Guest User

Untitled

a guest
Sep 27th, 2019
548
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. # WELCOME TO SQUID 4.6
  2. # ----------------------------
  3. #
  4. # This is the documentation for the Squid configuration file.
  5. # This documentation can also be found online at:
  6. # http://www.squid-cache.org/Doc/config/
  7. #
  8. # You may wish to look at the Squid home page and wiki for the
  9. # FAQ and other documentation:
  10. # http://www.squid-cache.org/
  11. # http://wiki.squid-cache.org/SquidFaq
  12. # http://wiki.squid-cache.org/ConfigExamples
  13. #
  14. # This documentation shows what the defaults for various directives
  15. # happen to be. If you don't need to change the default, you should
  16. # leave the line out of your squid.conf in most cases.
  17. #
  18. # In some cases "none" refers to no default setting at all,
  19. # while in other cases it refers to the value of the option
  20. # - the comments for that keyword indicate if this is the case.
  21. #
  22.  
  23. # Configuration options can be included using the "include" directive.
  24. # Include takes a list of files to include. Quoting and wildcards are
  25. # supported.
  26. #
  27. # For example,
  28. #
  29. # include /path/to/included/file/squid.acl.config
  30. #
  31. # Includes can be nested up to a hard-coded depth of 16 levels.
  32. # This arbitrary restriction is to prevent recursive include references
  33. # from causing Squid entering an infinite loop whilst trying to load
  34. # configuration files.
  35. #
  36. # Values with byte units
  37. #
  38. # Squid accepts size units on some size related directives. All
  39. # such directives are documented with a default value displaying
  40. # a unit.
  41. #
  42. # Units accepted by Squid are:
  43. # bytes - byte
  44. # KB - Kilobyte (1024 bytes)
  45. # MB - Megabyte
  46. # GB - Gigabyte
  47. #
  48. # Values with spaces, quotes, and other special characters
  49. #
  50. # Squid supports directive parameters with spaces, quotes, and other
  51. # special characters. Surround such parameters with "double quotes". Use
  52. # the configuration_includes_quoted_values directive to enable or
  53. # disable that support.
  54. #
  55. # Squid supports reading configuration option parameters from external
  56. # files using the syntax:
  57. # parameters("/path/filename")
  58. # For example:
  59. # acl whitelist dstdomain parameters("/etc/squid/whitelist.txt")
  60. #
  61. # Conditional configuration
  62. #
  63. # If-statements can be used to make configuration directives
  64. # depend on conditions:
  65. #
  66. # if <CONDITION>
  67. # ... regular configuration directives ...
  68. # [else
  69. # ... regular configuration directives ...]
  70. # endif
  71. #
  72. # The else part is optional. The keywords "if", "else", and "endif"
  73. # must be typed on their own lines, as if they were regular
  74. # configuration directives.
  75. #
  76. # NOTE: An else-if condition is not supported.
  77. #
  78. # These individual conditions types are supported:
  79. #
  80. # true
  81. # Always evaluates to true.
  82. # false
  83. # Always evaluates to false.
  84. # <integer> = <integer>
  85. # Equality comparison of two integer numbers.
  86. #
  87. #
  88. # SMP-Related Macros
  89. #
  90. # The following SMP-related preprocessor macros can be used.
  91. #
  92. # ${process_name} expands to the current Squid process "name"
  93. # (e.g., squid1, squid2, or cache1).
  94. #
  95. # ${process_number} expands to the current Squid process
  96. # identifier, which is an integer number (e.g., 1, 2, 3) unique
  97. # across all Squid processes of the current service instance.
  98. #
  99. # ${service_name} expands into the current Squid service instance
  100. # name identifier which is provided by -n on the command line.
  101. #
  102. # Logformat Macros
  103. #
  104. # Logformat macros can be used in many places outside of the logformat
  105. # directive. In theory, all of the logformat codes can be used as %macros,
  106. # where they are supported. In practice, a %macro expands as a dash (-) when
  107. # the transaction does not yet have enough information and a value is needed.
  108. #
  109. # There is no definitive list of what tokens are available at the various
  110. # stages of the transaction.
  111. #
  112. # And some information may already be available to Squid but not yet
  113. # committed where the macro expansion code can access it (report
  114. # such instances!). The macro will be expanded into a single dash
  115. # ('-') in such cases. Not all macros have been tested.
  116. #
  117.  
  118. # TAG: broken_vary_encoding
  119. # This option is not yet supported by Squid-3.
  120. #Default:
  121. # none
  122.  
  123. # TAG: cache_vary
  124. # This option is not yet supported by Squid-3.
  125. #Default:
  126. # none
  127.  
  128. # TAG: error_map
  129. # This option is not yet supported by Squid-3.
  130. #Default:
  131. # none
  132.  
  133. # TAG: external_refresh_check
  134. # This option is not yet supported by Squid-3.
  135. #Default:
  136. # none
  137.  
  138. # TAG: location_rewrite_program
  139. # This option is not yet supported by Squid-3.
  140. #Default:
  141. # none
  142.  
  143. # TAG: refresh_stale_hit
  144. # This option is not yet supported by Squid-3.
  145. #Default:
  146. # none
  147.  
  148. # TAG: cache_peer_domain
  149. # Replace with dstdomain ACLs and cache_peer_access.
  150. #Default:
  151. # none
  152.  
  153. # TAG: ie_refresh
  154. # Remove this line. The behaviour enabled by this is no longer needed.
  155. #Default:
  156. # none
  157.  
  158. # TAG: sslproxy_cafile
  159. # Remove this line. Use tls_outgoing_options cafile= instead.
  160. #Default:
  161. # none
  162.  
  163. # TAG: sslproxy_capath
  164. # Remove this line. Use tls_outgoing_options capath= instead.
  165. #Default:
  166. # none
  167.  
  168. # TAG: sslproxy_cipher
  169. # Remove this line. Use tls_outgoing_options cipher= instead.
  170. #Default:
  171. # none
  172.  
  173. # TAG: sslproxy_client_certificate
  174. # Remove this line. Use tls_outgoing_options cert= instead.
  175. #Default:
  176. # none
  177.  
  178. # TAG: sslproxy_client_key
  179. # Remove this line. Use tls_outgoing_options key= instead.
  180. #Default:
  181. # none
  182.  
  183. # TAG: sslproxy_flags
  184. # Remove this line. Use tls_outgoing_options flags= instead.
  185. #Default:
  186. # none
  187.  
  188. # TAG: sslproxy_options
  189. # Remove this line. Use tls_outgoing_options options= instead.
  190. #Default:
  191. # none
  192.  
  193. # TAG: sslproxy_version
  194. # Remove this line. Use tls_outgoing_options options= instead.
  195. #Default:
  196. # none
  197.  
  198. # TAG: hierarchy_stoplist
  199. # Remove this line. Use always_direct or cache_peer_access ACLs instead if you need to prevent cache_peer use.
  200. #Default:
  201. # none
  202.  
  203. # TAG: log_access
  204. # Remove this line. Use acls with access_log directives to control access logging
  205. #Default:
  206. # none
  207.  
  208. # TAG: log_icap
  209. # Remove this line. Use acls with icap_log directives to control icap logging
  210. #Default:
  211. # none
  212.  
  213. # TAG: ignore_ims_on_miss
  214. # Remove this line. The HTTP/1.1 feature is now configured by 'cache_miss_revalidate'.
  215. #Default:
  216. # none
  217.  
  218. # TAG: balance_on_multiple_ip
  219. # Remove this line. Squid performs a 'Happy Eyeballs' algorithm, this multiple-IP algorithm is not longer relevant.
  220. #Default:
  221. # none
  222.  
  223. # TAG: chunked_request_body_max_size
  224. # Remove this line. Squid is now HTTP/1.1 compliant.
  225. #Default:
  226. # none
  227.  
  228. # TAG: dns_v4_fallback
  229. # Remove this line. Squid performs a 'Happy Eyeballs' algorithm, the 'fallback' algorithm is no longer relevant.
  230. #Default:
  231. # none
  232.  
  233. # TAG: emulate_httpd_log
  234. # Replace this with an access_log directive using the format 'common' or 'combined'.
  235. #Default:
  236. # none
  237.  
  238. # TAG: forward_log
  239. # Use a regular access.log with ACL limiting it to MISS events.
  240. #Default:
  241. # none
  242.  
  243. # TAG: ftp_list_width
  244. # Remove this line. Configure FTP page display using the CSS controls in errorpages.css instead.
  245. #Default:
  246. # none
  247.  
  248. # TAG: ignore_expect_100
  249. # Remove this line. The HTTP/1.1 feature is now fully supported by default.
  250. #Default:
  251. # none
  252.  
  253. # TAG: log_fqdn
  254. # Remove this option from your config. To log FQDN use %>A in the log format.
  255. #Default:
  256. # none
  257.  
  258. # TAG: log_ip_on_direct
  259. # Remove this option from your config. To log server or peer names use %<A in the log format.
  260. #Default:
  261. # none
  262.  
  263. # TAG: maximum_single_addr_tries
  264. # Replaced by connect_retries. The behaviour has changed, please read the documentation before altering.
  265. #Default:
  266. # none
  267.  
  268. # TAG: referer_log
  269. # Replace this with an access_log directive using the format 'referrer'.
  270. #Default:
  271. # none
  272.  
  273. # TAG: update_headers
  274. # Remove this line. The feature is supported by default in storage types where update is implemented.
  275. #Default:
  276. # none
  277.  
  278. # TAG: url_rewrite_concurrency
  279. # Remove this line. Set the 'concurrency=' option of url_rewrite_children instead.
  280. #Default:
  281. # none
  282.  
  283. # TAG: useragent_log
  284. # Replace this with an access_log directive using the format 'useragent'.
  285. #Default:
  286. # none
  287.  
  288. # TAG: dns_testnames
  289. # Remove this line. DNS is no longer tested on startup.
  290. #Default:
  291. # none
  292.  
  293. # TAG: extension_methods
  294. # Remove this line. All valid methods for HTTP are accepted by default.
  295. #Default:
  296. # none
  297.  
  298. # TAG: zero_buffers
  299. #Default:
  300. # none
  301.  
  302. # TAG: incoming_rate
  303. #Default:
  304. # none
  305.  
  306. # TAG: server_http11
  307. # Remove this line. HTTP/1.1 is supported by default.
  308. #Default:
  309. # none
  310.  
  311. # TAG: upgrade_http0.9
  312. # Remove this line. ICY/1.0 streaming protocol is supported by default.
  313. #Default:
  314. # none
  315.  
  316. # TAG: zph_local
  317. # Alter these entries. Use the qos_flows directive instead.
  318. #Default:
  319. # none
  320.  
  321. # TAG: header_access
  322. # Since squid-3.0 replace with request_header_access or reply_header_access
  323. # depending on whether you wish to match client requests or server replies.
  324. #Default:
  325. # none
  326.  
  327. # TAG: httpd_accel_no_pmtu_disc
  328. # Since squid-3.0 use the 'disable-pmtu-discovery' flag on http_port instead.
  329. #Default:
  330. # none
  331.  
  332. # TAG: wais_relay_host
  333. # Replace this line with 'cache_peer' configuration.
  334. #Default:
  335. # none
  336.  
  337. # TAG: wais_relay_port
  338. # Replace this line with 'cache_peer' configuration.
  339. #Default:
  340. # none
  341.  
  342. # OPTIONS FOR SMP
  343. # -----------------------------------------------------------------------------
  344.  
  345. # TAG: workers
  346. # Number of main Squid processes or "workers" to fork and maintain.
  347. # 0: "no daemon" mode, like running "squid -N ..."
  348. # 1: "no SMP" mode, start one main Squid process daemon (default)
  349. # N: start N main Squid process daemons (i.e., SMP mode)
  350. #
  351. # In SMP mode, each worker does nearly all what a single Squid daemon
  352. # does (e.g., listen on http_port and forward HTTP requests).
  353. #Default:
  354. # SMP support disabled.
  355.  
  356. # TAG: cpu_affinity_map
  357. # Usage: cpu_affinity_map process_numbers=P1,P2,... cores=C1,C2,...
  358. #
  359. # Sets 1:1 mapping between Squid processes and CPU cores. For example,
  360. #
  361. # cpu_affinity_map process_numbers=1,2,3,4 cores=1,3,5,7
  362. #
  363. # affects processes 1 through 4 only and places them on the first
  364. # four even cores, starting with core #1.
  365. #
  366. # CPU cores are numbered starting from 1. Requires support for
  367. # sched_getaffinity(2) and sched_setaffinity(2) system calls.
  368. #
  369. # Multiple cpu_affinity_map options are merged.
  370. #
  371. # See also: workers
  372. #Default:
  373. # Let operating system decide.
  374.  
  375. # TAG: shared_memory_locking on|off
  376. # Whether to ensure that all required shared memory is available by
  377. # "locking" that shared memory into RAM when Squid starts. The
  378. # alternative is faster startup time followed by slightly slower
  379. # performance and, if not enough RAM is actually available during
  380. # runtime, mysterious crashes.
  381. #
  382. # SMP Squid uses many shared memory segments. These segments are
  383. # brought into Squid memory space using an mmap(2) system call. During
  384. # Squid startup, the mmap() call often succeeds regardless of whether
  385. # the system has enough RAM. In general, Squid cannot tell whether the
  386. # kernel applies this "optimistic" memory allocation policy (but
  387. # popular modern kernels usually use it).
  388. #
  389. # Later, if Squid attempts to actually access the mapped memory
  390. # regions beyond what the kernel is willing to allocate, the
  391. # "optimistic" kernel simply kills Squid kid with a SIGBUS signal.
  392. # Some of the memory limits enforced by the kernel are currently
  393. # poorly understood: We do not know how to detect and check them. This
  394. # option ensures that the mapped memory will be available.
  395. #
  396. # This option may have a positive performance side-effect: Locking
  397. # memory at start avoids runtime paging I/O. Paging slows Squid down.
  398. #
  399. # Locking memory may require a large enough RLIMIT_MEMLOCK OS limit,
  400. # CAP_IPC_LOCK capability, or equivalent.
  401. #Default:
  402. # shared_memory_locking off
  403.  
  404. # TAG: hopeless_kid_revival_delay time-units
  405. # Normally, when a kid process dies, Squid immediately restarts the
  406. # kid. A kid experiencing frequent deaths is marked as "hopeless" for
  407. # the duration specified by this directive. Hopeless kids are not
  408. # automatically restarted.
  409. #
  410. # Currently, zero values are not supported because they result in
  411. # misconfigured SMP Squid instances running forever, endlessly
  412. # restarting each dying kid. To effectively disable hopeless kids
  413. # revival, set the delay to a huge value (e.g., 1 year).
  414. #
  415. # Reconfiguration also clears all hopeless kids designations, allowing
  416. # for manual revival of hopeless kids.
  417. #Default:
  418. # hopeless_kid_revival_delay 1 hour
  419.  
  420. # OPTIONS FOR AUTHENTICATION
  421. # -----------------------------------------------------------------------------
  422.  
  423. # TAG: auth_param
  424. # This is used to define parameters for the various authentication
  425. # schemes supported by Squid.
  426. #
  427. # format: auth_param scheme parameter [setting]
  428. #
  429. # The order in which authentication schemes are presented to the client is
  430. # dependent on the order the scheme first appears in config file. IE
  431. # has a bug (it's not RFC 2617 compliant) in that it will use the basic
  432. # scheme if basic is the first entry presented, even if more secure
  433. # schemes are presented. For now use the order in the recommended
  434. # settings section below. If other browsers have difficulties (don't
  435. # recognize the schemes offered even if you are using basic) either
  436. # put basic first, or disable the other schemes (by commenting out their
  437. # program entry).
  438. #
  439. # Once an authentication scheme is fully configured, it can only be
  440. # shutdown by shutting squid down and restarting. Changes can be made on
  441. # the fly and activated with a reconfigure. I.E. You can change to a
  442. # different helper, but not unconfigure the helper completely.
  443. #
  444. # Please note that while this directive defines how Squid processes
  445. # authentication it does not automatically activate authentication.
  446. # To use authentication you must in addition make use of ACLs based
  447. # on login name in http_access (proxy_auth, proxy_auth_regex or
  448. # external with %LOGIN used in the format tag). The browser will be
  449. # challenged for authentication on the first such acl encountered
  450. # in http_access processing and will also be re-challenged for new
  451. # login credentials if the request is being denied by a proxy_auth
  452. # type acl.
  453. #
  454. # WARNING: authentication can't be used in a transparently intercepting
  455. # proxy as the client then thinks it is talking to an origin server and
  456. # not the proxy. This is a limitation of bending the TCP/IP protocol to
  457. # transparently intercepting port 80, not a limitation in Squid.
  458. # Ports flagged 'transparent', 'intercept', or 'tproxy' have
  459. # authentication disabled.
  460. #
  461. # === Parameters common to all schemes. ===
  462. #
  463. # "program" cmdline
  464. # Specifies the command for the external authenticator.
  465. #
  466. # By default, each authentication scheme is not used unless a
  467. # program is specified.
  468. #
  469. # See http://wiki.squid-cache.org/Features/AddonHelpers for
  470. # more details on helper operations and creating your own.
  471. #
  472. # "key_extras" format
  473. # Specifies a string to be append to request line format for
  474. # the authentication helper. "Quoted" format values may contain
  475. # spaces and logformat %macros. In theory, any logformat %macro
  476. # can be used. In practice, a %macro expands as a dash (-) if
  477. # the helper request is sent before the required macro
  478. # information is available to Squid.
  479. #
  480. # By default, Squid uses request formats provided in
  481. # scheme-specific examples below (search for %credentials).
  482. #
  483. # The expanded key_extras value is added to the Squid credentials
  484. # cache and, hence, will affect authentication. It can be used to
  485. # autenticate different users with identical user names (e.g.,
  486. # when user authentication depends on http_port).
  487. #
  488. # Avoid adding frequently changing information to key_extras. For
  489. # example, if you add user source IP, and it changes frequently
  490. # in your environment, then max_user_ip ACL is going to treat
  491. # every user+IP combination as a unique "user", breaking the ACL
  492. # and wasting a lot of memory on those user records. It will also
  493. # force users to authenticate from scratch whenever their IP
  494. # changes.
  495. #
  496. # "realm" string
  497. # Specifies the protection scope (aka realm name) which is to be
  498. # reported to the client for the authentication scheme. It is
  499. # commonly part of the text the user will see when prompted for
  500. # their username and password.
  501. #
  502. # For Basic the default is "Squid proxy-caching web server".
  503. # For Digest there is no default, this parameter is mandatory.
  504. # For NTLM and Negotiate this parameter is ignored.
  505. #
  506. # "children" numberofchildren [startup=N] [idle=N] [concurrency=N]
  507. # [queue-size=N] [on-persistent-overload=action]
  508. #
  509. # The maximum number of authenticator processes to spawn. If
  510. # you start too few Squid will have to wait for them to process
  511. # a backlog of credential verifications, slowing it down. When
  512. # password verifications are done via a (slow) network you are
  513. # likely to need lots of authenticator processes.
  514. #
  515. # The startup= and idle= options permit some skew in the exact
  516. # amount run. A minimum of startup=N will begin during startup
  517. # and reconfigure. Squid will start more in groups of up to
  518. # idle=N in an attempt to meet traffic needs and to keep idle=N
  519. # free above those traffic needs up to the maximum.
  520. #
  521. # The concurrency= option sets the number of concurrent requests
  522. # the helper can process. The default of 0 is used for helpers
  523. # who only supports one request at a time. Setting this to a
  524. # number greater than 0 changes the protocol used to include a
  525. # channel ID field first on the request/response line, allowing
  526. # multiple requests to be sent to the same helper in parallel
  527. # without waiting for the response.
  528. #
  529. # Concurrency must not be set unless it's known the helper
  530. # supports the input format with channel-ID fields.
  531. #
  532. # The queue-size option sets the maximum number of queued
  533. # requests. A request is queued when no existing child can
  534. # accept it due to concurrency limit and no new child can be
  535. # started due to numberofchildren limit. The default maximum is
  536. # 2*numberofchildren. Squid is allowed to temporarily exceed the
  537. # configured maximum, marking the affected helper as
  538. # "overloaded". If the helper overload lasts more than 3
  539. # minutes, the action prescribed by the on-persistent-overload
  540. # option applies.
  541. #
  542. # The on-persistent-overload=action option specifies Squid
  543. # reaction to a new helper request arriving when the helper
  544. # has been overloaded for more that 3 minutes already. The number
  545. # of queued requests determines whether the helper is overloaded
  546. # (see the queue-size option).
  547. #
  548. # Two actions are supported:
  549. #
  550. # die Squid worker quits. This is the default behavior.
  551. #
  552. # ERR Squid treats the helper request as if it was
  553. # immediately submitted, and the helper immediately
  554. # replied with an ERR response. This action has no effect
  555. # on the already queued and in-progress helper requests.
  556. #
  557. # NOTE: NTLM and Negotiate schemes do not support concurrency
  558. # in the Squid code module even though some helpers can.
  559. #
  560. #
  561. #
  562. # === Example Configuration ===
  563. #
  564. # This configuration displays the recommended authentication scheme
  565. # order from most to least secure with recommended minimum configuration
  566. # settings for each scheme:
  567. #
  568. ##auth_param negotiate program <uncomment and complete this line to activate>
  569. ##auth_param negotiate children 20 startup=0 idle=1
  570. ##auth_param negotiate keep_alive on
  571. ##
  572. ##auth_param digest program <uncomment and complete this line to activate>
  573. ##auth_param digest children 20 startup=0 idle=1
  574. ##auth_param digest realm Squid proxy-caching web server
  575. ##auth_param digest nonce_garbage_interval 5 minutes
  576. ##auth_param digest nonce_max_duration 30 minutes
  577. ##auth_param digest nonce_max_count 50
  578. ##
  579. ##auth_param ntlm program <uncomment and complete this line to activate>
  580. ##auth_param ntlm children 20 startup=0 idle=1
  581. ##auth_param ntlm keep_alive on
  582. ##
  583. ##auth_param basic program <uncomment and complete this line>
  584. ##auth_param basic children 5 startup=5 idle=1
  585. ##auth_param basic realm Squid proxy-caching web server
  586. ##auth_param basic credentialsttl 2 hours
  587. #Default:
  588. # none
  589.  
  590. # TAG: authenticate_cache_garbage_interval
  591. # The time period between garbage collection across the username cache.
  592. # This is a trade-off between memory utilization (long intervals - say
  593. # 2 days) and CPU (short intervals - say 1 minute). Only change if you
  594. # have good reason to.
  595. #Default:
  596. # authenticate_cache_garbage_interval 1 hour
  597.  
  598. # TAG: authenticate_ttl
  599. # The time a user & their credentials stay in the logged in
  600. # user cache since their last request. When the garbage
  601. # interval passes, all user credentials that have passed their
  602. # TTL are removed from memory.
  603. #Default:
  604. # authenticate_ttl 1 hour
  605.  
  606. # TAG: authenticate_ip_ttl
  607. # If you use proxy authentication and the 'max_user_ip' ACL,
  608. # this directive controls how long Squid remembers the IP
  609. # addresses associated with each user. Use a small value
  610. # (e.g., 60 seconds) if your users might change addresses
  611. # quickly, as is the case with dialup. You might be safe
  612. # using a larger value (e.g., 2 hours) in a corporate LAN
  613. # environment with relatively static address assignments.
  614. #Default:
  615. # authenticate_ip_ttl 1 second
  616.  
  617. # ACCESS CONTROLS
  618. # -----------------------------------------------------------------------------
  619.  
  620. # TAG: external_acl_type
  621. # This option defines external acl classes using a helper program
  622. # to look up the status
  623. #
  624. # external_acl_type name [options] FORMAT /path/to/helper [helper arguments]
  625. #
  626. # Options:
  627. #
  628. # ttl=n TTL in seconds for cached results (defaults to 3600
  629. # for 1 hour)
  630. #
  631. # negative_ttl=n
  632. # TTL for cached negative lookups (default same
  633. # as ttl)
  634. #
  635. # grace=n Percentage remaining of TTL where a refresh of a
  636. # cached entry should be initiated without needing to
  637. # wait for a new reply. (default is for no grace period)
  638. #
  639. # cache=n The maximum number of entries in the result cache. The
  640. # default limit is 262144 entries. Each cache entry usually
  641. # consumes at least 256 bytes. Squid currently does not remove
  642. # expired cache entries until the limit is reached, so a proxy
  643. # will sooner or later reach the limit. The expanded FORMAT
  644. # value is used as the cache key, so if the details in FORMAT
  645. # are highly variable, a larger cache may be needed to produce
  646. # reduction in helper load.
  647. #
  648. # children-max=n
  649. # Maximum number of acl helper processes spawned to service
  650. # external acl lookups of this type. (default 5)
  651. #
  652. # children-startup=n
  653. # Minimum number of acl helper processes to spawn during
  654. # startup and reconfigure to service external acl lookups
  655. # of this type. (default 0)
  656. #
  657. # children-idle=n
  658. # Number of acl helper processes to keep ahead of traffic
  659. # loads. Squid will spawn this many at once whenever load
  660. # rises above the capabilities of existing processes.
  661. # Up to the value of children-max. (default 1)
  662. #
  663. # concurrency=n concurrency level per process. Only used with helpers
  664. # capable of processing more than one query at a time.
  665. #
  666. # queue-size=N The queue-size option sets the maximum number of
  667. # queued requests. A request is queued when no existing
  668. # helper can accept it due to concurrency limit and no
  669. # new helper can be started due to children-max limit.
  670. # If the queued requests exceed queue size, the acl is
  671. # ignored. The default value is set to 2*children-max.
  672. #
  673. # protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers.
  674. #
  675. # ipv4 / ipv6 IP protocol used to communicate with this helper.
  676. # The default is to auto-detect IPv6 and use it when available.
  677. #
  678. #
  679. # FORMAT is a series of %macro codes. See logformat directive for a full list
  680. # of the accepted codes. Although note that at the time of any external ACL
  681. # being tested data may not be available and thus some %macro expand to '-'.
  682. #
  683. # In addition to the logformat codes; when processing external ACLs these
  684. # additional macros are made available:
  685. #
  686. # %ACL The name of the ACL being tested.
  687. #
  688. # %DATA The ACL arguments specified in the referencing config
  689. # 'acl ... external' line, separated by spaces (an
  690. # "argument string"). see acl external.
  691. #
  692. # If there are no ACL arguments %DATA expands to '-'.
  693. #
  694. # If you do not specify a DATA macro inside FORMAT,
  695. # Squid automatically appends %DATA to your FORMAT.
  696. # Note that Squid-3.x may expand %DATA to whitespace
  697. # or nothing in this case.
  698. #
  699. # By default, Squid applies URL-encoding to each ACL
  700. # argument inside the argument string. If an explicit
  701. # encoding modifier is used (e.g., %#DATA), then Squid
  702. # encodes the whole argument string as a single token
  703. # (e.g., with %#DATA, spaces between arguments become
  704. # %20).
  705. #
  706. # If SSL is enabled, the following formating codes become available:
  707. #
  708. # %USER_CERT SSL User certificate in PEM format
  709. # %USER_CERTCHAIN SSL User certificate chain in PEM format
  710. # %USER_CERT_xx SSL User certificate subject attribute xx
  711. # %USER_CA_CERT_xx SSL User certificate issuer attribute xx
  712. #
  713. #
  714. # NOTE: all other format codes accepted by older Squid versions
  715. # are deprecated.
  716. #
  717. #
  718. # General request syntax:
  719. #
  720. # [channel-ID] FORMAT-values
  721. #
  722. #
  723. # FORMAT-values consists of transaction details expanded with
  724. # whitespace separation per the config file FORMAT specification
  725. # using the FORMAT macros listed above.
  726. #
  727. # Request values sent to the helper are URL escaped to protect
  728. # each value in requests against whitespaces.
  729. #
  730. # If using protocol=2.5 then the request sent to the helper is not
  731. # URL escaped to protect against whitespace.
  732. #
  733. # NOTE: protocol=3.0 is deprecated as no longer necessary.
  734. #
  735. # When using the concurrency= option the protocol is changed by
  736. # introducing a query channel tag in front of the request/response.
  737. # The query channel tag is a number between 0 and concurrency-1.
  738. # This value must be echoed back unchanged to Squid as the first part
  739. # of the response relating to its request.
  740. #
  741. #
  742. # The helper receives lines expanded per the above format specification
  743. # and for each input line returns 1 line starting with OK/ERR/BH result
  744. # code and optionally followed by additional keywords with more details.
  745. #
  746. #
  747. # General result syntax:
  748. #
  749. # [channel-ID] result keyword=value ...
  750. #
  751. # Result consists of one of the codes:
  752. #
  753. # OK
  754. # the ACL test produced a match.
  755. #
  756. # ERR
  757. # the ACL test does not produce a match.
  758. #
  759. # BH
  760. # An internal error occurred in the helper, preventing
  761. # a result being identified.
  762. #
  763. # The meaning of 'a match' is determined by your squid.conf
  764. # access control configuration. See the Squid wiki for details.
  765. #
  766. # Defined keywords:
  767. #
  768. # user= The users name (login)
  769. #
  770. # password= The users password (for login= cache_peer option)
  771. #
  772. # message= Message describing the reason for this response.
  773. # Available as %o in error pages.
  774. # Useful on (ERR and BH results).
  775. #
  776. # tag= Apply a tag to a request. Only sets a tag once,
  777. # does not alter existing tags.
  778. #
  779. # log= String to be logged in access.log. Available as
  780. # %ea in logformat specifications.
  781. #
  782. # clt_conn_tag= Associates a TAG with the client TCP connection.
  783. # Please see url_rewrite_program related documentation
  784. # for this kv-pair.
  785. #
  786. # Any keywords may be sent on any response whether OK, ERR or BH.
  787. #
  788. # All response keyword values need to be a single token with URL
  789. # escaping, or enclosed in double quotes (") and escaped using \ on
  790. # any double quotes or \ characters within the value. The wrapping
  791. # double quotes are removed before the value is interpreted by Squid.
  792. # \r and \n are also replace by CR and LF.
  793. #
  794. # Some example key values:
  795. #
  796. # user=John%20Smith
  797. # user="John Smith"
  798. # user="J. \"Bob\" Smith"
  799. #Default:
  800. # none
  801.  
  802. # TAG: acl
  803. # Defining an Access List
  804. #
  805. # Every access list definition must begin with an aclname and acltype,
  806. # followed by either type-specific arguments or a quoted filename that
  807. # they are read from.
  808. #
  809. # acl aclname acltype argument ...
  810. # acl aclname acltype "file" ...
  811. #
  812. # When using "file", the file should contain one item per line.
  813. #
  814. #
  815. # ACL Options
  816. #
  817. # Some acl types supports options which changes their default behaviour:
  818. #
  819. # -i,+i By default, regular expressions are CASE-SENSITIVE. To make them
  820. # case-insensitive, use the -i option. To return case-sensitive
  821. # use the +i option between patterns, or make a new ACL line
  822. # without -i.
  823. #
  824. # -n Disable lookups and address type conversions. If lookup or
  825. # conversion is required because the parameter type (IP or
  826. # domain name) does not match the message address type (domain
  827. # name or IP), then the ACL would immediately declare a mismatch
  828. # without any warnings or lookups.
  829. #
  830. # -m[=delimiters]
  831. # Perform a list membership test, interpreting values as
  832. # comma-separated token lists and matching against individual
  833. # tokens instead of whole values.
  834. # The optional "delimiters" parameter specifies one or more
  835. # alternative non-alphanumeric delimiter characters.
  836. # non-alphanumeric delimiter characters.
  837. #
  838. # -- Used to stop processing all options, in the case the first acl
  839. # value has '-' character as first character (for example the '-'
  840. # is a valid domain name)
  841. #
  842. # Some acl types require suspending the current request in order
  843. # to access some external data source.
  844. # Those which do are marked with the tag [slow], those which
  845. # don't are marked as [fast].
  846. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl
  847. # for further information
  848. #
  849. # ***** ACL TYPES AVAILABLE *****
  850. #
  851. # acl aclname src ip-address/mask ... # clients IP address [fast]
  852. # acl aclname src addr1-addr2/mask ... # range of addresses [fast]
  853. # acl aclname dst [-n] ip-address/mask ... # URL host's IP address [slow]
  854. # acl aclname localip ip-address/mask ... # IP address the client connected to [fast]
  855. #
  856. #if USE_SQUID_EUI
  857. # acl aclname arp mac-address ...
  858. # acl aclname eui64 eui64-address ...
  859. # # [fast]
  860. # # MAC (EUI-48) and EUI-64 addresses use xx:xx:xx:xx:xx:xx notation.
  861. # #
  862. # # The 'arp' ACL code is not portable to all operating systems.
  863. # # It works on Linux, Solaris, Windows, FreeBSD, and some other
  864. # # BSD variants.
  865. # #
  866. # # The eui_lookup directive is required to be 'on' (the default)
  867. # # and Squid built with --enable-eui for MAC/EUI addresses to be
  868. # # available for this ACL.
  869. # #
  870. # # Squid can only determine the MAC/EUI address for IPv4
  871. # # clients that are on the same subnet. If the client is on a
  872. # # different subnet, then Squid cannot find out its address.
  873. # #
  874. # # IPv6 protocol does not contain ARP. MAC/EUI is either
  875. # # encoded directly in the IPv6 address or not available.
  876. #endif
  877. # acl aclname clientside_mark mark[/mask] ...
  878. # # matches CONNMARK of an accepted connection [fast]
  879. # #
  880. # # mark and mask are unsigned integers (hex, octal, or decimal).
  881. # # If multiple marks are given, then the ACL matches if at least
  882. # # one mark matches.
  883. # #
  884. # # Uses netfilter-conntrack library.
  885. # # Requires building Squid with --enable-linux-netfilter.
  886. # #
  887. # # The client, various intermediaries, and Squid itself may set
  888. # # CONNMARK at various times. The last CONNMARK set wins. This ACL
  889. # # checks the mark present on an accepted connection or set by
  890. # # Squid afterwards, depending on the ACL check timing. This ACL
  891. # # effectively ignores any mark set by other agents after Squid has
  892. # # accepted the connection.
  893. #
  894. # acl aclname srcdomain .foo.com ...
  895. # # reverse lookup, from client IP [slow]
  896. # acl aclname dstdomain [-n] .foo.com ...
  897. # # Destination server from URL [fast]
  898. # acl aclname srcdom_regex [-i] \.foo\.com ...
  899. # # regex matching client name [slow]
  900. # acl aclname dstdom_regex [-n] [-i] \.foo\.com ...
  901. # # regex matching server [fast]
  902. # #
  903. # # For dstdomain and dstdom_regex a reverse lookup is tried if a IP
  904. # # based URL is used and no match is found. The name "none" is used
  905. # # if the reverse lookup fails.
  906. #
  907. # acl aclname src_as number ...
  908. # acl aclname dst_as number ...
  909. # # [fast]
  910. # # Except for access control, AS numbers can be used for
  911. # # routing of requests to specific caches. Here's an
  912. # # example for routing all requests for AS#1241 and only
  913. # # those to mycache.mydomain.net:
  914. # # acl asexample dst_as 1241
  915. # # cache_peer_access mycache.mydomain.net allow asexample
  916. # # cache_peer_access mycache_mydomain.net deny all
  917. #
  918. # acl aclname peername myPeer ...
  919. # acl aclname peername_regex [-i] regex-pattern ...
  920. # # [fast]
  921. # # match against a named cache_peer entry
  922. # # set unique name= on cache_peer lines for reliable use.
  923. #
  924. # acl aclname time [day-abbrevs] [h1:m1-h2:m2]
  925. # # [fast]
  926. # # day-abbrevs:
  927. # # S - Sunday
  928. # # M - Monday
  929. # # T - Tuesday
  930. # # W - Wednesday
  931. # # H - Thursday
  932. # # F - Friday
  933. # # A - Saturday
  934. # # h1:m1 must be less than h2:m2
  935. #
  936. # acl aclname url_regex [-i] ^http:// ...
  937. # # regex matching on whole URL [fast]
  938. # acl aclname urllogin [-i] [^a-zA-Z0-9] ...
  939. # # regex matching on URL login field
  940. # acl aclname urlpath_regex [-i] \.gif$ ...
  941. # # regex matching on URL path [fast]
  942. #
  943. # acl aclname port 80 70 21 0-1024... # destination TCP port [fast]
  944. # # ranges are alloed
  945. # acl aclname localport 3128 ... # TCP port the client connected to [fast]
  946. # # NP: for interception mode this is usually '80'
  947. #
  948. # acl aclname myportname 3128 ... # *_port name [fast]
  949. #
  950. # acl aclname proto HTTP FTP ... # request protocol [fast]
  951. #
  952. # acl aclname method GET POST ... # HTTP request method [fast]
  953. #
  954. # acl aclname http_status 200 301 500- 400-403 ...
  955. # # status code in reply [fast]
  956. #
  957. # acl aclname browser [-i] regexp ...
  958. # # pattern match on User-Agent header (see also req_header below) [fast]
  959. #
  960. # acl aclname referer_regex [-i] regexp ...
  961. # # pattern match on Referer header [fast]
  962. # # Referer is highly unreliable, so use with care
  963. #
  964. # acl aclname ident [-i] username ...
  965. # acl aclname ident_regex [-i] pattern ...
  966. # # string match on ident output [slow]
  967. # # use REQUIRED to accept any non-null ident.
  968. #
  969. # acl aclname proxy_auth [-i] username ...
  970. # acl aclname proxy_auth_regex [-i] pattern ...
  971. # # perform http authentication challenge to the client and match against
  972. # # supplied credentials [slow]
  973. # #
  974. # # takes a list of allowed usernames.
  975. # # use REQUIRED to accept any valid username.
  976. # #
  977. # # Will use proxy authentication in forward-proxy scenarios, and plain
  978. # # http authenticaiton in reverse-proxy scenarios
  979. # #
  980. # # NOTE: when a Proxy-Authentication header is sent but it is not
  981. # # needed during ACL checking the username is NOT logged
  982. # # in access.log.
  983. # #
  984. # # NOTE: proxy_auth requires a EXTERNAL authentication program
  985. # # to check username/password combinations (see
  986. # # auth_param directive).
  987. # #
  988. # # NOTE: proxy_auth can't be used in a transparent/intercepting proxy
  989. # # as the browser needs to be configured for using a proxy in order
  990. # # to respond to proxy authentication.
  991. #
  992. # acl aclname snmp_community string ...
  993. # # A community string to limit access to your SNMP Agent [fast]
  994. # # Example:
  995. # #
  996. # # acl snmppublic snmp_community public
  997. #
  998. # acl aclname maxconn number
  999. # # This will be matched when the client's IP address has
  1000. # # more than <number> TCP connections established. [fast]
  1001. # # NOTE: This only measures direct TCP links so X-Forwarded-For
  1002. # # indirect clients are not counted.
  1003. #
  1004. # acl aclname max_user_ip [-s] number
  1005. # # This will be matched when the user attempts to log in from more
  1006. # # than <number> different ip addresses. The authenticate_ip_ttl
  1007. # # parameter controls the timeout on the ip entries. [fast]
  1008. # # If -s is specified the limit is strict, denying browsing
  1009. # # from any further IP addresses until the ttl has expired. Without
  1010. # # -s Squid will just annoy the user by "randomly" denying requests.
  1011. # # (the counter is reset each time the limit is reached and a
  1012. # # request is denied)
  1013. # # NOTE: in acceleration mode or where there is mesh of child proxies,
  1014. # # clients may appear to come from multiple addresses if they are
  1015. # # going through proxy farms, so a limit of 1 may cause user problems.
  1016. #
  1017. # acl aclname random probability
  1018. # # Pseudo-randomly match requests. Based on the probability given.
  1019. # # Probability may be written as a decimal (0.333), fraction (1/3)
  1020. # # or ratio of matches:non-matches (3:5).
  1021. #
  1022. # acl aclname req_mime_type [-i] mime-type ...
  1023. # # regex match against the mime type of the request generated
  1024. # # by the client. Can be used to detect file upload or some
  1025. # # types HTTP tunneling requests [fast]
  1026. # # NOTE: This does NOT match the reply. You cannot use this
  1027. # # to match the returned file type.
  1028. #
  1029. # acl aclname req_header header-name [-i] any\.regex\.here
  1030. # # regex match against any of the known request headers. May be
  1031. # # thought of as a superset of "browser", "referer" and "mime-type"
  1032. # # ACL [fast]
  1033. #
  1034. # acl aclname rep_mime_type [-i] mime-type ...
  1035. # # regex match against the mime type of the reply received by
  1036. # # squid. Can be used to detect file download or some
  1037. # # types HTTP tunneling requests. [fast]
  1038. # # NOTE: This has no effect in http_access rules. It only has
  1039. # # effect in rules that affect the reply data stream such as
  1040. # # http_reply_access.
  1041. #
  1042. # acl aclname rep_header header-name [-i] any\.regex\.here
  1043. # # regex match against any of the known reply headers. May be
  1044. # # thought of as a superset of "browser", "referer" and "mime-type"
  1045. # # ACLs [fast]
  1046. #
  1047. # acl aclname external class_name [arguments...]
  1048. # # external ACL lookup via a helper class defined by the
  1049. # # external_acl_type directive [slow]
  1050. #
  1051. # acl aclname user_cert attribute values...
  1052. # # match against attributes in a user SSL certificate
  1053. # # attribute is one of DN/C/O/CN/L/ST or a numerical OID [fast]
  1054. #
  1055. # acl aclname ca_cert attribute values...
  1056. # # match against attributes a users issuing CA SSL certificate
  1057. # # attribute is one of DN/C/O/CN/L/ST or a numerical OID [fast]
  1058. #
  1059. # acl aclname ext_user [-i] username ...
  1060. # acl aclname ext_user_regex [-i] pattern ...
  1061. # # string match on username returned by external acl helper [slow]
  1062. # # use REQUIRED to accept any non-null user name.
  1063. #
  1064. # acl aclname tag tagvalue ...
  1065. # # string match on tag returned by external acl helper [fast]
  1066. # # DEPRECATED. Only the first tag will match with this ACL.
  1067. # # Use the 'note' ACL instead for handling multiple tag values.
  1068. #
  1069. # acl aclname hier_code codename ...
  1070. # # string match against squid hierarchy code(s); [fast]
  1071. # # e.g., DIRECT, PARENT_HIT, NONE, etc.
  1072. # #
  1073. # # NOTE: This has no effect in http_access rules. It only has
  1074. # # effect in rules that affect the reply data stream such as
  1075. # # http_reply_access.
  1076. #
  1077. # acl aclname note [-m[=delimiters]] name [value ...]
  1078. # # match transaction annotation [fast]
  1079. # # Without values, matches any annotation with a given name.
  1080. # # With value(s), matches any annotation with a given name that
  1081. # # also has one of the given values.
  1082. # # If the -m flag is used, then the value of the named
  1083. # # annotation is interpreted as a list of tokens, and the ACL
  1084. # # matches individual name=token pairs rather than whole
  1085. # # name=value pairs. See "ACL Options" above for more info.
  1086. # # Annotation sources include note and adaptation_meta directives
  1087. # # as well as helper and eCAP responses.
  1088. #
  1089. # acl aclname adaptation_service service ...
  1090. # # Matches the name of any icap_service, ecap_service,
  1091. # # adaptation_service_set, or adaptation_service_chain that Squid
  1092. # # has used (or attempted to use) for the master transaction.
  1093. # # This ACL must be defined after the corresponding adaptation
  1094. # # service is named in squid.conf. This ACL is usable with
  1095. # # adaptation_meta because it starts matching immediately after
  1096. # # the service has been selected for adaptation.
  1097. #
  1098. # acl aclname transaction_initiator initiator ...
  1099. # # Matches transaction's initiator [fast]
  1100. # #
  1101. # # Supported initiators are:
  1102. # # esi: matches transactions fetching ESI resources
  1103. # # certificate-fetching: matches transactions fetching
  1104. # # a missing intermediate TLS certificate
  1105. # # cache-digest: matches transactions fetching Cache Digests
  1106. # # from a cache_peer
  1107. # # htcp: matches HTCP requests from peers
  1108. # # icp: matches ICP requests to peers
  1109. # # icmp: matches ICMP RTT database (NetDB) requests to peers
  1110. # # asn: matches asns db requests
  1111. # # internal: matches any of the above
  1112. # # client: matches transactions containing an HTTP or FTP
  1113. # # client request received at a Squid *_port
  1114. # # all: matches any transaction, including internal transactions
  1115. # # without a configurable initiator and hopefully rare
  1116. # # transactions without a known-to-Squid initiator
  1117. # #
  1118. # # Multiple initiators are ORed.
