Guest User

Untitled

a guest
Jan 31st, 2023
33
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 317.72 KB | None | 0 0
  1. # WELCOME TO SQUID 4.13
  2. # ----------------------------
  3. #
  4. # This is the documentation for the Squid configuration file.
  5. # This documentation can also be found online at:
  6. # http://www.squid-cache.org/Doc/config/
  7. #
  8. # You may wish to look at the Squid home page and wiki for the
  9. # FAQ and other documentation:
  10. # http://www.squid-cache.org/
  11. # http://wiki.squid-cache.org/SquidFaq
  12. # http://wiki.squid-cache.org/ConfigExamples
  13. #
  14. # This documentation shows what the defaults for various directives
  15. # happen to be. If you don't need to change the default, you should
  16. # leave the line out of your squid.conf in most cases.
  17. #
  18. # In some cases "none" refers to no default setting at all,
  19. # while in other cases it refers to the value of the option
  20. # - the comments for that keyword indicate if this is the case.
  21. #
  22.  
  23. # Configuration options can be included using the "include" directive.
  24. # Include takes a list of files to include. Quoting and wildcards are
  25. # supported.
  26. #
  27. # For example,
  28. #
  29. # include /path/to/included/file/squid.acl.config
  30. #
  31. # Includes can be nested up to a hard-coded depth of 16 levels.
  32. # This arbitrary restriction is to prevent recursive include references
  33. # from causing Squid entering an infinite loop whilst trying to load
  34. # configuration files.
  35. #
  36. # Values with byte units
  37. #
  38. # Squid accepts size units on some size related directives. All
  39. # such directives are documented with a default value displaying
  40. # a unit.
  41. #
  42. # Units accepted by Squid are:
  43. # bytes - byte
  44. # KB - Kilobyte (1024 bytes)
  45. # MB - Megabyte
  46. # GB - Gigabyte
  47. #
  48. # Values with spaces, quotes, and other special characters
  49. #
  50. # Squid supports directive parameters with spaces, quotes, and other
  51. # special characters. Surround such parameters with "double quotes". Use
  52. # the configuration_includes_quoted_values directive to enable or
  53. # disable that support.
  54. #
  55. # Squid supports reading configuration option parameters from external
  56. # files using the syntax:
  57. # parameters("/path/filename")
  58. # For example:
  59. # acl whitelist dstdomain parameters("/etc/squid/whitelist.txt")
  60. #
  61. # Conditional configuration
  62. #
  63. # If-statements can be used to make configuration directives
  64. # depend on conditions:
  65. #
  66. # if <CONDITION>
  67. # ... regular configuration directives ...
  68. # [else
  69. # ... regular configuration directives ...]
  70. # endif
  71. #
  72. # The else part is optional. The keywords "if", "else", and "endif"
  73. # must be typed on their own lines, as if they were regular
  74. # configuration directives.
  75. #
  76. # NOTE: An else-if condition is not supported.
  77. #
  78. # These individual conditions types are supported:
  79. #
  80. # true
  81. # Always evaluates to true.
  82. # false
  83. # Always evaluates to false.
  84. # <integer> = <integer>
  85. # Equality comparison of two integer numbers.
  86. #
  87. #
  88. # SMP-Related Macros
  89. #
  90. # The following SMP-related preprocessor macros can be used.
  91. #
  92. # ${process_name} expands to the current Squid process "name"
  93. # (e.g., squid1, squid2, or cache1).
  94. #
  95. # ${process_number} expands to the current Squid process
  96. # identifier, which is an integer number (e.g., 1, 2, 3) unique
  97. # across all Squid processes of the current service instance.
  98. #
  99. # ${service_name} expands into the current Squid service instance
  100. # name identifier which is provided by -n on the command line.
  101. #
  102. # Logformat Macros
  103. #
  104. # Logformat macros can be used in many places outside of the logformat
  105. # directive. In theory, all of the logformat codes can be used as %macros,
  106. # where they are supported. In practice, a %macro expands as a dash (-) when
  107. # the transaction does not yet have enough information and a value is needed.
  108. #
  109. # There is no definitive list of what tokens are available at the various
  110. # stages of the transaction.
  111. #
  112. # And some information may already be available to Squid but not yet
  113. # committed where the macro expansion code can access it (report
  114. # such instances!). The macro will be expanded into a single dash
  115. # ('-') in such cases. Not all macros have been tested.
  116. #
  117.  
  118. # TAG: broken_vary_encoding
  119. # This option is not yet supported by Squid-3.
  120. #Default:
  121. # none
  122.  
  123. # TAG: cache_vary
  124. # This option is not yet supported by Squid-3.
  125. #Default:
  126. # none
  127.  
  128. # TAG: error_map
  129. # This option is not yet supported by Squid-3.
  130. #Default:
  131. # none
  132.  
  133. # TAG: external_refresh_check
  134. # This option is not yet supported by Squid-3.
  135. #Default:
  136. # none
  137.  
  138. # TAG: location_rewrite_program
  139. # This option is not yet supported by Squid-3.
  140. #Default:
  141. # none
  142.  
  143. # TAG: refresh_stale_hit
  144. # This option is not yet supported by Squid-3.
  145. #Default:
  146. # none
  147.  
  148. # TAG: cache_peer_domain
  149. # Replace with dstdomain ACLs and cache_peer_access.
  150. #Default:
  151. # none
  152.  
  153. # TAG: ie_refresh
  154. # Remove this line. The behaviour enabled by this is no longer needed.
  155. #Default:
  156. # none
  157.  
  158. # TAG: sslproxy_cafile
  159. # Remove this line. Use tls_outgoing_options cafile= instead.
  160. #Default:
  161. # none
  162.  
  163. # TAG: sslproxy_capath
  164. # Remove this line. Use tls_outgoing_options capath= instead.
  165. #Default:
  166. # none
  167.  
  168. # TAG: sslproxy_cipher
  169. # Remove this line. Use tls_outgoing_options cipher= instead.
  170. #Default:
  171. # none
  172.  
  173. # TAG: sslproxy_client_certificate
  174. # Remove this line. Use tls_outgoing_options cert= instead.
  175. #Default:
  176. # none
  177.  
  178. # TAG: sslproxy_client_key
  179. # Remove this line. Use tls_outgoing_options key= instead.
  180. #Default:
  181. # none
  182.  
  183. # TAG: sslproxy_flags
  184. # Remove this line. Use tls_outgoing_options flags= instead.
  185. #Default:
  186. # none
  187.  
  188. # TAG: sslproxy_options
  189. # Remove this line. Use tls_outgoing_options options= instead.
  190. #Default:
  191. # none
  192.  
  193. # TAG: sslproxy_version
  194. # Remove this line. Use tls_outgoing_options options= instead.
  195. #Default:
  196. # none
  197.  
  198. # TAG: hierarchy_stoplist
  199. # Remove this line. Use always_direct or cache_peer_access ACLs instead if you need to prevent cache_peer use.
  200. #Default:
  201. # none
  202.  
  203. # TAG: log_access
  204. # Remove this line. Use acls with access_log directives to control access logging
  205. #Default:
  206. # none
  207.  
  208. # TAG: log_icap
  209. # Remove this line. Use acls with icap_log directives to control icap logging
  210. #Default:
  211. # none
  212.  
  213. # TAG: ignore_ims_on_miss
  214. # Remove this line. The HTTP/1.1 feature is now configured by 'cache_miss_revalidate'.
  215. #Default:
  216. # none
  217.  
  218. # TAG: balance_on_multiple_ip
  219. # Remove this line. Squid performs a 'Happy Eyeballs' algorithm, this multiple-IP algorithm is not longer relevant.
  220. #Default:
  221. # none
  222.  
  223. # TAG: chunked_request_body_max_size
  224. # Remove this line. Squid is now HTTP/1.1 compliant.
  225. #Default:
  226. # none
  227.  
  228. # TAG: dns_v4_fallback
  229. # Remove this line. Squid performs a 'Happy Eyeballs' algorithm, the 'fallback' algorithm is no longer relevant.
  230. #Default:
  231. # none
  232.  
  233. # TAG: emulate_httpd_log
  234. # Replace this with an access_log directive using the format 'common' or 'combined'.
  235. #Default:
  236. # none
  237.  
  238. # TAG: forward_log
  239. # Use a regular access.log with ACL limiting it to MISS events.
  240. #Default:
  241. # none
  242.  
  243. # TAG: ftp_list_width
  244. # Remove this line. Configure FTP page display using the CSS controls in errorpages.css instead.
  245. #Default:
  246. # none
  247.  
  248. # TAG: ignore_expect_100
  249. # Remove this line. The HTTP/1.1 feature is now fully supported by default.
  250. #Default:
  251. # none
  252.  
  253. # TAG: log_fqdn
  254. # Remove this option from your config. To log FQDN use %>A in the log format.
  255. #Default:
  256. # none
  257.  
  258. # TAG: log_ip_on_direct
  259. # Remove this option from your config. To log server or peer names use %<A in the log format.
  260. #Default:
  261. # none
  262.  
  263. # TAG: maximum_single_addr_tries
  264. # Replaced by connect_retries. The behaviour has changed, please read the documentation before altering.
  265. #Default:
  266. # none
  267.  
  268. # TAG: referer_log
  269. # Replace this with an access_log directive using the format 'referrer'.
  270. #Default:
  271. # none
  272.  
  273. # TAG: update_headers
  274. # Remove this line. The feature is supported by default in storage types where update is implemented.
  275. #Default:
  276. # none
  277.  
  278. # TAG: url_rewrite_concurrency
  279. # Remove this line. Set the 'concurrency=' option of url_rewrite_children instead.
  280. #Default:
  281. # none
  282.  
  283. # TAG: useragent_log
  284. # Replace this with an access_log directive using the format 'useragent'.
  285. #Default:
  286. # none
  287.  
  288. # TAG: dns_testnames
  289. # Remove this line. DNS is no longer tested on startup.
  290. #Default:
  291. # none
  292.  
  293. # TAG: extension_methods
  294. # Remove this line. All valid methods for HTTP are accepted by default.
  295. #Default:
  296. # none
  297.  
  298. # TAG: zero_buffers
  299. #Default:
  300. # none
  301.  
  302. # TAG: incoming_rate
  303. #Default:
  304. # none
  305.  
  306. # TAG: server_http11
  307. # Remove this line. HTTP/1.1 is supported by default.
  308. #Default:
  309. # none
  310.  
  311. # TAG: upgrade_http0.9
  312. # Remove this line. ICY/1.0 streaming protocol is supported by default.
  313. #Default:
  314. # none
  315.  
  316. # TAG: zph_local
  317. # Alter these entries. Use the qos_flows directive instead.
  318. #Default:
  319. # none
  320.  
  321. # TAG: header_access
  322. # Since squid-3.0 replace with request_header_access or reply_header_access
  323. # depending on whether you wish to match client requests or server replies.
  324. #Default:
  325. # none
  326.  
  327. # TAG: httpd_accel_no_pmtu_disc
  328. # Since squid-3.0 use the 'disable-pmtu-discovery' flag on http_port instead.
  329. #Default:
  330. # none
  331.  
  332. # TAG: wais_relay_host
  333. # Replace this line with 'cache_peer' configuration.
  334. #Default:
  335. # none
  336.  
  337. # TAG: wais_relay_port
  338. # Replace this line with 'cache_peer' configuration.
  339. #Default:
  340. # none
  341.  
  342. # OPTIONS FOR SMP
  343. # -----------------------------------------------------------------------------
  344.  
  345. # TAG: workers
  346. # Number of main Squid processes or "workers" to fork and maintain.
  347. # 0: "no daemon" mode, like running "squid -N ..."
  348. # 1: "no SMP" mode, start one main Squid process daemon (default)
  349. # N: start N main Squid process daemons (i.e., SMP mode)
  350. #
  351. # In SMP mode, each worker does nearly all what a single Squid daemon
  352. # does (e.g., listen on http_port and forward HTTP requests).
  353. #Default:
  354. # SMP support disabled.
  355.  
  356. # TAG: cpu_affinity_map
  357. # Usage: cpu_affinity_map process_numbers=P1,P2,... cores=C1,C2,...
  358. #
  359. # Sets 1:1 mapping between Squid processes and CPU cores. For example,
  360. #
  361. # cpu_affinity_map process_numbers=1,2,3,4 cores=1,3,5,7
  362. #
  363. # affects processes 1 through 4 only and places them on the first
  364. # four even cores, starting with core #1.
  365. #
  366. # CPU cores are numbered starting from 1. Requires support for
  367. # sched_getaffinity(2) and sched_setaffinity(2) system calls.
  368. #
  369. # Multiple cpu_affinity_map options are merged.
  370. #
  371. # See also: workers
  372. #Default:
  373. # Let operating system decide.
  374.  
  375. # TAG: shared_memory_locking on|off
  376. # Whether to ensure that all required shared memory is available by
  377. # "locking" that shared memory into RAM when Squid starts. The
  378. # alternative is faster startup time followed by slightly slower
  379. # performance and, if not enough RAM is actually available during
  380. # runtime, mysterious crashes.
  381. #
  382. # SMP Squid uses many shared memory segments. These segments are
  383. # brought into Squid memory space using an mmap(2) system call. During
  384. # Squid startup, the mmap() call often succeeds regardless of whether
  385. # the system has enough RAM. In general, Squid cannot tell whether the
  386. # kernel applies this "optimistic" memory allocation policy (but
  387. # popular modern kernels usually use it).
  388. #
  389. # Later, if Squid attempts to actually access the mapped memory
  390. # regions beyond what the kernel is willing to allocate, the
  391. # "optimistic" kernel simply kills Squid kid with a SIGBUS signal.
  392. # Some of the memory limits enforced by the kernel are currently
  393. # poorly understood: We do not know how to detect and check them. This
  394. # option ensures that the mapped memory will be available.
  395. #
  396. # This option may have a positive performance side-effect: Locking
  397. # memory at start avoids runtime paging I/O. Paging slows Squid down.
  398. #
  399. # Locking memory may require a large enough RLIMIT_MEMLOCK OS limit,
  400. # CAP_IPC_LOCK capability, or equivalent.
  401. #Default:
  402. # shared_memory_locking off
  403.  
  404. # TAG: hopeless_kid_revival_delay time-units
  405. # Normally, when a kid process dies, Squid immediately restarts the
  406. # kid. A kid experiencing frequent deaths is marked as "hopeless" for
  407. # the duration specified by this directive. Hopeless kids are not
  408. # automatically restarted.
  409. #
  410. # Currently, zero values are not supported because they result in
  411. # misconfigured SMP Squid instances running forever, endlessly
  412. # restarting each dying kid. To effectively disable hopeless kids
  413. # revival, set the delay to a huge value (e.g., 1 year).
  414. #
  415. # Reconfiguration also clears all hopeless kids designations, allowing
  416. # for manual revival of hopeless kids.
  417. #Default:
  418. # hopeless_kid_revival_delay 1 hour
  419.  
  420. # OPTIONS FOR AUTHENTICATION
  421. # -----------------------------------------------------------------------------
  422.  
  423. # TAG: auth_param
  424. # This is used to define parameters for the various authentication
  425. # schemes supported by Squid.
  426. #
  427. # format: auth_param scheme parameter [setting]
  428. #
  429. # The order in which authentication schemes are presented to the client is
  430. # dependent on the order the scheme first appears in config file. IE
  431. # has a bug (it's not RFC 2617 compliant) in that it will use the basic
  432. # scheme if basic is the first entry presented, even if more secure
  433. # schemes are presented. For now use the order in the recommended
  434. # settings section below. If other browsers have difficulties (don't
  435. # recognize the schemes offered even if you are using basic) either
  436. # put basic first, or disable the other schemes (by commenting out their
  437. # program entry).
  438. #
  439. # Once an authentication scheme is fully configured, it can only be
  440. # shutdown by shutting squid down and restarting. Changes can be made on
  441. # the fly and activated with a reconfigure. I.E. You can change to a
  442. # different helper, but not unconfigure the helper completely.
  443. #
  444. # Please note that while this directive defines how Squid processes
  445. # authentication it does not automatically activate authentication.
  446. # To use authentication you must in addition make use of ACLs based
  447. # on login name in http_access (proxy_auth, proxy_auth_regex or
  448. # external with %LOGIN used in the format tag). The browser will be
  449. # challenged for authentication on the first such acl encountered
  450. # in http_access processing and will also be re-challenged for new
  451. # login credentials if the request is being denied by a proxy_auth
  452. # type acl.
  453. #
  454. # WARNING: authentication can't be used in a transparently intercepting
  455. # proxy as the client then thinks it is talking to an origin server and
  456. # not the proxy. This is a limitation of bending the TCP/IP protocol to
  457. # transparently intercepting port 80, not a limitation in Squid.
  458. # Ports flagged 'transparent', 'intercept', or 'tproxy' have
  459. # authentication disabled.
  460. #
  461. # === Parameters common to all schemes. ===
  462. #
  463. # "program" cmdline
  464. # Specifies the command for the external authenticator.
  465. #
  466. # By default, each authentication scheme is not used unless a
  467. # program is specified.
  468. #
  469. # See http://wiki.squid-cache.org/Features/AddonHelpers for
  470. # more details on helper operations and creating your own.
  471. #
  472. # "key_extras" format
  473. # Specifies a string to be append to request line format for
  474. # the authentication helper. "Quoted" format values may contain
  475. # spaces and logformat %macros. In theory, any logformat %macro
  476. # can be used. In practice, a %macro expands as a dash (-) if
  477. # the helper request is sent before the required macro
  478. # information is available to Squid.
  479. #
  480. # By default, Squid uses request formats provided in
  481. # scheme-specific examples below (search for %credentials).
  482. #
  483. # The expanded key_extras value is added to the Squid credentials
  484. # cache and, hence, will affect authentication. It can be used to
  485. # autenticate different users with identical user names (e.g.,
  486. # when user authentication depends on http_port).
  487. #
  488. # Avoid adding frequently changing information to key_extras. For
  489. # example, if you add user source IP, and it changes frequently
  490. # in your environment, then max_user_ip ACL is going to treat
  491. # every user+IP combination as a unique "user", breaking the ACL
  492. # and wasting a lot of memory on those user records. It will also
  493. # force users to authenticate from scratch whenever their IP
  494. # changes.
  495. #
  496. # "realm" string
  497. # Specifies the protection scope (aka realm name) which is to be
  498. # reported to the client for the authentication scheme. It is
  499. # commonly part of the text the user will see when prompted for
  500. # their username and password.
  501. #
  502. # For Basic the default is "Squid proxy-caching web server".
  503. # For Digest there is no default, this parameter is mandatory.
  504. # For NTLM and Negotiate this parameter is ignored.
  505. #
  506. # "children" numberofchildren [startup=N] [idle=N] [concurrency=N]
  507. # [queue-size=N] [on-persistent-overload=action]
  508. #
  509. # The maximum number of authenticator processes to spawn. If
  510. # you start too few Squid will have to wait for them to process
  511. # a backlog of credential verifications, slowing it down. When
  512. # password verifications are done via a (slow) network you are
  513. # likely to need lots of authenticator processes.
  514. #
  515. # The startup= and idle= options permit some skew in the exact
  516. # amount run. A minimum of startup=N will begin during startup
  517. # and reconfigure. Squid will start more in groups of up to
  518. # idle=N in an attempt to meet traffic needs and to keep idle=N
  519. # free above those traffic needs up to the maximum.
  520. #
  521. # The concurrency= option sets the number of concurrent requests
  522. # the helper can process. The default of 0 is used for helpers
  523. # who only supports one request at a time. Setting this to a
  524. # number greater than 0 changes the protocol used to include a
  525. # channel ID field first on the request/response line, allowing
  526. # multiple requests to be sent to the same helper in parallel
  527. # without waiting for the response.
  528. #
  529. # Concurrency must not be set unless it's known the helper
  530. # supports the input format with channel-ID fields.
  531. #
  532. # The queue-size option sets the maximum number of queued
  533. # requests. A request is queued when no existing child can
  534. # accept it due to concurrency limit and no new child can be
  535. # started due to numberofchildren limit. The default maximum is
  536. # 2*numberofchildren. Squid is allowed to temporarily exceed the
  537. # configured maximum, marking the affected helper as
  538. # "overloaded". If the helper overload lasts more than 3
  539. # minutes, the action prescribed by the on-persistent-overload
  540. # option applies.
  541. #
  542. # The on-persistent-overload=action option specifies Squid
  543. # reaction to a new helper request arriving when the helper
  544. # has been overloaded for more that 3 minutes already. The number
  545. # of queued requests determines whether the helper is overloaded
  546. # (see the queue-size option).
  547. #
  548. # Two actions are supported:
  549. #
  550. # die Squid worker quits. This is the default behavior.
  551. #
  552. # ERR Squid treats the helper request as if it was
  553. # immediately submitted, and the helper immediately
  554. # replied with an ERR response. This action has no effect
  555. # on the already queued and in-progress helper requests.
  556. #
  557. # NOTE: NTLM and Negotiate schemes do not support concurrency
  558. # in the Squid code module even though some helpers can.
  559. #
  560. #
  561. #
  562. # === Example Configuration ===
  563. #
  564. # This configuration displays the recommended authentication scheme
  565. # order from most to least secure with recommended minimum configuration
  566. # settings for each scheme:
  567. #
  568. ##auth_param negotiate program <uncomment and complete this line to activate>
  569. ##auth_param negotiate children 20 startup=0 idle=1
  570. ##auth_param negotiate keep_alive on
  571. ##
  572. ##auth_param digest program <uncomment and complete this line to activate>
  573. ##auth_param digest children 20 startup=0 idle=1
  574. ##auth_param digest realm Squid proxy-caching web server
  575. ##auth_param digest nonce_garbage_interval 5 minutes
  576. ##auth_param digest nonce_max_duration 30 minutes
  577. ##auth_param digest nonce_max_count 50
  578. ##
  579. ##auth_param ntlm program <uncomment and complete this line to activate>
  580. ##auth_param ntlm children 20 startup=0 idle=1
  581. ##auth_param ntlm keep_alive on
  582. ##
  583. ##auth_param basic program <uncomment and complete this line>
  584. ##auth_param basic children 5 startup=5 idle=1
  585. ##auth_param basic realm Squid proxy-caching web server
  586. ##auth_param basic credentialsttl 2 hours
  587. #Default:
  588. # none
  589.  
  590. # TAG: authenticate_cache_garbage_interval
  591. # The time period between garbage collection across the username cache.
  592. # This is a trade-off between memory utilization (long intervals - say
  593. # 2 days) and CPU (short intervals - say 1 minute). Only change if you
  594. # have good reason to.
  595. #Default:
  596. # authenticate_cache_garbage_interval 1 hour
  597.  
  598. # TAG: authenticate_ttl
  599. # The time a user & their credentials stay in the logged in
  600. # user cache since their last request. When the garbage
  601. # interval passes, all user credentials that have passed their
  602. # TTL are removed from memory.
  603. #Default:
  604. # authenticate_ttl 1 hour
  605.  
  606. # TAG: authenticate_ip_ttl
  607. # If you use proxy authentication and the 'max_user_ip' ACL,
  608. # this directive controls how long Squid remembers the IP
  609. # addresses associated with each user. Use a small value
  610. # (e.g., 60 seconds) if your users might change addresses
  611. # quickly, as is the case with dialup. You might be safe
  612. # using a larger value (e.g., 2 hours) in a corporate LAN
  613. # environment with relatively static address assignments.
  614. #Default:
  615. # authenticate_ip_ttl 1 second
  616.  
  617. # ACCESS CONTROLS
  618. # -----------------------------------------------------------------------------
  619.  
  620. # TAG: external_acl_type
  621. # This option defines external acl classes using a helper program
  622. # to look up the status
  623. #
  624. # external_acl_type name [options] FORMAT /path/to/helper [helper arguments]
  625. #
  626. # Options:
  627. #
  628. # ttl=n TTL in seconds for cached results (defaults to 3600
  629. # for 1 hour)
  630. #
  631. # negative_ttl=n
  632. # TTL for cached negative lookups (default same
  633. # as ttl)
  634. #
  635. # grace=n Percentage remaining of TTL where a refresh of a
  636. # cached entry should be initiated without needing to
  637. # wait for a new reply. (default is for no grace period)
  638. #
  639. # cache=n The maximum number of entries in the result cache. The
  640. # default limit is 262144 entries. Each cache entry usually
  641. # consumes at least 256 bytes. Squid currently does not remove
  642. # expired cache entries until the limit is reached, so a proxy
  643. # will sooner or later reach the limit. The expanded FORMAT
  644. # value is used as the cache key, so if the details in FORMAT
  645. # are highly variable, a larger cache may be needed to produce
  646. # reduction in helper load.
  647. #
  648. # children-max=n
  649. # Maximum number of acl helper processes spawned to service
  650. # external acl lookups of this type. (default 5)
  651. #
  652. # children-startup=n
  653. # Minimum number of acl helper processes to spawn during
  654. # startup and reconfigure to service external acl lookups
  655. # of this type. (default 0)
  656. #
  657. # children-idle=n
  658. # Number of acl helper processes to keep ahead of traffic
  659. # loads. Squid will spawn this many at once whenever load
  660. # rises above the capabilities of existing processes.
  661. # Up to the value of children-max. (default 1)
  662. #
  663. # concurrency=n concurrency level per process. Only used with helpers
  664. # capable of processing more than one query at a time.
  665. #
  666. # queue-size=N The queue-size option sets the maximum number of
  667. # queued requests. A request is queued when no existing
  668. # helper can accept it due to concurrency limit and no
  669. # new helper can be started due to children-max limit.
  670. # If the queued requests exceed queue size, the acl is
  671. # ignored. The default value is set to 2*children-max.
  672. #
  673. # protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers.
  674. #
  675. # ipv4 / ipv6 IP protocol used to communicate with this helper.
  676. # The default is to auto-detect IPv6 and use it when available.
  677. #
  678. #
  679. # FORMAT is a series of %macro codes. See logformat directive for a full list
  680. # of the accepted codes. Although note that at the time of any external ACL
  681. # being tested data may not be available and thus some %macro expand to '-'.
  682. #
  683. # In addition to the logformat codes; when processing external ACLs these
  684. # additional macros are made available:
  685. #
  686. # %ACL The name of the ACL being tested.
  687. #
  688. # %DATA The ACL arguments specified in the referencing config
  689. # 'acl ... external' line, separated by spaces (an
  690. # "argument string"). see acl external.
  691. #
  692. # If there are no ACL arguments %DATA expands to '-'.
  693. #
  694. # If you do not specify a DATA macro inside FORMAT,
  695. # Squid automatically appends %DATA to your FORMAT.
  696. # Note that Squid-3.x may expand %DATA to whitespace
  697. # or nothing in this case.
  698. #
  699. # By default, Squid applies URL-encoding to each ACL
  700. # argument inside the argument string. If an explicit
  701. # encoding modifier is used (e.g., %#DATA), then Squid
  702. # encodes the whole argument string as a single token
  703. # (e.g., with %#DATA, spaces between arguments become
  704. # %20).
  705. #
  706. # If SSL is enabled, the following formating codes become available:
  707. #
  708. # %USER_CERT SSL User certificate in PEM format
  709. # %USER_CERTCHAIN SSL User certificate chain in PEM format
  710. # %USER_CERT_xx SSL User certificate subject attribute xx
  711. # %USER_CA_CERT_xx SSL User certificate issuer attribute xx
  712. #
  713. #
  714. # NOTE: all other format codes accepted by older Squid versions
  715. # are deprecated.
  716. #
  717. #
  718. # General request syntax:
  719. #
  720. # [channel-ID] FORMAT-values
  721. #
  722. #
  723. # FORMAT-values consists of transaction details expanded with
  724. # whitespace separation per the config file FORMAT specification
  725. # using the FORMAT macros listed above.
  726. #
  727. # Request values sent to the helper are URL escaped to protect
  728. # each value in requests against whitespaces.
  729. #
  730. # If using protocol=2.5 then the request sent to the helper is not
  731. # URL escaped to protect against whitespace.
  732. #
  733. # NOTE: protocol=3.0 is deprecated as no longer necessary.
  734. #
  735. # When using the concurrency= option the protocol is changed by
  736. # introducing a query channel tag in front of the request/response.
  737. # The query channel tag is a number between 0 and concurrency-1.
  738. # This value must be echoed back unchanged to Squid as the first part
  739. # of the response relating to its request.
  740. #
  741. #
  742. # The helper receives lines expanded per the above format specification
  743. # and for each input line returns 1 line starting with OK/ERR/BH result
  744. # code and optionally followed by additional keywords with more details.
  745. #
  746. #
  747. # General result syntax:
  748. #
  749. # [channel-ID] result keyword=value ...
  750. #
  751. # Result consists of one of the codes:
  752. #
  753. # OK
  754. # the ACL test produced a match.
  755. #
  756. # ERR
  757. # the ACL test does not produce a match.
  758. #
  759. # BH
  760. # An internal error occurred in the helper, preventing
  761. # a result being identified.
  762. #
  763. # The meaning of 'a match' is determined by your squid.conf
  764. # access control configuration. See the Squid wiki for details.
  765. #
  766. # Defined keywords:
  767. #
  768. # user= The users name (login)
  769. #
  770. # password= The users password (for login= cache_peer option)
  771. #
  772. # message= Message describing the reason for this response.
  773. # Available as %o in error pages.
  774. # Useful on (ERR and BH results).
  775. #
  776. # tag= Apply a tag to a request. Only sets a tag once,
  777. # does not alter existing tags.
  778. #
  779. # log= String to be logged in access.log. Available as
  780. # %ea in logformat specifications.
  781. #
  782. # clt_conn_tag= Associates a TAG with the client TCP connection.
  783. # Please see url_rewrite_program related documentation
  784. # for this kv-pair.
  785. #
  786. # Any keywords may be sent on any response whether OK, ERR or BH.
  787. #
  788. # All response keyword values need to be a single token with URL
  789. # escaping, or enclosed in double quotes (") and escaped using \ on
  790. # any double quotes or \ characters within the value. The wrapping
  791. # double quotes are removed before the value is interpreted by Squid.
  792. # \r and \n are also replace by CR and LF.
  793. #
  794. # Some example key values:
  795. #
  796. # user=John%20Smith
  797. # user="John Smith"
  798. # user="J. \"Bob\" Smith"
  799. #Default:
  800. # none
  801.  
  802. # TAG: acl
  803. # Defining an Access List
  804. #
  805. # Every access list definition must begin with an aclname and acltype,
  806. # followed by either type-specific arguments or a quoted filename that
  807. # they are read from.
  808. #
  809. # acl aclname acltype argument ...
  810. # acl aclname acltype "file" ...
  811. #
  812. # When using "file", the file should contain one item per line.
  813. #
  814. #
  815. # ACL Options
  816. #
  817. # Some acl types supports options which changes their default behaviour:
  818. #
  819. # -i,+i By default, regular expressions are CASE-SENSITIVE. To make them
  820. # case-insensitive, use the -i option. To return case-sensitive
  821. # use the +i option between patterns, or make a new ACL line
  822. # without -i.
  823. #
  824. # -n Disable lookups and address type conversions. If lookup or
  825. # conversion is required because the parameter type (IP or
  826. # domain name) does not match the message address type (domain
  827. # name or IP), then the ACL would immediately declare a mismatch
  828. # without any warnings or lookups.
  829. #
  830. # -m[=delimiters]
  831. # Perform a list membership test, interpreting values as
  832. # comma-separated token lists and matching against individual
  833. # tokens instead of whole values.
  834. # The optional "delimiters" parameter specifies one or more
  835. # alternative non-alphanumeric delimiter characters.
  836. # non-alphanumeric delimiter characters.
  837. #
  838. # -- Used to stop processing all options, in the case the first acl
  839. # value has '-' character as first character (for example the '-'
  840. # is a valid domain name)
  841. #
  842. # Some acl types require suspending the current request in order
  843. # to access some external data source.
  844. # Those which do are marked with the tag [slow], those which
  845. # don't are marked as [fast].
  846. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl
  847. # for further information
  848. #
  849. # ***** ACL TYPES AVAILABLE *****
  850. #
  851. # acl aclname src ip-address/mask ... # clients IP address [fast]
  852. # acl aclname src addr1-addr2/mask ... # range of addresses [fast]
  853. # acl aclname dst [-n] ip-address/mask ... # URL host's IP address [slow]
  854. # acl aclname localip ip-address/mask ... # IP address the client connected to [fast]
  855. #
  856. #if USE_SQUID_EUI
  857. # acl aclname arp mac-address ...
  858. # acl aclname eui64 eui64-address ...
  859. # # [fast]
  860. # # MAC (EUI-48) and EUI-64 addresses use xx:xx:xx:xx:xx:xx notation.
  861. # #
  862. # # The 'arp' ACL code is not portable to all operating systems.
  863. # # It works on Linux, Solaris, Windows, FreeBSD, and some other
  864. # # BSD variants.
  865. # #
  866. # # The eui_lookup directive is required to be 'on' (the default)
  867. # # and Squid built with --enable-eui for MAC/EUI addresses to be
  868. # # available for this ACL.
  869. # #
  870. # # Squid can only determine the MAC/EUI address for IPv4
  871. # # clients that are on the same subnet. If the client is on a
  872. # # different subnet, then Squid cannot find out its address.
  873. # #
  874. # # IPv6 protocol does not contain ARP. MAC/EUI is either
  875. # # encoded directly in the IPv6 address or not available.
  876. #endif
  877. # acl aclname clientside_mark mark[/mask] ...
  878. # # matches CONNMARK of an accepted connection [fast]
  879. # #
  880. # # mark and mask are unsigned integers (hex, octal, or decimal).
  881. # # If multiple marks are given, then the ACL matches if at least
  882. # # one mark matches.
  883. # #
  884. # # Uses netfilter-conntrack library.
  885. # # Requires building Squid with --enable-linux-netfilter.
  886. # #
  887. # # The client, various intermediaries, and Squid itself may set
  888. # # CONNMARK at various times. The last CONNMARK set wins. This ACL
  889. # # checks the mark present on an accepted connection or set by
  890. # # Squid afterwards, depending on the ACL check timing. This ACL
  891. # # effectively ignores any mark set by other agents after Squid has
  892. # # accepted the connection.
  893. #
  894. # acl aclname srcdomain .foo.com ...
  895. # # reverse lookup, from client IP [slow]
  896. # acl aclname dstdomain [-n] .foo.com ...
  897. # # Destination server from URL [fast]
  898. # acl aclname srcdom_regex [-i] \.foo\.com ...
  899. # # regex matching client name [slow]
  900. # acl aclname dstdom_regex [-n] [-i] \.foo\.com ...
  901. # # regex matching server [fast]
  902. # #
  903. # # For dstdomain and dstdom_regex a reverse lookup is tried if a IP
  904. # # based URL is used and no match is found. The name "none" is used
  905. # # if the reverse lookup fails.
  906. #
  907. # acl aclname src_as number ...
  908. # acl aclname dst_as number ...
  909. # # [fast]
  910. # # Except for access control, AS numbers can be used for
  911. # # routing of requests to specific caches. Here's an
  912. # # example for routing all requests for AS#1241 and only
  913. # # those to mycache.mydomain.net:
  914. # # acl asexample dst_as 1241
  915. # # cache_peer_access mycache.mydomain.net allow asexample
  916. # # cache_peer_access mycache_mydomain.net deny all
  917. #
  918. # acl aclname peername myPeer ...
  919. # acl aclname peername_regex [-i] regex-pattern ...
  920. # # [fast]
  921. # # match against a named cache_peer entry
  922. # # set unique name= on cache_peer lines for reliable use.
  923. #
  924. # acl aclname time [day-abbrevs] [h1:m1-h2:m2]
  925. # # [fast]
  926. # # day-abbrevs:
  927. # # S - Sunday
  928. # # M - Monday
  929. # # T - Tuesday
  930. # # W - Wednesday
  931. # # H - Thursday
  932. # # F - Friday
  933. # # A - Saturday
  934. # # h1:m1 must be less than h2:m2
  935. #
  936. # acl aclname url_regex [-i] ^http:// ...
  937. # # regex matching on whole URL [fast]
  938. # acl aclname urllogin [-i] [^a-zA-Z0-9] ...
  939. # # regex matching on URL login field
  940. # acl aclname urlpath_regex [-i] \.gif$ ...
  941. # # regex matching on URL path [fast]
  942. #
  943. # acl aclname port 80 70 21 0-1024... # destination TCP port [fast]
  944. # # ranges are alloed
  945. # acl aclname localport 3128 ... # TCP port the client connected to [fast]
  946. # # NP: for interception mode this is usually '80'
  947. #
  948. # acl aclname myportname 3128 ... # *_port name [fast]
  949. #
  950. # acl aclname proto HTTP FTP ... # request protocol [fast]
  951. #
  952. # acl aclname method GET POST ... # HTTP request method [fast]
  953. #
  954. # acl aclname http_status 200 301 500- 400-403 ...
  955. # # status code in reply [fast]
  956. #
  957. # acl aclname browser [-i] regexp ...
  958. # # pattern match on User-Agent header (see also req_header below) [fast]
  959. #
  960. # acl aclname referer_regex [-i] regexp ...
  961. # # pattern match on Referer header [fast]
  962. # # Referer is highly unreliable, so use with care
  963. #
  964. # acl aclname ident [-i] username ...
  965. # acl aclname ident_regex [-i] pattern ...
  966. # # string match on ident output [slow]
  967. # # use REQUIRED to accept any non-null ident.
  968. #
  969. # acl aclname proxy_auth [-i] username ...
  970. # acl aclname proxy_auth_regex [-i] pattern ...
  971. # # perform http authentication challenge to the client and match against
  972. # # supplied credentials [slow]
  973. # #
  974. # # takes a list of allowed usernames.
  975. # # use REQUIRED to accept any valid username.
  976. # #
  977. # # Will use proxy authentication in forward-proxy scenarios, and plain
  978. # # http authenticaiton in reverse-proxy scenarios
  979. # #
  980. # # NOTE: when a Proxy-Authentication header is sent but it is not
  981. # # needed during ACL checking the username is NOT logged
  982. # # in access.log.
  983. # #
  984. # # NOTE: proxy_auth requires a EXTERNAL authentication program
  985. # # to check username/password combinations (see
  986. # # auth_param directive).
  987. # #
  988. # # NOTE: proxy_auth can't be used in a transparent/intercepting proxy
  989. # # as the browser needs to be configured for using a proxy in order
  990. # # to respond to proxy authentication.
  991. #
  992. # acl aclname snmp_community string ...
  993. # # A community string to limit access to your SNMP Agent [fast]
  994. # # Example:
  995. # #
  996. # # acl snmppublic snmp_community public
  997. #
  998. # acl aclname maxconn number
  999. # # This will be matched when the client's IP address has
  1000. # # more than <number> TCP connections established. [fast]
  1001. # # NOTE: This only measures direct TCP links so X-Forwarded-For
  1002. # # indirect clients are not counted.
  1003. #
  1004. # acl aclname max_user_ip [-s] number
  1005. # # This will be matched when the user attempts to log in from more
  1006. # # than <number> different ip addresses. The authenticate_ip_ttl
  1007. # # parameter controls the timeout on the ip entries. [fast]
  1008. # # If -s is specified the limit is strict, denying browsing
  1009. # # from any further IP addresses until the ttl has expired. Without
  1010. # # -s Squid will just annoy the user by "randomly" denying requests.
  1011. # # (the counter is reset each time the limit is reached and a
  1012. # # request is denied)
  1013. # # NOTE: in acceleration mode or where there is mesh of child proxies,
  1014. # # clients may appear to come from multiple addresses if they are
  1015. # # going through proxy farms, so a limit of 1 may cause user problems.
  1016. #
  1017. # acl aclname random probability
  1018. # # Pseudo-randomly match requests. Based on the probability given.
  1019. # # Probability may be written as a decimal (0.333), fraction (1/3)
  1020. # # or ratio of matches:non-matches (3:5).
  1021. #
  1022. # acl aclname req_mime_type [-i] mime-type ...
  1023. # # regex match against the mime type of the request generated
  1024. # # by the client. Can be used to detect file upload or some
  1025. # # types HTTP tunneling requests [fast]
  1026. # # NOTE: This does NOT match the reply. You cannot use this
  1027. # # to match the returned file type.
  1028. #
  1029. # acl aclname req_header header-name [-i] any\.regex\.here
  1030. # # regex match against any of the known request headers. May be
  1031. # # thought of as a superset of "browser", "referer" and "mime-type"
  1032. # # ACL [fast]
  1033. #
  1034. # acl aclname rep_mime_type [-i] mime-type ...
  1035. # # regex match against the mime type of the reply received by
  1036. # # squid. Can be used to detect file download or some
  1037. # # types HTTP tunneling requests. [fast]
  1038. # # NOTE: This has no effect in http_access rules. It only has
  1039. # # effect in rules that affect the reply data stream such as
  1040. # # http_reply_access.
  1041. #
  1042. # acl aclname rep_header header-name [-i] any\.regex\.here
  1043. # # regex match against any of the known reply headers. May be
  1044. # # thought of as a superset of "browser", "referer" and "mime-type"
  1045. # # ACLs [fast]
  1046. #
  1047. # acl aclname external class_name [arguments...]
  1048. # # external ACL lookup via a helper class defined by the
  1049. # # external_acl_type directive [slow]
  1050. #
  1051. # acl aclname user_cert attribute values...
  1052. # # match against attributes in a user SSL certificate
  1053. # # attribute is one of DN/C/O/CN/L/ST or a numerical OID [fast]
  1054. #
  1055. # acl aclname ca_cert attribute values...
  1056. # # match against attributes a users issuing CA SSL certificate
  1057. # # attribute is one of DN/C/O/CN/L/ST or a numerical OID [fast]
  1058. #
  1059. # acl aclname ext_user [-i] username ...
  1060. # acl aclname ext_user_regex [-i] pattern ...
  1061. # # string match on username returned by external acl helper [slow]
  1062. # # use REQUIRED to accept any non-null user name.
  1063. #
  1064. # acl aclname tag tagvalue ...
  1065. # # string match on tag returned by external acl helper [fast]
  1066. # # DEPRECATED. Only the first tag will match with this ACL.
  1067. # # Use the 'note' ACL instead for handling multiple tag values.
  1068. #
  1069. # acl aclname hier_code codename ...
  1070. # # string match against squid hierarchy code(s); [fast]
  1071. # # e.g., DIRECT, PARENT_HIT, NONE, etc.
  1072. # #
  1073. # # NOTE: This has no effect in http_access rules. It only has
  1074. # # effect in rules that affect the reply data stream such as
  1075. # # http_reply_access.
  1076. #
  1077. # acl aclname note [-m[=delimiters]] name [value ...]
  1078. # # match transaction annotation [fast]
  1079. # # Without values, matches any annotation with a given name.
  1080. # # With value(s), matches any annotation with a given name that
  1081. # # also has one of the given values.
  1082. # # If the -m flag is used, then the value of the named
  1083. # # annotation is interpreted as a list of tokens, and the ACL
  1084. # # matches individual name=token pairs rather than whole
  1085. # # name=value pairs. See "ACL Options" above for more info.
  1086. # # Annotation sources include note and adaptation_meta directives
  1087. # # as well as helper and eCAP responses.
  1088. #
  1089. # acl aclname adaptation_service service ...
  1090. # # Matches the name of any icap_service, ecap_service,
  1091. # # adaptation_service_set, or adaptation_service_chain that Squid
  1092. # # has used (or attempted to use) for the master transaction.
  1093. # # This ACL must be defined after the corresponding adaptation
  1094. # # service is named in squid.conf. This ACL is usable with
  1095. # # adaptation_meta because it starts matching immediately after
  1096. # # the service has been selected for adaptation.
  1097. #
  1098. # acl aclname transaction_initiator initiator ...
  1099. # # Matches transaction's initiator [fast]
  1100. # #
  1101. # # Supported initiators are:
  1102. # # esi: matches transactions fetching ESI resources
  1103. # # certificate-fetching: matches transactions fetching
  1104. # # a missing intermediate TLS certificate
  1105. # # cache-digest: matches transactions fetching Cache Digests
  1106. # # from a cache_peer
  1107. # # htcp: matches HTCP requests from peers
  1108. # # icp: matches ICP requests to peers
  1109. # # icmp: matches ICMP RTT database (NetDB) requests to peers
  1110. # # asn: matches asns db requests
  1111. # # internal: matches any of the above
  1112. # # client: matches transactions containing an HTTP or FTP
  1113. # # client request received at a Squid *_port
  1114. # # all: matches any transaction, including internal transactions
  1115. # # without a configurable initiator and hopefully rare
  1116. # # transactions without a known-to-Squid initiator
  1117. # #
  1118. # # Multiple initiators are ORed.
