Want more features on Pastebin? Sign Up, it's FREE!
Guest

Untitled

By: a guest on Apr 6th, 2011  |  syntax: None  |  size: 305.61 KB  |  views: 178  |  expires: Never
download  |  raw  |  embed  |  report abuse  |  print
Text below is selected. Please press Ctrl+C to copy to your clipboard. (⌘+C on Mac)
  1. #       WELCOME TO SQUID 3.1.6
  2. #       ----------------------------
  3. #
  4. #       This is the default Squid configuration file. You may wish
  5. #       to look at the Squid home page (http://www.squid-cache.org/)
  6. #       for the FAQ and other documentation.
  7. #
  8. #       The default Squid config file shows what the defaults for
  9. #       various options happen to be.  If you don't need to change the
  10. #       default, you shouldn't uncomment the line.  Doing so may cause
  11. #       run-time problems.  In some cases "none" refers to no default
  12. #       setting at all, while in other cases it refers to a valid
  13. #       option - the comments for that keyword indicate if this is the
  14. #       case.
  15. #
  16.  
  17. #  Configuration options can be included using the "include" directive.
  18. #  Include takes a list of files to include. Quoting and wildcards is
  19. #  supported.
  20. #
  21. #  For example,
  22. #
  23. #  include /path/to/included/file/squid.acl.config
  24. #
  25. #  Includes can be nested up to a hard-coded depth of 16 levels.
  26. #  This arbitrary restriction is to prevent recursive include references
  27. #  from causing Squid entering an infinite loop whilst trying to load
  28. #  configuration files.
  29.  
  30. # OPTIONS FOR AUTHENTICATION
  31. # -----------------------------------------------------------------------------
  32.  
  33. #  TAG: auth_param
  34. #       This is used to define parameters for the various authentication
  35. #       schemes supported by Squid.
  36. #
  37. #       format: auth_param scheme parameter [setting]
  38. #
  39. #       The order in which authentication schemes are presented to the client is
  40. #       dependent on the order the scheme first appears in config file. IE
  41. #       has a bug (it's not RFC 2617 compliant) in that it will use the basic
  42. #       scheme if basic is the first entry presented, even if more secure
  43. #       schemes are presented. For now use the order in the recommended
  44. #       settings section below. If other browsers have difficulties (don't
  45. #       recognize the schemes offered even if you are using basic) either
  46. #       put basic first, or disable the other schemes (by commenting out their
  47. #       program entry).
  48. #
  49. #       Once an authentication scheme is fully configured, it can only be
  50. #       shutdown by shutting squid down and restarting. Changes can be made on
  51. #       the fly and activated with a reconfigure. I.E. You can change to a
  52. #       different helper, but not unconfigure the helper completely.
  53. #
  54. #       Please note that while this directive defines how Squid processes
  55. #       authentication it does not automatically activate authentication.
  56. #       To use authentication you must in addition make use of ACLs based
  57. #       on login name in http_access (proxy_auth, proxy_auth_regex or
  58. #       external with %LOGIN used in the format tag). The browser will be
  59. #       challenged for authentication on the first such acl encountered
  60. #       in http_access processing and will also be re-challenged for new
  61. #       login credentials if the request is being denied by a proxy_auth
  62. #       type acl.
  63. #
  64. #       WARNING: authentication can't be used in a transparently intercepting
  65. #       proxy as the client then thinks it is talking to an origin server and
  66. #       not the proxy. This is a limitation of bending the TCP/IP protocol to
  67. #       transparently intercepting port 80, not a limitation in Squid.
  68. #       Ports flagged 'transparent', 'intercept', or 'tproxy' have
  69. #       authentication disabled.
  70. #
  71. #       === Parameters for the basic scheme follow. ===
  72. #
  73. #       "program" cmdline
  74. #       Specify the command for the external authenticator.  Such a program
  75. #       reads a line containing "username password" and replies "OK" or
  76. #       "ERR" in an endless loop. "ERR" responses may optionally be followed
  77. #       by a error description available as %m in the returned error page.
  78. #       If you use an authenticator, make sure you have 1 acl of type
  79. #       proxy_auth.
  80. #
  81. #       By default, the basic authentication scheme is not used unless a
  82. #       program is specified.
  83. #
  84. #       If you want to use the traditional NCSA proxy authentication, set
  85. #       this line to something like
  86. #
  87. #       auth_param basic program /usr/lib/squid3/ncsa_auth /usr/etc/passwd
  88. #
  89. #       "utf8" on|off
  90. #       HTTP uses iso-latin-1 as characterset, while some authentication
  91. #       backends such as LDAP expects UTF-8. If this is set to on Squid will
  92. #       translate the HTTP iso-latin-1 charset to UTF-8 before sending the
  93. #       username & password to the helper.
  94. #
  95. #       "children" numberofchildren
  96. #       The number of authenticator processes to spawn. If you start too few
  97. #       Squid will have to wait for them to process a backlog of credential
  98. #       verifications, slowing it down. When password verifications are
  99. #       done via a (slow) network you are likely to need lots of
  100. #       authenticator processes.
  101. #       auth_param basic children 5
  102. #
  103. #       "concurrency" concurrency
  104. #       The number of concurrent requests the helper can process.
  105. #       The default of 0 is used for helpers who only supports
  106. #       one request at a time. Setting this changes the protocol used to
  107. #       include a channel number first on the request/response line, allowing
  108. #       multiple requests to be sent to the same helper in parallell without
  109. #       wating for the response.
  110. #       Must not be set unless it's known the helper supports this.
  111. #       auth_param basic concurrency 0
  112. #
  113. #       "realm" realmstring
  114. #       Specifies the realm name which is to be reported to the
  115. #       client for the basic proxy authentication scheme (part of
  116. #       the text the user will see when prompted their username and
  117. #       password). There is no default.
  118. #       auth_param basic realm Squid proxy-caching web server
  119. #
  120. #       "credentialsttl" timetolive
  121. #       Specifies how long squid assumes an externally validated
  122. #       username:password pair is valid for - in other words how
  123. #       often the helper program is called for that user. Set this
  124. #       low to force revalidation with short lived passwords.  Note
  125. #       setting this high does not impact your susceptibility
  126. #       to replay attacks unless you are using an one-time password
  127. #       system (such as SecureID).  If you are using such a system,
  128. #       you will be vulnerable to replay attacks unless you also
  129. #       use the max_user_ip ACL in an http_access rule.
  130. #
  131. #       "casesensitive" on|off
  132. #       Specifies if usernames are case sensitive. Most user databases are
  133. #       case insensitive allowing the same username to be spelled using both
  134. #       lower and upper case letters, but some are case sensitive. This
  135. #       makes a big difference for user_max_ip ACL processing and similar.
  136. #       auth_param basic casesensitive off
  137. #
  138. #       === Parameters for the digest scheme follow ===
  139. #
  140. #       "program" cmdline
  141. #       Specify the command for the external authenticator.  Such
  142. #       a program reads a line containing "username":"realm" and
  143. #       replies with the appropriate H(A1) value hex encoded or
  144. #       ERR if the user (or his H(A1) hash) does not exists.
  145. #       See rfc 2616 for the definition of H(A1).
  146. #       "ERR" responses may optionally be followed by a error description
  147. #       available as %m in the returned error page.
  148. #
  149. #       By default, the digest authentication scheme is not used unless a
  150. #       program is specified.
  151. #
  152. #       If you want to use a digest authenticator, set this line to
  153. #       something like
  154. #
  155. #       auth_param digest program /usr/lib/squid3/digest_pw_auth /usr/etc/digpass
  156. #
  157. #       "utf8" on|off
  158. #       HTTP uses iso-latin-1 as characterset, while some authentication
  159. #       backends such as LDAP expects UTF-8. If this is set to on Squid will
  160. #       translate the HTTP iso-latin-1 charset to UTF-8 before sending the
  161. #       username & password to the helper.
  162. #
  163. #       "children" numberofchildren
  164. #       The number of authenticator processes to spawn (no default).
  165. #       If you start too few Squid will have to wait for them to
  166. #       process a backlog of H(A1) calculations, slowing it down.
  167. #       When the H(A1) calculations are done via a (slow) network
  168. #       you are likely to need lots of authenticator processes.
  169. #       auth_param digest children 5
  170. #
  171. #       "realm" realmstring
  172. #       Specifies the realm name which is to be reported to the
  173. #       client for the digest proxy authentication scheme (part of
  174. #       the text the user will see when prompted their username and
  175. #       password). There is no default.
  176. #       auth_param digest realm Squid proxy-caching web server
  177. #
  178. #       "nonce_garbage_interval" timeinterval
  179. #       Specifies the interval that nonces that have been issued
  180. #       to client_agent's are checked for validity.
  181. #
  182. #       "nonce_max_duration" timeinterval
  183. #       Specifies the maximum length of time a given nonce will be
  184. #       valid for.
  185. #
  186. #       "nonce_max_count" number
  187. #       Specifies the maximum number of times a given nonce can be
  188. #       used.
  189. #
  190. #       "nonce_strictness" on|off
  191. #       Determines if squid requires strict increment-by-1 behavior
  192. #       for nonce counts, or just incrementing (off - for use when
  193. #       useragents generate nonce counts that occasionally miss 1
  194. #       (ie, 1,2,4,6)). Default off.
  195. #
  196. #       "check_nonce_count" on|off
  197. #       This directive if set to off can disable the nonce count check
  198. #       completely to work around buggy digest qop implementations in
  199. #       certain mainstream browser versions. Default on to check the
  200. #       nonce count to protect from authentication replay attacks.
  201. #
  202. #       "post_workaround" on|off
  203. #       This is a workaround to certain buggy browsers who sends
  204. #       an incorrect request digest in POST requests when reusing
  205. #       the same nonce as acquired earlier on a GET request.
  206. #
  207. #       === NTLM scheme options follow ===
  208. #
  209. #       "program" cmdline
  210. #       Specify the command for the external NTLM authenticator.
  211. #       Such a program reads exchanged NTLMSSP packets with
  212. #       the browser via Squid until authentication is completed.
  213. #       If you use an NTLM authenticator, make sure you have 1 acl
  214. #       of type proxy_auth.  By default, the NTLM authenticator_program
  215. #       is not used.
  216. #
  217. #       auth_param ntlm program /usr/lib/squid3/ntlm_auth
  218. #
  219. #       "children" numberofchildren
  220. #       The number of authenticator processes to spawn (no default).
  221. #       If you start too few Squid will have to wait for them to
  222. #       process a backlog of credential verifications, slowing it
  223. #       down. When credential verifications are done via a (slow)
  224. #       network you are likely to need lots of authenticator
  225. #       processes.
  226. #
  227. #       auth_param ntlm children 5
  228. #
  229. #       "keep_alive" on|off
  230. #       If you experience problems with PUT/POST requests when using the
  231. #       Negotiate authentication scheme then you can try setting this to
  232. #       off. This will cause Squid to forcibly close the connection on
  233. #       the initial requests where the browser asks which schemes are
  234. #       supported by the proxy.
  235. #
  236. #       auth_param ntlm keep_alive on
  237. #
  238. #       === Options for configuring the NEGOTIATE auth-scheme follow ===
  239. #
  240. #       "program" cmdline
  241. #       Specify the command for the external Negotiate authenticator.
  242. #       This protocol is used in Microsoft Active-Directory enabled setups with
  243. #       the Microsoft Internet Explorer or Mozilla Firefox browsers.
  244. #       Its main purpose is to exchange credentials with the Squid proxy
  245. #       using the Kerberos mechanisms.
  246. #       If you use a Negotiate authenticator, make sure you have at least
  247. #       one acl of type proxy_auth active. By default, the negotiate
  248. #       authenticator_program is not used.
  249. #       The only supported program for this role is the ntlm_auth
  250. #       program distributed as part of Samba, version 4 or later.
  251. #
  252. #       auth_param negotiate program /usr/lib/squid3/ntlm_auth --helper-protocol=gss-spnego
  253. #
  254. #       "children" numberofchildren
  255. #       The number of authenticator processes to spawn (no default).
  256. #       If you start too few Squid will have to wait for them to
  257. #       process a backlog of credential verifications, slowing it
  258. #       down. When crendential verifications are done via a (slow)
  259. #       network you are likely to need lots of authenticator
  260. #       processes.
  261. #       auth_param negotiate children 5
  262. #
  263. #       "keep_alive" on|off
  264. #       If you experience problems with PUT/POST requests when using the
  265. #       Negotiate authentication scheme then you can try setting this to
  266. #       off. This will cause Squid to forcibly close the connection on
  267. #       the initial requests where the browser asks which schemes are
  268. #       supported by the proxy.
  269. #
  270. #       auth_param negotiate keep_alive on
  271. #
  272. #      
  273. #       Examples:
  274. #
  275. ##Recommended minimum configuration per scheme:
  276. ##auth_param negotiate program <uncomment and complete this line to activate>
  277. ##auth_param negotiate children 5
  278. ##auth_param negotiate keep_alive on
  279. ##
  280. ##auth_param ntlm program <uncomment and complete this line to activate>
  281. ##auth_param ntlm children 5
  282. ##auth_param ntlm keep_alive on
  283. ##
  284. ##auth_param digest program <uncomment and complete this line>
  285. ##auth_param digest children 5
  286. ##auth_param digest realm Squid proxy-caching web server
  287. ##auth_param digest nonce_garbage_interval 5 minutes
  288. ##auth_param digest nonce_max_duration 30 minutes
  289. ##auth_param digest nonce_max_count 50
  290. ##
  291. ##auth_param basic program <uncomment and complete this line>
  292. ##auth_param basic children 5
  293. ##auth_param basic realm Squid proxy-caching web server
  294. ##auth_param basic credentialsttl 2 hours
  295. #Default:
  296. # none
  297.  
  298. #  TAG: authenticate_cache_garbage_interval
  299. #       The time period between garbage collection across the username cache.
  300. #       This is a tradeoff between memory utilization (long intervals - say
  301. #       2 days) and CPU (short intervals - say 1 minute). Only change if you
  302. #       have good reason to.
  303. #Default:
  304. # authenticate_cache_garbage_interval 1 hour
  305.  
  306. #  TAG: authenticate_ttl
  307. #       The time a user & their credentials stay in the logged in
  308. #       user cache since their last request. When the garbage
  309. #       interval passes, all user credentials that have passed their
  310. #       TTL are removed from memory.
  311. #Default:
  312. # authenticate_ttl 1 hour
  313.  
  314. #  TAG: authenticate_ip_ttl
  315. #       If you use proxy authentication and the 'max_user_ip' ACL,
  316. #       this directive controls how long Squid remembers the IP
  317. #       addresses associated with each user.  Use a small value
  318. #       (e.g., 60 seconds) if your users might change addresses
  319. #       quickly, as is the case with dialups.   You might be safe
  320. #       using a larger value (e.g., 2 hours) in a corporate LAN
  321. #       environment with relatively static address assignments.
  322. #Default:
  323. # authenticate_ip_ttl 0 seconds
  324.  
  325. # ACCESS CONTROLS
  326. # -----------------------------------------------------------------------------
  327.  
  328. #  TAG: external_acl_type
  329. #       This option defines external acl classes using a helper program
  330. #       to look up the status
  331. #
  332. #         external_acl_type name [options] FORMAT.. /path/to/helper [helper arguments..]
  333. #
  334. #       Options:
  335. #
  336. #         ttl=n         TTL in seconds for cached results (defaults to 3600
  337. #                       for 1 hour)
  338. #         negative_ttl=n
  339. #                       TTL for cached negative lookups (default same
  340. #                       as ttl)
  341. #         children=n    Number of acl helper processes spawn to service
  342. #                       external acl lookups of this type. (default 5)
  343. #         concurrency=n concurrency level per process. Only used with helpers
  344. #                       capable of processing more than one query at a time.
  345. #         cache=n       result cache size, 0 is unbounded (default)
  346. #         grace=n       Percentage remaining of TTL where a refresh of a
  347. #                       cached entry should be initiated without needing to
  348. #                       wait for a new reply. (default 0 for no grace period)
  349. #         protocol=2.5  Compatibility mode for Squid-2.5 external acl helpers
  350. #         ipv4 / ipv6   IP-mode used to communicate to this helper.
  351. #                       For compatability with older configurations and helpers
  352. #                       the default is currently 'ipv4'.
  353. #
  354. #       FORMAT specifications
  355. #
  356. #         %LOGIN        Authenticated user login name
  357. #         %EXT_USER     Username from external acl
  358. #         %IDENT        Ident user name
  359. #         %SRC          Client IP
  360. #         %SRCPORT      Client source port
  361. #         %URI          Requested URI
  362. #         %DST          Requested host
  363. #         %PROTO        Requested protocol
  364. #         %PORT         Requested port
  365. #         %PATH         Requested URL path
  366. #         %METHOD       Request method
  367. #         %MYADDR       Squid interface address
  368. #         %MYPORT       Squid http_port number
  369. #         %PATH         Requested URL-path (including query-string if any)
  370. #         %USER_CERT    SSL User certificate in PEM format
  371. #         %USER_CERTCHAIN SSL User certificate chain in PEM format
  372. #         %USER_CERT_xx SSL User certificate subject attribute xx
  373. #         %USER_CA_xx   SSL User certificate issuer attribute xx
  374. #
  375. #         %>{Header}    HTTP request header "Header"
  376. #         %>{Hdr:member}
  377. #                       HTTP request header "Hdr" list member "member"
  378. #         %>{Hdr:;member}
  379. #                       HTTP request header list member using ; as
  380. #                       list separator. ; can be any non-alphanumeric
  381. #                       character.
  382. #
  383. #         %<{Header}    HTTP reply header "Header"
  384. #         %<{Hdr:member}
  385. #                       HTTP reply header "Hdr" list member "member"
  386. #         %<{Hdr:;member}
  387. #                       HTTP reply header list member using ; as
  388. #                       list separator. ; can be any non-alphanumeric
  389. #                       character.
  390. #
  391. #       In addition to the above, any string specified in the referencing
  392. #       acl will also be included in the helper request line, after the
  393. #       specified formats (see the "acl external" directive)
  394. #
  395. #       The helper receives lines per the above format specification,
  396. #       and returns lines starting with OK or ERR indicating the validity
  397. #       of the request and optionally followed by additional keywords with
  398. #       more details.
  399. #
  400. #       General result syntax:
  401. #
  402. #         OK/ERR keyword=value ...
  403. #
  404. #       Defined keywords:
  405. #
  406. #         user=         The users name (login)
  407. #         password=     The users password (for login= cache_peer option)
  408. #         message=      Message describing the reason. Available as %o
  409. #                       in error pages
  410. #         tag=          Apply a tag to a request (for both ERR and OK results)
  411. #                       Only sets a tag, does not alter existing tags.
  412. #         log=          String to be logged in access.log. Available as
  413. #                       %ea in logformat specifications
  414. #
  415. #       If protocol=3.0 (the default) then URL escaping is used to protect
  416. #       each value in both requests and responses.
  417. #
  418. #       If using protocol=2.5 then all values need to be enclosed in quotes
  419. #       if they may contain whitespace, or the whitespace escaped using \.
  420. #       And quotes or \ characters within the keyword value must be \ escaped.
  421. #
  422. #       When using the concurrency= option the protocol is changed by
  423. #       introducing a query channel tag infront of the request/response.
  424. #       The query channel tag is a number between 0 and concurrency-1.
  425. #Default:
  426. # none
  427.  
  428. #  TAG: acl
  429. #       Defining an Access List
  430. #
  431. #       Every access list definition must begin with an aclname and acltype,
  432. #       followed by either type-specific arguments or a quoted filename that
  433. #       they are read from.
  434. #
  435. #          acl aclname acltype argument ...
  436. #          acl aclname acltype "file" ...
  437. #
  438. #       When using "file", the file should contain one item per line.
  439. #
  440. #       By default, regular expressions are CASE-SENSITIVE.  To make
  441. #       them case-insensitive, use the -i option.
  442. #
  443. #       Some acl types require suspending the current request in order
  444. #       to access some external data source.
  445. #       Those which do are marked with the tag [slow], those which
  446. #       don't are marked as [fast].
  447. #       See http://wiki.squid-cache.org/SquidFaq/SquidAcl
  448. #       for further information
  449. #
  450. #       ***** ACL TYPES AVAILABLE *****
  451. #
  452. #       acl aclname src ip-address/netmask ...  # clients IP address [fast]
  453. #       acl aclname src addr1-addr2/netmask ... # range of addresses [fast]
  454. #       acl aclname dst ip-address/netmask ...  # URL host's IP address [slow]
  455. #       acl aclname myip ip-address/netmask ... # local socket IP address [fast]
  456. #
  457. #       acl aclname arp      mac-address ... (xx:xx:xx:xx:xx:xx notation)
  458. #         # The arp ACL requires the special configure option --enable-arp-acl.
  459. #         # Furthermore, the ARP ACL code is not portable to all operating systems.
  460. #         # It works on Linux, Solaris, Windows, FreeBSD, and some
  461. #         # other *BSD variants.
  462. #         # [fast]
  463. #         #
  464. #         # NOTE: Squid can only determine the MAC address for clients that are on
  465. #         # the same subnet. If the client is on a different subnet,
  466. #         # then Squid cannot find out its MAC address.
  467. #
  468. #       acl aclname srcdomain   .foo.com ...
  469. #         # reverse lookup, from client IP [slow]
  470. #       acl aclname dstdomain   .foo.com ...
  471. #         # Destination server from URL [fast]
  472. #       acl aclname srcdom_regex [-i] \.foo\.com ...
  473. #         # regex matching client name [slow]
  474. #       acl aclname dstdom_regex [-i] \.foo\.com ...
  475. #         # regex matching server [fast]
  476. #         #
  477. #         # For dstdomain and dstdom_regex a reverse lookup is tried if a IP
  478. #         # based URL is used and no match is found. The name "none" is used
  479. #         # if the reverse lookup fails.
  480. #
  481. #       acl aclname src_as number ...
  482. #       acl aclname dst_as number ...
  483. #         # [fast]
  484. #         # Except for access control, AS numbers can be used for
  485. #         # routing of requests to specific caches. Here's an
  486. #         # example for routing all requests for AS#1241 and only
  487. #         # those to mycache.mydomain.net:
  488. #         # acl asexample dst_as 1241
  489. #         # cache_peer_access mycache.mydomain.net allow asexample
  490. #         # cache_peer_access mycache_mydomain.net deny all
  491. #
  492. #       acl aclname peername myPeer ...
  493. #         # [fast]
  494. #         # match against a named cache_peer entry
  495. #         # set unique name= on cache_peer lines for reliable use.
  496. #
  497. #       acl aclname time [day-abbrevs] [h1:m1-h2:m2]
  498. #         # [fast]
  499. #         #  day-abbrevs:
  500. #         #     S - Sunday
  501. #         #     M - Monday
  502. #         #     T - Tuesday
  503. #         #     W - Wednesday
  504. #         #     H - Thursday
  505. #         #     F - Friday
  506. #         #     A - Saturday
  507. #         #  h1:m1 must be less than h2:m2
  508. #
  509. #       acl aclname url_regex [-i] ^http:// ...
  510. #         # regex matching on whole URL [fast]
  511. #       acl aclname urlpath_regex [-i] \.gif$ ...
  512. #         # regex matching on URL path [fast]
  513. #
  514. #       acl aclname port 80 70 21 0-1024...   # destination TCP port [fast]
  515. #                                             # ranges are alloed
  516. #       acl aclname myport 3128 ...               # local socket TCP port [fast]
  517. #       acl aclname myportname 3128 ...       # http(s)_port name [fast]
  518. #
  519. #       acl aclname proto HTTP FTP ...        # request protocol [fast]
  520. #
  521. #       acl aclname method GET POST ...       # HTTP request method [fast]
  522. #
  523. #       acl aclname http_status 200 301 500- 400-403 ...
  524. #         # status code in reply [fast]
  525. #
  526. #       acl aclname browser [-i] regexp ...
  527. #         # pattern match on User-Agent header (see also req_header below) [fast]
  528. #
  529. #       acl aclname referer_regex [-i] regexp ...
  530. #         # pattern match on Referer header [fast]
  531. #         # Referer is highly unreliable, so use with care
  532. #
  533. #       acl aclname ident username ...
  534. #       acl aclname ident_regex [-i] pattern ...
  535. #         # string match on ident output [slow]
  536. #         # use REQUIRED to accept any non-null ident.
  537. #
  538. #       acl aclname proxy_auth [-i] username ...
  539. #       acl aclname proxy_auth_regex [-i] pattern ...
  540. #         # perform http authentication challenge to the client and match against
  541. #         # supplied credentials [slow]
  542. #         #
  543. #         # takes a list of allowed usernames.
  544. #         # use REQUIRED to accept any valid username.
  545. #         #
  546. #         # Will use proxy authentication in forward-proxy scenarios, and plain
  547. #         # http authenticaiton in reverse-proxy scenarios
  548. #         #
  549. #         # NOTE: when a Proxy-Authentication header is sent but it is not
  550. #         # needed during ACL checking the username is NOT logged
  551. #         # in access.log.
  552. #         #
  553. #         # NOTE: proxy_auth requires a EXTERNAL authentication program
  554. #         # to check username/password combinations (see
  555. #         # auth_param directive).
  556. #         #
  557. #         # NOTE: proxy_auth can't be used in a transparent/intercepting proxy
  558. #         # as the browser needs to be configured for using a proxy in order
  559. #         # to respond to proxy authentication.
  560. #
  561. #       acl aclname snmp_community string ...
  562. #         # A community string to limit access to your SNMP Agent [fast]
  563. #         # Example:
  564. #         #
  565. #         #     acl snmppublic snmp_community public
  566. #
  567. #       acl aclname maxconn number
  568. #         # This will be matched when the client's IP address has
  569. #         # more than <number> HTTP connections established. [fast]
  570. #
  571. #       acl aclname max_user_ip [-s] number
  572. #         # This will be matched when the user attempts to log in from more
  573. #         # than <number> different ip addresses. The authenticate_ip_ttl
  574. #         # parameter controls the timeout on the ip entries. [fast]
  575. #         # If -s is specified the limit is strict, denying browsing
  576. #         # from any further IP addresses until the ttl has expired. Without
  577. #         # -s Squid will just annoy the user by "randomly" denying requests.
  578. #         # (the counter is reset each time the limit is reached and a
  579. #         # request is denied)
  580. #         # NOTE: in acceleration mode or where there is mesh of child proxies,
  581. #         # clients may appear to come from multiple addresses if they are
  582. #         # going through proxy farms, so a limit of 1 may cause user problems.
  583. #
  584. #       acl aclname req_mime_type [-i] mime-type ...
  585. #         # regex match against the mime type of the request generated
  586. #         # by the client. Can be used to detect file upload or some
  587. #         # types HTTP tunneling requests [fast]
  588. #         # NOTE: This does NOT match the reply. You cannot use this
  589. #         # to match the returned file type.
  590. #
  591. #       acl aclname req_header header-name [-i] any\.regex\.here
  592. #         # regex match against any of the known request headers.  May be
  593. #         # thought of as a superset of "browser", "referer" and "mime-type"
  594. #         # ACL [fast]
  595. #
  596. #       acl aclname rep_mime_type [-i] mime-type ...
  597. #         # regex match against the mime type of the reply received by
  598. #         # squid. Can be used to detect file download or some
  599. #         # types HTTP tunneling requests. [fast]
  600. #         # NOTE: This has no effect in http_access rules. It only has
  601. #         # effect in rules that affect the reply data stream such as
  602. #         # http_reply_access.
  603. #
  604. #       acl aclname rep_header header-name [-i] any\.regex\.here
  605. #         # regex match against any of the known reply headers. May be
  606. #         # thought of as a superset of "browser", "referer" and "mime-type"
  607. #         # ACLs [fast]
  608. #
  609. #       acl aclname external class_name [arguments...]
  610. #         # external ACL lookup via a helper class defined by the
  611. #         # external_acl_type directive [slow]
  612. #
  613. #       acl aclname user_cert attribute values...
  614. #         # match against attributes in a user SSL certificate
  615. #         # attribute is one of DN/C/O/CN/L/ST [fast]
  616. #
  617. #       acl aclname ca_cert attribute values...
  618. #         # match against attributes a users issuing CA SSL certificate
  619. #         # attribute is one of DN/C/O/CN/L/ST [fast]
  620. #
  621. #       acl aclname ext_user username ...
  622. #       acl aclname ext_user_regex [-i] pattern ...
  623. #         # string match on username returned by external acl helper [slow]
  624. #         # use REQUIRED to accept any non-null user name.
  625. #
  626. #       acl aclname tag tagvalue ...
  627. #         # string match on tag returned by external acl helper [slow]
  628. #
  629. #       Examples:
  630. #               acl macaddress arp 09:00:2b:23:45:67
  631. #               acl myexample dst_as 1241
  632. #               acl password proxy_auth REQUIRED
  633. #               acl fileupload req_mime_type -i ^multipart/form-data$
  634. #               acl javascript rep_mime_type -i ^application/x-javascript$
  635. #
  636. #Default:
  637. # acl all src all
  638. #
  639. #
  640. # Recommended minimum configuration:
  641. #
  642. acl manager proto cache_object
  643. acl localhost src 127.0.0.1/32 ::1
  644. acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
  645.  
  646. # Example rule allowing access from your local networks.
  647. # Adapt to list your (internal) IP networks from where browsing
  648. # should be allowed
  649. #acl localnet src 10.0.0.0/8    # RFC1918 possible internal network
  650. #acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
  651. #acl localnet src 192.168.0.0/16        # RFC1918 possible internal network
  652. #acl localnet src fc00::/7       # RFC 4193 local private network range
  653. #acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
  654.  
  655. acl SSL_ports port 443
  656. acl Safe_ports port 80          # http
  657. acl Safe_ports port 21          # ftp
  658. acl Safe_ports port 443         # https
  659. acl Safe_ports port 70          # gopher
  660. acl Safe_ports port 210         # wais
  661. acl Safe_ports port 1025-65535  # unregistered ports
  662. acl Safe_ports port 280         # http-mgmt
  663. acl Safe_ports port 488         # gss-http
  664. acl Safe_ports port 591         # filemaker
  665. acl Safe_ports port 777         # multiling http
  666. acl CONNECT method CONNECT
  667.  
  668. #  TAG: follow_x_forwarded_for
  669. #       Allowing or Denying the X-Forwarded-For header to be followed to
  670. #       find the original source of a request.
  671. #
  672. #       Requests may pass through a chain of several other proxies
  673. #       before reaching us.  The X-Forwarded-For header will contain a
  674. #       comma-separated list of the IP addresses in the chain, with the
  675. #       rightmost address being the most recent.
  676. #
  677. #       If a request reaches us from a source that is allowed by this
  678. #       configuration item, then we consult the X-Forwarded-For header
  679. #       to see where that host received the request from.  If the
  680. #       X-Forwarded-For header contains multiple addresses, we continue
  681. #       backtracking until we reach an address for which we are not allowed
  682. #       to follow the X-Forwarded-For header, or until we reach the first
  683. #       address in the list. For the purpose of ACL used in the
  684. #       follow_x_forwarded_for directive the src ACL type always matches
  685. #       the address we are testing and srcdomain matches its rDNS.
  686. #
  687. #       The end result of this process is an IP address that we will
  688. #       refer to as the indirect client address.  This address may
  689. #       be treated as the client address for access control, ICAP, delay
  690. #       pools and logging, depending on the acl_uses_indirect_client,
  691. #       icap_uses_indirect_client, delay_pool_uses_indirect_client and
  692. #       log_uses_indirect_client options.
  693. #
  694. #       This clause only supports fast acl types.
  695. #       See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  696. #
  697. #       SECURITY CONSIDERATIONS:
  698. #
  699. #               Any host for which we follow the X-Forwarded-For header
  700. #               can place incorrect information in the header, and Squid
  701. #               will use the incorrect information as if it were the
  702. #               source address of the request.  This may enable remote
  703. #               hosts to bypass any access control restrictions that are
  704. #               based on the client's source addresses.
  705. #
  706. #       For example:
  707. #
  708. #               acl localhost src 127.0.0.1
  709. #               acl my_other_proxy srcdomain .proxy.example.com
  710. #               follow_x_forwarded_for allow localhost
  711. #               follow_x_forwarded_for allow my_other_proxy
  712. #Default:
  713. # follow_x_forwarded_for deny all
  714.  
  715. #  TAG: acl_uses_indirect_client        on|off
  716. #       Controls whether the indirect client address
  717. #       (see follow_x_forwarded_for) is used instead of the
  718. #       direct client address in acl matching.
  719. #Default:
  720. # acl_uses_indirect_client on
  721.  
  722. #  TAG: delay_pool_uses_indirect_client on|off
  723. #       Controls whether the indirect client address
  724. #       (see follow_x_forwarded_for) is used instead of the
  725. #       direct client address in delay pools.
  726. #Default:
  727. # delay_pool_uses_indirect_client on
  728.  
  729. #  TAG: log_uses_indirect_client        on|off
  730. #       Controls whether the indirect client address
  731. #       (see follow_x_forwarded_for) is used instead of the
  732. #       direct client address in the access log.
  733. #Default:
  734. # log_uses_indirect_client on
  735.  
  736. #  TAG: http_access
  737. #       Allowing or Denying access based on defined access lists
  738. #
  739. #       Access to the HTTP port:
  740. #       http_access allow|deny [!]aclname ...
  741. #
  742. #       NOTE on default values:
  743. #
  744. #       If there are no "access" lines present, the default is to deny
  745. #       the request.
  746. #
  747. #       If none of the "access" lines cause a match, the default is the#        WELCOME TO SQUID 3.1.6
  748. #       ----------------------------
  749. #
  750. #       This is the default Squid configuration file. You may wish
  751. #       to look at the Squid home page (http://www.squid-cache.org/)
  752. #       for the FAQ and other documentation.
  753. #
  754. #       The default Squid config file shows what the defaults for
  755. #       various options happen to be.  If you don't need to change the
  756. #       default, you shouldn't uncomment the line.  Doing so may cause
  757. #       run-time problems.  In some cases "none" refers to no default
  758. #       setting at all, while in other cases it refers to a valid
  759. #       option - the comments for that keyword indicate if this is the
  760. #       case.
  761. #
  762.  
  763. #  Configuration options can be included using the "include" directive.
  764. #  Include takes a list of files to include. Quoting and wildcards is
  765. #  supported.
  766. #
  767. #  For example,
  768. #
  769. #  include /path/to/included/file/squid.acl.config
  770. #
  771. #  Includes can be nested up to a hard-coded depth of 16 levels.
  772. #  This arbitrary restriction is to prevent recursive include references
  773. #  from causing Squid entering an infinite loop whilst trying to load
  774. #  configuration files.
  775.  
  776. # OPTIONS FOR AUTHENTICATION
  777. # -----------------------------------------------------------------------------
  778.  
  779. #  TAG: auth_param
  780. #       This is used to define parameters for the various authentication
  781. #       schemes supported by Squid.
  782. #
  783. #       format: auth_param scheme parameter [setting]
  784. #
  785. #       The order in which authentication schemes are presented to the client is
  786. #       dependent on the order the scheme first appears in config file. IE
  787. #       has a bug (it's not RFC 2617 compliant) in that it will use the basic
  788. #       scheme if basic is the first entry presented, even if more secure
  789. #       schemes are presented. For now use the order in the recommended
  790. #       settings section below. If other browsers have difficulties (don't
  791. #       recognize the schemes offered even if you are using basic) either
  792. #       put basic first, or disable the other schemes (by commenting out their
  793. #       program entry).
  794. #
  795. #       Once an authentication scheme is fully configured, it can only be
  796. #       shutdown by shutting squid down and restarting. Changes can be made on
  797. #       the fly and activated with a reconfigure. I.E. You can change to a
  798. #       different helper, but not unconfigure the helper completely.
  799. #
  800. #       Please note that while this directive defines how Squid processes
  801. #       authentication it does not automatically activate authentication.
  802. #       To use authentication you must in addition make use of ACLs based
  803. #       on login name in http_access (proxy_auth, proxy_auth_regex or
  804. #       external with %LOGIN used in the format tag). The browser will be
  805. #       challenged for authentication on the first such acl encountered
  806. #       in http_access processing and will also be re-challenged for new
  807. #       login credentials if the request is being denied by a proxy_auth
  808. #       type acl.
  809. #
  810. #       WARNING: authentication can't be used in a transparently intercepting
  811. #       proxy as the client then thinks it is talking to an origin server and
  812. #       not the proxy. This is a limitation of bending the TCP/IP protocol to
  813. #       transparently intercepting port 80, not a limitation in Squid.
  814. #       Ports flagged 'transparent', 'intercept', or 'tproxy' have
  815. #       authentication disabled.
  816. #
  817. #       === Parameters for the basic scheme follow. ===
  818. #
  819. #       "program" cmdline
  820. #       Specify the command for the external authenticator.  Such a program
  821. #       reads a line containing "username password" and replies "OK" or
  822. #       "ERR" in an endless loop. "ERR" responses may optionally be followed
  823. #       by a error description available as %m in the returned error page.
  824. #       If you use an authenticator, make sure you have 1 acl of type
  825. #       proxy_auth.
  826. #
  827. #       By default, the basic authentication scheme is not used unless a
  828. #       program is specified.
  829. #
  830. #       If you want to use the traditional NCSA proxy authentication, set
  831. #       this line to something like
  832. #
  833. #       auth_param basic program /usr/lib/squid3/ncsa_auth /usr/etc/passwd
  834. #
  835. #       "utf8" on|off
  836. #       HTTP uses iso-latin-1 as characterset, while some authentication
  837. #       backends such as LDAP expects UTF-8. If this is set to on Squid will
  838. #       translate the HTTP iso-latin-1 charset to UTF-8 before sending the
  839. #       username & password to the helper.
  840. #
  841. #       "children" numberofchildren
  842. #       The number of authenticator processes to spawn. If you start too few
  843. #       Squid will have to wait for them to process a backlog of credential
  844. #       verifications, slowing it down. When password verifications are
  845. #       done via a (slow) network you are likely to need lots of
  846. #       authenticator processes.
  847. #       auth_param basic children 5
  848. #
  849. #       "concurrency" concurrency
  850. #       The number of concurrent requests the helper can process.
  851. #       The default of 0 is used for helpers who only supports
  852. #       one request at a time. Setting this changes the protocol used to
  853. #       include a channel number first on the request/response line, allowing
  854. #       multiple requests to be sent to the same helper in parallell without
  855. #       wating for the response.
  856. #       Must not be set unless it's known the helper supports this.
  857. #       auth_param basic concurrency 0
  858. #
  859. #       "realm" realmstring
  860. #       Specifies the realm name which is to be reported to the
  861. #       client for the basic proxy authentication scheme (part of
  862. #       the text the user will see when prompted their username and
  863. #       password). There is no default.
  864. #       auth_param basic realm Squid proxy-caching web server
  865. #
  866. #       "credentialsttl" timetolive
  867. #       Specifies how long squid assumes an externally validated
  868. #       username:password pair is valid for - in other words how
  869. #       often the helper program is called for that user. Set this
  870. #       low to force revalidation with short lived passwords.  Note
  871. #       setting this high does not impact your susceptibility
  872. #       to replay attacks unless you are using an one-time password
  873. #       system (such as SecureID).  If you are using such a system,
  874. #       you will be vulnerable to replay attacks unless you also
  875. #       use the max_user_ip ACL in an http_access rule.
  876. #
  877. #       "casesensitive" on|off
  878. #       Specifies if usernames are case sensitive. Most user databases are
  879. #       case insensitive allowing the same username to be spelled using both
  880. #       lower and upper case letters, but some are case sensitive. This
  881. #       makes a big difference for user_max_ip ACL processing and similar.
  882. #       auth_param basic casesensitive off
  883. #
  884. #       === Parameters for the digest scheme follow ===
  885. #
  886. #       "program" cmdline
  887. #       Specify the command for the external authenticator.  Such
  888. #       a program reads a line containing "username":"realm" and
  889. #       replies with the appropriate H(A1) value hex encoded or
  890. #       ERR if the user (or his H(A1) hash) does not exists.
  891. #       See rfc 2616 for the definition of H(A1).
  892. #       "ERR" responses may optionally be followed by a error description
  893. #       available as %m in the returned error page.
  894. #
  895. #       By default, the digest authentication scheme is not used unless a
  896. #       program is specified.
  897. #
  898. #       If you want to use a digest authenticator, set this line to
  899. #       something like
  900. #
  901. #       auth_param digest program /usr/lib/squid3/digest_pw_auth /usr/etc/digpass
  902. #
  903. #       "utf8" on|off
  904. #       HTTP uses iso-latin-1 as characterset, while some authentication
  905. #       backends such as LDAP expects UTF-8. If this is set to on Squid will
  906. #       translate the HTTP iso-latin-1 charset to UTF-8 before sending the
  907. #       username & password to the helper.
  908. #
  909. #       "children" numberofchildren
  910. #       The number of authenticator processes to spawn (no default).
  911. #       If you start too few Squid will have to wait for them to
  912. #       process a backlog of H(A1) calculations, slowing it down.
  913. #       When the H(A1) calculations are done via a (slow) network
  914. #       you are likely to need lots of authenticator processes.
  915. #       auth_param digest children 5
  916. #
  917. #       "realm" realmstring
  918. #       Specifies the realm name which is to be reported to the
  919. #       client for the digest proxy authentication scheme (part of
  920. #       the text the user will see when prompted their username and
  921. #       password). There is no default.
  922. #       auth_param digest realm Squid proxy-caching web server
  923. #
  924. #       "nonce_garbage_interval" timeinterval
  925. #       Specifies the interval that nonces that have been issued
  926. #       to client_agent's are checked for validity.
  927. #
  928. #       "nonce_max_duration" timeinterval
  929. #       Specifies the maximum length of time a given nonce will be
  930. #       valid for.
  931. #
  932. #       "nonce_max_count" number
  933. #       Specifies the maximum number of times a given nonce can be
  934. #       used.
  935. #
  936. #       "nonce_strictness" on|off
  937. #       Determines if squid requires strict increment-by-1 behavior
  938. #       for nonce counts, or just incrementing (off - for use when
  939. #       useragents generate nonce counts that occasionally miss 1
  940. #       (ie, 1,2,4,6)). Default off.
  941. #
  942. #       "check_nonce_count" on|off
  943. #       This directive if set to off can disable the nonce count check
  944. #       completely to work around buggy digest qop implementations in
  945. #       certain mainstream browser versions. Default on to check the
  946. #       nonce count to protect from authentication replay attacks.
  947. #
  948. #       "post_workaround" on|off
  949. #       This is a workaround to certain buggy browsers who sends
  950. #       an incorrect request digest in POST requests when reusing
  951. #       the same nonce as acquired earlier on a GET request.
  952. #
  953. #       === NTLM scheme options follow ===
  954. #
  955. #       "program" cmdline
  956. #       Specify the command for the external NTLM authenticator.
  957. #       Such a program reads exchanged NTLMSSP packets with
  958. #       the browser via Squid until authentication is completed.
  959. #       If you use an NTLM authenticator, make sure you have 1 acl
  960. #       of type proxy_auth.  By default, the NTLM authenticator_program
  961. #       is not used.
  962. #
  963. #       auth_param ntlm program /usr/lib/squid3/ntlm_auth
  964. #
  965. #       "children" numberofchildren
  966. #       The number of authenticator processes to spawn (no default).
  967. #       If you start too few Squid will have to wait for them to
  968. #       process a backlog of credential verifications, slowing it
  969. #       down. When credential verifications are done via a (slow)
  970. #       network you are likely to need lots of authenticator
  971. #       processes.
  972. #
  973. #       auth_param ntlm children 5
  974. #
  975. #       "keep_alive" on|off
  976. #       If you experience problems with PUT/POST requests when using the
  977. #       Negotiate authentication scheme then you can try setting this to
  978. #       off. This will cause Squid to forcibly close the connection on
  979. #       the initial requests where the browser asks which schemes are
  980. #       supported by the proxy.
  981. #
  982. #       auth_param ntlm keep_alive on
  983. #
  984. #       === Options for configuring the NEGOTIATE auth-scheme follow ===
  985. #
  986. #       "program" cmdline
  987. #       Specify the command for the external Negotiate authenticator.
  988. #       This protocol is used in Microsoft Active-Directory enabled setups with
  989. #       the Microsoft Internet Explorer or Mozilla Firefox browsers.
  990. #       Its main purpose is to exchange credentials with the Squid proxy
  991. #       using the Kerberos mechanisms.
  992. #       If you use a Negotiate authenticator, make sure you have at least
  993. #       one acl of type proxy_auth active. By default, the negotiate
  994. #       authenticator_program is not used.
  995. #       The only supported program for this role is the ntlm_auth
  996. #       program distributed as part of Samba, version 4 or later.
  997. #
  998. #       auth_param negotiate program /usr/lib/squid3/ntlm_auth --helper-protocol=gss-spnego
  999. #
  1000. #       "children" numberofchildren
  1001. #       The number of authenticator processes to spawn (no default).
  1002. #       If you start too few Squid will have to wait for them to
  1003. #       process a backlog of credential verifications, slowing it
  1004. #       down. When crendential verifications are done via a (slow)
  1005. #       network you are likely to need lots of authenticator
  1006. #       processes.
  1007. #       auth_param negotiate children 5
  1008. #
  1009. #       "keep_alive" on|off
  1010. #       If you experience problems with PUT/POST requests when using the
  1011. #       Negotiate authentication scheme then you can try setting this to
  1012. #       off. This will cause Squid to forcibly close the connection on
  1013. #       the initial requests where the browser asks which schemes are
  1014. #       supported by the proxy.