  1119. #
  1120. # acl aclname has component
  1121. # # matches a transaction "component" [fast]
  1122. # #
  1123. # # Supported transaction components are:
  1124. # # request: transaction has a request header (at least)
  1125. # # response: transaction has a response header (at least)
  1126. # # ALE: transaction has an internally-generated Access Log Entry
  1127. # # structure; bugs notwithstanding, all transaction have it
  1128. # #
  1129. # # For example, the following configuration helps when dealing with HTTP
  1130. # # clients that close connections without sending a request header:
  1131. # #
  1132. # # acl hasRequest has request
  1133. # # acl logMe note important_transaction
  1134. # # # avoid "logMe ACL is used in context without an HTTP request" warnings
  1135. # # access_log ... logformat=detailed hasRequest logMe
  1136. # # # log request-less transactions, instead of ignoring them
  1137. # # access_log ... logformat=brief !hasRequest
  1138. # #
  1139. # # Multiple components are not supported for one "acl" rule, but
  1140. # # can be specified (and are ORed) using multiple same-name rules:
  1141. # #
  1142. # # # OK, this strange logging daemon needs request or response,
  1143. # # # but can work without either a request or a response:
  1144. # # acl hasWhatMyLoggingDaemonNeeds has request
  1145. # # acl hasWhatMyLoggingDaemonNeeds has response
  1146. #
  1147. # acl aclname any-of acl1 acl2 ...
  1148. # # match any one of the acls [fast or slow]
  1149. # # The first matching ACL stops further ACL evaluation.
  1150. # #
  1151. # # ACLs from multiple any-of lines with the same name are ORed.
  1152. # # For example, A = (a1 or a2) or (a3 or a4) can be written as
  1153. # # acl A any-of a1 a2
  1154. # # acl A any-of a3 a4
  1155. # #
  1156. # # This group ACL is fast if all evaluated ACLs in the group are fast
  1157. # # and slow otherwise.
  1158. #
  1159. # acl aclname all-of acl1 acl2 ...
  1160. # # match all of the acls [fast or slow]
  1161. # # The first mismatching ACL stops further ACL evaluation.
  1162. # #
  1163. # # ACLs from multiple all-of lines with the same name are ORed.
  1164. # # For example, B = (b1 and b2) or (b3 and b4) can be written as
  1165. # # acl B all-of b1 b2
  1166. # # acl B all-of b3 b4
  1167. # #
  1168. # # This group ACL is fast if all evaluated ACLs in the group are fast
  1169. # # and slow otherwise.
  1170. #
  1171. # Examples:
  1172. # acl macaddress arp 09:00:2b:23:45:67
  1173. # acl myexample dst_as 1241
  1174. # acl password proxy_auth REQUIRED
  1175. # acl fileupload req_mime_type -i ^multipart/form-data$
  1176. # acl javascript rep_mime_type -i ^application/x-javascript$
  1177. #
  1178. #Default:
  1179. # ACLs all, manager, localhost, and to_localhost are predefined.
  1180. #
  1181. #
  1182. # Recommended minimum configuration:
  1183. #
  1184.  
  1185. # Example rule allowing access from your local networks.
  1186. # Adapt to list your (internal) IP networks from where browsing
  1187. # should be allowed
  1188. acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
  1189. acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN)
  1190. acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN)
  1191. acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines
  1192. acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN)
  1193. acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN)
  1194. acl localnet src fc00::/7 # RFC 4193 local private network range
  1195. acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
  1196.  
  1197. acl SSL_ports port 443
  1198. acl Safe_ports port 80 # http
  1199. acl Safe_ports port 21 # ftp
  1200. acl Safe_ports port 443 # https
  1201. acl Safe_ports port 70 # gopher
  1202. acl Safe_ports port 210 # wais
  1203. acl Safe_ports port 1025-65535 # unregistered ports
  1204. acl Safe_ports port 280 # http-mgmt
  1205. acl Safe_ports port 488 # gss-http
  1206. acl Safe_ports port 591 # filemaker
  1207. acl Safe_ports port 777 # multiling http
  1208. acl CONNECT method CONNECT
  1209.  
  1210. # TAG: proxy_protocol_access
  1211. # Determine which client proxies can be trusted to provide correct
  1212. # information regarding real client IP address using PROXY protocol.
  1213. #
  1214. # Requests may pass through a chain of several other proxies
  1215. # before reaching us. The original source details may by sent in:
  1216. # * HTTP message Forwarded header, or
  1217. # * HTTP message X-Forwarded-For header, or
  1218. # * PROXY protocol connection header.
  1219. #
  1220. # This directive is solely for validating new PROXY protocol
  1221. # connections received from a port flagged with require-proxy-header.
  1222. # It is checked only once after TCP connection setup.
  1223. #
  1224. # A deny match results in TCP connection closure.
  1225. #
  1226. # An allow match is required for Squid to permit the corresponding
  1227. # TCP connection, before Squid even looks for HTTP request headers.
  1228. # If there is an allow match, Squid starts using PROXY header information
  1229. # to determine the source address of the connection for all future ACL
  1230. # checks, logging, etc.
  1231. #
  1232. # SECURITY CONSIDERATIONS:
  1233. #
  1234. # Any host from which we accept client IP details can place
  1235. # incorrect information in the relevant header, and Squid
  1236. # will use the incorrect information as if it were the
  1237. # source address of the request. This may enable remote
  1238. # hosts to bypass any access control restrictions that are
  1239. # based on the client's source addresses.
  1240. #
  1241. # This clause only supports fast acl types.
  1242. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  1243. #Default:
  1244. # all TCP connections to ports with require-proxy-header will be denied
  1245.  
  1246. # TAG: follow_x_forwarded_for
  1247. # Determine which client proxies can be trusted to provide correct
  1248. # information regarding real client IP address.
  1249. #
  1250. # Requests may pass through a chain of several other proxies
  1251. # before reaching us. The original source details may by sent in:
  1252. # * HTTP message Forwarded header, or
  1253. # * HTTP message X-Forwarded-For header, or
  1254. # * PROXY protocol connection header.
  1255. #
  1256. # PROXY protocol connections are controlled by the proxy_protocol_access
  1257. # directive which is checked before this.
  1258. #
  1259. # If a request reaches us from a source that is allowed by this
  1260. # directive, then we trust the information it provides regarding
  1261. # the IP of the client it received from (if any).
  1262. #
  1263. # For the purpose of ACLs used in this directive the src ACL type always
  1264. # matches the address we are testing and srcdomain matches its rDNS.
  1265. #
  1266. # On each HTTP request Squid checks for X-Forwarded-For header fields.
  1267. # If found the header values are iterated in reverse order and an allow
  1268. # match is required for Squid to continue on to the next value.
  1269. # The verification ends when a value receives a deny match, cannot be
  1270. # tested, or there are no more values to test.
  1271. # NOTE: Squid does not yet follow the Forwarded HTTP header.
  1272. #
  1273. # The end result of this process is an IP address that we will
  1274. # refer to as the indirect client address. This address may
  1275. # be treated as the client address for access control, ICAP, delay
  1276. # pools and logging, depending on the acl_uses_indirect_client,
  1277. # icap_uses_indirect_client, delay_pool_uses_indirect_client,
  1278. # log_uses_indirect_client and tproxy_uses_indirect_client options.
  1279. #
  1280. # This clause only supports fast acl types.
  1281. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  1282. #
  1283. # SECURITY CONSIDERATIONS:
  1284. #
  1285. # Any host from which we accept client IP details can place
  1286. # incorrect information in the relevant header, and Squid
  1287. # will use the incorrect information as if it were the
  1288. # source address of the request. This may enable remote
  1289. # hosts to bypass any access control restrictions that are
  1290. # based on the client's source addresses.
  1291. #
  1292. # For example:
  1293. #
  1294. # acl localhost src 127.0.0.1
  1295. # acl my_other_proxy srcdomain .proxy.example.com
  1296. # follow_x_forwarded_for allow localhost
  1297. # follow_x_forwarded_for allow my_other_proxy
  1298. #Default:
  1299. # X-Forwarded-For header will be ignored.
  1300.  
  1301. # TAG: acl_uses_indirect_client on|off
  1302. # Controls whether the indirect client address
  1303. # (see follow_x_forwarded_for) is used instead of the
  1304. # direct client address in acl matching.
  1305. #
  1306. # NOTE: maxconn ACL considers direct TCP links and indirect
  1307. # clients will always have zero. So no match.
  1308. #Default:
  1309. # acl_uses_indirect_client on
  1310.  
  1311. # TAG: delay_pool_uses_indirect_client on|off
  1312. # Controls whether the indirect client address
  1313. # (see follow_x_forwarded_for) is used instead of the
  1314. # direct client address in delay pools.
  1315. #Default:
  1316. # delay_pool_uses_indirect_client on
  1317.  
  1318. # TAG: log_uses_indirect_client on|off
  1319. # Controls whether the indirect client address
  1320. # (see follow_x_forwarded_for) is used instead of the
  1321. # direct client address in the access log.
  1322. #Default:
  1323. # log_uses_indirect_client on
  1324.  
  1325. # TAG: tproxy_uses_indirect_client on|off
  1326. # Controls whether the indirect client address
  1327. # (see follow_x_forwarded_for) is used instead of the
  1328. # direct client address when spoofing the outgoing client.
  1329. #
  1330. # This has no effect on requests arriving in non-tproxy
  1331. # mode ports.
  1332. #
  1333. # SECURITY WARNING: Usage of this option is dangerous
  1334. # and should not be used trivially. Correct configuration
  1335. # of follow_x_forwarded_for with a limited set of trusted
  1336. # sources is required to prevent abuse of your proxy.
  1337. #Default:
  1338. # tproxy_uses_indirect_client off
  1339.  
  1340. # TAG: spoof_client_ip
  1341. # Control client IP address spoofing of TPROXY traffic based on
  1342. # defined access lists.
  1343. #
  1344. # spoof_client_ip allow|deny [!]aclname ...
  1345. #
  1346. # If there are no "spoof_client_ip" lines present, the default
  1347. # is to "allow" spoofing of any suitable request.
  1348. #
  1349. # Note that the cache_peer "no-tproxy" option overrides this ACL.
  1350. #
  1351. # This clause supports fast acl types.
  1352. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  1353. #Default:
  1354. # Allow spoofing on all TPROXY traffic.
  1355.  
  1356. # TAG: http_access
  1357. # Allowing or Denying access based on defined access lists
  1358. #
  1359. # To allow or deny a message received on an HTTP, HTTPS, or FTP port:
  1360. # http_access allow|deny [!]aclname ...
  1361. #
  1362. # NOTE on default values:
  1363. #
  1364. # If there are no "access" lines present, the default is to deny
  1365. # the request.
  1366. #
  1367. # If none of the "access" lines cause a match, the default is the
  1368. # opposite of the last line in the list. If the last line was
  1369. # deny, the default is allow. Conversely, if the last line
  1370. # is allow, the default will be deny. For these reasons, it is a
  1371. # good idea to have an "deny all" entry at the end of your access
  1372. # lists to avoid potential confusion.
  1373. #
  1374. # This clause supports both fast and slow acl types.
  1375. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  1376. #
  1377. #Default:
  1378. # Deny, unless rules exist in squid.conf.
  1379. #
  1380.  
  1381. #
  1382. # Recommended minimum Access Permission configuration:
  1383. #
  1384. # Deny requests to certain unsafe ports
  1385. http_access deny !Safe_ports
  1386.  
  1387. # Deny CONNECT to other than secure SSL ports
  1388. http_access deny CONNECT !SSL_ports
  1389.  
  1390. # Only allow cachemgr access from localhost
  1391. http_access allow localhost manager
  1392. http_access deny manager
  1393.  
  1394. # We strongly recommend the following be uncommented to protect innocent
  1395. # web applications running on the proxy server who think the only
  1396. # one who can access services on "localhost" is a local user
  1397. #http_access deny to_localhost
  1398.  
  1399. #
  1400. # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
  1401. #
  1402. include /etc/squid/conf.d/*
  1403.  
  1404. # Example rule allowing access from your local networks.
  1405. # Adapt localnet in the ACL section to list your (internal) IP networks
  1406. # from where browsing should be allowed
  1407. #http_access allow localnet
  1408. http_access allow localhost
  1409.  
  1410. # And finally deny all other access to this proxy
  1411. http_access deny all
  1412.  
  1413. # TAG: adapted_http_access
  1414. # Allowing or Denying access based on defined access lists
  1415. #
  1416. # Essentially identical to http_access, but runs after redirectors
  1417. # and ICAP/eCAP adaptation. Allowing access control based on their
  1418. # output.
  1419. #
  1420. # If not set then only http_access is used.
  1421. #Default:
  1422. # Allow, unless rules exist in squid.conf.
  1423.  
  1424. # TAG: http_reply_access
  1425. # Allow replies to client requests. This is complementary to http_access.
  1426. #
  1427. # http_reply_access allow|deny [!] aclname ...
  1428. #
  1429. # NOTE: if there are no access lines present, the default is to allow
  1430. # all replies.
  1431. #
  1432. # If none of the access lines cause a match the opposite of the
  1433. # last line will apply. Thus it is good practice to end the rules
  1434. # with an "allow all" or "deny all" entry.
  1435. #
  1436. # This clause supports both fast and slow acl types.
  1437. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  1438. #Default:
  1439. # Allow, unless rules exist in squid.conf.
  1440.  
  1441. # TAG: icp_access
  1442. # Allowing or Denying access to the ICP port based on defined
  1443. # access lists
  1444. #
  1445. # icp_access allow|deny [!]aclname ...
  1446. #
  1447. # NOTE: The default if no icp_access lines are present is to
  1448. # deny all traffic. This default may cause problems with peers
  1449. # using ICP.
  1450. #
  1451. # This clause only supports fast acl types.
  1452. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  1453. #
  1454. ## Allow ICP queries from local networks only
  1455. ##icp_access allow localnet
  1456. ##icp_access deny all
  1457. #Default:
  1458. # Deny, unless rules exist in squid.conf.
  1459.  
  1460. # TAG: htcp_access
  1461. # Allowing or Denying access to the HTCP port based on defined
  1462. # access lists
  1463. #
  1464. # htcp_access allow|deny [!]aclname ...
  1465. #
  1466. # See also htcp_clr_access for details on access control for
  1467. # cache purge (CLR) HTCP messages.
  1468. #
  1469. # NOTE: The default if no htcp_access lines are present is to
  1470. # deny all traffic. This default may cause problems with peers
  1471. # using the htcp option.
  1472. #
  1473. # This clause only supports fast acl types.
  1474. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  1475. #
  1476. ## Allow HTCP queries from local networks only
  1477. ##htcp_access allow localnet
  1478. ##htcp_access deny all
  1479. #Default:
  1480. # Deny, unless rules exist in squid.conf.
  1481.  
  1482. # TAG: htcp_clr_access
  1483. # Allowing or Denying access to purge content using HTCP based
  1484. # on defined access lists.
  1485. # See htcp_access for details on general HTCP access control.
  1486. #
  1487. # htcp_clr_access allow|deny [!]aclname ...
  1488. #
  1489. # This clause only supports fast acl types.
  1490. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  1491. #
  1492. ## Allow HTCP CLR requests from trusted peers
  1493. #acl htcp_clr_peer src 192.0.2.2 2001:DB8::2
  1494. #htcp_clr_access allow htcp_clr_peer
  1495. #htcp_clr_access deny all
  1496. #Default:
  1497. # Deny, unless rules exist in squid.conf.
  1498.  
  1499. # TAG: miss_access
  1500. # Determines whether network access is permitted when satisfying a request.
  1501. #
  1502. # For example;
  1503. # to force your neighbors to use you as a sibling instead of
  1504. # a parent.
  1505. #
  1506. # acl localclients src 192.0.2.0/24 2001:DB8::a:0/64
  1507. # miss_access deny !localclients
  1508. # miss_access allow all
  1509. #
  1510. # This means only your local clients are allowed to fetch relayed/MISS
  1511. # replies from the network and all other clients can only fetch cached
  1512. # objects (HITs).
  1513. #
  1514. # The default for this setting allows all clients who passed the
  1515. # http_access rules to relay via this proxy.
  1516. #
  1517. # This clause only supports fast acl types.
  1518. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  1519. #Default:
  1520. # Allow, unless rules exist in squid.conf.
  1521.  
  1522. # TAG: ident_lookup_access
  1523. # A list of ACL elements which, if matched, cause an ident
  1524. # (RFC 931) lookup to be performed for this request. For
  1525. # example, you might choose to always perform ident lookups
  1526. # for your main multi-user Unix boxes, but not for your Macs
  1527. # and PCs. By default, ident lookups are not performed for
  1528. # any requests.
  1529. #
  1530. # To enable ident lookups for specific client addresses, you
  1531. # can follow this example:
  1532. #
  1533. # acl ident_aware_hosts src 198.168.1.0/24
  1534. # ident_lookup_access allow ident_aware_hosts
  1535. # ident_lookup_access deny all
  1536. #
  1537. # Only src type ACL checks are fully supported. A srcdomain
  1538. # ACL might work at times, but it will not always provide
  1539. # the correct result.
  1540. #
  1541. # This clause only supports fast acl types.
  1542. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  1543. #Default:
  1544. # Unless rules exist in squid.conf, IDENT is not fetched.
  1545.  
  1546. # TAG: reply_body_max_size size [acl acl...]
  1547. # This option specifies the maximum size of a reply body. It can be
  1548. # used to prevent users from downloading very large files, such as
  1549. # MP3's and movies. When the reply headers are received, the
  1550. # reply_body_max_size lines are processed, and the first line where
  1551. # all (if any) listed ACLs are true is used as the maximum body size
  1552. # for this reply.
  1553. #
  1554. # This size is checked twice. First when we get the reply headers,
  1555. # we check the content-length value. If the content length value exists
  1556. # and is larger than the allowed size, the request is denied and the
  1557. # user receives an error message that says "the request or reply
  1558. # is too large." If there is no content-length, and the reply
  1559. # size exceeds this limit, the client's connection is just closed
  1560. # and they will receive a partial reply.
  1561. #
  1562. # WARNING: downstream caches probably can not detect a partial reply
  1563. # if there is no content-length header, so they will cache
  1564. # partial responses and give them out as hits. You should NOT
  1565. # use this option if you have downstream caches.
  1566. #
  1567. # WARNING: A maximum size smaller than the size of squid's error messages
  1568. # will cause an infinite loop and crash squid. Ensure that the smallest
  1569. # non-zero value you use is greater that the maximum header size plus
  1570. # the size of your largest error page.
  1571. #
  1572. # If you set this parameter none (the default), there will be
  1573. # no limit imposed.
  1574. #
  1575. # Configuration Format is:
  1576. # reply_body_max_size SIZE UNITS [acl ...]
  1577. # ie.
  1578. # reply_body_max_size 10 MB
  1579. #
  1580. #Default:
  1581. # No limit is applied.
  1582.  
  1583. # TAG: on_unsupported_protocol
  1584. # Determines Squid behavior when encountering strange requests at the
  1585. # beginning of an accepted TCP connection or the beginning of a bumped
  1586. # CONNECT tunnel. Controlling Squid reaction to unexpected traffic is
  1587. # especially useful in interception environments where Squid is likely
  1588. # to see connections for unsupported protocols that Squid should either
  1589. # terminate or tunnel at TCP level.
  1590. #
  1591. # on_unsupported_protocol <action> [!]acl ...
  1592. #
  1593. # The first matching action wins. Only fast ACLs are supported.
  1594. #
  1595. # Supported actions are:
  1596. #
  1597. # tunnel: Establish a TCP connection with the intended server and
  1598. # blindly shovel TCP packets between the client and server.
  1599. #
  1600. # respond: Respond with an error message, using the transfer protocol
  1601. # for the Squid port that received the request (e.g., HTTP
  1602. # for connections intercepted at the http_port). This is the
  1603. # default.
  1604. #
  1605. # Squid expects the following traffic patterns:
  1606. #
  1607. # http_port: a plain HTTP request
  1608. # https_port: SSL/TLS handshake followed by an [encrypted] HTTP request
  1609. # ftp_port: a plain FTP command (no on_unsupported_protocol support yet!)
  1610. # CONNECT tunnel on http_port: same as https_port
  1611. # CONNECT tunnel on https_port: same as https_port
  1612. #
  1613. # Currently, this directive has effect on intercepted connections and
  1614. # bumped tunnels only. Other cases are not supported because Squid
  1615. # cannot know the intended destination of other traffic.
  1616. #
  1617. # For example:
  1618. # # define what Squid errors indicate receiving non-HTTP traffic:
  1619. # acl foreignProtocol squid_error ERR_PROTOCOL_UNKNOWN ERR_TOO_BIG
  1620. # # define what Squid errors indicate receiving nothing:
  1621. # acl serverTalksFirstProtocol squid_error ERR_REQUEST_START_TIMEOUT
  1622. # # tunnel everything that does not look like HTTP:
  1623. # on_unsupported_protocol tunnel foreignProtocol
  1624. # # tunnel if we think the client waits for the server to talk first:
  1625. # on_unsupported_protocol tunnel serverTalksFirstProtocol
  1626. # # in all other error cases, just send an HTTP "error page" response:
  1627. # on_unsupported_protocol respond all
  1628. #
  1629. # See also: squid_error ACL
  1630. #Default:
  1631. # Respond with an error message to unidentifiable traffic
  1632.  
  1633. # NETWORK OPTIONS
  1634. # -----------------------------------------------------------------------------
  1635.  
  1636. # TAG: http_port
  1637. # Usage: port [mode] [options]
  1638. # hostname:port [mode] [options]
  1639. # 1.2.3.4:port [mode] [options]
  1640. #
  1641. # The socket addresses where Squid will listen for HTTP client
  1642. # requests. You may specify multiple socket addresses.
  1643. # There are three forms: port alone, hostname with port, and
  1644. # IP address with port. If you specify a hostname or IP
  1645. # address, Squid binds the socket to that specific
  1646. # address. Most likely, you do not need to bind to a specific
  1647. # address, so you can use the port number alone.
  1648. #
  1649. # If you are running Squid in accelerator mode, you
  1650. # probably want to listen on port 80 also, or instead.
  1651. #
  1652. # The -a command line option may be used to specify additional
  1653. # port(s) where Squid listens for proxy request. Such ports will
  1654. # be plain proxy ports with no options.
  1655. #
  1656. # You may specify multiple socket addresses on multiple lines.
  1657. #
  1658. # Modes:
  1659. #
  1660. # intercept Support for IP-Layer NAT interception delivering
  1661. # traffic to this Squid port.
  1662. # NP: disables authentication on the port.
  1663. #
  1664. # tproxy Support Linux TPROXY (or BSD divert-to) with spoofing
  1665. # of outgoing connections using the client IP address.
  1666. # NP: disables authentication on the port.
  1667. #
  1668. # accel Accelerator / reverse proxy mode
  1669. #
  1670. # ssl-bump For each CONNECT request allowed by ssl_bump ACLs,
  1671. # establish secure connection with the client and with
  1672. # the server, decrypt HTTPS messages as they pass through
  1673. # Squid, and treat them as unencrypted HTTP messages,
  1674. # becoming the man-in-the-middle.
  1675. #
  1676. # The ssl_bump option is required to fully enable
  1677. # bumping of CONNECT requests.
  1678. #
  1679. # Omitting the mode flag causes default forward proxy mode to be used.
  1680. #
  1681. #
  1682. # Accelerator Mode Options:
  1683. #
  1684. # defaultsite=domainname
  1685. # What to use for the Host: header if it is not present
  1686. # in a request. Determines what site (not origin server)
  1687. # accelerators should consider the default.
  1688. #
  1689. # no-vhost Disable using HTTP/1.1 Host header for virtual domain support.
  1690. #
  1691. # protocol= Protocol to reconstruct accelerated and intercepted
  1692. # requests with. Defaults to HTTP/1.1 for http_port and
  1693. # HTTPS/1.1 for https_port.
  1694. # When an unsupported value is configured Squid will
  1695. # produce a FATAL error.
  1696. # Values: HTTP or HTTP/1.1, HTTPS or HTTPS/1.1
  1697. #
  1698. # vport Virtual host port support. Using the http_port number
  1699. # instead of the port passed on Host: headers.
  1700. #
  1701. # vport=NN Virtual host port support. Using the specified port
  1702. # number instead of the port passed on Host: headers.
  1703. #
  1704. # act-as-origin
  1705. # Act as if this Squid is the origin server.
  1706. # This currently means generate new Date: and Expires:
  1707. # headers on HIT instead of adding Age:.
  1708. #
  1709. # ignore-cc Ignore request Cache-Control headers.
  1710. #
  1711. # WARNING: This option violates HTTP specifications if
  1712. # used in non-accelerator setups.
  1713. #
  1714. # allow-direct Allow direct forwarding in accelerator mode. Normally
  1715. # accelerated requests are denied direct forwarding as if
  1716. # never_direct was used.
  1717. #
  1718. # WARNING: this option opens accelerator mode to security
  1719. # vulnerabilities usually only affecting in interception
  1720. # mode. Make sure to protect forwarding with suitable
  1721. # http_access rules when using this.
  1722. #
  1723. #
  1724. # SSL Bump Mode Options:
  1725. # In addition to these options ssl-bump requires TLS/SSL options.
  1726. #
  1727. # generate-host-certificates[=<on|off>]
  1728. # Dynamically create SSL server certificates for the
  1729. # destination hosts of bumped CONNECT requests.When
  1730. # enabled, the cert and key options are used to sign
  1731. # generated certificates. Otherwise generated
  1732. # certificate will be selfsigned.
  1733. # If there is a CA certificate lifetime of the generated
  1734. # certificate equals lifetime of the CA certificate. If
  1735. # generated certificate is selfsigned lifetime is three
  1736. # years.
  1737. # This option is enabled by default when ssl-bump is used.
  1738. # See the ssl-bump option above for more information.
  1739. #
  1740. # dynamic_cert_mem_cache_size=SIZE
  1741. # Approximate total RAM size spent on cached generated
  1742. # certificates. If set to zero, caching is disabled. The
  1743. # default value is 4MB.
  1744. #
  1745. # TLS / SSL Options:
  1746. #
  1747. # tls-cert= Path to file containing an X.509 certificate (PEM format)
  1748. # to be used in the TLS handshake ServerHello.
  1749. #
  1750. # If this certificate is constrained by KeyUsage TLS
  1751. # feature it must allow HTTP server usage, along with
  1752. # any additional restrictions imposed by your choice
  1753. # of options= settings.
  1754. #
  1755. # When OpenSSL is used this file may also contain a
  1756. # chain of intermediate CA certificates to send in the
  1757. # TLS handshake.
  1758. #
  1759. # When GnuTLS is used this option (and any paired
  1760. # tls-key= option) may be repeated to load multiple
  1761. # certificates for different domains.
  1762. #
  1763. # Also, when generate-host-certificates=on is configured
  1764. # the first tls-cert= option must be a CA certificate
  1765. # capable of signing the automatically generated
  1766. # certificates.
  1767. #
  1768. # tls-key= Path to a file containing private key file (PEM format)
  1769. # for the previous tls-cert= option.
  1770. #
  1771. # If tls-key= is not specified tls-cert= is assumed to
  1772. # reference a PEM file containing both the certificate
  1773. # and private key.
  1774. #
  1775. # cipher= Colon separated list of supported ciphers.
  1776. # NOTE: some ciphers such as EDH ciphers depend on
  1777. # additional settings. If those settings are
  1778. # omitted the ciphers may be silently ignored
  1779. # by the OpenSSL library.
  1780. #
  1781. # options= Various SSL implementation options. The most important
  1782. # being:
  1783. #
  1784. # NO_SSLv3 Disallow the use of SSLv3
  1785. #
  1786. # NO_TLSv1 Disallow the use of TLSv1.0
  1787. #
  1788. # NO_TLSv1_1 Disallow the use of TLSv1.1
  1789. #
  1790. # NO_TLSv1_2 Disallow the use of TLSv1.2
  1791. #
  1792. # SINGLE_DH_USE
  1793. # Always create a new key when using
  1794. # temporary/ephemeral DH key exchanges
  1795. #
  1796. # SINGLE_ECDH_USE
  1797. # Enable ephemeral ECDH key exchange.
  1798. # The adopted curve should be specified
  1799. # using the tls-dh option.
  1800. #
  1801. # NO_TICKET
  1802. # Disable use of RFC5077 session tickets.
  1803. # Some servers may have problems
  1804. # understanding the TLS extension due
  1805. # to ambiguous specification in RFC4507.
  1806. #
  1807. # ALL Enable various bug workarounds
  1808. # suggested as "harmless" by OpenSSL
  1809. # Be warned that this reduces SSL/TLS
  1810. # strength to some attacks.
  1811. #
  1812. # See the OpenSSL SSL_CTX_set_options documentation for a
  1813. # more complete list.
  1814. #
  1815. # clientca= File containing the list of CAs to use when
  1816. # requesting a client certificate.
  1817. #
  1818. # tls-cafile= PEM file containing CA certificates to use when verifying
  1819. # client certificates. If not configured clientca will be
  1820. # used. May be repeated to load multiple files.
  1821. #
  1822. # capath= Directory containing additional CA certificates
  1823. # and CRL lists to use when verifying client certificates.
  1824. # Requires OpenSSL or LibreSSL.
  1825. #
  1826. # crlfile= File of additional CRL lists to use when verifying
  1827. # the client certificate, in addition to CRLs stored in
  1828. # the capath. Implies VERIFY_CRL flag below.
  1829. #
  1830. # tls-dh=[curve:]file
  1831. # File containing DH parameters for temporary/ephemeral DH key
  1832. # exchanges, optionally prefixed by a curve for ephemeral ECDH
  1833. # key exchanges.
  1834. # See OpenSSL documentation for details on how to create the
  1835. # DH parameter file. Supported curves for ECDH can be listed
  1836. # using the "openssl ecparam -list_curves" command.
  1837. # WARNING: EDH and EECDH ciphers will be silently disabled if
  1838. # this option is not set.
  1839. #
  1840. # sslflags= Various flags modifying the use of SSL:
  1841. # DELAYED_AUTH
  1842. # Don't request client certificates
  1843. # immediately, but wait until acl processing
  1844. # requires a certificate (not yet implemented).
  1845. # NO_SESSION_REUSE
  1846. # Don't allow for session reuse. Each connection
  1847. # will result in a new SSL session.
  1848. # VERIFY_CRL
  1849. # Verify CRL lists when accepting client
  1850. # certificates.
  1851. # VERIFY_CRL_ALL
  1852. # Verify CRL lists for all certificates in the
  1853. # client certificate chain.
  1854. #
  1855. # tls-default-ca[=off]
  1856. # Whether to use the system Trusted CAs. Default is OFF.
  1857. #
  1858. # tls-no-npn Do not use the TLS NPN extension to advertise HTTP/1.1.
  1859. #
  1860. # sslcontext= SSL session ID context identifier.
  1861. #
  1862. # Other Options:
  1863. #
  1864. # connection-auth[=on|off]
  1865. # use connection-auth=off to tell Squid to prevent
  1866. # forwarding Microsoft connection oriented authentication
  1867. # (NTLM, Negotiate and Kerberos)
  1868. #
  1869. # disable-pmtu-discovery=
  1870. # Control Path-MTU discovery usage:
  1871. # off lets OS decide on what to do (default).
  1872. # transparent disable PMTU discovery when transparent
  1873. # support is enabled.
  1874. # always disable always PMTU discovery.
  1875. #
  1876. # In many setups of transparently intercepting proxies
  1877. # Path-MTU discovery can not work on traffic towards the
  1878. # clients. This is the case when the intercepting device
  1879. # does not fully track connections and fails to forward
  1880. # ICMP must fragment messages to the cache server. If you
  1881. # have such setup and experience that certain clients
  1882. # sporadically hang or never complete requests set
  1883. # disable-pmtu-discovery option to 'transparent'.
  1884. #
  1885. # name= Specifies a internal name for the port. Defaults to
  1886. # the port specification (port or addr:port)
  1887. #
  1888. # tcpkeepalive[=idle,interval,timeout]
  1889. # Enable TCP keepalive probes of idle connections.
  1890. # In seconds; idle is the initial time before TCP starts
  1891. # probing the connection, interval how often to probe, and
  1892. # timeout the time before giving up.
  1893. #
  1894. # require-proxy-header
  1895. # Require PROXY protocol version 1 or 2 connections.
  1896. # The proxy_protocol_access is required to whitelist
  1897. # downstream proxies which can be trusted.
  1898. #
  1899. # If you run Squid on a dual-homed machine with an internal
  1900. # and an external interface we recommend you to specify the
  1901. # internal address:port in http_port. This way Squid will only be
  1902. # visible on the internal address.
  1903. #
  1904. #
  1905.  
  1906. # Squid normally listens to port 3128
  1907. http_port 3128
  1908.  
  1909. # TAG: https_port
  1910. # Usage: [ip:]port [mode] tls-cert=certificate.pem [options]
  1911. #
  1912. # The socket address where Squid will listen for client requests made
  1913. # over TLS or SSL connections. Commonly referred to as HTTPS.
  1914. #
  1915. # This is most useful for situations where you are running squid in
  1916. # accelerator mode and you want to do the TLS work at the accelerator
  1917. # level.
  1918. #
  1919. # You may specify multiple socket addresses on multiple lines,
  1920. # each with their own certificate and/or options.
  1921. #
  1922. # The tls-cert= option is mandatory on HTTPS ports.
  1923. #
  1924. # See http_port for a list of modes and options.
  1925. #Default:
  1926. # none
  1927.  
  1928. # TAG: ftp_port
  1929. # Enables Native FTP proxy by specifying the socket address where Squid
  1930. # listens for FTP client requests. See http_port directive for various
  1931. # ways to specify the listening address and mode.
  1932. #
  1933. # Usage: ftp_port address [mode] [options]
  1934. #
  1935. # WARNING: This is a new, experimental, complex feature that has seen
  1936. # limited production exposure. Some Squid modules (e.g., caching) do not
  1937. # currently work with native FTP proxying, and many features have not
  1938. # even been tested for compatibility. Test well before deploying!
  1939. #
  1940. # Native FTP proxying differs substantially from proxying HTTP requests
  1941. # with ftp:// URIs because Squid works as an FTP server and receives
  1942. # actual FTP commands (rather than HTTP requests with FTP URLs).
  1943. #
  1944. # Native FTP commands accepted at ftp_port are internally converted or
  1945. # wrapped into HTTP-like messages. The same happens to Native FTP
  1946. # responses received from FTP origin servers. Those HTTP-like messages
  1947. # are shoveled through regular access control and adaptation layers
  1948. # between the FTP client and the FTP origin server. This allows Squid to
  1949. # examine, adapt, block, and log FTP exchanges. Squid reuses most HTTP
  1950. # mechanisms when shoveling wrapped FTP messages. For example,
  1951. # http_access and adaptation_access directives are used.
  1952. #
  1953. # Modes:
  1954. #
  1955. # intercept Same as http_port intercept. The FTP origin address is
  1956. # determined based on the intended destination of the
  1957. # intercepted connection.
  1958. #
  1959. # tproxy Support Linux TPROXY for spoofing outgoing
  1960. # connections using the client IP address.
  1961. # NP: disables authentication and maybe IPv6 on the port.
  1962. #
  1963. # By default (i.e., without an explicit mode option), Squid extracts the
  1964. # FTP origin address from the login@origin parameter of the FTP USER
  1965. # command. Many popular FTP clients support such native FTP proxying.
  1966. #
  1967. # Options:
  1968. #
  1969. # name=token Specifies an internal name for the port. Defaults to
  1970. # the port address. Usable with myportname ACL.
  1971. #
  1972. # ftp-track-dirs
  1973. # Enables tracking of FTP directories by injecting extra
  1974. # PWD commands and adjusting Request-URI (in wrapping
  1975. # HTTP requests) to reflect the current FTP server
  1976. # directory. Tracking is disabled by default.
  1977. #
  1978. # protocol=FTP Protocol to reconstruct accelerated and intercepted
  1979. # requests with. Defaults to FTP. No other accepted
  1980. # values have been tested with. An unsupported value
  1981. # results in a FATAL error. Accepted values are FTP,
  1982. # HTTP (or HTTP/1.1), and HTTPS (or HTTPS/1.1).
  1983. #
  1984. # Other http_port modes and options that are not specific to HTTP and
  1985. # HTTPS may also work.
  1986. #Default:
  1987. # none
  1988.  
  1989. # TAG: tcp_outgoing_tos
  1990. # Allows you to select a TOS/Diffserv value for packets outgoing
  1991. # on the server side, based on an ACL.
  1992. #
  1993. # tcp_outgoing_tos ds-field [!]aclname ...
  1994. #
  1995. # Example where normal_service_net uses the TOS value 0x00
  1996. # and good_service_net uses 0x20
  1997. #
  1998. # acl normal_service_net src 10.0.0.0/24
  1999. # acl good_service_net src 10.0.1.0/24
  2000. # tcp_outgoing_tos 0x00 normal_service_net
  2001. # tcp_outgoing_tos 0x20 good_service_net
  2002. #
  2003. # TOS/DSCP values really only have local significance - so you should
  2004. # know what you're specifying. For more information, see RFC2474,
  2005. # RFC2475, and RFC3260.
  2006. #
  2007. # The TOS/DSCP byte must be exactly that - a octet value 0 - 255, or
  2008. # "default" to use whatever default your host has.
  2009. # Note that only multiples of 4 are usable as the two rightmost bits have
  2010. # been redefined for use by ECN (RFC 3168 section 23.1).
  2011. # The squid parser will enforce this by masking away the ECN bits.
  2012. #
  2013. # Processing proceeds in the order specified, and stops at first fully
  2014. # matching line.
  2015. #
  2016. # Only fast ACLs are supported.
  2017. #Default:
  2018. # none
  2019.  
  2020. # TAG: clientside_tos
  2021. # Allows you to select a TOS/DSCP value for packets being transmitted
  2022. # on the client-side, based on an ACL.
  2023. #
  2024. # clientside_tos ds-field [!]aclname ...
  2025. #
  2026. # Example where normal_service_net uses the TOS value 0x00
  2027. # and good_service_net uses 0x20
  2028. #
  2029. # acl normal_service_net src 10.0.0.0/24
  2030. # acl good_service_net src 10.0.1.0/24
  2031. # clientside_tos 0x00 normal_service_net
  2032. # clientside_tos 0x20 good_service_net
  2033. #
  2034. # Note: This feature is incompatible with qos_flows. Any TOS values set here
  2035. # will be overwritten by TOS values in qos_flows.
  2036. #
  2037. # The TOS/DSCP byte must be exactly that - a octet value 0 - 255, or
  2038. # "default" to use whatever default your host has.
  2039. # Note that only multiples of 4 are usable as the two rightmost bits have
  2040. # been redefined for use by ECN (RFC 3168 section 23.1).
  2041. # The squid parser will enforce this by masking away the ECN bits.
  2042. #
  2043. # This clause only supports fast acl types.
  2044. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  2045. #Default:
  2046. # none
  2047.  
  2048. # TAG: tcp_outgoing_mark
  2049. # Note: This option is only available if Squid is rebuilt with the
  2050. # Packet MARK (Linux)
  2051. #
  2052. # Allows you to apply a Netfilter mark value to outgoing packets
  2053. # on the server side, based on an ACL.
  2054. #
  2055. # tcp_outgoing_mark mark-value [!]aclname ...
  2056. #
  2057. # Example where normal_service_net uses the mark value 0x00
  2058. # and good_service_net uses 0x20
  2059. #
  2060. # acl normal_service_net src 10.0.0.0/24
  2061. # acl good_service_net src 10.0.1.0/24
  2062. # tcp_outgoing_mark 0x00 normal_service_net
  2063. # tcp_outgoing_mark 0x20 good_service_net
  2064. #
  2065. # Only fast ACLs are supported.
  2066. #Default:
  2067. # none
  2068.  
  2069. # TAG: clientside_mark
  2070. # Note: This option is only available if Squid is rebuilt with the
  2071. # Packet MARK (Linux)
  2072. #
  2073. # Allows you to apply a Netfilter mark value to packets being transmitted
  2074. # on the client-side, based on an ACL.
  2075. #
  2076. # clientside_mark mark-value [!]aclname ...
  2077. #
  2078. # Example where normal_service_net uses the mark value 0x00
  2079. # and good_service_net uses 0x20
  2080. #
  2081. # acl normal_service_net src 10.0.0.0/24
  2082. # acl good_service_net src 10.0.1.0/24
  2083. # clientside_mark 0x00 normal_service_net
  2084. # clientside_mark 0x20 good_service_net
  2085. #
  2086. # Note: This feature is incompatible with qos_flows. Any mark values set here
  2087. # will be overwritten by mark values in qos_flows.
  2088. #
  2089. # This clause only supports fast acl types.
  2090. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  2091. #Default:
  2092. # none
  2093.  
  2094. # TAG: qos_flows
  2095. # Allows you to select a TOS/DSCP value to mark outgoing
  2096. # connections to the client, based on where the reply was sourced.
  2097. # For platforms using netfilter, allows you to set a netfilter mark
  2098. # value instead of, or in addition to, a TOS value.
  2099. #
  2100. # By default this functionality is disabled. To enable it with the default
  2101. # settings simply use "qos_flows mark" or "qos_flows tos". Default
  2102. # settings will result in the netfilter mark or TOS value being copied
  2103. # from the upstream connection to the client. Note that it is the connection
  2104. # CONNMARK value not the packet MARK value that is copied.
  2105. #
  2106. # It is not currently possible to copy the mark or TOS value from the
  2107. # client to the upstream connection request.
  2108. #
  2109. # TOS values really only have local significance - so you should
  2110. # know what you're specifying. For more information, see RFC2474,
  2111. # RFC2475, and RFC3260.
  2112. #
  2113. # The TOS/DSCP byte must be exactly that - a octet value 0 - 255.
  2114. # Note that only multiples of 4 are usable as the two rightmost bits have
  2115. # been redefined for use by ECN (RFC 3168 section 23.1).
  2116. # The squid parser will enforce this by masking away the ECN bits.
  2117. #
  2118. # Mark values can be any unsigned 32-bit integer value.
  2119. #
  2120. # This setting is configured by setting the following values:
  2121. #
  2122. # tos|mark Whether to set TOS or netfilter mark values
  2123. #
  2124. # local-hit=0xFF Value to mark local cache hits.
  2125. #
  2126. # sibling-hit=0xFF Value to mark hits from sibling peers.
  2127. #
  2128. # parent-hit=0xFF Value to mark hits from parent peers.
  2129. #
  2130. # miss=0xFF[/mask] Value to mark cache misses. Takes precedence
  2131. # over the preserve-miss feature (see below), unless
  2132. # mask is specified, in which case only the bits
  2133. # specified in the mask are written.
  2134. #
  2135. # The TOS variant of the following features are only possible on Linux
  2136. # and require your kernel to be patched with the TOS preserving ZPH
  2137. # patch, available from http://zph.bratcheda.org
  2138. # No patch is needed to preserve the netfilter mark, which will work
  2139. # with all variants of netfilter.
  2140. #
  2141. # disable-preserve-miss
  2142. # This option disables the preservation of the TOS or netfilter
  2143. # mark. By default, the existing TOS or netfilter mark value of
  2144. # the response coming from the remote server will be retained
  2145. # and masked with miss-mark.
  2146. # NOTE: in the case of a netfilter mark, the mark must be set on
  2147. # the connection (using the CONNMARK target) not on the packet
  2148. # (MARK target).
  2149. #
  2150. # miss-mask=0xFF
  2151. # Allows you to mask certain bits in the TOS or mark value
  2152. # received from the remote server, before copying the value to
  2153. # the TOS sent towards clients.
  2154. # Default for tos: 0xFF (TOS from server is not changed).
  2155. # Default for mark: 0xFFFFFFFF (mark from server is not changed).
  2156. #
  2157. # All of these features require the --enable-zph-qos compilation flag
  2158. # (enabled by default). Netfilter marking also requires the
  2159. # libnetfilter_conntrack libraries (--with-netfilter-conntrack) and
  2160. # libcap 2.09+ (--with-libcap).
  2161. #
  2162. #Default:
  2163. # none
  2164.  
  2165. # TAG: tcp_outgoing_address
  2166. # Allows you to map requests to different outgoing IP addresses
  2167. # based on the username or source address of the user making
  2168. # the request.
  2169. #
  2170. # tcp_outgoing_address ipaddr [[!]aclname] ...
  2171. #
  2172. # For example;
  2173. # Forwarding clients with dedicated IPs for certain subnets.
  2174. #
  2175. # acl normal_service_net src 10.0.0.0/24
  2176. # acl good_service_net src 10.0.2.0/24
  2177. #
  2178. # tcp_outgoing_address 2001:db8::c001 good_service_net
  2179. # tcp_outgoing_address 10.1.0.2 good_service_net
  2180. #
  2181. # tcp_outgoing_address 2001:db8::beef normal_service_net
  2182. # tcp_outgoing_address 10.1.0.1 normal_service_net
  2183. #
  2184. # tcp_outgoing_address 2001:db8::1
  2185. # tcp_outgoing_address 10.1.0.3
  2186. #
  2187. # Processing proceeds in the order specified, and stops at first fully
  2188. # matching line.