  1119. #
  1120. # acl aclname has component
  1121. # # matches a transaction "component" [fast]
  1122. # #
  1123. # # Supported transaction components are:
  1124. # # request: transaction has a request header (at least)
  1125. # # response: transaction has a response header (at least)
  1126. # # ALE: transaction has an internally-generated Access Log Entry
  1127. # # structure; bugs notwithstanding, all transaction have it
  1128. # #
  1129. # # For example, the following configuration helps when dealing with HTTP
  1130. # # clients that close connections without sending a request header:
  1131. # #
  1132. # # acl hasRequest has request
  1133. # # acl logMe note important_transaction
  1134. # # # avoid "logMe ACL is used in context without an HTTP request" warnings
  1135. # # access_log ... logformat=detailed hasRequest logMe
  1136. # # # log request-less transactions, instead of ignoring them
  1137. # # access_log ... logformat=brief !hasRequest
  1138. # #
  1139. # # Multiple components are not supported for one "acl" rule, but
  1140. # # can be specified (and are ORed) using multiple same-name rules:
  1141. # #
  1142. # # # OK, this strange logging daemon needs request or response,
  1143. # # # but can work without either a request or a response:
  1144. # # acl hasWhatMyLoggingDaemonNeeds has request
  1145. # # acl hasWhatMyLoggingDaemonNeeds has response
  1146. #
  1147. # acl aclname any-of acl1 acl2 ...
  1148. # # match any one of the acls [fast or slow]
  1149. # # The first matching ACL stops further ACL evaluation.
  1150. # #
  1151. # # ACLs from multiple any-of lines with the same name are ORed.
  1152. # # For example, A = (a1 or a2) or (a3 or a4) can be written as
  1153. # # acl A any-of a1 a2
  1154. # # acl A any-of a3 a4
  1155. # #
  1156. # # This group ACL is fast if all evaluated ACLs in the group are fast
  1157. # # and slow otherwise.
  1158. #
  1159. # acl aclname all-of acl1 acl2 ...
  1160. # # match all of the acls [fast or slow]
  1161. # # The first mismatching ACL stops further ACL evaluation.
  1162. # #
  1163. # # ACLs from multiple all-of lines with the same name are ORed.
  1164. # # For example, B = (b1 and b2) or (b3 and b4) can be written as
  1165. # # acl B all-of b1 b2
  1166. # # acl B all-of b3 b4
  1167. # #
  1168. # # This group ACL is fast if all evaluated ACLs in the group are fast
  1169. # # and slow otherwise.
  1170. #
  1171. # Examples:
  1172. # acl macaddress arp 09:00:2b:23:45:67
  1173. # acl myexample dst_as 1241
  1174. # acl password proxy_auth REQUIRED
  1175. # acl fileupload req_mime_type -i ^multipart/form-data$
  1176. # acl javascript rep_mime_type -i ^application/x-javascript$
  1177. #
  1178. #Default:
  1179. # ACLs all, manager, localhost, and to_localhost are predefined.
  1180. #
  1181. #
  1182. # Recommended minimum configuration:
  1183. #
  1184.  
  1185. # Example rule allowing access from your local networks.
  1186. # Adapt to list your (internal) IP networks from where browsing
  1187. # should be allowed
  1188. #acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
  1189. #acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN)
  1190. #acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN)
  1191. #acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines
  1192. #acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN)
  1193. acl localnet src 192.168.0.1-192.168.0.125/16 # RFC 1918 local private network (LAN)
  1194. #acl localnet src fc00::/7 # RFC 4193 local private network range
  1195. #acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
  1196.  
  1197. acl localnet src 192.168.0.1-192.168.0.125
  1198. acl localnet src 192.168.0.1/25
  1199.  
  1200. acl SSL_ports port 443
  1201. acl Safe_ports port 80 # http
  1202. acl Safe_ports port 21 # ftp
  1203. acl Safe_ports port 443 # https
  1204. acl Safe_ports port 70 # gopher
  1205. acl Safe_ports port 210 # wais
  1206. acl Safe_ports port 1025-65535 # unregistered ports
  1207. acl Safe_ports port 280 # http-mgmt
  1208. acl Safe_ports port 488 # gss-http
  1209. acl Safe_ports port 591 # filemaker
  1210. acl Safe_ports port 777 # multiling http
  1211. acl CONNECT method CONNECT
  1212.  
  1213. # TAG: proxy_protocol_access
  1214. # Determine which client proxies can be trusted to provide correct
  1215. # information regarding real client IP address using PROXY protocol.
  1216. #
  1217. # Requests may pass through a chain of several other proxies
  1218. # before reaching us. The original source details may by sent in:
  1219. # * HTTP message Forwarded header, or
  1220. # * HTTP message X-Forwarded-For header, or
  1221. # * PROXY protocol connection header.
  1222. #
  1223. # This directive is solely for validating new PROXY protocol
  1224. # connections received from a port flagged with require-proxy-header.
  1225. # It is checked only once after TCP connection setup.
  1226. #
  1227. # A deny match results in TCP connection closure.
  1228. #
  1229. # An allow match is required for Squid to permit the corresponding
  1230. # TCP connection, before Squid even looks for HTTP request headers.
  1231. # If there is an allow match, Squid starts using PROXY header information
  1232. # to determine the source address of the connection for all future ACL
  1233. # checks, logging, etc.
  1234. #
  1235. # SECURITY CONSIDERATIONS:
  1236. #
  1237. # Any host from which we accept client IP details can place
  1238. # incorrect information in the relevant header, and Squid
  1239. # will use the incorrect information as if it were the
  1240. # source address of the request. This may enable remote
  1241. # hosts to bypass any access control restrictions that are
  1242. # based on the client's source addresses.
  1243. #
  1244. # This clause only supports fast acl types.
  1245. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  1246. #Default:
  1247. # all TCP connections to ports with require-proxy-header will be denied
  1248.  
  1249. # TAG: follow_x_forwarded_for
  1250. # Determine which client proxies can be trusted to provide correct
  1251. # information regarding real client IP address.
  1252. #
  1253. # Requests may pass through a chain of several other proxies
  1254. # before reaching us. The original source details may by sent in:
  1255. # * HTTP message Forwarded header, or
  1256. # * HTTP message X-Forwarded-For header, or
  1257. # * PROXY protocol connection header.
  1258. #
  1259. # PROXY protocol connections are controlled by the proxy_protocol_access
  1260. # directive which is checked before this.
  1261. #
  1262. # If a request reaches us from a source that is allowed by this
  1263. # directive, then we trust the information it provides regarding
  1264. # the IP of the client it received from (if any).
  1265. #
  1266. # For the purpose of ACLs used in this directive the src ACL type always
  1267. # matches the address we are testing and srcdomain matches its rDNS.
  1268. #
  1269. # On each HTTP request Squid checks for X-Forwarded-For header fields.
  1270. # If found the header values are iterated in reverse order and an allow
  1271. # match is required for Squid to continue on to the next value.
  1272. # The verification ends when a value receives a deny match, cannot be
  1273. # tested, or there are no more values to test.
  1274. # NOTE: Squid does not yet follow the Forwarded HTTP header.
  1275. #
  1276. # The end result of this process is an IP address that we will
  1277. # refer to as the indirect client address. This address may
  1278. # be treated as the client address for access control, ICAP, delay
  1279. # pools and logging, depending on the acl_uses_indirect_client,
  1280. # icap_uses_indirect_client, delay_pool_uses_indirect_client,
  1281. # log_uses_indirect_client and tproxy_uses_indirect_client options.
  1282. #
  1283. # This clause only supports fast acl types.
  1284. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  1285. #
  1286. # SECURITY CONSIDERATIONS:
  1287. #
  1288. # Any host from which we accept client IP details can place
  1289. # incorrect information in the relevant header, and Squid
  1290. # will use the incorrect information as if it were the
  1291. # source address of the request. This may enable remote
  1292. # hosts to bypass any access control restrictions that are
  1293. # based on the client's source addresses.
  1294. #
  1295. # For example:
  1296. #
  1297. # acl localhost src 127.0.0.1
  1298. # acl my_other_proxy srcdomain .proxy.example.com
  1299. # follow_x_forwarded_for allow localhost
  1300. # follow_x_forwarded_for allow my_other_proxy
  1301. #Default:
  1302. # X-Forwarded-For header will be ignored.
  1303.  
  1304. # TAG: acl_uses_indirect_client on|off
  1305. # Controls whether the indirect client address
  1306. # (see follow_x_forwarded_for) is used instead of the
  1307. # direct client address in acl matching.
  1308. #
  1309. # NOTE: maxconn ACL considers direct TCP links and indirect
  1310. # clients will always have zero. So no match.
  1311. #Default:
  1312. # acl_uses_indirect_client on
  1313.  
  1314. # TAG: delay_pool_uses_indirect_client on|off
  1315. # Controls whether the indirect client address
  1316. # (see follow_x_forwarded_for) is used instead of the
  1317. # direct client address in delay pools.
  1318. #Default:
  1319. # delay_pool_uses_indirect_client on
  1320.  
  1321. # TAG: log_uses_indirect_client on|off
  1322. # Controls whether the indirect client address
  1323. # (see follow_x_forwarded_for) is used instead of the
  1324. # direct client address in the access log.
  1325. #Default:
  1326. # log_uses_indirect_client on
  1327.  
  1328. # TAG: tproxy_uses_indirect_client on|off
  1329. # Controls whether the indirect client address
  1330. # (see follow_x_forwarded_for) is used instead of the
  1331. # direct client address when spoofing the outgoing client.
  1332. #
  1333. # This has no effect on requests arriving in non-tproxy
  1334. # mode ports.
  1335. #
  1336. # SECURITY WARNING: Usage of this option is dangerous
  1337. # and should not be used trivially. Correct configuration
  1338. # of follow_x_forwarded_for with a limited set of trusted
  1339. # sources is required to prevent abuse of your proxy.
  1340. #Default:
  1341. # tproxy_uses_indirect_client off
  1342.  
  1343. # TAG: spoof_client_ip
  1344. # Control client IP address spoofing of TPROXY traffic based on
  1345. # defined access lists.
  1346. #
  1347. # spoof_client_ip allow|deny [!]aclname ...
  1348. #
  1349. # If there are no "spoof_client_ip" lines present, the default
  1350. # is to "allow" spoofing of any suitable request.
  1351. #
  1352. # Note that the cache_peer "no-tproxy" option overrides this ACL.
  1353. #
  1354. # This clause supports fast acl types.
  1355. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  1356. #Default:
  1357. # Allow spoofing on all TPROXY traffic.
  1358.  
  1359. # TAG: http_access
  1360. # Allowing or Denying access based on defined access lists
  1361. #
  1362. # To allow or deny a message received on an HTTP, HTTPS, or FTP port:
  1363. # http_access allow|deny [!]aclname ...
  1364. #
  1365. # NOTE on default values:
  1366. #
  1367. # If there are no "access" lines present, the default is to deny
  1368. # the request.
  1369. #
  1370. # If none of the "access" lines cause a match, the default is the
  1371. # opposite of the last line in the list. If the last line was
  1372. # deny, the default is allow. Conversely, if the last line
  1373. # is allow, the default will be deny. For these reasons, it is a
  1374. # good idea to have an "deny all" entry at the end of your access
  1375. # lists to avoid potential confusion.
  1376. #
  1377. # This clause supports both fast and slow acl types.
  1378. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  1379. #
  1380. #Default:
  1381. # Deny, unless rules exist in squid.conf.
  1382. #
  1383.  
  1384. #
  1385. # Recommended minimum Access Permission configuration:
  1386. #
  1387. # Deny requests to certain unsafe ports
  1388. http_access deny !Safe_ports
  1389.  
  1390. # Deny CONNECT to other than secure SSL ports
  1391. http_access deny CONNECT !SSL_ports
  1392.  
  1393. # Only allow cachemgr access from localhost
  1394. http_access allow localhost manager
  1395. http_access allow localnet
  1396.  
  1397. #http_access allow localnet src 192.168.0.1/25
  1398.  
  1399. http_access deny manager
  1400.  
  1401. # We strongly recommend the following be uncommented to protect innocent
  1402. # web applications running on the proxy server who think the only
  1403. # one who can access services on "localhost" is a local user
  1404. #http_access deny to_localhost
  1405.  
  1406. #
  1407. # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
  1408. #
  1409. include /etc/squid/conf.d/*
  1410.  
  1411. # Example rule allowing access from your local networks.
  1412. # Adapt localnet in the ACL section to list your (internal) IP networks
  1413. # from where browsing should be allowed
  1414. #http_access allow localnet
  1415. http_access allow localhost localnet
  1416. #http_access allow localnet
  1417.  
  1418. # And finally deny all other access to this proxy
  1419. http_access deny all
  1420.  
  1421. # TAG: adapted_http_access
  1422. # Allowing or Denying access based on defined access lists
  1423. #
  1424. # Essentially identical to http_access, but runs after redirectors
  1425. # and ICAP/eCAP adaptation. Allowing access control based on their
  1426. # output.
  1427. #
  1428. # If not set then only http_access is used.
  1429. #Default:
  1430. # Allow, unless rules exist in squid.conf.
  1431.  
  1432. # TAG: http_reply_access
  1433. # Allow replies to client requests. This is complementary to http_access.
  1434. #
  1435. # http_reply_access allow|deny [!] aclname ...
  1436. #
  1437. # NOTE: if there are no access lines present, the default is to allow
  1438. # all replies.
  1439. #
  1440. # If none of the access lines cause a match the opposite of the
  1441. # last line will apply. Thus it is good practice to end the rules
  1442. # with an "allow all" or "deny all" entry.
  1443. #
  1444. # This clause supports both fast and slow acl types.
  1445. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  1446. #Default:
  1447. # Allow, unless rules exist in squid.conf.
  1448.  
  1449. # TAG: icp_access
  1450. # Allowing or Denying access to the ICP port based on defined
  1451. # access lists
  1452. #
  1453. # icp_access allow|deny [!]aclname ...
  1454. #
  1455. # NOTE: The default if no icp_access lines are present is to
  1456. # deny all traffic. This default may cause problems with peers
  1457. # using ICP.
  1458. #
  1459. # This clause only supports fast acl types.
  1460. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  1461. #
  1462. ## Allow ICP queries from local networks only
  1463. ##icp_access allow localnet
  1464. ##icp_access deny all
  1465. #Default:
  1466. # Deny, unless rules exist in squid.conf.
  1467.  
  1468. # TAG: htcp_access
  1469. # Allowing or Denying access to the HTCP port based on defined
  1470. # access lists
  1471. #
  1472. # htcp_access allow|deny [!]aclname ...
  1473. #
  1474. # See also htcp_clr_access for details on access control for
  1475. # cache purge (CLR) HTCP messages.
  1476. #
  1477. # NOTE: The default if no htcp_access lines are present is to
  1478. # deny all traffic. This default may cause problems with peers
  1479. # using the htcp option.
  1480. #
  1481. # This clause only supports fast acl types.
  1482. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  1483. #
  1484. ## Allow HTCP queries from local networks only
  1485. ##htcp_access allow localnet
  1486. ##htcp_access deny all
  1487. #Default:
  1488. # Deny, unless rules exist in squid.conf.
  1489.  
  1490. # TAG: htcp_clr_access
  1491. # Allowing or Denying access to purge content using HTCP based
  1492. # on defined access lists.
  1493. # See htcp_access for details on general HTCP access control.
  1494. #
  1495. # htcp_clr_access allow|deny [!]aclname ...
  1496. #
  1497. # This clause only supports fast acl types.
  1498. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  1499. #
  1500. ## Allow HTCP CLR requests from trusted peers
  1501. #acl htcp_clr_peer src 192.0.2.2 2001:DB8::2
  1502. #htcp_clr_access allow htcp_clr_peer
  1503. #htcp_clr_access deny all
  1504. #Default:
  1505. # Deny, unless rules exist in squid.conf.
  1506.  
  1507. # TAG: miss_access
  1508. # Determines whether network access is permitted when satisfying a request.
  1509. #
  1510. # For example;
  1511. # to force your neighbors to use you as a sibling instead of
  1512. # a parent.
  1513. #
  1514. # acl localclients src 192.0.2.0/24 2001:DB8::a:0/64
  1515. # miss_access deny !localclients
  1516. # miss_access allow all
  1517. #
  1518. # This means only your local clients are allowed to fetch relayed/MISS
  1519. # replies from the network and all other clients can only fetch cached
  1520. # objects (HITs).
  1521. #
  1522. # The default for this setting allows all clients who passed the
  1523. # http_access rules to relay via this proxy.
  1524. #
  1525. # This clause only supports fast acl types.
  1526. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  1527. #Default:
  1528. # Allow, unless rules exist in squid.conf.
  1529.  
  1530. # TAG: ident_lookup_access
  1531. # A list of ACL elements which, if matched, cause an ident
  1532. # (RFC 931) lookup to be performed for this request. For
  1533. # example, you might choose to always perform ident lookups
  1534. # for your main multi-user Unix boxes, but not for your Macs
  1535. # and PCs. By default, ident lookups are not performed for
  1536. # any requests.
  1537. #
  1538. # To enable ident lookups for specific client addresses, you
  1539. # can follow this example:
  1540. #
  1541. # acl ident_aware_hosts src 198.168.1.0/24
  1542. # ident_lookup_access allow ident_aware_hosts
  1543. # ident_lookup_access deny all
  1544. #
  1545. # Only src type ACL checks are fully supported. A srcdomain
  1546. # ACL might work at times, but it will not always provide
  1547. # the correct result.
  1548. #
  1549. # This clause only supports fast acl types.
  1550. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  1551. #Default:
  1552. # Unless rules exist in squid.conf, IDENT is not fetched.
  1553.  
  1554. # TAG: reply_body_max_size size [acl acl...]
  1555. # This option specifies the maximum size of a reply body. It can be
  1556. # used to prevent users from downloading very large files, such as
  1557. # MP3's and movies. When the reply headers are received, the
  1558. # reply_body_max_size lines are processed, and the first line where
  1559. # all (if any) listed ACLs are true is used as the maximum body size
  1560. # for this reply.
  1561. #
  1562. # This size is checked twice. First when we get the reply headers,
  1563. # we check the content-length value. If the content length value exists
  1564. # and is larger than the allowed size, the request is denied and the
  1565. # user receives an error message that says "the request or reply
  1566. # is too large." If there is no content-length, and the reply
  1567. # size exceeds this limit, the client's connection is just closed
  1568. # and they will receive a partial reply.
  1569. #
  1570. # WARNING: downstream caches probably can not detect a partial reply
  1571. # if there is no content-length header, so they will cache
  1572. # partial responses and give them out as hits. You should NOT
  1573. # use this option if you have downstream caches.
  1574. #
  1575. # WARNING: A maximum size smaller than the size of squid's error messages
  1576. # will cause an infinite loop and crash squid. Ensure that the smallest
  1577. # non-zero value you use is greater that the maximum header size plus
  1578. # the size of your largest error page.
  1579. #
  1580. # If you set this parameter none (the default), there will be
  1581. # no limit imposed.
  1582. #
  1583. # Configuration Format is:
  1584. # reply_body_max_size SIZE UNITS [acl ...]
  1585. # ie.
  1586. # reply_body_max_size 10 MB
  1587. #
  1588. #Default:
  1589. # No limit is applied.
  1590.  
  1591. # TAG: on_unsupported_protocol
  1592. # Determines Squid behavior when encountering strange requests at the
  1593. # beginning of an accepted TCP connection or the beginning of a bumped
  1594. # CONNECT tunnel. Controlling Squid reaction to unexpected traffic is
  1595. # especially useful in interception environments where Squid is likely
  1596. # to see connections for unsupported protocols that Squid should either
  1597. # terminate or tunnel at TCP level.
  1598. #
  1599. # on_unsupported_protocol <action> [!]acl ...
  1600. #
  1601. # The first matching action wins. Only fast ACLs are supported.
  1602. #
  1603. # Supported actions are:
  1604. #
  1605. # tunnel: Establish a TCP connection with the intended server and
  1606. # blindly shovel TCP packets between the client and server.
  1607. #
  1608. # respond: Respond with an error message, using the transfer protocol
  1609. # for the Squid port that received the request (e.g., HTTP
  1610. # for connections intercepted at the http_port). This is the
  1611. # default.
  1612. #
  1613. # Squid expects the following traffic patterns:
  1614. #
  1615. # http_port: a plain HTTP request
  1616. # https_port: SSL/TLS handshake followed by an [encrypted] HTTP request
  1617. # ftp_port: a plain FTP command (no on_unsupported_protocol support yet!)
  1618. # CONNECT tunnel on http_port: same as https_port
  1619. # CONNECT tunnel on https_port: same as https_port
  1620. #
  1621. # Currently, this directive has effect on intercepted connections and
  1622. # bumped tunnels only. Other cases are not supported because Squid
  1623. # cannot know the intended destination of other traffic.
  1624. #
  1625. # For example:
  1626. # # define what Squid errors indicate receiving non-HTTP traffic:
  1627. # acl foreignProtocol squid_error ERR_PROTOCOL_UNKNOWN ERR_TOO_BIG
  1628. # # define what Squid errors indicate receiving nothing:
  1629. # acl serverTalksFirstProtocol squid_error ERR_REQUEST_START_TIMEOUT
  1630. # # tunnel everything that does not look like HTTP:
  1631. # on_unsupported_protocol tunnel foreignProtocol
  1632. # # tunnel if we think the client waits for the server to talk first:
  1633. # on_unsupported_protocol tunnel serverTalksFirstProtocol
  1634. # # in all other error cases, just send an HTTP "error page" response:
  1635. # on_unsupported_protocol respond all
  1636. #
  1637. # See also: squid_error ACL
  1638. #Default:
  1639. # Respond with an error message to unidentifiable traffic
  1640.  
  1641. # NETWORK OPTIONS
  1642. # -----------------------------------------------------------------------------
  1643.  
  1644. # TAG: http_port
  1645. # Usage: port [mode] [options]
  1646. # hostname:port [mode] [options]
  1647. # 1.2.3.4:port [mode] [options]
  1648. #
  1649. # The socket addresses where Squid will listen for HTTP client
  1650. # requests. You may specify multiple socket addresses.
  1651. # There are three forms: port alone, hostname with port, and
  1652. # IP address with port. If you specify a hostname or IP
  1653. # address, Squid binds the socket to that specific
  1654. # address. Most likely, you do not need to bind to a specific
  1655. # address, so you can use the port number alone.
  1656. #
  1657. # If you are running Squid in accelerator mode, you
  1658. # probably want to listen on port 80 also, or instead.
  1659. #
  1660. # The -a command line option may be used to specify additional
  1661. # port(s) where Squid listens for proxy request. Such ports will
  1662. # be plain proxy ports with no options.
  1663. #
  1664. # You may specify multiple socket addresses on multiple lines.
  1665. #
  1666. # Modes:
  1667. #
  1668. # intercept Support for IP-Layer NAT interception delivering
  1669. # traffic to this Squid port.
  1670. # NP: disables authentication on the port.
  1671. #
  1672. # tproxy Support Linux TPROXY (or BSD divert-to) with spoofing
  1673. # of outgoing connections using the client IP address.
  1674. # NP: disables authentication on the port.
  1675. #
  1676. # accel Accelerator / reverse proxy mode
  1677. #
  1678. # ssl-bump For each CONNECT request allowed by ssl_bump ACLs,
  1679. # establish secure connection with the client and with
  1680. # the server, decrypt HTTPS messages as they pass through
  1681. # Squid, and treat them as unencrypted HTTP messages,
  1682. # becoming the man-in-the-middle.
  1683. #
  1684. # The ssl_bump option is required to fully enable
  1685. # bumping of CONNECT requests.
  1686. #
  1687. # Omitting the mode flag causes default forward proxy mode to be used.
  1688. #
  1689. #
  1690. # Accelerator Mode Options:
  1691. #
  1692. # defaultsite=domainname
  1693. # What to use for the Host: header if it is not present
  1694. # in a request. Determines what site (not origin server)
  1695. # accelerators should consider the default.
  1696. #
  1697. # no-vhost Disable using HTTP/1.1 Host header for virtual domain support.
  1698. #
  1699. # protocol= Protocol to reconstruct accelerated and intercepted
  1700. # requests with. Defaults to HTTP/1.1 for http_port and
  1701. # HTTPS/1.1 for https_port.
  1702. # When an unsupported value is configured Squid will
  1703. # produce a FATAL error.
  1704. # Values: HTTP or HTTP/1.1, HTTPS or HTTPS/1.1
  1705. #
  1706. # vport Virtual host port support. Using the http_port number
  1707. # instead of the port passed on Host: headers.
  1708. #
  1709. # vport=NN Virtual host port support. Using the specified port
  1710. # number instead of the port passed on Host: headers.
  1711. #
  1712. # act-as-origin
  1713. # Act as if this Squid is the origin server.
  1714. # This currently means generate new Date: and Expires:
  1715. # headers on HIT instead of adding Age:.
  1716. #
  1717. # ignore-cc Ignore request Cache-Control headers.
  1718. #
  1719. # WARNING: This option violates HTTP specifications if
  1720. # used in non-accelerator setups.
  1721. #
  1722. # allow-direct Allow direct forwarding in accelerator mode. Normally
  1723. # accelerated requests are denied direct forwarding as if
  1724. # never_direct was used.
  1725. #
  1726. # WARNING: this option opens accelerator mode to security
  1727. # vulnerabilities usually only affecting in interception
  1728. # mode. Make sure to protect forwarding with suitable
  1729. # http_access rules when using this.
  1730. #
  1731. #
  1732. # SSL Bump Mode Options:
  1733. # In addition to these options ssl-bump requires TLS/SSL options.
  1734. #
  1735. # generate-host-certificates[=<on|off>]
  1736. # Dynamically create SSL server certificates for the
  1737. # destination hosts of bumped CONNECT requests.When
  1738. # enabled, the cert and key options are used to sign
  1739. # generated certificates. Otherwise generated
  1740. # certificate will be selfsigned.
  1741. # If there is a CA certificate lifetime of the generated
  1742. # certificate equals lifetime of the CA certificate. If
  1743. # generated certificate is selfsigned lifetime is three
  1744. # years.
  1745. # This option is enabled by default when ssl-bump is used.
  1746. # See the ssl-bump option above for more information.
  1747. #
  1748. # dynamic_cert_mem_cache_size=SIZE
  1749. # Approximate total RAM size spent on cached generated
  1750. # certificates. If set to zero, caching is disabled. The
  1751. # default value is 4MB.
  1752. #
  1753. # TLS / SSL Options:
  1754. #
  1755. # tls-cert= Path to file containing an X.509 certificate (PEM format)
  1756. # to be used in the TLS handshake ServerHello.
  1757. #
  1758. # If this certificate is constrained by KeyUsage TLS
  1759. # feature it must allow HTTP server usage, along with
  1760. # any additional restrictions imposed by your choice
  1761. # of options= settings.
  1762. #
  1763. # When OpenSSL is used this file may also contain a
  1764. # chain of intermediate CA certificates to send in the
  1765. # TLS handshake.
  1766. #
  1767. # When GnuTLS is used this option (and any paired
  1768. # tls-key= option) may be repeated to load multiple
  1769. # certificates for different domains.
  1770. #
  1771. # Also, when generate-host-certificates=on is configured
  1772. # the first tls-cert= option must be a CA certificate
  1773. # capable of signing the automatically generated
  1774. # certificates.
  1775. #
  1776. # tls-key= Path to a file containing private key file (PEM format)
  1777. # for the previous tls-cert= option.
  1778. #
  1779. # If tls-key= is not specified tls-cert= is assumed to
  1780. # reference a PEM file containing both the certificate
  1781. # and private key.
  1782. #
  1783. # cipher= Colon separated list of supported ciphers.
  1784. # NOTE: some ciphers such as EDH ciphers depend on
  1785. # additional settings. If those settings are
  1786. # omitted the ciphers may be silently ignored
  1787. # by the OpenSSL library.
  1788. #
  1789. # options= Various SSL implementation options. The most important
  1790. # being:
  1791. #
  1792. # NO_SSLv3 Disallow the use of SSLv3
  1793. #
  1794. # NO_TLSv1 Disallow the use of TLSv1.0
  1795. #
  1796. # NO_TLSv1_1 Disallow the use of TLSv1.1
  1797. #
  1798. # NO_TLSv1_2 Disallow the use of TLSv1.2
  1799. #
  1800. # SINGLE_DH_USE
  1801. # Always create a new key when using
  1802. # temporary/ephemeral DH key exchanges
  1803. #
  1804. # SINGLE_ECDH_USE
  1805. # Enable ephemeral ECDH key exchange.
  1806. # The adopted curve should be specified
  1807. # using the tls-dh option.
  1808. #
  1809. # NO_TICKET
  1810. # Disable use of RFC5077 session tickets.
  1811. # Some servers may have problems
  1812. # understanding the TLS extension due
  1813. # to ambiguous specification in RFC4507.
  1814. #
  1815. # ALL Enable various bug workarounds
  1816. # suggested as "harmless" by OpenSSL
  1817. # Be warned that this reduces SSL/TLS
  1818. # strength to some attacks.
  1819. #
  1820. # See the OpenSSL SSL_CTX_set_options documentation for a
  1821. # more complete list.
  1822. #
  1823. # clientca= File containing the list of CAs to use when
  1824. # requesting a client certificate.
  1825. #
  1826. # tls-cafile= PEM file containing CA certificates to use when verifying
  1827. # client certificates. If not configured clientca will be
  1828. # used. May be repeated to load multiple files.
  1829. #
  1830. # capath= Directory containing additional CA certificates
  1831. # and CRL lists to use when verifying client certificates.
  1832. # Requires OpenSSL or LibreSSL.
  1833. #
  1834. # crlfile= File of additional CRL lists to use when verifying
  1835. # the client certificate, in addition to CRLs stored in
  1836. # the capath. Implies VERIFY_CRL flag below.
  1837. #
  1838. # tls-dh=[curve:]file
  1839. # File containing DH parameters for temporary/ephemeral DH key
  1840. # exchanges, optionally prefixed by a curve for ephemeral ECDH
  1841. # key exchanges.
  1842. # See OpenSSL documentation for details on how to create the
  1843. # DH parameter file. Supported curves for ECDH can be listed
  1844. # using the "openssl ecparam -list_curves" command.
  1845. # WARNING: EDH and EECDH ciphers will be silently disabled if
  1846. # this option is not set.
  1847. #
  1848. # sslflags= Various flags modifying the use of SSL:
  1849. # DELAYED_AUTH
  1850. # Don't request client certificates
  1851. # immediately, but wait until acl processing
  1852. # requires a certificate (not yet implemented).
  1853. # NO_SESSION_REUSE
  1854. # Don't allow for session reuse. Each connection
  1855. # will result in a new SSL session.
  1856. # VERIFY_CRL
  1857. # Verify CRL lists when accepting client
  1858. # certificates.
  1859. # VERIFY_CRL_ALL
  1860. # Verify CRL lists for all certificates in the
  1861. # client certificate chain.
  1862. #
  1863. # tls-default-ca[=off]
  1864. # Whether to use the system Trusted CAs. Default is OFF.
  1865. #
  1866. # tls-no-npn Do not use the TLS NPN extension to advertise HTTP/1.1.
  1867. #
  1868. # sslcontext= SSL session ID context identifier.
  1869. #
  1870. # Other Options:
  1871. #
  1872. # connection-auth[=on|off]
  1873. # use connection-auth=off to tell Squid to prevent
  1874. # forwarding Microsoft connection oriented authentication
  1875. # (NTLM, Negotiate and Kerberos)
  1876. #
  1877. # disable-pmtu-discovery=
  1878. # Control Path-MTU discovery usage:
  1879. # off lets OS decide on what to do (default).
  1880. # transparent disable PMTU discovery when transparent
  1881. # support is enabled.
  1882. # always disable always PMTU discovery.
  1883. #
  1884. # In many setups of transparently intercepting proxies
  1885. # Path-MTU discovery can not work on traffic towards the
  1886. # clients. This is the case when the intercepting device
  1887. # does not fully track connections and fails to forward
  1888. # ICMP must fragment messages to the cache server. If you
  1889. # have such setup and experience that certain clients
  1890. # sporadically hang or never complete requests set
  1891. # disable-pmtu-discovery option to 'transparent'.
  1892. #
  1893. # name= Specifies a internal name for the port. Defaults to
  1894. # the port specification (port or addr:port)
  1895. #
  1896. # tcpkeepalive[=idle,interval,timeout]
  1897. # Enable TCP keepalive probes of idle connections.
  1898. # In seconds; idle is the initial time before TCP starts
  1899. # probing the connection, interval how often to probe, and
  1900. # timeout the time before giving up.
  1901. #
  1902. # require-proxy-header
  1903. # Require PROXY protocol version 1 or 2 connections.
  1904. # The proxy_protocol_access is required to whitelist
  1905. # downstream proxies which can be trusted.
  1906. #
  1907. # If you run Squid on a dual-homed machine with an internal
  1908. # and an external interface we recommend you to specify the
  1909. # internal address:port in http_port. This way Squid will only be
  1910. # visible on the internal address.
  1911. #
  1912. #
  1913.  
  1914. # Squid normally listens to port 3128
  1915. http_port 3128
  1916.  
  1917. # TAG: https_port
  1918. # Usage: [ip:]port [mode] tls-cert=certificate.pem [options]
  1919. #
  1920. # The socket address where Squid will listen for client requests made
  1921. # over TLS or SSL connections. Commonly referred to as HTTPS.
  1922. #
  1923. # This is most useful for situations where you are running squid in
  1924. # accelerator mode and you want to do the TLS work at the accelerator
  1925. # level.
  1926. #
  1927. # You may specify multiple socket addresses on multiple lines,
  1928. # each with their own certificate and/or options.
  1929. #
  1930. # The tls-cert= option is mandatory on HTTPS ports.
  1931. #
  1932. # See http_port for a list of modes and options.
  1933. #Default:
  1934. # none
  1935.  
  1936. # TAG: ftp_port
  1937. # Enables Native FTP proxy by specifying the socket address where Squid
  1938. # listens for FTP client requests. See http_port directive for various
  1939. # ways to specify the listening address and mode.
  1940. #
  1941. # Usage: ftp_port address [mode] [options]
  1942. #
  1943. # WARNING: This is a new, experimental, complex feature that has seen
  1944. # limited production exposure. Some Squid modules (e.g., caching) do not
  1945. # currently work with native FTP proxying, and many features have not
  1946. # even been tested for compatibility. Test well before deploying!
  1947. #
  1948. # Native FTP proxying differs substantially from proxying HTTP requests
  1949. # with ftp:// URIs because Squid works as an FTP server and receives
  1950. # actual FTP commands (rather than HTTP requests with FTP URLs).
  1951. #
  1952. # Native FTP commands accepted at ftp_port are internally converted or
  1953. # wrapped into HTTP-like messages. The same happens to Native FTP
  1954. # responses received from FTP origin servers. Those HTTP-like messages
  1955. # are shoveled through regular access control and adaptation layers
  1956. # between the FTP client and the FTP origin server. This allows Squid to
  1957. # examine, adapt, block, and log FTP exchanges. Squid reuses most HTTP
  1958. # mechanisms when shoveling wrapped FTP messages. For example,
  1959. # http_access and adaptation_access directives are used.
  1960. #
  1961. # Modes:
  1962. #
  1963. # intercept Same as http_port intercept. The FTP origin address is
  1964. # determined based on the intended destination of the
  1965. # intercepted connection.
  1966. #
  1967. # tproxy Support Linux TPROXY for spoofing outgoing
  1968. # connections using the client IP address.
  1969. # NP: disables authentication and maybe IPv6 on the port.
  1970. #
  1971. # By default (i.e., without an explicit mode option), Squid extracts the
  1972. # FTP origin address from the login@origin parameter of the FTP USER
  1973. # command. Many popular FTP clients support such native FTP proxying.
  1974. #
  1975. # Options:
  1976. #
  1977. # name=token Specifies an internal name for the port. Defaults to
  1978. # the port address. Usable with myportname ACL.
  1979. #
  1980. # ftp-track-dirs
  1981. # Enables tracking of FTP directories by injecting extra
  1982. # PWD commands and adjusting Request-URI (in wrapping
  1983. # HTTP requests) to reflect the current FTP server
  1984. # directory. Tracking is disabled by default.
  1985. #
  1986. # protocol=FTP Protocol to reconstruct accelerated and intercepted
  1987. # requests with. Defaults to FTP. No other accepted
  1988. # values have been tested with. An unsupported value
  1989. # results in a FATAL error. Accepted values are FTP,
  1990. # HTTP (or HTTP/1.1), and HTTPS (or HTTPS/1.1).
  1991. #
  1992. # Other http_port modes and options that are not specific to HTTP and
  1993. # HTTPS may also work.
  1994. #Default:
  1995. # none
  1996.  
  1997. # TAG: tcp_outgoing_tos
  1998. # Allows you to select a TOS/Diffserv value for packets outgoing
  1999. # on the server side, based on an ACL.
  2000. #
  2001. # tcp_outgoing_tos ds-field [!]aclname ...
  2002. #
  2003. # Example where normal_service_net uses the TOS value 0x00
  2004. # and good_service_net uses 0x20
  2005. #
  2006. # acl normal_service_net src 10.0.0.0/24
  2007. # acl good_service_net src 10.0.1.0/24
  2008. # tcp_outgoing_tos 0x00 normal_service_net
  2009. # tcp_outgoing_tos 0x20 good_service_net
  2010. #
  2011. # TOS/DSCP values really only have local significance - so you should
  2012. # know what you're specifying. For more information, see RFC2474,
  2013. # RFC2475, and RFC3260.
  2014. #
  2015. # The TOS/DSCP byte must be exactly that - a octet value 0 - 255, or
  2016. # "default" to use whatever default your host has.
  2017. # Note that only multiples of 4 are usable as the two rightmost bits have
  2018. # been redefined for use by ECN (RFC 3168 section 23.1).
  2019. # The squid parser will enforce this by masking away the ECN bits.
  2020. #
  2021. # Processing proceeds in the order specified, and stops at first fully
  2022. # matching line.
  2023. #
  2024. # Only fast ACLs are supported.
  2025. #Default:
  2026. # none
  2027.  
  2028. # TAG: clientside_tos
  2029. # Allows you to select a TOS/DSCP value for packets being transmitted
  2030. # on the client-side, based on an ACL.
  2031. #
  2032. # clientside_tos ds-field [!]aclname ...
  2033. #
  2034. # Example where normal_service_net uses the TOS value 0x00
  2035. # and good_service_net uses 0x20
  2036. #
  2037. # acl normal_service_net src 10.0.0.0/24
  2038. # acl good_service_net src 10.0.1.0/24
  2039. # clientside_tos 0x00 normal_service_net
  2040. # clientside_tos 0x20 good_service_net
  2041. #
  2042. # Note: This feature is incompatible with qos_flows. Any TOS values set here
  2043. # will be overwritten by TOS values in qos_flows.
  2044. #
  2045. # The TOS/DSCP byte must be exactly that - a octet value 0 - 255, or
  2046. # "default" to use whatever default your host has.
  2047. # Note that only multiples of 4 are usable as the two rightmost bits have
  2048. # been redefined for use by ECN (RFC 3168 section 23.1).
  2049. # The squid parser will enforce this by masking away the ECN bits.
  2050. #
  2051. # This clause only supports fast acl types.
  2052. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  2053. #Default:
  2054. # none
  2055.  
  2056. # TAG: tcp_outgoing_mark
  2057. # Note: This option is only available if Squid is rebuilt with the
  2058. # Packet MARK (Linux)
  2059. #
  2060. # Allows you to apply a Netfilter mark value to outgoing packets
  2061. # on the server side, based on an ACL.
  2062. #
  2063. # tcp_outgoing_mark mark-value [!]aclname ...
  2064. #
  2065. # Example where normal_service_net uses the mark value 0x00
  2066. # and good_service_net uses 0x20
  2067. #
  2068. # acl normal_service_net src 10.0.0.0/24
  2069. # acl good_service_net src 10.0.1.0/24
  2070. # tcp_outgoing_mark 0x00 normal_service_net
  2071. # tcp_outgoing_mark 0x20 good_service_net
  2072. #
  2073. # Only fast ACLs are supported.
  2074. #Default:
  2075. # none
  2076.  
  2077. # TAG: clientside_mark
  2078. # Note: This option is only available if Squid is rebuilt with the
  2079. # Packet MARK (Linux)
  2080. #
  2081. # Allows you to apply a Netfilter mark value to packets being transmitted
  2082. # on the client-side, based on an ACL.
  2083. #
  2084. # clientside_mark mark-value [!]aclname ...
  2085. #
  2086. # Example where normal_service_net uses the mark value 0x00
  2087. # and good_service_net uses 0x20
  2088. #
  2089. # acl normal_service_net src 10.0.0.0/24
  2090. # acl good_service_net src 10.0.1.0/24
  2091. # clientside_mark 0x00 normal_service_net
  2092. # clientside_mark 0x20 good_service_net
  2093. #
  2094. # Note: This feature is incompatible with qos_flows. Any mark values set here
  2095. # will be overwritten by mark values in qos_flows.
  2096. #
  2097. # This clause only supports fast acl types.
  2098. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  2099. #Default:
  2100. # none
  2101.  
  2102. # TAG: qos_flows
  2103. # Allows you to select a TOS/DSCP value to mark outgoing
  2104. # connections to the client, based on where the reply was sourced.
  2105. # For platforms using netfilter, allows you to set a netfilter mark
  2106. # value instead of, or in addition to, a TOS value.
  2107. #
  2108. # By default this functionality is disabled. To enable it with the default
  2109. # settings simply use "qos_flows mark" or "qos_flows tos". Default
  2110. # settings will result in the netfilter mark or TOS value being copied
  2111. # from the upstream connection to the client. Note that it is the connection
  2112. # CONNMARK value not the packet MARK value that is copied.
  2113. #
  2114. # It is not currently possible to copy the mark or TOS value from the
  2115. # client to the upstream connection request.
  2116. #
  2117. # TOS values really only have local significance - so you should
  2118. # know what you're specifying. For more information, see RFC2474,
  2119. # RFC2475, and RFC3260.
  2120. #
  2121. # The TOS/DSCP byte must be exactly that - a octet value 0 - 255.
  2122. # Note that only multiples of 4 are usable as the two rightmost bits have
  2123. # been redefined for use by ECN (RFC 3168 section 23.1).
  2124. # The squid parser will enforce this by masking away the ECN bits.
  2125. #
  2126. # Mark values can be any unsigned 32-bit integer value.
  2127. #
  2128. # This setting is configured by setting the following values:
  2129. #
  2130. # tos|mark Whether to set TOS or netfilter mark values
  2131. #
  2132. # local-hit=0xFF Value to mark local cache hits.
  2133. #
  2134. # sibling-hit=0xFF Value to mark hits from sibling peers.
  2135. #
  2136. # parent-hit=0xFF Value to mark hits from parent peers.
  2137. #
  2138. # miss=0xFF[/mask] Value to mark cache misses. Takes precedence
  2139. # over the preserve-miss feature (see below), unless
  2140. # mask is specified, in which case only the bits
  2141. # specified in the mask are written.
  2142. #
  2143. # The TOS variant of the following features are only possible on Linux
  2144. # and require your kernel to be patched with the TOS preserving ZPH
  2145. # patch, available from http://zph.bratcheda.org
  2146. # No patch is needed to preserve the netfilter mark, which will work
  2147. # with all variants of netfilter.
  2148. #
  2149. # disable-preserve-miss
  2150. # This option disables the preservation of the TOS or netfilter
  2151. # mark. By default, the existing TOS or netfilter mark value of
  2152. # the response coming from the remote server will be retained
  2153. # and masked with miss-mark.
  2154. # NOTE: in the case of a netfilter mark, the mark must be set on
  2155. # the connection (using the CONNMARK target) not on the packet
  2156. # (MARK target).
  2157. #
  2158. # miss-mask=0xFF
  2159. # Allows you to mask certain bits in the TOS or mark value
  2160. # received from the remote server, before copying the value to
  2161. # the TOS sent towards clients.
  2162. # Default for tos: 0xFF (TOS from server is not changed).
  2163. # Default for mark: 0xFFFFFFFF (mark from server is not changed).
  2164. #
  2165. # All of these features require the --enable-zph-qos compilation flag
  2166. # (enabled by default). Netfilter marking also requires the
  2167. # libnetfilter_conntrack libraries (--with-netfilter-conntrack) and
  2168. # libcap 2.09+ (--with-libcap).
  2169. #
  2170. #Default:
  2171. # none
  2172.  
  2173. # TAG: tcp_outgoing_address
  2174. # Allows you to map requests to different outgoing IP addresses
  2175. # based on the username or source address of the user making
  2176. # the request.
  2177. #
  2178. # tcp_outgoing_address ipaddr [[!]aclname] ...
  2179. #
  2180. # For example;
  2181. # Forwarding clients with dedicated IPs for certain subnets.