  1015. #
  1016. #       auth_param negotiate keep_alive on
  1017. #
  1018. #      
  1019. #       Examples:
  1020. #
  1021. ##Recommended minimum configuration per scheme:
  1022. ##auth_param negotiate program <uncomment and complete this line to activate>
  1023. ##auth_param negotiate children 5
  1024. ##auth_param negotiate keep_alive on
  1025. ##
  1026. ##auth_param ntlm program <uncomment and complete this line to activate>
  1027. ##auth_param ntlm children 5
  1028. ##auth_param ntlm keep_alive on
  1029. ##
  1030. ##auth_param digest program <uncomment and complete this line>
  1031. ##auth_param digest children 5
  1032. ##auth_param digest realm Squid proxy-caching web server
  1033. ##auth_param digest nonce_garbage_interval 5 minutes
  1034. ##auth_param digest nonce_max_duration 30 minutes
  1035. ##auth_param digest nonce_max_count 50
  1036. ##
  1037. ##auth_param basic program <uncomment and complete this line>
  1038. ##auth_param basic children 5
  1039. ##auth_param basic realm Squid proxy-caching web server
  1040. ##auth_param basic credentialsttl 2 hours
  1041. #Default:
  1042. # none
  1043.  
  1044. #  TAG: authenticate_cache_garbage_interval
  1045. #       The time period between garbage collection across the username cache.
  1046. #       This is a tradeoff between memory utilization (long intervals - say
  1047. #       2 days) and CPU (short intervals - say 1 minute). Only change if you
  1048. #       have good reason to.
  1049. #Default:
  1050. # authenticate_cache_garbage_interval 1 hour
  1051.  
  1052. #  TAG: authenticate_ttl
  1053. #       The time a user & their credentials stay in the logged in
  1054. #       user cache since their last request. When the garbage
  1055. #       interval passes, all user credentials that have passed their
  1056. #       TTL are removed from memory.
  1057. #Default:
  1058. # authenticate_ttl 1 hour
  1059.  
  1060. #  TAG: authenticate_ip_ttl
  1061. #       If you use proxy authentication and the 'max_user_ip' ACL,
  1062. #       this directive controls how long Squid remembers the IP
  1063. #       addresses associated with each user.  Use a small value
  1064. #       (e.g., 60 seconds) if your users might change addresses
  1065. #       quickly, as is the case with dialups.   You might be safe
  1066. #       using a larger value (e.g., 2 hours) in a corporate LAN
  1067. #       environment with relatively static address assignments.
  1068. #Default:
  1069. # authenticate_ip_ttl 0 seconds
  1070.  
  1071. # ACCESS CONTROLS
  1072. # -----------------------------------------------------------------------------
  1073.  
  1074. #  TAG: external_acl_type
  1075. #       This option defines external acl classes using a helper program
  1076. #       to look up the status
  1077. #
  1078. #         external_acl_type name [options] FORMAT.. /path/to/helper [helper arguments..]
  1079. #
  1080. #       Options:
  1081. #
  1082. #         ttl=n         TTL in seconds for cached results (defaults to 3600
  1083. #                       for 1 hour)
  1084. #         negative_ttl=n
  1085. #                       TTL for cached negative lookups (default same
  1086. #                       as ttl)
  1087. #         children=n    Number of acl helper processes spawn to service
  1088. #                       external acl lookups of this type. (default 5)
  1089. #         concurrency=n concurrency level per process. Only used with helpers
  1090. #                       capable of processing more than one query at a time.
  1091. #         cache=n       result cache size, 0 is unbounded (default)
  1092. #         grace=n       Percentage remaining of TTL where a refresh of a
  1093. #                       cached entry should be initiated without needing to
  1094. #                       wait for a new reply. (default 0 for no grace period)
  1095. #         protocol=2.5  Compatibility mode for Squid-2.5 external acl helpers
  1096. #         ipv4 / ipv6   IP-mode used to communicate to this helper.
  1097. #                       For compatability with older configurations and helpers
  1098. #                       the default is currently 'ipv4'.
  1099. #
  1100. #       FORMAT specifications
  1101. #
  1102. #         %LOGIN        Authenticated user login name
  1103. #         %EXT_USER     Username from external acl
  1104. #         %IDENT        Ident user name
  1105. #         %SRC          Client IP
  1106. #         %SRCPORT      Client source port
  1107. #         %URI          Requested URI
  1108. #         %DST          Requested host
  1109. #         %PROTO        Requested protocol
  1110. #         %PORT         Requested port
  1111. #         %PATH         Requested URL path
  1112. #         %METHOD       Request method
  1113. #         %MYADDR       Squid interface address
  1114. #         %MYPORT       Squid http_port number
  1115. #         %PATH         Requested URL-path (including query-string if any)
  1116. #         %USER_CERT    SSL User certificate in PEM format
  1117. #         %USER_CERTCHAIN SSL User certificate chain in PEM format
  1118. #         %USER_CERT_xx SSL User certificate subject attribute xx
  1119. #         %USER_CA_xx   SSL User certificate issuer attribute xx
  1120. #
  1121. #         %>{Header}    HTTP request header "Header"
  1122. #         %>{Hdr:member}
  1123. #                       HTTP request header "Hdr" list member "member"
  1124. #         %>{Hdr:;member}
  1125. #                       HTTP request header list member using ; as
  1126. #                       list separator. ; can be any non-alphanumeric
  1127. #                       character.
  1128. #
  1129. #         %<{Header}    HTTP reply header "Header"
  1130. #         %<{Hdr:member}
  1131. #                       HTTP reply header "Hdr" list member "member"
  1132. #         %<{Hdr:;member}
  1133. #                       HTTP reply header list member using ; as
  1134. #                       list separator. ; can be any non-alphanumeric
  1135. #                       character.
  1136. #
  1137. #       In addition to the above, any string specified in the referencing
  1138. #       acl will also be included in the helper request line, after the
  1139. #       specified formats (see the "acl external" directive)
  1140. #
  1141. #       The helper receives lines per the above format specification,
  1142. #       and returns lines starting with OK or ERR indicating the validity
  1143. #       of the request and optionally followed by additional keywords with
  1144. #       more details.
  1145. #
  1146. #       General result syntax:
  1147. #
  1148. #         OK/ERR keyword=value ...
  1149. #
  1150. #       Defined keywords:
  1151. #
  1152. #         user=         The users name (login)
  1153. #         password=     The users password (for login= cache_peer option)
  1154. #         message=      Message describing the reason. Available as %o
  1155. #                       in error pages
  1156. #         tag=          Apply a tag to a request (for both ERR and OK results)
  1157. #                       Only sets a tag, does not alter existing tags.
  1158. #         log=          String to be logged in access.log. Available as
  1159. #                       %ea in logformat specifications
  1160. #
  1161. #       If protocol=3.0 (the default) then URL escaping is used to protect
  1162. #       each value in both requests and responses.
  1163. #
  1164. #       If using protocol=2.5 then all values need to be enclosed in quotes
  1165. #       if they may contain whitespace, or the whitespace escaped using \.
  1166. #       And quotes or \ characters within the keyword value must be \ escaped.
  1167. #
  1168. #       When using the concurrency= option the protocol is changed by
  1169. #       introducing a query channel tag infront of the request/response.
  1170. #       The query channel tag is a number between 0 and concurrency-1.
  1171. #Default:
  1172. # none
  1173.  
  1174. #  TAG: acl
  1175. #       Defining an Access List
  1176. #
  1177. #       Every access list definition must begin with an aclname and acltype,
  1178. #       followed by either type-specific arguments or a quoted filename that
  1179. #       they are read from.
  1180. #
  1181. #          acl aclname acltype argument ...
  1182. #          acl aclname acltype "file" ...
  1183. #
  1184. #       When using "file", the file should contain one item per line.
  1185. #
  1186. #       By default, regular expressions are CASE-SENSITIVE.  To make
  1187. #       them case-insensitive, use the -i option.
  1188. #
  1189. #       Some acl types require suspending the current request in order
  1190. #       to access some external data source.
  1191. #       Those which do are marked with the tag [slow], those which
  1192. #       don't are marked as [fast].
  1193. #       See http://wiki.squid-cache.org/SquidFaq/SquidAcl
  1194. #       for further information
  1195. #
  1196. #       ***** ACL TYPES AVAILABLE *****
  1197. #
  1198. #       acl aclname src ip-address/netmask ...  # clients IP address [fast]
  1199. #       acl aclname src addr1-addr2/netmask ... # range of addresses [fast]
  1200. #       acl aclname dst ip-address/netmask ...  # URL host's IP address [slow]
  1201. #       acl aclname myip ip-address/netmask ... # local socket IP address [fast]
  1202. #
  1203. #       acl aclname arp      mac-address ... (xx:xx:xx:xx:xx:xx notation)
  1204. #         # The arp ACL requires the special configure option --enable-arp-acl.
  1205. #         # Furthermore, the ARP ACL code is not portable to all operating systems.
  1206. #         # It works on Linux, Solaris, Windows, FreeBSD, and some
  1207. #         # other *BSD variants.
  1208. #         # [fast]
  1209. #         #
  1210. #         # NOTE: Squid can only determine the MAC address for clients that are on
  1211. #         # the same subnet. If the client is on a different subnet,
  1212. #         # then Squid cannot find out its MAC address.
  1213. #
  1214. #       acl aclname srcdomain   .foo.com ...
  1215. #         # reverse lookup, from client IP [slow]
  1216. #       acl aclname dstdomain   .foo.com ...
  1217. #         # Destination server from URL [fast]
  1218. #       acl aclname srcdom_regex [-i] \.foo\.com ...
  1219. #         # regex matching client name [slow]
  1220. #       acl aclname dstdom_regex [-i] \.foo\.com ...
  1221. #         # regex matching server [fast]
  1222. #         #
  1223. #         # For dstdomain and dstdom_regex a reverse lookup is tried if a IP
  1224. #         # based URL is used and no match is found. The name "none" is used
  1225. #         # if the reverse lookup fails.
  1226. #
  1227. #       acl aclname src_as number ...
  1228. #       acl aclname dst_as number ...
  1229. #         # [fast]
  1230. #         # Except for access control, AS numbers can be used for
  1231. #         # routing of requests to specific caches. Here's an
  1232. #         # example for routing all requests for AS#1241 and only
  1233. #         # those to mycache.mydomain.net:
  1234. #         # acl asexample dst_as 1241
  1235. #         # cache_peer_access mycache.mydomain.net allow asexample
  1236. #         # cache_peer_access mycache_mydomain.net deny all
  1237. #
  1238. #       acl aclname peername myPeer ...
  1239. #         # [fast]
  1240. #         # match against a named cache_peer entry
  1241. #         # set unique name= on cache_peer lines for reliable use.
  1242. #
  1243. #       acl aclname time [day-abbrevs] [h1:m1-h2:m2]
  1244. #         # [fast]
  1245. #         #  day-abbrevs:
  1246. #         #     S - Sunday
  1247. #         #     M - Monday
  1248. #         #     T - Tuesday
  1249. #         #     W - Wednesday
  1250. #         #     H - Thursday
  1251. #         #     F - Friday
  1252. #         #     A - Saturday
  1253. #         #  h1:m1 must be less than h2:m2
  1254. #
  1255. #       acl aclname url_regex [-i] ^http:// ...
  1256. #         # regex matching on whole URL [fast]
  1257. #       acl aclname urlpath_regex [-i] \.gif$ ...
  1258. #         # regex matching on URL path [fast]
  1259. #
  1260. #       acl aclname port 80 70 21 0-1024...   # destination TCP port [fast]
  1261. #                                             # ranges are alloed
  1262. #       acl aclname myport 3128 ...               # local socket TCP port [fast]
  1263. #       acl aclname myportname 3128 ...       # http(s)_port name [fast]
  1264. #
  1265. #       acl aclname proto HTTP FTP ...        # request protocol [fast]
  1266. #
  1267. #       acl aclname method GET POST ...       # HTTP request method [fast]
  1268. #
  1269. #       acl aclname http_status 200 301 500- 400-403 ...
  1270. #         # status code in reply [fast]
  1271. #
  1272. #       acl aclname browser [-i] regexp ...
  1273. #         # pattern match on User-Agent header (see also req_header below) [fast]
  1274. #
  1275. #       acl aclname referer_regex [-i] regexp ...
  1276. #         # pattern match on Referer header [fast]
  1277. #         # Referer is highly unreliable, so use with care
  1278. #
  1279. #       acl aclname ident username ...
  1280. #       acl aclname ident_regex [-i] pattern ...
  1281. #         # string match on ident output [slow]
  1282. #         # use REQUIRED to accept any non-null ident.
  1283. #
  1284. #       acl aclname proxy_auth [-i] username ...
  1285. #       acl aclname proxy_auth_regex [-i] pattern ...
  1286. #         # perform http authentication challenge to the client and match against
  1287. #         # supplied credentials [slow]
  1288. #         #
  1289. #         # takes a list of allowed usernames.
  1290. #         # use REQUIRED to accept any valid username.
  1291. #         #
  1292. #         # Will use proxy authentication in forward-proxy scenarios, and plain
  1293. #         # http authenticaiton in reverse-proxy scenarios
  1294. #         #
  1295. #         # NOTE: when a Proxy-Authentication header is sent but it is not
  1296. #         # needed during ACL checking the username is NOT logged
  1297. #         # in access.log.
  1298. #         #
  1299. #         # NOTE: proxy_auth requires a EXTERNAL authentication program
  1300. #         # to check username/password combinations (see
  1301. #         # auth_param directive).
  1302. #         #
  1303. #         # NOTE: proxy_auth can't be used in a transparent/intercepting proxy
  1304. #         # as the browser needs to be configured for using a proxy in order
  1305. #         # to respond to proxy authentication.
  1306. #
  1307. #       acl aclname snmp_community string ...
  1308. #         # A community string to limit access to your SNMP Agent [fast]
  1309. #         # Example:
  1310. #         #
  1311. #         #     acl snmppublic snmp_community public
  1312. #
  1313. #       acl aclname maxconn number
  1314. #         # This will be matched when the client's IP address has
  1315. #         # more than <number> HTTP connections established. [fast]
  1316. #
  1317. #       acl aclname max_user_ip [-s] number
  1318. #         # This will be matched when the user attempts to log in from more
  1319. #         # than <number> different ip addresses. The authenticate_ip_ttl
  1320. #         # parameter controls the timeout on the ip entries. [fast]
  1321. #         # If -s is specified the limit is strict, denying browsing
  1322. #         # from any further IP addresses until the ttl has expired. Without
  1323. #         # -s Squid will just annoy the user by "randomly" denying requests.
  1324. #         # (the counter is reset each time the limit is reached and a
  1325. #         # request is denied)
  1326. #         # NOTE: in acceleration mode or where there is mesh of child proxies,
  1327. #         # clients may appear to come from multiple addresses if they are
  1328. #         # going through proxy farms, so a limit of 1 may cause user problems.
  1329. #
  1330. #       acl aclname req_mime_type [-i] mime-type ...
  1331. #         # regex match against the mime type of the request generated
  1332. #         # by the client. Can be used to detect file upload or some
  1333. #         # types HTTP tunneling requests [fast]
  1334. #         # NOTE: This does NOT match the reply. You cannot use this
  1335. #         # to match the returned file type.
  1336. #
  1337. #       acl aclname req_header header-name [-i] any\.regex\.here
  1338. #         # regex match against any of the known request headers.  May be
  1339. #         # thought of as a superset of "browser", "referer" and "mime-type"
  1340. #         # ACL [fast]
  1341. #
  1342. #       acl aclname rep_mime_type [-i] mime-type ...
  1343. #         # regex match against the mime type of the reply received by
  1344. #         # squid. Can be used to detect file download or some
  1345. #         # types HTTP tunneling requests. [fast]
  1346. #         # NOTE: This has no effect in http_access rules. It only has
  1347. #         # effect in rules that affect the reply data stream such as
  1348. #         # http_reply_access.
  1349. #
  1350. #       acl aclname rep_header header-name [-i] any\.regex\.here
  1351. #         # regex match against any of the known reply headers. May be
  1352. #         # thought of as a superset of "browser", "referer" and "mime-type"
  1353. #         # ACLs [fast]
  1354. #
  1355. #       acl aclname external class_name [arguments...]
  1356. #         # external ACL lookup via a helper class defined by the
  1357. #         # external_acl_type directive [slow]
  1358. #
  1359. #       acl aclname user_cert attribute values...
  1360. #         # match against attributes in a user SSL certificate
  1361. #         # attribute is one of DN/C/O/CN/L/ST [fast]
  1362. #
  1363. #       acl aclname ca_cert attribute values...
  1364. #         # match against attributes a users issuing CA SSL certificate
  1365. #         # attribute is one of DN/C/O/CN/L/ST [fast]
  1366. #
  1367. #       acl aclname ext_user username ...
  1368. #       acl aclname ext_user_regex [-i] pattern ...
  1369. #         # string match on username returned by external acl helper [slow]
  1370. #         # use REQUIRED to accept any non-null user name.
  1371. #
  1372. #       acl aclname tag tagvalue ...
  1373. #         # string match on tag returned by external acl helper [slow]
  1374. #
  1375. #       Examples:
  1376. #               acl macaddress arp 09:00:2b:23:45:67
  1377. #               acl myexample dst_as 1241
  1378. #               acl password proxy_auth REQUIRED
  1379. #               acl fileupload req_mime_type -i ^multipart/form-data$
  1380. #               acl javascript rep_mime_type -i ^application/x-javascript$
  1381. #
  1382. #Default:
  1383. # acl all src all
  1384. #
  1385. #
  1386. # Recommended minimum configuration:
  1387. #
  1388. acl manager proto cache_object
  1389. acl localhost src 127.0.0.1/32 ::1
  1390. acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
  1391.  
  1392. # Example rule allowing access from your local networks.
  1393. # Adapt to list your (internal) IP networks from where browsing
  1394. # should be allowed
  1395. #acl localnet src 10.0.0.0/8    # RFC1918 possible internal network
  1396. #acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
  1397. #acl localnet src 192.168.0.0/16        # RFC1918 possible internal network
  1398. #acl localnet src fc00::/7       # RFC 4193 local private network range
  1399. #acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
  1400.  
  1401. acl SSL_ports port 443
  1402. acl Safe_ports port 80          # http
  1403. acl Safe_ports port 21          # ftp
  1404. acl Safe_ports port 443         # https
  1405. acl Safe_ports port 70          # gopher
  1406. acl Safe_ports port 210         # wais
  1407. acl Safe_ports port 1025-65535  # unregistered ports
  1408. acl Safe_ports port 280         # http-mgmt
  1409. acl Safe_ports port 488         # gss-http
  1410. acl Safe_ports port 591         # filemaker
  1411. acl Safe_ports port 777         # multiling http
  1412. acl CONNECT method CONNECT
  1413.  
  1414. #  TAG: follow_x_forwarded_for
  1415. #       Allowing or Denying the X-Forwarded-For header to be followed to
  1416. #       find the original source of a request.
  1417. #
  1418. #       Requests may pass through a chain of several other proxies
  1419. #       before reaching us.  The X-Forwarded-For header will contain a
  1420. #       comma-separated list of the IP addresses in the chain, with the
  1421. #       rightmost address being the most recent.
  1422. #
  1423. #       If a request reaches us from a source that is allowed by this
  1424. #       configuration item, then we consult the X-Forwarded-For header
  1425. #       to see where that host received the request from.  If the
  1426. #       X-Forwarded-For header contains multiple addresses, we continue
  1427. #       backtracking until we reach an address for which we are not allowed
  1428. #       to follow the X-Forwarded-For header, or until we reach the first
  1429. #       address in the list. For the purpose of ACL used in the
  1430. #       follow_x_forwarded_for directive the src ACL type always matches
  1431. #       the address we are testing and srcdomain matches its rDNS.
  1432. #
  1433. #       The end result of this process is an IP address that we will
  1434. #       refer to as the indirect client address.  This address may
  1435. #       be treated as the client address for access control, ICAP, delay
  1436. #       pools and logging, depending on the acl_uses_indirect_client,
  1437. #       icap_uses_indirect_client, delay_pool_uses_indirect_client and
  1438. #       log_uses_indirect_client options.
  1439. #
  1440. #       This clause only supports fast acl types.
  1441. #       See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  1442. #
  1443. #       SECURITY CONSIDERATIONS:
  1444. #
  1445. #               Any host for which we follow the X-Forwarded-For header
  1446. #               can place incorrect information in the header, and Squid
  1447. #               will use the incorrect information as if it were the
  1448. #               source address of the request.  This may enable remote
  1449. #               hosts to bypass any access control restrictions that are
  1450. #               based on the client's source addresses.
  1451. #
  1452. #       For example:
  1453. #
  1454. #               acl localhost src 127.0.0.1
  1455. #               acl my_other_proxy srcdomain .proxy.example.com
  1456. #               follow_x_forwarded_for allow localhost
  1457. #               follow_x_forwarded_for allow my_other_proxy
  1458. #Default:
  1459. # follow_x_forwarded_for deny all
  1460.  
  1461. #  TAG: acl_uses_indirect_client        on|off
  1462. #       Controls whether the indirect client address
  1463. #       (see follow_x_forwarded_for) is used instead of the
  1464. #       direct client address in acl matching.
  1465. #Default:
  1466. # acl_uses_indirect_client on
  1467.  
  1468. #  TAG: delay_pool_uses_indirect_client on|off
  1469. #       Controls whether the indirect client address
  1470. #       (see follow_x_forwarded_for) is used instead of the
  1471. #       direct client address in delay pools.
  1472. #Default:
  1473. # delay_pool_uses_indirect_client on
  1474.  
  1475. #  TAG: log_uses_indirect_client        on|off
  1476. #       Controls whether the indirect client address
  1477. #       (see follow_x_forwarded_for) is used instead of the
  1478. #       direct client address in the access log.
  1479. #Default:
  1480. # log_uses_indirect_client on
  1481.  
  1482. #  TAG: http_access
  1483. #       Allowing or Denying access based on defined access lists
  1484. #
  1485. #       Access to the HTTP port:
  1486. #       http_access allow|deny [!]aclname ...
  1487. #
  1488. #       opposite of the last line in the list.  If the last line was
  1489. #       deny, the default is allow.  Conversely, if the last line
  1490. #       is allow, the default will be deny.  For these reasons, it is a
  1491. #       good idea to have an "deny all" entry at the end of your access
  1492. #       lists to avoid potential confusion.
  1493. #
  1494. #       This clause supports both fast and slow acl types.
  1495. #       See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  1496. #
  1497. #Default:
  1498. # http_access deny all
  1499. #
  1500.  
  1501. #
  1502. # Recommended minimum Access Permission configuration:
  1503. #
  1504. # Only allow cachemgr access from localhost
  1505. http_access allow manager localhost
  1506. http_access deny manager
  1507.  
  1508. # Deny requests to certain unsafe ports
  1509. http_access deny !Safe_ports
  1510.  
  1511. # Deny CONNECT to other than secure SSL ports
  1512. http_access deny CONNECT !SSL_ports
  1513.  
  1514. # We strongly recommend the following be uncommented to protect innocent
  1515. # web applications running on the proxy server who think the only
  1516. # one who can access services on "localhost" is a local user
  1517. #http_access deny to_localhost
  1518.  
  1519. #
  1520. # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
  1521. #
  1522.  
  1523. # Example rule allowing access from your local networks.
  1524. # Adapt localnet in the ACL section to list your (internal) IP networks
  1525. # from where browsing should be allowed
  1526. #http_access allow localnet
  1527. http_access allow localhost
  1528.  
  1529. # And finally deny all other access to this proxy
  1530. http_access deny all
  1531.  
  1532. #  TAG: adapted_http_access
  1533. #       Allowing or Denying access based on defined access lists
  1534. #
  1535. #       Essentially identical to http_access, but runs after redirectors
  1536. #       and ICAP/eCAP adaptation. Allowing access control based on their
  1537. #       output.
  1538. #
  1539. #       If not set then only http_access is used.
  1540. #Default:
  1541. # none
  1542.  
  1543. #  TAG: http_reply_access
  1544. #       Allow replies to client requests. This is complementary to http_access.
  1545. #
  1546. #       http_reply_access allow|deny [!] aclname ...
  1547. #
  1548. #       NOTE: if there are no access lines present, the default is to allow
  1549. #       all replies
  1550. #
  1551. #       If none of the access lines cause a match the opposite of the
  1552. #       last line will apply. Thus it is good practice to end the rules
  1553. #       with an "allow all" or "deny all" entry.
  1554. #
  1555. #       This clause supports both fast and slow acl types.
  1556. #       See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  1557. #Default:
  1558. # none
  1559.  
  1560. #  TAG: icp_access
  1561. #       Allowing or Denying access to the ICP port based on defined
  1562. #       access lists
  1563. #
  1564. #       icp_access  allow|deny [!]aclname ...
  1565. #
  1566. #       See http_access for details
  1567. #
  1568. #       This clause only supports fast acl types.
  1569. #       See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  1570. #
  1571. ## Allow ICP queries from local networks only
  1572. ##icp_access allow localnet
  1573. ##icp_access deny all
  1574. #Default:
  1575. # icp_access deny all
  1576.  
  1577. #  TAG: htcp_access
  1578. #       Allowing or Denying access to the HTCP port based on defined
  1579. #       access lists
  1580. #
  1581. #       htcp_access  allow|deny [!]aclname ...
  1582. #
  1583. #       See http_access for details
  1584. #
  1585. #       NOTE: The default if no htcp_access lines are present is to
  1586. #       deny all traffic. This default may cause problems with peers
  1587. #       using the htcp or htcp-oldsquid options.
  1588. #
  1589. #       This clause only supports fast acl types.
  1590. #       See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  1591. #
  1592. ## Allow HTCP queries from local networks only
  1593. ##htcp_access allow localnet
  1594. ##htcp_access deny all
  1595. #Default:
  1596. # htcp_access deny all
  1597.  
  1598. #  TAG: htcp_clr_access
  1599. #       Allowing or Denying access to purge content using HTCP based
  1600. #       on defined access lists
  1601. #
  1602. #       htcp_clr_access  allow|deny [!]aclname ...
  1603. #
  1604. #       See http_access for details
  1605. #
  1606. #       This clause only supports fast acl types.
  1607. #       See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  1608. #
  1609. ## Allow HTCP CLR requests from trusted peers
  1610. #acl htcp_clr_peer src 172.16.1.2
  1611. #htcp_clr_access allow htcp_clr_peer
  1612. #Default:
  1613. # htcp_clr_access deny all
  1614.  
  1615. #  TAG: miss_access
  1616. #       Use to force your neighbors to use you as a sibling instead of
  1617. #       a parent.  For example:
  1618. #
  1619. #               acl localclients src 172.16.0.0/16
  1620. #               miss_access allow localclients
  1621. #               miss_access deny  !localclients
  1622. #
  1623. #       This means only your local clients are allowed to fetch
  1624. #       MISSES and all other clients can only fetch HITS.
  1625. #
  1626. #       By default, allow all clients who passed the http_access rules
  1627. #       to fetch MISSES from us.
  1628. #
  1629. #       This clause only supports fast acl types.
  1630. #       See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  1631. #Default:
  1632. # miss_access allow all
  1633.  
  1634. #  TAG: ident_lookup_access
  1635. #       A list of ACL elements which, if matched, cause an ident
  1636. #       (RFC 931) lookup to be performed for this request.  For
  1637. #       example, you might choose to always perform ident lookups
  1638. #       for your main multi-user Unix boxes, but not for your Macs
  1639. #       and PCs.  By default, ident lookups are not performed for
  1640. #       any requests.
  1641. #
  1642. #       To enable ident lookups for specific client addresses, you
  1643. #       can follow this example:
  1644. #
  1645. #       acl ident_aware_hosts src 198.168.1.0/24
  1646. #       ident_lookup_access allow ident_aware_hosts
  1647. #       ident_lookup_access deny all
  1648. #
  1649. #       Only src type ACL checks are fully supported.  A srcdomain
  1650. #       ACL might work at times, but it will not always provide
  1651. #       the correct result.
  1652. #
  1653. #       This clause only supports fast acl types.
  1654. #       See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  1655. #Default:
  1656. # ident_lookup_access deny all
  1657.  
  1658. #  TAG: reply_body_max_size     size [acl acl...]
  1659. #       This option specifies the maximum size of a reply body. It can be
  1660. #       used to prevent users from downloading very large files, such as
  1661. #       MP3's and movies. When the reply headers are received, the
  1662. #       reply_body_max_size lines are processed, and the first line where
  1663. #       all (if any) listed ACLs are true is used as the maximum body size
  1664. #       for this reply.
  1665. #
  1666. #       This size is checked twice. First when we get the reply headers,
  1667. #       we check the content-length value.  If the content length value exists
  1668. #       and is larger than the allowed size, the request is denied and the
  1669. #       user receives an error message that says "the request or reply
  1670. #       is too large." If there is no content-length, and the reply
  1671. #       size exceeds this limit, the client's connection is just closed
  1672. #       and they will receive a partial reply.
  1673. #
  1674. #       WARNING: downstream caches probably can not detect a partial reply
  1675. #       if there is no content-length header, so they will cache
  1676. #       partial responses and give them out as hits.  You should NOT
  1677. #       use this option if you have downstream caches.
  1678. #
  1679. #       WARNING: A maximum size smaller than the size of squid's error messages
  1680. #       will cause an infinite loop and crash squid. Ensure that the smallest
  1681. #       non-zero value you use is greater that the maximum header size plus
  1682. #       the size of your largest error page.
  1683. #
  1684. #       If you set this parameter none (the default), there will be
  1685. #       no limit imposed.
  1686. #
  1687. #       Configuration Format is:
  1688. #               reply_body_max_size SIZE UNITS [acl ...]
  1689. #       ie.
  1690. #               reply_body_max_size 10 MB
  1691. #
  1692. #Default:
  1693. # none
  1694.  
  1695. # NETWORK OPTIONS
  1696. # -----------------------------------------------------------------------------
  1697.  
  1698. #  TAG: http_port
  1699. #       Usage:  port [options]
  1700. #               hostname:port [options]
  1701. #               1.2.3.4:port [options]
  1702. #
  1703. #       The socket addresses where Squid will listen for HTTP client
  1704. #       requests.  You may specify multiple socket addresses.
  1705. #       There are three forms: port alone, hostname with port, and
  1706. #       IP address with port.  If you specify a hostname or IP
  1707. #       address, Squid binds the socket to that specific
  1708. #       address.  This replaces the old 'tcp_incoming_address'
  1709. #       option.  Most likely, you do not need to bind to a specific
  1710. #       address, so you can use the port number alone.
  1711. #
  1712. #       If you are running Squid in accelerator mode, you
  1713. #       probably want to listen on port 80 also, or instead.
  1714. #
  1715. #       The -a command line option may be used to specify additional
  1716. #       port(s) where Squid listens for proxy request. Such ports will
  1717. #       be plain proxy ports with no options.
  1718. #
  1719. #       You may specify multiple socket addresses on multiple lines.
  1720. #
  1721. #       Options:
  1722. #
  1723. #          intercept    Support for IP-Layer interception of
  1724. #                       outgoing requests without browser settings.
  1725. #                       NP: disables authentication and IPv6 on the port.
  1726. #
  1727. #          tproxy       Support Linux TPROXY for spoofing outgoing
  1728. #                       connections using the client IP address.
  1729. #                       NP: disables authentication and maybe IPv6 on the port.
  1730. #
  1731. #          accel        Accelerator mode. Also needs at least one of
  1732. #                       vhost / vport / defaultsite.
  1733. #
  1734. #          allow-direct Allow direct forwarding in accelerator mode. Normally
  1735. #                       accelerated requests are denied direct forwarding as if
  1736. #                       never_direct was used.
  1737. #
  1738. #          defaultsite=domainname
  1739. #                       What to use for the Host: header if it is not present
  1740. #                       in a request. Determines what site (not origin server)
  1741. #                       accelerators should consider the default.
  1742. #                       Implies accel.
  1743. #
  1744. #          vhost        Accelerator mode using Host header for virtual
  1745. #                       domain support. Implies accel.
  1746. #
  1747. #          vport        Accelerator with IP based virtual host support.
  1748. #                       Implies accel.
  1749. #
  1750. #          vport=NN     As above, but uses specified port number rather
  1751. #                       than the http_port number. Implies accel.
  1752. #
  1753. #          protocol=    Protocol to reconstruct accelerated requests with.
  1754. #                       Defaults to http.
  1755. #
  1756. #          ignore-cc    Ignore request Cache-Control headers.
  1757. #
  1758. #                       Warning: This option violates HTTP specifications if
  1759. #                       used in non-accelerator setups.
  1760. #
  1761. #          connection-auth[=on|off]
  1762. #                       use connection-auth=off to tell Squid to prevent
  1763. #                       forwarding Microsoft connection oriented authentication
  1764. #                       (NTLM, Negotiate and Kerberos)
  1765. #
  1766. #          disable-pmtu-discovery=
  1767. #                       Control Path-MTU discovery usage:
  1768. #                           off         lets OS decide on what to do (default).
  1769. #                           transparent disable PMTU discovery when transparent
  1770. #                                       support is enabled.
  1771. #                           always      disable always PMTU discovery.
  1772. #
  1773. #                       In many setups of transparently intercepting proxies
  1774. #                       Path-MTU discovery can not work on traffic towards the
  1775. #                       clients. This is the case when the intercepting device
  1776. #                       does not fully track connections and fails to forward
  1777. #                       ICMP must fragment messages to the cache server. If you
  1778. #                       have such setup and experience that certain clients
  1779. #                       sporadically hang or never complete requests set
  1780. #                       disable-pmtu-discovery option to 'transparent'.
  1781. #
  1782. #          sslBump      Intercept each CONNECT request matching ssl_bump ACL,
  1783. #                       establish secure connection with the client and with
  1784. #                       the server, decrypt HTTP messages as they pass through
  1785. #                       Squid, and treat them as unencrypted HTTP messages,
  1786. #                       becoming the man-in-the-middle.
  1787. #
  1788. #                       When this option is enabled, additional options become
  1789. #                       available to specify SSL-related properties of the
  1790. #                       client-side connection: cert, key, version, cipher,
  1791. #                       options, clientca, cafile, capath, crlfile, dhparams,
  1792. #                       sslflags, and sslcontext. See the https_port directive
  1793. #                       for more information on these options.
  1794. #
  1795. #                       The ssl_bump option is required to fully enable
  1796. #                       the SslBump feature.
  1797. #
  1798. #          name=        Specifies a internal name for the port. Defaults to
  1799. #                       the port specification (port or addr:port)
  1800. #
  1801. #          tcpkeepalive[=idle,interval,timeout]
  1802. #                       Enable TCP keepalive probes of idle connections.
  1803. #                       In seconds; idle is the initial time before TCP starts
  1804. #                       probing the connection, interval how often to probe, and
  1805. #                       timeout the time before giving up.
  1806. #
  1807. #       If you run Squid on a dual-homed machine with an internal
  1808. #       and an external interface we recommend you to specify the
  1809. #       internal address:port in http_port. This way Squid will only be
  1810. #       visible on the internal address.
  1811. #
  1812. #
  1813.  
  1814. # Squid normally listens to port 3128
  1815. http_port 3128
  1816.  
  1817. #  TAG: https_port
  1818. # Note: This option is only available if Squid is rebuilt with the
  1819. #       --enable-ssl option
  1820. #
  1821. #       Usage:  [ip:]port cert=certificate.pem [key=key.pem] [options...]
  1822. #
  1823. #       The socket address where Squid will listen for HTTPS client
  1824. #       requests.
  1825. #
  1826. #       This is really only useful for situations where you are running
  1827. #       squid in accelerator mode and you want to do the SSL work at the
  1828. #       accelerator level.
  1829. #
  1830. #       You may specify multiple socket addresses on multiple lines,
  1831. #       each with their own SSL certificate and/or options.
  1832. #
  1833. #       Options:
  1834. #
  1835. #          accel        Accelerator mode. Also needs at least one of
  1836. #                       defaultsite or vhost.
  1837. #
  1838. #          defaultsite= The name of the https site presented on
  1839. #                       this port. Implies accel.
  1840. #
  1841. #          vhost        Accelerator mode using Host header for virtual
  1842. #                       domain support. Requires a wildcard certificate
  1843. #                       or other certificate valid for more than one domain.
  1844. #                       Implies accel.
  1845. #
  1846. #          protocol=    Protocol to reconstruct accelerated requests with.
  1847. #                       Defaults to https.
  1848. #
  1849. #          cert=        Path to SSL certificate (PEM format).
  1850. #
  1851. #          key=         Path to SSL private key file (PEM format)
  1852. #                       if not specified, the certificate file is
  1853. #                       assumed to be a combined certificate and
  1854. #                       key file.
  1855. #
  1856. #          version=     The version of SSL/TLS supported
  1857. #                           1   automatic (default)
  1858. #                           2   SSLv2 only
  1859. #                           3   SSLv3 only
  1860. #                           4   TLSv1 only
  1861. #
  1862. #          cipher=      Colon separated list of supported ciphers.
  1863. #
  1864. #          options=     Various SSL engine options. The most important
  1865. #                       being:
  1866. #                           NO_SSLv2  Disallow the use of SSLv2
  1867. #                           NO_SSLv3  Disallow the use of SSLv3
  1868. #                           NO_TLSv1  Disallow the use of TLSv1
  1869. #                           SINGLE_DH_USE Always create a new key when using
  1870. #                                     temporary/ephemeral DH key exchanges
  1871. #                       See src/ssl_support.c or OpenSSL SSL_CTX_set_options
  1872. #                       documentation for a complete list of options.
  1873. #
  1874. #          clientca=    File containing the list of CAs to use when
  1875. #                       requesting a client certificate.
  1876. #
  1877. #          cafile=      File containing additional CA certificates to
  1878. #                       use when verifying client certificates. If unset
  1879. #                       clientca will be used.
  1880. #
  1881. #          capath=      Directory containing additional CA certificates
  1882. #                       and CRL lists to use when verifying client certificates.
  1883. #
  1884. #          crlfile=     File of additional CRL lists to use when verifying
  1885. #                       the client certificate, in addition to CRLs stored in
  1886. #                       the capath. Implies VERIFY_CRL flag below.
  1887. #
  1888. #          dhparams=    File containing DH parameters for temporary/ephemeral
  1889. #                       DH key exchanges.
  1890. #
  1891. #          sslflags=    Various flags modifying the use of SSL:
  1892. #                           DELAYED_AUTH
  1893. #                               Don't request client certificates
  1894. #                               immediately, but wait until acl processing
  1895. #                               requires a certificate (not yet implemented).
  1896. #                           NO_DEFAULT_CA
  1897. #                               Don't use the default CA lists built in
  1898. #                               to OpenSSL.
  1899. #                           NO_SESSION_REUSE
  1900. #                               Don't allow for session reuse. Each connection
  1901. #                               will result in a new SSL session.
  1902. #                           VERIFY_CRL
  1903. #                               Verify CRL lists when accepting client
  1904. #                               certificates.
  1905. #                           VERIFY_CRL_ALL
  1906. #                               Verify CRL lists for all certificates in the
  1907. #                               client certificate chain.
  1908. #
  1909. #          sslcontext=  SSL session ID context identifier.
  1910. #
  1911. #          vport        Accelerator with IP based virtual host support.
  1912. #
  1913. #          vport=NN     As above, but uses specified port number rather
  1914. #                       than the https_port number. Implies accel.
  1915. #
  1916. #          name=        Specifies a internal name for the port. Defaults to
  1917. #                       the port specification (port or addr:port)
  1918. #
  1919. #Default:
  1920. # none
  1921.  
  1922. #  TAG: tcp_outgoing_tos
  1923. #       Allows you to select a TOS/Diffserv value to mark outgoing
  1924. #       connections with, based on the username or source address
  1925. #       making the request.
  1926. #
  1927. #       tcp_outgoing_tos ds-field [!]aclname ...
  1928. #
  1929. #       Example where normal_service_net uses the TOS value 0x00
  1930. #       and good_service_net uses 0x20
  1931. #
  1932. #       acl normal_service_net src 10.0.0.0/255.255.255.0
  1933. #       acl good_service_net src 10.0.1.0/255.255.255.0
  1934. #       tcp_outgoing_tos 0x00 normal_service_net
  1935. #       tcp_outgoing_tos 0x20 good_service_net
  1936. #
  1937. #       TOS/DSCP values really only have local significance - so you should
  1938. #       know what you're specifying. For more information, see RFC2474,
  1939. #       RFC2475, and RFC3260.
  1940. #
  1941. #       The TOS/DSCP byte must be exactly that - a octet value  0 - 255, or
  1942. #       "default" to use whatever default your host has. Note that in
  1943. #       practice often only values 0 - 63 is usable as the two highest bits
  1944. #       have been redefined for use by ECN (RFC3168).
  1945. #
  1946. #       Processing proceeds in the order specified, and stops at first fully
  1947. #       matching line.
  1948. #
  1949. #       Note: The use of this directive using client dependent ACLs is
  1950. #       incompatible with the use of server side persistent connections. To
  1951. #       ensure correct results it is best to set server_persisten_connections
  1952. #       to off when using this directive in such configurations.
  1953. #Default:
  1954. # none
  1955.  
  1956. #  TAG: clientside_tos
  1957. #       Allows you to select a TOS/Diffserv value to mark client-side
  1958. #       connections with, based on the username or source address
  1959. #       making the request.
  1960. #Default:
  1961. # none
  1962.  
  1963. #  TAG: qos_flows
  1964. # Note: This option is only available if Squid is rebuilt with the
  1965. #       --enable-zph-qos option
  1966. #
  1967. #       Allows you to select a TOS/DSCP value to mark outgoing
  1968. #       connections with, based on where the reply was sourced.
  1969. #
  1970. #       TOS values really only have local significance - so you should
  1971. #       know what you're specifying. For more information, see RFC2474,
  1972. #       RFC2475, and RFC3260.
  1973. #
  1974. #       "children" numberofchildren
  1975. #       The number of authenticator processes to spawn (no default).
  1976. #       If you start too few Squid will have to wait for them to
  1977. #       process a backlog of credential verifications, slowing it
  1978. #       down. When credential verifications are done via a (slow)
  1979. #       network you are likely to need lots of authenticator
  1980. #       processes.
  1981. #
  1982. #       auth_param ntlm children 5
  1983. #
  1984. #       "keep_alive" on|off
  1985. #       If you experience problems with PUT/POST requests when using the
  1986. #       Negotiate authentication scheme then you can try setting this to
  1987. #       off. This will cause Squid to forcibly close the connection on
  1988. #       the initial requests where the browser asks which schemes are
  1989. #       supported by the proxy.
  1990. #
  1991. #       auth_param ntlm keep_alive on
  1992. #
  1993. #       === Options for configuring the NEGOTIATE auth-scheme follow ===
  1994. #
  1995. #       "program" cmdline
  1996. #       Specify the command for the external Negotiate authenticator.
  1997. #       This protocol is used in Microsoft Active-Directory enabled setups with
  1998. #       the Microsoft Internet Explorer or Mozilla Firefox browsers.
  1999. #       Its main purpose is to exchange credentials with the Squid proxy
  2000. #       using the Kerberos mechanisms.
  2001. #       If you use a Negotiate authenticator, make sure you have at least
  2002. #       one acl of type proxy_auth active. By default, the negotiate
  2003. #       authenticator_program is not used.
  2004. #       The only supported program for this role is the ntlm_auth
  2005. #       program distributed as part of Samba, version 4 or later.
  2006. #
  2007. #       auth_param negotiate program /usr/lib/squid3/ntlm_auth --helper-protocol=gss-spnego
  2008. #
  2009. #       "children" numberofchildren
  2010. #       The number of authenticator processes to spawn (no default).
  2011. #       If you start too few Squid will have to wait for them to
  2012. #       process a backlog of credential verifications, slowing it
  2013. #       down. When crendential verifications are done via a (slow)
  2014. #       network you are likely to need lots of authenticator
  2015. #       processes.
  2016. #       auth_param negotiate children 5
  2017. #
  2018. #       "keep_alive" on|off
  2019. #       If you experience problems with PUT/POST requests when using the
  2020. #       Negotiate authentication scheme then you can try setting this to
  2021. #       off. This will cause Squid to forcibly close the connection on
  2022. #       the initial requests where the browser asks which schemes are
  2023. #       supported by the proxy.
  2024. #
  2025. #       auth_param negotiate keep_alive on
  2026. #
  2027. #      
  2028. #       Examples:
  2029. #
  2030. ##Recommended minimum configuration per scheme:
  2031. ##auth_param negotiate program <uncomment and complete this line to activate>
  2032. ##auth_param negotiate children 5
  2033. ##auth_param negotiate keep_alive on
  2034. ##
  2035. ##auth_param ntlm program <uncomment and complete this line to activate>
  2036. ##auth_param ntlm children 5
  2037. ##auth_param ntlm keep_alive on
  2038. ##
  2039. ##auth_param digest program <uncomment and complete this line>
  2040. ##auth_param digest children 5
  2041. ##auth_param digest realm Squid proxy-caching web server
  2042. ##auth_param digest nonce_garbage_interval 5 minutes
  2043. ##auth_param digest nonce_max_duration 30 minutes
  2044. ##auth_param digest nonce_max_count 50
  2045. ##
  2046. ##auth_param basic program <uncomment and complete this line>
  2047. ##auth_param basic children 5
  2048. ##auth_param basic realm Squid proxy-caching web server
  2049. ##auth_param basic credentialsttl 2 hours
  2050. #Default:
  2051. # none
  2052.  
  2053. #  TAG: authenticate_cache_garbage_interval
  2054. #       The time period between garbage collection across the username cache.
  2055. #       This is a tradeoff between memory utilization (long intervals - say
  2056. #       2 days) and CPU (short intervals - say 1 minute). Only change if you
  2057. #       have good reason to.
  2058. #Default:
  2059. # authenticate_cache_garbage_interval 1 hour
  2060.  
  2061. #  TAG: authenticate_ttl
  2062. #       The time a user & their credentials stay in the logged in
  2063. #
  2064. #       "children" numberofchildren
  2065. #       The number of authenticator processes to spawn (no default).