  2189. #
  2190. # Squid will add an implicit IP version test to each line.
  2191. # Requests going to IPv4 websites will use the outgoing 10.1.0.* addresses.
  2192. # Requests going to IPv6 websites will use the outgoing 2001:db8:* addresses.
  2193. #
  2194. #
  2195. # NOTE: The use of this directive using client dependent ACLs is
  2196. # incompatible with the use of server side persistent connections. To
  2197. # ensure correct results it is best to set server_persistent_connections
  2198. # to off when using this directive in such configurations.
  2199. #
  2200. # NOTE: The use of this directive to set a local IP on outgoing TCP links
  2201. # is incompatible with using TPROXY to set client IP out outbound TCP links.
  2202. # When needing to contact peers use the no-tproxy cache_peer option and the
  2203. # client_dst_passthru directive re-enable normal forwarding such as this.
  2204. #
  2205. # This clause only supports fast acl types.
  2206. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  2207. #Default:
  2208. # Address selection is performed by the operating system.
  2209.  
  2210. # TAG: host_verify_strict
  2211. # Regardless of this option setting, when dealing with intercepted
  2212. # traffic, Squid always verifies that the destination IP address matches
  2213. # the Host header domain or IP (called 'authority form URL').
  2214. #
  2215. # This enforcement is performed to satisfy a MUST-level requirement in
  2216. # RFC 2616 section 14.23: "The Host field value MUST represent the naming
  2217. # authority of the origin server or gateway given by the original URL".
  2218. #
  2219. # When set to ON:
  2220. # Squid always responds with an HTTP 409 (Conflict) error
  2221. # page and logs a security warning if there is no match.
  2222. #
  2223. # Squid verifies that the destination IP address matches
  2224. # the Host header for forward-proxy and reverse-proxy traffic
  2225. # as well. For those traffic types, Squid also enables the
  2226. # following checks, comparing the corresponding Host header
  2227. # and Request-URI components:
  2228. #
  2229. # * The host names (domain or IP) must be identical,
  2230. # but valueless or missing Host header disables all checks.
  2231. # For the two host names to match, both must be either IP
  2232. # or FQDN.
  2233. #
  2234. # * Port numbers must be identical, but if a port is missing
  2235. # the scheme-default port is assumed.
  2236. #
  2237. #
  2238. # When set to OFF (the default):
  2239. # Squid allows suspicious requests to continue but logs a
  2240. # security warning and blocks caching of the response.
  2241. #
  2242. # * Forward-proxy traffic is not checked at all.
  2243. #
  2244. # * Reverse-proxy traffic is not checked at all.
  2245. #
  2246. # * Intercepted traffic which passes verification is handled
  2247. # according to client_dst_passthru.
  2248. #
  2249. # * Intercepted requests which fail verification are sent
  2250. # to the client original destination instead of DIRECT.
  2251. # This overrides 'client_dst_passthru off'.
  2252. #
  2253. # For now suspicious intercepted CONNECT requests are always
  2254. # responded to with an HTTP 409 (Conflict) error page.
  2255. #
  2256. #
  2257. # SECURITY NOTE:
  2258. #
  2259. # As described in CVE-2009-0801 when the Host: header alone is used
  2260. # to determine the destination of a request it becomes trivial for
  2261. # malicious scripts on remote websites to bypass browser same-origin
  2262. # security policy and sandboxing protections.
  2263. #
  2264. # The cause of this is that such applets are allowed to perform their
  2265. # own HTTP stack, in which case the same-origin policy of the browser
  2266. # sandbox only verifies that the applet tries to contact the same IP
  2267. # as from where it was loaded at the IP level. The Host: header may
  2268. # be different from the connected IP and approved origin.
  2269. #
  2270. #Default:
  2271. # host_verify_strict off
  2272.  
  2273. # TAG: client_dst_passthru
  2274. # With NAT or TPROXY intercepted traffic Squid may pass the request
  2275. # directly to the original client destination IP or seek a faster
  2276. # source using the HTTP Host header.
  2277. #
  2278. # Using Host to locate alternative servers can provide faster
  2279. # connectivity with a range of failure recovery options.
  2280. # But can also lead to connectivity trouble when the client and
  2281. # server are attempting stateful interactions unaware of the proxy.
  2282. #
  2283. # This option (on by default) prevents alternative DNS entries being
  2284. # located to send intercepted traffic DIRECT to an origin server.
  2285. # The clients original destination IP and port will be used instead.
  2286. #
  2287. # Regardless of this option setting, when dealing with intercepted
  2288. # traffic Squid will verify the Host: header and any traffic which
  2289. # fails Host verification will be treated as if this option were ON.
  2290. #
  2291. # see host_verify_strict for details on the verification process.
  2292. #Default:
  2293. # client_dst_passthru on
  2294.  
  2295. # TLS OPTIONS
  2296. # -----------------------------------------------------------------------------
  2297.  
  2298. # TAG: tls_outgoing_options
  2299. # disable Do not support https:// URLs.
  2300. #
  2301. # cert=/path/to/client/certificate
  2302. # A client X.509 certificate to use when connecting.
  2303. #
  2304. # key=/path/to/client/private_key
  2305. # The private key corresponding to the cert= above.
  2306. #
  2307. # If key= is not specified cert= is assumed to
  2308. # reference a PEM file containing both the certificate
  2309. # and private key.
  2310. #
  2311. # cipher=... The list of valid TLS ciphers to use.
  2312. #
  2313. # min-version=1.N
  2314. # The minimum TLS protocol version to permit.
  2315. # To control SSLv3 use the options= parameter.
  2316. # Supported Values: 1.0 (default), 1.1, 1.2
  2317. #
  2318. # options=... Specify various TLS/SSL implementation options.
  2319. #
  2320. # OpenSSL options most important are:
  2321. #
  2322. # NO_SSLv3 Disallow the use of SSLv3
  2323. #
  2324. # SINGLE_DH_USE
  2325. # Always create a new key when using
  2326. # temporary/ephemeral DH key exchanges
  2327. #
  2328. # NO_TICKET
  2329. # Disable use of RFC5077 session tickets.
  2330. # Some servers may have problems
  2331. # understanding the TLS extension due
  2332. # to ambiguous specification in RFC4507.
  2333. #
  2334. # ALL Enable various bug workarounds
  2335. # suggested as "harmless" by OpenSSL
  2336. # Be warned that this reduces SSL/TLS
  2337. # strength to some attacks.
  2338. #
  2339. # See the OpenSSL SSL_CTX_set_options documentation
  2340. # for a more complete list.
  2341. #
  2342. # GnuTLS options most important are:
  2343. #
  2344. # %NO_TICKETS
  2345. # Disable use of RFC5077 session tickets.
  2346. # Some servers may have problems
  2347. # understanding the TLS extension due
  2348. # to ambiguous specification in RFC4507.
  2349. #
  2350. # See the GnuTLS Priority Strings documentation
  2351. # for a more complete list.
  2352. # http://www.gnutls.org/manual/gnutls.html#Priority-Strings
  2353. #
  2354. #
  2355. # cafile= PEM file containing CA certificates to use when verifying
  2356. # the peer certificate. May be repeated to load multiple files.
  2357. #
  2358. # capath= A directory containing additional CA certificates to
  2359. # use when verifying the peer certificate.
  2360. # Requires OpenSSL or LibreSSL.
  2361. #
  2362. # crlfile=... A certificate revocation list file to use when
  2363. # verifying the peer certificate.
  2364. #
  2365. # flags=... Specify various flags modifying the TLS implementation:
  2366. #
  2367. # DONT_VERIFY_PEER
  2368. # Accept certificates even if they fail to
  2369. # verify.
  2370. # DONT_VERIFY_DOMAIN
  2371. # Don't verify the peer certificate
  2372. # matches the server name
  2373. #
  2374. # default-ca[=off]
  2375. # Whether to use the system Trusted CAs. Default is ON.
  2376. #
  2377. # domain= The peer name as advertised in its certificate.
  2378. # Used for verifying the correctness of the received peer
  2379. # certificate. If not specified the peer hostname will be
  2380. # used.
  2381. #Default:
  2382. # tls_outgoing_options min-version=1.0
  2383.  
  2384. # SSL OPTIONS
  2385. # -----------------------------------------------------------------------------
  2386.  
  2387. # TAG: ssl_unclean_shutdown
  2388. # Note: This option is only available if Squid is rebuilt with the
  2389. # --with-openssl
  2390. #
  2391. # Some browsers (especially MSIE) bugs out on SSL shutdown
  2392. # messages.
  2393. #Default:
  2394. # ssl_unclean_shutdown off
  2395.  
  2396. # TAG: ssl_engine
  2397. # Note: This option is only available if Squid is rebuilt with the
  2398. # --with-openssl
  2399. #
  2400. # The OpenSSL engine to use. You will need to set this if you
  2401. # would like to use hardware SSL acceleration for example.
  2402. #Default:
  2403. # none
  2404.  
  2405. # TAG: sslproxy_session_ttl
  2406. # Note: This option is only available if Squid is rebuilt with the
  2407. # --with-openssl
  2408. #
  2409. # Sets the timeout value for SSL sessions
  2410. #Default:
  2411. # sslproxy_session_ttl 300
  2412.  
  2413. # TAG: sslproxy_session_cache_size
  2414. # Note: This option is only available if Squid is rebuilt with the
  2415. # --with-openssl
  2416. #
  2417. # Sets the cache size to use for ssl session
  2418. #Default:
  2419. # sslproxy_session_cache_size 2 MB
  2420.  
  2421. # TAG: sslproxy_foreign_intermediate_certs
  2422. # Note: This option is only available if Squid is rebuilt with the
  2423. # --with-openssl
  2424. #
  2425. # Many origin servers fail to send their full server certificate
  2426. # chain for verification, assuming the client already has or can
  2427. # easily locate any missing intermediate certificates.
  2428. #
  2429. # Squid uses the certificates from the specified file to fill in
  2430. # these missing chains when trying to validate origin server
  2431. # certificate chains.
  2432. #
  2433. # The file is expected to contain zero or more PEM-encoded
  2434. # intermediate certificates. These certificates are not treated
  2435. # as trusted root certificates, and any self-signed certificate in
  2436. # this file will be ignored.
  2437. #Default:
  2438. # none
  2439.  
  2440. # TAG: sslproxy_cert_sign_hash
  2441. # Note: This option is only available if Squid is rebuilt with the
  2442. # --with-openssl
  2443. #
  2444. # Sets the hashing algorithm to use when signing generated certificates.
  2445. # Valid algorithm names depend on the OpenSSL library used. The following
  2446. # names are usually available: sha1, sha256, sha512, and md5. Please see
  2447. # your OpenSSL library manual for the available hashes. By default, Squids
  2448. # that support this option use sha256 hashes.
  2449. #
  2450. # Squid does not forcefully purge cached certificates that were generated
  2451. # with an algorithm other than the currently configured one. They remain
  2452. # in the cache, subject to the regular cache eviction policy, and become
  2453. # useful if the algorithm changes again.
  2454. #Default:
  2455. # none
  2456.  
  2457. # TAG: ssl_bump
  2458. # Note: This option is only available if Squid is rebuilt with the
  2459. # --with-openssl
  2460. #
  2461. # This option is consulted when a CONNECT request is received on
  2462. # an http_port (or a new connection is intercepted at an
  2463. # https_port), provided that port was configured with an ssl-bump
  2464. # flag. The subsequent data on the connection is either treated as
  2465. # HTTPS and decrypted OR tunneled at TCP level without decryption,
  2466. # depending on the first matching bumping "action".
  2467. #
  2468. # ssl_bump <action> [!]acl ...
  2469. #
  2470. # The following bumping actions are currently supported:
  2471. #
  2472. # splice
  2473. # Become a TCP tunnel without decrypting proxied traffic.
  2474. # This is the default action.
  2475. #
  2476. # bump
  2477. # When used on step SslBump1, establishes a secure connection
  2478. # with the client first, then connect to the server.
  2479. # When used on step SslBump2 or SslBump3, establishes a secure
  2480. # connection with the server and, using a mimicked server
  2481. # certificate, with the client.
  2482. #
  2483. # peek
  2484. # Receive client (step SslBump1) or server (step SslBump2)
  2485. # certificate while preserving the possibility of splicing the
  2486. # connection. Peeking at the server certificate (during step 2)
  2487. # usually precludes bumping of the connection at step 3.
  2488. #
  2489. # stare
  2490. # Receive client (step SslBump1) or server (step SslBump2)
  2491. # certificate while preserving the possibility of bumping the
  2492. # connection. Staring at the server certificate (during step 2)
  2493. # usually precludes splicing of the connection at step 3.
  2494. #
  2495. # terminate
  2496. # Close client and server connections.
  2497. #
  2498. # Backward compatibility actions available at step SslBump1:
  2499. #
  2500. # client-first
  2501. # Bump the connection. Establish a secure connection with the
  2502. # client first, then connect to the server. This old mode does
  2503. # not allow Squid to mimic server SSL certificate and does not
  2504. # work with intercepted SSL connections.
  2505. #
  2506. # server-first
  2507. # Bump the connection. Establish a secure connection with the
  2508. # server first, then establish a secure connection with the
  2509. # client, using a mimicked server certificate. Works with both
  2510. # CONNECT requests and intercepted SSL connections, but does
  2511. # not allow to make decisions based on SSL handshake info.
  2512. #
  2513. # peek-and-splice
  2514. # Decide whether to bump or splice the connection based on
  2515. # client-to-squid and server-to-squid SSL hello messages.
  2516. # XXX: Remove.
  2517. #
  2518. # none
  2519. # Same as the "splice" action.
  2520. #
  2521. # All ssl_bump rules are evaluated at each of the supported bumping
  2522. # steps. Rules with actions that are impossible at the current step are
  2523. # ignored. The first matching ssl_bump action wins and is applied at the
  2524. # end of the current step. If no rules match, the splice action is used.
  2525. # See the at_step ACL for a list of the supported SslBump steps.
  2526. #
  2527. # This clause supports both fast and slow acl types.
  2528. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  2529. #
  2530. # See also: http_port ssl-bump, https_port ssl-bump, and acl at_step.
  2531. #
  2532. #
  2533. # # Example: Bump all TLS connections except those originating from
  2534. # # localhost or those going to example.com.
  2535. #
  2536. # acl broken_sites ssl::server_name .example.com
  2537. # ssl_bump splice localhost
  2538. # ssl_bump splice broken_sites
  2539. # ssl_bump bump all
  2540. #Default:
  2541. # Become a TCP tunnel without decrypting proxied traffic.
  2542.  
  2543. # TAG: sslproxy_cert_error
  2544. # Note: This option is only available if Squid is rebuilt with the
  2545. # --with-openssl
  2546. #
  2547. # Use this ACL to bypass server certificate validation errors.
  2548. #
  2549. # For example, the following lines will bypass all validation errors
  2550. # when talking to servers for example.com. All other
  2551. # validation errors will result in ERR_SECURE_CONNECT_FAIL error.
  2552. #
  2553. # acl BrokenButTrustedServers dstdomain example.com
  2554. # sslproxy_cert_error allow BrokenButTrustedServers
  2555. # sslproxy_cert_error deny all
  2556. #
  2557. # This clause only supports fast acl types.
  2558. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  2559. # Using slow acl types may result in server crashes
  2560. #
  2561. # Without this option, all server certificate validation errors
  2562. # terminate the transaction to protect Squid and the client.
  2563. #
  2564. # SQUID_X509_V_ERR_INFINITE_VALIDATION error cannot be bypassed
  2565. # but should not happen unless your OpenSSL library is buggy.
  2566. #
  2567. # SECURITY WARNING:
  2568. # Bypassing validation errors is dangerous because an
  2569. # error usually implies that the server cannot be trusted
  2570. # and the connection may be insecure.
  2571. #
  2572. # See also: sslproxy_flags and DONT_VERIFY_PEER.
  2573. #Default:
  2574. # Server certificate errors terminate the transaction.
  2575.  
  2576. # TAG: sslproxy_cert_sign
  2577. # Note: This option is only available if Squid is rebuilt with the
  2578. # --with-openssl
  2579. #
  2580. #
  2581. # sslproxy_cert_sign <signing algorithm> acl ...
  2582. #
  2583. # The following certificate signing algorithms are supported:
  2584. #
  2585. # signTrusted
  2586. # Sign using the configured CA certificate which is usually
  2587. # placed in and trusted by end-user browsers. This is the
  2588. # default for trusted origin server certificates.
  2589. #
  2590. # signUntrusted
  2591. # Sign to guarantee an X509_V_ERR_CERT_UNTRUSTED browser error.
  2592. # This is the default for untrusted origin server certificates
  2593. # that are not self-signed (see ssl::certUntrusted).
  2594. #
  2595. # signSelf
  2596. # Sign using a self-signed certificate with the right CN to
  2597. # generate a X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT error in the
  2598. # browser. This is the default for self-signed origin server
  2599. # certificates (see ssl::certSelfSigned).
  2600. #
  2601. # This clause only supports fast acl types.
  2602. #
  2603. # When sslproxy_cert_sign acl(s) match, Squid uses the corresponding
  2604. # signing algorithm to generate the certificate and ignores all
  2605. # subsequent sslproxy_cert_sign options (the first match wins). If no
  2606. # acl(s) match, the default signing algorithm is determined by errors
  2607. # detected when obtaining and validating the origin server certificate.
  2608. #
  2609. # WARNING: SQUID_X509_V_ERR_DOMAIN_MISMATCH and ssl:certDomainMismatch can
  2610. # be used with sslproxy_cert_adapt, but if and only if Squid is bumping a
  2611. # CONNECT request that carries a domain name. In all other cases (CONNECT
  2612. # to an IP address or an intercepted SSL connection), Squid cannot detect
  2613. # the domain mismatch at certificate generation time when
  2614. # bump-server-first is used.
  2615. #Default:
  2616. # none
  2617.  
  2618. # TAG: sslproxy_cert_adapt
  2619. # Note: This option is only available if Squid is rebuilt with the
  2620. # --with-openssl
  2621. #
  2622. #
  2623. # sslproxy_cert_adapt <adaptation algorithm> acl ...
  2624. #
  2625. # The following certificate adaptation algorithms are supported:
  2626. #
  2627. # setValidAfter
  2628. # Sets the "Not After" property to the "Not After" property of
  2629. # the CA certificate used to sign generated certificates.
  2630. #
  2631. # setValidBefore
  2632. # Sets the "Not Before" property to the "Not Before" property of
  2633. # the CA certificate used to sign generated certificates.
  2634. #
  2635. # setCommonName or setCommonName{CN}
  2636. # Sets Subject.CN property to the host name specified as a
  2637. # CN parameter or, if no explicit CN parameter was specified,
  2638. # extracted from the CONNECT request. It is a misconfiguration
  2639. # to use setCommonName without an explicit parameter for
  2640. # intercepted or tproxied SSL connections.
  2641. #
  2642. # This clause only supports fast acl types.
  2643. #
  2644. # Squid first groups sslproxy_cert_adapt options by adaptation algorithm.
  2645. # Within a group, when sslproxy_cert_adapt acl(s) match, Squid uses the
  2646. # corresponding adaptation algorithm to generate the certificate and
  2647. # ignores all subsequent sslproxy_cert_adapt options in that algorithm's
  2648. # group (i.e., the first match wins within each algorithm group). If no
  2649. # acl(s) match, the default mimicking action takes place.
  2650. #
  2651. # WARNING: SQUID_X509_V_ERR_DOMAIN_MISMATCH and ssl:certDomainMismatch can
  2652. # be used with sslproxy_cert_adapt, but if and only if Squid is bumping a
  2653. # CONNECT request that carries a domain name. In all other cases (CONNECT
  2654. # to an IP address or an intercepted SSL connection), Squid cannot detect
  2655. # the domain mismatch at certificate generation time when
  2656. # bump-server-first is used.
  2657. #Default:
  2658. # none
  2659.  
  2660. # TAG: sslpassword_program
  2661. # Note: This option is only available if Squid is rebuilt with the
  2662. # --with-openssl
  2663. #
  2664. # Specify a program used for entering SSL key passphrases
  2665. # when using encrypted SSL certificate keys. If not specified
  2666. # keys must either be unencrypted, or Squid started with the -N
  2667. # option to allow it to query interactively for the passphrase.
  2668. #
  2669. # The key file name is given as argument to the program allowing
  2670. # selection of the right password if you have multiple encrypted
  2671. # keys.
  2672. #Default:
  2673. # none
  2674.  
  2675. # OPTIONS RELATING TO EXTERNAL SSL_CRTD
  2676. # -----------------------------------------------------------------------------
  2677.  
  2678. # TAG: sslcrtd_program
  2679. # Note: This option is only available if Squid is rebuilt with the
  2680. # --enable-ssl-crtd
  2681. #
  2682. # Specify the location and options of the executable for certificate
  2683. # generator.
  2684. #
  2685. # /usr/lib/squid/security_file_certgen program can use a disk cache to improve response
  2686. # times on repeated requests. To enable caching, specify -s and -M
  2687. # parameters. If those parameters are not given, the program generates
  2688. # a new certificate on every request.
  2689. #
  2690. # For more information use:
  2691. # /usr/lib/squid/security_file_certgen -h
  2692. #Default:
  2693. # sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/spool/squid/ssl_db -M 4MB
  2694.  
  2695. # TAG: sslcrtd_children
  2696. # Note: This option is only available if Squid is rebuilt with the
  2697. # --enable-ssl-crtd
  2698. #
  2699. # Specifies the maximum number of certificate generation processes that
  2700. # Squid may spawn (numberofchildren) and several related options. Using
  2701. # too few of these helper processes (a.k.a. "helpers") creates request
  2702. # queues. Using too many helpers wastes your system resources. Squid
  2703. # does not support spawning more than 32 helpers.
  2704. #
  2705. # Usage: numberofchildren [option]...
  2706. #
  2707. # The startup= and idle= options allow some measure of skew in your
  2708. # tuning.
  2709. #
  2710. # startup=N
  2711. #
  2712. # Sets the minimum number of processes to spawn when Squid
  2713. # starts or reconfigures. When set to zero the first request will
  2714. # cause spawning of the first child process to handle it.
  2715. #
  2716. # Starting too few children temporary slows Squid under load while it
  2717. # tries to spawn enough additional processes to cope with traffic.
  2718. #
  2719. # idle=N
  2720. #
  2721. # Sets a minimum of how many processes Squid is to try and keep available
  2722. # at all times. When traffic begins to rise above what the existing
  2723. # processes can handle this many more will be spawned up to the maximum
  2724. # configured. A minimum setting of 1 is required.
  2725. #
  2726. # queue-size=N
  2727. #
  2728. # Sets the maximum number of queued requests. A request is queued when
  2729. # no existing child is idle and no new child can be started due to
  2730. # numberofchildren limit. If the queued requests exceed queue size for
  2731. # more than 3 minutes squid aborts its operation. The default value is
  2732. # set to 2*numberofchildren.
  2733. #
  2734. # You must have at least one ssl_crtd process.
  2735. #Default:
  2736. # sslcrtd_children 32 startup=5 idle=1
  2737.  
  2738. # TAG: sslcrtvalidator_program
  2739. # Note: This option is only available if Squid is rebuilt with the
  2740. # --with-openssl
  2741. #
  2742. # Specify the location and options of the executable for ssl_crt_validator
  2743. # process.
  2744. #
  2745. # Usage: sslcrtvalidator_program [ttl=n] [cache=n] path ...
  2746. #
  2747. # Options:
  2748. # ttl=n TTL in seconds for cached results. The default is 60 secs
  2749. # cache=n limit the result cache size. The default value is 2048
  2750. #Default:
  2751. # none
  2752.  
  2753. # TAG: sslcrtvalidator_children
  2754. # Note: This option is only available if Squid is rebuilt with the
  2755. # --with-openssl
  2756. #
  2757. # Specifies the maximum number of certificate validation processes that
  2758. # Squid may spawn (numberofchildren) and several related options. Using
  2759. # too few of these helper processes (a.k.a. "helpers") creates request
  2760. # queues. Using too many helpers wastes your system resources. Squid
  2761. # does not support spawning more than 32 helpers.
  2762. #
  2763. # Usage: numberofchildren [option]...
  2764. #
  2765. # The startup= and idle= options allow some measure of skew in your
  2766. # tuning.
  2767. #
  2768. # startup=N
  2769. #
  2770. # Sets the minimum number of processes to spawn when Squid
  2771. # starts or reconfigures. When set to zero the first request will
  2772. # cause spawning of the first child process to handle it.
  2773. #
  2774. # Starting too few children temporary slows Squid under load while it
  2775. # tries to spawn enough additional processes to cope with traffic.
  2776. #
  2777. # idle=N
  2778. #
  2779. # Sets a minimum of how many processes Squid is to try and keep available
  2780. # at all times. When traffic begins to rise above what the existing
  2781. # processes can handle this many more will be spawned up to the maximum
  2782. # configured. A minimum setting of 1 is required.
  2783. #
  2784. # concurrency=
  2785. #
  2786. # The number of requests each certificate validator helper can handle in
  2787. # parallel. A value of 0 indicates the certficate validator does not
  2788. # support concurrency. Defaults to 1.
  2789. #
  2790. # When this directive is set to a value >= 1 then the protocol
  2791. # used to communicate with the helper is modified to include
  2792. # a request ID in front of the request/response. The request
  2793. # ID from the request must be echoed back with the response
  2794. # to that request.
  2795. #
  2796. # queue-size=N
  2797. #
  2798. # Sets the maximum number of queued requests. A request is queued when
  2799. # no existing child can accept it due to concurrency limit and no new
  2800. # child can be started due to numberofchildren limit. If the queued
  2801. # requests exceed queue size for more than 3 minutes squid aborts its
  2802. # operation. The default value is set to 2*numberofchildren.
  2803. #
  2804. # You must have at least one ssl_crt_validator process.
  2805. #Default:
  2806. # sslcrtvalidator_children 32 startup=5 idle=1 concurrency=1
  2807.  
  2808. # OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
  2809. # -----------------------------------------------------------------------------
  2810.  
  2811. # TAG: cache_peer
  2812. # To specify other caches in a hierarchy, use the format:
  2813. #
  2814. # cache_peer hostname type http-port icp-port [options]
  2815. #
  2816. # For example,
  2817. #
  2818. # # proxy icp
  2819. # # hostname type port port options
  2820. # # -------------------- -------- ----- ----- -----------
  2821. # cache_peer parent.foo.net parent 3128 3130 default
  2822. # cache_peer sib1.foo.net sibling 3128 3130 proxy-only
  2823. # cache_peer sib2.foo.net sibling 3128 3130 proxy-only
  2824. # cache_peer example.com parent 80 0 default
  2825. # cache_peer cdn.example.com sibling 3128 0
  2826. #
  2827. # type: either 'parent', 'sibling', or 'multicast'.
  2828. #
  2829. # proxy-port: The port number where the peer accept HTTP requests.
  2830. # For other Squid proxies this is usually 3128
  2831. # For web servers this is usually 80
  2832. #
  2833. # icp-port: Used for querying neighbor caches about objects.
  2834. # Set to 0 if the peer does not support ICP or HTCP.
  2835. # See ICP and HTCP options below for additional details.
  2836. #
  2837. #
  2838. # ==== ICP OPTIONS ====
  2839. #
  2840. # You MUST also set icp_port and icp_access explicitly when using these options.
  2841. # The defaults will prevent peer traffic using ICP.
  2842. #
  2843. #
  2844. # no-query Disable ICP queries to this neighbor.
  2845. #
  2846. # multicast-responder
  2847. # Indicates the named peer is a member of a multicast group.
  2848. # ICP queries will not be sent directly to the peer, but ICP
  2849. # replies will be accepted from it.
  2850. #
  2851. # closest-only Indicates that, for ICP_OP_MISS replies, we'll only forward
  2852. # CLOSEST_PARENT_MISSes and never FIRST_PARENT_MISSes.
  2853. #
  2854. # background-ping
  2855. # To only send ICP queries to this neighbor infrequently.
  2856. # This is used to keep the neighbor round trip time updated
  2857. # and is usually used in conjunction with weighted-round-robin.
  2858. #
  2859. #
  2860. # ==== HTCP OPTIONS ====
  2861. #
  2862. # You MUST also set htcp_port and htcp_access explicitly when using these options.
  2863. # The defaults will prevent peer traffic using HTCP.
  2864. #
  2865. #
  2866. # htcp Send HTCP, instead of ICP, queries to the neighbor.
  2867. # You probably also want to set the "icp-port" to 4827
  2868. # instead of 3130. This directive accepts a comma separated
  2869. # list of options described below.
  2870. #
  2871. # htcp=oldsquid Send HTCP to old Squid versions (2.5 or earlier).
  2872. #
  2873. # htcp=no-clr Send HTCP to the neighbor but without
  2874. # sending any CLR requests. This cannot be used with
  2875. # only-clr.
  2876. #
  2877. # htcp=only-clr Send HTCP to the neighbor but ONLY CLR requests.
  2878. # This cannot be used with no-clr.
  2879. #
  2880. # htcp=no-purge-clr
  2881. # Send HTCP to the neighbor including CLRs but only when
  2882. # they do not result from PURGE requests.
  2883. #
  2884. # htcp=forward-clr
  2885. # Forward any HTCP CLR requests this proxy receives to the peer.
  2886. #
  2887. #
  2888. # ==== PEER SELECTION METHODS ====
  2889. #
  2890. # The default peer selection method is ICP, with the first responding peer
  2891. # being used as source. These options can be used for better load balancing.
  2892. #
  2893. #
  2894. # default This is a parent cache which can be used as a "last-resort"
  2895. # if a peer cannot be located by any of the peer-selection methods.
  2896. # If specified more than once, only the first is used.
  2897. #
  2898. # round-robin Load-Balance parents which should be used in a round-robin
  2899. # fashion in the absence of any ICP queries.
  2900. # weight=N can be used to add bias.
  2901. #
  2902. # weighted-round-robin
  2903. # Load-Balance parents which should be used in a round-robin
  2904. # fashion with the frequency of each parent being based on the
  2905. # round trip time. Closer parents are used more often.
  2906. # Usually used for background-ping parents.
  2907. # weight=N can be used to add bias.
  2908. #
  2909. # carp Load-Balance parents which should be used as a CARP array.
  2910. # The requests will be distributed among the parents based on the
  2911. # CARP load balancing hash function based on their weight.
  2912. #
  2913. # userhash Load-balance parents based on the client proxy_auth or ident username.
  2914. #
  2915. # sourcehash Load-balance parents based on the client source IP.
  2916. #
  2917. # multicast-siblings
  2918. # To be used only for cache peers of type "multicast".
  2919. # ALL members of this multicast group have "sibling"
  2920. # relationship with it, not "parent". This is to a multicast
  2921. # group when the requested object would be fetched only from
  2922. # a "parent" cache, anyway. It's useful, e.g., when
  2923. # configuring a pool of redundant Squid proxies, being
  2924. # members of the same multicast group.
  2925. #
  2926. #
  2927. # ==== PEER SELECTION OPTIONS ====
  2928. #
  2929. # weight=N use to affect the selection of a peer during any weighted
  2930. # peer-selection mechanisms.
  2931. # The weight must be an integer; default is 1,
  2932. # larger weights are favored more.
  2933. # This option does not affect parent selection if a peering
  2934. # protocol is not in use.
  2935. #
  2936. # basetime=N Specify a base amount to be subtracted from round trip
  2937. # times of parents.
  2938. # It is subtracted before division by weight in calculating
  2939. # which parent to fectch from. If the rtt is less than the
  2940. # base time the rtt is set to a minimal value.
  2941. #
  2942. # ttl=N Specify a TTL to use when sending multicast ICP queries
  2943. # to this address.
  2944. # Only useful when sending to a multicast group.
  2945. # Because we don't accept ICP replies from random
  2946. # hosts, you must configure other group members as
  2947. # peers with the 'multicast-responder' option.
  2948. #
  2949. # no-delay To prevent access to this neighbor from influencing the
  2950. # delay pools.
  2951. #
  2952. # digest-url=URL Tell Squid to fetch the cache digest (if digests are
  2953. # enabled) for this host from the specified URL rather
  2954. # than the Squid default location.
  2955. #
  2956. #
  2957. # ==== CARP OPTIONS ====
  2958. #
  2959. # carp-key=key-specification
  2960. # use a different key than the full URL to hash against the peer.
  2961. # the key-specification is a comma-separated list of the keywords
  2962. # scheme, host, port, path, params
  2963. # Order is not important.
  2964. #
  2965. # ==== ACCELERATOR / REVERSE-PROXY OPTIONS ====
  2966. #
  2967. # originserver Causes this parent to be contacted as an origin server.
  2968. # Meant to be used in accelerator setups when the peer
  2969. # is a web server.
  2970. #
  2971. # forceddomain=name
  2972. # Set the Host header of requests forwarded to this peer.
  2973. # Useful in accelerator setups where the server (peer)
  2974. # expects a certain domain name but clients may request
  2975. # others. ie example.com or www.example.com
  2976. #
  2977. # no-digest Disable request of cache digests.
  2978. #
  2979. # no-netdb-exchange
  2980. # Disables requesting ICMP RTT database (NetDB).
  2981. #
  2982. #
  2983. # ==== AUTHENTICATION OPTIONS ====
  2984. #
  2985. # login=user:password
  2986. # If this is a personal/workgroup proxy and your parent
  2987. # requires proxy authentication.
  2988. #
  2989. # Note: The string can include URL escapes (i.e. %20 for
  2990. # spaces). This also means % must be written as %%.
  2991. #
  2992. # login=PASSTHRU
  2993. # Send login details received from client to this peer.
  2994. # Both Proxy- and WWW-Authorization headers are passed
  2995. # without alteration to the peer.
  2996. # Authentication is not required by Squid for this to work.
  2997. #
  2998. # Note: This will pass any form of authentication but
  2999. # only Basic auth will work through a proxy unless the
  3000. # connection-auth options are also used.
  3001. #
  3002. # login=PASS Send login details received from client to this peer.
  3003. # Authentication is not required by this option.
  3004. #
  3005. # If there are no client-provided authentication headers
  3006. # to pass on, but username and password are available
  3007. # from an external ACL user= and password= result tags
  3008. # they may be sent instead.
  3009. #
  3010. # Note: To combine this with proxy_auth both proxies must
  3011. # share the same user database as HTTP only allows for
  3012. # a single login (one for proxy, one for origin server).
  3013. # Also be warned this will expose your users proxy
  3014. # password to the peer. USE WITH CAUTION
  3015. #
  3016. # login=*:password
  3017. # Send the username to the upstream cache, but with a
  3018. # fixed password. This is meant to be used when the peer
  3019. # is in another administrative domain, but it is still
  3020. # needed to identify each user.
  3021. # The star can optionally be followed by some extra
  3022. # information which is added to the username. This can
  3023. # be used to identify this proxy to the peer, similar to
  3024. # the login=username:password option above.
  3025. #
  3026. # login=NEGOTIATE
  3027. # If this is a personal/workgroup proxy and your parent
  3028. # requires a secure proxy authentication.
  3029. # The first principal from the default keytab or defined by
  3030. # the environment variable KRB5_KTNAME will be used.
  3031. #
  3032. # WARNING: The connection may transmit requests from multiple
  3033. # clients. Negotiate often assumes end-to-end authentication
  3034. # and a single-client. Which is not strictly true here.
  3035. #
  3036. # login=NEGOTIATE:principal_name
  3037. # If this is a personal/workgroup proxy and your parent
  3038. # requires a secure proxy authentication.
  3039. # The principal principal_name from the default keytab or
  3040. # defined by the environment variable KRB5_KTNAME will be
  3041. # used.
  3042. #
  3043. # WARNING: The connection may transmit requests from multiple
  3044. # clients. Negotiate often assumes end-to-end authentication
  3045. # and a single-client. Which is not strictly true here.
  3046. #
  3047. # connection-auth=on|off
  3048. # Tell Squid that this peer does or not support Microsoft
  3049. # connection oriented authentication, and any such
  3050. # challenges received from there should be ignored.
  3051. # Default is auto to automatically determine the status
  3052. # of the peer.
  3053. #
  3054. # auth-no-keytab
  3055. # Do not use a keytab to authenticate to a peer when
  3056. # login=NEGOTIATE is specified. Let the GSSAPI
  3057. # implementation determine which already existing
  3058. # credentials cache to use instead.
  3059. #
  3060. #
  3061. # ==== SSL / HTTPS / TLS OPTIONS ====
  3062. #
  3063. # tls Encrypt connections to this peer with TLS.
  3064. #
  3065. # sslcert=/path/to/ssl/certificate
  3066. # A client X.509 certificate to use when connecting to
  3067. # this peer.
  3068. #
  3069. # sslkey=/path/to/ssl/key
  3070. # The private key corresponding to sslcert above.
  3071. #
  3072. # If sslkey= is not specified sslcert= is assumed to
  3073. # reference a PEM file containing both the certificate
  3074. # and private key.
  3075. #
  3076. # sslcipher=... The list of valid SSL ciphers to use when connecting
  3077. # to this peer.
  3078. #
  3079. # tls-min-version=1.N
  3080. # The minimum TLS protocol version to permit. To control
  3081. # SSLv3 use the tls-options= parameter.
  3082. # Supported Values: 1.0 (default), 1.1, 1.2
  3083. #
  3084. # tls-options=... Specify various TLS implementation options.
  3085. #
  3086. # OpenSSL options most important are:
  3087. #
  3088. # NO_SSLv3 Disallow the use of SSLv3
  3089. #
  3090. # SINGLE_DH_USE
  3091. # Always create a new key when using
  3092. # temporary/ephemeral DH key exchanges
  3093. #
  3094. # NO_TICKET
  3095. # Disable use of RFC5077 session tickets.
  3096. # Some servers may have problems
  3097. # understanding the TLS extension due
  3098. # to ambiguous specification in RFC4507.
  3099. #
  3100. # ALL Enable various bug workarounds
  3101. # suggested as "harmless" by OpenSSL
  3102. # Be warned that this reduces SSL/TLS
  3103. # strength to some attacks.
  3104. #
  3105. # See the OpenSSL SSL_CTX_set_options documentation for a
  3106. # more complete list.
  3107. #
  3108. # GnuTLS options most important are:
  3109. #
  3110. # %NO_TICKETS
  3111. # Disable use of RFC5077 session tickets.
  3112. # Some servers may have problems
  3113. # understanding the TLS extension due
  3114. # to ambiguous specification in RFC4507.
  3115. #
  3116. # See the GnuTLS Priority Strings documentation
  3117. # for a more complete list.
  3118. # http://www.gnutls.org/manual/gnutls.html#Priority-Strings
  3119. #
  3120. # tls-cafile= PEM file containing CA certificates to use when verifying
  3121. # the peer certificate. May be repeated to load multiple files.
  3122. #
  3123. # sslcapath=... A directory containing additional CA certificates to
  3124. # use when verifying the peer certificate.
  3125. # Requires OpenSSL or LibreSSL.
  3126. #
  3127. # sslcrlfile=... A certificate revocation list file to use when
  3128. # verifying the peer certificate.
  3129. #
  3130. # sslflags=... Specify various flags modifying the SSL implementation:
  3131. #
  3132. # DONT_VERIFY_PEER
  3133. # Accept certificates even if they fail to
  3134. # verify.
  3135. #
  3136. # DONT_VERIFY_DOMAIN
  3137. # Don't verify the peer certificate
  3138. # matches the server name
  3139. #
  3140. # ssldomain= The peer name as advertised in it's certificate.
  3141. # Used for verifying the correctness of the received peer
  3142. # certificate. If not specified the peer hostname will be
  3143. # used.
  3144. #
  3145. # front-end-https[=off|on|auto]
  3146. # Enable the "Front-End-Https: On" header needed when
  3147. # using Squid as a SSL frontend in front of Microsoft OWA.
  3148. # See MS KB document Q307347 for details on this header.
  3149. # If set to auto the header will only be added if the
  3150. # request is forwarded as a https:// URL.
  3151. #
  3152. # tls-default-ca[=off]
  3153. # Whether to use the system Trusted CAs. Default is ON.
  3154. #
  3155. # tls-no-npn Do not use the TLS NPN extension to advertise HTTP/1.1.
  3156. #
  3157. # ==== GENERAL OPTIONS ====
  3158. #
  3159. # connect-timeout=N
  3160. # A peer-specific connect timeout.
  3161. # Also see the peer_connect_timeout directive.
  3162. #
  3163. # connect-fail-limit=N
  3164. # How many times connecting to a peer must fail before
  3165. # it is marked as down. Standby connection failures
  3166. # count towards this limit. Default is 10.
  3167. #
  3168. # allow-miss Disable Squid's use of only-if-cached when forwarding
  3169. # requests to siblings. This is primarily useful when
  3170. # icp_hit_stale is used by the sibling. Excessive use
  3171. # of this option may result in forwarding loops. One way
  3172. # to prevent peering loops when using this option, is to
  3173. # deny cache peer usage on requests from a peer:
  3174. # acl fromPeer ...
  3175. # cache_peer_access peerName deny fromPeer
  3176. #
  3177. # max-conn=N Limit the number of concurrent connections the Squid
  3178. # may open to this peer, including already opened idle
  3179. # and standby connections. There is no peer-specific
  3180. # connection limit by default.
  3181. #
  3182. # A peer exceeding the limit is not used for new
  3183. # requests unless a standby connection is available.
  3184. #
  3185. # max-conn currently works poorly with idle persistent
  3186. # connections: When a peer reaches its max-conn limit,
  3187. # and there are idle persistent connections to the peer,
  3188. # the peer may not be selected because the limiting code
  3189. # does not know whether Squid can reuse those idle
  3190. # connections.
  3191. #
  3192. # standby=N Maintain a pool of N "hot standby" connections to an
  3193. # UP peer, available for requests when no idle
  3194. # persistent connection is available (or safe) to use.
  3195. # By default and with zero N, no such pool is maintained.
  3196. # N must not exceed the max-conn limit (if any).
  3197. #
  3198. # At start or after reconfiguration, Squid opens new TCP
  3199. # standby connections until there are N connections
  3200. # available and then replenishes the standby pool as
  3201. # opened connections are used up for requests. A used
  3202. # connection never goes back to the standby pool, but
  3203. # may go to the regular idle persistent connection pool
  3204. # shared by all peers and origin servers.
  3205. #
  3206. # Squid never opens multiple new standby connections
  3207. # concurrently. This one-at-a-time approach minimizes
  3208. # flooding-like effect on peers. Furthermore, just a few
  3209. # standby connections should be sufficient in most cases
  3210. # to supply most new requests with a ready-to-use
  3211. # connection.
  3212. #
  3213. # Standby connections obey server_idle_pconn_timeout.
  3214. # For the feature to work as intended, the peer must be
  3215. # configured to accept and keep them open longer than
  3216. # the idle timeout at the connecting Squid, to minimize
  3217. # race conditions typical to idle used persistent
  3218. # connections. Default request_timeout and
  3219. # server_idle_pconn_timeout values ensure such a
  3220. # configuration.
  3221. #
  3222. # name=xxx Unique name for the peer.
  3223. # Required if you have multiple peers on the same host
  3224. # but different ports.
  3225. # This name can be used in cache_peer_access and similar
  3226. # directives to identify the peer.
  3227. # Can be used by outgoing access controls through the
  3228. # peername ACL type.
  3229. #
  3230. # no-tproxy Do not use the client-spoof TPROXY support when forwarding
  3231. # requests to this peer. Use normal address selection instead.
  3232. # This overrides the spoof_client_ip ACL.
  3233. #
  3234. # proxy-only objects fetched from the peer will not be stored locally.
  3235. #
  3236. #Default:
  3237. # none
  3238.  
  3239. # TAG: cache_peer_access
  3240. # Restricts usage of cache_peer proxies.
  3241. #
  3242. # Usage:
  3243. # cache_peer_access peer-name allow|deny [!]aclname ...
  3244. #
  3245. # For the required peer-name parameter, use either the value of the
  3246. # cache_peer name=value parameter or, if name=value is missing, the
  3247. # cache_peer hostname parameter.
  3248. #
  3249. # This directive narrows down the selection of peering candidates, but
  3250. # does not determine the order in which the selected candidates are
  3251. # contacted. That order is determined by the peer selection algorithms
  3252. # (see PEER SELECTION sections in the cache_peer documentation).
  3253. #
  3254. # If a deny rule matches, the corresponding peer will not be contacted
  3255. # for the current transaction -- Squid will not send ICP queries and
  3256. # will not forward HTTP requests to that peer. An allow match leaves
  3257. # the corresponding peer in the selection. The first match for a given
  3258. # peer wins for that peer.