  2182. #
  2183. # acl normal_service_net src 10.0.0.0/24
  2184. # acl good_service_net src 10.0.2.0/24
  2185. #
  2186. # tcp_outgoing_address 2001:db8::c001 good_service_net
  2187. # tcp_outgoing_address 10.1.0.2 good_service_net
  2188. #
  2189. # tcp_outgoing_address 2001:db8::beef normal_service_net
  2190. # tcp_outgoing_address 10.1.0.1 normal_service_net
  2191. #
  2192. # tcp_outgoing_address 2001:db8::1
  2193. # tcp_outgoing_address 10.1.0.3
  2194. #
  2195. # Processing proceeds in the order specified, and stops at first fully
  2196. # matching line.
  2197. #
  2198. # Squid will add an implicit IP version test to each line.
  2199. # Requests going to IPv4 websites will use the outgoing 10.1.0.* addresses.
  2200. # Requests going to IPv6 websites will use the outgoing 2001:db8:* addresses.
  2201. #
  2202. #
  2203. # NOTE: The use of this directive using client dependent ACLs is
  2204. # incompatible with the use of server side persistent connections. To
  2205. # ensure correct results it is best to set server_persistent_connections
  2206. # to off when using this directive in such configurations.
  2207. #
  2208. # NOTE: The use of this directive to set a local IP on outgoing TCP links
  2209. # is incompatible with using TPROXY to set client IP out outbound TCP links.
  2210. # When needing to contact peers use the no-tproxy cache_peer option and the
  2211. # client_dst_passthru directive re-enable normal forwarding such as this.
  2212. #
  2213. # This clause only supports fast acl types.
  2214. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  2215. #Default:
  2216. # Address selection is performed by the operating system.
  2217.  
  2218. # TAG: host_verify_strict
  2219. # Regardless of this option setting, when dealing with intercepted
  2220. # traffic, Squid always verifies that the destination IP address matches
  2221. # the Host header domain or IP (called 'authority form URL').
  2222. #
  2223. # This enforcement is performed to satisfy a MUST-level requirement in
  2224. # RFC 2616 section 14.23: "The Host field value MUST represent the naming
  2225. # authority of the origin server or gateway given by the original URL".
  2226. #
  2227. # When set to ON:
  2228. # Squid always responds with an HTTP 409 (Conflict) error
  2229. # page and logs a security warning if there is no match.
  2230. #
  2231. # Squid verifies that the destination IP address matches
  2232. # the Host header for forward-proxy and reverse-proxy traffic
  2233. # as well. For those traffic types, Squid also enables the
  2234. # following checks, comparing the corresponding Host header
  2235. # and Request-URI components:
  2236. #
  2237. # * The host names (domain or IP) must be identical,
  2238. # but valueless or missing Host header disables all checks.
  2239. # For the two host names to match, both must be either IP
  2240. # or FQDN.
  2241. #
  2242. # * Port numbers must be identical, but if a port is missing
  2243. # the scheme-default port is assumed.
  2244. #
  2245. #
  2246. # When set to OFF (the default):
  2247. # Squid allows suspicious requests to continue but logs a
  2248. # security warning and blocks caching of the response.
  2249. #
  2250. # * Forward-proxy traffic is not checked at all.
  2251. #
  2252. # * Reverse-proxy traffic is not checked at all.
  2253. #
  2254. # * Intercepted traffic which passes verification is handled
  2255. # according to client_dst_passthru.
  2256. #
  2257. # * Intercepted requests which fail verification are sent
  2258. # to the client original destination instead of DIRECT.
  2259. # This overrides 'client_dst_passthru off'.
  2260. #
  2261. # For now suspicious intercepted CONNECT requests are always
  2262. # responded to with an HTTP 409 (Conflict) error page.
  2263. #
  2264. #
  2265. # SECURITY NOTE:
  2266. #
  2267. # As described in CVE-2009-0801 when the Host: header alone is used
  2268. # to determine the destination of a request it becomes trivial for
  2269. # malicious scripts on remote websites to bypass browser same-origin
  2270. # security policy and sandboxing protections.
  2271. #
  2272. # The cause of this is that such applets are allowed to perform their
  2273. # own HTTP stack, in which case the same-origin policy of the browser
  2274. # sandbox only verifies that the applet tries to contact the same IP
  2275. # as from where it was loaded at the IP level. The Host: header may
  2276. # be different from the connected IP and approved origin.
  2277. #
  2278. #Default:
  2279. # host_verify_strict off
  2280.  
  2281. # TAG: client_dst_passthru
  2282. # With NAT or TPROXY intercepted traffic Squid may pass the request
  2283. # directly to the original client destination IP or seek a faster
  2284. # source using the HTTP Host header.
  2285. #
  2286. # Using Host to locate alternative servers can provide faster
  2287. # connectivity with a range of failure recovery options.
  2288. # But can also lead to connectivity trouble when the client and
  2289. # server are attempting stateful interactions unaware of the proxy.
  2290. #
  2291. # This option (on by default) prevents alternative DNS entries being
  2292. # located to send intercepted traffic DIRECT to an origin server.
  2293. # The clients original destination IP and port will be used instead.
  2294. #
  2295. # Regardless of this option setting, when dealing with intercepted
  2296. # traffic Squid will verify the Host: header and any traffic which
  2297. # fails Host verification will be treated as if this option were ON.
  2298. #
  2299. # see host_verify_strict for details on the verification process.
  2300. #Default:
  2301. # client_dst_passthru on
  2302.  
  2303. # TLS OPTIONS
  2304. # -----------------------------------------------------------------------------
  2305.  
  2306. # TAG: tls_outgoing_options
  2307. # disable Do not support https:// URLs.
  2308. #
  2309. # cert=/path/to/client/certificate
  2310. # A client X.509 certificate to use when connecting.
  2311. #
  2312. # key=/path/to/client/private_key
  2313. # The private key corresponding to the cert= above.
  2314. #
  2315. # If key= is not specified cert= is assumed to
  2316. # reference a PEM file containing both the certificate
  2317. # and private key.
  2318. #
  2319. # cipher=... The list of valid TLS ciphers to use.
  2320. #
  2321. # min-version=1.N
  2322. # The minimum TLS protocol version to permit.
  2323. # To control SSLv3 use the options= parameter.
  2324. # Supported Values: 1.0 (default), 1.1, 1.2, 1.3
  2325. #
  2326. # options=... Specify various TLS/SSL implementation options.
  2327. #
  2328. # OpenSSL options most important are:
  2329. #
  2330. # NO_SSLv3 Disallow the use of SSLv3
  2331. #
  2332. # SINGLE_DH_USE
  2333. # Always create a new key when using
  2334. # temporary/ephemeral DH key exchanges
  2335. #
  2336. # NO_TICKET
  2337. # Disable use of RFC5077 session tickets.
  2338. # Some servers may have problems
  2339. # understanding the TLS extension due
  2340. # to ambiguous specification in RFC4507.
  2341. #
  2342. # ALL Enable various bug workarounds
  2343. # suggested as "harmless" by OpenSSL
  2344. # Be warned that this reduces SSL/TLS
  2345. # strength to some attacks.
  2346. #
  2347. # See the OpenSSL SSL_CTX_set_options documentation
  2348. # for a more complete list.
  2349. #
  2350. # GnuTLS options most important are:
  2351. #
  2352. # %NO_TICKETS
  2353. # Disable use of RFC5077 session tickets.
  2354. # Some servers may have problems
  2355. # understanding the TLS extension due
  2356. # to ambiguous specification in RFC4507.
  2357. #
  2358. # See the GnuTLS Priority Strings documentation
  2359. # for a more complete list.
  2360. # http://www.gnutls.org/manual/gnutls.html#Priority-Strings
  2361. #
  2362. #
  2363. # cafile= PEM file containing CA certificates to use when verifying
  2364. # the peer certificate. May be repeated to load multiple files.
  2365. #
  2366. # capath= A directory containing additional CA certificates to
  2367. # use when verifying the peer certificate.
  2368. # Requires OpenSSL or LibreSSL.
  2369. #
  2370. # crlfile=... A certificate revocation list file to use when
  2371. # verifying the peer certificate.
  2372. #
  2373. # flags=... Specify various flags modifying the TLS implementation:
  2374. #
  2375. # DONT_VERIFY_PEER
  2376. # Accept certificates even if they fail to
  2377. # verify.
  2378. # DONT_VERIFY_DOMAIN
  2379. # Don't verify the peer certificate
  2380. # matches the server name
  2381. #
  2382. # default-ca[=off]
  2383. # Whether to use the system Trusted CAs. Default is ON.
  2384. #
  2385. # domain= The peer name as advertised in its certificate.
  2386. # Used for verifying the correctness of the received peer
  2387. # certificate. If not specified the peer hostname will be
  2388. # used.
  2389. #Default:
  2390. # tls_outgoing_options min-version=1.0
  2391.  
  2392. # SSL OPTIONS
  2393. # -----------------------------------------------------------------------------
  2394.  
  2395. # TAG: ssl_unclean_shutdown
  2396. # Note: This option is only available if Squid is rebuilt with the
  2397. # --with-openssl
  2398. #
  2399. # Some browsers (especially MSIE) bugs out on SSL shutdown
  2400. # messages.
  2401. #Default:
  2402. # ssl_unclean_shutdown off
  2403.  
  2404. # TAG: ssl_engine
  2405. # Note: This option is only available if Squid is rebuilt with the
  2406. # --with-openssl
  2407. #
  2408. # The OpenSSL engine to use. You will need to set this if you
  2409. # would like to use hardware SSL acceleration for example.
  2410. #Default:
  2411. # none
  2412.  
  2413. # TAG: sslproxy_session_ttl
  2414. # Note: This option is only available if Squid is rebuilt with the
  2415. # --with-openssl
  2416. #
  2417. # Sets the timeout value for SSL sessions
  2418. #Default:
  2419. # sslproxy_session_ttl 300
  2420.  
  2421. # TAG: sslproxy_session_cache_size
  2422. # Note: This option is only available if Squid is rebuilt with the
  2423. # --with-openssl
  2424. #
  2425. # Sets the cache size to use for ssl session
  2426. #Default:
  2427. # sslproxy_session_cache_size 2 MB
  2428.  
  2429. # TAG: sslproxy_foreign_intermediate_certs
  2430. # Note: This option is only available if Squid is rebuilt with the
  2431. # --with-openssl
  2432. #
  2433. # Many origin servers fail to send their full server certificate
  2434. # chain for verification, assuming the client already has or can
  2435. # easily locate any missing intermediate certificates.
  2436. #
  2437. # Squid uses the certificates from the specified file to fill in
  2438. # these missing chains when trying to validate origin server
  2439. # certificate chains.
  2440. #
  2441. # The file is expected to contain zero or more PEM-encoded
  2442. # intermediate certificates. These certificates are not treated
  2443. # as trusted root certificates, and any self-signed certificate in
  2444. # this file will be ignored.
  2445. #Default:
  2446. # none
  2447.  
  2448. # TAG: sslproxy_cert_sign_hash
  2449. # Note: This option is only available if Squid is rebuilt with the
  2450. # --with-openssl
  2451. #
  2452. # Sets the hashing algorithm to use when signing generated certificates.
  2453. # Valid algorithm names depend on the OpenSSL library used. The following
  2454. # names are usually available: sha1, sha256, sha512, and md5. Please see
  2455. # your OpenSSL library manual for the available hashes. By default, Squids
  2456. # that support this option use sha256 hashes.
  2457. #
  2458. # Squid does not forcefully purge cached certificates that were generated
  2459. # with an algorithm other than the currently configured one. They remain
  2460. # in the cache, subject to the regular cache eviction policy, and become
  2461. # useful if the algorithm changes again.
  2462. #Default:
  2463. # none
  2464.  
  2465. # TAG: ssl_bump
  2466. # Note: This option is only available if Squid is rebuilt with the
  2467. # --with-openssl
  2468. #
  2469. # This option is consulted when a CONNECT request is received on
  2470. # an http_port (or a new connection is intercepted at an
  2471. # https_port), provided that port was configured with an ssl-bump
  2472. # flag. The subsequent data on the connection is either treated as
  2473. # HTTPS and decrypted OR tunneled at TCP level without decryption,
  2474. # depending on the first matching bumping "action".
  2475. #
  2476. # ssl_bump <action> [!]acl ...
  2477. #
  2478. # The following bumping actions are currently supported:
  2479. #
  2480. # splice
  2481. # Become a TCP tunnel without decrypting proxied traffic.
  2482. # This is the default action.
  2483. #
  2484. # bump
  2485. # When used on step SslBump1, establishes a secure connection
  2486. # with the client first, then connect to the server.
  2487. # When used on step SslBump2 or SslBump3, establishes a secure
  2488. # connection with the server and, using a mimicked server
  2489. # certificate, with the client.
  2490. #
  2491. # peek
  2492. # Receive client (step SslBump1) or server (step SslBump2)
  2493. # certificate while preserving the possibility of splicing the
  2494. # connection. Peeking at the server certificate (during step 2)
  2495. # usually precludes bumping of the connection at step 3.
  2496. #
  2497. # stare
  2498. # Receive client (step SslBump1) or server (step SslBump2)
  2499. # certificate while preserving the possibility of bumping the
  2500. # connection. Staring at the server certificate (during step 2)
  2501. # usually precludes splicing of the connection at step 3.
  2502. #
  2503. # terminate
  2504. # Close client and server connections.
  2505. #
  2506. # Backward compatibility actions available at step SslBump1:
  2507. #
  2508. # client-first
  2509. # Bump the connection. Establish a secure connection with the
  2510. # client first, then connect to the server. This old mode does
  2511. # not allow Squid to mimic server SSL certificate and does not
  2512. # work with intercepted SSL connections.
  2513. #
  2514. # server-first
  2515. # Bump the connection. Establish a secure connection with the
  2516. # server first, then establish a secure connection with the
  2517. # client, using a mimicked server certificate. Works with both
  2518. # CONNECT requests and intercepted SSL connections, but does
  2519. # not allow to make decisions based on SSL handshake info.
  2520. #
  2521. # peek-and-splice
  2522. # Decide whether to bump or splice the connection based on
  2523. # client-to-squid and server-to-squid SSL hello messages.
  2524. # XXX: Remove.
  2525. #
  2526. # none
  2527. # Same as the "splice" action.
  2528. #
  2529. # All ssl_bump rules are evaluated at each of the supported bumping
  2530. # steps. Rules with actions that are impossible at the current step are
  2531. # ignored. The first matching ssl_bump action wins and is applied at the
  2532. # end of the current step. If no rules match, the splice action is used.
  2533. # See the at_step ACL for a list of the supported SslBump steps.
  2534. #
  2535. # This clause supports both fast and slow acl types.
  2536. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  2537. #
  2538. # See also: http_port ssl-bump, https_port ssl-bump, and acl at_step.
  2539. #
  2540. #
  2541. # # Example: Bump all TLS connections except those originating from
  2542. # # localhost or those going to example.com.
  2543. #
  2544. # acl broken_sites ssl::server_name .example.com
  2545. # ssl_bump splice localhost
  2546. # ssl_bump splice broken_sites
  2547. # ssl_bump bump all
  2548. #Default:
  2549. # Become a TCP tunnel without decrypting proxied traffic.
  2550.  
  2551. # TAG: sslproxy_cert_error
  2552. # Note: This option is only available if Squid is rebuilt with the
  2553. # --with-openssl
  2554. #
  2555. # Use this ACL to bypass server certificate validation errors.
  2556. #
  2557. # For example, the following lines will bypass all validation errors
  2558. # when talking to servers for example.com. All other
  2559. # validation errors will result in ERR_SECURE_CONNECT_FAIL error.
  2560. #
  2561. # acl BrokenButTrustedServers dstdomain example.com
  2562. # sslproxy_cert_error allow BrokenButTrustedServers
  2563. # sslproxy_cert_error deny all
  2564. #
  2565. # This clause only supports fast acl types.
  2566. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  2567. # Using slow acl types may result in server crashes
  2568. #
  2569. # Without this option, all server certificate validation errors
  2570. # terminate the transaction to protect Squid and the client.
  2571. #
  2572. # SQUID_X509_V_ERR_INFINITE_VALIDATION error cannot be bypassed
  2573. # but should not happen unless your OpenSSL library is buggy.
  2574. #
  2575. # SECURITY WARNING:
  2576. # Bypassing validation errors is dangerous because an
  2577. # error usually implies that the server cannot be trusted
  2578. # and the connection may be insecure.
  2579. #
  2580. # See also: sslproxy_flags and DONT_VERIFY_PEER.
  2581. #Default:
  2582. # Server certificate errors terminate the transaction.
  2583.  
  2584. # TAG: sslproxy_cert_sign
  2585. # Note: This option is only available if Squid is rebuilt with the
  2586. # --with-openssl
  2587. #
  2588. #
  2589. # sslproxy_cert_sign <signing algorithm> acl ...
  2590. #
  2591. # The following certificate signing algorithms are supported:
  2592. #
  2593. # signTrusted
  2594. # Sign using the configured CA certificate which is usually
  2595. # placed in and trusted by end-user browsers. This is the
  2596. # default for trusted origin server certificates.
  2597. #
  2598. # signUntrusted
  2599. # Sign to guarantee an X509_V_ERR_CERT_UNTRUSTED browser error.
  2600. # This is the default for untrusted origin server certificates
  2601. # that are not self-signed (see ssl::certUntrusted).
  2602. #
  2603. # signSelf
  2604. # Sign using a self-signed certificate with the right CN to
  2605. # generate a X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT error in the
  2606. # browser. This is the default for self-signed origin server
  2607. # certificates (see ssl::certSelfSigned).
  2608. #
  2609. # This clause only supports fast acl types.
  2610. #
  2611. # When sslproxy_cert_sign acl(s) match, Squid uses the corresponding
  2612. # signing algorithm to generate the certificate and ignores all
  2613. # subsequent sslproxy_cert_sign options (the first match wins). If no
  2614. # acl(s) match, the default signing algorithm is determined by errors
  2615. # detected when obtaining and validating the origin server certificate.
  2616. #
  2617. # WARNING: SQUID_X509_V_ERR_DOMAIN_MISMATCH and ssl:certDomainMismatch can
  2618. # be used with sslproxy_cert_adapt, but if and only if Squid is bumping a
  2619. # CONNECT request that carries a domain name. In all other cases (CONNECT
  2620. # to an IP address or an intercepted SSL connection), Squid cannot detect
  2621. # the domain mismatch at certificate generation time when
  2622. # bump-server-first is used.
  2623. #Default:
  2624. # none
  2625.  
  2626. # TAG: sslproxy_cert_adapt
  2627. # Note: This option is only available if Squid is rebuilt with the
  2628. # --with-openssl
  2629. #
  2630. #
  2631. # sslproxy_cert_adapt <adaptation algorithm> acl ...
  2632. #
  2633. # The following certificate adaptation algorithms are supported:
  2634. #
  2635. # setValidAfter
  2636. # Sets the "Not After" property to the "Not After" property of
  2637. # the CA certificate used to sign generated certificates.
  2638. #
  2639. # setValidBefore
  2640. # Sets the "Not Before" property to the "Not Before" property of
  2641. # the CA certificate used to sign generated certificates.
  2642. #
  2643. # setCommonName or setCommonName{CN}
  2644. # Sets Subject.CN property to the host name specified as a
  2645. # CN parameter or, if no explicit CN parameter was specified,
  2646. # extracted from the CONNECT request. It is a misconfiguration
  2647. # to use setCommonName without an explicit parameter for
  2648. # intercepted or tproxied SSL connections.
  2649. #
  2650. # This clause only supports fast acl types.
  2651. #
  2652. # Squid first groups sslproxy_cert_adapt options by adaptation algorithm.
  2653. # Within a group, when sslproxy_cert_adapt acl(s) match, Squid uses the
  2654. # corresponding adaptation algorithm to generate the certificate and
  2655. # ignores all subsequent sslproxy_cert_adapt options in that algorithm's
  2656. # group (i.e., the first match wins within each algorithm group). If no
  2657. # acl(s) match, the default mimicking action takes place.
  2658. #
  2659. # WARNING: SQUID_X509_V_ERR_DOMAIN_MISMATCH and ssl:certDomainMismatch can
  2660. # be used with sslproxy_cert_adapt, but if and only if Squid is bumping a
  2661. # CONNECT request that carries a domain name. In all other cases (CONNECT
  2662. # to an IP address or an intercepted SSL connection), Squid cannot detect
  2663. # the domain mismatch at certificate generation time when
  2664. # bump-server-first is used.
  2665. #Default:
  2666. # none
  2667.  
  2668. # TAG: sslpassword_program
  2669. # Note: This option is only available if Squid is rebuilt with the
  2670. # --with-openssl
  2671. #
  2672. # Specify a program used for entering SSL key passphrases
  2673. # when using encrypted SSL certificate keys. If not specified
  2674. # keys must either be unencrypted, or Squid started with the -N
  2675. # option to allow it to query interactively for the passphrase.
  2676. #
  2677. # The key file name is given as argument to the program allowing
  2678. # selection of the right password if you have multiple encrypted
  2679. # keys.
  2680. #Default:
  2681. # none
  2682.  
  2683. # OPTIONS RELATING TO EXTERNAL SSL_CRTD
  2684. # -----------------------------------------------------------------------------
  2685.  
  2686. # TAG: sslcrtd_program
  2687. # Note: This option is only available if Squid is rebuilt with the
  2688. # --enable-ssl-crtd
  2689. #
  2690. # Specify the location and options of the executable for certificate
  2691. # generator.
  2692. #
  2693. # /usr/lib/squid/security_file_certgen program can use a disk cache to improve response
  2694. # times on repeated requests. To enable caching, specify -s and -M
  2695. # parameters. If those parameters are not given, the program generates
  2696. # a new certificate on every request.
  2697. #
  2698. # For more information use:
  2699. # /usr/lib/squid/security_file_certgen -h
  2700. #Default:
  2701. # sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/spool/squid/ssl_db -M 4MB
  2702.  
  2703. # TAG: sslcrtd_children
  2704. # Note: This option is only available if Squid is rebuilt with the
  2705. # --enable-ssl-crtd
  2706. #
  2707. # Specifies the maximum number of certificate generation processes that
  2708. # Squid may spawn (numberofchildren) and several related options. Using
  2709. # too few of these helper processes (a.k.a. "helpers") creates request
  2710. # queues. Using too many helpers wastes your system resources. Squid
  2711. # does not support spawning more than 32 helpers.
  2712. #
  2713. # Usage: numberofchildren [option]...
  2714. #
  2715. # The startup= and idle= options allow some measure of skew in your
  2716. # tuning.
  2717. #
  2718. # startup=N
  2719. #
  2720. # Sets the minimum number of processes to spawn when Squid
  2721. # starts or reconfigures. When set to zero the first request will
  2722. # cause spawning of the first child process to handle it.
  2723. #
  2724. # Starting too few children temporary slows Squid under load while it
  2725. # tries to spawn enough additional processes to cope with traffic.
  2726. #
  2727. # idle=N
  2728. #
  2729. # Sets a minimum of how many processes Squid is to try and keep available
  2730. # at all times. When traffic begins to rise above what the existing
  2731. # processes can handle this many more will be spawned up to the maximum
  2732. # configured. A minimum setting of 1 is required.
  2733. #
  2734. # queue-size=N
  2735. #
  2736. # Sets the maximum number of queued requests. A request is queued when
  2737. # no existing child is idle and no new child can be started due to
  2738. # numberofchildren limit. If the queued requests exceed queue size for
  2739. # more than 3 minutes squid aborts its operation. The default value is
  2740. # set to 2*numberofchildren.
  2741. #
  2742. # You must have at least one ssl_crtd process.
  2743. #Default:
  2744. # sslcrtd_children 32 startup=5 idle=1
  2745.  
  2746. # TAG: sslcrtvalidator_program
  2747. # Note: This option is only available if Squid is rebuilt with the
  2748. # --with-openssl
  2749. #
  2750. # Specify the location and options of the executable for ssl_crt_validator
  2751. # process.
  2752. #
  2753. # Usage: sslcrtvalidator_program [ttl=n] [cache=n] path ...
  2754. #
  2755. # Options:
  2756. # ttl=n TTL in seconds for cached results. The default is 60 secs
  2757. # cache=n limit the result cache size. The default value is 2048
  2758. #Default:
  2759. # none
  2760.  
  2761. # TAG: sslcrtvalidator_children
  2762. # Note: This option is only available if Squid is rebuilt with the
  2763. # --with-openssl
  2764. #
  2765. # Specifies the maximum number of certificate validation processes that
  2766. # Squid may spawn (numberofchildren) and several related options. Using
  2767. # too few of these helper processes (a.k.a. "helpers") creates request
  2768. # queues. Using too many helpers wastes your system resources. Squid
  2769. # does not support spawning more than 32 helpers.
  2770. #
  2771. # Usage: numberofchildren [option]...
  2772. #
  2773. # The startup= and idle= options allow some measure of skew in your
  2774. # tuning.
  2775. #
  2776. # startup=N
  2777. #
  2778. # Sets the minimum number of processes to spawn when Squid
  2779. # starts or reconfigures. When set to zero the first request will
  2780. # cause spawning of the first child process to handle it.
  2781. #
  2782. # Starting too few children temporary slows Squid under load while it
  2783. # tries to spawn enough additional processes to cope with traffic.
  2784. #
  2785. # idle=N
  2786. #
  2787. # Sets a minimum of how many processes Squid is to try and keep available
  2788. # at all times. When traffic begins to rise above what the existing
  2789. # processes can handle this many more will be spawned up to the maximum
  2790. # configured. A minimum setting of 1 is required.
  2791. #
  2792. # concurrency=
  2793. #
  2794. # The number of requests each certificate validator helper can handle in
  2795. # parallel. A value of 0 indicates the certficate validator does not
  2796. # support concurrency. Defaults to 1.
  2797. #
  2798. # When this directive is set to a value >= 1 then the protocol
  2799. # used to communicate with the helper is modified to include
  2800. # a request ID in front of the request/response. The request
  2801. # ID from the request must be echoed back with the response
  2802. # to that request.
  2803. #
  2804. # queue-size=N
  2805. #
  2806. # Sets the maximum number of queued requests. A request is queued when
  2807. # no existing child can accept it due to concurrency limit and no new
  2808. # child can be started due to numberofchildren limit. If the queued
  2809. # requests exceed queue size for more than 3 minutes squid aborts its
  2810. # operation. The default value is set to 2*numberofchildren.
  2811. #
  2812. # You must have at least one ssl_crt_validator process.
  2813. #Default:
  2814. # sslcrtvalidator_children 32 startup=5 idle=1 concurrency=1
  2815.  
  2816. # OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
  2817. # -----------------------------------------------------------------------------
  2818.  
  2819. # TAG: cache_peer
  2820. # To specify other caches in a hierarchy, use the format:
  2821. #
  2822. # cache_peer hostname type http-port icp-port [options]
  2823. #
  2824. # For example,
  2825. #
  2826. # # proxy icp
  2827. # # hostname type port port options
  2828. # # -------------------- -------- ----- ----- -----------
  2829. # cache_peer parent.foo.net parent 3128 3130 default
  2830. # cache_peer sib1.foo.net sibling 3128 3130 proxy-only
  2831. # cache_peer sib2.foo.net sibling 3128 3130 proxy-only
  2832. # cache_peer example.com parent 80 0 default
  2833. # cache_peer cdn.example.com sibling 3128 0
  2834. #
  2835. # type: either 'parent', 'sibling', or 'multicast'.
  2836. #
  2837. # proxy-port: The port number where the peer accept HTTP requests.
  2838. # For other Squid proxies this is usually 3128
  2839. # For web servers this is usually 80
  2840. #
  2841. # icp-port: Used for querying neighbor caches about objects.
  2842. # Set to 0 if the peer does not support ICP or HTCP.
  2843. # See ICP and HTCP options below for additional details.
  2844. #
  2845. #
  2846. # ==== ICP OPTIONS ====
  2847. #
  2848. # You MUST also set icp_port and icp_access explicitly when using these options.
  2849. # The defaults will prevent peer traffic using ICP.
  2850. #
  2851. #
  2852. # no-query Disable ICP queries to this neighbor.
  2853. #
  2854. # multicast-responder
  2855. # Indicates the named peer is a member of a multicast group.
  2856. # ICP queries will not be sent directly to the peer, but ICP
  2857. # replies will be accepted from it.
  2858. #
  2859. # closest-only Indicates that, for ICP_OP_MISS replies, we'll only forward
  2860. # CLOSEST_PARENT_MISSes and never FIRST_PARENT_MISSes.
  2861. #
  2862. # background-ping
  2863. # To only send ICP queries to this neighbor infrequently.
  2864. # This is used to keep the neighbor round trip time updated
  2865. # and is usually used in conjunction with weighted-round-robin.
  2866. #
  2867. #
  2868. # ==== HTCP OPTIONS ====
  2869. #
  2870. # You MUST also set htcp_port and htcp_access explicitly when using these options.
  2871. # The defaults will prevent peer traffic using HTCP.
  2872. #
  2873. #
  2874. # htcp Send HTCP, instead of ICP, queries to the neighbor.
  2875. # You probably also want to set the "icp-port" to 4827
  2876. # instead of 3130. This directive accepts a comma separated
  2877. # list of options described below.
  2878. #
  2879. # htcp=oldsquid Send HTCP to old Squid versions (2.5 or earlier).
  2880. #
  2881. # htcp=no-clr Send HTCP to the neighbor but without
  2882. # sending any CLR requests. This cannot be used with
  2883. # only-clr.
  2884. #
  2885. # htcp=only-clr Send HTCP to the neighbor but ONLY CLR requests.
  2886. # This cannot be used with no-clr.
  2887. #
  2888. # htcp=no-purge-clr
  2889. # Send HTCP to the neighbor including CLRs but only when
  2890. # they do not result from PURGE requests.
  2891. #
  2892. # htcp=forward-clr
  2893. # Forward any HTCP CLR requests this proxy receives to the peer.
  2894. #
  2895. #
  2896. # ==== PEER SELECTION METHODS ====
  2897. #
  2898. # The default peer selection method is ICP, with the first responding peer
  2899. # being used as source. These options can be used for better load balancing.
  2900. #
  2901. #
  2902. # default This is a parent cache which can be used as a "last-resort"
  2903. # if a peer cannot be located by any of the peer-selection methods.
  2904. # If specified more than once, only the first is used.
  2905. #
  2906. # round-robin Load-Balance parents which should be used in a round-robin
  2907. # fashion in the absence of any ICP queries.
  2908. # weight=N can be used to add bias.
  2909. #
  2910. # weighted-round-robin
  2911. # Load-Balance parents which should be used in a round-robin
  2912. # fashion with the frequency of each parent being based on the
  2913. # round trip time. Closer parents are used more often.
  2914. # Usually used for background-ping parents.
  2915. # weight=N can be used to add bias.
  2916. #
  2917. # carp Load-Balance parents which should be used as a CARP array.
  2918. # The requests will be distributed among the parents based on the
  2919. # CARP load balancing hash function based on their weight.
  2920. #
  2921. # userhash Load-balance parents based on the client proxy_auth or ident username.
  2922. #
  2923. # sourcehash Load-balance parents based on the client source IP.
  2924. #
  2925. # multicast-siblings
  2926. # To be used only for cache peers of type "multicast".
  2927. # ALL members of this multicast group have "sibling"
  2928. # relationship with it, not "parent". This is to a multicast
  2929. # group when the requested object would be fetched only from
  2930. # a "parent" cache, anyway. It's useful, e.g., when
  2931. # configuring a pool of redundant Squid proxies, being
  2932. # members of the same multicast group.
  2933. #
  2934. #
  2935. # ==== PEER SELECTION OPTIONS ====
  2936. #
  2937. # weight=N use to affect the selection of a peer during any weighted
  2938. # peer-selection mechanisms.
  2939. # The weight must be an integer; default is 1,
  2940. # larger weights are favored more.
  2941. # This option does not affect parent selection if a peering
  2942. # protocol is not in use.
  2943. #
  2944. # basetime=N Specify a base amount to be subtracted from round trip
  2945. # times of parents.
  2946. # It is subtracted before division by weight in calculating
  2947. # which parent to fectch from. If the rtt is less than the
  2948. # base time the rtt is set to a minimal value.
  2949. #
  2950. # ttl=N Specify a TTL to use when sending multicast ICP queries
  2951. # to this address.
  2952. # Only useful when sending to a multicast group.
  2953. # Because we don't accept ICP replies from random
  2954. # hosts, you must configure other group members as
  2955. # peers with the 'multicast-responder' option.
  2956. #
  2957. # no-delay To prevent access to this neighbor from influencing the
  2958. # delay pools.
  2959. #
  2960. # digest-url=URL Tell Squid to fetch the cache digest (if digests are
  2961. # enabled) for this host from the specified URL rather
  2962. # than the Squid default location.
  2963. #
  2964. #
  2965. # ==== CARP OPTIONS ====
  2966. #
  2967. # carp-key=key-specification
  2968. # use a different key than the full URL to hash against the peer.
  2969. # the key-specification is a comma-separated list of the keywords
  2970. # scheme, host, port, path, params
  2971. # Order is not important.
  2972. #
  2973. # ==== ACCELERATOR / REVERSE-PROXY OPTIONS ====
  2974. #
  2975. # originserver Causes this parent to be contacted as an origin server.
  2976. # Meant to be used in accelerator setups when the peer
  2977. # is a web server.
  2978. #
  2979. # forceddomain=name
  2980. # Set the Host header of requests forwarded to this peer.
  2981. # Useful in accelerator setups where the server (peer)
  2982. # expects a certain domain name but clients may request
  2983. # others. ie example.com or www.example.com
  2984. #
  2985. # no-digest Disable request of cache digests.
  2986. #
  2987. # no-netdb-exchange
  2988. # Disables requesting ICMP RTT database (NetDB).
  2989. #
  2990. #
  2991. # ==== AUTHENTICATION OPTIONS ====
  2992. #
  2993. # login=user:password
  2994. # If this is a personal/workgroup proxy and your parent
  2995. # requires proxy authentication.
  2996. #
  2997. # Note: The string can include URL escapes (i.e. %20 for
  2998. # spaces). This also means % must be written as %%.
  2999. #
  3000. # login=PASSTHRU
  3001. # Send login details received from client to this peer.
  3002. # Both Proxy- and WWW-Authorization headers are passed
  3003. # without alteration to the peer.
  3004. # Authentication is not required by Squid for this to work.
  3005. #
  3006. # Note: This will pass any form of authentication but
  3007. # only Basic auth will work through a proxy unless the
  3008. # connection-auth options are also used.
  3009. #
  3010. # login=PASS Send login details received from client to this peer.
  3011. # Authentication is not required by this option.
  3012. #
  3013. # If there are no client-provided authentication headers
  3014. # to pass on, but username and password are available
  3015. # from an external ACL user= and password= result tags
  3016. # they may be sent instead.
  3017. #
  3018. # Note: To combine this with proxy_auth both proxies must
  3019. # share the same user database as HTTP only allows for
  3020. # a single login (one for proxy, one for origin server).
  3021. # Also be warned this will expose your users proxy
  3022. # password to the peer. USE WITH CAUTION
  3023. #
  3024. # login=*:password
  3025. # Send the username to the upstream cache, but with a
  3026. # fixed password. This is meant to be used when the peer
  3027. # is in another administrative domain, but it is still
  3028. # needed to identify each user.
  3029. # The star can optionally be followed by some extra
  3030. # information which is added to the username. This can
  3031. # be used to identify this proxy to the peer, similar to
  3032. # the login=username:password option above.
  3033. #
  3034. # login=NEGOTIATE
  3035. # If this is a personal/workgroup proxy and your parent
  3036. # requires a secure proxy authentication.
  3037. # The first principal from the default keytab or defined by
  3038. # the environment variable KRB5_KTNAME will be used.
  3039. #
  3040. # WARNING: The connection may transmit requests from multiple
  3041. # clients. Negotiate often assumes end-to-end authentication
  3042. # and a single-client. Which is not strictly true here.
  3043. #
  3044. # login=NEGOTIATE:principal_name
  3045. # If this is a personal/workgroup proxy and your parent
  3046. # requires a secure proxy authentication.
  3047. # The principal principal_name from the default keytab or
  3048. # defined by the environment variable KRB5_KTNAME will be
  3049. # used.
  3050. #
  3051. # WARNING: The connection may transmit requests from multiple
  3052. # clients. Negotiate often assumes end-to-end authentication
  3053. # and a single-client. Which is not strictly true here.
  3054. #
  3055. # connection-auth=on|off
  3056. # Tell Squid that this peer does or not support Microsoft
  3057. # connection oriented authentication, and any such
  3058. # challenges received from there should be ignored.
  3059. # Default is auto to automatically determine the status
  3060. # of the peer.
  3061. #
  3062. # auth-no-keytab
  3063. # Do not use a keytab to authenticate to a peer when
  3064. # login=NEGOTIATE is specified. Let the GSSAPI
  3065. # implementation determine which already existing
  3066. # credentials cache to use instead.
  3067. #
  3068. #
  3069. # ==== SSL / HTTPS / TLS OPTIONS ====
  3070. #
  3071. # tls Encrypt connections to this peer with TLS.
  3072. #
  3073. # sslcert=/path/to/ssl/certificate
  3074. # A client X.509 certificate to use when connecting to
  3075. # this peer.
  3076. #
  3077. # sslkey=/path/to/ssl/key
  3078. # The private key corresponding to sslcert above.
  3079. #
  3080. # If sslkey= is not specified sslcert= is assumed to
  3081. # reference a PEM file containing both the certificate
  3082. # and private key.
  3083. #
  3084. # sslcipher=... The list of valid SSL ciphers to use when connecting
  3085. # to this peer.
  3086. #
  3087. # tls-min-version=1.N
  3088. # The minimum TLS protocol version to permit. To control
  3089. # SSLv3 use the tls-options= parameter.
  3090. # Supported Values: 1.0 (default), 1.1, 1.2
  3091. #
  3092. # tls-options=... Specify various TLS implementation options.
  3093. #
  3094. # OpenSSL options most important are:
  3095. #
  3096. # NO_SSLv3 Disallow the use of SSLv3
  3097. #
  3098. # SINGLE_DH_USE
  3099. # Always create a new key when using
  3100. # temporary/ephemeral DH key exchanges
  3101. #
  3102. # NO_TICKET
  3103. # Disable use of RFC5077 session tickets.
  3104. # Some servers may have problems
  3105. # understanding the TLS extension due
  3106. # to ambiguous specification in RFC4507.
  3107. #
  3108. # ALL Enable various bug workarounds
  3109. # suggested as "harmless" by OpenSSL
  3110. # Be warned that this reduces SSL/TLS
  3111. # strength to some attacks.
  3112. #
  3113. # See the OpenSSL SSL_CTX_set_options documentation for a
  3114. # more complete list.
  3115. #
  3116. # GnuTLS options most important are:
  3117. #
  3118. # %NO_TICKETS
  3119. # Disable use of RFC5077 session tickets.
  3120. # Some servers may have problems
  3121. # understanding the TLS extension due
  3122. # to ambiguous specification in RFC4507.
  3123. #
  3124. # See the GnuTLS Priority Strings documentation
  3125. # for a more complete list.
  3126. # http://www.gnutls.org/manual/gnutls.html#Priority-Strings
  3127. #
  3128. # tls-cafile= PEM file containing CA certificates to use when verifying
  3129. # the peer certificate. May be repeated to load multiple files.
  3130. #
  3131. # sslcapath=... A directory containing additional CA certificates to
  3132. # use when verifying the peer certificate.
  3133. # Requires OpenSSL or LibreSSL.
  3134. #
  3135. # sslcrlfile=... A certificate revocation list file to use when
  3136. # verifying the peer certificate.
  3137. #
  3138. # sslflags=... Specify various flags modifying the SSL implementation:
  3139. #
  3140. # DONT_VERIFY_PEER
  3141. # Accept certificates even if they fail to
  3142. # verify.
  3143. #
  3144. # DONT_VERIFY_DOMAIN
  3145. # Don't verify the peer certificate
  3146. # matches the server name
  3147. #
  3148. # ssldomain= The peer name as advertised in it's certificate.
  3149. # Used for verifying the correctness of the received peer
  3150. # certificate. If not specified the peer hostname will be
  3151. # used.
  3152. #
  3153. # front-end-https[=off|on|auto]
  3154. # Enable the "Front-End-Https: On" header needed when
  3155. # using Squid as a SSL frontend in front of Microsoft OWA.
  3156. # See MS KB document Q307347 for details on this header.
  3157. # If set to auto the header will only be added if the
  3158. # request is forwarded as a https:// URL.
  3159. #
  3160. # tls-default-ca[=off]
  3161. # Whether to use the system Trusted CAs. Default is ON.
  3162. #
  3163. # tls-no-npn Do not use the TLS NPN extension to advertise HTTP/1.1.
  3164. #
  3165. # ==== GENERAL OPTIONS ====
  3166. #
  3167. # connect-timeout=N
  3168. # A peer-specific connect timeout.
  3169. # Also see the peer_connect_timeout directive.
  3170. #
  3171. # connect-fail-limit=N
  3172. # How many times connecting to a peer must fail before
  3173. # it is marked as down. Standby connection failures
  3174. # count towards this limit. Default is 10.
  3175. #
  3176. # allow-miss Disable Squid's use of only-if-cached when forwarding
  3177. # requests to siblings. This is primarily useful when
  3178. # icp_hit_stale is used by the sibling. Excessive use
  3179. # of this option may result in forwarding loops. One way
  3180. # to prevent peering loops when using this option, is to
  3181. # deny cache peer usage on requests from a peer:
  3182. # acl fromPeer ...
  3183. # cache_peer_access peerName deny fromPeer
  3184. #
  3185. # max-conn=N Limit the number of concurrent connections the Squid
  3186. # may open to this peer, including already opened idle
  3187. # and standby connections. There is no peer-specific
  3188. # connection limit by default.
  3189. #
  3190. # A peer exceeding the limit is not used for new
  3191. # requests unless a standby connection is available.
  3192. #
  3193. # max-conn currently works poorly with idle persistent
  3194. # connections: When a peer reaches its max-conn limit,
  3195. # and there are idle persistent connections to the peer,
  3196. # the peer may not be selected because the limiting code
  3197. # does not know whether Squid can reuse those idle
  3198. # connections.
  3199. #
  3200. # standby=N Maintain a pool of N "hot standby" connections to an
  3201. # UP peer, available for requests when no idle
  3202. # persistent connection is available (or safe) to use.
  3203. # By default and with zero N, no such pool is maintained.
  3204. # N must not exceed the max-conn limit (if any).
  3205. #
  3206. # At start or after reconfiguration, Squid opens new TCP
  3207. # standby connections until there are N connections
  3208. # available and then replenishes the standby pool as
  3209. # opened connections are used up for requests. A used
  3210. # connection never goes back to the standby pool, but
  3211. # may go to the regular idle persistent connection pool
  3212. # shared by all peers and origin servers.
  3213. #
  3214. # Squid never opens multiple new standby connections
  3215. # concurrently. This one-at-a-time approach minimizes
  3216. # flooding-like effect on peers. Furthermore, just a few
  3217. # standby connections should be sufficient in most cases
  3218. # to supply most new requests with a ready-to-use
  3219. # connection.
  3220. #
  3221. # Standby connections obey server_idle_pconn_timeout.
  3222. # For the feature to work as intended, the peer must be
  3223. # configured to accept and keep them open longer than
  3224. # the idle timeout at the connecting Squid, to minimize
  3225. # race conditions typical to idle used persistent
  3226. # connections. Default request_timeout and
  3227. # server_idle_pconn_timeout values ensure such a
  3228. # configuration.
  3229. #
  3230. # name=xxx Unique name for the peer.
  3231. # Required if you have multiple peers on the same host
  3232. # but different ports.
  3233. # This name can be used in cache_peer_access and similar
  3234. # directives to identify the peer.
  3235. # Can be used by outgoing access controls through the
  3236. # peername ACL type.
  3237. #
  3238. # no-tproxy Do not use the client-spoof TPROXY support when forwarding
  3239. # requests to this peer. Use normal address selection instead.
  3240. # This overrides the spoof_client_ip ACL.
  3241. #
  3242. # proxy-only objects fetched from the peer will not be stored locally.
  3243. #
  3244. #Default:
  3245. # none
  3246.  
  3247. # TAG: cache_peer_access
  3248. # Restricts usage of cache_peer proxies.
  3249. #
  3250. # Usage:
  3251. # cache_peer_access peer-name allow|deny [!]aclname ...
  3252. #
  3253. # For the required peer-name parameter, use either the value of the
  3254. # cache_peer name=value parameter or, if name=value is missing, the
  3255. # cache_peer hostname parameter.
  3256. #
  3257. # This directive narrows down the selection of peering candidates, but
  3258. # does not determine the order in which the selected candidates are
  3259. # contacted. That order is determined by the peer selection algorithms
  3260. # (see PEER SELECTION sections in the cache_peer documentation).