  2066. #       If you start too few Squid will have to wait for them to
  2067. #       process a backlog of credential verifications, slowing it
  2068. #       down. When credential verifications are done via a (slow)
  2069. #       network you are likely to need lots of authenticator
  2070. #       processes.
  2071. #
  2072. #       auth_param ntlm children 5
  2073. #
  2074. #       "keep_alive" on|off
  2075. #       If you experience problems with PUT/POST requests when using the
  2076. #       Negotiate authentication scheme then you can try setting this to
  2077. #       off. This will cause Squid to forcibly close the connection on
  2078. #       the initial requests where the browser asks which schemes are
  2079. #       supported by the proxy.
  2080. #
  2081. #       auth_param ntlm keep_alive on
  2082. #
  2083. #       === Options for configuring the NEGOTIATE auth-scheme follow ===
  2084. #
  2085. #       "program" cmdline
  2086. #       Specify the command for the external Negotiate authenticator.
  2087. #       This protocol is used in Microsoft Active-Directory enabled setups with
  2088. #       the Microsoft Internet Explorer or Mozilla Firefox browsers.
  2089. #       Its main purpose is to exchange credentials with the Squid proxy
  2090. #       using the Kerberos mechanisms.
  2091. #       If you use a Negotiate authenticator, make sure you have at least
  2092. #       one acl of type proxy_auth active. By default, the negotiate
  2093. #       authenticator_program is not used.
  2094. #       The only supported program for this role is the ntlm_auth
  2095. #       program distributed as part of Samba, version 4 or later.
  2096. #
  2097. #       auth_param negotiate program /usr/lib/squid3/ntlm_auth --helper-protocol=gss-spnego
  2098. #
  2099. #       "children" numberofchildren
  2100. #       The number of authenticator processes to spawn (no default).
  2101. #       If you start too few Squid will have to wait for them to
  2102. #       process a backlog of credential verifications, slowing it
  2103. #       down. When crendential verifications are done via a (slow)
  2104. #       network you are likely to need lots of authenticator
  2105. #       processes.
  2106. #       auth_param negotiate children 5
  2107. #
  2108. #       "keep_alive" on|off
  2109. #       If you experience problems with PUT/POST requests when using the
  2110. #       Negotiate authentication scheme then you can try setting this to
  2111. #       off. This will cause Squid to forcibly close the connection on
  2112. #       the initial requests where the browser asks which schemes are
  2113. #       supported by the proxy.
  2114. #
  2115. #       auth_param negotiate keep_alive on
  2116. #
  2117. #      
  2118. #       Examples:
  2119. #
  2120. ##Recommended minimum configuration per scheme:
  2121. ##auth_param negotiate program <uncomment and complete this line to activate>
  2122. ##auth_param negotiate children 5
  2123. ##auth_param negotiate keep_alive on
  2124. ##
  2125. ##auth_param ntlm program <uncomment and complete this line to activate>
  2126. ##auth_param ntlm children 5
  2127. ##auth_param ntlm keep_alive on
  2128. ##
  2129. ##auth_param digest program <uncomment and complete this line>
  2130. ##auth_param digest children 5
  2131. ##auth_param digest realm Squid proxy-caching web server
  2132. ##auth_param digest nonce_garbage_interval 5 minutes
  2133. ##auth_param digest nonce_max_duration 30 minutes
  2134. ##auth_param digest nonce_max_count 50
  2135. ##
  2136. ##auth_param basic program <uncomment and complete this line>
  2137. ##auth_param basic children 5
  2138. ##auth_param basic realm Squid proxy-caching web server
  2139. ##auth_param basic credentialsttl 2 hours
  2140. #Default:
  2141. # none
  2142.  
  2143. #  TAG: authenticate_cache_garbage_interval
  2144. #       The time period between garbage collection across the username cache.
  2145. #       This is a tradeoff between memory utilization (long intervals - say
  2146. #       2 days) and CPU (short intervals - say 1 minute). Only change if you
  2147. #       have good reason to.
  2148. #Default:
  2149. # authenticate_cache_garbage_interval 1 hour
  2150.  
  2151. #  TAG: authenticate_ttl
  2152. #       The time a user & their credentials stay in the logged in
  2153. #       user cache since their last request. When the garbage
  2154. #       interval passes, all user credentials that have passed their
  2155. #       TTL are removed from memory.
  2156. #Default:
  2157. # authenticate_ttl 1 hour
  2158.  
  2159. #  TAG: authenticate_ip_ttl
  2160. #       If you use proxy authentication and the 'max_user_ip' ACL,
  2161. #       this directive controls how long Squid remembers the IP
  2162. #       addresses associated with each user.  Use a small value
  2163. #       (e.g., 60 seconds) if your users might change addresses
  2164. #       quickly, as is the case with dialups.   You might be safe
  2165. #       using a larger value (e.g., 2 hours) in a corporate LAN
  2166. #       environment with relatively static address assignments.
  2167. #Default:
  2168. # authenticate_ip_ttl 0 seconds
  2169.  
  2170. # ACCESS CONTROLS
  2171. # -----------------------------------------------------------------------------
  2172.  
  2173. #  TAG: external_acl_type
  2174. #       This option defines external acl classes using a helper program
  2175. #       to look up the status
  2176. #
  2177. #         external_acl_type name [options] FORMAT.. /path/to/helper [helper arguments..]
  2178. #
  2179. #       Options:
  2180. #
  2181. #         ttl=n         TTL in seconds for cached results (defaults to 3600
  2182. #                       for 1 hour)
  2183. #         negative_ttl=n
  2184. #                       TTL for cached negative lookups (default same
  2185. #                       as ttl)
  2186. #         children=n    Number of acl helper processes spawn to service
  2187. #                       external acl lookups of this type. (default 5)
  2188. #         concurrency=n concurrency level per process. Only used with helpers
  2189. #                       capable of processing more than one query at a time.
  2190. #         cache=n       result cache size, 0 is unbounded (default)
  2191. #         grace=n       Percentage remaining of TTL where a refresh of a
  2192. #                       cached entry should be initiated without needing to
  2193. #                       wait for a new reply. (default 0 for no grace period)
  2194. #         protocol=2.5  Compatibility mode for Squid-2.5 external acl helpers
  2195. #         ipv4 / ipv6   IP-mode used to communicate to this helper.
  2196. #                       For compatability with older configurations and helpers
  2197. #                       the default is currently 'ipv4'.
  2198. #
  2199. #       FORMAT specifications
  2200. #
  2201. #         %LOGIN        Authenticated user login name
  2202. #         %EXT_USER     Username from external acl
  2203. #         %IDENT        Ident user name
  2204. #         %SRC          Client IP
  2205. #         %SRCPORT      Client source port
  2206. #         %URI          Requested URI
  2207. #         %DST          Requested host
  2208. #         %PROTO        Requested protocol
  2209. #         %PORT         Requested port
  2210. #         %PATH         Requested URL path
  2211. #         %METHOD       Request method
  2212. #         %MYADDR       Squid interface address
  2213. #         %MYPORT       Squid http_port number
  2214. #         %PATH         Requested URL-path (including query-string if any)
  2215. #         %USER_CERT    SSL User certificate in PEM format
  2216. #         %USER_CERTCHAIN SSL User certificate chain in PEM format
  2217. #         %USER_CERT_xx SSL User certificate subject attribute xx
  2218. #         %USER_CA_xx   SSL User certificate issuer attribute xx
  2219. #
  2220. #         %>{Header}    HTTP request header "Header"
  2221. #         %>{Hdr:member}
  2222. #                       HTTP request header "Hdr" list member "member"
  2223. #         %>{Hdr:;member}
  2224. #                       HTTP request header list member using ; as
  2225. #                       list separator. ; can be any non-alphanumeric
  2226. #                       character.
  2227. #
  2228. #         %<{Header}    HTTP reply header "Header"
  2229. #         %<{Hdr:member}
  2230. #                       HTTP reply header "Hdr" list member "member"
  2231. #         %<{Hdr:;member}
  2232. #                       HTTP reply header list member using ; as
  2233. #                       list separator. ; can be any non-alphanumeric
  2234. #                       character.
  2235. #
  2236. #       In addition to the above, any string specified in the referencing
  2237. #       acl will also be included in the helper request line, after the
  2238. #       specified formats (see the "acl external" directive)
  2239. #
  2240. #       The helper receives lines per the above format specification,
  2241. #       and returns lines starting with OK or ERR indicating the validity
  2242. #       of the request and optionally followed by additional keywords with
  2243. #       more details.
  2244. #
  2245. #       General result syntax:
  2246. #
  2247. #         OK/ERR keyword=value ...
  2248. #
  2249. #       Defined keywords:
  2250. #
  2251. #         user=         The users name (login)
  2252. #         password=     The users password (for login= cache_peer option)
  2253. #         message=      Message describing the reason. Available as %o
  2254. #                       in error pages
  2255. #         tag=          Apply a tag to a request (for both ERR and OK results)
  2256. #                       Only sets a tag, does not alter existing tags.
  2257. #         log=          String to be logged in access.log. Available as
  2258. #                       %ea in logformat specifications
  2259. #
  2260. #       If protocol=3.0 (the default) then URL escaping is used to protect
  2261. #       each value in both requests and responses.
  2262. #
  2263. #       If using protocol=2.5 then all values need to be enclosed in quotes
  2264. #       if they may contain whitespace, or the whitespace escaped using \.
  2265. #       And quotes or \ characters within the keyword value must be \ escaped.
  2266. #
  2267. #       When using the concurrency= option the protocol is changed by
  2268. #       introducing a query channel tag infront of the request/response.
  2269. #       The query channel tag is a number between 0 and concurrency-1.
  2270. #Default:
  2271. # none
  2272.  
  2273. #  TAG: acl
  2274. #       Defining an Access List
  2275. #
  2276. #       Every access list definition must begin with an aclname and acltype,
  2277. #       followed by either type-specific arguments or a quoted filename that
  2278. #       they are read from.
  2279. #
  2280. #          acl aclname acltype argument ...
  2281. #          acl aclname acltype "file" ...
  2282. #
  2283. #       When using "file", the file should contain one item per line.
  2284. #
  2285. #       By default, regular expressions are CASE-SENSITIVE.  To make
  2286. #       them case-insensitive, use the -i option.
  2287. #
  2288. #       Some acl types require suspending the current request in order
  2289. #       to access some external data source.
  2290. #       Those which do are marked with the tag [slow], those which
  2291. #       don't are marked as [fast].
  2292. #       See http://wiki.squid-cache.org/SquidFaq/SquidAcl
  2293. #       for further information
  2294. #
  2295. #       ***** ACL TYPES AVAILABLE *****
  2296. #
  2297. #       acl aclname src ip-address/netmask ...  # clients IP address [fast]
  2298. #       acl aclname src addr1-addr2/netmask ... # range of addresses [fast]
  2299. #       acl aclname dst ip-address/netmask ...  # URL host's IP address [slow]
  2300. #       acl aclname myip ip-address/netmask ... # local socket IP address [fast]
  2301. #
  2302. #       acl aclname arp      mac-address ... (xx:xx:xx:xx:xx:xx notation)
  2303. #         # The arp ACL requires the special configure option --enable-arp-acl.
  2304. #         # Furthermore, the ARP ACL code is not portable to all operating systems.
  2305. #         # It works on Linux, Solaris, Windows, FreeBSD, and some
  2306. #         # other *BSD variants.
  2307. #         # [fast]
  2308. #         #
  2309. #         # NOTE: Squid can only determine the MAC address for clients that are on
  2310. #         # the same subnet. If the client is on a different subnet,
  2311. #         # then Squid cannot find out its MAC address.
  2312. #
  2313. #       acl aclname srcdomain   .foo.com ...
  2314. #         # reverse lookup, from client IP [slow]
  2315. #       acl aclname dstdomain   .foo.com ...
  2316. #         # Destination server from URL [fast]
  2317. #       acl aclname srcdom_regex [-i] \.foo\.com ...
  2318. #         # regex matching client name [slow]
  2319. #       acl aclname dstdom_regex [-i] \.foo\.com ...
  2320. #         # regex matching server [fast]
  2321. #         #
  2322. #         # For dstdomain and dstdom_regex a reverse lookup is tried if a IP
  2323. #         # based URL is used and no match is found. The name "none" is used
  2324. #         # if the reverse lookup fails.
  2325. #
  2326. #       acl aclname src_as number ...
  2327. #       acl aclname dst_as number ...
  2328. #         # [fast]
  2329. #         # Except for access control, AS numbers can be used for
  2330. #         # routing of requests to specific caches. Here's an
  2331. #         # example for routing all requests for AS#1241 and only
  2332. #         # those to mycache.mydomain.net:
  2333. #         # acl asexample dst_as 1241
  2334. #         # cache_peer_access mycache.mydomain.net allow asexample
  2335. #         # cache_peer_access mycache_mydomain.net deny all
  2336. #
  2337. #       acl aclname peername myPeer ...
  2338. #         # [fast]
  2339. #         # match against a named cache_peer entry
  2340. #         # set unique name= on cache_peer lines for reliable use.
  2341. #
  2342. #       acl aclname time [day-abbrevs] [h1:m1-h2:m2]
  2343. #         # [fast]
  2344. #         #  day-abbrevs:
  2345. #         #     S - Sunday
  2346. #         #     M - Monday
  2347. #         #     T - Tuesday
  2348. #         #     W - Wednesday
  2349. #         #     H - Thursday
  2350. #         #     F - Friday
  2351. #         #     A - Saturday
  2352. #         #  h1:m1 must be less than h2:m2
  2353. #
  2354. #       acl aclname url_regex [-i] ^http:// ...
  2355. #         # regex matching on whole URL [fast]
  2356. #       acl aclname urlpath_regex [-i] \.gif$ ...
  2357. #         # regex matching on URL path [fast]
  2358. #
  2359. #       acl aclname port 80 70 21 0-1024...   # destination TCP port [fast]
  2360. #                                             # ranges are alloed
  2361. #       acl aclname myport 3128 ...               # local socket TCP port [fast]
  2362. #       acl aclname myportname 3128 ...       # http(s)_port name [fast]
  2363. #
  2364. #       acl aclname proto HTTP FTP ...        # request protocol [fast]
  2365. #
  2366. #       acl aclname method GET POST ...       # HTTP request method [fast]
  2367. #
  2368. #       acl aclname http_status 200 301 500- 400-403 ...
  2369. #         # status code in reply [fast]
  2370. #
  2371. #       acl aclname browser [-i] regexp ...
  2372. #         # pattern match on User-Agent header (see also req_header below) [fast]
  2373. #
  2374. #       acl aclname referer_regex [-i] regexp ...
  2375. #         # pattern match on Referer header [fast]
  2376. #         # Referer is highly unreliable, so use with care
  2377. #
  2378. #       acl aclname ident username ...
  2379. #       acl aclname ident_regex [-i] pattern ...
  2380. #         # string match on ident output [slow]
  2381. #         # use REQUIRED to accept any non-null ident.
  2382. #
  2383. #       acl aclname proxy_auth [-i] username ...
  2384. #       acl aclname proxy_auth_regex [-i] pattern ...
  2385. #         # perform http authentication challenge to the client and match against
  2386. #         # supplied credentials [slow]
  2387. #         #
  2388. #         # takes a list of allowed usernames.
  2389. #         # use REQUIRED to accept any valid username.
  2390. #         #
  2391. #         # Will use proxy authentication in forward-proxy scenarios, and plain
  2392. #         # http authenticaiton in reverse-proxy scenarios
  2393. #         #
  2394. #         # NOTE: when a Proxy-Authentication header is sent but it is not
  2395. #         # needed during ACL checking the username is NOT logged
  2396. #         # in access.log.
  2397. #         #
  2398. #         # NOTE: proxy_auth requires a EXTERNAL authentication program
  2399. #         # to check username/password combinations (see
  2400. #         # auth_param directive).
  2401. #         #
  2402. #         # NOTE: proxy_auth can't be used in a transparent/intercepting proxy
  2403. #         # as the browser needs to be configured for using a proxy in order
  2404. #         # to respond to proxy authentication.
  2405. #
  2406. #       acl aclname snmp_community string ...
  2407. #         # A community string to limit access to your SNMP Agent [fast]
  2408. #         # Example:
  2409. #         #
  2410. #         #     acl snmppublic snmp_community public
  2411. #
  2412. #       acl aclname maxconn number
  2413. #         # This will be matched when the client's IP address has
  2414. #         # more than <number> HTTP connections established. [fast]
  2415. #
  2416. #       acl aclname max_user_ip [-s] number
  2417. #         # This will be matched when the user attempts to log in from more
  2418. #         # than <number> different ip addresses. The authenticate_ip_ttl
  2419. #         # parameter controls the timeout on the ip entries. [fast]
  2420. #         # If -s is specified the limit is strict, denying browsing
  2421. #         # from any further IP addresses until the ttl has expired. Without
  2422. #         # -s Squid will just annoy the user by "randomly" denying requests.
  2423. #         # (the counter is reset each time the limit is reached and a
  2424. #         # request is denied)
  2425. #         # NOTE: in acceleration mode or where there is mesh of child proxies,
  2426. #         # clients may appear to come from multiple addresses if they are
  2427. #         # going through proxy farms, so a limit of 1 may cause user problems.
  2428. #
  2429. #       acl aclname req_mime_type [-i] mime-type ...
  2430. #         # regex match against the mime type of the request generated
  2431. #         # by the client. Can be used to detect file upload or some
  2432. #         # types HTTP tunneling requests [fast]
  2433. #         # NOTE: This does NOT match the reply. You cannot use this
  2434. #         # to match the returned file type.
  2435. #
  2436. #       acl aclname req_header header-name [-i] any\.regex\.here
  2437. #         # regex match against any of the known request headers.  May be
  2438. #         # thought of as a superset of "browser", "referer" and "mime-type"
  2439. #         # ACL [fast]
  2440. #
  2441. #       acl aclname rep_mime_type [-i] mime-type ...
  2442. #         # regex match against the mime type of the reply received by
  2443. #         # squid. Can be used to detect file download or some
  2444. #         # types HTTP tunneling requests. [fast]
  2445. #         # NOTE: This has no effect in http_access rules. It only has
  2446. #         # effect in rules that affect the reply data stream such as
  2447. #         # http_reply_access.
  2448. #
  2449. #       acl aclname rep_header header-name [-i] any\.regex\.here
  2450. #         # regex match against any of the known reply headers. May be
  2451. #         # thought of as a superset of "browser", "referer" and "mime-type"
  2452. #         # ACLs [fast]
  2453. #
  2454. #       acl aclname external class_name [arguments...]
  2455. #         # external ACL lookup via a helper class defined by the
  2456. #         # external_acl_type directive [slow]
  2457. #
  2458. #       acl aclname user_cert attribute values...
  2459. #         # match against attributes in a user SSL certificate
  2460. #         # attribute is one of DN/C/O/CN/L/ST [fast]
  2461. #
  2462. #       acl aclname ca_cert attribute values...
  2463. #         # match against attributes a users issuing CA SSL certificate
  2464. #         # attribute is one of DN/C/O/CN/L/ST [fast]
  2465. #
  2466. #       acl aclname ext_user username ...
  2467. #       acl aclname ext_user_regex [-i] pattern ...
  2468. #         # string match on username returned by external acl helper [slow]
  2469. #         # use REQUIRED to accept any non-null user name.
  2470. #
  2471. #       acl aclname tag tagvalue ...
  2472. #         # string match on tag returned by external acl helper [slow]
  2473. #
  2474. #       Examples:
  2475. #               acl macaddress arp 09:00:2b:23:45:67
  2476. #               acl myexample dst_as 1241
  2477. #               acl password proxy_auth REQUIRED
  2478. #               acl fileupload req_mime_type -i ^multipart/form-data$
  2479. #               acl javascript rep_mime_type -i ^application/x-javascript$
  2480. #
  2481. #Default:
  2482. # acl all src all
  2483. #
  2484. #
  2485. # Recommended minimum configuration:
  2486. #
  2487. acl manager proto cache_object
  2488. acl localhost src 127.0.0.1/32 ::1
  2489. acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
  2490.  
  2491. # Example rule allowing access from your local networks.
  2492. # Adapt to list your (internal) IP networks from where browsing
  2493. # should be allowed
  2494. #acl localnet src 10.0.0.0/8    # RFC1918 possible internal network
  2495. #acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
  2496. #acl localnet src 192.168.0.0/16        # RFC1918 possible internal network
  2497. #acl localnet src fc00::/7       # RFC 4193 local private network range
  2498. #acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
  2499.  
  2500. acl SSL_ports port 443
  2501. acl Safe_ports port 80          # http
  2502. acl Safe_ports port 21          # ftp
  2503. acl Safe_ports port 443         # https
  2504. acl Safe_ports port 70          # gopher
  2505. acl Safe_ports port 210         # wais
  2506. acl Safe_ports port 1025-65535  # unregistered ports
  2507. acl Safe_ports port 280         # http-mgmt
  2508. acl Safe_ports port 488         # gss-http
  2509. acl Safe_ports port 591         # filemaker
  2510. acl Safe_ports port 777         # multiling http
  2511. acl CONNECT method CONNECT
  2512.  
  2513. #  TAG: follow_x_forwarded_for
  2514. #       Allowing or Denying the X-Forwarded-For header to be followed to
  2515. #       find the original source of a request.
  2516. #
  2517. #       Requests may pass through a chain of several other proxies
  2518. #       before reaching us.  The X-Forwarded-For header will contain a
  2519. #       comma-separated list of the IP addresses in the chain, with the
  2520. #       rightmost address being the most recent.
  2521. #
  2522. #       If a request reaches us from a source that is allowed by this
  2523. #       configuration item, then we consult the X-Forwarded-For header
  2524. #       to see where that host received the request from.  If the
  2525. #       X-Forwarded-For header contains multiple addresses, we continue
  2526. #       backtracking until we reach an address for which we are not allowed
  2527. #       to follow the X-Forwarded-For header, or until we reach the first
  2528. #       address in the list. For the purpose of ACL used in the
  2529. #       follow_x_forwarded_for directive the src ACL type always matches
  2530. #       the address we are testing and srcdomain matches its rDNS.
  2531. #
  2532. #       The end result of this process is an IP address that we will
  2533. #       refer to as the indirect client address.  This address may
  2534. #       be treated as the client address for access control, ICAP, delay
  2535. #       pools and logging, depending on the acl_uses_indirect_client,
  2536. #       icap_uses_indirect_client, delay_pool_uses_indirect_client and
  2537. #       log_uses_indirect_client options.
  2538. #
  2539. #       This clause only supports fast acl types.
  2540. #       See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  2541. #
  2542. #       SECURITY CONSIDERATIONS:
  2543. #
  2544. #               Any host for which we follow the X-Forwarded-For header
  2545. #               can place incorrect information in the header, and Squid
  2546. #               will use the incorrect information as if it were the
  2547. #               source address of the request.  This may enable remote
  2548. #               hosts to bypass any access control restrictions that are
  2549. #               based on the client's source addresses.
  2550. #
  2551. #       For example:
  2552. #
  2553. #               acl localhost src 127.0.0.1
  2554. #               acl my_other_proxy srcdomain .proxy.example.com
  2555. #               follow_x_forwarded_for allow localhost
  2556. #               follow_x_forwarded_for allow my_other_proxy
  2557. #Default:
  2558. # follow_x_forwarded_for deny all
  2559.  
  2560. #  TAG: acl_uses_indirect_client        on|off
  2561. #       Controls whether the indirect client address
  2562. #       (see follow_x_forwarded_for) is used instead of the
  2563. #       direct client address in acl matching.
  2564. #Default:
  2565. # acl_uses_indirect_client on
  2566.  
  2567. #  TAG: delay_pool_uses_indirect_client on|off
  2568. #       Controls whether the indirect client address
  2569. #       (see follow_x_forwarded_for) is used instead of the
  2570. #       direct client address in delay pools.
  2571. #Default:
  2572. # delay_pool_uses_indirect_client on
  2573.  
  2574. #  TAG: log_uses_indirect_client        on|off
  2575. #       Controls whether the indirect client address
  2576. #       (see follow_x_forwarded_for) is used instead of the
  2577. #       direct client address in the access log.
  2578. #Default:
  2579. # log_uses_indirect_client on
  2580.  
  2581. #  TAG: http_access
  2582. #       Allowing or Denying access based on defined access lists
  2583. #
  2584. #       Access to the HTTP port:
  2585. #       http_access allow|deny [!]aclname ...
  2586. #
  2587. #       opposite of the last line in the list.  If the last line was
  2588. #       deny, the default is allow.  Conversely, if the last line
  2589. #       is allow, the default will be deny.  For these reasons, it is a
  2590. #       good idea to have an "deny all" entry at the end of your access
  2591. #       lists to avoid potential confusion.
  2592. #
  2593. #       This clause supports both fast and slow acl types.
  2594. #       See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  2595. #
  2596. #Default:
  2597. # http_access deny all
  2598. #
  2599.  
  2600. #
  2601. # Recommended minimum Access Permission configuration:
  2602. #
  2603. # Only allow cachemgr access from localhost
  2604. http_access allow manager localhost
  2605. http_access deny manager
  2606.  
  2607. # Deny requests to certain unsafe ports
  2608. http_access deny !Safe_ports
  2609.  
  2610. # Deny CONNECT to other than secure SSL ports
  2611. http_access deny CONNECT !SSL_ports
  2612.  
  2613. # We strongly recommend the following be uncommented to protect innocent
  2614. # web applications running on the proxy server who think the only
  2615. # one who can access services on "localhost" is a local user
  2616. #http_access deny to_localhost
  2617.  
  2618. #
  2619. # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
  2620. #
  2621.  
  2622. # Example rule allowing access from your local networks.
  2623. # Adapt localnet in the ACL section to list your (internal) IP networks
  2624. # from where browsing should be allowed
  2625. #http_access allow localnet
  2626. http_access allow localhost
  2627.  
  2628. # And finally deny all other access to this proxy
  2629. http_access deny all
  2630.  
  2631. #  TAG: adapted_http_access
  2632. #       Allowing or Denying access based on defined access lists
  2633. #
  2634. #       Essentially identical to http_access, but runs after redirectors
  2635. #       and ICAP/eCAP adaptation. Allowing access control based on their
  2636. #       output.
  2637. #
  2638. #       If not set then only http_access is used.
  2639. #Default:
  2640. # none
  2641.  
  2642. #  TAG: http_reply_access
  2643. #       Allow replies to client requests. This is complementary to http_access.
  2644. #
  2645. #       http_reply_access allow|deny [!] aclname ...
  2646. #
  2647. #       NOTE: if there are no access lines present, the default is to allow
  2648. #       all replies
  2649. #
  2650. #       If none of the access lines cause a match the opposite of the
  2651. #       last line will apply. Thus it is good practice to end the rules
  2652. #       with an "allow all" or "deny all" entry.
  2653. #
  2654. #       This clause supports both fast and slow acl types.
  2655. #       See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  2656. #Default:
  2657. # none
  2658.  
  2659. #  TAG: icp_access
  2660. #       Allowing or Denying access to the ICP port based on defined
  2661. #       access lists
  2662. #
  2663. #       icp_access  allow|deny [!]aclname ...
  2664. #
  2665. #       See http_access for details
  2666. #
  2667. #       This clause only supports fast acl types.
  2668. #       See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  2669. #
  2670. ## Allow ICP queries from local networks only
  2671. ##icp_access allow localnet
  2672. ##icp_access deny all
  2673. #Default:
  2674. # icp_access deny all
  2675.  
  2676. #  TAG: htcp_access
  2677. #       Allowing or Denying access to the HTCP port based on defined
  2678. #       access lists
  2679. #
  2680. #       htcp_access  allow|deny [!]aclname ...
  2681. #
  2682. #       See http_access for details
  2683. #
  2684. #       NOTE: The default if no htcp_access lines are present is to
  2685. #       deny all traffic. This default may cause problems with peers
  2686. #       using the htcp or htcp-oldsquid options.
  2687. #
  2688. #       This clause only supports fast acl types.
  2689. #       See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  2690. #
  2691. ## Allow HTCP queries from local networks only
  2692. ##htcp_access allow localnet
  2693. ##htcp_access deny all
  2694. #Default:
  2695. # htcp_access deny all
  2696.  
  2697. #  TAG: htcp_clr_access
  2698. #       Allowing or Denying access to purge content using HTCP based
  2699. #       on defined access lists
  2700. #
  2701. #       htcp_clr_access  allow|deny [!]aclname ...
  2702. #
  2703. #       See http_access for details
  2704. #
  2705. #       This clause only supports fast acl types.
  2706. #       See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  2707. #
  2708. ## Allow HTCP CLR requests from trusted peers
  2709. #acl htcp_clr_peer src 172.16.1.2
  2710. #htcp_clr_access allow htcp_clr_peer
  2711. #Default:
  2712. # htcp_clr_access deny all
  2713.  
  2714. #  TAG: miss_access
  2715. #       Use to force your neighbors to use you as a sibling instead of
  2716. #       a parent.  For example:
  2717. #
  2718. #               acl localclients src 172.16.0.0/16
  2719. #               miss_access allow localclients
  2720. #               miss_access deny  !localclients
  2721. #
  2722. #       This means only your local clients are allowed to fetch
  2723. #       MISSES and all other clients can only fetch HITS.
  2724. #
  2725. #       By default, allow all clients who passed the http_access rules
  2726. #       to fetch MISSES from us.
  2727. #
  2728. #       This clause only supports fast acl types.
  2729. #       See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  2730. #Default:
  2731. # miss_access allow all
  2732.  
  2733. #  TAG: ident_lookup_access
  2734. #       A list of ACL elements which, if matched, cause an ident
  2735. #       (RFC 931) lookup to be performed for this request.  For
  2736. #       example, you might choose to always perform ident lookups
  2737. #       for your main multi-user Unix boxes, but not for your Macs
  2738. #       and PCs.  By default, ident lookups are not performed for
  2739. #       any requests.
  2740. #
  2741. #       To enable ident lookups for specific client addresses, you
  2742. #       can follow this example:
  2743. #
  2744. #       acl ident_aware_hosts src 198.168.1.0/24
  2745. #       ident_lookup_access allow ident_aware_hosts
  2746. #       ident_lookup_access deny all
  2747. #
  2748. #       Only src type ACL checks are fully supported.  A srcdomain
  2749. #       ACL might work at times, but it will not always provide
  2750. #       the correct result.
  2751. #
  2752. #       This clause only supports fast acl types.
  2753. #       See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  2754. #Default:
  2755. # ident_lookup_access deny all
  2756.  
  2757. #  TAG: reply_body_max_size     size [acl acl...]
  2758. #       This option specifies the maximum size of a reply body. It can be
  2759. #       used to prevent users from downloading very large files, such as
  2760. #       MP3's and movies. When the reply headers are received, the
  2761. #       reply_body_max_size lines are processed, and the first line where
  2762. #       all (if any) listed ACLs are true is used as the maximum body size
  2763. #       for this reply.
  2764. #
  2765. #       This size is checked twice. First when we get the reply headers,
  2766. #       we check the content-length value.  If the content length value exists
  2767. #       and is larger than the allowed size, the request is denied and the
  2768. #       user receives an error message that says "the request or reply
  2769. #       is too large." If there is no content-length, and the reply
  2770. #       size exceeds this limit, the client's connection is just closed
  2771. #       and they will receive a partial reply.
  2772. #
  2773. #       WARNING: downstream caches probably can not detect a partial reply
  2774. #       if there is no content-length header, so they will cache
  2775. #       partial responses and give them out as hits.  You should NOT
  2776. #       use this option if you have downstream caches.
  2777. #
  2778. #       WARNING: A maximum size smaller than the size of squid's error messages
  2779. #       will cause an infinite loop and crash squid. Ensure that the smallest
  2780. #       non-zero value you use is greater that the maximum header size plus
  2781. #       the size of your largest error page.
  2782. #
  2783. #       If you set this parameter none (the default), there will be
  2784. #       no limit imposed.
  2785. #
  2786. #       Configuration Format is:
  2787. #               reply_body_max_size SIZE UNITS [acl ...]
  2788. #       ie.
  2789. #               reply_body_max_size 10 MB
  2790. #
  2791. #Default:
  2792. # none
  2793.  
  2794. # NETWORK OPTIONS
  2795. # -----------------------------------------------------------------------------
  2796.  
  2797. #  TAG: http_port
  2798. #       Usage:  port [options]
  2799. #               hostname:port [options]
  2800. #               1.2.3.4:port [options]
  2801. #
  2802. #       The socket addresses where Squid will listen for HTTP client
  2803. #       requests.  You may specify multiple socket addresses.
  2804. #       There are three forms: port alone, hostname with port, and
  2805. #       IP address with port.  If you specify a hostname or IP
  2806. #       address, Squid binds the socket to that specific
  2807. #       address.  This replaces the old 'tcp_incoming_address'
  2808. #       option.  Most likely, you do not need to bind to a specific
  2809. #       address, so you can use the port number alone.
  2810. #
  2811. #       If you are running Squid in accelerator mode, you
  2812. #       probably want to listen on port 80 also, or instead.
  2813. #
  2814. #       The -a command line option may be used to specify additional
  2815. #       port(s) where Squid listens for proxy request. Such ports will
  2816. #       be plain proxy ports with no options.
  2817. #
  2818. #       You may specify multiple socket addresses on multiple lines.
  2819. #
  2820. #       Options:
  2821. #
  2822. #          intercept    Support for IP-Layer interception of
  2823. #                       outgoing requests without browser settings.
  2824. #                       NP: disables authentication and IPv6 on the port.
  2825. #
  2826. #          tproxy       Support Linux TPROXY for spoofing outgoing
  2827. #                       connections using the client IP address.
  2828. #                       NP: disables authentication and maybe IPv6 on the port.
  2829. #
  2830. #          accel        Accelerator mode. Also needs at least one of
  2831. #                       vhost / vport / defaultsite.
  2832. #
  2833. #          allow-direct Allow direct forwarding in accelerator mode. Normally
  2834. #                       accelerated requests are denied direct forwarding as if
  2835. #                       never_direct was used.
  2836. #
  2837. #          defaultsite=domainname
  2838. #                       What to use for the Host: header if it is not present
  2839. #                       in a request. Determines what site (not origin server)
  2840. #                       accelerators should consider the default.
  2841. #                       Implies accel.
  2842. #
  2843. #          vhost        Accelerator mode using Host header for virtual
  2844. #                       domain support. Implies accel.
  2845. #
  2846. #          vport        Accelerator with IP based virtual host support.
  2847. #                       Implies accel.
  2848. #
  2849. #          vport=NN     As above, but uses specified port number rather
  2850. #                       than the http_port number. Implies accel.
  2851. #
  2852. #          protocol=    Protocol to reconstruct accelerated requests with.
  2853. #                       Defaults to http.
  2854. #
  2855. #          ignore-cc    Ignore request Cache-Control headers.
  2856. #
  2857. #                       Warning: This option violates HTTP specifications if
  2858. #                       used in non-accelerator setups.
  2859. #
  2860. #          connection-auth[=on|off]
  2861. #                       use connection-auth=off to tell Squid to prevent
  2862. #                       forwarding Microsoft connection oriented authentication
  2863. #                       (NTLM, Negotiate and Kerberos)
  2864. #
  2865. #          disable-pmtu-discovery=
  2866. #                       Control Path-MTU discovery usage:
  2867. #                           off         lets OS decide on what to do (default).
  2868. #                           transparent disable PMTU discovery when transparent
  2869. #                                       support is enabled.
  2870. #                           always      disable always PMTU discovery.
  2871. #
  2872. #                       In many setups of transparently intercepting proxies
  2873. #                       Path-MTU discovery can not work on traffic towards the
  2874. #                       clients. This is the case when the intercepting device
  2875. #                       does not fully track connections and fails to forward
  2876. #                       ICMP must fragment messages to the cache server. If you
  2877. #                       have such setup and experience that certain clients
  2878. #                       sporadically hang or never complete requests set
  2879. #                       disable-pmtu-discovery option to 'transparent'.
  2880. #
  2881. #          sslBump      Intercept each CONNECT request matching ssl_bump ACL,
  2882. #                       establish secure connection with the client and with
  2883. #                       the server, decrypt HTTP messages as they pass through
  2884. #                       Squid, and treat them as unencrypted HTTP messages,
  2885. #                       becoming the man-in-the-middle.
  2886. #
  2887. #                       When this option is enabled, additional options become
  2888. #                       available to specify SSL-related properties of the
  2889. #                       client-side connection: cert, key, version, cipher,
  2890. #                       options, clientca, cafile, capath, crlfile, dhparams,
  2891. #                       sslflags, and sslcontext. See the https_port directive
  2892. #                       for more information on these options.
  2893. #
  2894. #                       The ssl_bump option is required to fully enable
  2895. #                       the SslBump feature.
  2896. #
  2897. #          name=        Specifies a internal name for the port. Defaults to
  2898. #                       the port specification (port or addr:port)
  2899. #
  2900. #          tcpkeepalive[=idle,interval,timeout]
  2901. #                       Enable TCP keepalive probes of idle connections.
  2902. #                       In seconds; idle is the initial time before TCP starts
  2903. #                       probing the connection, interval how often to probe, and
  2904. #                       timeout the time before giving up.
  2905. #
  2906. #       If you run Squid on a dual-homed machine with an internal
  2907. #       and an external interface we recommend you to specify the
  2908. #       internal address:port in http_port. This way Squid will only be
  2909. #       visible on the internal address.
  2910. #
  2911. #
  2912.  
  2913. # Squid normally listens to port 3128
  2914. http_port 3128
  2915.  
  2916. #  TAG: https_port
  2917. # Note: This option is only available if Squid is rebuilt with the
  2918. #       --enable-ssl option
  2919. #
  2920. #       Usage:  [ip:]port cert=certificate.pem [key=key.pem] [options...]
  2921. #
  2922. #       The socket address where Squid will listen for HTTPS client
  2923. #       requests.
  2924. #
  2925. #       This is really only useful for situations where you are running
  2926. #       squid in accelerator mode and you want to do the SSL work at the
  2927. #       accelerator level.
  2928. #
  2929. #       You may specify multiple socket addresses on multiple lines,
  2930. #       each with their own SSL certificate and/or options.
  2931. #
  2932. #       Options:
  2933. #
  2934. #          accel        Accelerator mode. Also needs at least one of
  2935. #                       defaultsite or vhost.
  2936. #
  2937. #          defaultsite= The name of the https site presented on
  2938. #                       this port. Implies accel.
  2939. #
  2940. #          vhost        Accelerator mode using Host header for virtual
  2941. #                       domain support. Requires a wildcard certificate
  2942. #                       or other certificate valid for more than one domain.
  2943. #                       Implies accel.
  2944. #
  2945. #          protocol=    Protocol to reconstruct accelerated requests with.
  2946. #                       Defaults to https.
  2947. #
  2948. #          cert=        Path to SSL certificate (PEM format).
  2949. #
  2950. #          key=         Path to SSL private key file (PEM format)
  2951. #                       if not specified, the certificate file is
  2952. #                       assumed to be a combined certificate and
  2953. #                       key file.
  2954. #
  2955. #          version=     The version of SSL/TLS supported
  2956. #                           1   automatic (default)
  2957. #                           2   SSLv2 only
  2958. #                           3   SSLv3 only
  2959. #                           4   TLSv1 only
  2960. #
  2961. #          cipher=      Colon separated list of supported ciphers.
  2962. #
  2963. #          options=     Various SSL engine options. The most important
  2964. #                       being:
  2965. #                           NO_SSLv2  Disallow the use of SSLv2
  2966. #                           NO_SSLv3  Disallow the use of SSLv3
  2967. #                           NO_TLSv1  Disallow the use of TLSv1
  2968. #                           SINGLE_DH_USE Always create a new key when using
  2969. #                                     temporary/ephemeral DH key exchanges
  2970. #                       See src/ssl_support.c or OpenSSL SSL_CTX_set_options
  2971. #                       documentation for a complete list of options.
  2972. #
  2973. #          clientca=    File containing the list of CAs to use when
  2974. #                       requesting a client certificate.
  2975. #
  2976. #          cafile=      File containing additional CA certificates to
  2977. #                       use when verifying client certificates. If unset
  2978. #                       clientca will be used.
  2979. #
  2980. #          capath=      Directory containing additional CA certificates
  2981. #                       and CRL lists to use when verifying client certificates.
  2982. #
  2983. #          crlfile=     File of additional CRL lists to use when verifying
  2984. #                       the client certificate, in addition to CRLs stored in
  2985. #                       the capath. Implies VERIFY_CRL flag below.
  2986. #
  2987. #          dhparams=    File containing DH parameters for temporary/ephemeral
  2988. #                       DH key exchanges.
  2989. #
  2990. #          sslflags=    Various flags modifying the use of SSL:
  2991. #                           DELAYED_AUTH
  2992. #                               Don't request client certificates
  2993. #                               immediately, but wait until acl processing
  2994. #                               requires a certificate (not yet implemented).
  2995. #                           NO_DEFAULT_CA
  2996. #                               Don't use the default CA lists built in
  2997. #                               to OpenSSL.
  2998. #                           NO_SESSION_REUSE
  2999. #                               Don't allow for session reuse. Each connection
  3000. #                               will result in a new SSL session.
  3001. #                           VERIFY_CRL
  3002. #                               Verify CRL lists when accepting client
  3003. #                               certificates.
  3004. #                           VERIFY_CRL_ALL
  3005. #                               Verify CRL lists for all certificates in the
  3006. #                               client certificate chain.
  3007. #
  3008. #          sslcontext=  SSL session ID context identifier.
  3009. #
  3010. #          vport        Accelerator with IP based virtual host support.
  3011. #
  3012. #          vport=NN     As above, but uses specified port number rather
  3013. #                       than the https_port number. Implies accel.
  3014. #
  3015. #          name=        Specifies a internal name for the port. Defaults to
  3016. #                       the port specification (port or addr:port)
  3017. #
  3018. #Default:
  3019. # none
  3020.  
  3021. #  TAG: tcp_outgoing_tos
  3022. #       Allows you to select a TOS/Diffserv value to mark outgoing
  3023. #       connections with, based on the username or source address
  3024. #       making the request.
  3025. #
  3026. #       tcp_outgoing_tos ds-field [!]aclname ...
  3027. #
  3028. #       Example where normal_service_net uses the TOS value 0x00
  3029. #       and good_service_net uses 0x20
  3030. #
  3031. #       acl normal_service_net src 10.0.0.0/255.255.255.0
  3032. #       acl good_service_net src 10.0.1.0/255.255.255.0
  3033. #       tcp_outgoing_tos 0x00 normal_service_net
  3034. #       tcp_outgoing_tos 0x20 good_service_net
  3035. #
  3036. #       TOS/DSCP values really only have local significance - so you should
  3037. #       know what you're specifying. For more information, see RFC2474,
  3038. #       RFC2475, and RFC3260.
  3039. #
  3040. #       The TOS/DSCP byte must be exactly that - a octet value  0 - 255, or
  3041. #       "default" to use whatever default your host has. Note that in
  3042. #       practice often only values 0 - 63 is usable as the two highest bits
  3043. #       have been redefined for use by ECN (RFC3168).
  3044. #
  3045. #       Processing proceeds in the order specified, and stops at first fully
  3046. #       matching line.
  3047. #
  3048. #       Note: The use of this directive using client dependent ACLs is
  3049. #       incompatible with the use of server side persistent connections. To
  3050. #       ensure correct results it is best to set server_persisten_connections
  3051. #       to off when using this directive in such configurations.
  3052. #Default:
  3053. # none
  3054.  
  3055. #  TAG: clientside_tos
  3056. #       Allows you to select a TOS/Diffserv value to mark client-side
  3057. #       connections with, based on the username or source address
  3058. #       making the request.
  3059. #Default:
  3060. # none
  3061.  
  3062. #  TAG: qos_flows
  3063. # Note: This option is only available if Squid is rebuilt with the
  3064. #       --enable-zph-qos option
  3065. #
  3066. #       Allows you to select a TOS/DSCP value to mark outgoing
  3067. #       connections with, based on where the reply was sourced.
  3068. #
  3069. #       TOS values really only have local significance - so you should
  3070. #       know what you're specifying. For more information, see RFC2474,
  3071. #       RFC2475, and RFC3260.
  3072. #
  3073. #       "children" numberofchildren
  3074. #       The number of authenticator processes to spawn (no default).
  3075. #       If you start too few Squid will have to wait for them to
  3076. #       process a backlog of credential verifications, slowing it
  3077. #       down. When credential verifications are done via a (slow)
  3078. #       network you are likely to need lots of authenticator
  3079. #       processes.
  3080. #
  3081. #       auth_param ntlm children 5
  3082. #
  3083. #       "keep_alive" on|off
  3084. #       If you experience problems with PUT/POST requests when using the
  3085. #       Negotiate authentication scheme then you can try setting this to
  3086. #       off. This will cause Squid to forcibly close the connection on
  3087. #       the initial requests where the browser asks which schemes are
  3088. #       supported by the proxy.
  3089. #
  3090. #       auth_param ntlm keep_alive on
  3091. #
  3092. #       === Options for configuring the NEGOTIATE auth-scheme follow ===
  3093. #
  3094. #       "program" cmdline
  3095. #       Specify the command for the external Negotiate authenticator.
  3096. #       This protocol is used in Microsoft Active-Directory enabled setups with
  3097. #       the Microsoft Internet Explorer or Mozilla Firefox browsers.
  3098. #       Its main purpose is to exchange credentials with the Squid proxy
  3099. #       using the Kerberos mechanisms.
  3100. #       If you use a Negotiate authenticator, make sure you have at least
  3101. #       one acl of type proxy_auth active. By default, the negotiate
  3102. #       authenticator_program is not used.
  3103. #       The only supported program for this role is the ntlm_auth
  3104. #       program distributed as part of Samba, version 4 or later.