  3259. #
  3260. # The relative order of cache_peer_access directives for the same peer
  3261. # matters. The relative order of any two cache_peer_access directives
  3262. # for different peers does not matter. To ease interpretation, it is a
  3263. # good idea to group cache_peer_access directives for the same peer
  3264. # together.
  3265. #
  3266. # A single cache_peer_access directive may be evaluated multiple times
  3267. # for a given transaction because individual peer selection algorithms
  3268. # may check it independently from each other. These redundant checks
  3269. # may be optimized away in future Squid versions.
  3270. #
  3271. # This clause only supports fast acl types.
  3272. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  3273. #
  3274. #Default:
  3275. # No peer usage restrictions.
  3276.  
  3277. # TAG: neighbor_type_domain
  3278. # Modify the cache_peer neighbor type when passing requests
  3279. # about specific domains to the peer.
  3280. #
  3281. # Usage:
  3282. # neighbor_type_domain neighbor parent|sibling domain domain ...
  3283. #
  3284. # For example:
  3285. # cache_peer foo.example.com parent 3128 3130
  3286. # neighbor_type_domain foo.example.com sibling .au .de
  3287. #
  3288. # The above configuration treats all requests to foo.example.com as a
  3289. # parent proxy unless the request is for a .au or .de ccTLD domain name.
  3290. #Default:
  3291. # The peer type from cache_peer directive is used for all requests to that peer.
  3292.  
  3293. # TAG: dead_peer_timeout (seconds)
  3294. # This controls how long Squid waits to declare a peer cache
  3295. # as "dead." If there are no ICP replies received in this
  3296. # amount of time, Squid will declare the peer dead and not
  3297. # expect to receive any further ICP replies. However, it
  3298. # continues to send ICP queries, and will mark the peer as
  3299. # alive upon receipt of the first subsequent ICP reply.
  3300. #
  3301. # This timeout also affects when Squid expects to receive ICP
  3302. # replies from peers. If more than 'dead_peer' seconds have
  3303. # passed since the last ICP reply was received, Squid will not
  3304. # expect to receive an ICP reply on the next query. Thus, if
  3305. # your time between requests is greater than this timeout, you
  3306. # will see a lot of requests sent DIRECT to origin servers
  3307. # instead of to your parents.
  3308. #Default:
  3309. # dead_peer_timeout 10 seconds
  3310.  
  3311. # TAG: forward_max_tries
  3312. # Limits the number of attempts to forward the request.
  3313. #
  3314. # For the purpose of this limit, Squid counts all high-level request
  3315. # forwarding attempts, including any same-destination retries after
  3316. # certain persistent connection failures and any attempts to use a
  3317. # different peer. However, low-level connection reopening attempts
  3318. # (enabled using connect_retries) are not counted.
  3319. #
  3320. # See also: forward_timeout and connect_retries.
  3321. #Default:
  3322. # forward_max_tries 25
  3323.  
  3324. # MEMORY CACHE OPTIONS
  3325. # -----------------------------------------------------------------------------
  3326.  
  3327. # TAG: cache_mem (bytes)
  3328. # NOTE: THIS PARAMETER DOES NOT SPECIFY THE MAXIMUM PROCESS SIZE.
  3329. # IT ONLY PLACES A LIMIT ON HOW MUCH ADDITIONAL MEMORY SQUID WILL
  3330. # USE AS A MEMORY CACHE OF OBJECTS. SQUID USES MEMORY FOR OTHER
  3331. # THINGS AS WELL. SEE THE SQUID FAQ SECTION 8 FOR DETAILS.
  3332. #
  3333. # 'cache_mem' specifies the ideal amount of memory to be used
  3334. # for:
  3335. # * In-Transit objects
  3336. # * Hot Objects
  3337. # * Negative-Cached objects
  3338. #
  3339. # Data for these objects are stored in 4 KB blocks. This
  3340. # parameter specifies the ideal upper limit on the total size of
  3341. # 4 KB blocks allocated. In-Transit objects take the highest
  3342. # priority.
  3343. #
  3344. # In-transit objects have priority over the others. When
  3345. # additional space is needed for incoming data, negative-cached
  3346. # and hot objects will be released. In other words, the
  3347. # negative-cached and hot objects will fill up any unused space
  3348. # not needed for in-transit objects.
  3349. #
  3350. # If circumstances require, this limit will be exceeded.
  3351. # Specifically, if your incoming request rate requires more than
  3352. # 'cache_mem' of memory to hold in-transit objects, Squid will
  3353. # exceed this limit to satisfy the new requests. When the load
  3354. # decreases, blocks will be freed until the high-water mark is
  3355. # reached. Thereafter, blocks will be used to store hot
  3356. # objects.
  3357. #
  3358. # If shared memory caching is enabled, Squid does not use the shared
  3359. # cache space for in-transit objects, but they still consume as much
  3360. # local memory as they need. For more details about the shared memory
  3361. # cache, see memory_cache_shared.
  3362. #Default:
  3363. # cache_mem 256 MB
  3364.  
  3365. # TAG: maximum_object_size_in_memory (bytes)
  3366. # Objects greater than this size will not be attempted to kept in
  3367. # the memory cache. This should be set high enough to keep objects
  3368. # accessed frequently in memory to improve performance whilst low
  3369. # enough to keep larger objects from hoarding cache_mem.
  3370. #Default:
  3371. # maximum_object_size_in_memory 512 KB
  3372.  
  3373. # TAG: memory_cache_shared on|off
  3374. # Controls whether the memory cache is shared among SMP workers.
  3375. #
  3376. # The shared memory cache is meant to occupy cache_mem bytes and replace
  3377. # the non-shared memory cache, although some entities may still be
  3378. # cached locally by workers for now (e.g., internal and in-transit
  3379. # objects may be served from a local memory cache even if shared memory
  3380. # caching is enabled).
  3381. #
  3382. # By default, the memory cache is shared if and only if all of the
  3383. # following conditions are satisfied: Squid runs in SMP mode with
  3384. # multiple workers, cache_mem is positive, and Squid environment
  3385. # supports required IPC primitives (e.g., POSIX shared memory segments
  3386. # and GCC-style atomic operations).
  3387. #
  3388. # To avoid blocking locks, shared memory uses opportunistic algorithms
  3389. # that do not guarantee that every cachable entity that could have been
  3390. # shared among SMP workers will actually be shared.
  3391. #Default:
  3392. # "on" where supported if doing memory caching with multiple SMP workers.
  3393.  
  3394. # TAG: memory_cache_mode
  3395. # Controls which objects to keep in the memory cache (cache_mem)
  3396. #
  3397. # always Keep most recently fetched objects in memory (default)
  3398. #
  3399. # disk Only disk cache hits are kept in memory, which means
  3400. # an object must first be cached on disk and then hit
  3401. # a second time before cached in memory.
  3402. #
  3403. # network Only objects fetched from network is kept in memory
  3404. #Default:
  3405. # Keep the most recently fetched objects in memory
  3406.  
  3407. # TAG: memory_replacement_policy
  3408. # The memory replacement policy parameter determines which
  3409. # objects are purged from memory when memory space is needed.
  3410. #
  3411. # See cache_replacement_policy for details on algorithms.
  3412. #Default:
  3413. # memory_replacement_policy lru
  3414.  
  3415. # DISK CACHE OPTIONS
  3416. # -----------------------------------------------------------------------------
  3417.  
  3418. # TAG: cache_replacement_policy
  3419. # The cache replacement policy parameter determines which
  3420. # objects are evicted (replaced) when disk space is needed.
  3421. #
  3422. # lru : Squid's original list based LRU policy
  3423. # heap GDSF : Greedy-Dual Size Frequency
  3424. # heap LFUDA: Least Frequently Used with Dynamic Aging
  3425. # heap LRU : LRU policy implemented using a heap
  3426. #
  3427. # Applies to any cache_dir lines listed below this directive.
  3428. #
  3429. # The LRU policies keeps recently referenced objects.
  3430. #
  3431. # The heap GDSF policy optimizes object hit rate by keeping smaller
  3432. # popular objects in cache so it has a better chance of getting a
  3433. # hit. It achieves a lower byte hit rate than LFUDA though since
  3434. # it evicts larger (possibly popular) objects.
  3435. #
  3436. # The heap LFUDA policy keeps popular objects in cache regardless of
  3437. # their size and thus optimizes byte hit rate at the expense of
  3438. # hit rate since one large, popular object will prevent many
  3439. # smaller, slightly less popular objects from being cached.
  3440. #
  3441. # Both policies utilize a dynamic aging mechanism that prevents
  3442. # cache pollution that can otherwise occur with frequency-based
  3443. # replacement policies.
  3444. #
  3445. # NOTE: if using the LFUDA replacement policy you should increase
  3446. # the value of maximum_object_size above its default of 4 MB to
  3447. # to maximize the potential byte hit rate improvement of LFUDA.
  3448. #
  3449. # For more information about the GDSF and LFUDA cache replacement
  3450. # policies see http://www.hpl.hp.com/techreports/1999/HPL-1999-69.html
  3451. # and http://fog.hpl.external.hp.com/techreports/98/HPL-98-173.html.
  3452. #Default:
  3453. # cache_replacement_policy lru
  3454.  
  3455. # TAG: minimum_object_size (bytes)
  3456. # Objects smaller than this size will NOT be saved on disk. The
  3457. # value is specified in bytes, and the default is 0 KB, which
  3458. # means all responses can be stored.
  3459. #Default:
  3460. # no limit
  3461.  
  3462. # TAG: maximum_object_size (bytes)
  3463. # Set the default value for max-size parameter on any cache_dir.
  3464. # The value is specified in bytes, and the default is 4 MB.
  3465. #
  3466. # If you wish to get a high BYTES hit ratio, you should probably
  3467. # increase this (one 32 MB object hit counts for 3200 10KB
  3468. # hits).
  3469. #
  3470. # If you wish to increase hit ratio more than you want to
  3471. # save bandwidth you should leave this low.
  3472. #
  3473. # NOTE: if using the LFUDA replacement policy you should increase
  3474. # this value to maximize the byte hit rate improvement of LFUDA!
  3475. # See cache_replacement_policy for a discussion of this policy.
  3476. #Default:
  3477. # maximum_object_size 4 MB
  3478.  
  3479. # TAG: cache_dir
  3480. # Format:
  3481. # cache_dir Type Directory-Name Fs-specific-data [options]
  3482. #
  3483. # You can specify multiple cache_dir lines to spread the
  3484. # cache among different disk partitions.
  3485. #
  3486. # Type specifies the kind of storage system to use. Only "ufs"
  3487. # is built by default. To enable any of the other storage systems
  3488. # see the --enable-storeio configure option.
  3489. #
  3490. # 'Directory' is a top-level directory where cache swap
  3491. # files will be stored. If you want to use an entire disk
  3492. # for caching, this can be the mount-point directory.
  3493. # The directory must exist and be writable by the Squid
  3494. # process. Squid will NOT create this directory for you.
  3495. #
  3496. # In SMP configurations, cache_dir must not precede the workers option
  3497. # and should use configuration macros or conditionals to give each
  3498. # worker interested in disk caching a dedicated cache directory.
  3499. #
  3500. #
  3501. # ==== The ufs store type ====
  3502. #
  3503. # "ufs" is the old well-known Squid storage format that has always
  3504. # been there.
  3505. #
  3506. # Usage:
  3507. # cache_dir ufs Directory-Name Mbytes L1 L2 [options]
  3508. #
  3509. # 'Mbytes' is the amount of disk space (MB) to use under this
  3510. # directory. The default is 100 MB. Change this to suit your
  3511. # configuration. Do NOT put the size of your disk drive here.
  3512. # Instead, if you want Squid to use the entire disk drive,
  3513. # subtract 20% and use that value.
  3514. #
  3515. # 'L1' is the number of first-level subdirectories which
  3516. # will be created under the 'Directory'. The default is 16.
  3517. #
  3518. # 'L2' is the number of second-level subdirectories which
  3519. # will be created under each first-level directory. The default
  3520. # is 256.
  3521. #
  3522. #
  3523. # ==== The aufs store type ====
  3524. #
  3525. # "aufs" uses the same storage format as "ufs", utilizing
  3526. # POSIX-threads to avoid blocking the main Squid process on
  3527. # disk-I/O. This was formerly known in Squid as async-io.
  3528. #
  3529. # Usage:
  3530. # cache_dir aufs Directory-Name Mbytes L1 L2 [options]
  3531. #
  3532. # see argument descriptions under ufs above
  3533. #
  3534. #
  3535. # ==== The diskd store type ====
  3536. #
  3537. # "diskd" uses the same storage format as "ufs", utilizing a
  3538. # separate process to avoid blocking the main Squid process on
  3539. # disk-I/O.
  3540. #
  3541. # Usage:
  3542. # cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n]
  3543. #
  3544. # see argument descriptions under ufs above
  3545. #
  3546. # Q1 specifies the number of unacknowledged I/O requests when Squid
  3547. # stops opening new files. If this many messages are in the queues,
  3548. # Squid won't open new files. Default is 64
  3549. #
  3550. # Q2 specifies the number of unacknowledged messages when Squid
  3551. # starts blocking. If this many messages are in the queues,
  3552. # Squid blocks until it receives some replies. Default is 72
  3553. #
  3554. # When Q1 < Q2 (the default), the cache directory is optimized
  3555. # for lower response time at the expense of a decrease in hit
  3556. # ratio. If Q1 > Q2, the cache directory is optimized for
  3557. # higher hit ratio at the expense of an increase in response
  3558. # time.
  3559. #
  3560. #
  3561. # ==== The rock store type ====
  3562. #
  3563. # Usage:
  3564. # cache_dir rock Directory-Name Mbytes [options]
  3565. #
  3566. # The Rock Store type is a database-style storage. All cached
  3567. # entries are stored in a "database" file, using fixed-size slots.
  3568. # A single entry occupies one or more slots.
  3569. #
  3570. # If possible, Squid using Rock Store creates a dedicated kid
  3571. # process called "disker" to avoid blocking Squid worker(s) on disk
  3572. # I/O. One disker kid is created for each rock cache_dir. Diskers
  3573. # are created only when Squid, running in daemon mode, has support
  3574. # for the IpcIo disk I/O module.
  3575. #
  3576. # swap-timeout=msec: Squid will not start writing a miss to or
  3577. # reading a hit from disk if it estimates that the swap operation
  3578. # will take more than the specified number of milliseconds. By
  3579. # default and when set to zero, disables the disk I/O time limit
  3580. # enforcement. Ignored when using blocking I/O module because
  3581. # blocking synchronous I/O does not allow Squid to estimate the
  3582. # expected swap wait time.
  3583. #
  3584. # max-swap-rate=swaps/sec: Artificially limits disk access using
  3585. # the specified I/O rate limit. Swap out requests that
  3586. # would cause the average I/O rate to exceed the limit are
  3587. # delayed. Individual swap in requests (i.e., hits or reads) are
  3588. # not delayed, but they do contribute to measured swap rate and
  3589. # since they are placed in the same FIFO queue as swap out
  3590. # requests, they may wait longer if max-swap-rate is smaller.
  3591. # This is necessary on file systems that buffer "too
  3592. # many" writes and then start blocking Squid and other processes
  3593. # while committing those writes to disk. Usually used together
  3594. # with swap-timeout to avoid excessive delays and queue overflows
  3595. # when disk demand exceeds available disk "bandwidth". By default
  3596. # and when set to zero, disables the disk I/O rate limit
  3597. # enforcement. Currently supported by IpcIo module only.
  3598. #
  3599. # slot-size=bytes: The size of a database "record" used for
  3600. # storing cached responses. A cached response occupies at least
  3601. # one slot and all database I/O is done using individual slots so
  3602. # increasing this parameter leads to more disk space waste while
  3603. # decreasing it leads to more disk I/O overheads. Should be a
  3604. # multiple of your operating system I/O page size. Defaults to
  3605. # 16KBytes. A housekeeping header is stored with each slot and
  3606. # smaller slot-sizes will be rejected. The header is smaller than
  3607. # 100 bytes.
  3608. #
  3609. #
  3610. # ==== COMMON OPTIONS ====
  3611. #
  3612. # no-store no new objects should be stored to this cache_dir.
  3613. #
  3614. # min-size=n the minimum object size in bytes this cache_dir
  3615. # will accept. It's used to restrict a cache_dir
  3616. # to only store large objects (e.g. AUFS) while
  3617. # other stores are optimized for smaller objects
  3618. # (e.g. Rock).
  3619. # Defaults to 0.
  3620. #
  3621. # max-size=n the maximum object size in bytes this cache_dir
  3622. # supports.
  3623. # The value in maximum_object_size directive sets
  3624. # the default unless more specific details are
  3625. # available (ie a small store capacity).
  3626. #
  3627. # Note: To make optimal use of the max-size limits you should order
  3628. # the cache_dir lines with the smallest max-size value first.
  3629. #
  3630. #Default:
  3631. # No disk cache. Store cache ojects only in memory.
  3632. #
  3633.  
  3634. # Uncomment and adjust the following to add a disk cache directory.
  3635. #cache_dir ufs /var/spool/squid 100 16 256
  3636.  
  3637. # TAG: store_dir_select_algorithm
  3638. # How Squid selects which cache_dir to use when the response
  3639. # object will fit into more than one.
  3640. #
  3641. # Regardless of which algorithm is used the cache_dir min-size
  3642. # and max-size parameters are obeyed. As such they can affect
  3643. # the selection algorithm by limiting the set of considered
  3644. # cache_dir.
  3645. #
  3646. # Algorithms:
  3647. #
  3648. # least-load
  3649. #
  3650. # This algorithm is suited to caches with similar cache_dir
  3651. # sizes and disk speeds.
  3652. #
  3653. # The disk with the least I/O pending is selected.
  3654. # When there are multiple disks with the same I/O load ranking
  3655. # the cache_dir with most available capacity is selected.
  3656. #
  3657. # When a mix of cache_dir sizes are configured the faster disks
  3658. # have a naturally lower I/O loading and larger disks have more
  3659. # capacity. So space used to store objects and data throughput
  3660. # may be very unbalanced towards larger disks.
  3661. #
  3662. #
  3663. # round-robin
  3664. #
  3665. # This algorithm is suited to caches with unequal cache_dir
  3666. # disk sizes.
  3667. #
  3668. # Each cache_dir is selected in a rotation. The next suitable
  3669. # cache_dir is used.
  3670. #
  3671. # Available cache_dir capacity is only considered in relation
  3672. # to whether the object will fit and meets the min-size and
  3673. # max-size parameters.
  3674. #
  3675. # Disk I/O loading is only considered to prevent overload on slow
  3676. # disks. This algorithm does not spread objects by size, so any
  3677. # I/O loading per-disk may appear very unbalanced and volatile.
  3678. #
  3679. # If several cache_dirs use similar min-size, max-size, or other
  3680. # limits to to reject certain responses, then do not group such
  3681. # cache_dir lines together, to avoid round-robin selection bias
  3682. # towards the first cache_dir after the group. Instead, interleave
  3683. # cache_dir lines from different groups. For example:
  3684. #
  3685. # store_dir_select_algorithm round-robin
  3686. # cache_dir rock /hdd1 ... min-size=100000
  3687. # cache_dir rock /ssd1 ... max-size=99999
  3688. # cache_dir rock /hdd2 ... min-size=100000
  3689. # cache_dir rock /ssd2 ... max-size=99999
  3690. # cache_dir rock /hdd3 ... min-size=100000
  3691. # cache_dir rock /ssd3 ... max-size=99999
  3692. cache_dir ufs /var/spool/squid 100 16 256
  3693. #Default:
  3694. # store_dir_select_algorithm least-load
  3695.  
  3696. # TAG: max_open_disk_fds
  3697. # To avoid having disk as the I/O bottleneck Squid can optionally
  3698. # bypass the on-disk cache if more than this amount of disk file
  3699. # descriptors are open.
  3700. #
  3701. # A value of 0 indicates no limit.
  3702. #Default:
  3703. # no limit
  3704.  
  3705. # TAG: cache_swap_low (percent, 0-100)
  3706. # The low-water mark for AUFS/UFS/diskd cache object eviction by
  3707. # the cache_replacement_policy algorithm.
  3708. #
  3709. # Removal begins when the swap (disk) usage of a cache_dir is
  3710. # above this low-water mark and attempts to maintain utilization
  3711. # near the low-water mark.
  3712. #
  3713. # As swap utilization increases towards the high-water mark set
  3714. # by cache_swap_high object eviction becomes more agressive.
  3715. #
  3716. # The value difference in percentages between low- and high-water
  3717. # marks represent an eviction rate of 300 objects per second and
  3718. # the rate continues to scale in agressiveness by multiples of
  3719. # this above the high-water mark.
  3720. #
  3721. # Defaults are 90% and 95%. If you have a large cache, 5% could be
  3722. # hundreds of MB. If this is the case you may wish to set these
  3723. # numbers closer together.
  3724. #
  3725. # See also cache_swap_high and cache_replacement_policy
  3726. #Default:
  3727. # cache_swap_low 90
  3728.  
  3729. # TAG: cache_swap_high (percent, 0-100)
  3730. # The high-water mark for AUFS/UFS/diskd cache object eviction by
  3731. # the cache_replacement_policy algorithm.
  3732. #
  3733. # Removal begins when the swap (disk) usage of a cache_dir is
  3734. # above the low-water mark set by cache_swap_low and attempts to
  3735. # maintain utilization near the low-water mark.
  3736. #
  3737. # As swap utilization increases towards this high-water mark object
  3738. # eviction becomes more agressive.
  3739. #
  3740. # The value difference in percentages between low- and high-water
  3741. # marks represent an eviction rate of 300 objects per second and
  3742. # the rate continues to scale in agressiveness by multiples of
  3743. # this above the high-water mark.
  3744. #
  3745. # Defaults are 90% and 95%. If you have a large cache, 5% could be
  3746. # hundreds of MB. If this is the case you may wish to set these
  3747. # numbers closer together.
  3748. #
  3749. # See also cache_swap_low and cache_replacement_policy
  3750. #Default:
  3751. # cache_swap_high 95
  3752.  
  3753. # LOGFILE OPTIONS
  3754. # -----------------------------------------------------------------------------
  3755.  
  3756. # TAG: logformat
  3757. # Usage:
  3758. #
  3759. # logformat <name> <format specification>
  3760. #
  3761. # Defines an access log format.
  3762. #
  3763. # The <format specification> is a string with embedded % format codes
  3764. #
  3765. # % format codes all follow the same basic structure where all
  3766. # components but the formatcode are optional and usually unnecessary,
  3767. # especially when dealing with common codes.
  3768. #
  3769. # % [encoding] [-] [[0]width] [{arg}] formatcode [{arg}]
  3770. #
  3771. # encoding escapes or otherwise protects "special" characters:
  3772. #
  3773. # " Quoted string encoding where quote(") and
  3774. # backslash(\) characters are \-escaped while
  3775. # CR, LF, and TAB characters are encoded as \r,
  3776. # \n, and \t two-character sequences.
  3777. #
  3778. # [ Custom Squid encoding where percent(%), square
  3779. # brackets([]), backslash(\) and characters with
  3780. # codes outside of [32,126] range are %-encoded.
  3781. # SP is not encoded. Used by log_mime_hdrs.
  3782. #
  3783. # # URL encoding (a.k.a. percent-encoding) where
  3784. # all URL unsafe and control characters (per RFC
  3785. # 1738) are %-encoded.
  3786. #
  3787. # / Shell-like encoding where quote(") and
  3788. # backslash(\) characters are \-escaped while CR
  3789. # and LF characters are encoded as \r and \n
  3790. # two-character sequences. Values containing SP
  3791. # character(s) are surrounded by quotes(").
  3792. #
  3793. # ' Raw/as-is encoding with no escaping/quoting.
  3794. #
  3795. # Default encoding: When no explicit encoding is
  3796. # specified, each %code determines its own encoding.
  3797. # Most %codes use raw/as-is encoding, but some codes use
  3798. # a so called "pass-through URL encoding" where all URL
  3799. # unsafe and control characters (per RFC 1738) are
  3800. # %-encoded, but the percent character(%) is left as is.
  3801. #
  3802. # - left aligned
  3803. #
  3804. # width minimum and/or maximum field width:
  3805. # [width_min][.width_max]
  3806. # When minimum starts with 0, the field is zero-padded.
  3807. # String values exceeding maximum width are truncated.
  3808. #
  3809. # {arg} argument such as header name etc. This field may be
  3810. # placed before or after the token, but not both at once.
  3811. #
  3812. # Format codes:
  3813. #
  3814. # % a literal % character
  3815. # sn Unique sequence number per log line entry
  3816. # err_code The ID of an error response served by Squid or
  3817. # a similar internal error identifier.
  3818. # err_detail Additional err_code-dependent error information.
  3819. # note The annotation specified by the argument. Also
  3820. # logs the adaptation meta headers set by the
  3821. # adaptation_meta configuration parameter.
  3822. # If no argument given all annotations logged.
  3823. # The argument may include a separator to use with
  3824. # annotation values:
  3825. # name[:separator]
  3826. # By default, multiple note values are separated with ","
  3827. # and multiple notes are separated with "\r\n".
  3828. # When logging named notes with %{name}note, the
  3829. # explicitly configured separator is used between note
  3830. # values. When logging all notes with %note, the
  3831. # explicitly configured separator is used between
  3832. # individual notes. There is currently no way to
  3833. # specify both value and notes separators when logging
  3834. # all notes with %note.
  3835. #
  3836. # Connection related format codes:
  3837. #
  3838. # >a Client source IP address
  3839. # >A Client FQDN
  3840. # >p Client source port
  3841. # >eui Client source EUI (MAC address, EUI-48 or EUI-64 identifier)
  3842. # >la Local IP address the client connected to
  3843. # >lp Local port number the client connected to
  3844. # >qos Client connection TOS/DSCP value set by Squid
  3845. # >nfmark Client connection netfilter mark set by Squid
  3846. #
  3847. # la Local listening IP address the client connection was connected to.
  3848. # lp Local listening port number the client connection was connected to.
  3849. #
  3850. # <a Server IP address of the last server or peer connection
  3851. # <A Server FQDN or peer name
  3852. # <p Server port number of the last server or peer connection
  3853. # <la Local IP address of the last server or peer connection
  3854. # <lp Local port number of the last server or peer connection
  3855. # <qos Server connection TOS/DSCP value set by Squid
  3856. # <nfmark Server connection netfilter mark set by Squid
  3857. #
  3858. # >handshake Raw client handshake
  3859. # Initial client bytes received by Squid on a newly
  3860. # accepted TCP connection or inside a just established
  3861. # CONNECT tunnel. Squid stops accumulating handshake
  3862. # bytes as soon as the handshake parser succeeds or
  3863. # fails (determining whether the client is using the
  3864. # expected protocol).
  3865. #
  3866. # For HTTP clients, the handshake is the request line.
  3867. # For TLS clients, the handshake consists of all TLS
  3868. # records up to and including the TLS record that
  3869. # contains the last byte of the first ClientHello
  3870. # message. For clients using an unsupported protocol,
  3871. # this field contains the bytes received by Squid at the
  3872. # time of the handshake parsing failure.
  3873. #
  3874. # See the on_unsupported_protocol directive for more
  3875. # information on Squid handshake traffic expectations.
  3876. #
  3877. # Current support is limited to these contexts:
  3878. # - http_port connections, but only when the
  3879. # on_unsupported_protocol directive is in use.
  3880. # - https_port connections (and CONNECT tunnels) that
  3881. # are subject to the ssl_bump peek or stare action.
  3882. #
  3883. # To protect binary handshake data, this field is always
  3884. # base64-encoded (RFC 4648 Section 4). If logformat
  3885. # field encoding is configured, that encoding is applied
  3886. # on top of base64. Otherwise, the computed base64 value
  3887. # is recorded as is.
  3888. #
  3889. # Time related format codes:
  3890. #
  3891. # ts Seconds since epoch
  3892. # tu subsecond time (milliseconds)
  3893. # tl Local time. Optional strftime format argument
  3894. # default %d/%b/%Y:%H:%M:%S %z
  3895. # tg GMT time. Optional strftime format argument
  3896. # default %d/%b/%Y:%H:%M:%S %z
  3897. # tr Response time (milliseconds)
  3898. # dt Total time spent making DNS lookups (milliseconds)
  3899. # tS Approximate master transaction start time in
  3900. # <full seconds since epoch>.<fractional seconds> format.
  3901. # Currently, Squid considers the master transaction
  3902. # started when a complete HTTP request header initiating
  3903. # the transaction is received from the client. This is
  3904. # the same value that Squid uses to calculate transaction
  3905. # response time when logging %tr to access.log. Currently,
  3906. # Squid uses millisecond resolution for %tS values,
  3907. # similar to the default access.log "current time" field
  3908. # (%ts.%03tu).
  3909. #
  3910. # Access Control related format codes:
  3911. #
  3912. # et Tag returned by external acl
  3913. # ea Log string returned by external acl
  3914. # un User name (any available)
  3915. # ul User name from authentication
  3916. # ue User name from external acl helper
  3917. # ui User name from ident
  3918. # un A user name. Expands to the first available name
  3919. # from the following list of information sources:
  3920. # - authenticated user name, like %ul
  3921. # - user name supplied by an external ACL, like %ue
  3922. # - SSL client name, like %us
  3923. # - ident user name, like %ui
  3924. # credentials Client credentials. The exact meaning depends on
  3925. # the authentication scheme: For Basic authentication,
  3926. # it is the password; for Digest, the realm sent by the
  3927. # client; for NTLM and Negotiate, the client challenge
  3928. # or client credentials prefixed with "YR " or "KK ".
  3929. #
  3930. # HTTP related format codes:
  3931. #
  3932. # REQUEST
  3933. #
  3934. # [http::]rm Request method (GET/POST etc)
  3935. # [http::]>rm Request method from client
  3936. # [http::]<rm Request method sent to server or peer
  3937. #
  3938. # [http::]ru Request URL received (or computed) and sanitized
  3939. #
  3940. # Logs request URI received from the client, a
  3941. # request adaptation service, or a request
  3942. # redirector (whichever was applied last).
  3943. #
  3944. # Computed URLs are URIs of internally generated
  3945. # requests and various "error:..." URIs.
  3946. #
  3947. # Honors strip_query_terms and uri_whitespace.
  3948. #
  3949. # This field is not encoded by default. Encoding
  3950. # this field using variants of %-encoding will
  3951. # clash with uri_whitespace modifications that
  3952. # also use %-encoding.
  3953. #
  3954. # [http::]>ru Request URL received from the client (or computed)
  3955. #
  3956. # Computed URLs are URIs of internally generated
  3957. # requests and various "error:..." URIs.
  3958. #
  3959. # Unlike %ru, this request URI is not affected
  3960. # by request adaptation, URL rewriting services,
  3961. # and strip_query_terms.
  3962. #
  3963. # Honors uri_whitespace.
  3964. #
  3965. # This field is using pass-through URL encoding
  3966. # by default. Encoding this field using other
  3967. # variants of %-encoding will clash with
  3968. # uri_whitespace modifications that also use
  3969. # %-encoding.
  3970. #
  3971. # [http::]<ru Request URL sent to server or peer
  3972. # [http::]>rs Request URL scheme from client
  3973. # [http::]<rs Request URL scheme sent to server or peer
  3974. # [http::]>rd Request URL domain from client
  3975. # [http::]<rd Request URL domain sent to server or peer
  3976. # [http::]>rP Request URL port from client
  3977. # [http::]<rP Request URL port sent to server or peer
  3978. # [http::]rp Request URL path excluding hostname
  3979. # [http::]>rp Request URL path excluding hostname from client
  3980. # [http::]<rp Request URL path excluding hostname sent to server or peer
  3981. # [http::]rv Request protocol version
  3982. # [http::]>rv Request protocol version from client
  3983. # [http::]<rv Request protocol version sent to server or peer
  3984. #
  3985. # [http::]>h Original received request header.
  3986. # Usually differs from the request header sent by
  3987. # Squid, although most fields are often preserved.
  3988. # Accepts optional header field name/value filter
  3989. # argument using name[:[separator]element] format.
  3990. # [http::]>ha Received request header after adaptation and
  3991. # redirection (pre-cache REQMOD vectoring point).
  3992. # Usually differs from the request header sent by
  3993. # Squid, although most fields are often preserved.
  3994. # Optional header name argument as for >h
  3995. #
  3996. # RESPONSE
  3997. #
  3998. # [http::]<Hs HTTP status code received from the next hop
  3999. # [http::]>Hs HTTP status code sent to the client
  4000. #
  4001. # [http::]<h Reply header. Optional header name argument
  4002. # as for >h
  4003. #
  4004. # [http::]mt MIME content type
  4005. #
  4006. #
  4007. # SIZE COUNTERS
  4008. #
  4009. # [http::]st Total size of request + reply traffic with client
  4010. # [http::]>st Total size of request received from client.
  4011. # Excluding chunked encoding bytes.
  4012. # [http::]<st Total size of reply sent to client (after adaptation)
  4013. #
  4014. # [http::]>sh Size of request headers received from client
  4015. # [http::]<sh Size of reply headers sent to client (after adaptation)
  4016. #
  4017. # [http::]<sH Reply high offset sent
  4018. # [http::]<sS Upstream object size
  4019. #
  4020. # [http::]<bs Number of HTTP-equivalent message body bytes
  4021. # received from the next hop, excluding chunked
  4022. # transfer encoding and control messages.
  4023. # Generated FTP/Gopher listings are treated as
  4024. # received bodies.
  4025. #
  4026. # TIMING
  4027. #
  4028. # [http::]<pt Peer response time in milliseconds. The timer starts
  4029. # when the last request byte is sent to the next hop
  4030. # and stops when the last response byte is received.
  4031. # [http::]<tt Total time in milliseconds. The timer
  4032. # starts with the first connect request (or write I/O)
  4033. # sent to the first selected peer. The timer stops
  4034. # with the last I/O with the last peer.
  4035. #
  4036. # Squid handling related format codes:
  4037. #
  4038. # Ss Squid request status (TCP_MISS etc)
  4039. # Sh Squid hierarchy status (DEFAULT_PARENT etc)
  4040. #
  4041. # SSL-related format codes:
  4042. #
  4043. # ssl::bump_mode SslBump decision for the transaction:
  4044. #
  4045. # For CONNECT requests that initiated bumping of
  4046. # a connection and for any request received on
  4047. # an already bumped connection, Squid logs the
  4048. # corresponding SslBump mode ("splice", "bump",
  4049. # "peek", "stare", "terminate", "server-first"
  4050. # or "client-first"). See the ssl_bump option
  4051. # for more information about these modes.
  4052. #
  4053. # A "none" token is logged for requests that
  4054. # triggered "ssl_bump" ACL evaluation matching
  4055. # a "none" rule.
  4056. #
  4057. # In all other cases, a single dash ("-") is
  4058. # logged.
  4059. #
  4060. # ssl::>sni SSL client SNI sent to Squid.
  4061. #
  4062. # ssl::>cert_subject
  4063. # The Subject field of the received client
  4064. # SSL certificate or a dash ('-') if Squid has
  4065. # received an invalid/malformed certificate or
  4066. # no certificate at all. Consider encoding the
  4067. # logged value because Subject often has spaces.
  4068. #
  4069. # ssl::>cert_issuer
  4070. # The Issuer field of the received client
  4071. # SSL certificate or a dash ('-') if Squid has
  4072. # received an invalid/malformed certificate or
  4073. # no certificate at all. Consider encoding the
  4074. # logged value because Issuer often has spaces.
  4075. #
  4076. # ssl::<cert_subject
  4077. # The Subject field of the received server
  4078. # TLS certificate or a dash ('-') if this is
  4079. # not available. Consider encoding the logged
  4080. # value because Subject often has spaces.
  4081. #
  4082. # ssl::<cert_issuer
  4083. # The Issuer field of the received server
  4084. # TLS certificate or a dash ('-') if this is
  4085. # not available. Consider encoding the logged
  4086. # value because Issuer often has spaces.
  4087. #
  4088. # ssl::<cert_errors
  4089. # The list of certificate validation errors
  4090. # detected by Squid (including OpenSSL and
  4091. # certificate validation helper components). The
  4092. # errors are listed in the discovery order. By
  4093. # default, the error codes are separated by ':'.
  4094. # Accepts an optional separator argument.
  4095. #
  4096. # %ssl::>negotiated_version The negotiated TLS version of the
  4097. # client connection.
  4098. #
  4099. # %ssl::<negotiated_version The negotiated TLS version of the
  4100. # last server or peer connection.
  4101. #
  4102. # %ssl::>received_hello_version The TLS version of the Hello
  4103. # message received from TLS client.
  4104. #
  4105. # %ssl::<received_hello_version The TLS version of the Hello
  4106. # message received from TLS server.
  4107. #
  4108. # %ssl::>received_supported_version The maximum TLS version
  4109. # supported by the TLS client.
  4110. #
  4111. # %ssl::<received_supported_version The maximum TLS version
  4112. # supported by the TLS server.
  4113. #
  4114. # %ssl::>negotiated_cipher The negotiated cipher of the
  4115. # client connection.
  4116. #
  4117. # %ssl::<negotiated_cipher The negotiated cipher of the
  4118. # last server or peer connection.
  4119. #
  4120. # If ICAP is enabled, the following code becomes available (as
  4121. # well as ICAP log codes documented with the icap_log option):
  4122. #
  4123. # icap::tt Total ICAP processing time for the HTTP
  4124. # transaction. The timer ticks when ICAP
  4125. # ACLs are checked and when ICAP
  4126. # transaction is in progress.
  4127. #
  4128. # If adaptation is enabled the following codes become available:
  4129. #
  4130. # adapt::<last_h The header of the last ICAP response or
  4131. # meta-information from the last eCAP
  4132. # transaction related to the HTTP transaction.
  4133. # Like <h, accepts an optional header name
  4134. # argument.
  4135. #
  4136. # adapt::sum_trs Summed adaptation transaction response
  4137. # times recorded as a comma-separated list in
  4138. # the order of transaction start time. Each time
  4139. # value is recorded as an integer number,
  4140. # representing response time of one or more
  4141. # adaptation (ICAP or eCAP) transaction in
  4142. # milliseconds. When a failed transaction is
  4143. # being retried or repeated, its time is not
  4144. # logged individually but added to the
  4145. # replacement (next) transaction. See also:
  4146. # adapt::all_trs.
  4147. #
  4148. # adapt::all_trs All adaptation transaction response times.
  4149. # Same as adaptation_strs but response times of
  4150. # individual transactions are never added
  4151. # together. Instead, all transaction response
  4152. # times are recorded individually.
  4153. #
  4154. # You can prefix adapt::*_trs format codes with adaptation
  4155. # service name in curly braces to record response time(s) specific
  4156. # to that service. For example: %{my_service}adapt::sum_trs
  4157. #
  4158. # The default formats available (which do not need re-defining) are:
  4159. #
  4160. #logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt
  4161. #logformat common %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh
  4162. #logformat combined %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
  4163. #logformat referrer %ts.%03tu %>a %{Referer}>h %ru
  4164. #logformat useragent %>a [%tl] "%{User-Agent}>h"
  4165. #
  4166. # NOTE: When the log_mime_hdrs directive is set to ON.
  4167. # The squid, common and combined formats have a safely encoded copy
  4168. # of the mime headers appended to each line within a pair of brackets.
  4169. #
  4170. # NOTE: The common and combined formats are not quite true to the Apache definition.
  4171. # The logs from Squid contain an extra status and hierarchy code appended.
  4172. #
  4173. #Default:
  4174. # The format definitions squid, common, combined, referrer, useragent are built in.
  4175.  
  4176. # TAG: access_log
  4177. # Configures whether and how Squid logs HTTP and ICP transactions.
  4178. # If access logging is enabled, a single line is logged for every
  4179. # matching HTTP or ICP request. The recommended directive formats are:
  4180. #
  4181. # access_log <module>:<place> [option ...] [acl acl ...]
  4182. # access_log none [acl acl ...]
  4183. #
  4184. # The following directive format is accepted but may be deprecated:
  4185. # access_log <module>:<place> [<logformat name> [acl acl ...]]
  4186. #
  4187. # In most cases, the first ACL name must not contain the '=' character
  4188. # and should not be equal to an existing logformat name. You can always
  4189. # start with an 'all' ACL to work around those restrictions.
  4190. #
  4191. # Will log to the specified module:place using the specified format (which
  4192. # must be defined in a logformat directive) those entries which match
  4193. # ALL the acl's specified (which must be defined in acl clauses).
  4194. # If no acl is specified, all requests will be logged to this destination.
  4195. #
  4196. # ===== Available options for the recommended directive format =====
  4197. #
  4198. # logformat=name Names log line format (either built-in or
  4199. # defined by a logformat directive). Defaults
  4200. # to 'squid'.
  4201. #
  4202. # buffer-size=64KB Defines approximate buffering limit for log
  4203. # records (see buffered_logs). Squid should not
  4204. # keep more than the specified size and, hence,
  4205. # should flush records before the buffer becomes
  4206. # full to avoid overflows under normal
  4207. # conditions (the exact flushing algorithm is
  4208. # module-dependent though). The on-error option
  4209. # controls overflow handling.
  4210. #
  4211. # on-error=die|drop Defines action on unrecoverable errors. The
  4212. # 'drop' action ignores (i.e., does not log)
  4213. # affected log records. The default 'die' action
  4214. # kills the affected worker. The drop action
  4215. # support has not been tested for modules other
  4216. # than tcp.
  4217. #
  4218. # rotate=N Specifies the number of log file rotations to
  4219. # make when you run 'squid -k rotate'. The default
  4220. # is to obey the logfile_rotate directive. Setting
  4221. # rotate=0 will disable the file name rotation,
  4222. # but the log files are still closed and re-opened.
  4223. # This will enable you to rename the logfiles
  4224. # yourself just before sending the rotate signal.
  4225. # Only supported by the stdio module.
  4226. #
  4227. # ===== Modules Currently available =====
  4228. #
  4229. # none Do not log any requests matching these ACL.
  4230. # Do not specify Place or logformat name.
  4231. #
  4232. # stdio Write each log line to disk immediately at the completion of
  4233. # each request.
  4234. # Place: the filename and path to be written.
  4235. #
  4236. # daemon Very similar to stdio. But instead of writing to disk the log
  4237. # line is passed to a daemon helper for asychronous handling instead.
  4238. # Place: varies depending on the daemon.
  4239. #
  4240. # log_file_daemon Place: the file name and path to be written.
  4241. #
  4242. # syslog To log each request via syslog facility.
  4243. # Place: The syslog facility and priority level for these entries.
  4244. # Place Format: facility.priority
  4245. #
  4246. # where facility could be any of:
  4247. # authpriv, daemon, local0 ... local7 or user.
  4248. #
  4249. # And priority could be any of:
  4250. # err, warning, notice, info, debug.
  4251. #
  4252. # udp To send each log line as text data to a UDP receiver.
  4253. # Place: The destination host name or IP and port.
  4254. # Place Format: //host:port
  4255. #
  4256. # tcp To send each log line as text data to a TCP receiver.
  4257. # Lines may be accumulated before sending (see buffered_logs).
  4258. # Place: The destination host name or IP and port.
  4259. # Place Format: //host:port
  4260. #
  4261. # Default:
  4262. # access_log daemon:/var/log/squid/access.log squid
  4263. #Default:
  4264. # access_log daemon:/var/log/squid/access.log squid
  4265.  
  4266. # TAG: icap_log
  4267. # ICAP log files record ICAP transaction summaries, one line per
  4268. # transaction.
  4269. #
  4270. # The icap_log option format is:
  4271. # icap_log <filepath> [<logformat name> [acl acl ...]]
  4272. # icap_log none [acl acl ...]]
  4273. #
  4274. # Please see access_log option documentation for details. The two
  4275. # kinds of logs share the overall configuration approach and many
  4276. # features.
  4277. #
  4278. # ICAP processing of a single HTTP message or transaction may
  4279. # require multiple ICAP transactions. In such cases, multiple
  4280. # ICAP transaction log lines will correspond to a single access
  4281. # log line.
  4282. #
  4283. # ICAP log supports many access.log logformat %codes. In ICAP context,
  4284. # HTTP message-related %codes are applied to the HTTP message embedded
  4285. # in an ICAP message. Logformat "%http::>..." codes are used for HTTP
  4286. # messages embedded in ICAP requests while "%http::<..." codes are used
  4287. # for HTTP messages embedded in ICAP responses. For example:
  4288. #
  4289. # http::>h To-be-adapted HTTP message headers sent by Squid to
  4290. # the ICAP service. For REQMOD transactions, these are
  4291. # HTTP request headers. For RESPMOD, these are HTTP
  4292. # response headers, but Squid currently cannot log them
  4293. # (i.e., %http::>h will expand to "-" for RESPMOD).