  3261. #
  3262. # If a deny rule matches, the corresponding peer will not be contacted
  3263. # for the current transaction -- Squid will not send ICP queries and
  3264. # will not forward HTTP requests to that peer. An allow match leaves
  3265. # the corresponding peer in the selection. The first match for a given
  3266. # peer wins for that peer.
  3267. #
  3268. # The relative order of cache_peer_access directives for the same peer
  3269. # matters. The relative order of any two cache_peer_access directives
  3270. # for different peers does not matter. To ease interpretation, it is a
  3271. # good idea to group cache_peer_access directives for the same peer
  3272. # together.
  3273. #
  3274. # A single cache_peer_access directive may be evaluated multiple times
  3275. # for a given transaction because individual peer selection algorithms
  3276. # may check it independently from each other. These redundant checks
  3277. # may be optimized away in future Squid versions.
  3278. #
  3279. # This clause only supports fast acl types.
  3280. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  3281. #
  3282. #Default:
  3283. # No peer usage restrictions.
  3284.  
  3285. # TAG: neighbor_type_domain
  3286. # Modify the cache_peer neighbor type when passing requests
  3287. # about specific domains to the peer.
  3288. #
  3289. # Usage:
  3290. # neighbor_type_domain neighbor parent|sibling domain domain ...
  3291. #
  3292. # For example:
  3293. # cache_peer foo.example.com parent 3128 3130
  3294. # neighbor_type_domain foo.example.com sibling .au .de
  3295. #
  3296. # The above configuration treats all requests to foo.example.com as a
  3297. # parent proxy unless the request is for a .au or .de ccTLD domain name.
  3298. #Default:
  3299. # The peer type from cache_peer directive is used for all requests to that peer.
  3300.  
  3301. # TAG: dead_peer_timeout (seconds)
  3302. # This controls how long Squid waits to declare a peer cache
  3303. # as "dead." If there are no ICP replies received in this
  3304. # amount of time, Squid will declare the peer dead and not
  3305. # expect to receive any further ICP replies. However, it
  3306. # continues to send ICP queries, and will mark the peer as
  3307. # alive upon receipt of the first subsequent ICP reply.
  3308. #
  3309. # This timeout also affects when Squid expects to receive ICP
  3310. # replies from peers. If more than 'dead_peer' seconds have
  3311. # passed since the last ICP reply was received, Squid will not
  3312. # expect to receive an ICP reply on the next query. Thus, if
  3313. # your time between requests is greater than this timeout, you
  3314. # will see a lot of requests sent DIRECT to origin servers
  3315. # instead of to your parents.
  3316. #Default:
  3317. # dead_peer_timeout 10 seconds
  3318.  
  3319. # TAG: forward_max_tries
  3320. # Limits the number of attempts to forward the request.
  3321. #
  3322. # For the purpose of this limit, Squid counts all high-level request
  3323. # forwarding attempts, including any same-destination retries after
  3324. # certain persistent connection failures and any attempts to use a
  3325. # different peer. However, low-level connection reopening attempts
  3326. # (enabled using connect_retries) are not counted.
  3327. #
  3328. # See also: forward_timeout and connect_retries.
  3329. #Default:
  3330. # forward_max_tries 25
  3331.  
  3332. # MEMORY CACHE OPTIONS
  3333. # -----------------------------------------------------------------------------
  3334.  
  3335. # TAG: cache_mem (bytes)
  3336. # NOTE: THIS PARAMETER DOES NOT SPECIFY THE MAXIMUM PROCESS SIZE.
  3337. # IT ONLY PLACES A LIMIT ON HOW MUCH ADDITIONAL MEMORY SQUID WILL
  3338. # USE AS A MEMORY CACHE OF OBJECTS. SQUID USES MEMORY FOR OTHER
  3339. # THINGS AS WELL. SEE THE SQUID FAQ SECTION 8 FOR DETAILS.
  3340. #
  3341. # 'cache_mem' specifies the ideal amount of memory to be used
  3342. # for:
  3343. # * In-Transit objects
  3344. # * Hot Objects
  3345. # * Negative-Cached objects
  3346. #
  3347. # Data for these objects are stored in 4 KB blocks. This
  3348. # parameter specifies the ideal upper limit on the total size of
  3349. # 4 KB blocks allocated. In-Transit objects take the highest
  3350. # priority.
  3351. #
  3352. # In-transit objects have priority over the others. When
  3353. # additional space is needed for incoming data, negative-cached
  3354. # and hot objects will be released. In other words, the
  3355. # negative-cached and hot objects will fill up any unused space
  3356. # not needed for in-transit objects.
  3357. #
  3358. # If circumstances require, this limit will be exceeded.
  3359. # Specifically, if your incoming request rate requires more than
  3360. # 'cache_mem' of memory to hold in-transit objects, Squid will
  3361. # exceed this limit to satisfy the new requests. When the load
  3362. # decreases, blocks will be freed until the high-water mark is
  3363. # reached. Thereafter, blocks will be used to store hot
  3364. # objects.
  3365. #
  3366. # If shared memory caching is enabled, Squid does not use the shared
  3367. # cache space for in-transit objects, but they still consume as much
  3368. # local memory as they need. For more details about the shared memory
  3369. # cache, see memory_cache_shared.
  3370. #Default:
  3371. # cache_mem 256 MB
  3372. cache_mem 256 MB
  3373.  
  3374. # TAG: maximum_object_size_in_memory (bytes)
  3375. # Objects greater than this size will not be attempted to kept in
  3376. # the memory cache. This should be set high enough to keep objects
  3377. # accessed frequently in memory to improve performance whilst low
  3378. # enough to keep larger objects from hoarding cache_mem.
  3379. #Default:
  3380. # maximum_object_size_in_memory 512 KB
  3381.  
  3382. # TAG: memory_cache_shared on|off
  3383. # Controls whether the memory cache is shared among SMP workers.
  3384. #
  3385. # The shared memory cache is meant to occupy cache_mem bytes and replace
  3386. # the non-shared memory cache, although some entities may still be
  3387. # cached locally by workers for now (e.g., internal and in-transit
  3388. # objects may be served from a local memory cache even if shared memory
  3389. # caching is enabled).
  3390. #
  3391. # By default, the memory cache is shared if and only if all of the
  3392. # following conditions are satisfied: Squid runs in SMP mode with
  3393. # multiple workers, cache_mem is positive, and Squid environment
  3394. # supports required IPC primitives (e.g., POSIX shared memory segments
  3395. # and GCC-style atomic operations).
  3396. #
  3397. # To avoid blocking locks, shared memory uses opportunistic algorithms
  3398. # that do not guarantee that every cachable entity that could have been
  3399. # shared among SMP workers will actually be shared.
  3400. #Default:
  3401. # "on" where supported if doing memory caching with multiple SMP workers.
  3402.  
  3403. # TAG: memory_cache_mode
  3404. # Controls which objects to keep in the memory cache (cache_mem)
  3405. #
  3406. # always Keep most recently fetched objects in memory (default)
  3407. #
  3408. # disk Only disk cache hits are kept in memory, which means
  3409. # an object must first be cached on disk and then hit
  3410. # a second time before cached in memory.
  3411. #
  3412. # network Only objects fetched from network is kept in memory
  3413. #Default:
  3414. # Keep the most recently fetched objects in memory
  3415.  
  3416. # TAG: memory_replacement_policy
  3417. # The memory replacement policy parameter determines which
  3418. # objects are purged from memory when memory space is needed.
  3419. #
  3420. # See cache_replacement_policy for details on algorithms.
  3421. #Default:
  3422. # memory_replacement_policy lru
  3423.  
  3424. # DISK CACHE OPTIONS
  3425. # -----------------------------------------------------------------------------
  3426.  
  3427. # TAG: cache_replacement_policy
  3428. # The cache replacement policy parameter determines which
  3429. # objects are evicted (replaced) when disk space is needed.
  3430. #
  3431. # lru : Squid's original list based LRU policy
  3432. # heap GDSF : Greedy-Dual Size Frequency
  3433. # heap LFUDA: Least Frequently Used with Dynamic Aging
  3434. # heap LRU : LRU policy implemented using a heap
  3435. #
  3436. # Applies to any cache_dir lines listed below this directive.
  3437. #
  3438. # The LRU policies keeps recently referenced objects.
  3439. #
  3440. # The heap GDSF policy optimizes object hit rate by keeping smaller
  3441. # popular objects in cache so it has a better chance of getting a
  3442. # hit. It achieves a lower byte hit rate than LFUDA though since
  3443. # it evicts larger (possibly popular) objects.
  3444. #
  3445. # The heap LFUDA policy keeps popular objects in cache regardless of
  3446. # their size and thus optimizes byte hit rate at the expense of
  3447. # hit rate since one large, popular object will prevent many
  3448. # smaller, slightly less popular objects from being cached.
  3449. #
  3450. # Both policies utilize a dynamic aging mechanism that prevents
  3451. # cache pollution that can otherwise occur with frequency-based
  3452. # replacement policies.
  3453. #
  3454. # NOTE: if using the LFUDA replacement policy you should increase
  3455. # the value of maximum_object_size above its default of 4 MB to
  3456. # to maximize the potential byte hit rate improvement of LFUDA.
  3457. #
  3458. # For more information about the GDSF and LFUDA cache replacement
  3459. # policies see http://www.hpl.hp.com/techreports/1999/HPL-1999-69.html
  3460. # and http://fog.hpl.external.hp.com/techreports/98/HPL-98-173.html.
  3461. #Default:
  3462. # cache_replacement_policy lru
  3463.  
  3464. # TAG: minimum_object_size (bytes)
  3465. # Objects smaller than this size will NOT be saved on disk. The
  3466. # value is specified in bytes, and the default is 0 KB, which
  3467. # means all responses can be stored.
  3468. #Default:
  3469. # no limit
  3470.  
  3471. # TAG: maximum_object_size (bytes)
  3472. # Set the default value for max-size parameter on any cache_dir.
  3473. # The value is specified in bytes, and the default is 4 MB.
  3474. #
  3475. # If you wish to get a high BYTES hit ratio, you should probably
  3476. # increase this (one 32 MB object hit counts for 3200 10KB
  3477. # hits).
  3478. #
  3479. # If you wish to increase hit ratio more than you want to
  3480. # save bandwidth you should leave this low.
  3481. #
  3482. # NOTE: if using the LFUDA replacement policy you should increase
  3483. # this value to maximize the byte hit rate improvement of LFUDA!
  3484. # See cache_replacement_policy for a discussion of this policy.
  3485. #Default:
  3486. # maximum_object_size 4 MB
  3487.  
  3488. # TAG: cache_dir
  3489. # Format:
  3490. # cache_dir Type Directory-Name Fs-specific-data [options]
  3491. #
  3492. # You can specify multiple cache_dir lines to spread the
  3493. # cache among different disk partitions.
  3494. #
  3495. # Type specifies the kind of storage system to use. Only "ufs"
  3496. # is built by default. To enable any of the other storage systems
  3497. # see the --enable-storeio configure option.
  3498. #
  3499. # 'Directory' is a top-level directory where cache swap
  3500. # files will be stored. If you want to use an entire disk
  3501. # for caching, this can be the mount-point directory.
  3502. # The directory must exist and be writable by the Squid
  3503. # process. Squid will NOT create this directory for you.
  3504. #
  3505. # In SMP configurations, cache_dir must not precede the workers option
  3506. # and should use configuration macros or conditionals to give each
  3507. # worker interested in disk caching a dedicated cache directory.
  3508. #
  3509. #
  3510. # ==== The ufs store type ====
  3511. #
  3512. # "ufs" is the old well-known Squid storage format that has always
  3513. # been there.
  3514. #
  3515. # Usage:
  3516. # cache_dir ufs Directory-Name Mbytes L1 L2 [options]
  3517. #
  3518. # 'Mbytes' is the amount of disk space (MB) to use under this
  3519. # directory. The default is 100 MB. Change this to suit your
  3520. # configuration. Do NOT put the size of your disk drive here.
  3521. # Instead, if you want Squid to use the entire disk drive,
  3522. # subtract 20% and use that value.
  3523. #
  3524. # 'L1' is the number of first-level subdirectories which
  3525. # will be created under the 'Directory'. The default is 16.
  3526. #
  3527. # 'L2' is the number of second-level subdirectories which
  3528. # will be created under each first-level directory. The default
  3529. # is 256.
  3530. #
  3531. #
  3532. # ==== The aufs store type ====
  3533. #
  3534. # "aufs" uses the same storage format as "ufs", utilizing
  3535. # POSIX-threads to avoid blocking the main Squid process on
  3536. # disk-I/O. This was formerly known in Squid as async-io.
  3537. #
  3538. # Usage:
  3539. # cache_dir aufs Directory-Name Mbytes L1 L2 [options]
  3540. #
  3541. # see argument descriptions under ufs above
  3542. #
  3543. #
  3544. # ==== The diskd store type ====
  3545. #
  3546. # "diskd" uses the same storage format as "ufs", utilizing a
  3547. # separate process to avoid blocking the main Squid process on
  3548. # disk-I/O.
  3549. #
  3550. # Usage:
  3551. # cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n]
  3552. #
  3553. # see argument descriptions under ufs above
  3554. #
  3555. # Q1 specifies the number of unacknowledged I/O requests when Squid
  3556. # stops opening new files. If this many messages are in the queues,
  3557. # Squid won't open new files. Default is 64
  3558. #
  3559. # Q2 specifies the number of unacknowledged messages when Squid
  3560. # starts blocking. If this many messages are in the queues,
  3561. # Squid blocks until it receives some replies. Default is 72
  3562. #
  3563. # When Q1 < Q2 (the default), the cache directory is optimized
  3564. # for lower response time at the expense of a decrease in hit
  3565. # ratio. If Q1 > Q2, the cache directory is optimized for
  3566. # higher hit ratio at the expense of an increase in response
  3567. # time.
  3568. #
  3569. #
  3570. # ==== The rock store type ====
  3571. #
  3572. # Usage:
  3573. # cache_dir rock Directory-Name Mbytes [options]
  3574. #
  3575. # The Rock Store type is a database-style storage. All cached
  3576. # entries are stored in a "database" file, using fixed-size slots.
  3577. # A single entry occupies one or more slots.
  3578. #
  3579. # If possible, Squid using Rock Store creates a dedicated kid
  3580. # process called "disker" to avoid blocking Squid worker(s) on disk
  3581. # I/O. One disker kid is created for each rock cache_dir. Diskers
  3582. # are created only when Squid, running in daemon mode, has support
  3583. # for the IpcIo disk I/O module.
  3584. #
  3585. # swap-timeout=msec: Squid will not start writing a miss to or
  3586. # reading a hit from disk if it estimates that the swap operation
  3587. # will take more than the specified number of milliseconds. By
  3588. # default and when set to zero, disables the disk I/O time limit
  3589. # enforcement. Ignored when using blocking I/O module because
  3590. # blocking synchronous I/O does not allow Squid to estimate the
  3591. # expected swap wait time.
  3592. #
  3593. # max-swap-rate=swaps/sec: Artificially limits disk access using
  3594. # the specified I/O rate limit. Swap out requests that
  3595. # would cause the average I/O rate to exceed the limit are
  3596. # delayed. Individual swap in requests (i.e., hits or reads) are
  3597. # not delayed, but they do contribute to measured swap rate and
  3598. # since they are placed in the same FIFO queue as swap out
  3599. # requests, they may wait longer if max-swap-rate is smaller.
  3600. # This is necessary on file systems that buffer "too
  3601. # many" writes and then start blocking Squid and other processes
  3602. # while committing those writes to disk. Usually used together
  3603. # with swap-timeout to avoid excessive delays and queue overflows
  3604. # when disk demand exceeds available disk "bandwidth". By default
  3605. # and when set to zero, disables the disk I/O rate limit
  3606. # enforcement. Currently supported by IpcIo module only.
  3607. #
  3608. # slot-size=bytes: The size of a database "record" used for
  3609. # storing cached responses. A cached response occupies at least
  3610. # one slot and all database I/O is done using individual slots so
  3611. # increasing this parameter leads to more disk space waste while
  3612. # decreasing it leads to more disk I/O overheads. Should be a
  3613. # multiple of your operating system I/O page size. Defaults to
  3614. # 16KBytes. A housekeeping header is stored with each slot and
  3615. # smaller slot-sizes will be rejected. The header is smaller than
  3616. # 100 bytes.
  3617. #
  3618. #
  3619. # ==== COMMON OPTIONS ====
  3620. #
  3621. # no-store no new objects should be stored to this cache_dir.
  3622. #
  3623. # min-size=n the minimum object size in bytes this cache_dir
  3624. # will accept. It's used to restrict a cache_dir
  3625. # to only store large objects (e.g. AUFS) while
  3626. # other stores are optimized for smaller objects
  3627. # (e.g. Rock).
  3628. # Defaults to 0.
  3629. #
  3630. # max-size=n the maximum object size in bytes this cache_dir
  3631. # supports.
  3632. # The value in maximum_object_size directive sets
  3633. # the default unless more specific details are
  3634. # available (ie a small store capacity).
  3635. #
  3636. # Note: To make optimal use of the max-size limits you should order
  3637. # the cache_dir lines with the smallest max-size value first.
  3638. #
  3639. #Default:
  3640. # No disk cache. Store cache ojects only in memory.
  3641. #
  3642.  
  3643. # Uncomment and adjust the following to add a disk cache directory.
  3644. #cache_dir ufs /var/spool/squid 100 16 256
  3645.  
  3646. # TAG: store_dir_select_algorithm
  3647. # How Squid selects which cache_dir to use when the response
  3648. # object will fit into more than one.
  3649. #
  3650. # Regardless of which algorithm is used the cache_dir min-size
  3651. # and max-size parameters are obeyed. As such they can affect
  3652. # the selection algorithm by limiting the set of considered
  3653. # cache_dir.
  3654. #
  3655. # Algorithms:
  3656. #
  3657. # least-load
  3658. #
  3659. # This algorithm is suited to caches with similar cache_dir
  3660. # sizes and disk speeds.
  3661. #
  3662. # The disk with the least I/O pending is selected.
  3663. # When there are multiple disks with the same I/O load ranking
  3664. # the cache_dir with most available capacity is selected.
  3665. #
  3666. # When a mix of cache_dir sizes are configured the faster disks
  3667. # have a naturally lower I/O loading and larger disks have more
  3668. # capacity. So space used to store objects and data throughput
  3669. # may be very unbalanced towards larger disks.
  3670. #
  3671. #
  3672. # round-robin
  3673. #
  3674. # This algorithm is suited to caches with unequal cache_dir
  3675. # disk sizes.
  3676. #
  3677. # Each cache_dir is selected in a rotation. The next suitable
  3678. # cache_dir is used.
  3679. #
  3680. # Available cache_dir capacity is only considered in relation
  3681. # to whether the object will fit and meets the min-size and
  3682. # max-size parameters.
  3683. #
  3684. # Disk I/O loading is only considered to prevent overload on slow
  3685. # disks. This algorithm does not spread objects by size, so any
  3686. # I/O loading per-disk may appear very unbalanced and volatile.
  3687. #
  3688. # If several cache_dirs use similar min-size, max-size, or other
  3689. # limits to to reject certain responses, then do not group such
  3690. # cache_dir lines together, to avoid round-robin selection bias
  3691. # towards the first cache_dir after the group. Instead, interleave
  3692. # cache_dir lines from different groups. For example:
  3693. #
  3694. # store_dir_select_algorithm round-robin
  3695. # cache_dir rock /hdd1 ... min-size=100000
  3696. # cache_dir rock /ssd1 ... max-size=99999
  3697. # cache_dir rock /hdd2 ... min-size=100000
  3698. # cache_dir rock /ssd2 ... max-size=99999
  3699. # cache_dir rock /hdd3 ... min-size=100000
  3700. # cache_dir rock /ssd3 ... max-size=99999
  3701. #cache_dir ufs /var/spool/squid 100 16 256
  3702. #Default:
  3703. # store_dir_select_algorithm least-load
  3704.  
  3705.  
  3706. # TAG: max_open_disk_fds
  3707. # To avoid having disk as the I/O bottleneck Squid can optionally
  3708. # bypass the on-disk cache if more than this amount of disk file
  3709. # descriptors are open.
  3710. #
  3711. # A value of 0 indicates no limit.
  3712. #Default:
  3713. # no limit
  3714.  
  3715. # TAG: cache_swap_low (percent, 0-100)
  3716. # The low-water mark for AUFS/UFS/diskd cache object eviction by
  3717. # the cache_replacement_policy algorithm.
  3718. #
  3719. # Removal begins when the swap (disk) usage of a cache_dir is
  3720. # above this low-water mark and attempts to maintain utilization
  3721. # near the low-water mark.
  3722. #
  3723. # As swap utilization increases towards the high-water mark set
  3724. # by cache_swap_high object eviction becomes more agressive.
  3725. #
  3726. # The value difference in percentages between low- and high-water
  3727. # marks represent an eviction rate of 300 objects per second and
  3728. # the rate continues to scale in agressiveness by multiples of
  3729. # this above the high-water mark.
  3730. #
  3731. # Defaults are 90% and 95%. If you have a large cache, 5% could be
  3732. # hundreds of MB. If this is the case you may wish to set these
  3733. # numbers closer together.
  3734. #
  3735. # See also cache_swap_high and cache_replacement_policy
  3736. #Default:
  3737. # cache_swap_low 90
  3738.  
  3739. # TAG: cache_swap_high (percent, 0-100)
  3740. # The high-water mark for AUFS/UFS/diskd cache object eviction by
  3741. # the cache_replacement_policy algorithm.
  3742. #
  3743. # Removal begins when the swap (disk) usage of a cache_dir is
  3744. # above the low-water mark set by cache_swap_low and attempts to
  3745. # maintain utilization near the low-water mark.
  3746. #
  3747. # As swap utilization increases towards this high-water mark object
  3748. # eviction becomes more agressive.
  3749. #
  3750. # The value difference in percentages between low- and high-water
  3751. # marks represent an eviction rate of 300 objects per second and
  3752. # the rate continues to scale in agressiveness by multiples of
  3753. # this above the high-water mark.
  3754. #
  3755. # Defaults are 90% and 95%. If you have a large cache, 5% could be
  3756. # hundreds of MB. If this is the case you may wish to set these
  3757. # numbers closer together.
  3758. #
  3759. # See also cache_swap_low and cache_replacement_policy
  3760. #Default:
  3761. # cache_swap_high 95
  3762.  
  3763. # LOGFILE OPTIONS
  3764. # -----------------------------------------------------------------------------
  3765.  
  3766. # TAG: logformat
  3767. # Usage:
  3768. #
  3769. # logformat <name> <format specification>
  3770. #
  3771. # Defines an access log format.
  3772. #
  3773. # The <format specification> is a string with embedded % format codes
  3774. #
  3775. # % format codes all follow the same basic structure where all
  3776. # components but the formatcode are optional and usually unnecessary,
  3777. # especially when dealing with common codes.
  3778. #
  3779. # % [encoding] [-] [[0]width] [{arg}] formatcode [{arg}]
  3780. #
  3781. # encoding escapes or otherwise protects "special" characters:
  3782. #
  3783. # " Quoted string encoding where quote(") and
  3784. # backslash(\) characters are \-escaped while
  3785. # CR, LF, and TAB characters are encoded as \r,
  3786. # \n, and \t two-character sequences.
  3787. #
  3788. # [ Custom Squid encoding where percent(%), square
  3789. # brackets([]), backslash(\) and characters with
  3790. # codes outside of [32,126] range are %-encoded.
  3791. # SP is not encoded. Used by log_mime_hdrs.
  3792. #
  3793. # # URL encoding (a.k.a. percent-encoding) where
  3794. # all URL unsafe and control characters (per RFC
  3795. # 1738) are %-encoded.
  3796. #
  3797. # / Shell-like encoding where quote(") and
  3798. # backslash(\) characters are \-escaped while CR
  3799. # and LF characters are encoded as \r and \n
  3800. # two-character sequences. Values containing SP
  3801. # character(s) are surrounded by quotes(").
  3802. #
  3803. # ' Raw/as-is encoding with no escaping/quoting.
  3804. #
  3805. # Default encoding: When no explicit encoding is
  3806. # specified, each %code determines its own encoding.
  3807. # Most %codes use raw/as-is encoding, but some codes use
  3808. # a so called "pass-through URL encoding" where all URL
  3809. # unsafe and control characters (per RFC 1738) are
  3810. # %-encoded, but the percent character(%) is left as is.
  3811. #
  3812. # - left aligned
  3813. #
  3814. # width minimum and/or maximum field width:
  3815. # [width_min][.width_max]
  3816. # When minimum starts with 0, the field is zero-padded.
  3817. # String values exceeding maximum width are truncated.
  3818. #
  3819. # {arg} argument such as header name etc. This field may be
  3820. # placed before or after the token, but not both at once.
  3821. #
  3822. # Format codes:
  3823. #
  3824. # % a literal % character
  3825. # sn Unique sequence number per log line entry
  3826. # err_code The ID of an error response served by Squid or
  3827. # a similar internal error identifier.
  3828. # err_detail Additional err_code-dependent error information.
  3829. # note The annotation specified by the argument. Also
  3830. # logs the adaptation meta headers set by the
  3831. # adaptation_meta configuration parameter.
  3832. # If no argument given all annotations logged.
  3833. # The argument may include a separator to use with
  3834. # annotation values:
  3835. # name[:separator]
  3836. # By default, multiple note values are separated with ","
  3837. # and multiple notes are separated with "\r\n".
  3838. # When logging named notes with %{name}note, the
  3839. # explicitly configured separator is used between note
  3840. # values. When logging all notes with %note, the
  3841. # explicitly configured separator is used between
  3842. # individual notes. There is currently no way to
  3843. # specify both value and notes separators when logging
  3844. # all notes with %note.
  3845. #
  3846. # Connection related format codes:
  3847. #
  3848. # >a Client source IP address
  3849. # >A Client FQDN
  3850. # >p Client source port
  3851. # >eui Client source EUI (MAC address, EUI-48 or EUI-64 identifier)
  3852. # >la Local IP address the client connected to
  3853. # >lp Local port number the client connected to
  3854. # >qos Client connection TOS/DSCP value set by Squid
  3855. # >nfmark Client connection netfilter mark set by Squid
  3856. #
  3857. # la Local listening IP address the client connection was connected to.
  3858. # lp Local listening port number the client connection was connected to.
  3859. #
  3860. # <a Server IP address of the last server or peer connection
  3861. # <A Server FQDN or peer name
  3862. # <p Server port number of the last server or peer connection
  3863. # <la Local IP address of the last server or peer connection
  3864. # <lp Local port number of the last server or peer connection
  3865. # <qos Server connection TOS/DSCP value set by Squid
  3866. # <nfmark Server connection netfilter mark set by Squid
  3867. #
  3868. # >handshake Raw client handshake
  3869. # Initial client bytes received by Squid on a newly
  3870. # accepted TCP connection or inside a just established
  3871. # CONNECT tunnel. Squid stops accumulating handshake
  3872. # bytes as soon as the handshake parser succeeds or
  3873. # fails (determining whether the client is using the
  3874. # expected protocol).
  3875. #
  3876. # For HTTP clients, the handshake is the request line.
  3877. # For TLS clients, the handshake consists of all TLS
  3878. # records up to and including the TLS record that
  3879. # contains the last byte of the first ClientHello
  3880. # message. For clients using an unsupported protocol,
  3881. # this field contains the bytes received by Squid at the
  3882. # time of the handshake parsing failure.
  3883. #
  3884. # See the on_unsupported_protocol directive for more
  3885. # information on Squid handshake traffic expectations.
  3886. #
  3887. # Current support is limited to these contexts:
  3888. # - http_port connections, but only when the
  3889. # on_unsupported_protocol directive is in use.
  3890. # - https_port connections (and CONNECT tunnels) that
  3891. # are subject to the ssl_bump peek or stare action.
  3892. #
  3893. # To protect binary handshake data, this field is always
  3894. # base64-encoded (RFC 4648 Section 4). If logformat
  3895. # field encoding is configured, that encoding is applied
  3896. # on top of base64. Otherwise, the computed base64 value
  3897. # is recorded as is.
  3898. #
  3899. # Time related format codes:
  3900. #
  3901. # ts Seconds since epoch
  3902. # tu subsecond time (milliseconds)
  3903. # tl Local time. Optional strftime format argument
  3904. # default %d/%b/%Y:%H:%M:%S %z
  3905. # tg GMT time. Optional strftime format argument
  3906. # default %d/%b/%Y:%H:%M:%S %z
  3907. # tr Response time (milliseconds)
  3908. # dt Total time spent making DNS lookups (milliseconds)
  3909. # tS Approximate master transaction start time in
  3910. # <full seconds since epoch>.<fractional seconds> format.
  3911. # Currently, Squid considers the master transaction
  3912. # started when a complete HTTP request header initiating
  3913. # the transaction is received from the client. This is
  3914. # the same value that Squid uses to calculate transaction
  3915. # response time when logging %tr to access.log. Currently,
  3916. # Squid uses millisecond resolution for %tS values,
  3917. # similar to the default access.log "current time" field
  3918. # (%ts.%03tu).
  3919. #
  3920. # Access Control related format codes:
  3921. #
  3922. # et Tag returned by external acl
  3923. # ea Log string returned by external acl
  3924. # un User name (any available)
  3925. # ul User name from authentication
  3926. # ue User name from external acl helper
  3927. # ui User name from ident
  3928. # un A user name. Expands to the first available name
  3929. # from the following list of information sources:
  3930. # - authenticated user name, like %ul
  3931. # - user name supplied by an external ACL, like %ue
  3932. # - SSL client name, like %us
  3933. # - ident user name, like %ui
  3934. # credentials Client credentials. The exact meaning depends on
  3935. # the authentication scheme: For Basic authentication,
  3936. # it is the password; for Digest, the realm sent by the
  3937. # client; for NTLM and Negotiate, the client challenge
  3938. # or client credentials prefixed with "YR " or "KK ".
  3939. #
  3940. # HTTP related format codes:
  3941. #
  3942. # REQUEST
  3943. #
  3944. # [http::]rm Request method (GET/POST etc)
  3945. # [http::]>rm Request method from client
  3946. # [http::]<rm Request method sent to server or peer
  3947. #
  3948. # [http::]ru Request URL received (or computed) and sanitized
  3949. #
  3950. # Logs request URI received from the client, a
  3951. # request adaptation service, or a request
  3952. # redirector (whichever was applied last).
  3953. #
  3954. # Computed URLs are URIs of internally generated
  3955. # requests and various "error:..." URIs.
  3956. #
  3957. # Honors strip_query_terms and uri_whitespace.
  3958. #
  3959. # This field is not encoded by default. Encoding
  3960. # this field using variants of %-encoding will
  3961. # clash with uri_whitespace modifications that
  3962. # also use %-encoding.
  3963. #
  3964. # [http::]>ru Request URL received from the client (or computed)
  3965. #
  3966. # Computed URLs are URIs of internally generated
  3967. # requests and various "error:..." URIs.
  3968. #
  3969. # Unlike %ru, this request URI is not affected
  3970. # by request adaptation, URL rewriting services,
  3971. # and strip_query_terms.
  3972. #
  3973. # Honors uri_whitespace.
  3974. #
  3975. # This field is using pass-through URL encoding
  3976. # by default. Encoding this field using other
  3977. # variants of %-encoding will clash with
  3978. # uri_whitespace modifications that also use
  3979. # %-encoding.
  3980. #
  3981. # [http::]<ru Request URL sent to server or peer
  3982. # [http::]>rs Request URL scheme from client
  3983. # [http::]<rs Request URL scheme sent to server or peer
  3984. # [http::]>rd Request URL domain from client
  3985. # [http::]<rd Request URL domain sent to server or peer
  3986. # [http::]>rP Request URL port from client
  3987. # [http::]<rP Request URL port sent to server or peer
  3988. # [http::]rp Request URL path excluding hostname
  3989. # [http::]>rp Request URL path excluding hostname from client
  3990. # [http::]<rp Request URL path excluding hostname sent to server or peer
  3991. # [http::]rv Request protocol version
  3992. # [http::]>rv Request protocol version from client
  3993. # [http::]<rv Request protocol version sent to server or peer
  3994. #
  3995. # [http::]>h Original received request header.
  3996. # Usually differs from the request header sent by
  3997. # Squid, although most fields are often preserved.
  3998. # Accepts optional header field name/value filter
  3999. # argument using name[:[separator]element] format.
  4000. # [http::]>ha Received request header after adaptation and
  4001. # redirection (pre-cache REQMOD vectoring point).
  4002. # Usually differs from the request header sent by
  4003. # Squid, although most fields are often preserved.
  4004. # Optional header name argument as for >h
  4005. #
  4006. # RESPONSE
  4007. #
  4008. # [http::]<Hs HTTP status code received from the next hop
  4009. # [http::]>Hs HTTP status code sent to the client
  4010. #
  4011. # [http::]<h Reply header. Optional header name argument
  4012. # as for >h
  4013. #
  4014. # [http::]mt MIME content type
  4015. #
  4016. #
  4017. # SIZE COUNTERS
  4018. #
  4019. # [http::]st Total size of request + reply traffic with client
  4020. # [http::]>st Total size of request received from client.
  4021. # Excluding chunked encoding bytes.
  4022. # [http::]<st Total size of reply sent to client (after adaptation)
  4023. #
  4024. # [http::]>sh Size of request headers received from client
  4025. # [http::]<sh Size of reply headers sent to client (after adaptation)
  4026. #
  4027. # [http::]<sH Reply high offset sent
  4028. # [http::]<sS Upstream object size
  4029. #
  4030. # [http::]<bs Number of HTTP-equivalent message body bytes
  4031. # received from the next hop, excluding chunked
  4032. # transfer encoding and control messages.
  4033. # Generated FTP/Gopher listings are treated as
  4034. # received bodies.
  4035. #
  4036. # TIMING
  4037. #
  4038. # [http::]<pt Peer response time in milliseconds. The timer starts
  4039. # when the last request byte is sent to the next hop
  4040. # and stops when the last response byte is received.
  4041. # [http::]<tt Total time in milliseconds. The timer
  4042. # starts with the first connect request (or write I/O)
  4043. # sent to the first selected peer. The timer stops
  4044. # with the last I/O with the last peer.
  4045. #
  4046. # Squid handling related format codes:
  4047. #
  4048. # Ss Squid request status (TCP_MISS etc)
  4049. # Sh Squid hierarchy status (DEFAULT_PARENT etc)
  4050. #
  4051. # SSL-related format codes:
  4052. #
  4053. # ssl::bump_mode SslBump decision for the transaction:
  4054. #
  4055. # For CONNECT requests that initiated bumping of
  4056. # a connection and for any request received on
  4057. # an already bumped connection, Squid logs the
  4058. # corresponding SslBump mode ("splice", "bump",
  4059. # "peek", "stare", "terminate", "server-first"
  4060. # or "client-first"). See the ssl_bump option
  4061. # for more information about these modes.
  4062. #
  4063. # A "none" token is logged for requests that
  4064. # triggered "ssl_bump" ACL evaluation matching
  4065. # a "none" rule.
  4066. #
  4067. # In all other cases, a single dash ("-") is
  4068. # logged.
  4069. #
  4070. # ssl::>sni SSL client SNI sent to Squid.
  4071. #
  4072. # ssl::>cert_subject
  4073. # The Subject field of the received client
  4074. # SSL certificate or a dash ('-') if Squid has
  4075. # received an invalid/malformed certificate or
  4076. # no certificate at all. Consider encoding the
  4077. # logged value because Subject often has spaces.
  4078. #
  4079. # ssl::>cert_issuer
  4080. # The Issuer field of the received client
  4081. # SSL certificate or a dash ('-') if Squid has
  4082. # received an invalid/malformed certificate or
  4083. # no certificate at all. Consider encoding the
  4084. # logged value because Issuer often has spaces.
  4085. #
  4086. # ssl::<cert_subject
  4087. # The Subject field of the received server
  4088. # TLS certificate or a dash ('-') if this is
  4089. # not available. Consider encoding the logged
  4090. # value because Subject often has spaces.
  4091. #
  4092. # ssl::<cert_issuer
  4093. # The Issuer field of the received server
  4094. # TLS certificate or a dash ('-') if this is
  4095. # not available. Consider encoding the logged
  4096. # value because Issuer often has spaces.
  4097. #
  4098. # ssl::<cert_errors
  4099. # The list of certificate validation errors
  4100. # detected by Squid (including OpenSSL and
  4101. # certificate validation helper components). The
  4102. # errors are listed in the discovery order. By
  4103. # default, the error codes are separated by ':'.
  4104. # Accepts an optional separator argument.
  4105. #
  4106. # %ssl::>negotiated_version The negotiated TLS version of the
  4107. # client connection.
  4108. #
  4109. # %ssl::<negotiated_version The negotiated TLS version of the
  4110. # last server or peer connection.
  4111. #
  4112. # %ssl::>received_hello_version The TLS version of the Hello
  4113. # message received from TLS client.
  4114. #
  4115. # %ssl::<received_hello_version The TLS version of the Hello
  4116. # message received from TLS server.
  4117. #
  4118. # %ssl::>received_supported_version The maximum TLS version
  4119. # supported by the TLS client.
  4120. #
  4121. # %ssl::<received_supported_version The maximum TLS version
  4122. # supported by the TLS server.
  4123. #
  4124. # %ssl::>negotiated_cipher The negotiated cipher of the
  4125. # client connection.
  4126. #
  4127. # %ssl::<negotiated_cipher The negotiated cipher of the
  4128. # last server or peer connection.
  4129. #
  4130. # If ICAP is enabled, the following code becomes available (as
  4131. # well as ICAP log codes documented with the icap_log option):
  4132. #
  4133. # icap::tt Total ICAP processing time for the HTTP
  4134. # transaction. The timer ticks when ICAP
  4135. # ACLs are checked and when ICAP
  4136. # transaction is in progress.
  4137. #
  4138. # If adaptation is enabled the following codes become available:
  4139. #
  4140. # adapt::<last_h The header of the last ICAP response or
  4141. # meta-information from the last eCAP
  4142. # transaction related to the HTTP transaction.
  4143. # Like <h, accepts an optional header name
  4144. # argument.
  4145. #
  4146. # adapt::sum_trs Summed adaptation transaction response
  4147. # times recorded as a comma-separated list in
  4148. # the order of transaction start time. Each time
  4149. # value is recorded as an integer number,
  4150. # representing response time of one or more
  4151. # adaptation (ICAP or eCAP) transaction in
  4152. # milliseconds. When a failed transaction is
  4153. # being retried or repeated, its time is not
  4154. # logged individually but added to the
  4155. # replacement (next) transaction. See also:
  4156. # adapt::all_trs.
  4157. #
  4158. # adapt::all_trs All adaptation transaction response times.
  4159. # Same as adaptation_strs but response times of
  4160. # individual transactions are never added
  4161. # together. Instead, all transaction response
  4162. # times are recorded individually.
  4163. #
  4164. # You can prefix adapt::*_trs format codes with adaptation
  4165. # service name in curly braces to record response time(s) specific
  4166. # to that service. For example: %{my_service}adapt::sum_trs
  4167. #
  4168. # The default formats available (which do not need re-defining) are:
  4169. #
  4170. #logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt
  4171. #logformat common %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh
  4172. #logformat combined %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
  4173. #logformat referrer %ts.%03tu %>a %{Referer}>h %ru
  4174. #logformat useragent %>a [%tl] "%{User-Agent}>h"
  4175. #
  4176. # NOTE: When the log_mime_hdrs directive is set to ON.
  4177. # The squid, common and combined formats have a safely encoded copy
  4178. # of the mime headers appended to each line within a pair of brackets.
  4179. #
  4180. # NOTE: The common and combined formats are not quite true to the Apache definition.
  4181. # The logs from Squid contain an extra status and hierarchy code appended.
  4182. #
  4183. #Default:
  4184. # The format definitions squid, common, combined, referrer, useragent are built in.
  4185.  
  4186. # TAG: access_log
  4187. # Configures whether and how Squid logs HTTP and ICP transactions.
  4188. # If access logging is enabled, a single line is logged for every
  4189. # matching HTTP or ICP request. The recommended directive formats are:
  4190. #
  4191. # access_log <module>:<place> [option ...] [acl acl ...]
  4192. # access_log none [acl acl ...]
  4193. #
  4194. # The following directive format is accepted but may be deprecated:
  4195. # access_log <module>:<place> [<logformat name> [acl acl ...]]
  4196. #
  4197. # In most cases, the first ACL name must not contain the '=' character
  4198. # and should not be equal to an existing logformat name. You can always
  4199. # start with an 'all' ACL to work around those restrictions.
  4200. #
  4201. # Will log to the specified module:place using the specified format (which
  4202. # must be defined in a logformat directive) those entries which match
  4203. # ALL the acl's specified (which must be defined in acl clauses).
  4204. # If no acl is specified, all requests will be logged to this destination.
  4205. #
  4206. # ===== Available options for the recommended directive format =====
  4207. #
  4208. # logformat=name Names log line format (either built-in or
  4209. # defined by a logformat directive). Defaults
  4210. # to 'squid'.
  4211. #
  4212. # buffer-size=64KB Defines approximate buffering limit for log
  4213. # records (see buffered_logs). Squid should not
  4214. # keep more than the specified size and, hence,
  4215. # should flush records before the buffer becomes
  4216. # full to avoid overflows under normal
  4217. # conditions (the exact flushing algorithm is
  4218. # module-dependent though). The on-error option
  4219. # controls overflow handling.
  4220. #
  4221. # on-error=die|drop Defines action on unrecoverable errors. The
  4222. # 'drop' action ignores (i.e., does not log)
  4223. # affected log records. The default 'die' action
  4224. # kills the affected worker. The drop action
  4225. # support has not been tested for modules other
  4226. # than tcp.
  4227. #
  4228. # rotate=N Specifies the number of log file rotations to
  4229. # make when you run 'squid -k rotate'. The default
  4230. # is to obey the logfile_rotate directive. Setting
  4231. # rotate=0 will disable the file name rotation,
  4232. # but the log files are still closed and re-opened.
  4233. # This will enable you to rename the logfiles
  4234. # yourself just before sending the rotate signal.
  4235. # Only supported by the stdio module.
  4236. #
  4237. # ===== Modules Currently available =====
  4238. #
  4239. # none Do not log any requests matching these ACL.
  4240. # Do not specify Place or logformat name.
  4241. #
  4242. # stdio Write each log line to disk immediately at the completion of
  4243. # each request.
  4244. # Place: the filename and path to be written.
  4245. #
  4246. # daemon Very similar to stdio. But instead of writing to disk the log
  4247. # line is passed to a daemon helper for asychronous handling instead.
  4248. # Place: varies depending on the daemon.
  4249. #
  4250. # log_file_daemon Place: the file name and path to be written.
  4251. #
  4252. # syslog To log each request via syslog facility.
  4253. # Place: The syslog facility and priority level for these entries.
  4254. # Place Format: facility.priority
  4255. #
  4256. # where facility could be any of:
  4257. # authpriv, daemon, local0 ... local7 or user.
  4258. #
  4259. # And priority could be any of:
  4260. # err, warning, notice, info, debug.
  4261. #
  4262. # udp To send each log line as text data to a UDP receiver.
  4263. # Place: The destination host name or IP and port.
  4264. # Place Format: //host:port
  4265. #
  4266. # tcp To send each log line as text data to a TCP receiver.
  4267. # Lines may be accumulated before sending (see buffered_logs).
  4268. # Place: The destination host name or IP and port.
  4269. # Place Format: //host:port
  4270. #
  4271. # Default:
  4272. # access_log daemon:/var/log/squid/access.log squid
  4273. #Default:
  4274. # access_log daemon:/var/log/squid/access.log squid
  4275.  
  4276. # TAG: icap_log
  4277. # ICAP log files record ICAP transaction summaries, one line per
  4278. # transaction.
  4279. #
  4280. # The icap_log option format is:
  4281. # icap_log <filepath> [<logformat name> [acl acl ...]]
  4282. # icap_log none [acl acl ...]]
  4283. #
  4284. # Please see access_log option documentation for details. The two
  4285. # kinds of logs share the overall configuration approach and many
  4286. # features.
  4287. #
  4288. # ICAP processing of a single HTTP message or transaction may
  4289. # require multiple ICAP transactions. In such cases, multiple
  4290. # ICAP transaction log lines will correspond to a single access
  4291. # log line.
  4292. #
  4293. # ICAP log supports many access.log logformat %codes. In ICAP context,
  4294. # HTTP message-related %codes are applied to the HTTP message embedded
  4295. # in an ICAP message. Logformat "%http::>..." codes are used for HTTP
  4296. # messages embedded in ICAP requests while "%http::<..." codes are used
  4297. # for HTTP messages embedded in ICAP responses. For example:
  4298. #
  4299. # http::>h To-be-adapted HTTP message headers sent by Squid to
  4300. # the ICAP service. For REQMOD transactions, these are
  4301. # HTTP request headers. For RESPMOD, these are HTTP
  4302. # response headers, but Squid currently cannot log them
  4303. # (i.e., %http::>h will expand to "-" for RESPMOD).