  3105. #
  3106. #       auth_param negotiate program /usr/lib/squid3/ntlm_auth --helper-protocol=gss-spnego
  3107. #
  3108. #       "children" numberofchildren
  3109. #       The number of authenticator processes to spawn (no default).
  3110. #       If you start too few Squid will have to wait for them to
  3111. #       process a backlog of credential verifications, slowing it
  3112. #       down. When crendential verifications are done via a (slow)
  3113. #       network you are likely to need lots of authenticator
  3114. #       processes.
  3115. #       auth_param negotiate children 5
  3116. #
  3117. #       "keep_alive" on|off
  3118. #       If you experience problems with PUT/POST requests when using the
  3119. #       Negotiate authentication scheme then you can try setting this to
  3120. #       off. This will cause Squid to forcibly close the connection on
  3121. #       the initial requests where the browser asks which schemes are
  3122. #       supported by the proxy.
  3123. #
  3124. #       auth_param negotiate keep_alive on
  3125. #
  3126. #      
  3127. #       Examples:
  3128. #
  3129. ##Recommended minimum configuration per scheme:
  3130. ##auth_param negotiate program <uncomment and complete this line to activate>
  3131. ##auth_param negotiate children 5
  3132. ##auth_param negotiate keep_alive on
  3133. ##
  3134. ##auth_param ntlm program <uncomment and complete this line to activate>
  3135. ##auth_param ntlm children 5
  3136. ##auth_param ntlm keep_alive on
  3137. ##
  3138. ##auth_param digest program <uncomment and complete this line>
  3139. ##auth_param digest children 5
  3140. ##auth_param digest realm Squid proxy-caching web server
  3141. ##auth_param digest nonce_garbage_interval 5 minutes
  3142. ##auth_param digest nonce_max_duration 30 minutes
  3143. ##auth_param digest nonce_max_count 50
  3144. ##
  3145. ##auth_param basic program <uncomment and complete this line>
  3146. ##auth_param basic children 5
  3147. ##auth_param basic realm Squid proxy-caching web server
  3148. ##auth_param basic credentialsttl 2 hours
  3149. #Default:
  3150. # none
  3151.  
  3152. #  TAG: authenticate_cache_garbage_interval
  3153. #       The time period between garbage collection across the username cache.
  3154. #       This is a tradeoff between memory utilization (long intervals - say
  3155. #       2 days) and CPU (short intervals - say 1 minute). Only change if you
  3156. #       have good reason to.
  3157. #       user cache since their last request. When the garbage
  3158. #       interval passes, all user credentials that have passed their
  3159. #       TTL are removed from memory.
  3160. #Default:
  3161. # authenticate_ttl 1 hour
  3162.  
  3163. #  TAG: authenticate_ip_ttl
  3164. #       If you use proxy authentication and the 'max_user_ip' ACL,
  3165. #       this directive controls how long Squid remembers the IP
  3166. #       addresses associated with each user.  Use a small value
  3167. #       (e.g., 60 seconds) if your users might change addresses
  3168. #       quickly, as is the case with dialups.   You might be safe
  3169. #       using a larger value (e.g., 2 hours) in a corporate LAN
  3170. #       environment with relatively static address assignments.
  3171. #Default:
  3172. # authenticate_ip_ttl 0 seconds
  3173.  
  3174. # ACCESS CONTROLS
  3175. # -----------------------------------------------------------------------------
  3176.  
  3177. #  TAG: external_acl_type
  3178. #       This option defines external acl classes using a helper program
  3179. #       to look up the status
  3180. #
  3181. #         external_acl_type name [options] FORMAT.. /path/to/helper [helper arguments..]
  3182. #
  3183. #       Options:
  3184. #
  3185. #         ttl=n         TTL in seconds for cached results (defaults to 3600
  3186. #                       for 1 hour)
  3187. #         negative_ttl=n
  3188. #                       TTL for cached negative lookups (default same
  3189. #                       as ttl)
  3190. #         children=n    Number of acl helper processes spawn to service
  3191. #                       external acl lookups of this type. (default 5)
  3192. #         concurrency=n concurrency level per process. Only used with helpers
  3193. #                       capable of processing more than one query at a time.
  3194. #         cache=n       result cache size, 0 is unbounded (default)
  3195. #         grace=n       Percentage remaining of TTL where a refresh of a
  3196. #                       cached entry should be initiated without needing to
  3197. #                       wait for a new reply. (default 0 for no grace period)
  3198. #         protocol=2.5  Compatibility mode for Squid-2.5 external acl helpers
  3199. #         ipv4 / ipv6   IP-mode used to communicate to this helper.
  3200. #                       For compatability with older configurations and helpers
  3201. #                       the default is currently 'ipv4'.
  3202. #
  3203. #       FORMAT specifications
  3204. #
  3205. #         %LOGIN        Authenticated user login name
  3206. #         %EXT_USER     Username from external acl
  3207. #         %IDENT        Ident user name
  3208. #         %SRC          Client IP
  3209. #         %SRCPORT      Client source port
  3210. #         %URI          Requested URI
  3211. #         %DST          Requested host
  3212. #         %PROTO        Requested protocol
  3213. #         %PORT         Requested port
  3214. #         %PATH         Requested URL path
  3215. #         %METHOD       Request method
  3216. #         %MYADDR       Squid interface address
  3217. #         %MYPORT       Squid http_port number
  3218. #         %PATH         Requested URL-path (including query-string if any)
  3219. #         %USER_CERT    SSL User certificate in PEM format
  3220. #         %USER_CERTCHAIN SSL User certificate chain in PEM format
  3221. #         %USER_CERT_xx SSL User certificate subject attribute xx
  3222. #         %USER_CA_xx   SSL User certificate issuer attribute xx
  3223. #
  3224. #         %>{Header}    HTTP request header "Header"
  3225. #         %>{Hdr:member}
  3226. #                       HTTP request header "Hdr" list member "member"
  3227. #         %>{Hdr:;member}
  3228. #                       HTTP request header list member using ; as
  3229. #                       list separator. ; can be any non-alphanumeric
  3230. #                       character.
  3231. #
  3232. #         %<{Header}    HTTP reply header "Header"
  3233. #         %<{Hdr:member}
  3234. #                       HTTP reply header "Hdr" list member "member"
  3235. #         %<{Hdr:;member}
  3236. #                       HTTP reply header list member using ; as
  3237. #                       list separator. ; can be any non-alphanumeric
  3238. #                       character.
  3239. #
  3240. #       In addition to the above, any string specified in the referencing
  3241. #       acl will also be included in the helper request line, after the
  3242. #       specified formats (see the "acl external" directive)
  3243. #
  3244. #       The helper receives lines per the above format specification,
  3245. #       and returns lines starting with OK or ERR indicating the validity
  3246. #       of the request and optionally followed by additional keywords with
  3247. #       more details.
  3248. #
  3249. #       General result syntax:
  3250. #
  3251. #         OK/ERR keyword=value ...
  3252. #
  3253. #       Defined keywords:
  3254. #
  3255. #         user=         The users name (login)
  3256. #         password=     The users password (for login= cache_peer option)
  3257. #         message=      Message describing the reason. Available as %o
  3258. #                       in error pages
  3259. #         tag=          Apply a tag to a request (for both ERR and OK results)
  3260. #                       Only sets a tag, does not alter existing tags.
  3261. #         log=          String to be logged in access.log. Available as
  3262. #                       %ea in logformat specifications
  3263. #
  3264. #       If protocol=3.0 (the default) then URL escaping is used to protect
  3265. #       each value in both requests and responses.
  3266. #
  3267. #       If using protocol=2.5 then all values need to be enclosed in quotes
  3268. #       if they may contain whitespace, or the whitespace escaped using \.
  3269. #       And quotes or \ characters within the keyword value must be \ escaped.
  3270. #
  3271. #       When using the concurrency= option the protocol is changed by
  3272. #       introducing a query channel tag infront of the request/response.
  3273. #       The query channel tag is a number between 0 and concurrency-1.
  3274. #Default:
  3275. # none
  3276.  
  3277. #  TAG: acl
  3278. #       Defining an Access List
  3279. #
  3280. #       Every access list definition must begin with an aclname and acltype,
  3281. #       followed by either type-specific arguments or a quoted filename that
  3282. #       they are read from.
  3283. #
  3284. #          acl aclname acltype argument ...
  3285. #          acl aclname acltype "file" ...
  3286. #
  3287. #       When using "file", the file should contain one item per line.
  3288. #
  3289. #       By default, regular expressions are CASE-SENSITIVE.  To make
  3290. #       them case-insensitive, use the -i option.
  3291. #
  3292. #       Some acl types require suspending the current request in order
  3293. #       to access some external data source.
  3294. #       Those which do are marked with the tag [slow], those which
  3295. #       don't are marked as [fast].
  3296. #       See http://wiki.squid-cache.org/SquidFaq/SquidAcl
  3297. #       for further information
  3298. #
  3299. #       ***** ACL TYPES AVAILABLE *****
  3300. #
  3301. #       acl aclname src ip-address/netmask ...  # clients IP address [fast]
  3302. #       acl aclname src addr1-addr2/netmask ... # range of addresses [fast]
  3303. #       acl aclname dst ip-address/netmask ...  # URL host's IP address [slow]
  3304. #       acl aclname myip ip-address/netmask ... # local socket IP address [fast]
  3305. #
  3306. #       acl aclname arp      mac-address ... (xx:xx:xx:xx:xx:xx notation)
  3307. #         # The arp ACL requires the special configure option --enable-arp-acl.
  3308. #         # Furthermore, the ARP ACL code is not portable to all operating systems.
  3309. #         # It works on Linux, Solaris, Windows, FreeBSD, and some
  3310. #         # other *BSD variants.
  3311. #         # [fast]
  3312. #         #
  3313. #         # NOTE: Squid can only determine the MAC address for clients that are on
  3314. #         # the same subnet. If the client is on a different subnet,
  3315. #         # then Squid cannot find out its MAC address.
  3316. #
  3317. #       acl aclname srcdomain   .foo.com ...
  3318. #         # reverse lookup, from client IP [slow]
  3319. #       acl aclname dstdomain   .foo.com ...
  3320. #         # Destination server from URL [fast]
  3321. #       acl aclname srcdom_regex [-i] \.foo\.com ...
  3322. #         # regex matching client name [slow]
  3323. #       acl aclname dstdom_regex [-i] \.foo\.com ...
  3324. #         # regex matching server [fast]
  3325. #         #
  3326. #         # For dstdomain and dstdom_regex a reverse lookup is tried if a IP
  3327. #         # based URL is used and no match is found. The name "none" is used
  3328. #         # if the reverse lookup fails.
  3329. #
  3330. #       acl aclname src_as number ...
  3331. #       acl aclname dst_as number ...
  3332. #         # [fast]
  3333. #         # Except for access control, AS numbers can be used for
  3334. #         # routing of requests to specific caches. Here's an
  3335. #         # example for routing all requests for AS#1241 and only
  3336. #         # those to mycache.mydomain.net:
  3337. #         # acl asexample dst_as 1241
  3338. #         # cache_peer_access mycache.mydomain.net allow asexample
  3339. #         # cache_peer_access mycache_mydomain.net deny all
  3340. #
  3341. #       acl aclname peername myPeer ...
  3342. #         # [fast]
  3343. #         # match against a named cache_peer entry
  3344. #         # set unique name= on cache_peer lines for reliable use.
  3345. #
  3346. #       acl aclname time [day-abbrevs] [h1:m1-h2:m2]
  3347. #         # [fast]
  3348. #         #  day-abbrevs:
  3349. #         #     S - Sunday
  3350. #         #     M - Monday
  3351. #         #     T - Tuesday
  3352. #         #     W - Wednesday
  3353. #         #     H - Thursday
  3354. #         #     F - Friday
  3355. #         #     A - Saturday
  3356. #         #  h1:m1 must be less than h2:m2
  3357. #
  3358. #       acl aclname url_regex [-i] ^http:// ...
  3359. #         # regex matching on whole URL [fast]
  3360. #       acl aclname urlpath_regex [-i] \.gif$ ...
  3361. #         # regex matching on URL path [fast]
  3362. #
  3363. #       acl aclname port 80 70 21 0-1024...   # destination TCP port [fast]
  3364. #                                             # ranges are alloed
  3365. #       acl aclname myport 3128 ...               # local socket TCP port [fast]
  3366. #       acl aclname myportname 3128 ...       # http(s)_port name [fast]
  3367. #
  3368. #       acl aclname proto HTTP FTP ...        # request protocol [fast]
  3369. #
  3370. #       acl aclname method GET POST ...       # HTTP request method [fast]
  3371. #
  3372. #       acl aclname http_status 200 301 500- 400-403 ...
  3373. #         # status code in reply [fast]
  3374. #
  3375. #       acl aclname browser [-i] regexp ...
  3376. #         # pattern match on User-Agent header (see also req_header below) [fast]
  3377. #
  3378. #       acl aclname referer_regex [-i] regexp ...
  3379. #         # pattern match on Referer header [fast]
  3380. #         # Referer is highly unreliable, so use with care
  3381. #
  3382. #       acl aclname ident username ...
  3383. #       acl aclname ident_regex [-i] pattern ...
  3384. #         # string match on ident output [slow]
  3385. #         # use REQUIRED to accept any non-null ident.
  3386. #
  3387. #       acl aclname proxy_auth [-i] username ...
  3388. #       acl aclname proxy_auth_regex [-i] pattern ...
  3389. #         # perform http authentication challenge to the client and match against
  3390. #         # supplied credentials [slow]
  3391. #         #
  3392. #         # takes a list of allowed usernames.
  3393. #         # use REQUIRED to accept any valid username.
  3394. #         #
  3395. #         # Will use proxy authentication in forward-proxy scenarios, and plain
  3396. #         # http authenticaiton in reverse-proxy scenarios
  3397. #         #
  3398. #         # NOTE: when a Proxy-Authentication header is sent but it is not
  3399. #         # needed during ACL checking the username is NOT logged
  3400. #         # in access.log.
  3401. #         #
  3402. #         # NOTE: proxy_auth requires a EXTERNAL authentication program
  3403. #         # to check username/password combinations (see
  3404. #         # auth_param directive).
  3405. #         #
  3406. #         # NOTE: proxy_auth can't be used in a transparent/intercepting proxy
  3407. #         # as the browser needs to be configured for using a proxy in order
  3408. #         # to respond to proxy authentication.
  3409. #
  3410. #       acl aclname snmp_community string ...
  3411. #         # A community string to limit access to your SNMP Agent [fast]
  3412. #         # Example:
  3413. #         #
  3414. #         #     acl snmppublic snmp_community public
  3415. #
  3416. #       acl aclname maxconn number
  3417. #         # This will be matched when the client's IP address has
  3418. #         # more than <number> HTTP connections established. [fast]
  3419. #
  3420. #       acl aclname max_user_ip [-s] number
  3421. #         # This will be matched when the user attempts to log in from more
  3422. #         # than <number> different ip addresses. The authenticate_ip_ttl
  3423. #         # parameter controls the timeout on the ip entries. [fast]
  3424. #         # If -s is specified the limit is strict, denying browsing
  3425. #         # from any further IP addresses until the ttl has expired. Without
  3426. #         # -s Squid will just annoy the user by "randomly" denying requests.
  3427. #         # (the counter is reset each time the limit is reached and a
  3428. #         # request is denied)
  3429. #         # NOTE: in acceleration mode or where there is mesh of child proxies,
  3430. #         # clients may appear to come from multiple addresses if they are
  3431. #         # going through proxy farms, so a limit of 1 may cause user problems.
  3432. #
  3433. #       acl aclname req_mime_type [-i] mime-type ...
  3434. #         # regex match against the mime type of the request generated
  3435. #         # by the client. Can be used to detect file upload or some
  3436. #         # types HTTP tunneling requests [fast]
  3437. #         # NOTE: This does NOT match the reply. You cannot use this
  3438. #         # to match the returned file type.
  3439. #
  3440. #       acl aclname req_header header-name [-i] any\.regex\.here
  3441. #         # regex match against any of the known request headers.  May be
  3442. #         # thought of as a superset of "browser", "referer" and "mime-type"
  3443. #         # ACL [fast]
  3444. #
  3445. #       acl aclname rep_mime_type [-i] mime-type ...
  3446. #         # regex match against the mime type of the reply received by
  3447. #         # squid. Can be used to detect file download or some
  3448. #         # types HTTP tunneling requests. [fast]
  3449. #         # NOTE: This has no effect in http_access rules. It only has
  3450. #         # effect in rules that affect the reply data stream such as
  3451. #         # http_reply_access.
  3452. #
  3453. #       acl aclname rep_header header-name [-i] any\.regex\.here
  3454. #         # regex match against any of the known reply headers. May be
  3455. #         # thought of as a superset of "browser", "referer" and "mime-type"
  3456. #         # ACLs [fast]
  3457. #
  3458. #       acl aclname external class_name [arguments...]
  3459. #         # external ACL lookup via a helper class defined by the
  3460. #         # external_acl_type directive [slow]
  3461. #
  3462. #       acl aclname user_cert attribute values...
  3463. #         # match against attributes in a user SSL certificate
  3464. #         # attribute is one of DN/C/O/CN/L/ST [fast]
  3465. #
  3466. #       acl aclname ca_cert attribute values...
  3467. #         # match against attributes a users issuing CA SSL certificate
  3468. #         # attribute is one of DN/C/O/CN/L/ST [fast]
  3469. #
  3470. #       acl aclname ext_user username ...
  3471. #       acl aclname ext_user_regex [-i] pattern ...
  3472. #         # string match on username returned by external acl helper [slow]
  3473. #         # use REQUIRED to accept any non-null user name.
  3474. #
  3475. #       acl aclname tag tagvalue ...
  3476. #         # string match on tag returned by external acl helper [slow]
  3477. #
  3478. #       Examples:
  3479. #               acl macaddress arp 09:00:2b:23:45:67
  3480. #               acl myexample dst_as 1241
  3481. #               acl password proxy_auth REQUIRED
  3482. #               acl fileupload req_mime_type -i ^multipart/form-data$
  3483. #               acl javascript rep_mime_type -i ^application/x-javascript$
  3484. #
  3485. #Default:
  3486. # acl all src all
  3487. #
  3488. #
  3489. # Recommended minimum configuration:
  3490. #
  3491. acl manager proto cache_object
  3492. acl localhost src 127.0.0.1/32 ::1
  3493. acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
  3494.  
  3495. # Example rule allowing access from your local networks.
  3496. # Adapt to list your (internal) IP networks from where browsing
  3497. # should be allowed
  3498. #acl localnet src 10.0.0.0/8    # RFC1918 possible internal network
  3499. #acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
  3500. #acl localnet src 192.168.0.0/16        # RFC1918 possible internal network
  3501. #acl localnet src fc00::/7       # RFC 4193 local private network range
  3502. #acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
  3503.  
  3504. acl SSL_ports port 443
  3505. acl Safe_ports port 80          # http
  3506. acl Safe_ports port 21          # ftp
  3507. acl Safe_ports port 443         # https
  3508. acl Safe_ports port 70          # gopher
  3509. acl Safe_ports port 210         # wais
  3510. acl Safe_ports port 1025-65535  # unregistered ports
  3511. acl Safe_ports port 280         # http-mgmt
  3512. acl Safe_ports port 488         # gss-http
  3513. acl Safe_ports port 591         # filemaker
  3514. acl Safe_ports port 777         # multiling http
  3515. acl CONNECT method CONNECT
  3516.  
  3517. #  TAG: follow_x_forwarded_for
  3518. #       Allowing or Denying the X-Forwarded-For header to be followed to
  3519. #       find the original source of a request.
  3520. #
  3521. #       Requests may pass through a chain of several other proxies
  3522. #       before reaching us.  The X-Forwarded-For header will contain a
  3523. #       comma-separated list of the IP addresses in the chain, with the
  3524. #       rightmost address being the most recent.
  3525. #
  3526. #       If a request reaches us from a source that is allowed by this
  3527. #       configuration item, then we consult the X-Forwarded-For header
  3528. #       to see where that host received the request from.  If the
  3529. #       X-Forwarded-For header contains multiple addresses, we continue
  3530. #       backtracking until we reach an address for which we are not allowed
  3531. #       to follow the X-Forwarded-For header, or until we reach the first
  3532. #       address in the list. For the purpose of ACL used in the
  3533. #       follow_x_forwarded_for directive the src ACL type always matches
  3534. #       the address we are testing and srcdomain matches its rDNS.
  3535. #
  3536. #       The end result of this process is an IP address that we will
  3537. #       refer to as the indirect client address.  This address may
  3538. #       be treated as the client address for access control, ICAP, delay
  3539. #       pools and logging, depending on the acl_uses_indirect_client,
  3540. #       icap_uses_indirect_client, delay_pool_uses_indirect_client and
  3541. #       log_uses_indirect_client options.
  3542. #
  3543. #       This clause only supports fast acl types.
  3544. #       See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  3545. #
  3546. #       SECURITY CONSIDERATIONS:
  3547. #
  3548. #               Any host for which we follow the X-Forwarded-For header
  3549. #               can place incorrect information in the header, and Squid
  3550. #               will use the incorrect information as if it were the
  3551. #               source address of the request.  This may enable remote
  3552. #               hosts to bypass any access control restrictions that are
  3553. #               based on the client's source addresses.
  3554. #
  3555. #       For example:
  3556. #
  3557. #               acl localhost src 127.0.0.1
  3558. #               acl my_other_proxy srcdomain .proxy.example.com
  3559. #               follow_x_forwarded_for allow localhost
  3560. #               follow_x_forwarded_for allow my_other_proxy
  3561. #Default:
  3562. # follow_x_forwarded_for deny all
  3563.  
  3564. #  TAG: acl_uses_indirect_client        on|off
  3565. #       Controls whether the indirect client address
  3566. #       (see follow_x_forwarded_for) is used instead of the
  3567. #       direct client address in acl matching.
  3568. #Default:
  3569. # acl_uses_indirect_client on
  3570.  
  3571. #  TAG: delay_pool_uses_indirect_client on|off
  3572. #       Controls whether the indirect client address
  3573. #       (see follow_x_forwarded_for) is used instead of the
  3574. #       direct client address in delay pools.
  3575. #Default:
  3576. # delay_pool_uses_indirect_client on
  3577.  
  3578. #  TAG: log_uses_indirect_client        on|off
  3579. #       Controls whether the indirect client address
  3580. #       (see follow_x_forwarded_for) is used instead of the
  3581. #       direct client address in the access log.
  3582. #Default:
  3583. # log_uses_indirect_client on
  3584.  
  3585. #  TAG: http_access
  3586. #       Allowing or Denying access based on defined access lists
  3587. #
  3588. #       Access to the HTTP port:
  3589. #       http_access allow|deny [!]aclname ...
  3590. #
  3591. #       opposite of the last line in the list.  If the last line was
  3592. #       deny, the default is allow.  Conversely, if the last line
  3593. #       is allow, the default will be deny.  For these reasons, it is a
  3594. #       good idea to have an "deny all" entry at the end of your access
  3595. #       lists to avoid potential confusion.
  3596. #
  3597. #       This clause supports both fast and slow acl types.
  3598. #       See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  3599. #
  3600. #Default:
  3601. # http_access deny all
  3602. #
  3603.  
  3604. #
  3605. # Recommended minimum Access Permission configuration:
  3606. #
  3607. # Only allow cachemgr access from localhost
  3608. http_access allow manager localhost
  3609. http_access deny manager
  3610.  
  3611. # Deny requests to certain unsafe ports
  3612. http_access deny !Safe_ports
  3613.  
  3614. # Deny CONNECT to other than secure SSL ports
  3615. http_access deny CONNECT !SSL_ports
  3616.  
  3617. # We strongly recommend the following be uncommented to protect innocent
  3618. # web applications running on the proxy server who think the only
  3619. # one who can access services on "localhost" is a local user
  3620. #http_access deny to_localhost
  3621.  
  3622. #
  3623. # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
  3624. #
  3625.  
  3626. # Example rule allowing access from your local networks.
  3627. # Adapt localnet in the ACL section to list your (internal) IP networks
  3628. # from where browsing should be allowed
  3629. #http_access allow localnet
  3630. http_access allow localhost
  3631.  
  3632. # And finally deny all other access to this proxy
  3633. http_access deny all
  3634.  
  3635. #  TAG: adapted_http_access
  3636. #       Allowing or Denying access based on defined access lists
  3637. #
  3638. #       Essentially identical to http_access, but runs after redirectors
  3639. #       and ICAP/eCAP adaptation. Allowing access control based on their
  3640. #       output.
  3641. #
  3642. #       If not set then only http_access is used.
  3643. #Default:
  3644. # none
  3645.  
  3646. #  TAG: http_reply_access
  3647. #       Allow replies to client requests. This is complementary to http_access.
  3648. #
  3649. #       http_reply_access allow|deny [!] aclname ...
  3650. #
  3651. #       NOTE: if there are no access lines present, the default is to allow
  3652. #       all replies
  3653. #
  3654. #       If none of the access lines cause a match the opposite of the
  3655. #       last line will apply. Thus it is good practice to end the rules
  3656. #       with an "allow all" or "deny all" entry.
  3657. #
  3658. #       This clause supports both fast and slow acl types.
  3659. #       See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  3660. #Default:
  3661. # none
  3662.  
  3663. #  TAG: icp_access
  3664. #       Allowing or Denying access to the ICP port based on defined
  3665. #       access lists
  3666. #
  3667. #       icp_access  allow|deny [!]aclname ...
  3668. #
  3669. #       See http_access for details
  3670. #
  3671. #       This clause only supports fast acl types.
  3672. #       See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  3673. #
  3674. ## Allow ICP queries from local networks only
  3675. ##icp_access allow localnet
  3676. ##icp_access deny all
  3677. #Default:
  3678. # icp_access deny all
  3679.  
  3680. #  TAG: htcp_access
  3681. #       Allowing or Denying access to the HTCP port based on defined
  3682. #       access lists
  3683. #
  3684. #       htcp_access  allow|deny [!]aclname ...
  3685. #
  3686. #       See http_access for details
  3687. #
  3688. #       NOTE: The default if no htcp_access lines are present is to
  3689. #       deny all traffic. This default may cause problems with peers
  3690. #       using the htcp or htcp-oldsquid options.
  3691. #
  3692. #       This clause only supports fast acl types.
  3693. #       See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  3694. #
  3695. ## Allow HTCP queries from local networks only
  3696. ##htcp_access allow localnet
  3697. ##htcp_access deny all
  3698. #Default:
  3699. # htcp_access deny all
  3700.  
  3701. #  TAG: htcp_clr_access
  3702. #       Allowing or Denying access to purge content using HTCP based
  3703. #       on defined access lists
  3704. #
  3705. #       htcp_clr_access  allow|deny [!]aclname ...
  3706. #
  3707. #       See http_access for details
  3708. #
  3709. #       This clause only supports fast acl types.
  3710. #       See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  3711. #
  3712. ## Allow HTCP CLR requests from trusted peers
  3713. #acl htcp_clr_peer src 172.16.1.2
  3714. #htcp_clr_access allow htcp_clr_peer
  3715. #Default:
  3716. # htcp_clr_access deny all
  3717.  
  3718. #  TAG: miss_access
  3719. #       Use to force your neighbors to use you as a sibling instead of
  3720. #       a parent.  For example:
  3721. #
  3722. #               acl localclients src 172.16.0.0/16
  3723. #               miss_access allow localclients
  3724. #               miss_access deny  !localclients
  3725. #
  3726. #       This means only your local clients are allowed to fetch
  3727. #       MISSES and all other clients can only fetch HITS.
  3728. #
  3729. #       By default, allow all clients who passed the http_access rules
  3730. #       to fetch MISSES from us.
  3731. #
  3732. #       This clause only supports fast acl types.
  3733. #       See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  3734. #Default:
  3735. # miss_access allow all
  3736.  
  3737. #  TAG: ident_lookup_access
  3738. #       A list of ACL elements which, if matched, cause an ident
  3739. #       (RFC 931) lookup to be performed for this request.  For
  3740. #       example, you might choose to always perform ident lookups
  3741. #       for your main multi-user Unix boxes, but not for your Macs
  3742. #       and PCs.  By default, ident lookups are not performed for
  3743. #       any requests.
  3744. #
  3745. #       To enable ident lookups for specific client addresses, you
  3746. #       can follow this example:
  3747. #
  3748. #       acl ident_aware_hosts src 198.168.1.0/24
  3749. #       ident_lookup_access allow ident_aware_hosts
  3750. #       ident_lookup_access deny all
  3751. #
  3752. #       Only src type ACL checks are fully supported.  A srcdomain
  3753. #       ACL might work at times, but it will not always provide
  3754. #       the correct result.
  3755. #
  3756. #       This clause only supports fast acl types.
  3757. #       See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  3758. #Default:
  3759. # ident_lookup_access deny all
  3760.  
  3761. #  TAG: reply_body_max_size     size [acl acl...]
  3762. #       This option specifies the maximum size of a reply body. It can be
  3763. #       used to prevent users from downloading very large files, such as
  3764. #       MP3's and movies. When the reply headers are received, the
  3765. #       reply_body_max_size lines are processed, and the first line where
  3766. #       all (if any) listed ACLs are true is used as the maximum body size
  3767. #       for this reply.
  3768. #
  3769. #       This size is checked twice. First when we get the reply headers,
  3770. #       we check the content-length value.  If the content length value exists
  3771. #       and is larger than the allowed size, the request is denied and the
  3772. #       user receives an error message that says "the request or reply
  3773. #       is too large." If there is no content-length, and the reply
  3774. #       size exceeds this limit, the client's connection is just closed
  3775. #       and they will receive a partial reply.
  3776. #
  3777. #       WARNING: downstream caches probably can not detect a partial reply
  3778. #       if there is no content-length header, so they will cache
  3779. #       partial responses and give them out as hits.  You should NOT
  3780. #       use this option if you have downstream caches.
  3781. #
  3782. #       WARNING: A maximum size smaller than the size of squid's error messages
  3783. #       will cause an infinite loop and crash squid. Ensure that the smallest
  3784. #       non-zero value you use is greater that the maximum header size plus
  3785. #       the size of your largest error page.
  3786. #
  3787. #       If you set this parameter none (the default), there will be
  3788. #       no limit imposed.
  3789. #
  3790. #       Configuration Format is:
  3791. #               reply_body_max_size SIZE UNITS [acl ...]
  3792. #       ie.
  3793. #               reply_body_max_size 10 MB
  3794. #
  3795. #Default:
  3796. # none
  3797.  
  3798. # NETWORK OPTIONS
  3799. # -----------------------------------------------------------------------------
  3800.  
  3801. #  TAG: http_port
  3802. #       Usage:  port [options]
  3803. #               hostname:port [options]
  3804. #               1.2.3.4:port [options]
  3805. #
  3806. #       The socket addresses where Squid will listen for HTTP client
  3807. #       requests.  You may specify multiple socket addresses.
  3808. #       There are three forms: port alone, hostname with port, and
  3809. #       IP address with port.  If you specify a hostname or IP
  3810. #       address, Squid binds the socket to that specific
  3811. #       address.  This replaces the old 'tcp_incoming_address'
  3812. #       option.  Most likely, you do not need to bind to a specific
  3813. #       address, so you can use the port number alone.
  3814. #
  3815. #       If you are running Squid in accelerator mode, you
  3816. #       probably want to listen on port 80 also, or instead.
  3817. #
  3818. #       The -a command line option may be used to specify additional
  3819. #       port(s) where Squid listens for proxy request. Such ports will
  3820. #       be plain proxy ports with no options.
  3821. #
  3822. #       You may specify multiple socket addresses on multiple lines.
  3823. #
  3824. #       Options:
  3825. #
  3826. #          intercept    Support for IP-Layer interception of
  3827. #                       outgoing requests without browser settings.
  3828. #                       NP: disables authentication and IPv6 on the port.
  3829. #
  3830. #          tproxy       Support Linux TPROXY for spoofing outgoing
  3831. #                       connections using the client IP address.
  3832. #                       NP: disables authentication and maybe IPv6 on the port.
  3833. #
  3834. #          accel        Accelerator mode. Also needs at least one of
  3835. #                       vhost / vport / defaultsite.
  3836. #
  3837. #          allow-direct Allow direct forwarding in accelerator mode. Normally
  3838. #                       accelerated requests are denied direct forwarding as if
  3839. #                       never_direct was used.
  3840. #
  3841. #          defaultsite=domainname
  3842. #                       What to use for the Host: header if it is not present
  3843. #                       in a request. Determines what site (not origin server)
  3844. #                       accelerators should consider the default.
  3845. #                       Implies accel.
  3846. #
  3847. #          vhost        Accelerator mode using Host header for virtual
  3848. #                       domain support. Implies accel.
  3849. #
  3850. #          vport        Accelerator with IP based virtual host support.
  3851. #                       Implies accel.
  3852. #
  3853. #          vport=NN     As above, but uses specified port number rather
  3854. #                       than the http_port number. Implies accel.
  3855. #
  3856. #          protocol=    Protocol to reconstruct accelerated requests with.
  3857. #                       Defaults to http.
  3858. #
  3859. #          ignore-cc    Ignore request Cache-Control headers.
  3860. #
  3861. #                       Warning: This option violates HTTP specifications if
  3862. #                       used in non-accelerator setups.
  3863. #
  3864. #          connection-auth[=on|off]
  3865. #                       use connection-auth=off to tell Squid to prevent
  3866. #                       forwarding Microsoft connection oriented authentication
  3867. #                       (NTLM, Negotiate and Kerberos)
  3868. #
  3869. #          disable-pmtu-discovery=
  3870. #                       Control Path-MTU discovery usage:
  3871. #                           off         lets OS decide on what to do (default).
  3872. #                           transparent disable PMTU discovery when transparent
  3873. #                                       support is enabled.
  3874. #                           always      disable always PMTU discovery.
  3875. #
  3876. #                       In many setups of transparently intercepting proxies
  3877. #                       Path-MTU discovery can not work on traffic towards the
  3878. #                       clients. This is the case when the intercepting device
  3879. #                       does not fully track connections and fails to forward
  3880. #                       ICMP must fragment messages to the cache server. If you
  3881. #                       have such setup and experience that certain clients
  3882. #                       sporadically hang or never complete requests set
  3883. #                       disable-pmtu-discovery option to 'transparent'.
  3884. #
  3885. #          sslBump      Intercept each CONNECT request matching ssl_bump ACL,
  3886. #                       establish secure connection with the client and with
  3887. #                       the server, decrypt HTTP messages as they pass through
  3888. #                       Squid, and treat them as unencrypted HTTP messages,
  3889. #                       becoming the man-in-the-middle.
  3890. #
  3891. #                       When this option is enabled, additional options become
  3892. #                       available to specify SSL-related properties of the
  3893. #                       client-side connection: cert, key, version, cipher,
  3894. #                       options, clientca, cafile, capath, crlfile, dhparams,
  3895. #                       sslflags, and sslcontext. See the https_port directive
  3896. #                       for more information on these options.
  3897. #
  3898. #                       The ssl_bump option is required to fully enable
  3899. #                       the SslBump feature.
  3900. #
  3901. #          name=        Specifies a internal name for the port. Defaults to
  3902. #                       the port specification (port or addr:port)
  3903. #
  3904. #          tcpkeepalive[=idle,interval,timeout]
  3905. #                       Enable TCP keepalive probes of idle connections.
  3906. #                       In seconds; idle is the initial time before TCP starts
  3907. #                       probing the connection, interval how often to probe, and
  3908. #                       timeout the time before giving up.
  3909. #
  3910. #       If you run Squid on a dual-homed machine with an internal
  3911. #       and an external interface we recommend you to specify the
  3912. #       internal address:port in http_port. This way Squid will only be
  3913. #       visible on the internal address.
  3914. #
  3915. #
  3916.  
  3917. # Squid normally listens to port 3128
  3918. http_port 3128
  3919.  
  3920. #  TAG: https_port
  3921. # Note: This option is only available if Squid is rebuilt with the
  3922. #       --enable-ssl option
  3923. #
  3924. #       Usage:  [ip:]port cert=certificate.pem [key=key.pem] [options...]
  3925. #
  3926. #       The socket address where Squid will listen for HTTPS client
  3927. #       requests.
  3928. #
  3929. #       This is really only useful for situations where you are running
  3930. #       squid in accelerator mode and you want to do the SSL work at the
  3931. #       accelerator level.
  3932. #
  3933. #       You may specify multiple socket addresses on multiple lines,
  3934. #       each with their own SSL certificate and/or options.
  3935. #
  3936. #       Options:
  3937. #
  3938. #          accel        Accelerator mode. Also needs at least one of
  3939. #                       defaultsite or vhost.
  3940. #
  3941. #          defaultsite= The name of the https site presented on
  3942. #                       this port. Implies accel.
  3943. #
  3944. #          vhost        Accelerator mode using Host header for virtual
  3945. #                       domain support. Requires a wildcard certificate
  3946. #                       or other certificate valid for more than one domain.
  3947. #                       Implies accel.
  3948. #
  3949. #          protocol=    Protocol to reconstruct accelerated requests with.
  3950. #                       Defaults to https.
  3951. #
  3952. #          cert=        Path to SSL certificate (PEM format).
  3953. #
  3954. #          key=         Path to SSL private key file (PEM format)
  3955. #                       if not specified, the certificate file is
  3956. #                       assumed to be a combined certificate and
  3957. #                       key file.
  3958. #
  3959. #          version=     The version of SSL/TLS supported
  3960. #                           1   automatic (default)
  3961. #                           2   SSLv2 only
  3962. #                           3   SSLv3 only
  3963. #                           4   TLSv1 only
  3964. #
  3965. #          cipher=      Colon separated list of supported ciphers.
  3966. #
  3967. #          options=     Various SSL engine options. The most important
  3968. #                       being:
  3969. #                           NO_SSLv2  Disallow the use of SSLv2
  3970. #                           NO_SSLv3  Disallow the use of SSLv3
  3971. #                           NO_TLSv1  Disallow the use of TLSv1
  3972. #                           SINGLE_DH_USE Always create a new key when using
  3973. #                                     temporary/ephemeral DH key exchanges
  3974. #                       See src/ssl_support.c or OpenSSL SSL_CTX_set_options
  3975. #                       documentation for a complete list of options.
  3976. #
  3977. #          clientca=    File containing the list of CAs to use when
  3978. #                       requesting a client certificate.
  3979. #
  3980. #          cafile=      File containing additional CA certificates to
  3981. #                       use when verifying client certificates. If unset
  3982. #                       clientca will be used.
  3983. #
  3984. #          capath=      Directory containing additional CA certificates
  3985. #                       and CRL lists to use when verifying client certificates.
  3986. #
  3987. #          crlfile=     File of additional CRL lists to use when verifying
  3988. #                       the client certificate, in addition to CRLs stored in
  3989. #                       the capath. Implies VERIFY_CRL flag below.
  3990. #
  3991. #          dhparams=    File containing DH parameters for temporary/ephemeral
  3992. #                       DH key exchanges.
  3993. #
  3994. #          sslflags=    Various flags modifying the use of SSL:
  3995. #                           DELAYED_AUTH
  3996. #                               Don't request client certificates
  3997. #                               immediately, but wait until acl processing
  3998. #                               requires a certificate (not yet implemented).
  3999. #                           NO_DEFAULT_CA
  4000. #                               Don't use the default CA lists built in
  4001. #                               to OpenSSL.
  4002. #                           NO_SESSION_REUSE
  4003. #                               Don't allow for session reuse. Each connection
  4004. #                               will result in a new SSL session.
  4005. #                           VERIFY_CRL
  4006. #                               Verify CRL lists when accepting client
  4007. #                               certificates.
  4008. #                           VERIFY_CRL_ALL
  4009. #                               Verify CRL lists for all certificates in the
  4010. #                               client certificate chain.
  4011. #
  4012. #          sslcontext=  SSL session ID context identifier.
  4013. #
  4014. #          vport        Accelerator with IP based virtual host support.
  4015. #
  4016. #          vport=NN     As above, but uses specified port number rather
  4017. #                       than the https_port number. Implies accel.
  4018. #
  4019. #          name=        Specifies a internal name for the port. Defaults to
  4020. #                       the port specification (port or addr:port)
  4021. #
  4022. #Default:
  4023. # none
  4024.  
  4025. #  TAG: tcp_outgoing_tos
  4026. #       Allows you to select a TOS/Diffserv value to mark outgoing
  4027. #       connections with, based on the username or source address
  4028. #       making the request.
  4029. #
  4030. #       tcp_outgoing_tos ds-field [!]aclname ...
  4031. #
  4032. #       Example where normal_service_net uses the TOS value 0x00
  4033. #       and good_service_net uses 0x20
  4034. #
  4035. #       acl normal_service_net src 10.0.0.0/255.255.255.0
  4036. #       acl good_service_net src 10.0.1.0/255.255.255.0
  4037. #       tcp_outgoing_tos 0x00 normal_service_net
  4038. #       tcp_outgoing_tos 0x20 good_service_net
  4039. #
  4040. #       TOS/DSCP values really only have local significance - so you should
  4041. #       know what you're specifying. For more information, see RFC2474,
  4042. #       RFC2475, and RFC3260.
  4043. #
  4044. #       The TOS/DSCP byte must be exactly that - a octet value  0 - 255, or
  4045. #       "default" to use whatever default your host has. Note that in
  4046. #       practice often only values 0 - 63 is usable as the two highest bits
  4047. #       have been redefined for use by ECN (RFC3168).
  4048. #
  4049. #       Processing proceeds in the order specified, and stops at first fully
  4050. #       matching line.
  4051. #
  4052. #       Note: The use of this directive using client dependent ACLs is
  4053. #       incompatible with the use of server side persistent connections. To
  4054. #       ensure correct results it is best to set server_persisten_connections
  4055. #       to off when using this directive in such configurations.
  4056. #Default:
  4057. # none
  4058.  
  4059. #  TAG: clientside_tos
  4060. #       Allows you to select a TOS/Diffserv value to mark client-side
  4061. #       connections with, based on the username or source address
  4062. #       making the request.
  4063. #Default:
  4064. # none
  4065.  
  4066. #  TAG: qos_flows
  4067. # Note: This option is only available if Squid is rebuilt with the
  4068. #       --enable-zph-qos option
  4069. #
  4070. #       Allows you to select a TOS/DSCP value to mark outgoing
  4071. #
  4072. #       The TOS/DSCP byte must be exactly that - octet value 0x00-0xFF.
  4073. #       Note that in practice often only values up to 0x3F are usable
  4074. #       as the two highest bits have been redefined for use by ECN
  4075. #       (RFC3168).
  4076. #
  4077. #       This setting is configured by setting the source TOS values:
  4078. #
  4079. #       local-hit=0xFF          Value to mark local cache hits.
  4080. #
  4081. #       sibling-hit=0xFF        Value to mark hits from sibling peers.
  4082. #
  4083. #       parent-hit=0xFF         Value to mark hits from parent peers.
  4084. #
  4085. #
  4086. #       NOTE: 'miss' preserve feature is only possible on Linux at this time.
  4087. #
  4088. #       For the following to work correctly, you will need to patch your
  4089. #       linux kernel with the TOS preserving ZPH patch.
  4090. #       The kernel patch can be downloaded from http://zph.bratcheda.org
  4091. #
  4092. #       disable-preserve-miss
  4093. #               By default, the existing TOS value of the response coming
  4094. #               from the remote server will be retained and masked with
  4095. #               miss-mark. This option disables that feature.
  4096. #
  4097. #       miss-mask=0xFF
  4098. #               Allows you to mask certain bits in the TOS received from the
  4099. #               remote server, before copying the value to the TOS sent
  4100. #               towards clients.
  4101. #               Default: 0xFF (TOS from server is not changed).
  4102. #
  4103. #Default:
  4104. # none
  4105.  
  4106. #  TAG: tcp_outgoing_address
  4107. #       Allows you to map requests to different outgoing IP addresses
  4108. #       based on the username or source address of the user making
  4109. #       the request.
  4110. #
  4111. #       tcp_outgoing_address ipaddr [[!]aclname] ...
  4112. #
  4113. #       Example where requests from 10.0.0.0/24 will be forwarded
  4114. #       with source address 10.1.0.1, 10.0.2.0/24 forwarded with
  4115. #       source address 10.1.0.2 and the rest will be forwarded with
  4116. #       source address 10.1.0.3.
  4117. #
  4118. #       acl normal_service_net src 10.0.0.0/24
  4119. #       acl good_service_net src 10.0.2.0/24
  4120. #       tcp_outgoing_address 10.1.0.1 normal_service_net
  4121. #       tcp_outgoing_address 10.1.0.2 good_service_net
  4122. #       tcp_outgoing_address 10.1.0.3
  4123. #
  4124. #       Processing proceeds in the order specified, and stops at first fully
  4125. #       matching line.
  4126. #
  4127. #       Note: The use of this directive using client dependent ACLs is
  4128. #       incompatible with the use of server side persistent connections. To
  4129. #       ensure correct results it is best to set server_persistent_connections
  4130. #       to off when using this directive in such configurations.
  4131. #
  4132. #
  4133. #        IPv6 Magic:
  4134. #
  4135. #       Squid is built with a capability of bridging the IPv4 and IPv6
  4136. #       internets.
  4137. #       tcp_outgoing_address as exampled above breaks this bridging by forcing
  4138. #       all outbound traffic through a certain IPv4 which may be on the wrong
  4139. #       side of the IPv4/IPv6 boundary.
  4140. #
  4141. #       To operate with tcp_outgoing_address and keep the bridging benefits
  4142. #       an additional ACL needs to be used which ensures the IPv6-bound traffic
  4143. #       is never forced or permitted out the IPv4 interface.
