  # regex match against the mime type of the request generated

#	  # by the client. Can be used to detect file upload or some

#	  # types HTTP tunneling requests [fast]

#	  # NOTE: This does NOT match the reply. You cannot use this

#	  # to match the returned file type.

#

#	acl aclname req_header header-name [-i] any\.regex\.here

#	  # regex match against any of the known request headers.  May be

#	  # thought of as a superset of "browser", "referer" and "mime-type"

#	  # ACL [fast]

#

#	acl aclname rep_mime_type [-i] mime-type ...

#	  # regex match against the mime type of the reply received by

#	  # squid. Can be used to detect file download or some

#	  # types HTTP tunneling requests. [fast]

#	  # NOTE: This has no effect in http_access rules. It only has

#	  # effect in rules that affect the reply data stream such as

#	  # http_reply_access.

#

#	acl aclname rep_header header-name [-i] any\.regex\.here

#	  # regex match against any of the known reply headers. May be

#	  # thought of as a superset of "browser", "referer" and "mime-type"

#	  # ACLs [fast]

#

#	acl aclname external class_name [arguments...]

#	  # external ACL lookup via a helper class defined by the

#	  # external_acl_type directive [slow]

#

#	acl aclname user_cert attribute values...

#	  # match against attributes in a user SSL certificate

#	  # attribute is one of DN/C/O/CN/L/ST [fast]

#

#	acl aclname ca_cert attribute values...

#	  # match against attributes a users issuing CA SSL certificate

#	  # attribute is one of DN/C/O/CN/L/ST [fast]

#

#	acl aclname ext_user username ...

#	acl aclname ext_user_regex [-i] pattern ...

#	  # string match on username returned by external acl helper [slow]

#	  # use REQUIRED to accept any non-null user name.

#

#	acl aclname tag tagvalue ...

#	  # string match on tag returned by external acl helper [slow]

#

#	Examples:

#		acl macaddress arp 09:00:2b:23:45:67

#		acl myexample dst_as 1241

#		acl password proxy_auth REQUIRED

#		acl fileupload req_mime_type -i ^multipart/form-data$

#		acl javascript rep_mime_type -i ^application/x-javascript$

#

#Default:

# acl all src all

#

#

# Recommended minimum configuration:

#

acl manager proto cache_object

acl localhost src 127.0.0.1/32 ::1

acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

# Example rule allowing access from your local networks.

# Adapt to list your (internal) IP networks from where browsing

# should be allowed

#acl localnet src 10.0.0.0/8	# RFC1918 possible internal network

#acl localnet src 172.16.0.0/12	# RFC1918 possible internal network

#acl localnet src 192.168.0.0/16	# RFC1918 possible internal network

#acl localnet src fc00::/7       # RFC 4193 local private network range

#acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443

acl Safe_ports port 80		# http

acl Safe_ports port 21		# ftp

acl Safe_ports port 443		# https

acl Safe_ports port 70		# gopher

acl Safe_ports port 210		# wais

acl Safe_ports port 1025-65535	# unregistered ports

acl Safe_ports port 280		# http-mgmt

acl Safe_ports port 488		# gss-http

acl Safe_ports port 591		# filemaker

acl Safe_ports port 777		# multiling http

acl CONNECT method CONNECT

#  TAG: follow_x_forwarded_for

#	Allowing or Denying the X-Forwarded-For header to be followed to

#	find the original source of a request.

#

#	Requests may pass through a chain of several other proxies

#	before reaching us.  The X-Forwarded-For header will contain a

#	comma-separated list of the IP addresses in the chain, with the

#	rightmost address being the most recent.

#

#	If a request reaches us from a source that is allowed by this

#	configuration item, then we consult the X-Forwarded-For header

#	to see where that host received the request from.  If the

#	X-Forwarded-For header contains multiple addresses, we continue

#	backtracking until we reach an address for which we are not allowed

#	to follow the X-Forwarded-For header, or until we reach the first

#	address in the list. For the purpose of ACL used in the

#	follow_x_forwarded_for directive the src ACL type always matches

#	the address we are testing and srcdomain matches its rDNS.

#

#	The end result of this process is an IP address that we will

#	refer to as the indirect client address.  This address may

#	be treated as the client address for access control, ICAP, delay

#	pools and logging, depending on the acl_uses_indirect_client,

#	icap_uses_indirect_client, delay_pool_uses_indirect_client and

#	log_uses_indirect_client options.

#

#	This clause only supports fast acl types.

#	See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.

#

#	SECURITY CONSIDERATIONS:

#

#		Any host for which we follow the X-Forwarded-For header

#		can place incorrect information in the header, and Squid

#		will use the incorrect information as if it were the

#		source address of the request.  This may enable remote

#		hosts to bypass any access control restrictions that are

#		based on the client's source addresses.

#

#	For example:

#

#		acl localhost src 127.0.0.1

#		acl my_other_proxy srcdomain .proxy.example.com

#		follow_x_forwarded_for allow localhost

#		follow_x_forwarded_for allow my_other_proxy

#Default:

# follow_x_forwarded_for deny all

#  TAG: acl_uses_indirect_client	on|off

#	Controls whether the indirect client address

#	(see follow_x_forwarded_for) is used instead of the

#	direct client address in acl matching.

#Default:

# acl_uses_indirect_client on

#  TAG: delay_pool_uses_indirect_client	on|off

#	Controls whether the indirect client address

#	(see follow_x_forwarded_for) is used instead of the

#	direct client address in delay pools.

#Default:

# delay_pool_uses_indirect_client on

#  TAG: log_uses_indirect_client	on|off

#	Controls whether the indirect client address

#	(see follow_x_forwarded_for) is used instead of the

#	direct client address in the access log.

#Default:

# log_uses_indirect_client on

#  TAG: http_access

#	Allowing or Denying access based on defined access lists

#

#	Access to the HTTP port:

#	http_access allow|deny [!]aclname ...

#

#	NOTE on default values:

#

#	If there are no "access" lines present, the default is to deny

#	the request.

#

#	If none of the "access" lines cause a match, the default is the

#	opposite of the last line in the list.  If the last line was

#	deny, the default is allow.  Conversely, if the last line

#	is allow, the default will be deny.  For these reasons, it is a

#	good idea to have an "deny all" entry at the end of your access

#	lists to avoid potential confusion.

#

#	This clause supports both fast and slow acl types.

#	See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.

#

#Default:

# http_access deny all

#

#

# Recommended minimum Access Permission configuration:

#

# Only allow cachemgr access from localhost

http_access allow manager localhost

http_access deny manager

# Deny requests to certain unsafe ports

http_access deny !Safe_ports

acl red_local src 10.0.0.0/8

http_access allow red_local

dns_nameservers 8.8.8.8 8.8.4.4 200.48.0.30 200.48.0.36 200.48.0.50 200.48.0.51 200.48.225.130 200.48.225.146

# Deny CONNECT to other than secure SSL ports

http_access deny CONNECT !SSL_ports

# We strongly recommend the following be uncommented to protect innocent

# web applications running on the proxy server who think the only

# one who can access services on "localhost" is a local user

#http_access deny to_localhost

#

# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

#

acl m_post method POST

acl url_block url_regex ^http.{1,4}[\w\.]*\.fwmrm\.net\/ad\/p\/1\?$

http_access deny m_post url_block

#

# Example rule allowing access from your local networks.

# Adapt localnet in the ACL section to list your (internal) IP networks

# from where browsing should be allowed

#http_access allow localnet

http_access allow localhost

# And finally deny all other access to this proxy

http_access deny all

#  TAG: adapted_http_access

#	Allowing or Denying access based on defined access lists

#

#	Essentially identical to http_access, but runs after redirectors

#	and ICAP/eCAP adaptation. Allowing access control based on their

#	output.

#

#	If not set then only http_access is used.

#Default:

# none

#  TAG: http_reply_access

#	Allow replies to client requests. This is complementary to http_access.

#

#	http_reply_access allow|deny [!] aclname ...

#

#	NOTE: if there are no access lines present, the default is to allow

#	all replies

#

#	If none of the access lines cause a match the opposite of the

#	last line will apply. Thus it is good practice to end the rules

#	with an "allow all" or "deny all" entry.

#

#	This clause supports both fast and slow acl types.

#	See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.

#Default:

# none

#  TAG: icp_access

#	Allowing or Denying access to the ICP port based on defined

#	access lists

#

#	icp_access  allow|deny [!]aclname ...

#

#	See http_access for details

#

#	This clause only supports fast acl types.

#	See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.

#

## Allow ICP queries from local networks only

##icp_access allow localnet

##icp_access deny all

#Default:

# icp_access deny all

#  TAG: htcp_access

#	Allowing or Denying access to the HTCP port based on defined

#	access lists

#

#	htcp_access  allow|deny [!]aclname ...

#

#	See http_access for details

#

#	NOTE: The default if no htcp_access lines are present is to

#	deny all traffic. This default may cause problems with peers

#	using the htcp or htcp-oldsquid options.

#

#	This clause only supports fast acl types.

#	See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.

#

## Allow HTCP queries from local networks only

##htcp_access allow localnet

##htcp_access deny all

#Default:

# htcp_access deny all

#  TAG: htcp_clr_access

#	Allowing or Denying access to purge content using HTCP based

#	on defined access lists

#

#	htcp_clr_access  allow|deny [!]aclname ...

#

#	See http_access for details

#

#	This clause only supports fast acl types.

#	See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.

#

## Allow HTCP CLR requests from trusted peers

#acl htcp_clr_peer src 172.16.1.2

#htcp_clr_access allow htcp_clr_peer

#Default:

# htcp_clr_access deny all

#  TAG: miss_access

#	Use to force your neighbors to use you as a sibling instead of

#	a parent.  For example:

#

#		acl localclients src 172.16.0.0/16

#		miss_access allow localclients

#		miss_access deny  !localclients

#

#	This means only your local clients are allowed to fetch

#	MISSES and all other clients can only fetch HITS.

#

#	By default, allow all clients who passed the http_access rules

#	to fetch MISSES from us.

#

#	This clause only supports fast acl types.

#	See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.

#Default:

# miss_access allow all

#  TAG: ident_lookup_access

#	A list of ACL elements which, if matched, cause an ident

#	(RFC 931) lookup to be performed for this request.  For

#	example, you might choose to always perform ident lookups

#	for your main multi-user Unix boxes, but not for your Macs

#	and PCs.  By default, ident lookups are not performed for

#	any requests.

#

#	To enable ident lookups for specific client addresses, you

#	can follow this example:

#

#	acl ident_aware_hosts src 198.168.1.0/24

#	ident_lookup_access allow ident_aware_hosts

#	ident_lookup_access deny all

#

#	Only src type ACL checks are fully supported.  A srcdomain

#	ACL might work at times, but it will not always provide

#	the correct result.

#

#	This clause only supports fast acl types.

#	See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.

#Default:

# ident_lookup_access deny all

#  TAG: reply_body_max_size	size [acl acl...]

#	This option specifies the maximum size of a reply body. It can be

#	used to prevent users from downloading very large files, such as

#	MP3's and movies. When the reply headers are received, the

#	reply_body_max_size lines are processed, and the first line where

#	all (if any) listed ACLs are true is used as the maximum body size

#	for this reply.

#

#	This size is checked twice. First when we get the reply headers,

#	we check the content-length value.  If the content length value exists

#	and is larger than the allowed size, the request is denied and the

#	user receives an error message that says "the request or reply

#	is too large." If there is no content-length, and the reply

#	size exceeds this limit, the client's connection is just closed

#	and they will receive a partial reply.

#

#	WARNING: downstream caches probably can not detect a partial reply

#	if there is no content-length header, so they will cache

#	partial responses and give them out as hits.  You should NOT

#	use this option if you have downstream caches.

#

#	WARNING: A maximum size smaller than the size of squid's error messages

#	will cause an infinite loop and crash squid. Ensure that the smallest

#	non-zero value you use is greater that the maximum header size plus

#	the size of your largest error page.

#

#	If you set this parameter none (the default), there will be

#	no limit imposed.

#

#	Configuration Format is:

#		reply_body_max_size SIZE UNITS [acl ...]

#	ie.

#		reply_body_max_size 10 MB

#

#Default:

# none

# NETWORK OPTIONS

# -----------------------------------------------------------------------------

#  TAG: http_port

#	Usage:	port [options]

#		hostname:port [options]

#		1.2.3.4:port [options]

#

#	The socket addresses where Squid will listen for HTTP client

#	requests.  You may specify multiple socket addresses.

#	There are three forms: port alone, hostname with port, and

#	IP address with port.  If you specify a hostname or IP

#	address, Squid binds the socket to that specific

#	address.  This replaces the old 'tcp_incoming_address'

#	option.  Most likely, you do not need to bind to a specific

#	address, so you can use the port number alone.

#

#	If you are running Squid in accelerator mode, you

#	probably want to listen on port 80 also, or instead.

#

#	The -a command line option may be used to specify additional

#	port(s) where Squid listens for proxy request. Such ports will

#	be plain proxy ports with no options.

#

#	You may specify multiple socket addresses on multiple lines.

#

#	Options:

#

#	   intercept	Support for IP-Layer interception of

#			outgoing requests without browser settings.

#			NP: disables authentication and IPv6 on the port.

#

#	   tproxy	Support Linux TPROXY for spoofing outgoing

#			connections using the client IP address.

#			NP: disables authentication and maybe IPv6 on the port.

#

#	   accel	Accelerator mode. Also needs at least one of

#			vhost / vport / defaultsite.

#

#	   allow-direct	Allow direct forwarding in accelerator mode. Normally

#			accelerated requests are denied direct forwarding as if

#			never_direct was used.

#

#	   defaultsite=domainname

#			What to use for the Host: header if it is not present

#			in a request. Determines what site (not origin server)

#			accelerators should consider the default.

#			Implies accel.

#

#	   vhost	Accelerator mode using Host header for virtual

#			domain support. Implies accel.

#

#	   vport	Accelerator with IP based virtual host support.

#			Implies accel.

#

#	   vport=NN	As above, but uses specified port number rather

#			than the http_port number. Implies accel.

#

#	   protocol=	Protocol to reconstruct accelerated requests with.

#			Defaults to http.

#

#	   ignore-cc	Ignore request Cache-Control headers.

#

#	   		Warning: This option violates HTTP specifications if

#			used in non-accelerator setups.

#

#	   connection-auth[=on|off]

#	                use connection-auth=off to tell Squid to prevent 

#	                forwarding Microsoft connection oriented authentication

#			(NTLM, Negotiate and Kerberos)

#

#	   disable-pmtu-discovery=

#			Control Path-MTU discovery usage:

#			    off		lets OS decide on what to do (default).

#			    transparent	disable PMTU discovery when transparent

#					support is enabled.

#			    always	disable always PMTU discovery.

#

#			In many setups of transparently intercepting proxies

#			Path-MTU discovery can not work on traffic towards the

#			clients. This is the case when the intercepting device

#			does not fully track connections and fails to forward

#			ICMP must fragment messages to the cache server. If you

#			have such setup and experience that certain clients

#			sporadically hang or never complete requests set

#			disable-pmtu-discovery option to 'transparent'.

#

#	   sslBump 	Intercept each CONNECT request matching ssl_bump ACL,

#			establish secure connection with the client and with

#			the server, decrypt HTTP messages as they pass through

#			Squid, and treat them as unencrypted HTTP messages,

#			becoming the man-in-the-middle.

#

#			When this option is enabled, additional options become

#			available to specify SSL-related properties of the

#			client-side connection: cert, key, version, cipher,

#			options, clientca, cafile, capath, crlfile, dhparams,

#			sslflags, and sslcontext. See the https_port directive

#			for more information on these options.

#

#			The ssl_bump option is required to fully enable

#			the SslBump feature.

#

#	   name=	Specifies a internal name for the port. Defaults to

#			the port specification (port or addr:port)

#

#	   tcpkeepalive[=idle,interval,timeout]

#			Enable TCP keepalive probes of idle connections.

#			In seconds; idle is the initial time before TCP starts

#			probing the connection, interval how often to probe, and

#			timeout the time before giving up.

#

#	If you run Squid on a dual-homed machine with an internal

#	and an external interface we recommend you to specify the

#	internal address:port in http_port. This way Squid will only be

#	visible on the internal address.

#

#

# Squid normally listens to port 3128

http_port 3128 transparent