  4304. #
  4305. # http::<h Adapted HTTP message headers sent by the ICAP
  4306. # service to Squid (i.e., HTTP request headers in regular
  4307. # REQMOD; HTTP response headers in RESPMOD and during
  4308. # request satisfaction in REQMOD).
  4309. #
  4310. # ICAP OPTIONS transactions do not embed HTTP messages.
  4311. #
  4312. # Several logformat codes below deal with ICAP message bodies. An ICAP
  4313. # message body, if any, typically includes a complete HTTP message
  4314. # (required HTTP headers plus optional HTTP message body). When
  4315. # computing HTTP message body size for these logformat codes, Squid
  4316. # either includes or excludes chunked encoding overheads; see
  4317. # code-specific documentation for details.
  4318. #
  4319. # For Secure ICAP services, all size-related information is currently
  4320. # computed before/after TLS encryption/decryption, as if TLS was not
  4321. # in use at all.
  4322. #
  4323. # The following format codes are also available for ICAP logs:
  4324. #
  4325. # icap::<A ICAP server IP address. Similar to <A.
  4326. #
  4327. # icap::<service_name ICAP service name from the icap_service
  4328. # option in Squid configuration file.
  4329. #
  4330. # icap::ru ICAP Request-URI. Similar to ru.
  4331. #
  4332. # icap::rm ICAP request method (REQMOD, RESPMOD, or
  4333. # OPTIONS). Similar to existing rm.
  4334. #
  4335. # icap::>st The total size of the ICAP request sent to the ICAP
  4336. # server (ICAP headers + ICAP body), including chunking
  4337. # metadata (if any).
  4338. #
  4339. # icap::<st The total size of the ICAP response received from the
  4340. # ICAP server (ICAP headers + ICAP body), including
  4341. # chunking metadata (if any).
  4342. #
  4343. # icap::<bs The size of the ICAP response body received from the
  4344. # ICAP server, excluding chunking metadata (if any).
  4345. #
  4346. # icap::tr Transaction response time (in
  4347. # milliseconds). The timer starts when
  4348. # the ICAP transaction is created and
  4349. # stops when the transaction is completed.
  4350. # Similar to tr.
  4351. #
  4352. # icap::tio Transaction I/O time (in milliseconds). The
  4353. # timer starts when the first ICAP request
  4354. # byte is scheduled for sending. The timers
  4355. # stops when the last byte of the ICAP response
  4356. # is received.
  4357. #
  4358. # icap::to Transaction outcome: ICAP_ERR* for all
  4359. # transaction errors, ICAP_OPT for OPTION
  4360. # transactions, ICAP_ECHO for 204
  4361. # responses, ICAP_MOD for message
  4362. # modification, and ICAP_SAT for request
  4363. # satisfaction. Similar to Ss.
  4364. #
  4365. # icap::Hs ICAP response status code. Similar to Hs.
  4366. #
  4367. # icap::>h ICAP request header(s). Similar to >h.
  4368. #
  4369. # icap::<h ICAP response header(s). Similar to <h.
  4370. #
  4371. # The default ICAP log format, which can be used without an explicit
  4372. # definition, is called icap_squid:
  4373. #
  4374. #logformat icap_squid %ts.%03tu %6icap::tr %>A %icap::to/%03icap::Hs %icap::<st %icap::rm %icap::ru %un -/%icap::<A -
  4375. #
  4376. # See also: logformat and %adapt::<last_h
  4377. #Default:
  4378. # none
  4379.  
  4380. # TAG: logfile_daemon
  4381. # Specify the path to the logfile-writing daemon. This daemon is
  4382. # used to write the access and store logs, if configured.
  4383. #
  4384. # Squid sends a number of commands to the log daemon:
  4385. # L<data>\n - logfile data
  4386. # R\n - rotate file
  4387. # T\n - truncate file
  4388. # O\n - reopen file
  4389. # F\n - flush file
  4390. # r<n>\n - set rotate count to <n>
  4391. # b<n>\n - 1 = buffer output, 0 = don't buffer output
  4392. #
  4393. # No responses is expected.
  4394. #Default:
  4395. # logfile_daemon /usr/lib/squid/log_file_daemon
  4396.  
  4397. # TAG: stats_collection allow|deny acl acl...
  4398. # This options allows you to control which requests gets accounted
  4399. # in performance counters.
  4400. #
  4401. # This clause only supports fast acl types.
  4402. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  4403. #Default:
  4404. # Allow logging for all transactions.
  4405.  
  4406. # TAG: cache_store_log
  4407. # Logs the activities of the storage manager. Shows which
  4408. # objects are ejected from the cache, and which objects are
  4409. # saved and for how long.
  4410. # There are not really utilities to analyze this data, so you can safely
  4411. # disable it (the default).
  4412. #
  4413. # Store log uses modular logging outputs. See access_log for the list
  4414. # of modules supported.
  4415. #
  4416. # Example:
  4417. # cache_store_log stdio:/var/log/squid/store.log
  4418. # cache_store_log daemon:/var/log/squid/store.log
  4419. cache_store_log none
  4420. #Default:
  4421. # none
  4422.  
  4423. # TAG: cache_swap_state
  4424. # Location for the cache "swap.state" file. This index file holds
  4425. # the metadata of objects saved on disk. It is used to rebuild
  4426. # the cache during startup. Normally this file resides in each
  4427. # 'cache_dir' directory, but you may specify an alternate
  4428. # pathname here. Note you must give a full filename, not just
  4429. # a directory. Since this is the index for the whole object
  4430. # list you CANNOT periodically rotate it!
  4431. #
  4432. # If %s can be used in the file name it will be replaced with a
  4433. # a representation of the cache_dir name where each / is replaced
  4434. # with '.'. This is needed to allow adding/removing cache_dir
  4435. # lines when cache_swap_log is being used.
  4436. #
  4437. # If have more than one 'cache_dir', and %s is not used in the name
  4438. # these swap logs will have names such as:
  4439. #
  4440. # cache_swap_log.00
  4441. # cache_swap_log.01
  4442. # cache_swap_log.02
  4443. #
  4444. # The numbered extension (which is added automatically)
  4445. # corresponds to the order of the 'cache_dir' lines in this
  4446. # configuration file. If you change the order of the 'cache_dir'
  4447. # lines in this file, these index files will NOT correspond to
  4448. # the correct 'cache_dir' entry (unless you manually rename
  4449. # them). We recommend you do NOT use this option. It is
  4450. # better to keep these index files in each 'cache_dir' directory.
  4451. #Default:
  4452. # Store the journal inside its cache_dir
  4453.  
  4454. # TAG: logfile_rotate
  4455. # Specifies the default number of logfile rotations to make when you
  4456. # type 'squid -k rotate'. The default is 10, which will rotate
  4457. # with extensions 0 through 9. Setting logfile_rotate to 0 will
  4458. # disable the file name rotation, but the logfiles are still closed
  4459. # and re-opened. This will enable you to rename the logfiles
  4460. # yourself just before sending the rotate signal.
  4461. #
  4462. # Note, from Squid-3.1 this option is only a default for cache.log,
  4463. # that log can be rotated separately by using debug_options.
  4464. #
  4465. # Note, from Squid-4 this option is only a default for access.log
  4466. # recorded by stdio: module. Those logs can be rotated separately by
  4467. # using the rotate=N option on their access_log directive.
  4468. #
  4469. # Note, the 'squid -k rotate' command normally sends a USR1
  4470. # signal to the running squid process. In certain situations
  4471. # (e.g. on Linux with Async I/O), USR1 is used for other
  4472. # purposes, so -k rotate uses another signal. It is best to get
  4473. # in the habit of using 'squid -k rotate' instead of 'kill -USR1
  4474. # <pid>'.
  4475. #
  4476. # Note, for Debian/Linux the default of logfile_rotate is
  4477. # zero, since it includes external logfile-rotation methods.
  4478. #Default:
  4479. # logfile_rotate 0
  4480.  
  4481. # TAG: mime_table
  4482. # Path to Squid's icon configuration file.
  4483. #
  4484. # You shouldn't need to change this, but the default file contains
  4485. # examples and formatting information if you do.
  4486. #Default:
  4487. # mime_table /usr/share/squid/mime.conf
  4488.  
  4489. # TAG: log_mime_hdrs on|off
  4490. # The Cache can record both the request and the response MIME
  4491. # headers for each HTTP transaction. The headers are encoded
  4492. # safely and will appear as two bracketed fields at the end of
  4493. # the access log (for either the native or httpd-emulated log
  4494. # formats). To enable this logging set log_mime_hdrs to 'on'.
  4495. #Default:
  4496. # log_mime_hdrs off
  4497.  
  4498. # TAG: pid_filename
  4499. # A filename to write the process-id to. To disable, enter "none".
  4500. #Default:
  4501. # pid_filename /run/squid.pid
  4502.  
  4503. # TAG: client_netmask
  4504. # A netmask for client addresses in logfiles and cachemgr output.
  4505. # Change this to protect the privacy of your cache clients.
  4506. # A netmask of 255.255.255.0 will log all IP's in that range with
  4507. # the last digit set to '0'.
  4508. #Default:
  4509. # Log full client IP address
  4510.  
  4511. # TAG: strip_query_terms
  4512. # By default, Squid strips query terms from requested URLs before
  4513. # logging. This protects your user's privacy and reduces log size.
  4514. #
  4515. # When investigating HIT/MISS or other caching behaviour you
  4516. # will need to disable this to see the full URL used by Squid.
  4517. #Default:
  4518. # strip_query_terms on
  4519.  
  4520. # TAG: buffered_logs on|off
  4521. # Whether to write/send access_log records ASAP or accumulate them and
  4522. # then write/send them in larger chunks. Buffering may improve
  4523. # performance because it decreases the number of I/Os. However,
  4524. # buffering increases the delay before log records become available to
  4525. # the final recipient (e.g., a disk file or logging daemon) and,
  4526. # hence, increases the risk of log records loss.
  4527. #
  4528. # Note that even when buffered_logs are off, Squid may have to buffer
  4529. # records if it cannot write/send them immediately due to pending I/Os
  4530. # (e.g., the I/O writing the previous log record) or connectivity loss.
  4531. #
  4532. # Currently honored by 'daemon' and 'tcp' access_log modules only.
  4533. #Default:
  4534. # buffered_logs off
  4535.  
  4536. # TAG: netdb_filename
  4537. # Where Squid stores it's netdb journal.
  4538. # When enabled this journal preserves netdb state between restarts.
  4539. #
  4540. # To disable, enter "none".
  4541. #Default:
  4542. # netdb_filename stdio:/var/spool/squid/netdb.state
  4543.  
  4544. # OPTIONS FOR TROUBLESHOOTING
  4545. # -----------------------------------------------------------------------------
  4546.  
  4547. # TAG: cache_log
  4548. # Squid administrative logging file.
  4549. #
  4550. # This is where general information about Squid behavior goes. You can
  4551. # increase the amount of data logged to this file and how often it is
  4552. # rotated with "debug_options"
  4553. #Default:
  4554. # cache_log /var/log/squid/cache.log
  4555.  
  4556. # TAG: debug_options
  4557. # Logging options are set as section,level where each source file
  4558. # is assigned a unique section. Lower levels result in less
  4559. # output, Full debugging (level 9) can result in a very large
  4560. # log file, so be careful.
  4561. #
  4562. # The magic word "ALL" sets debugging levels for all sections.
  4563. # The default is to run with "ALL,1" to record important warnings.
  4564. #
  4565. # The rotate=N option can be used to keep more or less of these logs
  4566. # than would otherwise be kept by logfile_rotate.
  4567. # For most uses a single log should be enough to monitor current
  4568. # events affecting Squid.
  4569. #Default:
  4570. # Log all critical and important messages.
  4571.  
  4572. # TAG: coredump_dir
  4573. # By default Squid leaves core files in the directory from where
  4574. # it was started. If you set 'coredump_dir' to a directory
  4575. # that exists, Squid will chdir() to that directory at startup
  4576. # and coredump files will be left there.
  4577. #
  4578. #Default:
  4579. # Use the directory from where Squid was started.
  4580. #
  4581.  
  4582. # Leave coredumps in the first cache dir
  4583. #coredump_dir /var/spool/squid
  4584.  
  4585. #coredump_dir /dev/null
  4586.  
  4587. # OPTIONS FOR FTP GATEWAYING
  4588. # -----------------------------------------------------------------------------
  4589.  
  4590. # TAG: ftp_user
  4591. # If you want the anonymous login password to be more informative
  4592. # (and enable the use of picky FTP servers), set this to something
  4593. # reasonable for your domain, like wwwuser@somewhere.net
  4594. #
  4595. # The reason why this is domainless by default is the
  4596. # request can be made on the behalf of a user in any domain,
  4597. # depending on how the cache is used.
  4598. # Some FTP server also validate the email address is valid
  4599. # (for example perl.com).
  4600. #Default:
  4601. # ftp_user Squid@
  4602.  
  4603. # TAG: ftp_passive
  4604. # If your firewall does not allow Squid to use passive
  4605. # connections, turn off this option.
  4606. #
  4607. # Use of ftp_epsv_all option requires this to be ON.
  4608. #Default:
  4609. # ftp_passive on
  4610.  
  4611. # TAG: ftp_epsv_all
  4612. # FTP Protocol extensions permit the use of a special "EPSV ALL" command.
  4613. #
  4614. # NATs may be able to put the connection on a "fast path" through the
  4615. # translator, as the EPRT command will never be used and therefore,
  4616. # translation of the data portion of the segments will never be needed.
  4617. #
  4618. # When a client only expects to do two-way FTP transfers this may be
  4619. # useful.
  4620. # If squid finds that it must do a three-way FTP transfer after issuing
  4621. # an EPSV ALL command, the FTP session will fail.
  4622. #
  4623. # If you have any doubts about this option do not use it.
  4624. # Squid will nicely attempt all other connection methods.
  4625. #
  4626. # Requires ftp_passive to be ON (default) for any effect.
  4627. #Default:
  4628. # ftp_epsv_all off
  4629.  
  4630. # TAG: ftp_epsv
  4631. # FTP Protocol extensions permit the use of a special "EPSV" command.
  4632. #
  4633. # NATs may be able to put the connection on a "fast path" through the
  4634. # translator using EPSV, as the EPRT command will never be used
  4635. # and therefore, translation of the data portion of the segments
  4636. # will never be needed.
  4637. #
  4638. # EPSV is often required to interoperate with FTP servers on IPv6
  4639. # networks. On the other hand, it may break some IPv4 servers.
  4640. #
  4641. # By default, EPSV may try EPSV with any FTP server. To fine tune
  4642. # that decision, you may restrict EPSV to certain clients or servers
  4643. # using ACLs:
  4644. #
  4645. # ftp_epsv allow|deny al1 acl2 ...
  4646. #
  4647. # WARNING: Disabling EPSV may cause problems with external NAT and IPv6.
  4648. #
  4649. # Only fast ACLs are supported.
  4650. # Requires ftp_passive to be ON (default) for any effect.
  4651. #Default:
  4652. # none
  4653.  
  4654. # TAG: ftp_eprt
  4655. # FTP Protocol extensions permit the use of a special "EPRT" command.
  4656. #
  4657. # This extension provides a protocol neutral alternative to the
  4658. # IPv4-only PORT command. When supported it enables active FTP data
  4659. # channels over IPv6 and efficient NAT handling.
  4660. #
  4661. # Turning this OFF will prevent EPRT being attempted and will skip
  4662. # straight to using PORT for IPv4 servers.
  4663. #
  4664. # Some devices are known to not handle this extension correctly and
  4665. # may result in crashes. Devices which suport EPRT enough to fail
  4666. # cleanly will result in Squid attempting PORT anyway. This directive
  4667. # should only be disabled when EPRT results in device failures.
  4668. #
  4669. # WARNING: Doing so will convert Squid back to the old behavior with all
  4670. # the related problems with external NAT devices/layers and IPv4-only FTP.
  4671. #Default:
  4672. # ftp_eprt on
  4673.  
  4674. # TAG: ftp_sanitycheck
  4675. # For security and data integrity reasons Squid by default performs
  4676. # sanity checks of the addresses of FTP data connections ensure the
  4677. # data connection is to the requested server. If you need to allow
  4678. # FTP connections to servers using another IP address for the data
  4679. # connection turn this off.
  4680. #Default:
  4681. # ftp_sanitycheck on
  4682.  
  4683. # TAG: ftp_telnet_protocol
  4684. # The FTP protocol is officially defined to use the telnet protocol
  4685. # as transport channel for the control connection. However, many
  4686. # implementations are broken and does not respect this aspect of
  4687. # the FTP protocol.
  4688. #
  4689. # If you have trouble accessing files with ASCII code 255 in the
  4690. # path or similar problems involving this ASCII code you can
  4691. # try setting this directive to off. If that helps, report to the
  4692. # operator of the FTP server in question that their FTP server
  4693. # is broken and does not follow the FTP standard.
  4694. #Default:
  4695. # ftp_telnet_protocol on
  4696.  
  4697. # OPTIONS FOR EXTERNAL SUPPORT PROGRAMS
  4698. # -----------------------------------------------------------------------------
  4699.  
  4700. # TAG: diskd_program
  4701. # Specify the location of the diskd executable.
  4702. # Note this is only useful if you have compiled in
  4703. # diskd as one of the store io modules.
  4704. #Default:
  4705. # diskd_program /usr/lib/squid/diskd
  4706.  
  4707. # TAG: unlinkd_program
  4708. # Specify the location of the executable for file deletion process.
  4709. #Default:
  4710. # unlinkd_program /usr/lib/squid/unlinkd
  4711.  
  4712. # TAG: pinger_program
  4713. # Specify the location of the executable for the pinger process.
  4714. #Default:
  4715. # pinger_program /usr/lib/squid/pinger
  4716.  
  4717. # TAG: pinger_enable
  4718. # Control whether the pinger is active at run-time.
  4719. # Enables turning ICMP pinger on and off with a simple
  4720. # squid -k reconfigure.
  4721. #Default:
  4722. # pinger_enable on
  4723.  
  4724. # OPTIONS FOR URL REWRITING
  4725. # -----------------------------------------------------------------------------
  4726.  
  4727. # TAG: url_rewrite_program
  4728. # Specify the location of the executable URL rewriter to use.
  4729. # Since they can perform almost any function there isn't one included.
  4730. #
  4731. # For each requested URL, the rewriter will receive on line with the format
  4732. #
  4733. # [channel-ID <SP>] URL [<SP> extras]<NL>
  4734. #
  4735. # See url_rewrite_extras on how to send "extras" with optional values to
  4736. # the helper.
  4737. # After processing the request the helper must reply using the following format:
  4738. #
  4739. # [channel-ID <SP>] result [<SP> kv-pairs]
  4740. #
  4741. # The result code can be:
  4742. #
  4743. # OK status=30N url="..."
  4744. # Redirect the URL to the one supplied in 'url='.
  4745. # 'status=' is optional and contains the status code to send
  4746. # the client in Squids HTTP response. It must be one of the
  4747. # HTTP redirect status codes: 301, 302, 303, 307, 308.
  4748. # When no status is given Squid will use 302.
  4749. #
  4750. # OK rewrite-url="..."
  4751. # Rewrite the URL to the one supplied in 'rewrite-url='.
  4752. # The new URL is fetched directly by Squid and returned to
  4753. # the client as the response to its request.
  4754. #
  4755. # OK
  4756. # When neither of url= and rewrite-url= are sent Squid does
  4757. # not change the URL.
  4758. #
  4759. # ERR
  4760. # Do not change the URL.
  4761. #
  4762. # BH
  4763. # An internal error occurred in the helper, preventing
  4764. # a result being identified. The 'message=' key name is
  4765. # reserved for delivering a log message.
  4766. #
  4767. #
  4768. # In addition to the above kv-pairs Squid also understands the following
  4769. # optional kv-pairs received from URL rewriters:
  4770. # clt_conn_tag=TAG
  4771. # Associates a TAG with the client TCP connection.
  4772. # The TAG is treated as a regular annotation but persists across
  4773. # future requests on the client connection rather than just the
  4774. # current request. A helper may update the TAG during subsequent
  4775. # requests be returning a new kv-pair.
  4776. #
  4777. # When using the concurrency= option the protocol is changed by
  4778. # introducing a query channel tag in front of the request/response.
  4779. # The query channel tag is a number between 0 and concurrency-1.
  4780. # This value must be echoed back unchanged to Squid as the first part
  4781. # of the response relating to its request.
  4782. #
  4783. # WARNING: URL re-writing ability should be avoided whenever possible.
  4784. # Use the URL redirect form of response instead.
  4785. #
  4786. # Re-write creates a difference in the state held by the client
  4787. # and server. Possibly causing confusion when the server response
  4788. # contains snippets of its view state. Embeded URLs, response
  4789. # and content Location headers, etc. are not re-written by this
  4790. # interface.
  4791. #
  4792. # By default, a URL rewriter is not used.
  4793. #Default:
  4794. # none
  4795.  
  4796. # TAG: url_rewrite_children
  4797. # Specifies the maximum number of redirector processes that Squid may
  4798. # spawn (numberofchildren) and several related options. Using too few of
  4799. # these helper processes (a.k.a. "helpers") creates request queues.
  4800. # Using too many helpers wastes your system resources.
  4801. #
  4802. # Usage: numberofchildren [option]...
  4803. #
  4804. # The startup= and idle= options allow some measure of skew in your
  4805. # tuning.
  4806. #
  4807. # startup=
  4808. #
  4809. # Sets a minimum of how many processes are to be spawned when Squid
  4810. # starts or reconfigures. When set to zero the first request will
  4811. # cause spawning of the first child process to handle it.
  4812. #
  4813. # Starting too few will cause an initial slowdown in traffic as Squid
  4814. # attempts to simultaneously spawn enough processes to cope.
  4815. #
  4816. # idle=
  4817. #
  4818. # Sets a minimum of how many processes Squid is to try and keep available
  4819. # at all times. When traffic begins to rise above what the existing
  4820. # processes can handle this many more will be spawned up to the maximum
  4821. # configured. A minimum setting of 1 is required.
  4822. #
  4823. # concurrency=
  4824. #
  4825. # The number of requests each redirector helper can handle in
  4826. # parallel. Defaults to 0 which indicates the redirector
  4827. # is a old-style single threaded redirector.
  4828. #
  4829. # When this directive is set to a value >= 1 then the protocol
  4830. # used to communicate with the helper is modified to include
  4831. # an ID in front of the request/response. The ID from the request
  4832. # must be echoed back with the response to that request.
  4833. #
  4834. # queue-size=N
  4835. #
  4836. # Sets the maximum number of queued requests. A request is queued when
  4837. # no existing child can accept it due to concurrency limit and no new
  4838. # child can be started due to numberofchildren limit. The default
  4839. # maximum is zero if url_rewrite_bypass is enabled and
  4840. # 2*numberofchildren otherwise. If the queued requests exceed queue size
  4841. # and redirector_bypass configuration option is set, then redirector is
  4842. # bypassed. Otherwise, Squid is allowed to temporarily exceed the
  4843. # configured maximum, marking the affected helper as "overloaded". If
  4844. # the helper overload lasts more than 3 minutes, the action prescribed
  4845. # by the on-persistent-overload option applies.
  4846. #
  4847. # on-persistent-overload=action
  4848. #
  4849. # Specifies Squid reaction to a new helper request arriving when the helper
  4850. # has been overloaded for more that 3 minutes already. The number of queued
  4851. # requests determines whether the helper is overloaded (see the queue-size
  4852. # option).
  4853. #
  4854. # Two actions are supported:
  4855. #
  4856. # die Squid worker quits. This is the default behavior.
  4857. #
  4858. # ERR Squid treats the helper request as if it was
  4859. # immediately submitted, and the helper immediately
  4860. # replied with an ERR response. This action has no effect
  4861. # on the already queued and in-progress helper requests.
  4862. #Default:
  4863. # url_rewrite_children 20 startup=0 idle=1 concurrency=0
  4864.  
  4865. # TAG: url_rewrite_host_header
  4866. # To preserve same-origin security policies in browsers and
  4867. # prevent Host: header forgery by redirectors Squid rewrites
  4868. # any Host: header in redirected requests.
  4869. #
  4870. # If you are running an accelerator this may not be a wanted
  4871. # effect of a redirector. This directive enables you disable
  4872. # Host: alteration in reverse-proxy traffic.
  4873. #
  4874. # WARNING: Entries are cached on the result of the URL rewriting
  4875. # process, so be careful if you have domain-virtual hosts.
  4876. #
  4877. # WARNING: Squid and other software verifies the URL and Host
  4878. # are matching, so be careful not to relay through other proxies
  4879. # or inspecting firewalls with this disabled.
  4880. #Default:
  4881. # url_rewrite_host_header on
  4882.  
  4883. # TAG: url_rewrite_access
  4884. # If defined, this access list specifies which requests are
  4885. # sent to the redirector processes.
  4886. #
  4887. # This clause supports both fast and slow acl types.
  4888. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  4889. #Default:
  4890. # Allow, unless rules exist in squid.conf.
  4891.  
  4892. # TAG: url_rewrite_bypass
  4893. # When this is 'on', a request will not go through the
  4894. # redirector if all the helpers are busy. If this is 'off' and the
  4895. # redirector queue grows too large, the action is prescribed by the
  4896. # on-persistent-overload option. You should only enable this if the
  4897. # redirectors are not critical to your caching system. If you use
  4898. # redirectors for access control, and you enable this option,
  4899. # users may have access to pages they should not
  4900. # be allowed to request.
  4901. #
  4902. # Enabling this option sets the default url_rewrite_children queue-size
  4903. # option value to 0.
  4904. #Default:
  4905. # url_rewrite_bypass off
  4906.  
  4907. # TAG: url_rewrite_extras
  4908. # Specifies a string to be append to request line format for the
  4909. # rewriter helper. "Quoted" format values may contain spaces and
  4910. # logformat %macros. In theory, any logformat %macro can be used.
  4911. # In practice, a %macro expands as a dash (-) if the helper request is
  4912. # sent before the required macro information is available to Squid.
  4913. #Default:
  4914. # url_rewrite_extras "%>a/%>A %un %>rm myip=%la myport=%lp"
  4915.  
  4916. # TAG: url_rewrite_timeout
  4917. # Squid times active requests to redirector. The timeout value and Squid
  4918. # reaction to a timed out request are configurable using the following
  4919. # format:
  4920. #
  4921. # url_rewrite_timeout timeout time-units on_timeout=<action> [response=<quoted-response>]
  4922. #
  4923. # supported timeout actions:
  4924. # fail Squid return a ERR_GATEWAY_FAILURE error page
  4925. #
  4926. # bypass Do not re-write the URL
  4927. #
  4928. # retry Send the lookup to the helper again
  4929. #
  4930. # use_configured_response
  4931. # Use the <quoted-response> as helper response
  4932. #Default:
  4933. # Squid waits for the helper response forever
  4934.  
  4935. # OPTIONS FOR STORE ID
  4936. # -----------------------------------------------------------------------------
  4937.  
  4938. # TAG: store_id_program
  4939. # Specify the location of the executable StoreID helper to use.
  4940. # Since they can perform almost any function there isn't one included.
  4941. #
  4942. # For each requested URL, the helper will receive one line with the format
  4943. #
  4944. # [channel-ID <SP>] URL [<SP> extras]<NL>
  4945. #
  4946. #
  4947. # After processing the request the helper must reply using the following format:
  4948. #
  4949. # [channel-ID <SP>] result [<SP> kv-pairs]
  4950. #
  4951. # The result code can be:
  4952. #
  4953. # OK store-id="..."
  4954. # Use the StoreID supplied in 'store-id='.
  4955. #
  4956. # ERR
  4957. # The default is to use HTTP request URL as the store ID.
  4958. #
  4959. # BH
  4960. # An internal error occurred in the helper, preventing
  4961. # a result being identified.
  4962. #
  4963. # In addition to the above kv-pairs Squid also understands the following
  4964. # optional kv-pairs received from URL rewriters:
  4965. # clt_conn_tag=TAG
  4966. # Associates a TAG with the client TCP connection.
  4967. # Please see url_rewrite_program related documentation for this
  4968. # kv-pair
  4969. #
  4970. # Helper programs should be prepared to receive and possibly ignore
  4971. # additional whitespace-separated tokens on each input line.
  4972. #
  4973. # When using the concurrency= option the protocol is changed by
  4974. # introducing a query channel tag in front of the request/response.
  4975. # The query channel tag is a number between 0 and concurrency-1.
  4976. # This value must be echoed back unchanged to Squid as the first part
  4977. # of the response relating to its request.
  4978. #
  4979. # NOTE: when using StoreID refresh_pattern will apply to the StoreID
  4980. # returned from the helper and not the URL.
  4981. #
  4982. # WARNING: Wrong StoreID value returned by a careless helper may result
  4983. # in the wrong cached response returned to the user.
  4984. #
  4985. # By default, a StoreID helper is not used.
  4986. #Default:
  4987. # none
  4988.  
  4989. # TAG: store_id_extras
  4990. # Specifies a string to be append to request line format for the
  4991. # StoreId helper. "Quoted" format values may contain spaces and
  4992. # logformat %macros. In theory, any logformat %macro can be used.
  4993. # In practice, a %macro expands as a dash (-) if the helper request is
  4994. # sent before the required macro information is available to Squid.
  4995. #Default:
  4996. # store_id_extras "%>a/%>A %un %>rm myip=%la myport=%lp"
  4997.  
  4998. # TAG: store_id_children
  4999. # Specifies the maximum number of StoreID helper processes that Squid
  5000. # may spawn (numberofchildren) and several related options. Using
  5001. # too few of these helper processes (a.k.a. "helpers") creates request
  5002. # queues. Using too many helpers wastes your system resources.
  5003. #
  5004. # Usage: numberofchildren [option]...
  5005. #
  5006. # The startup= and idle= options allow some measure of skew in your
  5007. # tuning.
  5008. #
  5009. # startup=
  5010. #
  5011. # Sets a minimum of how many processes are to be spawned when Squid
  5012. # starts or reconfigures. When set to zero the first request will
  5013. # cause spawning of the first child process to handle it.
  5014. #
  5015. # Starting too few will cause an initial slowdown in traffic as Squid
  5016. # attempts to simultaneously spawn enough processes to cope.
  5017. #
  5018. # idle=
  5019. #
  5020. # Sets a minimum of how many processes Squid is to try and keep available
  5021. # at all times. When traffic begins to rise above what the existing
  5022. # processes can handle this many more will be spawned up to the maximum
  5023. # configured. A minimum setting of 1 is required.
  5024. #
  5025. # concurrency=
  5026. #
  5027. # The number of requests each storeID helper can handle in
  5028. # parallel. Defaults to 0 which indicates the helper
  5029. # is a old-style single threaded program.
  5030. #
  5031. # When this directive is set to a value >= 1 then the protocol
  5032. # used to communicate with the helper is modified to include
  5033. # an ID in front of the request/response. The ID from the request
  5034. # must be echoed back with the response to that request.
  5035. #
  5036. # queue-size=N
  5037. #
  5038. # Sets the maximum number of queued requests to N. A request is queued
  5039. # when no existing child can accept it due to concurrency limit and no
  5040. # new child can be started due to numberofchildren limit. The default
  5041. # maximum is 2*numberofchildren. If the queued requests exceed queue
  5042. # size and redirector_bypass configuration option is set, then
  5043. # redirector is bypassed. Otherwise, Squid is allowed to temporarily
  5044. # exceed the configured maximum, marking the affected helper as
  5045. # "overloaded". If the helper overload lasts more than 3 minutes, the
  5046. # action prescribed by the on-persistent-overload option applies.
  5047. #
  5048. # on-persistent-overload=action
  5049. #
  5050. # Specifies Squid reaction to a new helper request arriving when the helper
  5051. # has been overloaded for more that 3 minutes already. The number of queued
  5052. # requests determines whether the helper is overloaded (see the queue-size
  5053. # option).
  5054. #
  5055. # Two actions are supported:
  5056. #
  5057. # die Squid worker quits. This is the default behavior.
  5058. #
  5059. # ERR Squid treats the helper request as if it was
  5060. # immediately submitted, and the helper immediately
  5061. # replied with an ERR response. This action has no effect
  5062. # on the already queued and in-progress helper requests.
  5063. #Default:
  5064. # store_id_children 20 startup=0 idle=1 concurrency=0
  5065.  
  5066. # TAG: store_id_access
  5067. # If defined, this access list specifies which requests are
  5068. # sent to the StoreID processes. By default all requests
  5069. # are sent.
  5070. #
  5071. # This clause supports both fast and slow acl types.
  5072. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  5073. #Default:
  5074. # Allow, unless rules exist in squid.conf.
  5075.  
  5076. # TAG: store_id_bypass
  5077. # When this is 'on', a request will not go through the
  5078. # helper if all helpers are busy. If this is 'off' and the helper
  5079. # queue grows too large, the action is prescribed by the
  5080. # on-persistent-overload option. You should only enable this if the
  5081. # helpers are not critical to your caching system. If you use
  5082. # helpers for critical caching components, and you enable this
  5083. # option, users may not get objects from cache.
  5084. # This options sets default queue-size option of the store_id_children
  5085. # to 0.
  5086. #Default:
  5087. # store_id_bypass on
  5088.  
  5089. # OPTIONS FOR TUNING THE CACHE
  5090. # -----------------------------------------------------------------------------
  5091.  
  5092. # TAG: cache
  5093. # Requests denied by this directive will not be served from the cache
  5094. # and their responses will not be stored in the cache. This directive
  5095. # has no effect on other transactions and on already cached responses.
  5096. #
  5097. # This clause supports both fast and slow acl types.
  5098. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  5099. #
  5100. # This and the two other similar caching directives listed below are
  5101. # checked at different transaction processing stages, have different
  5102. # access to response information, affect different cache operations,
  5103. # and differ in slow ACLs support:
  5104. #
  5105. # * cache: Checked before Squid makes a hit/miss determination.
  5106. # No access to reply information!
  5107. # Denies both serving a hit and storing a miss.
  5108. # Supports both fast and slow ACLs.
  5109. # * send_hit: Checked after a hit was detected.
  5110. # Has access to reply (hit) information.
  5111. # Denies serving a hit only.
  5112. # Supports fast ACLs only.
  5113. # * store_miss: Checked before storing a cachable miss.
  5114. # Has access to reply (miss) information.
  5115. # Denies storing a miss only.
  5116. # Supports fast ACLs only.
  5117. #
  5118. # If you are not sure which of the three directives to use, apply the
  5119. # following decision logic:
  5120. #
  5121. # * If your ACL(s) are of slow type _and_ need response info, redesign.
  5122. # Squid does not support that particular combination at this time.
  5123. # Otherwise:
  5124. # * If your directive ACL(s) are of slow type, use "cache"; and/or
  5125. # * if your directive ACL(s) need no response info, use "cache".
  5126. # Otherwise:
  5127. # * If you do not want the response cached, use store_miss; and/or
  5128. # * if you do not want a hit on a cached response, use send_hit.
  5129. #Default:
  5130. # By default, this directive is unused and has no effect.
  5131.  
  5132. # TAG: send_hit
  5133. # Responses denied by this directive will not be served from the cache
  5134. # (but may still be cached, see store_miss). This directive has no
  5135. # effect on the responses it allows and on the cached objects.
  5136. #
  5137. # Please see the "cache" directive for a summary of differences among
  5138. # store_miss, send_hit, and cache directives.
  5139. #
  5140. # Unlike the "cache" directive, send_hit only supports fast acl
  5141. # types. See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  5142. #
  5143. # For example:
  5144. #
  5145. # # apply custom Store ID mapping to some URLs
  5146. # acl MapMe dstdomain .c.example.com
  5147. # store_id_program ...
  5148. # store_id_access allow MapMe
  5149. #
  5150. # # but prevent caching of special responses
  5151. # # such as 302 redirects that cause StoreID loops
  5152. # acl Ordinary http_status 200-299
  5153. # store_miss deny MapMe !Ordinary
  5154. #
  5155. # # and do not serve any previously stored special responses
  5156. # # from the cache (in case they were already cached before
  5157. # # the above store_miss rule was in effect).
  5158. # send_hit deny MapMe !Ordinary
  5159. #Default:
  5160. # By default, this directive is unused and has no effect.
  5161.  
  5162. # TAG: store_miss
  5163. # Responses denied by this directive will not be cached (but may still
  5164. # be served from the cache, see send_hit). This directive has no
  5165. # effect on the responses it allows and on the already cached responses.
  5166. #
  5167. # Please see the "cache" directive for a summary of differences among
  5168. # store_miss, send_hit, and cache directives. See the
  5169. # send_hit directive for a usage example.
  5170. #
  5171. # Unlike the "cache" directive, store_miss only supports fast acl
  5172. # types. See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  5173. #Default:
  5174. # By default, this directive is unused and has no effect.
  5175.  
  5176. # TAG: max_stale time-units
  5177. # This option puts an upper limit on how stale content Squid
  5178. # will serve from the cache if cache validation fails.
  5179. # Can be overriden by the refresh_pattern max-stale option.
  5180. #Default:
  5181. # max_stale 1 week
  5182.  
  5183. # TAG: refresh_pattern
  5184. # usage: refresh_pattern [-i] regex min percent max [options]
  5185. #
  5186. # By default, regular expressions are CASE-SENSITIVE. To make
  5187. # them case-insensitive, use the -i option.
  5188. #
  5189. # 'Min' is the time (in minutes) an object without an explicit
  5190. # expiry time should be considered fresh. The recommended
  5191. # value is 0, any higher values may cause dynamic applications
  5192. # to be erroneously cached unless the application designer
  5193. # has taken the appropriate actions.
  5194. #
  5195. # 'Percent' is a percentage of the objects age (time since last
  5196. # modification age) an object without explicit expiry time
  5197. # will be considered fresh.
  5198. #
  5199. # 'Max' is an upper limit on how long objects without an explicit
  5200. # expiry time will be considered fresh. The value is also used
  5201. # to form Cache-Control: max-age header for a request sent from
  5202. # Squid to origin/parent.
  5203. #
  5204. # options: override-expire
  5205. # override-lastmod
  5206. # reload-into-ims
  5207. # ignore-reload
  5208. # ignore-no-store
  5209. # ignore-private
  5210. # max-stale=NN
  5211. # refresh-ims
  5212. # store-stale
  5213. #
  5214. # override-expire enforces min age even if the server
  5215. # sent an explicit expiry time (e.g., with the
  5216. # Expires: header or Cache-Control: max-age). Doing this
  5217. # VIOLATES the HTTP standard. Enabling this feature
  5218. # could make you liable for problems which it causes.
  5219. #
  5220. # Note: override-expire does not enforce staleness - it only extends
  5221. # freshness / min. If the server returns a Expires time which
  5222. # is longer than your max time, Squid will still consider
  5223. # the object fresh for that period of time.
  5224. #
  5225. # override-lastmod enforces min age even on objects
  5226. # that were modified recently.
  5227. #
  5228. # reload-into-ims changes a client no-cache or ``reload''
  5229. # request for a cached entry into a conditional request using
  5230. # If-Modified-Since and/or If-None-Match headers, provided the
  5231. # cached entry has a Last-Modified and/or a strong ETag header.
  5232. # Doing this VIOLATES the HTTP standard. Enabling this feature
  5233. # could make you liable for problems which it causes.
  5234. #
  5235. # ignore-reload ignores a client no-cache or ``reload''
  5236. # header. Doing this VIOLATES the HTTP standard. Enabling
  5237. # this feature could make you liable for problems which
  5238. # it causes.
  5239. #
  5240. # ignore-no-store ignores any ``Cache-control: no-store''
  5241. # headers received from a server. Doing this VIOLATES
  5242. # the HTTP standard. Enabling this feature could make you
  5243. # liable for problems which it causes.
  5244. #
  5245. # ignore-private ignores any ``Cache-control: private''
  5246. # headers received from a server. Doing this VIOLATES
  5247. # the HTTP standard. Enabling this feature could make you
  5248. # liable for problems which it causes.
  5249. #
  5250. # refresh-ims causes squid to contact the origin server
  5251. # when a client issues an If-Modified-Since request. This
  5252. # ensures that the client will receive an updated version
  5253. # if one is available.
  5254. #
  5255. # store-stale stores responses even if they don't have explicit
  5256. # freshness or a validator (i.e., Last-Modified or an ETag)
  5257. # present, or if they're already stale. By default, Squid will
  5258. # not cache such responses because they usually can't be
  5259. # reused. Note that such responses will be stale by default.
  5260. #
  5261. # max-stale=NN provide a maximum staleness factor. Squid won't
  5262. # serve objects more stale than this even if it failed to
  5263. # validate the object. Default: use the max_stale global limit.
  5264. #
  5265. # Basically a cached object is:
  5266. #
  5267. # FRESH if expire > now, else STALE
  5268. # STALE if age > max
  5269. # FRESH if lm-factor < percent, else STALE
  5270. # FRESH if age < min
  5271. # else STALE
  5272. #
  5273. # The refresh_pattern lines are checked in the order listed here.
  5274. # The first entry which matches is used. If none of the entries
  5275. # match the default will be used.
  5276. #
  5277. # Note, you must uncomment all the default lines if you want
  5278. # to change one. The default setting is only active if none is
  5279. # used.
  5280. #
  5281. #
  5282.  
  5283. #
  5284. # Add any of your own refresh_pattern entries above these.
  5285. #
  5286.  
  5287. refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$ 3600 90% 43200
  5288.  
  5289. refresh_pattern ^ftp: 1440 20% 10080
  5290. refresh_pattern ^gopher: 1440 0% 1440
  5291. refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
  5292. refresh_pattern . 0 20% 4320
  5293.  
  5294. # TAG: quick_abort_min (KB)
  5295. #Default:
  5296. # quick_abort_min 16 KB
  5297.  
  5298. # TAG: quick_abort_max (KB)
  5299. #Default:
  5300. # quick_abort_max 16 KB
  5301.  
  5302. # TAG: quick_abort_pct (percent)
  5303. # The cache by default continues downloading aborted requests
  5304. # which are almost completed (less than 16 KB remaining). This
  5305. # may be undesirable on slow (e.g. SLIP) links and/or very busy
  5306. # caches. Impatient users may tie up file descriptors and
  5307. # bandwidth by repeatedly requesting and immediately aborting
  5308. # downloads.
  5309. #
  5310. # When the user aborts a request, Squid will check the
  5311. # quick_abort values to the amount of data transferred until
  5312. # then.
  5313. #
  5314. # If the transfer has less than 'quick_abort_min' KB remaining,
  5315. # it will finish the retrieval.
  5316. #
  5317. # If the transfer has more than 'quick_abort_max' KB remaining,
  5318. # it will abort the retrieval.
  5319. #
  5320. # If more than 'quick_abort_pct' of the transfer has completed,
  5321. # it will finish the retrieval.
  5322. #
  5323. # If you do not want any retrieval to continue after the client
  5324. # has aborted, set both 'quick_abort_min' and 'quick_abort_max'
  5325. # to '0 KB'.
  5326. #
  5327. # If you want retrievals to always continue if they are being
  5328. # cached set 'quick_abort_min' to '-1 KB'.
  5329. #Default:
  5330. # quick_abort_pct 95
  5331.  
  5332. # TAG: read_ahead_gap buffer-size
  5333. # The amount of data the cache will buffer ahead of what has been
  5334. # sent to the client when retrieving an object from another server.
  5335. #Default:
  5336. # read_ahead_gap 16 KB
  5337.  
  5338. # TAG: negative_ttl time-units
  5339. # Set the Default Time-to-Live (TTL) for failed requests.
  5340. # Certain types of failures (such as "connection refused" and
  5341. # "404 Not Found") are able to be negatively-cached for a short time.
  5342. # Modern web servers should provide Expires: header, however if they
  5343. # do not this can provide a minimum TTL.
  5344. # The default is not to cache errors with unknown expiry details.
  5345. #
  5346. # Note that this is different from negative caching of DNS lookups.
  5347. #
  5348. # WARNING: Doing this VIOLATES the HTTP standard. Enabling
  5349. # this feature could make you liable for problems which it
  5350. # causes.
  5351. #Default:
  5352. # negative_ttl 0 seconds
  5353.  
  5354. # TAG: positive_dns_ttl time-units
  5355. # Upper limit on how long Squid will cache positive DNS responses.
  5356. # Default is 6 hours (360 minutes). This directive must be set
  5357. # larger than negative_dns_ttl.
  5358. #Default:
  5359. # positive_dns_ttl 6 hours
  5360.  
  5361. # TAG: negative_dns_ttl time-units
  5362. # Time-to-Live (TTL) for negative caching of failed DNS lookups.
  5363. # This also sets the lower cache limit on positive lookups.
  5364. # Minimum value is 1 second, and it is not recommendable to go
  5365. # much below 10 seconds.