  4144. #
  4145. #       acl to_ipv6 dst ipv6
  4146. #       tcp_outgoing_address 2002::c001 good_service_net to_ipv6
  4147. #       tcp_outgoing_address 10.1.0.2 good_service_net !to_ipv6
  4148. #
  4149. #       tcp_outgoing_address 2002::beef normal_service_net to_ipv6
  4150. #       tcp_outgoing_address 10.1.0.1 normal_service_net !to_ipv6
  4151. #
  4152. #       tcp_outgoing_address 2002::1 to_ipv6
  4153. #       tcp_outgoing_address 10.1.0.3 !to_ipv6
  4154. #
  4155. #       WARNING:
  4156. #         'dst ipv6' bases its selection assuming DIRECT access.
  4157. #         If peers are used the peername ACL are needed to select outgoing
  4158. #         address which can link to the peer.
  4159. #
  4160. #         'dst ipv6' is a slow ACL. It will only work here if 'dst' is used
  4161. #         previously in the http_access rules to locate the destination IP.
  4162. #         Some more magic may be needed for that:
  4163. #           http_access allow to_ipv6 !all
  4164. #         (meaning, allow if to IPv6 but not from anywhere ;)
  4165. #
  4166. #Default:
  4167. # none
  4168.  
  4169. # SSL OPTIONS
  4170. # -----------------------------------------------------------------------------
  4171.  
  4172. #  TAG: ssl_unclean_shutdown
  4173. # Note: This option is only available if Squid is rebuilt with the
  4174. #       --enable-ssl option
  4175. #
  4176. #       Some browsers (especially MSIE) bugs out on SSL shutdown
  4177. #       messages.
  4178. #Default:
  4179. # ssl_unclean_shutdown off
  4180.  
  4181. #  TAG: ssl_engine
  4182. # Note: This option is only available if Squid is rebuilt with the
  4183. #       --enable-ssl option
  4184. #
  4185. #       The OpenSSL engine to use. You will need to set this if you
  4186. #       would like to use hardware SSL acceleration for example.
  4187. #Default:
  4188. # none
  4189.  
  4190. #  TAG: sslproxy_client_certificate
  4191. # Note: This option is only available if Squid is rebuilt with the
  4192. #       --enable-ssl option
  4193. #
  4194. #       Client SSL Certificate to use when proxying https:// URLs
  4195. #Default:
  4196. # none
  4197.  
  4198. #  TAG: sslproxy_client_key
  4199. # Note: This option is only available if Squid is rebuilt with the
  4200. #       --enable-ssl option
  4201. #
  4202. #       Client SSL Key to use when proxying https:// URLs
  4203. #Default:
  4204. # none
  4205.  
  4206. #  TAG: sslproxy_version
  4207. # Note: This option is only available if Squid is rebuilt with the
  4208. #       --enable-ssl option
  4209. #
  4210. #       SSL version level to use when proxying https:// URLs
  4211. #Default:
  4212. # sslproxy_version 1
  4213.  
  4214. #  TAG: sslproxy_options
  4215. # Note: This option is only available if Squid is rebuilt with the
  4216. #       --enable-ssl option
  4217. #
  4218. #       SSL engine options to use when proxying https:// URLs
  4219. #      
  4220. #       The most important being:
  4221. #
  4222. #               NO_SSLv2  Disallow the use of SSLv2
  4223. #               NO_SSLv3  Disallow the use of SSLv3
  4224. #               NO_TLSv1  Disallow the use of TLSv1
  4225. #               SINGLE_DH_USE
  4226. #                       Always create a new key when using
  4227. #                       temporary/ephemeral DH key exchanges
  4228. #      
  4229. #       These options vary depending on your SSL engine.
  4230. #       See the OpenSSL SSL_CTX_set_options documentation for a
  4231. #       complete list of possible options.
  4232. #Default:
  4233. # none
  4234.  
  4235. #  TAG: sslproxy_cipher
  4236. # Note: This option is only available if Squid is rebuilt with the
  4237. #       --enable-ssl option
  4238. #
  4239. #       SSL cipher list to use when proxying https:// URLs
  4240. #
  4241. #       Colon separated list of supported ciphers.
  4242. #Default:
  4243. # none
  4244.  
  4245. #  TAG: sslproxy_cafile
  4246. # Note: This option is only available if Squid is rebuilt with the
  4247. #       --enable-ssl option
  4248. #
  4249. #       file containing CA certificates to use when verifying server
  4250. #       certificates while proxying https:// URLs
  4251. #Default:
  4252. # none
  4253.  
  4254. #  TAG: sslproxy_capath
  4255. # Note: This option is only available if Squid is rebuilt with the
  4256. #       --enable-ssl option
  4257. #
  4258. #       directory containing CA certificates to use when verifying
  4259. #       server certificates while proxying https:// URLs
  4260. #Default:
  4261. # none
  4262.  
  4263. #  TAG: ssl_bump
  4264. # Note: This option is only available if Squid is rebuilt with the
  4265. #       --enable-ssl option
  4266. #
  4267. #       This ACL controls which CONNECT requests to an http_port
  4268. #       marked with an sslBump flag are actually "bumped". Please
  4269. #       see the sslBump flag of an http_port option for more details
  4270. #       about decoding proxied SSL connections.
  4271. #
  4272. #       By default, no requests are bumped.
  4273. #
  4274. #       See also: http_port sslBump
  4275. #  
  4276. #       This clause only supports fast acl types.
  4277. #       See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  4278. #
  4279. #
  4280. #       # Example: Bump all requests except those originating from localhost and
  4281. #       # those going to webax.com or example.com sites.
  4282. #
  4283. #       acl localhost src 127.0.0.1/32
  4284. #       acl broken_sites dstdomain .webax.com
  4285. #       acl broken_sites dstdomain .example.com
  4286. #       ssl_bump deny localhost
  4287. #       ssl_bump deny broken_sites
  4288. #       ssl_bump allow all
  4289. #Default:
  4290. # none
  4291.  
  4292. #  TAG: sslproxy_flags
  4293. # Note: This option is only available if Squid is rebuilt with the
  4294. #       --enable-ssl option
  4295. #
  4296. #       Various flags modifying the use of SSL while proxying https:// URLs:
  4297. #           DONT_VERIFY_PEER    Accept certificates that fail verification.
  4298. #                               For refined control, see sslproxy_cert_error.
  4299. #           NO_DEFAULT_CA       Don't use the default CA list built in
  4300. #                               to OpenSSL.
  4301. #Default:
  4302. # none
  4303.  
  4304. #  TAG: sslproxy_cert_error
  4305. # Note: This option is only available if Squid is rebuilt with the
  4306. #       --enable-ssl option
  4307. #
  4308. #       Use this ACL to bypass server certificate validation errors.
  4309. #
  4310. #       For example, the following lines will bypass all validation errors
  4311. #       when talking to servers located at 172.16.0.0/16. All other
  4312. #       validation errors will result in ERR_SECURE_CONNECT_FAIL error.
  4313. #
  4314. #               acl BrokenServersAtTrustedIP dst 172.16.0.0/16
  4315. #               sslproxy_cert_error allow BrokenServersAtTrustedIP
  4316. #               sslproxy_cert_error deny all
  4317. #
  4318. #       This clause only supports fast acl types.
  4319. #       See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  4320. #       Using slow acl types may result in server crashes
  4321. #
  4322. #       Without this option, all server certificate validation errors
  4323. #       terminate the transaction. Bypassing validation errors is dangerous
  4324. #       because an error usually implies that the server cannot be trusted and
  4325. #       the connection may be insecure.
  4326. #
  4327. #       See also: sslproxy_flags and DONT_VERIFY_PEER.
  4328. #
  4329. #       Default setting:  sslproxy_cert_error deny all
  4330. #Default:
  4331. # none
  4332.  
  4333. #  TAG: sslpassword_program
  4334. # Note: This option is only available if Squid is rebuilt with the
  4335. #       --enable-ssl option
  4336. #
  4337. #       Specify a program used for entering SSL key passphrases
  4338. #       when using encrypted SSL certificate keys. If not specified
  4339. #       keys must either be unencrypted, or Squid started with the -N
  4340. #       option to allow it to query interactively for the passphrase.
  4341. #Default:
  4342. # none
  4343.  
  4344. # OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
  4345. # -----------------------------------------------------------------------------
  4346.  
  4347. #  TAG: cache_peer
  4348. #       To specify other caches in a hierarchy, use the format:
  4349. #      
  4350. #               cache_peer hostname type http-port icp-port [options]
  4351. #      
  4352. #       For example,
  4353. #      
  4354. #       #                                        proxy  icp
  4355. #       #          hostname             type     port   port  options
  4356. #       #          -------------------- -------- ----- -----  -----------
  4357. #       cache_peer parent.foo.net       parent    3128  3130  default
  4358. #       cache_peer sib1.foo.net         sibling   3128  3130  proxy-only
  4359. #       cache_peer sib2.foo.net         sibling   3128  3130  proxy-only
  4360. #       cache_peer example.com          parent    80       0  no-query default
  4361. #       cache_peer cdn.example.com      sibling   3128     0  
  4362. #      
  4363. #             type:     either 'parent', 'sibling', or 'multicast'.
  4364. #      
  4365. #       proxy-port:     The port number where the peer accept HTTP requests.
  4366. #                       For other Squid proxies this is usually 3128
  4367. #                       For web servers this is usually 80
  4368. #      
  4369. #         icp-port:     Used for querying neighbor caches about objects.
  4370. #                       Set to 0 if the peer does not support ICP or HTCP.
  4371. #                       See ICP and HTCP options below for additional details.
  4372. #      
  4373. #      
  4374. #       ==== ICP OPTIONS ====
  4375. #      
  4376. #       You MUST also set icp_port and icp_access explicitly when using these options.
  4377. #       The defaults will prevent peer traffic using ICP.
  4378. #      
  4379. #      
  4380. #       no-query        Disable ICP queries to this neighbor.
  4381. #      
  4382. #       multicast-responder
  4383. #                       Indicates the named peer is a member of a multicast group.
  4384. #                       ICP queries will not be sent directly to the peer, but ICP
  4385. #                       replies will be accepted from it.
  4386. #      
  4387. #       closest-only    Indicates that, for ICP_OP_MISS replies, we'll only forward
  4388. #                       CLOSEST_PARENT_MISSes and never FIRST_PARENT_MISSes.
  4389. #      
  4390. #       background-ping
  4391. #                       To only send ICP queries to this neighbor infrequently.
  4392. #                       This is used to keep the neighbor round trip time updated
  4393. #                       and is usually used in conjunction with weighted-round-robin.
  4394. #      
  4395. #      
  4396. #       ==== HTCP OPTIONS ====
  4397. #      
  4398. #       You MUST also set htcp_port and htcp_access explicitly when using these options.
  4399. #       The defaults will prevent peer traffic using HTCP.
  4400. #      
  4401. #      
  4402. #       htcp            Send HTCP, instead of ICP, queries to the neighbor.
  4403. #                       You probably also want to set the "icp-port" to 4827
  4404. #                       instead of 3130.
  4405. #      
  4406. #       htcp-oldsquid   Send HTCP to old Squid versions.
  4407. #      
  4408. #       htcp-no-clr     Send HTCP to the neighbor but without
  4409. #                       sending any CLR requests.  This cannot be used with
  4410. #                       htcp-only-clr.
  4411. #      
  4412. #       htcp-only-clr   Send HTCP to the neighbor but ONLY CLR requests.
  4413. #                       This cannot be used with htcp-no-clr.
  4414. #      
  4415. #       htcp-no-purge-clr
  4416. #                       Send HTCP to the neighbor including CLRs but only when
  4417. #                       they do not result from PURGE requests.
  4418. #      
  4419. #       htcp-forward-clr
  4420. #                       Forward any HTCP CLR requests this proxy receives to the peer.
  4421. #      
  4422. #      
  4423. #       ==== PEER SELECTION METHODS ====
  4424. #      
  4425. #       The default peer selection method is ICP, with the first responding peer
  4426. #       being used as source. These options can be used for better load balancing.
  4427. #      
  4428. #      
  4429. #       default         This is a parent cache which can be used as a "last-resort"
  4430. #                       if a peer cannot be located by any of the peer-selection methods.
  4431. #                       If specified more than once, only the first is used.
  4432. #      
  4433. #       round-robin     Load-Balance parents which should be used in a round-robin
  4434. #                       fashion in the absence of any ICP queries.
  4435. #                       weight=N can be used to add bias.
  4436. #      
  4437. #       weighted-round-robin
  4438. #                       Load-Balance parents which should be used in a round-robin
  4439. #                       fashion with the frequency of each parent being based on the
  4440. #                       round trip time. Closer parents are used more often.
  4441. #                       Usually used for background-ping parents.
  4442. #                       weight=N can be used to add bias.
  4443. #      
  4444. #       carp            Load-Balance parents which should be used as a CARP array.
  4445. #                       The requests will be distributed among the parents based on the
  4446. #                       CARP load balancing hash function based on their weight.
  4447. #      
  4448. #       userhash        Load-balance parents based on the client proxy_auth or ident username.
  4449. #      
  4450. #       sourcehash      Load-balance parents based on the client source IP.
  4451. #
  4452. #       multicast-siblings
  4453. #                       To be used only for cache peers of type "multicast".
  4454. #                       ALL members of this multicast group have "sibling"
  4455. #                       relationship with it, not "parent".  This is to a mulicast
  4456. #                       group when the requested object would be fetched only from
  4457. #                       a "parent" cache, anyway.  It's useful, e.g., when
  4458. #                       configuring a pool of redundant Squid proxies, being
  4459. #                       members of the same multicast group.
  4460. #      
  4461. #      
  4462. #       ==== PEER SELECTION OPTIONS ====
  4463. #      
  4464. #       weight=N        use to affect the selection of a peer during any weighted
  4465. #                       peer-selection mechanisms.
  4466. #                       The weight must be an integer; default is 1,
  4467. #                       larger weights are favored more.
  4468. #                       This option does not affect parent selection if a peering
  4469. #                       protocol is not in use.
  4470. #      
  4471. #       basetime=N      Specify a base amount to be subtracted from round trip
  4472. #                       times of parents.
  4473. #                       It is subtracted before division by weight in calculating
  4474. #                       which parent to fectch from. If the rtt is less than the
  4475. #                       base time the rtt is set to a minimal value.
  4476. #      
  4477. #       ttl=N           Specify a IP multicast TTL to use when sending an ICP
  4478. #                       queries to this address.
  4479. #                       Only useful when sending to a multicast group.
  4480. #                       Because we don't accept ICP replies from random
  4481. #                       hosts, you must configure other group members as
  4482. #                       peers with the 'multicast-responder' option.
  4483. #      
  4484. #       no-delay        To prevent access to this neighbor from influencing the
  4485. #                       delay pools.
  4486. #      
  4487. #       digest-url=URL  Tell Squid to fetch the cache digest (if digests are
  4488. #                       enabled) for this host from the specified URL rather
  4489. #                       than the Squid default location.
  4490. #      
  4491. #      
  4492. #       ==== ACCELERATOR / REVERSE-PROXY OPTIONS ====
  4493. #      
  4494. #       originserver    Causes this parent to be contacted as an origin server.
  4495. #                       Meant to be used in accelerator setups when the peer
  4496. #                       is a web server.
  4497. #      
  4498. #       forceddomain=name
  4499. #                       Set the Host header of requests forwarded to this peer.
  4500. #                       Useful in accelerator setups where the server (peer)
  4501. #                       expects a certain domain name but clients may request
  4502. #                       others. ie example.com or www.example.com
  4503. #      
  4504. #       no-digest       Disable request of cache digests.
  4505. #      
  4506. #       no-netdb-exchange
  4507. #                       Disables requesting ICMP RTT database (NetDB).
  4508. #      
  4509. #      
  4510. #       ==== AUTHENTICATION OPTIONS ====
  4511. #      
  4512. #       login=user:password
  4513. #                       If this is a personal/workgroup proxy and your parent
  4514. #                       requires proxy authentication.
  4515. #                      
  4516. #                       Note: The string can include URL escapes (i.e. %20 for
  4517. #                       spaces). This also means % must be written as %%.
  4518. #      
  4519. #       login=PROXYPASS
  4520. #                       Send login details received from client to this peer.
  4521. #                       Authentication is not required, nor changed.
  4522. #                      
  4523. #                       Note: This will pass any form of authentication but
  4524. #                       only Basic auth will work through a proxy unless the
  4525. #                       connection-auth options are also used.
  4526. #      
  4527. #       login=PASS      Send login details received from client to this peer.
  4528. #                       Authentication is not required by this option.
  4529. #                       If there are no client-provided authentication headers
  4530. #                       to pass on, but username and password are available
  4531. #                       from either proxy login or an external ACL user= and
  4532. #                       password= result tags they may be sent instead.
  4533. #                      
  4534. #                       Note: To combine this with proxy_auth both proxies must
  4535. #                       share the same user database as HTTP only allows for
  4536. #                       a single login (one for proxy, one for origin server).
  4537. #                       Also be warned this will expose your users proxy
  4538. #                       password to the peer. USE WITH CAUTION
  4539. #      
  4540. #       login=*:password
  4541. #                       Send the username to the upstream cache, but with a
  4542. #                       fixed password. This is meant to be used when the peer
  4543. #                       is in another administrative domain, but it is still
  4544. #                       needed to identify each user.
  4545. #                       The star can optionally be followed by some extra
  4546. #                       information which is added to the username. This can
  4547. #                       be used to identify this proxy to the peer, similar to
  4548. #                       the login=username:password option above.
  4549. #      
  4550. #       connection-auth=on|off
  4551. #                       Tell Squid that this peer does or not support Microsoft
  4552. #                       connection oriented authentication, and any such
  4553. #                       challenges received from there should be ignored.
  4554. #                       Default is auto to automatically determine the status
  4555. #                       of the peer.
  4556. #      
  4557. #      
  4558. #       ==== SSL / HTTPS / TLS OPTIONS ====
  4559. #      
  4560. #       ssl             Encrypt connections to this peer with SSL/TLS.
  4561. #      
  4562. #       sslcert=/path/to/ssl/certificate
  4563. #                       A client SSL certificate to use when connecting to
  4564. #                       this peer.
  4565. #      
  4566. #       sslkey=/path/to/ssl/key
  4567. #                       The private SSL key corresponding to sslcert above.
  4568. #                       If 'sslkey' is not specified 'sslcert' is assumed to
  4569. #                       reference a combined file containing both the
  4570. #                       certificate and the key.
  4571. #      
  4572. #       sslversion=1|2|3|4
  4573. #                       The SSL version to use when connecting to this peer
  4574. #                               1 = automatic (default)
  4575. #                               2 = SSL v2 only
  4576. #                               3 = SSL v3 only
  4577. #                               4 = TLS v1 only
  4578. #      
  4579. #       sslcipher=...   The list of valid SSL ciphers to use when connecting
  4580. #                       to this peer.
  4581. #      
  4582. #       ssloptions=...  Specify various SSL engine options:
  4583. #                               NO_SSLv2  Disallow the use of SSLv2
  4584. #                               NO_SSLv3  Disallow the use of SSLv3
  4585. #                               NO_TLSv1  Disallow the use of TLSv1
  4586. #                       See src/ssl_support.c or the OpenSSL documentation for
  4587. #                       a more complete list.
  4588. #      
  4589. #       sslcafile=...   A file containing additional CA certificates to use
  4590. #                       when verifying the peer certificate.
  4591. #      
  4592. #       sslcapath=...   A directory containing additional CA certificates to
  4593. #                       use when verifying the peer certificate.
  4594. #      
  4595. #       sslcrlfile=...  A certificate revocation list file to use when
  4596. #                       verifying the peer certificate.
  4597. #      
  4598. #       sslflags=...    Specify various flags modifying the SSL implementation:
  4599. #      
  4600. #                       DONT_VERIFY_PEER
  4601. #                               Accept certificates even if they fail to
  4602. #                               verify.
  4603. #                       NO_DEFAULT_CA
  4604. #                               Don't use the default CA list built in
  4605. #                               to OpenSSL.
  4606. #                       DONT_VERIFY_DOMAIN
  4607. #                               Don't verify the peer certificate
  4608. #                               matches the server name
  4609. #      
  4610. #       ssldomain=      The peer name as advertised in it's certificate.
  4611. #                       Used for verifying the correctness of the received peer
  4612. #                       certificate. If not specified the peer hostname will be
  4613. #                       used.
  4614. #      
  4615. #       front-end-https
  4616. #                       Enable the "Front-End-Https: On" header needed when
  4617. #                       using Squid as a SSL frontend in front of Microsoft OWA.
  4618. #                       See MS KB document Q307347 for details on this header.
  4619. #                       If set to auto the header will only be added if the
  4620. #                       request is forwarded as a https:// URL.
  4621. #      
  4622. #      
  4623. #       ==== GENERAL OPTIONS ====
  4624. #      
  4625. #       connect-timeout=N
  4626. #                       A peer-specific connect timeout.
  4627. #                       Also see the peer_connect_timeout directive.
  4628. #      
  4629. #       connect-fail-limit=N
  4630. #                       How many times connecting to a peer must fail before
  4631. #                       it is marked as down. Default is 10.
  4632. #      
  4633. #       allow-miss      Disable Squid's use of only-if-cached when forwarding
  4634. #                       requests to siblings. This is primarily useful when
  4635. #                       icp_hit_stale is used by the sibling. To extensive use
  4636. #                       of this option may result in forwarding loops, and you
  4637. #                       should avoid having two-way peerings with this option.
  4638. #                       For example to deny peer usage on requests from peer
  4639. #                       by denying cache_peer_access if the source is a peer.
  4640. #      
  4641. #       max-conn=N      Limit the amount of connections Squid may open to this
  4642. #                       peer. see also
  4643. #      
  4644. #       name=xxx        Unique name for the peer.
  4645. #                       Required if you have multiple peers on the same host
  4646. #                       but different ports.
  4647. #                       This name can be used in cache_peer_access and similar
  4648. #                       directives to dentify the peer.
  4649. #                       Can be used by outgoing access controls through the
  4650. #                       peername ACL type.
  4651. #      
  4652. #       no-tproxy       Do not use the client-spoof TPROXY support when forwarding
  4653. #                       requests to this peer. Use normal address selection instead.
  4654. #      
  4655. #       proxy-only      objects fetched from the peer will not be stored locally.
  4656. #      
  4657. #Default:
  4658. # none
  4659.  
  4660. #  TAG: cache_peer_domain
  4661. #       Use to limit the domains for which a neighbor cache will be
  4662. #       queried.  Usage:
  4663. #
  4664. #       cache_peer_domain cache-host domain [domain ...]
  4665. #       cache_peer_domain cache-host !domain
  4666. #
  4667. #       For example, specifying
  4668. #
  4669. #               cache_peer_domain parent.foo.net        .edu
  4670. #
  4671. #       has the effect such that UDP query packets are sent to
  4672. #       'bigserver' only when the requested object exists on a
  4673. #       server in the .edu domain.  Prefixing the domainname
  4674. #       with '!' means the cache will be queried for objects
  4675. #       NOT in that domain.
  4676. #
  4677. #       NOTE:   * Any number of domains may be given for a cache-host,
  4678. #                 either on the same or separate lines.
  4679. #               * When multiple domains are given for a particular
  4680. #                 cache-host, the first matched domain is applied.
  4681. #               * Cache hosts with no domain restrictions are queried
  4682. #                 for all requests.
  4683. #               * There are no defaults.
  4684. #               * There is also a 'cache_peer_access' tag in the ACL
  4685. #                 section.
  4686. #Default:
  4687. # none
  4688.  
  4689. #  TAG: cache_peer_access
  4690. #       Similar to 'cache_peer_domain' but provides more flexibility by
  4691. #       using ACL elements.
  4692. #
  4693. #       cache_peer_access cache-host allow|deny [!]aclname ...
  4694. #
  4695. #       The syntax is identical to 'http_access' and the other lists of
  4696. #       ACL elements.  See the comments for 'http_access' below, or
  4697. #       the Squid FAQ (http://wiki.squid-cache.org/SquidFaq/SquidAcl).
  4698. #Default:
  4699. # none
  4700.  
  4701. #  TAG: neighbor_type_domain
  4702. #       usage: neighbor_type_domain neighbor parent|sibling domain domain ...
  4703. #
  4704. #       Modifying the neighbor type for specific domains is now
  4705. #       possible.  You can treat some domains differently than the the
  4706. #       default neighbor type specified on the 'cache_peer' line.
  4707. #       Normally it should only be necessary to list domains which
  4708. #       should be treated differently because the default neighbor type
  4709. #       applies for hostnames which do not match domains listed here.
  4710. #
  4711. #EXAMPLE:
  4712. #       cache_peer cache.foo.org parent 3128 3130
  4713. #       neighbor_type_domain cache.foo.org sibling .com .net
  4714. #       neighbor_type_domain cache.foo.org sibling .au .de
  4715. #Default:
  4716. # none
  4717.  
  4718. #  TAG: dead_peer_timeout       (seconds)
  4719. #       This controls how long Squid waits to declare a peer cache
  4720. #       as "dead."  If there are no ICP replies received in this
  4721. #       amount of time, Squid will declare the peer dead and not
  4722. #       expect to receive any further ICP replies.  However, it
  4723. #       continues to send ICP queries, and will mark the peer as
  4724. #       alive upon receipt of the first subsequent ICP reply.
  4725. #
  4726. #       This timeout also affects when Squid expects to receive ICP
  4727. #       replies from peers.  If more than 'dead_peer' seconds have
  4728. #       passed since the last ICP reply was received, Squid will not
  4729. #       expect to receive an ICP reply on the next query.  Thus, if
  4730. #       your time between requests is greater than this timeout, you
  4731. #       will see a lot of requests sent DIRECT to origin servers
  4732. #       instead of to your parents.
  4733. #Default:
  4734. # dead_peer_timeout 10 seconds
  4735.  
  4736. #  TAG: forward_max_tries
  4737. #       Controls how many different forward paths Squid will try
  4738. #       before giving up. See also forward_timeout.
  4739. #Default:
  4740. # forward_max_tries 10
  4741.  
  4742. #  TAG: hierarchy_stoplist
  4743. #       A list of words which, if found in a URL, cause the object to
  4744. #       be handled directly by this cache.  In other words, use this
  4745. #       to not query neighbor caches for certain objects.  You may
  4746. #       list this option multiple times.
  4747. #       Note: never_direct overrides this option.
  4748. #
  4749.  
  4750. # We recommend you to use at least the following line.
  4751. hierarchy_stoplist cgi-bin ?
  4752.  
  4753. # MEMORY CACHE OPTIONS
  4754. # -----------------------------------------------------------------------------
  4755.  
  4756. #  TAG: cache_mem       (bytes)
  4757. #       NOTE: THIS PARAMETER DOES NOT SPECIFY THE MAXIMUM PROCESS SIZE.
  4758. #       IT ONLY PLACES A LIMIT ON HOW MUCH ADDITIONAL MEMORY SQUID WILL
  4759. #       USE AS A MEMORY CACHE OF OBJECTS. SQUID USES MEMORY FOR OTHER
  4760. #       THINGS AS WELL. SEE THE SQUID FAQ SECTION 8 FOR DETAILS.
  4761. #
  4762. #       'cache_mem' specifies the ideal amount of memory to be used
  4763. #       for:
  4764. #               * In-Transit objects
  4765. #               * Hot Objects
  4766. #               * Negative-Cached objects
  4767. #
  4768. #       Data for these objects are stored in 4 KB blocks.  This
  4769. #       parameter specifies the ideal upper limit on the total size of
  4770. #       4 KB blocks allocated.  In-Transit objects take the highest
  4771. #       priority.
  4772. #
  4773. #       In-transit objects have priority over the others.  When
  4774. #       additional space is needed for incoming data, negative-cached
  4775. #       and hot objects will be released.  In other words, the
  4776. #       negative-cached and hot objects will fill up any unused space
  4777. #       not needed for in-transit objects.
  4778. #
  4779. #       If circumstances require, this limit will be exceeded.
  4780. #       Specifically, if your incoming request rate requires more than
  4781. #       'cache_mem' of memory to hold in-transit objects, Squid will
  4782. #       exceed this limit to satisfy the new requests.  When the load
  4783. #       decreases, blocks will be freed until the high-water mark is
  4784. #       reached.  Thereafter, blocks will be used to store hot
  4785. #       objects.
  4786. #Default:
  4787. # cache_mem 256 MB
  4788.  
  4789. #  TAG: maximum_object_size_in_memory   (bytes)
  4790. #       Objects greater than this size will not be attempted to kept in
  4791. #       the memory cache. This should be set high enough to keep objects
  4792. #       accessed frequently in memory to improve performance whilst low
  4793. #       enough to keep larger objects from hoarding cache_mem.
  4794. #Default:
  4795. # maximum_object_size_in_memory 512 KB
  4796.  
  4797. #  TAG: memory_replacement_policy
  4798. #       The memory replacement policy parameter determines which
  4799. #       objects are purged from memory when memory space is needed.
  4800. #
  4801. #       See cache_replacement_policy for details.
  4802. #Default:
  4803. # memory_replacement_policy lru
  4804.  
  4805. # DISK CACHE OPTIONS
  4806. # -----------------------------------------------------------------------------
  4807.  
  4808. #  TAG: cache_replacement_policy
  4809. #       The cache replacement policy parameter determines which
  4810. #       objects are evicted (replaced) when disk space is needed.
  4811. #
  4812. #           lru       : Squid's original list based LRU policy
  4813. #           heap GDSF : Greedy-Dual Size Frequency
  4814. #           heap LFUDA: Least Frequently Used with Dynamic Aging
  4815. #           heap LRU  : LRU policy implemented using a heap
  4816. #
  4817. #       Applies to any cache_dir lines listed below this.
  4818. #
  4819. #       The LRU policies keeps recently referenced objects.
  4820. #
  4821. #       The heap GDSF policy optimizes object hit rate by keeping smaller
  4822. #       popular objects in cache so it has a better chance of getting a
  4823. #       hit.  It achieves a lower byte hit rate than LFUDA though since
  4824. #       it evicts larger (possibly popular) objects.
  4825. #
  4826. #       The heap LFUDA policy keeps popular objects in cache regardless of
  4827. #       their size and thus optimizes byte hit rate at the expense of
  4828. #       hit rate since one large, popular object will prevent many
  4829. #       smaller, slightly less popular objects from being cached.
  4830. #
  4831. #       Both policies utilize a dynamic aging mechanism that prevents
  4832. #       cache pollution that can otherwise occur with frequency-based
  4833. #       replacement policies.
  4834. #
  4835. #       NOTE: if using the LFUDA replacement policy you should increase
  4836. #       the value of maximum_object_size above its default of 4096 KB to
  4837. #       to maximize the potential byte hit rate improvement of LFUDA.
  4838. #
  4839. #       For more information about the GDSF and LFUDA cache replacement
  4840. #       policies see http://www.hpl.hp.com/techreports/1999/HPL-1999-69.html
  4841. #       and http://fog.hpl.external.hp.com/techreports/98/HPL-98-173.html.
  4842. #Default:
  4843. # cache_replacement_policy lru
  4844.  
  4845. #  TAG: cache_dir
  4846. #       Usage:
  4847. #
  4848. #       cache_dir Type Directory-Name Fs-specific-data [options]
  4849. #
  4850. #       You can specify multiple cache_dir lines to spread the
  4851. #       cache among different disk partitions.
  4852. #
  4853. #       Type specifies the kind of storage system to use. Only "ufs"
  4854. #       is built by default. To enable any of the other storage systems
  4855. #       see the --enable-storeio configure option.
  4856. #
  4857. #       'Directory' is a top-level directory where cache swap
  4858. #       files will be stored.  If you want to use an entire disk
  4859. #       for caching, this can be the mount-point directory.
  4860. #       The directory must exist and be writable by the Squid
  4861. #       process.  Squid will NOT create this directory for you.
  4862. #
  4863. #       The ufs store type:
  4864. #
  4865. #       "ufs" is the old well-known Squid storage format that has always
  4866. #       been there.
  4867. #
  4868. #       cache_dir ufs Directory-Name Mbytes L1 L2 [options]
  4869. #
  4870. #       'Mbytes' is the amount of disk space (MB) to use under this
  4871. #       directory.  The default is 100 MB.  Change this to suit your
  4872. #       configuration.  Do NOT put the size of your disk drive here.
  4873. #       Instead, if you want Squid to use the entire disk drive,
  4874. #       subtract 20% and use that value.
  4875. #
  4876. #       'Level-1' is the number of first-level subdirectories which
  4877. #       will be created under the 'Directory'.  The default is 16.
  4878. #
  4879. #       'Level-2' is the number of second-level subdirectories which
  4880. #       will be created under each first-level directory.  The default
  4881. #       is 256.
  4882. #
  4883. #       The aufs store type:
  4884. #
  4885. #       "aufs" uses the same storage format as "ufs", utilizing
  4886. #       POSIX-threads to avoid blocking the main Squid process on
  4887. #       disk-I/O. This was formerly known in Squid as async-io.
  4888. #
  4889. #       cache_dir aufs Directory-Name Mbytes L1 L2 [options]
  4890. #
  4891. #       see argument descriptions under ufs above
  4892. #
  4893. #       The diskd store type:
  4894. #
  4895. #       "diskd" uses the same storage format as "ufs", utilizing a
  4896. #       separate process to avoid blocking the main Squid process on
  4897. #       disk-I/O.
  4898. #
  4899. #       cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n]
  4900. #
  4901. #       see argument descriptions under ufs above
  4902. #
  4903. #       Q1 specifies the number of unacknowledged I/O requests when Squid
  4904. #       stops opening new files. If this many messages are in the queues,
  4905. #       Squid won't open new files. Default is 64
  4906. #
  4907. #       Q2 specifies the number of unacknowledged messages when Squid
  4908. #       starts blocking.  If this many messages are in the queues,
  4909. #       Squid blocks until it receives some replies. Default is 72
  4910. #
  4911. #       When Q1 < Q2 (the default), the cache directory is optimized
  4912. #       for lower response time at the expense of a decrease in hit
  4913. #       ratio.  If Q1 > Q2, the cache directory is optimized for
  4914. #       higher hit ratio at the expense of an increase in response
  4915. #       time.
  4916. #
  4917. #       The coss store type:
  4918. #
  4919. #       NP: COSS filesystem in Squid-3 has been deemed too unstable for
  4920. #           production use and has thus been removed from this release.
  4921. #           We hope that it can be made usable again soon.
  4922. #
  4923. #       block-size=n defines the "block size" for COSS cache_dir's.
  4924. #       Squid uses file numbers as block numbers.  Since file numbers
  4925. #       are limited to 24 bits, the block size determines the maximum
  4926. #       size of the COSS partition.  The default is 512 bytes, which
  4927. #       leads to a maximum cache_dir size of 512<<24, or 8 GB.  Note
  4928. #       you should not change the coss block size after Squid
  4929. #       has written some objects to the cache_dir.
  4930. #
  4931. #       The coss file store has changed from 2.5. Now it uses a file
  4932. #       called 'stripe' in the directory names in the config - and
  4933. #       this will be created by squid -z.
  4934. #
  4935. #       Common options:
  4936. #
  4937. #       no-store, no new objects should be stored to this cache_dir
  4938. #
  4939. #       max-size=n, refers to the max object size this storedir supports.
  4940. #       It is used to initially choose the storedir to dump the object.
  4941. #       Note: To make optimal use of the max-size limits you should order
  4942. #       the cache_dir lines with the smallest max-size value first and the
  4943. #       ones with no max-size specification last.
  4944. #
  4945. #       Note for coss, max-size must be less than COSS_MEMBUF_SZ,
  4946. #       which can be changed with the --with-coss-membuf-size=N configure
  4947. #       option.
  4948. #
  4949.  
  4950. # Uncomment and adjust the following to add a disk cache directory.
  4951. #cache_dir ufs /var/spool/squid3 100 16 256
  4952.  
  4953. #  TAG: store_dir_select_algorithm
  4954. #       Set this to 'round-robin' as an alternative.
  4955. #Default:
  4956. # store_dir_select_algorithm least-load
  4957.  
  4958. #  TAG: max_open_disk_fds
  4959. #       To avoid having disk as the I/O bottleneck Squid can optionally
  4960. #       bypass the on-disk cache if more than this amount of disk file
  4961. #       descriptors are open.
  4962. #
  4963. #       A value of 0 indicates no limit.
  4964. #Default:
  4965. # max_open_disk_fds 0
  4966.  
  4967. #  TAG: minimum_object_size     (bytes)
  4968. #       Objects smaller than this size will NOT be saved on disk.  The
  4969. #       value is specified in kilobytes, and the default is 0 KB, which
  4970. #       means there is no minimum.
  4971. #Default:
  4972. # minimum_object_size 0 KB
  4973.  
  4974. #  TAG: maximum_object_size     (bytes)
  4975. #       Objects larger than this size will NOT be saved on disk.  The
  4976. #       value is specified in kilobytes, and the default is 4MB.  If
  4977. #       you wish to get a high BYTES hit ratio, you should probably
  4978. #       increase this (one 32 MB object hit counts for 3200 10KB
  4979. #       hits).  If you wish to increase speed more than your want to
  4980. #       save bandwidth you should leave this low.
  4981. #
  4982. #       NOTE: if using the LFUDA replacement policy you should increase
  4983. #       this value to maximize the byte hit rate improvement of LFUDA!
  4984. #       See replacement_policy below for a discussion of this policy.
  4985. #Default:
  4986. # maximum_object_size 4096 KB
  4987.  
  4988. #  TAG: cache_swap_low  (percent, 0-100)
  4989. #  TAG: cache_swap_high (percent, 0-100)
  4990. #
  4991. #       The low- and high-water marks for cache object replacement.
  4992. #       Replacement begins when the swap (disk) usage is above the
  4993. #       low-water mark and attempts to maintain utilization near the
  4994. #       low-water mark.  As swap utilization gets close to high-water
  4995. #       mark object eviction becomes more aggressive.  If utilization is
  4996. #       close to the low-water mark less replacement is done each time.
  4997. #
  4998. #       Defaults are 90% and 95%. If you have a large cache, 5% could be
  4999. #       hundreds of MB. If this is the case you may wish to set these
  5000. #       numbers closer together.
  5001. #Default:
  5002. # cache_swap_low 90
  5003. # cache_swap_high 95
  5004.  
  5005. # LOGFILE OPTIONS
  5006. # -----------------------------------------------------------------------------
  5007.  
  5008. #  TAG: logformat
  5009. #       Usage:
  5010. #
  5011. #       logformat <name> <format specification>
  5012. #
  5013. #       Defines an access log format.
  5014. #
  5015. #       The <format specification> is a string with embedded % format codes
  5016. #
  5017. #       % format codes all follow the same basic structure where all but
  5018. #       the formatcode is optional. Output strings are automatically escaped
  5019. #       as required according to their context and the output format
  5020. #       modifiers are usually not needed, but can be specified if an explicit
  5021. #       output format is desired.
  5022. #
  5023. #               % ["|[|'|#] [-] [[0]width] [{argument}] formatcode
  5024. #
  5025. #               "       output in quoted string format
  5026. #               [       output in squid text log format as used by log_mime_hdrs
  5027. #               #       output in URL quoted format
  5028. #               '       output as-is
  5029. #
  5030. #               -       left aligned
  5031. #               width   field width. If starting with 0 the
  5032. #                       output is zero padded
  5033. #               {arg}   argument such as header name etc
  5034. #
  5035. #       Format codes:
  5036. #
  5037. #               %       a literal % character
  5038. #               >a      Client source IP address
  5039. #               >A      Client FQDN
  5040. #               >p      Client source port
  5041. #               <A      Server IP address or peer name
  5042. #               la      Local IP address (http_port)
  5043. #               lp      Local port number (http_port)
  5044. #               ts      Seconds since epoch
  5045. #               tu      subsecond time (milliseconds)
  5046. #               tl      Local time. Optional strftime format argument
  5047. #                               default %d/%b/%Y:%H:%M:%S %z
  5048. #               tg      GMT time. Optional strftime format argument
  5049. #                               default %d/%b/%Y:%H:%M:%S %z
  5050. #               tr      Response time (milliseconds)
  5051. #               dt      Total time spent making DNS lookups (milliseconds)
  5052. #
  5053. #       HTTP cache related format codes:
  5054. #
  5055. #               [http::]>h      Original request header. Optional header name argument
  5056. #                               on the format header[:[separator]element]
  5057. #               [http::]>ha     The HTTP request headers after adaptation and redirection.
  5058. #                               Optional header name argument as for >h
  5059. #               [http::]<h      Reply header. Optional header name argument
  5060. #                               as for >h
  5061. #               [http::]un      User name
  5062. #               [http::]ul      User name from authentication
  5063. #               [http::]ui      User name from ident
  5064. #               [http::]us      User name from SSL
  5065. #               [http::]ue      User name from external acl helper
  5066. #               [http::]>Hs     HTTP status code sent to the client
  5067. #               [http::]<Hs     HTTP status code received from the next hop
  5068. #               [http::]Ss      Squid request status (TCP_MISS etc)
  5069. #               [http::]Sh      Squid hierarchy status (DEFAULT_PARENT etc)
  5070. #               [http::]mt      MIME content type
  5071. #               [http::]rm      Request method (GET/POST etc)
  5072. #               [http::]ru      Request URL
  5073. #               [http::]rp      Request URL-Path excluding hostname
  5074. #               [http::]rv      Request protocol version
  5075. #               [http::]et      Tag returned by external acl
  5076. #               [http::]ea      Log string returned by external acl
  5077. #               [http::]<st     Sent reply size including HTTP headers
  5078. #               [http::]>st     Received request size including HTTP headers. In the
  5079. #                               case of chunked requests the chunked encoding metadata
  5080. #                               are not included
  5081. #               [http::]>sh     Received HTTP request headers size
  5082. #               [http::]<sh     Sent HTTP reply headers size
  5083. #               [http::]st      Request+Reply size including HTTP headers
  5084. #               [http::]<sH     Reply high offset sent
  5085. #               [http::]<sS     Upstream object size
  5086. #               [http::]<pt     Peer response time in milliseconds. The timer starts
  5087. #                               when the last request byte is sent to the next hop
  5088. #                               and stops when the last response byte is received.
  5089. #               [http::]<tt     Total server-side time in milliseconds. The timer
  5090. #                               starts with the first connect request (or write I/O)
  5091. #                               sent to the first selected peer. The timer stops
  5092. #                               with the last I/O with the last peer.
  5093. #
  5094. #       If ICAP is enabled, the following two codes become available (as
  5095. #       well as ICAP log codes documented with the icap_log option):
  5096. #
  5097. #               icap::tt        Total ICAP processing time for the HTTP
  5098. #                               transaction. The timer ticks when ICAP
  5099. #                               ACLs are checked and when ICAP
  5100. #                               transaction is in progress.
  5101. #
  5102. #               icap::<last_h   The header of the last ICAP response
  5103. #                               related to the HTTP transaction. Like
  5104. #                               <h, accepts an optional header name
  5105. #                               argument.  Will not change semantics
  5106. #                               when multiple ICAP transactions per HTTP
  5107. #                               transaction are supported.
  5108. #
  5109. #       If adaptation is enabled the following two codes become available:
  5110. #
  5111. #               adapt::sum_trs Summed adaptation transaction response
  5112. #                               times recorded as a comma-separated list in
  5113. #                               the order of transaction start time. Each time
  5114. #                               value is recorded as an integer number,
  5115. #                               representing response time of one or more
  5116. #                               adaptation (ICAP or eCAP) transaction in
  5117. #                               milliseconds.  When a failed transaction is
  5118. #                               being retried or repeated, its time is not
  5119. #                               logged individually but added to the
  5120. #                               replacement (next) transaction. See also:
  5121. #                               adapt::all_trs.
  5122. #
  5123. #               adapt::all_trs All adaptation transaction response times.
  5124. #                               Same as adaptation_strs but response times of
  5125. #                               individual transactions are never added
  5126. #                               together. Instead, all transaction response
  5127. #                               times are recorded individually.
  5128. #
  5129. #       You can prefix adapt::*_trs format codes with adaptation
  5130. #       service name in curly braces to record response time(s) specific
  5131. #       to that service. For example: %{my_service}adapt::sum_trs
  5132. #
  5133. #       The default formats available (which do not need re-defining) are:
  5134. #
  5135. #logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt
  5136. #logformat squidmime %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt [%>h] [%<h]
  5137. #logformat common %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh
  5138. #logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
  5139. #Default:
  5140. # none
  5141.  
  5142. #  TAG: access_log
  5143. #       These files log client request activities. Has a line every HTTP or
  5144. #       ICP request. The format is:
  5145. #       access_log <filepath> [<logformat name> [acl acl ...]]
  5146. #       access_log none [acl acl ...]]
  5147. #
  5148. #       Will log to the specified file using the specified format (which
  5149. #       must be defined in a logformat directive) those entries which match
  5150. #       ALL the acl's specified (which must be defined in acl clauses).
  5151. #       If no acl is specified, all requests will be logged to this file.
  5152. #
  5153. #       To disable logging of a request use the filepath "none", in which case
  5154. #       a logformat name should not be specified.
  5155. #
  5156. #       To log the request via syslog specify a filepath of "syslog":
  5157. #
  5158. #       access_log syslog[:facility.priority] [format [acl1 [acl2 ....]]]
  5159. #       where facility could be any of:
  5160. #       authpriv, daemon, local0 .. local7 or user.
  5161. #
  5162. #       And priority could be any of:
  5163. #       err, warning, notice, info, debug.
  5164. #
  5165. #       Default:
  5166. #               access_log /var/log/squid3/access.log squid
  5167. #Default:
  5168. # access_log /var/log/squid3/access.log squid
  5169.  
  5170. #  TAG: icap_log
  5171. #       ICAP log files record ICAP transaction summaries, one line per
  5172. #       transaction.
  5173. #
  5174. #       The icap_log option format is:
  5175. #       icap_log <filepath> [<logformat name> [acl acl ...]]
  5176. #       icap_log none [acl acl ...]]