#  TAG: https_port

# Note: This option is only available if Squid is rebuilt with the

#       --enable-ssl option

#

#	Usage:  [ip:]port cert=certificate.pem [key=key.pem] [options...]

#

#	The socket address where Squid will listen for HTTPS client

#	requests.

#

#	This is really only useful for situations where you are running

#	squid in accelerator mode and you want to do the SSL work at the

#	accelerator level.

#

#	You may specify multiple socket addresses on multiple lines,

#	each with their own SSL certificate and/or options.

#

#	Options:

#

#	   accel	Accelerator mode. Also needs at least one of

#			defaultsite or vhost.

#

#	   defaultsite=	The name of the https site presented on

#	   		this port. Implies accel.

#

#	   vhost	Accelerator mode using Host header for virtual

#			domain support. Requires a wildcard certificate

#			or other certificate valid for more than one domain.

#			Implies accel.

#

#	   protocol=	Protocol to reconstruct accelerated requests with.

#			Defaults to https.

#

#	   cert=	Path to SSL certificate (PEM format).

#

#	   key=		Path to SSL private key file (PEM format)

#			if not specified, the certificate file is

#			assumed to be a combined certificate and

#			key file.

#

#	   version=	The version of SSL/TLS supported

#			    1	automatic (default)

#			    2	SSLv2 only

#			    3	SSLv3 only

#			    4	TLSv1 only

#

#	   cipher=	Colon separated list of supported ciphers.

#

#	   options=	Various SSL engine options. The most important

#			being:

#			    NO_SSLv2  Disallow the use of SSLv2

#			    NO_SSLv3  Disallow the use of SSLv3

#			    NO_TLSv1  Disallow the use of TLSv1

#			    SINGLE_DH_USE Always create a new key when using

#				      temporary/ephemeral DH key exchanges

#			See src/ssl_support.c or OpenSSL SSL_CTX_set_options

#			documentation for a complete list of options.

#

#	   clientca=	File containing the list of CAs to use when

#			requesting a client certificate.

#

#	   cafile=	File containing additional CA certificates to

#			use when verifying client certificates. If unset

#			clientca will be used.

#

#	   capath=	Directory containing additional CA certificates

#			and CRL lists to use when verifying client certificates.

#

#	   crlfile=	File of additional CRL lists to use when verifying

#			the client certificate, in addition to CRLs stored in

#			the capath. Implies VERIFY_CRL flag below.

#

#	   dhparams=	File containing DH parameters for temporary/ephemeral

#			DH key exchanges.

#

#	   sslflags=	Various flags modifying the use of SSL:

#			    DELAYED_AUTH

#				Don't request client certificates

#				immediately, but wait until acl processing

#				requires a certificate (not yet implemented).

#			    NO_DEFAULT_CA

#				Don't use the default CA lists built in

#				to OpenSSL.

#			    NO_SESSION_REUSE

#				Don't allow for session reuse. Each connection

#				will result in a new SSL session.

#			    VERIFY_CRL

#				Verify CRL lists when accepting client

#				certificates.

#			    VERIFY_CRL_ALL

#				Verify CRL lists for all certificates in the

#				client certificate chain.

#

#	   sslcontext=	SSL session ID context identifier.

#

#	   vport	Accelerator with IP based virtual host support.

#

#	   vport=NN	As above, but uses specified port number rather

#			than the https_port number. Implies accel.

#

#	   name=	Specifies a internal name for the port. Defaults to

#			the port specification (port or addr:port)

#

#Default:

# none

#  TAG: tcp_outgoing_tos

#	Allows you to select a TOS/Diffserv value to mark outgoing

#	connections with, based on the username or source address

#	making the request.

#

#	tcp_outgoing_tos ds-field [!]aclname ...

#

#	Example where normal_service_net uses the TOS value 0x00

#	and good_service_net uses 0x20

#

#	acl normal_service_net src 10.0.0.0/255.255.255.0

#	acl good_service_net src 10.0.1.0/255.255.255.0

#	tcp_outgoing_tos 0x00 normal_service_net

#	tcp_outgoing_tos 0x20 good_service_net

#

#	TOS/DSCP values really only have local significance - so you should

#	know what you're specifying. For more information, see RFC2474,

#	RFC2475, and RFC3260.

#

#	The TOS/DSCP byte must be exactly that - a octet value  0 - 255, or

#	"default" to use whatever default your host has. Note that in

#	practice often only values 0 - 63 is usable as the two highest bits

#	have been redefined for use by ECN (RFC3168).

#

#	Processing proceeds in the order specified, and stops at first fully

#	matching line.

#

#	Note: The use of this directive using client dependent ACLs is

#	incompatible with the use of server side persistent connections. To

#	ensure correct results it is best to set server_persisten_connections

#	to off when using this directive in such configurations.

#Default:

# none

#  TAG: clientside_tos

#	Allows you to select a TOS/Diffserv value to mark client-side

#	connections with, based on the username or source address

#	making the request.

#Default:

# none

#  TAG: qos_flows

# Note: This option is only available if Squid is rebuilt with the

#       --enable-zph-qos option

#

#	Allows you to select a TOS/DSCP value to mark outgoing

#	connections with, based on where the reply was sourced.

#

#	TOS values really only have local significance - so you should

#	know what you're specifying. For more information, see RFC2474,

#	RFC2475, and RFC3260.

#

#	The TOS/DSCP byte must be exactly that - octet value 0x00-0xFF.

#	Note that in practice often only values up to 0x3F are usable

#	as the two highest bits have been redefined for use by ECN

#	(RFC3168).

#

#	This setting is configured by setting the source TOS values:

#

#	local-hit=0xFF		Value to mark local cache hits.

#

#	sibling-hit=0xFF	Value to mark hits from sibling peers.

#

#	parent-hit=0xFF		Value to mark hits from parent peers.

#

#

#	NOTE: 'miss' preserve feature is only possible on Linux at this time.

#

#	For the following to work correctly, you will need to patch your

#	linux kernel with the TOS preserving ZPH patch.

#	The kernel patch can be downloaded from http://zph.bratcheda.org

#

#	disable-preserve-miss

#		By default, the existing TOS value of the response coming

#		from the remote server will be retained and masked with

#		miss-mark. This option disables that feature.

#

#	miss-mask=0xFF

#		Allows you to mask certain bits in the TOS received from the

#		remote server, before copying the value to the TOS sent

#		towards clients.

#		Default: 0xFF (TOS from server is not changed).

#

#Default:

# none

#  TAG: tcp_outgoing_address

#	Allows you to map requests to different outgoing IP addresses

#	based on the username or source address of the user making

#	the request.

#

#	tcp_outgoing_address ipaddr [[!]aclname] ...

#

#	Example where requests from 10.0.0.0/24 will be forwarded

#	with source address 10.1.0.1, 10.0.2.0/24 forwarded with

#	source address 10.1.0.2 and the rest will be forwarded with

#	source address 10.1.0.3.

#

#	acl normal_service_net src 10.0.0.0/24

#	acl good_service_net src 10.0.2.0/24

#	tcp_outgoing_address 10.1.0.1 normal_service_net

#	tcp_outgoing_address 10.1.0.2 good_service_net

#	tcp_outgoing_address 10.1.0.3

#

#	Processing proceeds in the order specified, and stops at first fully

#	matching line.

#

#	Note: The use of this directive using client dependent ACLs is

#	incompatible with the use of server side persistent connections. To

#	ensure correct results it is best to set server_persistent_connections

#	to off when using this directive in such configurations.

#

#

#        IPv6 Magic:

#

#	Squid is built with a capability of bridging the IPv4 and IPv6 

#	internets.

#	tcp_outgoing_address as exampled above breaks this bridging by forcing

#	all outbound traffic through a certain IPv4 which may be on the wrong

#	side of the IPv4/IPv6 boundary.

#

#	To operate with tcp_outgoing_address and keep the bridging benefits

#	an additional ACL needs to be used which ensures the IPv6-bound traffic

#	is never forced or permitted out the IPv4 interface.

#

#	acl to_ipv6 dst ipv6

#	tcp_outgoing_address 2002::c001 good_service_net to_ipv6

#	tcp_outgoing_address 10.1.0.2 good_service_net !to_ipv6

#

#	tcp_outgoing_address 2002::beef normal_service_net to_ipv6

#	tcp_outgoing_address 10.1.0.1 normal_service_net !to_ipv6

#

#	tcp_outgoing_address 2002::1 to_ipv6

#	tcp_outgoing_address 10.1.0.3 !to_ipv6

#

#	WARNING:

#	  'dst ipv6' bases its selection assuming DIRECT access.

#	  If peers are used the peername ACL are needed to select outgoing

#	  address which can link to the peer.

#

#	  'dst ipv6' is a slow ACL. It will only work here if 'dst' is used

#	  previously in the http_access rules to locate the destination IP.

#	  Some more magic may be needed for that:

#	    http_access allow to_ipv6 !all

#	  (meaning, allow if to IPv6 but not from anywhere ;)

#

#Default:

# none

# SSL OPTIONS

# -----------------------------------------------------------------------------

#  TAG: ssl_unclean_shutdown

# Note: This option is only available if Squid is rebuilt with the

#       --enable-ssl option

#

#	Some browsers (especially MSIE) bugs out on SSL shutdown

#	messages.

#Default:

# ssl_unclean_shutdown off

#  TAG: ssl_engine

# Note: This option is only available if Squid is rebuilt with the

#       --enable-ssl option

#

#	The OpenSSL engine to use. You will need to set this if you

#	would like to use hardware SSL acceleration for example.

#Default:

# none

#  TAG: sslproxy_client_certificate

# Note: This option is only available if Squid is rebuilt with the

#       --enable-ssl option

#

#	Client SSL Certificate to use when proxying https:// URLs

#Default:

# none

#  TAG: sslproxy_client_key

# Note: This option is only available if Squid is rebuilt with the

#       --enable-ssl option

#

#	Client SSL Key to use when proxying https:// URLs

#Default:

# none

#  TAG: sslproxy_version

# Note: This option is only available if Squid is rebuilt with the

#       --enable-ssl option

#

#	SSL version level to use when proxying https:// URLs

#Default:

# sslproxy_version 1

#  TAG: sslproxy_options

# Note: This option is only available if Squid is rebuilt with the

#       --enable-ssl option

#

#	SSL engine options to use when proxying https:// URLs

#	

#	The most important being:

#

#		NO_SSLv2  Disallow the use of SSLv2

#		NO_SSLv3  Disallow the use of SSLv3

#		NO_TLSv1  Disallow the use of TLSv1

#		SINGLE_DH_USE

#			Always create a new key when using

#			temporary/ephemeral DH key exchanges

#	

#	These options vary depending on your SSL engine.

#	See the OpenSSL SSL_CTX_set_options documentation for a

#	complete list of possible options.

#Default:

# none

#  TAG: sslproxy_cipher

# Note: This option is only available if Squid is rebuilt with the

#       --enable-ssl option

#

#	SSL cipher list to use when proxying https:// URLs

#

#	Colon separated list of supported ciphers.

#Default:

# none

#  TAG: sslproxy_cafile

# Note: This option is only available if Squid is rebuilt with the

#       --enable-ssl option

#

#	file containing CA certificates to use when verifying server

#	certificates while proxying https:// URLs

#Default:

# none

#  TAG: sslproxy_capath

# Note: This option is only available if Squid is rebuilt with the

#       --enable-ssl option

#

#	directory containing CA certificates to use when verifying

#	server certificates while proxying https:// URLs

#Default:

# none

#  TAG: ssl_bump

# Note: This option is only available if Squid is rebuilt with the

#       --enable-ssl option

#

#	This ACL controls which CONNECT requests to an http_port

#	marked with an sslBump flag are actually "bumped". Please 

#	see the sslBump flag of an http_port option for more details

#	about decoding proxied SSL connections.

#

#	By default, no requests are bumped.

#

#	See also: http_port sslBump

#   

#	This clause only supports fast acl types.

#	See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.

#

#

#	# Example: Bump all requests except those originating from localhost and 

#	# those going to webax.com or example.com sites.

#

#	acl localhost src 127.0.0.1/32

#	acl broken_sites dstdomain .webax.com

#	acl broken_sites dstdomain .example.com

#	ssl_bump deny localhost

#	ssl_bump deny broken_sites

#	ssl_bump allow all

#Default:

# none

#  TAG: sslproxy_flags

# Note: This option is only available if Squid is rebuilt with the

#       --enable-ssl option

#

#	Various flags modifying the use of SSL while proxying https:// URLs:

#	    DONT_VERIFY_PEER	Accept certificates that fail verification.

#				For refined control, see sslproxy_cert_error.

#	    NO_DEFAULT_CA	Don't use the default CA list built in

#				to OpenSSL.

#Default:

# none

#  TAG: sslproxy_cert_error

# Note: This option is only available if Squid is rebuilt with the

#       --enable-ssl option

#

#	Use this ACL to bypass server certificate validation errors.

#

#	For example, the following lines will bypass all validation errors

#	when talking to servers located at 172.16.0.0/16. All other

#	validation errors will result in ERR_SECURE_CONNECT_FAIL error.

#

#		acl BrokenServersAtTrustedIP dst 172.16.0.0/16

#		sslproxy_cert_error allow BrokenServersAtTrustedIP

#		sslproxy_cert_error deny all

#

#	This clause only supports fast acl types.

#	See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.

#	Using slow acl types may result in server crashes

#

#	Without this option, all server certificate validation errors

#	terminate the transaction. Bypassing validation errors is dangerous

#	because an error usually implies that the server cannot be trusted and

#	the connection may be insecure.

#

#	See also: sslproxy_flags and DONT_VERIFY_PEER.

#

#	Default setting:  sslproxy_cert_error deny all

#Default:

# none

#  TAG: sslpassword_program

# Note: This option is only available if Squid is rebuilt with the

#       --enable-ssl option

#

#	Specify a program used for entering SSL key passphrases

#	when using encrypted SSL certificate keys. If not specified

#	keys must either be unencrypted, or Squid started with the -N

#	option to allow it to query interactively for the passphrase.

#Default:

# none

# OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM

# -----------------------------------------------------------------------------

#  TAG: cache_peer

#	To specify other caches in a hierarchy, use the format:

#	

#		cache_peer hostname type http-port icp-port [options]

#	

#	For example,

#	

#	#                                        proxy  icp

#	#          hostname             type     port   port  options

#	#          -------------------- -------- ----- -----  -----------

#	cache_peer parent.foo.net       parent    3128  3130  default

#	cache_peer sib1.foo.net         sibling   3128  3130  proxy-only

#	cache_peer sib2.foo.net         sibling   3128  3130  proxy-only

#	cache_peer example.com          parent    80       0  no-query default

#	cache_peer cdn.example.com      sibling   3128     0  

#	

#	      type:	either 'parent', 'sibling', or 'multicast'.

#	

#	proxy-port:	The port number where the peer accept HTTP requests.

#			For other Squid proxies this is usually 3128

#			For web servers this is usually 80

#	

#	  icp-port:	Used for querying neighbor caches about objects.

#			Set to 0 if the peer does not support ICP or HTCP.