  5366. #Default:
  5367. # negative_dns_ttl 1 minutes
  5368.  
  5369. # TAG: range_offset_limit size [acl acl...]
  5370. # usage: (size) [units] [[!]aclname]
  5371. #
  5372. # Sets an upper limit on how far (number of bytes) into the file
  5373. # a Range request may be to cause Squid to prefetch the whole file.
  5374. # If beyond this limit, Squid forwards the Range request as it is and
  5375. # the result is NOT cached.
  5376. #
  5377. # This is to stop a far ahead range request (lets say start at 17MB)
  5378. # from making Squid fetch the whole object up to that point before
  5379. # sending anything to the client.
  5380. #
  5381. # Multiple range_offset_limit lines may be specified, and they will
  5382. # be searched from top to bottom on each request until a match is found.
  5383. # The first match found will be used. If no line matches a request, the
  5384. # default limit of 0 bytes will be used.
  5385. #
  5386. # 'size' is the limit specified as a number of units.
  5387. #
  5388. # 'units' specifies whether to use bytes, KB, MB, etc.
  5389. # If no units are specified bytes are assumed.
  5390. #
  5391. # A size of 0 causes Squid to never fetch more than the
  5392. # client requested. (default)
  5393. #
  5394. # A size of 'none' causes Squid to always fetch the object from the
  5395. # beginning so it may cache the result. (2.0 style)
  5396. #
  5397. # 'aclname' is the name of a defined ACL.
  5398. #
  5399. # NP: Using 'none' as the byte value here will override any quick_abort settings
  5400. # that may otherwise apply to the range request. The range request will
  5401. # be fully fetched from start to finish regardless of the client
  5402. # actions. This affects bandwidth usage.
  5403. #Default:
  5404. # none
  5405.  
  5406. # TAG: minimum_expiry_time (seconds)
  5407. # The minimum caching time according to (Expires - Date)
  5408. # headers Squid honors if the object can't be revalidated.
  5409. # The default is 60 seconds.
  5410. #
  5411. # In reverse proxy environments it might be desirable to honor
  5412. # shorter object lifetimes. It is most likely better to make
  5413. # your server return a meaningful Last-Modified header however.
  5414. #
  5415. # In ESI environments where page fragments often have short
  5416. # lifetimes, this will often be best set to 0.
  5417. #Default:
  5418. # minimum_expiry_time 60 seconds
  5419.  
  5420. # TAG: store_avg_object_size (bytes)
  5421. # Average object size, used to estimate number of objects your
  5422. # cache can hold. The default is 13 KB.
  5423. #
  5424. # This is used to pre-seed the cache index memory allocation to
  5425. # reduce expensive reallocate operations while handling clients
  5426. # traffic. Too-large values may result in memory allocation during
  5427. # peak traffic, too-small values will result in wasted memory.
  5428. #
  5429. # Check the cache manager 'info' report metrics for the real
  5430. # object sizes seen by your Squid before tuning this.
  5431. #Default:
  5432. # store_avg_object_size 13 KB
  5433.  
  5434. # TAG: store_objects_per_bucket
  5435. # Target number of objects per bucket in the store hash table.
  5436. # Lowering this value increases the total number of buckets and
  5437. # also the storage maintenance rate. The default is 20.
  5438. #Default:
  5439. # store_objects_per_bucket 20
  5440.  
  5441. # HTTP OPTIONS
  5442. # -----------------------------------------------------------------------------
  5443.  
  5444. # TAG: request_header_max_size (KB)
  5445. # This specifies the maximum size for HTTP headers in a request.
  5446. # Request headers are usually relatively small (about 512 bytes).
  5447. # Placing a limit on the request header size will catch certain
  5448. # bugs (for example with persistent connections) and possibly
  5449. # buffer-overflow or denial-of-service attacks.
  5450. #Default:
  5451. # request_header_max_size 64 KB
  5452.  
  5453. # TAG: reply_header_max_size (KB)
  5454. # This specifies the maximum size for HTTP headers in a reply.
  5455. # Reply headers are usually relatively small (about 512 bytes).
  5456. # Placing a limit on the reply header size will catch certain
  5457. # bugs (for example with persistent connections) and possibly
  5458. # buffer-overflow or denial-of-service attacks.
  5459. #Default:
  5460. # reply_header_max_size 64 KB
  5461.  
  5462. # TAG: request_body_max_size (bytes)
  5463. # This specifies the maximum size for an HTTP request body.
  5464. # In other words, the maximum size of a PUT/POST request.
  5465. # A user who attempts to send a request with a body larger
  5466. # than this limit receives an "Invalid Request" error message.
  5467. # If you set this parameter to a zero (the default), there will
  5468. # be no limit imposed.
  5469. #
  5470. # See also client_request_buffer_max_size for an alternative
  5471. # limitation on client uploads which can be configured.
  5472. #Default:
  5473. # No limit.
  5474.  
  5475. # TAG: client_request_buffer_max_size (bytes)
  5476. # This specifies the maximum buffer size of a client request.
  5477. # It prevents squid eating too much memory when somebody uploads
  5478. # a large file.
  5479. #Default:
  5480. # client_request_buffer_max_size 512 KB
  5481.  
  5482. # TAG: broken_posts
  5483. # A list of ACL elements which, if matched, causes Squid to send
  5484. # an extra CRLF pair after the body of a PUT/POST request.
  5485. #
  5486. # Some HTTP servers has broken implementations of PUT/POST,
  5487. # and rely on an extra CRLF pair sent by some WWW clients.
  5488. #
  5489. # Quote from RFC2616 section 4.1 on this matter:
  5490. #
  5491. # Note: certain buggy HTTP/1.0 client implementations generate an
  5492. # extra CRLF's after a POST request. To restate what is explicitly
  5493. # forbidden by the BNF, an HTTP/1.1 client must not preface or follow
  5494. # a request with an extra CRLF.
  5495. #
  5496. # This clause only supports fast acl types.
  5497. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  5498. #
  5499. #Example:
  5500. # acl buggy_server url_regex ^http://....
  5501. # broken_posts allow buggy_server
  5502. #Default:
  5503. # Obey RFC 2616.
  5504.  
  5505. # TAG: adaptation_uses_indirect_client on|off
  5506. # Controls whether the indirect client IP address (instead of the direct
  5507. # client IP address) is passed to adaptation services.
  5508. #
  5509. # See also: follow_x_forwarded_for adaptation_send_client_ip
  5510. #Default:
  5511. # adaptation_uses_indirect_client on
  5512.  
  5513. # TAG: via on|off
  5514. # If set (default), Squid will include a Via header in requests and
  5515. # replies as required by RFC2616.
  5516. #Default:
  5517. # via on
  5518.  
  5519. # TAG: vary_ignore_expire on|off
  5520. # Many HTTP servers supporting Vary gives such objects
  5521. # immediate expiry time with no cache-control header
  5522. # when requested by a HTTP/1.0 client. This option
  5523. # enables Squid to ignore such expiry times until
  5524. # HTTP/1.1 is fully implemented.
  5525. #
  5526. # WARNING: If turned on this may eventually cause some
  5527. # varying objects not intended for caching to get cached.
  5528. #Default:
  5529. # vary_ignore_expire off
  5530.  
  5531. # TAG: request_entities
  5532. # Squid defaults to deny GET and HEAD requests with request entities,
  5533. # as the meaning of such requests are undefined in the HTTP standard
  5534. # even if not explicitly forbidden.
  5535. #
  5536. # Set this directive to on if you have clients which insists
  5537. # on sending request entities in GET or HEAD requests. But be warned
  5538. # that there is server software (both proxies and web servers) which
  5539. # can fail to properly process this kind of request which may make you
  5540. # vulnerable to cache pollution attacks if enabled.
  5541. #Default:
  5542. # request_entities off
  5543.  
  5544. # TAG: request_header_access
  5545. # Usage: request_header_access header_name allow|deny [!]aclname ...
  5546. #
  5547. # WARNING: Doing this VIOLATES the HTTP standard. Enabling
  5548. # this feature could make you liable for problems which it
  5549. # causes.
  5550. #
  5551. # This option replaces the old 'anonymize_headers' and the
  5552. # older 'http_anonymizer' option with something that is much
  5553. # more configurable. A list of ACLs for each header name allows
  5554. # removal of specific header fields under specific conditions.
  5555. #
  5556. # This option only applies to outgoing HTTP request headers (i.e.,
  5557. # headers sent by Squid to the next HTTP hop such as a cache peer
  5558. # or an origin server). The option has no effect during cache hit
  5559. # detection. The equivalent adaptation vectoring point in ICAP
  5560. # terminology is post-cache REQMOD.
  5561. #
  5562. # The option is applied to individual outgoing request header
  5563. # fields. For each request header field F, Squid uses the first
  5564. # qualifying sets of request_header_access rules:
  5565. #
  5566. # 1. Rules with header_name equal to F's name.
  5567. # 2. Rules with header_name 'Other', provided F's name is not
  5568. # on the hard-coded list of commonly used HTTP header names.
  5569. # 3. Rules with header_name 'All'.
  5570. #
  5571. # Within that qualifying rule set, rule ACLs are checked as usual.
  5572. # If ACLs of an "allow" rule match, the header field is allowed to
  5573. # go through as is. If ACLs of a "deny" rule match, the header is
  5574. # removed and request_header_replace is then checked to identify
  5575. # if the removed header has a replacement. If no rules within the
  5576. # set have matching ACLs, the header field is left as is.
  5577. #
  5578. # For example, to achieve the same behavior as the old
  5579. # 'http_anonymizer standard' option, you should use:
  5580. #
  5581. # request_header_access From deny all
  5582. # request_header_access Referer deny all
  5583. # request_header_access User-Agent deny all
  5584. #
  5585. # Or, to reproduce the old 'http_anonymizer paranoid' feature
  5586. # you should use:
  5587. #
  5588. # request_header_access Authorization allow all
  5589. # request_header_access Proxy-Authorization allow all
  5590. # request_header_access Cache-Control allow all
  5591. # request_header_access Content-Length allow all
  5592. # request_header_access Content-Type allow all
  5593. # request_header_access Date allow all
  5594. # request_header_access Host allow all
  5595. # request_header_access If-Modified-Since allow all
  5596. # request_header_access Pragma allow all
  5597. # request_header_access Accept allow all
  5598. # request_header_access Accept-Charset allow all
  5599. # request_header_access Accept-Encoding allow all
  5600. # request_header_access Accept-Language allow all
  5601. # request_header_access Connection allow all
  5602. # request_header_access All deny all
  5603. #
  5604. # HTTP reply headers are controlled with the reply_header_access directive.
  5605. #
  5606. # By default, all headers are allowed (no anonymizing is performed).
  5607. #Default:
  5608. # No limits.
  5609.  
  5610. # TAG: reply_header_access
  5611. # Usage: reply_header_access header_name allow|deny [!]aclname ...
  5612. #
  5613. # WARNING: Doing this VIOLATES the HTTP standard. Enabling
  5614. # this feature could make you liable for problems which it
  5615. # causes.
  5616. #
  5617. # This option only applies to reply headers, i.e., from the
  5618. # server to the client.
  5619. #
  5620. # This is the same as request_header_access, but in the other
  5621. # direction. Please see request_header_access for detailed
  5622. # documentation.
  5623. #
  5624. # For example, to achieve the same behavior as the old
  5625. # 'http_anonymizer standard' option, you should use:
  5626. #
  5627. # reply_header_access Server deny all
  5628. # reply_header_access WWW-Authenticate deny all
  5629. # reply_header_access Link deny all
  5630. #
  5631. # Or, to reproduce the old 'http_anonymizer paranoid' feature
  5632. # you should use:
  5633. #
  5634. # reply_header_access Allow allow all
  5635. # reply_header_access WWW-Authenticate allow all
  5636. # reply_header_access Proxy-Authenticate allow all
  5637. # reply_header_access Cache-Control allow all
  5638. # reply_header_access Content-Encoding allow all
  5639. # reply_header_access Content-Length allow all
  5640. # reply_header_access Content-Type allow all
  5641. # reply_header_access Date allow all
  5642. # reply_header_access Expires allow all
  5643. # reply_header_access Last-Modified allow all
  5644. # reply_header_access Location allow all
  5645. # reply_header_access Pragma allow all
  5646. # reply_header_access Content-Language allow all
  5647. # reply_header_access Retry-After allow all
  5648. # reply_header_access Title allow all
  5649. # reply_header_access Content-Disposition allow all
  5650. # reply_header_access Connection allow all
  5651. # reply_header_access All deny all
  5652. #
  5653. # HTTP request headers are controlled with the request_header_access directive.
  5654. #
  5655. # By default, all headers are allowed (no anonymizing is
  5656. # performed).
  5657. #Default:
  5658. # No limits.
  5659.  
  5660. # TAG: request_header_replace
  5661. # Usage: request_header_replace header_name message
  5662. # Example: request_header_replace User-Agent Nutscrape/1.0 (CP/M; 8-bit)
  5663. #
  5664. # This option allows you to change the contents of headers
  5665. # denied with request_header_access above, by replacing them
  5666. # with some fixed string.
  5667. #
  5668. # This only applies to request headers, not reply headers.
  5669. #
  5670. # By default, headers are removed if denied.
  5671. #Default:
  5672. # none
  5673.  
  5674. # TAG: reply_header_replace
  5675. # Usage: reply_header_replace header_name message
  5676. # Example: reply_header_replace Server Foo/1.0
  5677. #
  5678. # This option allows you to change the contents of headers
  5679. # denied with reply_header_access above, by replacing them
  5680. # with some fixed string.
  5681. #
  5682. # This only applies to reply headers, not request headers.
  5683. #
  5684. # By default, headers are removed if denied.
  5685. #Default:
  5686. # none
  5687.  
  5688. # TAG: request_header_add
  5689. # Usage: request_header_add field-name field-value [ acl ... ]
  5690. # Example: request_header_add X-Client-CA "CA=%ssl::>cert_issuer" all
  5691. #
  5692. # This option adds header fields to outgoing HTTP requests (i.e.,
  5693. # request headers sent by Squid to the next HTTP hop such as a
  5694. # cache peer or an origin server). The option has no effect during
  5695. # cache hit detection. The equivalent adaptation vectoring point
  5696. # in ICAP terminology is post-cache REQMOD.
  5697. #
  5698. # Field-name is a token specifying an HTTP header name. If a
  5699. # standard HTTP header name is used, Squid does not check whether
  5700. # the new header conflicts with any existing headers or violates
  5701. # HTTP rules. If the request to be modified already contains a
  5702. # field with the same name, the old field is preserved but the
  5703. # header field values are not merged.
  5704. #
  5705. # Field-value is either a token or a quoted string. If quoted
  5706. # string format is used, then the surrounding quotes are removed
  5707. # while escape sequences and %macros are processed.
  5708. #
  5709. # One or more Squid ACLs may be specified to restrict header
  5710. # injection to matching requests. As always in squid.conf, all
  5711. # ACLs in the ACL list must be satisfied for the insertion to
  5712. # happen. The request_header_add supports fast ACLs only.
  5713. #
  5714. # See also: reply_header_add.
  5715. #Default:
  5716. # none
  5717.  
  5718. # TAG: reply_header_add
  5719. # Usage: reply_header_add field-name field-value [ acl ... ]
  5720. # Example: reply_header_add X-Client-CA "CA=%ssl::>cert_issuer" all
  5721. #
  5722. # This option adds header fields to outgoing HTTP responses (i.e., response
  5723. # headers delivered by Squid to the client). This option has no effect on
  5724. # cache hit detection. The equivalent adaptation vectoring point in
  5725. # ICAP terminology is post-cache RESPMOD. This option does not apply to
  5726. # successful CONNECT replies.
  5727. #
  5728. # Field-name is a token specifying an HTTP header name. If a
  5729. # standard HTTP header name is used, Squid does not check whether
  5730. # the new header conflicts with any existing headers or violates
  5731. # HTTP rules. If the response to be modified already contains a
  5732. # field with the same name, the old field is preserved but the
  5733. # header field values are not merged.
  5734. #
  5735. # Field-value is either a token or a quoted string. If quoted
  5736. # string format is used, then the surrounding quotes are removed
  5737. # while escape sequences and %macros are processed.
  5738. #
  5739. # One or more Squid ACLs may be specified to restrict header
  5740. # injection to matching responses. As always in squid.conf, all
  5741. # ACLs in the ACL list must be satisfied for the insertion to
  5742. # happen. The reply_header_add option supports fast ACLs only.
  5743. #
  5744. # See also: request_header_add.
  5745. #Default:
  5746. # none
  5747.  
  5748. # TAG: note
  5749. # This option used to log custom information about the master
  5750. # transaction. For example, an admin may configure Squid to log
  5751. # which "user group" the transaction belongs to, where "user group"
  5752. # will be determined based on a set of ACLs and not [just]
  5753. # authentication information.
  5754. # Values of key/value pairs can be logged using %{key}note macros:
  5755. #
  5756. # note key value acl ...
  5757. # logformat myFormat ... %{key}note ...
  5758. #
  5759. # This clause only supports fast acl types.
  5760. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  5761. #Default:
  5762. # none
  5763.  
  5764. # TAG: relaxed_header_parser on|off|warn
  5765. # In the default "on" setting Squid accepts certain forms
  5766. # of non-compliant HTTP messages where it is unambiguous
  5767. # what the sending application intended even if the message
  5768. # is not correctly formatted. The messages is then normalized
  5769. # to the correct form when forwarded by Squid.
  5770. #
  5771. # If set to "warn" then a warning will be emitted in cache.log
  5772. # each time such HTTP error is encountered.
  5773. #
  5774. # If set to "off" then such HTTP errors will cause the request
  5775. # or response to be rejected.
  5776. #Default:
  5777. # relaxed_header_parser on
  5778.  
  5779. # TAG: collapsed_forwarding (on|off)
  5780. # This option controls whether Squid is allowed to merge multiple
  5781. # potentially cachable requests for the same URI before Squid knows
  5782. # whether the response is going to be cachable.
  5783. #
  5784. # When enabled, instead of forwarding each concurrent request for
  5785. # the same URL, Squid just sends the first of them. The other, so
  5786. # called "collapsed" requests, wait for the response to the first
  5787. # request and, if it happens to be cachable, use that response.
  5788. # Here, "concurrent requests" means "received after the first
  5789. # request headers were parsed and before the corresponding response
  5790. # headers were parsed".
  5791. #
  5792. # This feature is disabled by default: enabling collapsed
  5793. # forwarding needlessly delays forwarding requests that look
  5794. # cachable (when they are collapsed) but then need to be forwarded
  5795. # individually anyway because they end up being for uncachable
  5796. # content. However, in some cases, such as acceleration of highly
  5797. # cachable content with periodic or grouped expiration times, the
  5798. # gains from collapsing [large volumes of simultaneous refresh
  5799. # requests] outweigh losses from such delays.
  5800. #
  5801. # Squid collapses two kinds of requests: regular client requests
  5802. # received on one of the listening ports and internal "cache
  5803. # revalidation" requests which are triggered by those regular
  5804. # requests hitting a stale cached object. Revalidation collapsing
  5805. # is currently disabled for Squid instances containing SMP-aware
  5806. # disk or memory caches and for Vary-controlled cached objects.
  5807. #Default:
  5808. # collapsed_forwarding off
  5809.  
  5810. # TAG: collapsed_forwarding_shared_entries_limit (number of entries)
  5811. # This limits the size of a table used for sharing information
  5812. # about collapsible entries among SMP workers. Limiting sharing
  5813. # too much results in cache content duplication and missed
  5814. # collapsing opportunities. Using excessively large values
  5815. # wastes shared memory.
  5816. #
  5817. # The limit should be significantly larger then the number of
  5818. # concurrent collapsible entries one wants to share. For a cache
  5819. # that handles less than 5000 concurrent requests, the default
  5820. # setting of 16384 should be plenty.
  5821. #
  5822. # If the limit is set to zero, it disables sharing of collapsed
  5823. # forwarding between SMP workers.
  5824. #Default:
  5825. # collapsed_forwarding_shared_entries_limit 16384
  5826.  
  5827. # TIMEOUTS
  5828. # -----------------------------------------------------------------------------
  5829.  
  5830. # TAG: forward_timeout time-units
  5831. # This parameter specifies how long Squid should at most attempt in
  5832. # finding a forwarding path for the request before giving up.
  5833. #Default:
  5834. # forward_timeout 4 minutes
  5835.  
  5836. # TAG: connect_timeout time-units
  5837. # This parameter specifies how long to wait for the TCP connect to
  5838. # the requested server or peer to complete before Squid should
  5839. # attempt to find another path where to forward the request.
  5840. #Default:
  5841. # connect_timeout 1 minute
  5842.  
  5843. # TAG: peer_connect_timeout time-units
  5844. # This parameter specifies how long to wait for a pending TCP
  5845. # connection to a peer cache. The default is 30 seconds. You
  5846. # may also set different timeout values for individual neighbors
  5847. # with the 'connect-timeout' option on a 'cache_peer' line.
  5848. #Default:
  5849. # peer_connect_timeout 30 seconds
  5850.  
  5851. # TAG: read_timeout time-units
  5852. # Applied on peer server connections.
  5853. #
  5854. # After each successful read(), the timeout will be extended by this
  5855. # amount. If no data is read again after this amount of time,
  5856. # the request is aborted and logged with ERR_READ_TIMEOUT.
  5857. #
  5858. # The default is 15 minutes.
  5859. #Default:
  5860. # read_timeout 15 minutes
  5861.  
  5862. # TAG: write_timeout time-units
  5863. # This timeout is tracked for all connections that have data
  5864. # available for writing and are waiting for the socket to become
  5865. # ready. After each successful write, the timeout is extended by
  5866. # the configured amount. If Squid has data to write but the
  5867. # connection is not ready for the configured duration, the
  5868. # transaction associated with the connection is terminated. The
  5869. # default is 15 minutes.
  5870. #Default:
  5871. # write_timeout 15 minutes
  5872.  
  5873. # TAG: request_timeout
  5874. # How long to wait for complete HTTP request headers after initial
  5875. # connection establishment.
  5876. #Default:
  5877. # request_timeout 5 minutes
  5878.  
  5879. # TAG: request_start_timeout
  5880. # How long to wait for the first request byte after initial
  5881. # connection establishment.
  5882. #Default:
  5883. # request_start_timeout 5 minutes
  5884.  
  5885. # TAG: client_idle_pconn_timeout
  5886. # How long to wait for the next HTTP request on a persistent
  5887. # client connection after the previous request completes.
  5888. #Default:
  5889. # client_idle_pconn_timeout 2 minutes
  5890.  
  5891. # TAG: ftp_client_idle_timeout
  5892. # How long to wait for an FTP request on a connection to Squid ftp_port.
  5893. # Many FTP clients do not deal with idle connection closures well,
  5894. # necessitating a longer default timeout than client_idle_pconn_timeout
  5895. # used for incoming HTTP requests.
  5896. #Default:
  5897. # ftp_client_idle_timeout 30 minutes
  5898.  
  5899. # TAG: client_lifetime time-units
  5900. # The maximum amount of time a client (browser) is allowed to
  5901. # remain connected to the cache process. This protects the Cache
  5902. # from having a lot of sockets (and hence file descriptors) tied up
  5903. # in a CLOSE_WAIT state from remote clients that go away without
  5904. # properly shutting down (either because of a network failure or
  5905. # because of a poor client implementation). The default is one
  5906. # day, 1440 minutes.
  5907. #
  5908. # NOTE: The default value is intended to be much larger than any
  5909. # client would ever need to be connected to your cache. You
  5910. # should probably change client_lifetime only as a last resort.
  5911. # If you seem to have many client connections tying up
  5912. # filedescriptors, we recommend first tuning the read_timeout,
  5913. # request_timeout, persistent_request_timeout and quick_abort values.
  5914. #Default:
  5915. # client_lifetime 1 day
  5916.  
  5917. # TAG: pconn_lifetime time-units
  5918. # Desired maximum lifetime of a persistent connection.
  5919. # When set, Squid will close a now-idle persistent connection that
  5920. # exceeded configured lifetime instead of moving the connection into
  5921. # the idle connection pool (or equivalent). No effect on ongoing/active
  5922. # transactions. Connection lifetime is the time period from the
  5923. # connection acceptance or opening time until "now".
  5924. #
  5925. # This limit is useful in environments with long-lived connections
  5926. # where Squid configuration or environmental factors change during a
  5927. # single connection lifetime. If unrestricted, some connections may
  5928. # last for hours and even days, ignoring those changes that should
  5929. # have affected their behavior or their existence.
  5930. #
  5931. # Currently, a new lifetime value supplied via Squid reconfiguration
  5932. # has no effect on already idle connections unless they become busy.
  5933. #
  5934. # When set to '0' this limit is not used.
  5935. #Default:
  5936. # pconn_lifetime 0 seconds
  5937.  
  5938. # TAG: half_closed_clients
  5939. # Some clients may shutdown the sending side of their TCP
  5940. # connections, while leaving their receiving sides open. Sometimes,
  5941. # Squid can not tell the difference between a half-closed and a
  5942. # fully-closed TCP connection.
  5943. #
  5944. # By default, Squid will immediately close client connections when
  5945. # read(2) returns "no more data to read."
  5946. #
  5947. # Change this option to 'on' and Squid will keep open connections
  5948. # until a read(2) or write(2) on the socket returns an error.
  5949. # This may show some benefits for reverse proxies. But if not
  5950. # it is recommended to leave OFF.
  5951. #Default:
  5952. # half_closed_clients off
  5953.  
  5954. # TAG: server_idle_pconn_timeout
  5955. # Timeout for idle persistent connections to servers and other
  5956. # proxies.
  5957. #Default:
  5958. # server_idle_pconn_timeout 1 minute
  5959.  
  5960. # TAG: ident_timeout
  5961. # Maximum time to wait for IDENT lookups to complete.
  5962. #
  5963. # If this is too high, and you enabled IDENT lookups from untrusted
  5964. # users, you might be susceptible to denial-of-service by having
  5965. # many ident requests going at once.
  5966. #Default:
  5967. # ident_timeout 10 seconds
  5968.  
  5969. # TAG: shutdown_lifetime time-units
  5970. # When SIGTERM or SIGHUP is received, the cache is put into
  5971. # "shutdown pending" mode until all active sockets are closed.
  5972. # This value is the lifetime to set for all open descriptors
  5973. # during shutdown mode. Any active clients after this many
  5974. # seconds will receive a 'timeout' message.
  5975. #Default:
  5976. # shutdown_lifetime 30 seconds
  5977.  
  5978. # ADMINISTRATIVE PARAMETERS
  5979. # -----------------------------------------------------------------------------
  5980.  
  5981. # TAG: cache_mgr
  5982. # Email-address of local cache manager who will receive
  5983. # mail if the cache dies. The default is "webmaster".
  5984. #Default:
  5985. # cache_mgr webmaster
  5986.  
  5987. # TAG: mail_from
  5988. # From: email-address for mail sent when the cache dies.
  5989. # The default is to use 'squid@unique_hostname'.
  5990. #
  5991. # See also: unique_hostname directive.
  5992. #Default:
  5993. # none
  5994.  
  5995. # TAG: mail_program
  5996. # Email program used to send mail if the cache dies.
  5997. # The default is "mail". The specified program must comply
  5998. # with the standard Unix mail syntax:
  5999. # mail-program recipient < mailfile
  6000. #
  6001. # Optional command line options can be specified.
  6002. #Default:
  6003. # mail_program mail
  6004.  
  6005. # TAG: cache_effective_user
  6006. # If you start Squid as root, it will change its effective/real
  6007. # UID/GID to the user specified below. The default is to change
  6008. # to UID of proxy.
  6009. # see also; cache_effective_group
  6010. #Default:
  6011. # cache_effective_user proxy
  6012. cache_effective_user proxy
  6013.  
  6014. # TAG: cache_effective_group
  6015. # Squid sets the GID to the effective user's default group ID
  6016. # (taken from the password file) and supplementary group list
  6017. # from the groups membership.
  6018. #
  6019. # If you want Squid to run with a specific GID regardless of
  6020. # the group memberships of the effective user then set this
  6021. # to the group (or GID) you want Squid to run as. When set
  6022. # all other group privileges of the effective user are ignored
  6023. # and only this GID is effective. If Squid is not started as
  6024. # root the user starting Squid MUST be member of the specified
  6025. # group.
  6026. #
  6027. # This option is not recommended by the Squid Team.
  6028. # Our preference is for administrators to configure a secure
  6029. # user account for squid with UID/GID matching system policies.
  6030. #Default:
  6031. # Use system group memberships of the cache_effective_user account
  6032.  
  6033. # TAG: httpd_suppress_version_string on|off
  6034. # Suppress Squid version string info in HTTP headers and HTML error pages.
  6035. #Default:
  6036. # httpd_suppress_version_string off
  6037.  
  6038. # TAG: visible_hostname
  6039. # If you want to present a special hostname in error messages, etc,
  6040. # define this. Otherwise, the return value of gethostname()
  6041. # will be used. If you have multiple caches in a cluster and
  6042. # get errors about IP-forwarding you must set them to have individual
  6043. # names with this setting.
  6044. #Default:
  6045. # Automatically detect the system host name
  6046.  
  6047. # TAG: unique_hostname
  6048. # If you want to have multiple machines with the same
  6049. # 'visible_hostname' you must give each machine a different
  6050. # 'unique_hostname' so forwarding loops can be detected.
  6051. #Default:
  6052. # Copy the value from visible_hostname
  6053.  
  6054. # TAG: hostname_aliases
  6055. # A list of other DNS names your cache has.
  6056. #Default:
  6057. # none
  6058.  
  6059. # TAG: umask
  6060. # Minimum umask which should be enforced while the proxy
  6061. # is running, in addition to the umask set at startup.
  6062. #
  6063. # For a traditional octal representation of umasks, start
  6064. # your value with 0.
  6065. #Default:
  6066. # umask 027
  6067.  
  6068. # OPTIONS FOR THE CACHE REGISTRATION SERVICE
  6069. # -----------------------------------------------------------------------------
  6070. #
  6071. # This section contains parameters for the (optional) cache
  6072. # announcement service. This service is provided to help
  6073. # cache administrators locate one another in order to join or
  6074. # create cache hierarchies.
  6075. #
  6076. # An 'announcement' message is sent (via UDP) to the registration
  6077. # service by Squid. By default, the announcement message is NOT
  6078. # SENT unless you enable it with 'announce_period' below.
  6079. #
  6080. # The announcement message includes your hostname, plus the
  6081. # following information from this configuration file:
  6082. #
  6083. # http_port
  6084. # icp_port
  6085. # cache_mgr
  6086. #
  6087. # All current information is processed regularly and made
  6088. # available on the Web at http://www.ircache.net/Cache/Tracker/.
  6089.  
  6090. # TAG: announce_period
  6091. # This is how frequently to send cache announcements.
  6092. #
  6093. # To enable announcing your cache, just set an announce period.
  6094. #
  6095. # Example:
  6096. # announce_period 1 day
  6097. #Default:
  6098. # Announcement messages disabled.
  6099.  
  6100. # TAG: announce_host
  6101. # Set the hostname where announce registration messages will be sent.
  6102. #
  6103. # See also announce_port and announce_file
  6104. #Default:
  6105. # announce_host tracker.ircache.net
  6106.  
  6107. # TAG: announce_file
  6108. # The contents of this file will be included in the announce
  6109. # registration messages.
  6110. #Default:
  6111. # none
  6112.  
  6113. # TAG: announce_port
  6114. # Set the port where announce registration messages will be sent.
  6115. #
  6116. # See also announce_host and announce_file
  6117. #Default:
  6118. # announce_port 3131
  6119.  
  6120. # HTTPD-ACCELERATOR OPTIONS
  6121. # -----------------------------------------------------------------------------
  6122.  
  6123. # TAG: httpd_accel_surrogate_id
  6124. # Surrogates (http://www.esi.org/architecture_spec_1.0.html)
  6125. # need an identification token to allow control targeting. Because
  6126. # a farm of surrogates may all perform the same tasks, they may share
  6127. # an identification token.
  6128. #Default:
  6129. # visible_hostname is used if no specific ID is set.
  6130.  
  6131. # TAG: http_accel_surrogate_remote on|off
  6132. # Remote surrogates (such as those in a CDN) honour the header
  6133. # "Surrogate-Control: no-store-remote".
  6134. #
  6135. # Set this to on to have squid behave as a remote surrogate.
  6136. #Default:
  6137. # http_accel_surrogate_remote off
  6138.  
  6139. # TAG: esi_parser libxml2|expat
  6140. # Selects the XML parsing library to use when interpreting responses with
  6141. # Edge Side Includes.
  6142. #
  6143. # To disable ESI handling completely, ./configure Squid with --disable-esi.
  6144. #Default:
  6145. # Selects libxml2 if available at ./configure time or libexpat otherwise.
  6146.  
  6147. # DELAY POOL PARAMETERS
  6148. # -----------------------------------------------------------------------------
  6149.  
  6150. # TAG: delay_pools
  6151. # This represents the number of delay pools to be used. For example,
  6152. # if you have one class 2 delay pool and one class 3 delays pool, you
  6153. # have a total of 2 delay pools.
  6154. #
  6155. # See also delay_parameters, delay_class, delay_access for pool
  6156. # configuration details.
  6157. #Default:
  6158. # delay_pools 0
  6159.  
  6160. # TAG: delay_class
  6161. # This defines the class of each delay pool. There must be exactly one
  6162. # delay_class line for each delay pool. For example, to define two
  6163. # delay pools, one of class 2 and one of class 3, the settings above
  6164. # and here would be:
  6165. #
  6166. # Example:
  6167. # delay_pools 4 # 4 delay pools
  6168. # delay_class 1 2 # pool 1 is a class 2 pool
  6169. # delay_class 2 3 # pool 2 is a class 3 pool
  6170. # delay_class 3 4 # pool 3 is a class 4 pool
  6171. # delay_class 4 5 # pool 4 is a class 5 pool
  6172. #
  6173. # The delay pool classes are:
  6174. #
  6175. # class 1 Everything is limited by a single aggregate
  6176. # bucket.
  6177. #
  6178. # class 2 Everything is limited by a single aggregate
  6179. # bucket as well as an "individual" bucket chosen
  6180. # from bits 25 through 32 of the IPv4 address.
  6181. #
  6182. # class 3 Everything is limited by a single aggregate
  6183. # bucket as well as a "network" bucket chosen
  6184. # from bits 17 through 24 of the IP address and a
  6185. # "individual" bucket chosen from bits 17 through
  6186. # 32 of the IPv4 address.
  6187. #
  6188. # class 4 Everything in a class 3 delay pool, with an
  6189. # additional limit on a per user basis. This
  6190. # only takes effect if the username is established
  6191. # in advance - by forcing authentication in your
  6192. # http_access rules.
  6193. #
  6194. # class 5 Requests are grouped according their tag (see
  6195. # external_acl's tag= reply).
  6196. #
  6197. #
  6198. # Each pool also requires a delay_parameters directive to configure the pool size
  6199. # and speed limits used whenever the pool is applied to a request. Along with
  6200. # a set of delay_access directives to determine when it is used.
  6201. #
  6202. # NOTE: If an IP address is a.b.c.d
  6203. # -> bits 25 through 32 are "d"
  6204. # -> bits 17 through 24 are "c"
  6205. # -> bits 17 through 32 are "c * 256 + d"
  6206. #
  6207. # NOTE-2: Due to the use of bitmasks in class 2,3,4 pools they only apply to
  6208. # IPv4 traffic. Class 1 and 5 pools may be used with IPv6 traffic.
  6209. #
  6210. # This clause only supports fast acl types.
  6211. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  6212. #
  6213. # See also delay_parameters and delay_access.
  6214. #Default:
  6215. # none
  6216.  
  6217. # TAG: delay_access
  6218. # This is used to determine which delay pool a request falls into.
  6219. #
  6220. # delay_access is sorted per pool and the matching starts with pool 1,
  6221. # then pool 2, ..., and finally pool N. The first delay pool where the
  6222. # request is allowed is selected for the request. If it does not allow
  6223. # the request to any pool then the request is not delayed (default).
  6224. #
  6225. # For example, if you want some_big_clients in delay
  6226. # pool 1 and lotsa_little_clients in delay pool 2:
  6227. #
  6228. # delay_access 1 allow some_big_clients
  6229. # delay_access 1 deny all
  6230. # delay_access 2 allow lotsa_little_clients
  6231. # delay_access 2 deny all
  6232. # delay_access 3 allow authenticated_clients
  6233. #
  6234. # See also delay_parameters and delay_class.
  6235. #
  6236. #Default:
  6237. # Deny using the pool, unless allow rules exist in squid.conf for the pool.
  6238.  
  6239. # TAG: delay_parameters
  6240. # This defines the parameters for a delay pool. Each delay pool has
  6241. # a number of "buckets" associated with it, as explained in the
  6242. # description of delay_class.
  6243. #
  6244. # For a class 1 delay pool, the syntax is:
  6245. # delay_class pool 1
  6246. # delay_parameters pool aggregate
  6247. #
  6248. # For a class 2 delay pool:
  6249. # delay_class pool 2
  6250. # delay_parameters pool aggregate individual
  6251. #
  6252. # For a class 3 delay pool:
  6253. # delay_class pool 3
  6254. # delay_parameters pool aggregate network individual
  6255. #
  6256. # For a class 4 delay pool:
  6257. # delay_class pool 4
  6258. # delay_parameters pool aggregate network individual user
  6259. #
  6260. # For a class 5 delay pool:
  6261. # delay_class pool 5
  6262. # delay_parameters pool tagrate
  6263. #
  6264. # The option variables are:
  6265. #
  6266. # pool a pool number - ie, a number between 1 and the
  6267. # number specified in delay_pools as used in
  6268. # delay_class lines.
  6269. #
  6270. # aggregate the speed limit parameters for the aggregate bucket
  6271. # (class 1, 2, 3).
  6272. #
  6273. # individual the speed limit parameters for the individual
  6274. # buckets (class 2, 3).
  6275. #
  6276. # network the speed limit parameters for the network buckets
  6277. # (class 3).
  6278. #
  6279. # user the speed limit parameters for the user buckets
  6280. # (class 4).
  6281. #
  6282. # tagrate the speed limit parameters for the tag buckets
  6283. # (class 5).
  6284. #
  6285. # A pair of delay parameters is written restore/maximum, where restore is
  6286. # the number of bytes (not bits - modem and network speeds are usually
  6287. # quoted in bits) per second placed into the bucket, and maximum is the
  6288. # maximum number of bytes which can be in the bucket at any time.
  6289. #
  6290. # There must be one delay_parameters line for each delay pool.
  6291. #
  6292. #
  6293. # For example, if delay pool number 1 is a class 2 delay pool as in the
  6294. # above example, and is being used to strictly limit each host to 64Kbit/sec
  6295. # (plus overheads), with no overall limit, the line is:
  6296. #
  6297. # delay_parameters 1 none 8000/8000
  6298. #
  6299. # Note that 8 x 8K Byte/sec -> 64K bit/sec.
  6300. #
  6301. # Note that the word 'none' is used to represent no limit.
  6302. #
  6303. #
  6304. # And, if delay pool number 2 is a class 3 delay pool as in the above
  6305. # example, and you want to limit it to a total of 256Kbit/sec (strict limit)
  6306. # with each 8-bit network permitted 64Kbit/sec (strict limit) and each
  6307. # individual host permitted 4800bit/sec with a bucket maximum size of 64Kbits
  6308. # to permit a decent web page to be downloaded at a decent speed
  6309. # (if the network is not being limited due to overuse) but slow down
  6310. # large downloads more significantly:
  6311. #
  6312. # delay_parameters 2 32000/32000 8000/8000 600/8000
  6313. #
  6314. # Note that 8 x 32K Byte/sec -> 256K bit/sec.
  6315. # 8 x 8K Byte/sec -> 64K bit/sec.
  6316. # 8 x 600 Byte/sec -> 4800 bit/sec.
  6317. #
  6318. #
  6319. # Finally, for a class 4 delay pool as in the example - each user will
  6320. # be limited to 128Kbits/sec no matter how many workstations they are logged into.:
  6321. #
  6322. # delay_parameters 4 32000/32000 8000/8000 600/64000 16000/16000
  6323. #
  6324. #
  6325. # See also delay_class and delay_access.
  6326. #
  6327. #Default:
  6328. # none
  6329.  
  6330. # TAG: delay_initial_bucket_level (percent, 0-100)
  6331. # The initial bucket percentage is used to determine how much is put
  6332. # in each bucket when squid starts, is reconfigured, or first notices
  6333. # a host accessing it (in class 2 and class 3, individual hosts and
  6334. # networks only have buckets associated with them once they have been
  6335. # "seen" by squid).
  6336. #Default:
  6337. # delay_initial_bucket_level 50
  6338.  
  6339. # CLIENT DELAY POOL PARAMETERS
  6340. # -----------------------------------------------------------------------------
  6341.  
  6342. # TAG: client_delay_pools
  6343. # This option specifies the number of client delay pools used. It must
  6344. # preceed other client_delay_* options.
  6345. #
  6346. # Example:
  6347. # client_delay_pools 2
  6348. #
  6349. # See also client_delay_parameters and client_delay_access.
  6350. #Default:
  6351. # client_delay_pools 0
  6352.  
  6353. # TAG: client_delay_initial_bucket_level (percent, 0-no_limit)
  6354. # This option determines the initial bucket size as a percentage of
  6355. # max_bucket_size from client_delay_parameters. Buckets are created
  6356. # at the time of the "first" connection from the matching IP. Idle
  6357. # buckets are periodically deleted up.
  6358. #
  6359. # You can specify more than 100 percent but note that such "oversized"
  6360. # buckets are not refilled until their size goes down to max_bucket_size
  6361. # from client_delay_parameters.
  6362. #
  6363. # Example:
  6364. # client_delay_initial_bucket_level 50
  6365. #Default:
  6366. # client_delay_initial_bucket_level 50
  6367.  
  6368. # TAG: client_delay_parameters
  6369. #
  6370. # This option configures client-side bandwidth limits using the
  6371. # following format:
  6372. #
  6373. # client_delay_parameters pool speed_limit max_bucket_size
  6374. #
  6375. # pool is an integer ID used for client_delay_access matching.
  6376. #
  6377. # speed_limit is bytes added to the bucket per second.
  6378. #
  6379. # max_bucket_size is the maximum size of a bucket, enforced after any
  6380. # speed_limit additions.
  6381. #
  6382. # Please see the delay_parameters option for more information and
  6383. # examples.
  6384. #
  6385. # Example:
  6386. # client_delay_parameters 1 1024 2048
  6387. # client_delay_parameters 2 51200 16384
  6388. #
  6389. # See also client_delay_access.
  6390. #
  6391. #Default:
  6392. # none
  6393.  
  6394. # TAG: client_delay_access
  6395. # This option determines the client-side delay pool for the
  6396. # request:
  6397. #
  6398. # client_delay_access pool_ID allow|deny acl_name
  6399. #
  6400. # All client_delay_access options are checked in their pool ID
  6401. # order, starting with pool 1. The first checked pool with allowed
  6402. # request is selected for the request. If no ACL matches or there
  6403. # are no client_delay_access options, the request bandwidth is not
  6404. # limited.
  6405. #
  6406. # The ACL-selected pool is then used to find the
  6407. # client_delay_parameters for the request. Client-side pools are
  6408. # not used to aggregate clients. Clients are always aggregated
  6409. # based on their source IP addresses (one bucket per source IP).
  6410. #
  6411. # This clause only supports fast acl types.
  6412. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  6413. # Additionally, only the client TCP connection details are available.
  6414. # ACLs testing HTTP properties will not work.
  6415. #
  6416. # Please see delay_access for more examples.
  6417. #
  6418. # Example:
  6419. # client_delay_access 1 allow low_rate_network
  6420. # client_delay_access 2 allow vips_network
  6421. #
  6422. #
  6423. # See also client_delay_parameters and client_delay_pools.
  6424. #Default:
  6425. # Deny use of the pool, unless allow rules exist in squid.conf for the pool.
  6426.  
  6427. # WCCPv1 AND WCCPv2 CONFIGURATION OPTIONS
  6428. # -----------------------------------------------------------------------------
  6429.  
  6430. # TAG: wccp_router
  6431. # Use this option to define your WCCP ``home'' router for
  6432. # Squid.
  6433. #
  6434. # wccp_router supports a single WCCP(v1) router
  6435. #
  6436. # wccp2_router supports multiple WCCPv2 routers
  6437. #
  6438. # only one of the two may be used at the same time and defines
  6439. # which version of WCCP to use.
  6440. #Default:
  6441. # WCCP disabled.
  6442.  
  6443. # TAG: wccp2_router
  6444. # Use this option to define your WCCP ``home'' router for
  6445. # Squid.