  5177. #      
  5178. #       Please see access_log option documentation for details. The two
  5179. #       kinds of logs share the overall configuration approach and many
  5180. #       features.
  5181. #
  5182. #       ICAP processing of a single HTTP message or transaction may
  5183. #       require multiple ICAP transactions.  In such cases, multiple
  5184. #       ICAP transaction log lines will correspond to a single access
  5185. #       log line.
  5186. #
  5187. #       ICAP log uses logformat codes that make sense for an ICAP
  5188. #       transaction. Header-related codes are applied to the HTTP header
  5189. #       embedded in an ICAP server response, with the following caveats:
  5190. #       For REQMOD, there is no HTTP response header unless the ICAP
  5191. #       server performed request satisfaction. For RESPMOD, the HTTP
  5192. #       request header is the header sent to the ICAP server. For
  5193. #       OPTIONS, there are no HTTP headers.
  5194. #
  5195. #       The following format codes are also available for ICAP logs:
  5196. #
  5197. #               icap::<A        ICAP server IP address. Similar to <A.
  5198. #
  5199. #               icap::<service_name     ICAP service name from the icap_service
  5200. #                               option in Squid configuration file.
  5201. #
  5202. #               icap::ru        ICAP Request-URI. Similar to ru.
  5203. #
  5204. #               icap::rm        ICAP request method (REQMOD, RESPMOD, or
  5205. #                               OPTIONS). Similar to existing rm.
  5206. #
  5207. #               icap::>st       Bytes sent to the ICAP server (TCP payload
  5208. #                               only; i.e., what Squid writes to the socket).
  5209. #
  5210. #               icap::<st       Bytes received from the ICAP server (TCP
  5211. #                               payload only; i.e., what Squid reads from
  5212. #                               the socket).
  5213. #
  5214. #               icap::tr        Transaction response time (in
  5215. #                               milliseconds).  The timer starts when
  5216. #                               the ICAP transaction is created and
  5217. #                               stops when the transaction is completed.
  5218. #                               Similar to tr.
  5219. #
  5220. #               icap::tio       Transaction I/O time (in milliseconds). The
  5221. #                               timer starts when the first ICAP request
  5222. #                               byte is scheduled for sending. The timers
  5223. #                               stops when the last byte of the ICAP response
  5224. #                               is received.
  5225. #
  5226. #               icap::to        Transaction outcome: ICAP_ERR* for all
  5227. #                               transaction errors, ICAP_OPT for OPTION
  5228. #                               transactions, ICAP_ECHO for 204
  5229. #                               responses, ICAP_MOD for message
  5230. #                               modification, and ICAP_SAT for request
  5231. #                               satisfaction. Similar to Ss.
  5232. #
  5233. #               icap::Hs        ICAP response status code. Similar to Hs.
  5234. #
  5235. #               icap::>h        ICAP request header(s). Similar to >h.
  5236. #
  5237. #               icap::<h        ICAP response header(s). Similar to <h.
  5238. #
  5239. #       The default ICAP log format, which can be used without an explicit
  5240. #       definition, is called icap_squid:
  5241. #
  5242. #logformat icap_squid %ts.%03tu %6icap::tr %>a %icap::to/%03icap::Hs %icap::<size %icap::rm %icap::ru% %un -/%icap::<A -
  5243. #
  5244. #       See also: logformat, log_icap, and %icap::<last_h
  5245. #Default:
  5246. # none
  5247.  
  5248. #  TAG: log_access      allow|deny acl acl...
  5249. #       This options allows you to control which requests gets logged
  5250. #       to access.log (see access_log directive). Requests denied for
  5251. #       logging will also not be accounted for in performance counters.
  5252. #
  5253. #       This clause only supports fast acl types.
  5254. #       See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  5255. #Default:
  5256. # none
  5257.  
  5258. #  TAG: log_icap
  5259. #       This options allows you to control which requests get logged
  5260. #       to icap.log. See the icap_log directive for ICAP log details.
  5261. #Default:
  5262. # none
  5263.  
  5264. #  TAG: cache_store_log
  5265. #       Logs the activities of the storage manager.  Shows which
  5266. #       objects are ejected from the cache, and which objects are
  5267. #       saved and for how long.  To disable, enter "none" or remove the line.
  5268. #       There are not really utilities to analyze this data, so you can safely
  5269. #       disable it.
  5270. #
  5271. #       Example:
  5272. #               cache_store_log /var/log/squid3/store.log
  5273. #Default:
  5274. # none
  5275.  
  5276. #  TAG: cache_swap_state
  5277. #       Location for the cache "swap.state" file. This index file holds
  5278. #       the metadata of objects saved on disk.  It is used to rebuild
  5279. #       the cache during startup.  Normally this file resides in each
  5280. #       'cache_dir' directory, but you may specify an alternate
  5281. #       pathname here.  Note you must give a full filename, not just
  5282. #       a directory. Since this is the index for the whole object
  5283. #       list you CANNOT periodically rotate it!
  5284. #
  5285. #       If %s can be used in the file name it will be replaced with a
  5286. #       a representation of the cache_dir name where each / is replaced
  5287. #       with '.'. This is needed to allow adding/removing cache_dir
  5288. #       lines when cache_swap_log is being used.
  5289. #
  5290. #       If have more than one 'cache_dir', and %s is not used in the name
  5291. #       these swap logs will have names such as:
  5292. #
  5293. #               cache_swap_log.00
  5294. #               cache_swap_log.01
  5295. #               cache_swap_log.02
  5296. #
  5297. #       The numbered extension (which is added automatically)
  5298. #       corresponds to the order of the 'cache_dir' lines in this
  5299. #       configuration file.  If you change the order of the 'cache_dir'
  5300. #       lines in this file, these index files will NOT correspond to
  5301. #       the correct 'cache_dir' entry (unless you manually rename
  5302. #       them).  We recommend you do NOT use this option.  It is
  5303. #       better to keep these index files in each 'cache_dir' directory.
  5304. #Default:
  5305. # none
  5306.  
  5307. #  TAG: logfile_rotate
  5308. #       Specifies the number of logfile rotations to make when you
  5309. #       type 'squid -k rotate'. The default is 10, which will rotate
  5310. #       with extensions 0 through 9. Setting logfile_rotate to 0 will
  5311. #       disable the file name rotation, but the logfiles are still closed
  5312. #       and re-opened. This will enable you to rename the logfiles
  5313. #       yourself just before sending the rotate signal.
  5314. #
  5315. #       Note, the 'squid -k rotate' command normally sends a USR1
  5316. #       signal to the running squid process.  In certain situations
  5317. #       (e.g. on Linux with Async I/O), USR1 is used for other
  5318. #       purposes, so -k rotate uses another signal.  It is best to get
  5319. #       in the habit of using 'squid -k rotate' instead of 'kill -USR1
  5320. #       <pid>'.
  5321. #
  5322. #       Note, from Squid-3.1 this option has no effect on the cache.log,
  5323. #       that log can be rotated separately by using debug_options
  5324. #
  5325. #       Note2, for Debian/Linux the default of logfile_rotate is
  5326. #       zero, since it includes external logfile-rotation methods.
  5327. #Default:
  5328. # logfile_rotate 0
  5329.  
  5330. #  TAG: emulate_httpd_log       on|off
  5331. #       The Cache can emulate the log file format which many 'httpd'
  5332. #       programs use.  To disable/enable this emulation, set
  5333. #       emulate_httpd_log to 'off' or 'on'.  The default
  5334. #       is to use the native log format since it includes useful
  5335. #       information Squid-specific log analyzers use.
  5336. #Default:
  5337. # emulate_httpd_log off
  5338.  
  5339. #  TAG: log_ip_on_direct        on|off
  5340. #       Log the destination IP address in the hierarchy log tag when going
  5341. #       direct. Earlier Squid versions logged the hostname here. If you
  5342. #       prefer the old way set this to off.
  5343. #Default:
  5344. # log_ip_on_direct on
  5345.  
  5346. #  TAG: mime_table
  5347. #       Pathname to Squid's MIME table. You shouldn't need to change
  5348. #       this, but the default file contains examples and formatting
  5349. #       information if you do.
  5350. #Default:
  5351. # mime_table /usr/share/squid3/mime.conf
  5352.  
  5353. #  TAG: log_mime_hdrs   on|off
  5354. #       The Cache can record both the request and the response MIME
  5355. #       headers for each HTTP transaction.  The headers are encoded
  5356. #       safely and will appear as two bracketed fields at the end of
  5357. #       the access log (for either the native or httpd-emulated log
  5358. #       formats).  To enable this logging set log_mime_hdrs to 'on'.
  5359. #Default:
  5360. # log_mime_hdrs off
  5361.  
  5362. #  TAG: useragent_log
  5363. # Note: This option is only available if Squid is rebuilt with the
  5364. #       --enable-useragent-log option
  5365. #
  5366. #       Squid will write the User-Agent field from HTTP requests
  5367. #       to the filename specified here.  By default useragent_log
  5368. #       is disabled.
  5369. #Default:
  5370. # none
  5371.  
  5372. #  TAG: referer_log
  5373. # Note: This option is only available if Squid is rebuilt with the
  5374. #       --enable-referer-log option
  5375. #
  5376. #       Squid will write the Referer field from HTTP requests to the
  5377. #       filename specified here.  By default referer_log is disabled.
  5378. #       Note that "referer" is actually a misspelling of "referrer"
  5379. #       however the misspelt version has been accepted into the HTTP RFCs
  5380. #       and we accept both.
  5381. #Default:
  5382. # none
  5383.  
  5384. #  TAG: pid_filename
  5385. #       A filename to write the process-id to.  To disable, enter "none".
  5386. #Default:
  5387. # pid_filename /var/run/squid3.pid
  5388.  
  5389. #  TAG: log_fqdn        on|off
  5390. #       Turn this on if you wish to log fully qualified domain names
  5391. #       in the access.log. To do this Squid does a DNS lookup of all
  5392. #       IP's connecting to it. This can (in some situations) increase
  5393. #       latency, which makes your cache seem slower for interactive
  5394. #       browsing.
  5395. #Default:
  5396. # log_fqdn off
  5397.  
  5398. #  TAG: client_netmask
  5399. #       A netmask for client addresses in logfiles and cachemgr output.
  5400. #       Change this to protect the privacy of your cache clients.
  5401. #       A netmask of 255.255.255.0 will log all IP's in that range with
  5402. #       the last digit set to '0'.
  5403. #Default:
  5404. # client_netmask no_addr
  5405.  
  5406. #  TAG: forward_log
  5407. # Note: This option is only available if Squid is rebuilt with the
  5408. #       -DWIP_FWD_LOG define
  5409. #
  5410. #       Logs the server-side requests.
  5411. #
  5412. #       This is currently work in progress.
  5413. #Default:
  5414. # none
  5415.  
  5416. #  TAG: strip_query_terms
  5417. #       By default, Squid strips query terms from requested URLs before
  5418. #       logging.  This protects your user's privacy.
  5419. #Default:
  5420. # strip_query_terms on
  5421.  
  5422. #  TAG: buffered_logs   on|off
  5423. #       cache.log log file is written with stdio functions, and as such
  5424. #       it can be buffered or unbuffered. By default it will be unbuffered.
  5425. #       Buffering it can speed up the writing slightly (though you are
  5426. #       unlikely to need to worry unless you run with tons of debugging
  5427. #       enabled in which case performance will suffer badly anyway..).
  5428. #Default:
  5429. # buffered_logs off
  5430.  
  5431. #  TAG: netdb_filename
  5432. # Note: This option is only available if Squid is rebuilt with the
  5433. #       --enable-icmp option
  5434. #
  5435. #       A filename where Squid stores it's netdb state between restarts.
  5436. #       To disable, enter "none".
  5437. #Default:
  5438. # netdb_filename /var/log/squid3/netdb.state
  5439.  
  5440. # OPTIONS FOR TROUBLESHOOTING
  5441. # -----------------------------------------------------------------------------
  5442.  
  5443. #  TAG: cache_log
  5444. #       Cache logging file. This is where general information about
  5445. #       your cache's behavior goes. You can increase the amount of data
  5446. #       logged to this file and how often its rotated with "debug_options"
  5447. #Default:
  5448. # cache_log /var/log/squid3/cache.log
  5449.  
  5450. #  TAG: debug_options
  5451. #       Logging options are set as section,level where each source file
  5452. #       is assigned a unique section.  Lower levels result in less
  5453. #       output,  Full debugging (level 9) can result in a very large
  5454. #       log file, so be careful.
  5455. #
  5456. #       The magic word "ALL" sets debugging levels for all sections.
  5457. #       We recommend normally running with "ALL,1".
  5458. #
  5459. #       The rotate=N option can be used to keep more or less of these logs
  5460. #       than would otherwise be kept by logfile_rotate.
  5461. #       For most uses a single log should be enough to monitor current
  5462. #       events affecting Squid.
  5463. #Default:
  5464. # debug_options ALL,1
  5465.  
  5466. #  TAG: coredump_dir
  5467. #       By default Squid leaves core files in the directory from where
  5468. #       it was started. If you set 'coredump_dir' to a directory
  5469. #       that exists, Squid will chdir() to that directory at startup
  5470. #       and coredump files will be left there.
  5471. #
  5472. #Default:
  5473. # coredump_dir none
  5474. #
  5475.  
  5476. # Leave coredumps in the first cache dir
  5477. coredump_dir /var/spool/squid3
  5478.  
  5479. # OPTIONS FOR FTP GATEWAYING
  5480. # -----------------------------------------------------------------------------
  5481.  
  5482. #  TAG: ftp_user
  5483. #       If you want the anonymous login password to be more informative
  5484. #       (and enable the use of picky ftp servers), set this to something
  5485. #       reasonable for your domain, like wwwuser@somewhere.net
  5486. #
  5487. #       The reason why this is domainless by default is the
  5488. #       request can be made on the behalf of a user in any domain,
  5489. #       depending on how the cache is used.
  5490. #       Some ftp server also validate the email address is valid
  5491. #       (for example perl.com).
  5492. #Default:
  5493. # ftp_user Squid@
  5494.  
  5495. #  TAG: ftp_list_width
  5496. #       Sets the width of ftp listings. This should be set to fit in
  5497. #       the width of a standard browser. Setting this too small
  5498. #       can cut off long filenames when browsing ftp sites.
  5499. #Default:
  5500. # ftp_list_width 32
  5501.  
  5502. #  TAG: ftp_passive
  5503. #       If your firewall does not allow Squid to use passive
  5504. #       connections, turn off this option.
  5505. #
  5506. #       Use of ftp_epsv_all option requires this to be ON.
  5507. #Default:
  5508. # ftp_passive on
  5509.  
  5510. #  TAG: ftp_epsv_all
  5511. #       FTP Protocol extensions permit the use of a special "EPSV ALL" command.
  5512. #
  5513. #       NATs may be able to put the connection on a "fast path" through the
  5514. #       translator, as the EPRT command will never be used and therefore,
  5515. #       translation of the data portion of the segments will never be needed.
  5516. #
  5517. #       When a client only expects to do two-way FTP transfers this may be
  5518. #       useful.
  5519. #       If squid finds that it must do a three-way FTP transfer after issuing
  5520. #       an EPSV ALL command, the FTP session will fail.
  5521. #
  5522. #       If you have any doubts about this option do not use it.
  5523. #       Squid will nicely attempt all other connection methods.
  5524. #
  5525. #       Requires ftp_passive to be ON (default) for any effect.
  5526. #Default:
  5527. # ftp_epsv_all off
  5528.  
  5529. #  TAG: ftp_epsv
  5530. #       FTP Protocol extensions permit the use of a special "EPSV" command.
  5531. #
  5532. #       NATs may be able to put the connection on a "fast path" through the
  5533. #       translator using EPSV, as the EPRT command will never be used
  5534. #       and therefore, translation of the data portion of the segments
  5535. #       will never be needed.
  5536. #
  5537. #       Turning this OFF will prevent EPSV being attempted.
  5538. #       WARNING: Doing so will convert Squid back to the old behavior with all
  5539. #       the related problems with external NAT devices/layers.
  5540. #
  5541. #       Requires ftp_passive to be ON (default) for any effect.
  5542. #Default:
  5543. # ftp_epsv on
  5544.  
  5545. #  TAG: ftp_sanitycheck
  5546. #       For security and data integrity reasons Squid by default performs
  5547. #       sanity checks of the addresses of FTP data connections ensure the
  5548. #       data connection is to the requested server. If you need to allow
  5549. #       FTP connections to servers using another IP address for the data
  5550. #       connection turn this off.
  5551. #Default:
  5552. # ftp_sanitycheck on
  5553.  
  5554. #  TAG: ftp_telnet_protocol
  5555. #       The FTP protocol is officially defined to use the telnet protocol
  5556. #       as transport channel for the control connection. However, many
  5557. #       implementations are broken and does not respect this aspect of
  5558. #       the FTP protocol.
  5559. #
  5560. #       If you have trouble accessing files with ASCII code 255 in the
  5561. #       path or similar problems involving this ASCII code you can
  5562. #       try setting this directive to off. If that helps, report to the
  5563. #       operator of the FTP server in question that their FTP server
  5564. #       is broken and does not follow the FTP standard.
  5565. #Default:
  5566. # ftp_telnet_protocol on
  5567.  
  5568. # OPTIONS FOR EXTERNAL SUPPORT PROGRAMS
  5569. # -----------------------------------------------------------------------------
  5570.  
  5571. #  TAG: diskd_program
  5572. #       Specify the location of the diskd executable.
  5573. #       Note this is only useful if you have compiled in
  5574. #       diskd as one of the store io modules.
  5575. #Default:
  5576. # diskd_program /usr/lib/squid3/diskd
  5577.  
  5578. #  TAG: unlinkd_program
  5579. #       Specify the location of the executable for file deletion process.
  5580. #Default:
  5581. # unlinkd_program /usr/lib/squid3/unlinkd
  5582.  
  5583. #  TAG: pinger_program
  5584. # Note: This option is only available if Squid is rebuilt with the
  5585. #       --enable-icmp option
  5586. #
  5587. #       Specify the location of the executable for the pinger process.
  5588. #Default:
  5589. # pinger_program /usr/lib/squid3/pinger
  5590.  
  5591. #  TAG: pinger_enable
  5592. # Note: This option is only available if Squid is rebuilt with the
  5593. #       --enable-icmp option
  5594. #
  5595. #       Control whether the pinger is active at run-time.
  5596. #       Enables turning ICMP pinger on and off with a simple
  5597. #       squid -k reconfigure.
  5598. #Default:
  5599. # pinger_enable off
  5600.  
  5601. # OPTIONS FOR URL REWRITING
  5602. # -----------------------------------------------------------------------------
  5603.  
  5604. #  TAG: url_rewrite_program
  5605. #       Specify the location of the executable for the URL rewriter.
  5606. #       Since they can perform almost any function there isn't one included.
  5607. #
  5608. #       For each requested URL rewriter will receive on line with the format
  5609. #
  5610. #       URL <SP> client_ip "/" fqdn <SP> user <SP> method [<SP> kvpairs]<NL>
  5611. #
  5612. #       In the future, the rewriter interface will be extended with
  5613. #       key=value pairs ("kvpairs" shown above).  Rewriter programs
  5614. #       should be prepared to receive and possibly ignore additional
  5615. #       whitespace-separated tokens on each input line.
  5616. #
  5617. #       And the rewriter may return a rewritten URL. The other components of
  5618. #       the request line does not need to be returned (ignored if they are).
  5619. #
  5620. #       The rewriter can also indicate that a client-side redirect should
  5621. #       be performed to the new URL. This is done by prefixing the returned
  5622. #       URL with "301:" (moved permanently) or 302: (moved temporarily).
  5623. #
  5624. #       By default, a URL rewriter is not used.
  5625. #Default:
  5626. # none
  5627.  
  5628. #  TAG: url_rewrite_children
  5629. #       The number of redirector processes to spawn. If you start
  5630. #       too few Squid will have to wait for them to process a backlog of
  5631. #       URLs, slowing it down. If you start too many they will use RAM
  5632. #       and other system resources.
  5633. #Default:
  5634. # url_rewrite_children 5
  5635.  
  5636. #  TAG: url_rewrite_concurrency
  5637. #       The number of requests each redirector helper can handle in
  5638. #       parallel. Defaults to 0 which indicates the redirector
  5639. #       is a old-style single threaded redirector.
  5640. #
  5641. #       When this directive is set to a value >= 1 then the protocol
  5642. #       used to communicate with the helper is modified to include
  5643. #       a request ID in front of the request/response. The request
  5644. #       ID from the request must be echoed back with the response
  5645. #       to that request.
  5646. #Default:
  5647. # url_rewrite_concurrency 0
  5648.  
  5649. #  TAG: url_rewrite_host_header
  5650. #       By default Squid rewrites any Host: header in redirected
  5651. #       requests.  If you are running an accelerator this may
  5652. #       not be a wanted effect of a redirector.
  5653. #
  5654. #       WARNING: Entries are cached on the result of the URL rewriting
  5655. #       process, so be careful if you have domain-virtual hosts.
  5656. #Default:
  5657. # url_rewrite_host_header on
  5658.  
  5659. #  TAG: url_rewrite_access
  5660. #       If defined, this access list specifies which requests are
  5661. #       sent to the redirector processes.  By default all requests
  5662. #       are sent.
  5663. #
  5664. #       This clause supports both fast and slow acl types.
  5665. #       See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  5666. #Default:
  5667. # none
  5668.  
  5669. #  TAG: url_rewrite_bypass
  5670. #       When this is 'on', a request will not go through the
  5671. #       redirector if all redirectors are busy.  If this is 'off'
  5672. #       and the redirector queue grows too large, Squid will exit
  5673. #       with a FATAL error and ask you to increase the number of
  5674. #       redirectors.  You should only enable this if the redirectors
  5675. #       are not critical to your caching system.  If you use
  5676. #       redirectors for access control, and you enable this option,
  5677. #       users may have access to pages they should not
  5678. #       be allowed to request.
  5679. #Default:
  5680. # url_rewrite_bypass off
  5681.  
  5682. # OPTIONS FOR TUNING THE CACHE
  5683. # -----------------------------------------------------------------------------
  5684.  
  5685. #  TAG: cache
  5686. #       A list of ACL elements which, if matched and denied, cause the request to
  5687. #       not be satisfied from the cache and the reply to not be cached.
  5688. #       In other words, use this to force certain objects to never be cached.
  5689. #
  5690. #       You must use the words 'allow' or 'deny' to indicate whether items
  5691. #       matching the ACL should be allowed or denied into the cache.
  5692. #
  5693. #       Default is to allow all to be cached.
  5694. #
  5695. #       This clause supports both fast and slow acl types.
  5696. #       See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  5697. #Default:
  5698. # none
  5699.  
  5700. #  TAG: refresh_pattern
  5701. #       usage: refresh_pattern [-i] regex min percent max [options]
  5702. #
  5703. #       By default, regular expressions are CASE-SENSITIVE.  To make
  5704. #       them case-insensitive, use the -i option.
  5705. #
  5706. #       'Min' is the time (in minutes) an object without an explicit
  5707. #       expiry time should be considered fresh. The recommended
  5708. #       value is 0, any higher values may cause dynamic applications
  5709. #       to be erroneously cached unless the application designer
  5710. #       has taken the appropriate actions.
  5711. #
  5712. #       'Percent' is a percentage of the objects age (time since last
  5713. #       modification age) an object without explicit expiry time
  5714. #       will be considered fresh.
  5715. #
  5716. #       'Max' is an upper limit on how long objects without an explicit
  5717. #       expiry time will be considered fresh.
  5718. #
  5719. #       options: override-expire
  5720. #                override-lastmod
  5721. #                reload-into-ims
  5722. #                ignore-reload
  5723. #                ignore-no-cache
  5724. #                ignore-no-store
  5725. #                ignore-must-revalidate
  5726. #                ignore-private
  5727. #                ignore-auth
  5728. #                refresh-ims
  5729. #
  5730. #               override-expire enforces min age even if the server
  5731. #               sent an explicit expiry time (e.g., with the
  5732. #               Expires: header or Cache-Control: max-age). Doing this
  5733. #               VIOLATES the HTTP standard.  Enabling this feature
  5734. #               could make you liable for problems which it causes.
  5735. #
  5736. #               Note: override-expire does not enforce staleness - it only extends
  5737. #               freshness / min. If the server returns a Expires time which
  5738. #               is longer than your max time, Squid will still consider
  5739. #               the object fresh for that period of time.
  5740. #
  5741. #               override-lastmod enforces min age even on objects
  5742. #               that were modified recently.
  5743. #
  5744. #               reload-into-ims changes client no-cache or ``reload''
  5745. #               to If-Modified-Since requests. Doing this VIOLATES the
  5746. #               HTTP standard. Enabling this feature could make you
  5747. #               liable for problems which it causes.
  5748. #
  5749. #               ignore-reload ignores a client no-cache or ``reload''
  5750. #               header. Doing this VIOLATES the HTTP standard. Enabling
  5751. #               this feature could make you liable for problems which
  5752. #               it causes.
  5753. #
  5754. #               ignore-no-cache ignores any ``Pragma: no-cache'' and
  5755. #               ``Cache-control: no-cache'' headers received from a server.
  5756. #               The HTTP RFC never allows the use of this (Pragma) header
  5757. #               from a server, only a client, though plenty of servers
  5758. #               send it anyway.
  5759. #
  5760. #               ignore-no-store ignores any ``Cache-control: no-store''
  5761. #               headers received from a server. Doing this VIOLATES
  5762. #               the HTTP standard. Enabling this feature could make you
  5763. #               liable for problems which it causes.
  5764. #
  5765. #               ignore-must-revalidate ignores any ``Cache-Control: must-revalidate``
  5766. #               headers received from a server. Doing this VIOLATES
  5767. #               the HTTP standard. Enabling this feature could make you
  5768. #               liable for problems which it causes.
  5769. #
  5770. #               ignore-private ignores any ``Cache-control: private''
  5771. #               headers received from a server. Doing this VIOLATES
  5772. #               the HTTP standard. Enabling this feature could make you
  5773. #               liable for problems which it causes.
  5774. #
  5775. #               ignore-auth caches responses to requests with authorization,
  5776. #               as if the originserver had sent ``Cache-control: public''
  5777. #               in the response header. Doing this VIOLATES the HTTP standard.
  5778. #               Enabling this feature could make you liable for problems which
  5779. #               it causes.
  5780. #
  5781. #               refresh-ims causes squid to contact the origin server
  5782. #               when a client issues an If-Modified-Since request. This
  5783. #               ensures that the client will receive an updated version
  5784. #               if one is available.
  5785. #
  5786. #       Basically a cached object is:
  5787. #
  5788. #               FRESH if expires < now, else STALE
  5789. #               STALE if age > max
  5790. #               FRESH if lm-factor < percent, else STALE
  5791. #               FRESH if age < min
  5792. #               else STALE
  5793. #
  5794. #       The refresh_pattern lines are checked in the order listed here.
  5795. #       The first entry which matches is used.  If none of the entries
  5796. #       match the default will be used.
  5797. #
  5798. #       Note, you must uncomment all the default lines if you want
  5799. #       to change one. The default setting is only active if none is
  5800. #       used.
  5801. #
  5802. #
  5803.  
  5804. # Add any of your own refresh_pattern entries above these.
  5805. refresh_pattern ^ftp:           1440    20%     10080
  5806. refresh_pattern ^gopher:        1440    0%      1440
  5807. refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
  5808. refresh_pattern .               0       20%     4320
  5809.  
  5810. #  TAG: quick_abort_min (KB)
  5811. #  TAG: quick_abort_max (KB)
  5812. #  TAG: quick_abort_pct (percent)
  5813. #       The cache by default continues downloading aborted requests
  5814. #       which are almost completed (less than 16 KB remaining). This
  5815. #       may be undesirable on slow (e.g. SLIP) links and/or very busy
  5816. #       caches.  Impatient users may tie up file descriptors and
  5817. #       bandwidth by repeatedly requesting and immediately aborting
  5818. #       downloads.
  5819. #
  5820. #       When the user aborts a request, Squid will check the
  5821. #       quick_abort values to the amount of data transfered until
  5822. #       then.
  5823. #
  5824. #       If the transfer has less than 'quick_abort_min' KB remaining,
  5825. #       it will finish the retrieval.
  5826. #
  5827. #       If the transfer has more than 'quick_abort_max' KB remaining,
  5828. #       it will abort the retrieval.
  5829. #
  5830. #       If more than 'quick_abort_pct' of the transfer has completed,
  5831. #       it will finish the retrieval.
  5832. #
  5833. #       If you do not want any retrieval to continue after the client
  5834. #       has aborted, set both 'quick_abort_min' and 'quick_abort_max'
  5835. #       to '0 KB'.
  5836. #
  5837. #       If you want retrievals to always continue if they are being
  5838. #       cached set 'quick_abort_min' to '-1 KB'.
  5839. #Default:
  5840. # quick_abort_min 16 KB
  5841. # quick_abort_max 16 KB
  5842. # quick_abort_pct 95
  5843.  
  5844. #  TAG: read_ahead_gap  buffer-size
  5845. #       The amount of data the cache will buffer ahead of what has been
  5846. #       sent to the client when retrieving an object from another server.
  5847. #Default:
  5848. # read_ahead_gap 16 KB
  5849.  
  5850. #  TAG: negative_ttl    time-units
  5851. #       Set the Default Time-to-Live (TTL) for failed requests.
  5852. #       Certain types of failures (such as "connection refused" and
  5853. #       "404 Not Found") are able to be negatively-cached for a short time.
  5854. #       Modern web servers should provide Expires: header, however if they
  5855. #       do not this can provide a minimum TTL.
  5856. #       The default is not to cache errors with unknown expiry details.
  5857. #
  5858. #       Note that this is different from negative caching of DNS lookups.
  5859. #
  5860. #       WARNING: Doing this VIOLATES the HTTP standard.  Enabling
  5861. #       this feature could make you liable for problems which it
  5862. #       causes.
  5863. #Default:
  5864. # negative_ttl 0 seconds
  5865.  
  5866. #  TAG: positive_dns_ttl        time-units
  5867. #       Upper limit on how long Squid will cache positive DNS responses.
  5868. #       Default is 6 hours (360 minutes). This directive must be set
  5869. #       larger than negative_dns_ttl.
  5870. #Default:
  5871. # positive_dns_ttl 6 hours
  5872.  
  5873. #  TAG: negative_dns_ttl        time-units
  5874. #       Time-to-Live (TTL) for negative caching of failed DNS lookups.
  5875. #       This also sets the lower cache limit on positive lookups.
  5876. #       Minimum value is 1 second, and it is not recommendable to go
  5877. #       much below 10 seconds.
  5878. #Default:
  5879. # negative_dns_ttl 1 minutes
  5880.  
  5881. #  TAG: range_offset_limit      (bytes)
  5882. #       Sets a upper limit on how far into the the file a Range request
  5883. #       may be to cause Squid to prefetch the whole file. If beyond this
  5884. #       limit Squid forwards the Range request as it is and the result
  5885. #       is NOT cached.
  5886. #
  5887. #       This is to stop a far ahead range request (lets say start at 17MB)
  5888. #       from making Squid fetch the whole object up to that point before
  5889. #       sending anything to the client.
  5890. #
  5891. #       A value of 0 causes Squid to never fetch more than the
  5892. #       client requested. (default)
  5893. #
  5894. #       A value of -1 causes Squid to always fetch the object from the
  5895. #       beginning so it may cache the result. (2.0 style)
  5896. #
  5897. #       NP: Using -1 here will override any quick_abort settings that may
  5898. #           otherwise apply to the range request. The range request will
  5899. #           be fully fetched from start to finish regardless of the client
  5900. #           actions. This affects bandwidth usage.
  5901. #Default:
  5902. # range_offset_limit 0 KB
  5903.  
  5904. #  TAG: minimum_expiry_time     (seconds)
  5905. #       The minimum caching time according to (Expires - Date)
  5906. #       Headers Squid honors if the object can't be revalidated
  5907. #       defaults to 60 seconds. In reverse proxy environments it
  5908. #       might be desirable to honor shorter object lifetimes. It
  5909. #       is most likely better to make your server return a
  5910. #       meaningful Last-Modified header however. In ESI environments
  5911. #       where page fragments often have short lifetimes, this will
  5912. #       often be best set to 0.
  5913. #Default:
  5914. # minimum_expiry_time 60 seconds
  5915.  
  5916. #  TAG: store_avg_object_size   (kbytes)
  5917. #       Average object size, used to estimate number of objects your
  5918. #       cache can hold.  The default is 13 KB.
  5919. #Default:
  5920. # store_avg_object_size 13 KB
  5921.  
  5922. #  TAG: store_objects_per_bucket
  5923. #       Target number of objects per bucket in the store hash table.
  5924. #       Lowering this value increases the total number of buckets and
  5925. #       also the storage maintenance rate.  The default is 20.
  5926. #Default:
  5927. # store_objects_per_bucket 20
  5928.  
  5929. # HTTP OPTIONS
  5930. # -----------------------------------------------------------------------------
  5931.  
  5932. #  TAG: request_header_max_size (KB)
  5933. #       This specifies the maximum size for HTTP headers in a request.
  5934. #       Request headers are usually relatively small (about 512 bytes).
  5935. #       Placing a limit on the request header size will catch certain
  5936. #       bugs (for example with persistent connections) and possibly
  5937. #       buffer-overflow or denial-of-service attacks.
  5938. #Default:
  5939. # request_header_max_size 64 KB
  5940.  
  5941. #  TAG: reply_header_max_size   (KB)
  5942. #       This specifies the maximum size for HTTP headers in a reply.
  5943. #       Reply headers are usually relatively small (about 512 bytes).
  5944. #       Placing a limit on the reply header size will catch certain
  5945. #       bugs (for example with persistent connections) and possibly
  5946. #       buffer-overflow or denial-of-service attacks.
  5947. #Default:
  5948. # reply_header_max_size 64 KB
  5949.  
  5950. #  TAG: request_body_max_size   (bytes)
  5951. #       This specifies the maximum size for an HTTP request body.
  5952. #       In other words, the maximum size of a PUT/POST request.
  5953. #       A user who attempts to send a request with a body larger
  5954. #       than this limit receives an "Invalid Request" error message.
  5955. #       If you set this parameter to a zero (the default), there will
  5956. #       be no limit imposed.
  5957. #Default:
  5958. # request_body_max_size 0 KB
  5959.  
  5960. #  TAG: chunked_request_body_max_size   (bytes)
  5961. #       A broken or confused HTTP/1.1 client may send a chunked HTTP
  5962. #       request to Squid. Squid does not have full support for that
  5963. #       feature yet. To cope with such requests, Squid buffers the
  5964. #       entire request and then dechunks request body to create a
  5965. #       plain HTTP/1.0 request with a known content length. The plain
  5966. #       request is then used by the rest of Squid code as usual.
  5967. #
  5968. #       The option value specifies the maximum size of the buffer used
  5969. #       to hold the request before the conversion. If the chunked
  5970. #       request size exceeds the specified limit, the conversion
  5971. #       fails, and the client receives an "unsupported request" error,
  5972. #       as if dechunking was disabled.
  5973. #
  5974. #       Dechunking is enabled by default. To disable conversion of
  5975. #       chunked requests, set the maximum to zero.
  5976. #
  5977. #       Request dechunking feature and this option in particular are a
  5978. #       temporary hack. When chunking requests and responses are fully
  5979. #       supported, there will be no need to buffer a chunked request.
  5980. #Default:
  5981. # chunked_request_body_max_size 64 KB
  5982.  
  5983. #  TAG: broken_posts
  5984. #       A list of ACL elements which, if matched, causes Squid to send
  5985. #       an extra CRLF pair after the body of a PUT/POST request.
  5986. #
  5987. #       Some HTTP servers has broken implementations of PUT/POST,
  5988. #       and rely on an extra CRLF pair sent by some WWW clients.
  5989. #
  5990. #       Quote from RFC2616 section 4.1 on this matter:
  5991. #
  5992. #         Note: certain buggy HTTP/1.0 client implementations generate an
  5993. #         extra CRLF's after a POST request. To restate what is explicitly
  5994. #         forbidden by the BNF, an HTTP/1.1 client must not preface or follow
  5995. #         a request with an extra CRLF.
  5996. #
  5997. #       This clause only supports fast acl types.
  5998. #       See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  5999. #
  6000. #Example:
  6001. # acl buggy_server url_regex ^http://....
  6002. # broken_posts allow buggy_server
  6003. #Default:
  6004. # none
  6005.  
  6006. #  TAG: icap_uses_indirect_client       on|off
  6007. #   Controls whether the indirect client address
  6008. #   (see follow_x_forwarded_for) instead of the
  6009. #   direct client address is passed to an ICAP
  6010. #   server as "X-Client-IP".
  6011. #Default:
  6012. # icap_uses_indirect_client on
  6013.  
  6014. #  TAG: via     on|off
  6015. #       If set (default), Squid will include a Via header in requests and
  6016. #       replies as required by RFC2616.
  6017. #Default:
  6018. # via on
  6019.  
  6020. #  TAG: ie_refresh      on|off
  6021. #       Microsoft Internet Explorer up until version 5.5 Service
  6022. #       Pack 1 has an issue with transparent proxies, wherein it
  6023. #       is impossible to force a refresh.  Turning this on provides
  6024. #       a partial fix to the problem, by causing all IMS-REFRESH
  6025. #       requests from older IE versions to check the origin server
  6026. #       for fresh content.  This reduces hit ratio by some amount
  6027. #       (~10% in my experience), but allows users to actually get
  6028. #       fresh content when they want it.  Note because Squid
  6029. #       cannot tell if the user is using 5.5 or 5.5SP1, the behavior
  6030. #       of 5.5 is unchanged from old versions of Squid (i.e. a
  6031. #       forced refresh is impossible).  Newer versions of IE will,
  6032. #       hopefully, continue to have the new behavior and will be
  6033. #       handled based on that assumption.  This option defaults to
  6034. #       the old Squid behavior, which is better for hit ratios but
  6035. #       worse for clients using IE, if they need to be able to
  6036. #       force fresh content.
  6037. #Default:
  6038. # ie_refresh off
  6039.  
  6040. #  TAG: vary_ignore_expire      on|off
  6041. #       Many HTTP servers supporting Vary gives such objects
  6042. #       immediate expiry time with no cache-control header
  6043. #       when requested by a HTTP/1.0 client. This option
  6044. #       enables Squid to ignore such expiry times until
  6045. #       HTTP/1.1 is fully implemented.
  6046. #
  6047. #       WARNING: If turned on this may eventually cause some
  6048. #       varying objects not intended for caching to get cached.
  6049. #Default:
  6050. # vary_ignore_expire off
  6051.  
  6052. #  TAG: request_entities
  6053. #       Squid defaults to deny GET and HEAD requests with request entities,
  6054. #       as the meaning of such requests are undefined in the HTTP standard
  6055. #       even if not explicitly forbidden.
  6056. #
  6057. #       Set this directive to on if you have clients which insists
  6058. #       on sending request entities in GET or HEAD requests. But be warned
  6059. #       that there is server software (both proxies and web servers) which
  6060. #       can fail to properly process this kind of request which may make you
  6061. #       vulnerable to cache pollution attacks if enabled.
  6062. #Default:
  6063. # request_entities off
  6064.  
  6065. #  TAG: request_header_access
  6066. #       Usage: request_header_access header_name allow|deny [!]aclname ...
  6067. #
  6068. #       WARNING: Doing this VIOLATES the HTTP standard.  Enabling
  6069. #       this feature could make you liable for problems which it
  6070. #       causes.
  6071. #
  6072. #       This option replaces the old 'anonymize_headers' and the
  6073. #       older 'http_anonymizer' option with something that is much
  6074. #       more configurable. This new method creates a list of ACLs
  6075. #       for each header, allowing you very fine-tuned header
  6076. #       mangling.
  6077. #
  6078. #       This option only applies to request headers, i.e., from the
  6079. #       client to the server.
  6080. #
  6081. #       You can only specify known headers for the header name.
  6082. #       Other headers are reclassified as 'Other'. You can also
  6083. #       refer to all the headers with 'All'.
  6084. #
  6085. #       For example, to achieve the same behavior as the old
  6086. #       'http_anonymizer standard' option, you should use:
  6087. #
  6088. #               request_header_access From deny all
  6089. #               request_header_access Referer deny all
  6090. #               request_header_access Server deny all
  6091. #               request_header_access User-Agent deny all
  6092. #               request_header_access WWW-Authenticate deny all
  6093. #               request_header_access Link deny all
  6094. #
  6095. #       Or, to reproduce the old 'http_anonymizer paranoid' feature
  6096. #       you should use:
  6097. #
  6098. #               request_header_access Allow allow all
  6099. #               request_header_access Authorization allow all
  6100. #               request_header_access WWW-Authenticate allow all
  6101. #               request_header_access Proxy-Authorization allow all
  6102. #               request_header_access Proxy-Authenticate allow all
  6103. #               request_header_access Cache-Control allow all
  6104. #               request_header_access Content-Encoding allow all
  6105. #               request_header_access Content-Length allow all
  6106. #               request_header_access Content-Type allow all
  6107. #               request_header_access Date allow all
  6108. #               request_header_access Expires allow all
  6109. #               request_header_access Host allow all
  6110. #               request_header_access If-Modified-Since allow all
  6111. #               request_header_access Last-Modified allow all
  6112. #               request_header_access Location allow all
  6113. #               request_header_access Pragma allow all
  6114. #               request_header_access Accept allow all
  6115. #               request_header_access Accept-Charset allow all
  6116. #               request_header_access Accept-Encoding allow all
  6117. #               request_header_access Accept-Language allow all
  6118. #               request_header_access Content-Language allow all
  6119. #               request_header_access Mime-Version allow all
  6120. #               request_header_access Retry-After allow all
  6121. #               request_header_access Title allow all
  6122. #               request_header_access Connection allow all
  6123. #               request_header_access Proxy-Connection allow all
  6124. #               request_header_access All deny all
  6125. #
  6126. #       although many of those are HTTP reply headers, and so should be
  6127. #       controlled with the reply_header_access directive.
  6128. #
  6129. #       By default, all headers are allowed (no anonymizing is
  6130. #       performed).
  6131. #Default:
  6132. # none
  6133.  
  6134. #  TAG: reply_header_access
  6135. #       Usage: reply_header_access header_name allow|deny [!]aclname ...
  6136. #
  6137. #       WARNING: Doing this VIOLATES the HTTP standard.  Enabling
  6138. #       this feature could make you liable for problems which it
  6139. #       causes.
  6140. #
  6141. #       This option only applies to reply headers, i.e., from the
  6142. #       server to the client.
  6143. #
  6144. #       This is the same as request_header_access, but in the other
  6145. #       direction.
  6146. #
  6147. #       This option replaces the old 'anonymize_headers' and the
  6148. #       older 'http_anonymizer' option with something that is much
  6149. #       more configurable. This new method creates a list of ACLs
  6150. #       for each header, allowing you very fine-tuned header
  6151. #       mangling.
  6152. #
  6153. #       You can only specify known headers for the header name.
  6154. #       Other headers are reclassified as 'Other'. You can also
  6155. #       refer to all the headers with 'All'.
  6156. #
  6157. #       For example, to achieve the same behavior as the old
  6158. #       'http_anonymizer standard' option, you should use:
  6159. #
  6160. #               reply_header_access From deny all
  6161. #               reply_header_access Referer deny all
  6162. #               reply_header_access Server deny all
  6163. #               reply_header_access User-Agent deny all
  6164. #               reply_header_access WWW-Authenticate deny all
  6165. #               reply_header_access Link deny all
  6166. #
  6167. #       Or, to reproduce the old 'http_anonymizer paranoid' feature
  6168. #       you should use:
  6169. #
  6170. #               reply_header_access Allow allow all
  6171. #               reply_header_access Authorization allow all
  6172. #               reply_header_access WWW-Authenticate allow all
  6173. #               reply_header_access Proxy-Authorization allow all
  6174. #               reply_header_access Proxy-Authenticate allow all
  6175. #               reply_header_access Cache-Control allow all
  6176. #               reply_header_access Content-Encoding allow all
  6177. #               reply_header_access Content-Length allow all
  6178. #               reply_header_access Content-Type allow all
  6179. #               reply_header_access Date allow all
  6180. #               reply_header_access Expires allow all
  6181. #               reply_header_access Host allow all
  6182. #               reply_header_access If-Modified-Since allow all
  6183. #               reply_header_access Last-Modified allow all
  6184. #               reply_header_access Location allow all
  6185. #               reply_header_access Pragma allow all
  6186. #               reply_header_access Accept allow all
  6187. #               reply_header_access Accept-Charset allow all
  6188. #               reply_header_access Accept-Encoding allow all
  6189. #               reply_header_access Accept-Language allow all
  6190. #               reply_header_access Content-Language allow all
  6191. #               reply_header_access Mime-Version allow all
  6192. #               reply_header_access Retry-After allow all
  6193. #               reply_header_access Title allow all
  6194. #               reply_header_access Connection allow all
  6195. #               reply_header_access Proxy-Connection allow all
  6196. #               reply_header_access All deny all
  6197. #
  6198. #       although the HTTP request headers won't be usefully controlled
  6199. #       by this directive -- see request_header_access for details.
  6200. #
  6201. #       By default, all headers are allowed (no anonymizing is
  6202. #       performed).
  6203. #Default:
  6204. # none
  6205.  
  6206. #  TAG: header_replace
  6207. #       Usage:   header_replace header_name message
  6208. #       Example: header_replace User-Agent Nutscrape/1.0 (CP/M; 8-bit)
  6209. #
  6210. #       This option allows you to change the contents of headers
  6211. #       denied with header_access above, by replacing them with
  6212. #       some fixed string. This replaces the old fake_user_agent
  6213. #       option.
  6214. #
  6215. #       This only applies to request headers, not reply headers.
  6216. #
  6217. #       By default, headers are removed if denied.