  4294. #
  4295. # http::<h Adapted HTTP message headers sent by the ICAP
  4296. # service to Squid (i.e., HTTP request headers in regular
  4297. # REQMOD; HTTP response headers in RESPMOD and during
  4298. # request satisfaction in REQMOD).
  4299. #
  4300. # ICAP OPTIONS transactions do not embed HTTP messages.
  4301. #
  4302. # Several logformat codes below deal with ICAP message bodies. An ICAP
  4303. # message body, if any, typically includes a complete HTTP message
  4304. # (required HTTP headers plus optional HTTP message body). When
  4305. # computing HTTP message body size for these logformat codes, Squid
  4306. # either includes or excludes chunked encoding overheads; see
  4307. # code-specific documentation for details.
  4308. #
  4309. # For Secure ICAP services, all size-related information is currently
  4310. # computed before/after TLS encryption/decryption, as if TLS was not
  4311. # in use at all.
  4312. #
  4313. # The following format codes are also available for ICAP logs:
  4314. #
  4315. # icap::<A ICAP server IP address. Similar to <A.
  4316. #
  4317. # icap::<service_name ICAP service name from the icap_service
  4318. # option in Squid configuration file.
  4319. #
  4320. # icap::ru ICAP Request-URI. Similar to ru.
  4321. #
  4322. # icap::rm ICAP request method (REQMOD, RESPMOD, or
  4323. # OPTIONS). Similar to existing rm.
  4324. #
  4325. # icap::>st The total size of the ICAP request sent to the ICAP
  4326. # server (ICAP headers + ICAP body), including chunking
  4327. # metadata (if any).
  4328. #
  4329. # icap::<st The total size of the ICAP response received from the
  4330. # ICAP server (ICAP headers + ICAP body), including
  4331. # chunking metadata (if any).
  4332. #
  4333. # icap::<bs The size of the ICAP response body received from the
  4334. # ICAP server, excluding chunking metadata (if any).
  4335. #
  4336. # icap::tr Transaction response time (in
  4337. # milliseconds). The timer starts when
  4338. # the ICAP transaction is created and
  4339. # stops when the transaction is completed.
  4340. # Similar to tr.
  4341. #
  4342. # icap::tio Transaction I/O time (in milliseconds). The
  4343. # timer starts when the first ICAP request
  4344. # byte is scheduled for sending. The timers
  4345. # stops when the last byte of the ICAP response
  4346. # is received.
  4347. #
  4348. # icap::to Transaction outcome: ICAP_ERR* for all
  4349. # transaction errors, ICAP_OPT for OPTION
  4350. # transactions, ICAP_ECHO for 204
  4351. # responses, ICAP_MOD for message
  4352. # modification, and ICAP_SAT for request
  4353. # satisfaction. Similar to Ss.
  4354. #
  4355. # icap::Hs ICAP response status code. Similar to Hs.
  4356. #
  4357. # icap::>h ICAP request header(s). Similar to >h.
  4358. #
  4359. # icap::<h ICAP response header(s). Similar to <h.
  4360. #
  4361. # The default ICAP log format, which can be used without an explicit
  4362. # definition, is called icap_squid:
  4363. #
  4364. #logformat icap_squid %ts.%03tu %6icap::tr %>A %icap::to/%03icap::Hs %icap::<st %icap::rm %icap::ru %un -/%icap::<A -
  4365. #
  4366. # See also: logformat and %adapt::<last_h
  4367. #Default:
  4368. # none
  4369.  
  4370. # TAG: logfile_daemon
  4371. # Specify the path to the logfile-writing daemon. This daemon is
  4372. # used to write the access and store logs, if configured.
  4373. #
  4374. # Squid sends a number of commands to the log daemon:
  4375. # L<data>\n - logfile data
  4376. # R\n - rotate file
  4377. # T\n - truncate file
  4378. # O\n - reopen file
  4379. # F\n - flush file
  4380. # r<n>\n - set rotate count to <n>
  4381. # b<n>\n - 1 = buffer output, 0 = don't buffer output
  4382. #
  4383. # No responses is expected.
  4384. #Default:
  4385. # logfile_daemon /usr/lib/squid/log_file_daemon
  4386.  
  4387. # TAG: stats_collection allow|deny acl acl...
  4388. # This options allows you to control which requests gets accounted
  4389. # in performance counters.
  4390. #
  4391. # This clause only supports fast acl types.
  4392. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  4393. #Default:
  4394. # Allow logging for all transactions.
  4395.  
  4396. # TAG: cache_store_log
  4397. # Logs the activities of the storage manager. Shows which
  4398. # objects are ejected from the cache, and which objects are
  4399. # saved and for how long.
  4400. # There are not really utilities to analyze this data, so you can safely
  4401. # disable it (the default).
  4402. #
  4403. # Store log uses modular logging outputs. See access_log for the list
  4404. # of modules supported.
  4405. #
  4406. # Example:
  4407. # cache_store_log stdio:/var/log/squid/store.log
  4408. # cache_store_log daemon:/var/log/squid/store.log
  4409. #Default:
  4410. # none
  4411.  
  4412. # TAG: cache_swap_state
  4413. # Location for the cache "swap.state" file. This index file holds
  4414. # the metadata of objects saved on disk. It is used to rebuild
  4415. # the cache during startup. Normally this file resides in each
  4416. # 'cache_dir' directory, but you may specify an alternate
  4417. # pathname here. Note you must give a full filename, not just
  4418. # a directory. Since this is the index for the whole object
  4419. # list you CANNOT periodically rotate it!
  4420. #
  4421. # If %s can be used in the file name it will be replaced with a
  4422. # a representation of the cache_dir name where each / is replaced
  4423. # with '.'. This is needed to allow adding/removing cache_dir
  4424. # lines when cache_swap_log is being used.
  4425. #
  4426. # If have more than one 'cache_dir', and %s is not used in the name
  4427. # these swap logs will have names such as:
  4428. #
  4429. # cache_swap_log.00
  4430. # cache_swap_log.01
  4431. # cache_swap_log.02
  4432. #
  4433. # The numbered extension (which is added automatically)
  4434. # corresponds to the order of the 'cache_dir' lines in this
  4435. # configuration file. If you change the order of the 'cache_dir'
  4436. # lines in this file, these index files will NOT correspond to
  4437. # the correct 'cache_dir' entry (unless you manually rename
  4438. # them). We recommend you do NOT use this option. It is
  4439. # better to keep these index files in each 'cache_dir' directory.
  4440. #Default:
  4441. # Store the journal inside its cache_dir
  4442.  
  4443. # TAG: logfile_rotate
  4444. # Specifies the default number of logfile rotations to make when you
  4445. # type 'squid -k rotate'. The default is 10, which will rotate
  4446. # with extensions 0 through 9. Setting logfile_rotate to 0 will
  4447. # disable the file name rotation, but the logfiles are still closed
  4448. # and re-opened. This will enable you to rename the logfiles
  4449. # yourself just before sending the rotate signal.
  4450. #
  4451. # Note, from Squid-3.1 this option is only a default for cache.log,
  4452. # that log can be rotated separately by using debug_options.
  4453. #
  4454. # Note, from Squid-4 this option is only a default for access.log
  4455. # recorded by stdio: module. Those logs can be rotated separately by
  4456. # using the rotate=N option on their access_log directive.
  4457. #
  4458. # Note, the 'squid -k rotate' command normally sends a USR1
  4459. # signal to the running squid process. In certain situations
  4460. # (e.g. on Linux with Async I/O), USR1 is used for other
  4461. # purposes, so -k rotate uses another signal. It is best to get
  4462. # in the habit of using 'squid -k rotate' instead of 'kill -USR1
  4463. # <pid>'.
  4464. #
  4465. # Note, for Debian/Linux the default of logfile_rotate is
  4466. # zero, since it includes external logfile-rotation methods.
  4467. #Default:
  4468. # logfile_rotate 0
  4469.  
  4470. # TAG: mime_table
  4471. # Path to Squid's icon configuration file.
  4472. #
  4473. # You shouldn't need to change this, but the default file contains
  4474. # examples and formatting information if you do.
  4475. #Default:
  4476. # mime_table /usr/share/squid/mime.conf
  4477.  
  4478. # TAG: log_mime_hdrs on|off
  4479. # The Cache can record both the request and the response MIME
  4480. # headers for each HTTP transaction. The headers are encoded
  4481. # safely and will appear as two bracketed fields at the end of
  4482. # the access log (for either the native or httpd-emulated log
  4483. # formats). To enable this logging set log_mime_hdrs to 'on'.
  4484. #Default:
  4485. # log_mime_hdrs off
  4486.  
  4487. # TAG: pid_filename
  4488. # A filename to write the process-id to. To disable, enter "none".
  4489. #Default:
  4490. # pid_filename /var/run/squid.pid
  4491.  
  4492. # TAG: client_netmask
  4493. # A netmask for client addresses in logfiles and cachemgr output.
  4494. # Change this to protect the privacy of your cache clients.
  4495. # A netmask of 255.255.255.0 will log all IP's in that range with
  4496. # the last digit set to '0'.
  4497. #Default:
  4498. # Log full client IP address
  4499.  
  4500. # TAG: strip_query_terms
  4501. # By default, Squid strips query terms from requested URLs before
  4502. # logging. This protects your user's privacy and reduces log size.
  4503. #
  4504. # When investigating HIT/MISS or other caching behaviour you
  4505. # will need to disable this to see the full URL used by Squid.
  4506. #Default:
  4507. # strip_query_terms on
  4508.  
  4509. # TAG: buffered_logs on|off
  4510. # Whether to write/send access_log records ASAP or accumulate them and
  4511. # then write/send them in larger chunks. Buffering may improve
  4512. # performance because it decreases the number of I/Os. However,
  4513. # buffering increases the delay before log records become available to
  4514. # the final recipient (e.g., a disk file or logging daemon) and,
  4515. # hence, increases the risk of log records loss.
  4516. #
  4517. # Note that even when buffered_logs are off, Squid may have to buffer
  4518. # records if it cannot write/send them immediately due to pending I/Os
  4519. # (e.g., the I/O writing the previous log record) or connectivity loss.
  4520. #
  4521. # Currently honored by 'daemon' and 'tcp' access_log modules only.
  4522. #Default:
  4523. # buffered_logs off
  4524.  
  4525. # TAG: netdb_filename
  4526. # Where Squid stores it's netdb journal.
  4527. # When enabled this journal preserves netdb state between restarts.
  4528. #
  4529. # To disable, enter "none".
  4530. #Default:
  4531. # netdb_filename stdio:/var/spool/squid/netdb.state
  4532.  
  4533. # OPTIONS FOR TROUBLESHOOTING
  4534. # -----------------------------------------------------------------------------
  4535.  
  4536. # TAG: cache_log
  4537. # Squid administrative logging file.
  4538. #
  4539. # This is where general information about Squid behavior goes. You can
  4540. # increase the amount of data logged to this file and how often it is
  4541. # rotated with "debug_options"
  4542. #Default:
  4543. # cache_log /var/log/squid/cache.log
  4544.  
  4545. # TAG: debug_options
  4546. # Logging options are set as section,level where each source file
  4547. # is assigned a unique section. Lower levels result in less
  4548. # output, Full debugging (level 9) can result in a very large
  4549. # log file, so be careful.
  4550. #
  4551. # The magic word "ALL" sets debugging levels for all sections.
  4552. # The default is to run with "ALL,1" to record important warnings.
  4553. #
  4554. # The rotate=N option can be used to keep more or less of these logs
  4555. # than would otherwise be kept by logfile_rotate.
  4556. # For most uses a single log should be enough to monitor current
  4557. # events affecting Squid.
  4558. #Default:
  4559. # Log all critical and important messages.
  4560.  
  4561. # TAG: coredump_dir
  4562. # By default Squid leaves core files in the directory from where
  4563. # it was started. If you set 'coredump_dir' to a directory
  4564. # that exists, Squid will chdir() to that directory at startup
  4565. # and coredump files will be left there.
  4566. #
  4567. #Default:
  4568. # Use the directory from where Squid was started.
  4569. #
  4570.  
  4571. # Leave coredumps in the first cache dir
  4572. coredump_dir /var/spool/squid
  4573.  
  4574. # OPTIONS FOR FTP GATEWAYING
  4575. # -----------------------------------------------------------------------------
  4576.  
  4577. # TAG: ftp_user
  4578. # If you want the anonymous login password to be more informative
  4579. # (and enable the use of picky FTP servers), set this to something
  4580. # reasonable for your domain, like wwwuser@somewhere.net
  4581. #
  4582. # The reason why this is domainless by default is the
  4583. # request can be made on the behalf of a user in any domain,
  4584. # depending on how the cache is used.
  4585. # Some FTP server also validate the email address is valid
  4586. # (for example perl.com).
  4587. #Default:
  4588. # ftp_user Squid@
  4589.  
  4590. # TAG: ftp_passive
  4591. # If your firewall does not allow Squid to use passive
  4592. # connections, turn off this option.
  4593. #
  4594. # Use of ftp_epsv_all option requires this to be ON.
  4595. #Default:
  4596. # ftp_passive on
  4597.  
  4598. # TAG: ftp_epsv_all
  4599. # FTP Protocol extensions permit the use of a special "EPSV ALL" command.
  4600. #
  4601. # NATs may be able to put the connection on a "fast path" through the
  4602. # translator, as the EPRT command will never be used and therefore,
  4603. # translation of the data portion of the segments will never be needed.
  4604. #
  4605. # When a client only expects to do two-way FTP transfers this may be
  4606. # useful.
  4607. # If squid finds that it must do a three-way FTP transfer after issuing
  4608. # an EPSV ALL command, the FTP session will fail.
  4609. #
  4610. # If you have any doubts about this option do not use it.
  4611. # Squid will nicely attempt all other connection methods.
  4612. #
  4613. # Requires ftp_passive to be ON (default) for any effect.
  4614. #Default:
  4615. # ftp_epsv_all off
  4616.  
  4617. # TAG: ftp_epsv
  4618. # FTP Protocol extensions permit the use of a special "EPSV" command.
  4619. #
  4620. # NATs may be able to put the connection on a "fast path" through the
  4621. # translator using EPSV, as the EPRT command will never be used
  4622. # and therefore, translation of the data portion of the segments
  4623. # will never be needed.
  4624. #
  4625. # EPSV is often required to interoperate with FTP servers on IPv6
  4626. # networks. On the other hand, it may break some IPv4 servers.
  4627. #
  4628. # By default, EPSV may try EPSV with any FTP server. To fine tune
  4629. # that decision, you may restrict EPSV to certain clients or servers
  4630. # using ACLs:
  4631. #
  4632. # ftp_epsv allow|deny al1 acl2 ...
  4633. #
  4634. # WARNING: Disabling EPSV may cause problems with external NAT and IPv6.
  4635. #
  4636. # Only fast ACLs are supported.
  4637. # Requires ftp_passive to be ON (default) for any effect.
  4638. #Default:
  4639. # none
  4640.  
  4641. # TAG: ftp_eprt
  4642. # FTP Protocol extensions permit the use of a special "EPRT" command.
  4643. #
  4644. # This extension provides a protocol neutral alternative to the
  4645. # IPv4-only PORT command. When supported it enables active FTP data
  4646. # channels over IPv6 and efficient NAT handling.
  4647. #
  4648. # Turning this OFF will prevent EPRT being attempted and will skip
  4649. # straight to using PORT for IPv4 servers.
  4650. #
  4651. # Some devices are known to not handle this extension correctly and
  4652. # may result in crashes. Devices which suport EPRT enough to fail
  4653. # cleanly will result in Squid attempting PORT anyway. This directive
  4654. # should only be disabled when EPRT results in device failures.
  4655. #
  4656. # WARNING: Doing so will convert Squid back to the old behavior with all
  4657. # the related problems with external NAT devices/layers and IPv4-only FTP.
  4658. #Default:
  4659. # ftp_eprt on
  4660.  
  4661. # TAG: ftp_sanitycheck
  4662. # For security and data integrity reasons Squid by default performs
  4663. # sanity checks of the addresses of FTP data connections ensure the
  4664. # data connection is to the requested server. If you need to allow
  4665. # FTP connections to servers using another IP address for the data
  4666. # connection turn this off.
  4667. #Default:
  4668. # ftp_sanitycheck on
  4669.  
  4670. # TAG: ftp_telnet_protocol
  4671. # The FTP protocol is officially defined to use the telnet protocol
  4672. # as transport channel for the control connection. However, many
  4673. # implementations are broken and does not respect this aspect of
  4674. # the FTP protocol.
  4675. #
  4676. # If you have trouble accessing files with ASCII code 255 in the
  4677. # path or similar problems involving this ASCII code you can
  4678. # try setting this directive to off. If that helps, report to the
  4679. # operator of the FTP server in question that their FTP server
  4680. # is broken and does not follow the FTP standard.
  4681. #Default:
  4682. # ftp_telnet_protocol on
  4683.  
  4684. # OPTIONS FOR EXTERNAL SUPPORT PROGRAMS
  4685. # -----------------------------------------------------------------------------
  4686.  
  4687. # TAG: diskd_program
  4688. # Specify the location of the diskd executable.
  4689. # Note this is only useful if you have compiled in
  4690. # diskd as one of the store io modules.
  4691. #Default:
  4692. # diskd_program /usr/lib/squid/diskd
  4693.  
  4694. # TAG: unlinkd_program
  4695. # Specify the location of the executable for file deletion process.
  4696. #Default:
  4697. # unlinkd_program /usr/lib/squid/unlinkd
  4698.  
  4699. # TAG: pinger_program
  4700. # Specify the location of the executable for the pinger process.
  4701. #Default:
  4702. # pinger_program /usr/lib/squid/pinger
  4703.  
  4704. # TAG: pinger_enable
  4705. # Control whether the pinger is active at run-time.
  4706. # Enables turning ICMP pinger on and off with a simple
  4707. # squid -k reconfigure.
  4708. #Default:
  4709. # pinger_enable on
  4710.  
  4711. # OPTIONS FOR URL REWRITING
  4712. # -----------------------------------------------------------------------------
  4713.  
  4714. # TAG: url_rewrite_program
  4715. # Specify the location of the executable URL rewriter to use.
  4716. # Since they can perform almost any function there isn't one included.
  4717. #
  4718. # For each requested URL, the rewriter will receive on line with the format
  4719. #
  4720. # [channel-ID <SP>] URL [<SP> extras]<NL>
  4721. #
  4722. # See url_rewrite_extras on how to send "extras" with optional values to
  4723. # the helper.
  4724. # After processing the request the helper must reply using the following format:
  4725. #
  4726. # [channel-ID <SP>] result [<SP> kv-pairs]
  4727. #
  4728. # The result code can be:
  4729. #
  4730. # OK status=30N url="..."
  4731. # Redirect the URL to the one supplied in 'url='.
  4732. # 'status=' is optional and contains the status code to send
  4733. # the client in Squids HTTP response. It must be one of the
  4734. # HTTP redirect status codes: 301, 302, 303, 307, 308.
  4735. # When no status is given Squid will use 302.
  4736. #
  4737. # OK rewrite-url="..."
  4738. # Rewrite the URL to the one supplied in 'rewrite-url='.
  4739. # The new URL is fetched directly by Squid and returned to
  4740. # the client as the response to its request.
  4741. #
  4742. # OK
  4743. # When neither of url= and rewrite-url= are sent Squid does
  4744. # not change the URL.
  4745. #
  4746. # ERR
  4747. # Do not change the URL.
  4748. #
  4749. # BH
  4750. # An internal error occurred in the helper, preventing
  4751. # a result being identified. The 'message=' key name is
  4752. # reserved for delivering a log message.
  4753. #
  4754. #
  4755. # In addition to the above kv-pairs Squid also understands the following
  4756. # optional kv-pairs received from URL rewriters:
  4757. # clt_conn_tag=TAG
  4758. # Associates a TAG with the client TCP connection.
  4759. # The TAG is treated as a regular annotation but persists across
  4760. # future requests on the client connection rather than just the
  4761. # current request. A helper may update the TAG during subsequent
  4762. # requests be returning a new kv-pair.
  4763. #
  4764. # When using the concurrency= option the protocol is changed by
  4765. # introducing a query channel tag in front of the request/response.
  4766. # The query channel tag is a number between 0 and concurrency-1.
  4767. # This value must be echoed back unchanged to Squid as the first part
  4768. # of the response relating to its request.
  4769. #
  4770. # WARNING: URL re-writing ability should be avoided whenever possible.
  4771. # Use the URL redirect form of response instead.
  4772. #
  4773. # Re-write creates a difference in the state held by the client
  4774. # and server. Possibly causing confusion when the server response
  4775. # contains snippets of its view state. Embeded URLs, response
  4776. # and content Location headers, etc. are not re-written by this
  4777. # interface.
  4778. #
  4779. # By default, a URL rewriter is not used.
  4780. #Default:
  4781. # none
  4782.  
  4783. # TAG: url_rewrite_children
  4784. # Specifies the maximum number of redirector processes that Squid may
  4785. # spawn (numberofchildren) and several related options. Using too few of
  4786. # these helper processes (a.k.a. "helpers") creates request queues.
  4787. # Using too many helpers wastes your system resources.
  4788. #
  4789. # Usage: numberofchildren [option]...
  4790. #
  4791. # The startup= and idle= options allow some measure of skew in your
  4792. # tuning.
  4793. #
  4794. # startup=
  4795. #
  4796. # Sets a minimum of how many processes are to be spawned when Squid
  4797. # starts or reconfigures. When set to zero the first request will
  4798. # cause spawning of the first child process to handle it.
  4799. #
  4800. # Starting too few will cause an initial slowdown in traffic as Squid
  4801. # attempts to simultaneously spawn enough processes to cope.
  4802. #
  4803. # idle=
  4804. #
  4805. # Sets a minimum of how many processes Squid is to try and keep available
  4806. # at all times. When traffic begins to rise above what the existing
  4807. # processes can handle this many more will be spawned up to the maximum
  4808. # configured. A minimum setting of 1 is required.
  4809. #
  4810. # concurrency=
  4811. #
  4812. # The number of requests each redirector helper can handle in
  4813. # parallel. Defaults to 0 which indicates the redirector
  4814. # is a old-style single threaded redirector.
  4815. #
  4816. # When this directive is set to a value >= 1 then the protocol
  4817. # used to communicate with the helper is modified to include
  4818. # an ID in front of the request/response. The ID from the request
  4819. # must be echoed back with the response to that request.
  4820. #
  4821. # queue-size=N
  4822. #
  4823. # Sets the maximum number of queued requests. A request is queued when
  4824. # no existing child can accept it due to concurrency limit and no new
  4825. # child can be started due to numberofchildren limit. The default
  4826. # maximum is zero if url_rewrite_bypass is enabled and
  4827. # 2*numberofchildren otherwise. If the queued requests exceed queue size
  4828. # and redirector_bypass configuration option is set, then redirector is
  4829. # bypassed. Otherwise, Squid is allowed to temporarily exceed the
  4830. # configured maximum, marking the affected helper as "overloaded". If
  4831. # the helper overload lasts more than 3 minutes, the action prescribed
  4832. # by the on-persistent-overload option applies.
  4833. #
  4834. # on-persistent-overload=action
  4835. #
  4836. # Specifies Squid reaction to a new helper request arriving when the helper
  4837. # has been overloaded for more that 3 minutes already. The number of queued
  4838. # requests determines whether the helper is overloaded (see the queue-size
  4839. # option).
  4840. #
  4841. # Two actions are supported:
  4842. #
  4843. # die Squid worker quits. This is the default behavior.
  4844. #
  4845. # ERR Squid treats the helper request as if it was
  4846. # immediately submitted, and the helper immediately
  4847. # replied with an ERR response. This action has no effect
  4848. # on the already queued and in-progress helper requests.
  4849. #Default:
  4850. # url_rewrite_children 20 startup=0 idle=1 concurrency=0
  4851.  
  4852. # TAG: url_rewrite_host_header
  4853. # To preserve same-origin security policies in browsers and
  4854. # prevent Host: header forgery by redirectors Squid rewrites
  4855. # any Host: header in redirected requests.
  4856. #
  4857. # If you are running an accelerator this may not be a wanted
  4858. # effect of a redirector. This directive enables you disable
  4859. # Host: alteration in reverse-proxy traffic.
  4860. #
  4861. # WARNING: Entries are cached on the result of the URL rewriting
  4862. # process, so be careful if you have domain-virtual hosts.
  4863. #
  4864. # WARNING: Squid and other software verifies the URL and Host
  4865. # are matching, so be careful not to relay through other proxies
  4866. # or inspecting firewalls with this disabled.
  4867. #Default:
  4868. # url_rewrite_host_header on
  4869.  
  4870. # TAG: url_rewrite_access
  4871. # If defined, this access list specifies which requests are
  4872. # sent to the redirector processes.
  4873. #
  4874. # This clause supports both fast and slow acl types.
  4875. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  4876. #Default:
  4877. # Allow, unless rules exist in squid.conf.
  4878.  
  4879. # TAG: url_rewrite_bypass
  4880. # When this is 'on', a request will not go through the
  4881. # redirector if all the helpers are busy. If this is 'off' and the
  4882. # redirector queue grows too large, the action is prescribed by the
  4883. # on-persistent-overload option. You should only enable this if the
  4884. # redirectors are not critical to your caching system. If you use
  4885. # redirectors for access control, and you enable this option,
  4886. # users may have access to pages they should not
  4887. # be allowed to request.
  4888. #
  4889. # Enabling this option sets the default url_rewrite_children queue-size
  4890. # option value to 0.
  4891. #Default:
  4892. # url_rewrite_bypass off
  4893.  
  4894. # TAG: url_rewrite_extras
  4895. # Specifies a string to be append to request line format for the
  4896. # rewriter helper. "Quoted" format values may contain spaces and
  4897. # logformat %macros. In theory, any logformat %macro can be used.
  4898. # In practice, a %macro expands as a dash (-) if the helper request is
  4899. # sent before the required macro information is available to Squid.
  4900. #Default:
  4901. # url_rewrite_extras "%>a/%>A %un %>rm myip=%la myport=%lp"
  4902.  
  4903. # TAG: url_rewrite_timeout
  4904. # Squid times active requests to redirector. The timeout value and Squid
  4905. # reaction to a timed out request are configurable using the following
  4906. # format:
  4907. #
  4908. # url_rewrite_timeout timeout time-units on_timeout=<action> [response=<quoted-response>]
  4909. #
  4910. # supported timeout actions:
  4911. # fail Squid return a ERR_GATEWAY_FAILURE error page
  4912. #
  4913. # bypass Do not re-write the URL
  4914. #
  4915. # retry Send the lookup to the helper again
  4916. #
  4917. # use_configured_response
  4918. # Use the <quoted-response> as helper response
  4919. #Default:
  4920. # Squid waits for the helper response forever
  4921.  
  4922. # OPTIONS FOR STORE ID
  4923. # -----------------------------------------------------------------------------
  4924.  
  4925. # TAG: store_id_program
  4926. # Specify the location of the executable StoreID helper to use.
  4927. # Since they can perform almost any function there isn't one included.
  4928. #
  4929. # For each requested URL, the helper will receive one line with the format
  4930. #
  4931. # [channel-ID <SP>] URL [<SP> extras]<NL>
  4932. #
  4933. #
  4934. # After processing the request the helper must reply using the following format:
  4935. #
  4936. # [channel-ID <SP>] result [<SP> kv-pairs]
  4937. #
  4938. # The result code can be:
  4939. #
  4940. # OK store-id="..."
  4941. # Use the StoreID supplied in 'store-id='.
  4942. #
  4943. # ERR
  4944. # The default is to use HTTP request URL as the store ID.
  4945. #
  4946. # BH
  4947. # An internal error occurred in the helper, preventing
  4948. # a result being identified.
  4949. #
  4950. # In addition to the above kv-pairs Squid also understands the following
  4951. # optional kv-pairs received from URL rewriters:
  4952. # clt_conn_tag=TAG
  4953. # Associates a TAG with the client TCP connection.
  4954. # Please see url_rewrite_program related documentation for this
  4955. # kv-pair
  4956. #
  4957. # Helper programs should be prepared to receive and possibly ignore
  4958. # additional whitespace-separated tokens on each input line.
  4959. #
  4960. # When using the concurrency= option the protocol is changed by
  4961. # introducing a query channel tag in front of the request/response.
  4962. # The query channel tag is a number between 0 and concurrency-1.
  4963. # This value must be echoed back unchanged to Squid as the first part
  4964. # of the response relating to its request.
  4965. #
  4966. # NOTE: when using StoreID refresh_pattern will apply to the StoreID
  4967. # returned from the helper and not the URL.
  4968. #
  4969. # WARNING: Wrong StoreID value returned by a careless helper may result
  4970. # in the wrong cached response returned to the user.
  4971. #
  4972. # By default, a StoreID helper is not used.
  4973. #Default:
  4974. # none
  4975.  
  4976. # TAG: store_id_extras
  4977. # Specifies a string to be append to request line format for the
  4978. # StoreId helper. "Quoted" format values may contain spaces and
  4979. # logformat %macros. In theory, any logformat %macro can be used.
  4980. # In practice, a %macro expands as a dash (-) if the helper request is
  4981. # sent before the required macro information is available to Squid.
  4982. #Default:
  4983. # store_id_extras "%>a/%>A %un %>rm myip=%la myport=%lp"
  4984.  
  4985. # TAG: store_id_children
  4986. # Specifies the maximum number of StoreID helper processes that Squid
  4987. # may spawn (numberofchildren) and several related options. Using
  4988. # too few of these helper processes (a.k.a. "helpers") creates request
  4989. # queues. Using too many helpers wastes your system resources.
  4990. #
  4991. # Usage: numberofchildren [option]...
  4992. #
  4993. # The startup= and idle= options allow some measure of skew in your
  4994. # tuning.
  4995. #
  4996. # startup=
  4997. #
  4998. # Sets a minimum of how many processes are to be spawned when Squid
  4999. # starts or reconfigures. When set to zero the first request will
  5000. # cause spawning of the first child process to handle it.
  5001. #
  5002. # Starting too few will cause an initial slowdown in traffic as Squid
  5003. # attempts to simultaneously spawn enough processes to cope.
  5004. #
  5005. # idle=
  5006. #
  5007. # Sets a minimum of how many processes Squid is to try and keep available
  5008. # at all times. When traffic begins to rise above what the existing
  5009. # processes can handle this many more will be spawned up to the maximum
  5010. # configured. A minimum setting of 1 is required.
  5011. #
  5012. # concurrency=
  5013. #
  5014. # The number of requests each storeID helper can handle in
  5015. # parallel. Defaults to 0 which indicates the helper
  5016. # is a old-style single threaded program.
  5017. #
  5018. # When this directive is set to a value >= 1 then the protocol
  5019. # used to communicate with the helper is modified to include
  5020. # an ID in front of the request/response. The ID from the request
  5021. # must be echoed back with the response to that request.
  5022. #
  5023. # queue-size=N
  5024. #
  5025. # Sets the maximum number of queued requests to N. A request is queued
  5026. # when no existing child can accept it due to concurrency limit and no
  5027. # new child can be started due to numberofchildren limit. The default
  5028. # maximum is 2*numberofchildren. If the queued requests exceed queue
  5029. # size and redirector_bypass configuration option is set, then
  5030. # redirector is bypassed. Otherwise, Squid is allowed to temporarily
  5031. # exceed the configured maximum, marking the affected helper as
  5032. # "overloaded". If the helper overload lasts more than 3 minutes, the
  5033. # action prescribed by the on-persistent-overload option applies.
  5034. #
  5035. # on-persistent-overload=action
  5036. #
  5037. # Specifies Squid reaction to a new helper request arriving when the helper
  5038. # has been overloaded for more that 3 minutes already. The number of queued
  5039. # requests determines whether the helper is overloaded (see the queue-size
  5040. # option).
  5041. #
  5042. # Two actions are supported:
  5043. #
  5044. # die Squid worker quits. This is the default behavior.
  5045. #
  5046. # ERR Squid treats the helper request as if it was
  5047. # immediately submitted, and the helper immediately
  5048. # replied with an ERR response. This action has no effect
  5049. # on the already queued and in-progress helper requests.
  5050. #Default:
  5051. # store_id_children 20 startup=0 idle=1 concurrency=0
  5052.  
  5053. # TAG: store_id_access
  5054. # If defined, this access list specifies which requests are
  5055. # sent to the StoreID processes. By default all requests
  5056. # are sent.
  5057. #
  5058. # This clause supports both fast and slow acl types.
  5059. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  5060. #Default:
  5061. # Allow, unless rules exist in squid.conf.
  5062.  
  5063. # TAG: store_id_bypass
  5064. # When this is 'on', a request will not go through the
  5065. # helper if all helpers are busy. If this is 'off' and the helper
  5066. # queue grows too large, the action is prescribed by the
  5067. # on-persistent-overload option. You should only enable this if the
  5068. # helpers are not critical to your caching system. If you use
  5069. # helpers for critical caching components, and you enable this
  5070. # option, users may not get objects from cache.
  5071. # This options sets default queue-size option of the store_id_children
  5072. # to 0.
  5073. #Default:
  5074. # store_id_bypass on
  5075.  
  5076. # OPTIONS FOR TUNING THE CACHE
  5077. # -----------------------------------------------------------------------------
  5078.  
  5079. # TAG: cache
  5080. # Requests denied by this directive will not be served from the cache
  5081. # and their responses will not be stored in the cache. This directive
  5082. # has no effect on other transactions and on already cached responses.
  5083. #
  5084. # This clause supports both fast and slow acl types.
  5085. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  5086. #
  5087. # This and the two other similar caching directives listed below are
  5088. # checked at different transaction processing stages, have different
  5089. # access to response information, affect different cache operations,
  5090. # and differ in slow ACLs support:
  5091. #
  5092. # * cache: Checked before Squid makes a hit/miss determination.
  5093. # No access to reply information!
  5094. # Denies both serving a hit and storing a miss.
  5095. # Supports both fast and slow ACLs.
  5096. # * send_hit: Checked after a hit was detected.
  5097. # Has access to reply (hit) information.
  5098. # Denies serving a hit only.
  5099. # Supports fast ACLs only.
  5100. # * store_miss: Checked before storing a cachable miss.
  5101. # Has access to reply (miss) information.
  5102. # Denies storing a miss only.
  5103. # Supports fast ACLs only.
  5104. #
  5105. # If you are not sure which of the three directives to use, apply the
  5106. # following decision logic:
  5107. #
  5108. # * If your ACL(s) are of slow type _and_ need response info, redesign.
  5109. # Squid does not support that particular combination at this time.
  5110. # Otherwise:
  5111. # * If your directive ACL(s) are of slow type, use "cache"; and/or
  5112. # * if your directive ACL(s) need no response info, use "cache".
  5113. # Otherwise:
  5114. # * If you do not want the response cached, use store_miss; and/or
  5115. # * if you do not want a hit on a cached response, use send_hit.
  5116. #Default:
  5117. # By default, this directive is unused and has no effect.
  5118.  
  5119. # TAG: send_hit
  5120. # Responses denied by this directive will not be served from the cache
  5121. # (but may still be cached, see store_miss). This directive has no
  5122. # effect on the responses it allows and on the cached objects.
  5123. #
  5124. # Please see the "cache" directive for a summary of differences among
  5125. # store_miss, send_hit, and cache directives.
  5126. #
  5127. # Unlike the "cache" directive, send_hit only supports fast acl
  5128. # types. See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  5129. #
  5130. # For example:
  5131. #
  5132. # # apply custom Store ID mapping to some URLs
  5133. # acl MapMe dstdomain .c.example.com
  5134. # store_id_program ...
  5135. # store_id_access allow MapMe
  5136. #
  5137. # # but prevent caching of special responses
  5138. # # such as 302 redirects that cause StoreID loops
  5139. # acl Ordinary http_status 200-299
  5140. # store_miss deny MapMe !Ordinary
  5141. #
  5142. # # and do not serve any previously stored special responses
  5143. # # from the cache (in case they were already cached before
  5144. # # the above store_miss rule was in effect).
  5145. # send_hit deny MapMe !Ordinary
  5146. #Default:
  5147. # By default, this directive is unused and has no effect.
  5148.  
  5149. # TAG: store_miss
  5150. # Responses denied by this directive will not be cached (but may still
  5151. # be served from the cache, see send_hit). This directive has no
  5152. # effect on the responses it allows and on the already cached responses.
  5153. #
  5154. # Please see the "cache" directive for a summary of differences among
  5155. # store_miss, send_hit, and cache directives. See the
  5156. # send_hit directive for a usage example.
  5157. #
  5158. # Unlike the "cache" directive, store_miss only supports fast acl
  5159. # types. See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  5160. #Default:
  5161. # By default, this directive is unused and has no effect.
  5162.  
  5163. # TAG: max_stale time-units
  5164. # This option puts an upper limit on how stale content Squid
  5165. # will serve from the cache if cache validation fails.
  5166. # Can be overriden by the refresh_pattern max-stale option.
  5167. #Default:
  5168. # max_stale 1 week
  5169.  
  5170. # TAG: refresh_pattern
  5171. # usage: refresh_pattern [-i] regex min percent max [options]
  5172. #
  5173. # By default, regular expressions are CASE-SENSITIVE. To make
  5174. # them case-insensitive, use the -i option.
  5175. #
  5176. # 'Min' is the time (in minutes) an object without an explicit
  5177. # expiry time should be considered fresh. The recommended
  5178. # value is 0, any higher values may cause dynamic applications
  5179. # to be erroneously cached unless the application designer
  5180. # has taken the appropriate actions.
  5181. #
  5182. # 'Percent' is a percentage of the objects age (time since last
  5183. # modification age) an object without explicit expiry time
  5184. # will be considered fresh.
  5185. #
  5186. # 'Max' is an upper limit on how long objects without an explicit
  5187. # expiry time will be considered fresh. The value is also used
  5188. # to form Cache-Control: max-age header for a request sent from
  5189. # Squid to origin/parent.
  5190. #
  5191. # options: override-expire
  5192. # override-lastmod
  5193. # reload-into-ims
  5194. # ignore-reload
  5195. # ignore-no-store
  5196. # ignore-private
  5197. # max-stale=NN
  5198. # refresh-ims
  5199. # store-stale
  5200. #
  5201. # override-expire enforces min age even if the server
  5202. # sent an explicit expiry time (e.g., with the
  5203. # Expires: header or Cache-Control: max-age). Doing this
  5204. # VIOLATES the HTTP standard. Enabling this feature
  5205. # could make you liable for problems which it causes.
  5206. #
  5207. # Note: override-expire does not enforce staleness - it only extends
  5208. # freshness / min. If the server returns a Expires time which
  5209. # is longer than your max time, Squid will still consider
  5210. # the object fresh for that period of time.
  5211. #
  5212. # override-lastmod enforces min age even on objects
  5213. # that were modified recently.
  5214. #
  5215. # reload-into-ims changes a client no-cache or ``reload''
  5216. # request for a cached entry into a conditional request using
  5217. # If-Modified-Since and/or If-None-Match headers, provided the
  5218. # cached entry has a Last-Modified and/or a strong ETag header.
  5219. # Doing this VIOLATES the HTTP standard. Enabling this feature
  5220. # could make you liable for problems which it causes.
  5221. #
  5222. # ignore-reload ignores a client no-cache or ``reload''
  5223. # header. Doing this VIOLATES the HTTP standard. Enabling
  5224. # this feature could make you liable for problems which
  5225. # it causes.
  5226. #
  5227. # ignore-no-store ignores any ``Cache-control: no-store''
  5228. # headers received from a server. Doing this VIOLATES
  5229. # the HTTP standard. Enabling this feature could make you
  5230. # liable for problems which it causes.
  5231. #
  5232. # ignore-private ignores any ``Cache-control: private''
  5233. # headers received from a server. Doing this VIOLATES
  5234. # the HTTP standard. Enabling this feature could make you
  5235. # liable for problems which it causes.
  5236. #
  5237. # refresh-ims causes squid to contact the origin server
  5238. # when a client issues an If-Modified-Since request. This
  5239. # ensures that the client will receive an updated version
  5240. # if one is available.
  5241. #
  5242. # store-stale stores responses even if they don't have explicit
  5243. # freshness or a validator (i.e., Last-Modified or an ETag)
  5244. # present, or if they're already stale. By default, Squid will
  5245. # not cache such responses because they usually can't be
  5246. # reused. Note that such responses will be stale by default.
  5247. #
  5248. # max-stale=NN provide a maximum staleness factor. Squid won't
  5249. # serve objects more stale than this even if it failed to
  5250. # validate the object. Default: use the max_stale global limit.
  5251. #
  5252. # Basically a cached object is:
  5253. #
  5254. # FRESH if expire > now, else STALE
  5255. # STALE if age > max
  5256. # FRESH if lm-factor < percent, else STALE
  5257. # FRESH if age < min
  5258. # else STALE
  5259. #
  5260. # The refresh_pattern lines are checked in the order listed here.
  5261. # The first entry which matches is used. If none of the entries
  5262. # match the default will be used.
  5263. #
  5264. # Note, you must uncomment all the default lines if you want
  5265. # to change one. The default setting is only active if none is
  5266. # used.
  5267. #
  5268. #
  5269.  
  5270. #
  5271. # Add any of your own refresh_pattern entries above these.
  5272. #
  5273. refresh_pattern ^ftp: 1440 20% 10080
  5274. refresh_pattern ^gopher: 1440 0% 1440
  5275. refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
  5276. refresh_pattern . 0 20% 4320
  5277.  
  5278. # TAG: quick_abort_min (KB)
  5279. #Default:
  5280. # quick_abort_min 16 KB
  5281.  
  5282. # TAG: quick_abort_max (KB)
  5283. #Default:
  5284. # quick_abort_max 16 KB
  5285.  
  5286. # TAG: quick_abort_pct (percent)
  5287. # The cache by default continues downloading aborted requests
  5288. # which are almost completed (less than 16 KB remaining). This
  5289. # may be undesirable on slow (e.g. SLIP) links and/or very busy
  5290. # caches. Impatient users may tie up file descriptors and
  5291. # bandwidth by repeatedly requesting and immediately aborting
  5292. # downloads.
  5293. #
  5294. # When the user aborts a request, Squid will check the
  5295. # quick_abort values to the amount of data transferred until
  5296. # then.
  5297. #
  5298. # If the transfer has less than 'quick_abort_min' KB remaining,
  5299. # it will finish the retrieval.
  5300. #
  5301. # If the transfer has more than 'quick_abort_max' KB remaining,
  5302. # it will abort the retrieval.
  5303. #
  5304. # If more than 'quick_abort_pct' of the transfer has completed,
  5305. # it will finish the retrieval.
  5306. #
  5307. # If you do not want any retrieval to continue after the client
  5308. # has aborted, set both 'quick_abort_min' and 'quick_abort_max'
  5309. # to '0 KB'.
  5310. #
  5311. # If you want retrievals to always continue if they are being
  5312. # cached set 'quick_abort_min' to '-1 KB'.
  5313. #Default:
  5314. # quick_abort_pct 95
  5315.  
  5316. # TAG: read_ahead_gap buffer-size
  5317. # The amount of data the cache will buffer ahead of what has been
  5318. # sent to the client when retrieving an object from another server.
  5319. #Default:
  5320. # read_ahead_gap 16 KB
  5321.  
  5322. # TAG: negative_ttl time-units
  5323. # Set the Default Time-to-Live (TTL) for failed requests.
  5324. # Certain types of failures (such as "connection refused" and
  5325. # "404 Not Found") are able to be negatively-cached for a short time.
  5326. # Modern web servers should provide Expires: header, however if they
  5327. # do not this can provide a minimum TTL.
  5328. # The default is not to cache errors with unknown expiry details.
  5329. #
  5330. # Note that this is different from negative caching of DNS lookups.
  5331. #
  5332. # WARNING: Doing this VIOLATES the HTTP standard. Enabling
  5333. # this feature could make you liable for problems which it
  5334. # causes.
  5335. #Default:
  5336. # negative_ttl 0 seconds
  5337.  
  5338. # TAG: positive_dns_ttl time-units
  5339. # Upper limit on how long Squid will cache positive DNS responses.
  5340. # Default is 6 hours (360 minutes). This directive must be set
  5341. # larger than negative_dns_ttl.
  5342. #Default:
  5343. # positive_dns_ttl 6 hours
  5344.  
  5345. # TAG: negative_dns_ttl time-units
  5346. # Time-to-Live (TTL) for negative caching of failed DNS lookups.
  5347. # This also sets the lower cache limit on positive lookups.
  5348. # Minimum value is 1 second, and it is not recommendable to go
  5349. # much below 10 seconds.
  5350. #Default:
  5351. # negative_dns_ttl 1 minutes
  5352.  