  6446. #
  6447. # wccp_router supports a single WCCP(v1) router
  6448. #
  6449. # wccp2_router supports multiple WCCPv2 routers
  6450. #
  6451. # only one of the two may be used at the same time and defines
  6452. # which version of WCCP to use.
  6453. #Default:
  6454. # WCCPv2 disabled.
  6455.  
  6456. # TAG: wccp_version
  6457. # This directive is only relevant if you need to set up WCCP(v1)
  6458. # to some very old and end-of-life Cisco routers. In all other
  6459. # setups it must be left unset or at the default setting.
  6460. # It defines an internal version in the WCCP(v1) protocol,
  6461. # with version 4 being the officially documented protocol.
  6462. #
  6463. # According to some users, Cisco IOS 11.2 and earlier only
  6464. # support WCCP version 3. If you're using that or an earlier
  6465. # version of IOS, you may need to change this value to 3, otherwise
  6466. # do not specify this parameter.
  6467. #Default:
  6468. # wccp_version 4
  6469.  
  6470. # TAG: wccp2_rebuild_wait
  6471. # If this is enabled Squid will wait for the cache dir rebuild to finish
  6472. # before sending the first wccp2 HereIAm packet
  6473. #Default:
  6474. # wccp2_rebuild_wait on
  6475.  
  6476. # TAG: wccp2_forwarding_method
  6477. # WCCP2 allows the setting of forwarding methods between the
  6478. # router/switch and the cache. Valid values are as follows:
  6479. #
  6480. # gre - GRE encapsulation (forward the packet in a GRE/WCCP tunnel)
  6481. # l2 - L2 redirect (forward the packet using Layer 2/MAC rewriting)
  6482. #
  6483. # Currently (as of IOS 12.4) cisco routers only support GRE.
  6484. # Cisco switches only support the L2 redirect assignment method.
  6485. #Default:
  6486. # wccp2_forwarding_method gre
  6487.  
  6488. # TAG: wccp2_return_method
  6489. # WCCP2 allows the setting of return methods between the
  6490. # router/switch and the cache for packets that the cache
  6491. # decides not to handle. Valid values are as follows:
  6492. #
  6493. # gre - GRE encapsulation (forward the packet in a GRE/WCCP tunnel)
  6494. # l2 - L2 redirect (forward the packet using Layer 2/MAC rewriting)
  6495. #
  6496. # Currently (as of IOS 12.4) cisco routers only support GRE.
  6497. # Cisco switches only support the L2 redirect assignment.
  6498. #
  6499. # If the "ip wccp redirect exclude in" command has been
  6500. # enabled on the cache interface, then it is still safe for
  6501. # the proxy server to use a l2 redirect method even if this
  6502. # option is set to GRE.
  6503. #Default:
  6504. # wccp2_return_method gre
  6505.  
  6506. # TAG: wccp2_assignment_method
  6507. # WCCP2 allows the setting of methods to assign the WCCP hash
  6508. # Valid values are as follows:
  6509. #
  6510. # hash - Hash assignment
  6511. # mask - Mask assignment
  6512. #
  6513. # As a general rule, cisco routers support the hash assignment method
  6514. # and cisco switches support the mask assignment method.
  6515. #Default:
  6516. # wccp2_assignment_method hash
  6517.  
  6518. # TAG: wccp2_service
  6519. # WCCP2 allows for multiple traffic services. There are two
  6520. # types: "standard" and "dynamic". The standard type defines
  6521. # one service id - http (id 0). The dynamic service ids can be from
  6522. # 51 to 255 inclusive. In order to use a dynamic service id
  6523. # one must define the type of traffic to be redirected; this is done
  6524. # using the wccp2_service_info option.
  6525. #
  6526. # The "standard" type does not require a wccp2_service_info option,
  6527. # just specifying the service id will suffice.
  6528. #
  6529. # MD5 service authentication can be enabled by adding
  6530. # "password=<password>" to the end of this service declaration.
  6531. #
  6532. # Examples:
  6533. #
  6534. # wccp2_service standard 0 # for the 'web-cache' standard service
  6535. # wccp2_service dynamic 80 # a dynamic service type which will be
  6536. # # fleshed out with subsequent options.
  6537. # wccp2_service standard 0 password=foo
  6538. #Default:
  6539. # Use the 'web-cache' standard service.
  6540.  
  6541. # TAG: wccp2_service_info
  6542. # Dynamic WCCPv2 services require further information to define the
  6543. # traffic you wish to have diverted.
  6544. #
  6545. # The format is:
  6546. #
  6547. # wccp2_service_info <id> protocol=<protocol> flags=<flag>,<flag>..
  6548. # priority=<priority> ports=<port>,<port>..
  6549. #
  6550. # The relevant WCCPv2 flags:
  6551. # + src_ip_hash, dst_ip_hash
  6552. # + source_port_hash, dst_port_hash
  6553. # + src_ip_alt_hash, dst_ip_alt_hash
  6554. # + src_port_alt_hash, dst_port_alt_hash
  6555. # + ports_source
  6556. #
  6557. # The port list can be one to eight entries.
  6558. #
  6559. # Example:
  6560. #
  6561. # wccp2_service_info 80 protocol=tcp flags=src_ip_hash,ports_source
  6562. # priority=240 ports=80
  6563. #
  6564. # Note: the service id must have been defined by a previous
  6565. # 'wccp2_service dynamic <id>' entry.
  6566. #Default:
  6567. # none
  6568.  
  6569. # TAG: wccp2_weight
  6570. # Each cache server gets assigned a set of the destination
  6571. # hash proportional to their weight.
  6572. #Default:
  6573. # wccp2_weight 10000
  6574.  
  6575. # TAG: wccp_address
  6576. # Use this option if you require WCCP(v1) to use a specific
  6577. # interface address.
  6578. #
  6579. # The default behavior is to not bind to any specific address.
  6580. #Default:
  6581. # Address selected by the operating system.
  6582.  
  6583. # TAG: wccp2_address
  6584. # Use this option if you require WCCPv2 to use a specific
  6585. # interface address.
  6586. #
  6587. # The default behavior is to not bind to any specific address.
  6588. #Default:
  6589. # Address selected by the operating system.
  6590.  
  6591. # PERSISTENT CONNECTION HANDLING
  6592. # -----------------------------------------------------------------------------
  6593. #
  6594. # Also see "pconn_timeout" in the TIMEOUTS section
  6595.  
  6596. # TAG: client_persistent_connections
  6597. # Persistent connection support for clients.
  6598. # Squid uses persistent connections (when allowed). You can use
  6599. # this option to disable persistent connections with clients.
  6600. #Default:
  6601. # client_persistent_connections on
  6602.  
  6603. # TAG: server_persistent_connections
  6604. # Persistent connection support for servers.
  6605. # Squid uses persistent connections (when allowed). You can use
  6606. # this option to disable persistent connections with servers.
  6607. #Default:
  6608. # server_persistent_connections on
  6609.  
  6610. # TAG: persistent_connection_after_error
  6611. # With this directive the use of persistent connections after
  6612. # HTTP errors can be disabled. Useful if you have clients
  6613. # who fail to handle errors on persistent connections proper.
  6614. #Default:
  6615. # persistent_connection_after_error on
  6616.  
  6617. # TAG: detect_broken_pconn
  6618. # Some servers have been found to incorrectly signal the use
  6619. # of HTTP/1.0 persistent connections even on replies not
  6620. # compatible, causing significant delays. This server problem
  6621. # has mostly been seen on redirects.
  6622. #
  6623. # By enabling this directive Squid attempts to detect such
  6624. # broken replies and automatically assume the reply is finished
  6625. # after 10 seconds timeout.
  6626. #Default:
  6627. # detect_broken_pconn off
  6628.  
  6629. # CACHE DIGEST OPTIONS
  6630. # -----------------------------------------------------------------------------
  6631.  
  6632. # TAG: digest_generation
  6633. # This controls whether the server will generate a Cache Digest
  6634. # of its contents. By default, Cache Digest generation is
  6635. # enabled if Squid is compiled with --enable-cache-digests defined.
  6636. #Default:
  6637. # digest_generation on
  6638.  
  6639. # TAG: digest_bits_per_entry
  6640. # This is the number of bits of the server's Cache Digest which
  6641. # will be associated with the Digest entry for a given HTTP
  6642. # Method and URL (public key) combination. The default is 5.
  6643. #Default:
  6644. # digest_bits_per_entry 5
  6645.  
  6646. # TAG: digest_rebuild_period (seconds)
  6647. # This is the wait time between Cache Digest rebuilds.
  6648. #Default:
  6649. # digest_rebuild_period 1 hour
  6650.  
  6651. # TAG: digest_rewrite_period (seconds)
  6652. # This is the wait time between Cache Digest writes to
  6653. # disk.
  6654. #Default:
  6655. # digest_rewrite_period 1 hour
  6656.  
  6657. # TAG: digest_swapout_chunk_size (bytes)
  6658. # This is the number of bytes of the Cache Digest to write to
  6659. # disk at a time. It defaults to 4096 bytes (4KB), the Squid
  6660. # default swap page.
  6661. #Default:
  6662. # digest_swapout_chunk_size 4096 bytes
  6663.  
  6664. # TAG: digest_rebuild_chunk_percentage (percent, 0-100)
  6665. # This is the percentage of the Cache Digest to be scanned at a
  6666. # time. By default it is set to 10% of the Cache Digest.
  6667. #Default:
  6668. # digest_rebuild_chunk_percentage 10
  6669.  
  6670. # SNMP OPTIONS
  6671. # -----------------------------------------------------------------------------
  6672.  
  6673. # TAG: snmp_port
  6674. # The port number where Squid listens for SNMP requests. To enable
  6675. # SNMP support set this to a suitable port number. Port number
  6676. # 3401 is often used for the Squid SNMP agent. By default it's
  6677. # set to "0" (disabled)
  6678. #
  6679. # Example:
  6680. # snmp_port 3401
  6681. #Default:
  6682. # SNMP disabled.
  6683.  
  6684. # TAG: snmp_access
  6685. # Allowing or denying access to the SNMP port.
  6686. #
  6687. # All access to the agent is denied by default.
  6688. # usage:
  6689. #
  6690. # snmp_access allow|deny [!]aclname ...
  6691. #
  6692. # This clause only supports fast acl types.
  6693. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  6694. #
  6695. #Example:
  6696. # snmp_access allow snmppublic localhost
  6697. # snmp_access deny all
  6698. #Default:
  6699. # Deny, unless rules exist in squid.conf.
  6700.  
  6701. # TAG: snmp_incoming_address
  6702. # Just like 'udp_incoming_address', but for the SNMP port.
  6703. #
  6704. # snmp_incoming_address is used for the SNMP socket receiving
  6705. # messages from SNMP agents.
  6706. #
  6707. # The default snmp_incoming_address is to listen on all
  6708. # available network interfaces.
  6709. #Default:
  6710. # Accept SNMP packets from all machine interfaces.
  6711.  
  6712. # TAG: snmp_outgoing_address
  6713. # Just like 'udp_outgoing_address', but for the SNMP port.
  6714. #
  6715. # snmp_outgoing_address is used for SNMP packets returned to SNMP
  6716. # agents.
  6717. #
  6718. # If snmp_outgoing_address is not set it will use the same socket
  6719. # as snmp_incoming_address. Only change this if you want to have
  6720. # SNMP replies sent using another address than where this Squid
  6721. # listens for SNMP queries.
  6722. #
  6723. # NOTE, snmp_incoming_address and snmp_outgoing_address can not have
  6724. # the same value since they both use the same port.
  6725. #Default:
  6726. # Use snmp_incoming_address or an address selected by the operating system.
  6727.  
  6728. # ICP OPTIONS
  6729. # -----------------------------------------------------------------------------
  6730.  
  6731. # TAG: icp_port
  6732. # The port number where Squid sends and receives ICP queries to
  6733. # and from neighbor caches. The standard UDP port for ICP is 3130.
  6734. #
  6735. # Example:
  6736. # icp_port 3130
  6737. #Default:
  6738. # ICP disabled.
  6739.  
  6740. # TAG: htcp_port
  6741. # The port number where Squid sends and receives HTCP queries to
  6742. # and from neighbor caches. To turn it on you want to set it to
  6743. # 4827.
  6744. #
  6745. # Example:
  6746. # htcp_port 4827
  6747. #Default:
  6748. # HTCP disabled.
  6749.  
  6750. # TAG: log_icp_queries on|off
  6751. # If set, ICP queries are logged to access.log. You may wish
  6752. # do disable this if your ICP load is VERY high to speed things
  6753. # up or to simplify log analysis.
  6754. #Default:
  6755. # log_icp_queries on
  6756.  
  6757. # TAG: udp_incoming_address
  6758. # udp_incoming_address is used for UDP packets received from other
  6759. # caches.
  6760. #
  6761. # The default behavior is to not bind to any specific address.
  6762. #
  6763. # Only change this if you want to have all UDP queries received on
  6764. # a specific interface/address.
  6765. #
  6766. # NOTE: udp_incoming_address is used by the ICP, HTCP, and DNS
  6767. # modules. Altering it will affect all of them in the same manner.
  6768. #
  6769. # see also; udp_outgoing_address
  6770. #
  6771. # NOTE, udp_incoming_address and udp_outgoing_address can not
  6772. # have the same value since they both use the same port.
  6773. #Default:
  6774. # Accept packets from all machine interfaces.
  6775.  
  6776. # TAG: udp_outgoing_address
  6777. # udp_outgoing_address is used for UDP packets sent out to other
  6778. # caches.
  6779. #
  6780. # The default behavior is to not bind to any specific address.
  6781. #
  6782. # Instead it will use the same socket as udp_incoming_address.
  6783. # Only change this if you want to have UDP queries sent using another
  6784. # address than where this Squid listens for UDP queries from other
  6785. # caches.
  6786. #
  6787. # NOTE: udp_outgoing_address is used by the ICP, HTCP, and DNS
  6788. # modules. Altering it will affect all of them in the same manner.
  6789. #
  6790. # see also; udp_incoming_address
  6791. #
  6792. # NOTE, udp_incoming_address and udp_outgoing_address can not
  6793. # have the same value since they both use the same port.
  6794. #Default:
  6795. # Use udp_incoming_address or an address selected by the operating system.
  6796.  
  6797. # TAG: icp_hit_stale on|off
  6798. # If you want to return ICP_HIT for stale cache objects, set this
  6799. # option to 'on'. If you have sibling relationships with caches
  6800. # in other administrative domains, this should be 'off'. If you only
  6801. # have sibling relationships with caches under your control,
  6802. # it is probably okay to set this to 'on'.
  6803. # If set to 'on', your siblings should use the option "allow-miss"
  6804. # on their cache_peer lines for connecting to you.
  6805. #Default:
  6806. # icp_hit_stale off
  6807.  
  6808. # TAG: minimum_direct_hops
  6809. # If using the ICMP pinging stuff, do direct fetches for sites
  6810. # which are no more than this many hops away.
  6811. #Default:
  6812. # minimum_direct_hops 4
  6813.  
  6814. # TAG: minimum_direct_rtt (msec)
  6815. # If using the ICMP pinging stuff, do direct fetches for sites
  6816. # which are no more than this many rtt milliseconds away.
  6817. #Default:
  6818. # minimum_direct_rtt 400
  6819.  
  6820. # TAG: netdb_low
  6821. # The low water mark for the ICMP measurement database.
  6822. #
  6823. # Note: high watermark controlled by netdb_high directive.
  6824. #
  6825. # These watermarks are counts, not percents. The defaults are
  6826. # (low) 900 and (high) 1000. When the high water mark is
  6827. # reached, database entries will be deleted until the low
  6828. # mark is reached.
  6829. #Default:
  6830. # netdb_low 900
  6831.  
  6832. # TAG: netdb_high
  6833. # The high water mark for the ICMP measurement database.
  6834. #
  6835. # Note: low watermark controlled by netdb_low directive.
  6836. #
  6837. # These watermarks are counts, not percents. The defaults are
  6838. # (low) 900 and (high) 1000. When the high water mark is
  6839. # reached, database entries will be deleted until the low
  6840. # mark is reached.
  6841. #Default:
  6842. # netdb_high 1000
  6843.  
  6844. # TAG: netdb_ping_period
  6845. # The minimum period for measuring a site. There will be at
  6846. # least this much delay between successive pings to the same
  6847. # network. The default is five minutes.
  6848. #Default:
  6849. # netdb_ping_period 5 minutes
  6850.  
  6851. # TAG: query_icmp on|off
  6852. # If you want to ask your peers to include ICMP data in their ICP
  6853. # replies, enable this option.
  6854. #
  6855. # If your peer has configured Squid (during compilation) with
  6856. # '--enable-icmp' that peer will send ICMP pings to origin server
  6857. # sites of the URLs it receives. If you enable this option the
  6858. # ICP replies from that peer will include the ICMP data (if available).
  6859. # Then, when choosing a parent cache, Squid will choose the parent with
  6860. # the minimal RTT to the origin server. When this happens, the
  6861. # hierarchy field of the access.log will be
  6862. # "CLOSEST_PARENT_MISS". This option is off by default.
  6863. #Default:
  6864. # query_icmp off
  6865.  
  6866. # TAG: test_reachability on|off
  6867. # When this is 'on', ICP MISS replies will be ICP_MISS_NOFETCH
  6868. # instead of ICP_MISS if the target host is NOT in the ICMP
  6869. # database, or has a zero RTT.
  6870. #Default:
  6871. # test_reachability off
  6872.  
  6873. # TAG: icp_query_timeout (msec)
  6874. # Normally Squid will automatically determine an optimal ICP
  6875. # query timeout value based on the round-trip-time of recent ICP
  6876. # queries. If you want to override the value determined by
  6877. # Squid, set this 'icp_query_timeout' to a non-zero value. This
  6878. # value is specified in MILLISECONDS, so, to use a 2-second
  6879. # timeout (the old default), you would write:
  6880. #
  6881. # icp_query_timeout 2000
  6882. #Default:
  6883. # Dynamic detection.
  6884.  
  6885. # TAG: maximum_icp_query_timeout (msec)
  6886. # Normally the ICP query timeout is determined dynamically. But
  6887. # sometimes it can lead to very large values (say 5 seconds).
  6888. # Use this option to put an upper limit on the dynamic timeout
  6889. # value. Do NOT use this option to always use a fixed (instead
  6890. # of a dynamic) timeout value. To set a fixed timeout see the
  6891. # 'icp_query_timeout' directive.
  6892. #Default:
  6893. # maximum_icp_query_timeout 2000
  6894.  
  6895. # TAG: minimum_icp_query_timeout (msec)
  6896. # Normally the ICP query timeout is determined dynamically. But
  6897. # sometimes it can lead to very small timeouts, even lower than
  6898. # the normal latency variance on your link due to traffic.
  6899. # Use this option to put an lower limit on the dynamic timeout
  6900. # value. Do NOT use this option to always use a fixed (instead
  6901. # of a dynamic) timeout value. To set a fixed timeout see the
  6902. # 'icp_query_timeout' directive.
  6903. #Default:
  6904. # minimum_icp_query_timeout 5
  6905.  
  6906. # TAG: background_ping_rate time-units
  6907. # Controls how often the ICP pings are sent to siblings that
  6908. # have background-ping set.
  6909. #Default:
  6910. # background_ping_rate 10 seconds
  6911.  
  6912. # MULTICAST ICP OPTIONS
  6913. # -----------------------------------------------------------------------------
  6914.  
  6915. # TAG: mcast_groups
  6916. # This tag specifies a list of multicast groups which your server
  6917. # should join to receive multicasted ICP queries.
  6918. #
  6919. # NOTE! Be very careful what you put here! Be sure you
  6920. # understand the difference between an ICP _query_ and an ICP
  6921. # _reply_. This option is to be set only if you want to RECEIVE
  6922. # multicast queries. Do NOT set this option to SEND multicast
  6923. # ICP (use cache_peer for that). ICP replies are always sent via
  6924. # unicast, so this option does not affect whether or not you will
  6925. # receive replies from multicast group members.
  6926. #
  6927. # You must be very careful to NOT use a multicast address which
  6928. # is already in use by another group of caches.
  6929. #
  6930. # If you are unsure about multicast, please read the Multicast
  6931. # chapter in the Squid FAQ (http://www.squid-cache.org/FAQ/).
  6932. #
  6933. # Usage: mcast_groups 239.128.16.128 224.0.1.20
  6934. #
  6935. # By default, Squid doesn't listen on any multicast groups.
  6936. #Default:
  6937. # none
  6938.  
  6939. # TAG: mcast_miss_addr
  6940. # Note: This option is only available if Squid is rebuilt with the
  6941. # -DMULTICAST_MISS_STREAM define
  6942. #
  6943. # If you enable this option, every "cache miss" URL will
  6944. # be sent out on the specified multicast address.
  6945. #
  6946. # Do not enable this option unless you are are absolutely
  6947. # certain you understand what you are doing.
  6948. #Default:
  6949. # disabled.
  6950.  
  6951. # TAG: mcast_miss_ttl
  6952. # Note: This option is only available if Squid is rebuilt with the
  6953. # -DMULTICAST_MISS_STREAM define
  6954. #
  6955. # This is the time-to-live value for packets multicasted
  6956. # when multicasting off cache miss URLs is enabled. By
  6957. # default this is set to 'site scope', i.e. 16.
  6958. #Default:
  6959. # mcast_miss_ttl 16
  6960.  
  6961. # TAG: mcast_miss_port
  6962. # Note: This option is only available if Squid is rebuilt with the
  6963. # -DMULTICAST_MISS_STREAM define
  6964. #
  6965. # This is the port number to be used in conjunction with
  6966. # 'mcast_miss_addr'.
  6967. #Default:
  6968. # mcast_miss_port 3135
  6969.  
  6970. # TAG: mcast_miss_encode_key
  6971. # Note: This option is only available if Squid is rebuilt with the
  6972. # -DMULTICAST_MISS_STREAM define
  6973. #
  6974. # The URLs that are sent in the multicast miss stream are
  6975. # encrypted. This is the encryption key.
  6976. #Default:
  6977. # mcast_miss_encode_key XXXXXXXXXXXXXXXX
  6978.  
  6979. # TAG: mcast_icp_query_timeout (msec)
  6980. # For multicast peers, Squid regularly sends out ICP "probes" to
  6981. # count how many other peers are listening on the given multicast
  6982. # address. This value specifies how long Squid should wait to
  6983. # count all the replies. The default is 2000 msec, or 2
  6984. # seconds.
  6985. #Default:
  6986. # mcast_icp_query_timeout 2000
  6987.  
  6988. # INTERNAL ICON OPTIONS
  6989. # -----------------------------------------------------------------------------
  6990.  
  6991. # TAG: icon_directory
  6992. # Where the icons are stored. These are normally kept in
  6993. # /usr/share/squid/icons
  6994. #Default:
  6995. # icon_directory /usr/share/squid/icons
  6996.  
  6997. # TAG: global_internal_static
  6998. # This directive controls is Squid should intercept all requests for
  6999. # /squid-internal-static/ no matter which host the URL is requesting
  7000. # (default on setting), or if nothing special should be done for
  7001. # such URLs (off setting). The purpose of this directive is to make
  7002. # icons etc work better in complex cache hierarchies where it may
  7003. # not always be possible for all corners in the cache mesh to reach
  7004. # the server generating a directory listing.
  7005. #Default:
  7006. # global_internal_static on
  7007.  
  7008. # TAG: short_icon_urls
  7009. # If this is enabled Squid will use short URLs for icons.
  7010. # If disabled it will revert to the old behavior of including
  7011. # it's own name and port in the URL.
  7012. #
  7013. # If you run a complex cache hierarchy with a mix of Squid and
  7014. # other proxies you may need to disable this directive.
  7015. #Default:
  7016. # short_icon_urls on
  7017.  
  7018. # ERROR PAGE OPTIONS
  7019. # -----------------------------------------------------------------------------
  7020.  
  7021. # TAG: error_directory
  7022. # If you wish to create your own versions of the default
  7023. # error files to customize them to suit your company copy
  7024. # the error/template files to another directory and point
  7025. # this tag at them.
  7026. #
  7027. # WARNING: This option will disable multi-language support
  7028. # on error pages if used.
  7029. #
  7030. # The squid developers are interested in making squid available in
  7031. # a wide variety of languages. If you are making translations for a
  7032. # language that Squid does not currently provide please consider
  7033. # contributing your translation back to the project.
  7034. # http://wiki.squid-cache.org/Translations
  7035. #
  7036. # The squid developers working on translations are happy to supply drop-in
  7037. # translated error files in exchange for any new language contributions.
  7038. #Default:
  7039. # Send error pages in the clients preferred language
  7040.  
  7041. # TAG: error_default_language
  7042. # Set the default language which squid will send error pages in
  7043. # if no existing translation matches the clients language
  7044. # preferences.
  7045. #
  7046. # If unset (default) generic English will be used.
  7047. #
  7048. # The squid developers are interested in making squid available in
  7049. # a wide variety of languages. If you are interested in making
  7050. # translations for any language see the squid wiki for details.
  7051. # http://wiki.squid-cache.org/Translations
  7052. #Default:
  7053. # Generate English language pages.
  7054.  
  7055. # TAG: error_log_languages
  7056. # Log to cache.log what languages users are attempting to
  7057. # auto-negotiate for translations.
  7058. #
  7059. # Successful negotiations are not logged. Only failures
  7060. # have meaning to indicate that Squid may need an upgrade
  7061. # of its error page translations.
  7062. #Default:
  7063. # error_log_languages on
  7064.  
  7065. # TAG: err_page_stylesheet
  7066. # CSS Stylesheet to pattern the display of Squid default error pages.
  7067. #
  7068. # For information on CSS see http://www.w3.org/Style/CSS/
  7069. #Default:
  7070. # err_page_stylesheet /etc/squid/errorpage.css
  7071.  
  7072. # TAG: err_html_text
  7073. # HTML text to include in error messages. Make this a "mailto"
  7074. # URL to your admin address, or maybe just a link to your
  7075. # organizations Web page.
  7076. #
  7077. # To include this in your error messages, you must rewrite
  7078. # the error template files (found in the "errors" directory).
  7079. # Wherever you want the 'err_html_text' line to appear,
  7080. # insert a %L tag in the error template file.
  7081. #Default:
  7082. # none
  7083.  
  7084. # TAG: email_err_data on|off
  7085. # If enabled, information about the occurred error will be
  7086. # included in the mailto links of the ERR pages (if %W is set)
  7087. # so that the email body contains the data.
  7088. # Syntax is <A HREF="mailto:%w%W">%w</A>
  7089. #Default:
  7090. # email_err_data on
  7091.  
  7092. # TAG: deny_info
  7093. # Usage: deny_info err_page_name acl
  7094. # or deny_info http://... acl
  7095. # or deny_info TCP_RESET acl
  7096. #
  7097. # This can be used to return a ERR_ page for requests which
  7098. # do not pass the 'http_access' rules. Squid remembers the last
  7099. # acl it evaluated in http_access, and if a 'deny_info' line exists
  7100. # for that ACL Squid returns a corresponding error page.
  7101. #
  7102. # The acl is typically the last acl on the http_access deny line which
  7103. # denied access. The exceptions to this rule are:
  7104. # - When Squid needs to request authentication credentials. It's then
  7105. # the first authentication related acl encountered
  7106. # - When none of the http_access lines matches. It's then the last
  7107. # acl processed on the last http_access line.
  7108. # - When the decision to deny access was made by an adaptation service,
  7109. # the acl name is the corresponding eCAP or ICAP service_name.
  7110. #
  7111. # NP: If providing your own custom error pages with error_directory
  7112. # you may also specify them by your custom file name:
  7113. # Example: deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys
  7114. #
  7115. # By defaut Squid will send "403 Forbidden". A different 4xx or 5xx
  7116. # may be specified by prefixing the file name with the code and a colon.
  7117. # e.g. 404:ERR_CUSTOM_ACCESS_DENIED
  7118. #
  7119. # Alternatively you can tell Squid to reset the TCP connection
  7120. # by specifying TCP_RESET.
  7121. #
  7122. # Or you can specify an error URL or URL pattern. The browsers will
  7123. # get redirected to the specified URL after formatting tags have
  7124. # been replaced. Redirect will be done with 302 or 307 according to
  7125. # HTTP/1.1 specs. A different 3xx code may be specified by prefixing
  7126. # the URL. e.g. 303:http://example.com/
  7127. #
  7128. # URL FORMAT TAGS:
  7129. # %a - username (if available. Password NOT included)
  7130. # %B - FTP path URL
  7131. # %e - Error number
  7132. # %E - Error description
  7133. # %h - Squid hostname
  7134. # %H - Request domain name
  7135. # %i - Client IP Address
  7136. # %M - Request Method
  7137. # %O - Unescaped message result from external ACL helper
  7138. # %o - Message result from external ACL helper
  7139. # %p - Request Port number
  7140. # %P - Request Protocol name
  7141. # %R - Request URL path
  7142. # %T - Timestamp in RFC 1123 format
  7143. # %U - Full canonical URL from client
  7144. # (HTTPS URLs terminate with *)
  7145. # %u - Full canonical URL from client
  7146. # %w - Admin email from squid.conf
  7147. # %x - Error name
  7148. # %% - Literal percent (%) code
  7149. #
  7150. #Default:
  7151. # none
  7152.  
  7153. # OPTIONS INFLUENCING REQUEST FORWARDING
  7154. # -----------------------------------------------------------------------------
  7155.  
  7156. # TAG: nonhierarchical_direct
  7157. # By default, Squid will send any non-hierarchical requests
  7158. # (not cacheable request type) direct to origin servers.
  7159. #
  7160. # When this is set to "off", Squid will prefer to send these
  7161. # requests to parents.
  7162. #
  7163. # Note that in most configurations, by turning this off you will only
  7164. # add latency to these request without any improvement in global hit
  7165. # ratio.
  7166. #
  7167. # This option only sets a preference. If the parent is unavailable a
  7168. # direct connection to the origin server may still be attempted. To
  7169. # completely prevent direct connections use never_direct.
  7170. #Default:
  7171. # nonhierarchical_direct on
  7172.  
  7173. # TAG: prefer_direct
  7174. # Normally Squid tries to use parents for most requests. If you for some
  7175. # reason like it to first try going direct and only use a parent if
  7176. # going direct fails set this to on.
  7177. #
  7178. # By combining nonhierarchical_direct off and prefer_direct on you
  7179. # can set up Squid to use a parent as a backup path if going direct
  7180. # fails.
  7181. #
  7182. # Note: If you want Squid to use parents for all requests see
  7183. # the never_direct directive. prefer_direct only modifies how Squid
  7184. # acts on cacheable requests.
  7185. #Default:
  7186. # prefer_direct off
  7187.  
  7188. # TAG: cache_miss_revalidate on|off
  7189. # RFC 7232 defines a conditional request mechanism to prevent
  7190. # response objects being unnecessarily transferred over the network.
  7191. # If that mechanism is used by the client and a cache MISS occurs
  7192. # it can prevent new cache entries being created.
  7193. #
  7194. # This option determines whether Squid on cache MISS will pass the
  7195. # client revalidation request to the server or tries to fetch new
  7196. # content for caching. It can be useful while the cache is mostly
  7197. # empty to more quickly have the cache populated by generating
  7198. # non-conditional GETs.
  7199. #
  7200. # When set to 'on' (default), Squid will pass all client If-* headers
  7201. # to the server. This permits server responses without a cacheable
  7202. # payload to be delivered and on MISS no new cache entry is created.
  7203. #
  7204. # When set to 'off' and if the request is cacheable, Squid will
  7205. # remove the clients If-Modified-Since and If-None-Match headers from
  7206. # the request sent to the server. This requests a 200 status response
  7207. # from the server to create a new cache entry with.
  7208. #Default:
  7209. # cache_miss_revalidate on
  7210.  
  7211. # TAG: always_direct
  7212. # Usage: always_direct allow|deny [!]aclname ...
  7213. #
  7214. # Here you can use ACL elements to specify requests which should
  7215. # ALWAYS be forwarded by Squid to the origin servers without using
  7216. # any peers. For example, to always directly forward requests for
  7217. # local servers ignoring any parents or siblings you may have use
  7218. # something like:
  7219. #
  7220. # acl local-servers dstdomain my.domain.net
  7221. # always_direct allow local-servers
  7222. #
  7223. # To always forward FTP requests directly, use
  7224. #
  7225. # acl FTP proto FTP
  7226. # always_direct allow FTP
  7227. #
  7228. # NOTE: There is a similar, but opposite option named
  7229. # 'never_direct'. You need to be aware that "always_direct deny
  7230. # foo" is NOT the same thing as "never_direct allow foo". You
  7231. # may need to use a deny rule to exclude a more-specific case of
  7232. # some other rule. Example:
  7233. #
  7234. # acl local-external dstdomain external.foo.net
  7235. # acl local-servers dstdomain .foo.net
  7236. # always_direct deny local-external
  7237. # always_direct allow local-servers
  7238. #
  7239. # NOTE: If your goal is to make the client forward the request
  7240. # directly to the origin server bypassing Squid then this needs
  7241. # to be done in the client configuration. Squid configuration
  7242. # can only tell Squid how Squid should fetch the object.
  7243. #
  7244. # NOTE: This directive is not related to caching. The replies
  7245. # is cached as usual even if you use always_direct. To not cache
  7246. # the replies see the 'cache' directive.
  7247. #
  7248. # This clause supports both fast and slow acl types.
  7249. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  7250. #Default:
  7251. # Prevent any cache_peer being used for this request.
  7252.  
  7253. # TAG: never_direct
  7254. # Usage: never_direct allow|deny [!]aclname ...
  7255. #
  7256. # never_direct is the opposite of always_direct. Please read
  7257. # the description for always_direct if you have not already.
  7258. #
  7259. # With 'never_direct' you can use ACL elements to specify
  7260. # requests which should NEVER be forwarded directly to origin
  7261. # servers. For example, to force the use of a proxy for all
  7262. # requests, except those in your local domain use something like:
  7263. #
  7264. # acl local-servers dstdomain .foo.net
  7265. # never_direct deny local-servers
  7266. # never_direct allow all
  7267. #
  7268. # or if Squid is inside a firewall and there are local intranet
  7269. # servers inside the firewall use something like:
  7270. #
  7271. # acl local-intranet dstdomain .foo.net
  7272. # acl local-external dstdomain external.foo.net
  7273. # always_direct deny local-external
  7274. # always_direct allow local-intranet
  7275. # never_direct allow all
  7276. #
  7277. # This clause supports both fast and slow acl types.
  7278. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  7279. #Default:
  7280. # Allow DNS results to be used for this request.
  7281.  
  7282. # ADVANCED NETWORKING OPTIONS
  7283. # -----------------------------------------------------------------------------
  7284.  
  7285. # TAG: incoming_udp_average
  7286. # Heavy voodoo here. I can't even believe you are reading this.
  7287. # Are you crazy? Don't even think about adjusting these unless
  7288. # you understand the algorithms in comm_select.c first!
  7289. #Default:
  7290. # incoming_udp_average 6
  7291.  
  7292. # TAG: incoming_tcp_average
  7293. # Heavy voodoo here. I can't even believe you are reading this.
  7294. # Are you crazy? Don't even think about adjusting these unless
  7295. # you understand the algorithms in comm_select.c first!
  7296. #Default:
  7297. # incoming_tcp_average 4
  7298.  
  7299. # TAG: incoming_dns_average
  7300. # Heavy voodoo here. I can't even believe you are reading this.
  7301. # Are you crazy? Don't even think about adjusting these unless
  7302. # you understand the algorithms in comm_select.c first!
  7303. #Default:
  7304. # incoming_dns_average 4
  7305.  
  7306. # TAG: min_udp_poll_cnt
  7307. # Heavy voodoo here. I can't even believe you are reading this.
  7308. # Are you crazy? Don't even think about adjusting these unless
  7309. # you understand the algorithms in comm_select.c first!
  7310. #Default:
  7311. # min_udp_poll_cnt 8
  7312.  
  7313. # TAG: min_dns_poll_cnt
  7314. # Heavy voodoo here. I can't even believe you are reading this.
  7315. # Are you crazy? Don't even think about adjusting these unless
  7316. # you understand the algorithms in comm_select.c first!
  7317. #Default:
  7318. # min_dns_poll_cnt 8
  7319.  
  7320. # TAG: min_tcp_poll_cnt
  7321. # Heavy voodoo here. I can't even believe you are reading this.
  7322. # Are you crazy? Don't even think about adjusting these unless
  7323. # you understand the algorithms in comm_select.c first!
  7324. #Default:
  7325. # min_tcp_poll_cnt 8
  7326.  
  7327. # TAG: accept_filter
  7328. # FreeBSD:
  7329. #
  7330. # The name of an accept(2) filter to install on Squid's
  7331. # listen socket(s). This feature is perhaps specific to
  7332. # FreeBSD and requires support in the kernel.
  7333. #
  7334. # The 'httpready' filter delays delivering new connections
  7335. # to Squid until a full HTTP request has been received.
  7336. # See the accf_http(9) man page for details.
  7337. #
  7338. # The 'dataready' filter delays delivering new connections
  7339. # to Squid until there is some data to process.
  7340. # See the accf_dataready(9) man page for details.
  7341. #
  7342. # Linux:
  7343. #
  7344. # The 'data' filter delays delivering of new connections
  7345. # to Squid until there is some data to process by TCP_ACCEPT_DEFER.
  7346. # You may optionally specify a number of seconds to wait by
  7347. # 'data=N' where N is the number of seconds. Defaults to 30
  7348. # if not specified. See the tcp(7) man page for details.
  7349. #EXAMPLE:
  7350. ## FreeBSD
  7351. #accept_filter httpready
  7352. ## Linux
  7353. #accept_filter data
  7354. #Default:
  7355. # none
  7356.  
  7357. # TAG: client_ip_max_connections
  7358. # Set an absolute limit on the number of connections a single
  7359. # client IP can use. Any more than this and Squid will begin to drop
  7360. # new connections from the client until it closes some links.
  7361. #
  7362. # Note that this is a global limit. It affects all HTTP, HTCP, Gopher and FTP
  7363. # connections from the client. For finer control use the ACL access controls.
  7364. #
  7365. # Requires client_db to be enabled (the default).
  7366. #
  7367. # WARNING: This may noticably slow down traffic received via external proxies
  7368. # or NAT devices and cause them to rebound error messages back to their clients.
  7369. #Default:
  7370. # No limit.
  7371.  
  7372. # TAG: tcp_recv_bufsize (bytes)
  7373. # Size of receive buffer to set for TCP sockets. Probably just
  7374. # as easy to change your kernel's default.
  7375. # Omit from squid.conf to use the default buffer size.
  7376. #Default:
  7377. # Use operating system TCP defaults.
  7378.  
  7379. # ICAP OPTIONS
  7380. # -----------------------------------------------------------------------------
  7381.  
  7382. # TAG: icap_enable on|off
  7383. # If you want to enable the ICAP module support, set this to on.
  7384. #Default:
  7385. # icap_enable off
  7386.  
  7387. # TAG: icap_connect_timeout
  7388. # This parameter specifies how long to wait for the TCP connect to
  7389. # the requested ICAP server to complete before giving up and either
  7390. # terminating the HTTP transaction or bypassing the failure.
  7391. #
  7392. # The default for optional services is peer_connect_timeout.
  7393. # The default for essential services is connect_timeout.
  7394. # If this option is explicitly set, its value applies to all services.
  7395. #Default:
  7396. # none
  7397.  
  7398. # TAG: icap_io_timeout time-units
  7399. # This parameter specifies how long to wait for an I/O activity on
  7400. # an established, active ICAP connection before giving up and
  7401. # either terminating the HTTP transaction or bypassing the
  7402. # failure.
  7403. #Default:
  7404. # Use read_timeout.
  7405.  
  7406. # TAG: icap_service_failure_limit limit [in memory-depth time-units]
  7407. # The limit specifies the number of failures that Squid tolerates
  7408. # when establishing a new TCP connection with an ICAP service. If
  7409. # the number of failures exceeds the limit, the ICAP service is
  7410. # not used for new ICAP requests until it is time to refresh its
  7411. # OPTIONS.
  7412. #
  7413. # A negative value disables the limit. Without the limit, an ICAP
  7414. # service will not be considered down due to connectivity failures
  7415. # between ICAP OPTIONS requests.
  7416. #
  7417. # Squid forgets ICAP service failures older than the specified
  7418. # value of memory-depth. The memory fading algorithm
  7419. # is approximate because Squid does not remember individual
  7420. # errors but groups them instead, splitting the option
  7421. # value into ten time slots of equal length.
  7422. #
  7423. # When memory-depth is 0 and by default this option has no
  7424. # effect on service failure expiration.
  7425. #
  7426. # Squid always forgets failures when updating service settings
  7427. # using an ICAP OPTIONS transaction, regardless of this option
  7428. # setting.
  7429. #
  7430. # For example,
  7431. # # suspend service usage after 10 failures in 5 seconds:
  7432. # icap_service_failure_limit 10 in 5 seconds
  7433. #Default:
  7434. # icap_service_failure_limit 10
  7435.  
  7436. # TAG: icap_service_revival_delay
  7437. # The delay specifies the number of seconds to wait after an ICAP
  7438. # OPTIONS request failure before requesting the options again. The
  7439. # failed ICAP service is considered "down" until fresh OPTIONS are
  7440. # fetched.
  7441. #
  7442. # The actual delay cannot be smaller than the hardcoded minimum
  7443. # delay of 30 seconds.
  7444. #Default:
  7445. # icap_service_revival_delay 180
  7446.  
  7447. # TAG: icap_preview_enable on|off
  7448. # The ICAP Preview feature allows the ICAP server to handle the
  7449. # HTTP message by looking only at the beginning of the message body
  7450. # or even without receiving the body at all. In some environments,
  7451. # previews greatly speedup ICAP processing.
  7452. #
  7453. # During an ICAP OPTIONS transaction, the server may tell Squid what
  7454. # HTTP messages should be previewed and how big the preview should be.
  7455. # Squid will not use Preview if the server did not request one.
  7456. #
  7457. # To disable ICAP Preview for all ICAP services, regardless of
  7458. # individual ICAP server OPTIONS responses, set this option to "off".
  7459. #Example:
  7460. #icap_preview_enable off
  7461. #Default:
  7462. # icap_preview_enable on
  7463.  
  7464. # TAG: icap_preview_size
  7465. # The default size of preview data to be sent to the ICAP server.
  7466. # This value might be overwritten on a per server basis by OPTIONS requests.
  7467. #Default:
  7468. # No preview sent.
  7469.  
  7470. # TAG: icap_206_enable on|off
  7471. # 206 (Partial Content) responses is an ICAP extension that allows the
  7472. # ICAP agents to optionally combine adapted and original HTTP message
  7473. # content. The decision to combine is postponed until the end of the
  7474. # ICAP response. Squid supports Partial Content extension by default.
  7475. #
  7476. # Activation of the Partial Content extension is negotiated with each
  7477. # ICAP service during OPTIONS exchange. Most ICAP servers should handle
  7478. # negotation correctly even if they do not support the extension, but
  7479. # some might fail. To disable Partial Content support for all ICAP
  7480. # services and to avoid any negotiation, set this option to "off".
  7481. #
  7482. # Example:
  7483. # icap_206_enable off
  7484. #Default:
  7485. # icap_206_enable on
  7486.  
  7487. # TAG: icap_default_options_ttl
  7488. # The default TTL value for ICAP OPTIONS responses that don't have
  7489. # an Options-TTL header.
  7490. #Default:
  7491. # icap_default_options_ttl 60
  7492.  
  7493. # TAG: icap_persistent_connections on|off
  7494. # Whether or not Squid should use persistent connections to
  7495. # an ICAP server.
  7496. #Default:
  7497. # icap_persistent_connections on
  7498.  
  7499. # TAG: adaptation_send_client_ip on|off
  7500. # If enabled, Squid shares HTTP client IP information with adaptation
  7501. # services. For ICAP, Squid adds the X-Client-IP header to ICAP requests.
  7502. # For eCAP, Squid sets the libecap::metaClientIp transaction option.
  7503. #
  7504. # See also: adaptation_uses_indirect_client
  7505. #Default:
  7506. # adaptation_send_client_ip off
  7507.  
  7508. # TAG: adaptation_send_username on|off
  7509. # This sends authenticated HTTP client username (if available) to
  7510. # the adaptation service.
  7511. #
  7512. # For ICAP, the username value is encoded based on the
  7513. # icap_client_username_encode option and is sent using the header
  7514. # specified by the icap_client_username_header option.
  7515. #Default:
  7516. # adaptation_send_username off
  7517.  
  7518. # TAG: icap_client_username_header
  7519. # ICAP request header name to use for adaptation_send_username.
  7520. #Default:
  7521. # icap_client_username_header X-Client-Username
  7522.  
  7523. # TAG: icap_client_username_encode on|off
  7524. # Whether to base64 encode the authenticated client username.
  7525. #Default:
  7526. # icap_client_username_encode off
  7527.  