  6218. #Default:
  6219. # none
  6220.  
  6221. #  TAG: relaxed_header_parser   on|off|warn
  6222. #       In the default "on" setting Squid accepts certain forms
  6223. #       of non-compliant HTTP messages where it is unambiguous
  6224. #       what the sending application intended even if the message
  6225. #       is not correctly formatted. The messages is then normalized
  6226. #       to the correct form when forwarded by Squid.
  6227. #
  6228. #       If set to "warn" then a warning will be emitted in cache.log
  6229. #       each time such HTTP error is encountered.
  6230. #
  6231. #       If set to "off" then such HTTP errors will cause the request
  6232. #       or response to be rejected.
  6233. #Default:
  6234. # relaxed_header_parser on
  6235.  
  6236. #  TAG: ignore_expect_100       on|off
  6237. #       This option makes Squid ignore any Expect: 100-continue header present
  6238. #       in the request. RFC 2616 requires that Squid being unable to satisfy
  6239. #       the response expectation MUST return a 417 error.
  6240. #
  6241. #       Note: Enabling this is a HTTP protocol violation, but some clients may
  6242. #       not handle it well..
  6243. #Default:
  6244. # ignore_expect_100 off
  6245.  
  6246. # TIMEOUTS
  6247. # -----------------------------------------------------------------------------
  6248.  
  6249. #  TAG: forward_timeout time-units
  6250. #       This parameter specifies how long Squid should at most attempt in
  6251. #       finding a forwarding path for the request before giving up.
  6252. #Default:
  6253. # forward_timeout 4 minutes
  6254.  
  6255. #  TAG: connect_timeout time-units
  6256. #       This parameter specifies how long to wait for the TCP connect to
  6257. #       the requested server or peer to complete before Squid should
  6258. #       attempt to find another path where to forward the request.
  6259. #Default:
  6260. # connect_timeout 1 minute
  6261.  
  6262. #  TAG: peer_connect_timeout    time-units
  6263. #       This parameter specifies how long to wait for a pending TCP
  6264. #       connection to a peer cache.  The default is 30 seconds.   You
  6265. #       may also set different timeout values for individual neighbors
  6266. #       with the 'connect-timeout' option on a 'cache_peer' line.
  6267. #Default:
  6268. # peer_connect_timeout 30 seconds
  6269.  
  6270. #  TAG: read_timeout    time-units
  6271. #       The read_timeout is applied on server-side connections.  After
  6272. #       each successful read(), the timeout will be extended by this
  6273. #       amount.  If no data is read again after this amount of time,
  6274. #       the request is aborted and logged with ERR_READ_TIMEOUT.  The
  6275. #       default is 15 minutes.
  6276. #Default:
  6277. # read_timeout 15 minutes
  6278.  
  6279. #  TAG: request_timeout
  6280. #       How long to wait for an HTTP request after initial
  6281. #       connection establishment.
  6282. #Default:
  6283. # request_timeout 5 minutes
  6284.  
  6285. #  TAG: persistent_request_timeout
  6286. #       How long to wait for the next HTTP request on a persistent
  6287. #       connection after the previous request completes.
  6288. #Default:
  6289. # persistent_request_timeout 2 minutes
  6290.  
  6291. #  TAG: client_lifetime time-units
  6292. #       The maximum amount of time a client (browser) is allowed to
  6293. #       remain connected to the cache process.  This protects the Cache
  6294. #       from having a lot of sockets (and hence file descriptors) tied up
  6295. #       in a CLOSE_WAIT state from remote clients that go away without
  6296. #       properly shutting down (either because of a network failure or
  6297. #       because of a poor client implementation).  The default is one
  6298. #       day, 1440 minutes.
  6299. #
  6300. #       NOTE:  The default value is intended to be much larger than any
  6301. #       client would ever need to be connected to your cache.  You
  6302. #       should probably change client_lifetime only as a last resort.
  6303. #       If you seem to have many client connections tying up
  6304. #       filedescriptors, we recommend first tuning the read_timeout,
  6305. #       request_timeout, persistent_request_timeout and quick_abort values.
  6306. #Default:
  6307. # client_lifetime 1 day
  6308.  
  6309. #  TAG: half_closed_clients
  6310. #       Some clients may shutdown the sending side of their TCP
  6311. #       connections, while leaving their receiving sides open.  Sometimes,
  6312. #       Squid can not tell the difference between a half-closed and a
  6313. #       fully-closed TCP connection.
  6314. #
  6315. #       By default, Squid will immediately close client connections when
  6316. #       read(2) returns "no more data to read."
  6317. #
  6318. #       Change this option to 'on' and Squid will keep open connections
  6319. #       until a read(2) or write(2) on the socket returns an error.
  6320. #       This may show some benefits for reverse proxies. But if not
  6321. #       it is recommended to leave OFF.
  6322. #Default:
  6323. # half_closed_clients off
  6324.  
  6325. #  TAG: pconn_timeout
  6326. #       Timeout for idle persistent connections to servers and other
  6327. #       proxies.
  6328. #Default:
  6329. # pconn_timeout 1 minute
  6330.  
  6331. #  TAG: ident_timeout
  6332. #       Maximum time to wait for IDENT lookups to complete.
  6333. #
  6334. #       If this is too high, and you enabled IDENT lookups from untrusted
  6335. #       users, you might be susceptible to denial-of-service by having
  6336. #       many ident requests going at once.
  6337. #Default:
  6338. # ident_timeout 10 seconds
  6339.  
  6340. #  TAG: shutdown_lifetime       time-units
  6341. #       When SIGTERM or SIGHUP is received, the cache is put into
  6342. #       "shutdown pending" mode until all active sockets are closed.
  6343. #       This value is the lifetime to set for all open descriptors
  6344. #       during shutdown mode.  Any active clients after this many
  6345. #       seconds will receive a 'timeout' message.
  6346. #Default:
  6347. # shutdown_lifetime 30 seconds
  6348.  
  6349. # ADMINISTRATIVE PARAMETERS
  6350. # -----------------------------------------------------------------------------
  6351.  
  6352. #  TAG: cache_mgr
  6353. #       Email-address of local cache manager who will receive
  6354. #       mail if the cache dies.  The default is "webmaster."
  6355. #Default:
  6356. # cache_mgr webmaster
  6357.  
  6358. #  TAG: mail_from
  6359. #       From: email-address for mail sent when the cache dies.
  6360. #       The default is to use 'appname@unique_hostname'.
  6361. #       Default appname value is "squid", can be changed into
  6362. #       src/globals.h before building squid.
  6363. #Default:
  6364. # none
  6365.  
  6366. #  TAG: mail_program
  6367. #       Email program used to send mail if the cache dies.
  6368. #       The default is "mail". The specified program must comply
  6369. #       with the standard Unix mail syntax:
  6370. #         mail-program recipient < mailfile
  6371. #
  6372. #       Optional command line options can be specified.
  6373. #Default:
  6374. # mail_program mail
  6375.  
  6376. #  TAG: cache_effective_user
  6377. #       If you start Squid as root, it will change its effective/real
  6378. #       UID/GID to the user specified below.  The default is to change
  6379. #       to UID of proxy.
  6380. #       see also; cache_effective_group
  6381. #Default:
  6382. # cache_effective_user proxy
  6383.  
  6384. #  TAG: cache_effective_group
  6385. #       Squid sets the GID to the effective user's default group ID
  6386. #       (taken from the password file) and supplementary group list
  6387. #       from the groups membership.
  6388. #
  6389. #       If you want Squid to run with a specific GID regardless of
  6390. #       the group memberships of the effective user then set this
  6391. #       to the group (or GID) you want Squid to run as. When set
  6392. #       all other group privileges of the effective user are ignored
  6393. #       and only this GID is effective. If Squid is not started as
  6394. #       root the user starting Squid MUST be member of the specified
  6395. #       group.
  6396. #
  6397. #       This option is not recommended by the Squid Team.
  6398. #       Our preference is for administrators to configure a secure
  6399. #       user account for squid with UID/GID matching system policies.
  6400. #Default:
  6401. # none
  6402.  
  6403. #  TAG: httpd_suppress_version_string   on|off
  6404. #       Suppress Squid version string info in HTTP headers and HTML error pages.
  6405. #Default:
  6406. # httpd_suppress_version_string off
  6407.  
  6408. #  TAG: visible_hostname
  6409. #       If you want to present a special hostname in error messages, etc,
  6410. #       define this.  Otherwise, the return value of gethostname()
  6411. #       will be used. If you have multiple caches in a cluster and
  6412. #       get errors about IP-forwarding you must set them to have individual
  6413. #       names with this setting.
  6414. #Default:
  6415. # visible_hostname localhost
  6416.  
  6417. #  TAG: unique_hostname
  6418. #       If you want to have multiple machines with the same
  6419. #       'visible_hostname' you must give each machine a different
  6420. #       'unique_hostname' so forwarding loops can be detected.
  6421. #Default:
  6422. # none
  6423.  
  6424. #  TAG: hostname_aliases
  6425. #       A list of other DNS names your cache has.
  6426. #Default:
  6427. # none
  6428.  
  6429. #  TAG: umask
  6430. #       Minimum umask which should be enforced while the proxy
  6431. #       is running, in addition to the umask set at startup.
  6432. #
  6433. #       For a traditional octal representation of umasks, start
  6434. #        your value with 0.
  6435. #Default:
  6436. # umask 027
  6437.  
  6438. # OPTIONS FOR THE CACHE REGISTRATION SERVICE
  6439. # -----------------------------------------------------------------------------
  6440. #
  6441. #       This section contains parameters for the (optional) cache
  6442. #       announcement service.  This service is provided to help
  6443. #       cache administrators locate one another in order to join or
  6444. #       create cache hierarchies.
  6445. #
  6446. #       An 'announcement' message is sent (via UDP) to the registration
  6447. #       service by Squid.  By default, the announcement message is NOT
  6448. #       SENT unless you enable it with 'announce_period' below.
  6449. #
  6450. #       The announcement message includes your hostname, plus the
  6451. #       following information from this configuration file:
  6452. #
  6453. #               http_port
  6454. #               icp_port
  6455. #               cache_mgr
  6456. #
  6457. #       All current information is processed regularly and made
  6458. #       available on the Web at http://www.ircache.net/Cache/Tracker/.
  6459.  
  6460. #  TAG: announce_period
  6461. #       This is how frequently to send cache announcements.  The
  6462. #       default is `0' which disables sending the announcement
  6463. #       messages.
  6464. #
  6465. #       To enable announcing your cache, just set an announce period.
  6466. #
  6467. #       Example:
  6468. #               announce_period 1 day
  6469. #Default:
  6470. # announce_period 0
  6471.  
  6472. #  TAG: announce_host
  6473. #  TAG: announce_file
  6474. #  TAG: announce_port
  6475. #       announce_host and announce_port set the hostname and port
  6476. #       number where the registration message will be sent.
  6477. #
  6478. #       Hostname will default to 'tracker.ircache.net' and port will
  6479. #       default default to 3131.  If the 'filename' argument is given,
  6480. #       the contents of that file will be included in the announce
  6481. #       message.
  6482. #Default:
  6483. # announce_host tracker.ircache.net
  6484. # announce_port 3131
  6485.  
  6486. # HTTPD-ACCELERATOR OPTIONS
  6487. # -----------------------------------------------------------------------------
  6488.  
  6489. #  TAG: httpd_accel_surrogate_id
  6490. #       Surrogates (http://www.esi.org/architecture_spec_1.0.html)
  6491. #       need an identification token to allow control targeting. Because
  6492. #       a farm of surrogates may all perform the same tasks, they may share
  6493. #       an identification token.
  6494. #Default:
  6495. # httpd_accel_surrogate_id unset-id
  6496.  
  6497. #  TAG: http_accel_surrogate_remote     on|off
  6498. #       Remote surrogates (such as those in a CDN) honour Surrogate-Control: no-store-remote.
  6499. #       Set this to on to have squid behave as a remote surrogate.
  6500. #Default:
  6501. # http_accel_surrogate_remote off
  6502.  
  6503. #  TAG: esi_parser      libxml2|expat|custom
  6504. #       ESI markup is not strictly XML compatible. The custom ESI parser
  6505. #       will give higher performance, but cannot handle non ASCII character
  6506. #       encodings.
  6507. #Default:
  6508. # esi_parser custom
  6509.  
  6510. # DELAY POOL PARAMETERS
  6511. # -----------------------------------------------------------------------------
  6512.  
  6513. #  TAG: delay_pools
  6514. #       This represents the number of delay pools to be used.  For example,
  6515. #       if you have one class 2 delay pool and one class 3 delays pool, you
  6516. #       have a total of 2 delay pools.
  6517. #Default:
  6518. # delay_pools 0
  6519.  
  6520. #  TAG: delay_class
  6521. #       This defines the class of each delay pool.  There must be exactly one
  6522. #       delay_class line for each delay pool.  For example, to define two
  6523. #       delay pools, one of class 2 and one of class 3, the settings above
  6524. #       and here would be:
  6525. #
  6526. #       Example:
  6527. #           delay_pools 4      # 4 delay pools
  6528. #           delay_class 1 2    # pool 1 is a class 2 pool
  6529. #           delay_class 2 3    # pool 2 is a class 3 pool
  6530. #           delay_class 3 4    # pool 3 is a class 4 pool
  6531. #           delay_class 4 5    # pool 4 is a class 5 pool
  6532. #
  6533. #       The delay pool classes are:
  6534. #
  6535. #               class 1         Everything is limited by a single aggregate
  6536. #                               bucket.
  6537. #
  6538. #               class 2         Everything is limited by a single aggregate
  6539. #                               bucket as well as an "individual" bucket chosen
  6540. #                               from bits 25 through 32 of the IPv4 address.
  6541. #
  6542. #               class 3         Everything is limited by a single aggregate
  6543. #                               bucket as well as a "network" bucket chosen
  6544. #                               from bits 17 through 24 of the IP address and a
  6545. #                               "individual" bucket chosen from bits 17 through
  6546. #                               32 of the IPv4 address.
  6547. #
  6548. #               class 4         Everything in a class 3 delay pool, with an
  6549. #                               additional limit on a per user basis. This
  6550. #                               only takes effect if the username is established
  6551. #                               in advance - by forcing authentication in your
  6552. #                               http_access rules.
  6553. #
  6554. #               class 5         Requests are grouped according their tag (see
  6555. #                               external_acl's tag= reply).
  6556. #
  6557. #       NOTE: If an IP address is a.b.c.d
  6558. #               -> bits 25 through 32 are "d"
  6559. #               -> bits 17 through 24 are "c"
  6560. #               -> bits 17 through 32 are "c * 256 + d"
  6561. #
  6562. #       NOTE-2: Due to the use of bitmasks in class 2,3,4 pools they only apply to
  6563. #               IPv4 traffic. Class 1 and 5 pools may be used with IPv6 traffic.
  6564. #Default:
  6565. # none
  6566.  
  6567. #  TAG: delay_access
  6568. #       This is used to determine which delay pool a request falls into.
  6569. #
  6570. #       delay_access is sorted per pool and the matching starts with pool 1,
  6571. #       then pool 2, ..., and finally pool N. The first delay pool where the
  6572. #       request is allowed is selected for the request. If it does not allow
  6573. #       the request to any pool then the request is not delayed (default).
  6574. #
  6575. #       For example, if you want some_big_clients in delay
  6576. #       pool 1 and lotsa_little_clients in delay pool 2:
  6577. #
  6578. #Example:
  6579. # delay_access 1 allow some_big_clients
  6580. # delay_access 1 deny all
  6581. # delay_access 2 allow lotsa_little_clients
  6582. # delay_access 2 deny all
  6583. # delay_access 3 allow authenticated_clients
  6584. #Default:
  6585. # none
  6586.  
  6587. #  TAG: delay_parameters
  6588. #       This defines the parameters for a delay pool.  Each delay pool has
  6589. #       a number of "buckets" associated with it, as explained in the
  6590. #       description of delay_class.  For a class 1 delay pool, the syntax is:
  6591. #
  6592. #delay_parameters pool aggregate
  6593. #
  6594. #       For a class 2 delay pool:
  6595. #
  6596. #delay_parameters pool aggregate individual
  6597. #
  6598. #       For a class 3 delay pool:
  6599. #
  6600. #delay_parameters pool aggregate network individual
  6601. #
  6602. #       For a class 4 delay pool:
  6603. #
  6604. #delay_parameters pool aggregate network individual user
  6605. #
  6606. #       For a class 5 delay pool:
  6607. #
  6608. #delay_parameters pool tag
  6609. #
  6610. #       The variables here are:
  6611. #
  6612. #               pool            a pool number - ie, a number between 1 and the
  6613. #                               number specified in delay_pools as used in
  6614. #                               delay_class lines.
  6615. #
  6616. #               aggregate       the "delay parameters" for the aggregate bucket
  6617. #                               (class 1, 2, 3).
  6618. #
  6619. #               individual      the "delay parameters" for the individual
  6620. #                               buckets (class 2, 3).
  6621. #
  6622. #               network         the "delay parameters" for the network buckets
  6623. #                               (class 3).
  6624. #
  6625. #               user            the delay parameters for the user buckets
  6626. #                               (class 4).
  6627. #
  6628. #               tag             the delay parameters for the tag buckets
  6629. #                               (class 5).
  6630. #
  6631. #       A pair of delay parameters is written restore/maximum, where restore is
  6632. #       the number of bytes (not bits - modem and network speeds are usually
  6633. #       quoted in bits) per second placed into the bucket, and maximum is the
  6634. #       maximum number of bytes which can be in the bucket at any time.
  6635. #
  6636. #       For example, if delay pool number 1 is a class 2 delay pool as in the
  6637. #       above example, and is being used to strictly limit each host to 64kbps
  6638. #       (plus overheads), with no overall limit, the line is:
  6639. #
  6640. #delay_parameters 1 -1/-1 8000/8000
  6641. #
  6642. #       Note that the figure -1 is used to represent "unlimited".
  6643. #
  6644. #       And, if delay pool number 2 is a class 3 delay pool as in the above
  6645. #       example, and you want to limit it to a total of 256kbps (strict limit)
  6646. #       with each 8-bit network permitted 64kbps (strict limit) and each
  6647. #       individual host permitted 4800bps with a bucket maximum size of 64kb
  6648. #       to permit a decent web page to be downloaded at a decent speed
  6649. #       (if the network is not being limited due to overuse) but slow down
  6650. #       large downloads more significantly:
  6651. #
  6652. #delay_parameters 2 32000/32000 8000/8000 600/8000
  6653. #
  6654. #       There must be one delay_parameters line for each delay pool.
  6655. #
  6656. #       Finally, for a class 4 delay pool as in the example - each user will
  6657. #       be limited to 128Kb no matter how many workstations they are logged into.:
  6658. #
  6659. #delay_parameters 4 32000/32000 8000/8000 600/64000 16000/16000
  6660. #Default:
  6661. # none
  6662.  
  6663. #  TAG: delay_initial_bucket_level      (percent, 0-100)
  6664. #       The initial bucket percentage is used to determine how much is put
  6665. #       in each bucket when squid starts, is reconfigured, or first notices
  6666. #       a host accessing it (in class 2 and class 3, individual hosts and
  6667. #       networks only have buckets associated with them once they have been
  6668. #       "seen" by squid).
  6669. #Default:
  6670. # delay_initial_bucket_level 50
  6671.  
  6672. # WCCPv1 AND WCCPv2 CONFIGURATION OPTIONS
  6673. # -----------------------------------------------------------------------------
  6674.  
  6675. #  TAG: wccp_router
  6676. #       Use this option to define your WCCP ``home'' router for
  6677. #       Squid.
  6678. #
  6679. #       wccp_router supports a single WCCP(v1) router
  6680. #
  6681. #       wccp2_router supports multiple WCCPv2 routers
  6682. #
  6683. #       only one of the two may be used at the same time and defines
  6684. #       which version of WCCP to use.
  6685. #Default:
  6686. # wccp_router any_addr
  6687.  
  6688. #  TAG: wccp2_router
  6689. #       Use this option to define your WCCP ``home'' router for
  6690. #       Squid.
  6691. #
  6692. #       wccp_router supports a single WCCP(v1) router
  6693. #
  6694. #       wccp2_router supports multiple WCCPv2 routers
  6695. #
  6696. #       only one of the two may be used at the same time and defines
  6697. #       which version of WCCP to use.
  6698. #Default:
  6699. # none
  6700.  
  6701. #  TAG: wccp_version
  6702. #       This directive is only relevant if you need to set up WCCP(v1)
  6703. #       to some very old and end-of-life Cisco routers. In all other
  6704. #       setups it must be left unset or at the default setting.
  6705. #       It defines an internal version in the WCCP(v1) protocol,
  6706. #       with version 4 being the officially documented protocol.
  6707. #
  6708. #       According to some users, Cisco IOS 11.2 and earlier only
  6709. #       support WCCP version 3.  If you're using that or an earlier
  6710. #       version of IOS, you may need to change this value to 3, otherwise
  6711. #       do not specify this parameter.
  6712. #Default:
  6713. # wccp_version 4
  6714.  
  6715. #  TAG: wccp2_rebuild_wait
  6716. #       If this is enabled Squid will wait for the cache dir rebuild to finish
  6717. #       before sending the first wccp2 HereIAm packet
  6718. #Default:
  6719. # wccp2_rebuild_wait on
  6720.  
  6721. #  TAG: wccp2_forwarding_method
  6722. #       WCCP2 allows the setting of forwarding methods between the
  6723. #       router/switch and the cache.  Valid values are as follows:
  6724. #
  6725. #       gre - GRE encapsulation (forward the packet in a GRE/WCCP tunnel)
  6726. #       l2  - L2 redirect (forward the packet using Layer 2/MAC rewriting)
  6727. #
  6728. #       Currently (as of IOS 12.4) cisco routers only support GRE.
  6729. #       Cisco switches only support the L2 redirect assignment method.
  6730. #Default:
  6731. # wccp2_forwarding_method gre
  6732.  
  6733. #  TAG: wccp2_return_method
  6734. #       WCCP2 allows the setting of return methods between the
  6735. #       router/switch and the cache for packets that the cache
  6736. #       decides not to handle.  Valid values are as follows:
  6737. #
  6738. #       gre - GRE encapsulation (forward the packet in a GRE/WCCP tunnel)
  6739. #       l2  - L2 redirect (forward the packet using Layer 2/MAC rewriting)
  6740. #
  6741. #       Currently (as of IOS 12.4) cisco routers only support GRE.
  6742. #       Cisco switches only support the L2 redirect assignment.
  6743. #
  6744. #       If the "ip wccp redirect exclude in" command has been
  6745. #       enabled on the cache interface, then it is still safe for
  6746. #       the proxy server to use a l2 redirect method even if this
  6747. #       option is set to GRE.
  6748. #Default:
  6749. # wccp2_return_method gre
  6750.  
  6751. #  TAG: wccp2_assignment_method
  6752. #       WCCP2 allows the setting of methods to assign the WCCP hash
  6753. #       Valid values are as follows:
  6754. #
  6755. #       hash - Hash assignment
  6756. #       mask  - Mask assignment
  6757. #
  6758. #       As a general rule, cisco routers support the hash assignment method
  6759. #       and cisco switches support the mask assignment method.
  6760. #Default:
  6761. # wccp2_assignment_method hash
  6762.  
  6763. #  TAG: wccp2_service
  6764. #       WCCP2 allows for multiple traffic services. There are two
  6765. #       types: "standard" and "dynamic". The standard type defines
  6766. #       one service id - http (id 0). The dynamic service ids can be from
  6767. #       51 to 255 inclusive.  In order to use a dynamic service id
  6768. #       one must define the type of traffic to be redirected; this is done
  6769. #       using the wccp2_service_info option.
  6770. #
  6771. #       The "standard" type does not require a wccp2_service_info option,
  6772. #       just specifying the service id will suffice.
  6773. #
  6774. #       MD5 service authentication can be enabled by adding
  6775. #       "password=<password>" to the end of this service declaration.
  6776. #
  6777. #       Examples:
  6778. #
  6779. #       wccp2_service standard 0        # for the 'web-cache' standard service
  6780. #       wccp2_service dynamic 80        # a dynamic service type which will be
  6781. #                                       # fleshed out with subsequent options.
  6782. #       wccp2_service standard 0 password=foo
  6783. #Default:
  6784. # wccp2_service standard 0
  6785.  
  6786. #  TAG: wccp2_service_info
  6787. #       Dynamic WCCPv2 services require further information to define the
  6788. #       traffic you wish to have diverted.
  6789. #
  6790. #       The format is:
  6791. #
  6792. #       wccp2_service_info <id> protocol=<protocol> flags=<flag>,<flag>..
  6793. #           priority=<priority> ports=<port>,<port>..
  6794. #
  6795. #       The relevant WCCPv2 flags:
  6796. #       + src_ip_hash, dst_ip_hash
  6797. #       + source_port_hash, dst_port_hash
  6798. #       + src_ip_alt_hash, dst_ip_alt_hash
  6799. #       + src_port_alt_hash, dst_port_alt_hash
  6800. #       + ports_source
  6801. #
  6802. #       The port list can be one to eight entries.
  6803. #
  6804. #       Example:
  6805. #
  6806. #       wccp2_service_info 80 protocol=tcp flags=src_ip_hash,ports_source
  6807. #           priority=240 ports=80
  6808. #
  6809. #       Note: the service id must have been defined by a previous
  6810. #       'wccp2_service dynamic <id>' entry.
  6811. #Default:
  6812. # none
  6813.  
  6814. #  TAG: wccp2_weight
  6815. #       Each cache server gets assigned a set of the destination
  6816. #       hash proportional to their weight.
  6817. #Default:
  6818. # wccp2_weight 10000
  6819.  
  6820. #  TAG: wccp_address
  6821. #  TAG: wccp2_address
  6822. #       Use this option if you require WCCP to use a specific
  6823. #       interface address.
  6824. #
  6825. #       The default behavior is to not bind to any specific address.
  6826. #Default:
  6827. # wccp_address 0.0.0.0
  6828. # wccp2_address 0.0.0.0
  6829.  
  6830. # PERSISTENT CONNECTION HANDLING
  6831. # -----------------------------------------------------------------------------
  6832. #
  6833. # Also see "pconn_timeout" in the TIMEOUTS section
  6834.  
  6835. #  TAG: client_persistent_connections
  6836. #  TAG: server_persistent_connections
  6837. #       Persistent connection support for clients and servers.  By
  6838. #       default, Squid uses persistent connections (when allowed)
  6839. #       with its clients and servers.  You can use these options to
  6840. #       disable persistent connections with clients and/or servers.
  6841. #Default:
  6842. # client_persistent_connections on
  6843. # server_persistent_connections on
  6844.  
  6845. #  TAG: persistent_connection_after_error
  6846. #       With this directive the use of persistent connections after
  6847. #       HTTP errors can be disabled. Useful if you have clients
  6848. #       who fail to handle errors on persistent connections proper.
  6849. #Default:
  6850. # persistent_connection_after_error on
  6851.  
  6852. #  TAG: detect_broken_pconn
  6853. #       Some servers have been found to incorrectly signal the use
  6854. #       of HTTP/1.0 persistent connections even on replies not
  6855. #       compatible, causing significant delays. This server problem
  6856. #       has mostly been seen on redirects.
  6857. #
  6858. #       By enabling this directive Squid attempts to detect such
  6859. #       broken replies and automatically assume the reply is finished
  6860. #       after 10 seconds timeout.
  6861. #Default:
  6862. # detect_broken_pconn off
  6863.  
  6864. # CACHE DIGEST OPTIONS
  6865. # -----------------------------------------------------------------------------
  6866.  
  6867. #  TAG: digest_generation
  6868. #       This controls whether the server will generate a Cache Digest
  6869. #       of its contents.  By default, Cache Digest generation is
  6870. #       enabled if Squid is compiled with --enable-cache-digests defined.
  6871. #Default:
  6872. # digest_generation on
  6873.  
  6874. #  TAG: digest_bits_per_entry
  6875. #       This is the number of bits of the server's Cache Digest which
  6876. #       will be associated with the Digest entry for a given HTTP
  6877. #       Method and URL (public key) combination.  The default is 5.
  6878. #Default:
  6879. # digest_bits_per_entry 5
  6880.  
  6881. #  TAG: digest_rebuild_period   (seconds)
  6882. #       This is the wait time between Cache Digest rebuilds.
  6883. #Default:
  6884. # digest_rebuild_period 1 hour
  6885.  
  6886. #  TAG: digest_rewrite_period   (seconds)
  6887. #       This is the wait time between Cache Digest writes to
  6888. #       disk.
  6889. #Default:
  6890. # digest_rewrite_period 1 hour
  6891.  
  6892. #  TAG: digest_swapout_chunk_size       (bytes)
  6893. #       This is the number of bytes of the Cache Digest to write to
  6894. #       disk at a time.  It defaults to 4096 bytes (4KB), the Squid
  6895. #       default swap page.
  6896. #Default:
  6897. # digest_swapout_chunk_size 4096 bytes
  6898.  
  6899. #  TAG: digest_rebuild_chunk_percentage (percent, 0-100)
  6900. #       This is the percentage of the Cache Digest to be scanned at a
  6901. #       time.  By default it is set to 10% of the Cache Digest.
  6902. #Default:
  6903. # digest_rebuild_chunk_percentage 10
  6904.  
  6905. # SNMP OPTIONS
  6906. # -----------------------------------------------------------------------------
  6907.  
  6908. #  TAG: snmp_port
  6909. #       The port number where Squid listens for SNMP requests. To enable
  6910. #       SNMP support set this to a suitable port number. Port number
  6911. #       3401 is often used for the Squid SNMP agent. By default it's
  6912. #       set to "0" (disabled)
  6913. #
  6914. #       Example:
  6915. #               snmp_port 3401
  6916. #Default:
  6917. # snmp_port 0
  6918.  
  6919. #  TAG: snmp_access
  6920. #       Allowing or denying access to the SNMP port.
  6921. #
  6922. #       All access to the agent is denied by default.
  6923. #       usage:
  6924. #
  6925. #       snmp_access allow|deny [!]aclname ...
  6926. #
  6927. #       This clause only supports fast acl types.
  6928. #       See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  6929. #Example:
  6930. # snmp_access allow snmppublic localhost
  6931. # snmp_access deny all
  6932. #Default:
  6933. # snmp_access deny all
  6934.  
  6935. #  TAG: snmp_incoming_address
  6936. #  TAG: snmp_outgoing_address
  6937. #       Just like 'udp_incoming_address', but for the SNMP port.
  6938. #
  6939. #       snmp_incoming_address   is used for the SNMP socket receiving
  6940. #                               messages from SNMP agents.
  6941. #       snmp_outgoing_address   is used for SNMP packets returned to SNMP
  6942. #                               agents.
  6943. #
  6944. #       The default snmp_incoming_address is to listen on all
  6945. #       available network interfaces.
  6946. #
  6947. #       If snmp_outgoing_address is not set it will use the same socket
  6948. #       as snmp_incoming_address. Only change this if you want to have
  6949. #       SNMP replies sent using another address than where this Squid
  6950. #       listens for SNMP queries.
  6951. #
  6952. #       NOTE, snmp_incoming_address and snmp_outgoing_address can not have
  6953. #       the same value since they both use port 3401.
  6954. #Default:
  6955. # snmp_incoming_address any_addr
  6956. # snmp_outgoing_address no_addr
  6957.  
  6958. # ICP OPTIONS
  6959. # -----------------------------------------------------------------------------
  6960.  
  6961. #  TAG: icp_port
  6962. #       The port number where Squid sends and receives ICP queries to
  6963. #       and from neighbor caches.  The standard UDP port for ICP is 3130.
  6964. #       Default is disabled (0).
  6965. #
  6966. #       Example:
  6967. #               icp_port 3130
  6968. #Default:
  6969. # icp_port 0
  6970.  
  6971. #  TAG: htcp_port
  6972. #       The port number where Squid sends and receives HTCP queries to
  6973. #       and from neighbor caches.  To turn it on you want to set it to
  6974. #       4827. By default it is set to "0" (disabled).
  6975. #
  6976. #       Example:
  6977. #               htcp_port 4827
  6978. #Default:
  6979. # htcp_port 0
  6980.  
  6981. #  TAG: log_icp_queries on|off
  6982. #       If set, ICP queries are logged to access.log. You may wish
  6983. #       do disable this if your ICP load is VERY high to speed things
  6984. #       up or to simplify log analysis.
  6985. #Default:
  6986. # log_icp_queries on
  6987.  
  6988. #  TAG: udp_incoming_address
  6989. #       udp_incoming_address    is used for UDP packets received from other
  6990. #                               caches.
  6991. #
  6992. #       The default behavior is to not bind to any specific address.
  6993. #
  6994. #       Only change this if you want to have all UDP queries received on
  6995. #       a specific interface/address.
  6996. #
  6997. #       NOTE: udp_incoming_address is used by the ICP, HTCP, and DNS
  6998. #       modules. Altering it will affect all of them in the same manner.
  6999. #
  7000. #       see also; udp_outgoing_address
  7001. #
  7002. #       NOTE, udp_incoming_address and udp_outgoing_address can not
  7003. #       have the same value since they both use the same port.
  7004. #Default:
  7005. # udp_incoming_address any_addr
  7006.  
  7007. #  TAG: udp_outgoing_address
  7008. #       udp_outgoing_address    is used for UDP packets sent out to other
  7009. #                               caches.
  7010. #
  7011. #       The default behavior is to not bind to any specific address.
  7012. #
  7013. #       Instead it will use the same socket as udp_incoming_address.
  7014. #       Only change this if you want to have UDP queries sent using another
  7015. #       address than where this Squid listens for UDP queries from other
  7016. #       caches.
  7017. #
  7018. #       NOTE: udp_outgoing_address is used by the ICP, HTCP, and DNS
  7019. #       modules. Altering it will affect all of them in the same manner.
  7020. #
  7021. #       see also; udp_incoming_address
  7022. #
  7023. #       NOTE, udp_incoming_address and udp_outgoing_address can not
  7024. #       have the same value since they both use the same port.
  7025. #Default:
  7026. # udp_outgoing_address no_addr
  7027.  
  7028. #  TAG: icp_hit_stale   on|off
  7029. #       If you want to return ICP_HIT for stale cache objects, set this
  7030. #       option to 'on'.  If you have sibling relationships with caches
  7031. #       in other administrative domains, this should be 'off'.  If you only
  7032. #       have sibling relationships with caches under your control,
  7033. #       it is probably okay to set this to 'on'.
  7034. #       If set to 'on', your siblings should use the option "allow-miss"
  7035. #       on their cache_peer lines for connecting to you.
  7036. #Default:
  7037. # icp_hit_stale off
  7038.  
  7039. #  TAG: minimum_direct_hops
  7040. #       If using the ICMP pinging stuff, do direct fetches for sites
  7041. #       which are no more than this many hops away.
  7042. #Default:
  7043. # minimum_direct_hops 4
  7044.  
  7045. #  TAG: minimum_direct_rtt
  7046. #       If using the ICMP pinging stuff, do direct fetches for sites
  7047. #       which are no more than this many rtt milliseconds away.
  7048. #Default:
  7049. # minimum_direct_rtt 400
  7050.  
  7051. #  TAG: netdb_low
  7052. #  TAG: netdb_high
  7053. #       The low and high water marks for the ICMP measurement
  7054. #       database.  These are counts, not percents.  The defaults are
  7055. #       900 and 1000.  When the high water mark is reached, database
  7056. #       entries will be deleted until the low mark is reached.
  7057. #Default:
  7058. # netdb_low 900
  7059. # netdb_high 1000
  7060.  
  7061. #  TAG: netdb_ping_period
  7062. #       The minimum period for measuring a site.  There will be at
  7063. #       least this much delay between successive pings to the same
  7064. #       network.  The default is five minutes.
  7065. #Default:
  7066. # netdb_ping_period 5 minutes
  7067.  
  7068. #  TAG: query_icmp      on|off
  7069. #       If you want to ask your peers to include ICMP data in their ICP
  7070. #       replies, enable this option.
  7071. #
  7072. #       If your peer has configured Squid (during compilation) with
  7073. #       '--enable-icmp' that peer will send ICMP pings to origin server
  7074. #       sites of the URLs it receives.  If you enable this option the
  7075. #       ICP replies from that peer will include the ICMP data (if available).
  7076. #       Then, when choosing a parent cache, Squid will choose the parent with
  7077. #       the minimal RTT to the origin server.  When this happens, the
  7078. #       hierarchy field of the access.log will be
  7079. #       "CLOSEST_PARENT_MISS".  This option is off by default.
  7080. #Default:
  7081. # query_icmp off
  7082.  
  7083. #  TAG: test_reachability       on|off
  7084. #       When this is 'on', ICP MISS replies will be ICP_MISS_NOFETCH
  7085. #       instead of ICP_MISS if the target host is NOT in the ICMP
  7086. #       database, or has a zero RTT.
  7087. #Default:
  7088. # test_reachability off
  7089.  
  7090. #  TAG: icp_query_timeout       (msec)
  7091. #       Normally Squid will automatically determine an optimal ICP
  7092. #       query timeout value based on the round-trip-time of recent ICP
  7093. #       queries.  If you want to override the value determined by
  7094. #       Squid, set this 'icp_query_timeout' to a non-zero value.  This
  7095. #       value is specified in MILLISECONDS, so, to use a 2-second
  7096. #       timeout (the old default), you would write:
  7097. #
  7098. #               icp_query_timeout 2000
  7099. #Default:
  7100. # icp_query_timeout 0
  7101.  
  7102. #  TAG: maximum_icp_query_timeout       (msec)
  7103. #       Normally the ICP query timeout is determined dynamically.  But
  7104. #       sometimes it can lead to very large values (say 5 seconds).
  7105. #       Use this option to put an upper limit on the dynamic timeout
  7106. #       value.  Do NOT use this option to always use a fixed (instead
  7107. #       of a dynamic) timeout value. To set a fixed timeout see the
  7108. #       'icp_query_timeout' directive.
  7109. #Default:
  7110. # maximum_icp_query_timeout 2000
  7111.  
  7112. #  TAG: minimum_icp_query_timeout       (msec)
  7113. #       Normally the ICP query timeout is determined dynamically.  But
  7114. #       sometimes it can lead to very small timeouts, even lower than
  7115. #       the normal latency variance on your link due to traffic.
  7116. #       Use this option to put an lower limit on the dynamic timeout
  7117. #       value.  Do NOT use this option to always use a fixed (instead
  7118. #       of a dynamic) timeout value. To set a fixed timeout see the
  7119. #       'icp_query_timeout' directive.
  7120. #Default:
  7121. # minimum_icp_query_timeout 5
  7122.  
  7123. #  TAG: background_ping_rate    time-units
  7124. #       Controls how often the ICP pings are sent to siblings that
  7125. #       have background-ping set.
  7126. #Default:
  7127. # background_ping_rate 10 seconds
  7128.  
  7129. # MULTICAST ICP OPTIONS
  7130. # -----------------------------------------------------------------------------
  7131.  
  7132. #  TAG: mcast_groups
  7133. #       This tag specifies a list of multicast groups which your server
  7134. #       should join to receive multicasted ICP queries.
  7135. #
  7136. #       NOTE!  Be very careful what you put here!  Be sure you
  7137. #       understand the difference between an ICP _query_ and an ICP
  7138. #       _reply_.  This option is to be set only if you want to RECEIVE
  7139. #       multicast queries.  Do NOT set this option to SEND multicast
  7140. #       ICP (use cache_peer for that).  ICP replies are always sent via
  7141. #       unicast, so this option does not affect whether or not you will
  7142. #       receive replies from multicast group members.
  7143. #
  7144. #       You must be very careful to NOT use a multicast address which
  7145. #       is already in use by another group of caches.
  7146. #
  7147. #       If you are unsure about multicast, please read the Multicast
  7148. #       chapter in the Squid FAQ (http://www.squid-cache.org/FAQ/).
  7149. #
  7150. #       Usage: mcast_groups 239.128.16.128 224.0.1.20
  7151. #
  7152. #       By default, Squid doesn't listen on any multicast groups.
  7153. #Default:
  7154. # none
  7155.  
  7156. #  TAG: mcast_miss_addr
  7157. # Note: This option is only available if Squid is rebuilt with the
  7158. #       -DMULTICAST_MISS_STREAM define
  7159. #
  7160. #       If you enable this option, every "cache miss" URL will
  7161. #       be sent out on the specified multicast address.
  7162. #
  7163. #       Do not enable this option unless you are are absolutely
  7164. #       certain you understand what you are doing.
  7165. #Default:
  7166. # mcast_miss_addr no_addr
  7167.  
  7168. #  TAG: mcast_miss_ttl
  7169. # Note: This option is only available if Squid is rebuilt with the
  7170. #       -DMULTICAST_MISS_STREAM define
  7171. #
  7172. #       This is the time-to-live value for packets multicasted
  7173. #       when multicasting off cache miss URLs is enabled.  By
  7174. #       default this is set to 'site scope', i.e. 16.
  7175. #Default:
  7176. # mcast_miss_ttl 16
  7177.  
  7178. #  TAG: mcast_miss_port
  7179. # Note: This option is only available if Squid is rebuilt with the
  7180. #       -DMULTICAST_MISS_STREAM define
  7181. #
  7182. #       This is the port number to be used in conjunction with
  7183. #       'mcast_miss_addr'.
  7184. #Default:
  7185. # mcast_miss_port 3135
  7186.  
  7187. #  TAG: mcast_miss_encode_key
  7188. # Note: This option is only available if Squid is rebuilt with the
  7189. #       -DMULTICAST_MISS_STREAM define
  7190. #
  7191. #       The URLs that are sent in the multicast miss stream are
  7192. #       encrypted.  This is the encryption key.
  7193. #Default:
  7194. # mcast_miss_encode_key XXXXXXXXXXXXXXXX
  7195.  
  7196. #  TAG: mcast_icp_query_timeout (msec)
  7197. #       For multicast peers, Squid regularly sends out ICP "probes" to
  7198. #       count how many other peers are listening on the given multicast
  7199. #       address.  This value specifies how long Squid should wait to
  7200. #       count all the replies.  The default is 2000 msec, or 2
  7201. #       seconds.
  7202. #Default:
  7203. # mcast_icp_query_timeout 2000
  7204.  
  7205. # INTERNAL ICON OPTIONS
  7206. # -----------------------------------------------------------------------------
  7207.  
  7208. #  TAG: icon_directory
  7209. #       Where the icons are stored. These are normally kept in
  7210. #       /usr/share/squid3/icons
  7211. #Default:
  7212. # icon_directory /usr/share/squid3/icons
  7213.  
  7214. #  TAG: global_internal_static
  7215. #       This directive controls is Squid should intercept all requests for
  7216. #       /squid-internal-static/ no matter which host the URL is requesting
  7217. #       (default on setting), or if nothing special should be done for
  7218. #       such URLs (off setting). The purpose of this directive is to make
  7219. #       icons etc work better in complex cache hierarchies where it may
  7220. #       not always be possible for all corners in the cache mesh to reach
  7221. #       the server generating a directory listing.
  7222. #Default:
  7223. # global_internal_static on
  7224.  
  7225. #  TAG: short_icon_urls
  7226. #       If this is enabled Squid will use short URLs for icons.
  7227. #       If disabled it will revert to the old behavior of including
  7228. #       it's own name and port in the URL.
  7229. #
  7230. #       If you run a complex cache hierarchy with a mix of Squid and
  7231. #       other proxies you may need to disable this directive.
  7232. #Default:
  7233. # short_icon_urls on
  7234.  
  7235. # ERROR PAGE OPTIONS
  7236. # -----------------------------------------------------------------------------
  7237.  
  7238. #  TAG: error_directory
  7239. #       If you wish to create your own versions of the default
  7240. #       error files to customize them to suit your company copy
  7241. #       the error/template files to another directory and point
  7242. #       this tag at them.
  7243. #
  7244. #       WARNING: This option will disable multi-language support
  7245. #                on error pages if used.
  7246. #
  7247. #       The squid developers are interested in making squid available in
  7248. #       a wide variety of languages. If you are making translations for a
  7249. #       language that Squid does not currently provide please consider
  7250. #       contributing your translation back to the project.
  7251. #       http://wiki.squid-cache.org/Translations
  7252. #
  7253. #       The squid developers working on translations are happy to supply drop-in
  7254. #       translated error files in exchange for any new language contributions.
  7255. #Default:
  7256. # none
  7257.  
  7258. #  TAG: error_default_language
  7259. #       Set the default language which squid will send error pages in
  7260. #       if no existing translation matches the clients language
  7261. #       preferences.
  7262. #
  7263. #       If unset (default) generic English will be used.
  7264. #
  7265. #       The squid developers are interested in making squid available in
  7266. #       a wide variety of languages. If you are interested in making
  7267. #       translations for any language see the squid wiki for details.
  7268. #       http://wiki.squid-cache.org/Translations
  7269. #Default:
  7270. # none
  7271.  
  7272. #  TAG: error_log_languages
  7273. #       Log to cache.log what languages users are attempting to
  7274. #       auto-negotiate for translations.
  7275. #
  7276. #       Successful negotiations are not logged. Only failures
  7277. #       have meaning to indicate that Squid may need an upgrade
  7278. #       of its error page translations.
  7279. #Default:
  7280. # error_log_languages on
  7281.  
  7282. #  TAG: err_page_stylesheet
  7283. #       CSS Stylesheet to pattern the display of Squid default error pages.
  7284. #
  7285. #       For information on CSS see http://www.w3.org/Style/CSS/
  7286. #Default:
  7287. # err_page_stylesheet /etc/squid3/errorpage.css
  7288.  
  7289. #  TAG: err_html_text
  7290. #       HTML text to include in error messages.  Make this a "mailto"
  7291. #       URL to your admin address, or maybe just a link to your
  7292. #       organizations Web page.