  5353. # TAG: range_offset_limit size [acl acl...]
  5354. # usage: (size) [units] [[!]aclname]
  5355. #
  5356. # Sets an upper limit on how far (number of bytes) into the file
  5357. # a Range request may be to cause Squid to prefetch the whole file.
  5358. # If beyond this limit, Squid forwards the Range request as it is and
  5359. # the result is NOT cached.
  5360. #
  5361. # This is to stop a far ahead range request (lets say start at 17MB)
  5362. # from making Squid fetch the whole object up to that point before
  5363. # sending anything to the client.
  5364. #
  5365. # Multiple range_offset_limit lines may be specified, and they will
  5366. # be searched from top to bottom on each request until a match is found.
  5367. # The first match found will be used. If no line matches a request, the
  5368. # default limit of 0 bytes will be used.
  5369. #
  5370. # 'size' is the limit specified as a number of units.
  5371. #
  5372. # 'units' specifies whether to use bytes, KB, MB, etc.
  5373. # If no units are specified bytes are assumed.
  5374. #
  5375. # A size of 0 causes Squid to never fetch more than the
  5376. # client requested. (default)
  5377. #
  5378. # A size of 'none' causes Squid to always fetch the object from the
  5379. # beginning so it may cache the result. (2.0 style)
  5380. #
  5381. # 'aclname' is the name of a defined ACL.
  5382. #
  5383. # NP: Using 'none' as the byte value here will override any quick_abort settings
  5384. # that may otherwise apply to the range request. The range request will
  5385. # be fully fetched from start to finish regardless of the client
  5386. # actions. This affects bandwidth usage.
  5387. #Default:
  5388. # none
  5389.  
  5390. # TAG: minimum_expiry_time (seconds)
  5391. # The minimum caching time according to (Expires - Date)
  5392. # headers Squid honors if the object can't be revalidated.
  5393. # The default is 60 seconds.
  5394. #
  5395. # In reverse proxy environments it might be desirable to honor
  5396. # shorter object lifetimes. It is most likely better to make
  5397. # your server return a meaningful Last-Modified header however.
  5398. #
  5399. # In ESI environments where page fragments often have short
  5400. # lifetimes, this will often be best set to 0.
  5401. #Default:
  5402. # minimum_expiry_time 60 seconds
  5403.  
  5404. # TAG: store_avg_object_size (bytes)
  5405. # Average object size, used to estimate number of objects your
  5406. # cache can hold. The default is 13 KB.
  5407. #
  5408. # This is used to pre-seed the cache index memory allocation to
  5409. # reduce expensive reallocate operations while handling clients
  5410. # traffic. Too-large values may result in memory allocation during
  5411. # peak traffic, too-small values will result in wasted memory.
  5412. #
  5413. # Check the cache manager 'info' report metrics for the real
  5414. # object sizes seen by your Squid before tuning this.
  5415. #Default:
  5416. # store_avg_object_size 13 KB
  5417.  
  5418. # TAG: store_objects_per_bucket
  5419. # Target number of objects per bucket in the store hash table.
  5420. # Lowering this value increases the total number of buckets and
  5421. # also the storage maintenance rate. The default is 20.
  5422. #Default:
  5423. # store_objects_per_bucket 20
  5424.  
  5425. # HTTP OPTIONS
  5426. # -----------------------------------------------------------------------------
  5427.  
  5428. # TAG: request_header_max_size (KB)
  5429. # This specifies the maximum size for HTTP headers in a request.
  5430. # Request headers are usually relatively small (about 512 bytes).
  5431. # Placing a limit on the request header size will catch certain
  5432. # bugs (for example with persistent connections) and possibly
  5433. # buffer-overflow or denial-of-service attacks.
  5434. #Default:
  5435. # request_header_max_size 64 KB
  5436.  
  5437. # TAG: reply_header_max_size (KB)
  5438. # This specifies the maximum size for HTTP headers in a reply.
  5439. # Reply headers are usually relatively small (about 512 bytes).
  5440. # Placing a limit on the reply header size will catch certain
  5441. # bugs (for example with persistent connections) and possibly
  5442. # buffer-overflow or denial-of-service attacks.
  5443. #Default:
  5444. # reply_header_max_size 64 KB
  5445.  
  5446. # TAG: request_body_max_size (bytes)
  5447. # This specifies the maximum size for an HTTP request body.
  5448. # In other words, the maximum size of a PUT/POST request.
  5449. # A user who attempts to send a request with a body larger
  5450. # than this limit receives an "Invalid Request" error message.
  5451. # If you set this parameter to a zero (the default), there will
  5452. # be no limit imposed.
  5453. #
  5454. # See also client_request_buffer_max_size for an alternative
  5455. # limitation on client uploads which can be configured.
  5456. #Default:
  5457. # No limit.
  5458.  
  5459. # TAG: client_request_buffer_max_size (bytes)
  5460. # This specifies the maximum buffer size of a client request.
  5461. # It prevents squid eating too much memory when somebody uploads
  5462. # a large file.
  5463. #Default:
  5464. # client_request_buffer_max_size 512 KB
  5465.  
  5466. # TAG: broken_posts
  5467. # A list of ACL elements which, if matched, causes Squid to send
  5468. # an extra CRLF pair after the body of a PUT/POST request.
  5469. #
  5470. # Some HTTP servers has broken implementations of PUT/POST,
  5471. # and rely on an extra CRLF pair sent by some WWW clients.
  5472. #
  5473. # Quote from RFC2616 section 4.1 on this matter:
  5474. #
  5475. # Note: certain buggy HTTP/1.0 client implementations generate an
  5476. # extra CRLF's after a POST request. To restate what is explicitly
  5477. # forbidden by the BNF, an HTTP/1.1 client must not preface or follow
  5478. # a request with an extra CRLF.
  5479. #
  5480. # This clause only supports fast acl types.
  5481. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  5482. #
  5483. #Example:
  5484. # acl buggy_server url_regex ^http://....
  5485. # broken_posts allow buggy_server
  5486. #Default:
  5487. # Obey RFC 2616.
  5488.  
  5489. # TAG: adaptation_uses_indirect_client on|off
  5490. # Controls whether the indirect client IP address (instead of the direct
  5491. # client IP address) is passed to adaptation services.
  5492. #
  5493. # See also: follow_x_forwarded_for adaptation_send_client_ip
  5494. #Default:
  5495. # adaptation_uses_indirect_client on
  5496.  
  5497. # TAG: via on|off
  5498. # If set (default), Squid will include a Via header in requests and
  5499. # replies as required by RFC2616.
  5500. #Default:
  5501. # via on
  5502.  
  5503. # TAG: vary_ignore_expire on|off
  5504. # Many HTTP servers supporting Vary gives such objects
  5505. # immediate expiry time with no cache-control header
  5506. # when requested by a HTTP/1.0 client. This option
  5507. # enables Squid to ignore such expiry times until
  5508. # HTTP/1.1 is fully implemented.
  5509. #
  5510. # WARNING: If turned on this may eventually cause some
  5511. # varying objects not intended for caching to get cached.
  5512. #Default:
  5513. # vary_ignore_expire off
  5514.  
  5515. # TAG: request_entities
  5516. # Squid defaults to deny GET and HEAD requests with request entities,
  5517. # as the meaning of such requests are undefined in the HTTP standard
  5518. # even if not explicitly forbidden.
  5519. #
  5520. # Set this directive to on if you have clients which insists
  5521. # on sending request entities in GET or HEAD requests. But be warned
  5522. # that there is server software (both proxies and web servers) which
  5523. # can fail to properly process this kind of request which may make you
  5524. # vulnerable to cache pollution attacks if enabled.
  5525. #Default:
  5526. # request_entities off
  5527.  
  5528. # TAG: request_header_access
  5529. # Usage: request_header_access header_name allow|deny [!]aclname ...
  5530. #
  5531. # WARNING: Doing this VIOLATES the HTTP standard. Enabling
  5532. # this feature could make you liable for problems which it
  5533. # causes.
  5534. #
  5535. # This option replaces the old 'anonymize_headers' and the
  5536. # older 'http_anonymizer' option with something that is much
  5537. # more configurable. A list of ACLs for each header name allows
  5538. # removal of specific header fields under specific conditions.
  5539. #
  5540. # This option only applies to outgoing HTTP request headers (i.e.,
  5541. # headers sent by Squid to the next HTTP hop such as a cache peer
  5542. # or an origin server). The option has no effect during cache hit
  5543. # detection. The equivalent adaptation vectoring point in ICAP
  5544. # terminology is post-cache REQMOD.
  5545. #
  5546. # The option is applied to individual outgoing request header
  5547. # fields. For each request header field F, Squid uses the first
  5548. # qualifying sets of request_header_access rules:
  5549. #
  5550. # 1. Rules with header_name equal to F's name.
  5551. # 2. Rules with header_name 'Other', provided F's name is not
  5552. # on the hard-coded list of commonly used HTTP header names.
  5553. # 3. Rules with header_name 'All'.
  5554. #
  5555. # Within that qualifying rule set, rule ACLs are checked as usual.
  5556. # If ACLs of an "allow" rule match, the header field is allowed to
  5557. # go through as is. If ACLs of a "deny" rule match, the header is
  5558. # removed and request_header_replace is then checked to identify
  5559. # if the removed header has a replacement. If no rules within the
  5560. # set have matching ACLs, the header field is left as is.
  5561. #
  5562. # For example, to achieve the same behavior as the old
  5563. # 'http_anonymizer standard' option, you should use:
  5564. #
  5565. # request_header_access From deny all
  5566. # request_header_access Referer deny all
  5567. # request_header_access User-Agent deny all
  5568. #
  5569. # Or, to reproduce the old 'http_anonymizer paranoid' feature
  5570. # you should use:
  5571. #
  5572. # request_header_access Authorization allow all
  5573. # request_header_access Proxy-Authorization allow all
  5574. # request_header_access Cache-Control allow all
  5575. # request_header_access Content-Length allow all
  5576. # request_header_access Content-Type allow all
  5577. # request_header_access Date allow all
  5578. # request_header_access Host allow all
  5579. # request_header_access If-Modified-Since allow all
  5580. # request_header_access Pragma allow all
  5581. # request_header_access Accept allow all
  5582. # request_header_access Accept-Charset allow all
  5583. # request_header_access Accept-Encoding allow all
  5584. # request_header_access Accept-Language allow all
  5585. # request_header_access Connection allow all
  5586. # request_header_access All deny all
  5587. #
  5588. # HTTP reply headers are controlled with the reply_header_access directive.
  5589. #
  5590. # By default, all headers are allowed (no anonymizing is performed).
  5591. #Default:
  5592. # No limits.
  5593.  
  5594. # TAG: reply_header_access
  5595. # Usage: reply_header_access header_name allow|deny [!]aclname ...
  5596. #
  5597. # WARNING: Doing this VIOLATES the HTTP standard. Enabling
  5598. # this feature could make you liable for problems which it
  5599. # causes.
  5600. #
  5601. # This option only applies to reply headers, i.e., from the
  5602. # server to the client.
  5603. #
  5604. # This is the same as request_header_access, but in the other
  5605. # direction. Please see request_header_access for detailed
  5606. # documentation.
  5607. #
  5608. # For example, to achieve the same behavior as the old
  5609. # 'http_anonymizer standard' option, you should use:
  5610. #
  5611. # reply_header_access Server deny all
  5612. # reply_header_access WWW-Authenticate deny all
  5613. # reply_header_access Link deny all
  5614. #
  5615. # Or, to reproduce the old 'http_anonymizer paranoid' feature
  5616. # you should use:
  5617. #
  5618. # reply_header_access Allow allow all
  5619. # reply_header_access WWW-Authenticate allow all
  5620. # reply_header_access Proxy-Authenticate allow all
  5621. # reply_header_access Cache-Control allow all
  5622. # reply_header_access Content-Encoding allow all
  5623. # reply_header_access Content-Length allow all
  5624. # reply_header_access Content-Type allow all
  5625. # reply_header_access Date allow all
  5626. # reply_header_access Expires allow all
  5627. # reply_header_access Last-Modified allow all
  5628. # reply_header_access Location allow all
  5629. # reply_header_access Pragma allow all
  5630. # reply_header_access Content-Language allow all
  5631. # reply_header_access Retry-After allow all
  5632. # reply_header_access Title allow all
  5633. # reply_header_access Content-Disposition allow all
  5634. # reply_header_access Connection allow all
  5635. # reply_header_access All deny all
  5636. #
  5637. # HTTP request headers are controlled with the request_header_access directive.
  5638. #
  5639. # By default, all headers are allowed (no anonymizing is
  5640. # performed).
  5641. #Default:
  5642. # No limits.
  5643.  
  5644. # TAG: request_header_replace
  5645. # Usage: request_header_replace header_name message
  5646. # Example: request_header_replace User-Agent Nutscrape/1.0 (CP/M; 8-bit)
  5647. #
  5648. # This option allows you to change the contents of headers
  5649. # denied with request_header_access above, by replacing them
  5650. # with some fixed string.
  5651. #
  5652. # This only applies to request headers, not reply headers.
  5653. #
  5654. # By default, headers are removed if denied.
  5655. #Default:
  5656. # none
  5657.  
  5658. # TAG: reply_header_replace
  5659. # Usage: reply_header_replace header_name message
  5660. # Example: reply_header_replace Server Foo/1.0
  5661. #
  5662. # This option allows you to change the contents of headers
  5663. # denied with reply_header_access above, by replacing them
  5664. # with some fixed string.
  5665. #
  5666. # This only applies to reply headers, not request headers.
  5667. #
  5668. # By default, headers are removed if denied.
  5669. #Default:
  5670. # none
  5671.  
  5672. # TAG: request_header_add
  5673. # Usage: request_header_add field-name field-value [ acl ... ]
  5674. # Example: request_header_add X-Client-CA "CA=%ssl::>cert_issuer" all
  5675. #
  5676. # This option adds header fields to outgoing HTTP requests (i.e.,
  5677. # request headers sent by Squid to the next HTTP hop such as a
  5678. # cache peer or an origin server). The option has no effect during
  5679. # cache hit detection. The equivalent adaptation vectoring point
  5680. # in ICAP terminology is post-cache REQMOD.
  5681. #
  5682. # Field-name is a token specifying an HTTP header name. If a
  5683. # standard HTTP header name is used, Squid does not check whether
  5684. # the new header conflicts with any existing headers or violates
  5685. # HTTP rules. If the request to be modified already contains a
  5686. # field with the same name, the old field is preserved but the
  5687. # header field values are not merged.
  5688. #
  5689. # Field-value is either a token or a quoted string. If quoted
  5690. # string format is used, then the surrounding quotes are removed
  5691. # while escape sequences and %macros are processed.
  5692. #
  5693. # One or more Squid ACLs may be specified to restrict header
  5694. # injection to matching requests. As always in squid.conf, all
  5695. # ACLs in the ACL list must be satisfied for the insertion to
  5696. # happen. The request_header_add supports fast ACLs only.
  5697. #
  5698. # See also: reply_header_add.
  5699. #Default:
  5700. # none
  5701.  
  5702. # TAG: reply_header_add
  5703. # Usage: reply_header_add field-name field-value [ acl ... ]
  5704. # Example: reply_header_add X-Client-CA "CA=%ssl::>cert_issuer" all
  5705. #
  5706. # This option adds header fields to outgoing HTTP responses (i.e., response
  5707. # headers delivered by Squid to the client). This option has no effect on
  5708. # cache hit detection. The equivalent adaptation vectoring point in
  5709. # ICAP terminology is post-cache RESPMOD. This option does not apply to
  5710. # successful CONNECT replies.
  5711. #
  5712. # Field-name is a token specifying an HTTP header name. If a
  5713. # standard HTTP header name is used, Squid does not check whether
  5714. # the new header conflicts with any existing headers or violates
  5715. # HTTP rules. If the response to be modified already contains a
  5716. # field with the same name, the old field is preserved but the
  5717. # header field values are not merged.
  5718. #
  5719. # Field-value is either a token or a quoted string. If quoted
  5720. # string format is used, then the surrounding quotes are removed
  5721. # while escape sequences and %macros are processed.
  5722. #
  5723. # One or more Squid ACLs may be specified to restrict header
  5724. # injection to matching responses. As always in squid.conf, all
  5725. # ACLs in the ACL list must be satisfied for the insertion to
  5726. # happen. The reply_header_add option supports fast ACLs only.
  5727. #
  5728. # See also: request_header_add.
  5729. #Default:
  5730. # none
  5731.  
  5732. # TAG: note
  5733. # This option used to log custom information about the master
  5734. # transaction. For example, an admin may configure Squid to log
  5735. # which "user group" the transaction belongs to, where "user group"
  5736. # will be determined based on a set of ACLs and not [just]
  5737. # authentication information.
  5738. # Values of key/value pairs can be logged using %{key}note macros:
  5739. #
  5740. # note key value acl ...
  5741. # logformat myFormat ... %{key}note ...
  5742. #Default:
  5743. # none
  5744.  
  5745. # TAG: relaxed_header_parser on|off|warn
  5746. # In the default "on" setting Squid accepts certain forms
  5747. # of non-compliant HTTP messages where it is unambiguous
  5748. # what the sending application intended even if the message
  5749. # is not correctly formatted. The messages is then normalized
  5750. # to the correct form when forwarded by Squid.
  5751. #
  5752. # If set to "warn" then a warning will be emitted in cache.log
  5753. # each time such HTTP error is encountered.
  5754. #
  5755. # If set to "off" then such HTTP errors will cause the request
  5756. # or response to be rejected.
  5757. #Default:
  5758. # relaxed_header_parser on
  5759.  
  5760. # TAG: collapsed_forwarding (on|off)
  5761. # This option controls whether Squid is allowed to merge multiple
  5762. # potentially cachable requests for the same URI before Squid knows
  5763. # whether the response is going to be cachable.
  5764. #
  5765. # When enabled, instead of forwarding each concurrent request for
  5766. # the same URL, Squid just sends the first of them. The other, so
  5767. # called "collapsed" requests, wait for the response to the first
  5768. # request and, if it happens to be cachable, use that response.
  5769. # Here, "concurrent requests" means "received after the first
  5770. # request headers were parsed and before the corresponding response
  5771. # headers were parsed".
  5772. #
  5773. # This feature is disabled by default: enabling collapsed
  5774. # forwarding needlessly delays forwarding requests that look
  5775. # cachable (when they are collapsed) but then need to be forwarded
  5776. # individually anyway because they end up being for uncachable
  5777. # content. However, in some cases, such as acceleration of highly
  5778. # cachable content with periodic or grouped expiration times, the
  5779. # gains from collapsing [large volumes of simultaneous refresh
  5780. # requests] outweigh losses from such delays.
  5781. #
  5782. # Squid collapses two kinds of requests: regular client requests
  5783. # received on one of the listening ports and internal "cache
  5784. # revalidation" requests which are triggered by those regular
  5785. # requests hitting a stale cached object. Revalidation collapsing
  5786. # is currently disabled for Squid instances containing SMP-aware
  5787. # disk or memory caches and for Vary-controlled cached objects.
  5788. #Default:
  5789. # collapsed_forwarding off
  5790.  
  5791. # TAG: collapsed_forwarding_shared_entries_limit (number of entries)
  5792. # This limits the size of a table used for sharing information
  5793. # about collapsible entries among SMP workers. Limiting sharing
  5794. # too much results in cache content duplication and missed
  5795. # collapsing opportunities. Using excessively large values
  5796. # wastes shared memory.
  5797. #
  5798. # The limit should be significantly larger then the number of
  5799. # concurrent collapsible entries one wants to share. For a cache
  5800. # that handles less than 5000 concurrent requests, the default
  5801. # setting of 16384 should be plenty.
  5802. #
  5803. # If the limit is set to zero, it disables sharing of collapsed
  5804. # forwarding between SMP workers.
  5805. #Default:
  5806. # collapsed_forwarding_shared_entries_limit 16384
  5807.  
  5808. # TIMEOUTS
  5809. # -----------------------------------------------------------------------------
  5810.  
  5811. # TAG: forward_timeout time-units
  5812. # This parameter specifies how long Squid should at most attempt in
  5813. # finding a forwarding path for the request before giving up.
  5814. #Default:
  5815. # forward_timeout 4 minutes
  5816.  
  5817. # TAG: connect_timeout time-units
  5818. # This parameter specifies how long to wait for the TCP connect to
  5819. # the requested server or peer to complete before Squid should
  5820. # attempt to find another path where to forward the request.
  5821. #Default:
  5822. # connect_timeout 1 minute
  5823.  
  5824. # TAG: peer_connect_timeout time-units
  5825. # This parameter specifies how long to wait for a pending TCP
  5826. # connection to a peer cache. The default is 30 seconds. You
  5827. # may also set different timeout values for individual neighbors
  5828. # with the 'connect-timeout' option on a 'cache_peer' line.
  5829. #Default:
  5830. # peer_connect_timeout 30 seconds
  5831.  
  5832. # TAG: read_timeout time-units
  5833. # Applied on peer server connections.
  5834. #
  5835. # After each successful read(), the timeout will be extended by this
  5836. # amount. If no data is read again after this amount of time,
  5837. # the request is aborted and logged with ERR_READ_TIMEOUT.
  5838. #
  5839. # The default is 15 minutes.
  5840. #Default:
  5841. # read_timeout 15 minutes
  5842.  
  5843. # TAG: write_timeout time-units
  5844. # This timeout is tracked for all connections that have data
  5845. # available for writing and are waiting for the socket to become
  5846. # ready. After each successful write, the timeout is extended by
  5847. # the configured amount. If Squid has data to write but the
  5848. # connection is not ready for the configured duration, the
  5849. # transaction associated with the connection is terminated. The
  5850. # default is 15 minutes.
  5851. #Default:
  5852. # write_timeout 15 minutes
  5853.  
  5854. # TAG: request_timeout
  5855. # How long to wait for complete HTTP request headers after initial
  5856. # connection establishment.
  5857. #Default:
  5858. # request_timeout 5 minutes
  5859.  
  5860. # TAG: request_start_timeout
  5861. # How long to wait for the first request byte after initial
  5862. # connection establishment.
  5863. #Default:
  5864. # request_start_timeout 5 minutes
  5865.  
  5866. # TAG: client_idle_pconn_timeout
  5867. # How long to wait for the next HTTP request on a persistent
  5868. # client connection after the previous request completes.
  5869. #Default:
  5870. # client_idle_pconn_timeout 2 minutes
  5871.  
  5872. # TAG: ftp_client_idle_timeout
  5873. # How long to wait for an FTP request on a connection to Squid ftp_port.
  5874. # Many FTP clients do not deal with idle connection closures well,
  5875. # necessitating a longer default timeout than client_idle_pconn_timeout
  5876. # used for incoming HTTP requests.
  5877. #Default:
  5878. # ftp_client_idle_timeout 30 minutes
  5879.  
  5880. # TAG: client_lifetime time-units
  5881. # The maximum amount of time a client (browser) is allowed to
  5882. # remain connected to the cache process. This protects the Cache
  5883. # from having a lot of sockets (and hence file descriptors) tied up
  5884. # in a CLOSE_WAIT state from remote clients that go away without
  5885. # properly shutting down (either because of a network failure or
  5886. # because of a poor client implementation). The default is one
  5887. # day, 1440 minutes.
  5888. #
  5889. # NOTE: The default value is intended to be much larger than any
  5890. # client would ever need to be connected to your cache. You
  5891. # should probably change client_lifetime only as a last resort.
  5892. # If you seem to have many client connections tying up
  5893. # filedescriptors, we recommend first tuning the read_timeout,
  5894. # request_timeout, persistent_request_timeout and quick_abort values.
  5895. #Default:
  5896. # client_lifetime 1 day
  5897.  
  5898. # TAG: pconn_lifetime time-units
  5899. # Desired maximum lifetime of a persistent connection.
  5900. # When set, Squid will close a now-idle persistent connection that
  5901. # exceeded configured lifetime instead of moving the connection into
  5902. # the idle connection pool (or equivalent). No effect on ongoing/active
  5903. # transactions. Connection lifetime is the time period from the
  5904. # connection acceptance or opening time until "now".
  5905. #
  5906. # This limit is useful in environments with long-lived connections
  5907. # where Squid configuration or environmental factors change during a
  5908. # single connection lifetime. If unrestricted, some connections may
  5909. # last for hours and even days, ignoring those changes that should
  5910. # have affected their behavior or their existence.
  5911. #
  5912. # Currently, a new lifetime value supplied via Squid reconfiguration
  5913. # has no effect on already idle connections unless they become busy.
  5914. #
  5915. # When set to '0' this limit is not used.
  5916. #Default:
  5917. # pconn_lifetime 0 seconds
  5918.  
  5919. # TAG: half_closed_clients
  5920. # Some clients may shutdown the sending side of their TCP
  5921. # connections, while leaving their receiving sides open. Sometimes,
  5922. # Squid can not tell the difference between a half-closed and a
  5923. # fully-closed TCP connection.
  5924. #
  5925. # By default, Squid will immediately close client connections when
  5926. # read(2) returns "no more data to read."
  5927. #
  5928. # Change this option to 'on' and Squid will keep open connections
  5929. # until a read(2) or write(2) on the socket returns an error.
  5930. # This may show some benefits for reverse proxies. But if not
  5931. # it is recommended to leave OFF.
  5932. #Default:
  5933. # half_closed_clients off
  5934.  
  5935. # TAG: server_idle_pconn_timeout
  5936. # Timeout for idle persistent connections to servers and other
  5937. # proxies.
  5938. #Default:
  5939. # server_idle_pconn_timeout 1 minute
  5940.  
  5941. # TAG: ident_timeout
  5942. # Maximum time to wait for IDENT lookups to complete.
  5943. #
  5944. # If this is too high, and you enabled IDENT lookups from untrusted
  5945. # users, you might be susceptible to denial-of-service by having
  5946. # many ident requests going at once.
  5947. #Default:
  5948. # ident_timeout 10 seconds
  5949.  
  5950. # TAG: shutdown_lifetime time-units
  5951. # When SIGTERM or SIGHUP is received, the cache is put into
  5952. # "shutdown pending" mode until all active sockets are closed.
  5953. # This value is the lifetime to set for all open descriptors
  5954. # during shutdown mode. Any active clients after this many
  5955. # seconds will receive a 'timeout' message.
  5956. #Default:
  5957. # shutdown_lifetime 30 seconds
  5958.  
  5959. # ADMINISTRATIVE PARAMETERS
  5960. # -----------------------------------------------------------------------------
  5961.  
  5962. # TAG: cache_mgr
  5963. # Email-address of local cache manager who will receive
  5964. # mail if the cache dies. The default is "webmaster".
  5965. #Default:
  5966. # cache_mgr webmaster
  5967.  
  5968. # TAG: mail_from
  5969. # From: email-address for mail sent when the cache dies.
  5970. # The default is to use 'squid@unique_hostname'.
  5971. #
  5972. # See also: unique_hostname directive.
  5973. #Default:
  5974. # none
  5975.  
  5976. # TAG: mail_program
  5977. # Email program used to send mail if the cache dies.
  5978. # The default is "mail". The specified program must comply
  5979. # with the standard Unix mail syntax:
  5980. # mail-program recipient < mailfile
  5981. #
  5982. # Optional command line options can be specified.
  5983. #Default:
  5984. # mail_program mail
  5985.  
  5986. # TAG: cache_effective_user
  5987. # If you start Squid as root, it will change its effective/real
  5988. # UID/GID to the user specified below. The default is to change
  5989. # to UID of proxy.
  5990. # see also; cache_effective_group
  5991. #Default:
  5992. # cache_effective_user proxy
  5993. cache_effective_user proxy
  5994.  
  5995. # TAG: cache_effective_group
  5996. # Squid sets the GID to the effective user's default group ID
  5997. # (taken from the password file) and supplementary group list
  5998. # from the groups membership.
  5999. #
  6000. # If you want Squid to run with a specific GID regardless of
  6001. # the group memberships of the effective user then set this
  6002. # to the group (or GID) you want Squid to run as. When set
  6003. # all other group privileges of the effective user are ignored
  6004. # and only this GID is effective. If Squid is not started as
  6005. # root the user starting Squid MUST be member of the specified
  6006. # group.
  6007. #
  6008. # This option is not recommended by the Squid Team.
  6009. # Our preference is for administrators to configure a secure
  6010. # user account for squid with UID/GID matching system policies.
  6011. #Default:
  6012. # Use system group memberships of the cache_effective_user account
  6013.  
  6014. # TAG: httpd_suppress_version_string on|off
  6015. # Suppress Squid version string info in HTTP headers and HTML error pages.
  6016. #Default:
  6017. # httpd_suppress_version_string off
  6018.  
  6019. # TAG: visible_hostname
  6020. # If you want to present a special hostname in error messages, etc,
  6021. # define this. Otherwise, the return value of gethostname()
  6022. # will be used. If you have multiple caches in a cluster and
  6023. # get errors about IP-forwarding you must set them to have individual
  6024. # names with this setting.
  6025. #Default:
  6026. # Automatically detect the system host name
  6027.  
  6028. # TAG: unique_hostname
  6029. # If you want to have multiple machines with the same
  6030. # 'visible_hostname' you must give each machine a different
  6031. # 'unique_hostname' so forwarding loops can be detected.
  6032. #Default:
  6033. # Copy the value from visible_hostname
  6034.  
  6035. # TAG: hostname_aliases
  6036. # A list of other DNS names your cache has.
  6037. #Default:
  6038. # none
  6039.  
  6040. # TAG: umask
  6041. # Minimum umask which should be enforced while the proxy
  6042. # is running, in addition to the umask set at startup.
  6043. #
  6044. # For a traditional octal representation of umasks, start
  6045. # your value with 0.
  6046. #Default:
  6047. # umask 027
  6048.  
  6049. # OPTIONS FOR THE CACHE REGISTRATION SERVICE
  6050. # -----------------------------------------------------------------------------
  6051. #
  6052. # This section contains parameters for the (optional) cache
  6053. # announcement service. This service is provided to help
  6054. # cache administrators locate one another in order to join or
  6055. # create cache hierarchies.
  6056. #
  6057. # An 'announcement' message is sent (via UDP) to the registration
  6058. # service by Squid. By default, the announcement message is NOT
  6059. # SENT unless you enable it with 'announce_period' below.
  6060. #
  6061. # The announcement message includes your hostname, plus the
  6062. # following information from this configuration file:
  6063. #
  6064. # http_port
  6065. # icp_port
  6066. # cache_mgr
  6067. #
  6068. # All current information is processed regularly and made
  6069. # available on the Web at http://www.ircache.net/Cache/Tracker/.
  6070.  
  6071. # TAG: announce_period
  6072. # This is how frequently to send cache announcements.
  6073. #
  6074. # To enable announcing your cache, just set an announce period.
  6075. #
  6076. # Example:
  6077. # announce_period 1 day
  6078. #Default:
  6079. # Announcement messages disabled.
  6080.  
  6081. # TAG: announce_host
  6082. # Set the hostname where announce registration messages will be sent.
  6083. #
  6084. # See also announce_port and announce_file
  6085. #Default:
  6086. # announce_host tracker.ircache.net
  6087.  
  6088. # TAG: announce_file
  6089. # The contents of this file will be included in the announce
  6090. # registration messages.
  6091. #Default:
  6092. # none
  6093.  
  6094. # TAG: announce_port
  6095. # Set the port where announce registration messages will be sent.
  6096. #
  6097. # See also announce_host and announce_file
  6098. #Default:
  6099. # announce_port 3131
  6100.  
  6101. # HTTPD-ACCELERATOR OPTIONS
  6102. # -----------------------------------------------------------------------------
  6103.  
  6104. # TAG: httpd_accel_surrogate_id
  6105. # Surrogates (http://www.esi.org/architecture_spec_1.0.html)
  6106. # need an identification token to allow control targeting. Because
  6107. # a farm of surrogates may all perform the same tasks, they may share
  6108. # an identification token.
  6109. #Default:
  6110. # visible_hostname is used if no specific ID is set.
  6111.  
  6112. # TAG: http_accel_surrogate_remote on|off
  6113. # Remote surrogates (such as those in a CDN) honour the header
  6114. # "Surrogate-Control: no-store-remote".
  6115. #
  6116. # Set this to on to have squid behave as a remote surrogate.
  6117. #Default:
  6118. # http_accel_surrogate_remote off
  6119.  
  6120. # TAG: esi_parser libxml2|expat
  6121. # Selects the XML parsing library to use when interpreting responses with
  6122. # Edge Side Includes.
  6123. #
  6124. # To disable ESI handling completely, ./configure Squid with --disable-esi.
  6125. #Default:
  6126. # Selects libxml2 if available at ./configure time or libexpat otherwise.
  6127.  
  6128. # DELAY POOL PARAMETERS
  6129. # -----------------------------------------------------------------------------
  6130.  
  6131. # TAG: delay_pools
  6132. # This represents the number of delay pools to be used. For example,
  6133. # if you have one class 2 delay pool and one class 3 delays pool, you
  6134. # have a total of 2 delay pools.
  6135. #
  6136. # See also delay_parameters, delay_class, delay_access for pool
  6137. # configuration details.
  6138. #Default:
  6139. # delay_pools 0
  6140.  
  6141. # TAG: delay_class
  6142. # This defines the class of each delay pool. There must be exactly one
  6143. # delay_class line for each delay pool. For example, to define two
  6144. # delay pools, one of class 2 and one of class 3, the settings above
  6145. # and here would be:
  6146. #
  6147. # Example:
  6148. # delay_pools 4 # 4 delay pools
  6149. # delay_class 1 2 # pool 1 is a class 2 pool
  6150. # delay_class 2 3 # pool 2 is a class 3 pool
  6151. # delay_class 3 4 # pool 3 is a class 4 pool
  6152. # delay_class 4 5 # pool 4 is a class 5 pool
  6153. #
  6154. # The delay pool classes are:
  6155. #
  6156. # class 1 Everything is limited by a single aggregate
  6157. # bucket.
  6158. #
  6159. # class 2 Everything is limited by a single aggregate
  6160. # bucket as well as an "individual" bucket chosen
  6161. # from bits 25 through 32 of the IPv4 address.
  6162. #
  6163. # class 3 Everything is limited by a single aggregate
  6164. # bucket as well as a "network" bucket chosen
  6165. # from bits 17 through 24 of the IP address and a
  6166. # "individual" bucket chosen from bits 17 through
  6167. # 32 of the IPv4 address.
  6168. #
  6169. # class 4 Everything in a class 3 delay pool, with an
  6170. # additional limit on a per user basis. This
  6171. # only takes effect if the username is established
  6172. # in advance - by forcing authentication in your
  6173. # http_access rules.
  6174. #
  6175. # class 5 Requests are grouped according their tag (see
  6176. # external_acl's tag= reply).
  6177. #
  6178. #
  6179. # Each pool also requires a delay_parameters directive to configure the pool size
  6180. # and speed limits used whenever the pool is applied to a request. Along with
  6181. # a set of delay_access directives to determine when it is used.
  6182. #
  6183. # NOTE: If an IP address is a.b.c.d
  6184. # -> bits 25 through 32 are "d"
  6185. # -> bits 17 through 24 are "c"
  6186. # -> bits 17 through 32 are "c * 256 + d"
  6187. #
  6188. # NOTE-2: Due to the use of bitmasks in class 2,3,4 pools they only apply to
  6189. # IPv4 traffic. Class 1 and 5 pools may be used with IPv6 traffic.
  6190. #
  6191. # This clause only supports fast acl types.
  6192. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  6193. #
  6194. # See also delay_parameters and delay_access.
  6195. #Default:
  6196. # none
  6197.  
  6198. # TAG: delay_access
  6199. # This is used to determine which delay pool a request falls into.
  6200. #
  6201. # delay_access is sorted per pool and the matching starts with pool 1,
  6202. # then pool 2, ..., and finally pool N. The first delay pool where the
  6203. # request is allowed is selected for the request. If it does not allow
  6204. # the request to any pool then the request is not delayed (default).
  6205. #
  6206. # For example, if you want some_big_clients in delay
  6207. # pool 1 and lotsa_little_clients in delay pool 2:
  6208. #
  6209. # delay_access 1 allow some_big_clients
  6210. # delay_access 1 deny all
  6211. # delay_access 2 allow lotsa_little_clients
  6212. # delay_access 2 deny all
  6213. # delay_access 3 allow authenticated_clients
  6214. #
  6215. # See also delay_parameters and delay_class.
  6216. #
  6217. #Default:
  6218. # Deny using the pool, unless allow rules exist in squid.conf for the pool.
  6219.  
  6220. # TAG: delay_parameters
  6221. # This defines the parameters for a delay pool. Each delay pool has
  6222. # a number of "buckets" associated with it, as explained in the
  6223. # description of delay_class.
  6224. #
  6225. # For a class 1 delay pool, the syntax is:
  6226. # delay_class pool 1
  6227. # delay_parameters pool aggregate
  6228. #
  6229. # For a class 2 delay pool:
  6230. # delay_class pool 2
  6231. # delay_parameters pool aggregate individual
  6232. #
  6233. # For a class 3 delay pool:
  6234. # delay_class pool 3
  6235. # delay_parameters pool aggregate network individual
  6236. #
  6237. # For a class 4 delay pool:
  6238. # delay_class pool 4
  6239. # delay_parameters pool aggregate network individual user
  6240. #
  6241. # For a class 5 delay pool:
  6242. # delay_class pool 5
  6243. # delay_parameters pool tagrate
  6244. #
  6245. # The option variables are:
  6246. #
  6247. # pool a pool number - ie, a number between 1 and the
  6248. # number specified in delay_pools as used in
  6249. # delay_class lines.
  6250. #
  6251. # aggregate the speed limit parameters for the aggregate bucket
  6252. # (class 1, 2, 3).
  6253. #
  6254. # individual the speed limit parameters for the individual
  6255. # buckets (class 2, 3).
  6256. #
  6257. # network the speed limit parameters for the network buckets
  6258. # (class 3).
  6259. #
  6260. # user the speed limit parameters for the user buckets
  6261. # (class 4).
  6262. #
  6263. # tagrate the speed limit parameters for the tag buckets
  6264. # (class 5).
  6265. #
  6266. # A pair of delay parameters is written restore/maximum, where restore is
  6267. # the number of bytes (not bits - modem and network speeds are usually
  6268. # quoted in bits) per second placed into the bucket, and maximum is the
  6269. # maximum number of bytes which can be in the bucket at any time.
  6270. #
  6271. # There must be one delay_parameters line for each delay pool.
  6272. #
  6273. #
  6274. # For example, if delay pool number 1 is a class 2 delay pool as in the
  6275. # above example, and is being used to strictly limit each host to 64Kbit/sec
  6276. # (plus overheads), with no overall limit, the line is:
  6277. #
  6278. # delay_parameters 1 none 8000/8000
  6279. #
  6280. # Note that 8 x 8K Byte/sec -> 64K bit/sec.
  6281. #
  6282. # Note that the word 'none' is used to represent no limit.
  6283. #
  6284. #
  6285. # And, if delay pool number 2 is a class 3 delay pool as in the above
  6286. # example, and you want to limit it to a total of 256Kbit/sec (strict limit)
  6287. # with each 8-bit network permitted 64Kbit/sec (strict limit) and each
  6288. # individual host permitted 4800bit/sec with a bucket maximum size of 64Kbits
  6289. # to permit a decent web page to be downloaded at a decent speed
  6290. # (if the network is not being limited due to overuse) but slow down
  6291. # large downloads more significantly:
  6292. #
  6293. # delay_parameters 2 32000/32000 8000/8000 600/8000
  6294. #
  6295. # Note that 8 x 32K Byte/sec -> 256K bit/sec.
  6296. # 8 x 8K Byte/sec -> 64K bit/sec.
  6297. # 8 x 600 Byte/sec -> 4800 bit/sec.
  6298. #
  6299. #
  6300. # Finally, for a class 4 delay pool as in the example - each user will
  6301. # be limited to 128Kbits/sec no matter how many workstations they are logged into.:
  6302. #
  6303. # delay_parameters 4 32000/32000 8000/8000 600/64000 16000/16000
  6304. #
  6305. #
  6306. # See also delay_class and delay_access.
  6307. #
  6308. #Default:
  6309. # none
  6310.  
  6311. # TAG: delay_initial_bucket_level (percent, 0-100)
  6312. # The initial bucket percentage is used to determine how much is put
  6313. # in each bucket when squid starts, is reconfigured, or first notices
  6314. # a host accessing it (in class 2 and class 3, individual hosts and
  6315. # networks only have buckets associated with them once they have been
  6316. # "seen" by squid).
  6317. #Default:
  6318. # delay_initial_bucket_level 50
  6319.  
  6320. # CLIENT DELAY POOL PARAMETERS
  6321. # -----------------------------------------------------------------------------
  6322.  
  6323. # TAG: client_delay_pools
  6324. # This option specifies the number of client delay pools used. It must
  6325. # preceed other client_delay_* options.
  6326. #
  6327. # Example:
  6328. # client_delay_pools 2
  6329. #
  6330. # See also client_delay_parameters and client_delay_access.
  6331. #Default:
  6332. # client_delay_pools 0
  6333.  
  6334. # TAG: client_delay_initial_bucket_level (percent, 0-no_limit)
  6335. # This option determines the initial bucket size as a percentage of
  6336. # max_bucket_size from client_delay_parameters. Buckets are created
  6337. # at the time of the "first" connection from the matching IP. Idle
  6338. # buckets are periodically deleted up.
  6339. #
  6340. # You can specify more than 100 percent but note that such "oversized"
  6341. # buckets are not refilled until their size goes down to max_bucket_size
  6342. # from client_delay_parameters.
  6343. #
  6344. # Example:
  6345. # client_delay_initial_bucket_level 50
  6346. #Default:
  6347. # client_delay_initial_bucket_level 50
  6348.  
  6349. # TAG: client_delay_parameters
  6350. #
  6351. # This option configures client-side bandwidth limits using the
  6352. # following format:
  6353. #
  6354. # client_delay_parameters pool speed_limit max_bucket_size
  6355. #
  6356. # pool is an integer ID used for client_delay_access matching.
  6357. #
  6358. # speed_limit is bytes added to the bucket per second.
  6359. #
  6360. # max_bucket_size is the maximum size of a bucket, enforced after any
  6361. # speed_limit additions.
  6362. #
  6363. # Please see the delay_parameters option for more information and
  6364. # examples.
  6365. #
  6366. # Example:
  6367. # client_delay_parameters 1 1024 2048
  6368. # client_delay_parameters 2 51200 16384
  6369. #
  6370. # See also client_delay_access.
  6371. #
  6372. #Default:
  6373. # none
  6374.  
  6375. # TAG: client_delay_access
  6376. # This option determines the client-side delay pool for the
  6377. # request:
  6378. #
  6379. # client_delay_access pool_ID allow|deny acl_name
  6380. #
  6381. # All client_delay_access options are checked in their pool ID
  6382. # order, starting with pool 1. The first checked pool with allowed
  6383. # request is selected for the request. If no ACL matches or there
  6384. # are no client_delay_access options, the request bandwidth is not
  6385. # limited.
  6386. #
  6387. # The ACL-selected pool is then used to find the
  6388. # client_delay_parameters for the request. Client-side pools are
  6389. # not used to aggregate clients. Clients are always aggregated
  6390. # based on their source IP addresses (one bucket per source IP).
  6391. #
  6392. # This clause only supports fast acl types.
  6393. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  6394. # Additionally, only the client TCP connection details are available.
  6395. # ACLs testing HTTP properties will not work.
  6396. #
  6397. # Please see delay_access for more examples.
  6398. #
  6399. # Example:
  6400. # client_delay_access 1 allow low_rate_network
  6401. # client_delay_access 2 allow vips_network
  6402. #
  6403. #
  6404. # See also client_delay_parameters and client_delay_pools.
  6405. #Default:
  6406. # Deny use of the pool, unless allow rules exist in squid.conf for the pool.
  6407.  
  6408. # WCCPv1 AND WCCPv2 CONFIGURATION OPTIONS
  6409. # -----------------------------------------------------------------------------
  6410.  
  6411. # TAG: wccp_router
  6412. # Use this option to define your WCCP ``home'' router for
  6413. # Squid.
  6414. #
  6415. # wccp_router supports a single WCCP(v1) router
  6416. #
  6417. # wccp2_router supports multiple WCCPv2 routers
  6418. #
  6419. # only one of the two may be used at the same time and defines
  6420. # which version of WCCP to use.
  6421. #Default:
  6422. # WCCP disabled.
  6423.  
  6424. # TAG: wccp2_router
  6425. # Use this option to define your WCCP ``home'' router for
  6426. # Squid.
  6427. #
  6428. # wccp_router supports a single WCCP(v1) router
  6429. #
  6430. # wccp2_router supports multiple WCCPv2 routers
  6431. #
  6432. # only one of the two may be used at the same time and defines
  6433. # which version of WCCP to use.