  7528. # TAG: icap_service
  7529. # Defines a single ICAP service using the following format:
  7530. #
  7531. # icap_service id vectoring_point uri [option ...]
  7532. #
  7533. # id: ID
  7534. # an opaque identifier or name which is used to direct traffic to
  7535. # this specific service. Must be unique among all adaptation
  7536. # services in squid.conf.
  7537. #
  7538. # vectoring_point: reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache
  7539. # This specifies at which point of transaction processing the
  7540. # ICAP service should be activated. *_postcache vectoring points
  7541. # are not yet supported.
  7542. #
  7543. # uri: icap://servername:port/servicepath
  7544. # ICAP server and service location.
  7545. # icaps://servername:port/servicepath
  7546. # The "icap:" URI scheme is used for traditional ICAP server and
  7547. # service location (default port is 1344, connections are not
  7548. # encrypted). The "icaps:" URI scheme is for Secure ICAP
  7549. # services that use SSL/TLS-encrypted ICAP connections (by
  7550. # default, on port 11344).
  7551. #
  7552. # ICAP does not allow a single service to handle both REQMOD and RESPMOD
  7553. # transactions. Squid does not enforce that requirement. You can specify
  7554. # services with the same service_url and different vectoring_points. You
  7555. # can even specify multiple identical services as long as their
  7556. # service_names differ.
  7557. #
  7558. # To activate a service, use the adaptation_access directive. To group
  7559. # services, use adaptation_service_chain and adaptation_service_set.
  7560. #
  7561. # Service options are separated by white space. ICAP services support
  7562. # the following name=value options:
  7563. #
  7564. # bypass=on|off|1|0
  7565. # If set to 'on' or '1', the ICAP service is treated as
  7566. # optional. If the service cannot be reached or malfunctions,
  7567. # Squid will try to ignore any errors and process the message as
  7568. # if the service was not enabled. No all ICAP errors can be
  7569. # bypassed. If set to 0, the ICAP service is treated as
  7570. # essential and all ICAP errors will result in an error page
  7571. # returned to the HTTP client.
  7572. #
  7573. # Bypass is off by default: services are treated as essential.
  7574. #
  7575. # routing=on|off|1|0
  7576. # If set to 'on' or '1', the ICAP service is allowed to
  7577. # dynamically change the current message adaptation plan by
  7578. # returning a chain of services to be used next. The services
  7579. # are specified using the X-Next-Services ICAP response header
  7580. # value, formatted as a comma-separated list of service names.
  7581. # Each named service should be configured in squid.conf. Other
  7582. # services are ignored. An empty X-Next-Services value results
  7583. # in an empty plan which ends the current adaptation.
  7584. #
  7585. # Dynamic adaptation plan may cross or cover multiple supported
  7586. # vectoring points in their natural processing order.
  7587. #
  7588. # Routing is not allowed by default: the ICAP X-Next-Services
  7589. # response header is ignored.
  7590. #
  7591. # ipv6=on|off
  7592. # Only has effect on split-stack systems. The default on those systems
  7593. # is to use IPv4-only connections. When set to 'on' this option will
  7594. # make Squid use IPv6-only connections to contact this ICAP service.
  7595. #
  7596. # on-overload=block|bypass|wait|force
  7597. # If the service Max-Connections limit has been reached, do
  7598. # one of the following for each new ICAP transaction:
  7599. # * block: send an HTTP error response to the client
  7600. # * bypass: ignore the "over-connected" ICAP service
  7601. # * wait: wait (in a FIFO queue) for an ICAP connection slot
  7602. # * force: proceed, ignoring the Max-Connections limit
  7603. #
  7604. # In SMP mode with N workers, each worker assumes the service
  7605. # connection limit is Max-Connections/N, even though not all
  7606. # workers may use a given service.
  7607. #
  7608. # The default value is "bypass" if service is bypassable,
  7609. # otherwise it is set to "wait".
  7610. #
  7611. #
  7612. # max-conn=number
  7613. # Use the given number as the Max-Connections limit, regardless
  7614. # of the Max-Connections value given by the service, if any.
  7615. #
  7616. # connection-encryption=on|off
  7617. # Determines the ICAP service effect on the connections_encrypted
  7618. # ACL.
  7619. #
  7620. # The default is "on" for Secure ICAP services (i.e., those
  7621. # with the icaps:// service URIs scheme) and "off" for plain ICAP
  7622. # services.
  7623. #
  7624. # Does not affect ICAP connections (e.g., does not turn Secure
  7625. # ICAP on or off).
  7626. #
  7627. # ==== ICAPS / TLS OPTIONS ====
  7628. #
  7629. # These options are used for Secure ICAP (icaps://....) services only.
  7630. #
  7631. # tls-cert=/path/to/ssl/certificate
  7632. # A client X.509 certificate to use when connecting to
  7633. # this ICAP server.
  7634. #
  7635. # tls-key=/path/to/ssl/key
  7636. # The private key corresponding to the previous
  7637. # tls-cert= option.
  7638. #
  7639. # If tls-key= is not specified tls-cert= is assumed to
  7640. # reference a PEM file containing both the certificate
  7641. # and private key.
  7642. #
  7643. # tls-cipher=... The list of valid TLS/SSL ciphers to use when connecting
  7644. # to this icap server.
  7645. #
  7646. # tls-min-version=1.N
  7647. # The minimum TLS protocol version to permit. To control
  7648. # SSLv3 use the tls-options= parameter.
  7649. # Supported Values: 1.0 (default), 1.1, 1.2
  7650. #
  7651. # tls-options=... Specify various OpenSSL library options:
  7652. #
  7653. # NO_SSLv3 Disallow the use of SSLv3
  7654. #
  7655. # SINGLE_DH_USE
  7656. # Always create a new key when using
  7657. # temporary/ephemeral DH key exchanges
  7658. #
  7659. # ALL Enable various bug workarounds
  7660. # suggested as "harmless" by OpenSSL
  7661. # Be warned that this reduces SSL/TLS
  7662. # strength to some attacks.
  7663. #
  7664. # See the OpenSSL SSL_CTX_set_options documentation for a
  7665. # more complete list. Options relevant only to SSLv2 are
  7666. # not supported.
  7667. #
  7668. # tls-cafile= PEM file containing CA certificates to use when verifying
  7669. # the icap server certificate.
  7670. # Use to specify intermediate CA certificate(s) if not sent
  7671. # by the server. Or the full CA chain for the server when
  7672. # using the tls-default-ca=off flag.
  7673. # May be repeated to load multiple files.
  7674. #
  7675. # tls-capath=... A directory containing additional CA certificates to
  7676. # use when verifying the icap server certificate.
  7677. # Requires OpenSSL or LibreSSL.
  7678. #
  7679. # tls-crlfile=... A certificate revocation list file to use when
  7680. # verifying the icap server certificate.
  7681. #
  7682. # tls-flags=... Specify various flags modifying the Squid TLS implementation:
  7683. #
  7684. # DONT_VERIFY_PEER
  7685. # Accept certificates even if they fail to
  7686. # verify.
  7687. # DONT_VERIFY_DOMAIN
  7688. # Don't verify the icap server certificate
  7689. # matches the server name
  7690. #
  7691. # tls-default-ca[=off]
  7692. # Whether to use the system Trusted CAs. Default is ON.
  7693. #
  7694. # tls-domain= The icap server name as advertised in it's certificate.
  7695. # Used for verifying the correctness of the received icap
  7696. # server certificate. If not specified the icap server
  7697. # hostname extracted from ICAP URI will be used.
  7698. #
  7699. # Older icap_service format without optional named parameters is
  7700. # deprecated but supported for backward compatibility.
  7701. #
  7702. #Example:
  7703. #icap_service svcBlocker reqmod_precache icap://icap1.mydomain.net:1344/reqmod bypass=0
  7704. #icap_service svcLogger reqmod_precache icaps://icap2.mydomain.net:11344/reqmod routing=on
  7705. #Default:
  7706. # none
  7707.  
  7708. # TAG: icap_class
  7709. # This deprecated option was documented to define an ICAP service
  7710. # chain, even though it actually defined a set of similar, redundant
  7711. # services, and the chains were not supported.
  7712. #
  7713. # To define a set of redundant services, please use the
  7714. # adaptation_service_set directive. For service chains, use
  7715. # adaptation_service_chain.
  7716. #Default:
  7717. # none
  7718.  
  7719. # TAG: icap_access
  7720. # This option is deprecated. Please use adaptation_access, which
  7721. # has the same ICAP functionality, but comes with better
  7722. # documentation, and eCAP support.
  7723. #Default:
  7724. # none
  7725.  
  7726. # eCAP OPTIONS
  7727. # -----------------------------------------------------------------------------
  7728.  
  7729. # TAG: ecap_enable on|off
  7730. # Controls whether eCAP support is enabled.
  7731. #Default:
  7732. # ecap_enable off
  7733.  
  7734. # TAG: ecap_service
  7735. # Defines a single eCAP service
  7736. #
  7737. # ecap_service id vectoring_point uri [option ...]
  7738. #
  7739. # id: ID
  7740. # an opaque identifier or name which is used to direct traffic to
  7741. # this specific service. Must be unique among all adaptation
  7742. # services in squid.conf.
  7743. #
  7744. # vectoring_point: reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache
  7745. # This specifies at which point of transaction processing the
  7746. # eCAP service should be activated. *_postcache vectoring points
  7747. # are not yet supported.
  7748. #
  7749. # uri: ecap://vendor/service_name?custom&cgi=style&parameters=optional
  7750. # Squid uses the eCAP service URI to match this configuration
  7751. # line with one of the dynamically loaded services. Each loaded
  7752. # eCAP service must have a unique URI. Obtain the right URI from
  7753. # the service provider.
  7754. #
  7755. # To activate a service, use the adaptation_access directive. To group
  7756. # services, use adaptation_service_chain and adaptation_service_set.
  7757. #
  7758. # Service options are separated by white space. eCAP services support
  7759. # the following name=value options:
  7760. #
  7761. # bypass=on|off|1|0
  7762. # If set to 'on' or '1', the eCAP service is treated as optional.
  7763. # If the service cannot be reached or malfunctions, Squid will try
  7764. # to ignore any errors and process the message as if the service
  7765. # was not enabled. No all eCAP errors can be bypassed.
  7766. # If set to 'off' or '0', the eCAP service is treated as essential
  7767. # and all eCAP errors will result in an error page returned to the
  7768. # HTTP client.
  7769. #
  7770. # Bypass is off by default: services are treated as essential.
  7771. #
  7772. # routing=on|off|1|0
  7773. # If set to 'on' or '1', the eCAP service is allowed to
  7774. # dynamically change the current message adaptation plan by
  7775. # returning a chain of services to be used next.
  7776. #
  7777. # Dynamic adaptation plan may cross or cover multiple supported
  7778. # vectoring points in their natural processing order.
  7779. #
  7780. # Routing is not allowed by default.
  7781. #
  7782. # connection-encryption=on|off
  7783. # Determines the eCAP service effect on the connections_encrypted
  7784. # ACL.
  7785. #
  7786. # Defaults to "on", which does not taint the master transaction
  7787. # w.r.t. that ACL.
  7788. #
  7789. # Does not affect eCAP API calls.
  7790. #
  7791. # Older ecap_service format without optional named parameters is
  7792. # deprecated but supported for backward compatibility.
  7793. #
  7794. #
  7795. #Example:
  7796. #ecap_service s1 reqmod_precache ecap://filters.R.us/leakDetector?on_error=block bypass=off
  7797. #ecap_service s2 respmod_precache ecap://filters.R.us/virusFilter config=/etc/vf.cfg bypass=on
  7798. #Default:
  7799. # none
  7800.  
  7801. # TAG: loadable_modules
  7802. # Instructs Squid to load the specified dynamic module(s) or activate
  7803. # preloaded module(s).
  7804. #Example:
  7805. #loadable_modules /usr/lib/MinimalAdapter.so
  7806. #Default:
  7807. # none
  7808.  
  7809. # MESSAGE ADAPTATION OPTIONS
  7810. # -----------------------------------------------------------------------------
  7811.  
  7812. # TAG: adaptation_service_set
  7813. #
  7814. # Configures an ordered set of similar, redundant services. This is
  7815. # useful when hot standby or backup adaptation servers are available.
  7816. #
  7817. # adaptation_service_set set_name service_name1 service_name2 ...
  7818. #
  7819. # The named services are used in the set declaration order. The first
  7820. # applicable adaptation service from the set is used first. The next
  7821. # applicable service is tried if and only if the transaction with the
  7822. # previous service fails and the message waiting to be adapted is still
  7823. # intact.
  7824. #
  7825. # When adaptation starts, broken services are ignored as if they were
  7826. # not a part of the set. A broken service is a down optional service.
  7827. #
  7828. # The services in a set must be attached to the same vectoring point
  7829. # (e.g., pre-cache) and use the same adaptation method (e.g., REQMOD).
  7830. #
  7831. # If all services in a set are optional then adaptation failures are
  7832. # bypassable. If all services in the set are essential, then a
  7833. # transaction failure with one service may still be retried using
  7834. # another service from the set, but when all services fail, the master
  7835. # transaction fails as well.
  7836. #
  7837. # A set may contain a mix of optional and essential services, but that
  7838. # is likely to lead to surprising results because broken services become
  7839. # ignored (see above), making previously bypassable failures fatal.
  7840. # Technically, it is the bypassability of the last failed service that
  7841. # matters.
  7842. #
  7843. # See also: adaptation_access adaptation_service_chain
  7844. #
  7845. #Example:
  7846. #adaptation_service_set svcBlocker urlFilterPrimary urlFilterBackup
  7847. #adaptation service_set svcLogger loggerLocal loggerRemote
  7848. #Default:
  7849. # none
  7850.  
  7851. # TAG: adaptation_service_chain
  7852. #
  7853. # Configures a list of complementary services that will be applied
  7854. # one-by-one, forming an adaptation chain or pipeline. This is useful
  7855. # when Squid must perform different adaptations on the same message.
  7856. #
  7857. # adaptation_service_chain chain_name service_name1 svc_name2 ...
  7858. #
  7859. # The named services are used in the chain declaration order. The first
  7860. # applicable adaptation service from the chain is used first. The next
  7861. # applicable service is applied to the successful adaptation results of
  7862. # the previous service in the chain.
  7863. #
  7864. # When adaptation starts, broken services are ignored as if they were
  7865. # not a part of the chain. A broken service is a down optional service.
  7866. #
  7867. # Request satisfaction terminates the adaptation chain because Squid
  7868. # does not currently allow declaration of RESPMOD services at the
  7869. # "reqmod_precache" vectoring point (see icap_service or ecap_service).
  7870. #
  7871. # The services in a chain must be attached to the same vectoring point
  7872. # (e.g., pre-cache) and use the same adaptation method (e.g., REQMOD).
  7873. #
  7874. # A chain may contain a mix of optional and essential services. If an
  7875. # essential adaptation fails (or the failure cannot be bypassed for
  7876. # other reasons), the master transaction fails. Otherwise, the failure
  7877. # is bypassed as if the failed adaptation service was not in the chain.
  7878. #
  7879. # See also: adaptation_access adaptation_service_set
  7880. #
  7881. #Example:
  7882. #adaptation_service_chain svcRequest requestLogger urlFilter leakDetector
  7883. #Default:
  7884. # none
  7885.  
  7886. # TAG: adaptation_access
  7887. # Sends an HTTP transaction to an ICAP or eCAP adaptation service.
  7888. #
  7889. # adaptation_access service_name allow|deny [!]aclname...
  7890. # adaptation_access set_name allow|deny [!]aclname...
  7891. #
  7892. # At each supported vectoring point, the adaptation_access
  7893. # statements are processed in the order they appear in this
  7894. # configuration file. Statements pointing to the following services
  7895. # are ignored (i.e., skipped without checking their ACL):
  7896. #
  7897. # - services serving different vectoring points
  7898. # - "broken-but-bypassable" services
  7899. # - "up" services configured to ignore such transactions
  7900. # (e.g., based on the ICAP Transfer-Ignore header).
  7901. #
  7902. # When a set_name is used, all services in the set are checked
  7903. # using the same rules, to find the first applicable one. See
  7904. # adaptation_service_set for details.
  7905. #
  7906. # If an access list is checked and there is a match, the
  7907. # processing stops: For an "allow" rule, the corresponding
  7908. # adaptation service is used for the transaction. For a "deny"
  7909. # rule, no adaptation service is activated.
  7910. #
  7911. # It is currently not possible to apply more than one adaptation
  7912. # service at the same vectoring point to the same HTTP transaction.
  7913. #
  7914. # See also: icap_service and ecap_service
  7915. #
  7916. #Example:
  7917. #adaptation_access service_1 allow all
  7918. #Default:
  7919. # Allow, unless rules exist in squid.conf.
  7920.  
  7921. # TAG: adaptation_service_iteration_limit
  7922. # Limits the number of iterations allowed when applying adaptation
  7923. # services to a message. If your longest adaptation set or chain
  7924. # may have more than 16 services, increase the limit beyond its
  7925. # default value of 16. If detecting infinite iteration loops sooner
  7926. # is critical, make the iteration limit match the actual number
  7927. # of services in your longest adaptation set or chain.
  7928. #
  7929. # Infinite adaptation loops are most likely with routing services.
  7930. #
  7931. # See also: icap_service routing=1
  7932. #Default:
  7933. # adaptation_service_iteration_limit 16
  7934.  
  7935. # TAG: adaptation_masterx_shared_names
  7936. # For each master transaction (i.e., the HTTP request and response
  7937. # sequence, including all related ICAP and eCAP exchanges), Squid
  7938. # maintains a table of metadata. The table entries are (name, value)
  7939. # pairs shared among eCAP and ICAP exchanges. The table is destroyed
  7940. # with the master transaction.
  7941. #
  7942. # This option specifies the table entry names that Squid must accept
  7943. # from and forward to the adaptation transactions.
  7944. #
  7945. # An ICAP REQMOD or RESPMOD transaction may set an entry in the
  7946. # shared table by returning an ICAP header field with a name
  7947. # specified in adaptation_masterx_shared_names.
  7948. #
  7949. # An eCAP REQMOD or RESPMOD transaction may set an entry in the
  7950. # shared table by implementing the libecap::visitEachOption() API
  7951. # to provide an option with a name specified in
  7952. # adaptation_masterx_shared_names.
  7953. #
  7954. # Squid will store and forward the set entry to subsequent adaptation
  7955. # transactions within the same master transaction scope.
  7956. #
  7957. # Only one shared entry name is supported at this time.
  7958. #
  7959. #Example:
  7960. ## share authentication information among ICAP services
  7961. #adaptation_masterx_shared_names X-Subscriber-ID
  7962. #Default:
  7963. # none
  7964.  
  7965. # TAG: adaptation_meta
  7966. # This option allows Squid administrator to add custom ICAP request
  7967. # headers or eCAP options to Squid ICAP requests or eCAP transactions.
  7968. # Use it to pass custom authentication tokens and other
  7969. # transaction-state related meta information to an ICAP/eCAP service.
  7970. #
  7971. # The addition of a meta header is ACL-driven:
  7972. # adaptation_meta name value [!]aclname ...
  7973. #
  7974. # Processing for a given header name stops after the first ACL list match.
  7975. # Thus, it is impossible to add two headers with the same name. If no ACL
  7976. # lists match for a given header name, no such header is added. For
  7977. # example:
  7978. #
  7979. # # do not debug transactions except for those that need debugging
  7980. # adaptation_meta X-Debug 1 needs_debugging
  7981. #
  7982. # # log all transactions except for those that must remain secret
  7983. # adaptation_meta X-Log 1 !keep_secret
  7984. #
  7985. # # mark transactions from users in the "G 1" group
  7986. # adaptation_meta X-Authenticated-Groups "G 1" authed_as_G1
  7987. #
  7988. # The "value" parameter may be a regular squid.conf token or a "double
  7989. # quoted string". Within the quoted string, use backslash (\) to escape
  7990. # any character, which is currently only useful for escaping backslashes
  7991. # and double quotes. For example,
  7992. # "this string has one backslash (\\) and two \"quotes\""
  7993. #
  7994. # Used adaptation_meta header values may be logged via %note
  7995. # logformat code. If multiple adaptation_meta headers with the same name
  7996. # are used during master transaction lifetime, the header values are
  7997. # logged in the order they were used and duplicate values are ignored
  7998. # (only the first repeated value will be logged).
  7999. #Default:
  8000. # none
  8001.  
  8002. # TAG: icap_retry
  8003. # This ACL determines which retriable ICAP transactions are
  8004. # retried. Transactions that received a complete ICAP response
  8005. # and did not have to consume or produce HTTP bodies to receive
  8006. # that response are usually retriable.
  8007. #
  8008. # icap_retry allow|deny [!]aclname ...
  8009. #
  8010. # Squid automatically retries some ICAP I/O timeouts and errors
  8011. # due to persistent connection race conditions.
  8012. #
  8013. # See also: icap_retry_limit
  8014. #Default:
  8015. # icap_retry deny all
  8016.  
  8017. # TAG: icap_retry_limit
  8018. # Limits the number of retries allowed.
  8019. #
  8020. # Communication errors due to persistent connection race
  8021. # conditions are unavoidable, automatically retried, and do not
  8022. # count against this limit.
  8023. #
  8024. # See also: icap_retry
  8025. #Default:
  8026. # No retries are allowed.
  8027.  
  8028. # DNS OPTIONS
  8029. # -----------------------------------------------------------------------------
  8030.  
  8031. # TAG: check_hostnames
  8032. # For security and stability reasons Squid can check
  8033. # hostnames for Internet standard RFC compliance. If you want
  8034. # Squid to perform these checks turn this directive on.
  8035. #Default:
  8036. # check_hostnames off
  8037.  
  8038. # TAG: allow_underscore
  8039. # Underscore characters is not strictly allowed in Internet hostnames
  8040. # but nevertheless used by many sites. Set this to off if you want
  8041. # Squid to be strict about the standard.
  8042. # This check is performed only when check_hostnames is set to on.
  8043. #Default:
  8044. # allow_underscore on
  8045.  
  8046. # TAG: dns_retransmit_interval
  8047. # Initial retransmit interval for DNS queries. The interval is
  8048. # doubled each time all configured DNS servers have been tried.
  8049. #Default:
  8050. # dns_retransmit_interval 5 seconds
  8051.  
  8052. # TAG: dns_timeout
  8053. # DNS Query timeout. If no response is received to a DNS query
  8054. # within this time all DNS servers for the queried domain
  8055. # are assumed to be unavailable.
  8056. #Default:
  8057. # dns_timeout 30 seconds
  8058.  
  8059. # TAG: dns_packet_max
  8060. # Maximum number of bytes packet size to advertise via EDNS.
  8061. # Set to "none" to disable EDNS large packet support.
  8062. #
  8063. # For legacy reasons DNS UDP replies will default to 512 bytes which
  8064. # is too small for many responses. EDNS provides a means for Squid to
  8065. # negotiate receiving larger responses back immediately without having
  8066. # to failover with repeat requests. Responses larger than this limit
  8067. # will retain the old behaviour of failover to TCP DNS.
  8068. #
  8069. # Squid has no real fixed limit internally, but allowing packet sizes
  8070. # over 1500 bytes requires network jumbogram support and is usually not
  8071. # necessary.
  8072. #
  8073. # WARNING: The RFC also indicates that some older resolvers will reply
  8074. # with failure of the whole request if the extension is added. Some
  8075. # resolvers have already been identified which will reply with mangled
  8076. # EDNS response on occasion. Usually in response to many-KB jumbogram
  8077. # sizes being advertised by Squid.
  8078. # Squid will currently treat these both as an unable-to-resolve domain
  8079. # even if it would be resolvable without EDNS.
  8080. #Default:
  8081. # EDNS disabled
  8082.  
  8083. # TAG: dns_defnames on|off
  8084. # Normally the RES_DEFNAMES resolver option is disabled
  8085. # (see res_init(3)). This prevents caches in a hierarchy
  8086. # from interpreting single-component hostnames locally. To allow
  8087. # Squid to handle single-component names, enable this option.
  8088. #Default:
  8089. # Search for single-label domain names is disabled.
  8090.  
  8091. # TAG: dns_multicast_local on|off
  8092. # When set to on, Squid sends multicast DNS lookups on the local
  8093. # network for domains ending in .local and .arpa.
  8094. # This enables local servers and devices to be contacted in an
  8095. # ad-hoc or zero-configuration network environment.
  8096. #Default:
  8097. # Search for .local and .arpa names is disabled.
  8098.  
  8099. # TAG: dns_nameservers
  8100. # Use this if you want to specify a list of DNS name servers
  8101. # (IP addresses) to use instead of those given in your
  8102. # /etc/resolv.conf file.
  8103. #
  8104. # On Windows platforms, if no value is specified here or in
  8105. # the /etc/resolv.conf file, the list of DNS name servers are
  8106. # taken from the Windows registry, both static and dynamic DHCP
  8107. # configurations are supported.
  8108. #
  8109. # Example: dns_nameservers 10.0.0.1 192.172.0.4
  8110. #Default:
  8111. # Use operating system definitions
  8112.  
  8113. #dns_nameservers 192.168.0.100
  8114. dns_nameservers 192.168.0.1
  8115.  
  8116. # TAG: hosts_file
  8117. # Location of the host-local IP name-address associations
  8118. # database. Most Operating Systems have such a file on different
  8119. # default locations:
  8120. # - Un*X & Linux: /etc/hosts
  8121. # - Windows NT/2000: %SystemRoot%\system32\drivers\etc\hosts
  8122. # (%SystemRoot% value install default is c:\winnt)
  8123. # - Windows XP/2003: %SystemRoot%\system32\drivers\etc\hosts
  8124. # (%SystemRoot% value install default is c:\windows)
  8125. # - Windows 9x/Me: %windir%\hosts
  8126. # (%windir% value is usually c:\windows)
  8127. # - Cygwin: /etc/hosts
  8128. #
  8129. # The file contains newline-separated definitions, in the
  8130. # form ip_address_in_dotted_form name [name ...] names are
  8131. # whitespace-separated. Lines beginning with an hash (#)
  8132. # character are comments.
  8133. #
  8134. # The file is checked at startup and upon configuration.
  8135. # If set to 'none', it won't be checked.
  8136. # If append_domain is used, that domain will be added to
  8137. # domain-local (i.e. not containing any dot character) host
  8138. # definitions.
  8139. #Default:
  8140. # hosts_file /etc/hosts
  8141.  
  8142. # TAG: append_domain
  8143. # Appends local domain name to hostnames without any dots in
  8144. # them. append_domain must begin with a period.
  8145. #
  8146. # Be warned there are now Internet names with no dots in
  8147. # them using only top-domain names, so setting this may
  8148. # cause some Internet sites to become unavailable.
  8149. #
  8150. #Example:
  8151. # append_domain .yourdomain.com
  8152. #Default:
  8153. # Use operating system definitions
  8154.  
  8155. # TAG: ignore_unknown_nameservers
  8156. # By default Squid checks that DNS responses are received
  8157. # from the same IP addresses they are sent to. If they
  8158. # don't match, Squid ignores the response and writes a warning
  8159. # message to cache.log. You can allow responses from unknown
  8160. # nameservers by setting this option to 'off'.
  8161. #Default:
  8162. # ignore_unknown_nameservers on
  8163.  
  8164. # TAG: dns_v4_first
  8165. # With the IPv6 Internet being as fast or faster than IPv4 Internet
  8166. # for most networks Squid prefers to contact websites over IPv6.
  8167. #
  8168. # This option reverses the order of preference to make Squid contact
  8169. # dual-stack websites over IPv4 first. Squid will still perform both
  8170. # IPv6 and IPv4 DNS lookups before connecting.
  8171. #
  8172. # WARNING:
  8173. # This option will restrict the situations under which IPv6
  8174. # connectivity is used (and tested), potentially hiding network
  8175. # problems which would otherwise be detected and warned about.
  8176. #Default:
  8177. # dns_v4_first off
  8178.  
  8179. # TAG: ipcache_size (number of entries)
  8180. # Maximum number of DNS IP cache entries.
  8181. #Default:
  8182. # ipcache_size 1024
  8183.  
  8184. # TAG: ipcache_low (percent)
  8185. #Default:
  8186. # ipcache_low 90
  8187.  
  8188. # TAG: ipcache_high (percent)
  8189. # The size, low-, and high-water marks for the IP cache.
  8190. #Default:
  8191. # ipcache_high 95
  8192.  
  8193. # TAG: fqdncache_size (number of entries)
  8194. # Maximum number of FQDN cache entries.
  8195. #Default:
  8196. # fqdncache_size 1024
  8197.  
  8198. # MISCELLANEOUS
  8199. # -----------------------------------------------------------------------------
  8200.  
  8201. # TAG: configuration_includes_quoted_values on|off
  8202. # If set, Squid will recognize each "quoted string" after a configuration
  8203. # directive as a single parameter. The quotes are stripped before the
  8204. # parameter value is interpreted or used.
  8205. # See "Values with spaces, quotes, and other special characters"
  8206. # section for more details.
  8207. #Default:
  8208. # configuration_includes_quoted_values off
  8209.  
  8210. # TAG: memory_pools on|off
  8211. # If set, Squid will keep pools of allocated (but unused) memory
  8212. # available for future use. If memory is a premium on your
  8213. # system and you believe your malloc library outperforms Squid
  8214. # routines, disable this.
  8215. #Default:
  8216. # memory_pools on
  8217.  
  8218. # TAG: memory_pools_limit (bytes)
  8219. # Used only with memory_pools on:
  8220. # memory_pools_limit 50 MB
  8221. #
  8222. # If set to a non-zero value, Squid will keep at most the specified
  8223. # limit of allocated (but unused) memory in memory pools. All free()
  8224. # requests that exceed this limit will be handled by your malloc
  8225. # library. Squid does not pre-allocate any memory, just safe-keeps
  8226. # objects that otherwise would be free()d. Thus, it is safe to set
  8227. # memory_pools_limit to a reasonably high value even if your
  8228. # configuration will use less memory.
  8229. #
  8230. # If set to none, Squid will keep all memory it can. That is, there
  8231. # will be no limit on the total amount of memory used for safe-keeping.
  8232. #
  8233. # To disable memory allocation optimization, do not set
  8234. # memory_pools_limit to 0 or none. Set memory_pools to "off" instead.
  8235. #
  8236. # An overhead for maintaining memory pools is not taken into account
  8237. # when the limit is checked. This overhead is close to four bytes per
  8238. # object kept. However, pools may actually _save_ memory because of
  8239. # reduced memory thrashing in your malloc library.
  8240. #Default:
  8241. # memory_pools_limit 5 MB
  8242.  
  8243. # TAG: forwarded_for on|off|transparent|truncate|delete
  8244. # If set to "on", Squid will append your client's IP address
  8245. # in the HTTP requests it forwards. By default it looks like:
  8246. #
  8247. # X-Forwarded-For: 192.1.2.3
  8248. #
  8249. # If set to "off", it will appear as
  8250. #
  8251. # X-Forwarded-For: unknown
  8252. #
  8253. # If set to "transparent", Squid will not alter the
  8254. # X-Forwarded-For header in any way.
  8255. #
  8256. # If set to "delete", Squid will delete the entire
  8257. # X-Forwarded-For header.
  8258. #
  8259. # If set to "truncate", Squid will remove all existing
  8260. # X-Forwarded-For entries, and place the client IP as the sole entry.
  8261. #Default:
  8262. # forwarded_for on
  8263.  
  8264. # TAG: cachemgr_passwd
  8265. # Specify passwords for cachemgr operations.
  8266. #
  8267. # Usage: cachemgr_passwd password action action ...
  8268. #
  8269. # Some valid actions are (see cache manager menu for a full list):
  8270. # 5min
  8271. # 60min
  8272. # asndb
  8273. # authenticator
  8274. # cbdata
  8275. # client_list
  8276. # comm_incoming
  8277. # config *
  8278. # counters
  8279. # delay
  8280. # digest_stats
  8281. # dns
  8282. # events
  8283. # filedescriptors
  8284. # fqdncache
  8285. # histograms
  8286. # http_headers
  8287. # info
  8288. # io
  8289. # ipcache
  8290. # mem
  8291. # menu
  8292. # netdb
  8293. # non_peers
  8294. # objects
  8295. # offline_toggle *
  8296. # pconn
  8297. # peer_select
  8298. # reconfigure *
  8299. # redirector
  8300. # refresh
  8301. # server_list
  8302. # shutdown *
  8303. # store_digest
  8304. # storedir
  8305. # utilization
  8306. # via_headers
  8307. # vm_objects
  8308. #
  8309. # * Indicates actions which will not be performed without a
  8310. # valid password, others can be performed if not listed here.
  8311. #
  8312. # To disable an action, set the password to "disable".
  8313. # To allow performing an action without a password, set the
  8314. # password to "none".
  8315. #
  8316. # Use the keyword "all" to set the same password for all actions.
  8317. #
  8318. #Example:
  8319. # cachemgr_passwd secret shutdown
  8320. # cachemgr_passwd lesssssssecret info stats/objects
  8321. # cachemgr_passwd disable all
  8322. #Default:
  8323. # No password. Actions which require password are denied.
  8324.  
  8325. # TAG: client_db on|off
  8326. # If you want to disable collecting per-client statistics,
  8327. # turn off client_db here.
  8328. #Default:
  8329. # client_db on
  8330.  
  8331. # TAG: refresh_all_ims on|off
  8332. # When you enable this option, squid will always check
  8333. # the origin server for an update when a client sends an
  8334. # If-Modified-Since request. Many browsers use IMS
  8335. # requests when the user requests a reload, and this
  8336. # ensures those clients receive the latest version.
  8337. #
  8338. # By default (off), squid may return a Not Modified response
  8339. # based on the age of the cached version.
  8340. #Default:
  8341. # refresh_all_ims off
  8342.  
  8343. # TAG: reload_into_ims on|off
  8344. # When you enable this option, client no-cache or ``reload''
  8345. # requests will be changed to If-Modified-Since requests.
  8346. # Doing this VIOLATES the HTTP standard. Enabling this
  8347. # feature could make you liable for problems which it
  8348. # causes.
  8349. #
  8350. # see also refresh_pattern for a more selective approach.
  8351. #Default:
  8352. # reload_into_ims off
  8353.  
  8354. # TAG: connect_retries
  8355. # Limits the number of reopening attempts when establishing a single
  8356. # TCP connection. All these attempts must still complete before the
  8357. # applicable connection opening timeout expires.
  8358. #
  8359. # By default and when connect_retries is set to zero, Squid does not
  8360. # retry failed connection opening attempts.
  8361. #
  8362. # The (not recommended) maximum is 10 tries. An attempt to configure a
  8363. # higher value results in the value of 10 being used (with a warning).
  8364. #
  8365. # Squid may open connections to retry various high-level forwarding
  8366. # failures. For an outside observer, that activity may look like a
  8367. # low-level connection reopening attempt, but those high-level retries
  8368. # are governed by forward_max_tries instead.
  8369. #
  8370. # See also: connect_timeout, forward_timeout, icap_connect_timeout,
  8371. # ident_timeout, and forward_max_tries.
  8372. #Default:
  8373. # Do not retry failed connections.
  8374.  
  8375. # TAG: retry_on_error
  8376. # If set to ON Squid will automatically retry requests when
  8377. # receiving an error response with status 403 (Forbidden),
  8378. # 500 (Internal Error), 501 or 503 (Service not available).
  8379. # Status 502 and 504 (Gateway errors) are always retried.
  8380. #
  8381. # This is mainly useful if you are in a complex cache hierarchy to
  8382. # work around access control errors.
  8383. #
  8384. # NOTE: This retry will attempt to find another working destination.
  8385. # Which is different from the server which just failed.
  8386. #Default:
  8387. # retry_on_error off
  8388.  
  8389. # TAG: as_whois_server
  8390. # WHOIS server to query for AS numbers. NOTE: AS numbers are
  8391. # queried only when Squid starts up, not for every request.
  8392. #Default:
  8393. # as_whois_server whois.ra.net
  8394.  
  8395. # TAG: offline_mode
  8396. # Enable this option and Squid will never try to validate cached
  8397. # objects.
  8398. #Default:
  8399. # offline_mode off
  8400.  
  8401. # TAG: uri_whitespace
  8402. # What to do with requests that have whitespace characters in the
  8403. # URI. Options:
  8404. #
  8405. # strip: The whitespace characters are stripped out of the URL.
  8406. # This is the behavior recommended by RFC2396 and RFC3986
  8407. # for tolerant handling of generic URI.
  8408. # NOTE: This is one difference between generic URI and HTTP URLs.
  8409. #
  8410. # deny: The request is denied. The user receives an "Invalid
  8411. # Request" message.
  8412. # This is the behaviour recommended by RFC2616 for safe
  8413. # handling of HTTP request URL.
  8414. #
  8415. # allow: The request is allowed and the URI is not changed. The
  8416. # whitespace characters remain in the URI. Note the
  8417. # whitespace is passed to redirector processes if they
  8418. # are in use.
  8419. # Note this may be considered a violation of RFC2616
  8420. # request parsing where whitespace is prohibited in the
  8421. # URL field.
  8422. #
  8423. # encode: The request is allowed and the whitespace characters are
  8424. # encoded according to RFC1738.
  8425. #
  8426. # chop: The request is allowed and the URI is chopped at the
  8427. # first whitespace.
  8428. #
  8429. #
  8430. # NOTE the current Squid implementation of encode and chop violates
  8431. # RFC2616 by not using a 301 redirect after altering the URL.
  8432. #Default:
  8433. # uri_whitespace strip
  8434.  
  8435. # TAG: chroot
  8436. # Specifies a directory where Squid should do a chroot() while
  8437. # initializing. This also causes Squid to fully drop root
  8438. # privileges after initializing. This means, for example, if you
  8439. # use a HTTP port less than 1024 and try to reconfigure, you may
  8440. # get an error saying that Squid can not open the port.
  8441. #Default:
  8442. # none
  8443.  
  8444. # TAG: pipeline_prefetch
  8445. # HTTP clients may send a pipeline of 1+N requests to Squid using a
  8446. # single connection, without waiting for Squid to respond to the first
  8447. # of those requests. This option limits the number of concurrent
  8448. # requests Squid will try to handle in parallel. If set to N, Squid
  8449. # will try to receive and process up to 1+N requests on the same
  8450. # connection concurrently.
  8451. #
  8452. # Defaults to 0 (off) for bandwidth management and access logging
  8453. # reasons.
  8454. #
  8455. # NOTE: pipelining requires persistent connections to clients.
  8456. #
  8457. # WARNING: pipelining breaks NTLM and Negotiate/Kerberos authentication.
  8458. #Default:
  8459. # Do not pre-parse pipelined requests.
  8460.  
  8461. # TAG: high_response_time_warning (msec)
  8462. # If the one-minute median response time exceeds this value,
  8463. # Squid prints a WARNING with debug level 0 to get the
  8464. # administrators attention. The value is in milliseconds.
  8465. #Default:
  8466. # disabled.
  8467.  
  8468. # TAG: high_page_fault_warning
  8469. # If the one-minute average page fault rate exceeds this
  8470. # value, Squid prints a WARNING with debug level 0 to get
  8471. # the administrators attention. The value is in page faults
  8472. # per second.
  8473. #Default:
  8474. # disabled.
  8475.  
  8476. # TAG: high_memory_warning
  8477. # Note: This option is only available if Squid is rebuilt with the
  8478. # GNU Malloc with mstats()
  8479. #
  8480. # If the memory usage (as determined by gnumalloc, if available and used)
  8481. # exceeds this amount, Squid prints a WARNING with debug level 0 to get
  8482. # the administrators attention.
  8483. #Default:
  8484. # disabled.
  8485.  
  8486. # TAG: sleep_after_fork (microseconds)
  8487. # When this is set to a non-zero value, the main Squid process
  8488. # sleeps the specified number of microseconds after a fork()
  8489. # system call. This sleep may help the situation where your
  8490. # system reports fork() failures due to lack of (virtual)
  8491. # memory. Note, however, if you have a lot of child
  8492. # processes, these sleep delays will add up and your
  8493. # Squid will not service requests for some amount of time
  8494. # until all the child processes have been started.
  8495. # On Windows value less then 1000 (1 milliseconds) are
  8496. # rounded to 1000.
  8497. #Default:
  8498. # sleep_after_fork 0
  8499.  
  8500. # TAG: windows_ipaddrchangemonitor on|off
  8501. # Note: This option is only available if Squid is rebuilt with the
  8502. # MS Windows
  8503. #
  8504. # On Windows Squid by default will monitor IP address changes and will
  8505. # reconfigure itself after any detected event. This is very useful for
  8506. # proxies connected to internet with dial-up interfaces.
  8507. # In some cases (a Proxy server acting as VPN gateway is one) it could be
  8508. # desiderable to disable this behaviour setting this to 'off'.
  8509. # Note: after changing this, Squid service must be restarted.
  8510. #Default:
  8511. # windows_ipaddrchangemonitor on
  8512.  
  8513. # TAG: eui_lookup
  8514. # Whether to lookup the EUI or MAC address of a connected client.
  8515. #Default:
  8516. # eui_lookup on
  8517.  
  8518. # TAG: max_filedescriptors
  8519. # Set the maximum number of filedescriptors, either below the
  8520. # operating system default or up to the hard limit.
  8521. #
  8522. # Remove from squid.conf to inherit the current ulimit soft
  8523. # limit setting.
  8524. #
  8525. # Note: Changing this requires a restart of Squid. Also
  8526. # not all I/O types supports large values (eg on Windows).
  8527. #Default:
  8528. # Use operating system soft limit set by ulimit.
  8529.  
  8530. # TAG: force_request_body_continuation
  8531. # This option controls how Squid handles data upload requests from HTTP
  8532. # and FTP agents that require a "Please Continue" control message response
  8533. # to actually send the request body to Squid. It is mostly useful in
  8534. # adaptation environments.
  8535. #
  8536. # When Squid receives an HTTP request with an "Expect: 100-continue"
  8537. # header or an FTP upload command (e.g., STOR), Squid normally sends the
  8538. # request headers or FTP command information to an adaptation service (or
  8539. # peer) and waits for a response. Most adaptation services (and some
  8540. # broken peers) may not respond to Squid at that stage because they may
  8541. # decide to wait for the HTTP request body or FTP data transfer. However,
  8542. # that request body or data transfer may never come because Squid has not
  8543. # responded with the HTTP 100 or FTP 150 (Please Continue) control message
  8544. # to the request sender yet!
  8545. #
  8546. # An allow match tells Squid to respond with the HTTP 100 or FTP 150
  8547. # (Please Continue) control message on its own, before forwarding the
  8548. # request to an adaptation service or peer. Such a response usually forces
  8549. # the request sender to proceed with sending the body. A deny match tells
  8550. # Squid to delay that control response until the origin server confirms
  8551. # that the request body is needed. Delaying is the default behavior.
  8552. #Default:
  8553. # Deny, unless rules exist in squid.conf.
  8554.  
  8555. # TAG: server_pconn_for_nonretriable
  8556. # This option provides fine-grained control over persistent connection
  8557. # reuse when forwarding HTTP requests that Squid cannot retry. It is useful
  8558. # in environments where opening new connections is very expensive
  8559. # (e.g., all connections are secured with TLS with complex client and server
  8560. # certificate validation) and race conditions associated with persistent
  8561. # connections are very rare and/or only cause minor problems.
  8562. #
  8563. # HTTP prohibits retrying unsafe and non-idempotent requests (e.g., POST).
  8564. # Squid limitations also prohibit retrying all requests with bodies (e.g., PUT).
  8565. # By default, when forwarding such "risky" requests, Squid opens a new
  8566. # connection to the server or cache_peer, even if there is an idle persistent
  8567. # connection available. When Squid is configured to risk sending a non-retriable
  8568. # request on a previously used persistent connection, and the server closes
  8569. # the connection before seeing that risky request, the user gets an error response
  8570. # from Squid. In most cases, that error response will be HTTP 502 (Bad Gateway)
  8571. # with ERR_ZERO_SIZE_OBJECT or ERR_WRITE_ERROR (peer connection reset) error detail.
  8572. #
  8573. # If an allow rule matches, Squid reuses an available idle persistent connection
  8574. # (if any) for the request that Squid cannot retry. If a deny rule matches, then
  8575. # Squid opens a new connection for the request that Squid cannot retry.
  8576. #
  8577. # This option does not affect requests that Squid can retry. They will reuse idle
  8578. # persistent connections (if any).
  8579. #
  8580. # This clause only supports fast acl types.
  8581. # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
  8582. #
  8583. # Example:
  8584. # acl SpeedIsWorthTheRisk method POST
  8585. # server_pconn_for_nonretriable allow SpeedIsWorthTheRisk
  8586. #Default:
  8587. # Open new connections for forwarding requests Squid cannot retry safely.
  8588.  
  8589. cache_effective_group proxy
  8590.  
Add Comment
Please, Sign In to add comment