Untitled

a guest Mar 20th, 2016 180 Never
#   WELCOME TO SQUID 2.7.STABLE9
#   ----------------------------
#
#   This is the default Squid configuration file. You may wish
#   to look at the Squid home page (http://www.squid-cache.org/)
#   for the FAQ and other documentation.
#
#   The default Squid config file shows what the defaults for
#   various options happen to be.  If you don't need to change the
#   default, you shouldn't uncomment the line.  Doing so may cause
#   run-time problems.  In some cases "none" refers to no default
#   setting at all, while in other cases it refers to a valid
#   option - the comments for that keyword indicate if this is the
#   case.
#


#  Configuration options can be included using the "include" directive.
#  Include takes a list of files to include. Quoting and wildcards are
#  supported.
#
#  For example,
#
#  include /path/to/included/file/squid.acl.config
#
#  Includes can be nested up to a hard-coded depth of 16 levels.
#  This arbitrary restriction is to prevent recursive include references
#  from causing Squid to enter an infinite loop whilst trying to load
#  configuration files.


# OPTIONS FOR AUTHENTICATION
# -----------------------------------------------------------------------------

#  TAG: auth_param
#   This is used to define parameters for the various authentication
#   schemes supported by Squid.
#
#   format: auth_param scheme parameter [setting]
#
#   The order in which authentication schemes are presented to the client is
#   dependent on the order the scheme first appears in config file. IE
#   has a bug (it's not RFC 2617 compliant) in that it will use the basic
#   scheme if basic is the first entry presented, even if more secure
#   schemes are presented. For now use the order in the recommended
#   settings section below. If other browsers have difficulties (don't
#   recognize the schemes offered even if you are using basic) either
#   put basic first, or disable the other schemes (by commenting out their
#   program entry).
#
#   Once an authentication scheme is fully configured, it can only be
#   shut down by shutting squid down and restarting. Changes can be made on
#   the fly and activated with a reconfigure. I.E. You can change to a
#   different helper, but not unconfigure the helper completely.
#
#   Please note that while this directive defines how Squid processes
#   authentication it does not automatically activate authentication.
#   To use authentication you must in addition make use of ACLs based
#   on login name in http_access (proxy_auth, proxy_auth_regex or
#   external with %LOGIN used in the format tag). The browser will be
#   challenged for authentication on the first such acl encountered
#   in http_access processing and will also be re-challenged for new
#   login credentials if the request is being denied by a proxy_auth
#   type acl.
#
#   WARNING: authentication can't be used in a transparently intercepting
#   proxy as the client then thinks it is talking to an origin server and
#   not the proxy. This is a limitation of bending the TCP/IP protocol to
#   transparently intercepting port 80, not a limitation in Squid.
#
#   === Parameters for the basic scheme follow. ===
#
#   "program" cmdline
#   Specify the command for the external authenticator.  Such a program
#   reads a line containing "username password" and replies "OK" or
#   "ERR" in an endless loop. "ERR" responses may optionally be followed
#   by an error description available as %m in the returned error page.
#
#   By default, the basic authentication scheme is not used unless a
#   program is specified.
#
#   If you want to use the traditional proxy authentication, jump over to
#   the helpers/basic_auth/NCSA directory and type:
#       % make
#       % make install
#
#   Then, set this line to something like
#
#   auth_param basic program /usr/lib/squid/ncsa_auth /usr/etc/passwd
#
#   "children" numberofchildren
#   The number of authenticator processes to spawn. If you start too few
#   squid will have to wait for them to process a backlog of credential
#   verifications, slowing it down. When credential verifications are
#   done via a (slow) network you are likely to need lots of
#   authenticator processes.
#   auth_param basic children 5
#
#   "concurrency" numberofconcurrentrequests
#   The number of concurrent requests/channels the helper supports.
#   Changes the protocol used to include a channel number first on
#   the request/response line, allowing multiple requests to be sent
#   to the same helper in parallel without waiting for the response.
#   Must not be set unless it's known the helper supports this.
#
#   "realm" realmstring
#   Specifies the realm name which is to be reported to the client for
#   the basic proxy authentication scheme (part of the text the user
#   will see when prompted for their username and password).
#   auth_param basic realm Squid proxy-caching web server
#
#   "credentialsttl" timetolive
#   Specifies how long squid assumes an externally validated
#   username:password pair is valid for - in other words how often the
#   helper program is called for that user. Set this low to force
#   revalidation with short lived passwords.  Note that setting this high
#   does not impact your susceptibility to replay attacks unless you are
#   using a one-time password system (such as SecurID). If you are using
#   such a system, you will be vulnerable to replay attacks unless you
#   also use the max_user_ip ACL in an http_access rule.
#   auth_param basic credentialsttl 2 hours
#
#   "casesensitive" on|off
#   Specifies if usernames are case sensitive. Most user databases are
#   case insensitive allowing the same username to be spelled using both
#   lower and upper case letters, but some are case sensitive. This
#   makes a big difference for max_user_ip ACL processing and similar.
#   auth_param basic casesensitive off
#
#   "blankpassword" on|off
#   Specifies if blank passwords should be supported. Defaults to off
#   as there are multiple authentication backends which handle blank
#   passwords as "guest" access.
#
#   === Parameters for the digest scheme follow ===
#
#   "program" cmdline
#   Specify the command for the external authenticator.  Such a program
#   reads a line containing "username":"realm" and replies with the
#   appropriate H(A1) value hex encoded or ERR if the user (or his H(A1)
#   hash) does not exist.  See RFC 2616 for the definition of H(A1).
#   "ERR" responses may optionally be followed by an error description
#   available as %m in the returned error page.
#
#   By default, the digest authentication scheme is not used unless a
#   program is specified.
#
#   If you want to use a digest authenticator, jump over to the
#   helpers/digest_auth/ directory and choose the authenticator to use.
#   In its directory type
#       % make
#       % make install
#
#   Then, set this line to something like
#
#   auth_param digest program /usr/lib/squid/digest_auth_pw /usr/etc/digpass
#
#   "children" numberofchildren
#   The number of authenticator processes to spawn. If you start too few
#   squid will have to wait for them to process a backlog of credential
#   verifications, slowing it down. When credential verifications are
#   done via a (slow) network you are likely to need lots of
#   authenticator processes.
#   auth_param digest children 5
#
#   "concurrency" numberofconcurrentrequests
#   The number of concurrent requests/channels the helper supports.
#   Changes the protocol used to include a channel number first on
#   the request/response line, allowing multiple requests to be sent
#   to the same helper in parallel without waiting for the response.
#   Must not be set unless it's known the helper supports this.
#
#   "realm" realmstring
#   Specifies the realm name which is to be reported to the client for the
#   digest proxy authentication scheme (part of the text the user will see
#   when prompted for their username and password).
#   auth_param digest realm Squid proxy-caching web server
#
#   "nonce_garbage_interval" timeinterval
#   Specifies the interval at which nonces that have been issued to clients
#   are checked for validity.
#   auth_param digest nonce_garbage_interval 5 minutes
#
#   "nonce_max_duration" timeinterval
#   Specifies the maximum length of time a given nonce will be valid for.
#   auth_param digest nonce_max_duration 30 minutes
#
#   "nonce_max_count" number
#   Specifies the maximum number of times a given nonce can be used.
#   auth_param digest nonce_max_count 50
#
#   "nonce_strictness" on|off
#   Determines if squid requires strict increment-by-1 behavior for nonce
#   counts, or just incrementing (off - for use when useragents generate
#   nonce counts that occasionally miss 1 (ie, 1,2,4,6)).
#   auth_param digest nonce_strictness off
#
#   "check_nonce_count" on|off
#   This directive if set to off can disable the nonce count check
#   completely to work around buggy digest qop implementations in certain
#   mainstream browser versions. Default on to check the nonce count to
#   protect from authentication replay attacks.
#   auth_param digest check_nonce_count on
#
#   "post_workaround" on|off
#   This is a workaround for certain buggy browsers which send an incorrect
#   request digest in POST requests when reusing the same nonce as acquired
#   earlier in response to a GET request.
#   auth_param digest post_workaround off
#
#   === NTLM scheme options follow ===
#
#   "program" cmdline
#   Specify the command for the external NTLM authenticator. Such a
#   program participates in the NTLMSSP exchanges between Squid and the
#   client and reads commands according to the Squid NTLMSSP helper
#   protocol. See helpers/ntlm_auth/ for details. Recommended ntlm
#   authenticator is ntlm_auth from Samba-3.X, but a number of other
#   ntlm authenticators are available.
#
#   By default, the ntlm authentication scheme is not used unless a
#   program is specified.
#
#   auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
#
#   "children" numberofchildren
#   The number of authenticator processes to spawn. If you start too few
#   squid will have to wait for them to process a backlog of credential
#   verifications, slowing it down. When credential verifications are
#   done via a (slow) network you are likely to need lots of
#   authenticator processes.
#   auth_param ntlm children 5
#
#   "keep_alive" on|off
#   This option enables the use of keep-alive on the initial
#   authentication request. It has been reported some versions of MSIE
#   have problems if this is enabled, but performance will be increased
#   if enabled.
#
#   auth_param ntlm keep_alive on
#
#   === Negotiate scheme options follow ===
#
#   "program" cmdline
#   Specify the command for the external Negotiate authenticator. Such a
#   program participates in the SPNEGO exchanges between Squid and the
#   client and reads commands according to the Squid ntlmssp helper
#   protocol. See helpers/ntlm_auth/ for details. Recommended SPNEGO
#   authenticator is ntlm_auth from Samba-4.X.
#
#   By default, the Negotiate authentication scheme is not used unless a
#   program is specified.
#
#   auth_param negotiate program /path/to/samba/bin/ntlm_auth --helper-protocol=gss-spnego
#
#   "children" numberofchildren
#   The number of authenticator processes to spawn. If you start too few
#   squid will have to wait for them to process a backlog of credential
#   verifications, slowing it down. When credential verifications are
#   done via a (slow) network you are likely to need lots of
#   authenticator processes.
#   auth_param negotiate children 5
#
#   "keep_alive" on|off
#   If you experience problems with PUT/POST requests when using the
#   Negotiate authentication scheme then you can try setting this to
#   off. This will cause Squid to forcibly close the connection on
#   the initial requests where the browser asks which schemes are
#   supported by the proxy.
#
#   auth_param negotiate keep_alive on
#
#Recommended minimum configuration per scheme:
#auth_param negotiate program <uncomment and complete this line to activate>
#auth_param negotiate children 5
#auth_param negotiate keep_alive on
#auth_param ntlm program <uncomment and complete this line to activate>
#auth_param ntlm children 5
#auth_param ntlm keep_alive on
#auth_param digest program <uncomment and complete this line>
#auth_param digest children 5
#auth_param digest realm Squid proxy-caching web server
#auth_param digest nonce_garbage_interval 5 minutes
#auth_param digest nonce_max_duration 30 minutes
#auth_param digest nonce_max_count 50
#auth_param basic program <uncomment and complete this line>
#auth_param basic children 5
#auth_param basic realm Squid proxy-caching web server
#auth_param basic credentialsttl 2 hours
#auth_param basic casesensitive off

#  TAG: authenticate_cache_garbage_interval
#   The time period between garbage collection across the username cache.
#   This is a tradeoff between memory utilization (long intervals - say
#   2 days) and CPU (short intervals - say 1 minute). Only change if you
#   have good reason to.
#
#Default:
# authenticate_cache_garbage_interval 1 hour

#  TAG: authenticate_ttl
#   The time a user & their credentials stay in the logged in user cache
#   since their last request. When the garbage interval passes, all user
#   credentials that have passed their TTL are removed from memory.
#
#Default:
# authenticate_ttl 1 hour

#  TAG: authenticate_ip_ttl
#   If you use proxy authentication and the 'max_user_ip' ACL, this
#   directive controls how long Squid remembers the IP addresses
#   associated with each user.  Use a small value (e.g., 60 seconds) if
#   your users might change addresses quickly, as is the case with
#   dialups. You might be safe using a larger value (e.g., 2 hours) in a
#   corporate LAN environment with relatively static address assignments.
#
#Default:
# authenticate_ip_ttl 0 seconds

#  TAG: authenticate_ip_shortcircuit_ttl
#   Cache authentication credentials per client IP address for this
#   long. Default is 0 seconds (disabled).
#
#   See also authenticate_ip_shortcircuit_access directive.
#
#Default:
# authenticate_ip_shortcircuit_ttl 0 seconds


# ACCESS CONTROLS
# -----------------------------------------------------------------------------

#  TAG: external_acl_type
#   This option defines external acl classes using a helper program to
#   look up the status
#
#     external_acl_type name [options] FORMAT.. /path/to/helper [helper arguments..]
#
#   Options:
#
#     ttl=n     TTL in seconds for cached results (defaults to 3600
#           for 1 hour)
#     negative_ttl=n
#           TTL for cached negative lookups (default same
#           as ttl)
#     children=n    number of processes to spawn to service external acl
#           lookups of this type. (default 5).
#     concurrency=n concurrency level per process. Only used with helpers
#           capable of processing more than one query at a time.
#           Note: see compatibility note below
#     cache=n   result cache size, 0 is unbounded (default)
#     grace=    Percentage remaining of TTL where a refresh of a
#           cached entry should be initiated without needing to
#           wait for a new reply. (default 0 for no grace period)
#     protocol=2.5  Compatibility mode for Squid-2.5 external acl helpers
#
#   FORMAT specifications
#
#     %LOGIN    Authenticated user login name
#     %EXT_USER Username from external acl
#     %IDENT    Ident user name
#     %SRC      Client IP
#     %SRCPORT  Client source port
#     %URI      Requested URI
#     %DST      Requested host
#     %PROTO    Requested protocol
#     %PORT     Requested port
#     %METHOD   Request method
#     %MYADDR   Squid interface address
#     %MYPORT   Squid http_port number
#     %PATH     Requested URL-path (including query-string if any)
#     %USER_CERT    SSL User certificate in PEM format
#     %USER_CERTCHAIN SSL User certificate chain in PEM format
#     %USER_CERT_xx SSL User certificate subject attribute xx
#     %USER_CA_xx   SSL User certificate issuer attribute xx
#     %{Header} HTTP request header "Header"
#     %{Hdr:member} HTTP request header "Hdr" list member "member"
#     %{Hdr:;member}
#           HTTP request header list member using ; as
#           list separator. ; can be any non-alphanumeric
#           character.
#     %ACL      The ACL name
#     %DATA     The ACL arguments. If not used then any arguments
#           are automatically added at the end
#
#   In addition to the above, any string specified in the referencing
#   acl will also be included in the helper request line, after the
#   specified formats (see the "acl external" directive)
#
#   The helper receives lines per the above format specification,
#   and returns lines starting with OK or ERR indicating the validity
#   of the request and optionally followed by additional keywords with
#   more details.
#
#   General result syntax:
#
#     OK/ERR keyword=value ...
#
#   Defined keywords:
#
#     user=     The user's name (login also understood)
#     password= The user's password (for PROXYPASS login= cache_peer)
#     message=  Error message or similar used as %o in error messages
#           (error also understood)
#     log=      String to be logged in access.log. Available as
#           %ea in logformat specifications
#
#   If protocol=3.0 (the default) then URL escaping is used to protect
#   each value in both requests and responses.
#
#   If using protocol=2.5 then all values need to be enclosed in quotes
#   if they may contain whitespace, or the whitespace escaped using \.
#   And quotes or \ characters within the keyword value must be \ escaped.
#
#   When using the concurrency= option the protocol is changed by
#   introducing a query channel tag in front of the request/response.
#   The query channel tag is a number between 0 and concurrency-1.
#
#   Compatibility Note: The children= option was named concurrency= in
#   Squid-2.5.STABLE3 and earlier, and was accepted as an alias for the
#   duration of the Squid-2.5 releases to keep compatibility. However,
#   the meaning of concurrency= option has changed in Squid-2.6 to match
#   that of Squid-3 and the old syntax no longer works.
#
#Default:
# none

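A helper for the external_acl_type protocol described above, written as an added example (it is not part of the pasted configuration or of Squid itself). It handles the query channel tag used with concurrency= and the URL escaping of protocol=3.0; the ACL name, helper path and policy table are assumptions made for the illustration.

```python
#!/usr/bin/env python3
# Added example, not Squid's own code. Assumed squid.conf wiring (the names
# and the helper path are hypothetical):
#   external_acl_type net_login concurrency=4 %SRC %LOGIN /usr/local/bin/net_login.py
#   acl office external net_login
import ipaddress
import sys
from urllib.parse import quote, unquote

# Constructed policy table: the network each login may connect from.
ALLOWED = {
    "alice": ipaddress.ip_network("10.1.0.0/16"),
    "bob smith": ipaddress.ip_network("192.168.1.0/24"),
}


def esc(value):
    """URL-escape one value so spaces or '=' in it cannot forge extra keywords."""
    return quote(value, safe="")


def handle_line(line, concurrent=True):
    """Build the reply line for one request line read from Squid."""
    fields = line.strip().split(" ")
    channel = ""
    if concurrent:
        # With concurrency= set, the first field is the query channel tag,
        # which has to be echoed in front of the reply.
        if not fields[0].isdigit():
            return "ERR message=" + esc("missing channel tag")
        channel = fields.pop(0) + " "
    if len(fields) != 2:
        return channel + "ERR message=" + esc("malformed request")
    # protocol=3.0 URL-escapes every value in the request.
    src, login = unquote(fields[0]), unquote(fields[1])
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return channel + "ERR message=" + esc("bad source address")
    net = ALLOWED.get(login)
    if net is None or addr not in net:
        return channel + "ERR message=" + esc(f"{login} not allowed from {src}")
    return channel + "OK user=" + esc(login) + " log=" + esc(f"net {net}")


def main():
    for line in sys.stdin:
        # One reply per request; flush so Squid is not left waiting on a buffer.
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Because every value in the reply is escaped, a login such as `eve user=alice` comes back as a single `message=` value instead of adding a second keyword to the line.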
#  TAG: acl
#   Defining an Access List
#
#    Every access list definition must begin with an aclname and acltype,
#    followed by either type-specific arguments or a quoted filename that
#    they are read from.
#
#   acl aclname acltype argument ...
#   acl aclname acltype "file" ...
#
#   when using "file", the file should contain one item per line.
#
#   By default, regular expressions are CASE-SENSITIVE.  To make
#   them case-insensitive, use the -i option.
#
#   acl aclname src      ip-address/netmask ... (clients IP address)
#   acl aclname src      addr1-addr2/netmask ... (range of addresses)
#   acl aclname dst      ip-address/netmask ... (URL host's IP address)
#   acl aclname myip     ip-address/netmask ... (local socket IP address)
#
#   acl aclname arp      mac-address ... (xx:xx:xx:xx:xx:xx notation)
#     # The arp ACL requires the special configure option --enable-arp-acl.
#     # Furthermore, the arp ACL code is not portable to all operating systems.
#     # It works on Linux, Solaris, FreeBSD and some other *BSD variants.
#     #
#     # NOTE: Squid can only determine the MAC address for clients that are on
#     # the same subnet. If the client is on a different subnet, then Squid cannot
#     # find out its MAC address.
#
#   acl aclname srcdomain   .foo.com ...    # reverse lookup, client IP
#   acl aclname dstdomain   .foo.com ...    # Destination server from URL
#   acl aclname srcdom_regex [-i] xxx ...   # regex matching client name
#   acl aclname dstdom_regex [-i] xxx ...   # regex matching server
#     # For dstdomain and dstdom_regex a reverse lookup is tried if an IP
#     # based URL is used and no match is found. The name "none" is used
#     # if the reverse lookup fails.
#
#   acl aclname time     [day-abbrevs]  [h1:m1-h2:m2]
#       # day-abbrevs:
#       # S - Sunday
#       # M - Monday
#       # T - Tuesday
#       # W - Wednesday
#       # H - Thursday
#       # F - Friday
#       # A - Saturday
#       # h1:m1 must be less than h2:m2
#   acl aclname url_regex [-i] ^http:// ...     # regex matching on whole URL
#   acl aclname urlpath_regex [-i] \.gif$ ...   # regex matching on URL path
#   acl aclname urllogin [-i] [^a-zA-Z0-9] ...  # regex matching on URL login field
#   acl aclname port     80 70 21 ...
#   acl aclname port     0-1024 ...     # ranges allowed
#   acl aclname myport   3128 ...       # (local socket TCP port)
#   acl aclname myportname 3128 ...     # http(s)_port name
#   acl aclname proto    HTTP FTP ...
#   acl aclname method   GET POST ...
#   acl aclname browser  [-i] regexp ...
#     # pattern match on User-Agent header (see also req_header below)
#   acl aclname referer_regex  [-i] regexp ...
#     # pattern match on Referer header
#     # Referer is highly unreliable, so use with care
#   acl aclname ident    username ...
#   acl aclname ident_regex [-i] pattern ...
#     # string match on ident output.
#     # use REQUIRED to accept any non-null ident.
#   acl aclname src_as   number ...
#   acl aclname dst_as   number ...
#     # Except for access control, AS numbers can be used for
#     # routing of requests to specific caches. Here's an
#     # example for routing all requests for AS#1241 and only
#     # those to mycache.mydomain.net:
#     # acl asexample dst_as 1241
#     # cache_peer_access mycache.mydomain.net allow asexample
#     # cache_peer_access mycache.mydomain.net deny all
#
#   acl aclname proxy_auth [-i] username ...
#   acl aclname proxy_auth_regex [-i] pattern ...
#     # list of valid usernames
#     # use REQUIRED to accept any valid username.
#     #
#     # NOTE: when a Proxy-Authentication header is sent but it is not
#     # needed during ACL checking the username is NOT logged
#     # in access.log.
#     #
#     # NOTE: proxy_auth requires an EXTERNAL authentication program
#     # to check username/password combinations (see
#     # auth_param directive).
#     #
#     # NOTE: proxy_auth can't be used in a transparent proxy as
#     # the browser needs to be configured for using a proxy in order
#     # to respond to proxy authentication.
#
#   acl aclname snmp_community string ...
#     # A community string to limit access to your SNMP Agent
#     # Example:
#     #
#     # acl snmppublic snmp_community public
#
#   acl aclname maxconn number
#     # This will be matched when the client's IP address has
#     # more than <number> HTTP connections established.
#
#   acl aclname max_user_ip [-s] number
#     # This will be matched when the user attempts to log in from more
#     # than <number> different ip addresses. The authenticate_ip_ttl
#     # parameter controls the timeout on the ip entries.
#     # If -s is specified the limit is strict, denying browsing
#     # from any further IP addresses until the ttl has expired. Without
#     # -s Squid will just annoy the user by "randomly" denying requests.
#     # (the counter is reset each time the limit is reached and a
#     # request is denied)
#     # NOTE: in acceleration mode or where there is a mesh of child proxies,
#     # clients may appear to come from multiple addresses if they are
#     # going through proxy farms, so a limit of 1 may cause user problems.
#
#   acl aclname req_mime_type mime-type ...
#     # regex match against the mime type of the request generated
#     # by the client. Can be used to detect file upload or some
#     # types of HTTP tunneling requests.
#     # NOTE: This does NOT match the reply. You cannot use this
#     # to match the returned file type.
#
#   acl aclname req_header header-name [-i] any\.regex\.here
#     # regex match against any of the known request headers.  May be
#     # thought of as a superset of "browser", "referer" and "mime-type"
#     # ACLs.
#
#   acl aclname rep_mime_type mime-type ...
#     # regex match against the mime type of the reply received by
#     # squid. Can be used to detect file download or some
#     # types of HTTP tunneling requests.
#     # NOTE: This has no effect in http_access rules. It only has
#     # effect in rules that affect the reply data stream such as
#     # http_reply_access.
#
#   acl aclname rep_header header-name [-i] any\.regex\.here
#     # regex match against any of the known reply headers. May be
#     # thought of as a superset of "browser", "referer" and "mime-type"
#     # ACLs.
#     #
#     # Example:
#     #
#     # acl many_spaces rep_header Content-Disposition -i [[:space:]]{3,}
#
#   acl aclname external class_name [arguments...]
#     # external ACL lookup via a helper class defined by the
#     # external_acl_type directive.
#
#   acl aclname urlgroup group1 ...
#     # match against the urlgroup as indicated by redirectors
#
#   acl aclname user_cert attribute values...
#     # match against attributes in a user SSL certificate
#     # attribute is one of DN/C/O/CN/L/ST
#
#   acl aclname ca_cert attribute values...
#     # match against attributes of a user's issuing CA SSL certificate
#     # attribute is one of DN/C/O/CN/L/ST
#
#   acl aclname ext_user username ...
#   acl aclname ext_user_regex [-i] pattern ...
#     # string match on username returned by external acl helper
#     # use REQUIRED to accept any non-null user name.
#
#Examples:
#acl macaddress arp 09:00:2b:23:45:67
#acl myexample dst_as 1241
#acl password proxy_auth REQUIRED
#acl fileupload req_mime_type -i ^multipart/form-data$
#acl javascript rep_mime_type -i ^application/x-javascript$
#
#Recommended minimum configuration:
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
#
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src 192.168.1.0/24 # RFC1918 possible internal network
#
acl SSL_ports port 443      # https
acl SSL_ports port 563      # snews
acl SSL_ports port 873      # rsync
acl Safe_ports port 80      # http
acl Safe_ports port 21      # ftp
acl Safe_ports port 443     # https
acl Safe_ports port 70      # gopher
acl Safe_ports port 210     # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280     # http-mgmt
acl Safe_ports port 488     # gss-http
acl Safe_ports port 591     # filemaker
acl Safe_ports port 777     # multiling http
acl Safe_ports port 631     # cups
acl Safe_ports port 873     # rsync
acl Safe_ports port 901     # SWAT
acl purge method PURGE
acl CONNECT method CONNECT

  633. #  TAG: http_access
  634. #   Allowing or Denying access based on defined access lists
  635. #
  636. #   Access to the HTTP port:
  637. #   http_access allow|deny [!]aclname ...
  638. #
  639. #   NOTE on default values:
  640. #
  641. #   If there are no "access" lines present, the default is to deny
  642. #   the request.
  643. #
  644. #   If none of the "access" lines cause a match, the default is the
  645. #   opposite of the last line in the list.  If the last line was
  646. #   deny, the default is allow.  Conversely, if the last line
  647. #   is allow, the default will be deny.  For these reasons, it is a
  648. #   good idea to have a "deny all" or "allow all" entry at the end
  649. #   of your access lists to avoid potential confusion.
  650. #
  651. #Default:
  652. # http_access deny all
  653. #
  654. #Recommended minimum configuration:
  655. #
  656. # Only allow cachemgr access from localhost
  657. http_access allow manager localhost
  658. http_access deny manager
  659. # Only allow purge requests from localhost
  660. http_access allow purge localhost
  661. http_access deny purge
  662. # Deny requests to unknown ports
  663. http_access deny !Safe_ports
  664. # Deny CONNECT to other than SSL ports
  665. http_access deny CONNECT !SSL_ports
  666. #
  667. # We strongly recommend the following be uncommented to protect innocent
  668. # web applications running on the proxy server who think the only
  669. # one who can access services on "localhost" is a local user
  670. #http_access deny to_localhost
  671. #
  672. # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
  673.  
  674. # Example rule allowing access from your local networks.
  675. # Adapt localnet in the ACL section to list your (internal) IP networks
  676. # from where browsing should be allowed
  677. #http_access allow localnet
  678. http_access allow localhost
  679.  
  680. # And finally deny all other access to this proxy
  681. http_access deny all
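# Added example (not part of the Squid distribution file and not Squid's own code): a small
# Python model of the http_access evaluation described above, run over the rules active in this file.
# It models only the src, dst, port, method and proto acl types; the request fields and the 192.0.2.x addresses are constructed.

```python
import ipaddress

# Constructed excerpt: the acl / http_access lines that are active (uncommented)
# in this file, with the one-port-per-line acl entries condensed.
PAGE_RULES = """
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl SSL_ports port 443 563 873
acl Safe_ports port 80 21 443 70 210 1025-65535 280 488 591 777 631 873 901
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
"""

# Same rules with the recommended "deny to_localhost" line uncommented.
HARDENED = PAGE_RULES.replace(
    "http_access allow localhost",
    "http_access deny to_localhost\nhttp_access allow localhost",
)

# A list that ends in "deny" and has no catch-all entry (constructed).
NO_FINAL_RULE = "acl localhost src 127.0.0.1/32\nhttp_access deny localhost\n"


def parse(config):
    """Return ({acl name: (type, [values])}, [(action, [acl names])])."""
    acls, rules = {}, []
    for raw in config.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] == "acl":
            # Repeated lines for one acl name add values; values are ORed.
            acls.setdefault(words[1], (words[2], []))[1].extend(words[3:])
        elif words[0] == "http_access":
            rules.append((words[1], words[2:]))
    return acls, rules


def acl_matches(acls, name, req):
    """True if the request matches any value of the named acl."""
    kind, values = acls[name]
    if kind in ("src", "dst"):
        addr = ipaddress.ip_address(req[kind])
        return any(v == "all" or addr in ipaddress.ip_network(v) for v in values)
    if kind == "port":
        for v in values:
            low, _, high = v.partition("-")
            if int(low) <= req["port"] <= int(high or low):
                return True
        return False
    if kind in ("method", "proto"):
        return req[kind] in values
    raise ValueError("acl type not modelled: " + kind)


def http_access(config, req):
    """Return "allow" or "deny" for one request."""
    acls, rules = parse(config)
    if not rules:
        return "deny"  # no access lines present: deny
    for action, names in rules:
        # Every acl on a line must match (AND); "!" negates a single acl.
        if all(acl_matches(acls, n.lstrip("!"), req) != n.startswith("!")
               for n in names):
            return action  # first matching line decides
    # No line matched: the default is the opposite of the last line.
    return "allow" if rules[-1][0] == "deny" else "deny"


def request(src, dst, port, method="GET", proto="http"):
    """Build a constructed request record (dst is the resolved server IP)."""
    return {"src": src, "dst": dst, "port": port,
            "method": method, "proto": proto}


if __name__ == "__main__":
    loopback = request("127.0.0.1", "127.0.0.1", 8080)
    print("as posted:", http_access(PAGE_RULES, loopback))
    print("hardened :", http_access(HARDENED, loopback))
    print("no catch-all:", http_access(NO_FINAL_RULE,
                                       request("192.0.2.9", "192.0.2.80", 80)))
```

# With "http_access allow localnet" left commented out as above, a 192.168.1.x client falls through to "deny all".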
  682.  
  683. #  TAG: http_access2
  684. #   Allowing or Denying access based on defined access lists
  685. #
  686. #   Identical to http_access, but runs after redirectors. If not set
  687. #   then only http_access is used.
  688. #
  689. #Default:
  690. # none
  691.  
  692. #  TAG: http_reply_access
  693. #   Allow replies to client requests. This is complementary to http_access.
  694. #
  695. #   http_reply_access allow|deny [!] aclname ...
  696. #
  697. #   NOTE: if there are no access lines present, the default is to allow
  698. #   all replies
  699. #
  700. #   If none of the access lines cause a match the opposite of the
  701. #   last line will apply. Thus it is good practice to end the rules
  702. #   with an "allow all" or "deny all" entry.
  703. #
  704. #Default:
  705. # http_reply_access allow all
  706.  
  707. #  TAG: icp_access
  708. #   Allowing or Denying access to the ICP port based on defined
  709. #   access lists
  710. #
  711. #   icp_access  allow|deny [!]aclname ...
  712. #
  713. #   See http_access for details
  714. #
  715. #Default:
  716. # icp_access deny all
  717. #
  718. #Allow ICP queries from local networks only
  719. icp_access allow localnet
  720. icp_access deny all
  721.  
  722. #  TAG: htcp_access
  723. #   Allowing or Denying access to the HTCP port based on defined
  724. #   access lists
  725. #
  726. #   htcp_access  allow|deny [!]aclname ...
  727. #
  728. #   See http_access for details
  729. #
  730. #   NOTE: The default if no htcp_access lines are present is to
  731. #   deny all traffic. This default may cause problems with peers
  732. #   using the htcp or htcp-oldsquid options.
  733. #
  734. #Default:
  735. # htcp_access deny all
  736. #
  737. #Allow HTCP queries from local networks only
  738. # htcp_access allow localnet
  739. # htcp_access deny all
  740.  
  741. #  TAG: htcp_clr_access
  742. #   Allowing or Denying access to purge content using HTCP based
  743. #   on defined access lists
  744. #
  745. #   htcp_clr_access  allow|deny [!]aclname ...
  746. #
  747. #   See http_access for details
  748. #
  749. ##Allow HTCP CLR requests from trusted peers
  750. #acl htcp_clr_peer src 172.16.1.2
  751. #htcp_clr_access allow htcp_clr_peer
  752. #
  753. #Default:
  754. # htcp_clr_access deny all
  755.  
  756. #  TAG: miss_access
  757. #   Use to force your neighbors to use you as a sibling instead of
  758. #   a parent.  For example:
  759. #
  760. #       acl localclients src 172.16.0.0/16
  761. #       miss_access allow localclients
  762. #       miss_access deny  !localclients
  763. #
  764. #   This means only your local clients are allowed to fetch
  765. #   MISSES and all other clients can only fetch HITS.
  766. #
  767. #   By default, allow all clients who passed the http_access rules
  768. #   to fetch MISSES from us.
  769. #
  770. #Default setting:
  771. # miss_access allow all
  772.  
  773. #  TAG: ident_lookup_access
  774. #   A list of ACL elements which, if matched, cause an ident
  775. #   (RFC931) lookup to be performed for this request.  For
  776. #   example, you might choose to always perform ident lookups
  777. #   for your main multi-user Unix boxes, but not for your Macs
  778. #   and PCs.  By default, ident lookups are not performed for
  779. #   any requests.
  780. #
  781. #   To enable ident lookups for specific client addresses, you
  782. #   can follow this example:
  783. #
  784. #   acl ident_aware_hosts src 198.168.1.0/255.255.255.0
  785. #   ident_lookup_access allow ident_aware_hosts
  786. #   ident_lookup_access deny all
  787. #
  788. #   Only src type ACL checks are fully supported.  A src_domain
  789. #   ACL might work at times, but it will not always provide
  790. #   the correct result.
  791. #
  792. #Default:
  793. # ident_lookup_access deny all
  794.  
  795. #  TAG: reply_body_max_size bytes deny acl acl...
  796. #   This option specifies the maximum size of a reply body in bytes.
  797. #   It can be used to prevent users from downloading very large files,
  798. #   such as MP3's and movies. When the reply headers are received,
  799. #   the reply_body_max_size lines are processed, and the first line with
  800. #   a result of "deny" is used as the maximum body size for this reply.
  801. #   This size is checked twice. First when we get the reply headers,
  802. #   we check the content-length value.  If the content length value exists
  803. #   and is larger than the allowed size, the request is denied and the
  804. #   user receives an error message that says "the request or reply
  805. #   is too large." If there is no content-length, and the reply
  806. #   size exceeds this limit, the client's connection is just closed
  807. #   and they will receive a partial reply.
  808. #
  809. #   WARNING: downstream caches probably can not detect a partial reply
  810. #   if there is no content-length header, so they will cache
  811. #   partial responses and give them out as hits.  You should NOT
  812. #   use this option if you have downstream caches.
  813. #
  814. #   If you set this parameter to zero (the default), there will be
  815. #   no limit imposed.
  816. #
  817. #Default:
  818. # reply_body_max_size 0 allow all
  819.  
  820. #  TAG: authenticate_ip_shortcircuit_access
  821. #   Access list determining when short-circuiting the authentication process
  822. #   based on source IP cached credentials is acceptable. Use this to deny
  823. #   using the IP auth cache on requests from child proxies or other source
  824. #   IPs having multiple users.
  825. #
  826. #   See also authenticate_ip_shortcircuit_ttl directive
  827. #
  828. #Default:
  829. # none
  830.  
  831.  
  832. # OPTIONS FOR X-Forwarded-For
  833. # -----------------------------------------------------------------------------
  834.  
  835. #  TAG: follow_x_forwarded_for
  836. #   Allowing or Denying the X-Forwarded-For header to be followed to
  837. #   find the original source of a request.
  838. #
  839. #   Requests may pass through a chain of several other proxies
  840. #   before reaching us.  The X-Forwarded-For header will contain a
  841. #   comma-separated list of the IP addresses in the chain, with the
  842. #   rightmost address being the most recent.
  843. #
  844. #   If a request reaches us from a source that is allowed by this
  845. #   configuration item, then we consult the X-Forwarded-For header
  846. #   to see where that host received the request from.  If the
  847. #   X-Forwarded-For header contains multiple addresses, and if
  848. #   acl_uses_indirect_client is on, then we continue backtracking
  849. #   until we reach an address for which we are not allowed to
  850. #   follow the X-Forwarded-For header, or until we reach the first
  851. #   address in the list.  (If acl_uses_indirect_client is off, then
  852. #   it's impossible to backtrack through more than one level of
  853. #   X-Forwarded-For addresses.)
  854. #
  855. #   The end result of this process is an IP address that we will
  856. #   refer to as the indirect client address.  This address may
  857. #   be treated as the client address for access control, delay
  858. #   pools and logging, depending on the acl_uses_indirect_client,
  859. #   delay_pool_uses_indirect_client and log_uses_indirect_client
  860. #   options.
  861. #
  862. #   SECURITY CONSIDERATIONS:
  863. #
  864. #       Any host for which we follow the X-Forwarded-For header
  865. #       can place incorrect information in the header, and Squid
  866. #       will use the incorrect information as if it were the
  867. #       source address of the request.  This may enable remote
  868. #       hosts to bypass any access control restrictions that are
  869. #       based on the client's source addresses.
  870. #
  871. #   For example:
  872. #
  873. #       acl localhost src 127.0.0.1
  874. #       acl my_other_proxy srcdomain .proxy.example.com
  875. #       follow_x_forwarded_for allow localhost
  876. #       follow_x_forwarded_for allow my_other_proxy
  877. #
  878. #Default:
  879. # follow_x_forwarded_for deny all
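# Added example (not part of the Squid distribution file and not Squid's own code): the backtracking
# rule described above as a Python function, showing how the set of hosts allowed by follow_x_forwarded_for decides which address ACLs see.
# Assumptions: the allow list is modelled as source networks only, backtracking stops at an unparsable entry, and all addresses are constructed.

```python
import ipaddress

# Constructed trust lists: a narrow one (loopback plus one known front proxy)
# and an over-broad one that follows the header for every source.
NARROW = ["127.0.0.1/32", "192.0.2.10/32"]
TOO_BROAD = ["0.0.0.0/0"]


def indirect_client(direct_addr, xff_header, follow_allowed,
                    acl_uses_indirect_client=True):
    """Return the indirect client address for one request.

    direct_addr     address of the TCP peer that connected to the proxy
    xff_header      X-Forwarded-For value, rightmost entry most recent
    follow_allowed  networks that follow_x_forwarded_for allows (assumed
                    src-only stand-in for the configured ACL list)
    """
    allowed = [ipaddress.ip_network(n) for n in follow_allowed]

    def may_follow(addr):
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in allowed)

    chain = [p.strip() for p in xff_header.split(",") if p.strip()]
    current = direct_addr
    # Step leftwards through the header only while the address we are
    # standing on is one we are allowed to follow the header for.
    while chain and may_follow(current):
        candidate = chain.pop()
        try:
            ipaddress.ip_address(candidate)
        except ValueError:
            break  # assumption of this sketch: stop at an unparsable entry
        current = candidate
        if not acl_uses_indirect_client:
            break  # off: no more than one level of backtracking
    return current


if __name__ == "__main__":
    # The front proxy 192.0.2.10 appended 198.51.100.7 (its real peer);
    # "10.1.1.5" was already in the header when that peer sent the request.
    header = "10.1.1.5, 198.51.100.7"
    print("narrow trust:", indirect_client("192.0.2.10", header, NARROW))
    print("broad trust :", indirect_client("192.0.2.10", header, TOO_BROAD))
```

# With the narrow list the client-supplied 10.1.1.5 is never used; with the broad list it becomes the
# address that src ACLs, delay pools and the access log see, which is the risk noted under SECURITY CONSIDERATIONS.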
  880.  
  881. #  TAG: acl_uses_indirect_client    on|off
  882. #   Controls whether the indirect client address
  883. #   (see follow_x_forwarded_for) is used instead of the
  884. #   direct client address in acl matching.
  885. #
  886. #Default:
  887. # acl_uses_indirect_client on
  888.  
  889. #  TAG: delay_pool_uses_indirect_client on|off
  890. #   Controls whether the indirect client address
  891. #   (see follow_x_forwarded_for) is used instead of the
  892. #   direct client address in delay pools.
  893. #
  894. #Default:
  895. # delay_pool_uses_indirect_client on
  896.  
  897. #  TAG: log_uses_indirect_client    on|off
  898. #   Controls whether the indirect client address
  899. #   (see follow_x_forwarded_for) is used instead of the
  900. #   direct client address in the access log.
  901. #
  902. #Default:
  903. # log_uses_indirect_client on
  904.  
  905.  
  906. # SSL OPTIONS
  907. # -----------------------------------------------------------------------------
  908.  
  909. #  TAG: ssl_unclean_shutdown
  910. # Note: This option is only available if Squid is rebuilt with the
  911. #       --enable-ssl option
  912. #
  913. #   Some browsers (especially MSIE) bug out on SSL shutdown
  914. #   messages.
  915. #
  916. #Default:
  917. # ssl_unclean_shutdown off
  918.  
  919. #  TAG: ssl_engine
  920. # Note: This option is only available if Squid is rebuilt with the
  921. #       --enable-ssl option
  922. #
  923. #   The OpenSSL engine to use. You will need to set this if you
  924. #   would like to use hardware SSL acceleration for example.
  925. #
  926. #Default:
  927. # none
  928.  
  929. #  TAG: sslproxy_client_certificate
  930. # Note: This option is only available if Squid is rebuilt with the
  931. #       --enable-ssl option
  932. #
  933. #   Client SSL Certificate to use when proxying https:// URLs
  934. #
  935. #Default:
  936. # none
  937.  
  938. #  TAG: sslproxy_client_key
  939. # Note: This option is only available if Squid is rebuilt with the
  940. #       --enable-ssl option
  941. #
  942. #   Client SSL Key to use when proxying https:// URLs
  943. #
  944. #Default:
  945. # none
  946.  
  947. #  TAG: sslproxy_version
  948. # Note: This option is only available if Squid is rebuilt with the
  949. #       --enable-ssl option
  950. #
  951. #   SSL version level to use when proxying https:// URLs
  952. #
  953. #Default:
  954. # sslproxy_version 1
  955.  
  956. #  TAG: sslproxy_options
  957. # Note: This option is only available if Squid is rebuilt with the
  958. #       --enable-ssl option
  959. #
  960. #   SSL engine options to use when proxying https:// URLs
  961. #
  962. #Default:
  963. # none
  964.  
  965. #  TAG: sslproxy_cipher
  966. # Note: This option is only available if Squid is rebuilt with the
  967. #       --enable-ssl option
  968. #
  969. #   SSL cipher list to use when proxying https:// URLs
  970. #
  971. #Default:
  972. # none
  973.  
  974. #  TAG: sslproxy_cafile
  975. # Note: This option is only available if Squid is rebuilt with the
  976. #       --enable-ssl option
  977. #
  978. #   file containing CA certificates to use when verifying server
  979. #   certificates while proxying https:// URLs
  980. #
  981. #Default:
  982. # none
  983.  
  984. #  TAG: sslproxy_capath
  985. # Note: This option is only available if Squid is rebuilt with the
  986. #       --enable-ssl option
  987. #
  988. #   directory containing CA certificates to use when verifying
  989. #   server certificates while proxying https:// URLs
  990. #
  991. #Default:
  992. # none
  993.  
  994. #  TAG: sslproxy_flags
  995. # Note: This option is only available if Squid is rebuilt with the
  996. #       --enable-ssl option
  997. #
  998. #   Various flags modifying the use of SSL while proxying https:// URLs:
  999. #       DONT_VERIFY_PEER    Accept certificates even if they fail to
  1000. #               verify.
  1001. #       NO_DEFAULT_CA       Don't use the default CA list built in
  1002. #               to OpenSSL.
  1003. #
  1004. #Default:
  1005. # none
  1006.  
  1007. #  TAG: sslpassword_program
  1008. # Note: This option is only available if Squid is rebuilt with the
  1009. #       --enable-ssl option
  1010. #
  1011. #   Specify a program used for entering SSL key passphrases
  1012. #   when using encrypted SSL certificate keys. If not specified
  1013. #   keys must either be unencrypted, or Squid started with the -N
  1014. #   option to allow it to query interactively for the passphrase.
  1015. #
  1016. #Default:
  1017. # none
  1018.  
  1019.  
  1020. # NETWORK OPTIONS
  1021. # -----------------------------------------------------------------------------
  1022.  
  1023. #  TAG: http_port
  1024. #   Usage:  port [options]
  1025. #       hostname:port [options]
  1026. #       1.2.3.4:port [options]
  1027. #
  1028. #   The socket addresses where Squid will listen for HTTP client
  1029. #   requests.  You may specify multiple socket addresses.
  1030. #   There are three forms: port alone, hostname with port, and
  1031. #   IP address with port.  If you specify a hostname or IP
  1032. #   address, Squid binds the socket to that specific
  1033. #   address.  This replaces the old 'tcp_incoming_address'
  1034. #   option.  Most likely, you do not need to bind to a specific
  1035. #   address, so you can use the port number alone.
  1036. #
  1037. #   If you are running Squid in accelerator mode, you
  1038. #   probably want to listen on port 80 also, or instead.
  1039. #
  1040. #   The -I command line option will override the *first* port
  1041. #   specified here.
  1042. #
  1043. #   You may specify multiple socket addresses on multiple lines.
  1044. #
  1045. #   Options:
  1046. #
  1047. #      transparent  Support for transparent interception of
  1048. #           outgoing requests without browser settings.
  1049. #
  1050. #      tproxy   Support Linux TPROXY for spoofing outgoing
  1051. #           connections using the client IP address.
  1052. #
  1053. #      accel    Accelerator mode. See also the related vhost,
  1054. #           vport and defaultsite directives.
  1055. #
  1056. #      defaultsite=domainname
  1057. #           What to use for the Host: header if it is not present
  1058. #           in a request. Determines what site (not origin server)
  1059. #           accelerators should consider the default.
  1060. #           Defaults to visible_hostname:port if not set
  1061. #           May be combined with vport=NN to override the port number.
  1062. #           Implies accel.
  1063. #
  1064. #      vhost    Accelerator mode using Host header for virtual
  1065. #           domain support. Implies accel.
  1066. #
  1067. #      vport    Accelerator with IP based virtual host support.
  1068. #           Implies accel.
  1069. #
  1070. #      vport=NN As above, but uses specified port number rather
  1071. #           than the http_port number. Implies accel.
  1072. #
  1073. #      allow-direct Allow direct forwarding in accelerator mode. Normally
  1074. #           accelerated requests are denied direct forwarding as if
  1075. #           never_direct was used.
  1076. #
  1077. #      urlgroup=    Default urlgroup to mark requests with (see
  1078. #           also acl urlgroup and url_rewrite_program)
  1079. #
  1080. #      protocol=    Protocol to reconstruct accelerated requests with.
  1081. #           Defaults to http.
  1082. #
  1083. #      no-connection-auth
  1084. #           Prevent forwarding of Microsoft connection oriented
  1085. #           authentication (NTLM, Negotiate and Kerberos)
  1086. #
  1087. #      act-as-origin
  1088. #           Act as if this Squid is the origin server.
  1089. #           This currently means generate own Date: and
  1090. #           Expires: headers. Implies accel.
  1091. #
  1092. #      http11   Enables HTTP/1.1 support to clients. The HTTP/1.1
  1093. #           support is still incomplete with an internal HTTP/1.0
  1094. #           hop, but should work with most clients. The main
  1095. #           HTTP/1.1 features missing due to this is forwarding
  1096. #           of requests using chunked transfer encoding (results
  1097. #           in 411) and forwarding of 1xx responses (silently
  1098. #           dropped)
  1099. #
  1100. #      name=    Specifies an internal name for the port. Defaults to
  1101. #           the port specification (port or addr:port)
  1102. #
  1103. #      tcpkeepalive[=idle,interval,timeout]
  1104. #           Enable TCP keepalive probes of idle connections
  1105. #           idle is the initial time before TCP starts probing
  1106. #           the connection, interval how often to probe, and
  1107. #           timeout the time before giving up.
  1108. #
  1109. #   If you run Squid on a dual-homed machine with an internal
  1110. #   and an external interface we recommend you to specify the
  1111. #   internal address:port in http_port. This way Squid will only be
  1112. #   visible on the internal address.
  1113. #
  1114. # Squid normally listens to port 3128
  1115. http_port 3128
  1116.  
  1117. #  TAG: https_port
  1118. # Note: This option is only available if Squid is rebuilt with the
  1119. #       --enable-ssl option
  1120. #
  1121. #   Usage:  [ip:]port cert=certificate.pem [key=key.pem] [options...]
  1122. #
  1123. #   The socket address where Squid will listen for HTTPS client
  1124. #   requests.
  1125. #
  1126. #   This is really only useful for situations where you are running
  1127. #   squid in accelerator mode and you want to do the SSL work at the
  1128. #   accelerator level.
  1129. #
  1130. #   You may specify multiple socket addresses on multiple lines,
  1131. #   each with their own SSL certificate and/or options.
  1132. #
  1133. #   Options:
  1134. #
  1135. #   In addition to the options specified for http_port the following
  1136. #   SSL related options are supported:
  1137. #
  1138. #      cert=    Path to SSL certificate (PEM format).
  1139. #
  1140. #      key=     Path to SSL private key file (PEM format)
  1141. #           if not specified, the certificate file is
  1142. #           assumed to be a combined certificate and
  1143. #           key file.
  1144. #
  1145. #      version= The version of SSL/TLS supported
  1146. #               1   automatic (default)
  1147. #               2   SSLv2 only
  1148. #               3   SSLv3 only
  1149. #               4   TLSv1 only
  1150. #
  1151. #      cipher=  Colon separated list of supported ciphers.
  1152. #
  1153. #      options= Various SSL engine options. The most important
  1154. #           being:
  1155. #               NO_SSLv2  Disallow the use of SSLv2
  1156. #               NO_SSLv3  Disallow the use of SSLv3
  1157. #               NO_TLSv1  Disallow the use of TLSv1
  1158. #               SINGLE_DH_USE Always create a new key when using
  1159. #                     temporary/ephemeral DH key exchanges
  1160. #           See src/ssl_support.c or OpenSSL SSL_CTX_set_options
  1161. #           documentation for a complete list of options.
  1162. #
  1163. #      clientca=    File containing the list of CAs to use when
  1164. #           requesting a client certificate.
  1165. #
  1166. #      cafile=  File containing additional CA certificates to
  1167. #           use when verifying client certificates. If unset
  1168. #           clientca will be used.
  1169. #
  1170. #      capath=  Directory containing additional CA certificates
  1171. #           and CRL lists to use when verifying client certificates.
  1172. #
  1173. #      crlfile= File of additional CRL lists to use when verifying
  1174. #           the client certificate, in addition to CRLs stored in
  1175. #           the capath. Implies VERIFY_CRL flag below.
  1176. #
  1177. #      dhparams=    File containing DH parameters for temporary/ephemeral
  1178. #           DH key exchanges.
  1179. #
  1180. #      sslflags=    Various flags modifying the use of SSL:
  1181. #               DELAYED_AUTH
  1182. #               Don't request client certificates
  1183. #               immediately, but wait until acl processing
  1184. #               requires a certificate (not yet implemented).
  1185. #               NO_DEFAULT_CA
  1186. #               Don't use the default CA lists built in
  1187. #               to OpenSSL.
  1188. #               NO_SESSION_REUSE
  1189. #               Don't allow for session reuse. Each connection
  1190. #               will result in a new SSL session.
  1191. #               VERIFY_CRL
  1192. #               Verify CRL lists when accepting client
  1193. #               certificates.
  1194. #               VERIFY_CRL_ALL
  1195. #               Verify CRL lists for all certificates in the
  1196. #               client certificate chain.
  1197. #
  1198. #      sslcontext=  SSL session ID context identifier.
  1199. #
  1200. #
  1201. #Default:
  1202. # none
  1203.  
  1204. #  TAG: tcp_outgoing_tos
  1205. #   Allows you to select a TOS/Diffserv value to mark outgoing
  1206. #   connections with, based on the username or source address
  1207. #   making the request.
  1208. #
  1209. #   tcp_outgoing_tos ds-field [!]aclname ...
  1210. #
  1211. #   Example where normal_service_net uses the TOS value 0x00
  1212. #   and good_service_net uses 0x20
  1213. #
  1214. #   acl normal_service_net src 10.0.0.0/255.255.255.0
  1215. #   acl good_service_net src 10.0.1.0/255.255.255.0
  1216. #   tcp_outgoing_tos 0x00 normal_service_net
  1217. #   tcp_outgoing_tos 0x20 good_service_net
  1218. #
  1219. #   TOS/DSCP values really only have local significance - so you should
  1220. #   know what you're specifying. For more information, see RFC2474 and
  1221. #   RFC3260.
  1222. #
  1223. #   The TOS/DSCP byte must be exactly that - an octet value 0 - 255, or
  1224. #   "default" to use whatever default your host has. Note that in
  1225. #   practice often only values 0 - 63 are usable as the two highest bits
  1226. #   have been redefined for use by ECN (RFC3168).
  1227. #
  1228. #   Processing proceeds in the order specified, and stops at first fully
  1229. #   matching line.
  1230. #
  1231. #   Note: The use of this directive using client dependent ACLs is
  1232. #   incompatible with the use of server side persistent connections. To
  1233. #   ensure correct results it is best to set server_persistent_connections
  1234. #   to off when using this directive in such configurations.
  1235. #
  1236. #Default:
  1237. # none
  1238.  
  1239. #  TAG: tcp_outgoing_address
  1240. #   Allows you to map requests to different outgoing IP addresses
  1241. #   based on the username or source address of the user making
  1242. #   the request.
  1243. #
  1244. #   tcp_outgoing_address ipaddr [[!]aclname] ...
  1245. #
  1246. #   Example where requests from 10.0.0.0/24 will be forwarded
  1247. #   with source address 10.1.0.1, 10.0.2.0/24 forwarded with
  1248. #   source address 10.1.0.2 and the rest will be forwarded with
  1249. #   source address 10.1.0.3.
  1250. #
  1251. #   acl normal_service_net src 10.0.0.0/24
  1252. #   acl good_service_net src 10.0.1.0/24 10.0.2.0/24
  1253. #   tcp_outgoing_address 10.1.0.1 normal_service_net
  1254. #   tcp_outgoing_address 10.1.0.2 good_service_net
  1255. #   tcp_outgoing_address 10.1.0.3
  1256. #
  1257. #   Processing proceeds in the order specified, and stops at first fully
  1258. #   matching line.
  1259. #
  1260. #   Note: The use of this directive using client dependent ACLs is
  1261. #   incompatible with the use of server side persistent connections. To
  1262. #   ensure correct results it is best to set server_persistent_connections
  1263. #   to off when using this directive in such configurations.
  1264. #
  1265. #Default:
  1266. # none
  1267.  
  1268. #  TAG: zph_mode
  1269. #   This option enables packet level marking of HIT/MISS responses,
  1270. #   either using IP TOS or socket priority.
  1271. #       off     Feature disabled
  1272. #       tos     Set the IP TOS/Diffserv field
  1273. #       priority    Set the socket priority (may get mapped to TOS by OS,
  1274. #           otherwise only usable in local rulesets)
  1275. #       option  Embed the mark in an IP option field. See also
  1276. #               zph_option.
  1277. #
  1278. #   See also tcp_outgoing_tos for details/requirements about TOS usage.
  1279. #
  1280. #Default:
  1281. # zph_mode off
  1282.  
  1283. #  TAG: zph_local
  1284. #   Allows you to select a TOS/Diffserv/Priority value to mark local hits.
  1285. #   Default: 0 (disabled).
  1286. #
  1287. #Default:
  1288. # zph_local 0
  1289.  
  1290. #  TAG: zph_sibling
  1291. #   Allows you to select a TOS/Diffserv/Priority value to mark sibling hits.
  1292. #   Default: 0 (disabled).
  1293. #
  1294. #Default:
  1295. # zph_sibling 0
  1296.  
  1297. #  TAG: zph_parent
  1298. #   Allows you to select a TOS/Diffserv/Priority value to mark parent hits.
  1299. #   Default: 0 (disabled).
  1300. #
  1301. #Default:
  1302. # zph_parent 0
  1303.  
  1304. #  TAG: zph_option
  1305. #   The IP option to use when zph_mode is set to "option". Defaults to
  1306. #   136 which is officially registered as "SATNET Stream ID".
  1307. #
  1308. #Default:
  1309. # zph_option 136
  1310.  
  1311.  
  1312. # OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
  1313. # -----------------------------------------------------------------------------
  1314.  
  1315. #  TAG: cache_peer
  1316. #   To specify other caches in a hierarchy, use the format:
  1317. #
  1318. #       cache_peer hostname type http-port icp-port [options]
  1319. #
  1320. #   For example,
  1321. #
  1322. #   #                                        proxy  icp
  1323. #   #          hostname             type     port   port  options
  1324. #   #          -------------------- -------- ----- -----  -----------
  1325. #   cache_peer parent.foo.net       parent    3128  3130  proxy-only default
  1326. #   cache_peer sib1.foo.net         sibling   3128  3130  proxy-only
  1327. #   cache_peer sib2.foo.net         sibling   3128  3130  proxy-only
  1328. #
  1329. #         type:  either 'parent', 'sibling', or 'multicast'.
  1330. #
  1331. #   proxy-port:  The port number where the cache listens for proxy
  1332. #            requests.
  1333. #
  1334. #     icp-port:  Used for querying neighbor caches about
  1335. #            objects.  To have a non-ICP neighbor
  1336. #            specify '7' for the ICP port and make sure the
  1337. #            neighbor machine has the UDP echo port
  1338. #            enabled in its /etc/inetd.conf file.
  1339. #       NOTE: Also requires icp_port option enabled to send/receive
  1340. #             requests via this method.
  1341. #
  1342. #       options: proxy-only
  1343. #            weight=n
  1344. #            ttl=n
  1345. #            no-query
  1346. #            default
  1347. #            round-robin
  1348. #            carp
  1349. #            multicast-responder
  1350. #            multicast-siblings
  1351. #            closest-only
  1352. #            no-digest
  1353. #            no-netdb-exchange
  1354. #            no-delay
  1355. #            login=user:password | PASS | *:password
  1356. #            connect-timeout=nn
  1357. #            digest-url=url
  1358. #            allow-miss
  1359. #            max-conn=n
  1360. #            htcp
  1361. #            htcp-oldsquid
  1362. #            originserver
  1363. #            userhash
  1364. #            sourcehash
  1365. #            name=xxx
  1366. #            monitorurl=url
  1367. #            monitorsize=sizespec
  1368. #            monitorinterval=seconds
  1369. #            monitortimeout=seconds
  1370. #            forceddomain=name
  1371. #            ssl
  1372. #            sslcert=/path/to/ssl/certificate
  1373. #            sslkey=/path/to/ssl/key
  1374. #            sslversion=1|2|3|4
  1375. #            sslcipher=...
  1376. #            ssloptions=...
  1377. #            front-end-https[=on|auto]
  1378. #            connection-auth[=on|off|auto]
  1379. #            idle=n
  1380. #            http11
  1381. #
  1382. #            use 'proxy-only' to specify objects fetched
  1383. #            from this cache should not be saved locally.
  1384. #
  1385. #            use 'weight=n' to affect the selection of a peer
  1386. #            during any weighted peer-selection mechanisms.
  1387. #            The weight must be an integer; default is 1,
  1388. #            larger weights are favored more.
  1389. #            This option does not affect parent selection if a peering
  1390. #            protocol is not in use.
  1391. #
  1392. #            use 'ttl=n' to specify an IP multicast TTL to use
  1393. #            when sending ICP queries to this address.
  1394. #            Only useful when sending to a multicast group.
  1395. #            Because we don't accept ICP replies from random
  1396. #            hosts, you must configure other group members as
  1397. #            peers with the 'multicast-responder' option below.
  1398. #
  1399. #            use 'no-query' to NOT send ICP queries to this
  1400. #            neighbor.
  1401. #
  1402. #            use 'default' if this is a parent cache which can
  1403. #            be used as a "last-resort" if a peer cannot be located
  1404. #            by any of the peer-selection mechanisms.
  1405. #            If specified more than once, only the first is used.
  1406. #
  1407. #            use 'round-robin' to define a set of parents which
  1408. #            should be used in a round-robin fashion in the
  1409. #            absence of any ICP queries.
  1410. #
  1411. #            use 'carp' to define a set of parents which should
  1412. #            be used as a CARP array. The requests will be
  1413. #            distributed among the parents based on the CARP load
  1414. #            balancing hash function based on their weight.
  1415. #
  1416. #            'multicast-responder' indicates the named peer
  1417. #            is a member of a multicast group.  ICP queries will
  1418. #            not be sent directly to the peer, but ICP replies
  1419. #            will be accepted from it.
  1420. #
  1421. #            the 'multicast-siblings' option is meant to be used
  1422. #            only for cache peers of type "multicast". It instructs
  1423. #            Squid that ALL members of this multicast group have
  1424. #            "sibling" relationship with it, not "parent".  This is
  1425. #            an optimization that avoids useless multicast queries
  1426. #            to a multicast group when the requested object would
  1427. #            be fetched only from a "parent" cache, anyway.  It's
  1428. #            useful, e.g., when configuring a pool of redundant
  1429. #            Squid proxies, being members of the same
  1430. #            multicast group.
  1431. #
  1432. #            'closest-only' indicates that, for ICP_OP_MISS
  1433. #            replies, we'll only forward CLOSEST_PARENT_MISSes
  1434. #            and never FIRST_PARENT_MISSes.
  1435. #
  1436. #            use 'no-digest' to NOT request cache digests from
  1437. #            this neighbor.
  1438. #
  1439. #            'no-netdb-exchange' disables requesting ICMP
  1440. #            RTT database (NetDB) from the neighbor.
  1441. #
  1442. #            use 'no-delay' to prevent access to this neighbor
  1443. #            from influencing the delay pools.
  1444. #
  1445. #            use 'login=user:password' if this is a personal/workgroup
  1446. #            proxy and your parent requires proxy authentication.
  1447. #            Note: The string can include URL escapes (e.g. %20 for
  1448. #            spaces). This also means % must be written as %%.
  1449. #
  1450. #            use 'login=PASS' if users must authenticate against
  1451. #            the upstream proxy or in the case of a reverse proxy
  1452. #            configuration, the origin web server.  This will pass
  1453. #            the user's credentials as they are to the peer.
  1454. #            Note: To combine this with local authentication the Basic
  1455. #            authentication scheme must be used, and both servers must
  1456. #            share the same user database as HTTP only allows for
  1457. #            a single login (one for proxy, one for origin server).
  1458. #            Also be warned this will expose your users' proxy
  1459. #            password to the peer. USE WITH CAUTION
  1460. #
  1461. #            use 'login=*:password' to pass the username to the
  1462. #            upstream cache, but with a fixed password. This is meant
  1463. #            to be used when the peer is in another administrative
  1464. #            domain, but it is still needed to identify each user.
  1465. #            The star can optionally be followed by some extra
  1466. #            information which is added to the username. This can
  1467. #            be used to identify this proxy to the peer, similar to
  1468. #            the login=username:password option above.
  1469. #
  1470. #            use 'connect-timeout=nn' to specify a peer
  1471. #            specific connect timeout (also see the
  1472. #            peer_connect_timeout directive)
  1473. #
  1474. #            use 'digest-url=url' to tell Squid to fetch the cache
  1475. #            digest (if digests are enabled) for this host from
  1476. #            the specified URL rather than the Squid default
  1477. #            location.
  1478. #
  1479. #            use 'allow-miss' to disable Squid's use of only-if-cached
  1480. #            when forwarding requests to siblings. This is primarily
  1481. #            useful when icp_hit_stale is used by the sibling. Too
  1482. #            extensive use of this option may result in forwarding
  1483. #            loops, and you should avoid having two-way peerings
  1484. #            with this option. (for example to deny peer usage on
  1485. #            requests from peer by denying cache_peer_access if the
  1486. #            source is a peer)
  1487. #
  1488. #            use 'max-conn=n' to limit the number of connections Squid
  1489. #            may open to this peer.
  1490. #
  1491. #            use 'htcp' to send HTCP, instead of ICP, queries
  1492. #            to the neighbor.  You probably also want to
  1493. #            set the "icp port" to 4827 instead of 3130.
  1494. #            You must also allow this Squid htcp_access and
  1495. #            http_access in the peer Squid configuration.
  1496. #
  1497. #            use 'htcp-oldsquid' to send HTCP to old Squid versions.
  1498. #            You must also allow this Squid htcp_access and
  1499. #            http_access in the peer Squid configuration.
  1500. #
  1501. #            'originserver' causes this parent peer to be contacted as
  1502. #            an origin server. Meant to be used in accelerator setups.
  1503. #
  1504. #            use 'userhash' to load-balance amongst a set of parents
  1505. #            based on the client proxy_auth or ident username.
  1506. #
  1507. #            use 'sourcehash' to load-balance amongst a set of parents
  1508. #            based on the client source ip.
  1509. #
  1510. #            use 'name=xxx' if you have multiple peers on the same
  1511. #            host but different ports. This name can be used to
  1512. #            differentiate the peers in cache_peer_access and similar
  1513. #            directives.
  1514. #
  1515. #            use 'monitorurl=url' to have Squid periodically request a given
  1516. #            URL from the peer, and only consider the peer as alive
  1517. #            if this monitoring is successful (default none)
  1518. #
  1519. #            use 'monitorsize=min[-max]' to limit the size range of
  1520. #            'monitorurl' replies considered valid. Defaults to 0 to
  1521. #            accept any size replies as valid.
  1522. #
  1523. #            use 'monitorinterval=seconds' to change frequency of
  1524. #            how often the peer is monitored with 'monitorurl'
  1525. #            (default 300 for a 5 minute interval). If set to 0
  1526. #            then monitoring is disabled even if a URL is defined.
  1527. #
  1528. #            use 'monitortimeout=seconds' to change the timeout of
  1529. #            'monitorurl'. Defaults to 'monitorinterval'.
  1530. #
  1531. #            use 'forceddomain=name' to forcibly set the Host header
  1532. #            of requests forwarded to this peer. Useful in accelerator
  1533. #            setups where the server (peer) expects a certain domain
  1534. #            name and using redirectors to feed this domain name
  1535. #            is not feasible.
  1536. #
  1537. #            use 'ssl' to indicate connections to this peer should
  1538. #            be SSL/TLS encrypted.
  1539. #
  1540. #            use 'sslcert=/path/to/ssl/certificate' to specify a client
  1541. #            SSL certificate to use when connecting to this peer.
  1542. #
  1543. #            use 'sslkey=/path/to/ssl/key' to specify the private SSL
  1544. #            key corresponding to sslcert above. If 'sslkey' is not
  1545. #            specified 'sslcert' is assumed to reference a
  1546. #            combined file containing both the certificate and the key.
  1547. #
  1548. #            use sslversion=1|2|3|4 to specify the SSL version to use
  1549. #            when connecting to this peer
  1550. #           1 = automatic (default)
  1551. #           2 = SSL v2 only
  1552. #           3 = SSL v3 only
  1553. #           4 = TLS v1 only
  1554. #
  1555. #            use sslcipher=... to specify the list of valid SSL ciphers
  1556. #            to use when connecting to this peer.
  1557. #
  1558. #            use ssloptions=... to specify various SSL engine options:
  1559. #           NO_SSLv2  Disallow the use of SSLv2
  1560. #           NO_SSLv3  Disallow the use of SSLv3
  1561. #           NO_TLSv1  Disallow the use of TLSv1
  1562. #            See src/ssl_support.c or the OpenSSL documentation for
  1563. #            a more complete list.
  1564. #
  1565. #            use sslcafile=... to specify a file containing
  1566. #            additional CA certificates to use when verifying the
  1567. #            peer certificate.
  1568. #
  1569. #            use sslcapath=... to specify a directory containing
  1570. #            additional CA certificates to use when verifying the
  1571. #            peer certificate.
  1572. #
  1573. #            use sslcrlfile=... to specify a certificate revocation
  1574. #            list file to use when verifying the peer certificate.
  1575. #
  1576. #            use sslflags=... to specify various flags modifying the
  1577. #            SSL implementation:
  1578. #           DONT_VERIFY_PEER
  1579. #               Accept certificates even if they fail to
  1580. #               verify.
  1581. #           NO_DEFAULT_CA
  1582. #               Don't use the default CA list built in
  1583. #               to OpenSSL.
  1584. #
  1585. #            use ssldomain= to specify the peer name as advertised
  1586. #            in its certificate. Used for verifying the correctness
  1587. #            of the received peer certificate. If not specified the
  1588. #            peer hostname will be used.
  1589. #
  1590. #            use front-end-https to enable the "Front-End-Https: On"
  1591. #            header needed when using Squid as an SSL frontend in front
  1592. #            of Microsoft OWA. See MS KB document Q307347 for details
  1593. #            on this header. If set to auto the header will
  1594. #            only be added if the request is forwarded as a https://
  1595. #            URL.
  1596. #
  1597. #            use connection-auth=off to tell Squid that this peer does
  1598. #            not support Microsoft connection oriented authentication,
  1599. #            and any such challenges received from there should be
  1600. #            ignored. Default is auto to automatically determine the
  1601. #            status of the peer.
  1602. #
  1603. #            use idle=n to specify a minimum number of idle connections
  1604. #            that should be kept open to this peer.
  1605. #
  1606. #            use http11 to send requests using HTTP/1.1 to this peer.
  1607. #            Note: The HTTP/1.1 support is still incomplete, with an
  1608. #            internal HTTP/1.0 hop. As a result 1xx responses will not
  1609. #            be forwarded.
  1610. #
  1611. #Default:
  1612. # none
  1613.  
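The TLS and login options documented above (sslversion, ssloptions, sslflags, login=) can be checked mechanically. The following is an added example, not part of the original squid.conf or of the Squid project: a small auditor for cache_peer lines. The sample configuration, its hostnames and password, and the ',' / ':' separators for multi-valued options are assumptions.

```python
import re

# Constructed sample squid.conf fragment; hostnames, paths and the password are invented.
SAMPLE_CONF = """\
# upstream parents
cache_peer parent1.example.net parent 3128 3130 login=PASS
cache_peer parent2.example.net parent 443 0 no-query ssl sslflags=DONT_VERIFY_PEER login=proxyuser:s3cret
cache_peer parent3.example.net parent 443 0 no-query ssl sslversion=3
cache_peer parent4.example.net parent 443 0 no-query ssl sslversion=4 sslcafile=/etc/squid/peer-ca.pem ssldomain=parent4.example.net
cache_peer sibling1.example.net sibling 3128 3130 proxy-only
"""


def parse_cache_peer(line):
    """Return (host, peer_type, options) for a cache_peer line, else None.

    options maps each option name to its value, or to True for bare flags.
    """
    tokens = line.split()
    if len(tokens) < 5 or tokens[0] != "cache_peer":
        return None
    host, peer_type = tokens[1], tokens[2]
    options = {}
    for tok in tokens[5:]:
        name, sep, value = tok.partition("=")
        options[name] = value if sep else True
    return host, peer_type, options


def split_values(value):
    """Split a multi-valued option such as ssloptions or sslflags.

    Assumption: values are joined with ',' or ':'.
    """
    if not isinstance(value, str):
        return set()
    return {v for v in re.split(r"[,:]", value) if v}


def audit_peer(options):
    """Return a list of findings for one peer's options."""
    findings = []
    uses_ssl = "ssl" in options
    login = options.get("login")

    if login == "PASS":
        findings.append("login=PASS forwards each user's own proxy credentials to the peer")
    if login and not uses_ssl:
        findings.append("login= is set without 'ssl': credentials cross the peer link unencrypted")

    if uses_ssl:
        if "DONT_VERIFY_PEER" in split_values(options.get("sslflags")):
            findings.append("sslflags=DONT_VERIFY_PEER accepts certificates that fail to verify")
        version = options.get("sslversion", "1")  # 1 = automatic (default)
        if version in ("2", "3"):
            findings.append(f"sslversion={version} pins the link to SSL v{version} only")
        elif version == "1":
            missing = {"NO_SSLv2", "NO_SSLv3"} - split_values(options.get("ssloptions"))
            if missing:
                findings.append(
                    "automatic sslversion without ssloptions "
                    + ",".join(sorted(missing))
                    + ": old protocol versions are not ruled out"
                )
    return findings


def audit_config(text):
    """Audit every cache_peer line; return (line number, host, finding) tuples."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        parsed = parse_cache_peer(line)
        if parsed is None:
            continue  # comments, blank lines and other directives
        host, _peer_type, options = parsed
        findings.extend((lineno, host, msg) for msg in audit_peer(options))
    return findings


if __name__ == "__main__":
    for lineno, host, msg in audit_config(SAMPLE_CONF):
        print(f"line {lineno}: {host}: {msg}")
```
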
  1614. #  TAG: cache_peer_domain
  1615. #   Use to limit the domains for which a neighbor cache will be
  1616. #   queried.  Usage:
  1617. #
  1618. #   cache_peer_domain cache-host domain [domain ...]
  1619. #   cache_peer_domain cache-host !domain
  1620. #
  1621. #   For example, specifying
  1622. #
  1623. #       cache_peer_domain parent.foo.net    .edu
  1624. #
  1625. #   has the effect such that UDP query packets are sent to
  1626. #   'parent.foo.net' only when the requested object exists on a
  1627. #   server in the .edu domain.  Prefixing the domain name
  1628. #   with '!' means the cache will be queried for objects
  1629. #   NOT in that domain.
  1630. #
  1631. #   NOTE:   * Any number of domains may be given for a cache-host,
  1632. #         either on the same or separate lines.
  1633. #       * When multiple domains are given for a particular
  1634. #         cache-host, the first matched domain is applied.
  1635. #       * Cache hosts with no domain restrictions are queried
  1636. #         for all requests.
  1637. #       * There are no defaults.
  1638. #       * There is also a 'cache_peer_access' tag in the ACL
  1639. #         section.
  1640. #
  1641. #Default:
  1642. # none
  1643.  
  1644. #  TAG: cache_peer_access
  1645. #   Similar to 'cache_peer_domain' but provides more flexibility by
  1646. #   using ACL elements.
  1647. #
  1648. #   cache_peer_access cache-host allow|deny [!]aclname ...
  1649. #
  1650. #   The syntax is identical to 'http_access' and the other lists of
  1651. #   ACL elements.  See the comments for 'http_access' below, or
  1652. #   the Squid FAQ (http://www.squid-cache.org/FAQ/FAQ-10.html).
  1653. #
  1654. #Default:
  1655. # none
  1656.  
  1657. #  TAG: neighbor_type_domain
  1658. #   usage: neighbor_type_domain neighbor parent|sibling domain domain ...
  1659. #
  1660. #   Modifying the neighbor type for specific domains is now
  1661. #   possible.  You can treat some domains differently than the
  1662. #   default neighbor type specified on the 'cache_peer' line.
  1663. #   Normally it should only be necessary to list domains which
  1664. #   should be treated differently because the default neighbor type
  1665. #   applies for hostnames which do not match domains listed here.
  1666. #
  1667. #EXAMPLE:
  1668. #   cache_peer cache.foo.org parent 3128 3130
  1669. #   neighbor_type_domain cache.foo.org sibling .com .net
  1670. #   neighbor_type_domain cache.foo.org sibling .au .de
  1671. #
  1672. #Default:
  1673. # none
  1674.  
  1675. #  TAG: dead_peer_timeout   (seconds)
  1676. #   This controls how long Squid waits to declare a peer cache
  1677. #   as "dead."  If there are no ICP replies received in this
  1678. #   amount of time, Squid will declare the peer dead and not
  1679. #   expect to receive any further ICP replies.  However, it
  1680. #   continues to send ICP queries, and will mark the peer as
  1681. #   alive upon receipt of the first subsequent ICP reply.
  1682. #
  1683. #   This timeout also affects when Squid expects to receive ICP
  1684. #   replies from peers.  If more than 'dead_peer' seconds have
  1685. #   passed since the last ICP reply was received, Squid will not
  1686. #   expect to receive an ICP reply on the next query.  Thus, if
  1687. #   your time between requests is greater than this timeout, you
  1688. #   will see a lot of requests sent DIRECT to origin servers
  1689. #   instead of to your parents.
  1690. #
  1691. #Default:
  1692. # dead_peer_timeout 10 seconds
  1693.  
  1694. #  TAG: hierarchy_stoplist
  1695. #   A list of words which, if found in a URL, cause the object to
  1696. #   be handled directly by this cache.  In other words, use this
  1697. #   to not query neighbor caches for certain objects.  You may
  1698. #   list this option multiple times. Note: never_direct overrides
  1699. #   this option.
  1700. #We recommend you use at least the following line.
  1701. hierarchy_stoplist cgi-bin ?
  1702.  
  1703.  
  1704. # MEMORY CACHE OPTIONS
  1705. # -----------------------------------------------------------------------------
  1706.  
  1707. #  TAG: cache_mem   (bytes)
  1708. #   NOTE: THIS PARAMETER DOES NOT SPECIFY THE MAXIMUM PROCESS SIZE.
  1709. #   IT ONLY PLACES A LIMIT ON HOW MUCH ADDITIONAL MEMORY SQUID WILL
  1710. #   USE AS A MEMORY CACHE OF OBJECTS. SQUID USES MEMORY FOR OTHER
  1711. #   THINGS AS WELL. SEE THE SQUID FAQ SECTION 8 FOR DETAILS.
  1712. #
  1713. #   'cache_mem' specifies the ideal amount of memory to be used
  1714. #   for:
  1715. #       * In-Transit objects
  1716. #       * Hot Objects
  1717. #       * Negative-Cached objects
  1718. #
  1719. #   Data for these objects are stored in 4 KB blocks.  This
  1720. #   parameter specifies the ideal upper limit on the total size of
  1721. #   4 KB blocks allocated.  In-Transit objects take the highest
  1722. #   priority.
  1723. #
  1724. #   In-transit objects have priority over the others.  When
  1725. #   additional space is needed for incoming data, negative-cached
  1726. #   and hot objects will be released.  In other words, the
  1727. #   negative-cached and hot objects will fill up any unused space
  1728. #   not needed for in-transit objects.
  1729. #
  1730. #   If circumstances require, this limit will be exceeded.
  1731. #   Specifically, if your incoming request rate requires more than
  1732. #   'cache_mem' of memory to hold in-transit objects, Squid will
  1733. #   exceed this limit to satisfy the new requests.  When the load
  1734. #   decreases, blocks will be freed until the high-water mark is
  1735. #   reached.  Thereafter, blocks will be used to store hot
  1736. #   objects.
  1737. #
  1738. #Default:
  1739. # cache_mem 8 MB
  1740.  
  1741. #  TAG: maximum_object_size_in_memory   (bytes)
  1742. #   Squid will not attempt to keep objects greater than this size in
  1743. #   the memory cache. This should be set high enough to keep objects
  1744. #   accessed frequently in memory to improve performance whilst low
  1745. #   enough to keep larger objects from hoarding cache_mem.
  1746. #
  1747. #Default:
  1748. # maximum_object_size_in_memory 8 KB
  1749.  
  1750. #  TAG: memory_replacement_policy
  1751. #   The memory replacement policy parameter determines which
  1752. #   objects are purged from memory when memory space is needed.
  1753. #
  1754. #   See cache_replacement_policy for details.
  1755. #
  1756. #Default:
  1757. # memory_replacement_policy lru
  1758.  
  1759.  
  1760. # DISK CACHE OPTIONS
  1761. # -----------------------------------------------------------------------------
  1762.  
  1763. #  TAG: cache_replacement_policy
  1764. #   The cache replacement policy parameter determines which
  1765. #   objects are evicted (replaced) when disk space is needed.
  1766. #
  1767. #       lru       : Squid's original list based LRU policy
  1768. #       heap GDSF : Greedy-Dual Size Frequency
  1769. #       heap LFUDA: Least Frequently Used with Dynamic Aging
  1770. #       heap LRU  : LRU policy implemented using a heap
  1771. #
  1772. #   Applies to any cache_dir lines listed below this.
  1773. #
  1774. #   The LRU policies keep recently referenced objects.
  1775. #
  1776. #   The heap GDSF policy optimizes object hit rate by keeping smaller
  1777. #   popular objects in cache so it has a better chance of getting a
  1778. #   hit.  It achieves a lower byte hit rate than LFUDA though since
  1779. #   it evicts larger (possibly popular) objects.
  1780. #
  1781. #   The heap LFUDA policy keeps popular objects in cache regardless of
  1782. #   their size and thus optimizes byte hit rate at the expense of
  1783. #   hit rate since one large, popular object will prevent many
  1784. #   smaller, slightly less popular objects from being cached.
  1785. #
  1786. #   Both policies utilize a dynamic aging mechanism that prevents
  1787. #   cache pollution that can otherwise occur with frequency-based
  1788. #   replacement policies.
  1789. #
  1790. #   NOTE: if using the LFUDA replacement policy you should increase
  1791. #   the value of maximum_object_size above its default of 4096 KB to
  1792. #   maximize the potential byte hit rate improvement of LFUDA.
  1793. #
  1794. #   For more information about the GDSF and LFUDA cache replacement
  1795. #   policies see http://www.hpl.hp.com/techreports/1999/HPL-1999-69.html
  1796. #   and http://fog.hpl.external.hp.com/techreports/98/HPL-98-173.html.
  1797. #
  1798. #Default:
  1799. # cache_replacement_policy lru
  1800.  
  1801. #  TAG: cache_dir
  1802. #   Usage:
  1803. #
  1804. #   cache_dir Type Directory-Name Fs-specific-data [options]
  1805. #
  1806. #   You can specify multiple cache_dir lines to spread the
  1807. #   cache among different disk partitions.
  1808. #
  1809. #   Type specifies the kind of storage system to use. Only "ufs"
  1810. #   is built by default. To enable any of the other storage systems
  1811. #   see the --enable-storeio configure option.
  1812. #
  1813. #   'Directory' is a top-level directory where cache swap
  1814. #   files will be stored. If you want to use an entire disk
  1815. #   for caching, this can be the mount-point directory.
  1816. #   The directory must exist and be writable by the Squid
  1817. #   process. Squid will NOT create this directory for you.
  1818. #   Only when using COSS can a raw disk device or a stripe file
  1819. #   be specified, and then the configuration of the "cache_swap_log"
  1820. #   tag is mandatory.
  1821. #
  1822. #   The ufs store type:
  1823. #
  1824. #   "ufs" is the old well-known Squid storage format that has always
  1825. #   been there.
  1826. #
  1827. #   cache_dir ufs Directory-Name Mbytes L1 L2 [options]
  1828. #
  1829. #   'Mbytes' is the amount of disk space (MB) to use under this
  1830. #   directory.  The default is 100 MB.  Change this to suit your
  1831. #   configuration.  Do NOT put the size of your disk drive here.
  1832. #   Instead, if you want Squid to use the entire disk drive,
  1833. #   subtract 20% and use that value.
  1834. #
  1835. #   'Level-1' is the number of first-level subdirectories which
  1836. #   will be created under the 'Directory'.  The default is 16.
  1837. #
  1838. #   'Level-2' is the number of second-level subdirectories which
  1839. #   will be created under each first-level directory.  The default
  1840. #   is 256.
  1841. #
  1842. #   The aufs store type:
  1843. #
  1844. #   "aufs" uses the same storage format as "ufs", utilizing
  1845. #   POSIX-threads to avoid blocking the main Squid process on
  1846. #   disk-I/O. This was formerly known in Squid as async-io.
  1847. #
  1848. #   cache_dir aufs Directory-Name Mbytes L1 L2 [options]
  1849. #
  1850. #   see argument descriptions under ufs above
  1851. #
  1852. #   The diskd store type:
  1853. #
  1854. #   "diskd" uses the same storage format as "ufs", utilizing a
  1855. #   separate process to avoid blocking the main Squid process on
  1856. #   disk-I/O.
  1857. #
  1858. #   cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n]
  1859. #
  1860. #   see argument descriptions under ufs above
  1861. #
  1862. #   Q1 specifies the number of unacknowledged I/O requests when Squid
  1863. #   stops opening new files. If this many messages are in the queues,
  1864. #   Squid won't open new files. Default is 64
  1865. #
  1866. #   Q2 specifies the number of unacknowledged messages when Squid
  1867. #   starts blocking.  If this many messages are in the queues,
  1868. #   Squid blocks until it receives some replies. Default is 72
  1869. #
  1870. #   When Q1 < Q2 (the default), the cache directory is optimized
  1871. #   for lower response time at the expense of a decrease in hit
  1872. #   ratio.  If Q1 > Q2, the cache directory is optimized for
  1873. #   higher hit ratio at the expense of an increase in response
  1874. #   time.
  1875. #
  1876. #   The coss store type:
  1877. #
  1878. #   block-size=n defines the "block size" for COSS cache_dir's.
  1879. #   Squid uses file numbers as block numbers.  Since file numbers
  1880. #   are limited to 24 bits, the block size determines the maximum
  1881. #   size of the COSS partition.  The default is 512 bytes, which
  1882. #   leads to a maximum cache_dir size of 512<<24, or 8 GB.  Note
  1883. #   you should not change the COSS block size after Squid
  1884. #   has written some objects to the cache_dir.
  1885. #
  1886. #   overwrite-percent=n defines the percentage of disk that COSS
  1887. #   must write to before a given object will be moved to the
  1888. #   current stripe.  A value of "n" closer to 100 will cause COSS
  1889. #   to waste less disk space by having multiple copies of an object
  1890. #   on disk, but will increase the chances of overwriting a popular
  1891. #   object as COSS overwrites stripes.  A value of "n" close to 0
  1892. #   will cause COSS to keep all current objects in the current COSS
  1893. #   stripe at the expense of the hit rate.  The default value of 50
  1894. #   will allow any given object to be stored on disk a maximum of
  1895. #   2 times.
  1896. #
  1897. #   max-stripe-waste=n defines the maximum amount of space that COSS
  1898. #   will waste in a given stripe (in bytes).  When COSS writes data
  1899. #   to disk, it will potentially waste up to "max-size" worth of disk
  1900. #   space for each 1MB of data written.  If "max-size" is set to a
  1901. #   large value (e.g. >256k), this could potentially result in large
  1902. #   amounts of wasted disk space. Setting this value to a lower value
  1903. #   (e.g. 64k or 32k) will result in a COSS disk refusing to cache
  1904. #   larger objects until the COSS stripe has been filled to within
  1905. #   "max-stripe-waste" of the maximum size (1MB).
  1906. #
  1907. #   membufs=n defines the number of "memory-only" stripes that COSS
  1908. #   will use.  When a cache hit is performed on a COSS stripe before
  1909. #   COSS has reached the overwrite-percent value for that object,
  1910. #   COSS will use a series of memory buffers to hold the object in
  1911. #   while the data is sent to the client.  This will define the maximum
  1912. #   number of memory-only buffers that COSS will use.  The default value
  1913. #   is 10, which will use a maximum of 10MB of memory for buffers.
  1914. #
  1915. #   maxfullbufs=n defines the maximum number of stripes a COSS partition
  1916. #   will have in memory waiting to be freed (either because the disk is
  1917. #   under load and the stripe is unwritten, or because clients are still
  1918. #   transferring data from objects using the memory).  In order to try
  1919. #   and maintain a good hit rate under load, COSS will reserve the last
  1920. #   2 full stripes for object hits. (i.e. a COSS cache_dir will reject
  1921. #   new objects when the number of full stripes is 2 less than maxfullbufs)
  1922. #
  1923. #   The null store type:
  1924. #
  1925. #   no options are allowed or required
  1926. #
  1927. #   Common options:
  1928. #
  1929. #   no-store, no new objects should be stored to this cache_dir
  1930. #
  1931. #   min-size=n, refers to the min object size this storedir will accept.
  1932. #   It's used to restrict a storedir to only store large objects
  1933. #   (e.g. aufs) while other storedirs are optimized for smaller objects
  1934. #   (e.g. COSS). Defaults to 0.
  1935. #
  1936. #   max-size=n, refers to the max object size this storedir supports.
  1937. #   It is used to initially choose the storedir to dump the object.
  1938. #   Note: To make optimal use of the max-size limits you should order
  1939. #   the cache_dir lines with the smallest max-size value first and the
  1940. #   ones with no max-size specification last.
  1941. #
  1942. #   Note that for coss, max-size must be less than COSS_MEMBUF_SZ
  1943. #   (hard coded at 1 MB).
  1944. #
  1945. #Default:
  1946. cache_dir ufs /mnt/squidcache 7000 16 256
  1947.  
  1948. #  TAG: store_dir_select_algorithm
  1949. #   Set this to 'round-robin' as an alternative.
  1950. #
  1951. #Default:
  1952. # store_dir_select_algorithm least-load
  1953.  
  1954. #  TAG: max_open_disk_fds
  1955. #   To avoid having disk as the I/O bottleneck Squid can optionally
  1956. #   bypass the on-disk cache if more than this number of disk file
  1957. #   descriptors are open.
  1958. #
  1959. #   A value of 0 indicates no limit.
  1960. #
  1961. #Default:
  1962. # max_open_disk_fds 0
  1963.  
  1964. #  TAG: minimum_object_size (bytes)
  1965. #   Objects smaller than this size will NOT be saved on disk.  The
  1966. #   value is specified in kilobytes, and the default is 0 KB, which
  1967. #   means there is no minimum.
  1968. #
  1969. #Default:
  1970. # minimum_object_size 0 KB
  1971.  
  1972. #  TAG: maximum_object_size (bytes)
  1973. #   Objects larger than this size will NOT be saved on disk.  The
  1974. #   value is specified in kilobytes, and the default is 4MB.  If
  1975. #   you wish to get a high BYTES hit ratio, you should probably
  1976. #   increase this (one 32 MB object hit counts for 3200 10KB
  1977. #   hits).  If you wish to increase speed more than you want to
  1978. #   save bandwidth you should leave this low.
  1979. #
  1980. #   NOTE: if using the LFUDA replacement policy you should increase
  1981. #   this value to maximize the byte hit rate improvement of LFUDA!
  1982. #   See replacement_policy below for a discussion of this policy.
  1983. #
  1984. #   NOTE 2: In Debian the default is raised to 20MB allowing cache
  1985. #   of Packages files in debian repositories. This makes squid a
  1986. #   proper proxy for APT.
  1987. #
  1988. #Default:
  1989. maximum_object_size 2000 MB
  1990.  
  1991. #  TAG: cache_swap_low  (percent, 0-100)
  1992. #  TAG: cache_swap_high (percent, 0-100)
  1993. #
  1994. #   The low- and high-water marks for cache object replacement.
  1995. #   Replacement begins when the swap (disk) usage is above the
  1996. #   low-water mark and attempts to maintain utilization near the
  1997. #   low-water mark.  As swap utilization gets close to high-water
  1998. #   mark object eviction becomes more aggressive.  If utilization is
  1999. #   close to the low-water mark less replacement is done each time.
  2000. #
  2001. #   Defaults are 90% and 95%. If you have a large cache, 5% could be
  2002. #   hundreds of MB. If this is the case you may wish to set these
  2003. #   numbers closer together.
  2004. #
  2005. #Default:
  2006. # cache_swap_low 90
  2007. # cache_swap_high 95
  2008.  
  2009. #  TAG: update_headers  on|off
  2010. #   By default Squid updates stored HTTP headers when receiving
  2011. #   a 304 response. Set this to off if you want to disable this
  2012. #   for disk I/O performance reasons. Disabling this VIOLATES the
  2013. #   HTTP standard, and could make you liable for problems which it
  2014. #   causes.
  2015. #
  2016. #Default:
  2017. # update_headers on
  2018.  
  2019.  
  2020. # LOGFILE OPTIONS
  2021. # -----------------------------------------------------------------------------
  2022.  
  2023. #  TAG: logformat
  2024. #   Usage:
  2025. #
  2026. #   logformat <name> <format specification>
  2027. #
  2028. #   Defines an access log format.
  2029. #
  2030. #   The <format specification> is a string with embedded % format codes
  2031. #
  2032. #   % format codes all follow the same basic structure where all but
  2033. #   the formatcode is optional. Output strings are automatically escaped
  2034. #   as required according to their context and the output format
  2035. #   modifiers are usually not needed, but can be specified if an explicit
  2036. #   output format is desired.
  2037. #
  2038. #       % ["|[|'|#] [-] [[0]width] [{argument}] formatcode
  2039. #
  2040. #       "   output in quoted string format
  2041. #       [   output in squid text log format as used by log_mime_hdrs
  2042. #       #   output in URL quoted format
  2043. #       '   output as-is
  2044. #
  2045. #       -   left aligned
  2046. #       width   field width. If starting with 0 the
  2047. #           output is zero padded
  2048. #       {arg}   argument such as header name etc
  2049. #
  2050. #   Format codes:
  2051. #
  2052. #       >a  Client source IP address
  2053. #       >A  Client FQDN
  2054. #       >p  Client source port
  2055. #       <A  Server IP address or peer name
  2056. #       la  Local IP address (http_port)
  2057. #       lp  Local port number (http_port)
  2058. #       oa  Our outgoing IP address (tcp_outgoing_address)
  2059. #       ts  Seconds since epoch
  2060. #       tu  subsecond time (milliseconds)
  2061. #       tl  Local time. Optional strftime format argument
  2062. #           default %d/%b/%Y:%H:%M:%S %z
  2063. #       tg  GMT time. Optional strftime format argument
  2064. #           default %d/%b/%Y:%H:%M:%S %z
  2065. #       tr  Response time (milliseconds)
  2066. #       >h  Request header. Optional header name argument
  2067. #           on the format header[:[separator]element]
  2068. #       <h  Reply header. Optional header name argument
  2069. #           as for >h
  2070. #       un  User name
  2071. #       ul  User name from authentication
  2072. #       ui  User name from ident
  2073. #       us  User name from SSL
  2074. #       ue  User name from external acl helper
  2075. #       Hs  HTTP status code
  2076. #       Ss  Squid request status (TCP_MISS etc)
  2077. #       Sh  Squid hierarchy status (DEFAULT_PARENT etc)
  2078. #       mt  MIME content type
  2079. #       rm  Request method (GET/POST etc)
  2080. #       ru  Request URL
  2081. #       rp  Request URL-Path excluding hostname
  2082. #       rv  Request protocol version
  2083. #       ea  Log string returned by external acl
  2084. #       <st Reply size including HTTP headers
  2085. #       >st Request size including HTTP headers
  2086. #       st  Request+Reply size including HTTP headers
  2087. #       sn  Unique sequence number per log line entry
  2088. #       %   a literal % character
  2089. #
  2090. #   The default formats available (which do not need re-defining) are:
  2091. #
  2092. #logformat squid %ts.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt
  2093. #logformat squidmime %ts.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt [%>h] [%<h]
  2094. #logformat common %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st %Ss:%Sh
  2095. #logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
  2096. #
  2097. #Default:
  2098. # none
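Added example (not part of the Squid distribution or of this paste): a Python sketch that turns a logformat specification into a regular expression, following the `% ["|[|'|#] [-] [[0]width] [{argument}] formatcode` grammar above, and uses it to count TCP_DENIED requests per client. The sample log lines are constructed; the function names and the `code:argument` field naming are assumptions of this example.

```python
import re
from collections import Counter

# Two of the default formats quoted in the comments above.
SQUID = "%ts.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt"
COMBINED = ('%>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st '
            '"%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh')

# % ["|[|'|#] [-] [[0]width] [{argument}] formatcode
TOKEN = re.compile(
    r"""%(?P<quote>["\[#'])?(?P<left>-)?(?P<width>\d+)?(?:\{(?P<arg>[^}]*)\})?"""
    r"(?P<code>>st|<st|>a|>A|>p|<A|>h|<h|la|lp|oa|ts|tu|tl|tg|tr|un|ul|ui|us|ue|"
    r"Hs|Ss|Sh|mt|rm|ru|rp|rv|ea|st|sn|%)")

# Codes whose values may contain spaces (time strings, header values).
FREE_TEXT = {"tl", "tg", ">h", "<h", "ea"}


def _literal(text):
    """Regex for the literal text between two format codes."""
    if "%" in text:
        raise ValueError("unknown format code in %r" % text)
    # Any whitespace run also absorbs the padding produced by a width modifier.
    return "".join(r"\s+" if part.isspace() else re.escape(part)
                   for part in re.split(r"(\s+)", text) if part)


def compile_logformat(spec):
    """Return (compiled regex, field names) for a logformat specification.

    Output modifiers and widths are accepted but do not change matching.
    """
    pattern, names, pos = ["^"], [], 0
    for m in TOKEN.finditer(spec):
        pattern.append(_literal(spec[pos:m.start()]))
        pos = m.end()
        code, arg = m.group("code"), m.group("arg")
        if code == "%":                      # %% is a literal percent sign
            pattern.append("%")
            continue
        names.append("%s:%s" % (code, arg) if arg else code)
        pattern.append("(.*?)" if code in FREE_TEXT else r"(\S+)")
    pattern.append(_literal(spec[pos:]) + "$")
    return re.compile("".join(pattern)), names


def parse_line(fmt, line):
    """Parse one access.log line; return a dict, or None if it does not fit."""
    regex, names = fmt
    m = regex.match(line.strip())
    return dict(zip(names, m.groups())) if m else None


def denied_by_client(lines, spec=SQUID):
    """Count requests whose Squid request status (%Ss) is TCP_DENIED, per %>a."""
    fmt = compile_logformat(spec)
    hits = Counter()
    for line in lines:
        rec = parse_line(fmt, line)
        if rec and rec["Ss"].startswith("TCP_DENIED"):
            hits[rec[">a"]] += 1
    return hits


# Constructed sample lines in the native "squid" format (not real traffic).
SAMPLE_LINES = [
    "1458460800.123    250 192.0.2.10 TCP_DENIED/403 1520 GET http://blocked.example/ - NONE/- text/html",
    "1458460801.004     12 192.0.2.10 TCP_DENIED/403 1520 CONNECT blocked.example:443 - NONE/- -",
    "1458460802.517    340 192.0.2.11 TCP_MISS/200 5120 GET http://www.example.org/ - DIRECT/198.51.100.7 text/html",
    "truncated line",
]
# Constructed sample line in the "combined" format.
SAMPLE_COMBINED = ('192.0.2.10 - alice [20/Mar/2016:08:00:00 +0000] '
                   '"GET http://www.example.org/ HTTP/1.1" 200 5120 "-" '
                   '"Mozilla/5.0 (X11; Linux x86_64)" TCP_MISS:DIRECT')

if __name__ == "__main__":
    for client, count in denied_by_client(SAMPLE_LINES).most_common():
        print(client, count)
```

With client_netmask set to anything other than 255.255.255.255, the `>a` values are already masked, so the per-client counts become per-network counts.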
  2099.  
  2100. #  TAG: access_log
  2101. #   These files log client request activities, with one line for every
  2102. #   HTTP or ICP request. The format is:
  2103. #   access_log <filepath> [<logformat name> [acl acl ...]]
  2104. #   access_log none [acl acl ...]
  2105. #
  2106. #   Will log to the specified file using the specified format (which
  2107. #   must be defined in a logformat directive) those entries which match
  2108. #   ALL the acl's specified (which must be defined in acl clauses).
  2109. #   If no acl is specified, all requests will be logged to this file.
  2110. #
  2111. #   To disable logging of a request use the filepath "none", in which case
  2112. #   a logformat name should not be specified.
  2113. #
  2114. #   To log the request via syslog specify a filepath of "syslog":
  2115. #
  2116. #   access_log syslog[:facility.priority] [format [acl1 [acl2 ....]]]
  2117. #   where facility could be any of:
  2118. #   authpriv, daemon, local0 .. local7 or user.
  2119. #
  2120. #   And priority could be any of:
  2121. #   err, warning, notice, info, debug.
  2122. access_log /var/log/squid/access.log squid
  2123.  
  2124. #  TAG: log_access  allow|deny acl acl...
  2125. #   This option allows you to control which requests get logged
  2126. #   to access.log (see access_log directive). Requests denied for
  2127. #   logging will also not be accounted for in performance counters.
  2128. #
  2129. #Default:
  2130. # none
  2131.  
  2132. #  TAG: logfile_daemon
  2133. #   Specify the path to the logfile-writing daemon. This daemon is
  2134. #   used to write the access and store logs, if configured.
  2135. #
  2136. #Default:
  2137. # logfile_daemon /usr/lib/squid/logfile-daemon
  2138.  
  2139. #  TAG: cache_log
  2140. #   Cache logging file. This is where general information about
  2141. #   your cache's behavior goes. You can increase the amount of data
  2142. #   logged to this file with the "debug_options" tag below.
  2143. #
  2144. #Default:
  2145. # cache_log /var/log/squid/cache.log
  2146.  
  2147. #  TAG: cache_store_log
  2148. #   Logs the activities of the storage manager.  Shows which
  2149. #   objects are ejected from the cache, and which objects are
  2150. #   saved and for how long.  To disable, enter "none". There are
  2151. #   not really utilities to analyze this data, so you can safely
  2152. #   disable it.
  2153. #
  2154. #Default:
  2155. # cache_store_log /var/log/squid/store.log
  2156.  
  2157. #  TAG: cache_swap_state
  2158. #   Location for the cache "swap.state" file. This index file holds
  2159. #   the metadata of objects saved on disk.  It is used to rebuild
  2160. #   the cache during startup.  Normally this file resides in each
  2161. #   'cache_dir' directory, but you may specify an alternate
  2162. #   pathname here.  Note you must give a full filename, not just
  2163. #   a directory. Since this is the index for the whole object
  2164. #   list you CANNOT periodically rotate it!
  2165. #
  2166. #   If %s is used in the file name it will be replaced with a
  2167. #   representation of the cache_dir name where each / is replaced
  2168. #   with '.'. This is needed to allow adding/removing cache_dir
  2169. #   lines when cache_swap_log is being used.
  2170. #
  2171. #   If you have more than one 'cache_dir', and %s is not used in the name,
  2172. #   these swap logs will have names such as:
  2173. #
  2174. #       cache_swap_log.00
  2175. #       cache_swap_log.01
  2176. #       cache_swap_log.02
  2177. #
  2178. #   The numbered extension (which is added automatically)
  2179. #   corresponds to the order of the 'cache_dir' lines in this
  2180. #   configuration file.  If you change the order of the 'cache_dir'
  2181. #   lines in this file, these index files will NOT correspond to
  2182. #   the correct 'cache_dir' entry (unless you manually rename
  2183. #   them).  We recommend you do NOT use this option.  It is
  2184. #   better to keep these index files in each 'cache_dir' directory.
  2185. #
  2186. #Default:
  2187. # none
  2188.  
  2189. #  TAG: logfile_rotate
  2190. #   Specifies the number of logfile rotations to make when you
  2191. #   type 'squid -k rotate'.  The default is 10, which will rotate
  2192. #   with extensions 0 through 9.  Setting logfile_rotate to 0 will
  2193. #   disable the file name rotation, but the logfiles are still closed
  2194. #   and re-opened.  This will enable you to rename the logfiles
  2195. #   yourself just before sending the rotate signal.
  2196. #
  2197. #   Note, the 'squid -k rotate' command normally sends a USR1
  2198. #   signal to the running squid process.  In certain situations
  2199. #   (e.g. on Linux with Async I/O), USR1 is used for other
  2200. #   purposes, so -k rotate uses another signal.  It is best to get
  2201. #   in the habit of using 'squid -k rotate' instead of 'kill -USR1
  2202. #   <pid>'.
  2203. #
  2204. #   Note2, for Debian/Linux the default of logfile_rotate is
  2205. #   zero, since it includes external logfile-rotation methods.
  2206. #
  2207. #Default:
  2208. # logfile_rotate 0
  2209.  
  2210. #  TAG: emulate_httpd_log   on|off
  2211. #   The Cache can emulate the log file format which many 'httpd'
  2212. #   programs use.  To disable/enable this emulation, set
  2213. #   emulate_httpd_log to 'off' or 'on'.  The default
  2214. #   is to use the native log format since it includes useful
  2215. #   information Squid-specific log analyzers use.
  2216. #
  2217. #Default:
  2218. # emulate_httpd_log off
  2219.  
  2220. #  TAG: log_ip_on_direct    on|off
  2221. #   Log the destination IP address in the hierarchy log tag when going
  2222. #   direct. Earlier Squid versions logged the hostname here. If you
  2223. #   prefer the old way set this to off.
  2224. #
  2225. #Default:
  2226. # log_ip_on_direct on
  2227.  
  2228. #  TAG: mime_table
  2229. #   Pathname to Squid's MIME table. You shouldn't need to change
  2230. #   this, but the default file contains examples and formatting
  2231. #   information if you do.
  2232. #
  2233. #Default:
  2234. # mime_table /usr/share/squid/mime.conf
  2235.  
  2236. #  TAG: log_mime_hdrs   on|off
  2237. #   The Cache can record both the request and the response MIME
  2238. #   headers for each HTTP transaction.  The headers are encoded
  2239. #   safely and will appear as two bracketed fields at the end of
  2240. #   the access log (for either the native or httpd-emulated log
  2241. #   formats).  To enable this logging set log_mime_hdrs to 'on'.
  2242. #
  2243. #Default:
  2244. # log_mime_hdrs off
  2245.  
  2246. #  TAG: useragent_log
  2247. #   Squid will write the User-Agent field from HTTP requests
  2248. #   to the filename specified here.  By default useragent_log
  2249. #   is disabled.
  2250. #
  2251. #Default:
  2252. # none
  2253.  
  2254. #  TAG: referer_log
  2255. #   Squid will write the Referer field from HTTP requests to the
  2256. #   filename specified here.  By default referer_log is disabled.
  2257. #   Note that "referer" is actually a misspelling of "referrer"
  2258. #   however the misspelt version has been accepted into the HTTP RFCs
  2259. #   and we accept both.
  2260. #
  2261. #Default:
  2262. # none
  2263.  
  2264. #  TAG: pid_filename
  2265. #   A filename to write the process-id to.  To disable, enter "none".
  2266. #
  2267. #Default:
  2268. # pid_filename /var/run/squid.pid
  2269.  
  2270. #  TAG: debug_options
  2271. #   Logging options are set as section,level where each source file
  2272. #   is assigned a unique section.  Lower levels result in less
  2273. #   output.  Full debugging (level 9) can result in a very large
  2274. #   log file, so be careful.  The magic word "ALL" sets debugging
  2275. #   levels for all sections.  We recommend normally running with
  2276. #   "ALL,1".
  2277. #
  2278. #Default:
  2279. # debug_options ALL,1
  2280.  
  2281. #  TAG: log_fqdn    on|off
  2282. #   Turn this on if you wish to log fully qualified domain names
  2283. #   in the access.log. To do this Squid does a DNS lookup of all
  2284. #   IP's connecting to it. This can (in some situations) increase
  2285. #   latency, which makes your cache seem slower for interactive
  2286. #   browsing.
  2287. #
  2288. #Default:
  2289. # log_fqdn off
  2290.  
  2291. #  TAG: client_netmask
  2292. #   A netmask for client addresses in logfiles and cachemgr output.
  2293. #   Change this to protect the privacy of your cache clients.
  2294. #   A netmask of 255.255.255.0 will log all IP's in that range with
  2295. #   the last digit set to '0'.
  2296. #
  2297. #Default:
  2298. # client_netmask 255.255.255.255
  2299.  
  2300. #  TAG: forward_log
  2301. # Note: This option is only available if Squid is rebuilt with the
  2302. #       --enable-forward-log option
  2303. #
  2304. #   Logs the server-side requests.
  2305. #
  2306. #   This is currently work in progress.
  2307. #
  2308. #Default:
  2309. # none
  2310.  
  2311. #  TAG: strip_query_terms
  2312. #   By default, Squid strips query terms from requested URLs before
  2313. #   logging.  This protects your users' privacy.
  2314. #
  2315. #Default:
  2316. # strip_query_terms on
  2317.  
  2318. #  TAG: buffered_logs   on|off
  2319. #   cache.log log file is written with stdio functions, and as such
  2320. #   it can be buffered or unbuffered. By default it will be unbuffered.
  2321. #   Buffering it can speed up the writing slightly (though you are
  2322. #   unlikely to need to worry unless you run with tons of debugging
  2323. #   enabled in which case performance will suffer badly anyway..).
  2324. #
  2325. #Default:
  2326. # buffered_logs off
  2327.  
  2328. #  TAG: netdb_filename
  2329. #   A filename where Squid stores its netdb state between restarts.
  2330. #   To disable, enter "none".
  2331. #
  2332. #Default:
  2333. # netdb_filename /var/spool/squid/logs/netdb.state
  2334.  
  2335.  
  2336. # OPTIONS FOR FTP GATEWAYING
  2337. # -----------------------------------------------------------------------------
  2338.  
  2339. #  TAG: ftp_user
  2340. #   If you want the anonymous login password to be more informative
  2341. #   (and enable the use of picky ftp servers), set this to something
  2342. #   reasonable for your domain, like wwwuser@somewhere.net
  2343. #
  2344. #   The reason why this is domainless by default is the
  2345. #   request can be made on the behalf of a user in any domain,
  2346. #   depending on how the cache is used.
  2347. #   Some ftp servers also validate that the email address is valid
  2348. #   (for example perl.com).
  2349. #
  2350. #Default:
  2351. # ftp_user Squid@
  2352.  
  2353. #  TAG: ftp_list_width
  2354. #   Sets the width of ftp listings. This should be set to fit in
  2355. #   the width of a standard browser. Setting this too small
  2356. #   can cut off long filenames when browsing ftp sites.
  2357. #
  2358. #Default:
  2359. # ftp_list_width 32
  2360.  
  2361. #  TAG: ftp_passive
  2362. #   If your firewall does not allow Squid to use passive
  2363. #   connections, turn off this option.
  2364. #
  2365. #Default:
  2366. # ftp_passive on
  2367.  
  2368. #  TAG: ftp_sanitycheck
  2369. #   For security and data integrity reasons Squid by default performs
  2370. #   sanity checks of the addresses of FTP data connections to ensure the
  2371. #   data connection is to the requested server. If you need to allow
  2372. #   FTP connections to servers using another IP address for the data
  2373. #   connection turn this off.
  2374. #
  2375. #Default:
  2376. # ftp_sanitycheck on
  2377.  
  2378. #  TAG: ftp_telnet_protocol
  2379. #   The FTP protocol is officially defined to use the telnet protocol
  2380. #   as transport channel for the control connection. However, many
  2381. #   implementations are broken and do not respect this aspect of
  2382. #   the FTP protocol.
  2383. #
  2384. #   If you have trouble accessing files with ASCII code 255 in the
  2385. #   path or similar problems involving this ASCII code you can
  2386. #   try setting this directive to off. If that helps, report to the
  2387. #   operator of the FTP server in question that their FTP server
  2388. #   is broken and does not follow the FTP standard.
  2389. #
  2390. #Default:
  2391. # ftp_telnet_protocol on
  2392.  
  2393.  
  2394. # OPTIONS FOR EXTERNAL SUPPORT PROGRAMS
  2395. # -----------------------------------------------------------------------------
  2396.  
  2397. #  TAG: diskd_program
  2398. #   Specify the location of the diskd executable.
  2399. #   Note this is only useful if you have compiled in
  2400. #   diskd as one of the store io modules.
  2401. #
  2402. #Default:
  2403. # diskd_program /usr/lib/squid/diskd-daemon
  2404.  
  2405. #  TAG: unlinkd_program
  2406. #   Specify the location of the executable for file deletion process.
  2407. #
  2408. #Default:
  2409. # unlinkd_program /usr/lib/squid/unlinkd
  2410.  
  2411. #  TAG: pinger_program
  2412. # Note: This option is only available if Squid is rebuilt with the
  2413. #       --enable-icmp option
  2414. #
  2415. #   Specify the location of the executable for the pinger process.
  2416. #
  2417. #Default:
  2418. # pinger_program /usr/lib/squid/pinger
  2419.  
  2420.  
  2421. # OPTIONS FOR URL REWRITING
  2422. # -----------------------------------------------------------------------------
  2423.  
  2424. #  TAG: storeurl_rewrite_program
  2425. #   Specify the location of the executable for the Store URL rewriter.
  2426. #   The Store URL rewriter allows URLs to be "normalised", mapping
  2427. #   multiple URLs to a single URL representation for cache operations.
  2428. #
  2429. #   For example, if you request an object at:
  2430. #
  2431. #   http://srv1.example.com/image.gif
  2432. #
  2433. #   and a subsequent request for:
  2434. #
  2435. #   http://srv2.example.com/image.gif
  2436. #
  2437. #   then Squid will treat these both as different URLs and cache them
  2438. #   separately.
  2439. #
  2440. #   This is almost the normal case, but an increasing number of sites
  2441. #   distribute the same content between multiple frontend hosts.
  2442. #   The Store URL rewriter allows you to rewrite these URLs to one URL
  2443. #   to use for cache operations, but not -fetches-. Fetches are still
  2444. #   made from the original site, but stored with the store URL rewritten
  2445. #   URL as the store key.
  2446. #
  2447. #   For each requested URL the rewriter will receive one line with the format
  2448. #
  2449. #   URL <SP> client_ip "/" fqdn <SP> user <SP> method <SP> urlgroup
  2450. #    [<SP> kvpairs] <NL>
  2451. #
  2452. #   In the future, the rewriter interface will be extended with
  2453. #   key=value pairs ("kvpairs" shown above).  Rewriter programs
  2454. #   should be prepared to receive and possibly ignore additional
  2455. #   whitespace-separated tokens on each input line.
  2456. #
  2457. #   And the rewriter may return a rewritten URL. The other components of
  2458. #   the request line do not need to be returned (ignored if they are).
  2459. #
  2460. #   By default, a Store URL rewriter is not used.
  2461. #
  2462. #   Please note - the normal URL rewriter rewrites Squid's _destination_
  2463. #   URL - ie, what it fetches. The Store URL rewriter rewrites Squid's
  2464. #   _store_ URL - ie, what it uses to store and retrieve objects.
  2465. #
  2466. #Default:
  2467. # none
  2468.  
  2469. #  TAG: storeurl_rewrite_children
  2470. #
  2471. #
  2472. #Default:
  2473. # storeurl_rewrite_children 5
  2474.  
  2475. #  TAG: storeurl_rewrite_concurrency
  2476. #
  2477. #
  2478. #Default:
  2479. # storeurl_rewrite_concurrency 0
  2480.  
  2481. #  TAG: url_rewrite_program
  2482. #   Specify the location of the executable for the URL rewriter.
  2483. #   Since they can perform almost any function there isn't one included.
  2484. #
  2485. #   For each requested URL the rewriter will receive one line with the format
  2486. #
  2487. #   URL <SP> client_ip "/" fqdn <SP> user <SP> method <SP> urlgroup
  2488. #    [<SP> kvpairs] <NL>
  2489. #
  2490. #   In the future, the rewriter interface will be extended with
  2491. #   key=value pairs ("kvpairs" shown above).  Rewriter programs
  2492. #   should be prepared to receive and possibly ignore additional
  2493. #   whitespace-separated tokens on each input line.
  2494. #
  2495. #   And the rewriter may return a rewritten URL. The other components of
  2496. #   the request line do not need to be returned (ignored if they are).
  2497. #
  2498. #   The rewriter can also indicate that a client-side redirect should
  2499. #   be performed to the new URL. This is done by prefixing the returned
  2500. #   URL with "301:" (moved permanently) or "302:" (moved temporarily).
  2501. #
  2502. #   It can also return a "urlgroup" that can subsequently be matched
  2503. #   in cache_peer_access and similar ACL driven rules. An urlgroup is
  2504. #   returned by prefixing the returned URL with "!urlgroup!".
  2505. #
  2506. #   By default, a URL rewriter is not used.
  2507. #
  2508. #Default:
  2509. # none
  2510.  
  2511. #  TAG: url_rewrite_children
  2512. #   The number of redirector processes to spawn. If you start
  2513. #   too few Squid will have to wait for them to process a backlog of
  2514. #   URLs, slowing it down. If you start too many they will use RAM
  2515. #   and other system resources.
  2516. #
  2517. #Default:
  2518. # url_rewrite_children 5
  2519.  
  2520. #  TAG: url_rewrite_concurrency
  2521. #   The number of requests each redirector helper can handle in
  2522. #   parallel. Defaults to 0 which indicates the redirector
  2523. #   is an old-style single-threaded redirector.
  2524. #
  2525. #   When this directive is set to a value >= 1 then the protocol
  2526. #   used to communicate with the helper is modified to include
  2527. #   a request ID in front of the request/response. The request
  2528. #   ID from the request must be echoed back with the response
  2529. #   to that request.
  2530. #
  2531. #Default:
  2532. # url_rewrite_concurrency 0
  2533.  
  2534. #  TAG: url_rewrite_host_header
  2535. #   By default Squid rewrites any Host: header in redirected
  2536. #   requests.  If you are running an accelerator this may
  2537. #   not be a wanted effect of a redirector.
  2538. #
  2539. #   WARNING: Entries are cached on the result of the URL rewriting
  2540. #   process, so be careful if you have domain-virtual hosts.
  2541. #
  2542. #Default:
  2543. # url_rewrite_host_header on
  2544.  
  2545. #  TAG: url_rewrite_access
  2546. #   If defined, this access list specifies which requests are
  2547. #   sent to the redirector processes.  By default all requests
  2548. #   are sent.
  2549. #
  2550. #Default:
  2551. # none
  2552.  
  2553. #  TAG: storeurl_access
  2554. #
  2555. #
  2556. #Default:
  2557. # none
  2558.  
  2559. #  TAG: redirector_bypass
  2560. #   When this is 'on', a request will not go through the
  2561. #   redirector if all redirectors are busy.  If this is 'off'
  2562. #   and the redirector queue grows too large, Squid will exit
  2563. #   with a FATAL error and ask you to increase the number of
  2564. #   redirectors.  You should only enable this if the redirectors
  2565. #   are not critical to your caching system.  If you use
  2566. #   redirectors for access control, and you enable this option,
  2567. #   users may have access to pages they should not
  2568. #   be allowed to request.
  2569. #
  2570. #Default:
  2571. # redirector_bypass off
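Added example (not Squid's code and not from this paste): a Python helper speaking the line protocol described under url_rewrite_program and url_rewrite_concurrency, used for access control as the redirector_bypass text mentions. The domain list, the block page URL, the `--concurrent` flag and the function names are assumptions; an empty reply meaning "leave the URL unchanged" is Squid helper behaviour that the comments above do not spell out.

```python
import sys
from urllib.parse import urlsplit

BLOCKED_DOMAINS = {"blocked.example"}              # constructed policy list
BLOCK_PAGE = "http://proxy.example/denied.html"    # hypothetical block page


def parse_request(text):
    """Parse: URL <SP> client_ip "/" fqdn <SP> user <SP> method <SP> urlgroup
    [<SP> kvpairs]. Extra whitespace-separated tokens are tolerated."""
    tokens = text.split()
    if len(tokens) < 4:
        raise ValueError("short helper line: %r" % text)
    url, client, user, method = tokens[:4]
    client_ip, _, fqdn = client.partition("/")
    return {
        "url": url, "client_ip": client_ip, "fqdn": fqdn,
        "user": user, "method": method,
        "urlgroup": tokens[4] if len(tokens) > 4 else "-",
        "kvpairs": dict(t.split("=", 1) for t in tokens[5:] if "=" in t),
    }


def request_host(req):
    """Host being requested; CONNECT carries host:port instead of a URL."""
    if req["method"] == "CONNECT":
        host = req["url"].rsplit(":", 1)[0]
    else:
        host = urlsplit(req["url"]).hostname or ""
    host = host.lower().rstrip(".")
    if not host:
        raise ValueError("no host in %r" % req["url"])
    return host


def decide(req):
    """Return the helper reply: '' (unchanged) or '302:<url>' (redirect)."""
    host = request_host(req)
    for domain in BLOCKED_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return "302:" + BLOCK_PAGE
    return ""


def handle_line(line, concurrent=False):
    """Build the reply for one input line.

    With url_rewrite_concurrency >= 1 the first token is the request ID and
    must be echoed back in front of the reply.
    """
    channel, rest = None, line.strip()
    if concurrent:
        channel, _, rest = rest.partition(" ")
    try:
        reply = decide(parse_request(rest))
    except ValueError:
        reply = "302:" + BLOCK_PAGE      # fail closed on anything unparseable
    return reply if channel is None else ("%s %s" % (channel, reply)).strip()


def main(argv):
    concurrent = "--concurrent" in argv  # hypothetical flag of this example
    for line in sys.stdin:
        sys.stdout.write(handle_line(line, concurrent) + "\n")
        sys.stdout.flush()               # Squid waits for each reply line


if __name__ == "__main__":
    main(sys.argv[1:])
```

Because Squid skips the helper when redirector_bypass is on and all helpers are busy, that directive has to stay off when a helper like this one enforces policy.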
  2572.  
  2573. #  TAG: location_rewrite_program
  2574. #   Specify the location of the executable for the Location rewriter,
  2575. #   used to rewrite server generated redirects. Usually used in
  2576. #   conjunction with a url_rewrite_program
  2577. #
  2578. #   For each Location header received the location rewriter will receive
  2579. #   one line with the format:
  2580. #
  2581. #      location URL <SP> requested URL <SP> urlgroup <NL>
  2582. #
  2583. #   And the rewriter may return a rewritten Location URL or a blank line.
  2584. #   The other components of the request line do not need to be returned
  2585. #   (ignored if they are).
  2586. #
  2587. #   By default, a Location rewriter is not used.
  2588. #
  2589. #Default:
  2590. # none
  2591.  
  2592. #  TAG: location_rewrite_children
  2593. #   The number of location rewriting processes to spawn. If you start
  2594. #   too few Squid will have to wait for them to process a backlog of
  2595. #   URLs, slowing it down. If you start too many they will use RAM
  2596. #   and other system resources.
  2597. #
  2598. #Default:
  2599. # location_rewrite_children 5
  2600.  
  2601. #  TAG: location_rewrite_concurrency
  2602. #   The number of requests each Location rewriter helper can handle in
  2603. #   parallel. Defaults to 0 which indicates that the helper
  2604. #   is an old-style single-threaded helper.
  2605. #
  2606. #Default:
  2607. # location_rewrite_concurrency 0
  2608.  
  2609. #  TAG: location_rewrite_access
  2610. #   If defined, this access list specifies which requests are
  2611. #   sent to the location rewriting processes.  By default all Location
  2612. #   headers are sent.
  2613. #
  2614. #Default:
  2615. # none
  2616.  
  2617.  
  2618. # OPTIONS FOR TUNING THE CACHE
  2619. # -----------------------------------------------------------------------------
  2620.  
  2621. #  TAG: cache
  2622. #   A list of ACL elements which, if matched, cause the request to
  2623. #   not be satisfied from the cache and the reply to not be cached.
  2624. #   In other words, use this to force certain objects to never be cached.
  2625. #
  2626. #   You must use the word 'DENY' to indicate the ACL names which should
  2627. #   NOT be cached.
  2628. #
  2629. #   Default is to allow all to be cached.
  2630. #
  2631. #Default:
  2632. # none
  2633.  
  2634. #  TAG: max_stale   time-units
  2635. #   This option puts an upper limit on how stale content Squid
  2636. #   will serve from the cache if cache validation fails.
  2637. #
  2638. #Default:
  2639. # max_stale 1 week
  2640.  
  2641. #  TAG: refresh_pattern
  2642. #   usage: refresh_pattern [-i] regex min percent max [options]
  2643. #
  2644. #   By default, regular expressions are CASE-SENSITIVE.  To make
  2645. #   them case-insensitive, use the -i option.
  2646. #
  2647. #   'Min' is the time (in minutes) an object without an explicit
  2648. #   expiry time should be considered fresh. The recommended
  2649. #   value is 0, any higher values may cause dynamic applications
  2650. #   to be erroneously cached unless the application designer
  2651. #   has taken the appropriate actions.
  2652. #
  2653. #   'Percent' is a percentage of the object's age (time since last
  2654. #   modification age) an object without explicit expiry time
  2655. #   will be considered fresh.
  2656. #
  2657. #   'Max' is an upper limit on how long objects without an explicit
  2658. #   expiry time will be considered fresh.
  2659. #
  2660. #   options: override-expire
  2661. #        override-lastmod
  2662. #        reload-into-ims
  2663. #        ignore-reload
  2664. #        ignore-no-cache
  2665. #        ignore-private
  2666. #        ignore-auth
  2667. #        stale-while-revalidate=NN
  2668. #        ignore-stale-while-revalidate
  2669. #        max-stale=NN
  2670. #        negative-ttl=NN
  2671. #
  2672. #       override-expire enforces min age even if the server
  2673. #       sent an explicit expiry time (e.g., with the
  2674. #       Expires: header or Cache-Control: max-age). Doing this
  2675. #       VIOLATES the HTTP standard.  Enabling this feature
  2676. #       could make you liable for problems which it causes.
  2677. #
  2678. #       Note: this does not enforce staleness - it only extends
  2679. #       freshness / min. If the server returns an Expires time which
  2680. #       is longer than your max time, Squid will still consider
  2681. #       the object fresh for that period of time.
  2682. #
  2683. #       override-lastmod enforces min age even on objects
  2684. #       that were modified recently.
  2685. #
  2686. #       reload-into-ims changes client no-cache or ``reload''
  2687. #       to If-Modified-Since requests. Doing this VIOLATES the
  2688. #       HTTP standard. Enabling this feature could make you
  2689. #       liable for problems which it causes.
  2690. #
  2691. #       ignore-reload ignores a client no-cache or ``reload''
  2692. #       header. Doing this VIOLATES the HTTP standard. Enabling
  2693. #       this feature could make you liable for problems which
  2694. #       it causes.
  2695. #
  2696. #       ignore-no-cache ignores any ``Pragma: no-cache'' and
  2697. #       ``Cache-control: no-cache'' headers received from a server.
  2698. #       The HTTP RFC never allows the use of this (Pragma) header
  2699. #       from a server, only a client, though plenty of servers
  2700. #       send it anyway.
  2701. #
  2702. #       ignore-private ignores any ``Cache-control: private''
  2703. #       headers received from a server. Doing this VIOLATES
  2704. #       the HTTP standard. Enabling this feature could make you
  2705. #       liable for problems which it causes.
  2706. #
  2707. #       ignore-auth caches responses to requests with authorization,
  2708. #       as if the origin server had sent ``Cache-control: public''
  2709. #       in the response header. Doing this VIOLATES the HTTP standard.
  2710. #       Enabling this feature could make you liable for problems which
  2711. #       it causes.
  2712. #
  2713. #       stale-while-revalidate=NN makes Squid perform an asynchronous
  2714. #       cache validation if the object isn't more stale than NN.
  2715. #       Doing this VIOLATES the HTTP standard. Enabling this
  2716. #       feature could make you liable for problems which it
  2717. #       causes.
  2718. #
  2719. #       ignore-stale-while-revalidate makes Squid ignore any 'Cache-Control:
  2720. #       stale-while-revalidate=NN' headers received from a server. Can be
  2721. #       combined with stale-while-revalidate=NN to override the server provided
  2722. #       value.
  2723. #
  2724. #       max-stale=NN provides a maximum staleness factor. Squid won't
  2725. #       serve objects more stale than this even if it failed to
  2726. #       validate the object.
  2727. #
  2728. #       negative-ttl=NN overrides the global negative_ttl parameter
  2729. #       selectively for URLs matching this pattern (in seconds).
  2730. #
  2731. #   Basically a cached object is:
  2732. #
  2733. #       FRESH if expires < now, else STALE
  2734. #       STALE if age > max
  2735. #       FRESH if lm-factor < percent, else STALE
  2736. #       FRESH if age < min
  2737. #       else STALE
  2738. #
  2739. #   The refresh_pattern lines are checked in the order listed here.
  2740. #   The first entry which matches is used.  If none of the entries
  2741. #   match the default will be used.
  2742. #
  2743. #   Note, you must uncomment all the default lines if you want
  2744. #   to change one. The default setting is only active if none is
  2745. #   used.
  2746. #
  2747. #Suggested default:
  2748. refresh_pattern ^ftp:       1440    20% 10080
  2749. refresh_pattern ^gopher:    1440    0%  1440
  2750. refresh_pattern -i (/cgi-bin/|\?) 0 0%  0
  2751. refresh_pattern (Release|Packages(.gz)*)$   0   20% 2880
  2752. refresh_pattern .       0   20% 4320
  2753.  
  2754. #  TAG: quick_abort_min (KB)
  2755. #  TAG: quick_abort_max (KB)
  2756. #  TAG: quick_abort_pct (percent)
  2757. #   The cache by default continues downloading aborted requests
  2758. #   which are almost completed (less than 16 KB remaining). This
  2759. #   may be undesirable on slow (e.g. SLIP) links and/or very busy
  2760. #   caches.  Impatient users may tie up file descriptors and
  2761. #   bandwidth by repeatedly requesting and immediately aborting
  2762. #   downloads.
  2763. #
  2764. #   When the user aborts a request, Squid will check the
  2765. #   quick_abort values against the amount of data transferred until
  2766. #   then.
  2767. #
  2768. #   If the transfer has less than 'quick_abort_min' KB remaining,
  2769. #   it will finish the retrieval.
  2770. #
  2771. #   If the transfer has more than 'quick_abort_max' KB remaining,
  2772. #   it will abort the retrieval.
  2773. #
  2774. #   If more than 'quick_abort_pct' of the transfer has completed,
  2775. #   it will finish the retrieval.
  2776. #
  2777. #   If you do not want any retrieval to continue after the client
  2778. #   has aborted, set both 'quick_abort_min' and 'quick_abort_max'
  2779. #   to '0 KB'.
  2780. #
  2781. #   If you want retrievals to always continue if they are being
  2782. #   cached set 'quick_abort_min' to '-1 KB'.
  2783. #
  2784. #Default:
  2785. # quick_abort_min 16 KB
  2786. # quick_abort_max 16 KB
  2787. # quick_abort_pct 95
  2788.  
  2789. #  TAG: read_ahead_gap  buffer-size
  2790. #   The amount of data the cache will buffer ahead of what has been
  2791. #   sent to the client when retrieving an object from another server.
  2792. #
  2793. #Default:
  2794. # read_ahead_gap 16 KB
  2795.  
  2796. #  TAG: negative_ttl    time-units
  2797. #   Time-to-Live (TTL) for failed requests.  Certain types of
  2798. #   failures (such as "connection refused" and "404 Not Found") are
  2799. #   negatively-cached for a configurable amount of time.  The
  2800. #   default is 5 minutes.  Note that this is different from
  2801. #   negative caching of DNS lookups.
  2802. #
  2803. #Default:
  2804. # negative_ttl 5 minutes
  2805.  
  2806. #  TAG: positive_dns_ttl    time-units
  2807. #   Upper limit on how long Squid will cache positive DNS responses.
  2808. #   Default is 6 hours (360 minutes). This directive must be set
  2809. #   larger than negative_dns_ttl.
  2810. #
  2811. #Default:
  2812. # positive_dns_ttl 6 hours
  2813.  
  2814. #  TAG: negative_dns_ttl    time-units
  2815. #   Time-to-Live (TTL) for negative caching of failed DNS lookups.
  2816. #   This also sets the lower cache limit on positive lookups.
  2817. #   Minimum value is 1 second, and it is not recommended to go
  2818. #   much below 10 seconds.
  2819. #
  2820. #Default:
  2821. # negative_dns_ttl 1 minute
  2822.  
  2823. #  TAG: range_offset_limit  (bytes)
  2824. #   Sets an upper limit on how far into the file a Range request
  2825. #   may be to cause Squid to prefetch the whole file. If beyond this
  2826. #   limit Squid forwards the Range request as it is and the result
  2827. #   is NOT cached.
  2828. #
  2829. #   This is to stop a far ahead range request (let's say start at 17MB)
  2830. #   from making Squid fetch the whole object up to that point before
  2831. #   sending anything to the client.
  2832. #
  2833. #   A value of -1 causes Squid to always fetch the object from the
  2834. #   beginning so it may cache the result. (2.0 style)
  2835. #
  2836. #   A value of 0 causes Squid to never fetch more than the
  2837. #   client requested. (default)
  2838. #
  2839. #Default:
  2840. # range_offset_limit 0 KB
  2841.  
  2842. #  TAG: minimum_expiry_time (seconds)
  2843. #   The minimum caching time, according to the (Expires - Date)
  2844. #   headers, that Squid honors if the object can't be revalidated.
  2845. #   Defaults to 60 seconds. In reverse proxy environments it
  2846. #   might be desirable to honor shorter object lifetimes. It
  2847. #   is most likely better to make your server return a
  2848. #   meaningful Last-Modified header however.
  2849. #
  2850. #Default:
  2851. # minimum_expiry_time 60 seconds
  2852.  
  2853. #  TAG: store_avg_object_size   (kbytes)
  2854. #   Average object size, used to estimate number of objects your
  2855. #   cache can hold.  The default is 13 KB.
  2856. #
  2857. #Default:
  2858. # store_avg_object_size 13 KB
  2859.  
  2860. #  TAG: store_objects_per_bucket
  2861. #   Target number of objects per bucket in the store hash table.
  2862. #   Lowering this value increases the total number of buckets and
  2863. #   also the storage maintenance rate.  The default is 20.
  2864. #
  2865. #Default:
  2866. # store_objects_per_bucket 20
  2867.  
  2868.  
  2869. # HTTP OPTIONS
  2870. # -----------------------------------------------------------------------------
  2871.  
  2872. #  TAG: request_header_max_size (KB)
  2873. #   This specifies the maximum size for HTTP headers in a request.
  2874. #   Request headers are usually relatively small (about 512 bytes).
  2875. #   Placing a limit on the request header size will catch certain
  2876. #   bugs (for example with persistent connections) and possibly
  2877. #   buffer-overflow or denial-of-service attacks.
  2878. #
  2879. #Default:
  2880. # request_header_max_size 20 KB
  2881.  
  2882. #  TAG: reply_header_max_size   (KB)
  2883. #   This specifies the maximum size for HTTP headers in a reply.
  2884. #   Reply headers are usually relatively small (about 512 bytes).
  2885. #   Placing a limit on the reply header size will catch certain
  2886. #   bugs (for example with persistent connections) and possibly
  2887. #   buffer-overflow or denial-of-service attacks.
  2888. #
  2889. #Default:
  2890. # reply_header_max_size 20 KB
  2891.  
  2892. #  TAG: request_body_max_size   (KB)
  2893. #   This specifies the maximum size for an HTTP request body.
  2894. #   In other words, the maximum size of a PUT/POST request.
  2895. #   A user who attempts to send a request with a body larger
  2896. #   than this limit receives an "Invalid Request" error message.
  2897. #   If you set this parameter to a zero (the default), there will
  2898. #   be no limit imposed.
  2899. #
  2900. #Default:
  2901. # request_body_max_size 0 KB
  2902.  
  2903. #  TAG: broken_posts
  2904. #   A list of ACL elements which, if matched, causes Squid to send
  2905. #   an extra CRLF pair after the body of a PUT/POST request.
  2906. #
  2907. #   Some HTTP servers have broken implementations of PUT/POST,
  2908. #   and rely on an extra CRLF pair sent by some WWW clients.
  2909. #
  2910. #   Quote from RFC2616 section 4.1 on this matter:
  2911. #
  2912. #     Note: certain buggy HTTP/1.0 client implementations generate an
  2913. #     extra CRLF's after a POST request. To restate what is explicitly
  2914. #     forbidden by the BNF, an HTTP/1.1 client must not preface or follow
  2915. #     a request with an extra CRLF.
  2916. #
  2917. #Example:
  2918. # acl buggy_server url_regex ^http://....
  2919. # broken_posts allow buggy_server
  2920. #
  2921. #Default:
  2922. # none
  2923.  
  2924. #  TAG: upgrade_http0.9
  2925. #   This access list controls when HTTP/0.9 responses are upgraded
  2926. #   to our current HTTP version. The default is to always upgrade.
  2927. #
  2928. #   Some applications expect to be able to respond with non-HTTP
  2929. #   responses and clients get confused if the response is upgraded.
  2930. #   For example SHOUTcast servers used for mp3 streaming.
  2931. #
  2932. #   To enable some flexibility in detection of such applications
  2933. #   the first line of the response is available in the internal header
  2934. #   X-HTTP09-First-Line for use in the rep_header acl.
  2935. #
  2936. # Don't upgrade ShoutCast responses to HTTP
  2937. acl shoutcast rep_header X-HTTP09-First-Line ^ICY.[0-9]
  2938. upgrade_http0.9 deny shoutcast
  2939.  
  2940. #  TAG: via on|off
  2941. #   If set (default), Squid will include a Via header in requests and
  2942. #   replies as required by RFC2616.
  2943. #
  2944. #Default:
  2945. # via on
  2946.  
  2947. #  TAG: cache_vary
  2948. #   When 'cache_vary' is set to off, responses that have a
  2949. #   Vary header will not be stored in the cache.
  2950. #
  2951. #Default:
  2952. # cache_vary on
  2953.  
  2954. #  TAG: broken_vary_encoding
  2955. #   Many servers have broken support for on-the-fly Content-Encoding,
  2956. #   returning the same ETag on both plain and gzipped variants.
  2957. #   Vary replies matching this access list will have the cache split
  2958. #   on the Accept-Encoding header of the request and not trusting the
  2959. #   ETag to be unique.
  2960. #
  2961. # Apache mod_gzip and mod_deflate are known to be broken so don't trust
  2962. # Apache to signal ETag correctly on such responses
  2963. acl apache rep_header Server ^Apache
  2964. broken_vary_encoding allow apache
  2965.  
  2966. #  TAG: collapsed_forwarding    (on|off)
  2967. #   This option enables multiple requests for the same URI to be
  2968. #   processed as one request. Normally disabled to avoid increased
  2969. #   latency on dynamic content, but there can be benefit from enabling
  2970. #   this in accelerator setups where the web servers are the bottleneck,
  2971. #   are reliable, and return mostly cacheable information.
  2972. #
  2973. #Default:
  2974. # collapsed_forwarding off
  2975.  
  2976. #  TAG: refresh_stale_hit   (time)
  2977. #   This option changes the refresh algorithm to allow concurrent
  2978. #   requests while an object is being refreshed to be processed as
  2979. #   cache hits if the object expired less than X seconds ago. Default
  2980. #   is 0 to disable this feature. This option is mostly interesting
  2981. #   in accelerator setups where a few objects are accessed very
  2982. #   frequently.
  2983. #
  2984. #Default:
  2985. # refresh_stale_hit 0 seconds
  2986.  
  2987. #  TAG: ie_refresh  on|off
  2988. #   Microsoft Internet Explorer up until version 5.5 Service
  2989. #   Pack 1 has an issue with transparent proxies, wherein it
  2990. #   is impossible to force a refresh.  Turning this on provides
  2991. #   a partial fix to the problem, by causing all IMS-REFRESH
  2992. #   requests from older IE versions to check the origin server
  2993. #   for fresh content.  This reduces hit ratio by some amount
  2994. #   (~10% in my experience), but allows users to actually get
  2995. #   fresh content when they want it.  Note that because Squid
  2996. #   cannot tell if the user is using 5.5 or 5.5SP1, the behavior
  2997. #   of 5.5 is unchanged from old versions of Squid (i.e. a
  2998. #   forced refresh is impossible).  Newer versions of IE will,
  2999. #   hopefully, continue to have the new behavior and will be
  3000. #   handled based on that assumption.  This option defaults to
  3001. #   the old Squid behavior, which is better for hit ratios but
  3002. #   worse for clients using IE, if they need to be able to
  3003. #   force fresh content.
  3004. #
  3005. #Default:
  3006. # ie_refresh off
  3007.  
  3008. #  TAG: vary_ignore_expire  on|off
  3009. #   Many HTTP servers supporting Vary give such objects
  3010. #   an immediate expiry time with no cache-control header
  3011. #   when requested by an HTTP/1.0 client. This option
  3012. #   enables Squid to ignore such expiry times until
  3013. #   HTTP/1.1 is fully implemented.
  3014. #   WARNING: This may eventually cause some varying
  3015. #   objects not intended for caching to get cached.
  3016. #
  3017. #Default:
  3018. # vary_ignore_expire off
  3019.  
  3020. #  TAG: extension_methods
  3021. #   Squid only knows about standardized HTTP request methods.
  3022. #   You can add up to 20 additional "extension" methods here.
  3023. extension_methods REPORT MERGE MKACTIVITY CHECKOUT
  3024.  
  3025. #  TAG: request_entities
  3026. #   Squid defaults to deny GET and HEAD requests with request entities,
  3027. #   as the meaning of such requests is undefined in the HTTP standard
  3028. #   even if not explicitly forbidden.
  3029. #
  3030. #   Set this directive to on if you have clients which insist
  3031. #   on sending request entities in GET or HEAD requests. But be warned
  3032. #   that there is server software (both proxies and web servers) which
  3033. #   can fail to properly process this kind of request which may make you
  3034. #   vulnerable to cache pollution attacks if enabled.
  3035. #
  3036. #Default:
  3037. # request_entities off
  3038.  
  3039. #  TAG: header_access
  3040. #   Usage: header_access header_name allow|deny [!]aclname ...
  3041. #
  3042. #   WARNING: Doing this VIOLATES the HTTP standard.  Enabling
  3043. #   this feature could make you liable for problems which it
  3044. #   causes.
  3045. #
  3046. #   This option replaces the old 'anonymize_headers' and the
  3047. #   older 'http_anonymizer' option with something that is much
  3048. #   more configurable. This new method creates a list of ACLs
  3049. #   for each header, allowing you very fine-tuned header
  3050. #   mangling.
  3051. #
  3052. #   You can only specify known headers for the header name.
  3053. #   Other headers are reclassified as 'Other'. You can also
  3054. #   refer to all the headers with 'All'.
  3055. #
  3056. #   For example, to achieve the same behavior as the old
  3057. #   'http_anonymizer standard' option, you should use:
  3058. #
  3059. #       header_access From deny all
  3060. #       header_access Referer deny all
  3061. #       header_access Server deny all
  3062. #       header_access User-Agent deny all
  3063. #       header_access WWW-Authenticate deny all
  3064. #       header_access Link deny all
  3065. #
  3066. #   Or, to reproduce the old 'http_anonymizer paranoid' feature
  3067. #   you should use:
  3068. #
  3069. #       header_access Allow allow all
  3070. #       header_access Authorization allow all
  3071. #       header_access WWW-Authenticate allow all
  3072. #       header_access Proxy-Authorization allow all
  3073. #       header_access Proxy-Authenticate allow all
  3074. #       header_access Cache-Control allow all
  3075. #       header_access Content-Encoding allow all
  3076. #       header_access Content-Length allow all
  3077. #       header_access Content-Type allow all
  3078. #       header_access Date allow all
  3079. #       header_access Expires allow all
  3080. #       header_access Host allow all
  3081. #       header_access If-Modified-Since allow all
  3082. #       header_access Last-Modified allow all
  3083. #       header_access Location allow all
  3084. #       header_access Pragma allow all
  3085. #       header_access Accept allow all
  3086. #       header_access Accept-Charset allow all
  3087. #       header_access Accept-Encoding allow all
  3088. #       header_access Accept-Language allow all
  3089. #       header_access Content-Language allow all
  3090. #       header_access Mime-Version allow all
  3091. #       header_access Retry-After allow all
  3092. #       header_access Title allow all
  3093. #       header_access Connection allow all
  3094. #       header_access Proxy-Connection allow all
  3095. #       header_access All deny all
  3096. #
  3097. #   By default, all headers are allowed (no anonymizing is
  3098. #   performed).
  3099. #
  3100. #Default:
  3101. # none
  3102.  
  3103. #  TAG: header_replace
  3104. #   Usage:   header_replace header_name message
  3105. #   Example: header_replace User-Agent Nutscrape/1.0 (CP/M; 8-bit)
  3106. #
  3107. #   This option allows you to change the contents of headers
  3108. #   denied with header_access above, by replacing them with
  3109. #   some fixed string. This replaces the old fake_user_agent
  3110. #   option.
  3111. #
  3112. #   By default, headers are removed if denied.
  3113. #
  3114. #Default:
  3115. # none
  3116.  
  3117. #  TAG: relaxed_header_parser   on|off|warn
  3118. #   In the default "on" setting Squid accepts certain forms
  3119. #   of non-compliant HTTP messages where it is unambiguous
  3120. #   what the sending application intended even if the message
  3121. #   is not correctly formatted. The message is then normalized
  3122. #   to the correct form when forwarded by Squid.
  3123. #
  3124. #   If set to "warn" then a warning will be emitted in cache.log
  3125. #   each time such an HTTP error is encountered.
  3126. #
  3127. #   If set to "off" then such HTTP errors will cause the request
  3128. #   or response to be rejected.
  3129. #
  3130. #Default:
  3131. # relaxed_header_parser on
  3132.  
  3133. #  TAG: server_http11   on|off
  3134. #   This option enables the use of HTTP/1.1 on outgoing "direct" requests.
  3135. #   See also the http11 cache_peer option.
  3136. #   Note: The HTTP/1.1 support is still incomplete, with an
  3137. #   internal HTTP/1.0 hop. As a result 1xx responses will not
  3138. #   be forwarded.
  3139. #
  3140. #Default:
  3141. # server_http11 off
  3142.  
  3143. #  TAG: ignore_expect_100   on|off
  3144. #   This option makes Squid ignore any Expect: 100-continue header present
  3145. #   in the request.
  3146. #   Note: Enabling this is an HTTP protocol violation, but some clients may
  3147. #   not handle it well.
  3148. #
  3149. #Default:
  3150. # ignore_expect_100 off
  3151.  
  3152. #  TAG: external_refresh_check
  3153. #   This option defines an external helper for determining whether to
  3154. #   refresh a stale response. It will be called when Squid receives a
  3155. #   request for a cached response that is stale; the helper can either
  3156. #   confirm that the response is stale with a STALE response, or
  3157. #   extend the freshness of the response (thereby avoiding a refresh
  3158. #   check) with a FRESH response, along with a freshness=nnn keyword.
  3159. #
  3160. #     external_refresh_check [options] FORMAT.. /path/to/helper [helper_args]
  3161. #
  3162. #   If present, helper_args will be passed to the helper on the command
  3163. #   line verbatim.
  3164. #
  3165. #   Options:
  3166. #
  3167. #     children=n    Number of processes to spawn to service external
  3168. #           refresh checks (default 5).
  3169. #     concurrency=n Concurrency level per process. Only used with
  3170. #           helpers capable of processing more than one query
  3171. #           at a time.
  3172. #
  3173. #   When using the concurrency option, the protocol is changed by introducing
  3174. #   a query channel tag in front of the request/response. The query channel
  3175. #   tag is a number between 0 and concurrency-1.
  3176. #
  3177. #   FORMAT specifications:
  3178. #
  3179. #     %CACHE_URI    The URI of the cached response
  3180. #     %RES{Header}  HTTP response header value
  3181. #     %AGE      The age of the cached response
  3182. #
  3183. #   The request sent to the helper consists of the data in the format
  3184. #   specification in the order specified.
  3185. #
  3186. #   The helper receives lines per the above format specification, and
  3187. #   returns lines starting with OK or ERR indicating the validity of
  3188. #   the request and optionally followed by additional keywords with
  3189. #   more details.  URL escaping is used to protect each value in both
  3190. #   requests and responses.
  3191. #
  3192. #   General result syntax:
  3193. #
  3194. #     FRESH / STALE keyword=value ...
  3195. #
  3196. #   Defined keywords:
  3197. #
  3198. #     freshness=nnn The number of seconds to extend the freshness of
  3199. #           the response by.
  3200. #     log=string    String to be logged in access.log. Available as
  3201. #           %ef in logformat specifications.
  3202. #     res{Header}=value
  3203. #           Value to update response headers with. If already
  3204. #           present, the supplied value completely replaces
  3205. #           the cached value.
  3206. #
  3207. #   In the event of a helper-related error (e.g., overload), Squid
  3208. #   will always default to STALE.
  3209. #
  3210. #Default:
  3211. # none
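
A helper for the external_refresh_check protocol described above, as an added Python sketch (not part of Squid). It uses the FRESH/STALE result syntax, echoes the channel tag when concurrency is enabled, and answers STALE for anything it cannot parse. The helper path, the allowed host, the policy values, and the assumptions that fields are space-separated and that %AGE is in seconds are not from the original text.

```python
#!/usr/bin/env python3
"""Sketch of an external_refresh_check helper (added example, not Squid code).

Assumed squid.conf line (helper path is hypothetical):
  external_refresh_check concurrency=10 %CACHE_URI %AGE /usr/local/bin/refresh_helper.py
Assumptions: fields are separated by single spaces, each field is
URL-escaped, and %AGE is a number of seconds.
"""
import sys
from urllib.parse import quote, unquote, urlsplit

CONCURRENT = True                        # must match the concurrency= option
ALLOWED_HOSTS = {"static.example.com"}   # hypothetical origin we trust
MAX_AGE = 3600                           # never extend objects older than this
EXTENSION = 30                           # seconds of extra freshness granted


def decide(uri, age):
    """Return (verdict, keywords) for one stale cached response."""
    parts = urlsplit(uri)
    # Compare the parsed hostname exactly; a prefix or substring match would
    # also accept names such as static.example.com.other.test.
    if parts.scheme not in ("http", "https") or parts.hostname not in ALLOWED_HOSTS:
        return "STALE", {"log": "host-not-allowed"}
    if parts.query:
        return "STALE", {"log": "dynamic"}
    if age < 0 or age > MAX_AGE:
        return "STALE", {"log": "too-old"}
    return "FRESH", {"freshness": str(EXTENSION), "log": "extended"}


def handle_line(line, concurrent=CONCURRENT):
    """Turn one request line from Squid into one reply line."""
    tokens = line.strip().split(" ")
    tag = ""
    if concurrent:
        # The query channel tag leads the request and must lead the reply.
        if not tokens[0].isdigit():
            return "STALE"
        tag, tokens = tokens[0] + " ", tokens[1:]
    if len(tokens) != 2:
        return tag + "STALE"             # malformed: let Squid revalidate
    try:
        verdict, keywords = decide(unquote(tokens[0]), int(unquote(tokens[1])))
    except ValueError:                   # bad age or unparsable URI
        return tag + "STALE"
    extras = "".join(f" {k}={quote(v, safe='')}" for k, v in keywords.items())
    return f"{tag}{verdict}{extras}"


def main():
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()               # Squid waits for each reply line


if __name__ == "__main__":
    main()
```

Failing towards STALE keeps the helper's mistakes on the safe side: the worst outcome is an extra refresh check, which is also what Squid itself does on helper errors.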
  3212.  
  3213.  
  3214. # TIMEOUTS
  3215. # -----------------------------------------------------------------------------
  3216.  
  3217. #  TAG: forward_timeout time-units
  3218. #   This parameter specifies the maximum time Squid should spend trying
  3219. #   to find a forwarding path for the request before giving up.
  3220. #
  3221. #Default:
  3222. # forward_timeout 4 minutes
  3223.  
  3224. #  TAG: connect_timeout time-units
  3225. #   This parameter specifies how long to wait for the TCP connect to
  3226. #   the requested server or peer to complete before Squid should
  3227. #   attempt to find another path on which to forward the request.
  3228. #
  3229. #Default:
  3230. # connect_timeout 1 minute
  3231.  
  3232. #  TAG: peer_connect_timeout    time-units
  3233. #   This parameter specifies how long to wait for a pending TCP
  3234. #   connection to a peer cache.  The default is 30 seconds.   You
  3235. #   may also set different timeout values for individual neighbors
  3236. #   with the 'connect-timeout' option on a 'cache_peer' line.
  3237. #
  3238. #Default:
  3239. # peer_connect_timeout 30 seconds
  3240.  
  3241. #  TAG: read_timeout    time-units
  3242. #   The read_timeout is applied on server-side connections.  After
  3243. #   each successful read(), the timeout will be extended by this
  3244. #   amount.  If no data is read again after this amount of time,
  3245. #   the request is aborted and logged with ERR_READ_TIMEOUT.  The
  3246. #   default is 15 minutes.
  3247. #
  3248. #Default:
  3249. # read_timeout 15 minutes
  3250.  
  3251. #  TAG: request_timeout
  3252. #   How long to wait for an HTTP request after initial
  3253. #   connection establishment.
  3254. #
  3255. #Default:
  3256. # request_timeout 5 minutes
  3257.  
  3258. #  TAG: persistent_request_timeout
  3259. #   How long to wait for the next HTTP request on a persistent
  3260. #   connection after the previous request completes.
  3261. #
  3262. #Default:
  3263. # persistent_request_timeout 2 minutes
  3264.  
  3265. #  TAG: client_lifetime time-units
  3266. #   The maximum amount of time a client (browser) is allowed to
  3267. #   remain connected to the cache process.  This protects the Cache
  3268. #   from having a lot of sockets (and hence file descriptors) tied up
  3269. #   in a CLOSE_WAIT state from remote clients that go away without
  3270. #   properly shutting down (either because of a network failure or
  3271. #   because of a poor client implementation).  The default is one
  3272. #   day, 1440 minutes.
  3273. #
  3274. #   NOTE:  The default value is intended to be much larger than any
  3275. #   client would ever need to be connected to your cache.  You
  3276. #   should probably change client_lifetime only as a last resort.
  3277. #   If you seem to have many client connections tying up
  3278. #   file descriptors, we recommend first tuning the read_timeout,
  3279. #   request_timeout, persistent_request_timeout and quick_abort values.
  3280. #
  3281. #Default:
  3282. # client_lifetime 1 day
  3283.  
  3284. #  TAG: half_closed_clients
  3285. #   Some clients may shutdown the sending side of their TCP
  3286. #   connections, while leaving their receiving sides open.  Sometimes,
  3287. #   Squid can not tell the difference between a half-closed and a
  3288. #   fully-closed TCP connection.  By default, half-closed client
  3289. #   connections are kept open until a read(2) or write(2) on the
  3290. #   socket returns an error.  Change this option to 'off' and Squid
  3291. #   will immediately close client connections when read(2) returns
  3292. #   "no more data to read."
  3293. #
  3294. #Default:
  3295. # half_closed_clients on
  3296.  
  3297. #  TAG: pconn_timeout
  3298. #   Timeout for idle persistent connections to servers and other
  3299. #   proxies.
  3300. #
  3301. #Default:
  3302. # pconn_timeout 1 minute
  3303.  
  3304. #  TAG: ident_timeout
  3305. #   Maximum time to wait for IDENT lookups to complete.
  3306. #
  3307. #   If this is too high, and you enabled IDENT lookups from untrusted
  3308. #   users, you might be susceptible to denial-of-service by having
  3309. #   many ident requests going at once.
  3310. #
  3311. #Default:
  3312. # ident_timeout 10 seconds
  3313.  
  3314. #  TAG: shutdown_lifetime   time-units
  3315. #   When SIGTERM or SIGHUP is received, the cache is put into
  3316. #   "shutdown pending" mode until all active sockets are closed.
  3317. #   This value is the lifetime to set for all open descriptors
  3318. #   during shutdown mode.  Any active clients after this many
  3319. #   seconds will receive a 'timeout' message.
  3320. #
  3321. #Default:
  3322. # shutdown_lifetime 30 seconds
  3323.  
  3324.  
  3325. # ADMINISTRATIVE PARAMETERS
  3326. # -----------------------------------------------------------------------------
  3327.  
  3328. #  TAG: cache_mgr
  3329. #   Email-address of local cache manager who will receive
  3330. #   mail if the cache dies. The default is "webmaster".
  3331. #
  3332. #Default:
  3333. # cache_mgr webmaster
  3334.  
  3335. #  TAG: mail_from
  3336. #   From: email-address for mail sent when the cache dies.
  3337. #   The default is to use 'appname@unique_hostname'.
  3338. #   Default appname value is "squid"; it can be changed in
  3339. #   src/globals.h before building squid.
  3340. #
  3341. #Default:
  3342. # none
  3343.  
  3344. #  TAG: mail_program
  3345. #   Email program used to send mail if the cache dies.
  3346. #   The default is "mail". The specified program must comply
  3347. #   with the standard Unix mail syntax:
  3348. #     mail-program recipient < mailfile
  3349. #
  3350. #   Optional command line options can be specified.
  3351. #
  3352. #Default:
  3353. # mail_program mail
  3354.  
  3355. #  TAG: cache_effective_user
  3356. #   If you start Squid as root, it will change its effective/real
  3357. #   UID/GID to the user specified below.  The default is to change
  3358. #   the UID to proxy.  If you define cache_effective_user, but not
  3359. #   cache_effective_group, Squid sets the GID to the effective
  3360. #   user's default group ID (taken from the password file) and
  3361. #   supplementary group list from the group memberships of
  3362. #   cache_effective_user.
  3363. #
  3364. #Default:
  3365. # cache_effective_user proxy
  3366.  
  3367. #  TAG: cache_effective_group
  3368. #   If you want Squid to run with a specific GID regardless of
  3369. #   the group memberships of the effective user then set this
  3370. #   to the group (or GID) you want Squid to run as. When set
  3371. #   all other group privileges of the effective user are ignored
  3372. #   and only this GID is effective. If Squid is not started as
  3373. #   root the user starting Squid must be a member of the specified
  3374. #   group.
  3375. #
  3376. #Default:
  3377. # none
  3378.  
  3379. #  TAG: httpd_suppress_version_string   on|off
  3380. #   Suppress Squid version string info in HTTP headers and HTML error pages.
  3381. #
  3382. #Default:
  3383. # httpd_suppress_version_string off
  3384.  
  3385. #  TAG: visible_hostname
  3386. #   If you want to present a special hostname in error messages, etc,
  3387. #   define this.  Otherwise, the return value of gethostname()
  3388. #   will be used. If you have multiple caches in a cluster and
  3389. #   get errors about IP-forwarding you must set them to have individual
  3390. #   names with this setting.
  3391. #
  3392. #Default:
  3393. # none
  3394.  
  3395. #  TAG: unique_hostname
  3396. #   If you want to have multiple machines with the same
  3397. #   'visible_hostname' you must give each machine a different
  3398. #   'unique_hostname' so forwarding loops can be detected.
  3399. #
  3400. #Default:
  3401. # none
  3402.  
  3403. #  TAG: hostname_aliases
  3404. #   A list of other DNS names your cache has.
  3405. #
  3406. #Default:
  3407. # none
  3408.  
  3409. #  TAG: umask
  3410. #   Minimum umask which should be enforced while the proxy
  3411. #   is running, in addition to the umask set at startup.
  3412. #
  3413. #   Note: Should start with a 0 to indicate the normal octal
  3414. #   representation of umasks
  3415. #
  3416. #Default:
  3417. # umask 027
  3418.  
  3419.  
  3420. # OPTIONS FOR THE CACHE REGISTRATION SERVICE
  3421. # -----------------------------------------------------------------------------
  3422. #
  3423. #   This section contains parameters for the (optional) cache
  3424. #   announcement service.  This service is provided to help
  3425. #   cache administrators locate one another in order to join or
  3426. #   create cache hierarchies.
  3427. #
  3428. #   An 'announcement' message is sent (via UDP) to the registration
  3429. #   service by Squid.  By default, the announcement message is NOT
  3430. #   SENT unless you enable it with 'announce_period' below.
  3431. #
  3432. #   The announcement message includes your hostname, plus the
  3433. #   following information from this configuration file:
  3434. #
  3435. #       http_port
  3436. #       icp_port
  3437. #       cache_mgr
  3438. #
  3439. #   All current information is processed regularly and made
  3440. #   available on the Web at http://www.ircache.net/Cache/Tracker/.
  3441.  
  3442. #  TAG: announce_period
  3443. #   This is how frequently to send cache announcements.  The
  3444. #   default is `0' which disables sending the announcement
  3445. #   messages.
  3446. #
  3447. #   To enable announcing your cache, just uncomment the line
  3448. #   below.
  3449. #
  3450. #Default:
  3451. # announce_period 0
  3452. #
  3453. #To enable announcing your cache, just uncomment the line below.
  3454. #announce_period 1 day
  3455.  
  3456. #  TAG: announce_host
  3457. #  TAG: announce_file
  3458. #  TAG: announce_port
  3459. #   announce_host and announce_port set the hostname and port
  3460. #   number where the registration message will be sent.
  3461. #
  3462. #   Hostname will default to 'tracker.ircache.net' and port will
  3463. #   default to 3131.  If the 'filename' argument is given,
  3464. #   the contents of that file will be included in the announce
  3465. #   message.
  3466. #
  3467. #Default:
  3468. # announce_host tracker.ircache.net
  3469. # announce_port 3131
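
Several directives above carry explicit warnings in their own comments (request_header_max_size, request_body_max_size, request_entities, vary_ignore_expire, ignore_expect_100, header_access, ident_timeout, httpd_suppress_version_string, announce_period). The following Python audit is an added example, not part of Squid: it resolves the effective value of each, using the defaults printed above when a line is commented out, and reports the ones the comments caution about. The thresholds, finding texts and the constructed sample config are assumptions of this example.

```python
"""Report squid.conf settings that the file's own comments caution about.

Added example, not part of Squid. Defaults are those printed in the
comments; thresholds and finding texts are this example's choices.
"""
import re

DEFAULTS = {
    "request_header_max_size": "20 KB",
    "reply_header_max_size": "20 KB",
    "request_body_max_size": "0 KB",
    "request_entities": "off",
    "vary_ignore_expire": "off",
    "ignore_expect_100": "off",
    "ident_timeout": "10 seconds",
    "httpd_suppress_version_string": "off",
    "announce_period": "0",
}
SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}
SIZES = {"bytes": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}


def to_seconds(value):
    """Parse '10 seconds', '1 minute', '1 day' or a bare number of seconds."""
    m = re.fullmatch(r"(\d+)(?:\s+([a-z]+?)s?)?", value.strip().lower())
    if not m or (m.group(2) or "second") not in SECONDS:
        raise ValueError(f"unrecognised time value: {value!r}")
    return int(m.group(1)) * SECONDS[m.group(2) or "second"]


def to_bytes(value):
    """Parse '20 KB' style sizes; a bare number is read as KB (assumption)."""
    m = re.fullmatch(r"(\d+)\s*(bytes|KB|MB|GB)?", value.strip())
    if not m:
        raise ValueError(f"unrecognised size value: {value!r}")
    return int(m.group(1)) * SIZES[m.group(2) or "KB"]


def parse_conf(text):
    """Return (effective scalar settings, set of directive names seen)."""
    settings, seen = dict(DEFAULTS), set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # commented lines do not count
        if not line:
            continue
        fields = line.split(None, 1)
        seen.add(fields[0])
        if fields[0] in DEFAULTS:                # a later line overrides an earlier one
            settings[fields[0]] = fields[1] if len(fields) > 1 else ""
    return settings, seen


def audit(text):
    """Return a list of (directive, reason) findings."""
    s, seen = parse_conf(text)
    out = []
    for key in ("request_header_max_size", "reply_header_max_size"):
        if to_bytes(s[key]) > to_bytes(DEFAULTS[key]):
            out.append((key, "raised above the 20 KB default"))
    if to_bytes(s["request_body_max_size"]) == 0:
        out.append(("request_body_max_size", "0 means no PUT/POST size limit"))
    if s["request_entities"] == "on":
        out.append(("request_entities", "comments warn of cache pollution"))
    if s["vary_ignore_expire"] == "on":
        out.append(("vary_ignore_expire", "uncacheable variants may be cached"))
    if s["ignore_expect_100"] == "on":
        out.append(("ignore_expect_100", "HTTP protocol violation"))
    if to_seconds(s["ident_timeout"]) > to_seconds(DEFAULTS["ident_timeout"]):
        out.append(("ident_timeout", "long waits let IDENT lookups pile up"))
    if s["httpd_suppress_version_string"] != "on":
        out.append(("httpd_suppress_version_string", "version string is shown"))
    if to_seconds(s["announce_period"]) > 0:
        out.append(("announce_period", "hostname, ports, cache_mgr are announced"))
    if "header_access" in seen:
        out.append(("header_access", "header mangling violates the HTTP standard"))
    return out


# Constructed sample configuration, not taken from the paste above.
SAMPLE_CONF = """\
request_header_max_size 64 KB
request_body_max_size 10 MB
request_entities on
ident_timeout 1 minute
#httpd_suppress_version_string on
announce_period 1 day
header_access Via deny all
"""

if __name__ == "__main__":
    for directive, reason in audit(SAMPLE_CONF):
        print(f"{directive}: {reason}")
```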
  3470.  
  3471.  
  3472. # HTTPD-ACCELERATOR OPTIONS
  3473. # -----------------------------------------------------------------------------
  3474.  
  3475. #  TAG: httpd_accel_no_pmtu_disc    on|off
  3476. #   In many setups of transparently intercepting proxies Path-MTU
  3477. #   discovery can not work on traffic towards the clients. This is
  3478. #   the case when the intercepting device does not fully track
  3479. #   connections and fails to forward ICMP "must fragment" messages
  3480. #   to the cache server.
  3481. #
  3482. #   If you have such a setup and find that certain clients
  3483. #   sporadically hang or never complete requests, set this to on.
  3484. #
  3485. #Default:
  3486. # httpd_accel_no_pmtu_disc off
  3487.  
  3488.  
  3489. # DELAY POOL PARAMETERS
  3490. # -----------------------------------------------------------------------------
  3491.  
  3492. #  TAG: delay_pools
  3493. #   This represents the number of delay pools to be used.  For example,
  3494. #   if you have one class 2 delay pool and one class 3 delay pool, you
  3495. #   have a total of 2 delay pools.
  3496. #
  3497. #Default:
  3498. # delay_pools 0
  3499.  
  3500. #  TAG: delay_class
  3501. #   This defines the class of each delay pool.  There must be exactly one
  3502. #   delay_class line for each delay pool.  For example, to define two
  3503. #   delay pools, one of class 2 and one of class 3, the settings above
  3504. #   and here would be:
  3505. #
  3506. #Example:
  3507. # delay_pools 2      # 2 delay pools
  3508. # delay_class 1 2    # pool 1 is a class 2 pool
  3509. # delay_class 2 3    # pool 2 is a class 3 pool
  3510. #
  3511. #   The delay pool classes are:
  3512. #
  3513. #       class 1     Everything is limited by a single aggregate
  3514. #               bucket.
  3515. #
  3516. #       class 2     Everything is limited by a single aggregate
  3517. #               bucket as well as an "individual" bucket chosen
  3518. #               from bits 25 through 32 of the IP address.
  3519. #
  3520. #       class 3     Everything is limited by a single aggregate
  3521. #               bucket as well as a "network" bucket chosen
  3522. #               from bits 17 through 24 of the IP address and an
  3523. #               "individual" bucket chosen from bits 17 through
  3524. #               32 of the IP address.
  3525. #
  3526. #   NOTE: If an IP address is a.b.c.d
  3527. #       -> bits 25 through 32 are "d"
  3528. #       -> bits 17 through 24 are "c"
  3529. #       -> bits 17 through 32 are "c * 256 + d"
  3530. #
  3531. #Default:
  3532. # none
  3533.  
  3534. #  TAG: delay_access
  3535. #   This is used to determine which delay pool a request falls into.
  3536. #
  3537. #   delay_access is sorted per pool and the matching starts with pool 1,
  3538. #   then pool 2, ..., and finally pool N. The first delay pool where the
  3539. #   request is allowed is selected for the request. If no pool allows
  3540. #   the request then the request is not delayed (default).
  3541. #
  3542. #   For example, if you want some_big_clients in delay
  3543. #   pool 1 and lotsa_little_clients in delay pool 2:
  3544. #
  3545. #Example:
  3546. # delay_access 1 allow some_big_clients
  3547. # delay_access 1 deny all
  3548. # delay_access 2 allow lotsa_little_clients
  3549. # delay_access 2 deny all
  3550. #
  3551. #Default:
  3552. # none
  3553.  
  3554. #  TAG: delay_parameters
  3555. #   This defines the parameters for a delay pool.  Each delay pool has
  3556. #   a number of "buckets" associated with it, as explained in the
  3557. #   description of delay_class.  For a class 1 delay pool, the syntax is:
  3558. #
  3559. #delay_parameters pool aggregate
  3560. #
  3561. #   For a class 2 delay pool:
  3562. #
  3563. #delay_parameters pool aggregate individual
  3564. #
  3565. #   For a class 3 delay pool:
  3566. #
  3567. #delay_parameters pool aggregate network individual
  3568. #
  3569. #   The variables here are:
  3570. #
  3571. #       pool        a pool number - i.e., a number between 1 and the
  3572. #               number specified in delay_pools as used in
  3573. #               delay_class lines.
  3574. #
  3575. #       aggregate   the "delay parameters" for the aggregate bucket
  3576. #               (class 1, 2, 3).
  3577. #
  3578. #       individual  the "delay parameters" for the individual
  3579. #               buckets (class 2, 3).
  3580. #
  3581. #       network     the "delay parameters" for the network buckets
  3582. #               (class 3).
  3583. #
  3584. #   A pair of delay parameters is written restore/maximum, where restore is
  3585. #   the number of bytes (not bits - modem and network speeds are usually
  3586. #   quoted in bits) per second placed into the bucket, and maximum is the
  3587. #   maximum number of bytes which can be in the bucket at any time.
  3588. #
  3589. #   For example, if delay pool number 1 is a class 2 delay pool as in the
  3590. #   above example, and is being used to strictly limit each host to 64kbps
  3591. #   (plus overheads), with no overall limit, the line is:
  3592. #
  3593. #delay_parameters 1 -1/-1 8000/8000
  3594. #
  3595. #   Note that the figure -1 is used to represent "unlimited".
  3596. #
  3597. #   And, if delay pool number 2 is a class 3 delay pool as in the above
  3598. #   example, and you want to limit it to a total of 256kbps (strict limit)
  3599. #   with each 8-bit network permitted 64kbps (strict limit) and each
  3600. #   individual host permitted 4800bps with a bucket maximum size of 64kb
  3601. #   to permit a decent web page to be downloaded at a decent speed
  3602. #   (if the network is not being limited due to overuse) but slow down
  3603. #   large downloads more significantly:
  3604. #
  3605. #delay_parameters 2 32000/32000 8000/8000 600/8000
  3606. #
  3607. #   There must be one delay_parameters line for each delay pool.
  3608. #
  3609. #Default:
  3610. # none
  3611.  
  3612. #  TAG: delay_initial_bucket_level  (percent, 0-100)
  3613. #   The initial bucket percentage is used to determine how much is put
  3614. #   in each bucket when squid starts, is reconfigured, or first notices
  3615. #   a host accessing it (in class 2 and class 3, individual hosts and
  3616. #   networks only have buckets associated with them once they have been
  3617. #   "seen" by squid).
  3618. #
  3619. #Default:
  3620. # delay_initial_bucket_level 50
  3621.  
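The bucket arithmetic described under delay_class, delay_parameters and delay_initial_bucket_level, as an added example (not part of the Squid distribution or of this paste). It is a simplified model, not Squid's implementation: every bucket, including the aggregate one, is created on first use, and the host addresses are constructed. It also shows a consequence of the NOTE above: only octets c and d select a bucket, so hosts that differ only in a or b share one.

```python
from ipaddress import IPv4Address

UNLIMITED = -1  # the config's "-1" means unlimited
BUCKETS_BY_CLASS = {1: ["aggregate"],
                    2: ["aggregate", "individual"],
                    3: ["aggregate", "network", "individual"]}


def parse_delay_parameters(line):
    """'delay_parameters 2 32000/32000 ...' -> (2, [(32000, 32000), ...])."""
    directive, pool, *pairs = line.split()
    if directive != "delay_parameters":
        raise ValueError("not a delay_parameters line")
    return int(pool), [tuple(int(v) for v in p.split("/")) for p in pairs]


def bucket_keys(ip, pool_class):
    """Bucket index per the NOTE above: only octets c and d of a.b.c.d count."""
    _a, _b, c, d = IPv4Address(ip).packed
    keys = {"aggregate": 0}
    if pool_class == 2:
        keys["individual"] = d
    elif pool_class == 3:
        keys["network"] = c
        keys["individual"] = c * 256 + d
    return keys


class Bucket:
    def __init__(self, restore, maximum, initial_percent):
        self.restore, self.maximum = restore, maximum
        self.unlimited = restore == UNLIMITED
        # delay_initial_bucket_level: share of "maximum" present at creation
        self.level = 0 if self.unlimited else maximum * initial_percent // 100

    def available(self):
        return float("inf") if self.unlimited else self.level

    def refill(self, seconds):
        if not self.unlimited:
            self.level = min(self.maximum, self.level + self.restore * seconds)

    def take(self, nbytes):
        if not self.unlimited:
            self.level -= nbytes


class DelayPool:
    def __init__(self, pool_class, params, initial_percent=50):
        names = BUCKETS_BY_CLASS[pool_class]
        if len(params) != len(names):
            raise ValueError(f"class {pool_class} needs {len(names)} restore/maximum pairs")
        self.pool_class = pool_class
        self.params = dict(zip(names, params))
        self.initial_percent = initial_percent
        self.buckets = {}  # (name, key) -> Bucket, created when first "seen"

    def _buckets_for(self, ip):
        found = []
        for name, key in bucket_keys(ip, self.pool_class).items():
            if (name, key) not in self.buckets:
                restore, maximum = self.params[name]
                self.buckets[(name, key)] = Bucket(restore, maximum, self.initial_percent)
            found.append(self.buckets[(name, key)])
        return found

    def tick(self, seconds=1):
        for bucket in self.buckets.values():
            bucket.refill(seconds)

    def read(self, ip, wanted):
        """Bytes granted right now: capped by the emptiest bucket that applies."""
        buckets = self._buckets_for(ip)
        granted = int(min([wanted] + [b.available() for b in buckets]))
        for bucket in buckets:
            bucket.take(granted)
        return granted


def demo_class3():
    """The class 3 line from the text above; the host addresses are constructed."""
    pool, params = parse_delay_parameters(
        "delay_parameters 2 32000/32000 8000/8000 600/8000")
    p = DelayPool(3, params)
    first = p.read("10.0.5.7", 10000)    # 50% of the 8000-byte host bucket
    blocked = p.read("10.0.5.8", 10000)  # same "c" octet: network bucket is empty
    p.tick(1)
    steady = p.read("10.0.5.7", 10000)   # one second of host restore (600 bytes)
    return pool, first, blocked, steady


if __name__ == "__main__":
    print(demo_class3())
```
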
  3622.  
  3623. # WCCPv1 AND WCCPv2 CONFIGURATION OPTIONS
  3624. # -----------------------------------------------------------------------------
  3625.  
  3626. #  TAG: wccp_router
  3627. #  TAG: wccp2_router
  3628. #   Use this option to define your WCCP "home" router for
  3629. #   Squid.
  3630. #
  3631. #   wccp_router supports a single WCCP(v1) router
  3632. #
  3633. #   wccp2_router supports multiple WCCPv2 routers
  3634. #
  3635. #   Only one of the two may be used at the same time, and the one
  3636. #   used defines which version of WCCP to use.
  3637. #
  3638. #Default:
  3639. # wccp_router 0.0.0.0
  3640.  
  3641. #  TAG: wccp_version
  3642. #   This directive is only relevant if you need to set up WCCP(v1)
  3643. #   to some very old and end-of-life Cisco routers. In all other
  3644. #   setups it must be left unset or at the default setting.
  3645. #   It defines an internal version in the WCCP(v1) protocol,
  3646. #   with version 4 being the officially documented protocol.
  3647. #
  3648. #   According to some users, Cisco IOS 11.2 and earlier only
  3649. #   support WCCP version 3.  If you're using that or an earlier
  3650. #   version of IOS, you may need to change this value to 3, otherwise
  3651. #   do not specify this parameter.
  3652. #
  3653. #Default:
  3654. # wccp_version 4
  3655.  
  3656. #  TAG: wccp2_rebuild_wait
  3657. #   If this is enabled Squid will wait for the cache dir rebuild to finish
  3658. #   before sending the first wccp2 HereIAm packet
  3659. #
  3660. #Default:
  3661. # wccp2_rebuild_wait on
  3662.  
  3663. #  TAG: wccp2_forwarding_method
  3664. #   WCCP2 allows the setting of forwarding methods between the
  3665. #   router/switch and the cache.  Valid values are as follows:
  3666. #
  3667. #   1 - GRE encapsulation (forward the packet in a GRE/WCCP tunnel)
  3668. #   2 - L2 redirect (forward the packet using Layer 2/MAC rewriting)
  3669. #
  3670. #   Currently (as of IOS 12.4) Cisco routers only support GRE.
  3671. #   Cisco switches only support the L2 redirect assignment method.
  3672. #
  3673. #Default:
  3674. # wccp2_forwarding_method 1
  3675.  
  3676. #  TAG: wccp2_return_method
  3677. #   WCCP2 allows the setting of return methods between the
  3678. #   router/switch and the cache for packets that the cache
  3679. #   decides not to handle.  Valid values are as follows:
  3680. #
  3681. #   1 - GRE encapsulation (forward the packet in a GRE/WCCP tunnel)
  3682. #   2 - L2 redirect (forward the packet using Layer 2/MAC rewriting)
  3683. #
  3684. #   Currently (as of IOS 12.4) Cisco routers only support GRE.
  3685. #   Cisco switches only support the L2 redirect assignment.
  3686. #
  3687. #   If the "ip wccp redirect exclude in" command has been
  3688. #   enabled on the cache interface, then it is still safe for
  3689. #   the proxy server to use an L2 redirect method even if this
  3690. #   option is set to GRE.
  3691. #
  3692. #Default:
  3693. # wccp2_return_method 1
  3694.  
  3695. #  TAG: wccp2_assignment_method
  3696. #   WCCP2 allows the setting of methods to assign the WCCP hash.
  3697. #   Valid values are as follows:
  3698. #
  3699. #   1 - Hash assignment
  3700. #   2 - Mask assignment
  3701. #
  3702. #   As a general rule, Cisco routers support the hash assignment method
  3703. #   and Cisco switches support the mask assignment method.
  3704. #
  3705. #Default:
  3706. # wccp2_assignment_method 1
  3707.  
  3708. #  TAG: wccp2_service
  3709. #   WCCP2 allows for multiple traffic services. There are two
  3710. #   types: "standard" and "dynamic". The standard type defines
  3711. #   one service id - http (id 0). The dynamic service ids can be from
  3712. #   51 to 255 inclusive.  In order to use a dynamic service id
  3713. #   one must define the type of traffic to be redirected; this is done
  3714. #   using the wccp2_service_info option.
  3715. #
  3716. #   The "standard" type does not require a wccp2_service_info option,
  3717. #   just specifying the service id will suffice.
  3718. #
  3719. #   MD5 service authentication can be enabled by adding
  3720. #   "password=<password>" to the end of this service declaration.
  3721. #
  3722. #   Examples:
  3723. #
  3724. #   wccp2_service standard 0    # for the 'web-cache' standard service
  3725. #   wccp2_service dynamic 80    # a dynamic service type which will be
  3726. #                   # fleshed out with subsequent options.
  3727. #   wccp2_service standard 0 password=foo
  3728. #
  3729. #
  3730. #Default:
  3731. # wccp2_service standard 0
  3732.  
  3733. #  TAG: wccp2_service_info
  3734. #   Dynamic WCCPv2 services require further information to define the
  3735. #   traffic you wish to have diverted.
  3736. #
  3737. #   The format is:
  3738. #
  3739. #   wccp2_service_info <id> protocol=<protocol> flags=<flag>,<flag>..
  3740. #       priority=<priority> ports=<port>,<port>..
  3741. #
  3742. #   The relevant WCCPv2 flags:
  3743. #   + src_ip_hash, dst_ip_hash
  3744. #   + source_port_hash, dst_port_hash
  3745. #   + src_ip_alt_hash, dst_ip_alt_hash
  3746. #   + src_port_alt_hash, dst_port_alt_hash
  3747. #   + ports_source
  3748. #
  3749. #   The port list can be one to eight entries.
  3750. #
  3751. #   Example:
  3752. #
  3753. #   wccp2_service_info 80 protocol=tcp flags=src_ip_hash,ports_source
  3754. #       priority=240 ports=80
  3755. #
  3756. #   Note: the service id must have been defined by a previous
  3757. #   'wccp2_service dynamic <id>' entry.
  3758. #
  3759. #Default:
  3760. # none
  3761.  
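A consistency check for the wccp2_service and wccp2_service_info rules stated above (dynamic ids 51 to 255, a prior 'wccp2_service dynamic <id>' line, one to eight ports, the listed flags, optional password=), as an added example that is not part of Squid or of this paste. The function name, the finding codes and the sample configuration, including its router address and password value, are constructed for illustration.

```python
WCCP2_FLAGS = {
    "src_ip_hash", "dst_ip_hash", "source_port_hash", "dst_port_hash",
    "src_ip_alt_hash", "dst_ip_alt_hash", "src_port_alt_hash",
    "dst_port_alt_hash", "ports_source",
}

# Constructed sample; each wccp2_service_info is written on a single line.
SAMPLE_CONF = """\
wccp2_router 192.0.2.1
wccp2_service standard 0 password=example-secret
wccp2_service dynamic 80
wccp2_service_info 80 protocol=tcp flags=src_ip_hash,ports_source priority=240 ports=80
wccp2_service_info 90 protocol=tcp flags=dst_ip_hash priority=240 ports=443
wccp2_service dynamic 40
wccp2_service dynamic 60 password=example-secret
wccp2_service_info 60 protocol=tcp flags=src_ip_hsah priority=240 ports=1,2,3,4,5,6,7,8,9
wccp2_service dynamic 70 password=example-secret
"""


def audit_wccp2(conf_text):
    """Return sorted (line_number, code, detail) findings for wccp2_service* lines."""
    findings = []
    dynamic = {}  # service id -> [declaring line, has a wccp2_service_info]
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        words = raw.split("#", 1)[0].split()  # drop trailing comments
        if len(words) < 2 or words[0] not in ("wccp2_service", "wccp2_service_info"):
            continue
        is_service = words[0] == "wccp2_service"
        id_word = words[2] if is_service and len(words) > 2 else words[1]
        if not id_word.isdigit():
            findings.append((lineno, "bad-id", f"service id {id_word!r} is not a number"))
            continue
        sid = int(id_word)

        if is_service:
            kind = words[1]
            if kind not in ("standard", "dynamic"):
                findings.append((lineno, "bad-type", f"unknown service type {kind!r}"))
                continue
            low, high = (0, 0) if kind == "standard" else (51, 255)
            if not low <= sid <= high:
                findings.append((lineno, "id-range", f"{kind} id {sid} not in {low}..{high}"))
                continue
            if kind == "dynamic":
                dynamic[sid] = [lineno, False]
            if not any(w.startswith("password=") for w in words[3:]):
                findings.append((lineno, "no-password",
                                 f"service {sid}: MD5 service authentication not enabled"))
            continue

        # wccp2_service_info <id> key=value ...
        opts = dict(w.split("=", 1) for w in words[2:] if "=" in w)
        if sid in dynamic:
            dynamic[sid][1] = True
        else:
            findings.append((lineno, "undeclared-id",
                             f"no previous 'wccp2_service dynamic {sid}' entry"))
        for flag in filter(None, opts.get("flags", "").split(",")):
            if flag not in WCCP2_FLAGS:
                findings.append((lineno, "bad-flag", f"unknown flag {flag!r}"))
        ports = [p for p in opts.get("ports", "").split(",") if p]
        if not 1 <= len(ports) <= 8:
            findings.append((lineno, "port-count", f"{len(ports)} ports, need 1 to 8"))

    for sid, (lineno, has_info) in dynamic.items():
        if not has_info:
            findings.append((lineno, "missing-info",
                             f"dynamic service {sid} has no wccp2_service_info"))
    return sorted(findings)


if __name__ == "__main__":
    for lineno, code, detail in audit_wccp2(SAMPLE_CONF):
        print(f"line {lineno}: {code}: {detail}")
```
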
  3762. #  TAG: wccp2_weight
  3763. #   Each cache server gets assigned a set of the destination
  3764. #   hash proportional to its weight.
  3765. #
  3766. #Default:
  3767. # wccp2_weight 10000
  3768.  
  3769. #  TAG: wccp_address
  3770. #  TAG: wccp2_address
  3771. #   Use this option if you require WCCP to use a specific
  3772. #   interface address.
  3773. #
  3774. #   The default behavior is to not bind to any specific address.
  3775. #
  3776. #Default:
  3777. # wccp_address 0.0.0.0
  3778. # wccp2_address 0.0.0.0
  3779.  
  3780.  
  3781. # PERSISTENT CONNECTION HANDLING
  3782. # -----------------------------------------------------------------------------
  3783. #
  3784. # Also see "pconn_timeout" in the TIMEOUTS section
  3785.  
  3786. #  TAG: client_persistent_connections
  3787. #  TAG: server_persistent_connections
  3788. #   Persistent connection support for clients and servers.  By
  3789. #   default, Squid uses persistent connections (when allowed)
  3790. #   with its clients and servers.  You can use these options to
  3791. #   disable persistent connections with clients and/or servers.
  3792. #
  3793. #Default:
  3794. # client_persistent_connections on
  3795. # server_persistent_connections on
  3796.  
  3797. #  TAG: persistent_connection_after_error
  3798. #   With this directive the use of persistent connections after
  3799. #   HTTP errors can be disabled. Useful if you have clients
  3800. #   who fail to handle errors on persistent connections properly.
  3801. #
  3802. #Default:
  3803. # persistent_connection_after_error off
  3804.  
  3805. #  TAG: detect_broken_pconn
  3806. #   Some servers have been found to incorrectly signal the use
  3807. #   of HTTP/1.0 persistent connections even on replies not
  3808. #   compatible, causing significant delays. This server problem
  3809. #   has mostly been seen on redirects.
  3810. #
  3811. #   By enabling this directive Squid attempts to detect such
  3812. #   broken replies and automatically assume the reply is finished
  3813. #   after a 10-second timeout.
  3814. #
  3815. #Default:
  3816. # detect_broken_pconn off
  3817.  
  3818.  
  3819. # CACHE DIGEST OPTIONS
  3820. # -----------------------------------------------------------------------------
  3821.  
  3822. #  TAG: digest_generation
  3823. #   This controls whether the server will generate a Cache Digest
  3824. #   of its contents.
  3825. #
  3826. #Default:
  3827. # digest_generation on
  3828.  
  3829. #  TAG: digest_bits_per_entry
  3830. #   This is the number of bits of the server's Cache Digest which
  3831. #   will be associated with the Digest entry for a given HTTP
  3832. #   Method and URL (public key) combination.  The default is 5.
  3833. #
  3834. #Default:
  3835. # digest_bits_per_entry 5
  3836.  
  3837. #  TAG: digest_rebuild_period   (seconds)
  3838. #   This is the wait time between Cache Digest rebuilds.
  3839. #
  3840. #Default:
  3841. # digest_rebuild_period 1 hour
  3842.  
  3843. #  TAG: digest_rewrite_period   (seconds)
  3844. #   This is the wait time between Cache Digest writes to disk.
  3845. #
  3846. #Default:
  3847. # digest_rewrite_period 1 hour
  3848.  
  3849. #  TAG: digest_swapout_chunk_size   (bytes)
  3850. #   This is the number of bytes of the Cache Digest to write to
  3851. #   disk at a time.  It defaults to 4096 bytes (4KB), the Squid
  3852. #   default swap page.
  3853. #
  3854. #Default:
  3855. # digest_swapout_chunk_size 4096 bytes
  3856.  
  3857. #  TAG: digest_rebuild_chunk_percentage (percent, 0-100)
  3858. #   This is the percentage of the Cache Digest to be scanned at a
  3859. #   time.  By default it is set to 10% of the Cache Digest.
  3860. #
  3861. #Default:
  3862. # digest_rebuild_chunk_percentage 10
  3863.  
  3864.  
  3865. # SNMP OPTIONS
  3866. # -----------------------------------------------------------------------------
  3867.  
  3868. #  TAG: snmp_port
  3869. #   Squid can now serve statistics and status information via SNMP.
  3870. #   By default it listens to port 3401 on the machine. If you don't
  3871. #   wish to use SNMP, set this to "0".
  3872. #
  3873. #   Note: on Debian/Linux, the default is zero - you need to
  3874. #   set it to 3401 to enable it.
  3875. #
  3876. #Default:
  3877. # snmp_port 0
  3878.  
  3879. #  TAG: snmp_access
  3880. #   Allowing or denying access to the SNMP port.
  3881. #
  3882. #   All access to the agent is denied by default.
  3883. #   usage:
  3884. #
  3885. #   snmp_access allow|deny [!]aclname ...
  3886. #
  3887. #Example:
  3888. # snmp_access allow snmppublic localhost
  3889. # snmp_access deny all
  3890. #
  3891. #Default:
  3892. # snmp_access deny all
  3893.  
  3894. #  TAG: snmp_incoming_address
  3895. #  TAG: snmp_outgoing_address
  3896. #   Just like 'udp_incoming_address' above, but for the SNMP port.
  3897. #
  3898. #   snmp_incoming_address   is used for the SNMP socket receiving
  3899. #               messages from SNMP agents.
  3900. #   snmp_outgoing_address   is used for SNMP packets returned to SNMP
  3901. #               agents.
  3902. #
  3903. #   The default snmp_incoming_address (0.0.0.0) is to listen on all
  3904. #   available network interfaces.
  3905. #
  3906. #   If snmp_outgoing_address is set to 255.255.255.255 (the default)
  3907. #   it will use the same socket as snmp_incoming_address. Only
  3908. #   change this if you want to have SNMP replies sent using another
  3909. #   address than where this Squid listens for SNMP queries.
  3910. #
  3911. #   NOTE, snmp_incoming_address and snmp_outgoing_address can not have
  3912. #   the same value since they both use port 3401.
  3913. #
  3914. #Default:
  3915. # snmp_incoming_address 0.0.0.0
  3916. # snmp_outgoing_address 255.255.255.255
  3917.  
  3918.  
  3919. # ICP OPTIONS
  3920. # -----------------------------------------------------------------------------
  3921.  
  3922. #  TAG: icp_port
  3923. #   The port number where Squid sends and receives ICP queries to
  3924. #   and from neighbor caches.  Default is 3130.  To disable use
  3925. #   "0".  May be overridden with -u on the command line.
  3926. #
  3927. #Default:
  3928. # icp_port 3130
  3929.  
  3930. #  TAG: htcp_port
  3931. #   The port number where Squid sends and receives HTCP queries to
  3932. #   and from neighbor caches.  To turn it on, set it to 4827.
  3933. #   By default it is set to "0" (disabled).
  3934. #
  3935. #Default:
  3936. # htcp_port 0
  3937.  
  3938. #  TAG: log_icp_queries on|off
  3939. #   If set, ICP queries are logged to access.log. You may wish
  3940. #   to disable this if your ICP load is VERY high to speed things
  3941. #   up or to simplify log analysis.
  3942. #
  3943. #Default:
  3944. # log_icp_queries on
  3945.  
  3946. #  TAG: udp_incoming_address
  3947. #   udp_incoming_address    is used for UDP packets received from other
  3948. #               caches.
  3949. #
  3950. #   The default behavior is to not bind to any specific address.
  3951. #
  3952. #   Only change this if you want to have all UDP queries received on
  3953. #   a specific interface/address.
  3954. #
  3955. #   NOTE: udp_incoming_address is used by the ICP, HTCP, and DNS
  3956. #   modules. Altering it will affect all of them in the same manner.
  3957. #
  3958. #   See also: udp_outgoing_address
  3959. #
  3960. #   NOTE, udp_incoming_address and udp_outgoing_address can not
  3961. #   have the same value since they both use the same port.
  3962. #
  3963. #Default:
  3964. # udp_incoming_address 0.0.0.0
  3965.  
  3966. #  TAG: udp_outgoing_address
  3967. #   udp_outgoing_address    is used for UDP packets sent out to other
  3968. #               caches.
  3969. #
  3970. #   The default behavior is to not bind to any specific address.
  3971. #
  3972. #   Instead it will use the same socket as udp_incoming_address.
  3973. #   Only change this if you want to have UDP queries sent using another
  3974. #   address than where this Squid listens for UDP queries from other
  3975. #   caches.
  3976. #
  3977. #   NOTE: udp_outgoing_address is used by the ICP, HTCP, and DNS
  3978. #   modules. Altering it will affect all of them in the same manner.
  3979. #
  3980. #   See also: udp_incoming_address
  3981. #
  3982. #   NOTE, udp_incoming_address and udp_outgoing_address can not
  3983. #   have the same value since they both use the same port.
  3984. #
  3985. #Default:
  3986. # udp_outgoing_address 255.255.255.255
  3987.  
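Which UDP services a configuration turns on, and on which address, follows from the snmp_port, icp_port, htcp_port, udp_incoming_address and snmp_incoming_address entries above. The sketch below is an added example (not part of Squid or of this paste) that resolves those directives against the defaults printed in this file and reports the result. The function names, note texts and sample configuration are constructed, and ACL definitions are not evaluated, only the snmp_access lines themselves.

```python
# Defaults copied from the "Default:" lines of this file.
DEFAULTS = {
    "icp_port": "3130",
    "htcp_port": "0",
    "snmp_port": "0",
    "udp_incoming_address": "0.0.0.0",
    "snmp_incoming_address": "0.0.0.0",
}

# service -> (port directive, address directive). Per the text above,
# udp_incoming_address is shared by ICP and HTCP; SNMP has its own.
SERVICES = {
    "icp": ("icp_port", "udp_incoming_address"),
    "htcp": ("htcp_port", "udp_incoming_address"),
    "snmp": ("snmp_port", "snmp_incoming_address"),
}

# Constructed sample configuration.
SAMPLE_CONF = """\
snmp_port 3401
snmp_access allow snmppublic localhost
snmp_access deny all
htcp_port 4827                    # HTCP switched on
udp_incoming_address 192.0.2.10
"""


def effective_settings(conf_text):
    """Apply the config over the defaults; the last occurrence of a directive wins."""
    settings = dict(DEFAULTS)
    snmp_access = []  # each rule as a word list, e.g. ["allow", "snmppublic", "localhost"]
    for raw in conf_text.splitlines():
        words = raw.split("#", 1)[0].split()
        if len(words) < 2:
            continue
        name, args = words[0], words[1:]
        if name in DEFAULTS:
            settings[name] = args[0]
        elif name == "snmp_access":
            snmp_access.append(args)
    return settings, snmp_access


def udp_exposure(conf_text):
    """Return [(service, address, port, notes)] for every enabled UDP service."""
    settings, snmp_access = effective_settings(conf_text)
    report = []
    for service, (port_key, addr_key) in SERVICES.items():
        port = int(settings[port_key])
        if port == 0:  # "0" disables the service
            continue
        address = settings[addr_key]
        notes = []
        if address == "0.0.0.0":
            notes.append("no specific bind address")
        if service == "snmp":
            allows = [rule for rule in snmp_access if rule[0] == "allow"]
            if not allows:
                notes.append("no snmp_access allow rule: default denies every query")
            elif any(rule[1:] == ["all"] for rule in allows):
                notes.append("snmp_access allow all")
        report.append((service, address, port, notes))
    return report


if __name__ == "__main__":
    for service, address, port, notes in udp_exposure(SAMPLE_CONF):
        print(f"{service:5} udp/{port} on {address} {'; '.join(notes)}")
```
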
  3988. #  TAG: icp_hit_stale   on|off
  3989. #   If you want to return ICP_HIT for stale cache objects, set this
  3990. #   option to 'on'.  If you have sibling relationships with caches
  3991. #   in other administrative domains, this should be 'off'.  If you only
  3992. #   have sibling relationships with caches under your control,
  3993. #   it is probably okay to set this to 'on'.
  3994. #   If set to 'on', your siblings should use the option "allow-miss"
  3995. #   on their cache_peer lines for connecting to you.
  3996. #
  3997. #Default:
  3998. # icp_hit_stale off
  3999.  
  4000. #  TAG: minimum_direct_hops
  4001. #   If using the ICMP pinging stuff, do direct fetches for sites
  4002. #   which are no more than this many hops away.
  4003. #
  4004. #Default:
  4005. # minimum_direct_hops 4
  4006.  
  4007. #  TAG: minimum_direct_rtt
  4008. #   If using the ICMP pinging stuff, do direct fetches for sites
  4009. #   which are no more than this many rtt milliseconds away.
  4010. #
  4011. #Default:
  4012. # minimum_direct_rtt 400
  4013.  
  4014. #  TAG: netdb_low
  4015. #  TAG: netdb_high
  4016. #   The low and high water marks for the ICMP measurement
  4017. #   database.  These are counts, not percents.  The defaults are
  4018. #   900 and 1000.  When the high water mark is reached, database
  4019. #   entries will be deleted until the low mark is reached.
  4020. #
  4021. #Default:
  4022. # netdb_low 900
  4023. # netdb_high 1000
  4024.  
  4025. #  TAG: netdb_ping_period
  4026. #   The minimum period for measuring a site.  There will be at
  4027. #   least this much delay between successive pings to the same
  4028. #   network.  The default is five minutes.
  4029. #
  4030. #Default:
  4031. # netdb_ping_period 5 minutes
  4032.  
  4033. #  TAG: query_icmp  on|off
  4034. #   If you want to ask your peers to include ICMP data in their ICP
  4035. #   replies, enable this option.
  4036. #
  4037. #   If your peer has configured Squid (during compilation) with
  4038. #   '--enable-icmp' that peer will send ICMP pings to origin server
  4039. #   sites of the URLs it receives.  If you enable this option the
  4040. #   ICP replies from that peer will include the ICMP data (if available).
  4041. #   Then, when choosing a parent cache, Squid will choose the parent with
  4042. #   the minimal RTT to the origin server.  When this happens, the
  4043. #   hierarchy field of the access.log will be
  4044. #   "CLOSEST_PARENT_MISS".  This option is off by default.
  4045. #
  4046. #Default:
  4047. # query_icmp off
  4048.  
  4049. #  TAG: test_reachability   on|off
  4050. #   When this is 'on', ICP MISS replies will be ICP_MISS_NOFETCH
  4051. #   instead of ICP_MISS if the target host is NOT in the ICMP
  4052. #   database, or has a zero RTT.
  4053. #
  4054. #Default:
  4055. # test_reachability off
  4056.  
  4057. #  TAG: icp_query_timeout   (msec)
  4058. #   Normally Squid will automatically determine an optimal ICP
  4059. #   query timeout value based on the round-trip-time of recent ICP
  4060. #   queries.  If you want to override the value determined by
  4061. #   Squid, set this 'icp_query_timeout' to a non-zero value.  This
  4062. #   value is specified in MILLISECONDS, so, to use a 2-second
  4063. #   timeout (the old default), you would write:
  4064. #
  4065. #       icp_query_timeout 2000
  4066. #
  4067. #Default:
  4068. # icp_query_timeout 0
  4069.  
  4070. #  TAG: maximum_icp_query_timeout   (msec)
  4071. #   Normally the ICP query timeout is determined dynamically.  But
  4072. #   sometimes it can lead to very large values (say 5 seconds).
  4073. #   Use this option to put an upper limit on the dynamic timeout
  4074. #   value.  Do NOT use this option to always use a fixed (instead
  4075. #   of a dynamic) timeout value. To set a fixed timeout see the
  4076. #   'icp_query_timeout' directive.
  4077. #
  4078. #Default:
  4079. # maximum_icp_query_timeout 2000
  4080.  
  4081. #  TAG: minimum_icp_query_timeout   (msec)
  4082. #   Normally the ICP query timeout is determined dynamically.  But
  4083. #   sometimes it can lead to very small timeouts, even lower than
  4084. #   the normal latency variance on your link due to traffic.
  4085. #   Use this option to put a lower limit on the dynamic timeout
  4086. #   value.  Do NOT use this option to always use a fixed (instead
  4087. #   of a dynamic) timeout value. To set a fixed timeout see the
  4088. #   'icp_query_timeout' directive.
  4089. #
  4090. #Default:
  4091. # minimum_icp_query_timeout 5
  4092.  
  4093.  
  4094. # MULTICAST ICP OPTIONS
  4095. # -----------------------------------------------------------------------------
  4096.  
  4097. #  TAG: mcast_groups
  4098. #   This tag specifies a list of multicast groups which your server
  4099. #   should join to receive multicasted ICP queries.
  4100. #
  4101. #   NOTE!  Be very careful what you put here!  Be sure you
  4102. #   understand the difference between an ICP _query_ and an ICP
  4103. #   _reply_.  This option is to be set only if you want to RECEIVE
  4104. #   multicast queries.  Do NOT set this option to SEND multicast
  4105. #   ICP (use cache_peer for that).  ICP replies are always sent via
  4106. #   unicast, so this option does not affect whether or not you will
  4107. #   receive replies from multicast group members.
  4108. #
  4109. #   You must be very careful to NOT use a multicast address which
  4110. #   is already in use by another group of caches.
  4111. #
  4112. #   If you are unsure about multicast, please read the Multicast
  4113. #   chapter in the Squid FAQ (http://www.squid-cache.org/FAQ/).
  4114. #
  4115. #   Usage: mcast_groups 239.128.16.128 224.0.1.20
  4116. #
  4117. #   By default, Squid doesn't listen on any multicast groups.
  4118. #
  4119. #Default:
  4120. # none
  4121.  
  4122. #  TAG: mcast_miss_addr
  4123. # Note: This option is only available if Squid is rebuilt with the
  4124. #       --enable-multicast-miss option
  4125. #
  4126. #   If you enable this option, every "cache miss" URL will
  4127. #   be sent out on the specified multicast address.
  4128. #
  4129. #   Do not enable this option unless you are absolutely
  4130. #   certain you understand what you are doing.
  4131. #
  4132. #Default:
  4133. # mcast_miss_addr 255.255.255.255
  4134.  
  4135. #  TAG: mcast_miss_ttl
  4136. # Note: This option is only available if Squid is rebuilt with the
  4137. #       --enable-multicast-miss option
  4138. #
  4139. #   This is the time-to-live value for packets multicasted
  4140. #   when multicasting off cache miss URLs is enabled.  By
  4141. #   default this is set to 'site scope', i.e. 16.
  4142. #
  4143. #Default:
  4144. # mcast_miss_ttl 16
  4145.  
  4146. #  TAG: mcast_miss_port
  4147. # Note: This option is only available if Squid is rebuilt with the
  4148. #       --enable-multicast-miss option
  4149. #
  4150. #   This is the port number to be used in conjunction with
  4151. #   'mcast_miss_addr'.
  4152. #
  4153. #Default:
  4154. # mcast_miss_port 3135
  4155.  
  4156. #  TAG: mcast_miss_encode_key
  4157. # Note: This option is only available if Squid is rebuilt with the
  4158. #       --enable-multicast-miss option
  4159. #
  4160. #   The URLs that are sent in the multicast miss stream are
  4161. #   encrypted.  This is the encryption key.
  4162. #
  4163. #Default:
  4164. # mcast_miss_encode_key XXXXXXXXXXXXXXXX
  4165.  
  4166. #  TAG: mcast_icp_query_timeout (msec)
  4167. #   For multicast peers, Squid regularly sends out ICP "probes" to
  4168. #   count how many other peers are listening on the given multicast
  4169. #   address.  This value specifies how long Squid should wait to
  4170. #   count all the replies.  The default is 2000 msec, or 2
  4171. #   seconds.
  4172. #
  4173. #Default:
  4174. # mcast_icp_query_timeout 2000
  4175.  
  4176.  
  4177. # INTERNAL ICON OPTIONS
  4178. # -----------------------------------------------------------------------------
  4179.  
  4180. #  TAG: icon_directory
  4181. #   Where the icons are stored. These are normally kept in
  4182. #   /usr/share/squid/icons
  4183. #
  4184. #Default:
  4185. # icon_directory /usr/share/squid/icons
  4186.  
  4187. #  TAG: global_internal_static
  4188. #   This directive controls whether Squid should intercept all requests for
  4189. #   /squid-internal-static/ no matter which host the URL is requesting
  4190. #   (default on setting), or if nothing special should be done for
  4191. #   such URLs (off setting). The purpose of this directive is to make
  4192. #   icons etc work better in complex cache hierarchies where it may
  4193. #   not always be possible for all corners in the cache mesh to reach
  4194. #   the server generating a directory listing.
  4195. #
  4196. #Default:
  4197. # global_internal_static on
  4198.  
  4199. #  TAG: short_icon_urls
  4200. #   If this is enabled Squid will use short URLs for icons.
  4201. #
  4202. #   If off the URLs for icons will always be absolute URLs
  4203. #   including the proxy name and port.
  4204. #
  4205. #Default:
  4206. # short_icon_urls off
  4207.  
  4208.  
  4209. # ERROR PAGE OPTIONS
  4210. # -----------------------------------------------------------------------------
  4211.  
  4212. #  TAG: error_directory
  4213. #   If you wish to create your own versions of the default
  4214. #   (English) error files, either to customize them to suit your
  4215. #   language or company, copy the template English files to another
  4216. #   directory and point this tag at them.
  4217. #
  4218. #   The squid developers are interested in making squid available in
  4219. #   a wide variety of languages. If you are making translations for a
  4220. #   language that Squid does not currently provide, please consider
  4221. #   contributing your translation back to the project.
  4222. #
  4223. #Default:
  4224. # error_directory /usr/share/squid/errors/en
  4225.  
  4226. #  TAG: error_map
  4227. #   Map errors to custom messages
  4228. #
  4229. #       error_map message_url http_status ...
  4230. #
  4231. #   http_status ... is a list of HTTP status codes or Squid error
  4232. #   messages.
  4233. #
  4234. #   Use in accelerators to substitute the error messages returned
  4235. #   by servers with other custom errors.
  4236. #
  4237. #       error_map http://your.server/error/404.shtml 404
  4238. #
  4239. #   A request for an error message is a GET request for the configured
  4240. #   URL with the following special headers:
  4241. #
  4242. #       X-Error-Status: The received HTTP status code (i.e. 404)
  4243. #       X-Request-URI:  The requested URI where the error occurred
  4244. #
  4245. #   In addition the following headers are forwarded from the client
  4246. #   request:
  4247. #
  4248. #       User-Agent, Cookie, X-Forwarded-For, Via, Authorization,
  4249. #       Accept, Referer
  4250. #
  4251. #   And the following headers from the server reply:
  4252. #
  4253. #       Server, Via, Location, Content-Location
  4254. #
  4255. #   The reply returned to the client will carry the original HTTP
  4256. #   headers from the real error message, but with the reply body
  4257. #   of the configured error message.
  4258. #
  4259. #
  4260. #Default:
  4261. # none
  4262.  
  4263. #  TAG: err_html_text
  4264. #   HTML text to include in error messages.  Make this a "mailto"
  4265. #   URL to your admin address, or maybe just a link to your
  4266. #   organization's Web page.
  4267. #
  4268. #   To include this in your error messages, you must rewrite
  4269. #   the error template files (found in the "errors" directory).
  4270. #   Wherever you want the 'err_html_text' line to appear,
  4271. #   insert a %L tag in the error template file.
  4272. #
  4273. #Default:
  4274. # none
  4275.  
  4276. #  TAG: deny_info
  4277. #   Usage:   deny_info err_page_name acl
  4278. #   or       deny_info http://... acl
  4279. #   Example: deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys
  4280. #
  4281. #   This can be used to return an ERR_ page for requests which
  4282. #   do not pass the 'http_access' rules.  Squid remembers the last
  4283. #   acl it evaluated in http_access, and if a 'deny_info' line exists
  4284. #   for that ACL Squid returns a corresponding error page.
  4285. #
  4286. #   The acl is typically the last acl on the http_access deny line which
  4287. #   denied access. The exceptions to this rule are:
  4288. #   - When Squid needs to request authentication credentials. It's then
  4289. #     the first authentication related acl encountered
  4290. #   - When none of the http_access lines matches. It's then the last
  4291. #     acl processed on the last http_access line.
  4292. #
  4293. #   You may use ERR_ pages that come with Squid or create your own pages
  4294. #   and put them into the configured errors/ directory.
  4295. #
  4296. #   Alternatively you can specify an error URL. The browsers will
  4297. #   get redirected (302) to the specified URL. %s in the redirection
  4298. #   URL will be replaced by the requested URL.
  4299. #
  4300. #   Alternatively you can tell Squid to reset the TCP connection
  4301. #   by specifying TCP_RESET.
  4302. #
  4303. #Default:
  4304. # none
  4305.  
  4306.  
  4307. # OPTIONS INFLUENCING REQUEST FORWARDING
  4308. # -----------------------------------------------------------------------------
  4309.  
  4310. #  TAG: nonhierarchical_direct
  4311. #   By default, Squid will send any non-hierarchical requests
  4312. #   (matching hierarchy_stoplist or not cacheable request type) direct
  4313. #   to origin servers.
  4314. #
  4315. #   If you set this to off, Squid will prefer to send these
  4316. #   requests to parents.
  4317. #
  4318. #   Note that in most configurations, by turning this off you will only
  4319. #   add latency to these requests without any improvement in global hit
  4320. #   ratio.
  4321. #
  4322. #   If you are inside a firewall, see never_direct instead of
  4323. #   this directive.
  4324. #
  4325. #Default:
  4326. # nonhierarchical_direct on
  4327.  
  4328. #  TAG: prefer_direct
  4329. #   Normally Squid tries to use parents for most requests. If for some
  4330. #   reason you would like it to first try going direct and only use a
  4331. #   parent if going direct fails, set this to on.
  4332. #
  4333. #   By combining nonhierarchical_direct off and prefer_direct on you
  4334. #   can set up Squid to use a parent as a backup path if going direct
  4335. #   fails.
  4336. #
  4337. #   Note: If you want Squid to use parents for all requests see
  4338. #   the never_direct directive. prefer_direct only modifies how Squid
  4339. #   acts on cacheable requests.
  4340. #
  4341. #Default:
  4342. # prefer_direct off
  4343.  
  4344. #  TAG: ignore_ims_on_miss  on|off
  4345. #   This option makes Squid ignore If-Modified-Since on
  4346. #   cache misses. This is useful while the cache is
  4347. #   mostly empty to more quickly have the cache populated.
  4348. #
  4349. #Default:
  4350. # ignore_ims_on_miss off
  4351.  
  4352. #  TAG: always_direct
  4353. #   Usage: always_direct allow|deny [!]aclname ...
  4354. #
  4355. #   Here you can use ACL elements to specify requests which should
  4356. #   ALWAYS be forwarded by Squid to the origin servers without using
  4357. #   any peers.  For example, to always directly forward requests for
  4358. #   local servers, ignoring any parents or siblings you may have, use
  4359. #   something like:
  4360. #
  4361. #       acl local-servers dstdomain my.domain.net
  4362. #       always_direct allow local-servers
  4363. #
  4364. #   To always forward FTP requests directly, use
  4365. #
  4366. #       acl FTP proto FTP
  4367. #       always_direct allow FTP
  4368. #
  4369. #   NOTE: There is a similar, but opposite option named
  4370. #   'never_direct'.  You need to be aware that "always_direct deny
  4371. #   foo" is NOT the same thing as "never_direct allow foo".  You
  4372. #   may need to use a deny rule to exclude a more-specific case of
  4373. #   some other rule.  Example:
  4374. #
  4375. #       acl local-external dstdomain external.foo.net
  4376. #       acl local-servers dstdomain  .foo.net
  4377. #       always_direct deny local-external
  4378. #       always_direct allow local-servers
  4379. #
  4380. #   NOTE: If your goal is to make the client forward the request
  4381. #   directly to the origin server bypassing Squid then this needs
  4382. #   to be done in the client configuration. Squid configuration
  4383. #   can only tell Squid how Squid should fetch the object.
  4384. #
  4385. #   NOTE: This directive is not related to caching. The replies
  4386. #   are cached as usual even if you use always_direct. To not cache
  4387. #   the replies see no_cache.
  4388. #
  4389. #   This option replaces some v1.1 options such as local_domain
  4390. #   and local_ip.
  4391. #
  4392. #Default:
  4393. # none
  4394.  
  4395. #  TAG: never_direct
  4396. #   Usage: never_direct allow|deny [!]aclname ...
  4397. #
  4398. #   never_direct is the opposite of always_direct.  Please read
  4399. #   the description for always_direct if you have not already.
  4400. #
  4401. #   With 'never_direct' you can use ACL elements to specify
  4402. #   requests which should NEVER be forwarded directly to origin
  4403. #   servers.  For example, to force the use of a proxy for all
  4404. #   requests except those in your local domain, use something like:
  4405. #
  4406. #       acl local-servers dstdomain .foo.net
  4407. #       acl all src 0.0.0.0/0.0.0.0
  4408. #       never_direct deny local-servers
  4409. #       never_direct allow all
  4410. #
  4411. #   or if Squid is inside a firewall and there are local intranet
  4412. #   servers inside the firewall use something like:
  4413. #
  4414. #       acl local-intranet dstdomain .foo.net
  4415. #       acl local-external dstdomain external.foo.net
  4416. #       always_direct deny local-external
  4417. #       always_direct allow local-intranet
  4418. #       never_direct allow all
  4419. #
  4420. #   This option replaces some v1.1 options such as inside_firewall
  4421. #   and firewall_ip.
  4422. #
  4423. #Default:
  4424. # none
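
Added example (not part of the original squid.conf): a small Python model of how the always_direct and never_direct lists described above combine, run on the firewall configuration from the never_direct text. It assumes Squid's usual access-list evaluation (the first matching line decides; if no line matches, the result is the opposite of the last line) and returns "either" where Squid would go on to choose using prefer_direct and peer availability. The function names and the explicit `all` ACL line are this example's own.

```python
import ipaddress

# Constructed input: the firewall example from the never_direct description,
# plus the "all" ACL it relies on.
FIREWALL = """
acl all src 0.0.0.0/0.0.0.0
acl local-intranet dstdomain .foo.net
acl local-external dstdomain external.foo.net
always_direct deny local-external
always_direct allow local-intranet
never_direct allow all
"""

def dstdomain_match(pattern, host):
    # ".foo.net" matches foo.net and its subdomains; a pattern without the
    # leading dot matches that exact host only.
    pattern, host = pattern.lower(), host.lower().rstrip(".")
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern

def parse(conf):
    """Collect acl definitions and the two rule lists from config text."""
    acls, rules = {}, {"always_direct": [], "never_direct": []}
    for raw in conf.splitlines():
        tok = raw.split("#", 1)[0].split()
        if len(tok) >= 4 and tok[0] == "acl":
            _, values = acls.setdefault(tok[1], (tok[2], []))
            values.extend(tok[3:])
        elif len(tok) >= 3 and tok[0] in rules:
            if tok[1] not in ("allow", "deny"):
                raise ValueError(f"bad action: {tok[1]}")
            rules[tok[0]].append((tok[1] == "allow", tok[2:]))
    return acls, rules

def acl_match(acls, name, req):
    kind, values = acls[name]          # KeyError means an undefined ACL name
    if kind == "dstdomain":
        return any(dstdomain_match(v, req["host"]) for v in values)
    if kind == "proto":
        return req["proto"].upper() in (v.upper() for v in values)
    if kind == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    raise ValueError(f"ACL type not modelled here: {kind}")

def check(rule_list, acls, req):
    """True = allow, False = deny, None = the directive is not configured."""
    if not rule_list:
        return None
    for allow, names in rule_list:
        # Every ACL on the line must match ("!" negates a single ACL).
        if all(acl_match(acls, n.lstrip("!"), req) != n.startswith("!")
               for n in names):
            return allow
    return not rule_list[-1][0]        # assumed default: opposite of last line

def route(conf, req):
    acls, rules = parse(conf)
    if check(rules["always_direct"], acls, req) is True:
        return "direct"                # origin server only, peers ignored
    if check(rules["never_direct"], acls, req) is True:
        return "peer"                  # must go through a parent or sibling
    return "either"                    # neither list forces a path

def request(host):
    return {"host": host, "proto": "HTTP", "src": "10.1.2.3"}

if __name__ == "__main__":
    for h in ("www.foo.net", "external.foo.net", "example.com"):
        print(h, "->", route(FIREWALL, request(h)))
```

The deny line only stops external.foo.net from matching the broader always_direct allow; it is the separate never_direct line that forces the request to a peer.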
  4425.  
  4426.  
  4427. # ADVANCED NETWORKING OPTIONS
  4428. # -----------------------------------------------------------------------------
  4429.  
  4430. #  TAG: max_filedescriptors
  4431. #   The maximum number of filedescriptors supported.
  4432. #
  4433. #   The default "0" means Squid inherits the current ulimit setting.
  4434. #
  4435. #   Note: Changing this requires a restart of Squid. Also
  4436. #   not all comm loops support values larger than --with-maxfd.
  4437. #
  4438. #Default:
  4439. # max_filedescriptors 0
  4440.  
  4441. #  TAG: accept_filter
  4442. #   FreeBSD:
  4443. #
  4444. #   The name of an accept(2) filter to install on Squid's
  4445. #   listen socket(s).  This feature is perhaps specific to
  4446. #   FreeBSD and requires support in the kernel.
  4447. #
  4448. #   The 'httpready' filter delays delivering new connections
  4449. #   to Squid until a full HTTP request has been received.
  4450. #   See the accf_http(9) man page for details.
  4451. #
  4452. #   The 'dataready' filter delays delivering new connections
  4453. #   to Squid until there is some data to process.
  4454. #   See the accf_dataready(9) man page for details.
  4455. #
  4456. #   Linux:
  4457. #  
  4458. #   The 'data' filter delays delivering of new connections
  4459. #   to Squid until there is some data to process by TCP_ACCEPT_DEFER.
  4460. #   You may optionally specify a number of seconds to wait by
  4461. #   'data=N' where N is the number of seconds. Defaults to 30
  4462. #   if not specified.  See the tcp(7) man page for details.
  4463. #EXAMPLE:
  4464. ## FreeBSD
  4465. #accept_filter httpready
  4466. ## Linux
  4467. #accept_filter data
  4468. #
  4469. #Default:
  4470. # none
  4471.  
  4472. #  TAG: tcp_recv_bufsize    (bytes)
  4473. #   Size of receive buffer to set for TCP sockets.  Probably just
  4474. #   as easy to change your kernel's default.  Set to zero to use
  4475. #   the default buffer size.
  4476. #
  4477. #Default:
  4478. # tcp_recv_bufsize 0 bytes
  4479.  
  4480. #  TAG: incoming_rate
  4481. #   This directive controls how aggressively Squid should accept new
  4482. #   connections compared to processing existing connections.
  4483. #   The lower the number, the more frequently Squid will look for new
  4484. #   incoming requests.
  4485. #
  4486. #Default:
  4487. # incoming_rate 30
  4488.  
  4489.  
  4490. # DNS OPTIONS
  4491. # -----------------------------------------------------------------------------
  4492.  
  4493. #  TAG: check_hostnames
  4494. #   For security and stability reasons Squid by default checks
  4495. #   hostnames for Internet standard RFC compliance. If you do not want
  4496. #   Squid to perform these checks then turn this directive off.
  4497. #
  4498. #Default:
  4499. # check_hostnames on
  4500.  
  4501. #  TAG: allow_underscore
  4502. #   Underscore characters are not strictly allowed in Internet hostnames
  4503. #   but are nevertheless used by many sites. Set this to off if you want
  4504. #   Squid to be strict about the standard.
  4505. #   This check is performed only when check_hostnames is set to on.
  4506. #
  4507. #Default:
  4508. # allow_underscore on
  4509.  
  4510. #  TAG: cache_dns_program
  4511. # Note: This option is only available if Squid is rebuilt with the
  4512. #       --disable-internal-dns option
  4513. #
  4514. #   Specify the location of the executable for dnslookup process.
  4515. #
  4516. #Default:
  4517. # cache_dns_program /usr/lib/squid/dnsserver
  4518.  
  4519. #  TAG: dns_children
  4520. # Note: This option is only available if Squid is rebuilt with the
  4521. #       --disable-internal-dns option
  4522. #
  4523. #   The number of processes spawned to service DNS name lookups.
  4524. #   For heavily loaded caches on large servers, you should
  4525. #   probably increase this value to at least 10.  The maximum
  4526. #   is 32.  The default is 5.
  4527. #
  4528. #   You must have at least one dnsserver process.
  4529. #
  4530. #Default:
  4531. # dns_children 5
  4532.  
  4533. #  TAG: dns_retransmit_interval
  4534. #   Initial retransmit interval for DNS queries. The interval is
  4535. #   doubled each time all configured DNS servers have been tried.
  4536. #
  4537. #
  4538. #Default:
  4539. # dns_retransmit_interval 5 seconds
  4540.  
  4541. #  TAG: dns_timeout
  4542. #   DNS Query timeout. If no response is received to a DNS query
  4543. #   within this time all DNS servers for the queried domain
  4544. #   are assumed to be unavailable.
  4545. #
  4546. #Default:
  4547. # dns_timeout 2 minutes
  4548.  
  4549. #  TAG: dns_defnames    on|off
  4550. #   Normally the RES_DEFNAMES resolver option is disabled
  4551. #   (see res_init(3)).  This prevents caches in a hierarchy
  4552. #   from interpreting single-component hostnames locally.  To allow
  4553. #   Squid to handle single-component names, enable this option.
  4554. #
  4555. #Default:
  4556. # dns_defnames off
  4557.  
  4558. #  TAG: dns_nameservers
  4559. #   Use this if you want to specify a list of DNS name servers
  4560. #   (IP addresses) to use instead of those given in your
  4561. #   /etc/resolv.conf file.
  4562. #   On Windows platforms, if no value is specified here or in
  4563. #   the /etc/resolv.conf file, the list of DNS name servers is
  4564. #   taken from the Windows registry; both static and dynamic DHCP
  4565. #   configurations are supported.
  4566. #
  4567. #   Example: dns_nameservers 10.0.0.1 192.172.0.4
  4568. #
  4569. #Default:
  4570. # none
  4571.  
  4572. #  TAG: hosts_file
  4573. #   Location of the host-local IP name-address associations
  4574. #   database. Most operating systems have such a file in different
  4575. #   default locations:
  4576. #   - Un*X & Linux:    /etc/hosts
  4577. #   - Windows NT/2000: %SystemRoot%\system32\drivers\etc\hosts
  4578. #              (%SystemRoot% value install default is c:\winnt)
  4579. #   - Windows XP/2003: %SystemRoot%\system32\drivers\etc\hosts
  4580. #              (%SystemRoot% value install default is c:\windows)
  4581. #   - Windows 9x/Me:   %windir%\hosts
  4582. #              (%windir% value is usually c:\windows)
  4583. #   - Cygwin:          /etc/hosts
  4584. #
  4585. #   The file contains newline-separated definitions, in the
  4586. #   form ip_address_in_dotted_form name [name ...]; names are
  4587. #   whitespace-separated. Lines beginning with a hash (#)
  4588. #   character are comments.
  4589. #
  4590. #   The file is checked at startup and upon configuration.
  4591. #   If set to 'none', it won't be checked.
  4592. #   If append_domain is used, that domain will be added to
  4593. #   domain-local (i.e. not containing any dot character) host
  4594. #   definitions.
  4595. #
  4596. #Default:
  4597. # hosts_file /etc/hosts
  4598. #
  4599. hosts_file /etc/hosts
  4600.  
  4601. #  TAG: dns_testnames
  4602. #   The DNS tests exit as soon as the first site is successfully looked up
  4603. #
  4604. #   This test can be disabled with the -D command line option.
  4605. #
  4606. #Default:
  4607. # dns_testnames netscape.com internic.net nlanr.net microsoft.com
  4608.  
  4609. #  TAG: append_domain
  4610. #   Appends local domain name to hostnames without any dots in
  4611. #   them.  append_domain must begin with a period.
  4612. #
  4613. #   Be warned there are now Internet names with no dots in
  4614. #   them using only top-domain names, so setting this may
  4615. #   cause some Internet sites to become unavailable.
  4616. #
  4617. #Example:
  4618. # append_domain .yourdomain.com
  4619. #
  4620. #Default:
  4621. # none
  4622.  
  4623. #  TAG: ignore_unknown_nameservers
  4624. #   By default Squid checks that DNS responses are received
  4625. #   from the same IP addresses they are sent to.  If they
  4626. #   don't match, Squid ignores the response and writes a warning
  4627. #   message to cache.log.  You can allow responses from unknown
  4628. #   nameservers by setting this option to 'off'.
  4629. #
  4630. #Default:
  4631. # ignore_unknown_nameservers on
  4632.  
  4633. #  TAG: ipcache_size    (number of entries)
  4634. #  TAG: ipcache_low (percent)
  4635. #  TAG: ipcache_high    (percent)
  4636. #   The size, low-, and high-water marks for the IP cache.
  4637. #
  4638. #Default:
  4639. # ipcache_size 1024
  4640. # ipcache_low 90
  4641. # ipcache_high 95
  4642.  
  4643. #  TAG: fqdncache_size  (number of entries)
  4644. #   Maximum number of FQDN cache entries.
  4645. #
  4646. #Default:
  4647. # fqdncache_size 1024
  4648.  
  4649.  
  4650. # MISCELLANEOUS
  4651. # -----------------------------------------------------------------------------
  4652.  
  4653. #  TAG: memory_pools    on|off
  4654. #   If set, Squid will keep pools of allocated (but unused) memory
  4655. #   available for future use.  If memory is at a premium on your
  4656. #   system and you believe your malloc library outperforms Squid
  4657. #   routines, disable this.
  4658. #
  4659. #Default:
  4660. # memory_pools on
  4661.  
  4662. #  TAG: memory_pools_limit  (bytes)
  4663. #   Used only with memory_pools on:
  4664. #   memory_pools_limit 50 MB
  4665. #
  4666. #   If set to a non-zero value, Squid will keep at most the specified
  4667. #   limit of allocated (but unused) memory in memory pools. All free()
  4668. #   requests that exceed this limit will be handled by your malloc
  4669. #   library. Squid does not pre-allocate any memory, just safe-keeps
  4670. #   objects that otherwise would be free()d. Thus, it is safe to set
  4671. #   memory_pools_limit to a reasonably high value even if your
  4672. #   configuration will use less memory.
  4673. #
  4674. #   If set to zero, Squid will keep all memory it can. That is, there
  4675. #   will be no limit on the total amount of memory used for safe-keeping.
  4676. #
  4677. #   To disable memory allocation optimization, do not set
  4678. #   memory_pools_limit to 0. Set memory_pools to "off" instead.
  4679. #
  4680. #   An overhead for maintaining memory pools is not taken into account
  4681. #   when the limit is checked. This overhead is close to four bytes per
  4682. #   object kept. However, pools may actually _save_ memory because of
  4683. #   reduced memory thrashing in your malloc library.
  4684. #
  4685. #Default:
  4686. # memory_pools_limit 5 MB
  4687.  
  4688. #  TAG: forwarded_for   on|off
  4689. #   If set, Squid will include your system's IP address or name
  4690. #   in the HTTP requests it forwards.  By default it looks like
  4691. #   this:
  4692. #
  4693. #       X-Forwarded-For: 192.1.2.3
  4694. #
  4695. #   If you disable this, it will appear as
  4696. #
  4697. #       X-Forwarded-For: unknown
  4698. #
  4699. #Default:
  4700. # forwarded_for on
  4701.  
  4702. #  TAG: cachemgr_passwd
  4703. #   Specify passwords for cachemgr operations.
  4704. #
  4705. #   Usage: cachemgr_passwd password action action ...
  4706. #
  4707. #   Some valid actions are (see cache manager menu for a full list):
  4708. #       5min
  4709. #       60min
  4710. #       asndb
  4711. #       authenticator
  4712. #       cbdata
  4713. #       client_list
  4714. #       comm_incoming
  4715. #       config *
  4716. #       counters
  4717. #       delay
  4718. #       digest_stats
  4719. #       dns
  4720. #       events
  4721. #       filedescriptors
  4722. #       fqdncache
  4723. #       histograms
  4724. #       http_headers
  4725. #       info
  4726. #       io
  4727. #       ipcache
  4728. #       mem
  4729. #       menu
  4730. #       netdb
  4731. #       non_peers
  4732. #       objects
  4733. #       offline_toggle *
  4734. #       pconn
  4735. #       peer_select
  4736. #       reconfigure *
  4737. #       redirector
  4738. #       refresh
  4739. #       server_list
  4740. #       shutdown *
  4741. #       store_digest
  4742. #       storedir
  4743. #       utilization
  4744. #       via_headers
  4745. #       vm_objects
  4746. #
  4747. #   * Indicates actions which will not be performed without a
  4748. #     valid password, others can be performed if not listed here.
  4749. #
  4750. #   To disable an action, set the password to "disable".
  4751. #   To allow performing an action without a password, set the
  4752. #   password to "none".
  4753. #
  4754. #   Use the keyword "all" to set the same password for all actions.
  4755. #
  4756. #Example:
  4757. # cachemgr_passwd secret shutdown
  4758. # cachemgr_passwd lesssssssecret info stats/objects
  4759. # cachemgr_passwd disable all
  4760. #
  4761. #Default:
  4762. # none
  4763.  
  4764. #  TAG: client_db   on|off
  4765. #   If you want to disable collecting per-client statistics,
  4766. #   turn off client_db here.
  4767. #
  4768. #Default:
  4769. # client_db on
  4770.  
  4771. #  TAG: reload_into_ims on|off
  4772. #   When you enable this option, client no-cache or ``reload''
  4773. #   requests will be changed to If-Modified-Since requests.
  4774. #   Doing this VIOLATES the HTTP standard.  Enabling this
  4775. #   feature could make you liable for problems which it
  4776. #   causes.
  4777. #
  4778. #   See also refresh_pattern for a more selective approach.
  4779. #
  4780. #Default:
  4781. # reload_into_ims off
  4782.  
  4783. #  TAG: maximum_single_addr_tries
  4784. #   This sets the maximum number of connection attempts for a
  4785. #   host that only has one address (for multiple-address hosts,
  4786. #   each address is tried once).
  4787. #
  4788. #   The default value is one attempt; the (not recommended)
  4789. #   maximum is 255 tries.  A warning message will be generated
  4790. #   if it is set to a value greater than ten.
  4791. #
  4792. #   Note: This is in addition to the request re-forwarding which
  4793. #   takes place if Squid fails to get a satisfying response.
  4794. #
  4795. #Default:
  4796. # maximum_single_addr_tries 1
  4797.  
  4798. #  TAG: retry_on_error
  4799. #   If set to on Squid will automatically retry requests when
  4800. #   receiving an error response. This is mainly useful if you
  4801. #   are in a complex cache hierarchy to work around access
  4802. #   control errors.
  4803. #
  4804. #Default:
  4805. # retry_on_error off
  4806.  
  4807. #  TAG: as_whois_server
  4808. #   WHOIS server to query for AS numbers.  NOTE: AS numbers are
  4809. #   queried only when Squid starts up, not for every request.
  4810. #
  4811. #Default:
  4812. # as_whois_server whois.ra.net
  4813. # as_whois_server whois.ra.net
  4814.  
  4815. #  TAG: offline_mode
  4816. #   Enable this option and Squid will never try to validate cached
  4817. #   objects.
  4818. #
  4819. #Default:
  4820. # offline_mode off
  4821.  
  4822. #  TAG: uri_whitespace
  4823. #   What to do with requests that have whitespace characters in the
  4824. #   URI.  Options:
  4825. #
  4826. #   strip:  The whitespace characters are stripped out of the URL.
  4827. #       This is the behavior recommended by RFC2396.
  4828. #   deny:   The request is denied.  The user receives an "Invalid
  4829. #       Request" message.
  4830. #   allow:  The request is allowed and the URI is not changed.  The
  4831. #       whitespace characters remain in the URI.  Note the
  4832. #       whitespace is passed to redirector processes if they
  4833. #       are in use.
  4834. #   encode: The request is allowed and the whitespace characters are
  4835. #       encoded according to RFC1738.  This could be considered
  4836. #       a violation of the HTTP/1.1
  4837. #       RFC because proxies are not allowed to rewrite URIs.
  4838. #   chop:   The request is allowed and the URI is chopped at the
  4839. #       first whitespace.  This might also be considered a
  4840. #       violation.
  4841. #
  4842. #Default:
  4843. # uri_whitespace strip
  4844.  
  4845. #  TAG: coredump_dir
  4846. #   By default Squid leaves core files in the directory from where
  4847. #   it was started. If you set 'coredump_dir' to a directory
  4848. #   that exists, Squid will chdir() to that directory at startup
  4849. #   and coredump files will be left there.
  4850. #
  4851. #Default:
  4852. # coredump_dir none
  4853. #
  4854. # Leave coredumps in the first cache dir
  4855. coredump_dir /var/spool/squid
  4856.  
  4857. #  TAG: chroot
  4858. #   Use this to have Squid do a chroot() while initializing.  This
  4859. #   also causes Squid to fully drop root privileges after
  4860. #   initializing.  This means, for example, if you use an HTTP
  4861. #   port less than 1024 and try to reconfigure, you may get an
  4862. #   error saying that Squid can not open the port.
  4863. #
  4864. #Default:
  4865. # none
  4866.  
  4867. #  TAG: balance_on_multiple_ip
  4868. #   Some load balancing servers based on round robin DNS have been
  4869. #   found not to preserve user session state across requests
  4870. #   to different IP addresses.
  4871. #
  4872. #   By default Squid rotates IPs per request. By disabling
  4873. #   this directive, only connection failure triggers rotation.
  4874. #
  4875. #Default:
  4876. # balance_on_multiple_ip on
  4877.  
  4878. #  TAG: pipeline_prefetch
  4879. #   To boost the performance of pipelined requests to closer
  4880. #   match that of a non-proxied environment Squid can try to fetch
  4881. #   up to two requests in parallel from a pipeline.
  4882. #
  4883. #   Defaults to off for bandwidth management and access logging
  4884. #   reasons.
  4885. #
  4886. #Default:
  4887. # pipeline_prefetch off
  4888.  
  4889. #  TAG: high_response_time_warning  (msec)
  4890. #   If the one-minute median response time exceeds this value,
  4891. #   Squid prints a WARNING with debug level 0 to get the
  4892. #   administrator's attention.  The value is in milliseconds.
  4893. #
  4894. #Default:
  4895. # high_response_time_warning 0
  4896.  
  4897. #  TAG: high_page_fault_warning
  4898. #   If the one-minute average page fault rate exceeds this
  4899. #   value, Squid prints a WARNING with debug level 0 to get
  4900. #   the administrator's attention.  The value is in page faults
  4901. #   per second.
  4902. #
  4903. #Default:
  4904. # high_page_fault_warning 0
  4905.  
  4906. #  TAG: high_memory_warning
  4907. #   If the memory usage (as determined by mallinfo) exceeds
  4908. #   this amount, Squid prints a WARNING with debug level 0 to get
  4909. #   the administrator's attention.
  4910. #
  4911. #Default:
  4912. # high_memory_warning 0 KB
  4913.  
  4914. #  TAG: sleep_after_fork    (microseconds)
  4915. #   When this is set to a non-zero value, the main Squid process
  4916. #   sleeps the specified number of microseconds after a fork()
  4917. #   system call. This sleep may help the situation where your
  4918. #   system reports fork() failures due to lack of (virtual)
  4919. #   memory. Note, however, if you have a lot of child
  4920. #   processes, these sleep delays will add up and your
  4921. #   Squid will not service requests for some amount of time
  4922. #   until all the child processes have been started.
  4923. #   On Windows, values less than 1000 (1 millisecond) are
  4924. #   rounded to 1000.
  4925. #
  4926. #Default:
  4927. # sleep_after_fork 0
  4928.  
  4929. #  TAG: zero_buffers    on|off
  4930. #   Squid by default will zero all buffers before using or reusing them.
  4931. #   Setting this to 'off' will result in fixed-sized temporary buffers
  4932. #   not being zero'ed. This may give a performance boost on certain
  4933. #   platforms but it may result in undefined behaviour at the present
  4934. #   time.
  4935. #
  4936. #Default:
  4937. # zero_buffers on
  4938.  
  4939. #  TAG: windows_ipaddrchangemonitor on|off
  4940. #   On Windows Squid by default will monitor IP address changes and will
  4941. #   reconfigure itself after any detected event. This is very useful for
  4942. #   proxies connected to internet with dial-up interfaces.
  4943. #   In some cases (a proxy server acting as VPN gateway is one) it could be
  4944. #   desirable to disable this behaviour by setting this to 'off'.
  4945. #   Note: after changing this, Squid service must be restarted.
  4946. #
  4947. #Default:
  4948. # windows_ipaddrchangemonitor on
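
Added example (not part of the original squid.conf): a Python check that reads the active lines of a config and reports the security-relevant settings documented above (cachemgr_passwd, forwarded_for, ignore_unknown_nameservers, check_hostnames, uri_whitespace, zero_buffers), using the defaults stated in the comments. The function names, the sample configs and the first-matching-line handling of cachemgr_passwd entries are assumptions of this example.

```python
# Defaults as stated in the "#Default:" comments of this file.
DEFAULTS = {
    "forwarded_for": "on",
    "ignore_unknown_nameservers": "on",
    "check_hostnames": "on",
    "uri_whitespace": "strip",
    "zero_buffers": "on",
}

# (directive, value) pairs worth reporting, with the reason the file gives.
RISKY = {
    ("forwarded_for", "on"):
        "X-Forwarded-For discloses an IP address or name to origin servers",
    ("ignore_unknown_nameservers", "off"):
        "DNS responses are accepted from addresses that were not queried",
    ("check_hostnames", "off"):
        "hostnames are no longer checked for RFC compliance",
    ("uri_whitespace", "allow"):
        "whitespace in URIs is kept and passed on to redirector processes",
    ("zero_buffers", "off"):
        "temporary buffers are reused without zeroing (undefined behaviour)",
}

def active_directives(conf):
    """Yield (name, args) for each non-comment line; '#' starts a comment."""
    for raw in conf.splitlines():
        tok = raw.split("#", 1)[0].split()
        if tok:
            yield tok[0], tok[1:]

def mgr_password(entries, action):
    """Password that applies to a cachemgr action, or None if unlisted.
    Assumed: the first line naming the action (or 'all') wins."""
    for password, actions in entries:
        if action in actions or "all" in actions:
            return password
    return None

def audit(conf):
    settings, entries = dict(DEFAULTS), []
    for name, args in active_directives(conf):
        if name == "cachemgr_passwd" and len(args) >= 2:
            entries.append((args[0], args[1:]))
        elif name in settings and args:
            settings[name] = args[0].lower()

    findings = [(name, why) for (name, bad), why in RISKY.items()
                if settings[name] == bad]

    listed = {a for _, actions in entries for a in actions}
    for action in sorted(listed):
        if mgr_password(entries, action) == "none":
            findings.append(("cachemgr_passwd",
                             f"'{action}' can be performed without a password"))
    if "all" not in listed:
        # Only the starred actions are refused without a valid password.
        findings.append(("cachemgr_passwd",
                         "actions not listed (other than the starred ones) "
                         "can be performed without a password"))
    return findings

# Constructed sample configs.
WEAK = """
cachemgr_passwd none shutdown
cachemgr_passwd s3cret config reconfigure
ignore_unknown_nameservers off
uri_whitespace allow
"""
HARDENED = """
cachemgr_passwd disable all
forwarded_for off
"""

if __name__ == "__main__":
    for directive, why in audit(WEAK):
        print(f"{directive}: {why}")
```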