  6434. #Default:
  6435. # WCCPv2 disabled.
  6436.  
  6437. # TAG: wccp_version
  6438. # This directive is only relevant if you need to set up WCCP(v1)
  6439. # to some very old and end-of-life Cisco routers. In all other
  6440. # setups it must be left unset or at the default setting.
  6441. # It defines an internal version in the WCCP(v1) protocol,
  6442. # with version 4 being the officially documented protocol.
  6443. #
  6444. # According to some users, Cisco IOS 11.2 and earlier only
  6445. # support WCCP version 3. If you're using that or an earlier
  6446. # version of IOS, you may need to change this value to 3, otherwise
  6447. # do not specify this parameter.
  6448. #Default:
  6449. # wccp_version 4
  6450.  
  6451. # TAG: wccp2_rebuild_wait
  6452. # If this is enabled Squid will wait for the cache dir rebuild to finish
  6453. # before sending the first wccp2 HereIAm packet
  6454. #Default:
  6455. # wccp2_rebuild_wait on
  6456.  
  6457. # TAG: wccp2_forwarding_method
  6458. # WCCP2 allows the setting of forwarding methods between the
  6459. # router/switch and the cache. Valid values are as follows:
  6460. #
  6461. # gre - GRE encapsulation (forward the packet in a GRE/WCCP tunnel)
  6462. # l2 - L2 redirect (forward the packet using Layer 2/MAC rewriting)
  6463. #
  6464. # Currently (as of IOS 12.4) cisco routers only support GRE.
  6465. # Cisco switches only support the L2 redirect assignment method.
  6466. #Default:
  6467. # wccp2_forwarding_method gre
  6468.  
  6469. # TAG: wccp2_return_method
  6470. # WCCP2 allows the setting of return methods between the
  6471. # router/switch and the cache for packets that the cache
  6472. # decides not to handle. Valid values are as follows:
  6473. #
  6474. # gre - GRE encapsulation (forward the packet in a GRE/WCCP tunnel)
  6475. # l2 - L2 redirect (forward the packet using Layer 2/MAC rewriting)
  6476. #
  6477. # Currently (as of IOS 12.4) cisco routers only support GRE.
  6478. # Cisco switches only support the L2 redirect assignment.
  6479. #
  6480. # If the "ip wccp redirect exclude in" command has been
  6481. # enabled on the cache interface, then it is still safe for
  6482. # the proxy server to use a l2 redirect method even if this
  6483. # option is set to GRE.
  6484. #Default:
  6485. # wccp2_return_method gre
  6486.  
  6487. # TAG: wccp2_assignment_method
  6488. # WCCP2 allows the setting of methods to assign the WCCP hash
  6489. # Valid values are as follows:
  6490. #
  6491. # hash - Hash assignment
  6492. # mask - Mask assignment
  6493. #
  6494. # As a general rule, cisco routers support the hash assignment method
  6495. # and cisco switches support the mask assignment method.
  6496. #Default:
  6497. # wccp2_assignment_method hash
  6498.  
  6499. # TAG: wccp2_service
  6500. # WCCP2 allows for multiple traffic services. There are two
  6501. # types: "standard" and "dynamic". The standard type defines
  6502. # one service id - http (id 0). The dynamic service ids can be from
  6503. # 51 to 255 inclusive. In order to use a dynamic service id
  6504. # one must define the type of traffic to be redirected; this is done
  6505. # using the wccp2_service_info option.
  6506. #
  6507. # The "standard" type does not require a wccp2_service_info option,
  6508. # just specifying the service id will suffice.
  6509. #
  6510. # MD5 service authentication can be enabled by adding
  6511. # "password=<password>" to the end of this service declaration.
  6512. #
  6513. # Examples:
  6514. #
  6515. # wccp2_service standard 0 # for the 'web-cache' standard service
  6516. # wccp2_service dynamic 80 # a dynamic service type which will be
  6517. # # fleshed out with subsequent options.
  6518. # wccp2_service standard 0 password=foo
  6519. #Default:
  6520. # Use the 'web-cache' standard service.
  6521.  
  6522. # TAG: wccp2_service_info
  6523. # Dynamic WCCPv2 services require further information to define the
  6524. # traffic you wish to have diverted.
  6525. #
  6526. # The format is:
  6527. #
  6528. # wccp2_service_info <id> protocol=<protocol> flags=<flag>,<flag>..
  6529. # priority=<priority> ports=<port>,<port>..
  6530. #
  6531. # The relevant WCCPv2 flags:
  6532. # + src_ip_hash, dst_ip_hash
  6533. # + source_port_hash, dst_port_hash
  6534. # + src_ip_alt_hash, dst_ip_alt_hash
  6535. # + src_port_alt_hash, dst_port_alt_hash
  6536. # + ports_source
  6537. #
  6538. # The port list can be one to eight entries.
  6539. #
  6540. # Example:
  6541. #
  6542. # wccp2_service_info 80 protocol=tcp flags=src_ip_hash,ports_source
  6543. # priority=240 ports=80
  6544. #
  6545. # Note: the service id must have been defined by a previous
  6546. # 'wccp2_service dynamic <id>' entry.
  6547. #Default:
  6548. # none
  6549.  
  6550. # TAG: wccp2_weight
  6551. # Each cache server gets assigned a set of the destination
  6552. # hash proportional to their weight.
  6553. #Default:
  6554. # wccp2_weight 10000
  6555.  
  6556. # TAG: wccp_address
  6557. # Use this option if you require WCCPv2 to use a specific
  6558. # interface address.
  6559. #
  6560. # The default behavior is to not bind to any specific address.
  6561. #Default:
  6562. # Address selected by the operating system.
  6563.  
  6564. # TAG: wccp2_address
  6565. # Use this option if you require WCCP to use a specific
  6566. # interface address.
  6567. #
  6568. # The default behavior is to not bind to any specific address.
  6569. #Default:
  6570. # Address selected by the operating system.
  6571.  
  6572. # PERSISTENT CONNECTION HANDLING
  6573. # -----------------------------------------------------------------------------
  6574. #
  6575. # Also see "pconn_timeout" in the TIMEOUTS section
  6576.  
  6577. # TAG: client_persistent_connections
  6578. # Persistent connection support for clients.
  6579. # Squid uses persistent connections (when allowed). You can use
  6580. # this option to disable persistent connections with clients.
  6581. #Default:
  6582. # client_persistent_connections on
  6583.  
  6584. # TAG: server_persistent_connections
  6585. # Persistent connection support for servers.
  6586. # Squid uses persistent connections (when allowed). You can use
  6587. # this option to disable persistent connections with servers.
  6588. #Default:
  6589. # server_persistent_connections on
  6590.  
  6591. # TAG: persistent_connection_after_error
  6592. # With this directive the use of persistent connections after
  6593. # HTTP errors can be disabled. Useful if you have clients
  6594. # who fail to handle errors on persistent connections proper.
  6595. #Default:
  6596. # persistent_connection_after_error on
  6597.  
  6598. # TAG: detect_broken_pconn
  6599. # Some servers have been found to incorrectly signal the use
  6600. # of HTTP/1.0 persistent connections even on replies not
  6601. # compatible, causing significant delays. This server problem
  6602. # has mostly been seen on redirects.
  6603. #
  6604. # By enabling this directive Squid attempts to detect such
  6605. # broken replies and automatically assume the reply is finished
  6606. # after 10 seconds timeout.
  6607. #Default:
  6608. # detect_broken_pconn off
  6609.  
  6610. # CACHE DIGEST OPTIONS
  6611. # -----------------------------------------------------------------------------
  6612.  
  6613. # TAG: digest_generation
  6614. # This controls whether the server will generate a Cache Digest
  6615. # of its contents. By default, Cache Digest generation is
  6616. # enabled if Squid is compiled with --enable-cache-digests defined.
  6617. #Default:
  6618. # digest_generation on
  6619.  
  6620. # TAG: digest_bits_per_entry
  6621. # This is the number of bits of the server's Cache Digest which
  6622. # will be associated with the Digest entry for a given HTTP
  6623. # Method and URL (public key) combination. The default is 5.
  6624. #Default:
  6625. # digest_bits_per_entry 5
  6626.  
  6627. # TAG: digest_rebuild_period (seconds)
  6628. # This is the wait time between Cache Digest rebuilds.
  6629. #Default:
  6630. # digest_rebuild_period 1 hour
  6631.  
  6632. # TAG: digest_rewrite_period (seconds)
  6633. # This is the wait time between Cache Digest writes to
  6634. # disk.
  6635. #Default:
  6636. # digest_rewrite_period 1 hour
  6637.  
  6638. # TAG: digest_swapout_chunk_size (bytes)
  6639. # This is the number of bytes of the Cache Digest to write to
  6640. # disk at a time. It defaults to 4096 bytes (4KB), the Squid
  6641. # default swap page.
  6642. #Default:
  6643. # digest_swapout_chunk_size 4096 bytes
  6644.  
  6645. # TAG: digest_rebuild_chunk_percentage (percent, 0-100)
  6646. # This is the percentage of the Cache Digest to be scanned at a
  6647. # time. By default it is set to 10% of the Cache Digest.
  6648. #Default:
  6649. # digest_rebuild_chunk_percentage 10
  6650.  
  6651. # SNMP OPTIONS
  6652. # -----------------------------------------------------------------------------
  6653.  
  6654. # TAG: snmp_port
  6655. # The port number where Squid listens for SNMP requests. To enable
  6656. # SNMP support set this to a suitable port number. Port number
  6657. # 3401 is often used for the Squid SNMP agent. By default it's
  6658. # set to "0" (disabled)
  6659. #
  6660. # Example:
  6661. # snmp_port 3401
  6662. #Default:
  6663. # SNMP disabled.
  6664.  
  6665. # TAG: snmp_access
  6666. # Allowing or denying access to the SNMP port.
  6667. #
  6668. # All access to the agent is denied by default.
  6669. # usage:
  6670. #
  6671. # snmp_access allow|deny [!]aclname ...
  6672. #
  6673. # This clause only supports fast acl types.
  6674. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  6675. #
  6676. #Example:
  6677. # snmp_access allow snmppublic localhost
  6678. # snmp_access deny all
  6679. #Default:
  6680. # Deny, unless rules exist in squid.conf.
  6681.  
  6682. # TAG: snmp_incoming_address
  6683. # Just like 'udp_incoming_address', but for the SNMP port.
  6684. #
  6685. # snmp_incoming_address is used for the SNMP socket receiving
  6686. # messages from SNMP agents.
  6687. #
  6688. # The default snmp_incoming_address is to listen on all
  6689. # available network interfaces.
  6690. #Default:
  6691. # Accept SNMP packets from all machine interfaces.
  6692.  
  6693. # TAG: snmp_outgoing_address
  6694. # Just like 'udp_outgoing_address', but for the SNMP port.
  6695. #
  6696. # snmp_outgoing_address is used for SNMP packets returned to SNMP
  6697. # agents.
  6698. #
  6699. # If snmp_outgoing_address is not set it will use the same socket
  6700. # as snmp_incoming_address. Only change this if you want to have
  6701. # SNMP replies sent using another address than where this Squid
  6702. # listens for SNMP queries.
  6703. #
  6704. # NOTE, snmp_incoming_address and snmp_outgoing_address can not have
  6705. # the same value since they both use the same port.
  6706. #Default:
  6707. # Use snmp_incoming_address or an address selected by the operating system.
  6708.  
  6709. # ICP OPTIONS
  6710. # -----------------------------------------------------------------------------
  6711.  
  6712. # TAG: icp_port
  6713. # The port number where Squid sends and receives ICP queries to
  6714. # and from neighbor caches. The standard UDP port for ICP is 3130.
  6715. #
  6716. # Example:
  6717. # icp_port 3130
  6718. #Default:
  6719. # ICP disabled.
  6720.  
  6721. # TAG: htcp_port
  6722. # The port number where Squid sends and receives HTCP queries to
  6723. # and from neighbor caches. To turn it on you want to set it to
  6724. # 4827.
  6725. #
  6726. # Example:
  6727. # htcp_port 4827
  6728. #Default:
  6729. # HTCP disabled.
  6730.  
  6731. # TAG: log_icp_queries on|off
  6732. # If set, ICP queries are logged to access.log. You may wish
  6733. # do disable this if your ICP load is VERY high to speed things
  6734. # up or to simplify log analysis.
  6735. #Default:
  6736. # log_icp_queries on
  6737.  
  6738. # TAG: udp_incoming_address
  6739. # udp_incoming_address is used for UDP packets received from other
  6740. # caches.
  6741. #
  6742. # The default behavior is to not bind to any specific address.
  6743. #
  6744. # Only change this if you want to have all UDP queries received on
  6745. # a specific interface/address.
  6746. #
  6747. # NOTE: udp_incoming_address is used by the ICP, HTCP, and DNS
  6748. # modules. Altering it will affect all of them in the same manner.
  6749. #
  6750. # see also; udp_outgoing_address
  6751. #
  6752. # NOTE, udp_incoming_address and udp_outgoing_address can not
  6753. # have the same value since they both use the same port.
  6754. #Default:
  6755. # Accept packets from all machine interfaces.
  6756.  
  6757. # TAG: udp_outgoing_address
  6758. # udp_outgoing_address is used for UDP packets sent out to other
  6759. # caches.
  6760. #
  6761. # The default behavior is to not bind to any specific address.
  6762. #
  6763. # Instead it will use the same socket as udp_incoming_address.
  6764. # Only change this if you want to have UDP queries sent using another
  6765. # address than where this Squid listens for UDP queries from other
  6766. # caches.
  6767. #
  6768. # NOTE: udp_outgoing_address is used by the ICP, HTCP, and DNS
  6769. # modules. Altering it will affect all of them in the same manner.
  6770. #
  6771. # see also; udp_incoming_address
  6772. #
  6773. # NOTE, udp_incoming_address and udp_outgoing_address can not
  6774. # have the same value since they both use the same port.
  6775. #Default:
  6776. # Use udp_incoming_address or an address selected by the operating system.
  6777.  
  6778. # TAG: icp_hit_stale on|off
  6779. # If you want to return ICP_HIT for stale cache objects, set this
  6780. # option to 'on'. If you have sibling relationships with caches
  6781. # in other administrative domains, this should be 'off'. If you only
  6782. # have sibling relationships with caches under your control,
  6783. # it is probably okay to set this to 'on'.
  6784. # If set to 'on', your siblings should use the option "allow-miss"
  6785. # on their cache_peer lines for connecting to you.
  6786. #Default:
  6787. # icp_hit_stale off
  6788.  
  6789. # TAG: minimum_direct_hops
  6790. # If using the ICMP pinging stuff, do direct fetches for sites
  6791. # which are no more than this many hops away.
  6792. #Default:
  6793. # minimum_direct_hops 4
  6794.  
  6795. # TAG: minimum_direct_rtt (msec)
  6796. # If using the ICMP pinging stuff, do direct fetches for sites
  6797. # which are no more than this many rtt milliseconds away.
  6798. #Default:
  6799. # minimum_direct_rtt 400
  6800.  
  6801. # TAG: netdb_low
  6802. # The low water mark for the ICMP measurement database.
  6803. #
  6804. # Note: high watermark controlled by netdb_high directive.
  6805. #
  6806. # These watermarks are counts, not percents. The defaults are
  6807. # (low) 900 and (high) 1000. When the high water mark is
  6808. # reached, database entries will be deleted until the low
  6809. # mark is reached.
  6810. #Default:
  6811. # netdb_low 900
  6812.  
  6813. # TAG: netdb_high
  6814. # The high water mark for the ICMP measurement database.
  6815. #
  6816. # Note: low watermark controlled by netdb_low directive.
  6817. #
  6818. # These watermarks are counts, not percents. The defaults are
  6819. # (low) 900 and (high) 1000. When the high water mark is
  6820. # reached, database entries will be deleted until the low
  6821. # mark is reached.
  6822. #Default:
  6823. # netdb_high 1000
  6824.  
  6825. # TAG: netdb_ping_period
  6826. # The minimum period for measuring a site. There will be at
  6827. # least this much delay between successive pings to the same
  6828. # network. The default is five minutes.
  6829. #Default:
  6830. # netdb_ping_period 5 minutes
  6831.  
  6832. # TAG: query_icmp on|off
  6833. # If you want to ask your peers to include ICMP data in their ICP
  6834. # replies, enable this option.
  6835. #
  6836. # If your peer has configured Squid (during compilation) with
  6837. # '--enable-icmp' that peer will send ICMP pings to origin server
  6838. # sites of the URLs it receives. If you enable this option the
  6839. # ICP replies from that peer will include the ICMP data (if available).
  6840. # Then, when choosing a parent cache, Squid will choose the parent with
  6841. # the minimal RTT to the origin server. When this happens, the
  6842. # hierarchy field of the access.log will be
  6843. # "CLOSEST_PARENT_MISS". This option is off by default.
  6844. #Default:
  6845. # query_icmp off
  6846.  
  6847. # TAG: test_reachability on|off
  6848. # When this is 'on', ICP MISS replies will be ICP_MISS_NOFETCH
  6849. # instead of ICP_MISS if the target host is NOT in the ICMP
  6850. # database, or has a zero RTT.
  6851. #Default:
  6852. # test_reachability off
  6853.  
  6854. # TAG: icp_query_timeout (msec)
  6855. # Normally Squid will automatically determine an optimal ICP
  6856. # query timeout value based on the round-trip-time of recent ICP
  6857. # queries. If you want to override the value determined by
  6858. # Squid, set this 'icp_query_timeout' to a non-zero value. This
  6859. # value is specified in MILLISECONDS, so, to use a 2-second
  6860. # timeout (the old default), you would write:
  6861. #
  6862. # icp_query_timeout 2000
  6863. #Default:
  6864. # Dynamic detection.
  6865.  
  6866. # TAG: maximum_icp_query_timeout (msec)
  6867. # Normally the ICP query timeout is determined dynamically. But
  6868. # sometimes it can lead to very large values (say 5 seconds).
  6869. # Use this option to put an upper limit on the dynamic timeout
  6870. # value. Do NOT use this option to always use a fixed (instead
  6871. # of a dynamic) timeout value. To set a fixed timeout see the
  6872. # 'icp_query_timeout' directive.
  6873. #Default:
  6874. # maximum_icp_query_timeout 2000
  6875.  
  6876. # TAG: minimum_icp_query_timeout (msec)
  6877. # Normally the ICP query timeout is determined dynamically. But
  6878. # sometimes it can lead to very small timeouts, even lower than
  6879. # the normal latency variance on your link due to traffic.
  6880. # Use this option to put an lower limit on the dynamic timeout
  6881. # value. Do NOT use this option to always use a fixed (instead
  6882. # of a dynamic) timeout value. To set a fixed timeout see the
  6883. # 'icp_query_timeout' directive.
  6884. #Default:
  6885. # minimum_icp_query_timeout 5
  6886.  
  6887. # TAG: background_ping_rate time-units
  6888. # Controls how often the ICP pings are sent to siblings that
  6889. # have background-ping set.
  6890. #Default:
  6891. # background_ping_rate 10 seconds
  6892.  
  6893. # MULTICAST ICP OPTIONS
  6894. # -----------------------------------------------------------------------------
  6895.  
  6896. # TAG: mcast_groups
  6897. # This tag specifies a list of multicast groups which your server
  6898. # should join to receive multicasted ICP queries.
  6899. #
  6900. # NOTE! Be very careful what you put here! Be sure you
  6901. # understand the difference between an ICP _query_ and an ICP
  6902. # _reply_. This option is to be set only if you want to RECEIVE
  6903. # multicast queries. Do NOT set this option to SEND multicast
  6904. # ICP (use cache_peer for that). ICP replies are always sent via
  6905. # unicast, so this option does not affect whether or not you will
  6906. # receive replies from multicast group members.
  6907. #
  6908. # You must be very careful to NOT use a multicast address which
  6909. # is already in use by another group of caches.
  6910. #
  6911. # If you are unsure about multicast, please read the Multicast
  6912. # chapter in the Squid FAQ (http://www.squid-cache.org/FAQ/).
  6913. #
  6914. # Usage: mcast_groups 239.128.16.128 224.0.1.20
  6915. #
  6916. # By default, Squid doesn't listen on any multicast groups.
  6917. #Default:
  6918. # none
  6919.  
  6920. # TAG: mcast_miss_addr
  6921. # Note: This option is only available if Squid is rebuilt with the
  6922. # -DMULTICAST_MISS_STREAM define
  6923. #
  6924. # If you enable this option, every "cache miss" URL will
  6925. # be sent out on the specified multicast address.
  6926. #
  6927. # Do not enable this option unless you are are absolutely
  6928. # certain you understand what you are doing.
  6929. #Default:
  6930. # disabled.
  6931.  
  6932. # TAG: mcast_miss_ttl
  6933. # Note: This option is only available if Squid is rebuilt with the
  6934. # -DMULTICAST_MISS_STREAM define
  6935. #
  6936. # This is the time-to-live value for packets multicasted
  6937. # when multicasting off cache miss URLs is enabled. By
  6938. # default this is set to 'site scope', i.e. 16.
  6939. #Default:
  6940. # mcast_miss_ttl 16
  6941.  
  6942. # TAG: mcast_miss_port
  6943. # Note: This option is only available if Squid is rebuilt with the
  6944. # -DMULTICAST_MISS_STREAM define
  6945. #
  6946. # This is the port number to be used in conjunction with
  6947. # 'mcast_miss_addr'.
  6948. #Default:
  6949. # mcast_miss_port 3135
  6950.  
  6951. # TAG: mcast_miss_encode_key
  6952. # Note: This option is only available if Squid is rebuilt with the
  6953. # -DMULTICAST_MISS_STREAM define
  6954. #
  6955. # The URLs that are sent in the multicast miss stream are
  6956. # encrypted. This is the encryption key.
  6957. #Default:
  6958. # mcast_miss_encode_key XXXXXXXXXXXXXXXX
  6959.  
  6960. # TAG: mcast_icp_query_timeout (msec)
  6961. # For multicast peers, Squid regularly sends out ICP "probes" to
  6962. # count how many other peers are listening on the given multicast
  6963. # address. This value specifies how long Squid should wait to
  6964. # count all the replies. The default is 2000 msec, or 2
  6965. # seconds.
  6966. #Default:
  6967. # mcast_icp_query_timeout 2000
  6968.  
  6969. # INTERNAL ICON OPTIONS
  6970. # -----------------------------------------------------------------------------
  6971.  
  6972. # TAG: icon_directory
  6973. # Where the icons are stored. These are normally kept in
  6974. # /usr/share/squid/icons
  6975. #Default:
  6976. # icon_directory /usr/share/squid/icons
  6977.  
  6978. # TAG: global_internal_static
  6979. # This directive controls is Squid should intercept all requests for
  6980. # /squid-internal-static/ no matter which host the URL is requesting
  6981. # (default on setting), or if nothing special should be done for
  6982. # such URLs (off setting). The purpose of this directive is to make
  6983. # icons etc work better in complex cache hierarchies where it may
  6984. # not always be possible for all corners in the cache mesh to reach
  6985. # the server generating a directory listing.
  6986. #Default:
  6987. # global_internal_static on
  6988.  
  6989. # TAG: short_icon_urls
  6990. # If this is enabled Squid will use short URLs for icons.
  6991. # If disabled it will revert to the old behavior of including
  6992. # it's own name and port in the URL.
  6993. #
  6994. # If you run a complex cache hierarchy with a mix of Squid and
  6995. # other proxies you may need to disable this directive.
  6996. #Default:
  6997. # short_icon_urls on
  6998.  
  6999. # ERROR PAGE OPTIONS
  7000. # -----------------------------------------------------------------------------
  7001.  
  7002. # TAG: error_directory
  7003. # If you wish to create your own versions of the default
  7004. # error files to customize them to suit your company copy
  7005. # the error/template files to another directory and point
  7006. # this tag at them.
  7007. #
  7008. # WARNING: This option will disable multi-language support
  7009. # on error pages if used.
  7010. #
  7011. # The squid developers are interested in making squid available in
  7012. # a wide variety of languages. If you are making translations for a
  7013. # language that Squid does not currently provide please consider
  7014. # contributing your translation back to the project.
  7015. # http://wiki.squid-cache.org/Translations
  7016. #
  7017. # The squid developers working on translations are happy to supply drop-in
  7018. # translated error files in exchange for any new language contributions.
  7019. #Default:
  7020. # Send error pages in the clients preferred language
  7021.  
  7022. # TAG: error_default_language
  7023. # Set the default language which squid will send error pages in
  7024. # if no existing translation matches the clients language
  7025. # preferences.
  7026. #
  7027. # If unset (default) generic English will be used.
  7028. #
  7029. # The squid developers are interested in making squid available in
  7030. # a wide variety of languages. If you are interested in making
  7031. # translations for any language see the squid wiki for details.
  7032. # http://wiki.squid-cache.org/Translations
  7033. #Default:
  7034. # Generate English language pages.
  7035.  
  7036. # TAG: error_log_languages
  7037. # Log to cache.log what languages users are attempting to
  7038. # auto-negotiate for translations.
  7039. #
  7040. # Successful negotiations are not logged. Only failures
  7041. # have meaning to indicate that Squid may need an upgrade
  7042. # of its error page translations.
  7043. #Default:
  7044. # error_log_languages on
  7045.  
  7046. # TAG: err_page_stylesheet
  7047. # CSS Stylesheet to pattern the display of Squid default error pages.
  7048. #
  7049. # For information on CSS see http://www.w3.org/Style/CSS/
  7050. #Default:
  7051. # err_page_stylesheet /etc/squid/errorpage.css
  7052.  
  7053. # TAG: err_html_text
  7054. # HTML text to include in error messages. Make this a "mailto"
  7055. # URL to your admin address, or maybe just a link to your
  7056. # organizations Web page.
  7057. #
  7058. # To include this in your error messages, you must rewrite
  7059. # the error template files (found in the "errors" directory).
  7060. # Wherever you want the 'err_html_text' line to appear,
  7061. # insert a %L tag in the error template file.
  7062. #Default:
  7063. # none
  7064.  
  7065. # TAG: email_err_data on|off
  7066. # If enabled, information about the occurred error will be
  7067. # included in the mailto links of the ERR pages (if %W is set)
  7068. # so that the email body contains the data.
  7069. # Syntax is <A HREF="mailto:%w%W">%w</A>
  7070. #Default:
  7071. # email_err_data on
  7072.  
  7073. # TAG: deny_info
  7074. # Usage: deny_info err_page_name acl
  7075. # or deny_info http://... acl
  7076. # or deny_info TCP_RESET acl
  7077. #
  7078. # This can be used to return a ERR_ page for requests which
  7079. # do not pass the 'http_access' rules. Squid remembers the last
  7080. # acl it evaluated in http_access, and if a 'deny_info' line exists
  7081. # for that ACL Squid returns a corresponding error page.
  7082. #
  7083. # The acl is typically the last acl on the http_access deny line which
  7084. # denied access. The exceptions to this rule are:
  7085. # - When Squid needs to request authentication credentials. It's then
  7086. # the first authentication related acl encountered
  7087. # - When none of the http_access lines matches. It's then the last
  7088. # acl processed on the last http_access line.
  7089. # - When the decision to deny access was made by an adaptation service,
  7090. # the acl name is the corresponding eCAP or ICAP service_name.
  7091. #
  7092. # NP: If providing your own custom error pages with error_directory
  7093. # you may also specify them by your custom file name:
  7094. # Example: deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys
  7095. #
  7096. # By defaut Squid will send "403 Forbidden". A different 4xx or 5xx
  7097. # may be specified by prefixing the file name with the code and a colon.
  7098. # e.g. 404:ERR_CUSTOM_ACCESS_DENIED
  7099. #
  7100. # Alternatively you can tell Squid to reset the TCP connection
  7101. # by specifying TCP_RESET.
  7102. #
  7103. # Or you can specify an error URL or URL pattern. The browsers will
  7104. # get redirected to the specified URL after formatting tags have
  7105. # been replaced. Redirect will be done with 302 or 307 according to
  7106. # HTTP/1.1 specs. A different 3xx code may be specified by prefixing
  7107. # the URL. e.g. 303:http://example.com/
  7108. #
  7109. # URL FORMAT TAGS:
  7110. # %a - username (if available. Password NOT included)
  7111. # %B - FTP path URL
  7112. # %e - Error number
  7113. # %E - Error description
  7114. # %h - Squid hostname
  7115. # %H - Request domain name
  7116. # %i - Client IP Address
  7117. # %M - Request Method
  7118. # %O - Unescaped message result from external ACL helper
  7119. # %o - Message result from external ACL helper
  7120. # %p - Request Port number
  7121. # %P - Request Protocol name
  7122. # %R - Request URL path
  7123. # %T - Timestamp in RFC 1123 format
  7124. # %U - Full canonical URL from client
  7125. # (HTTPS URLs terminate with *)
  7126. # %u - Full canonical URL from client
  7127. # %w - Admin email from squid.conf
  7128. # %x - Error name
  7129. # %% - Literal percent (%) code
  7130. #
  7131. #Default:
  7132. # none
  7133.  
  7134. # OPTIONS INFLUENCING REQUEST FORWARDING
  7135. # -----------------------------------------------------------------------------
  7136.  
  7137. # TAG: nonhierarchical_direct
  7138. # By default, Squid will send any non-hierarchical requests
  7139. # (not cacheable request type) direct to origin servers.
  7140. #
  7141. # When this is set to "off", Squid will prefer to send these
  7142. # requests to parents.
  7143. #
  7144. # Note that in most configurations, by turning this off you will only
  7145. # add latency to these request without any improvement in global hit
  7146. # ratio.
  7147. #
  7148. # This option only sets a preference. If the parent is unavailable a
  7149. # direct connection to the origin server may still be attempted. To
  7150. # completely prevent direct connections use never_direct.
  7151. #Default:
  7152. # nonhierarchical_direct on
  7153.  
  7154. # TAG: prefer_direct
  7155. # Normally Squid tries to use parents for most requests. If you for some
  7156. # reason like it to first try going direct and only use a parent if
  7157. # going direct fails set this to on.
  7158. #
  7159. # By combining nonhierarchical_direct off and prefer_direct on you
  7160. # can set up Squid to use a parent as a backup path if going direct
  7161. # fails.
  7162. #
  7163. # Note: If you want Squid to use parents for all requests see
  7164. # the never_direct directive. prefer_direct only modifies how Squid
  7165. # acts on cacheable requests.
  7166. #Default:
  7167. # prefer_direct off
  7168.  
  7169. # TAG: cache_miss_revalidate on|off
  7170. # RFC 7232 defines a conditional request mechanism to prevent
  7171. # response objects being unnecessarily transferred over the network.
  7172. # If that mechanism is used by the client and a cache MISS occurs
  7173. # it can prevent new cache entries being created.
  7174. #
  7175. # This option determines whether Squid on cache MISS will pass the
  7176. # client revalidation request to the server or tries to fetch new
  7177. # content for caching. It can be useful while the cache is mostly
  7178. # empty to more quickly have the cache populated by generating
  7179. # non-conditional GETs.
  7180. #
  7181. # When set to 'on' (default), Squid will pass all client If-* headers
  7182. # to the server. This permits server responses without a cacheable
  7183. # payload to be delivered and on MISS no new cache entry is created.
  7184. #
  7185. # When set to 'off' and if the request is cacheable, Squid will
  7186. # remove the clients If-Modified-Since and If-None-Match headers from
  7187. # the request sent to the server. This requests a 200 status response
  7188. # from the server to create a new cache entry with.
  7189. #Default:
  7190. # cache_miss_revalidate on
  7191.  
  7192. # TAG: always_direct
  7193. # Usage: always_direct allow|deny [!]aclname ...
  7194. #
  7195. # Here you can use ACL elements to specify requests which should
  7196. # ALWAYS be forwarded by Squid to the origin servers without using
  7197. # any peers. For example, to always directly forward requests for
  7198. # local servers ignoring any parents or siblings you may have use
  7199. # something like:
  7200. #
  7201. # acl local-servers dstdomain my.domain.net
  7202. # always_direct allow local-servers
  7203. #
  7204. # To always forward FTP requests directly, use
  7205. #
  7206. # acl FTP proto FTP
  7207. # always_direct allow FTP
  7208. #
  7209. # NOTE: There is a similar, but opposite option named
  7210. # 'never_direct'. You need to be aware that "always_direct deny
  7211. # foo" is NOT the same thing as "never_direct allow foo". You
  7212. # may need to use a deny rule to exclude a more-specific case of
  7213. # some other rule. Example:
  7214. #
  7215. # acl local-external dstdomain external.foo.net
  7216. # acl local-servers dstdomain .foo.net
  7217. # always_direct deny local-external
  7218. # always_direct allow local-servers
  7219. #
  7220. # NOTE: If your goal is to make the client forward the request
  7221. # directly to the origin server bypassing Squid then this needs
  7222. # to be done in the client configuration. Squid configuration
  7223. # can only tell Squid how Squid should fetch the object.
  7224. #
  7225. # NOTE: This directive is not related to caching. The replies
  7226. # is cached as usual even if you use always_direct. To not cache
  7227. # the replies see the 'cache' directive.
  7228. #
  7229. # This clause supports both fast and slow acl types.
  7230. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  7231. #Default:
  7232. # Prevent any cache_peer being used for this request.
  7233.  
  7234. # TAG: never_direct
  7235. # Usage: never_direct allow|deny [!]aclname ...
  7236. #
  7237. # never_direct is the opposite of always_direct. Please read
  7238. # the description for always_direct if you have not already.
  7239. #
  7240. # With 'never_direct' you can use ACL elements to specify
  7241. # requests which should NEVER be forwarded directly to origin
  7242. # servers. For example, to force the use of a proxy for all
  7243. # requests, except those in your local domain use something like:
  7244. #
  7245. # acl local-servers dstdomain .foo.net
  7246. # never_direct deny local-servers
  7247. # never_direct allow all
  7248. #
  7249. # or if Squid is inside a firewall and there are local intranet
  7250. # servers inside the firewall use something like:
  7251. #
  7252. # acl local-intranet dstdomain .foo.net
  7253. # acl local-external dstdomain external.foo.net
  7254. # always_direct deny local-external
  7255. # always_direct allow local-intranet
  7256. # never_direct allow all
  7257. #
  7258. # This clause supports both fast and slow acl types.
  7259. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  7260. #Default:
  7261. # Allow DNS results to be used for this request.
  7262.  
  7263. # ADVANCED NETWORKING OPTIONS
  7264. # -----------------------------------------------------------------------------
  7265.  
  7266. # TAG: incoming_udp_average
  7267. # Heavy voodoo here. I can't even believe you are reading this.
  7268. # Are you crazy? Don't even think about adjusting these unless
  7269. # you understand the algorithms in comm_select.c first!
  7270. #Default:
  7271. # incoming_udp_average 6
  7272.  
  7273. # TAG: incoming_tcp_average
  7274. # Heavy voodoo here. I can't even believe you are reading this.
  7275. # Are you crazy? Don't even think about adjusting these unless
  7276. # you understand the algorithms in comm_select.c first!
  7277. #Default:
  7278. # incoming_tcp_average 4
  7279.  
  7280. # TAG: incoming_dns_average
  7281. # Heavy voodoo here. I can't even believe you are reading this.
  7282. # Are you crazy? Don't even think about adjusting these unless
  7283. # you understand the algorithms in comm_select.c first!
  7284. #Default:
  7285. # incoming_dns_average 4
  7286.  
  7287. # TAG: min_udp_poll_cnt
  7288. # Heavy voodoo here. I can't even believe you are reading this.
  7289. # Are you crazy? Don't even think about adjusting these unless
  7290. # you understand the algorithms in comm_select.c first!
  7291. #Default:
  7292. # min_udp_poll_cnt 8
  7293.  
  7294. # TAG: min_dns_poll_cnt
  7295. # Heavy voodoo here. I can't even believe you are reading this.
  7296. # Are you crazy? Don't even think about adjusting these unless
  7297. # you understand the algorithms in comm_select.c first!
  7298. #Default:
  7299. # min_dns_poll_cnt 8
  7300.  
  7301. # TAG: min_tcp_poll_cnt
  7302. # Heavy voodoo here. I can't even believe you are reading this.
  7303. # Are you crazy? Don't even think about adjusting these unless
  7304. # you understand the algorithms in comm_select.c first!
  7305. #Default:
  7306. # min_tcp_poll_cnt 8
  7307.  
  7308. # TAG: accept_filter
  7309. # FreeBSD:
  7310. #
  7311. # The name of an accept(2) filter to install on Squid's
  7312. # listen socket(s). This feature is perhaps specific to
  7313. # FreeBSD and requires support in the kernel.
  7314. #
  7315. # The 'httpready' filter delays delivering new connections
  7316. # to Squid until a full HTTP request has been received.
  7317. # See the accf_http(9) man page for details.
  7318. #
  7319. # The 'dataready' filter delays delivering new connections
  7320. # to Squid until there is some data to process.
  7321. # See the accf_dataready(9) man page for details.
  7322. #
  7323. # Linux:
  7324. #
  7325. # The 'data' filter delays delivering of new connections
  7326. # to Squid until there is some data to process by TCP_ACCEPT_DEFER.
  7327. # You may optionally specify a number of seconds to wait by
  7328. # 'data=N' where N is the number of seconds. Defaults to 30
  7329. # if not specified. See the tcp(7) man page for details.
  7330. #EXAMPLE:
  7331. ## FreeBSD
  7332. #accept_filter httpready
  7333. ## Linux
  7334. #accept_filter data
  7335. #Default:
  7336. # none
  7337.  
  7338. # TAG: client_ip_max_connections
  7339. # Set an absolute limit on the number of connections a single
  7340. # client IP can use. Any more than this and Squid will begin to drop
  7341. # new connections from the client until it closes some links.
  7342. #
  7343. # Note that this is a global limit. It affects all HTTP, HTCP, Gopher and FTP
  7344. # connections from the client. For finer control use the ACL access controls.
  7345. #
  7346. # Requires client_db to be enabled (the default).
  7347. #
  7348. # WARNING: This may noticably slow down traffic received via external proxies
  7349. # or NAT devices and cause them to rebound error messages back to their clients.
  7350. #Default:
  7351. # No limit.
  7352.  
  7353. # TAG: tcp_recv_bufsize (bytes)
  7354. # Size of receive buffer to set for TCP sockets. Probably just
  7355. # as easy to change your kernel's default.
  7356. # Omit from squid.conf to use the default buffer size.
  7357. #Default:
  7358. # Use operating system TCP defaults.
  7359.  
  7360. # ICAP OPTIONS
  7361. # -----------------------------------------------------------------------------
  7362.  
  7363. # TAG: icap_enable on|off
  7364. # If you want to enable the ICAP module support, set this to on.
  7365. #Default:
  7366. # icap_enable off
  7367.  
  7368. # TAG: icap_connect_timeout
  7369. # This parameter specifies how long to wait for the TCP connect to
  7370. # the requested ICAP server to complete before giving up and either
  7371. # terminating the HTTP transaction or bypassing the failure.
  7372. #
  7373. # The default for optional services is peer_connect_timeout.
  7374. # The default for essential services is connect_timeout.
  7375. # If this option is explicitly set, its value applies to all services.
  7376. #Default:
  7377. # none
  7378.  
  7379. # TAG: icap_io_timeout time-units
  7380. # This parameter specifies how long to wait for an I/O activity on
  7381. # an established, active ICAP connection before giving up and
  7382. # either terminating the HTTP transaction or bypassing the
  7383. # failure.
  7384. #Default:
  7385. # Use read_timeout.
  7386.  
  7387. # TAG: icap_service_failure_limit limit [in memory-depth time-units]
  7388. # The limit specifies the number of failures that Squid tolerates
  7389. # when establishing a new TCP connection with an ICAP service. If
  7390. # the number of failures exceeds the limit, the ICAP service is
  7391. # not used for new ICAP requests until it is time to refresh its
  7392. # OPTIONS.
  7393. #
  7394. # A negative value disables the limit. Without the limit, an ICAP
  7395. # service will not be considered down due to connectivity failures
  7396. # between ICAP OPTIONS requests.
  7397. #
  7398. # Squid forgets ICAP service failures older than the specified
  7399. # value of memory-depth. The memory fading algorithm
  7400. # is approximate because Squid does not remember individual
  7401. # errors but groups them instead, splitting the option
  7402. # value into ten time slots of equal length.
  7403. #
  7404. # When memory-depth is 0 and by default this option has no
  7405. # effect on service failure expiration.
  7406. #
  7407. # Squid always forgets failures when updating service settings
  7408. # using an ICAP OPTIONS transaction, regardless of this option
  7409. # setting.
  7410. #
  7411. # For example,
  7412. # # suspend service usage after 10 failures in 5 seconds:
  7413. # icap_service_failure_limit 10 in 5 seconds
  7414. #Default:
  7415. # icap_service_failure_limit 10
  7416.  
  7417. # TAG: icap_service_revival_delay
  7418. # The delay specifies the number of seconds to wait after an ICAP
  7419. # OPTIONS request failure before requesting the options again. The
  7420. # failed ICAP service is considered "down" until fresh OPTIONS are
  7421. # fetched.
  7422. #
  7423. # The actual delay cannot be smaller than the hardcoded minimum
  7424. # delay of 30 seconds.
  7425. #Default:
  7426. # icap_service_revival_delay 180
  7427.  
  7428. # TAG: icap_preview_enable on|off
  7429. # The ICAP Preview feature allows the ICAP server to handle the
  7430. # HTTP message by looking only at the beginning of the message body
  7431. # or even without receiving the body at all. In some environments,
  7432. # previews greatly speedup ICAP processing.
  7433. #
  7434. # During an ICAP OPTIONS transaction, the server may tell Squid what
  7435. # HTTP messages should be previewed and how big the preview should be.
  7436. # Squid will not use Preview if the server did not request one.
  7437. #
  7438. # To disable ICAP Preview for all ICAP services, regardless of
  7439. # individual ICAP server OPTIONS responses, set this option to "off".
  7440. #Example:
  7441. #icap_preview_enable off
  7442. #Default:
  7443. # icap_preview_enable on
  7444.  
  7445. # TAG: icap_preview_size
  7446. # The default size of preview data to be sent to the ICAP server.
  7447. # This value might be overwritten on a per server basis by OPTIONS requests.
  7448. #Default:
  7449. # No preview sent.
  7450.  
  7451. # TAG: icap_206_enable on|off
  7452. # 206 (Partial Content) responses is an ICAP extension that allows the
  7453. # ICAP agents to optionally combine adapted and original HTTP message
  7454. # content. The decision to combine is postponed until the end of the
  7455. # ICAP response. Squid supports Partial Content extension by default.
  7456. #
  7457. # Activation of the Partial Content extension is negotiated with each
  7458. # ICAP service during OPTIONS exchange. Most ICAP servers should handle
  7459. # negotation correctly even if they do not support the extension, but
  7460. # some might fail. To disable Partial Content support for all ICAP
  7461. # services and to avoid any negotiation, set this option to "off".
  7462. #
  7463. # Example:
  7464. # icap_206_enable off
  7465. #Default:
  7466. # icap_206_enable on
  7467.  
  7468. # TAG: icap_default_options_ttl
  7469. # The default TTL value for ICAP OPTIONS responses that don't have
  7470. # an Options-TTL header.
  7471. #Default:
  7472. # icap_default_options_ttl 60
  7473.  
  7474. # TAG: icap_persistent_connections on|off
  7475. # Whether or not Squid should use persistent connections to
  7476. # an ICAP server.
  7477. #Default:
  7478. # icap_persistent_connections on
  7479.  
  7480. # TAG: adaptation_send_client_ip on|off
  7481. # If enabled, Squid shares HTTP client IP information with adaptation
  7482. # services. For ICAP, Squid adds the X-Client-IP header to ICAP requests.
  7483. # For eCAP, Squid sets the libecap::metaClientIp transaction option.
  7484. #
  7485. # See also: adaptation_uses_indirect_client
  7486. #Default:
  7487. # adaptation_send_client_ip off
  7488.  
  7489. # TAG: adaptation_send_username on|off
  7490. # This sends authenticated HTTP client username (if available) to
  7491. # the adaptation service.
  7492. #
  7493. # For ICAP, the username value is encoded based on the
  7494. # icap_client_username_encode option and is sent using the header
  7495. # specified by the icap_client_username_header option.
  7496. #Default:
  7497. # adaptation_send_username off
  7498.  
  7499. # TAG: icap_client_username_header
  7500. # ICAP request header name to use for adaptation_send_username.
  7501. #Default:
  7502. # icap_client_username_header X-Client-Username
  7503.  
  7504. # TAG: icap_client_username_encode on|off
  7505. # Whether to base64 encode the authenticated client username.