  7293. #
  7294. #       To include this in your error messages, you must rewrite
  7295. #       the error template files (found in the "errors" directory).
  7296. #       Wherever you want the 'err_html_text' line to appear,
  7297. #       insert a %L tag in the error template file.
  7298. #Default:
  7299. # none
  7300.  
  7301. #  TAG: email_err_data  on|off
  7302. #       If enabled, information about the occurred error will be
  7303. #       included in the mailto links of the ERR pages (if %W is set)
  7304. #       so that the email body contains the data.
  7305. #       Syntax is <A HREF="mailto:%w%W">%w</A>
  7306. #Default:
  7307. # email_err_data on
  7308.  
  7309. #  TAG: deny_info
  7310. #       Usage:   deny_info err_page_name acl
  7311. #       or       deny_info http://... acl
  7312. #       or       deny_info TCP_RESET acl
  7313. #
  7314. #       This can be used to return a ERR_ page for requests which
  7315. #       do not pass the 'http_access' rules.  Squid remembers the last
  7316. #       acl it evaluated in http_access, and if a 'deny_info' line exists
  7317. #       for that ACL Squid returns a corresponding error page.
  7318. #
  7319. #       The acl is typically the last acl on the http_access deny line which
  7320. #       denied access. The exceptions to this rule are:
  7321. #       - When Squid needs to request authentication credentials. It's then
  7322. #         the first authentication related acl encountered
  7323. #       - When none of the http_access lines matches. It's then the last
  7324. #         acl processed on the last http_access line.
  7325. #
  7326. #       NP: If providing your own custom error pages with error_directory
  7327. #           you may also specify them by your custom file name:
  7328. #           Example: deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys
  7329. #
  7330. #       Alternatively you can specify an error URL. The browsers will
  7331. #       get redirected (302) to the specified URL. %s in the redirection
  7332. #       URL will be replaced by the requested URL.
  7333. #
  7334. #       Alternatively you can tell Squid to reset the TCP connection
  7335. #       by specifying TCP_RESET.
  7336. #Default:
  7337. # none
  7338.  
  7339. # OPTIONS INFLUENCING REQUEST FORWARDING
  7340. # -----------------------------------------------------------------------------
  7341.  
  7342. #  TAG: nonhierarchical_direct
  7343. #       By default, Squid will send any non-hierarchical requests
  7344. #       (matching hierarchy_stoplist or not cacheable request type) direct
  7345. #       to origin servers.
  7346. #
  7347. #       If you set this to off, Squid will prefer to send these
  7348. #       requests to parents.
  7349. #
  7350. #       Note that in most configurations, by turning this off you will only
  7351. #       add latency to these request without any improvement in global hit
  7352. #       ratio.
  7353. #
  7354. #       If you are inside an firewall see never_direct instead of
  7355. #       this directive.
  7356. #Default:
  7357. # nonhierarchical_direct on
  7358.  
  7359. #  TAG: prefer_direct
  7360. #       Normally Squid tries to use parents for most requests. If you for some
  7361. #       reason like it to first try going direct and only use a parent if
  7362. #       going direct fails set this to on.
  7363. #
  7364. #       By combining nonhierarchical_direct off and prefer_direct on you
  7365. #       can set up Squid to use a parent as a backup path if going direct
  7366. #       fails.
  7367. #
  7368. #       Note: If you want Squid to use parents for all requests see
  7369. #       the never_direct directive. prefer_direct only modifies how Squid
  7370. #       acts on cacheable requests.
  7371. #Default:
  7372. # prefer_direct off
  7373.  
  7374. #  TAG: always_direct
  7375. #       Usage: always_direct allow|deny [!]aclname ...
  7376. #
  7377. #       Here you can use ACL elements to specify requests which should
  7378. #       ALWAYS be forwarded by Squid to the origin servers without using
  7379. #       any peers.  For example, to always directly forward requests for
  7380. #       local servers ignoring any parents or siblings you may have use
  7381. #       something like:
  7382. #
  7383. #               acl local-servers dstdomain my.domain.net
  7384. #               always_direct allow local-servers
  7385. #
  7386. #       To always forward FTP requests directly, use
  7387. #
  7388. #               acl FTP proto FTP
  7389. #               always_direct allow FTP
  7390. #
  7391. #       NOTE: There is a similar, but opposite option named
  7392. #       'never_direct'.  You need to be aware that "always_direct deny
  7393. #       foo" is NOT the same thing as "never_direct allow foo".  You
  7394. #       may need to use a deny rule to exclude a more-specific case of
  7395. #       some other rule.  Example:
  7396. #
  7397. #               acl local-external dstdomain external.foo.net
  7398. #               acl local-servers dstdomain  .foo.net
  7399. #               always_direct deny local-external
  7400. #               always_direct allow local-servers
  7401. #
  7402. #       NOTE: If your goal is to make the client forward the request
  7403. #       directly to the origin server bypassing Squid then this needs
  7404. #       to be done in the client configuration. Squid configuration
  7405. #       can only tell Squid how Squid should fetch the object.
  7406. #
  7407. #       NOTE: This directive is not related to caching. The replies
  7408. #       is cached as usual even if you use always_direct. To not cache
  7409. #       the replies see the 'cache' directive.
  7410. #
  7411. #       This clause supports both fast and slow acl types.
  7412. #       See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  7413. #Default:
  7414. # none
  7415.  
  7416. #  TAG: never_direct
  7417. #       Usage: never_direct allow|deny [!]aclname ...
  7418. #
  7419. #       never_direct is the opposite of always_direct.  Please read
  7420. #       the description for always_direct if you have not already.
  7421. #
  7422. #       With 'never_direct' you can use ACL elements to specify
  7423. #       requests which should NEVER be forwarded directly to origin
  7424. #       servers.  For example, to force the use of a proxy for all
  7425. #       requests, except those in your local domain use something like:
  7426. #
  7427. #               acl local-servers dstdomain .foo.net
  7428. #               never_direct deny local-servers
  7429. #               never_direct allow all
  7430. #
  7431. #       or if Squid is inside a firewall and there are local intranet
  7432. #       servers inside the firewall use something like:
  7433. #
  7434. #               acl local-intranet dstdomain .foo.net
  7435. #               acl local-external dstdomain external.foo.net
  7436. #               always_direct deny local-external
  7437. #               always_direct allow local-intranet
  7438. #               never_direct allow all
  7439. #
  7440. #       This clause supports both fast and slow acl types.
  7441. #       See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  7442. #Default:
  7443. # none
  7444.  
  7445. # ADVANCED NETWORKING OPTIONS
  7446. # -----------------------------------------------------------------------------
  7447.  
  7448. #  TAG: incoming_icp_average
  7449. #  TAG: incoming_http_average
  7450. #  TAG: incoming_dns_average
  7451. #  TAG: min_icp_poll_cnt
  7452. #  TAG: min_dns_poll_cnt
  7453. #  TAG: min_http_poll_cnt
  7454. #       Heavy voodoo here.  I can't even believe you are reading this.
  7455. #       Are you crazy?  Don't even think about adjusting these unless
  7456. #       you understand the algorithms in comm_select.c first!
  7457. #Default:
  7458. # incoming_icp_average 6
  7459. # incoming_http_average 4
  7460. # incoming_dns_average 4
  7461. # min_icp_poll_cnt 8
  7462. # min_dns_poll_cnt 8
  7463. # min_http_poll_cnt 8
  7464.  
  7465. #  TAG: accept_filter
  7466. #       FreeBSD:
  7467. #
  7468. #       The name of an accept(2) filter to install on Squid's
  7469. #       listen socket(s).  This feature is perhaps specific to
  7470. #       FreeBSD and requires support in the kernel.
  7471. #
  7472. #       The 'httpready' filter delays delivering new connections
  7473. #       to Squid until a full HTTP request has been received.
  7474. #       See the accf_http(9) man page for details.
  7475. #
  7476. #       The 'dataready' filter delays delivering new connections
  7477. #       to Squid until there is some data to process.
  7478. #       See the accf_dataready(9) man page for details.
  7479. #
  7480. #       Linux:
  7481. #      
  7482. #       The 'data' filter delays delivering of new connections
  7483. #       to Squid until there is some data to process by TCP_ACCEPT_DEFER.
  7484. #       You may optionally specify a number of seconds to wait by
  7485. #       'data=N' where N is the number of seconds. Defaults to 30
  7486. #       if not specified.  See the tcp(7) man page for details.
  7487. #EXAMPLE:
  7488. ## FreeBSD
  7489. #accept_filter httpready
  7490. ## Linux
  7491. #accept_filter data
  7492. #Default:
  7493. # none
  7494.  
  7495. #  TAG: client_ip_max_connections
  7496. #       Set an absolute limit on the number of connections a single
  7497. #       client IP can use. Any more than this and Squid will begin to drop
  7498. #       new connections from the client until it closes some links.
  7499. #
  7500. #       Note that this is a global limit. It affects all HTTP, HTCP, Gopher and FTP
  7501. #       connections from the client. For finer control use the ACL access controls.
  7502. #
  7503. #       Requires client_db to be enabled (the default).
  7504. #
  7505. #       WARNING: This may noticably slow down traffic received via external proxies
  7506. #       or NAT devices and cause them to rebound error messages back to their clients.
  7507. #Default:
  7508. # client_ip_max_connections -1
  7509.  
  7510. #  TAG: tcp_recv_bufsize        (bytes)
  7511. #       Size of receive buffer to set for TCP sockets.  Probably just
  7512. #       as easy to change your kernel's default.  Set to zero to use
  7513. #       the default buffer size.
  7514. #Default:
  7515. # tcp_recv_bufsize 0 bytes
  7516.  
  7517. # ICAP OPTIONS
  7518. # -----------------------------------------------------------------------------
  7519.  
  7520. #  TAG: icap_enable     on|off
  7521. #       If you want to enable the ICAP module support, set this to on.
  7522. #Default:
  7523. # icap_enable off
  7524.  
  7525. #  TAG: icap_connect_timeout
  7526. #       This parameter specifies how long to wait for the TCP connect to
  7527. #       the requested ICAP server to complete before giving up and either
  7528. #       terminating the HTTP transaction or bypassing the failure.
  7529. #
  7530. #       The default for optional services is peer_connect_timeout.
  7531. #       The default for essential services is connect_timeout.
  7532. #       If this option is explicitly set, its value applies to all services.
  7533. #Default:
  7534. # none
  7535.  
  7536. #  TAG: icap_io_timeout time-units
  7537. #       This parameter specifies how long to wait for an I/O activity on
  7538. #       an established, active ICAP connection before giving up and
  7539. #       either terminating the HTTP transaction or bypassing the
  7540. #       failure.
  7541. #
  7542. #       The default is read_timeout.
  7543. #Default:
  7544. # none
  7545.  
  7546. #  TAG: icap_service_failure_limit
  7547. #       The limit specifies the number of failures that Squid tolerates
  7548. #       when establishing a new TCP connection with an ICAP service. If
  7549. #       the number of failures exceeds the limit, the ICAP service is
  7550. #       not used for new ICAP requests until it is time to refresh its
  7551. #       OPTIONS. The per-service failure counter is reset to zero each
  7552. #       time Squid fetches new service OPTIONS.
  7553. #
  7554. #       A negative value disables the limit. Without the limit, an ICAP
  7555. #       service will not be considered down due to connectivity failures
  7556. #       between ICAP OPTIONS requests.
  7557. #Default:
  7558. # icap_service_failure_limit 10
  7559.  
  7560. #  TAG: icap_service_revival_delay
  7561. #       The delay specifies the number of seconds to wait after an ICAP
  7562. #       OPTIONS request failure before requesting the options again. The
  7563. #       failed ICAP service is considered "down" until fresh OPTIONS are
  7564. #       fetched.
  7565. #
  7566. #       The actual delay cannot be smaller than the hardcoded minimum
  7567. #       delay of 30 seconds.
  7568. #Default:
  7569. # icap_service_revival_delay 180
  7570.  
  7571. #  TAG: icap_preview_enable     on|off
  7572. #       The ICAP Preview feature allows the ICAP server to handle the
  7573. #       HTTP message by looking only at the beginning of the message body
  7574. #       or even without receiving the body at all. In some environments,
  7575. #       previews greatly speedup ICAP processing.
  7576. #
  7577. #       During an ICAP OPTIONS transaction, the server may tell Squid what
  7578. #       HTTP messages should be previewed and how big the preview should be.
  7579. #       Squid will not use Preview if the server did not request one.
  7580. #
  7581. #       To disable ICAP Preview for all ICAP services, regardless of
  7582. #       individual ICAP server OPTIONS responses, set this option to "off".
  7583. #Example:
  7584. #icap_preview_enable off
  7585. #Default:
  7586. # icap_preview_enable on
  7587.  
  7588. #  TAG: icap_preview_size
  7589. #       The default size of preview data to be sent to the ICAP server.
  7590. #       -1 means no preview. This value might be overwritten on a per server
  7591. #       basis by OPTIONS requests.
  7592. #Default:
  7593. # icap_preview_size -1
  7594.  
  7595. #  TAG: icap_default_options_ttl
  7596. #       The default TTL value for ICAP OPTIONS responses that don't have
  7597. #       an Options-TTL header.
  7598. #Default:
  7599. # icap_default_options_ttl 60
  7600.  
  7601. #  TAG: icap_persistent_connections     on|off
  7602. #       Whether or not Squid should use persistent connections to
  7603. #       an ICAP server.
  7604. #Default:
  7605. # icap_persistent_connections on
  7606.  
  7607. #  TAG: icap_send_client_ip     on|off
  7608. #       This adds the header "X-Client-IP" to ICAP requests.
  7609. #Default:
  7610. # icap_send_client_ip off
  7611.  
  7612. #  TAG: icap_send_client_username       on|off
  7613. #       This sends authenticated HTTP client username (if available) to
  7614. #       the ICAP service. The username value is encoded based on the
  7615. #       icap_client_username_encode option and is sent using the header
  7616. #       specified by the icap_client_username_header option.
  7617. #Default:
  7618. # icap_send_client_username off
  7619.  
  7620. #  TAG: icap_client_username_header
  7621. #       ICAP request header name to use for send_client_username.
  7622. #Default:
  7623. # icap_client_username_header X-Client-Username
  7624.  
  7625. #  TAG: icap_client_username_encode     on|off
  7626. #       Whether to base64 encode the authenticated client username.
  7627. #Default:
  7628. # icap_client_username_encode off
  7629.  
  7630. #  TAG: icap_service
  7631. #       Defines a single ICAP service using the following format:
  7632. #
  7633. #       icap_service service_name vectoring_point [options] service_url
  7634. #
  7635. #       service_name: ID
  7636. #               an opaque identifier which must be unique in squid.conf
  7637. #
  7638. #       vectoring_point: reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache
  7639. #               This specifies at which point of transaction processing the
  7640. #               ICAP service should be activated. *_postcache vectoring points
  7641. #               are not yet supported.
  7642. #
  7643. #       service_url: icap://servername:port/servicepath
  7644. #               ICAP server and service location.
  7645. #
  7646. #       ICAP does not allow a single service to handle both REQMOD and RESPMOD
  7647. #       transactions. Squid does not enforce that requirement. You can specify
  7648. #       services with the same service_url and different vectoring_points. You
  7649. #       can even specify multiple identical services as long as their
  7650. #       service_names differ.
  7651. #
  7652. #
  7653. #       Service options are separated by white space. ICAP services support
  7654. #       the following name=value options:
  7655. #
  7656. #       bypass=on|off|1|0
  7657. #               If set to 'on' or '1', the ICAP service is treated as
  7658. #               optional. If the service cannot be reached or malfunctions,
  7659. #               Squid will try to ignore any errors and process the message as
  7660. #               if the service was not enabled. No all ICAP errors can be
  7661. #               bypassed.  If set to 0, the ICAP service is treated as
  7662. #               essential and all ICAP errors will result in an error page
  7663. #               returned to the HTTP client.
  7664. #
  7665. #               Bypass is off by default: services are treated as essential.
  7666. #
  7667. #       routing=on|off|1|0
  7668. #               If set to 'on' or '1', the ICAP service is allowed to
  7669. #               dynamically change the current message adaptation plan by
  7670. #               returning a chain of services to be used next. The services
  7671. #               are specified using the X-Next-Services ICAP response header
  7672. #               value, formatted as a comma-separated list of service names.
  7673. #               Each named service should be configured in squid.conf and
  7674. #               should have the same method and vectoring point as the current
  7675. #               ICAP transaction.  Services violating these rules are ignored.
  7676. #               An empty X-Next-Services value results in an empty plan which
  7677. #               ends the current adaptation.
  7678. #
  7679. #               Routing is not allowed by default: the ICAP X-Next-Services
  7680. #               response header is ignored.
  7681. #
  7682. #       Older icap_service format without optional named parameters is
  7683. #       deprecated but supported for backward compatibility.
  7684. #
  7685. #Example:
  7686. #icap_service svcBlocker reqmod_precache bypass=0 icap://icap1.mydomain.net:1344/reqmod
  7687. #icap_service svcLogger reqmod_precache routing=on icap://icap2.mydomain.net:1344/respmod
  7688. #Default:
  7689. # none
  7690.  
  7691. #  TAG: icap_class
  7692. #       This deprecated option was documented to define an ICAP service
  7693. #       chain, even though it actually defined a set of similar, redundant
  7694. #       services, and the chains were not supported.
  7695. #
  7696. #       To define a set of redundant services, please use the
  7697. #       adaptation_service_set directive. For service chains, use
  7698. #       adaptation_service_chain.
  7699. #Default:
  7700. # none
  7701.  
  7702. #  TAG: icap_access
  7703. #       This option is deprecated. Please use adaptation_access, which
  7704. #       has the same ICAP functionality, but comes with better
  7705. #       documentation, and eCAP support.
  7706. #Default:
  7707. # none
  7708.  
  7709. # eCAP OPTIONS
  7710. # -----------------------------------------------------------------------------
  7711.  
  7712. #  TAG: ecap_enable     on|off
  7713. # Note: This option is only available if Squid is rebuilt with the
  7714. #       --enable-ecap option
  7715. #
  7716. #       Controls whether eCAP support is enabled.
  7717. #Default:
  7718. # ecap_enable off
  7719.  
  7720. #  TAG: ecap_service
  7721. # Note: This option is only available if Squid is rebuilt with the
  7722. #       --enable-ecap option
  7723. #
  7724. #       Defines a single eCAP service
  7725. #
  7726. #       ecap_service servicename vectoring_point bypass service_url
  7727. #
  7728. #       vectoring_point = reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache
  7729. #               This specifies at which point of transaction processing the
  7730. #               eCAP service should be activated. *_postcache vectoring points
  7731. #               are not yet supported.
  7732. #       bypass = 1|0
  7733. #               If set to 1, the eCAP service is treated as optional. If the
  7734. #               service cannot be reached or malfunctions, Squid will try to
  7735. #               ignore any errors and process the message as if the service
  7736. #               was not enabled. No all eCAP errors can be bypassed.
  7737. #               If set to 0, the eCAP service is treated as essential and all
  7738. #               eCAP errors will result in an error page returned to the
  7739. #               HTTP client.
  7740. #       service_url = ecap://vendor/service_name?custom&cgi=style&parameters=optional
  7741. #
  7742. #Example:
  7743. #ecap_service service_1 reqmod_precache 0 ecap://filters-R-us/leakDetector?on_error=block
  7744. #ecap_service service_2 respmod_precache 1 icap://filters-R-us/virusFilter?config=/etc/vf.cfg
  7745. #Default:
  7746. # none
  7747.  
  7748. #  TAG: loadable_modules
  7749. #       Instructs Squid to load the specified dynamic module(s) or activate
  7750. #       preloaded module(s).
  7751. #Example:
  7752. #loadable_modules /usr/lib/MinimalAdapter.so
  7753. #Default:
  7754. # none
  7755.  
  7756. # MESSAGE ADAPTATION OPTIONS
  7757. # -----------------------------------------------------------------------------
  7758.  
  7759. #  TAG: adaptation_service_set
  7760. #
  7761. #       Configures an ordered set of similar, redundant services. This is
  7762. #       useful when hot standby or backup adaptation servers are available.
  7763. #
  7764. #           adaptation_service_set set_name service_name1 service_name2 ...
  7765. #
  7766. #       The named services are used in the set declaration order. The first
  7767. #       applicable adaptation service from the set is used first. The next
  7768. #       applicable service is tried if and only if the transaction with the
  7769. #       previous service fails and the message waiting to be adapted is still
  7770. #       intact.
  7771. #
  7772. #       When adaptation starts, broken services are ignored as if they were
  7773. #       not a part of the set. A broken service is a down optional service.
  7774. #
  7775. #       The services in a set must be attached to the same vectoring point
  7776. #       (e.g., pre-cache) and use the same adaptation method (e.g., REQMOD).
  7777. #
  7778. #       If all services in a set are optional then adaptation failures are
  7779. #       bypassable. If all services in the set are essential, then a
  7780. #       transaction failure with one service may still be retried using
  7781. #       another service from the set, but when all services fail, the master
  7782. #       transaction fails as well.
  7783. #
  7784. #       A set may contain a mix of optional and essential services, but that
  7785. #       is likely to lead to surprising results because broken services become
  7786. #       ignored (see above), making previously bypassable failures fatal.
  7787. #       Technically, it is the bypassability of the last failed service that
  7788. #       matters.
  7789. #
  7790. #       See also: adaptation_access adaptation_service_chain
  7791. #
  7792. #Example:
  7793. #adaptation_service_set svcBlocker urlFilterPrimary urlFilterBackup
  7794. #adaptation service_set svcLogger loggerLocal loggerRemote
  7795. #Default:
  7796. # none
  7797.  
  7798. #  TAG: adaptation_service_chain
  7799. #
  7800. #       Configures a list of complementary services that will be applied
  7801. #       one-by-one, forming an adaptation chain or pipeline. This is useful
  7802. #       when Squid must perform different adaptations on the same message.
  7803. #
  7804. #           adaptation_service_chain chain_name service_name1 svc_name2 ...
  7805. #
  7806. #       The named services are used in the chain declaration order. The first
  7807. #       applicable adaptation service from the chain is used first. The next
  7808. #       applicable service is applied to the successful adaptation results of
  7809. #       the previous service in the chain.
  7810. #
  7811. #       When adaptation starts, broken services are ignored as if they were
  7812. #       not a part of the chain. A broken service is a down optional service.
  7813. #
  7814. #       Request satisfaction terminates the adaptation chain because Squid
  7815. #       does not currently allow declaration of RESPMOD services at the
  7816. #       "reqmod_precache" vectoring point (see icap_service or ecap_service).
  7817. #
  7818. #       The services in a chain must be attached to the same vectoring point
  7819. #       (e.g., pre-cache) and use the same adaptation method (e.g., REQMOD).
  7820. #
  7821. #       A chain may contain a mix of optional and essential services. If an
  7822. #       essential adaptation fails (or the failure cannot be bypassed for
  7823. #       other reasons), the master transaction fails. Otherwise, the failure
  7824. #       is bypassed as if the failed adaptation service was not in the chain.
  7825. #
  7826. #       See also: adaptation_access adaptation_service_set
  7827. #
  7828. #Example:
  7829. #adaptation_service_chain svcRequest requestLogger urlFilter leakDetector
  7830. #Default:
  7831. # none
  7832.  
  7833. #  TAG: adaptation_access
  7834. #       Sends an HTTP transaction to an ICAP or eCAP adaptation service.
  7835. #
  7836. #       adaptation_access service_name allow|deny [!]aclname...
  7837. #       adaptation_access set_name     allow|deny [!]aclname...
  7838. #
  7839. #       At each supported vectoring point, the adaptation_access
  7840. #       statements are processed in the order they appear in this
  7841. #       configuration file. Statements pointing to the following services
  7842. #       are ignored (i.e., skipped without checking their ACL):
  7843. #
  7844. #           - services serving different vectoring points
  7845. #           - "broken-but-bypassable" services
  7846. #           - "up" services configured to ignore such transactions
  7847. #              (e.g., based on the ICAP Transfer-Ignore header).
  7848. #
  7849. #        When a set_name is used, all services in the set are checked
  7850. #       using the same rules, to find the first applicable one. See
  7851. #       adaptation_service_set for details.
  7852. #
  7853. #       If an access list is checked and there is a match, the
  7854. #       processing stops: For an "allow" rule, the corresponding
  7855. #       adaptation service is used for the transaction. For a "deny"
  7856. #       rule, no adaptation service is activated.
  7857. #
  7858. #       It is currently not possible to apply more than one adaptation
  7859. #       service at the same vectoring point to the same HTTP transaction.
  7860. #
  7861. #        See also: icap_service and ecap_service
  7862. #
  7863. #Example:
  7864. #adaptation_access service_1 allow all
  7865. #Default:
  7866. # none
  7867.  
  7868. #  TAG: adaptation_service_iteration_limit
  7869. #       Limits the number of iterations allowed when applying adaptation
  7870. #       services to a message. If your longest adaptation set or chain
  7871. #       may have more than 16 services, increase the limit beyond its
  7872. #       default value of 16. If detecting infinite iteration loops sooner
  7873. #       is critical, make the iteration limit match the actual number
  7874. #       of services in your longest adaptation set or chain.
  7875. #
  7876. #       Infinite adaptation loops are most likely with routing services.
  7877. #
  7878. #       See also: icap_service routing=1
  7879. #Default:
  7880. # adaptation_service_iteration_limit 16
  7881.  
  7882. #  TAG: adaptation_masterx_shared_names
  7883. #       For each master transaction (i.e., the HTTP request and response
  7884. #       sequence, including all related ICAP and eCAP exchanges), Squid
  7885. #       maintains a table of metadata. The table entries are (name, value)
  7886. #       pairs shared among eCAP and ICAP exchanges. The table is destroyed
  7887. #       with the master transaction.
  7888. #
  7889. #       This option specifies the table entry names that Squid must accept
  7890. #       from and forward to the adaptation transactions.
  7891. #
  7892. #       An ICAP REQMOD or RESPMOD transaction may set an entry in the
  7893. #       shared table by returning an ICAP header field with a name
  7894. #       specified in adaptation_masterx_shared_names. Squid will store
  7895. #       and forward that ICAP header field to subsequent ICAP
  7896. #       transactions within the same master transaction scope.
  7897. #
  7898. #       Only one shared entry name is supported at this time.
  7899. #
  7900. #Example:
  7901. ## share authentication information among ICAP services
  7902. #adaptation_masterx_shared_names X-Subscriber-ID
  7903. #Default:
  7904. # none
  7905.  
  7906. #  TAG: icap_retry
  7907. #       This ACL determines which retriable ICAP transactions are
  7908. #       retried. Transactions that received a complete ICAP response
  7909. #       and did not have to consume or produce HTTP bodies to receive
  7910. #       that response are usually retriable.
  7911. #
  7912. #       icap_retry allow|deny [!]aclname ...
  7913. #
  7914. #       Squid automatically retries some ICAP I/O timeouts and errors
  7915. #       due to persistent connection race conditions.
  7916. #
  7917. #       See also: icap_retry_limit
  7918. #Default:
  7919. # icap_retry deny all
  7920.  
  7921. #  TAG: icap_retry_limit
  7922. #       Limits the number of retries allowed. When set to zero (default),
  7923. #       no retries are allowed.
  7924. #
  7925. #       Communication errors due to persistent connection race
  7926. #       conditions are unavoidable, automatically retried, and do not
  7927. #       count against this limit.
  7928. #
  7929. #       See also: icap_retry
  7930. #Default:
  7931. # icap_retry_limit 0
  7932.  
  7933. # DNS OPTIONS
  7934. # -----------------------------------------------------------------------------
  7935.  
  7936. #  TAG: check_hostnames
  7937. #       For security and stability reasons Squid can check
  7938. #       hostnames for Internet standard RFC compliance. If you want
  7939. #       Squid to perform these checks turn this directive on.
  7940. #Default:
  7941. # check_hostnames off
  7942.  
  7943. #  TAG: allow_underscore
  7944. #       Underscore characters is not strictly allowed in Internet hostnames
  7945. #       but nevertheless used by many sites. Set this to off if you want
  7946. #       Squid to be strict about the standard.
  7947. #       This check is performed only when check_hostnames is set to on.
  7948. #Default:
  7949. # allow_underscore on
  7950.  
  7951. #  TAG: cache_dns_program
  7952. # Note: This option is only available if Squid is rebuilt with the
  7953. #       --disable-internal-dns option
  7954. #
  7955. #       Specify the location of the executable for dnslookup process.
  7956. #Default:
  7957. # cache_dns_program /usr/lib/squid3/dnsserver
  7958.  
  7959. #  TAG: dns_children
  7960. # Note: This option is only available if Squid is rebuilt with the
  7961. #       --disable-internal-dns option
  7962. #
  7963. #       The number of processes spawn to service DNS name lookups.
  7964. #       For heavily loaded caches on large servers, you should
  7965. #       probably increase this value to at least 10.  The maximum
  7966. #       is 32.  The default is 5.
  7967. #
  7968. #       You must have at least one dnsserver process.
  7969. #Default:
  7970. # dns_children 5
  7971.  
  7972. #  TAG: dns_retransmit_interval
  7973. #       Initial retransmit interval for DNS queries. The interval is
  7974. #       doubled each time all configured DNS servers have been tried.
  7975. #
  7976. #Default:
  7977. # dns_retransmit_interval 5 seconds
  7978.  
  7979. #  TAG: dns_timeout
  7980. #       DNS Query timeout. If no response is received to a DNS query
  7981. #       within this time all DNS servers for the queried domain
  7982. #       are assumed to be unavailable.
  7983. #Default:
  7984. # dns_timeout 2 minutes
  7985.  
  7986. #  TAG: dns_defnames    on|off
  7987. #       Normally the RES_DEFNAMES resolver option is disabled
  7988. #       (see res_init(3)).  This prevents caches in a hierarchy
  7989. #       from interpreting single-component hostnames locally.  To allow
  7990. #       Squid to handle single-component names, enable this option.
  7991. #Default:
  7992. # dns_defnames off
  7993.  
  7994. #  TAG: dns_nameservers
  7995. #       Use this if you want to specify a list of DNS name servers
  7996. #       (IP addresses) to use instead of those given in your
  7997. #       /etc/resolv.conf file.
  7998. #       On Windows platforms, if no value is specified here or in
  7999. #       the /etc/resolv.conf file, the list of DNS name servers are
  8000. #       taken from the Windows registry, both static and dynamic DHCP
  8001. #       configurations are supported.
  8002. #
  8003. #       Example: dns_nameservers 10.0.0.1 192.172.0.4
  8004. #Default:
  8005. # none
  8006.  
  8007. #  TAG: hosts_file
  8008. #       Location of the host-local IP name-address associations
  8009. #       database. Most Operating Systems have such a file on different
  8010. #       default locations:
  8011. #       - Un*X & Linux:    /etc/hosts
  8012. #       - Windows NT/2000: %SystemRoot%\system32\drivers\etc\hosts
  8013. #                          (%SystemRoot% value install default is c:\winnt)
  8014. #       - Windows XP/2003: %SystemRoot%\system32\drivers\etc\hosts
  8015. #                          (%SystemRoot% value install default is c:\windows)
  8016. #       - Windows 9x/Me:   %windir%\hosts
  8017. #                          (%windir% value is usually c:\windows)
  8018. #       - Cygwin:          /etc/hosts
  8019. #
  8020. #       The file contains newline-separated definitions, in the
  8021. #       form ip_address_in_dotted_form name [name ...] names are
  8022. #       whitespace-separated. Lines beginning with an hash (#)
  8023. #       character are comments.
  8024. #
  8025. #       The file is checked at startup and upon configuration.
  8026. #       If set to 'none', it won't be checked.
  8027. #       If append_domain is used, that domain will be added to
  8028. #       domain-local (i.e. not containing any dot character) host
  8029. #       definitions.
  8030. #Default:
  8031. # hosts_file /etc/hosts
  8032.  
  8033. #  TAG: append_domain
  8034. #       Appends local domain name to hostnames without any dots in
  8035. #       them.  append_domain must begin with a period.
  8036. #
  8037. #       Be warned there are now Internet names with no dots in
  8038. #       them using only top-domain names, so setting this may
  8039. #       cause some Internet sites to become unavailable.
  8040. #
  8041. #Example:
  8042. # append_domain .yourdomain.com
  8043. #Default:
  8044. # none
  8045.  
  8046. #  TAG: ignore_unknown_nameservers
  8047. #       By default Squid checks that DNS responses are received
  8048. #       from the same IP addresses they are sent to.  If they
  8049. #       don't match, Squid ignores the response and writes a warning
  8050. #       message to cache.log.  You can allow responses from unknown
  8051. #       nameservers by setting this option to 'off'.
  8052. #Default:
  8053. # ignore_unknown_nameservers on
  8054.  
  8055. #  TAG: dns_v4_fallback
  8056. #       Standard practice with DNS is to lookup either A or AAAA records
  8057. #       and use the results if it succeeds. Only looking up the other if
  8058. #       the first attempt fails or otherwise produces no results.
  8059. #
  8060. #       That policy however will cause squid to produce error pages for some
  8061. #       servers that advertise AAAA but are unreachable over IPv6.
  8062. #
  8063. #       If this is ON  squid will always lookup both AAAA and A, using both.
  8064. #       If this is OFF squid will lookup AAAA and only try A if none found.
  8065. #
  8066. #       WARNING: There are some possibly unwanted side-effects with this on:
  8067. #               *) Doubles the load placed by squid on the DNS network.
  8068. #               *) May negatively impact connection delay times.
  8069. #Default:
  8070. # dns_v4_fallback on
  8071.  
  8072. #  TAG: ipcache_size    (number of entries)
  8073. #  TAG: ipcache_low     (percent)
  8074. #  TAG: ipcache_high    (percent)
  8075. #       The size, low-, and high-water marks for the IP cache.
  8076. #Default:
  8077. # ipcache_size 1024
  8078. # ipcache_low 90
  8079. # ipcache_high 95
  8080.  
  8081. #  TAG: fqdncache_size  (number of entries)
  8082. #       Maximum number of FQDN cache entries.
  8083. #Default:
  8084. # fqdncache_size 1024
  8085.  
  8086. # MISCELLANEOUS
  8087. # -----------------------------------------------------------------------------
  8088.  
  8089. #  TAG: memory_pools    on|off
  8090. #       If set, Squid will keep pools of allocated (but unused) memory
  8091. #       available for future use.  If memory is a premium on your
  8092. #       system and you believe your malloc library outperforms Squid
  8093. #       routines, disable this.
  8094. #Default:
  8095. # memory_pools on
  8096.  
  8097. #  TAG: memory_pools_limit      (bytes)
  8098. #       Used only with memory_pools on:
  8099. #       memory_pools_limit 50 MB
  8100. #
  8101. #       If set to a non-zero value, Squid will keep at most the specified
  8102. #       limit of allocated (but unused) memory in memory pools. All free()
  8103. #       requests that exceed this limit will be handled by your malloc
  8104. #       library. Squid does not pre-allocate any memory, just safe-keeps
  8105. #       objects that otherwise would be free()d. Thus, it is safe to set
  8106. #       memory_pools_limit to a reasonably high value even if your
  8107. #       configuration will use less memory.
  8108. #
  8109. #       If set to none, Squid will keep all memory it can. That is, there
  8110. #       will be no limit on the total amount of memory used for safe-keeping.
  8111. #
  8112. #       To disable memory allocation optimization, do not set
  8113. #       memory_pools_limit to 0 or none. Set memory_pools to "off" instead.
  8114. #
  8115. #       An overhead for maintaining memory pools is not taken into account
  8116. #       when the limit is checked. This overhead is close to four bytes per
  8117. #       object kept. However, pools may actually _save_ memory because of
  8118. #       reduced memory thrashing in your malloc library.
  8119. #Default:
  8120. # memory_pools_limit 5 MB
  8121.  
  8122. #  TAG: forwarded_for   on|off|transparent|truncate|delete
  8123. #       If set to "on", Squid will append your client's IP address
  8124. #       in the HTTP requests it forwards. By default it looks like:
  8125. #
  8126. #               X-Forwarded-For: 192.1.2.3
  8127. #
  8128. #       If set to "off", it will appear as
  8129. #
  8130. #               X-Forwarded-For: unknown
  8131. #
  8132. #       If set to "transparent", Squid will not alter the
  8133. #       X-Forwarded-For header in any way.
  8134. #
  8135. #       If set to "delete", Squid will delete the entire
  8136. #       X-Forwarded-For header.
  8137. #
  8138. #       If set to "truncate", Squid will remove all existing
  8139. #       X-Forwarded-For entries, and place itself as the sole entry.
  8140. #Default:
  8141. # forwarded_for on
  8142.  
  8143. #  TAG: cachemgr_passwd
  8144. #       Specify passwords for cachemgr operations.
  8145. #
  8146. #       Usage: cachemgr_passwd password action action ...
  8147. #
  8148. #       Some valid actions are (see cache manager menu for a full list):
  8149. #               5min
  8150. #               60min
  8151. #               asndb
  8152. #               authenticator
  8153. #               cbdata
  8154. #               client_list
  8155. #               comm_incoming
  8156. #               config *
  8157. #               counters
  8158. #               delay
  8159. #               digest_stats
  8160. #               dns
  8161. #               events
  8162. #               filedescriptors
  8163. #               fqdncache
  8164. #               histograms
  8165. #               http_headers
  8166. #               info
  8167. #               io
  8168. #               ipcache
  8169. #               mem
  8170. #               menu
  8171. #               netdb
  8172. #               non_peers
  8173. #               objects
  8174. #               offline_toggle *
  8175. #               pconn
  8176. #               peer_select
  8177. #               reconfigure *
  8178. #               redirector
  8179. #               refresh
  8180. #               server_list
  8181. #               shutdown *
  8182. #               store_digest
  8183. #               storedir
  8184. #               utilization
  8185. #               via_headers
  8186. #               vm_objects
  8187. #
  8188. #       * Indicates actions which will not be performed without a
  8189. #         valid password, others can be performed if not listed here.
  8190. #
  8191. #       To disable an action, set the password to "disable".
  8192. #       To allow performing an action without a password, set the
  8193. #       password to "none".
  8194. #
  8195. #       Use the keyword "all" to set the same password for all actions.
  8196. #
  8197. #Example:
  8198. # cachemgr_passwd secret shutdown
  8199. # cachemgr_passwd lesssssssecret info stats/objects
  8200. # cachemgr_passwd disable all
  8201. #Default:
  8202. # none
  8203.  
  8204. #  TAG: client_db       on|off
  8205. #       If you want to disable collecting per-client statistics,
  8206. #       turn off client_db here.
  8207. #Default:
  8208. # client_db on
  8209.  
  8210. #  TAG: refresh_all_ims on|off
  8211. #       When you enable this option, squid will always check
  8212. #       the origin server for an update when a client sends an
  8213. #       If-Modified-Since request.  Many browsers use IMS
  8214. #       requests when the user requests a reload, and this
  8215. #       ensures those clients receive the latest version.
  8216. #
  8217. #       By default (off), squid may return a Not Modified response
  8218. #       based on the age of the cached version.
  8219. #Default:
  8220. # refresh_all_ims off
  8221.  
  8222. #  TAG: reload_into_ims on|off
  8223. #       When you enable this option, client no-cache or ``reload''
  8224. #       requests will be changed to If-Modified-Since requests.
  8225. #       Doing this VIOLATES the HTTP standard.  Enabling this
  8226. #       feature could make you liable for problems which it
  8227. #       causes.
  8228. #
  8229. #       see also refresh_pattern for a more selective approach.
  8230. #Default:
  8231. # reload_into_ims off
  8232.  
  8233. #  TAG: maximum_single_addr_tries
  8234. #       This sets the maximum number of connection attempts for a
  8235. #       host that only has one address (for multiple-address hosts,
  8236. #       each address is tried once).
  8237. #
  8238. #       The default value is one attempt, the (not recommended)
  8239. #       maximum is 255 tries.  A warning message will be generated
  8240. #       if it is set to a value greater than ten.
  8241. #
  8242. #       Note: This is in addition to the request re-forwarding which
  8243. #       takes place if Squid fails to get a satisfying response.
  8244. #Default:
  8245. # maximum_single_addr_tries 1
  8246.  
  8247. #  TAG: retry_on_error
  8248. #       If set to on Squid will automatically retry requests when
  8249. #       receiving an error response. This is mainly useful if you
  8250. #       are in a complex cache hierarchy to work around access
  8251. #       control errors.
  8252. #Default:
  8253. # retry_on_error off
  8254.  
  8255. #  TAG: as_whois_server
  8256. #       WHOIS server to query for AS numbers.  NOTE: AS numbers are
  8257. #       queried only when Squid starts up, not for every request.
  8258. #Default:
  8259. # as_whois_server whois.ra.net
  8260. # as_whois_server whois.ra.net
  8261.  
  8262. #  TAG: offline_mode
  8263. #       Enable this option and Squid will never try to validate cached
  8264. #       objects.
  8265. #Default:
  8266. # offline_mode off
  8267.  
  8268. #  TAG: uri_whitespace
  8269. #       What to do with requests that have whitespace characters in the
  8270. #       URI.  Options:
  8271. #
  8272. #       strip:  The whitespace characters are stripped out of the URL.
  8273. #               This is the behavior recommended by RFC2396.
  8274. #       deny:   The request is denied.  The user receives an "Invalid
  8275. #               Request" message.
  8276. #       allow:  The request is allowed and the URI is not changed.  The
  8277. #               whitespace characters remain in the URI.  Note the
  8278. #               whitespace is passed to redirector processes if they
  8279. #               are in use.
  8280. #       encode: The request is allowed and the whitespace characters are
  8281. #               encoded according to RFC1738.  This could be considered
  8282. #               a violation of the HTTP/1.1
  8283. #               RFC because proxies are not allowed to rewrite URI's.
  8284. #       chop:   The request is allowed and the URI is chopped at the
  8285. #               first whitespace.  This might also be considered a
  8286. #               violation.
  8287. #Default:
  8288. # uri_whitespace strip
  8289.  
  8290. #  TAG: chroot
  8291. #       Specifies a directory where Squid should do a chroot() while
  8292. #       initializing.  This also causes Squid to fully drop root
  8293. #       privileges after initializing.  This means, for example, if you
  8294. #       use a HTTP port less than 1024 and try to reconfigure, you may
  8295. #       get an error saying that Squid can not open the port.
  8296. #Default:
  8297. # none
  8298.  
  8299. #  TAG: balance_on_multiple_ip
  8300. #       Modern IP resolvers in squid sort lookup results by preferred access.
  8301. #       By default squid will use these IP in order and only rotates to
  8302. #       the next listed when the most preffered fails.
  8303. #
  8304. #       Some load balancing servers based on round robin DNS have been
  8305. #       found not to preserve user session state across requests
  8306. #       to different IP addresses.
  8307. #
  8308. #       Enabling this directive Squid rotates IP's per request.
  8309. #Default:
  8310. # balance_on_multiple_ip off
  8311.  
  8312. #  TAG: pipeline_prefetch
  8313. #       To boost the performance of pipelined requests to closer
  8314. #       match that of a non-proxied environment Squid can try to fetch
  8315. #       up to two requests in parallel from a pipeline.
  8316. #
  8317. #       Defaults to off for bandwidth management and access logging
  8318. #       reasons.
  8319. #Default:
  8320. # pipeline_prefetch off
  8321.  
  8322. #  TAG: high_response_time_warning      (msec)
  8323. #       If the one-minute median response time exceeds this value,
  8324. #       Squid prints a WARNING with debug level 0 to get the
  8325. #       administrators attention.  The value is in milliseconds.
  8326. #Default:
  8327. # high_response_time_warning 0
  8328.  
  8329. #  TAG: high_page_fault_warning
  8330. #       If the one-minute average page fault rate exceeds this
  8331. #       value, Squid prints a WARNING with debug level 0 to get
  8332. #       the administrators attention.  The value is in page faults
  8333. #       per second.
  8334. #Default:
  8335. # high_page_fault_warning 0
  8336.  
  8337. #  TAG: high_memory_warning
  8338. #       If the memory usage (as determined by mallinfo) exceeds
  8339. #       this amount, Squid prints a WARNING with debug level 0 to get
  8340. #       the administrators attention.
  8341. #Default:
  8342. # high_memory_warning 0 KB
  8343.  
  8344. #  TAG: sleep_after_fork        (microseconds)
  8345. #       When this is set to a non-zero value, the main Squid process
  8346. #       sleeps the specified number of microseconds after a fork()
  8347. #       system call. This sleep may help the situation where your
  8348. #       system reports fork() failures due to lack of (virtual)
  8349. #       memory. Note, however, if you have a lot of child
  8350. #       processes, these sleep delays will add up and your
  8351. #       Squid will not service requests for some amount of time
  8352. #       until all the child processes have been started.
  8353. #       On Windows value less then 1000 (1 milliseconds) are
  8354. #       rounded to 1000.
  8355. #Default:
  8356. # sleep_after_fork 0
  8357.  
  8358. #  TAG: windows_ipaddrchangemonitor     on|off
  8359. #       On Windows Squid by default will monitor IP address changes and will
  8360. #       reconfigure itself after any detected event. This is very useful for
  8361. #       proxies connected to internet with dial-up interfaces.
  8362. #       In some cases (a Proxy server acting as VPN gateway is one) it could be
  8363. #       desiderable to disable this behaviour setting this to 'off'.
  8364. #       Note: after changing this, Squid service must be restarted.
  8365. #Default:
  8366. # windows_ipaddrchangemonitor on
  8367.  
  8368. #  TAG: max_filedescriptors
  8369. #       The maximum number of filedescriptors supported.
  8370. #
  8371. #       The default "0" means Squid inherits the current ulimit setting.
  8372. #
  8373. #       Note: Changing this requires a restart of Squid. Also
  8374. #       not all comm loops supports large values.
  8375. #Default:
  8376. # max_filedescriptors 0
clone this paste RAW Paste Data