  7506. #Default:
  7507. # icap_client_username_encode off
  7508.  
  7509. # TAG: icap_service
  7510. # Defines a single ICAP service using the following format:
  7511. #
  7512. # icap_service id vectoring_point uri [option ...]
  7513. #
  7514. # id: ID
  7515. # an opaque identifier or name which is used to direct traffic to
  7516. # this specific service. Must be unique among all adaptation
  7517. # services in squid.conf.
  7518. #
  7519. # vectoring_point: reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache
  7520. # This specifies at which point of transaction processing the
  7521. # ICAP service should be activated. *_postcache vectoring points
  7522. # are not yet supported.
  7523. #
  7524. # uri: icap://servername:port/servicepath
  7525. # ICAP server and service location.
  7526. # icaps://servername:port/servicepath
  7527. # The "icap:" URI scheme is used for traditional ICAP server and
  7528. # service location (default port is 1344, connections are not
  7529. # encrypted). The "icaps:" URI scheme is for Secure ICAP
  7530. # services that use SSL/TLS-encrypted ICAP connections (by
  7531. # default, on port 11344).
  7532. #
  7533. # ICAP does not allow a single service to handle both REQMOD and RESPMOD
  7534. # transactions. Squid does not enforce that requirement. You can specify
  7535. # services with the same service_url and different vectoring_points. You
  7536. # can even specify multiple identical services as long as their
  7537. # service_names differ.
  7538. #
  7539. # To activate a service, use the adaptation_access directive. To group
  7540. # services, use adaptation_service_chain and adaptation_service_set.
  7541. #
  7542. # Service options are separated by white space. ICAP services support
  7543. # the following name=value options:
  7544. #
  7545. # bypass=on|off|1|0
  7546. # If set to 'on' or '1', the ICAP service is treated as
  7547. # optional. If the service cannot be reached or malfunctions,
  7548. # Squid will try to ignore any errors and process the message as
  7549. # if the service was not enabled. No all ICAP errors can be
  7550. # bypassed. If set to 0, the ICAP service is treated as
  7551. # essential and all ICAP errors will result in an error page
  7552. # returned to the HTTP client.
  7553. #
  7554. # Bypass is off by default: services are treated as essential.
  7555. #
  7556. # routing=on|off|1|0
  7557. # If set to 'on' or '1', the ICAP service is allowed to
  7558. # dynamically change the current message adaptation plan by
  7559. # returning a chain of services to be used next. The services
  7560. # are specified using the X-Next-Services ICAP response header
  7561. # value, formatted as a comma-separated list of service names.
  7562. # Each named service should be configured in squid.conf. Other
  7563. # services are ignored. An empty X-Next-Services value results
  7564. # in an empty plan which ends the current adaptation.
  7565. #
  7566. # Dynamic adaptation plan may cross or cover multiple supported
  7567. # vectoring points in their natural processing order.
  7568. #
  7569. # Routing is not allowed by default: the ICAP X-Next-Services
  7570. # response header is ignored.
  7571. #
  7572. # ipv6=on|off
  7573. # Only has effect on split-stack systems. The default on those systems
  7574. # is to use IPv4-only connections. When set to 'on' this option will
  7575. # make Squid use IPv6-only connections to contact this ICAP service.
  7576. #
  7577. # on-overload=block|bypass|wait|force
  7578. # If the service Max-Connections limit has been reached, do
  7579. # one of the following for each new ICAP transaction:
  7580. # * block: send an HTTP error response to the client
  7581. # * bypass: ignore the "over-connected" ICAP service
  7582. # * wait: wait (in a FIFO queue) for an ICAP connection slot
  7583. # * force: proceed, ignoring the Max-Connections limit
  7584. #
  7585. # In SMP mode with N workers, each worker assumes the service
  7586. # connection limit is Max-Connections/N, even though not all
  7587. # workers may use a given service.
  7588. #
  7589. # The default value is "bypass" if service is bypassable,
  7590. # otherwise it is set to "wait".
  7591. #
  7592. #
  7593. # max-conn=number
  7594. # Use the given number as the Max-Connections limit, regardless
  7595. # of the Max-Connections value given by the service, if any.
  7596. #
  7597. # connection-encryption=on|off
  7598. # Determines the ICAP service effect on the connections_encrypted
  7599. # ACL.
  7600. #
  7601. # The default is "on" for Secure ICAP services (i.e., those
  7602. # with the icaps:// service URIs scheme) and "off" for plain ICAP
  7603. # services.
  7604. #
  7605. # Does not affect ICAP connections (e.g., does not turn Secure
  7606. # ICAP on or off).
  7607. #
  7608. # ==== ICAPS / TLS OPTIONS ====
  7609. #
  7610. # These options are used for Secure ICAP (icaps://....) services only.
  7611. #
  7612. # tls-cert=/path/to/ssl/certificate
  7613. # A client X.509 certificate to use when connecting to
  7614. # this ICAP server.
  7615. #
  7616. # tls-key=/path/to/ssl/key
  7617. # The private key corresponding to the previous
  7618. # tls-cert= option.
  7619. #
  7620. # If tls-key= is not specified tls-cert= is assumed to
  7621. # reference a PEM file containing both the certificate
  7622. # and private key.
  7623. #
  7624. # tls-cipher=... The list of valid TLS/SSL ciphers to use when connecting
  7625. # to this icap server.
  7626. #
  7627. # tls-min-version=1.N
  7628. # The minimum TLS protocol version to permit. To control
  7629. # SSLv3 use the tls-options= parameter.
  7630. # Supported Values: 1.0 (default), 1.1, 1.2
  7631. #
  7632. # tls-options=... Specify various OpenSSL library options:
  7633. #
  7634. # NO_SSLv3 Disallow the use of SSLv3
  7635. #
  7636. # SINGLE_DH_USE
  7637. # Always create a new key when using
  7638. # temporary/ephemeral DH key exchanges
  7639. #
  7640. # ALL Enable various bug workarounds
  7641. # suggested as "harmless" by OpenSSL
  7642. # Be warned that this reduces SSL/TLS
  7643. # strength to some attacks.
  7644. #
  7645. # See the OpenSSL SSL_CTX_set_options documentation for a
  7646. # more complete list. Options relevant only to SSLv2 are
  7647. # not supported.
  7648. #
  7649. # tls-cafile= PEM file containing CA certificates to use when verifying
  7650. # the icap server certificate.
  7651. # Use to specify intermediate CA certificate(s) if not sent
  7652. # by the server. Or the full CA chain for the server when
  7653. # using the tls-default-ca=off flag.
  7654. # May be repeated to load multiple files.
  7655. #
  7656. # tls-capath=... A directory containing additional CA certificates to
  7657. # use when verifying the icap server certificate.
  7658. # Requires OpenSSL or LibreSSL.
  7659. #
  7660. # tls-crlfile=... A certificate revocation list file to use when
  7661. # verifying the icap server certificate.
  7662. #
  7663. # tls-flags=... Specify various flags modifying the Squid TLS implementation:
  7664. #
  7665. # DONT_VERIFY_PEER
  7666. # Accept certificates even if they fail to
  7667. # verify.
  7668. # DONT_VERIFY_DOMAIN
  7669. # Don't verify the icap server certificate
  7670. # matches the server name
  7671. #
  7672. # tls-default-ca[=off]
  7673. # Whether to use the system Trusted CAs. Default is ON.
  7674. #
  7675. # tls-domain= The icap server name as advertised in it's certificate.
  7676. # Used for verifying the correctness of the received icap
  7677. # server certificate. If not specified the icap server
  7678. # hostname extracted from ICAP URI will be used.
  7679. #
  7680. # Older icap_service format without optional named parameters is
  7681. # deprecated but supported for backward compatibility.
  7682. #
  7683. #Example:
  7684. #icap_service svcBlocker reqmod_precache icap://icap1.mydomain.net:1344/reqmod bypass=0
  7685. #icap_service svcLogger reqmod_precache icaps://icap2.mydomain.net:11344/reqmod routing=on
  7686. #Default:
  7687. # none
  7688.  
  7689. # TAG: icap_class
  7690. # This deprecated option was documented to define an ICAP service
  7691. # chain, even though it actually defined a set of similar, redundant
  7692. # services, and the chains were not supported.
  7693. #
  7694. # To define a set of redundant services, please use the
  7695. # adaptation_service_set directive. For service chains, use
  7696. # adaptation_service_chain.
  7697. #Default:
  7698. # none
  7699.  
  7700. # TAG: icap_access
  7701. # This option is deprecated. Please use adaptation_access, which
  7702. # has the same ICAP functionality, but comes with better
  7703. # documentation, and eCAP support.
  7704. #Default:
  7705. # none
  7706.  
  7707. # eCAP OPTIONS
  7708. # -----------------------------------------------------------------------------
  7709.  
  7710. # TAG: ecap_enable on|off
  7711. # Controls whether eCAP support is enabled.
  7712. #Default:
  7713. # ecap_enable off
  7714.  
  7715. # TAG: ecap_service
  7716. # Defines a single eCAP service
  7717. #
  7718. # ecap_service id vectoring_point uri [option ...]
  7719. #
  7720. # id: ID
  7721. # an opaque identifier or name which is used to direct traffic to
  7722. # this specific service. Must be unique among all adaptation
  7723. # services in squid.conf.
  7724. #
  7725. # vectoring_point: reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache
  7726. # This specifies at which point of transaction processing the
  7727. # eCAP service should be activated. *_postcache vectoring points
  7728. # are not yet supported.
  7729. #
  7730. # uri: ecap://vendor/service_name?custom&cgi=style&parameters=optional
  7731. # Squid uses the eCAP service URI to match this configuration
  7732. # line with one of the dynamically loaded services. Each loaded
  7733. # eCAP service must have a unique URI. Obtain the right URI from
  7734. # the service provider.
  7735. #
  7736. # To activate a service, use the adaptation_access directive. To group
  7737. # services, use adaptation_service_chain and adaptation_service_set.
  7738. #
  7739. # Service options are separated by white space. eCAP services support
  7740. # the following name=value options:
  7741. #
  7742. # bypass=on|off|1|0
  7743. # If set to 'on' or '1', the eCAP service is treated as optional.
  7744. # If the service cannot be reached or malfunctions, Squid will try
  7745. # to ignore any errors and process the message as if the service
  7746. # was not enabled. No all eCAP errors can be bypassed.
  7747. # If set to 'off' or '0', the eCAP service is treated as essential
  7748. # and all eCAP errors will result in an error page returned to the
  7749. # HTTP client.
  7750. #
  7751. # Bypass is off by default: services are treated as essential.
  7752. #
  7753. # routing=on|off|1|0
  7754. # If set to 'on' or '1', the eCAP service is allowed to
  7755. # dynamically change the current message adaptation plan by
  7756. # returning a chain of services to be used next.
  7757. #
  7758. # Dynamic adaptation plan may cross or cover multiple supported
  7759. # vectoring points in their natural processing order.
  7760. #
  7761. # Routing is not allowed by default.
  7762. #
  7763. # connection-encryption=on|off
  7764. # Determines the eCAP service effect on the connections_encrypted
  7765. # ACL.
  7766. #
  7767. # Defaults to "on", which does not taint the master transaction
  7768. # w.r.t. that ACL.
  7769. #
  7770. # Does not affect eCAP API calls.
  7771. #
  7772. # Older ecap_service format without optional named parameters is
  7773. # deprecated but supported for backward compatibility.
  7774. #
  7775. #
  7776. #Example:
  7777. #ecap_service s1 reqmod_precache ecap://filters.R.us/leakDetector?on_error=block bypass=off
  7778. #ecap_service s2 respmod_precache ecap://filters.R.us/virusFilter config=/etc/vf.cfg bypass=on
  7779. #Default:
  7780. # none
  7781.  
  7782. # TAG: loadable_modules
  7783. # Instructs Squid to load the specified dynamic module(s) or activate
  7784. # preloaded module(s).
  7785. #Example:
  7786. #loadable_modules /usr/lib/MinimalAdapter.so
  7787. #Default:
  7788. # none
  7789.  
  7790. # MESSAGE ADAPTATION OPTIONS
  7791. # -----------------------------------------------------------------------------
  7792.  
  7793. # TAG: adaptation_service_set
  7794. #
  7795. # Configures an ordered set of similar, redundant services. This is
  7796. # useful when hot standby or backup adaptation servers are available.
  7797. #
  7798. # adaptation_service_set set_name service_name1 service_name2 ...
  7799. #
  7800. # The named services are used in the set declaration order. The first
  7801. # applicable adaptation service from the set is used first. The next
  7802. # applicable service is tried if and only if the transaction with the
  7803. # previous service fails and the message waiting to be adapted is still
  7804. # intact.
  7805. #
  7806. # When adaptation starts, broken services are ignored as if they were
  7807. # not a part of the set. A broken service is a down optional service.
  7808. #
  7809. # The services in a set must be attached to the same vectoring point
  7810. # (e.g., pre-cache) and use the same adaptation method (e.g., REQMOD).
  7811. #
  7812. # If all services in a set are optional then adaptation failures are
  7813. # bypassable. If all services in the set are essential, then a
  7814. # transaction failure with one service may still be retried using
  7815. # another service from the set, but when all services fail, the master
  7816. # transaction fails as well.
  7817. #
  7818. # A set may contain a mix of optional and essential services, but that
  7819. # is likely to lead to surprising results because broken services become
  7820. # ignored (see above), making previously bypassable failures fatal.
  7821. # Technically, it is the bypassability of the last failed service that
  7822. # matters.
  7823. #
  7824. # See also: adaptation_access adaptation_service_chain
  7825. #
  7826. #Example:
  7827. #adaptation_service_set svcBlocker urlFilterPrimary urlFilterBackup
  7828. #adaptation service_set svcLogger loggerLocal loggerRemote
  7829. #Default:
  7830. # none
  7831.  
  7832. # TAG: adaptation_service_chain
  7833. #
  7834. # Configures a list of complementary services that will be applied
  7835. # one-by-one, forming an adaptation chain or pipeline. This is useful
  7836. # when Squid must perform different adaptations on the same message.
  7837. #
  7838. # adaptation_service_chain chain_name service_name1 svc_name2 ...
  7839. #
  7840. # The named services are used in the chain declaration order. The first
  7841. # applicable adaptation service from the chain is used first. The next
  7842. # applicable service is applied to the successful adaptation results of
  7843. # the previous service in the chain.
  7844. #
  7845. # When adaptation starts, broken services are ignored as if they were
  7846. # not a part of the chain. A broken service is a down optional service.
  7847. #
  7848. # Request satisfaction terminates the adaptation chain because Squid
  7849. # does not currently allow declaration of RESPMOD services at the
  7850. # "reqmod_precache" vectoring point (see icap_service or ecap_service).
  7851. #
  7852. # The services in a chain must be attached to the same vectoring point
  7853. # (e.g., pre-cache) and use the same adaptation method (e.g., REQMOD).
  7854. #
  7855. # A chain may contain a mix of optional and essential services. If an
  7856. # essential adaptation fails (or the failure cannot be bypassed for
  7857. # other reasons), the master transaction fails. Otherwise, the failure
  7858. # is bypassed as if the failed adaptation service was not in the chain.
  7859. #
  7860. # See also: adaptation_access adaptation_service_set
  7861. #
  7862. #Example:
  7863. #adaptation_service_chain svcRequest requestLogger urlFilter leakDetector
  7864. #Default:
  7865. # none
  7866.  
  7867. # TAG: adaptation_access
  7868. # Sends an HTTP transaction to an ICAP or eCAP adaptation service.
  7869. #
  7870. # adaptation_access service_name allow|deny [!]aclname...
  7871. # adaptation_access set_name allow|deny [!]aclname...
  7872. #
  7873. # At each supported vectoring point, the adaptation_access
  7874. # statements are processed in the order they appear in this
  7875. # configuration file. Statements pointing to the following services
  7876. # are ignored (i.e., skipped without checking their ACL):
  7877. #
  7878. # - services serving different vectoring points
  7879. # - "broken-but-bypassable" services
  7880. # - "up" services configured to ignore such transactions
  7881. # (e.g., based on the ICAP Transfer-Ignore header).
  7882. #
  7883. # When a set_name is used, all services in the set are checked
  7884. # using the same rules, to find the first applicable one. See
  7885. # adaptation_service_set for details.
  7886. #
  7887. # If an access list is checked and there is a match, the
  7888. # processing stops: For an "allow" rule, the corresponding
  7889. # adaptation service is used for the transaction. For a "deny"
  7890. # rule, no adaptation service is activated.
  7891. #
  7892. # It is currently not possible to apply more than one adaptation
  7893. # service at the same vectoring point to the same HTTP transaction.
  7894. #
  7895. # See also: icap_service and ecap_service
  7896. #
  7897. #Example:
  7898. #adaptation_access service_1 allow all
  7899. #Default:
  7900. # Allow, unless rules exist in squid.conf.
  7901.  
  7902. # TAG: adaptation_service_iteration_limit
  7903. # Limits the number of iterations allowed when applying adaptation
  7904. # services to a message. If your longest adaptation set or chain
  7905. # may have more than 16 services, increase the limit beyond its
  7906. # default value of 16. If detecting infinite iteration loops sooner
  7907. # is critical, make the iteration limit match the actual number
  7908. # of services in your longest adaptation set or chain.
  7909. #
  7910. # Infinite adaptation loops are most likely with routing services.
  7911. #
  7912. # See also: icap_service routing=1
  7913. #Default:
  7914. # adaptation_service_iteration_limit 16
  7915.  
  7916. # TAG: adaptation_masterx_shared_names
  7917. # For each master transaction (i.e., the HTTP request and response
  7918. # sequence, including all related ICAP and eCAP exchanges), Squid
  7919. # maintains a table of metadata. The table entries are (name, value)
  7920. # pairs shared among eCAP and ICAP exchanges. The table is destroyed
  7921. # with the master transaction.
  7922. #
  7923. # This option specifies the table entry names that Squid must accept
  7924. # from and forward to the adaptation transactions.
  7925. #
  7926. # An ICAP REQMOD or RESPMOD transaction may set an entry in the
  7927. # shared table by returning an ICAP header field with a name
  7928. # specified in adaptation_masterx_shared_names.
  7929. #
  7930. # An eCAP REQMOD or RESPMOD transaction may set an entry in the
  7931. # shared table by implementing the libecap::visitEachOption() API
  7932. # to provide an option with a name specified in
  7933. # adaptation_masterx_shared_names.
  7934. #
  7935. # Squid will store and forward the set entry to subsequent adaptation
  7936. # transactions within the same master transaction scope.
  7937. #
  7938. # Only one shared entry name is supported at this time.
  7939. #
  7940. #Example:
  7941. ## share authentication information among ICAP services
  7942. #adaptation_masterx_shared_names X-Subscriber-ID
  7943. #Default:
  7944. # none
  7945.  
  7946. # TAG: adaptation_meta
  7947. # This option allows Squid administrator to add custom ICAP request
  7948. # headers or eCAP options to Squid ICAP requests or eCAP transactions.
  7949. # Use it to pass custom authentication tokens and other
  7950. # transaction-state related meta information to an ICAP/eCAP service.
  7951. #
  7952. # The addition of a meta header is ACL-driven:
  7953. # adaptation_meta name value [!]aclname ...
  7954. #
  7955. # Processing for a given header name stops after the first ACL list match.
  7956. # Thus, it is impossible to add two headers with the same name. If no ACL
  7957. # lists match for a given header name, no such header is added. For
  7958. # example:
  7959. #
  7960. # # do not debug transactions except for those that need debugging
  7961. # adaptation_meta X-Debug 1 needs_debugging
  7962. #
  7963. # # log all transactions except for those that must remain secret
  7964. # adaptation_meta X-Log 1 !keep_secret
  7965. #
  7966. # # mark transactions from users in the "G 1" group
  7967. # adaptation_meta X-Authenticated-Groups "G 1" authed_as_G1
  7968. #
  7969. # The "value" parameter may be a regular squid.conf token or a "double
  7970. # quoted string". Within the quoted string, use backslash (\) to escape
  7971. # any character, which is currently only useful for escaping backslashes
  7972. # and double quotes. For example,
  7973. # "this string has one backslash (\\) and two \"quotes\""
  7974. #
  7975. # Used adaptation_meta header values may be logged via %note
  7976. # logformat code. If multiple adaptation_meta headers with the same name
  7977. # are used during master transaction lifetime, the header values are
  7978. # logged in the order they were used and duplicate values are ignored
  7979. # (only the first repeated value will be logged).
  7980. #Default:
  7981. # none
  7982.  
  7983. # TAG: icap_retry
  7984. # This ACL determines which retriable ICAP transactions are
  7985. # retried. Transactions that received a complete ICAP response
  7986. # and did not have to consume or produce HTTP bodies to receive
  7987. # that response are usually retriable.
  7988. #
  7989. # icap_retry allow|deny [!]aclname ...
  7990. #
  7991. # Squid automatically retries some ICAP I/O timeouts and errors
  7992. # due to persistent connection race conditions.
  7993. #
  7994. # See also: icap_retry_limit
  7995. #Default:
  7996. # icap_retry deny all
  7997.  
  7998. # TAG: icap_retry_limit
  7999. # Limits the number of retries allowed.
  8000. #
  8001. # Communication errors due to persistent connection race
  8002. # conditions are unavoidable, automatically retried, and do not
  8003. # count against this limit.
  8004. #
  8005. # See also: icap_retry
  8006. #Default:
  8007. # No retries are allowed.
  8008.  
  8009. # DNS OPTIONS
  8010. # -----------------------------------------------------------------------------
  8011.  
  8012. # TAG: check_hostnames
  8013. # For security and stability reasons Squid can check
  8014. # hostnames for Internet standard RFC compliance. If you want
  8015. # Squid to perform these checks turn this directive on.
  8016. #Default:
  8017. # check_hostnames off
  8018.  
  8019. # TAG: allow_underscore
  8020. # Underscore characters is not strictly allowed in Internet hostnames
  8021. # but nevertheless used by many sites. Set this to off if you want
  8022. # Squid to be strict about the standard.
  8023. # This check is performed only when check_hostnames is set to on.
  8024. #Default:
  8025. # allow_underscore on
  8026.  
  8027. # TAG: dns_retransmit_interval
  8028. # Initial retransmit interval for DNS queries. The interval is
  8029. # doubled each time all configured DNS servers have been tried.
  8030. #Default:
  8031. # dns_retransmit_interval 5 seconds
  8032.  
  8033. # TAG: dns_timeout
  8034. # DNS Query timeout. If no response is received to a DNS query
  8035. # within this time all DNS servers for the queried domain
  8036. # are assumed to be unavailable.
  8037. #Default:
  8038. # dns_timeout 30 seconds
  8039.  
  8040. # TAG: dns_packet_max
  8041. # Maximum number of bytes packet size to advertise via EDNS.
  8042. # Set to "none" to disable EDNS large packet support.
  8043. #
  8044. # For legacy reasons DNS UDP replies will default to 512 bytes which
  8045. # is too small for many responses. EDNS provides a means for Squid to
  8046. # negotiate receiving larger responses back immediately without having
  8047. # to failover with repeat requests. Responses larger than this limit
  8048. # will retain the old behaviour of failover to TCP DNS.
  8049. #
  8050. # Squid has no real fixed limit internally, but allowing packet sizes
  8051. # over 1500 bytes requires network jumbogram support and is usually not
  8052. # necessary.
  8053. #
  8054. # WARNING: The RFC also indicates that some older resolvers will reply
  8055. # with failure of the whole request if the extension is added. Some
  8056. # resolvers have already been identified which will reply with mangled
  8057. # EDNS response on occasion. Usually in response to many-KB jumbogram
  8058. # sizes being advertised by Squid.
  8059. # Squid will currently treat these both as an unable-to-resolve domain
  8060. # even if it would be resolvable without EDNS.
  8061. #Default:
  8062. # EDNS disabled
  8063.  
  8064. # TAG: dns_defnames on|off
  8065. # Normally the RES_DEFNAMES resolver option is disabled
  8066. # (see res_init(3)). This prevents caches in a hierarchy
  8067. # from interpreting single-component hostnames locally. To allow
  8068. # Squid to handle single-component names, enable this option.
  8069. #Default:
  8070. # Search for single-label domain names is disabled.
  8071.  
  8072. # TAG: dns_multicast_local on|off
  8073. # When set to on, Squid sends multicast DNS lookups on the local
  8074. # network for domains ending in .local and .arpa.
  8075. # This enables local servers and devices to be contacted in an
  8076. # ad-hoc or zero-configuration network environment.
  8077. #Default:
  8078. # Search for .local and .arpa names is disabled.
  8079.  
  8080. # TAG: dns_nameservers
  8081. # Use this if you want to specify a list of DNS name servers
  8082. # (IP addresses) to use instead of those given in your
  8083. # /etc/resolv.conf file.
  8084. #
  8085. # On Windows platforms, if no value is specified here or in
  8086. # the /etc/resolv.conf file, the list of DNS name servers are
  8087. # taken from the Windows registry, both static and dynamic DHCP
  8088. # configurations are supported.
  8089. #
  8090. # Example: dns_nameservers 10.0.0.1 192.172.0.4
  8091. #Default:
  8092. # Use operating system definitions
  8093.  
  8094. # TAG: hosts_file
  8095. # Location of the host-local IP name-address associations
  8096. # database. Most Operating Systems have such a file on different
  8097. # default locations:
  8098. # - Un*X & Linux: /etc/hosts
  8099. # - Windows NT/2000: %SystemRoot%\system32\drivers\etc\hosts
  8100. # (%SystemRoot% value install default is c:\winnt)
  8101. # - Windows XP/2003: %SystemRoot%\system32\drivers\etc\hosts
  8102. # (%SystemRoot% value install default is c:\windows)
  8103. # - Windows 9x/Me: %windir%\hosts
  8104. # (%windir% value is usually c:\windows)
  8105. # - Cygwin: /etc/hosts
  8106. #
  8107. # The file contains newline-separated definitions, in the
  8108. # form ip_address_in_dotted_form name [name ...] names are
  8109. # whitespace-separated. Lines beginning with an hash (#)
  8110. # character are comments.
  8111. #
  8112. # The file is checked at startup and upon configuration.
  8113. # If set to 'none', it won't be checked.
  8114. # If append_domain is used, that domain will be added to
  8115. # domain-local (i.e. not containing any dot character) host
  8116. # definitions.
  8117. #Default:
  8118. # hosts_file /etc/hosts
  8119.  
  8120. # TAG: append_domain
  8121. # Appends local domain name to hostnames without any dots in
  8122. # them. append_domain must begin with a period.
  8123. #
  8124. # Be warned there are now Internet names with no dots in
  8125. # them using only top-domain names, so setting this may
  8126. # cause some Internet sites to become unavailable.
  8127. #
  8128. #Example:
  8129. # append_domain .yourdomain.com
  8130. #Default:
  8131. # Use operating system definitions
  8132.  
  8133. # TAG: ignore_unknown_nameservers
  8134. # By default Squid checks that DNS responses are received
  8135. # from the same IP addresses they are sent to. If they
  8136. # don't match, Squid ignores the response and writes a warning
  8137. # message to cache.log. You can allow responses from unknown
  8138. # nameservers by setting this option to 'off'.
  8139. #Default:
  8140. # ignore_unknown_nameservers on
  8141.  
  8142. # TAG: dns_v4_first
  8143. # With the IPv6 Internet being as fast or faster than IPv4 Internet
  8144. # for most networks Squid prefers to contact websites over IPv6.
  8145. #
  8146. # This option reverses the order of preference to make Squid contact
  8147. # dual-stack websites over IPv4 first. Squid will still perform both
  8148. # IPv6 and IPv4 DNS lookups before connecting.
  8149. #
  8150. # WARNING:
  8151. # This option will restrict the situations under which IPv6
  8152. # connectivity is used (and tested), potentially hiding network
  8153. # problems which would otherwise be detected and warned about.
  8154. #Default:
  8155. # dns_v4_first off
  8156.  
  8157. # TAG: ipcache_size (number of entries)
  8158. # Maximum number of DNS IP cache entries.
  8159. #Default:
  8160. # ipcache_size 1024
  8161.  
  8162. # TAG: ipcache_low (percent)
  8163. #Default:
  8164. # ipcache_low 90
  8165.  
  8166. # TAG: ipcache_high (percent)
  8167. # The size, low-, and high-water marks for the IP cache.
  8168. #Default:
  8169. # ipcache_high 95
  8170.  
  8171. # TAG: fqdncache_size (number of entries)
  8172. # Maximum number of FQDN cache entries.
  8173. #Default:
  8174. # fqdncache_size 1024
  8175.  
  8176. # MISCELLANEOUS
  8177. # -----------------------------------------------------------------------------
  8178.  
  8179. # TAG: configuration_includes_quoted_values on|off
  8180. # If set, Squid will recognize each "quoted string" after a configuration
  8181. # directive as a single parameter. The quotes are stripped before the
  8182. # parameter value is interpreted or used.
  8183. # See "Values with spaces, quotes, and other special characters"
  8184. # section for more details.
  8185. #Default:
  8186. # configuration_includes_quoted_values off
  8187.  
  8188. # TAG: memory_pools on|off
  8189. # If set, Squid will keep pools of allocated (but unused) memory
  8190. # available for future use. If memory is a premium on your
  8191. # system and you believe your malloc library outperforms Squid
  8192. # routines, disable this.
  8193. #Default:
  8194. # memory_pools on
  8195.  
  8196. # TAG: memory_pools_limit (bytes)
  8197. # Used only with memory_pools on:
  8198. # memory_pools_limit 50 MB
  8199. #
  8200. # If set to a non-zero value, Squid will keep at most the specified
  8201. # limit of allocated (but unused) memory in memory pools. All free()
  8202. # requests that exceed this limit will be handled by your malloc
  8203. # library. Squid does not pre-allocate any memory, just safe-keeps
  8204. # objects that otherwise would be free()d. Thus, it is safe to set
  8205. # memory_pools_limit to a reasonably high value even if your
  8206. # configuration will use less memory.
  8207. #
  8208. # If set to none, Squid will keep all memory it can. That is, there
  8209. # will be no limit on the total amount of memory used for safe-keeping.
  8210. #
  8211. # To disable memory allocation optimization, do not set
  8212. # memory_pools_limit to 0 or none. Set memory_pools to "off" instead.
  8213. #
  8214. # An overhead for maintaining memory pools is not taken into account
  8215. # when the limit is checked. This overhead is close to four bytes per
  8216. # object kept. However, pools may actually _save_ memory because of
  8217. # reduced memory thrashing in your malloc library.
  8218. #Default:
  8219. # memory_pools_limit 5 MB
  8220.  
  8221. # TAG: forwarded_for on|off|transparent|truncate|delete
  8222. # If set to "on", Squid will append your client's IP address
  8223. # in the HTTP requests it forwards. By default it looks like:
  8224. #
  8225. # X-Forwarded-For: 192.1.2.3
  8226. #
  8227. # If set to "off", it will appear as
  8228. #
  8229. # X-Forwarded-For: unknown
  8230. #
  8231. # If set to "transparent", Squid will not alter the
  8232. # X-Forwarded-For header in any way.
  8233. #
  8234. # If set to "delete", Squid will delete the entire
  8235. # X-Forwarded-For header.
  8236. #
  8237. # If set to "truncate", Squid will remove all existing
  8238. # X-Forwarded-For entries, and place the client IP as the sole entry.
  8239. #Default:
  8240. # forwarded_for on
  8241.  
  8242. # TAG: cachemgr_passwd
  8243. # Specify passwords for cachemgr operations.
  8244. #
  8245. # Usage: cachemgr_passwd password action action ...
  8246. #
  8247. # Some valid actions are (see cache manager menu for a full list):
  8248. # 5min
  8249. # 60min
  8250. # asndb
  8251. # authenticator
  8252. # cbdata
  8253. # client_list
  8254. # comm_incoming
  8255. # config *
  8256. # counters
  8257. # delay
  8258. # digest_stats
  8259. # dns
  8260. # events
  8261. # filedescriptors
  8262. # fqdncache
  8263. # histograms
  8264. # http_headers
  8265. # info
  8266. # io
  8267. # ipcache
  8268. # mem
  8269. # menu
  8270. # netdb
  8271. # non_peers
  8272. # objects
  8273. # offline_toggle *
  8274. # pconn
  8275. # peer_select
  8276. # reconfigure *
  8277. # redirector
  8278. # refresh
  8279. # server_list
  8280. # shutdown *
  8281. # store_digest
  8282. # storedir
  8283. # utilization
  8284. # via_headers
  8285. # vm_objects
  8286. #
  8287. # * Indicates actions which will not be performed without a
  8288. # valid password, others can be performed if not listed here.
  8289. #
  8290. # To disable an action, set the password to "disable".
  8291. # To allow performing an action without a password, set the
  8292. # password to "none".
  8293. #
  8294. # Use the keyword "all" to set the same password for all actions.
  8295. #
  8296. #Example:
  8297. # cachemgr_passwd secret shutdown
  8298. # cachemgr_passwd lesssssssecret info stats/objects
  8299. # cachemgr_passwd disable all
  8300. #Default:
  8301. # No password. Actions which require password are denied.
  8302.  
  8303. # TAG: client_db on|off
  8304. # If you want to disable collecting per-client statistics,
  8305. # turn off client_db here.
  8306. #Default:
  8307. # client_db on
  8308.  
  8309. # TAG: refresh_all_ims on|off
  8310. # When you enable this option, squid will always check
  8311. # the origin server for an update when a client sends an
  8312. # If-Modified-Since request. Many browsers use IMS
  8313. # requests when the user requests a reload, and this
  8314. # ensures those clients receive the latest version.
  8315. #
  8316. # By default (off), squid may return a Not Modified response
  8317. # based on the age of the cached version.
  8318. #Default:
  8319. # refresh_all_ims off
  8320.  
  8321. # TAG: reload_into_ims on|off
  8322. # When you enable this option, client no-cache or ``reload''
  8323. # requests will be changed to If-Modified-Since requests.
  8324. # Doing this VIOLATES the HTTP standard. Enabling this
  8325. # feature could make you liable for problems which it
  8326. # causes.
  8327. #
  8328. # see also refresh_pattern for a more selective approach.
  8329. #Default:
  8330. # reload_into_ims off
  8331.  
  8332. # TAG: connect_retries
  8333. # Limits the number of reopening attempts when establishing a single
  8334. # TCP connection. All these attempts must still complete before the
  8335. # applicable connection opening timeout expires.
  8336. #
  8337. # By default and when connect_retries is set to zero, Squid does not
  8338. # retry failed connection opening attempts.
  8339. #
  8340. # The (not recommended) maximum is 10 tries. An attempt to configure a
  8341. # higher value results in the value of 10 being used (with a warning).
  8342. #
  8343. # Squid may open connections to retry various high-level forwarding
  8344. # failures. For an outside observer, that activity may look like a
  8345. # low-level connection reopening attempt, but those high-level retries
  8346. # are governed by forward_max_tries instead.
  8347. #
  8348. # See also: connect_timeout, forward_timeout, icap_connect_timeout,
  8349. # ident_timeout, and forward_max_tries.
  8350. #Default:
  8351. # Do not retry failed connections.
  8352.  
  8353. # TAG: retry_on_error
  8354. # If set to ON Squid will automatically retry requests when
  8355. # receiving an error response with status 403 (Forbidden),
  8356. # 500 (Internal Error), 501 or 503 (Service not available).
  8357. # Status 502 and 504 (Gateway errors) are always retried.
  8358. #
  8359. # This is mainly useful if you are in a complex cache hierarchy to
  8360. # work around access control errors.
  8361. #
  8362. # NOTE: This retry will attempt to find another working destination.
  8363. # Which is different from the server which just failed.
  8364. #Default:
  8365. # retry_on_error off
  8366.  
  8367. # TAG: as_whois_server
  8368. # WHOIS server to query for AS numbers. NOTE: AS numbers are
  8369. # queried only when Squid starts up, not for every request.
  8370. #Default:
  8371. # as_whois_server whois.ra.net
  8372.  
  8373. # TAG: offline_mode
  8374. # Enable this option and Squid will never try to validate cached
  8375. # objects.
  8376. #Default:
  8377. # offline_mode off
  8378.  
  8379. # TAG: uri_whitespace
  8380. # What to do with requests that have whitespace characters in the
  8381. # URI. Options:
  8382. #
  8383. # strip: The whitespace characters are stripped out of the URL.
  8384. # This is the behavior recommended by RFC2396 and RFC3986
  8385. # for tolerant handling of generic URI.
  8386. # NOTE: This is one difference between generic URI and HTTP URLs.
  8387. #
  8388. # deny: The request is denied. The user receives an "Invalid
  8389. # Request" message.
  8390. # This is the behaviour recommended by RFC2616 for safe
  8391. # handling of HTTP request URL.
  8392. #
  8393. # allow: The request is allowed and the URI is not changed. The
  8394. # whitespace characters remain in the URI. Note the
  8395. # whitespace is passed to redirector processes if they
  8396. # are in use.
  8397. # Note this may be considered a violation of RFC2616
  8398. # request parsing where whitespace is prohibited in the
  8399. # URL field.
  8400. #
  8401. # encode: The request is allowed and the whitespace characters are
  8402. # encoded according to RFC1738.
  8403. #
  8404. # chop: The request is allowed and the URI is chopped at the
  8405. # first whitespace.
  8406. #
  8407. #
  8408. # NOTE the current Squid implementation of encode and chop violates
  8409. # RFC2616 by not using a 301 redirect after altering the URL.
  8410. #Default:
  8411. # uri_whitespace strip
  8412.  
  8413. # TAG: chroot
  8414. # Specifies a directory where Squid should do a chroot() while
  8415. # initializing. This also causes Squid to fully drop root
  8416. # privileges after initializing. This means, for example, if you
  8417. # use a HTTP port less than 1024 and try to reconfigure, you may
  8418. # get an error saying that Squid can not open the port.
  8419. #Default:
  8420. # none
  8421.  
  8422. # TAG: pipeline_prefetch
  8423. # HTTP clients may send a pipeline of 1+N requests to Squid using a
  8424. # single connection, without waiting for Squid to respond to the first
  8425. # of those requests. This option limits the number of concurrent
  8426. # requests Squid will try to handle in parallel. If set to N, Squid
  8427. # will try to receive and process up to 1+N requests on the same
  8428. # connection concurrently.
  8429. #
  8430. # Defaults to 0 (off) for bandwidth management and access logging
  8431. # reasons.
  8432. #
  8433. # NOTE: pipelining requires persistent connections to clients.
  8434. #
  8435. # WARNING: pipelining breaks NTLM and Negotiate/Kerberos authentication.
  8436. #Default:
  8437. # Do not pre-parse pipelined requests.
  8438.  
  8439. # TAG: high_response_time_warning (msec)
  8440. # If the one-minute median response time exceeds this value,
  8441. # Squid prints a WARNING with debug level 0 to get the
  8442. # administrators attention. The value is in milliseconds.
  8443. #Default:
  8444. # disabled.
  8445.  
  8446. # TAG: high_page_fault_warning
  8447. # If the one-minute average page fault rate exceeds this
  8448. # value, Squid prints a WARNING with debug level 0 to get
  8449. # the administrators attention. The value is in page faults
  8450. # per second.
  8451. #Default:
  8452. # disabled.
  8453.  
  8454. # TAG: high_memory_warning
  8455. # Note: This option is only available if Squid is rebuilt with the
  8456. # GNU Malloc with mstats()
  8457. #
  8458. # If the memory usage (as determined by gnumalloc, if available and used)
  8459. # exceeds this amount, Squid prints a WARNING with debug level 0 to get
  8460. # the administrators attention.
  8461. #Default:
  8462. # disabled.
  8463.  
  8464. # TAG: sleep_after_fork (microseconds)
  8465. # When this is set to a non-zero value, the main Squid process
  8466. # sleeps the specified number of microseconds after a fork()
  8467. # system call. This sleep may help the situation where your
  8468. # system reports fork() failures due to lack of (virtual)
  8469. # memory. Note, however, if you have a lot of child
  8470. # processes, these sleep delays will add up and your
  8471. # Squid will not service requests for some amount of time
  8472. # until all the child processes have been started.
  8473. # On Windows value less then 1000 (1 milliseconds) are
  8474. # rounded to 1000.
  8475. #Default:
  8476. # sleep_after_fork 0
  8477.  
  8478. # TAG: windows_ipaddrchangemonitor on|off
  8479. # Note: This option is only available if Squid is rebuilt with the
  8480. # MS Windows
  8481. #
  8482. # On Windows Squid by default will monitor IP address changes and will
  8483. # reconfigure itself after any detected event. This is very useful for
  8484. # proxies connected to internet with dial-up interfaces.
  8485. # In some cases (a Proxy server acting as VPN gateway is one) it could be
  8486. # desiderable to disable this behaviour setting this to 'off'.
  8487. # Note: after changing this, Squid service must be restarted.
  8488. #Default:
  8489. # windows_ipaddrchangemonitor on
  8490.  
  8491. # TAG: eui_lookup
  8492. # Whether to lookup the EUI or MAC address of a connected client.
  8493. #Default:
  8494. # eui_lookup on
  8495.  
  8496. # TAG: max_filedescriptors
  8497. # Reduce the maximum number of filedescriptors supported below
  8498. # the usual operating system defaults.
  8499. #
  8500. # Remove from squid.conf to inherit the current ulimit setting.
  8501. #
  8502. # Note: Changing this requires a restart of Squid. Also
  8503. # not all I/O types supports large values (eg on Windows).
  8504. #Default:
  8505. # Use operating system limits set by ulimit.
  8506.  
  8507. # TAG: force_request_body_continuation
  8508. # This option controls how Squid handles data upload requests from HTTP
  8509. # and FTP agents that require a "Please Continue" control message response
  8510. # to actually send the request body to Squid. It is mostly useful in
  8511. # adaptation environments.
  8512. #
  8513. # When Squid receives an HTTP request with an "Expect: 100-continue"
  8514. # header or an FTP upload command (e.g., STOR), Squid normally sends the
  8515. # request headers or FTP command information to an adaptation service (or
  8516. # peer) and waits for a response. Most adaptation services (and some
  8517. # broken peers) may not respond to Squid at that stage because they may
  8518. # decide to wait for the HTTP request body or FTP data transfer. However,
  8519. # that request body or data transfer may never come because Squid has not
  8520. # responded with the HTTP 100 or FTP 150 (Please Continue) control message
  8521. # to the request sender yet!
  8522. #
  8523. # An allow match tells Squid to respond with the HTTP 100 or FTP 150
  8524. # (Please Continue) control message on its own, before forwarding the
  8525. # request to an adaptation service or peer. Such a response usually forces
  8526. # the request sender to proceed with sending the body. A deny match tells
  8527. # Squid to delay that control response until the origin server confirms
  8528. # that the request body is needed. Delaying is the default behavior.
  8529. #Default:
  8530. # Deny, unless rules exist in squid.conf.
  8531.  
  8532. # TAG: server_pconn_for_nonretriable
  8533. # This option provides fine-grained control over persistent connection
  8534. # reuse when forwarding HTTP requests that Squid cannot retry. It is useful
  8535. # in environments where opening new connections is very expensive
  8536. # (e.g., all connections are secured with TLS with complex client and server
  8537. # certificate validation) and race conditions associated with persistent
  8538. # connections are very rare and/or only cause minor problems.
  8539. #
  8540. # HTTP prohibits retrying unsafe and non-idempotent requests (e.g., POST).
  8541. # Squid limitations also prohibit retrying all requests with bodies (e.g., PUT).
  8542. # By default, when forwarding such "risky" requests, Squid opens a new
  8543. # connection to the server or cache_peer, even if there is an idle persistent
  8544. # connection available. When Squid is configured to risk sending a non-retriable
  8545. # request on a previously used persistent connection, and the server closes
  8546. # the connection before seeing that risky request, the user gets an error response
  8547. # from Squid. In most cases, that error response will be HTTP 502 (Bad Gateway)
  8548. # with ERR_ZERO_SIZE_OBJECT or ERR_WRITE_ERROR (peer connection reset) error detail.
  8549. #
  8550. # If an allow rule matches, Squid reuses an available idle persistent connection
  8551. # (if any) for the request that Squid cannot retry. If a deny rule matches, then
  8552. # Squid opens a new connection for the request that Squid cannot retry.
  8553. #
  8554. # This option does not affect requests that Squid can retry. They will reuse idle
  8555. # persistent connections (if any).
  8556. #
  8557. # This clause only supports fast acl types.
  8558. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  8559. #
  8560. # Example:
  8561. # acl SpeedIsWorthTheRisk method POST
  8562. # server_pconn_for_nonretriable allow SpeedIsWorthTheRisk
  8563. #Default:
  8564. # Open new connections for forwarding requests Squid cannot retry safely.
  8565.  
  8566. cache_effective_group proxy
RAW Paste Data